Contents

01. News Bites
  • Storm-1175 exploits critical GoAnywhere MFT flaw in ransomware attacks
  • Millions at risk as Microsoft due to end Windows 10 support next week
  • Clop gang exploits Oracle EBS zero-day in data theft attacks
  • Salesforce refuses to pay ransom after massive data theft attacks
  • Cyber-attacks on supply chains surge amid major corporate disruptions
02. Conclusion

Quick News Bites

Storm-1175 exploits critical GoAnywhere MFT flaw in ransomware attacks

A cybercrime group known as Storm-1175 has been exploiting a maximum severity GoAnywhere MFT vulnerability, CVE-2025-10035, in Medusa ransomware campaigns since at least 11 September. The flaw, caused by a deserialisation weakness in Fortra’s License Servlet, enables remote, low-complexity attacks without user interaction.

Fortra released a patch on 18 September, but researchers identified more than 500 exposed instances online, and it is unclear how many remain unpatched. The issue was flagged as exploited in the wild a week after the patch, with evidence of zero-day use dating from 10 September.

Microsoft confirmed that Storm-1175 exploited the flaw for initial access before maintaining persistence via SimpleHelp and MeshAgent. The group then conducted reconnaissance, moved laterally using Remote Desktop, exfiltrated data with Rclone, and deployed Medusa ransomware. Microsoft and Fortra are urging admins to upgrade immediately and check logs for signs of compromise.

Millions at risk as Microsoft due to end Windows 10 support next week

Around 5 million British computer users face increased cyber risks as Microsoft ends support for Windows 10 on October 14th, according to consumer group Which?. Out of an estimated 21 million UK users, one in four plan to continue using the outdated system, leaving them vulnerable to malware, viruses, and scams. Over a third of those not taking action are aged over 55.

The move will also contribute to global e-waste, with millions of PCs expected to become obsolete if they can’t run newer software. Microsoft is urging users to upgrade to Windows 11 where possible or purchase a one-year extension to allow more time to transition.

Yusuf Mehdi, Microsoft executive vice-president, warned that unsupported devices will become more exposed to cyber threats and that apps may stop working properly. We urge users to check their systems immediately to avoid leaving themselves open to attack.

Clop gang exploits Oracle EBS zero-day in data theft attacks

The Clop ransomware gang has been exploiting a critical zero-day vulnerability in Oracle E-Business Suite (EBS) since early August, according to CrowdStrike. Tracked as CVE-2025-61882, the flaw affects the BI Publisher Integration component and enables unauthenticated attackers to execute remote code on vulnerable systems through low-complexity attacks requiring no user interaction. Oracle issued a patch over the weekend.

Researchers discovered that the bug is part of a vulnerability chain allowing attackers to gain remote code execution with a single HTTP request. The exploit was originally leaked online in May by the Scattered Lapsus$ Hunters group.

CrowdStrike confirmed that Clop has been using this zero-day to steal sensitive documents, with initial exploitation traced back to 9 August. Analysts believe GRACEFUL SPIDER is likely involved but warn other threat groups may also be exploiting the flaw. Investigations are ongoing.

Salesforce refuses to pay ransom after massive data theft attacks

Salesforce has confirmed it will not negotiate with or pay a ransom to the threat actors behind a large-scale data theft campaign targeting its customers. In an email to customers, the company cited “credible threat intelligence” that attackers planned to leak the stolen data. The Scattered Lapsus$ Hunters group has launched a data leak site to extort 39 major organisations, including FedEx, Disney, Marriott, Google, Cisco, and IKEA, claiming to hold nearly 1 billion records.

The stolen data came from two 2025 campaigns. The first used social engineering to trick staff into linking malicious OAuth apps to Salesforce instances. The second, in August, involved stolen SalesLoft OAuth tokens to exfiltrate CRM data from hundreds of companies, including major tech firms.

Salesforce’s refusal comes as the extortion site has been taken offline, with signs suggesting possible law enforcement involvement. Investigations into the attacks continue.

Cyber-attacks on supply chains surge amid major corporate disruptions

Nearly a third of business leaders have reported a rise in cyber-attacks on their supply chains over the past six months, according to a survey by the Chartered Institute of Procurement and Supply (Cips). Cyber threats have rapidly climbed the list of concerns for procurement managers across manufacturing, energy, and technology, rivalling geopolitical instability and tariffs as leading business risks.

High-profile incidents have underscored the danger. Jaguar Land Rover’s month-long shutdown following a cyber-attack is estimated to have cost £120m in profits, while recent breaches at Marks & Spencer and the Co-op caused tens of millions in losses. In Japan, Asahi was forced to halt production at 30 plants due to a systems outage.

Cips’ survey found that 29% of managers reported attacks on companies within their supply chains. The organisation has urged businesses to strengthen digital defences to protect operations and maintain customer trust in increasingly interconnected global trade networks.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.