Media Coverage

A sophisticated cyberattack targeting Oracle E-Business Suite (EBS) customers has exposed critical vulnerabilities in enterprise resource planning systems, compromising an estimated 100 organizations worldwide between July and October 2025. The campaign, attributed to the notorious Clop ransomware group and linked to the financially motivated threat actor FIN11, exploited a zero-day vulnerability, CVE-2025-61882, to achieve unauthenticated remote code execution on internet-facing EBS portals.

Shadowserver researchers released data on October 8, 2025, showing 576 potentially vulnerable IP addresses based on internet scanning for the zero-day vulnerability. This figure represents only internet-exposed Oracle EBS instances and does not account for organizations that may have been compromised but maintained the systems behind firewalls or other network security controls.​

Between 10 and 13 November 2025, the latest phase of Operation Endgame was coordinated from Europol’s headquarters in The Hague. The actions targeted one of the biggest infostealers Rhadamanthys, the Remote Access Trojan VenomRAT, and the botnet Elysium, all of which played a key role in international cybercrime. Authorities took down these three large cybercrime enablers. The main suspect for VenomRAT was also arrested in Greece on 3 November 2025.

The infrastructure dismantled during the action days was responsible for infecting hundreds of thousands of victims worldwide with malware. Operation Endgame, coordinated by Europol and Eurojust, is a joint effort between law enforcement and judicial authorities of Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom and the United States to tackle ransomware enablers. More than 30 national and international public and private parties are supporting the actions. Important contributions were made by the following private partners: Cryptolaemus, Shadowserver and RoLR, Spycloud, Cymru, Proofpoint, Crowdstrike, Lumen, Abuse.ch, HaveIBeenPwned, Spamhaus, DIVD, Trellix and Bitdefender.

Specialists of the State Service for Special Communications participated in the OSCE regional training for Ukraine and Moldova, dedicated to increasing the effectiveness of the implementation of confidence-building measures in the field of cybersecurity and information and communication technologies (ICT) security. During the event, representatives of the State Service for Special Communications shared with international partners best practices in the field of critical infrastructure protection at the national level. They informed participants about key methods and results of responding to cyberattacks carried out against Ukraine in the context of full-scale armed aggression.

In addition to representatives from Ukraine and Moldova, experts from Romania, Belgium, Germany, and a representative of The Shadowserver Foundation were invited as speakers.

The Cybersecurity and Infrastructure Security Agency (CISA) ordered U.S. government agencies to patch a critical-severity Windows Server Update Services (WSUS) vulnerability after adding it to its catalog of security flaws exploited in attacks.

The Shadowserver Foundation has uncovered more than 71,000 internet-exposed WatchGuard devices running vulnerable versions of Fireware OS. The Shadowserver Foundation, a nonprofit dedicated to scanning for internet vulnerabilities, began sharing daily IP data on affected WatchGuard devices this week. Shadowserver’s data, available through their Vulnerable ISAKMP reporting portal, includes anonymized IP addresses to help network defenders identify and remediate their own exposures.

An action day performed in Latvia on 10 October 2025 led to the arrest of five cybercriminals of Latvian nationality and the seizure of infrastructure used to enable crimes against thousands of victims across Europe. During the operation codenamed ‘SIMCARTEL’, law enforcement arrested two further suspects, took down five servers and seized 1 200 SIM box devices alongside 40 000 active SIM cards. Investigators from Austria, Estonia and Latvia, together with their colleagues at Europol und Eurojust, were able to attribute to the criminal network more than 1 700 individual cyber fraud cases in Austria and 1 500 in Latvia, with a total loss of several million euros.

To prepare for the action day in Latvia, Eurojust and Europol leveraged their strengths to enhance the international law enforcement effort. They assisted in planning and administering the action day, with support from Joint Investigation Team partners Austria, Estonia and Latvia, as well as Finland. During the operation, the technical infrastructure of the organised criminal network was dismantled in collaboration between Europol and the Shadowserver Foundation.

A recent breach of F5 Networks’ infrastructure has left more than 269,000 devices exposed and vulnerable to attack. Security researchers first detected unusual activity on F5’s management portal, prompting the company to issue an alert and patch critical vulnerabilities.

Shadowserver’s Device Identification report, which tracks vulnerable or misconfigured network equipment, now lists more than 269,000 F5 devices still online and unpatched. Shadowserver provides an interactive dashboard that breaks down the geographic distribution of exposed F5 gear.

A threat actor named Detour Dog has been outed as powering campaigns distributing an information stealer known as Strela Stealer. That’s according to findings from Infoblox, which found the threat actor to maintain control of domains hosting the first stage of the stealer, a backdoor called StarFish. Infoblox said it worked with the Shadowserver Foundation to sinkhole two of Detour Dog’s C2 domains (webdmonitor[.]io and aeroarrows[.]io) on July 30 and August 6, 2025.

Cisco has confirmed two serious vulnerabilities impacting its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls. Tracked as CVE-2025-20333 and CVE-2025-20362, both issues allow attackers to run arbitrary code on unpatched devices. Cisco security advisories warn that exploits for both flaws are already in the wild. Shadowserver’s daily vulnerable HTTP report now includes a live list of ASA/FTD instances susceptible to these 0-day bugs. On September 29, security researchers discovered 48,800+ publicly reachable IPs still running outdated firewall versions. Network teams should subscribe for daily updates and cross-check their public IP ranges against Shadowserver’s list.

Fortra has released security updates to patch a maximum severity vulnerability in GoAnywhere MFT’s License Servlet that can be exploited in command injection attacks. GoAnywhere MFT is a web-based managed file transfer tool that helps organizations securely transfer files and maintain audit logs of who accesses the shared files. Security analysts at the nonprofit Shadowserver Foundation are monitoring over 470 GoAnywhere MFT instances. However, it is unclear how many of these have already been patched or have their admin console exposed online.