CCTR.43.OCT.25

Monday morning cyber coffee read CCTR.43.OCT.25

A suspected China-nexus threat actor (UNC5221 / Brickstorm) breached F5’s internal systems, maintaining persistence for over a year before detection on 9 August 2025. The attackers exfiltrated portions of BIG-IP source code and undisclosed vulnerability data.

If a threat actor was in your environment for a year, what do you think they might have stolen?

F5 has since released patches for 44 vulnerabilities, including those whose details were stolen, and has confirmed no evidence of downstream supply chain compromise or active exploitation.

  • Apply October 2025 F5 security updates across all affected F5 products.

  • Decommission any End-of-Support F5 systems exposed to the internet.

  • Review and reset all administrative and DevOps account credentials associated with F5 appliances.

  • Follow F5’s Brickstorm Threat Hunting Guide to inspect for persistence through management interfaces or embedded malware.

  • F5 and CrowdStrike have extended Falcon EDR sensors and Overwatch Threat Hunting to BIG-IP devices. Eligible customers receive free Falcon EDR licences through October 2026.

While F5 reports no active exploitation, UNC5221’s history of exfiltrating source code to discover zero-days makes this breach strategically significant. So monitor your BIG-IP systems for indicators of post-compromise persistence.

https://my.f5.com/manage/s/article/K000154696

Interesting Brickstorm TTPs: https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign

A critical vulnerability, CVE-2025-9242, in WatchGuard’s IKEv2 VPN handler allows remote attackers to compromise Firebox appliances running vulnerable versions of Fireware OS without valid credentials, gaining full control of the firewall. A compromised Firebox could then be weaponised as a command and control (C2) node, credential harvesting point, or lateral movement pivot within internal networks.

Patch immediately to the latest Fireware OS release.

If patching is delayed, apply vendor workarounds and restrict IKE exposure until updates are installed.

watchTowr analysis: https://labs.watchtowr.com/yikes-watchguard-fireware-os-ikev2-out-of-bounds-write-cve-2025-9242/

Oracle confirmed that attackers exploited vulnerabilities in Oracle E-Business Suite (EBS) that had been patched in July 2025, prompting emergency updates on 4 October and a follow-up patch (CVE-2025-61884) on 11 October.

Investigations revealed that the campaign had been active for months, with threat actors exploiting CVE-2025-61882 as a zero-day from at least 9 August 2025, prior to any available fix. The attackers exfiltrated large volumes of data from multiple Oracle EBS customers before issuing extortion demands under the CL0P brand.

This represents a high-impact compromise of ERP and financial systems, leading to data theft, operational disruption and significant extortion risk.

Looks like the action of the day is: patch, harden, hunt and monitor.

https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-suite-zero-day-exploitation
