⏱️ ≈ 9-minute read

Editor’s Note: ERP platforms are getting treated like soft targets, mobile zero-clicks aren’t done with us, and regulators are shipping anti-deepfake playbooks. Grab coffee—then patch, plan, and push back.

📬 This Week’s Clickables

  • 📌 Big News: 🧱 Oracle EBS extortion campaign widens • 🕰️ Nevada’s months-long ransomware dwell time

  • 🚨 Can’t Miss: 🏛️ CBO breach • 📱 “LANDFALL” spyware chain • 🪟 Win11 23H2 reaches EoS • 📺 Sling TV’s CCPA penalty • 😈 Two defenders charged in BlackCat ops

  • 🤖 AI in Cyber: 🧪 Multi-turn jailbreaks surge • 🪄 “PROMPTFLUX” uses an LLM • 🇮🇪 Ireland’s SAFE anti-deepfake push • 🧠 When “reasoning” weakens safety

  • 🧪 Strange Cyber Story: 🎭 Akira “steals HR data” from a project with… no HR

🚨 Big Stories

🧱 Oracle EBS extortion campaign keeps widening

What Happened. The extortion wave abusing Oracle E-Business Suite (EBS) keeps pulling in big names across media, insurance, manufacturing, and aviation. Leak-site postings and victim confirmations show a multi-industry blast radius with ERP at the center.
Why It’s Important. ERP is backbone tech—finance, HR, supply, billing. When abused, fallout is operational, not just data loss. Slow patch/upgrade cycles create long-lived exposure.
The Other Side. Oracle has issued guidance acknowledging customer extortion attempts; researchers have tied activity to CL0P/FIN11-style tactics. Many impacts trace to upstream providers/integrations.
Takeaway. Treat ERP like Tier-0. Inventory all EBS exposure, lock down SSO/IDP and integrations, and rehearse vendor-involved IR (legal + comms).
TL;DR. ERP is the new supply chain. Are your board and IR playbooks explicitly ERP-aware if finance/HR systems go dark?

Further Reading: SecurityWeek, Reuters, TechCrunch

CISA’s Known Exploited Vulnerabilities catalog surpassed 1,300 CVEs this year—each one confirmed exploited in the wild.

🕰️ Nevada’s post-mortem: ransomware dwell time measured in months

What Happened. A statewide outage traced back to malware planted in May—months before the August detonation. The state declined to pay, recovered most data, and projects seven-figure costs, partially offset by insurance.
Why It’s Important. A quiet intrusion leveraging signed tools and decentralized IT allowed long dwell time and mapping of crown jewels. Governance—not just tools—shaped the blast radius.
The Other Side. Officials cite improved segmentation/logging since, but admit visibility gaps around admin toolchains.
Takeaway. Harden the toolchain. Enforce code-signing verification, lock down remote admin, and hunt living-off-the-land patterns on a schedule—not just post-incident.
TL;DR. Ransomware is the finale; the opener is months of unnoticed prep. Do you continuously test controls around admin tools and script runners?

Further Reading: AP News

🔥 Can’t Miss

  • 🏛️ U.S. Congressional Budget Office confirms compromise
    The CBO disclosed a breach and says containment and enhanced monitoring are in place; reporting points to a suspected foreign actor and warns staff about phishing on the back of exposed comms. 👉 Key takeaway: Back-office gov orgs hold policy intelligence and inter-agency comms—treat them like high-value targets.

  • 📱 Samsung “LANDFALL” spyware chain abused a zero-click imaging bug
    Unit 42 detailed a commercial-grade Android implant delivered via malicious DNG images (CVE-2025-21042). Patches shipped earlier this year; the flaw is now in CISA’s KEV with deadlines. 👉 Key takeaway: Exec phones need rapid OS/firmware currency, enforced MDM, and media-handling hardening.

  • 🪟 Windows 11 23H2 (Home/Pro) hits end of servicing—now
    Nov 11, 2025 was the last security update for 23H2 Home/Pro. Enterprises lingering on 23H2 should accelerate upgrades to 24H2/25H2. 👉 Key takeaway: Unsupported OS = quiet risk multiplier during the holiday threat window.

  • 📺 Sling TV pays $530k in CCPA settlement over opt-out UX
    California’s AG cited confusing consent flows and kids’ privacy lapses; the settlement includes injunctive UX fixes. 👉 Key takeaway: Design is compliance—dark-pattern-ish UX now draws fines, not just blog posts.

  • 😈 Two cybersecurity pros charged with running BlackCat ops
    Prosecutors allege incident-response professionals moonlighted as ALPHV affiliates, hitting U.S. firms with multimillion-dollar demands. 👉 Key takeaway: Trust but verify—apply people-centric zero trust (access reviews, conflict-of-interest checks) to sensitive IR roles.

🤖 AI in Cyber

🧟‍♂️ Strange Cyber

🎭 Akira “breaches” Apache OpenOffice… of nonexistent employees

Intro. Ransomware crew Akira claimed it swiped 23GB of “corporate files,” including employee records, from Apache OpenOffice. The Apache Software Foundation (ASF) responded with a collective eyebrow raise: OpenOffice doesn’t have employees.
What Happened. Akira listed OpenOffice on its leak site, alleging stolen HR and financial docs. ASF says there’s no evidence of compromise—and an open-source project with volunteers doesn’t hold the HR data the gang described.
Why It’s Important. Leak-site theater is part of the playbook: false or inflated claims can spook partners and burn IR cycles.
The Other Side. Could a third-party or look-alike be involved? ASF is investigating; with no specifics from Akira, the claim looks like pressure tactics.
Takeaway. Don’t let extortionists set your narrative. Verify data reality fast, publish what you don’t store, and be ready to dispute fake breaches as quickly as real ones.
TL;DR. A gang claimed HR data from a project with no HR—extortion as performance art. Are your IR + comms teams pre-scripted to challenge bogus claims?

Thanks for reading this week’s edition. Like what you see? Forward it!

Hate everything you see or have other feedback? Reply back to this email!
