13th October – Threat Intelligence Report

October 13, 2025

For the latest discoveries in cyber research for the week of 13th October, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • The Qilin ransomware group has claimed responsibility for the attack on Asahi, Japan’s largest brewing company, which was breached on September 29th. The attack resulted in the exfiltration of over 9,300 files totaling 27GB of sensitive data, including financial documents, employee IDs, contracts, and internal reports. It disrupted operations at six breweries, impacting the production of thirty labels and potentially causing hundreds of millions in losses.

Check Point Threat Emulation provides protection against this threat (Ransomware.Wins.Qilin)

  • The city of Sugar Land, Texas, has been the victim of a cyber-attack that caused outages to several online municipal services, including bill pay, permit payments, and utility billing systems, but did not affect critical infrastructure or emergency services. The incident disrupted digital access for nearly 110,000 residents, with no disclosed evidence of data theft.
  • American law firm Williams & Connolly has confirmed a cyber-attack that resulted in unauthorized access to email accounts belonging to a small number of attorneys. The firm reported no evidence that confidential client data was stolen from its central databases, and the scope of the compromised information appears limited to email accounts. The attack has been attributed to suspected China-affiliated threat actors.
  • The Crimson Collective threat group, which claimed the Red Hat intrusion last week, is now targeting AWS environments for data theft and extortion. The group harvests exposed AWS credentials, creates new IAM users and access keys, attaches the AdministratorAccess policy for privilege escalation, and enumerates cloud assets. It then resets RDS master passwords and snapshots EBS volumes to spin up EC2 instances under permissive security groups, and delivers extortion notes through SES from within the victims’ own AWS accounts. Post-disclosure, Crimson Collective partnered with “Scattered Lapsus$ Hunters” to amplify pressure, and it has reused IPs across incidents, aiding cross-case correlation.
  • Electronic components maker Avnet has suffered a data breach that resulted in unauthorized access to an externally hosted EMEA internal-sales database. A threat actor has claimed responsibility for stealing 1.3TB of compressed data and is demanding a ransom, but most of the data is reportedly unreadable without proprietary tools, and the total number of affected individuals remains unknown.
  • American gambling company DraftKings has experienced a data breach that resulted in unauthorized access to customer accounts through credential stuffing attacks, exposing personal information such as names, phone numbers, email addresses, last four digits of payment cards and more. The breach has reportedly impacted fewer than 30 customers, and no sensitive data was accessed.
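The Crimson Collective chain above is unusually loud in CloudTrail: every step is a logged API call. The following detector is an added illustration, not Check Point's or AWS's code; it correlates the stages by source IP (the group reuses IPs) and records every principal involved, since the actor moves from the harvested credential to the newly created user. Stage names and the sample events are constructed; the eventSource/eventName strings are the API names CloudTrail records.

```python
# Added illustration, not Check Point's code: flag the AWS abuse chain described
# above in CloudTrail events. Stage names are hypothetical; eventSource/eventName
# strings are the API names CloudTrail records.
import json
from collections import defaultdict

STAGES = {  # stage -> (eventSource, eventName, predicate over requestParameters or None)
    "iam_user_created": ("iam.amazonaws.com", "CreateUser", None),
    "access_key_created": ("iam.amazonaws.com", "CreateAccessKey", None),
    "admin_policy_attached": ("iam.amazonaws.com", "AttachUserPolicy",
        lambda p: p.get("policyArn", "").endswith("/AdministratorAccess")),
    "rds_master_pw_reset": ("rds.amazonaws.com", "ModifyDBInstance",
        lambda p: "masterUserPassword" in p),  # CloudTrail redacts the value, key suffices
    "ebs_snapshot": ("ec2.amazonaws.com", "CreateSnapshot", None),
    "instance_launched": ("ec2.amazonaws.com", "RunInstances", None),
    "ses_mail_sent": ("ses.amazonaws.com", "SendEmail", None),
}

def classify(event):
    """Return the stage name an event matches, or None."""
    params = event.get("requestParameters") or {}
    for stage, (src, name, pred) in STAGES.items():
        if event.get("eventSource") == src and event.get("eventName") == name \
                and (pred is None or pred(params)):
            return stage
    return None

def detect(events, min_stages=3):
    """Group stage hits by source IP and report IPs reaching min_stages, with all principals seen."""
    hits = defaultdict(lambda: {"stages": set(), "actors": set()})
    for ev in events:
        stage = classify(ev)
        if stage:
            hits[ev["sourceIPAddress"]]["stages"].add(stage)
            hits[ev["sourceIPAddress"]]["actors"].add(ev["userIdentity"]["arn"])
    return {ip: {"stages": sorted(h["stages"]), "actors": sorted(h["actors"])}
            for ip, h in hits.items() if len(h["stages"]) >= min_stages}

def parse(jsonl):
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]

# Constructed sample events: an attacker chain from 203.0.113.7 plus one benign launch.
SAMPLE_LOG = """\
{"eventSource":"iam.amazonaws.com","eventName":"CreateUser","userIdentity":{"arn":"arn:aws:iam::111122223333:user/leaked-ci"},"sourceIPAddress":"203.0.113.7","requestParameters":{"userName":"backup-svc"}}
{"eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"arn":"arn:aws:iam::111122223333:user/leaked-ci"},"sourceIPAddress":"203.0.113.7","requestParameters":{"userName":"backup-svc"}}
{"eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","userIdentity":{"arn":"arn:aws:iam::111122223333:user/leaked-ci"},"sourceIPAddress":"203.0.113.7","requestParameters":{"userName":"backup-svc","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventSource":"rds.amazonaws.com","eventName":"ModifyDBInstance","userIdentity":{"arn":"arn:aws:iam::111122223333:user/backup-svc"},"sourceIPAddress":"203.0.113.7","requestParameters":{"dBInstanceIdentifier":"prod-db","masterUserPassword":"****"}}
{"eventSource":"ec2.amazonaws.com","eventName":"CreateSnapshot","userIdentity":{"arn":"arn:aws:iam::111122223333:user/backup-svc"},"sourceIPAddress":"203.0.113.7","requestParameters":{"volumeId":"vol-0abc"}}
{"eventSource":"ses.amazonaws.com","eventName":"SendEmail","userIdentity":{"arn":"arn:aws:iam::111122223333:user/backup-svc"},"sourceIPAddress":"203.0.113.7","requestParameters":null}
{"eventSource":"ec2.amazonaws.com","eventName":"RunInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:role/deploy"},"sourceIPAddress":"198.51.100.2","requestParameters":{}}
"""
```

Running `detect(parse(SAMPLE_LOG))` flags only 203.0.113.7 with six stages and both principals; the single deploy-role launch from 198.51.100.2 stays below the threshold.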

VULNERABILITIES AND PATCHES

  • A new large-scale botnet campaign, RondoDox, is actively exploiting 56 vulnerabilities – including RCE and command injection CVEs like CVE-2023-1389, CVE-2024-3721, and CVE-2024-12856 – across 30+ device types (DVRs, NVRs, CCTV, web servers). Active since June, it exploits new and legacy bugs (including unpatched EOL devices), weaponizes Pwn2Own code, and uses an “exploit shotgun” to maximize infections and seize device/network control.

Check Point IPS provides protection against this threat (TP-Link Archer AX21 Command Injection (CVE-2023-1389); TBK DVR Devices Command Injection (CVE-2024-3721); Four-Faith F3x Series Command Injection (CVE-2024-12856))

  • Oracle E-Business Suite zero-day CVE-2025-61882 enables unauthenticated RCE via the BI Publisher Integration component with a single low-complexity HTTP request, allowing data theft from internet-exposed EBS apps. The flaw is actively leveraged by Cl0p and other threat actors for extortion.

Check Point IPS provides protection against this threat (Oracle Concurrent Processing Remote Code Execution (CVE-2025-61882))

  • Redis has patched CVE-2025-49844, a critical use-after-free RCE in the default-enabled Lua engine affecting all versions. Authenticated exploitation enables sandbox escape and full host compromise (reverse shells, credential theft, lateral movement, malware); at least 60k of ~330k Internet-exposed Redis servers lack authentication, and the flaw is already being abused by botnets and ransomware.

Check Point IPS provides protection against this threat (Redis Use After Free (CVE-2025-49844))

THREAT INTELLIGENCE REPORTS

  • Check Point Research’s global cyber threat analysis for September 2025 reflects a temporary stabilization in overall attack volumes – yet beneath the surface, ransomware activity and data risks linked to GenAI surged to new highs. 1 in every 54 GenAI prompts from enterprise networks posed a high risk of sensitive data exposure, a threat that impacted 91% of organizations using GenAI tools regularly.
  • Researchers have discovered that XWorm RAT has resurfaced with 35 plugins and an upgraded ransomware module for file encryption, wallpaper changes, and ransom notes. New versions support plugins for browser, email, messaging-app, FTP, and crypto-wallet data theft, and more.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Worm.Wins.Xworm; RAT.Wins.XWorm.ta.*)

  • Researchers have analyzed a new Android spyware campaign dubbed ClayRat, which mimics apps like WhatsApp, TikTok, and YouTube to target Russian users via phishing websites and Telegram channels. The malware uses session-based installation to evade Android 13+ restrictions, acts as a dropper for encrypted payloads, and takes on the SMS-handler role to exfiltrate messages, call logs, device info, and photos, while mass-propagating itself through SMS to the victim’s contacts.
