Cyber Incident Affects Multiple London Councils

DoorDash confirmed a data breach in October 2025 where an unauthorized third party accessed user contact information, including names, phone numbers, physical addresses, and email details. The breach was caused by a social engineering attack on a DoorDash employee. The company has taken steps to mitigate the breach, including shutting down unauthorized access, starting an investigation, and referring the matter to law enforcement. DoorDash has also deployed new security enhancements and provided additional training for employees. This is the third notable security incident suffered by DoorDash in the last six years, following breaches in 2019 and 2022. The breach notification emails primarily targeted DoorDash Canada users, but the incident may extend beyond Canada. Users have expressed concerns about the timing of the notifications and the handling of the incident, with some users threatening legal action against DoorDash.

The Clop ransomware gang has been exploiting multiple vulnerabilities in Oracle E-Business Suite since at least August 2025, including the zero-day vulnerability CVE-2025-61882. The gang has been sending extortion emails to executives at multiple organizations, claiming to have stolen sensitive data. The campaign involves a high-volume email blast from hundreds of compromised accounts, some previously linked to the FIN11 threat group. The emails contain contact addresses known to be listed on the Clop ransomware gang's data leak site. CrowdStrike attributes the exploitation of CVE-2025-61882 to the Cl0p ransomware gang with moderate confidence, and the first known exploitation occurred on August 9, 2025. The exploit involves an HTTP request to /OA_HTML/SyncServlet, resulting in an authentication bypass. Oracle has released an emergency patch for the zero-day vulnerability and shared indicators of compromise. The exploit was leaked by a group called Scattered Lapsus$ Hunters, raising questions about their potential collaboration with Clop. Envoy Air, a subsidiary of American Airlines, confirms that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its data leak site. Envoy Air stated that no sensitive or customer data was affected, but a limited amount of business information and commercial contact details may have been compromised. The Clop gang is also extorting Harvard University, with the university confirming that the incident impacts a limited number of parties associated with a small administrative unit. GlobalLogic, a digital engineering services provider, has notified over 10,000 current and former employees that their data was stolen in an Oracle E-Business Suite (EBS) data breach. The attackers exploited an Oracle EBS zero-day vulnerability (CVE-2025-61882) to steal personal information belonging to 10,471 employees. GlobalLogic's investigation identified access and exfiltration on October 9, 2025, with the earliest date of threat actor activity as July 10, 2025, and the most recent activity occurring on August 20, 2025. The stolen data includes names, addresses, phone numbers, emergency contact details, email addresses, dates of birth, nationalities, countries of birth, passport information, national identifiers or tax identifiers (e.g., Social Security Numbers), salary information, and bank account details. Clop has yet to add GlobalLogic to its leak site, suggesting the company is still negotiating with the threat group or has already paid a ransom. The Washington Post is also among the victims, with nearly 10,000 employees and contractors affected by the data breach. The hackers leveraged a then-zero-day vulnerability in Oracle E-Business Suite software, stole data, and attempted to extort the firm in late September. The compromised data includes full names, bank account numbers and routing numbers, Social Security numbers (SSNs), and tax and ID numbers. Logitech International S.A. confirmed a data breach after a cyberattack by the Clop extortion gang, which exploited a third-party zero-day vulnerability in Oracle E-Business Suite. Logitech filed a Form 8-K with the U.S. Securities and Exchange Commission confirming the data breach. The breach likely includes limited information about employees, consumers, customers, and suppliers, but not sensitive data like national ID numbers or credit card information. Clop added Logitech to its data-leak extortion site, leaking almost 1.8 TB of data allegedly stolen from the company. Logitech confirmed that the breach occurred through a third-party zero-day vulnerability that was patched as soon as a fix was available. Cox Enterprises detected a data breach in late September 2025, which occurred between August 9-14, 2025, due to a zero-day vulnerability in Oracle E-Business Suite. The Cl0p ransomware gang has taken credit for exploiting CVE-2025-61882 as a zero-day vulnerability in Oracle E-Business Suite. The threat actor added Cox Enterprises to their data leak website on the dark web on October 27 and published the stolen information. Cl0p listed 29 new companies as their victims earlier today, including major organizations in the automotive, software, and technology sectors. Cox Enterprises is offering identity theft protection and credit monitoring services through IDX at no cost for 12 months to 9,479 impacted individuals. Canon has confirmed being targeted in the recent Oracle E-Business Suite (EBS) hacking campaign. The incident is limited to a subsidiary of Canon U.S.A., Inc., and only affected the web server. Canon has taken security measures and resumed service, but is continuing to investigate further to ensure that there is no other impact. No Canon data has been leaked at the time of writing. Canon was previously targeted in a ransomware attack back in 2020, where hackers stole employee information from the firm’s systems. More than 100 organizations have been named to date on the Cl0p ransomware website as alleged victims of the campaign. Nearly half of the named organizations are major companies in sectors such as IT and telecoms, heavy industry and manufacturing, healthcare and pharma, retail, automotive and transportation, media, and energy and utilities. The United Kingdom’s National Health Service (NHS) is conducting an investigation but has yet to confirm a data breach. The list of big companies that have yet to publicly confirm a data breach includes Michelin, Broadcom, and Bechtel. Cl0p has been the public-facing group to take credit for the Oracle campaign, but an unknown cluster of a threat actor tracked as FIN11 is believed to be behind the attacks. FIN11 conducted similar campaigns targeting other widely used enterprise products in the past. Organizations are typically not listed on the Cl0p website without cause, but the actual scope of the breach may be exaggerated by the threat actors. Dartmouth College has disclosed a data breach after the Clop extortion gang leaked data allegedly stolen from the school's Oracle E-Business Suite servers on its dark web leak site. The private Ivy League research university, founded in 1769, has an endowment of $9 billion as of June 30, 2025, over 40 academic departments and programs, and more than 4,000 undergraduate students, with a 7:1 undergraduate-to-faculty ratio. In a breach notification letter filed with the office of Maine's Attorney General, Dartmouth says the attackers exploited an Oracle E-Business Suite (EBS) zero-day vulnerability to steal personal information belonging to 1,494 individuals. The total number of people potentially impacted by this data breach is likely much larger, given that the school is headquartered in Hanover, New Hampshire, and it hasn't yet filed a breach notice with the state's Attorney General. "Through the investigation, we determined that an unauthorized actor took certain files between August 9, 2025, and August 12, 2025. We reviewed the files and on October 30, 2025, identified one or more that contained your name and Social Security number," the college says in letters mailed to those affected by the data leak. In a separate appendix filed with Maine's AG, Dartmouth added that the threat actors also stole documents containing the financial account information of impacted individuals. A Dartmouth College spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today regarding the ransom demanded by the Clop gang and the total number of individuals impacted by the breach. The incident is part of a much larger extortion campaign in which the Clop ransomware gang has exploited a zero-day flaw (CVE-2025-61882) since early August 2025 to steal sensitive files from many victims' Oracle EBS platforms. While Clop has yet to disclose the total number of impacted organizations, Google Threat Intelligence Group chief analyst John Hultquist has told BleepingComputer that dozens of organizations were likely breached. The extortion group has also targeted Harvard University, The Washington Post, Logitech, GlobalLogic, and American Airlines subsidiary Envoy Air in this campaign, with their data also leaked online and now available for download via Torrent.

SonicWall has confirmed that all customers using its cloud backup service had firewall configuration files accessed by an unauthorized actor. The accessed backup files contain AES-256-encrypted credentials and configuration data, increasing the risk of targeted attacks. The breach, initially detected in early September 2025, was caused by brute-force attacks. SonicWall has advised customers to reset credentials, update secrets, and follow detailed guidance to mitigate potential risks. The company has cut off attackers' access and is collaborating with Mandiant and law enforcement agencies. Additionally, the Akira ransomware group has been targeting unpatched SonicWall devices, exploiting a year-old security flaw (CVE-2024-40766) and bypassing MFA on VPN accounts using previously stolen OTP seeds. There is no evidence that threat actors have leveraged exposed data against impacted customers in attacks at this time. In September 2025, SonicWall disclosed a security breach affecting MySonicWall accounts, resulting in the exposure of firewall configuration backup files for all customers using the cloud backup service. The breach, caused by a series of brute-force attacks, could facilitate easier exploitation of SonicWall firewalls by threat actors. SonicWall has advised customers to reset credentials, update secrets, and follow detailed guidance to mitigate potential risks. The company has cut off attackers' access and is collaborating with cybersecurity and law enforcement agencies. The exposed files may contain sensitive information, such as credentials and tokens, for services running on SonicWall devices. Additionally, the Akira ransomware group has been targeting unpatched SonicWall devices, exploiting a year-old security flaw (CVE-2024-40766) and bypassing MFA on VPN accounts using previously stolen OTP seeds. SonicWall confirmed that attackers accessed the API service for cloud backup and there is no evidence that threat actors have leveraged exposed data against impacted customers in attacks at this time. The threat actor UNC6148 has been deploying the OVERSTEP malware, a previously unknown persistent backdoor/user-mode rootkit, to maintain persistent access, steal sensitive credentials, and conceal its own components. The malware modifies the appliance's boot process to evade detection and hide files and activity. UNC6148 may have used an unknown zero-day remote code execution vulnerability to deploy OVERSTEP on SonicWall SMA appliances. Potential vulnerabilities exploited by UNC6148 include CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819. SonicWall has advised customers to look for signs of compromise, such as gaps or deletions in SMA logs, unexpected appliance reboots, persistent admin sessions, unauthorized configuration changes, and reoccurring access following patching or resets. CISA recommends upgrading firmware, replacing and rebuilding SMA 500v, resetting OTP bindings, enforcing MFA, resetting passwords, and replacing certificates with private keys stored on the appliance. Over 100 SonicWall SSL VPN accounts across 16 customer accounts have been compromised. The compromised accounts were accessed rapidly, indicating the use of valid credentials rather than brute-forcing. The compromised accounts were accessed from the IP address 202.155.8[.]73. In some cases, threat actors conducted network scanning and attempted to access local Windows accounts. Huntress has not found evidence linking the breach to the recent spike in compromises.

The **Gainsight cyber-attack** has expanded significantly, with Salesforce initially identifying **three impacted customers** but later confirming a **larger, unspecified number of victims** by **November 21, 2025**. Meanwhile, the **Scattered Lapsus$ Hunters (SLSH) alliance** has launched a **new phishing campaign targeting Zendesk users**, deploying over **40 typosquatted domains** (e.g., *znedesk[.]com*) and **malicious helpdesk tickets** to harvest credentials and deploy remote access trojans (RATs). The group’s tactics mirror those used in the **August 2025 Salesforce attacks**, with **deceptive SSO portals** and **social engineering lures** aimed at support staff. **Discord** has already confirmed a breach via its Zendesk-based support system, exposing user data including **names, emails, billing details, and government-issued IDs**. Gainsight’s breach involved **unauthorized access via an AT&T IP address on November 8**, preceded by reconnaissance from **3.239.45[.]43 on October 23** and approximately **20 suspicious intrusions between November 16–23** using **VPN services (Mullvad, Surfshark)** and the **Salesforce-Multi-Org-Fetcher/1.0 technique**—a method tied to the **Salesloft Drift breach**. Salesforce revoked all access tokens associated with Gainsight applications, while third-party vendors like **Gong.io, Zendesk, and HubSpot** severed integrations as a precaution. HubSpot confirmed no compromise of its infrastructure. Forensic investigations by **Mandiant** and Salesforce revealed the attackers exploited **compromised multifactor credentials** for VPN and system access. Customers were advised to **rotate S3 keys, reset NXT passwords, and re-authorize integrations** while adopting **Google Threat Intelligence Group (GTIG) mitigations**. The SLSH alliance has also unveiled a new **ransomware-as-a-service (RaaS) platform, ShinySp1d3r**, featuring **advanced anti-forensic capabilities**, network propagation tools, and **AI-enhanced modifications** of the **HellCat ransomware**. The platform is administered by **Saif Al-Din Khader (aka Rey)**, a core SLSH member who claims cooperation with law enforcement since June 2025. The group has been linked to **51 cyberattacks in the past year**, combining RaaS with extortion-as-a-service (EaaS) and insider recruitment to maximize impact. This attack follows a year-long pattern of **high-impact breaches** by ShinyHunters and Scattered Spider, including the **$107 million loss at the Co-operative Group (U.K.)**, **Jaguar Land Rover’s operational shutdown**, and breaches at **Allianz Life, Farmers Insurance, and Workday**, all exploiting **Salesforce platform vulnerabilities**. Despite arrests (e.g., **Scattered Spider members Owen Flowers and Thalha Jubair**) and shutdown claims, the threat persists, with **new victims emerging in critical sectors like rail transport (Almaviva/FS Italiane Group)** and now **Zendesk users**. Authorities, including the **FBI and U.K. NCA**, continue issuing alerts as the groups adapt tactics, leveraging **third-party IT providers, cloud-based CRM systems, and AI-enhanced tooling** to evade detection and scale operations.