For the latest discoveries in cyber research for the week of 20th October, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

F5 has disclosed a cyber attack, reportedly carried out by a nation-state actor with long-term, persistent access to critical product development environments. The attacker exfiltrated files that included portions of BIG-IP source code and information about undisclosed vulnerabilities. Some stolen files also contained data impacting a small percentage of customers.

A zero-day vulnerability in Oracle E-Business Suite servers (CVE-2025-61882), exploited by the Cl0p ransomware gang, caused two significant security incidents that were disclosed last week. Harvard University has suffered a data breach that resulted in sensitive information being stolen from a small administrative unit. Envoy Air, American Airlines’ largest regional carrier, has also confirmed a cyber attack leading to the theft of a limited amount of business and commercial data.
Check Point IPS provides protection against this threat (Oracle Concurrent Processing Remote Code Execution).

Australian airline Qantas has suffered a data breach that resulted in the leak of roughly 5 million customers’ personal details after attackers accessed a third-party platform integrated with Salesforce. The Scattered LAPSUS$ Hunters ransomware group is responsible for the attack.

Clothing retailer MANGO experienced a data breach following the compromise of a marketing vendor, which exposed customer information. The leaked data includes some personal details of customers but excludes financial details. No threat actor has claimed responsibility yet.

Sotheby’s, a major auctions and private sales corporation, has suffered a data breach involving the theft of sensitive employee information, including full names, Social Security numbers, and financial account details. No threat actor has claimed responsibility yet.

Dairy Farmers of America has been the victim of a cyber attack exposing personal data belonging to 4,546 employees and cooperative members. The breach disrupted operations across several manufacturing plants and was carried out through a sophisticated social engineering campaign. The Play ransomware gang claimed responsibility for the attack.
Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Ransomware.Win.Play; Ransomware.Wins.PLAY).

Michigan City, Indiana, has confirmed a ransomware attack that caused significant network disruption and led to the theft of 450 GB of municipal data, affecting both online and telephone services for city employees. The Obscura ransomware gang has taken responsibility, stating that all stolen data was leaked publicly after ransom demands were ignored. More than 30,000 residents were impacted as critical city operations and multiple government systems suffered widespread outages.

VULNERABILITIES AND PATCHES

Check Point Research has identified a security vulnerability in a Rust-based Windows kernel component function in the Graphics Device Interface (GDI). The vulnerability, exploitable from low-integrity user space on Windows 11 24H2, was reproducibly triggered through extensive fuzzing using mutated EMF+ samples containing malformed path data. Microsoft addressed this issue as a moderate-severity denial-of-service in OS Build 26100.4202 (KB5058499) by restructuring the affected function and adding internal checks, as confirmed by CPR’s technical analysis and proof-of-concept.

Microsoft’s October Patch Tuesday addressed 175 vulnerabilities, including three zero-days (CVE-2025-59230, CVE-2025-24990, and CVE-2025-47827) observed under active exploitation, where successful attacks could result in SYSTEM privileges or Secure Boot bypass in Windows and IGEL OS. Two critical 9.8-severity vulnerabilities were also fixed: CVE-2025-59287, enabling remote code execution via deserialization in Windows Server Update Service, and CVE-2025-59246, allowing privilege escalation in Azure Entra ID.
Check Point IPS blade provides protection against these threats (Microsoft Windows Remote Access Connection Manager Privilege Escalation (CVE-2025-59230); Agere Modem Driver Privilege Escalation (CVE-2025-24990); Microsoft Windows Server Update Service Remote Code Execution (CVE-2025-59287)).

A critical-severity HTTP request smuggling vulnerability, tracked as CVE-2025-55315 with a CVSS score of 9.9, was patched in ASP.NET Core’s Kestrel web server. Successful exploitation allows attackers to bypass security features, hijack user credentials, tamper with files, or trigger denial-of-service by smuggling malicious HTTP requests within legitimate ones. The vulnerability impacts multiple versions of ASP.NET Core and Visual Studio.

THREAT INTELLIGENCE REPORTS

Check Point Research has released an overview of phishing trends in Q3 2025, identifying Microsoft as the most impersonated brand in phishing campaigns, accounting for 40% of all brand spoofing attempts, followed by Google (9%) and Apple (6%). The tech sector led impersonation activity, while PayPal and DHL also returned to the top 10 list, reflecting increased targeting of financial and shipping services through convincing fraudulent login pages that harvest user credentials and sensitive personal data. Attackers leveraged legitimate branding and emotional triggers to deceive users into submitting information on fake sites mimicking trusted companies.

Over 266,000 F5 BIG-IP instances have been found exposed online following the disclosure of a security breach in which nation-state attackers accessed F5 source code and sensitive information about undisclosed BIG-IP vulnerabilities. The newly released patches address 44 vulnerabilities impacting products including BIG-IP, F5OS, BIG-IQ, and APM, with observed threat actor activity linked to the Chinese group UNC5291 and malware such as Brickstorm, Zipline, and Spawnant. Exploitation of these vulnerabilities could enable attackers to steal credentials and API keys, move laterally within affected networks, establish persistence, and exfiltrate sensitive data.

The post 20th October – Threat Intelligence Report appeared first on Check Point Research.