17th November – Threat Intelligence Report

For the latest discoveries in cyber research for the week of 17th November, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

Cl0p’s Oracle E-Business Suite (CVE-2025-61882) zero-day campaign continues to expand, with newly confirmed breaches at The Washington Post, Logitech, Allianz UK, and GlobalLogic, and a newly listed but unconfirmed victim, the British National Health Service (NHS). The group has leaked data sets ranging from gigabytes to terabytes and is sending extortion emails to Oracle EBS customers. Oracle has issued emergency patches, but investigations indicate exploitation began months before disclosure.

Check Point IPS provides protection against this threat (Oracle Concurrent Processing Remote Code Execution)

Payment processor Checkout.com has disclosed a data breach by the ShinyHunters threat group. Attackers accessed documents from a legacy cloud storage system that had not been properly decommissioned, potentially affecting about 25% of current merchants; no payment card numbers or funds were compromised. The company is notifying impacted parties and regulators.

Food delivery company DoorDash has confirmed a data breach after an employee fell victim to a social engineering scam. Contact details, including names, physical addresses, email addresses, and phone numbers, were accessed for users in the US, Canada, Australia, and New Zealand.

A ransomware group dubbed “J Group” claims to have breached Australian engineering firm IKAD, reportedly exfiltrating 800GB of data after exploiting a VPN flaw and maintaining undetected access for five months. IKAD confirmed a cyber incident and the theft of non-sensitive contract and HR information, while denying any exposure of classified defence data.

Pro-Russian group NoName057(16) launched DDoS attacks that disrupted Danish government, municipal, and defense-related websites, including the Ministry of Transport, Borger.dk, and Terma. The outages were brief with no data loss, and the activity aligns with wider pro-Russia targeting of European institutions.

Port Alliance, a Russian port operator handling coal and fertilizer exports, has reported three days of cyberattacks combining DDoS and attempted network intrusions. Terminals remain operational, but digital services were disrupted by a botnet of more than 15,000 rotating IP addresses. The goal of the attack was to destabilize operations and disrupt business processes.

Princeton University disclosed a breach of its Advancement database on November 10; the attackers had access for less than 24 hours before being removed. The compromised database contained names, contact information, and fundraising records for alumni, donors, faculty, students, and parents, but no Social Security numbers, passwords, or financial information.

VULNERABILITIES AND PATCHES

Microsoft’s November Patch Tuesday addressed 63 vulnerabilities, including an actively exploited Windows zero-day, CVE-2025-62215, a kernel privilege escalation flaw used to gain admin access. It also addressed CVE-2025-60724, a critical GDI+ vulnerability (CVSS 9.8) enabling remote code execution via malicious documents or uploaded files, affecting Windows and Office.

Check Point IPS provides protection against this threat (Microsoft Windows Kernel Privilege Escalation (CVE-2025-62215))

Researchers uncovered that CVE-2025-20337 and CVE-2025-5777, critical flaws in Cisco Identity Services Engine and Citrix NetScaler, were exploited as zero-days against internet-facing systems. The flaws enable unauthenticated remote code execution, administrator-level access, and deployment of custom in-memory web shells. Exploitation began before disclosure and before complete patches were available.

Check Point IPS provides protection against these threats (Cisco Identity Services Engine Remote Code Execution (CVE-2025-20337), Citrix NetScaler Out-of-Bounds Read (CVE-2025-5777))

Researchers analyzed CVE-2025-12480, a critical authentication bypass in the Gladinet Triofox enterprise file sharing platform (CVSS 9.1). Attackers are actively exploiting it to create admin accounts and run code via the platform’s built-in antivirus feature, installing remote access tools and tunneling RDP.

Check Point IPS provides protection against this threat (Gladinet Triofox Authentication Bypass (CVE-2025-12480))

THREAT INTELLIGENCE REPORTS

Check Point Research reports on a fragmented ransomware landscape in Q3 2025, with 85 active groups and 1,592 victims listed across leak sites, averaging 535 victims per month. Qilin led activity while LockBit 5.0 returned, signaling potential recentralization. Manufacturing and business services remained the most affected sectors.

Check Point Research published its October 2025 global threat report, highlighting a continued rise in cyberattacks, with organizations averaging 1,938 weekly attacks (+5% YoY) and ransomware incidents surging 48% YoY. The report also notes escalating GenAI-related data leakage risks, with 1 in 44 enterprise prompts exposing sensitive information.

Check Point researchers analyzed a phishing campaign abusing Meta’s Facebook Business Suite and the facebookmail.com domain to deliver convincing fake notifications. More than 40,000 emails targeted over 5,000 organizations across the US, Europe, Canada, and Australia, focusing on SMBs in advertising-reliant sectors, bypassing email filters, and directing victims to credential-harvesting sites.

Check Point researchers profiled the Payroll Pirates, a malvertising network impersonating payroll systems, credit unions, and trading platforms in the US. Using Google and Microsoft ads, cloaking, and Telegram bots to bypass authentication codes, it has targeted over 200 interfaces and lured more than 500,000 users, with activity spiking in September 2025.

The post 17th November – Threat Intelligence Report appeared first on Check Point Research.