
AI-Generated Scams on the Rise

Kyle Gill, Information Security Officer

👁️‍🗨️At a Glance

  • Attack tempo remains elevated (≈2,200+ global cyberattacks per day).
  • High-impact incidents this period include: F5 BIG-IP source code theft (nation-state), Oracle EBS 0‑day exploitation attributed to CL0P, on‑prem SharePoint 0‑days used to drop Warlock ransomware, and Qilin’s claim against Volkswagen Group France.
  • Microsoft’s October Patch Tuesday fixed 170+ flaws with six 0‑days; urgent patching and compensating controls are recommended for Windows, Office, and WSUS.
  • Ransomware activity continues upward: publicly disclosed incidents hit a record in Q3 2025 (+36% YoY).
  • AI is accelerating social engineering and detection evasion; 68% of analysts report AI‑generated phishing is harder to detect, while ~25% of enterprises have experienced AI‑generated attacks in the last year.

🔦Threat Landscape Spotlight

2,200+ daily global cyberattacks (est.). Source: DemandSage, Digital Silk.

⚠️Priority Incidents Oct. 16-22, 2025

  1. F5 breach: BIG-IP source code & vulnerability info exfiltrated (nation-state)
    • Long-term access to the BIG-IP development environment; source code and undisclosed vulnerability information were stolen. Agency directives (CISA emergency directive) urge rapid patching and hardening of management interfaces.
    • Mitigation: Apply F5 October updates; disable public management interfaces; follow F5's threat hunting guidance.
  2. Oracle E-Business Suite zero-days exploited in mass extortion (CL0P)
    • CVE‑2025‑61882 (RCE, unauthenticated) actively exploited; Oracle issued emergency fixes; CISA added CVE‑2025‑61884 to KEV.
    • Mitigation: Patch immediately; review Oracle’s IOCs; retrospectively hunt for access from July–Oct 2025.
  3. On‑prem SharePoint zero‑days (“ToolShell”) leading to Warlock ransomware
    • Chains involving CVE‑2025‑49704/49706 and related CVE‑2025‑53770/53771 used by Chinese clusters (incl. Storm‑2603) to deploy Warlock; widespread compromises of internet‑facing servers.
    • Mitigation: Apply cumulative SharePoint updates; remove public exposure; rotate MachineKeys; restart IIS; hunt for web shells (spinstall*.aspx).
  4. Volkswagen Group France claimed by Qilin (data exfiltration/extortion)
    • Qilin listed ~150 GB allegedly stolen (customer/employee/vehicle data). VW investigating.
    • Mitigation: Third‑party due diligence for automotive partners; monitor for data exposure; prepare comms playbooks.
  5. Michigan City, Indiana — Obscura ransomware
    • City confirmed ransomware with ~450 GB data theft; services impacted then restored; data published after nonpayment.
    • Mitigation: Segmentation for municipal/OT; immutable backups; tabletop for extortion scenarios.
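The SharePoint item above (item 3) recommends hunting for `spinstall*.aspx` web shells after applying the cumulative updates. Below is an added hunting routine, written for this newsletter and not taken from Microsoft or any vendor tooling, that walks a LAYOUTS directory and flags any `.aspx` file that either matches the known ToolShell file-name pattern or is absent from a build baseline of shipped pages. The directory tree, the baseline set, and the file contents are constructed for the demo; on a real server you would point `hunt_layouts` at the SharePoint `TEMPLATE\LAYOUTS` folder and build the baseline from a clean install of the same patch level. Rotating MachineKeys and restarting IIS remain separate runbook steps.

```python
import fnmatch
import shutil
import tempfile
from pathlib import Path

# File-name pattern reported for the ToolShell web shells (see the SharePoint item above).
KNOWN_SHELL_PATTERNS = ["spinstall*.aspx"]


def hunt_layouts(layouts_dir, baseline):
    """Return (relative_path, reason) for suspicious .aspx files under layouts_dir.

    A file is suspicious if its name matches a known web shell pattern, or if it is
    not in `baseline` (the set of .aspx paths a clean install of this build ships).
    """
    layouts_dir = Path(layouts_dir)
    findings = []
    for path in layouts_dir.rglob("*.aspx"):
        rel = path.relative_to(layouts_dir).as_posix()
        name = path.name.lower()
        if any(fnmatch.fnmatch(name, pat) for pat in KNOWN_SHELL_PATTERNS):
            findings.append((rel, "matches known web shell name"))
        elif rel not in baseline:
            findings.append((rel, "not in build baseline"))
    return sorted(findings)


def build_demo_tree():
    """Create a constructed LAYOUTS tree (hypothetical, not a real SharePoint install).

    Two files stand in for shipped pages, one uses the ToolShell name pattern, and one
    is an unexpected extra page. The contents are inert placeholder comments.
    """
    root = Path(tempfile.mkdtemp(prefix="layouts_demo_"))
    layouts = root / "TEMPLATE" / "LAYOUTS"
    (layouts / "15").mkdir(parents=True)
    (layouts / "error.aspx").write_text("<%-- constructed: shipped page --%>")
    (layouts / "15" / "settings.aspx").write_text("<%-- constructed: shipped page --%>")
    (layouts / "spinstall0.aspx").write_text("<%-- constructed: placeholder --%>")
    (layouts / "15" / "debug_helper.aspx").write_text("<%-- constructed: placeholder --%>")
    baseline = {"error.aspx", "15/settings.aspx"}  # what the clean build ships
    return layouts, baseline


if __name__ == "__main__":
    layouts, baseline = build_demo_tree()
    try:
        for rel, reason in hunt_layouts(layouts, baseline):
            print(f"SUSPICIOUS {rel}: {reason}")
    finally:
        shutil.rmtree(layouts.parent.parent)
```

The baseline comparison matters as much as the name match: a web shell renamed to something innocuous still shows up as a file the build never shipped.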

🔧Patching & Vulnerabilities — Changes This Week

  • Microsoft October Patch Tuesday: 170+ CVEs, 6 zero‑days (incl. Agere Modem driver EoP removal; RASMan EoP; Secure Boot bypass in IGEL OS). Prioritize WSUS RCE (CVE‑2025‑59287) and Office RCE via Preview Pane (CVE‑2025‑59227/59234).

📈Current Cyberthreat Trends

AI threat signals: 68% say AI‑phishing is harder to detect (SQ Magazine); ~25% report AI‑generated attacks seen (Team8 CISO survey).
Implications: Upgrade email controls with advanced content analysis and identity signal checks; deploy voice‑biometrics challenge for high‑risk approvals; train staff with AI‑simulated lures.
Publicly disclosed ransomware incidents: +36% YoY (Q3). Source: BlackFog via TechRepublic.

Zero‑day clusters shaping this period: Microsoft (6), Oracle EBS (2), SharePoint ToolShell (2).

Ransomware Incidents (chart): relative impact based on major incidents observed this period (F5, VW France, Michigan City, Oracle EBS).

🚩Insider Threat Indicators

  • Ransomware crews increasingly recruit insiders to sell access. Indicators: sudden privilege escalations, anomalous data staging to non‑production shares, unusual after‑hours authentication from on‑prem to cloud, and DLP alerts on HR/Finance exports.

👥Third‑Party Risk Insights

  • Technology supply chain: F5 breach underlines exposure of widely deployed appliances; ensure no public management interfaces and validate patch level.
  • ERP stack: Oracle EBS zero‑day exploitation shows the risk in internet‑facing ERP portals; require attestation of emergency CPU application and logging of BI Publisher/Concurrent Manager access.

📊User Behavior Analytics (UBA) — What to Watch

  • Spikes in failed VPN logins followed by successful RASMan service elevation (post‑Patch Tuesday).
  • Mass SharePoint file enumerations and .aspx uploads to TEMPLATE/LAYOUTS/.
  • Unusual SQL queries targeting ERP financial tables post‑patch.
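The UBA watch items above, together with the insider-threat indicators earlier on this page (after-hours authentication from on-prem to cloud), are the kind of pattern a SIEM rule or a small script can surface. The following detection logic is an added example written for this newsletter, not a vendor rule set; the log format and every event in `SAMPLE_LOG` are constructed (the usernames, IPs and timestamps are placeholders). It implements three detectors: a burst of failed VPN logins followed by a success for the same user, an `.aspx` write under `TEMPLATE/LAYOUTS/` (with the `spinstall*.aspx` ToolShell name called out separately), and cloud authentication from on-prem identity outside business hours.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real logs). One event per line:
#   <ISO timestamp> <source> <user> <action> <detail>
SAMPLE_LOG = """\
2025-10-20T08:01:10 vpn alice login_failed src=203.0.113.5
2025-10-20T08:01:15 vpn alice login_failed src=203.0.113.5
2025-10-20T08:01:21 vpn alice login_failed src=203.0.113.5
2025-10-20T08:01:27 vpn alice login_failed src=203.0.113.5
2025-10-20T08:01:33 vpn alice login_failed src=203.0.113.5
2025-10-20T08:01:40 vpn alice login_success src=203.0.113.5
2025-10-20T09:15:02 sharepoint svc_sp file_upload path=/_layouts/15/TEMPLATE/LAYOUTS/spinstall0.aspx
2025-10-20T09:16:44 sharepoint bob file_upload path=/sites/hr/Shared Documents/budget.xlsx
2025-10-20T23:42:09 onprem_ad carol auth_to_cloud app=ExchangeOnline
2025-10-20T14:05:00 onprem_ad dave auth_to_cloud app=ExchangeOnline
2025-10-20T10:00:00 vpn erin login_failed src=198.51.100.7
2025-10-20T10:00:05 vpn erin login_success src=198.51.100.7
"""

# Any .aspx written under TEMPLATE/LAYOUTS (either path separator) is unusual; the
# spinstall* name is the specific pattern reported for ToolShell web shells.
LAYOUTS_ASPX = re.compile(r"TEMPLATE[\\/]LAYOUTS[\\/].*\.aspx$", re.IGNORECASE)
TOOLSHELL_NAME = re.compile(r"spinstall[^\\/]*\.aspx$", re.IGNORECASE)


def parse_events(text):
    """Parse the constructed log format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, source, user, action, detail = line.split(" ", 4)
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "user": user, "action": action, "detail": detail})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_vpn_bruteforce_success(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a VPN success preceded by >= threshold failures for that user within window."""
    hits = []
    for i, ev in enumerate(events):
        if ev["source"] != "vpn" or ev["action"] != "login_success":
            continue
        failures = sum(
            1 for prev in events[:i]
            if prev["source"] == "vpn" and prev["user"] == ev["user"]
            and prev["action"] == "login_failed" and ev["ts"] - prev["ts"] <= window
        )
        if failures >= threshold:
            hits.append((ev["user"], failures))
    return hits


def detect_layouts_aspx_upload(events):
    """Flag file_upload events that place an .aspx under TEMPLATE/LAYOUTS."""
    hits = []
    for ev in events:
        if ev["action"] != "file_upload":
            continue
        path = ev["detail"].split("=", 1)[-1]
        if LAYOUTS_ASPX.search(path):
            reason = ("known ToolShell web shell name" if TOOLSHELL_NAME.search(path)
                      else "aspx written under LAYOUTS")
            hits.append((ev["user"], path, reason))
    return hits


def detect_after_hours_cloud_auth(events, business_start=7, business_end=19):
    """Flag on-prem identities authenticating to cloud apps outside business hours."""
    return [(ev["user"], ev["ts"].isoformat()) for ev in events
            if ev["source"] == "onprem_ad" and ev["action"] == "auth_to_cloud"
            and not (business_start <= ev["ts"].hour < business_end)]


def run_all(text):
    """Run every detector over a log text and return the findings by rule name."""
    events = parse_events(text)
    return {
        "vpn_bruteforce_then_success": detect_vpn_bruteforce_success(events),
        "layouts_aspx_upload": detect_layouts_aspx_upload(events),
        "after_hours_cloud_auth": detect_after_hours_cloud_auth(events),
    }


if __name__ == "__main__":
    for rule, findings in run_all(SAMPLE_LOG).items():
        print(rule, findings)
```

The window and threshold for the VPN rule are tunable; the point of pairing failures with a later success (rather than alerting on failures alone) is to cut noise from ordinary password typos while still catching the spray-then-land pattern.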

🛡️Recommended Actions: Next 7-14 days

  1. F5 hardening & patching: inventory, remove public mgmt interfaces, apply October updates, and follow CISA ED deadlines.
  2. Oracle EBS: apply CVE‑2025‑61882/61884 fixes; review IOCs; restrict external access; enforce SSO+MFA.
  3. SharePoint on‑prem: apply cumulative updates; pull from internet; rotate MachineKeys; restart IIS; hunt for spinstall*.aspx and odd w3wp child processes.
  4. Windows & Office: prioritize October zero‑days; mitigate WSUS RCE; disable Office Preview Pane where feasible.
  5. Email & Identity: enable advanced phishing controls, DMARC p=reject, conditional access with phishing‑resistant MFA.
  6. Backups & DR: verify immutability and offline copies; rehearse ransomware recovery; ensure rapid restoration SLAs.
  7. UBA & DLP: enable anomaly detections on data staging; monitor executives and finance users for deepfake/vishing attempts.
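Item 5 above calls for DMARC at `p=reject`. A domain can publish a DMARC record and still be effectively unenforced (p=none, a reduced pct=, or a weaker subdomain policy), so a checker is useful when auditing many domains. The example below is added to this newsletter and is not tooling from any vendor named on the page: it parses a DMARC TXT record into tags and lists the ways it falls short of the recommended posture. Both records and the `example.com` reporting address are constructed; looking up the live record via DNS is left out so the check runs offline.

```python
# Constructed records: one weak, one matching the recommended posture.
WEAK_RECORD = "v=DMARC1; p=none; pct=50; sp=quarantine"
HARDENED_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; raise ValueError if it is not one."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


def assess_dmarc(record):
    """Return the list of weaknesses relative to p=reject, full coverage, reporting on."""
    tags = parse_dmarc(record)
    issues = []
    if tags["p"] != "reject":
        issues.append(f"policy is p={tags['p']}, not reject")
    # sp= defaults to the organizational policy when absent (RFC 7489).
    subdomain_policy = tags.get("sp", tags["p"])
    if subdomain_policy != "reject":
        issues.append(f"subdomain policy sp={subdomain_policy} is weaker than reject")
    # pct= defaults to 100; anything lower leaves a share of failing mail unenforced.
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct} leaves {100 - pct}% of failing mail unenforced")
    if "rua" not in tags:
        issues.append("no rua= aggregate reporting address, so enforcement is blind")
    return issues


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        print(label, rec)
        for issue in assess_dmarc(rec) or ["no issues"]:
            print("  -", issue)
```

Run it against each sending domain's published TXT record at `_dmarc.<domain>`; an empty issue list is the target state, and the `rua=` check matters because moving to reject without aggregate reports hides legitimate senders that were never aligned.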