AI-Generated Scams on the Rise

👁️‍🗨️At a Glance

• Attack tempo remains elevated (≈2,200+ global cyberattacks per day).
• High-impact incidents this period include: F5 BIG-IP source code theft (nation-state), Oracle EBS 0‑day exploitation attributed to CL0P, on‑prem SharePoint 0‑days used to drop Warlock ransomware, and Qilin’s claim against Volkswagen Group France.
• Microsoft’s October Patch Tuesday fixed 170+ flaws with six 0‑days; urgent patching and compensating controls are recommended for Windows, Office, and WSUS.
• Ransomware activity continues upward: publicly disclosed incidents hit a record in Q3 2025 (+36% YoY).
• AI is accelerating social engineering and detection evasion; 68% of analysts report AI‑generated phishing is harder to detect, while ~25% of enterprises have experienced AI‑generated attacks in the last year.

🔦Threat Landscape Spotlight

⚠️Priority Incidents— Oct. 16-22, 2025

1. F5 breach: BIG-IP source code & vulnerability info exfiltrated (nation-state)
   • Long-term access to BIG-IP dev environment; source code and undisclosed vuln info stolen. Agency directives urge rapid patching and hardening of management interfaces.
   • Mitigation: Apply F5 October updates; disable public mgmt interfaces; follow threat hunting guidance
2. Oracle E-Business Suite zero-days exploited in mass extortion (CL0P)
   • CVE‑2025‑61882 (RCE, unauthenticated) actively exploited; Oracle issued emergency fixes; CISA added CVE‑2025‑61884 to KEV.
   • Mitigation: Patch immediately; review Oracle’s IOCs; retrospectively hunt for access from July–Oct 2025.
     
3. On‑prem SharePoint zero‑days (“ToolShell”) leading to Warlock ransomware
   • Chains involving CVE‑2025‑49704/49706 and related CVE‑2025‑53770/53771 used by Chinese clusters (incl. Storm‑2603) to deploy Warlock; widespread compromises of internet‑facing servers.
   • Mitigation: Apply cumulative SharePoint updates; remove public exposure; rotate MachineKeys; restart IIS; hunt for web shells (spinstall*.aspx).
4. Volkswagen Group France claimed by Qilin (data exfiltration/extortion)
   • Qilin listed ~150 GB allegedly stolen (customer/employee/vehicle data). VW investigating.
   • Mitigation: Third‑party due diligence for automotive partners; monitor for data exposure; prepare comms playbooks.
5. Michigan City, Indiana — Obscura ransomware
   • City confirmed ransomware with ~450 GB data theft; services impacted then restored; data published after nonpayment.
   • Mitigation: Segmentation for municipal/OT; immutable backups; tabletop for extortion scenarios.

🔧Patching & Vulnerabilities — Changes This Week

• Microsoft October Patch Tuesday: 170+ CVEs, 6 zero‑days (incl. Agere Modem driver EoP removal; RASMan EoP; Secure Boot bypass in IGEL OS). Prioritize WSUS RCE (CVE‑2025‑59287) and Office RCE via Preview Pane (CVE‑2025‑59227/59234).
  
  

📈Current Cyberthreat Trends

1. F5 hardening & patching: inventory, remove public mgmt interfaces, apply October updates, and follow CISA ED deadlines.
2. Oracle EBS: apply CVE‑2025‑61882/61884 fixes; review IOCs; restrict external access; enforce SSO+MFA.
3. SharePoint on‑prem: apply cumulative updates; pull from internet; rotate MachineKeys; restart IIS; hunt for spinstall*.aspx and odd w3wp child processes.
4. Windows & Office: prioritize October zero‑days; mitigate WSUS RCE; disable Office Preview Pane where feasible.
5. Email & Identity: enable advanced phishing controls, DMARC p=reject, conditional access with phishing‑resistant MFA.
6. Backups & DR: verify immutability and offline copies; rehearse ransomware recovery; ensure rapid restoration SLAs.
7. UBA & DLP: enable anomaly detections on data staging; monitor executives and finance users for deepfake/vishing attempts.