News Week: December 1st to December 7th, 2025

December 8, 2025

New Oracle-related breach highlights ongoing risks for higher education

The University of Pennsylvania has disclosed another security incident after unauthorized access to files stored in its Oracle E-Business Suite environment was identified. According to breach notifications, attackers exploited a previously unknown vulnerability to obtain documents containing personal identifiers, with at least 1,488 individuals confirmed as affected so far. The full scope may be broader, as the investigation is still ongoing. This incident follows an earlier breach reported in October 2025 and reflects a wider trend of attacks against academic institutions, particularly those managing alumni and development data. The campaign is believed to be linked to Clop, a ransomware group known for large-scale extortion operations involving zero-day flaws in enterprise software. While patches have been applied and no misuse of the data has been detected, the case underscores how vulnerabilities in widely used enterprise systems can expose sensitive information even in well-resourced organizations.

December Android update addresses exploited vulnerabilities at scale

Google has published its December 2025 security update for Android, resolving a total of 107 vulnerabilities across system components, the kernel, and third-party modules. Notably, the release includes fixes for two Android zero-day vulnerabilities that were already being exploited in limited, targeted attacks. These flaws affected devices running Android 13 through 16 and enabled information disclosure and privilege escalation under specific conditions. Although Google did not disclose technical details, similar issues in the past have been associated with highly targeted surveillance campaigns rather than mass exploitation. Beyond the actively abused bugs, the update also patches critical denial-of-service and kernel-level elevation-of-privilege weaknesses, including fixes affecting Qualcomm-based devices. Users are encouraged to apply updates promptly, keep Play Protect enabled, and consider replacing unsupported devices, as timely patching remains one of the most effective defenses against zero-day abuse on Android.

Record-breaking botnet activity exposes limits of current defenses

Security researchers have linked a new record-setting attack to the Aisuru botnet, which recently generated a distributed denial-of-service incident peaking at 29.7 terabits per second. The attack, mitigated within just over a minute, relied on millions of compromised routers and IoT devices that flooded targets with massive volumes of UDP traffic across thousands of ports. Analysis shows that this was not an isolated case: in only three months, Aisuru was responsible for more than 1,300 large-scale attacks, many exceeding thresholds considered hyper-volumetric. Such activity demonstrates how rented botnet infrastructure can rapidly overwhelm networks, sometimes even impacting upstream internet providers that were not directly targeted. With attacks often lasting only seconds or minutes, response windows are extremely narrow, while recovery can take far longer. The continued rise of DDoS activity at this scale highlights the growing risk to hosting providers, telecoms, and critical online services.

Third-party software breach ripples through the US banking sector

A significant security incident at Marquis Software Solutions has had wide-reaching consequences for the US financial sector, with more than 74 banks and credit unions affected. The breach originated in August 2025 after attackers gained access through a compromised firewall, allowing them to exfiltrate files containing sensitive customer data provided by Marquis’ clients. Exposed information reportedly included names, contact details, Social Security numbers, and financial account data, impacting hundreds of thousands of individuals nationwide. Although no confirmed misuse has been reported, regulatory filings suggest a ransom payment may have been made to prevent data disclosure, a tactic commonly associated with ransomware gangs. Subsequent security improvements point to VPN-based intrusion methods, aligning with known attack patterns linked to Akira ransomware. The incident highlights how vulnerabilities at service providers can cascade across regulated industries, reinforcing the importance of robust vendor risk management and timely security hardening.

Ransomware incident disrupts pharmaceutical research operations

US-based pharmaceutical research company Inotiv has confirmed that a ransomware attack in August 2025 led to the theft of personal data belonging to thousands of individuals. The intrusion temporarily shut down parts of the company’s IT environment, affecting internal applications, databases, and overall business continuity. After completing system restoration, Inotiv began notifying 9,542 affected people, including current and former employees, family members, and other individuals connected to the company or its acquisitions. While the firm has not publicly detailed the specific data types involved or formally named the attackers, the Qilin ransomware group has claimed responsibility and published sample data to support its claim. The group operates under a ransomware-as-a-service (RaaS) model, enabling affiliates to conduct attacks using shared infrastructure and tooling. This case illustrates how ransomware incidents in the pharmaceutical sector can extend beyond operational disruption to long-term data exposure and regulatory obligations.

Critical framework vulnerability triggers rapid, global exploitation

A newly disclosed security flaw affecting applications built with React Server Components has quickly escalated into a widespread threat. The vulnerability, tracked as CVE-2025-55182, allows unauthenticated attackers to achieve remote code execution through a single crafted HTTP request, putting tens of thousands of internet-facing systems at risk. Security monitoring groups estimate that more than 77,000 IP addresses remain exposed, and confirmed breaches already span over 30 organizations across different industries. Shortly after a public proof of concept was released, automated scanning and exploitation surged, with attackers first testing systems using simple commands before deploying more advanced payloads. Some intrusions have been linked to state-associated threat actors conducting reconnaissance and credential harvesting. Given the speed and scale of exploitation, defenders are under pressure to patch, rebuild, and redeploy affected applications while reviewing logs for suspicious command execution that may indicate prior compromise.

Conclusion

Taken together, these incidents highlight how diverse and fast-moving today’s threat landscape has become, spanning ransomware campaigns, zero-day exploitation, supply chain breaches, and record-breaking DDoS attacks. Organizations across education, finance, healthcare, and technology are increasingly exposed to systemic risks, where a single vulnerability or third-party compromise can have widespread consequences. Proactive patching, continuous monitoring, and well-prepared response plans are no longer optional; they are essential for limiting operational disruption and data loss.

As ransomware and cybersecurity experts, we support organizations before, during, and after an attack with professional Ransomware Recovery Services, strategic Ransomware Negotiation Services, and ongoing preparedness through an Incident Response Retainer.

If your organization is facing an active incident or wants to strengthen its resilience against future attacks, now is the right time to speak with experienced specialists.