Oracle hack, North Korean Hackers, Critical Flaw in Apache
Notable news by F5 SIRT This Week in Security, March 30th to April 5th.
The news this week captures the dynamic nature of the cybersecurity field, where the interplay between cyber threats and defense mechanisms ensures continuous engagement for professionals. The demand for skilled cybersecurity experts remains robust, with projections indicating a 33% growth in employment for information security analysts from 2023 to 2033, significantly outpacing the average for all occupations. This trend underscores the ongoing need for vigilance and expertise in safeguarding digital assets, highlighting that cybersecurity is not just about keeping professionals occupied, but is essential for protecting critical information in our increasingly digital world.
Until next time, keep it safe.
Lior
Oracle Confirms Cloud Hack
Oracle has confirmed suffering a data breach, but the tech giant is apparently trying to downplay the impact of the incident.
Oracle has privately confirmed to some customers that certain cloud systems were breached, despite its earlier public denials. A hacker known as 'rose87168' claimed to have accessed data from over 140,000 Oracle Cloud tenants, including encrypted credentials, and initially sought a $20 million ransom before offering the data for sale.
The hacker provided evidence such as customer data samples and internal Oracle recordings. Security firms and some customers have verified the authenticity of the leaked data. Oracle has reportedly informed affected clients that the breach involved a legacy system inactive for eight years, suggesting minimal risk, though some compromised credentials date as recently as 2024. The FBI and cybersecurity firm CrowdStrike are investigating the incident.
https://www.securityweek.com/oracle-confirms-cloud-hack/
Call Records of Millions Exposed by Verizon App Vulnerability
A patch has been released for a serious information disclosure vulnerability affecting a Verizon call filtering application.
A vulnerability in Verizon's Call Filter iOS application could have allowed unauthorized access to incoming call records of potentially all Verizon Wireless customers. Discovered by cybersecurity researcher Evan Connelly and reported on February 22, 2025, the flaw resided in the app's server request mechanism, which failed to verify that the phone number in a data request belonged to the authenticated user.
This oversight could have enabled attackers to retrieve incoming call records, including phone numbers and timestamps, by specifying any arbitrary phone number. Verizon, which has over 140 million subscribers, addressed the issue by mid-March through a patch implemented by the third-party developer of the application. The company stated that there was no indication the flaw had been exploited.
https://www.securityweek.com/call-records-of-millions-exposed-by-verizon-app-vulnerability/
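The missing check described above, shown as an added example rather than Verizon's or the app developer's code: a handler that trusts the phone number in the request beside one that requires the number to belong to the authenticated account. The account table, call log, session shape and function names are hypothetical.

```javascript
// Constructed data: phone lines owned by each account (hypothetical schema).
const ACCOUNT_LINES = new Map([
  ["acct-1001", new Set(["+15555550101", "+15555550102"])],
  ["acct-2002", new Set(["+15555550199"])],
]);

// Constructed incoming-call history, keyed by the receiving number.
const CALL_LOG = new Map([
  ["+15555550101", [{ from: "+15555550150", at: "2025-02-20T14:03:00Z" }]],
  ["+15555550199", [{ from: "+15555550177", at: "2025-02-21T09:41:00Z" }]],
]);

// Reduce user-supplied formats ("(555) 555-0101", "1-555-555-0101") to one form
// so the ownership comparison cannot be sidestepped by formatting differences.
function normalizeNumber(raw) {
  const digits = String(raw || "").replace(/\D/g, "");
  if (digits.length === 10) return "+1" + digits;
  if (digits.length === 11 && digits.startsWith("1")) return "+" + digits;
  return null;
}

// Weak form: the lookup key comes straight from the request, so any
// authenticated session can read the history of any number.
function getCallsUnchecked(session, requestedNumber) {
  if (!session) return { status: 401, calls: [] };
  const number = normalizeNumber(requestedNumber);
  return { status: 200, calls: CALL_LOG.get(number) || [] };
}

// Corrected form: the requested number must be a line on the session's account.
function getCallsChecked(session, requestedNumber) {
  if (!session) return { status: 401, calls: [] };
  const number = normalizeNumber(requestedNumber);
  const owned = ACCOUNT_LINES.get(session.accountId) || new Set();
  if (number === null || !owned.has(number)) {
    // Same answer whether or not the number exists, so nothing is disclosed.
    return { status: 403, calls: [] };
  }
  return { status: 200, calls: CALL_LOG.get(number) || [] };
}
```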
North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages
North Korean threat actors involved in the "Contagious Interview" campaign have expanded their operations by publishing 11 malicious npm packages designed to distribute the BeaverTail malware and a new remote access trojan (RAT) loader. These packages were collectively downloaded over 5,600 times before removal.
These packages masquerade as utilities and debuggers, employing hexadecimal string encoding to evade detection. Notably, some are linked to Bitbucket repositories, with directories named to suggest job interview themes, indicating a tactic to lure developers. The malicious code functions as a RAT loader, capable of fetching and executing remote JavaScript, allowing attackers to deploy additional malware. This activity underscores the persistent and evolving strategies of the threat actors in targeting software supply chains.
https://thehackernews.com/2025/04/north-korean-hackers-deploy-beavertail.html
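One way to triage a package for the hexadecimal string encoding described above, as an added example that is not code from the article or from the packages it covers: it decodes hex-escaped and bare-hex string literals and marks those that resolve to code-loading, execution or URL text. The sample source, the `h()` decoder name and the keyword list are constructed assumptions.

```javascript
// Decoded values that look like code loading, execution or a remote URL.
const SUSPICIOUS = [/^require$/, /^eval$/, /^child_process$/, /^https?:\/\//i];

function decodeHex(hex) {
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

function findHexEncodedStrings(source) {
  const findings = [];
  const literal = /(["'])((?:\\.|(?!\1)[^\\\n])*)\1/g; // quoted string literals
  let m;
  while ((m = literal.exec(source)) !== null) {
    const body = m[2];
    let decoded = null;
    if (/^(?:\\x[0-9a-fA-F]{2})+$/.test(body)) {
      decoded = decodeHex(body.replace(/\\x/g, "")); // "\x72\x65..." escapes
    } else if (/^(?:[0-9a-fA-F]{2}){4,}$/.test(body)) {
      decoded = decodeHex(body); // bare hex handed to a decoder helper
    }
    // Skip literals that are not hex or that decode to non-printable bytes.
    if (decoded === null || !/^[\x20-\x7e]+$/.test(decoded)) continue;
    findings.push({
      line: source.slice(0, m.index).split("\n").length,
      decoded,
      suspicious: SUSPICIOUS.some((re) => re.test(decoded)),
    });
  }
  return findings;
}

// Constructed sample (not from any real package); h() is a hypothetical decoder.
const SAMPLE = [
  'const a = "\\x72\\x65\\x71\\x75\\x69\\x72\\x65";',
  'const u = h("68747470733a2f2f6578616d706c652e696e76616c69642f6a");',
  'const e = h("6576616c");',
  'const tag = "68656c6c6f";',
  'const id = "deadbeef00112233";',
  'const label = "debug helper";',
].join("\n");

function scanSample() {
  return findHexEncodedStrings(SAMPLE);
}
```

Findings marked `suspicious: false` are printable but harmless decodes, which keeps the reviewer's attention on literals that hide loader-style text.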
Lazarus Group Targets Job Seekers With ClickFix Tactic to Deploy GolangGhost Malware
The North Korean Lazarus Group has launched a campaign targeting job seekers in the cryptocurrency sector by impersonating legitimate companies such as Coinbase and Kraken. They approach candidates via LinkedIn or X (Twitter), inviting them to video-call interviews. During these interactions, victims are directed to a fake video interviewing service named Willo, where they are prompted to enable their camera.
An error message then appears, instructing them to download a driver to fix the issue, a tactic known as "ClickFix." This leads to the installation of a previously undocumented Go-based backdoor called GolangGhost on Windows and macOS systems. GolangGhost allows attackers to remotely control infected systems and steal sensitive data.
https://thehackernews.com/2025/04/lazarus-group-targets-job-seekers-with.html
Critical Flaw in Apache Parquet Allows Remote Attackers to Execute Arbitrary Code
A critical security vulnerability, identified as CVE-2025-30065 with a CVSS score of 10.0, has been discovered in Apache Parquet's Java Library. This flaw allows remote attackers to execute arbitrary code by tricking systems into processing specially crafted Parquet files. The vulnerability affects all versions up to and including 1.15.0 and has been addressed in version 1.15.1. Users are advised to update to the latest version to mitigate potential risks.
https://thehackernews.com/2025/04/critical-flaw-in-apache-parquet-allows.html