For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Red Hat in the news, £5.5B in Bitcoin recovered from scammer, more Breaches

Hello! ArvinF​ is your editor of the F5 SIRT This Week in Security, covering 28 September to 4 October 2025. This week, Red Hat is in the news for their Consulting GitLab instance breach and an "Important" rated vulnerability in their OpenShift AI Service product. A win - UK's Metropolitan police have arrested a scammer and recovered £5.5B (!) in Bitcoin. Then came the breach disclosures from Alianz, Westjet, Motility and a "US tech company”. Finally, the ransomware and extortion gangs - Scattered LAPSUS$ Hunters 1B Salesforce record under ransom and Radiant Group's extortion attempt getting slammed by another extortion group.  Let’s get to it! 

 

Red Hat's Consulting GitLab instance has been breached by an extortion group named Crimson Collective.

The group initially bragged about the breach on Telegram, showing file listings and other sensitive data in Customer Engagement Reports (CERs)  that are related to Redhat customers environments. 

Redhat published a security incident advisory:

We recently detected unauthorized access to a GitLab instance used for internal Red Hat Consulting collaboration in select engagements. Upon detection, we promptly launched a thorough investigation, removed the unauthorized party’s access, isolated the instance, and contacted the appropriate authorities. Our investigation, which is ongoing, found that an unauthorized third party had accessed and copied some data from this instance.

Crimson Collective threat group notes that they found authentication tokens inside these repos and have “already used these to compromise downstream Red Hat customers.”

In an advisory from the Belgian government, it notes the incident is “High Risk” for Belgian organizations and has “potential supply chain impact if service providers or IT partners worked with Red Hat Consulting”

From the same advisory, it provided recommendations:

  • Revoke & Rotate all tokens, keys, and credentials shared with Red Hat or used in integrations.
  • Engage Third-Parties – ask your IT providers or partners whether they have used Red Hat Consulting and assess your potential exposure.
  • Contact Red Hat for guidance on your specific exposure.
  • Increase monitoring of authentication events, API calls, and system access for anomalies.

 

https://www.theregister.com/2025/10/03/red_hat_gitlab_breach/

https://www.redhat.com/en/blog/security-update-incident-related-red-hat-consulting-gitlab-instance

https://www.theregister.com/2025/10/02/cybercrims_claim_raid_on_28000/

https://ccb.belgium.be/news/hackers-crimson-collective-use-leaked-authentication-tokens-access-customer-systems

 

From standard user to Full Cluster Admin in Red Hat Openshift AI Service via CVE-2025-10725

Red Hat OpenShift AI Service has a 9.9 out of 10 CVSS Score CVE, tracked as CVE-2025-10725, thinly avoiding a 10 out of 10, due to a requirement of a Low-Privileged attacker.

https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

In the advisory:

A flaw was found in Red Hat OpenShift AI Service. A low-privileged attacker with access to an authenticated account, for example as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator. This allows for the complete compromise of the cluster’s confidentiality, integrity, and availability. The attacker can steal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it.

To resolve the vulnerability, upgrade to RHOAI 2.16.3 or if Kueue features are not required, the Kueue component management state can be set to “Removed” in the RHOAI DataScienceCluster resource. For RHOAI 2.19+, a workaround is  Prevent the RHOAI operator from managing the kueue-batch-user-rolebinding then Disable the ClusterRoleBinding by updating its subject to a different, non-existent, group. Once updates providing fixes have been applied, it's recommended to remove the clusterrolebinding.

This “Important” rated CVE came out approx the same time as the Red Hat Consulting GitLab breach. 

https://www.theregister.com/2025/10/01/critical_red_hat_openshift_ai_bug/

https://access.redhat.com/security/cve/cve-2025-10725#cve-affected-packages

 

£5.5B in Bitcoin recovered from scammer

A scammer caught by the London Metropolitan Police after a seven-year investigation and recovered a record-busting Bitcoin seizure worth £5.5B.

.. carried out what the police describe as a "large-scale fraud in China" between 2014 and 2017, and then attempted to launder the significant proceeds after arriving in the UK.

The three-year fraud affected more than 128,000 people and netted 61,000 Bitcoin, which at current prices is worth more than £5.5 billion ($7.4 billion).

At the point the crypto tokens were seized, they would have been worth around $404 million.

The scammer fled using false documents and entered the UK and attempted to launder the stolen money by buying property, said the Met.

An associate helped in attempting to cash in on the laundering by buying properties in the UK and Dubai. This associate was caught last year and was jailed/sentenced.

The scammer may get additional time if they fail to pay up and return more than £3.1 million.

The Crown Prosecution Service said the associate benefited by £3.5 million (c $4.7 million) from the fraud, led by the scammer, and the £3.1 million figure was the total sum of her available assets at the time.

Reforms to crime legislation under the previous Conservative government aimed to make it easier for the UK authorities to seize, freeze and recover crypto assets, external.

The changes would also allow some victims to apply for the release of their assets held in accounts.

https://www.theregister.com/2025/09/30/met_police_bitcoin_fraud/

https://www.bbc.com/news/articles/cy0415kk3rzo

https://news.met.police.uk/news/woman-convicted-following-worlds-largest-seizure-501569

https://www.gov.uk/government/news/new-powers-to-seize-cryptoassets-used-by-criminals-go-live

 

3.7M breach notification letters - The mailman and mail servers will be busy sending breach notification letters.

From the Maine AG breach disclosure pages on affected persons:

Insurance biz Allianz Life - 1,497,036

WestJet - 1.2 million

Motility - 766670

From the news ... "US tech company" - 250,000

The Impact:

Allianz Life - The attackers accessed the data of the insurer's customers, staff, and financial professionals

WestJet - affected its online services and mobile app, exposed customer data - could include names, contact details, information and documents provided in connection with their reservation and travel, and data regarding victims'

Motility Software Solutions - "unauthorized actor deployed malware that encrypted a portion of our systems. Although the malware primarily restricted our access to internal data, the forensic evidence suggests that, before encryption, the actor may have removed limited files containing customers' personal data ... could include full names, home and email addresses, telephone numbers, dates of birth, SSNs, and driver's license numbers."

That’s a lot of names, SSNs, CCs, email addresses, addresses, IDs. 

All three businesses offered identity protection and credit monitoring services – Allianz Life and WestJet two years of coverage, Motility 12 months. 

https://www.theregister.com/2025/10/01/north_american_data_breaches/

 

Scattered LAPSUS$ Hunters 1B Salesforce Records under ransom

Scattered LAPSUS$ Hunters gave Salesforce until October 10, a deadline to negotiate payment or leak their customer’s data.

Scattered LAPSUS$ Hunters are 3 threat / ransomware groups - Scattered Spider, ShinyHunters, and Lapsus$ - that had a moment of solidarity "to break into businesses' networks, steal their data, and force an extortion payment."

Per Salesforce advisory:

"We are aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities," "Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support,"  "At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology."

In August of 2025, there was the Salesloft drift breach that affected Salesforce customers. 

https://www.theregister.com/2025/10/03/scattered_lapsus_hunters_latest_leak/

https://www.theregister.com/2025/09/14/in_brief_infosec/

https://www.theregister.com/2025/09/08/drift_breach_entry_salesloft_github/

https://www.theregister.com/2025/08/12/scattered_spidershinyhunterslapsus_cybercrime_collab/

https://status.salesforce.com/generalmessages/20000224?locale=en-US

 

Radiant Group extortion gang crosses the line and gets schooled by other ransomware groups

Radiant Group stole data from Kido International, a school for young children with branches in the UK, US, and India. They then posted unblurred pictures of 10 children, along with their addresses, parents’ names, and other personal data, and threatened to expose more if a ransom wasn't paid.

Parents of some children claimed to have received threatening calls after Radiant published the data. London's Metropolitan Police investigators are following up on the case.

But now, Radiant says it removed the child data it had posted after receiving pressure from other ransomware groups. It seems they crossed a line in the criminal world and backed down when called out for it.

Rebecca Taylor, a threat intelligence knowledge manager at security biz Sophos, tells The Register that the crew was called out by the well-established ransomware-as-a-service Nova gang on the Russian Anonymous Market Place (RAMP), an online souk for cybercriminals. One of Nova's affiliate members, going under the handle BlackBeard, told Radiant, "reputation important, don't attack child right."

"We have disabled any attacks relating to them, is not allowed anymore," Radiant answered, and added, "Any data relating to under 18s who attended have been deleted." BlackBeard congratulated them and wished the extortionists good luck for the future and Nova offered to help in future raids.

Radiant claimed to have information on over 8,000 children enrolled at Kido, as well as their family, teachers, and staff.

Taylor told us that the Radiant Group seems to be new script kiddies on the block and have overstepped themselves, and are now trying to make nice with the rest of the criminal community.

https://www.theregister.com/2025/10/02/ransomware_radiant_delete_kids_info/

https://www.theregister.com/2025/09/25/ransomware_gang_publishes_toddlers_images/

https://www.theguardian.com/technology/2025/oct/02/kido-nursery-hackers-say-they-have-deleted-stolen-data

 

Outro

The amount of breach news from this week was something - the leaked personal and financial information will surely be the foundation of future breaches and extortions. These breaches were perpetrated by ransomware and extortion gangs that utilized social engineering and known and unknown vulnerabilities in their campaigns. As defenders, we should advise our organizations to keep our systems updated, implement levels and layers of security defenses and keep ourselves and our peers educated on good security practices. The silver lining is the recovery of the £5.5B worth of Bitcoin from scammers caught in the UK. The many victims of scammers have an opportunity to recover their lost assets. 

Credit to the original source and posts!      

I hope the news I picked is informative and educational. Till next time - Stay Safe and Secure!

As always, if this is your first TWIS, you can always read past editions.  We also encourage you to check out all of the content from the F5 SIRT.

Updated Oct 10, 2025
Version 2.0
f5 sirt
security
twis
No CommentsBe the first to comment