AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 3/28/2025

Oracle customers confirm data stolen in alleged cloud breach is valid

Despite Oracle denying a breach of its Oracle Cloud federated SSO login servers and the theft of account data for 6 million people, BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid. Last week, a person named ‘rose87168’ claimed to have breached Oracle Cloud servers and began selling the alleged authentication data and encrypted passwords of 6 million users. The threat actor also said that stolen SSO and LDAP passwords could be decrypted using the info in the stolen files and offered to share some of the data with anyone who could help recover them.

 

OpenAI Offering $100K Bounties for Critical Vulnerabilities

Artificial intelligence tech giant OpenAI has raised its maximum bug bounty payout to $100,000 (up from $20,000) as part of plans to outsource the discovery of critical, high-impact vulnerabilities in its infrastructure and products. The new bounty program is part of a broader set of security initiatives from OpenAI that includes funding for security research projects, continuous adversarial red teaming, and engagements with open-source software communities. In addition to the higher payouts for critical security findings, OpenAI said it will provide bonus promotions for qualifying reports during limited-time periods.

 

UK warns of emerging threat from ‘sadistic’ online ‘Com networks’ of teenage boys

Online networks of teenage boys “dedicated to inflicting harm and committing a range of criminality” are among the most significant concerns for British law enforcement, officials announced this week. Britain’s National Crime Agency (NCA) is warning of a “new generation of young, English-speaking cyber criminals” who are “predominantly teenage boys that often share sadistic and misogynistic material, and have been seen to target those their own age or younger.” In a strategic assessment, the agency said “the threat from cybercriminals based in the UK and other English-speaking countries, such as the USA, has increased relative to 2023,” which is being “driven by a loose association of online entities from a wider internet-based subculture nicknamed ‘The Com’.”

 

Defense Contractor MORSE to Pay $4.6M to Settle Cybersecurity Failure Allegations

Cambridge, Massachusetts-based defense contractor MORSE Corp has agreed to pay $4.6 million to settle allegations regarding its failure to comply with the government’s cybersecurity requirements. A law firm representing a whistleblower said its client raised concerns over MORSE Corp’s cybersecurity failures in January 2023. MORSE specializes in aerospace engineering and the accusations were related to the company’s contracts with the US Army and Air Force. The whistleblower said MORSE had not fully implemented required NIST data security controls (and inflated its assessment score), did not have a consolidated system security plan, and was using email services that did not meet the government’s security requirements.

 

Morphing Meerkat Phishing Kits Target Over 100 Brands

A phishing-as-a-service (PhaaS) platform has been observed generating phishing kits that use DNS mail exchange (MX) records to serve fake login pages spoofing over 100 brands, cybersecurity company Infoblox reports. The platform, likely operated by a threat actor tracked as Morphing Meerkat, provides users with services such as mass spam delivery, email security system bypass, and obfuscation. According to Infoblox, the threat actor exploits open redirect vulnerabilities on adtech infrastructure, uses compromised domains to send phishing emails, and distributes stolen credentials via email and chat services.
