This Week's Headlines
- Oracle Reports Second Cybersecurity Breach
- Hackers Exploit Legacy Stripe API to Validate Stolen Credit Cards
- UK Software Provider Fined £3M Over Ransomware Attack That Exposed Customer Data
- Hackers Exploit WordPress MU-Plugins Feature to Conceal Malware in Compromised Sites
- BlackLock Ransomware Operators Exposed After Leaking Their Own Decryption Keys
- Google Patches ‘ImageRunner’ Vulnerability in Cloud Run
Oracle Reports Second Cybersecurity Breach
Oracle has informed clients of a second cybersecurity breach within a month, in which a hacker accessed a legacy system and stole old customer log-in credentials. Some of these credentials date from as recently as 2024.
The stolen data has reportedly been offered for sale online, and the attacker sought an extortion payment from Oracle.
The FBI and cybersecurity firm CrowdStrike are investigating the incident. Oracle assured clients that the compromised legacy system has not been in use for eight years, suggesting minimal risk.
This breach is separate from a previous incident affecting healthcare clients.
Hackers Exploit Legacy Stripe API to Validate Stolen Credit Cards
Cybercriminals are abusing a deprecated Stripe API to validate stolen credit card details, allowing them to confirm which cards are active before using them for fraudulent transactions.
Researchers discovered that threat actors are leveraging the legacy API’s lack of security checks, making it an attractive tool for carding operations. This technique enables attackers to bypass modern fraud detection mechanisms, leading to unauthorised transactions and financial losses.
Businesses using Stripe are urged to review their API configurations, disable outdated endpoints, and implement stronger fraud prevention measures to protect customer data and prevent financial abuse.
UK Software Provider Fined £3M Over Ransomware Attack That Exposed Customer Data
The UK Information Commissioner’s Office (ICO) has fined a software provider £3 million following a 2022 ransomware attack that exposed sensitive customer data.
The ICO determined that the company failed to implement adequate security measures, leaving systems vulnerable to exploitation.
Attackers gained access through an unpatched vulnerability, leading to widespread data theft and operational disruptions.
The ICO emphasised that organisations handling customer data must prioritise cybersecurity and maintain up-to-date protections. This penalty serves as a warning to other businesses about the consequences of poor security practices.
Organisations are urged to follow cybersecurity best practices, including regular patching, multi-factor authentication, and proactive threat monitoring to prevent similar breaches.
Hackers Exploit WordPress MU-Plugins Feature to Conceal Malware in Compromised Sites
Cybercriminals are exploiting the lesser-known WordPress Must-Use (MU) Plugins feature to stealthily deploy and hide malware on compromised websites.
According to Bitdefender researchers, attackers use this built-in functionality—intended for essential site-wide plugins—to install malicious code that persists through security scans and updates. The technique allows threat actors to maintain access, inject backdoors, and execute malicious actions undetected.
Since MU-Plugins load automatically and are not visible in the standard WordPress dashboard, they offer an effective way to evade detection.
Website administrators are urged to conduct regular security audits, monitor file integrity, and implement strong access controls to prevent unauthorised modifications and potential cyberattacks.
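One way to apply the file-integrity advice to the MU-Plugins directory, as an added example that is not from the original article or from Bitdefender: it inventories `wp-content/mu-plugins` on disk and compares it with a known-good manifest. The manifest format, file names and sample tree are assumptions constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_mu_plugins(mu_dir: Path, manifest: dict) -> dict:
    """Compare files under mu_dir with a known-good {relative_path: sha256} manifest."""
    found = {
        p.relative_to(mu_dir).as_posix(): sha256_file(p)
        for p in sorted(mu_dir.rglob("*")) if p.is_file()
    }
    return {
        # Files on disk that nobody approved: the case the article describes.
        "unexpected": sorted(set(found) - set(manifest)),
        # Approved files whose content no longer matches the baseline.
        "modified": sorted(k for k in found if k in manifest and found[k] != manifest[k]),
        # Approved files that have disappeared.
        "missing": sorted(set(manifest) - set(found)),
    }


def demo() -> dict:
    # Constructed sample tree standing in for a site's wp-content/mu-plugins.
    with tempfile.TemporaryDirectory() as tmp:
        mu = Path(tmp) / "wp-content" / "mu-plugins"
        mu.mkdir(parents=True)
        (mu / "site-cache.php").write_text("<?php // approved loader\n")
        (mu / "site-mail.php").write_text("<?php // approved mailer\n")
        # Baseline taken while the directory is in its approved state.
        manifest = {n: sha256_file(mu / n) for n in ("site-cache.php", "site-mail.php")}
        manifest["site-logging.php"] = "0" * 64  # approved entry that is absent on disk
        # Changes made after the baseline was recorded.
        (mu / "site-mail.php").write_text("<?php // edited after baseline\n")
        (mu / "index.php").write_text("<?php // not in baseline\n")
        return audit_mu_plugins(mu, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest off the web server so that whoever can write to the plugin directory cannot also rewrite the baseline.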
BlackLock Ransomware Operators Exposed After Leaking Their Own Decryption Keys
Security researchers have uncovered critical details about the BlackLock ransomware group after its operators mistakenly leaked their own decryption keys.
The ransomware, which has been targeting businesses and encrypting their data for ransom, suffered a major setback when security analysts discovered a flaw in its operations.
The leaked keys allow victims to potentially recover encrypted files without paying the ransom. Experts warn, however, that despite this blunder, BlackLock remains an active threat.
Organisations are advised to strengthen their cybersecurity defenses, maintain regular backups, and implement proactive threat monitoring to mitigate ransomware risks.
Google Patches ‘ImageRunner’ Vulnerability in Cloud Run
Google has addressed a privilege escalation vulnerability, dubbed ‘ImageRunner,’ in its Cloud Run service that could have allowed attackers with specific permissions—namely run.services.update and iam.serviceAccounts.actAs—to deploy new service revisions and access private container images within the same project. By exploiting this flaw, malicious actors could inject harmful code into container images, potentially leading to data exfiltration or unauthorised control over applications.
The vulnerability was reported by Tenable and patched by Google on January 28, 2025.
Administrators are advised to ensure that principals creating or updating Cloud Run resources have explicit permissions to access the container images, specifically by assigning the Artifact Registry Reader (roles/artifactregistry.reader) IAM role.