
This Week in Cybersecurity: Looking Back at Week 41

October 10, 2025

Our top stories this week reveal a significant shift in cybercrime power, with three major groups forming a ransomware cartel to professionalise and escalate their operations. We detail the immediate need to patch two maximum-severity flaws: the actively exploited GoAnywhere MFT zero-day and a 13-year-old RCE bug in Redis.

The human element remains a critical target, as we examine the high-impact Salesforce vishing campaign and the compromise of a Discord support vendor, highlighting the escalating risk of third-party and supply-chain failures.

Finally, we issue an Urgent Action alert for a critical WordPress theme vulnerability that lets unauthenticated attackers hijack admin accounts.

LockBit, Qilin and DragonForce Form Ransomware Cartel

The alliance of three prominent cyber-extortion operations, LockBit, Qilin and DragonForce, marks a significant escalation in the organisation of the Ransomware-as-a-Service (RaaS) ecosystem.

This “coalition” aims to unite efforts and collaboratively develop their direction, likely leading to the sharing of techniques, resources and infrastructure. This mirrors past collaborations that introduced tactics like double extortion.

While experts are concerned about the potential for larger, more sophisticated and more effective attacks on critical infrastructure, some note that the alliance carries a risk for the criminals themselves: any shared payments could be linked to LockBit’s sanctioned leader, potentially making ransom payments illegal for US entities and harming the cartel’s bottom line.

View Source

Urgent Action: Maximum Severity Vulnerabilities

These two vulnerabilities pose an immediate threat: one is being actively exploited, and the other is a pervasive, decade-old flaw in a data store that underpins a great deal of cloud and on-premises infrastructure.

Critical GoAnywhere MFT Zero-Day Exploited by Storm-1175 to Deploy Medusa Ransomware

Microsoft has officially linked the threat actor Storm-1175 to active exploitation of a critical zero-day vulnerability in Fortra’s GoAnywhere MFT (Managed File Transfer) software.

The flaw, CVE-2025-10035 (CVSS score: 10.0), is a deserialisation bug in the product’s License Servlet that leads to unauthenticated remote code execution (RCE). Storm-1175 has been exploiting it since at least September 11th, 2025, using the initial access to deploy RMM tools, conduct discovery and ultimately deploy Medusa ransomware across the victim’s network.

Organisations running GoAnywhere MFT are strongly urged to update to version 7.8.4 or the Sustain Release 7.6.3. Note that only those two branches carry the fix: a 7.7.x build or an earlier 7.8.x release is still affected even though its version number sorts above 7.6.3. The Admin Console should also not be reachable from the internet, and any instance that was exposed before patching should be reviewed for unexpected child processes and newly installed remote-access tools.

View Source

Max Severity Flaw Exposes 60,000 Unauthenticated Redis Servers to RCE

A critical security flaw, nicknamed “RediShell” and tracked as CVE-2025-49844, has been discovered in the popular Redis in-memory database. The vulnerability, which carries the maximum CVSS score of 10.0, is a 13-year-old use-after-free bug in the Lua scripting engine embedded in Redis: a specially crafted Lua script can escape the Lua sandbox and run native code on the host.

Exploitation requires the ability to send a Lua script to the server, which normally means an authenticated connection. However, approximately 60,000 Redis instances exposed to the internet have no authentication configured, so any remote party can reach the vulnerable code path and achieve remote code execution (RCE). Administrators are urged to patch immediately. Until a patched build is deployed, exposure can be reduced by binding Redis to internal interfaces only, firewalling port 6379, requiring a password or ACL users, and removing the scripting command category (for example, -@scripting in the ACL rule of every user that does not need EVAL) so that the Lua engine cannot be reached at all.
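The triage tool below is an added example, not code from the original article or from the Redis project. It sends three harmless commands (PING, INFO server and a no-op EVAL) and classifies the replies: is the server reachable without a password, is it still in default protected mode, and can the connecting user reach the Lua engine at all? It does not attempt exploitation. The host, port and the sample replies at the bottom are constructed for illustration; only the assess() classification is exercised offline.

```python
"""Triage an internet-exposed Redis instance for the RediShell pre-conditions.

Added example; not article or Redis project code. Sample replies are constructed.
"""
import re
import socket
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def encode_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings."""
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        out.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(out)


def parse_reply(data: bytes) -> Tuple[str, object]:
    """Parse one RESP reply (simple string, error, integer or bulk string).
    These four types cover every reply this probe expects."""
    prefix, rest = data[:1], data[1:]
    if prefix in (b"+", b"-", b":"):
        line = rest.split(b"\r\n", 1)[0].decode(errors="replace")
        kind = {b"+": "status", b"-": "error", b":": "integer"}[prefix]
        return kind, (int(line) if kind == "integer" else line)
    if prefix == b"$":
        length_line, body = rest.split(b"\r\n", 1)
        length = int(length_line)
        return "bulk", (None if length < 0 else body[:length].decode(errors="replace"))
    return "unknown", data.decode(errors="replace")


def _reply_complete(buf: bytes) -> bool:
    """True once buf holds one whole reply, so recv() can stop."""
    if not buf:
        return False
    if buf[:1] in (b"+", b"-", b":"):
        return b"\r\n" in buf
    if buf[:1] == b"$":
        head, sep, body = buf.partition(b"\r\n")
        if not sep:
            return False
        length = int(head[1:])
        return length < 0 or len(body) >= length + 2
    return True


def _read_reply(sock: socket.socket) -> bytes:
    buf = b""
    while not _reply_complete(buf):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


@dataclass
class Assessment:
    auth_required: bool      # NOAUTH reply: a password or ACL user is enforced
    protected_mode: bool     # DENIED reply: default protected mode is still on
    lua_reachable: bool      # EVAL executed, so the vulnerable engine is exposed
    version: Optional[str]   # redis_version from INFO server, if disclosed
    verdict: str


def assess(replies: Dict[str, bytes]) -> Assessment:
    """Classify the replies to PING, INFO server and EVAL "return 1" 0."""
    ping = parse_reply(replies["PING"])
    info = parse_reply(replies["INFO"])
    ev = parse_reply(replies["EVAL"])
    auth_required = ping[0] == "error" and str(ping[1]).startswith("NOAUTH")
    protected_mode = ping[0] == "error" and str(ping[1]).startswith("DENIED")
    lua_reachable = ev == ("integer", 1)
    version = None
    if info[0] == "bulk" and info[1]:
        match = re.search(r"^redis_version:(\S+)", str(info[1]), re.M)
        version = match.group(1) if match else None
    if protected_mode:
        verdict = "protected-mode"
    elif auth_required:
        verdict = "auth-required"
    elif lua_reachable:
        verdict = "unauthenticated-lua-reachable"   # worst case: patch and restrict now
    else:
        verdict = "unauthenticated-lua-blocked"     # ACL stopgap in place; still patch
    return Assessment(auth_required, protected_mode, lua_reachable, version, verdict)


def probe_host(host: str, port: int = 6379, timeout: float = 3.0) -> Assessment:
    """Run the three probes against a live host, one connection per command
    (a protected-mode server closes the socket after its DENIED reply)."""
    commands = {"PING": ("PING",), "INFO": ("INFO", "server"), "EVAL": ("EVAL", "return 1", "0")}
    replies: Dict[str, bytes] = {}
    for name, argv in commands.items():
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(encode_command(*argv))
            replies[name] = _read_reply(sock)
    return assess(replies)


# Constructed sample replies, as an exposed, passwordless 7.2 server would return them.
_INFO_BODY = b"# Server\r\nredis_version:7.2.4\r\nredis_mode:standalone\r\n"
SAMPLE_OPEN = {"PING": b"+PONG\r\n",
               "INFO": b"$%d\r\n%s\r\n" % (len(_INFO_BODY), _INFO_BODY),
               "EVAL": b":1\r\n"}
SAMPLE_ACL_BLOCKED = dict(SAMPLE_OPEN, EVAL=b"-NOPERM this user has no permissions to run the 'eval' command\r\n")
SAMPLE_AUTH = {k: b"-NOAUTH Authentication required.\r\n" for k in ("PING", "INFO", "EVAL")}

if __name__ == "__main__":
    for label, sample in (("open", SAMPLE_OPEN), ("acl", SAMPLE_ACL_BLOCKED), ("auth", SAMPLE_AUTH)):
        print(label, assess(sample))
```

A verdict of unauthenticated-lua-reachable is the combination the 60,000 exposed servers fall into; unauthenticated-lua-blocked means the ACL stopgap is working but the binary is still unpatched, and auth-required or protected-mode only tells you the door is locked, not that the server has been updated, so the version field still needs to be compared with the vendor’s fixed releases.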

View Source

Third Party Risk: Customer Data Exposed in Major Vendor Compromises

These incidents emphasise that a company’s attack surface now extends deeply into its supply chain, making vendor security paramount.

Vishing Attack Exposes Data of Around 40 Salesforce Customers

The Scattered LAPSUS$ Hunters hacking group claims to have stolen almost one billion records from approximately 40 major companies that use Salesforce, including high profile names like FedEx, Stellantis and Cisco.

The hackers gained access through “vishing” (voice phishing): calling employees and persuading them to grant access, typically by authorising an attacker-controlled connected app, rather than exploiting a vulnerability in the Salesforce platform itself.

Salesforce confirmed it will not pay the ransom and urged affected customers to immediately audit all connected apps, revoke any they do not recognise, and bolster employee training against social engineering.

View Source

Discord Support Vendor Compromised, Exposing 70,000 Government ID Photos

Discord announced it will not pay an extortion demand from threat actors following a compromise of one of its third-party customer support providers, reported to be Zendesk.

The exposure affected approximately 70,000 users whose government ID photos, submitted for age-verification appeals, were exposed. Other exposed data included names, email addresses and contact details. Discord has secured the affected systems and ended its work with the compromised vendor.

View Source

Renault UK Hit by Third-Party Breach, Exposing Customer Details

Renault UK confirmed that it suffered a cyber attack resulting in the theft of personal customer data from one of its third-party data providers. The compromised information includes customer names, addresses, phone numbers and vehicle details.

Renault UK stressed that its own internal systems were not affected and no financial information or passwords were compromised.

View Source

Critical Service Finder WordPress Theme Flaw Exploited to Hijack Admin Accounts

A critical security vulnerability, tracked as CVE-2025-5947 (CVSS score: 9.8), is being actively exploited in the wild. It affects the Service Finder WordPress theme and its bundled Service Finder Bookings plugin.

The flaw allows an unauthenticated attacker to gain administrator privileges on affected sites. Administrators using this theme are urged to immediately update to version 6.1 or later to prevent site takeover and the injection of malicious code, and to review the user list for administrator accounts they did not create.
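Both the GoAnywhere MFT item above and this Service Finder item reduce to the same question: is the installed build at or past the fixed version on its own branch? The check below is an added example, not code from the article, Fortra or the theme vendor. It encodes the two fix statements as summarised above (GoAnywhere fixed in 7.8.4 and in the 7.6.3 Sustain Release, Service Finder fixed from 6.1) and shows why a naive “version >= lowest fixed version” comparison passes a vulnerable 7.7.x GoAnywhere build. Version strings are assumed to be dotted numerics as the advisories print them; the inventory is constructed and the hostnames are placeholders.

```python
"""Branch-aware 'is this build patched?' check for the two advisories above.

Added example; not the article's code nor Fortra's or the theme vendor's.
"""
import re
from typing import Dict, List, Sequence, Tuple

Version = Tuple[int, ...]

# First fixed build on each supported branch, as summarised in the items above.
# The highest entry on each list is treated as the mainline fix.
ADVISORY_FIXES: Dict[str, List[str]] = {
    "GoAnywhere MFT (CVE-2025-10035)": ["7.8.4", "7.6.3"],
    "Service Finder Bookings (CVE-2025-5947)": ["6.1"],
}


def parse_version(text: str) -> Version:
    """'7.8.4' -> (7, 8, 4). A trailing tag such as '-SR' or 'rc1' is ignored."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_patched(version: str, fixed: Sequence[str]) -> bool:
    """True if `version` is at or after a fix on its own branch.

    The highest fixed version is the mainline: anything at or above it is
    patched. Every other fixed version is a sustain release that only covers
    its own branch (7.6.3 covers 7.6.x, not 7.7.x). Versions on any other
    branch below the mainline fix are unpatched, however high they sort.
    """
    current = parse_version(version)
    fixes = sorted(parse_version(f) for f in fixed)
    if current >= fixes[-1]:
        return True
    for fix in fixes[:-1]:
        branch = fix[:-1]
        if current[: len(branch)] == branch and current >= fix:
            return True
    return False


def triage(inventory: Sequence[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Label each (host, product, version) as 'patched' or 'VULNERABLE'."""
    report = []
    for host, product, version in inventory:
        status = "patched" if is_patched(version, ADVISORY_FIXES[product]) else "VULNERABLE"
        report.append((host, product, version, status))
    return report


# Constructed inventory; hostnames are placeholders.
SAMPLE_INVENTORY = [
    ("mft-01.example.internal", "GoAnywhere MFT (CVE-2025-10035)", "7.8.4"),
    ("mft-02.example.internal", "GoAnywhere MFT (CVE-2025-10035)", "7.6.3"),
    ("mft-03.example.internal", "GoAnywhere MFT (CVE-2025-10035)", "7.7.1"),  # above 7.6.3, still unpatched
    ("mft-04.example.internal", "GoAnywhere MFT (CVE-2025-10035)", "7.8.3"),
    ("www.example.internal", "Service Finder Bookings (CVE-2025-5947)", "6.0.9"),
    ("shop.example.internal", "Service Finder Bookings (CVE-2025-5947)", "6.1"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(*row)
```

The generalisation is deliberate: any advisory that lists one mainline fix plus sustain-branch fixes (Redis publishes its fixes the same way, one per maintained branch) can be fed to is_patched() as a list, and the branch rule prevents the common mistake of treating the lowest fixed number as a global threshold.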

View Source

Resilience in the Age of Collaboration

The threats this week underscore a simple truth: attackers are consolidating power and exploiting vulnerabilities that have existed for over a decade. The formation of ransomware cartels demands an equivalent level of preparedness and scrutiny from defenders, particularly regarding supply-chain dependencies (Salesforce, Discord, Renault) and fundamental infrastructure flaws (GoAnywhere, Redis).

Surviving these rapidly evolving, short-dwell-time threats demands proactive security testing, not just patching.


Don’t get caught off guard. Get in touch with our team today to learn how our services can help you navigate these complex threats and secure your digital future.
