Red Hat A.I CyberSecurity Scoring
Red Hat
Company Information
Website: http://www.redhat.com
Number of employees: 19,335
Number of followers: 1,511,408
NAICS: 5112
Industry Type: Software Development
Homepage: redhat.com
Red Hat Risk Score (AI oriented)
Between 650 and 699
Red Hat, Software Development
Updated: 01/04/2026
682/1000
Weak
B

Red Hat: Weak
Current Score: 682 B (WEAK)
5 incidents
-40 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 688
MAY 2026: 686
APRIL 2026: 684
MARCH 2026: 682
FEBRUARY 2026: 677
JANUARY 2026: 677
DECEMBER 2025: 672
NOVEMBER 2025: 671
OCTOBER 2025: 736
Breach
07 Oct 2025 • Red Hat
Red Hat Consulting
Red Hat Consulting Data Breach by Crimson Collective
667
CRITICAL-69
RED4732847100725
Red Hat Consulting, a provider of expert technical services to large enterprises, suffered a major breach by the extortion group Crimson Collective, linked to actors associated with LAPSUS$ and Scattered Spider. The attackers exfiltrated customer documentation, source code, proprietary consultancy reports, and sensitive assets, including .pfx private certificates for entities like ING Bank and Delta Airlines. Over 32 million files were compromised, affecting more than 5,000 enterprise customers, including high-profile organizations such as HSBC, Walmart, NHS Scotland (via Atos Group), AIR, AMEX_GBT, and BOC. The breach exposed consultancy engagement reports, internal assets, and proprietary code, posing severe risks of fraud, intellectual property theft, and operational disruption. The leaked data includes highly sensitive credentials and certificates, necessitating urgent remediation, including credential rotation, security reviews, and incident response measures. The scale and sensitivity of the stolen data suggest long-term reputational damage, financial losses, and potential regulatory penalties. Crimson Collective’s ties to LAPSUS$—known for high-impact attacks on telecoms and critical services—further escalate the threat severity, as the group has demonstrated a pattern of targeting major service providers with systemic consequences.
SEPTEMBER 2025: 782
Breach
01 Sep 2025 • Red Hat
Red Hat (Consulting Division)
Red Hat Consulting Division Supply Chain Compromise by Crimson Collective
734
CRITICAL-48
RED4292342100825
The Crimson Collective, a cybercriminal group, executed a supply chain breach of Red Hat’s consulting division, compromising ~800 organizations, including U.S. defense contractors (Naval Surface Warfare Centers, SOCOM, Raytheon), government agencies (House of Representatives, NASA’s JPL), and critical infrastructure entities. The stolen data includes Customer Engagement Reports (CERs)—highly sensitive blueprints containing network architectures, authentication tokens, API keys, and infrastructure configurations, effectively granting attackers backdoor access to hundreds of interconnected systems. The breach was timed to exploit the U.S. federal government shutdown (Oct 1, 2025), crippling incident response when cybersecurity teams were understaffed. Attackers waited since mid-September, testing capabilities via attacks on Nintendo and Claro Colombia before disclosing the breach at peak vulnerability. The data is now for sale with an Oct 10 deadline, while the government remains partially paralyzed. The exposure includes cryptic defense projects, risking compromised entry points into critical systems. Collaborating with ShinyHunters’ extortion-as-a-service platform, the attack represents an ecosystem exploitation-as-a-service model, targeting entire supply chains rather than individual entities. The precision, timing, and target selection (aligning with nation-state intelligence priorities) suggest potential state-sponsored involvement or direction, weaponizing political divisions and technical gaps for asymmetric warfare. The fallout threatens U.S. defense industrial base resilience, with implications for allies and global cybersecurity stability.
AUGUST 2025: 782
JULY 2025: 781
JUNE 2025: 784
Vulnerability
16 Jun 2025 • Red Hat
Red Hat
Critical Privilege Escalation Vulnerability in Red Hat OpenShift AI (CVE-2025-10725)
781
CRITICAL-3
RED1694016100125
A critical privilege escalation vulnerability (CVE-2025-10725, CVSS 9.9) was discovered in Red Hat OpenShift AI, a platform for managing AI/ML workloads across hybrid clouds. The flaw allows a low-privileged authenticated attacker (e.g., a data scientist with standard Jupyter notebook access) to escalate privileges to full cluster administrator, compromising the entire infrastructure. This enables theft of sensitive data, disruption of all hosted services, and complete takeover of the underlying systems—posing a total breach risk to the platform and its applications. Affected versions include OpenShift AI 2.19, 2.21, and RHOAI. While Red Hat classified it as 'Important' (due to the authentication prerequisite), the impact is severe: attackers could exfiltrate proprietary AI models, customer data, or internal research, halt critical operations, or pivot to broader network infiltration. Mitigations involve restricting broad permissions (e.g., `kueue-batch-user-role` bindings) and enforcing least-privilege access for job creation. The vulnerability underscores risks in AI/ML infrastructure, where compromised environments could lead to operational shutdowns, intellectual property theft, or cascading supply-chain attacks.
JULY 2024: 782
Vulnerability
01 Jul 2024 • Red Hat
Red Hat Enterprise Linux
Critical Use-After-Free Vulnerability in Linux Kernel (CVE-2024-36904)
778
CRITICAL-4
RED318031825
The critical use-after-free vulnerability in the Linux kernel, designated CVE-2024-36904, has significant implications for Red Hat Enterprise Linux and its derivatives. The flaw, which went undetected for seven years, affects the TCP subsystem and enables remote code execution with kernel privileges. Its disclosure through a public PoC exploit by security researchers raises alarm, as the exploit bypasses kernel defenses under specific conditions. Enterprises deploying Red Hat and related systems are at risk of a complete system compromise, endangering the integrity and confidentiality of their operations. Immediate patching has been advised to mitigate risks, with a patch released in July 2024. This vulnerability not only highlights the necessity of continual vigilance in cybersecurity but also underscores the latent threats residing in long-standing systems.
JUNE 2020: 802
Breach
16 Jun 2020 • Red Hat
Red Hat
Red Hat Security Incident Involving Self-Managed GitLab Instance
748
CRITICAL-54
RED3233032100325
Red Hat is investigating a security breach involving a self-managed GitLab Community Edition instance used exclusively by Red Hat Consulting. The attack, claimed by the hacker group Crimson Collective, resulted in the theft of ~570 GB of data from 28,000 internal projects, including 800 Customer Engagement Reports (CERs). These CERs contained sensitive details such as infrastructure configurations, authentication keys, and database URIs, which the attackers allegedly used to access downstream customer systems (e.g., Bank of America, T-Mobile, AT&T, Fidelity, Walmart). The breach occurred ~two weeks before detection (late September 2024), with attackers publishing directory listings of stolen repositories and CERs (2020–2025) on Telegram. Red Hat isolated the compromised instance, revoked attacker access, and reported the incident to authorities. While Red Hat asserts no impact on its software supply chain or other services, the attackers claim to have extorted the company but received only generic vulnerability reporting instructions. The group also vandalized Nintendo’s topic page around the same time, suggesting broader malicious activity.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Red Hat?
What was Red Hat's A.I Rankiteo Cyber Score in May 2026?
What was Red Hat's A.I Rankiteo Cyber Score in April 2026?
What was Red Hat's A.I Rankiteo Cyber Score in March 2026?
What was Red Hat's A.I Rankiteo Cyber Score in February 2026?
What was Red Hat's A.I Rankiteo Cyber Score in January 2026?
What was Red Hat's A.I Rankiteo Cyber Score in December 2025?
What was Red Hat's A.I Rankiteo Cyber Score in November 2025?
What was Red Hat's A.I Rankiteo Cyber Score in October 2025?
What was Red Hat's A.I Rankiteo Cyber Score in September 2025?
What was Red Hat's A.I Rankiteo Cyber Score in August 2025?
What was Red Hat's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Red Hat's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Red Hat?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Red Hat's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?