Incident Types: The types of cybersecurity incidents that have occurred include Ransomware, Breach, Vulnerability and Cyber Attack.

Total Financial Loss: The total financial loss from these incidents is estimated to be $0.

Detection and Response: The company detects and responds to cybersecurity incidents through an network segmentation with ineffective segmentation, and enhanced monitoring with oversights in security monitoring, and remediation measures with patches available, and containment measures with block port 4011 on firewalls, containment measures with configure the irm_hostedserviceurl core setting with an empty value and restart the altiris inventory rule management service, and remediation measures with limit .net remoting access to localhost-only in upcoming releases, and law enforcement notified with yes, and enhanced monitoring with monitoring for risky logins and unauthorized account misuse, and and third party assistance with google threat intelligence group (gitg), third party assistance with mandiant, third party assistance with nviso (for windows variants), and containment measures with scanner script for *nix-based appliances (mandiant), containment measures with yara rule (g_apt_backdoor_brickstorm_3), and incident response plan activated with yes (broadcom patch release), and third party assistance with nviso (vulnerability reporting and poc), third party assistance with google mandiant (threat actor analysis), and containment measures with patch release for cve-2025-41244, containment measures with previous patches for cve-2025-22224, cve-2025-22225, cve-2025-22226 (march 2024), containment measures with nsx vulnerabilities patched (november 2024), and incident response plan activated with cisa's binding operational directive (bod) 22-01 enforcement, and third party assistance with broadcom (vmware) security patches, third party assistance with nviso (vulnerability research), third party assistance with google mandiant (threat actor analysis), and containment measures with patch application (mandated within 3 weeks for fceb agencies), containment measures with discontinuing use of vulnerable products if patches unavailable, and remediation measures with applying vendor-provided mitigations, remediation measures with enhanced monitoring for exploitation attempts, and communication strategy with cisa advisory to federal agencies and private sector, communication strategy with broadcom's public disclosure of exploitation, and enhanced monitoring with recommended for all organizations, and and third party assistance with nviso, third party assistance with google mandiant, and containment measures with patching vmware tools (12.4.9 for windows 32-bit, 12.5.4 for general; open-vm-tools for linux), containment measures with disabling sdmp if patching is not feasible, and remediation measures with applying security updates by november 20, 2025 (cisa deadline), remediation measures with monitoring for signs of exploitation, and communication strategy with cisa advisory via kev catalog, communication strategy with public disclosure by security researchers (e.g., bleepingcomputer, techradar), and enhanced monitoring with recommended for systems running vmware tools with sdmp, and communication strategy with public disclosure via the register; adp issued a statement clarifying limited impact and no ransom payment, and network segmentation with recommended for organizations using oracle e-business suite, and enhanced monitoring with recommended: review security logs for unauthorized access, deploy edr solutions, and and third party assistance with mandiant (google-owned cybersecurity firm), and containment measures with oracle security patches (cve-2025-61882, cve-2025-21884), and remediation measures with patch application for oracle ebs vulnerabilities, and communication strategy with oracle security alerts to customers, communication strategy with public disclosure via media..

Common Attack Types: The most common types of attacks the company has faced is Ransomware.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Executable File, VMware virtualization products, Poisoned ad on Google Ads network, Port 4011, Social engineering, Zero-Day Exploits in Network Appliances, Exploitation of CVE-2025-41244 (privilege escalation via /tmp/httpd)Previous exploits: CVE-2023-46747 (F5 BIG-IP), CVE-2024-1709 (ConnectWise ScreenConnect), CVE-2025-31324 (NetWeaver Visual Composer), Exploitation of CVE-2025-41244 on vulnerable VMware systems, VMware Tools with SDMP enabledLocal privilege escalation on compromised VMs, unpatched zero-day vulnerability in Oracle E-Business Suite, Zero-day vulnerabilities in Oracle EBS (CVE-2025-61882 and CVE-2025-21884).

Average Financial Loss: The average financial loss per incident is $0.00.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Passwords, List Of Symantec Clients, Government Agencies, List Of Clients Using Symantec'S Cloudsoc Services, Account Managers, Account Numbers, , Sensitive customer data, Patient Records, Transaction Data, , Login credentials, Credentials, Browser Data, Cookies, Sensitive Information, , Emails, Email Attachments/Files, , Employee Data, , Personally Identifiable Information (Pii), Financial Data, Employment Records, Health Insurance Details, , Potential: Corporate Data (Supply Chain, Financial, Customer), Intellectual Property (Research Data), , Corporate Data, Customer Data, Sensitive Business Information and .

Incident Response Plan: The company's incident response plan is described as Yes (Broadcom patch release), CISA's Binding Operational Directive (BOD) 22-01 enforcement, , , .

Third-Party Assistance: The company involves third-party assistance in incident response through Google Threat Intelligence Group (GITG), Mandiant, NVISO (for Windows variants), , NVISO (vulnerability reporting and PoC), Google Mandiant (threat actor analysis), , Broadcom (VMware) security patches, NVISO (vulnerability research), Google Mandiant (threat actor analysis), , NVISO, Google Mandiant, , Mandiant (Google-owned cybersecurity firm), .

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Patches available, Limit .NET Remoting access to localhost-only in upcoming releases, , Applying vendor-provided mitigations, Enhanced monitoring for exploitation attempts, , Applying security updates by November 20, 2025 (CISA deadline), Monitoring for signs of exploitation, , Patch application for Oracle EBS vulnerabilities, .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by block port 4011 on firewalls, configure the irm_hostedserviceurl core setting with an empty value and restart the altiris inventory rule management service, , scanner script for *nix-based appliances (mandiant), yara rule (g_apt_backdoor_brickstorm_3), , patch release for cve-2025-41244, previous patches for cve-2025-22224, cve-2025-22225, cve-2025-22226 (march 2024), nsx vulnerabilities patched (november 2024), , patch application (mandated within 3 weeks for fceb agencies), discontinuing use of vulnerable products if patches unavailable, , patching vmware tools (12.4.9 for windows 32-bit, 12.5.4 for general; open-vm-tools for linux), disabling sdmp if patching is not feasible, , oracle security patches (cve-2025-61882, cve-2025-21884) and .

Key Lessons Learned: The key lessons learned from past incidents are Importance of robust security measures to prevent such incidents.Threat actors leveraged zero-day vulnerabilities in network appliances lacking EDR support (e.g., VMware vCenter).,Dwell time (avg. 393 days) often exceeded log retention, complicating forensics.,BRICKSTORM's self-monitoring (Watcher function) and WebSocket C2 evaded traditional detection.,Lateral movement relied on credential reuse from vaults (e.g., Delinea Secret Server) and automated secret stealer tools.,Microsoft Entra ID scopes (mail.read, full_access_as_app) were exploited for email access.1. State-sponsored actors like UNC5174 are increasingly exploiting zero-day vulnerabilities in enterprise software (VMware, F5 BIG-IP, ConnectWise, SAP) for espionage and financial gain. 2. Privilege escalation vulnerabilities in widely used tools (e.g., VMware Aria Operations) can lead to full system compromise if left unpatched. 3. Collaboration with threat intelligence firms (NVISO, Mandiant, Microsoft) is critical for timely detection and mitigation. 4. Regular patching of high-severity vulnerabilities reported by entities like NSA and Microsoft Threat Intelligence is essential to prevent exploitation.Critical importance of timely patching for known exploited vulnerabilities (KEVs),State-sponsored actors leverage privilege escalation flaws for persistent access,Need for cross-sector collaboration (e.g., NVISO, Mandiant, CISA) in threat intelligence sharingState-sponsored actors leverage zero-day vulnerabilities for long-term espionage campaigns.,Timely patching is critical to mitigate exploitation, especially for vulnerabilities added to CISA's KEV catalog.,Collaboration between security researchers (e.g., NVISO, Mandiant) and government agencies (e.g., CISA) is essential for threat intelligence sharing.,Proof-of-concept (POC) code releases can accelerate both defensive and offensive operations.Zero-day vulnerabilities in enterprise software (e.g., Oracle E-Business Suite) pose severe risks due to lack of patches at exploitation time.,High-value targets (e.g., semiconductor manufacturers) are prioritized by ransomware groups like Cl0p for maximum impact.,Proactive measures (e.g., network segmentation, EDR, threat intelligence monitoring) are critical for mitigating zero-day risks.,Supply chain and ERP systems are attractive targets due to their central role in business operations.Supplier vulnerabilities in enterprise software (e.g., Oracle EBS) can cascade into large-scale breaches across industries. Proactive patch management and supply chain risk monitoring (e.g., via SCRM platforms like Z2Data) are critical to mitigating third-party risks. Cl0p’s delayed data leak strategy highlights the importance of rapid incident response to prevent public exposure of sensitive data.

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Deploy application controls to manage software execution, Heightened vigilance, Urgent patch application, Enhance monitoring for risky logins and unauthorized account misuse, Implement phishing-resistant multifactor authentication and Maintain offline backups stored separately from source systems.

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: VMware, and Source: Broadcom PSIRT, and Source: LRQA security researchers, and Source: Federal Bureau of Investigation (FBI)Date Accessed: July 29, 2025, and Source: Cybersecurity and Infrastructure Security Agency (CISA)Date Accessed: July 29, 2025, and Source: Royal Canadian Mounted Police (RCMP)Date Accessed: July 29, 2025, and Source: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)Date Accessed: July 29, 2025, and Source: Australian Federal Police (AFP)Date Accessed: July 29, 2025, and Source: Canadian Centre for Cyber Security (CCCS)Date Accessed: July 29, 2025, and Source: United Kingdom’s National Cyber Security Centre (NCSC-UK)Date Accessed: July 29, 2025, and Source: Google Threat Intelligence Group (GITG)Date Accessed: 2025-09-24, and Source: Google Mandiant BRICKSTORM Scanner Script, and Source: NVISO Report on BRICKSTORM Windows VariantsDate Accessed: 2025-04-01, and Source: Google Report on BRICKSTORM (April 2024)Date Accessed: 2024-04-01, and Source: BleepingComputerDate Accessed: 2024-11-05, and Source: NVISO Research (Maxime Thiebaut)Date Accessed: 2024-11-04, and Source: Google Mandiant (UNC5174 Analysis), and Source: Broadcom Security Advisory for CVE-2025-41244Date Accessed: 2024-11-05, and Source: Microsoft Threat Intelligence (VMware Zero-Days, March 2024), and Source: CISA Advisory on CVE-2025-41244Url: https://www.cisa.gov/known-exploited-vulnerabilities-catalogDate Accessed: 2025-10-10, and Source: NVISO Research (Maxime Thiebaut) - Proof of ConceptDate Accessed: 2024-10-01, and Source: Google Mandiant - UNC5174 Threat Actor ProfileDate Accessed: 2024-12-01, and Source: Broadcom Security Advisory for CVE-2025-41244Date Accessed: 2025-09-10, and Source: CISA Known Exploited Vulnerabilities (KEV) CatalogUrl: https://www.cisa.gov/known-exploited-vulnerabilities-catalog, and Source: BleepingComputerUrl: https://www.bleepingcomputer.com, and Source: TechRadarUrl: https://www.techradar.com, and Source: NVISO (Proof-of-Concept Release), and Source: Google Mandiant (UNC5174 Analysis), and Source: The Register, and Source: The Register, and Source: GBHackers (GBH), and Source: U.S. Cybersecurity and Infrastructure Security Agency (CISA), and Source: UK National Cyber Security Centre (NCSC), and Source: Mandiant (Google-owned cybersecurity firm), and Source: Oracle Security Alerts (CVE-2025-61882, CVE-2025-21884), and Source: Z2Data Supplier Risk AnalysisUrl: https://www.z2data.com.

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Cisa Advisory To Federal Agencies And Private Sector, Broadcom'S Public Disclosure Of Exploitation, Cisa Advisory Via Kev Catalog, Public Disclosure By Security Researchers (E.G., Bleepingcomputer, Techradar), public disclosure via The Register; ADP issued a statement clarifying limited impact and no ransom payment, Oracle Security Alerts To Customers and Public Disclosure Via Media.

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Broadcom urged customers to apply patches immediately; no detailed advisory provided in the article., Cisa Alert To Fceb Agencies, Broadcom Customer Notifications, Urgent Patching Recommendations For Vmware Aria Operations/Tools Users, , Cisa Kev Advisory, Vmware Security Bulletin (Implied), Vmware Patch Notifications, Security Researcher Disclosures (E.G., Nviso, Mandiant), , Oracle Security Alerts Urging Immediate Patching, Mandiant’S Analysis Of Cl0P’S Modus Operandi, Companies Advised To Monitor For Data Leaks On Cl0P’S Blog Or Dark Web Marketplaces and .

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Oversights in security monitoring, Monitoring for risky logins and unauthorized account misuse, Google Threat Intelligence Group (Gitg), Mandiant, Nviso (For Windows Variants), , Nviso (Vulnerability Reporting And Poc), Google Mandiant (Threat Actor Analysis), , Broadcom (Vmware) Security Patches, Nviso (Vulnerability Research), Google Mandiant (Threat Actor Analysis), , Recommended For All Organizations, , Nviso, Google Mandiant, , Recommended For Systems Running Vmware Tools With Sdmp, , Recommended: Review Security Logs For Unauthorized Access, Deploy Edr Solutions, , Mandiant (Google-Owned Cybersecurity Firm), .

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Block Port 4011 On Firewalls, Configure The Irm Hostedserviceurl Core Setting With An Empty Value And Restart The Altiris Inventory Rule Management Service, Limit .Net Remoting Access To Localhost-Only In Upcoming Releases, , Deploy Mandiant’S Scanner Script For Brickstorm Detection., Audit And Restrict Entra Id Application Permissions., Enhance Monitoring For Websocket-Based C2 Traffic (E.G., Wss://Opra1.Oprawh.Workers[.]Dev)., Implement Network Segmentation To Isolate Vmware Environments., Extend Log Retention Policies To At Least 1 Year (To Cover 393-Day Dwell Time)., , Broadcom Released Patches For Cve-2025-41244 And Related Vmware Nsx Vulnerabilities., Nviso Published Poc To Aid Detection And Mitigation., Organizations Advised To Audit Vmware Environments For Signs Of Exploitation (E.G., Suspicious /Tmp/Httpd Binaries)., Enhanced Monitoring For Unc5174 Ttps (Tactics, Techniques, Procedures) Across Enterprise Software., , Enforce Bod 22-01 Compliance For Federal Agencies, Accelerate Patch Deployment Timelines For Critical Infrastructure, Enhance Detection Capabilities For Privilege Escalation Attempts, Conduct Threat Hunting For Unc5174 Indicators Of Compromise (Iocs), , Mandatory Patching Deadline (November 20, 2025) For Fceb Agencies., Public Disclosure Of Poc Code To Raise Awareness (Nviso)., Enhanced Collaboration Between Cisa, Vmware, And Security Researchers For Mitigation., , Immediate Application Of Oracle-Provided Security Patches., Enhanced Supplier Risk Assessments Using Scrm Platforms (E.G., Z2Data)., Implementation Of Behavioral Wafs Or Anomaly Detection For Oracle Ebs Environments., Review Of Third-Party Software Dependencies For Similar Vulnerabilities., .

Last Ransom Demanded: The amount of the last ransom demanded was ['$2 million', '$5 million'].

Last Attacking Group: The attacking group in the last incident were an SEXi ransomware (rebranded as APT INC), QilinHunters International, Scattered Spider (UNC3944, Scatter Swine, Oktapus, Octo Tempest, Storm-0875, Muddled Libra), UNC5221Silk Typhoon (disputed as same group by some vendors), UNC5174 (Chinese state-sponsored, linked to Ministry of State Security - MSS), UNC5174, UNC5174Houken (possibly linked), El Dorado ransomware group, El Dorado ransomware gangBlackLock operation, Cl0p ransomware gang and Cl0p (Clop).

Most Recent Incident Detected: The most recent incident detected was on 2021-02-01.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2023-11-20.

Highest Financial Loss: The highest financial loss from an incident was Hundreds of millions in damages.

Most Significant Data Compromised: The most significant data compromised in an incident were passwords, list of Symantec clients, government agencies, list of clients using Symantec's CloudSOC services, account managers, account numbers, , Potentially sensitive customer data, Patient record systems, Transaction databases, , Potential unauthorized data access, Login credentials of enterprise administrators, Credentials, browser data, cookies, sensitive information, Emails of Key Individuals, Files from Email Mailboxes, , Broadcom employee data, , birthdates, email addresses, phone numbers, home addresses, national ID numbers, national health insurance ID numbers, health insurance policy numbers, financial account numbers, salary details, employment termination dates, and .

Most Significant System Affected: The most significant system affected in an incident was Symantec Enterprise Products and and VMware virtualization productsPatient record systemsTransaction databases and VMware Aria OperationsCloud FoundationTelco Cloud platforms and and Symantec Endpoint Management Suite 8.6.x-8.8 and VMware ESXi hypervisorsSnowflake cloud environmentsSlackMicrosoft TeamsExchange Online and VMware vCenter ServersESXi HostsNetwork AppliancesMicrosoft Entra ID Enterprise Applications and VMware Aria Operations (credential-based mode)VMware Tools (credential-less mode) and VMware Aria Operations (with SDMP enabled)VMware Tools on vulnerable VMs and VMware Aria OperationsVMware Tools (with SDMP enabled) and Oracle E-Business Suitesupply chain operationsfinancial systemscustomer datamanufacturing operationsresearch data and Oracle E-Business Suite (EBS) versions 12.2.3–12.2.14.

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was google threat intelligence group (gitg), mandiant, nviso (for windows variants), , nviso (vulnerability reporting and poc), google mandiant (threat actor analysis), , broadcom (vmware) security patches, nviso (vulnerability research), google mandiant (threat actor analysis), , nviso, google mandiant, , mandiant (google-owned cybersecurity firm), .

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Block port 4011 on firewallsConfigure the IRM_HostedServiceUrl core setting with an empty value and restart the Altiris Inventory Rule Management Service, Scanner Script for *nix-based Appliances (Mandiant)YARA Rule (G_APT_Backdoor_BRICKSTORM_3), Patch release for CVE-2025-41244Previous patches for CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 (March 2024)NSX vulnerabilities patched (November 2024), Patch application (mandated within 3 weeks for FCEB agencies)Discontinuing use of vulnerable products if patches unavailable, Patching VMware Tools (12.4.9 for Windows 32-bit, 12.5.4 for general; open-vm-tools for Linux)Disabling SDMP if patching is not feasible, Oracle security patches (CVE-2025-61882 and CVE-2025-21884).

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were government agencies, Transaction databases, Emails of Key Individuals, birthdates, phone numbers, Broadcom employee data, Credentials, browser data, cookies, sensitive information, passwords, home addresses, national health insurance ID numbers, Login credentials of enterprise administrators, health insurance policy numbers, list of clients using Symantec's CloudSOC services, account numbers, list of Symantec clients, salary details, email addresses, national ID numbers, Potential unauthorized data access, Files from Email Mailboxes, Potentially sensitive customer data, account managers, Patient record systems, employment termination dates and financial account numbers.

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Supply chain and ERP systems are attractive targets due to their central role in business operations., Supplier vulnerabilities in enterprise software (e.g., Oracle EBS) can cascade into large-scale breaches across industries. Proactive patch management and supply chain risk monitoring (e.g., via SCRM platforms like Z2Data) are critical to mitigating third-party risks. Cl0p’s delayed data leak strategy highlights the importance of rapid incident response to prevent public exposure of sensitive data.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Conduct regular audits of enterprise software for zero-day vulnerabilities., Deploy application controls to manage software execution, Immediately apply Broadcom's patches for CVE-2025-41244 and related VMware vulnerabilities., Configure the IRM_HostedServiceUrl core setting with an empty value and restart the Altiris Inventory Rule Management Service, Review and harden VMware Aria Operations and Tools configurations, especially in credential-less modes., Enhance monitoring for risky logins and unauthorized account misuse, Implement network segmentation to limit lateral movement in case of breach., Monitor for signs of UNC5174 activity, including lateral movement and data exfiltration, Prioritize vulnerability management for VMware products in federal and private-sector environments, Apply security patches for Oracle E-Business Suite as soon as they are released., Apply Oracle security patches for CVE-2025-61882 and CVE-2025-21884 immediately., Extend log retention periods to exceed average dwell times (393+ days)., Deploy behavioral detection rules for privilege escalation attempts via service abuse (e.g., listening sockets opened by unprivileged processes)., Consider network segmentation to limit impact of compromised VMs, Monitor for suspicious binary staging in paths like /tmp/httpd or other broadly-matched regex locations., Restrict unprivileged user access to critical service discovery mechanisms in VMware environments., Develop and test incident response plans for ransomware attacks, including data exfiltration scenarios., Conduct threat hunting for indicators of UNC5174 activity, including backdoors or sold access credentials., Disable SDMP in VMware Aria Operations if patching is not immediately feasible., Conduct threat hunting for indicators of compromise (IOCs) associated with UNC5174 or Houken., Patch zero-day vulnerabilities in VMware and other appliances promptly., Limit .NET Remoting access to localhost-only in upcoming releases, Monitor network appliances (e.g., VMware) for unauthorized processes like BRICKSTORM (vami-httpd)., Enhance logging and detection capabilities for VMware environments, particularly those managed by Aria Operations., Prepare incident response plans specifically for ransomware and zero-day scenarios., Enhance monitoring for unauthenticated HTTP requests targeting Oracle EBS components., Monitor systems for signs of privilege escalation or unauthorized root access., Monitor threat intelligence sources for zero-day disclosures related to enterprise software., Enforce MFA and audit high-privilege accounts (e.g., Entra ID Enterprise Applications)., Conduct regular vulnerability assessments for critical ERP and supply chain systems., Implement phishing-resistant multifactor authentication, Maintain offline backups stored separately from source systems, Block port 4011 on firewalls, Review and update incident response plans to include scenarios involving state-sponsored espionage., Evaluate the need for network segmentation to limit lateral movement in case of breaches., Review and update incident response plans for privilege escalation scenarios, Heightened vigilance, Immediately patch VMware Aria Operations and VMware Tools to the latest versions (e.g., VMware Tools 12.4.9/12.5.4, open-vm-tools for Linux)., Monitor dark web markets for potential sales of network access linked to UNC5174 or similar actors., Immediately review security logs for unauthorized access attempts in Oracle E-Business Suite environments., Urgent patch application, Immediately apply patches for CVE-2025-41244 as per vendor guidance, Implement supply chain risk management (SCRM) tools to assess third-party vendor vulnerabilities (e.g., Z2Data)., Segment networks to limit lateral movement via credential reuse., Deploy endpoint detection and response (EDR) solutions for early threat detection. and Implement YARA rules or Mandiant’s scanner script for *nix-based systems..

Most Recent Source: The most recent source of information about an incident are Google Threat Intelligence Group (GITG), Australian Federal Police (AFP), NVISO Research (Maxime Thiebaut), CISA Known Exploited Vulnerabilities (KEV) Catalog, The Register, Cybersecurity and Infrastructure Security Agency (CISA), TechRadar, United Kingdom’s National Cyber Security Centre (NCSC-UK), U.S. Cybersecurity and Infrastructure Security Agency (CISA), LRQA security researchers, Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), VMware, Broadcom PSIRT, CISA Advisory on CVE-2025-41244, Google Mandiant - UNC5174 Threat Actor Profile, Z2Data Supplier Risk Analysis, Google Report on BRICKSTORM (April 2024), NVISO (Proof-of-Concept Release), Broadcom Security Advisory for CVE-2025-41244, GBHackers (GBH), Oracle Security Alerts (CVE-2025-61882, CVE-2025-21884), Royal Canadian Mounted Police (RCMP), NVISO Report on BRICKSTORM Windows Variants, NVISO Research (Maxime Thiebaut) - Proof of Concept, Canadian Centre for Cyber Security (CCCS), BleepingComputer, Google Mandiant (UNC5174 Analysis), UK National Cyber Security Centre (NCSC), Mandiant (Google-owned cybersecurity firm), Google Mandiant BRICKSTORM Scanner Script, Microsoft Threat Intelligence (VMware Zero-Days and March 2024).

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.cisa.gov/known-exploited-vulnerabilities-catalog, https://www.cisa.gov/known-exploited-vulnerabilities-catalog, https://www.bleepingcomputer.com, https://www.techradar.com, https://www.z2data.com .

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing.

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was CISA alert to FCEB agencies, Broadcom customer notifications, CISA KEV advisory, VMware security bulletin (implied), Oracle security alerts urging immediate patching, Mandiant’s analysis of Cl0p’s modus operandi, .

Most Recent Customer Advisory: The most recent customer advisory issued were an Broadcom urged customers to apply patches immediately; no detailed advisory provided in the article., Urgent patching recommendations for VMware Aria Operations/Tools users, VMware patch notificationsSecurity researcher disclosures (e.g., NVISO, Mandiant) and Companies advised to monitor for data leaks on Cl0p’s blog or dark web marketplaces.

Most Recent Entry Point: The most recent entry point used by an initial access broker were an unpatched zero-day vulnerability in Oracle E-Business Suite, VMware virtualization products, Social engineering, Executable File, Poisoned ad on Google Ads network and Port 4011.

Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was Since at least mid-October 2024 (per NVISO), At least since mid-October 2024 (per NVISO)Potentially longer (up to a year, per researchers), Since late September 2023 (pre-exploitation activity).

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Oversights in security monitoringIneffective segmentationDelay in implementing available patches, Exploitation of Kickidler tool, Insecure deserialization of .NET objects through the BinaryServerFormatterSinkProvider with TypeFilterLevel set to Full, Exploitation of unpatched zero-day vulnerabilities in network appliances.Lack of EDR support on targeted systems (e.g., VMware vCenter).Insufficient log retention (dwell time exceeded retention periods).Overprivileged Microsoft Entra ID applications (mail.read, full_access_as_app).Credential harvesting via HTTP basic auth and MFA bypass techniques., Privilege escalation vulnerability in VMware service discovery mechanism (broad regex path matching).Insufficient validation of unprivileged user processes opening listening sockets.Delayed public disclosure of in-the-wild exploitation (attacks began in October 2024; patch/report in November 2024).Reuse of exploit techniques across multiple vulnerabilities (e.g., CVE-2023-46747, CVE-2024-1709) by UNC5174., Delayed patching of known critical vulnerability (CVE-2025-41244)Insufficient privilege separation in VMware Tools/Aria OperationsState-sponsored actor (UNC5174) leveraging zero-day exploitation chain, Unpatched vulnerability (CVE-2025-41244) in VMware Aria Operations and VMware Tools.Insufficient monitoring for privilege escalation attempts.State-sponsored actors (UNC5174) leveraging zero-day exploits for espionage., third-party vendor vulnerability (BSH)supply chain risk during transition period, third-party vulnerability (BSH compromise)supply chain risk during payroll provider transition, Use of unpatched enterprise software (Oracle E-Business Suite) with zero-day vulnerability.Potential lack of network segmentation allowing lateral movement.Targeting by a sophisticated threat actor (Cl0p) with a history of exploiting zero-days., Unpatched zero-day vulnerabilities in Oracle EBS (CVE-2025-61882, CVE-2025-21884).Lack of real-time monitoring for unauthenticated HTTP requests targeting critical components (BI Publisher, Configurator UI).Supplier risk blind spots in enterprise software supply chains..

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Block port 4011 on firewallsConfigure the IRM_HostedServiceUrl core setting with an empty value and restart the Altiris Inventory Rule Management ServiceLimit .NET Remoting access to localhost-only in upcoming releases, Deploy Mandiant’s scanner script for BRICKSTORM detection.Audit and restrict Entra ID application permissions.Enhance monitoring for WebSocket-based C2 traffic (e.g., wss://opra1.oprawh.workers[.]dev).Implement network segmentation to isolate VMware environments.Extend log retention policies to at least 1 year (to cover 393-day dwell time)., Broadcom released patches for CVE-2025-41244 and related VMware NSX vulnerabilities.NVISO published PoC to aid detection and mitigation.Organizations advised to audit VMware environments for signs of exploitation (e.g., suspicious /tmp/httpd binaries).Enhanced monitoring for UNC5174 TTPs (tactics, techniques, procedures) across enterprise software., Enforce BOD 22-01 compliance for federal agenciesAccelerate patch deployment timelines for critical infrastructureEnhance detection capabilities for privilege escalation attemptsConduct threat hunting for UNC5174 indicators of compromise (IOCs), Mandatory patching deadline (November 20, 2025) for FCEB agencies.Public disclosure of POC code to raise awareness (NVISO).Enhanced collaboration between CISA, VMware, and security researchers for mitigation., Immediate application of Oracle-provided security patches.Enhanced supplier risk assessments using SCRM platforms (e.g., Z2Data).Implementation of behavioral WAFs or anomaly detection for Oracle EBS environments.Review of third-party software dependencies for similar vulnerabilities..