Daily Cyber Briefing
The Daily Cyber Briefing delivers concise, no-fluff updates on the latest cybersecurity threats, breaches, and regulatory changes. Each episode equips listeners with actionable insights to stay ahead of emerging risks in today’s fast-moving digital landscape.
Daily Cyber Briefing
Hacking Harvard, Pixels, and Patches: The Cl0p, Pixnapping, and RMPocalypse Rundown
This morning, we dive deep into major zero-day exploitation, including the Cl0p campaign targeting Oracle EBS, which has claimed Harvard University as a victim. We also dissect the new Pixnapping attack stealing 2FA codes from Android phones and examine the urgent implications of the RMPocalypse flaw affecting AMD's confidential computing.
Host: Mike Housch Podcast: Cyber Scoops & Digital Shenanigans
Mike Housch (0:06): Welcome back to Cyber Scoops & Digital Shenanigans, the podcast where we break down the most critical cybersecurity news of the week. I’m your host, Mike Housch, and if you thought the beginning of October was quiet, think again. We have zero-days, massive data dumps, and a major headache for CISOs managing legacy systems. We're covering the Cl0p fallout hitting higher education, a clever new Android pixel-stealing attack, and a serious vulnerability that shatters AMD’s confidential computing promises. Let’s dive in.
(Segment 1: The Oracle EBS Crisis and Harvard)
Mike Housch (0:47): Our lead story this week is the widening fallout from the zero-day attacks targeting Oracle’s E-Business Suite, or EBS. For those unfamiliar, EBS is a deeply critical enterprise resource planning (ERP) solution that often holds an organization’s most sensitive administrative data. We now have our first confirmed victim: Harvard University.
Mike Housch (1:11): Hackers connected to the Cl0p ransomware group have claimed responsibility, posting links on their data leak website pointing to over 1.3 terabytes of archive files allegedly stolen from Harvard. While SecurityWeek hasn't verified the content of those leaked files, Harvard confirmed they were targeted in the Oracle EBS campaign. They noted that their investigation is ongoing, but they currently believe the incident impacts "a limited number of parties associated with a small administrative unit".
Mike Housch (1:45): Harvard stated that the vulnerability exploited by the hackers has since been patched, and they have found no evidence of other systems being compromised. However, the scope of this attack is much wider than just one university. According to Google’s Threat Intelligence Group (GTIG) and Mandiant, dozens of organizations are believed to have been targeted in this campaign. Some researchers even warn the real number may exceed a hundred.
Mike Housch (2:16): What makes the EBS environment such a tempting target? The information typically stored there is gold for criminals: financial, customer, supplier, HR, and inventory data. The attack campaign appears to have involved exploiting both known and zero-day vulnerabilities, alongside the deployment of sophisticated malware. The extortion emails sent to targeted executives were deployed on behalf of the Cl0p ransomware group, leveraging the reputation Cl0p built from past successful campaigns against file transfer products like MOVEit, Fortra, and Accellion.
Mike Housch (2:55): The timeline here is critical. Exploitation of software flaws appears to have started around August 9th, though Google has indicated that the attacks may have begun even earlier, possibly as early as July 10th. This gave the criminals a massive head start—potentially months—before the first fixes were rushed out. We’ve also seen Oracle rush out an additional emergency patch (CVE-2025-61884, CVSS score of 7.5) affecting the Runtime UI component in EBS, which can be exploited remotely without authentication to potentially allow access to sensitive resources. This ongoing flurry of patches suggests the fallout is far from over. For enterprise admins, the Oracle EBS suite has absolutely become a "weekend wrecker".
(Segment 2: Pixnapping Android Flaw)
Mike Housch (4:00): Now let’s shift gears to a fascinating new threat affecting mobile users: an attack codenamed Pixnapping. This is a nasty side-channel attack that targets Android devices from Google and Samsung running versions 13 through 16. The scariest part? It can covertly steal sensitive data, including two-factor authentication (2FA) codes, Google Maps timelines, emails, and chat messages, without needing any special Android permissions.
Mike Housch (4:37): Pixnapping works by exploiting Android APIs and a hardware side-channel known as GPU.zip. Essentially, a malicious app tricks the system into sending victim app pixels into the rendering pipeline. The rogue app then uses semi-transparent activities and the Android window blur API to mask, enlarge, and transmit the target pixels, one by one, using the side-channel. Researchers described the outcome as being "as if the malicious app was taking a screenshot of screen contents it should not have access to".
Mike Housch (5:16): The attack targets information that is visible on the screen. A particularly good target is Google Authenticator, because the position of the 2FA code is highly predictable. During testing, researchers were able to capture 2FA codes in under 30 seconds—which is crucial since Authenticator codes expire quickly. However, success rates varied, ranging from 29% to 73% on Pixel devices, and researchers were unable to recover codes on a Samsung Galaxy S25 within the 30-second window.
Mike Housch (5:51): Google assigned the vulnerability the ID CVE-2025-48561 and rolled out a patch in the September 2025 Android Security Bulletin. However, the bad news is that researchers have already found a workaround that can re-enable Pixnapping. Google is currently working on an additional fix, which is expected to be available in December. Additionally, this same behavior can be used to determine if an arbitrary app is installed on the device, bypassing restrictions designed to prevent querying the list of all installed apps—a flaw Google has marked as "won't fix".
(Segment 3: RMPocalypse and Confidential Computing)
Mike Housch (6:55): From software vulnerabilities, we move to a critical hardware security defect affecting AMD processors. Academic researchers from ETH Zurich have unveiled RMPocalypse, an attack that fundamentally breaks confidential computing integrity guarantees in AMD’s Secure Encrypted Virtualization with Secure Nested Paging, or SEV-SNP.
Mike Housch (7:20): This vulnerability, tracked as CVE-2025-0033, is a race condition that occurs when the AMD Secure Processor (ASP) initializes the Reverse Map Table, or RMP. The RMP is a crucial component added to SEV-SNP specifically to prevent hypervisors from tampering with guest page mappings. The problem is that during initialization, the ASP does not adequately protect the memory containing the RMP, creating a "catch-22" scenario.
Mike Housch (7:55): RMPocalypse exploits this incomplete protection by allowing a malicious hypervisor to corrupt the RMP during setup. The attack is terrifyingly efficient: the researchers found that a single overwrite of just 8 bytes within the RMP causes the entire RMP to become compromised. With a compromised RMP, all SEV-SNP integrity guarantees are void, leading to a full breach of confidentiality.
Mike Housch (8:26): Successful exploitation allows an attacker to arbitrarily tamper with confidential virtual machines (CVMs) and exfiltrate all secrets with a 100% success rate. The researchers demonstrated the impact by enabling debug mode on production-mode CVMs, faking attestation, and injecting code.
Mike Housch (8:48): Which chips are affected? AMD has confirmed that its EPYC™ 7003, 8004, and 9004 Series Processors are vulnerable. AMD has already released fixes and sent patches to OEMs, who are expected to roll out BIOS updates. Microsoft has also acknowledged the issue, stating they are working on updates to remediate it in Azure Confidential Computing’s AMD-based clusters, although they believe in-the-wild exploitation is less likely due to security guardrails already in place.
(Segment 4: The Windows 10 Cliff and Supply Chain Theft)
Mike Housch (9:50): Finally, let's hit on two critical topics that should be dominating CISO meetings right now. First, the ticking clock on legacy operating systems. As of today, October 14, 2025, Windows 10 has reached end of support, or EOS. This means Microsoft will no longer provide free software updates, technical support, or, most critically, security patches.
Mike Housch (10:17): Here's the kicker: despite the deadline, Windows 10 is still running on hundreds of millions of devices. Various reports show that Windows 10 maintains a market share of at least 40%. Specifically for corporate users, Kaspersky data suggests Windows 10 is present on nearly 60% of systems. This massive installed base is now highly vulnerable to new cyberattacks.
Mike Housch (10:48): Organizations that can't immediately upgrade to Windows 11 have the option of enrolling in the Extended Security Updates (ESU) program. This offers security updates until October 13, 2026, but it comes at a price: $61 per device for commercial organizations, and that price will double each year for up to three years. Experts like Jon Abbott of ThreatAware stress that while ESU is a temporary solution, organizations must ensure every Windows 10 device is eventually updated or decommissioned. The highest priority should be given to devices handling sensitive data under regulations like GDPR, SOX, or PCI-DSS.
Mike Housch (11:30): Switching focus to the development world, we are seeing dangerous new tactics in software supply chain attacks. Researchers have identified several malicious packages across development ecosystems like npm, Python (PyPI), and RubyGems that are leveraging Discord as an effective Command-and-Control, or C2, channel.
Mike Housch (11:53): Why Discord? Attackers love Discord webhooks because they are write-only, free, fast, and allow actors to avoid maintaining their own hosting infrastructure. These malicious packages—such as mysql-dumpdiscord on npm and malinssx on PyPI—are designed to exfiltrate stolen developer data, including sensitive configuration files like .env files, API keys, and host details.
Mike Housch (12:25): We are also tracking a state-directed operation called "Contagious Interview," linked to North Korean threat actors. They publish hundreds of malicious packages, often using typosquatting (like dotevn instead of dotenv), to target Web3, cryptocurrency, and blockchain developers. If a job seeker clones a booby-trapped repository, the package runs locally and acts as a stealer (like BeaverTail), harvesting everything from browser credentials and cryptocurrency wallet data to macOS Keychain and keystrokes. This campaign demonstrates a durable, factory-style approach to using the npm ecosystem for initial access.
Mike Housch (13:17): This week's news highlights that compromise can come from any direction: enterprise ERP systems being hit by established ransomware groups like Cl0p, mobile phones susceptible to innovative side-channel attacks like Pixnapping, or critical hardware infrastructure vulnerable to deep-seated flaws like RMPocalypse.
Mike Housch (13:38): The common threads are clear: patching urgency is paramount—especially when dealing with zero-days and rushing fixes. And visibility into your entire estate—from your enterprise Oracle systems to unmanaged Windows 10 endpoints—is essential for risk management.
Mike Housch (13:58): We’ve run out of time, but thank you for tuning into Cyber Scoops & Digital Shenanigans. Stay safe out there, apply those patches, and we’ll catch you next week for more scoops and shenanigans.