Red Hat, has been allegedly been hit by a breach and this has been posted by Crimson Collective hackers group on Telegram. The cyber criminals claim they’ve snatched private GitHub repositories, which include sensitive data about approximately 800 customers’ networks.
Key points from the RedHat Breach
Data from 28,000 internal projects at Red Hat has allegedly been stolen.
The hacker group Crimson Collective claims to have stolen nearly 570GB of data.
Extortion group known as Crimson Collective posted of they gaining access to over 28,000 Red Hat repositories, containing 570.2 GB in total.
The data extracted data allegedly includes around 800 Customer Engagement Reports (CERs), exposing sensitive customer information, such as their network configurations.
The hackers posted the claims on a Telegram channel created on September 24th, 2025. As proof, the cybercriminals provided the entire file tree, a list of allegedly stolen CERs, and some other screenshots.
According to International Cyber Digest, these include the National Security Agency (NSA), the Department of Energy, the National Institute of Standards and Technology (NIST), IBM, Citi, Verizon, Siemens, Bosch, JPMC, HSBC, Telefonica, other major telecoms, banks, and many other organizations.
“Source code and consulting engagement reports (CERs), if leaked, can help attackers analyze internal company infrastructure and software running on that infrastructure. This makes it significantly easier and faster to identify vulnerable attack vectors for potential attackers, “ said Aras Nazarovas, information security researcher at Cybernews.
RedHat confirmed the attack
According to the attackers, they found authentication keys, full database URIs, and other private information in the Red Hat code and CERs, which they allegedly used to gain access to downstream customer infrastructure.
On Telegram, the hacker group published a complete directory listing of stolen GitHub repositories, along with a list of customer reports from the period 2020-2025.
Red Hat has confirmed the security incident relating to its GitLab instance, but declined to comment on the attackers’ specific claims regarding the GitHub repositories and customer reports. The company emphasizes that there is no reason to believe that the security issue affects other Red Hat services or products. Red Hat says it is very confident in the integrity of its software supply chain.
The CER list includes organizations from various sectors, including major international names such as Bank of America, T-Mobile, AT&T, Fidelity, and Walmart.
Extortion Demands by Hackers
The data breach on RedHat was also an attempt to contact Red Hat and get through with extortion demands. The cybercriminals received a response asking them to submit a vulnerability report to the security team.
The ticket created by cyber criminals was reportedly forwarded repeatedly to various individuals, including employees of Red Hat’s legal and security departments.
A critical flaw in AzureD supported cyber criminals to get access to the digital keys in Azure cloud environment and discovered by Resecurity researchers .
The action enabled unauthorized token requests against Microsoft’s OAuth 2.0 endpoints and giving adversaries a direct path to Microsoft Graph and Microsoft 365 data.
A small critical cloud misconfiguration can give access to cyber attackers to infiltrate and this happened to Azure D when their Cloud native application configuration file for ASP.NET Core applications has been leaking credentials for Azure ActiveDirectory (AD).
Cloud application are not merely hosted in the cloud instead they are built to thrive in a cloud environment, providing unprecedented scalability, resilience and flexibility making them game changer.
Recently the publicly accessible configuration file for ASP.NET Core applications has been leaking credentials for Azure ActiveDirectory (AD). This potentially led attackers to authenticate directly via Microsoft’s OAuth 2.0 endpoints and infiltrate Azure cloud environments.
This issue cannot be overlooked by enterprise as the discovery by Resecurity’s HUNTER team exposed Azure AD credentials ClientId and ClientSecret — exposed in an Application Settings (appsettings.json) file on the public Internet.
Once the credentials lands up in hackers domain any malicious activates can be conducted and compromise an organization’s Azure-based cloud deployment simultaneously retrieve sensitive data from SharePoint or Exchange Online etc. Further abuse of Graph API for privilege escalation or persistence; and the deployment of malicious applications under the organization’s tenant.
Exploiting AzureD FlawThe attack flow
To exploit the flaw, an attacker can first use the leaked ClientId and ClientSecret to authenticate against Azure AD using the Client Credentials from OAuth2 flow to acquire an access token.
Once this is acquired, the attacker then can send a GET request to the Microsoft Graph API to enumerate users within the tenant.
This allows them to collect usernames and emails; build a list for password spraying or phishing; and/or identify naming conventions and internal accounts, according to the post.
Cyber attacker also can query the Microsoft Graph API to copy OAuth2 to take permission grants within the tenant, revealing which applications have been authorized for further permissions, they hold.
Once acquired token allows an attacker to use group information to identify privilege clusters and business-critical teams.
Protecting Enterprise from getting Azure secrets exposed.
Enterprise failing to practice regular scanning, penetration tests, or code reviews, exposed cloud files can remain unnoticed until attackers discover them and exploit them, according to the post.
Further for better security posture enterprise can restricting file access; removing secrets from code and configuration files; rotating exposed credentials immediately; enforcing least privilege principles and setting up monitoring and alerts on credential use, according to the post.
Importance of automation in cloud native application
Implement continuous integration and continuous deployment (CI/CD) pipelines to automate building, deploying, and testing cloud native applications. Manage and provision cloud infrastructure using code, allowing for version control and repeatability.
Several benefits of following best practices when developing cloud native apps, like increased scalability, fewer occurrences of critical failures, and high efficiency
Enterprises having product based focus will go for cloud-first approach and ask questions on how to go about cloud computing etc.
What could have happened or will happen if not looked into Azure Active Directory (Azure AD) flaw?
Azure Active Directory (Azure AD) termed as high impact in terms of vulnerability.
Once authenticated, attackers can:
Retrieve sensitive SharePoint, OneDrive, or Exchange Online data via Graph API calls.
Enumerate users, groups, and roles, mapping out the tenant’s privilege model.
Abuse permission grants to escalate privileges or install malicious service principals.
Deploy rogue applications under the compromised tenant, creating persistence and backdoors.
Enterprises must perform compliance checks to ensure that application designed meets industry standards and regulatory requirements. Once robust auditing and reporting mechanisms is on track that changes any access to sensitive data.
The United States remains the primary target for Ransomware attacks
UK is preparing to ban any Ransomware payments for critical infrastructure companies
Manufacturing, Technology and Healthcare top targeted sectors, with the Oil & Gas industry experiencing a remarkable 935% increase in attacks as per Zscaler report
RaaS market growth drivers
There has been improvement in cyber resilience but it has been observed when too many entities pay ransom, each payment provides gateway for next attack as the payment incentivise.
Ransomware attack target pattern reveals how threat actors are strategically focusing on industries where operational disruption, data sensitivity, and regulatory concerns create maximum leverage.
In the beginning of July 2025, Federal authorities, including the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), have issued a high-priority advisory warning about the escalating threat posed by the Medusa ransomware group.
Medusa ransomware group ramped up its attacks, increasingly targeting users of major email service providers like Gmail and Outlook. Medusa’s reach extends across multiple industries, with healthcare, education, legal services, insurance, technology, and manufacturing among the hardest hit.
Now UK is preparing to ban any Ransomware payments for critical infrastructure companies, local governments, schools and publicly funded entities like the NHS. The new ransomware payment proposal is just one part of a package of new regulations slated to soon go into effect in the UK, mostly centered on the Cyber Resilience Bill.
The new UK rules would additionally require all business types that are not impacted to notify the government when they intend to make a ransomware payment and may be required to seek guidance on the possibility of the payment violating sanctions on cybercriminal groups.
Surge in ransomware attacks
Zscaler released its annual ThreatLabz 2025 Ransomware Report, revealing a dramatic 146% surge in ransomware attacks blocked by their cloud platform
The report highlights a significant shift in attack strategies, with threat actors increasingly focusing on data extortion over encryption.
Key findings show that ransomware groups stole 238 TB of data, representing a 92% increase year-over-year.
The report identifies Manufacturing, Technology, and Healthcare as the most targeted sectors, with the Oil & Gas industry experiencing a remarkable 935% increase in attacks.
The United States remains the primary target, accounting for 50% of all attacks with 3,671 incidents. RansomHub emerged as the most active group with 833 publicly named victims, followed by Akira (520) and Clop (488).
Ransomware and Crypto market
Well ransomware technique might have changed its pattern but not tactics, with crytpcurrencies it marked a major change and turning point in the world of cyber security.
How can we forget WannaCry (2017), it was perhaps the most infamous ransomware attack in history, caused global disruption by exploiting a Windows vulnerability.
The demand was Bitcoin, but its scale and method were more advanced but not the first.
BlackSuit ransomware extortion sites seized in Operation Checkmate
Law enforcement has seized the dark web extortion sites of the BlackSuit ransomware operation, which has targeted and breached the networks of hundreds of organizations worldwide over the past several years.
Yesterday 28 july, the websites on the BlackSuit .onion domains were replaced with seizure banners announcing that the ransomware gang’s sites were taken down by the U.S. Homeland Security Investigations federal law enforcement agency as part of a joint international action codenamed Operation Checkmate.
Key trends Key driving the Ransomware Protection Market
The demand for ransomware protection solutions is further fuelled by the growing number of cyber-attacks targeting businesses, particularly in the BFSI sector, which remains the largest revenue generator in the market.
The demand for RaaS based products growing due to corporate digitization, and the advent of crypto currency like Bitcoin are the key market drivers enhancing the market demand and growth.
This include technological advancements and increasing cyber threats.
Market size in 2024: USD 32.24 billion; projected to reach USD 93.35 billion by 2032.
End-point security segment accounted for 35% of market revenue.
BFSI sector generated the most income, with significant ransomware attacks reported.
Managed services segment dominated the market, catering to SMEs for enhanced cyber security.
Of all the reasons, cyber attacks now focus on any vulnerability as many businesses are switching to cloud services. In response to the ransom, distributed denial-of-service (DDoS) attacks are launched, which continue until the ransom is paid or the data risks being permanently lost.
Cybercriminals may breach into sites for trading cryptocurrencies and steal money. Crypto currency is currently the most widely used payment method in the event of a ransomware attack
Email remained the primary entry point in 96% of the reviewed breaches, accounting for 93%.
Social attacks are roughly three times more likely to cause breaches in businesses than physical vulnerabilities, highlighting the importance of regular staff cybersecurity training.
It has caused business to start researching ransomware defenses and has significantly increased demand for these defenses in the market under investigation.
Around the world, there are more data leaks and other security breaches. Phishing attacks have been used against numerous businesses from various industries at some point.
APEC market for Ransomware expected to grow
The Asia-Pacific Ransomware Protection Market is expected to grow at the fastest CAGR from 2023 to 2032.
This is due to the growing economies of China, India, and Australia spending extensively on cyber security solutions; Asia Pacific is also predicted to have growth potential in the ransomware prevention market.
Moreover, China’s Ransomware Protection market held the largest market share, and The Asia-Pacific region’s fastest-growing market for ransomware protection was India.
The market for Ransomware Protection industry has recently provided some of the most important benefits. Major players in the Ransomware Protection market, are attempting to increase market demand by investing in research and development operations.
Ransomware Protection Industry Developments
Intrucept has launched Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.
Identify latest threats without having to purchase, implement, and oversee several solutions or find, hire, and manage a team security analyst.
Unify latest threat intelligence and security technologies to prioritize the threats that pose the greatest risk to your company.
Here are some features we offer:
Over 400 third-party and cloud integrations.
More than 1,100 preconfigured correlation rules.
Ready-to-use threat analytics, threat intelligence service feeds, and prioritization based on risk.
Prebuilt playbooks and automated response capabilities.
Summary : Grafana has issued urgent patches to address multiple high-severity vulnerabilities stemming from underlying flaws in the Chromium V8 JavaScript engine.
The most critical of these, CVE-2025-6554, is a zero-day vulnerability that was actively exploited in the wild. Several of these bugs, if unpatched, could allow attackers to execute arbitrary code, perform memory corruption or bypass sandbox protections via malicious HTML content.
Grafana users running affected versions of Image Renderer and Synthetic Monitoring Agent are strongly advised to update immediately.
Grafana has patched four high-severity Chromium V8 vulnerabilities in its Image Renderer and Synthetic Monitoring Agent. The most critical, CVE-2025-6554 is a zero-day type confusion bug that was actively exploited. Other flaws include CVE-2025-5959 (remote code execution), CVE-2025-6191 (integer overflow) and CVE-2025-6192 (use-after-free).
Affected versions are Image Renderer < 3.12.9 and Synthetic Monitoring Agent < 0.38.3. Users should update immediately to stay protected.
CVE ID
System Affected
Vulnerability Details
Impact
CVE-2025-6554
Chrome on Windows, macOS, Linux
Type confusion in the V8 JavaScript engine allows improper memory handling, leading to code execution
Remote code execution. Potential system compromise.
CVE-2025-5959
Chrome on Windows, macOS, Linux
Type Confusion in V8 in Google Chrome prior to allowing a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Remote code execution. Potential system compromise.
CVE-2025-6191
Chrome on Windows, macOS, Linux
Integer overflows in V8 in Google Chrome prior to allowing a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.
Arbitrary code execution. Memory Corruption.
CVE-2025-6192
Chrome on Windows, macOS, Linux
Use after free in Metrics in Google Chrome prior to allowing a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Arbitrary code execution.
Remediation:
Users should immediately update Google Chrome to the latest patched version:
Other Chromium-based browsers (Edge, Brave, Opera etc.) should also be updated as patches become available from their respective vendors.
Conclusion: The criticality of CVE-2025-6554, CVE-2025-5959, CVE-2025-6191, CVE-2025-6192 in the wild highlights the urgency of applying the latest Chrome security update.
Type confusion vulnerabilities like this can lead to full system compromise and are highly sought-after by cybercriminals. Users and organizations should take immediate action to mitigate potential risks.
As sophisticated cyber threat grows so is the cost and leaders are now preferring to leverage AI for improved threat detection, incident response and cost optimization.
Wipro report on ‘State of Cybersecurity Report 2025’ say 35% cybersecurity leaders which is nearly 33%, globally are opting for AI-driven automation at the forefront of their strategic priorities.
The report surveyed over 100 global cybersecurity leaders and consultants and found that AI-driven automation and cost optimization were among the main cybersecurity priorities for organizations.
Key findings:
30% of respondents state that investing in AI automation to bolster cybersecurity operations and reduce costs is a top priority.
Other strategies used by CISOs to optimize costs include tools rationalization (26%), security and risk management process optimization (23%) and operating model simplification (20%). The report also highlights the growing role of AI in managing cyber threats and how investing in advanced AI-driven security solutions, continuously monitoring AI developments.
Fostering a culture of innovation and adaptation within cybersecurity teams can play a significant role in risk management.
Many CISOs are leveraging AI to improve threat detection and response times (31 %) and to build enhanced incident response capabilities (24%).
“Cybersecurity budgets are struggling to keep pace with the growing sophistication of cyber threats,” said Tony Buffomante, SVP & Global Head — Cybersecurity & Risk Services, Wipro Limited. “AI offers a solution by helping organizations strengthen defenses while optimizing costs. This allows CISOs to adopt a more outcome-driven focus by prioritizing risk-adjusted returns on investments.
However, even with AI’s growing significance, the implementation of Zero Trust security frameworks remains the predominant investment focus for nearly all surveyed leaders.
AI The crime enabler
In the beginning of 2025, reports came from various sources attackers are weaponizing AI and what cyber security leaders will do about it.
We all know how AI AI has been a good force in helping organizations detect anomalies, automate security responses and to some extent strengthen defense measures. But cost is high and requires lot of investments which many organizations are unbale to do.
At the same time cybercriminals have started to leverage the same technology to supercharge their attacks. The dark web we all know has long been a marketplace for malware and stolen credentials, but in 2025, we’re seeing a surge in AI-powered Cybercrime-as-a-Service (CaaS). Even low-skilled hackers can now rent AI-driven attack tools, making sophisticated threats accessible to a wider pool of cybercriminals.
But what is concerning the type of attacks that selects high-value targets, customizes ransom demands and known as Automated ransomware.
Also malicious actors deploying AI Bots scan for vulnerabilities and analyze defenses, to launch cyber attacks with precisions.
Lot of voice and video spoofing kits have arrived in the market embedded with AI tools that generate convincing deepfake audio or video for fraud and impersonation scams.
Wake up call for Business & Organization
The rise of AI-powered cyber threats is a wake-up call for businesses, governments, and individuals alike and the ‘State of Cybersecurity Report 2025‘ exactly pin-points the necessity to have AI automation to bolster cybersecurity operations and reduce costs.
The next wave of cyber crime is going to be more tactful embedded with AI. AI can analyze vast amounts of publicly available data to create detailed psychological profiles of potential victims.
This enables cyber criminals and prepares them for highly targeted and persuasive social engineering attacks. Having automation driven by AI allows attacks to unfold much more rapidly, leaving defenders with less time to react.
Conclusion: AI-Powered Security Solutions: Just as attackers are leveraging AI, so too must defenders. Implementing AI-powered security tools will act as first line defense and will be able to adapt to new threats in real-time.
