Content

01. News Bites
  • Oracle denies breach as hacker allegedly leaks companies impacted
  • VanHelsing ransomware emerges as a new multi-platform threat
  • Ukraine rail ticketing hit by major cyber-attack
  • Pro-Russian hackers target Belgian government websites in DDoS attack
  • Cyberattack hits South Africa’s top poultry producer Astral Foods
  • Google patches Chrome zero-day exploited in targeted APT attacks
  • NHS software provider fined £3m over ransomware breach
  • 306 arrested in major INTERPOL cybercrime operation across Africa
02. Conclusion

Quick News Bites

Oracle denies breach as hacker allegedly leaks companies impacted

This week an attacker claimed to have breached part of Oracle's cloud service. Oracle publicly denied that any of its services were affected. However, a threat actor using the handle ‘rose87168’ shared data samples allegedly taken from Oracle Cloud servers, and several of the companies named in them have since anonymously confirmed to security researchers and media outlets that the data is genuine. The attacker claimed to hold authentication data and encrypted passwords for around 6 million users, and named CVE-2021-35587, a vulnerability in Oracle Access Manager (a component of Oracle Fusion Middleware 11g), as the attack vector.

Evidence from the Wayback Machine suggests the threat actor was at one point able to create files on Oracle's login.us2.oraclecloud.com server: an archived copy of the host shows a publicly accessible file containing the attacker's e-mail address, a common way of proving write access to a target.

Despite Oracle's firm denial that its Cloud systems were compromised, the leaked samples contain valid LDAP records, email addresses and domains linked to a large number of government agencies and businesses. The server in question has since been taken offline, and investigations are ongoing. Until the dispute is resolved, Oracle Cloud customers should treat the samples as potentially genuine and review the SSO and LDAP credentials they hold on the platform.

VanHelsing ransomware emerges as a new multi-platform threat

A new ransomware-as-a-service (RaaS) operation called VanHelsing has surfaced, targeting Windows, Linux, BSD, ARM, and ESXi systems. First promoted on cybercrime forums on 7 March, it offers experienced affiliates free access while requiring a $5,000 deposit from newcomers.

According to Check Point and CYFIRMA, VanHelsing is operated by Russian cybercriminals who ban attacks in CIS countries. Affiliates retain 80% of ransom payments, which are processed via a blockchain-based escrow system. Victim files are exfiltrated and stored on the gang’s servers.

Written in C++, VanHelsing uses ChaCha20 encryption and supports stealth features, such as delayed file renaming to avoid detection. Its dark web extortion site currently lists three victims, including a Texas city and two tech firms.

Though still evolving, the malware shows signs of immaturity—such as logic bugs and incomplete command-line flags—yet its rapid development and wide targeting make it one to watch. Experts warn of rising risk if adoption grows.

Ukraine rail ticketing hit by major cyber-attack

A large-scale cyber-attack disabled online ticket sales for Ukraine's national railway, Ukrzaliznytsia. In a Telegram post on 24 March, the company described the attack as “systematic, complex, and multi-level” and said its online booking system would remain offline until at least 25 March.

Despite the disruption, trains continue to run on schedule thanks to backup protocols. Passengers are being urged to buy tickets at staffed ticket offices, which now have extended hours, or onboard the train. The public is also asked to avoid crowding stations unless travel is imminent.

Ukrzaliznytsia is working with the SBU’s Cyber Department and CERT-UA to restore services, warning that full recovery will only happen after security checks.

With airports closed due to war, Ukraine’s railways are crucial to national transport. Just days earlier, the railway was hit by a Russian strike. Yet services persist—undeterred by either physical or digital attacks.

Pro-Russian hackers target Belgian government websites in DDoS attack

The pro-Russian hacktivist group NoName057(16) disrupted several Belgian government websites on Thursday, targeting platforms including MyGov.be and the Walloon Parliament's site. MyGov.be, which gives citizens access to official documents, was unreachable for part of the day, and other government portals in Brussels and Wallonia also experienced downtime.

The Centre for Cybersecurity Belgium responded quickly, alerting the relevant authorities. Researchers confirmed the involvement of NoName057(16), a group that has repeatedly targeted Belgium, including in a similar five-day campaign last October.

This latest Distributed Denial-of-Service (DDoS) attack was reportedly in protest of Belgium’s recent €1 billion aid package to Ukraine, announced by Defence Minister Theo Francken during a meeting with President Volodymyr Zelensky earlier this month.

DDoS attacks cause temporary disruption by flooding servers with more traffic than they can handle; on their own they give the attacker no access to data, although they are sometimes used to draw attention away from other activity. Most of the affected websites are back online, though the authorities warn that further disruption remains possible.

Cyberattack hits South Africa’s top poultry producer Astral Foods

South Africa's largest poultry producer, Astral Foods, has reported losses of more than $1 million following a cyberattack on 16 March. The incident disrupted processing and delivery operations, causing significant delays and lost revenue.

In a statement to investors, Astral confirmed it activated its disaster recovery protocols to restore systems, and all business units are now functioning normally. The attack reportedly caused roughly 20 million rand ($1 million) in lost profits, and the company warned of a major hit to earnings per share for the current financial period.

Astral said no sensitive data was compromised. The exact nature of the attack remains unclear, and no ransomware group has claimed responsibility.

Agricultural and food producers remain high-value targets for ransomware gangs due to their role in critical supply chains.

Google patches Chrome zero-day exploited in targeted APT attacks

Google has issued an emergency fix for a high-severity Chrome vulnerability (CVE-2025-2783) that is being actively exploited in targeted attacks against Russian organisations. The flaw, rated 8.3 on the CVSS scale, is described by Google as an incorrect handle provided in unspecified circumstances in Mojo, Chrome's inter-process communication (IPC) layer, on Windows.

The exploit is being tracked as part of an advanced persistent threat (APT) campaign dubbed “Operation ForumTroll”. Victims were infected simply by clicking a link in a phishing email, which took them to a malicious website that exploited the Chrome zero-day to escape the browser's sandbox; no further interaction was required.

Espionage is the campaign's objective, with victims including media outlets, academic institutions and government bodies. CVE-2025-2783 supplies the sandbox escape; researchers believe it was chained with a second exploit that achieved remote code execution inside the browser, but that exploit has not been recovered and remains unidentified.

Chrome users are urged to update immediately to version 134.0.6998.177 or .178. Other Chromium-based browsers such as Edge and Brave share the same Mojo code but carry their own version numbers, so their users should install the corresponding vendor updates as they become available.
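The natural follow-up to that advice is to find the installations that are still on an older build. The script below is an added example, not code from this bulletin or from Google: it parses Chrome's four-part version strings and compares them field by field, because a plain string comparison sorts 134.0.6998.89 above 134.0.6998.177 and would mark an unpatched machine as safe. The hostnames and versions in the inventory are constructed sample data, and the comparison is only meaningful for Chrome itself, not for Edge or Brave, whose version numbers differ.

```python
"""Flag Chrome installs that are still vulnerable to CVE-2025-2783.

Added example for this bulletin, not Google's code. Chrome versions have four
numeric parts (major.minor.build.patch) and must be compared field by field:
as strings, "134.0.6998.89" sorts *after* "134.0.6998.177" even though it is
the older, unpatched build.
"""
from __future__ import annotations

import re
from typing import Iterable

# Fixed builds named in the bulletin; any later release also carries the fix.
FIXED_VERSIONS = ("134.0.6998.177", "134.0.6998.178")

_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Turn '134.0.6998.177' into (134, 0, 6998, 177); reject anything else."""
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"not a four-part Chrome version: {version!r}")
    major, minor, build, patch = (int(part) for part in version.split("."))
    return (major, minor, build, patch)


# Earliest build that contains the fix; everything >= this is patched.
MIN_FIXED = min(parse_version(v) for v in FIXED_VERSIONS)


def is_patched(version: str) -> bool:
    """True if the installed build is at or above the earliest fixed build."""
    return parse_version(version) >= MIN_FIXED


def triage(inventory: Iterable[tuple[str, str]]) -> dict[str, list[str]]:
    """Sort (host, version) pairs into patched / vulnerable / unparseable buckets.

    Hosts whose agent reported something that is not a version string are kept
    separate rather than silently treated as safe.
    """
    buckets: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unparseable": []}
    for host, version in inventory:
        try:
            key = "patched" if is_patched(version) else "vulnerable"
        except ValueError:
            key = "unparseable"
        buckets[key].append(host)
    return buckets


# Constructed sample inventory (hypothetical hostnames), as an endpoint agent
# might export it. Not real hosts.
SAMPLE_INVENTORY = [
    ("ws-finance-01", "134.0.6998.177"),
    ("ws-finance-02", "134.0.6998.89"),    # string comparison would call this newer
    ("ws-legal-07", "133.0.6943.142"),
    ("ws-dev-12", "135.0.7049.41"),
    ("ws-kiosk-03", "unknown"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:12s} {', '.join(hosts) or '-'}")
```

Feed it the (host, version) pairs your endpoint agent or browser management console exports; anything in the "unparseable" bucket needs a manual look rather than being assumed up to date.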

NHS software provider fined £3m over ransomware breach

The Information Commissioner's Office (ICO) has fined Advanced Computer Software Group just over £3 million for serious security failings that led to a ransomware attack in August 2022. The breach exposed sensitive data belonging to 79,404 people, including patient phone numbers and medical records and, for 890 people receiving care at home, details of how to gain entry to their homes.

The ICO found that the attackers gained initial access through a customer account that did not have multi-factor authentication (MFA) enabled. Advanced had rolled out MFA across many of its systems, but “the lack of complete coverage” was cited as a critical weakness: a single unprotected account is enough.

The attack disrupted vital NHS services, including NHS 111 and patient check-in systems, leaving some staff unable to access records.

Information Commissioner John Edwards said the fine should serve as a “stark reminder” to prioritise robust cybersecurity across all systems. Originally facing a £6m fine, the penalty was reduced due to Advanced’s cooperation with authorities and NHS response teams.

306 arrested in major INTERPOL cybercrime operation across Africa

INTERPOL has announced the arrest of 306 suspects across seven African nations as part of Operation Red Card (Nov 2024–Feb 2025), a sweeping crackdown on cyber-enabled scams and online fraud. Authorities seized 1,842 devices and uncovered schemes involving over 5,000 victims.

Nigeria led the operation with 130 arrests, including 113 foreign nationals allegedly involved in scams like online casinos and investment fraud. Some suspects were reportedly victims of human trafficking, coerced into running the schemes. Assets seized included 26 vehicles, 16 houses, 39 plots of land, and 685 devices.

In South Africa, police dismantled a SIM box fraud network, arresting 40 people and seizing over 1,000 SIM cards. Zambia reported 14 arrests tied to malware-laced messages that hijacked mobile banking apps. Rwanda arrested 45 scammers responsible for $305,000 in fraud.

The operation, coordinated by INTERPOL and funded by the UK's Foreign, Commonwealth & Development Office (FCDO), highlights growing international cooperation against cross-border cybercrime.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.