Weekly Security News – 21st July 2025


Co-op confirm members data stolen, updates for Broadcom and Oracle, companies being targeted on Microsoft Teams...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

Broadcom Releases Security Updates for VMware ESXi, Workstation, Fusion, and Tools

Broadcom has released a critical advisory that addresses four security vulnerabilities across multiple VMware platforms, including Cloud Foundation, vSphere Foundation, ESXi, Workstation Pro, Fusion, Tools, and Telco Cloud. Three of the vulnerabilities could allow an attacker with local administrative privileges inside a guest to execute code on the host machine; the fourth could lead to information disclosure.

  • CVE-2025-41236: VMware ESXi, Workstation, and Fusion contain an integer-overflow vulnerability in the VMXNET3 virtual network adapter. A malicious actor with local administrative privileges on a virtual machine with a VMXNET3 virtual network adapter may exploit this issue to execute code on the host. Non-VMXNET3 virtual adapters are not affected by this issue.
  • CVE-2025-41237: VMware ESXi, Workstation, and Fusion contain an integer-underflow vulnerability in VMCI (Virtual Machine Communication Interface) that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox, whereas on Workstation and Fusion this may lead to code execution on the machine where Workstation or Fusion is installed.
  • CVE-2025-41238: VMware ESXi, Workstation, and Fusion contain a heap-overflow vulnerability in the PVSCSI (Paravirtualized SCSI) controller that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox and is exploitable only with configurations that are unsupported. On Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.
  • CVE-2025-41239: VMware ESXi, Workstation, Fusion, and VMware Tools contain an information disclosure vulnerability due to the use of uninitialised memory in vSockets. A malicious actor with local administrative privileges on a virtual machine may be able to exploit this issue to leak memory from processes communicating over vSockets.

Affected organisations are encouraged to review Broadcom’s VMware advisory VMSA-2025-0013 and apply the relevant updates.

Oracle Critical Patch Update, July 2025 Security Update Review

Oracle released its second quarterly edition of this year’s Critical Patch Update. The update contains patches for 309 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities across various product families, including third-party components bundled in Oracle products.

In this quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 84, constituting about 27% of the total patches released. Oracle MySQL and Oracle Fusion Middleware followed, with 40 and 36 security patches respectively. 228 of the 309 security patches provided by the July Critical Patch Update (about 74%) are for non-Oracle CVEs, such as open-source components that are included in, and exploitable in the context of, Oracle product distributions. This batch of security patches includes 15 updates for Oracle Database products. The following is the product-wise distribution:

  • Six new security updates for Oracle Database Server with a maximum reported CVSS Base Score of 8.8.
    • One of these updates applies to client-only deployments of the Oracle Database.
  • One new security update for Oracle Application Express with a maximum reported CVSS Base Score of 9.0.
  • One new security update for Oracle Blockchain Platform with a maximum reported CVSS Base Score of 6.5.
  • Five new security updates for Oracle GoldenGate with a maximum reported CVSS Base Score of 7.5.
  • One new security update for Oracle NoSQL Database with a maximum reported CVSS Base Score of 3.7.
  • One new security update for Oracle REST Data Services with a maximum reported CVSS Base Score of 6.1.

In these security updates, Oracle has covered the following product families: Oracle Database Server, Oracle Application Express, Oracle Blockchain Platform, Oracle GoldenGate, Oracle NoSQL Database, Oracle REST Data Services, Oracle Commerce, Oracle Communications Applications, Oracle Communications, Oracle Construction and Engineering, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle Financial Services Applications, Oracle Fusion Middleware, Oracle Analytics, Oracle HealthCare Applications, Oracle Hospitality Applications, Oracle Hyperion, Oracle Insurance Applications, Oracle Java SE, Oracle JD Edwards, Oracle MySQL, Oracle PeopleSoft, Oracle Retail Applications, Oracle Siebel CRM, Oracle Supply Chain, Oracle Utilities Applications, and Oracle Virtualization.

Cyber Attacks

Louis Vuitton Data Breach Hits Customers in Several Countries

Customers of the French luxury retailer Louis Vuitton are being notified of a data breach that appears to impact people in several countries. Data breach notifications have been published on Louis Vuitton websites or sent privately to customers in the United Kingdom, South Korea, and Turkey. Other countries may be impacted as well. The cyberattack resulted in the theft of information such as names, contact information, and other data shared by customers. Passwords, payment card information and other financial details have not been obtained by the hackers, Louis Vuitton said. The incidents reported in each country appear to be connected, based on the type of information that was compromised and the date the breach was detected, July 2. Press releases issued in Korea and Turkey indicate that the hackers gained initial access nearly one month before the intrusion was detected. In Turkey, the company reported that the breach impacted nearly 143,000 residents. The same statement reveals that the incident involved a compromised account related to a third-party service provider. It’s unclear whether the company was targeted in a ransomware attack. Louis Vuitton provided the following statement to SecurityWeek:

Louis Vuitton recently discovered an unauthorised party accessed some of the data we hold for our clients. We immediately began taking steps to investigate and contain this incident, supported by leading cybersecurity experts. While our investigation is ongoing, we can confirm that no payment information was contained in the database accessed. We are working to notify the relevant regulators and affected clients in line with applicable law. At Louis Vuitton, we truly value the trust our clients place in us and the confidential nature of our relationship. We sincerely regret any concern or inconvenience this situation may cause. We continuously work to update our security measures to protect against the evolving threat landscape, and we have taken steps to further strengthen the protection of our systems.

However, sources have said that the LVMH breaches are linked to an attack by the ShinyHunters extortion group, which gained access and stole data from a third-party vendor’s database. This same attack is also believed to be tied to a data breach at Adidas disclosed in May that also impacted customers from South Korea and Turkey.

Hackers Leverage Microsoft Teams to Spread Matanbuchus 3.0 Malware to Targeted Firms

Cybersecurity researchers have flagged a new variant of a known malware loader called Matanbuchus that packs in significant features to enhance its stealth and evade detection.

Matanbuchus is the name given to a malware-as-a-service (MaaS) offering that can act as a conduit for next-stage payloads, including Cobalt Strike beacons and ransomware.

First advertised in February 2021 on Russian-speaking cybercrime forums for a rental price of $2,500, the malware has been put to use as part of ClickFix-like lures to trick users visiting legitimate-but-compromised sites into running it. Matanbuchus’s delivery methods have evolved over time, leveraging phishing emails pointing to booby-trapped Google Drive links, drive-by downloads from compromised sites, malicious MSI installers, and malvertising. It has been used to deploy a variety of secondary payloads including DanaBot, QakBot, and Cobalt Strike, all known precursors to ransomware deployment. The latest version of the loader, tracked as Matanbuchus 3.0, incorporates several new features, including improved communication protocol techniques, in-memory capabilities, enhanced obfuscation methods, CMD and PowerShell reverse shell support, and the ability to run next-stage DLL, EXE, and shellcode payloads, per Morphisec.

The cybersecurity company said it observed the malware in an incident earlier this month where an unnamed company was targeted via external Microsoft Teams calls that impersonated an IT help desk and tricked employees into launching Quick Assist for remote access and then executing a PowerShell script that deployed Matanbuchus. It’s worth noting that similar social engineering tactics have been employed by threat actors associated with the Black Basta ransomware operation. “Victims are carefully targeted and persuaded to execute a script that triggers the download of an archive,” Morphisec CTO Michael Gorelik said. “This archive contains a renamed Notepad++ updater (GUP), a slightly modified configuration XML file, and a malicious side-loaded DLL representing the Matanbuchus loader.”

In Other News...

Critical Golden dMSA Attack in Windows Server 2025 Enables Cross-Domain Attacks and Persistent Access

Cybersecurity researchers have disclosed what they say is a “critical design flaw” in delegated Managed Service Accounts (dMSAs) introduced in Windows Server 2025. “The flaw can result in high-impact attacks, enabling cross-domain lateral movement and persistent access to all managed service accounts and their resources across Active Directory indefinitely,” Semperis said in a report.

Put differently, successful exploitation could allow adversaries to sidestep authentication guardrails and generate passwords for all Delegated Managed Service Accounts (dMSAs) and group Managed Service Accounts (gMSAs) and their associated service accounts.

The persistence and privilege escalation method has been codenamed Golden dMSA, with the cybersecurity company deeming it low complexity since the vulnerability simplifies brute-force password generation. However, for bad actors to exploit it, they must already be in possession of a Key Distribution Service (KDS) root key, which is typically only available to privileged accounts such as root Domain Admins, Enterprise Admins, and SYSTEM.

Described as the crown jewel of Microsoft’s gMSA infrastructure, the KDS root key serves as a master key, allowing an attacker to derive the current password for any dMSA or gMSA account without having to connect to the domain controller (DC). “The attack leverages a critical design flaw: A structure that’s used for the password-generation computation contains predictable time-based components with only 1,024 possible combinations, making brute-force password generation computationally trivial,” security researcher Adi Malyanker said.

Delegated Managed Service Accounts are a new feature introduced by Microsoft that facilitates migration from existing legacy service accounts. They were introduced in Windows Server 2025 to counter Kerberoasting attacks. These machine accounts bind authentication directly to explicitly authorised machines in Active Directory (AD), thus eliminating the possibility of credential theft. By tying authentication to device identity, only the specified machine identities mapped in AD can access the account.

Co-op confirms data of 6.5 million members stolen in cyberattack

UK retailer Co-op has confirmed that personal data of 6.5 million members was stolen in the massive cyberattack in April that shut down systems and caused food shortages in its grocery stores.

Co-op (short for the Co-operative Group) is one of the United Kingdom’s largest consumer co-operatives, operating food stores, funeral services, insurance, and legal services. It is owned by millions of members who receive discounts on services and share in the company’s governance. Co-op’s CEO, Shirine Khoury-Haq, apologised today on the BBC Breakfast show, confirming that the attackers successfully stole the data of all its 6.5 million members. “Their data was copied, and the criminals did have access to it like they do when they hack other organisations. That is the awful part of this unfortunately,” said Khoury-Haq. While no financial or transaction information was exposed in the attack, the contact information of its members was stolen. The CEO said the breach felt like a personal attack, not on her, but rather on the Co-op’s members and employees who were impacted. “And it’s not about me. It was my colleagues. It was personal to me because it hurt them. It hurt my members. They took their data, and it hurt our customers and that I do take personally,” she explained in the interview.

The cyberattack occurred in April, forcing Co-op to shut down several IT systems to prevent the threat actors from spreading further to devices and ultimately deploying the DragonForce ransomware encryptor. Initially downplayed as an attempted intrusion into its network, the company later confirmed that a “significant” amount of data was accessed and stolen during the attack. Sources said at the time that the breach initially occurred on April 22, after the threat actors conducted a social engineering attack that allowed them to reset an employee’s password. Once they gained access to the network, they spread to other devices and ultimately stole the Windows domain’s NTDS.dit file. This file is the database for Active Directory Domain Services and contains the password hashes for Windows accounts.