Wednesday War Room – 10/15/2025

This week, the cybersecurity landscape has been rocked by a series of high-profile breaches and zero-day exploits, reminding us that no organization is an island.


From critical infrastructure providers to major consumer brands and even the hallowed halls of academia, the past 72 hours have delivered a masterclass in the pervasive and interconnected nature of cyber risk.

The message is clear: the threats are real, they are relentless, and they are coming for everyone.

F5 Breach: A Nation-State Attack on Critical Infrastructure

Risk Level: Critical

Business Impact: Theft of source code, exposure of undisclosed vulnerabilities, potential for widespread supply chain attacks

What You Need to Know: On October 15th, F5 disclosed that a “highly sophisticated nation-state threat actor” had breached its systems and stolen source code for its BIG-IP products, as well as information about undisclosed vulnerabilities. The company revealed that the attackers had maintained long-term, persistent access to its network. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive in response to the breach.

Why This Matters:

  • This is a nightmare scenario for a critical infrastructure provider like F5, whose products are used by thousands of organizations worldwide.

  • The theft of source code and vulnerability information gives adversaries a powerful arsenal to develop new exploits and launch widespread attacks.

  • The involvement of a nation-state actor indicates a high level of sophistication and a long-term strategic objective.

Executive Actions:

📦 Immediately apply the latest updates for all F5 products in your environment.

🔐 Review all configurations and access controls for your F5 devices.

🧱 Monitor for any suspicious activity related to your F5 infrastructure.

📊 Prepare for potential supply chain attacks leveraging compromised F5 products.

T-Mobile Breach: 37 Million Customers Exposed

Risk Level: Critical

Business Impact: Massive consumer data exposure, regulatory fines, reputational damage

What You Need to Know: T-Mobile disclosed on October 14th that it had suffered a data breach exposing the personal data of 37 million customers. The company has not yet identified the threat actor responsible for the attack.

Why This Matters: 

  • This is another massive data breach for T-Mobile, which has a long and troubled history of security incidents.

  • The exposure of a vast amount of consumer data creates a significant risk of identity theft, phishing, and other forms of fraud.

  • The company’s repeated security failures will likely lead to intense scrutiny from regulators and a significant loss of customer trust.

Executive Actions: 

📦 If you are a T-Mobile customer, take immediate steps to protect your account, including changing your password and enabling multi-factor authentication.

🔐 Be on the lookout for phishing emails and other scams that may try to leverage the stolen data.

🧱 Consider using a credit monitoring service to protect yourself from identity theft.

📊 If your organization uses T-Mobile for business, review your account security and monitor for any suspicious activity.

Harvard Breached in Oracle Zero-Day Attack

Risk Level: High

Business Impact: Exposure of sensitive university data, reputational damage

What You Need to Know: Harvard University confirmed on October 15th that it was a victim of the recent attacks exploiting a zero-day vulnerability (CVE-2025-61882) in Oracle’s E-Business Suite. The Clop ransomware group has claimed responsibility for the attack and has added Harvard to its dark web leak site.

Why This Matters: 

  • This incident demonstrates that even the most prestigious institutions are not immune to sophisticated cyberattacks.

  • The use of a zero-day vulnerability highlights the importance of a proactive and intelligence-driven approach to security.

  • The involvement of the Clop ransomware group indicates that the attackers are financially motivated and will likely demand a significant ransom.

Executive Actions: 

📦 If your organization uses Oracle E-Business Suite, ensure that you have applied the emergency patch for CVE-2025-61882.

🔐 Review your organization’s exposure to other potential zero-day vulnerabilities.

🧱 Implement enhanced monitoring for suspicious activity on all critical enterprise applications.

📊 Review your incident response plan to ensure that you are prepared to respond to a zero-day attack.

Leadership Insight:

The past 72 hours have been a brutal but necessary wake-up call. The cyber threat landscape is more dangerous and dynamic than ever before.

We are in a constant state of conflict, and the adversary is sophisticated, relentless, and well-resourced. A reactive, compliance-based approach to security is no longer sufficient.

We must adopt a proactive, intelligence-driven, and risk-based approach to cybersecurity if we are to have any hope of defending our organizations and our way of life.


Ransomware Attack on Municipal Bond Market

Risk Level: High

Business Impact: Disruption to critical financial infrastructure, potential for market instability

What You Need to Know: A ransomware attack has disrupted the $4.3 trillion municipal bond market. The attack has taken down MuniOS, the main distribution platform for debt documents, preventing state and local borrowers from posting new offerings. The platform is operated by ImageMaster LLC.

Why This Matters:

  • This attack highlights the vulnerability of critical financial infrastructure to ransomware.

  • The disruption to the municipal bond market could have a significant impact on state and local governments that rely on this market to finance their operations.

  • The incident is a stark reminder of the systemic risk that ransomware poses to the broader economy.

Executive Actions: 

📦 If your organization is involved in the municipal bond market, assess the impact of this disruption on your operations.

🔐 Review the security of all critical financial infrastructure that your organization relies on.

🧱 Implement enhanced monitoring for suspicious activity on all systems that interact with financial markets.

📊 Develop a contingency plan to address potential disruptions to critical financial infrastructure.

University HR Systems Targeted in “Payroll Pirate” Attacks

Risk Level: High 

Business Impact: Financial fraud, employee data exposure, reputational damage

What You Need to Know: Microsoft has warned of a new campaign by the Storm-2657 threat group, dubbed “payroll pirate,” that targets U.S. universities. The attackers are compromising HR platforms like Workday to redirect employee salaries to their own accounts. The campaign has already targeted 25 universities with nearly 6,000 phishing emails.

Why This Matters: 

  • This is a novel and concerning attack vector that combines social engineering, business email compromise, and payroll fraud.

  • The attackers are exploiting the lack of multi-factor authentication (MFA) and weak authentication practices to gain access to sensitive HR systems.

  • The education sector is a prime target for these types of attacks due to its often-limited security resources and large user base.

Executive Actions:

📦 Enforce MFA across all accounts, especially for access to sensitive HR and payroll systems.

🔐 Educate employees about the risks of phishing and social engineering attacks.

🧱 Implement enhanced monitoring for suspicious activity on all HR and payroll systems.

📊 Review your organization’s payroll processes to identify and mitigate potential vulnerabilities.

SonicWall Breach: A Security Vendor’s Worst Nightmare

Risk Level: High 

Business Impact: Exposure of firewall configuration data, potential for widespread customer compromise

What You Need to Know: SonicWall has announced that its recent data breach is far more serious than initially believed. The company now says that an unauthorized party accessed firewall configuration backup files for all customers who have used its cloud backup service. This is a significant escalation from the company’s earlier assessment that only 5% of its firewall install base was affected.

Why This Matters: 

  • This is a devastating breach for a security vendor, as it undermines the trust that customers place in its products.

  • The exposure of firewall configuration data gives attackers a roadmap to compromise the networks of thousands of organizations.

  • The incident highlights the risks associated with cloud-based backup services, even for security products.

Executive Actions:

📦 If you are a SonicWall customer, immediately follow the company’s guidance to assess and remediate affected systems.

🔐 Review the security of all cloud-based services used in your organization, especially those that store sensitive configuration data.

🧱 Implement enhanced monitoring for suspicious activity on your firewall and other security infrastructure.

📊 Re-evaluate your organization’s reliance on any single security vendor.

⚙️ Immediate Leadership Checklist ⚙️

🔄 Strengthen Your Human Defenses: Enforce MFA across all accounts, educate employees about the risks of phishing and social engineering, and implement enhanced monitoring for suspicious user activity.

📦 Verify Your Patching Cadence: Confirm that your organization has a robust and rapid patching process for critical vulnerabilities, especially for internet-facing systems.

🧠 Enhance Your Financial Infrastructure Security: Review the security of all critical financial infrastructure that your organization relies on and develop a contingency plan to address potential disruptions.

📊 Assess Your Zero-Day Response Plan: Review your incident response plan to ensure that you are prepared to respond to a zero-day attack.

📜 Review Your Supply Chain Risk: Immediately initiate a review of your organization’s supply chain risk management program, with a focus on critical software and infrastructure providers.

💡 Stay vigilant, patch promptly, and remember that in cybersecurity, paranoia isn't a disorder – it's a job requirement. 💡

J.W.

(P.S. Check out our partners! It goes a long way to support this newsletter!)
