Executive Summary
In October 2025, Red Hat suffered a significant data breach after threat actor group Crimson Collective compromised its internal GitLab repositories, exfiltrating nearly 570GB of data including around 800 Customer Engagement Reports (CERs). These reports contained sensitive details about customers’ networks and infrastructure. Following unsuccessful ransom negotiations, Crimson Collective partnered with Scattered Lapsus$ Hunters and ShinyHunters to escalate extortion attempts, publicly posting data samples and demanding payment before a hard deadline. High-profile organizations such as Walmart, HSBC, Bank of Canada, and the US Department of Defense were among affected clients named in the leak.
The collaboration between multiple threat actors and the rise of Extortion-as-a-Service operations like ShinyHunters mark a new era of corporate extortion risk, with increasing pressure on organizations to proactively secure code repositories and sensitive customer communications against rapidly evolving, multi-actor cyber threats.
Why This Matters Now
This breach exposes the growing trend of data extortion collectives openly leveraging data leak marketplaces to pressure victims, amplifying risk, brand damage, and regulatory scrutiny. As extortion tactics evolve, protecting source code platforms and sensitive customer datasets is now urgent for all enterprises in the software and consulting sector.
Attack Path Analysis
Attackers likely gained initial access via a vulnerable or misconfigured GitLab instance used by Red Hat Consulting. They escalated privileges to reach sensitive internal repositories and engagement reports. Lateral movement extended that access across repositories and potentially to related storage or infrastructure. The adversaries established command and control to stage data and orchestrate exfiltration. They then exfiltrated large volumes of sensitive data, including customer engagement reports. Finally, the attackers turned to extortion and public data leaks, compounding the organizational and reputational impact.
Kill Chain Progression
Initial Compromise
Description
Adversaries exploited a vulnerable or misconfigured GitLab instance to gain an initial foothold in Red Hat's consulting SaaS environment.
Related CVEs
CVE-2025-61884
CVSS 7.5
An unauthenticated server-side request forgery (SSRF) vulnerability in the Oracle Configurator runtime component allows remote attackers to access sensitive resources.
Affected Products: Oracle E-Business Suite – 12.2.3 to 12.2.14
Exploit Status: exploited in the wild
CVE-2025-61882
CVSS 9.8
A zero-day vulnerability in the BI Publisher Integration component of Oracle Concurrent Processing allows unauthenticated remote code execution.
Affected Products: Oracle E-Business Suite – 12.2.3 to 12.2.14
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Valid Accounts: Cloud Accounts
Exploit Public-Facing Application
Data from Cloud Storage Object
Email Collection
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Endpoint Denial of Service
Data Encrypted for Impact
Data Manipulation
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – User Identification and Authentication
Control ID: 8.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework Requirements
Control ID: Art. 9(2)
CISA Zero Trust Maturity Model 2.0 – Strong Authentication, Least Privilege
Control ID: Identity Pillar, Authentication & Access
NIS2 Directive – Security of Network and Information Systems
Control ID: Art. 21(2)
ISO/IEC 27001:2022 – Data Leakage Prevention
Control ID: A.8.12
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Red Hat breach exposes GitLab repositories containing customer engagement reports, threatening software development infrastructure and requiring enhanced zero trust segmentation and encrypted traffic capabilities.
Financial Services
Stolen CERs from major financial institutions like HSBC, Bank of Canada, and American Express reveal network infrastructure details, demanding stronger egress security and threat detection.
Banking/Mortgage
Customer engagement reports containing sensitive banking infrastructure data leaked by ShinyHunters, necessitating improved multicloud visibility and east-west traffic security for regulatory compliance.
Defense/Space
Department of Defense CER exposure through the Red Hat breach creates national security implications, requiring enhanced Kubernetes security and inline IPS capabilities to protect classified systems.
Sources
- Red Hat data breach escalates as ShinyHunters joins extortion – https://www.bleepingcomputer.com/news/security/red-hat-data-breach-escalates-as-shinyhunters-joins-extortion/
- CISA confirms hackers exploited Oracle E-Business Suite SSRF flaw – https://www.bleepingcomputer.com/news/security/cisa-confirms-hackers-exploited-oracle-e-business-suite-ssrf-flaw/
- Oracle E-Business Suite CVE-2025-61882 Exploited in Extortion Attacks – https://www.vulncheck.com/blog/oracle-e-business-suite-cve-2025-61882-exploited-in-extortion-attacks
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust segmentation, workload isolation, and egress data controls would have severely limited attackers' movement after initial compromise, prevented broad repository access, and detected or blocked large-scale data exfiltration attempts.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Centralized policy enforcement rapidly detects unauthorized access attempts.
Control: Zero Trust Segmentation
Mitigation: Isolated workloads and enforced least-privilege boundaries reduce blast radius.
Control: East-West Traffic Security
Mitigation: Internal network segmentation and inspection block or alert on suspicious lateral movement.
Control: Threat Detection & Anomaly Response
Mitigation: Continuous monitoring identifies unusual outbound or staged transfer activity.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound traffic filtering detects and blocks unauthorized large data transfers.
Comprehensive visibility into all cloud environments supports rapid containment and regulatory response.
Impact at a Glance
Affected Business Functions
- Consulting Services
- Customer Relationship Management
Estimated downtime: 7 days
Estimated loss: $5,000,000
Approximately 570GB of compressed data, including 800 Customer Engagement Reports (CERs) containing sensitive information about customers' network architectures, infrastructure, and platforms, was exposed. Notable affected clients include Walmart, HSBC, Bank of Canada, Atos Group, American Express, the US Department of Defense, and Société Française du Radiotéléphone.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation and microsegmentation to strictly limit lateral movement between development repositories and internal resources.
- Enforce least privilege with identity-based access controls and namespace policies to minimize exposure in the event of credential or SaaS compromise.
- Deploy egress filtering and outbound policy enforcement to detect and block unauthorized data exfiltration attempts in real time.
- Continuously monitor for anomalous access patterns, privilege escalations, and shadow IT or covert remote tooling indicative of early-stage attacks.
- Centralize multi-cloud visibility and automated policy enforcement to rapidly contain breaches, support forensics, and fulfill compliance obligations.