The Qilin ransomware group targeted Asahi on September 29th, exfiltrating over 9,300 files (27GB) of sensitive data, including financial documents, employee IDs, contracts, and internal reports. The attack disrupted operations at six breweries, halting production of thirty beer labels and potentially causing hundreds of millions in losses. The breach involved both data theft and operational outages, severely impacting the supply chain and revenue streams. Ransomware was explicitly deployed, compounding the financial and reputational damage. Check Point’s Threat Emulation flags this as Ransomware.Wins.Qilin, confirming the attack’s sophisticated and destructive nature.
Source: https://research.checkpoint.com/2025/13th-october-threat-intelligence-report/
TPRM report: https://www.rankiteo.com/company/asahibeverages
"id": "asa3732437101325",
"linkid": "asahibeverages",
"type": "Ransomware",
"date": "10/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [[{'customers_affected': None,
'industry': 'Beverages (Brewing)',
'location': 'Japan',
'name': 'Asahi Group Holdings, Ltd.',
'size': 'Large (Japan’s largest brewing company)',
'type': 'Public Company'}],
[{'customers_affected': '110,000 residents (service '
'disruption)',
'industry': 'Public Administration',
'location': 'Texas, USA',
'name': 'City of Sugar Land',
'size': 'Medium (~110,000 residents affected)',
'type': 'Municipal Government'}],
[{'customers_affected': None,
'industry': 'Legal Services',
'location': 'USA',
'name': 'Williams & Connolly LLP',
'size': 'Large (high-profile firm)',
'type': 'Law Firm'}],
[{'customers_affected': None,
'industry': 'Various (targeting AWS environments)',
'location': 'Global',
'name': 'Multiple AWS Customers (Undisclosed)',
'size': None,
'type': 'Private/Public Organizations'}],
[{'customers_affected': 'Unknown',
'industry': 'Electronic Components Distribution',
'location': 'Global (EMEA database breached)',
'name': 'Avnet, Inc.',
'size': 'Large',
'type': 'Public Company'}],
[{'customers_affected': '<30',
'industry': 'Gambling/Sports Betting',
'location': 'USA',
'name': 'DraftKings Inc.',
'size': 'Large',
'type': 'Public Company'}],
[{'customers_affected': None,
'industry': 'Various (IoT, surveillance, web hosting)',
'location': 'Global',
'name': 'Owners of 30+ Device Types (DVRs, NVRs, '
'CCTV, Web Servers)',
'size': None,
'type': 'Organizations/Individuals'}],
[{'customers_affected': None,
'industry': 'Various (targeting internet-exposed EBS '
'apps)',
'location': 'Global',
'name': 'Organizations Using Oracle E-Business Suite',
'size': None,
'type': 'Enterprises'}],
[{'customers_affected': None,
'industry': 'Various (database users)',
'location': 'Global',
'name': 'Organizations Using Redis Servers (~60,000 '
'without authentication)',
'size': None,
'type': 'Enterprises'}],
[{'customers_affected': None,
'industry': 'Various',
'location': 'Global',
'name': 'Targets of XWorm RAT',
'size': None,
'type': 'Organizations/Individuals'}]],
'attack_vector': ['Email Account Compromise',
'Exposed AWS Credentials / Privilege Escalation',
'Credential Stuffing',
'Exploiting 56 Vulnerabilities (RCE, Command Injection)',
'Unauthenticated RCE via BI Publisher Integration',
'Authenticated Use-After-Free RCE in Lua Engine'],
'customer_advisories': ['Service interruption notices issued; no action '
'required beyond patience.',
'Limited to affected attorneys’ contacts; no broad '
'customer impact.',
'Fewer than 30 customers notified; advised to monitor '
'accounts and reset passwords.'],
'data_breach': [{'data_exfiltration': 'Yes',
'file_types_exposed': 'Documents, databases',
'number_of_records_exposed': '9,300+ files (27GB)',
'personally_identifiable_information': 'Employee IDs',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Financial documents, employee '
'IDs, contracts, internal '
'reports'},
{'data_exfiltration': 'No evidence'},
{'data_exfiltration': 'Likely',
'file_types_exposed': 'Emails, attachments',
'sensitivity_of_data': 'High (attorney communications)',
'type_of_data_compromised': 'Email account contents'},
{'data_exfiltration': 'Yes',
'sensitivity_of_data': 'High (cloud assets targeted)',
'type_of_data_compromised': 'AWS-hosted data (scope '
'undisclosed)'},
{'data_exfiltration': 'Yes',
'file_types_exposed': 'Database records',
'sensitivity_of_data': 'High (but mostly unreadable without '
'proprietary tools)',
'type_of_data_compromised': 'Internal sales data (1.3TB '
'compressed)'},
{'data_exfiltration': 'Yes',
'number_of_records_exposed': '<30 customers',
'personally_identifiable_information': 'Yes (PII)',
'sensitivity_of_data': 'Moderate',
'type_of_data_compromised': 'Names, phone numbers, email '
'addresses, last four digits of '
'payment cards'},
{'data_exfiltration': 'Likely (botnet C2)'},
{'data_exfiltration': 'Yes (extortion)',
'sensitivity_of_data': 'High (enterprise data)',
'type_of_data_compromised': 'Data from Oracle E-Business '
'Suite applications'},
{'data_exfiltration': 'Yes (botnet/ransomware)',
'sensitivity_of_data': 'High (authentication data)',
'type_of_data_compromised': 'Credentials, host data (via '
'RCE)'},
{'data_encryption': 'Yes (ransomware module)',
'data_exfiltration': 'Yes',
'personally_identifiable_information': 'Yes (comprehensive)',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Browser data, emails, messaging '
'app data, FTP credentials, '
'crypto wallet data'}],
'date_detected': ['2025-09-29'],
'date_publicly_disclosed': ['2025-10-13',
'2025-10-13',
'2025-10-13',
'2025-10-13',
'2025-10-13',
'2025-10-13',
'2025-10-13',
'2025-10-13',
'2025-10-13',
'2025-10-13'],
'description': ['Qilin ransomware group claimed responsibility for targeting '
'Asahi, Japan’s largest brewing company, hacked on September '
'29th. The attack resulted in the exfiltration of over 9,300 '
'files (27GB) of sensitive data, including financial '
'documents, employee IDs, contracts, and internal reports. '
'The attack disrupted operations at six breweries, impacting '
'production of thirty labels and potentially causing hundreds '
'of millions in losses.',
'Sugar Land city in Texas suffered a cyber-attack causing '
'outages to online municipal services (bill pay, permit '
'payments, utility billing systems), affecting digital access '
'for nearly 110,000 residents. No evidence of data theft was '
'disclosed, and critical infrastructure/emergency services '
'remained unaffected.',
'American law firm Williams & Connolly confirmed unauthorized '
'access to email accounts of a small number of attorneys. No '
'evidence of confidential client data theft from central '
'databases was reported. The attack was attributed to '
'suspected China-affiliated threat actors.',
'Crimson Collective, after claiming the Red Hat intrusion, is '
'now targeting AWS environments for data theft and extortion. '
'The group harvests exposed AWS credentials, creates new IAM '
'users with AdministratorAccess, resets RDS passwords, '
'snapshots EBS volumes, and delivers extortion notes via SES. '
"They partnered with 'Scattered Lapsus$ Hunters' and reused "
'IPs across incidents.',
'Avnet suffered a data breach involving unauthorized access '
'to an externally hosted EMEA internal-sales database. A '
'threat actor claimed to steal 1.3TB of compressed data and '
'demanded ransom, though most data is reportedly unreadable '
'without proprietary tools. The number of affected '
'individuals remains unknown.',
'DraftKings experienced a credential stuffing attack exposing '
'personal information (names, phone numbers, emails, last '
'four digits of payment cards) of fewer than 30 customers. No '
'sensitive data was accessed.',
'The RondoDox botnet campaign is exploiting 56 '
'vulnerabilities (including CVE-2023-1389, CVE-2024-3721, '
'CVE-2024-12856) across 30+ device types (DVRs, NVRs, CCTV, '
"web servers). Active since June, it uses an 'exploit "
"shotgun' approach to maximize infections and seize control "
'of devices/networks.',
'Oracle E-Business Suite zero-day CVE-2025-61882 enables '
'unauthenticated RCE via the BI Publisher Integration '
'component. The flaw is actively exploited by Cl0p and others '
'for extortion, targeting internet-exposed EBS applications.',
'Redis patched CVE-2025-49844, a critical use-after-free RCE '
'in the Lua engine affecting all versions. Authenticated '
'exploits enable sandbox escape and full host compromise. At '
'least 60,000 of ~330,000 internet-exposed Redis servers lack '
'authentication, and the flaw is being abused by botnets and '
'ransomware.',
'XWorm RAT resurfaced with 35 plugins and an upgraded '
'ransomware module for file encryption, wallpaper changes, '
'and ransom notes. New versions support plugins for stealing '
'data from browsers, emails, messaging apps, FTP, crypto '
'wallets, and more.'],
'impact': [{'brand_reputation_impact': 'High (major brewing company)',
'data_compromised': '9,300+ files (27GB: financial documents, '
'employee IDs, contracts, internal reports)',
'financial_loss': 'Potentially hundreds of millions',
'identity_theft_risk': 'Moderate (employee IDs exposed)',
'operational_impact': 'Significant disruption to production',
'systems_affected': 'Six breweries, production of thirty labels '
'disrupted'},
{'brand_reputation_impact': 'Moderate (municipal services)',
'customer_complaints': 'Likely (service interruptions)',
'data_compromised': 'None disclosed',
'downtime': 'Service outages for ~110,000 residents',
'operational_impact': 'Disruption to digital services',
'systems_affected': 'Online municipal services (bill pay, permit '
'payments, utility billing)'},
{'brand_reputation_impact': 'Moderate (high-profile law firm)',
'data_compromised': 'Limited to email accounts of a small number '
'of attorneys',
'legal_liabilities': 'Potential (client confidentiality concerns)',
'operational_impact': 'Limited (no central databases compromised)',
'systems_affected': 'Email accounts'},
{'brand_reputation_impact': 'High (targeted extortion)',
'data_compromised': 'Data theft from AWS environments (scope '
'undisclosed)',
'operational_impact': 'Extortion pressure, potential data loss',
'systems_affected': 'AWS environments (IAM, RDS, EBS, EC2, SES)'},
{'brand_reputation_impact': 'Moderate (supply chain risk)',
'data_compromised': '1.3TB of compressed data (mostly unreadable '
'without proprietary tools)',
'systems_affected': 'Externally hosted EMEA internal-sales '
'database'},
{'brand_reputation_impact': 'Low (limited scope)',
'customer_complaints': 'Possible',
'data_compromised': 'Personal information (names, phone numbers, '
'emails, last four digits of payment cards) '
'of fewer than 30 customers',
'identity_theft_risk': 'Low (partial payment card data)',
'payment_information_risk': 'Low (last four digits only)',
'systems_affected': 'Customer accounts'},
{'operational_impact': 'Device/network control by botnet',
'systems_affected': '30+ device types (DVRs, NVRs, CCTV, web '
'servers)'},
{'brand_reputation_impact': 'High (zero-day exploitation)',
'data_compromised': 'Data theft from internet-exposed EBS apps '
'(scope undisclosed)',
'operational_impact': 'Extortion risk',
'systems_affected': 'Oracle E-Business Suite applications'},
{'brand_reputation_impact': 'High (critical vulnerability)',
'data_compromised': 'Potential credential theft, lateral '
'movement, malware deployment',
'identity_theft_risk': 'High (credential theft)',
'operational_impact': 'Full host compromise (reverse shells, '
'credential theft)',
'systems_affected': 'Redis servers (~60,000 internet-exposed '
'without authentication)'},
{'brand_reputation_impact': 'High (RAT resurgence)',
'data_compromised': 'Browser, email, messaging app, FTP, crypto '
'wallet data (via plugins)',
'identity_theft_risk': 'High (comprehensive data theft)',
'operational_impact': 'Data theft, ransomware encryption',
'payment_information_risk': 'High (crypto wallet targeting)',
'systems_affected': 'Infected hosts'}],
'initial_access_broker': [{'entry_point': 'Email account compromise',
'high_value_targets': 'Attorney email accounts'},
{'backdoors_established': 'New IAM users with '
'AdministratorAccess',
'entry_point': 'Exposed AWS credentials',
'high_value_targets': 'Cloud assets (RDS, EBS, '
'EC2)'},
{'backdoors_established': 'Botnet recruitment',
'entry_point': 'Exploiting unpatched '
'vulnerabilities (56 CVEs)',
'high_value_targets': 'DVRs, NVRs, CCTV, web '
'servers',
'reconnaissance_period': 'Active since June 2025'},
{'entry_point': 'Internet-exposed BI Publisher '
'component',
'high_value_targets': 'Oracle EBS applications'},
{'backdoors_established': 'Sandbox escape, reverse '
'shells',
'entry_point': 'Unauthenticated Redis servers',
'high_value_targets': 'Redis hosts'}],
'investigation_status': ['Ongoing (cross-case correlation via reused IPs)'],
'lessons_learned': ['Exposed AWS credentials and excessive IAM privileges '
'enable cloud environment compromise. Cross-case IP reuse '
'aids threat correlation.',
'Credential stuffing remains effective for account '
'takeovers; MFA could mitigate risk.',
'Legacy and unpatched IoT devices are prime targets for '
'botnet recruitment. Network segmentation and EOL device '
'replacement are critical.',
'Internet-exposed enterprise applications (e.g., Oracle '
'EBS) are high-value targets for zero-day exploitation. '
'Restrict access and patch promptly.',
'Unauthenticated services (e.g., Redis) are low-hanging '
'fruit for RCE exploits. Enforce authentication and least '
'privilege.',
'RATs with modular plugins (e.g., XWorm) pose broad '
'risks. Endpoint protection and behavioral analysis are '
'essential for detection.'],
'motivation': ['Financial Gain (Ransom)',
'Data Theft and Extortion',
'Financial Gain (Ransom)',
'Device/Network Control for Botnet Expansion',
'Extortion',
'Botnet Expansion / Ransomware Deployment',
'Data Theft / Extortion'],
'post_incident_analysis': [{'root_causes': ['Likely phishing or unpatched '
'vulnerability leading to initial '
'access.',
'Inadequate segmentation allowing '
'lateral movement across '
'breweries.']},
{'root_causes': ['Unknown (potential unpatched '
'vulnerability or '
'misconfiguration in municipal '
'systems).']},
{'root_causes': ['Successful phishing or '
'credential theft targeting '
'attorneys.',
'Lack of MFA on email accounts.']},
{'corrective_actions': ['AWS issued guidance on '
'credential rotation and '
'IAM best practices.'],
'root_causes': ['Exposed AWS credentials (poor '
'secret management).',
'Over-permissive IAM policies '
'(AdministratorAccess assigned to '
'new users).',
'Lack of monitoring for unusual '
'IAM activity.']},
{'root_causes': ['Insecure externally hosted '
'database (EMEA internal-sales).',
'Lack of encryption for sensitive '
'data at rest.']},
{'corrective_actions': ['DraftKings enforced '
'password resets for '
'affected accounts.'],
'root_causes': ['Reused credentials (credential '
'stuffing).',
'Lack of MFA on customer '
'accounts.']},
{'corrective_actions': ['Check Point recommended '
'patching and segmenting '
'vulnerable devices.'],
'root_causes': ['Unpatched legacy devices with '
'known vulnerabilities.',
'Lack of network segmentation for '
'IoT devices.']},
{'corrective_actions': ['Oracle released patch; '
'users advised to restrict '
'component exposure.'],
'root_causes': ['Internet-exposed Oracle EBS with '
'unpatched zero-day '
'(CVE-2025-61882).',
'Over-permissive access to BI '
'Publisher component.']},
{'corrective_actions': ['Redis patched '
'CVE-2025-49844; users '
'advised to enable '
'authentication.'],
'root_causes': ['Unauthenticated Redis servers '
'(~60,000 exposed).',
'Lack of sandboxing for Lua '
'engine.']},
{'corrective_actions': ['Check Point updated '
'protections for XWorm RAT '
'variants.'],
'root_causes': ['Effective social engineering or '
'exploit delivery for initial '
'infection.',
'Lack of endpoint protection to '
'detect RAT plugins.']}],
'ransomware': [{'data_exfiltration': 'Yes (27GB)',
'ransomware_strain': 'Qilin'},
{'data_exfiltration': 'Yes',
'ransom_demanded': 'Yes (extortion)'},
{'data_exfiltration': 'Yes (1.3TB)', 'ransom_demanded': 'Yes'},
{'data_encryption': 'Yes',
'data_exfiltration': 'Yes',
'ransomware_strain': 'XWorm'}],
'recommendations': [['Implement robust ransomware protection (e.g., Check '
'Point Threat Emulation).',
'Segment critical networks to limit lateral movement.',
'Regularly back up data and test restoration processes.'],
['Enhance municipal cybersecurity posture with DDoS '
'protection and web application firewalls.',
'Implement redundant systems for critical services to '
'minimize downtime.'],
['Strengthen email security with MFA and anomaly '
'detection.',
'Monitor for signs of state-sponsored threat activity, '
'especially in high-value sectors.'],
['Enforce least-privilege IAM policies and rotate AWS '
'credentials regularly.',
'Monitor for unusual IAM activity (e.g., new users with '
'AdministratorAccess).',
'Use AWS GuardDuty or third-party tools to detect '
'compromised credentials.'],
['Encrypt sensitive databases and restrict access to '
'proprietary tools.',
'Conduct third-party risk assessments for externally '
'hosted databases.'],
['Enforce MFA and password complexity requirements to '
'thwart credential stuffing.',
'Monitor for unusual login patterns and implement '
'automated account lockdowns.'],
['Patch or retire end-of-life devices vulnerable to known '
'exploits.',
'Segment IoT devices from critical networks and monitor '
'for botnet activity.'],
['Apply Oracle patches immediately, especially for '
'internet-facing applications.',
'Restrict access to BI Publisher and other high-risk '
'components.'],
['Enable Redis authentication and restrict internet '
'exposure.',
'Monitor for unauthorized Lua script execution and '
'sandbox escapes.'],
['Deploy advanced endpoint protection to detect and block '
'RATs.',
'Monitor for unusual plugin activity (e.g., '
'browser/crypto wallet data theft).',
'Educate users on recognizing ransomware wallpaper '
'changes and extortion notes.']],
'references': [[{'date_accessed': '2025-10-13',
'source': 'Check Point Threat Intelligence Bulletin (October '
'2025)',
'url': None}],
[{'date_accessed': '2025-10-13',
'source': 'Check Point Threat Intelligence Bulletin (October '
'2025)',
'url': None}],
[{'date_accessed': '2025-10-13',
'source': 'Check Point Threat Intelligence Bulletin (October '
'2025)',
'url': None}],
[{'date_accessed': '2025-10-13',
'source': 'Check Point Threat Intelligence Bulletin (October '
'2025)',
'url': None}],
[{'date_accessed': '2025-10-13',
'source': 'Check Point Threat Intelligence Bulletin (October '
'2025)',
'url': None}],
[{'date_accessed': '2025-10-13',
'source': 'Check Point Threat Intelligence Bulletin (October '
'2025)',
'url': None}],
[{'date_accessed': '2025-10-13',
'source': 'Check Point Threat Intelligence Bulletin (October '
'2025)',
'url': None}],
[{'date_accessed': '2025-10-13',
'source': 'Check Point Threat Intelligence Bulletin (October '
'2025)',
'url': None}],
[{'date_accessed': '2025-10-13',
'source': 'Check Point Threat Intelligence Bulletin (October '
'2025)',
'url': None}],
[{'date_accessed': '2025-10-13',
'source': 'Check Point Threat Intelligence Bulletin (October '
'2025)',
'url': None}]],
'regulatory_compliance': [{'regulations_violated': 'Potential attorney-client '
'privilege violations'},
{'regulations_violated': 'Potential GDPR (EMEA '
'database)'},
{'regulations_violated': 'Potential state data '
'breach laws (USA)',
'regulatory_notifications': 'Likely (customer '
'notifications)'}],
'response': [{'recovery_measures': 'Restoring online municipal services'},
{'containment_measures': 'Securing email accounts',
'enhanced_monitoring': 'Likely (given high-profile nature)'},
{'enhanced_monitoring': 'Recommended',
'remediation_measures': 'AWS customers advised to rotate '
'credentials, review IAM policies, and '
'audit cloud assets'},
{'communication_strategy': 'Customer notifications',
'containment_measures': 'Account lockdowns, password resets for '
'affected customers'},
{'containment_measures': 'Check Point IPS protection '
'(CVE-2023-1389, CVE-2024-3721, '
'CVE-2024-12856)',
'enhanced_monitoring': 'Recommended',
'network_segmentation': 'Recommended',
'remediation_measures': 'Patch vulnerable devices, segment '
'networks'},
{'containment_measures': 'Check Point IPS protection '
'(CVE-2025-61882)',
'enhanced_monitoring': 'Recommended',
'remediation_measures': 'Apply Oracle patch, restrict BI '
'Publisher access'},
{'containment_measures': 'Check Point IPS protection '
'(CVE-2025-49844)',
'enhanced_monitoring': 'Recommended',
'network_segmentation': 'Recommended',
'remediation_measures': 'Patch Redis servers, enable '
'authentication, restrict exposure'},
{'containment_measures': 'Check Point Threat Emulation/Harmony '
'Endpoint protection (XWorm RAT)',
'enhanced_monitoring': 'Recommended',
'network_segmentation': 'Recommended',
'remediation_measures': 'Remove RAT, restore encrypted files, '
'rotate credentials'}],
'stakeholder_advisories': ['Residents advised of service outages and '
'workarounds for municipal payments.',
'Clients notified of email compromise (no central '
'database breach).',
'AWS customers advised to audit IAM policies and '
'rotate credentials.',
'Affected customers notified of data exposure and '
'recommended actions (e.g., password resets).',
'Device manufacturers and owners urged to patch '
'vulnerable systems.',
'Oracle EBS users advised to apply patches and '
'restrict component exposure.',
'Redis users advised to enable authentication and '
'patch immediately.'],
'threat_actor': ['Qilin Ransomware Group',
'Suspected China-Affiliated Threat Actors',
"Crimson Collective (in partnership with 'Scattered Lapsus$ "
"Hunters')",
'Cl0p (and other threat actors)'],
'title': ['Qilin Ransomware Attack on Asahi Brewing Company',
'Cyber Attack on Sugar Land City, Texas',
'Cyber Attack on Williams & Connolly Law Firm',
'Crimson Collective Targeting AWS Environments for Data Theft and '
'Extortion',
'Data Breach at Electronic Components Maker Avnet',
'Credential Stuffing Attack on DraftKings Customer Accounts',
'RondoDox Botnet Campaign Exploiting 56 Vulnerabilities',
'Oracle E-Business Suite Zero-Day (CVE-2025-61882) Exploited by '
'Cl0p',
'Redis Critical RCE Vulnerability (CVE-2025-49844) Actively '
'Exploited',
'Resurgence of XWorm RAT with Enhanced Ransomware Module'],
'type': ['Ransomware',
'Cyber Attack (Service Disruption)',
'Cyber Attack (Unauthorized Access)',
'Data Theft and Extortion',
'Data Breach',
'Credential Stuffing Attack',
'Botnet Campaign (Exploiting Vulnerabilities)',
'Zero-Day Exploitation (RCE)',
'Critical RCE Vulnerability Exploitation',
'RAT (Remote Access Trojan) Resurgence'],
'vulnerability_exploited': [['CVE-2023-1389 (TP-Link Archer AX21 Command '
'Injection)',
'CVE-2024-3721 (TBK DVR Devices Command '
'Injection)',
'CVE-2024-12856 (Four-Faith F3x Series Command '
'Injection)',
'30+ other CVEs'],
'CVE-2025-61882 (Oracle E-Business Suite RCE)',
'CVE-2025-49844 (Redis Use-After-Free RCE)']}