It's been a pretty packed week in cyber, with some serious shifts in regulatory landscapes, active exploitation of critical vulnerabilities, and continued efforts to dismantle cybercrime infrastructure.
For a full recap, check out our latest episode: https://open.spotify.com/episode/2EQ2lzZnQA3DmYsExXXLnm?si=rBXJP2d5SNOnyVfd0hhroQ
Let's dive in:
Recent Cyber Attacks and Breaches ⚠️
- PowerSchool, an ed-tech giant, suffered a mega-breach in December 2024, impacting millions of student and staff records, with Canadian privacy watchdogs blaming school boards for poor security and oversight.
- Salesforce disclosed another third-party breach involving Gainsight-published applications, likely linked to the ShinyHunters group, which accessed customer Salesforce data via compromised OAuth tokens.
- These incidents highlight the critical need for robust third-party vendor management, strong contractual security clauses, and proper oversight of remote access, especially for sensitive data.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/20/powerschool_breach_reports/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/20/salesforce_gainsight_breach/
Insider Sabotage at Waste Management 💥
- An Ohio IT contractor, Maxwell Schultz, pleaded guilty to sabotaging his former employer's systems, allegedly Waste Management, causing over $862,000 in damages by resetting 2,500 passwords.
- Schultz impersonated another contractor after his credentials were revoked, demonstrating a critical lapse in access management and the persistent threat of malicious insiders.
- This incident underscores the importance of immediate credential revocation, robust monitoring for anomalous activity, and strong insider threat programmes.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/20/it_contractor_sabotage/
Vulnerabilities and Active Exploitation 🛡️
Fortinet FortiWeb Zero-Days 🚨
- Fortinet confirmed a second zero-day (CVE-2025-58034), an OS command injection flaw, actively exploited in its FortiWeb web application firewall, just days after disclosing another critical path traversal zero-day (CVE-2025-64446) in the same product.
- These two vulnerabilities likely form an exploit chain for unauthenticated remote code execution, with CISA adding CVE-2025-58034 to its Known Exploited Vulnerabilities catalog with a 7-day patch deadline.
- Organisations using FortiWeb should immediately update to the latest software versions and monitor for signs of compromise.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/19/fortinet_confirms_second_fortiweb_0day/
Critical Oracle Identity Manager RCE 🔓
- A critical pre-authentication RCE (CVE-2025-61757, CVSS 9.8) in Oracle Fusion Middleware's Identity Manager allows unauthenticated attackers to fully compromise susceptible systems via HTTP.
- The flaw, affecting versions 12.2.1.4.0 and 14.1.2.1.0, stems from logical flaws in Java's URI interpretation within authentication filters.
- Oracle has already patched this vulnerability, so ensure your Identity Manager instances are fully updated to prevent potential system takeover.
📰 The Hacker News | https://thehackernews.com/2025/11/threatsday-bulletin-0-days-linkedin.html
glob CLI Command Injection 💻
- A security flaw (CVE-2025-64756, CVSS 7.5) in glob CLI's -c/--cmd flag can lead to operating system command injection and remote code execution if filenames with shell metacharacters are passed.
- This vulnerability could compromise developer machines or facilitate supply chain poisoning via malicious packages, affecting Glob versions 10.2.0 through 11.0.3.
- Users should update to patched versions (10.5.0, 11.1.0, or 12.0.0) and note that only CLI tool usage is affected, not the library API.
📰 The Hacker News | https://thehackernews.com/2025/11/threatsday-bulletin-0-days-linkedin.html
Shelly Pro 4PM Smart Relay Vulnerability 🏠
- A critical flaw (CVE-2025-11243, CVSS 8.3) in the Shelly Pro 4PM smart relay allows attackers to cause device reboots by sending unexpected inputs to JSON-RPC methods.
- While not enabling code execution or data theft, this can systematically cause outages, impacting automation and visibility in smart home/building contexts.
- Users are advised to update to version 1.6.0 and avoid direct internet exposure for these devices.
📰 The Hacker News | https://thehackernews.com/2025/11/threatsday-bulletin-0-days-linkedin.html
Palo Alto GlobalProtect Scanning Surge 📈
- Malicious traffic targeting Palo Alto Networks' GlobalProtect portals surged almost 40-fold in 24 hours, hitting a 90-day high, with fingerprints suggesting repeat threat actors.
- This activity often precedes new vulnerability disclosures, as seen with Fortinet appliances, putting defenders on high alert for potential future exploitation.
- Organisations should tighten access controls, monitor for login anomalies, and be prepared to implement blocklists or IPS rules for exposed GlobalProtect portals.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/20/palo_alto_traffic_flood/
New Threat Research: Malware and Techniques 🔬
Iranian Cyber-Kinetic Targeting 🎯
- Amazon's threat intelligence observed Iran-linked Imperial Kitten (Tortoiseshell) conducting cyber reconnaissance, including mapping ship AIS data and accessing CCTV, days before a real-world missile strike attempt.
- This "cyber-enabled kinetic targeting" blurs the lines between digital and physical warfare, using cyber ops to support military objectives.
- The trend highlights the need for integrated security frameworks that address both digital and physical threats, as espionage can directly lead to kinetic attacks.
📰 The Hacker News | https://thehackernews.com/2025/11/iran-linked-hackers-mapped-ship-ais.html
ShadowRay 2.0 Cryptomining Botnet 🤖
- Oligo Security warns of ShadowRay 2.0, an evolution of a cryptomining botnet exploiting an unpatched, two-year-old authentication flaw (CVE-2023-48022, CVSS 9.8) in the Ray AI framework.
- This self-replicating botnet hijacks NVIDIA GPUs for XMRig mining, leveraging exposed Ray Job Submission APIs and pivoting laterally to non-internet-facing nodes.
- Mitigation includes configuring firewalls, adding authorisation to Ray Dashboard port (8265), and using Anyscale's "Ray Open Ports Checker" tool to prevent accidental exposure, as over 230,500 Ray servers are publicly accessible.
📰 The Hacker News | https://thehackernews.com/2025/11/shadowray-20-exploits-unpatched-ray-flaw-to-build-self-spreading-gpu-cryptomining-botnet.html
NovaStealer macOS Malware 🍎
- A new macOS stealer, NovaStealer, has been detailed, capable of exfiltrating crypto wallet files, collecting telemetry, and replacing legitimate Ledger/Trezor applications with tampered copies.
- The malware uses a script orchestrator under ~/.mdrivers and a LaunchAgent to pull and run b64-encoded scripts from its C2, supporting updates and restarts.
- macOS users, especially those with crypto wallets, should be vigilant for suspicious processes and ensure applications are downloaded from official sources.
📰 The Hacker News | https://thehackernews.com/2025/11/threatsday-bulletin-0-days-linkedin.html
Sturnus Android Banking Trojan 📱
- ThreatFabric uncovered Sturnus, a new Android banking trojan that can intercept decrypted messages from apps like WhatsApp, Telegram, and Signal, and steal banking credentials via fake login screens.
- Sturnus offers attackers near-total remote control, including injecting text, observing activity, and executing transactions while hiding operations with a black overlay.
- While in development, its advanced capabilities and targeted geography (Southern/Central Europe) suggest preparation for wider, coordinated campaigns.
🗞️ The Record | https://therecord.media/new-android-malware-captures-private-messages
LLM-Generated Malware: Reality Check 🧠
- Researchers found that while LLMs like GPT-3.5-Turbo and GPT-4 can generate malicious code (e.g., Python scripts for anti-VM detection), it's currently "too unreliable and ineffective for operational deployment."
- GPT-5 showed improved code quality but also stronger safety guardrails, making it harder to bypass and subverting malicious intent.
- Despite advancements, fully autonomous, operational LLM-based attacks remain theoretical, still requiring human intervention and review.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/11/20/llmgenerated_malware_improving/
SharpParty: PoolParty in C# 💉
- Cybersecurity researchers have released SharpParty, a C# implementation of PoolParty, a collection of process injection techniques targeting Windows Thread Pools.
- This re-engineering aims to evade Endpoint Detection and Response (EDR) systems by leveraging inline MSBuild tasks in XML files.
- Defenders should be aware of these advanced injection techniques and ensure EDR solutions are configured to detect subtle anomalies in thread pool activity.
📰 The Hacker News | https://thehackernews.com/2025/11/threatsday-bulletin-0-days-linkedin.html
Malicious Browser Extensions 🚫
- Threat actors are using malicious VPN and ad-blocking extensions for Chrome and Edge browsers (e.g., "VPN Professional," "Ads Blocker") to steal sensitive data.
- These extensions, installed about 31,000 times, can intercept web traffic, collect browsing data, modify/disable security tools, and route traffic through attacker-controlled servers.
- Users should exercise extreme caution with browser extensions, only installing those from trusted developers and regularly reviewing permissions.
📰 The Hacker News | https://thehackernews.com/2025/11/threatsday-bulletin-0-days-linkedin.html
Phishing with Microsoft Entra Invites 🎣
- A new phishing campaign weaponises legitimate Microsoft Entra guest user invitations (from invites@microsoft[.]com) to bypass email filters and establish trust.
- The goal is to trick recipients into making phone calls to attackers posing as Microsoft support in "TOAD" (Telephone-Oriented Attack Delivery) attacks.
- Organisations should educate users about the risks of unsolicited invitations and verify requests through official channels, even if they appear legitimate.
📰 The Hacker News | https://thehackernews.com/2025/11/threatsday-bulletin-0-days-linkedin.html
Data Privacy and Regulatory Issues ⚖️
EU GDPR and AI Act Changes 🇪🇺
- The European Commission proposed major changes to GDPR and the AI Act, aiming to simplify GDPR and clarify "personal data" definition to allow AI training without prior consent under "legitimate interest."
- This "digital omnibus" package also amends cookie consent rules for one-click preferences, but critics argue it rolls back digital protections and panders to Big Tech.
- The changes could give authorities and companies more room to process personal data with limited oversight, potentially increasing profiling and intrusive monitoring.
📰 The Hacker News | https://thehackernews.com/2025/11/threatsday-bulletin-0-days-linkedin.html
FCC Rolls Back Telecom Cyber Regulations 🏛️
- The FCC, in a party-line vote, reversed Biden-era cybersecurity regulations that would have mandated telecoms to secure networks and submit annual risk management certifications, following the Salt Typhoon Chinese hack.
- Chairman Brendan Carr argued the rules were "unlawful nor effective" and that voluntary industry collaboration is sufficient, despite Commissioner Anna Gomez's strong dissent, warning of continued vulnerability.
- This move leaves U.S. communications infrastructure potentially less protected against state-sponsored threats, relying on "handshake agreements" over enforceable standards.
🤫 CyberScoop | https://cyberscop.com/fcc-cybersecurity-vote-china-hack-telecoms-anna-gomez/
🗞️ The Record | https://therecord.media/fcc-removes-biden-era-cybersecurity-rules-telecoms-salt-typhoon
#CyberSecurity #ThreatIntelligence #Vulnerability #ZeroDay #RCE #Malware #Ransomware #APT #NationState #DataPrivacy #GDPR #RegulatoryAffairs #Cybercrime #LawEnforcement #AI #LLM #InfoSec #IncidentResponse
