NCSA Webboard

    Cyber Threat Intelligence 19 November 2025

    Cyber Security News
    Posted by NCSA_THAICERT

      Industrial Sector

      • METZ CONNECT EWIO2
        "Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and control the device remotely or perform remote code execution."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-322-05
      • Schneider Electric EcoStruxure Machine SCADA Expert & Pro-Face BLUE Open Studio
        "Successful exploitation of this vulnerability could lead to loss of confidentiality and integrity."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-322-01
      • Shelly Pro 4PM
        "Successful exploitation of this vulnerability could result in a denial-of-service condition."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-322-02
      • Shelly Pro 3EM
        "Successful exploitation of this vulnerability could result in a denial-of-service condition."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-322-03
      • Schneider Electric PowerChute Serial Shutdown
        "Successful exploitation of these vulnerabilities could allow an attacker to access user accounts or gain elevated system access."
        https://www.cisa.gov/news-events/ics-advisories/icsa-25-322-04
      • OT Vulnerabilities Mount But Patching Still a Problem
        "Patching is still the mortal weakness of operational technology environments, warns cybersecurity firm Trellix in a report assessing incidents in critical infrastructure settings during the middle two quarters of this year. Patching a programmable logic controller has never been as straightforward as updating a Windows laptop. But a mounting pile of cataloged OT vulnerabilities is creating opportunities for attackers, who increasingly have turned to the systems controlling critical infrastructure - whether to make a political statement or wreak havoc."
        https://www.bankinfosecurity.com/ot-vulnerabilities-mount-but-patching-still-problem-a-30052
        https://www.trellix.com/assets/reports/ot-threat-report-nov-2025.pdf

      Vulnerabilities

      • Google Issues Security Fix For Actively Exploited Chrome V8 Zero-Day Vulnerability
        "Google on Monday released security updates for its Chrome browser to address two security flaws, including one that has come under active exploitation in the wild. The vulnerability in question is CVE-2025-13223 (CVSS score: 8.8), a type confusion vulnerability in the V8 JavaScript and WebAssembly engine that could be exploited to achieve arbitrary code execution or program crashes. "Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page," according to a description of the flaw in the NIST National Vulnerability Database (NVD)."
        https://thehackernews.com/2025/11/google-issues-security-fix-for-actively.html
        https://www.bleepingcomputer.com/news/security/google-fixes-new-chrome-zero-day-flaw-exploited-in-attacks/
        https://www.securityweek.com/chrome-142-update-patches-exploited-zero-day/
        https://securityaffairs.com/184764/hacking/google-fixed-the-seventh-chrome-zero-day-in-2025.html
        https://www.malwarebytes.com/blog/news/2025/11/chrome-zero-day-under-active-attack-visiting-the-wrong-site-could-hijack-your-browser
        https://www.helpnetsecurity.com/2025/11/18/chrome-cve-2025-13223-exploited/
        https://www.theregister.com/2025/11/18/google_chrome_seventh_0_day/
      • Fortinet Warns Of New FortiWeb Zero-Day Exploited In Attacks
        "Today, Fortinet released security updates to patch a new FortiWeb zero-day vulnerability that threat actors are actively exploiting in attacks. Tracked as CVE-2025-58034, this web application firewall security flaw was reported by Jason McFadyen of Trend Micro's Trend Research team. Authenticated threat actors can gain code execution by successfully exploiting this OS command injection vulnerability in low-complexity attacks that don't require user interaction."
        https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-fortiweb-zero-day-exploited-in-attacks/
        https://fortiguard.fortinet.com/psirt/FG-IR-25-513
      • Cloud Break: IoT Devices Open To Silent Takeover Via Firewalls
        "Researchers have demonstrated how to breach Internet of Things (IoT) devices through firewalls, without the need for any kind of software vulnerability. Typically, hackers breach IoT devices by obtaining their IP addresses and exploiting firmware vulnerabilities. This works well against organizations that, due to ignorance, disregard, delay, or genuine inability, can't apply patches in time to protect themselves. Businesses that don't expose their devices to the Web and patch diligently can rest easy knowing that hackers don't have a way in."
        https://www.darkreading.com/cybersecurity-operations/cloud-iot-devices-takeover-firewalls

      Malware

      • Sinobi: The Bougie-Exclusive Ransomware Group That Wants To Be a Ninja
        "The Sinobi ransomware brand emerged in mid-2025 and has quickly distinguished itself through calculated intrusions, disciplined operational security and a professional structure that reveals highly skilled and well-connected operators. Sinobi is a hybrid ransomware-as-a-service (RaaS) organization. Core members work with well-screened affiliates to maintain centralized control and distributed operational capability. The group’s techniques improve as the group matures. Sinobi operations are notable for quiet intrusions, modular tooling, selective targeting, and a strong emphasis on both stealth and leverage. The group is also known for its extensive, sophisticated use of living-off-the-land (LotL) and living-off-the-land binaries (LOLBins)."
        https://blog.barracuda.com/2025/11/17/sinobi--the-bougie-exclusive-ransomware-group-that-wants-to-be-a
      • ShadowRay 2.0: Attackers Turn AI Against Itself In Global Campaign That Hijacks AI Into Self-Propagating Botnet
        "In early November 2025, the Oligo Security research team identified an attack campaign exploiting the ShadowRay vulnerability (CVE-2023-48022) in Ray, a widely used open-source AI framework. This is the same flaw Oligo previously observed being exploited in late 2023 (see the new MITRE ShadowRay campaign, C0045). For the recent campaign, attackers leveraged DevOps-style infrastructure by using GitLab as a platform for updating and delivering region-aware malware. Oligo reported this activity to GitLab, and the attacker repository and account were removed on November 5, 2025. However, Oligo has determined that the attackers have migrated to GitHub in order to continue their campaign as of November 10, 2025, creating multiple accounts and new repos. It remains active."
        https://www.oligo.security/blog/shadowray-2-0-attackers-turn-ai-against-itself-in-global-campaign-that-hijacks-ai-into-self-propagating-botnet
        https://www.bleepingcomputer.com/news/security/new-shadowray-attacks-convert-ray-clusters-into-crypto-miners/
        https://cyberscoop.com/ray-ai-cryptojacking-vulnerability-exposed-clusters-attack-oligo-security/
        https://www.theregister.com/2025/11/18/selfreplicating_botnet_ray_clusters/
      • License To Encrypt: “The Gentlemen” Make Their Move
        "Cybereason Threat Intelligence Team recently conducted an analysis of "The Gentlemen" ransomware group, which emerged around July 2025 as a ransomware threat actor group with relatively advanced methodologies. The Gentlemen group employs a dual-extortion strategy, not only encrypting sensitive files but also exfiltrating critical business data and threatening to publish it on dark web leak sites unless a ransom is paid. The group has demonstrated a unique approach by combining established ransomware techniques with newer strategies, making them quick to adapt to new attack vectors and allowing them to remain a persistent and evolving threat to organizations worldwide."
        https://www.cybereason.com/blog/the-gentlemen-ransomware
      • Frontline Intelligence: Analysis Of UNC1549 TTPs, Custom Tools, And Malware Targeting The Aerospace And Defense Ecosystem
        "Last year, Mandiant published a blog post highlighting suspected Iran-nexus espionage activity targeting the aerospace, aviation, and defense industries in the Middle East. In this follow-up post, Mandiant discusses additional tactics, techniques, and procedures (TTPs) observed in incidents Mandiant has responded to. Since mid-2024, Mandiant has responded to targeted campaigns by the threat group UNC1549 against the aerospace, aviation and defense industries. To gain initial access into these environments, UNC1549 employed a dual approach: deploying well-crafted phishing campaigns designed to steal credentials or deliver malware and exploiting trusted connections with third-party suppliers and partners."
        https://cloud.google.com/blog/topics/threat-intelligence/analysis-of-unc1549-ttps-targeting-aerospace-defense
        https://thehackernews.com/2025/11/iranian-hackers-use-deeproot-and.html
        https://www.darkreading.com/cybersecurity-operations/iran-nexus-threat-actor-unc1549-takes-aim-aerospace
        https://www.bankinfosecurity.com/google-finds-new-malware-backdoors-linked-to-iran-a-30063
      • Analyzing The Latest Sneaky2FA Browser-In-The-Browser Phishing Page
        "PhaaS kits make up the vast majority of phishing sites intercepted by Push and dominate the phishing landscape, with kits like Tycoon, NakedPages, Flowerstorm, Salty2FA, and various Evilginx variations proving very popular among attackers targeting Push customers. PhaaS kits are incredibly important to cybercrime because they make sophisticated and continuously evolving capabilities available to the criminal marketplace, lowering the barrier to entry for criminals running advanced phishing campaigns. This is not unique to phishing: Ransomware-as-a-Service, Credential Stuffing-as-a-Service, and many more for-hire tools and services exist for criminals to use for a fee."
        https://pushsecurity.com/blog/analyzing-the-latest-sneaky2fa-phishing-page
        https://thehackernews.com/2025/11/sneaky-2fa-phishing-kit-adds-bitb-pop.html
      • Morphisec Thwarts Sophisticated Tuoni C2 Attack On U.S. Real Estate Firm
        "In October 2025, Morphisec’s anti-ransomware prevention platform stopped a highly advanced cyberattack targeting a major U.S. real estate company. The campaign leveraged the emerging Tuoni C2 framework, a relatively new, command-and-control (C2) tool (with a free license) that delivers stealthy, in-memory payloads. Notably, while Tuoni itself is a sophisticated but traditional C2 framework, the delivery mechanism showed signs of AI assistance in code generation, evident from the scripted comments and modular structure of the initial loader."
        https://www.morphisec.com/blog/morphisec-thwarts-sophisticated-tuoni-c2-attack-on-us-real-estate-firm/
        https://thehackernews.com/2025/11/researchers-detail-tuoni-c2s-role-in.html
        https://www.infosecurity-magazine.com/news/ai-tuoni-framework-targets-us-real/
      • Pro-Russian Group Claims Hits On Danish Party Websites As Voters Head To Polls
        "Cyberattacks claimed by pro-Russian hackers briefly knocked offline Danish political party and government websites on the eve of local elections, officials said, adding that the incidents did not disrupt voting. Several party websites — including those of the Conservatives, the Red-Green Alliance, the Moderates and the ruling Social Democrats — were hit by distributed denial-of-service (DDoS) attacks on Monday, temporarily preventing access. DDoS attacks flood targeted servers with traffic to disrupt normal operations."
        https://therecord.media/denmark-election-political-government-websites-ddos-incidents
      • MI5 Warns Of Chinese Spies Using LinkedIn To Gain Intel On Lawmakers
        "The U.K.’s domestic security and intelligence agency warned members of the Houses of Parliament on Tuesday that Chinese spies were actively attempting to target them through LinkedIn. The alert from MI5 was circulated among politicians by the speakers of both the House of Commons and House of Lords. “This activity involves a covert and calculated attempt by a foreign power to interfere in our sovereign affairs in favour of its own interests, and this government will not tolerate it,” said Security Minister Dan Jarvis before the House of Commons on Tuesday."
        https://therecord.media/mi5-warns-chinese-spies-using-linkedin-lawmakers
      • Breaking Down S3 Ransomware: Variants, Attack Paths And Trend Vision One™ Defenses
        "Ransomware has long been a persistent threat, traditionally targeting on-premises environments through tactics such as network intrusions, phishing emails, malicious attachments, and exploitation of outdated or vulnerable software. However, as organizations shift to the cloud, ransomware tactics are adapting: In cloud environments, attackers are increasingly exploiting customer misconfigured storage resources and stolen credentials. Unlike traditional ransomware that relies heavily on encryption malware, cloud-focused variants often leverage native cloud features to delete or overwrite data, suspend access, or extract sensitive content – all while staying under the radar of traditional security tools."
        https://www.trendmicro.com/en_us/research/25/k/s3-ransomware.html
      • Anatomy Of An Akira Ransomware Attack: When a Fake CAPTCHA Led To 42 Days Of Compromise
        "Unit 42 recently assisted a global data storage and infrastructure company that experienced a destructive ransomware attack. This attack was orchestrated by Howling Scorpius, the distributors of Akira ransomware. What began with a single click on what appeared to be a routine website CAPTCHA evolved into a 42-day (yes, we see the irony, too!) compromise that exposed critical gaps. This incident underscores the fact that having security tools deployed is not the same as having security coverage with full visibility into your environment."
        https://unit42.paloaltonetworks.com/fake-captcha-to-compromise/
      • DigitStealer: a JXA-Based Infostealer That Leaves Little Footprint
        "During analysis of executable samples collected through our in-house detection rules, Jamf Threat Labs identified a family of malicious stealers that we are tracking under the name "DigitStealer." Security experts continue to track an expanding ecosystem of these threats, and over time it became evident that most stealers share the same core objectives and follow a fairly linear path to achieve them. Occasionally, however, we see fresh techniques or creative implementations that stand out. Similar to our writeup on the Odyssey infostealer, this blog post will put focus on many of the unique traits of this newly discovered stealer."
        https://www.jamf.com/blog/jtl-digitstealer-macos-infostealer-analysis/

      Breaches/Hacks/Leaks

      • Half a Million Stolen FTSE 100 Credentials Found On Criminal Sites
        "Security experts have warned the UK’s largest companies that they’re at risk of being breached, after finding hundreds of thousands of corporate credentials on cybercrime sites. Socura teamed up with Flare to monitor “cybercrime communities” across the clear and dark web for FTSE 100 company domains. Its resulting report, FTSE 100 for Sale, revealed 460,000 compromised credentials belonging to employees at these firms. Some firms had as many as 45,000 leaked credentials, while 15 companies had more than 10,000 each. Although this is a problem across multiple sectors, financial services (70,000+) was particularly affected."
        https://www.infosecurity-magazine.com/news/half-million-stolen-ftse-100/
      • French Agency Pajemploi Reports Data Breach Affecting 1.2M People
        "Pajemploi, the French social security service for parents and home-based childcare providers, has suffered a data breach that may have exposed personal information of 1.2 million individuals. The incident impacts registered professional caregivers working for private employers, typically parents using the Pajemploi service, which is part of URSSAF - the French organization that collects social security contributions from employers and individuals. "The Pajemploi service has been the victim of a theft of personal data belonging to employees of private employers using the Pajemploi service," reads the announcement from the agency."
        https://www.bleepingcomputer.com/news/security/french-agency-pajemploi-reports-data-breach-affecting-12m-people/
      • LG Battery Subsidiary Says Ransomware Attack Targeted Overseas Facility
        "One of the world’s largest battery makers confirmed it was affected by ransomware following claims made by a cybercriminal gang that the FBI spotlighted last week. A spokesperson for South Korea-based LG Energy Solution said the company recently identified an attack and is currently implementing security measures to address the situation."
        https://therecord.media/lg-energy-solution-ransomware-incident-battery-maker

      General News

      • What Security Pros Should Know About Insurance Coverage For AI Chatbot Wiretapping Claims
        "AI-powered chatbots raise profound concerns under federal and state wiretapping and eavesdropping statutes that are being tested by recent litigation, creating greater exposure for the companies and developers that use this technology. Security professionals who integrate AI chatbots into their business face uncertainty about whether insurance will cover privacy-related claims arising from these technologies. In this Help Net Security interview, Stephanie Gee, Insurance Recovery Counsel at Reed Smith, discusses the development of these privacy claims as they pertain to AI bots and common coverage issues and solutions for security professionals as they seek to protect against these risks."
        https://www.helpnetsecurity.com/2025/11/18/stephanie-gee-reed-smith-ai-chatbot-legal-risks/
      • How Attackers Use Patience To Push Past AI Guardrails
        "Most CISOs already assume that prompt injection is a known risk. What may come as a surprise is how quickly those risks grow once an attacker is allowed to stay in the conversation. A new study from Cisco AI Defense shows how open weight models lose their footing over longer exchanges, a pattern that raises questions about how these models should be evaluated and secured."
        https://www.helpnetsecurity.com/2025/11/18/open-weight-ai-model-security/
      • The Privacy Panic Around Machine Learning Is Overblown
        "We often hear warnings about how machine learning (ML) models may expose sensitive information tied to their training data. The concern is understandable. If a model was trained on personal records, it may seem reasonable to assume that releasing it could reveal something about the people behind those records. A study by Josep Domingo-Ferrer examines this assumption and finds that the situation is less threatening than current discussions suggest."
        https://www.helpnetsecurity.com/2025/11/18/machine-learning-privacy-risk-training-data/
      • The Realities Of CISO Burnout And Exhaustion
        "CISOs are facing unprecedented challenges to their mental health due to today’s rapidly evolving threat landscape. They are often held accountable if a breach or disruption occurs, and the average tenure for a CISO tends to decrease significantly after such incidents. This constant pressure makes it difficult for them to find peace, let alone get a good night’s sleep. Meanwhile, threats are increasing in speed and complexity, but budgets and board interest are starting to decline: a bad combination."
        https://cyberscoop.com/ciso-burnout-mental-health-cybersecurity-exhaustion-op-ed/
      • GenAI And Deepfakes Drive Digital Forgeries And Biometric Fraud
        "AI technology is being adopted by fraudsters in ever growing numbers to commit new account fraud (NAF) and circumvent even biometric-based checks, according to a new report from Entrust. The security vendor analyzed data from over one billion identity verifications in 30+ sectors and 195 countries, between September 2024 and September 2025, to compile its 2026 Identity Fraud Report. It revealed that, while physical counterfeits accounted for almost half (47%) of document fraud attempts, digital forgeries now comprise over a third (35%). The latter has been driven by “the accessibility and scalability of modern editing tools” and generative AI (GenAI), which enables the creation of “hyper-realistic replicas” of identity documents, it said."
        https://www.infosecurity-magazine.com/news/genai-deepfakes-digital-forgeries/
      • Can a Global, Decentralized System Save CVE Data?
        "The current challenges with tracking vulnerabilities, enriching reported data in a timely manner, and maintaining the collection of information call for a revamping of the Common Vulnerabilities and Enumeration (CVE) system, according to security data analyst Jerry Gamblin. As a result, the National Vulnerability Database (NVD) — the de facto repository of data maintained by MITRE and the National Institute of Standards and Technology (NIST) — continues to lag in analyzing vulnerabilities. In the past five years, more than 155,000 identifiers have been assigned as part of the Common Vulnerabilities and Enumeration (CVE) process, but only a quarter (26%) have been analyzed and enriched with additional data, according to Gamblin's analysis, which he will present at the Black Hat Europe conference in December."
        https://www.darkreading.com/cybersecurity-operations/can-global-decentralized-system-save-cve-data
      • Bug Bounty Programs Rise As Key Strategic Security Solutions
        "Bug bounty programs have emerged as a cornerstone of modern cybersecurity strategy, fundamentally transforming how organizations approach vulnerability management and security testing. These programs offer a compelling alternative to traditional security assessments by harnessing the collective expertise of global researcher communities while increasingly becoming a key strategic security solution."
        https://www.darkreading.com/cybersecurity-operations/bug-bounty-programs-rise-as-key-strategic-security-solutions
      • Russian Suspect Detained In Thailand Is Allegedly Tied To Void Blizzard Group
        "A suspected Russian hacker arrested in Thailand earlier this month is reportedly linked to a relatively new Kremlin-aligned threat actor that has targeted government and critical infrastructure networks across Europe and North America, according to media reports. Thai police last week confirmed the detention of a “world-famous hacker” wanted by the United States for cyberattacks on government agencies. Russian state-controlled outlet RT later identified the suspect as 35-year-old Denis Obrezko, a Stavropol native who previously worked for major Russian IT firms “developing high-tech systems for domestic industries.”"
        https://therecord.media/russian-arrested-thailand-allegedly-void-blizzard-apt-member

      Reference
      Electronic Transactions Development Agency (ETDA)
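A quick way to triage a fleet against the Chrome item above (CVE-2025-13223), as an added example that is not code from Google or from any of the linked articles. It assumes the NVD wording quoted in that item, "prior to 142.0.7444.175", is the threshold, and that version strings come from `chrome --version`-style banners; the host inventory below is constructed, and the build numbers on the "ok" hosts are made up for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# Threshold taken from the NVD description quoted in the Chrome item above.
FIXED_VERSION = "142.0.7444.175"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so that 142.0.7444.9 sorts below
    142.0.7444.175 (a plain string comparison gets this backwards)."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def version_from_banner(banner: str) -> Optional[str]:
    """Pull the four-part build number out of output such as
    'Google Chrome 142.0.7444.175'; returns None if there is none."""
    match = re.search(r"\b(\d+\.\d+\.\d+\.\d+)\b", banner)
    return match.group(1) if match else None


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the first fixed build."""
    return parse_version(version) < parse_version(fixed)


def triage_inventory(banners: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> 'patch' / 'ok' / 'unknown' from a dict of host -> banner.
    'unknown' means no version could be read, which needs a manual look
    rather than being silently treated as safe."""
    result: Dict[str, str] = {}
    for host, banner in banners.items():
        version = version_from_banner(banner)
        if version is None:
            result[host] = "unknown"
        else:
            result[host] = "patch" if is_vulnerable(version) else "ok"
    return result


# Constructed inventory: hypothetical hosts and banners, not real data.
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 142.0.7444.175",
    "ws-02": "Google Chrome 142.0.7444.9",
    "ws-03": "Google Chrome 141.0.7390.122",
    "ws-04": "Google Chrome 143.0.7499.40",
    "ws-05": "command not found",
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The numeric comparison is the point of the helper: as strings, "142.0.7444.9" sorts after "142.0.7444.175" and would be reported as patched. The threshold only applies to Google Chrome itself; other Chromium-based browsers pick up V8 fixes under their own version numbers, so check their vendor advisories separately.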
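A detection sketch for the cloud ransomware pattern in the S3 item above (native deletes, lifecycle rules and access changes instead of encryption malware), as an added example that is not Trend Micro's code or a Trend Vision One rule. It reads CloudTrail-style S3 events and flags two things that item calls out: bulk object deletion by one principal in a short window, and bucket-configuration calls that can expire objects or lock the owner out. The log lines are constructed with only the fields the detector reads; the principal ARNs, bucket name, threshold and window are assumptions to tune against your own baseline.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Iterator, List

# S3 calls that destroy data or the object versions that would let you recover it.
DESTRUCTIVE = {"DeleteObject", "DeleteObjects", "DeleteObjectVersion", "DeleteBucket"}
# Calls that never touch objects directly but can expire them (lifecycle rules),
# stop versioning, or cut the owner off (policy / ACL / public-access changes).
RETENTION_OR_ACCESS = {
    "PutBucketLifecycle", "PutBucketLifecycleConfiguration", "DeleteBucketLifecycle",
    "PutBucketVersioning", "PutBucketPolicy", "DeleteBucketPolicy",
    "PutBucketAcl", "PutPublicAccessBlock", "DeletePublicAccessBlock",
}


def make_event(name: str, principal: str, bucket: str, when: datetime) -> str:
    """One CloudTrail-style record as a JSON line (constructed; only the
    fields the detector reads are present)."""
    return json.dumps({
        "eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "userIdentity": {"arn": principal},
        "requestParameters": {"bucketName": bucket},
    })


T0 = datetime(2025, 11, 18, 3, 0, tzinfo=timezone.utc)
APP_ROLE = "arn:aws:iam::111111111111:role/app"           # hypothetical principal
LEAKED_USER = "arn:aws:iam::111111111111:user/ci-deploy"  # hypothetical principal

# Constructed sample log: six routine deletes spread over an hour, then a leaked
# key deleting 80 object versions in under three minutes and adding a lifecycle
# rule to expire whatever is left.
SAMPLE_LOG: List[str] = (
    [make_event("DeleteObject", APP_ROLE, "corp-data", T0 + timedelta(minutes=10 * i)) for i in range(6)]
    + [make_event("DeleteObjectVersion", LEAKED_USER, "corp-data", T0 + timedelta(seconds=2 * i)) for i in range(80)]
    + [make_event("PutBucketLifecycleConfiguration", LEAKED_USER, "corp-data", T0 + timedelta(minutes=3))]
)


def parse(lines: Iterable[str]) -> Iterator[Dict]:
    """Keep S3 events only and flatten the fields the rules need."""
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        yield {
            "time": datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "name": ev["eventName"],
            "principal": (ev.get("userIdentity") or {}).get("arn", "unknown"),
            "bucket": (ev.get("requestParameters") or {}).get("bucketName", "unknown"),
        }


def detect(lines: Iterable[str], window: timedelta = timedelta(minutes=5),
           delete_threshold: int = 50) -> List[Dict]:
    """Return alerts: one 'bulk_delete' each time a (principal, bucket) pair
    crosses delete_threshold deletes inside `window`, and one
    'retention_or_access_change' per bucket-configuration call."""
    alerts: List[Dict] = []
    recent: Dict[tuple, deque] = defaultdict(deque)  # (principal, bucket) -> delete times
    for ev in sorted(parse(lines), key=lambda e: e["time"]):
        key = (ev["principal"], ev["bucket"])
        if ev["name"] in RETENTION_OR_ACCESS:
            alerts.append({"rule": "retention_or_access_change", "principal": ev["principal"],
                           "bucket": ev["bucket"], "api": ev["name"], "time": ev["time"]})
        elif ev["name"] in DESTRUCTIVE:
            q = recent[key]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:   # drop deletes older than the window
                q.popleft()
            if len(q) == delete_threshold:            # fire on crossing, not on every delete
                alerts.append({"rule": "bulk_delete", "principal": ev["principal"],
                               "bucket": ev["bucket"], "count": len(q),
                               "window_start": q[0], "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two caveats for running this against real logs: object-level calls such as DeleteObject and DeleteObjectVersion are CloudTrail data events, which are not recorded unless S3 data events are enabled on the trail, whereas bucket-configuration calls such as PutBucketLifecycleConfiguration are management events and are logged by default; and the detection is only the alerting half, since what actually blunts this pattern is versioning with Object Lock so that a deleted or overwritten object is still recoverable.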
