Behind every click, there is a danger waiting to be examined. A simple ad, email, or link can now hide something dangerous. Hackers are getting smarter, using new tools to sneak past filters and turn trusted systems against us.
But security teams are fighting back. They're building faster defenses, better ways to spot attacks, and stronger systems to keep people safe. It is a constant race: every move by attackers sparks a new response from defenders.
In this week's ThreatsDay Bulletin, we look at the latest moves in that race, from new malware and data leaks to AI tools, government actions, and major security updates shaping the digital world right now.
- U.K. moves to tighten cyber rules for key sectors
The U.K. government has proposed a new Cyber Security and Resilience Bill that aims to strengthen national security and protect public services like healthcare, drinking water suppliers, transport, and energy from cybercriminals and state-backed actors. Under the proposal, medium and large companies providing services like IT management, IT help desk support, and cybersecurity to private and public sector organisations such as the National Health Service (NHS) will be regulated. Organizations covered by the new law will have to report more harmful cyber incidents to both their regulator and the National Cyber Security Centre (NCSC) within 24 hours, followed by a full report within 72 hours. Penalties for serious violations under the new rules will reach daily fines of £100,000 ($131,000), or 10% of the organization's daily turnover, whichever is higher. "Because they hold trusted access across government, critical national infrastructure and business networks, they will need to meet clear security duties," the government said. "This includes reporting significant or potentially significant cyber incidents promptly to the government and their customers as well as having robust plans in place to deal with the consequences."
- Intel's data breach drama unfolds
A former Intel employee has been accused of downloading thousands of documents shortly after the company fired him in July, many of them classified as "Top Secret." The Oregonian, which reported on the lawsuit, said Jinfeng Luo downloaded 18,000 files to a storage device. After failing to reach Luo at his home in Seattle and at two other addresses associated with him, the chipmaker filed suit seeking at least $250,000 in damages.
- New OWASP list exposes evolving web threats
The Open Web Application Security Project (OWASP) has released a revised version of its Top 10 list of critical risks to web applications, adding two new categories: software supply chain failures and mishandling of exceptional conditions. The former covers compromises occurring within or across the entire ecosystem of software dependencies, build systems, and distribution infrastructure; the latter focuses on "improper error handling, logical errors, failing open, and other related scenarios stemming from unusual conditions that systems may encounter." Broken Access Control, Security Misconfiguration, Cryptographic Failures, Injection, Insecure Design, Authentication Failures, Software and Data Integrity Failures, and Logging & Alerting Failures take up the remaining eight spots.
- Sensitive data spills from top AI companies
A study of 50 leading AI companies has found that 65% had leaked verified secrets on GitHub, including API keys, tokens, and sensitive credentials. "Some of these leaks could have exposed organizational structures, training data, and even private models," Wiz researchers Shay Berkovich and Rami McCarthy said. "If you use a public Version Control System (VCS), deploy secret scanning now. This is your immediate, non-negotiable defense against easy exposure. Even companies with the smallest footprints can be exposed to secret leaks as we have just proved."
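The Wiz advice above is concrete enough to show in code. The following is an added example written for this bulletin, not Wiz's tooling or anything from their report: a minimal secret scanner that combines prefix rules for a few well-known credential formats with an entropy check on anything assigned to a secret-looking variable. The rule set, the entropy threshold and the sample settings file are all constructed for illustration; the two AWS values are the placeholder pair from AWS's own documentation and the GitHub token is a made-up string in the ghp_ format.

```python
import math
import re

# Added example, not Wiz's tooling. Rule set is an assumption: these are the
# commonly published prefixes for a few credential types; production scanners
# (gitleaks, trufflehog, GitHub secret scanning) carry hundreds of rules.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "google-api-key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "slack-token": re.compile(r"\bxox[baprs]-[0-9A-Za-z\-]{10,}"),
}

# Generic fallback: an assignment to a secret-looking name whose quoted value
# is long and high-entropy. Catches keys that have no recognisable prefix.
GENERIC = re.compile(
    r"""(?i)\w*(api[_-]?key|secret|token|passw(?:or)?d)\w*\s*[:=]\s*['"]([^'"\s]{20,})['"]"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption, tune on your own corpus


def shannon_entropy(value):
    """Bits of entropy per character: random keys score around 4.5 or more,
    dictionary words and repeated placeholders score much lower."""
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text):
    """Return (line_number, rule_name, matched_value) for every finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES.items():
            for m in rx.finditer(line):
                findings.append((lineno, name, m.group(0)))
        for m in GENERIC.finditer(line):
            value = m.group(2)
            already = any(f[2] == value for f in findings)  # prefix rule won
            if not already and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "generic-high-entropy", value))
    return findings


# Constructed sample: a settings file of the kind that ends up in a public repo.
# The AWS pair is the placeholder from AWS's documentation; the GitHub token is
# a made-up string in the ghp_ format; the last two lines must NOT be flagged.
SAMPLE_CONFIG = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GITHUB_TOKEN = "ghp_0123456789abcdef0123456789abcdef0123"
DB_PASSWORD = "hunter2"
SERVICE_PASSWORD = "changeme_changeme_changeme"
"""

if __name__ == "__main__":
    for lineno, rule, value in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: {rule}: {value[:8]}...")
```

Run something like this as a pre-commit hook or in CI over the diff rather than the whole tree, and treat the generic rule as a triage hint: it also fires on random-looking non-secrets such as hashes, so a placeholder allowlist is the first refinement to add. Scanning the working tree is not enough once a key has been pushed; the history has to be scanned and the key rotated.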
- Fake Meta invitations trick businesses worldwide
A new large-scale phishing campaign is abusing Facebook's Business Suite and facebookmail.com features to send convincing fake notifications ("Meta Business Partner Invitation" or "Account Verification Required") that appear to come directly from Meta. "This method makes their campaigns extremely convincing, bypasses many traditional security filters, and demonstrates how attackers are exploiting trust in well-known platforms," Check Point said. "While the volume of emails may suggest a spray-and-pray approach, the credibility of the sender domain makes these phishing attempts far more dangerous than ordinary spam." More than 40,000 phishing emails have been recorded so far, primarily targeting entities in the U.S., Europe, Canada, and Australia that rely heavily on Facebook for advertising. To pull off the scheme, the attackers create fake Facebook Business pages and use the Business invitation feature to send phishing emails that mimic official Facebook alerts. Because these messages are sent from the "facebookmail[.]com" domain, email security filters perceive them as legitimate: the sender is genuine, only the content is attacker-controlled. The emails contain links that, when clicked, direct users to bogus websites designed to steal credentials and other sensitive information.
- Firefox tightens shield against online tracking
Mozilla has added more fingerprinting protections to its Firefox browser to prevent websites from identifying users without their consent, even when cookies are blocked or private browsing is enabled. The safeguards, starting with Firefox 145, aim to block access to certain pieces of information used by online fingerprinters. "This ranges from strengthening the font protections to stopping websites from getting to know your hardware details like the number of cores your processor has, the number of simultaneous fingers your touchscreen supports, and the size of your dock or taskbar," Mozilla said. Specifically, the new protections include introducing random data into images generated in canvas elements, preventing locally installed fonts from being used to render text on a page, reporting the number of simultaneous touches supported by the device hardware as 0, 1, or 5, reporting Available Screen Resolution as the screen height minus 48 pixels, and reporting the number of processor cores as either 4 or 8.
- Phishing kit simplifies global Microsoft 365 theft
A new phishing kit called Quantum Route Redirect is being wielded by threat actors to steal Microsoft 365 credentials. "Quantum Route Redirect comes with a pre-configured setup and phishing domains that significantly simplifies a once technically complex campaign flow, further 'democratizing' phishing for less skilled cybercriminals," KnowBe4 Threat Labs said. The phishing campaigns impersonate legitimate services like DocuSign, or masquerade as payment notifications or missed voicemails, to trick users into clicking on URLs that consistently follow the pattern "/([\w\d-]+\.){2}[\w]{,3}/quantum.php/" and are hosted on parked or compromised domains. Nearly 1,000 such domains have been detected. The phishing kit also performs browser fingerprinting and VPN/proxy detection so that security tools are redirected to legitimate websites while real victims reach the credential-harvesting page. Campaigns leveraging the kit have claimed victims across 90 countries, with the U.S. accounting for 76% of affected users.
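The URL pattern KnowBe4 published is directly usable for hunting in proxy logs. What follows is an added example, not KnowBe4's code: it applies the published regular expression to each logged URL and adds a looser, path-only tier, because the pattern as written requires exactly two host labels before a top-level domain of at most three characters and would otherwise miss a deeper subdomain or a longer TLD. The log format and every host in the sample are constructed (IANA-reserved example domains).

```python
import re
from urllib.parse import urlsplit

# The URL shape quoted from KnowBe4 above, used as written: two dotted host
# labels, a top-level domain of at most three word characters, then /quantum.php/.
QRR_PATTERN = re.compile(r"/([\w\d-]+\.){2}[\w]{,3}/quantum.php/")


def classify_url(url):
    """Return "match" for the published shape, "path-only" when only the
    /quantum.php/ path is present (hosts with more labels or a longer TLD),
    or None when neither applies."""
    parts = urlsplit(url)
    # Prepend "/" so the pattern's leading slash has something to bind to when
    # the host is the first thing after the scheme.
    if QRR_PATTERN.search("/" + parts.netloc + parts.path):
        return "match"
    if parts.path.lower().startswith("/quantum.php/"):
        return "path-only"
    return None


def scan_proxy_log(lines):
    """Constructed log format (assumption): 'timestamp client method url status'.
    Returns (client, url, verdict) for every flagged request."""
    hits = []
    for line in lines.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        verdict = classify_url(fields[3])
        if verdict:
            hits.append((fields[1], fields[3], verdict))
    return hits


# Constructed proxy log; hosts use IANA-reserved example domains. Lines 1 and 3
# fit the published pattern exactly; lines 4 and 5 only carry the path.
SAMPLE_PROXY_LOG = """\
2025-11-10T09:12:01Z 10.20.0.15 GET https://docs-share.example.net/quantum.php/?id=a1 302
2025-11-10T09:12:05Z 10.20.0.15 GET https://login.example.com/common/oauth2/authorize 200
2025-11-10T09:13:44Z 10.20.0.31 GET https://voicemail.example.org/quantum.php/play 302
2025-11-10T09:14:10Z 10.20.0.31 GET https://cdn.static.example.org/quantum.php/ 302
2025-11-10T09:15:00Z 10.20.0.40 GET https://example.com/quantum.php/ 200
"""

if __name__ == "__main__":
    for client, url, verdict in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{verdict:9s} {client} {url}")
```

The kit's fingerprinting and VPN/proxy detection mean a sandbox that follows the link may be shown a benign site, so a 302 to a known-good destination is not proof the URL was harmless; the path itself is the stronger indicator.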
- AI platform boosts defenses with Guardio tech
AI coding platform Lovable has partnered with Guardio to embed its Safe Browsing detection engine into the platform's generative AI workflows, with the aim of scanning every site created on the platform to detect phishing, scams, impersonation, and other forms of abuse. The development comes against the backdrop of reports that found AI-powered coding assistants like Lovable to be susceptible to techniques like VibeScamming, allowing bad actors to set up lookalike credential harvesting pages and carry out scams.
- Windows boosts passkey freedom for users
Microsoft has officially launched native support for third-party passkey managers in Windows 11. The feature is available with the Windows November 2025 security update. "This new capability empowers users to choose their favorite passkey manager – whether it's Microsoft Password Manager or trusted third-party providers," Microsoft said. The company also noted that it has integrated Microsoft Password Manager from Microsoft Edge into Windows as a plugin, making it possible to use it in Microsoft Edge, other browsers, or any app that supports passkeys.
- Hackers lay siege to construction industry
Threat actors ranging from ransomware operators and organized cybercriminal networks to state-sponsored APT groups are increasingly targeting the construction industry by exploiting the sector's growing dependence on vulnerable IoT-enabled heavy machinery, Building Information Modeling (BIM) systems, and cloud-based project management platforms. "Cybercriminals increasingly target construction companies for initial access and data leaks, exploiting weak security practices, outdated legacy systems, and widespread use of cloud-based project management tools," Rapid7 said. "Attackers commonly employ phishing email messages, compromised credentials, and supply chain attacks, taking advantage of insufficient employee training and lax vendor risk management." Attackers are also shifting to purchasing initial access to construction company networks through underground forums rather than conducting resource-intensive initial compromise operations themselves. These listings offer escrow services to give buyers assurance about the validity of the purchased access. Once inside, the threat actors move swiftly through the network to exfiltrate valuable data and extort the victim with ransomware.
- Google backs down, keeps sideloading alive
Back in August, Google announced plans to verify the identity of all developers who distribute apps on Android, even those who distribute their software outside the Play Store. The move was met with backlash, raising concerns that it could be the end of sideloading on Android. While Google has claimed the intention behind the change was to tackle online scams and malware campaigns, particularly those that occur when users download APK files distributed via third-party marketplaces, F-Droid called the framing disingenuous, given that Google Play Protect already exists as a remediation mechanism. "Any perceived risks associated with direct app installation can be mitigated through user education, open-source transparency, and existing security measures without imposing exclusionary registration requirements," F-Droid said. In response to feedback from "developers and power users," Google said it is "building a new advanced flow that allows experienced users to accept the risks of installing software that isn't verified." More details are expected to be shared in the coming months.
- CISA warns of false Cisco patch security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a new alert stating that it has identified devices marked as "patched" under Emergency Directive 25-03 that had in fact been "updated to a version of the software that is still vulnerable to the threat activity" involving the exploitation of CVE-2025-20333 and CVE-2025-20362. "CISA is aware of multiple organizations that believed they had applied the required updates but had not in fact updated to the minimum software version," the agency said. "CISA recommends all organizations verify the correct updates are applied." The practical check is to compare the running software version on each device against the minimum fixed version for its release train in the Cisco advisory, rather than trusting a "patched" label in an asset inventory. Both vulnerabilities have come under active exploitation by a suspected China-linked hacking group known as UAT4356 (aka Storm-1849).
- Russia tests new SIM-based drone defense
Russia's Digital Development Ministry has disclosed that telecom operators in the country have launched a new mechanism to combat drones at the request of regulators. "If a SIM card is brought into Russia from abroad, it must be confirmed that it is used by a person and not embedded in a drone," the ministry said in a post on Telegram. "Until then, mobile internet and SMS services on this SIM card will be temporarily blocked." The mechanism has been in testing since November 10, 2025. The ministry also noted that subscribers with Russian SIM cards are subject to a 24-hour cooling-off period if the SIM has been inactive for 72 hours or upon returning from international travel. Subscribers can restore access by solving a CAPTCHA provided by the operator or by calling their service provider and verifying their identity over the phone. The development comes a month after Moscow imposed a similar 24-hour blackout on people entering Russia with foreign SIM cards, citing similar reasons.
- Citrix patches exploitable XSS bug in NetScaler
Cybersecurity company watchTowr Labs has published details about a newly patched reflected cross-site scripting (XSS) flaw (CVE-2025-12101, CVSS score: 6.1) in NetScaler ADC and NetScaler Gateway that applies when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an Authentication, Authorization, and Auditing (AAA) virtual server. The vulnerability was patched by Citrix earlier this week. Sina Kheirkhah of watchTowr said the vulnerability stems from the application's handling of the RelayState parameter, allowing an attacker to execute an arbitrary XSS payload via a specially crafted HTTPS request containing a RelayState parameter with a Base64-encoded value. "While this may not look realistic as a usable vulnerability (and we would agree given the low hanging fruit elsewhere), it's broadly still usable via CSRF – as the NetScaler's /cgi/logout endpoint accepts an HTTP POST request containing a valid SAMLResponse and a modified RelayState," Kheirkhah said.
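The write-up gives enough to hunt for attempts against the RelayState parameter without reproducing the payload. The example below is added here and is not watchTowr's or Citrix's detection logic: it pulls RelayState values out of access-log lines, Base64-decodes them and flags any that decode to markup or script, on the reasoning that a legitimate RelayState carries an opaque token or a return URL, never HTML. The log format and the /cgi/samlauth path in the sample are assumptions; only the RelayState parameter and the /cgi/logout endpoint come from the advisory, and the flagged sample value is a constructed test string.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Heuristic written for this bulletin, not a signature from watchTowr or
# Citrix: a RelayState that Base64-decodes to markup or script is not a return
# URL and deserves a look.
RELAYSTATE = re.compile(r"RelayState=([^&\s\"']+)")
MARKUP = re.compile(r"<\s*[a-z!/]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def decode_relaystate(value):
    """Return the decoded RelayState text, or None when the value is not
    valid standard Base64 (for example a plain, unencoded URL)."""
    raw = unquote(value)
    padded = raw + "=" * (-len(raw) % 4)  # tolerate stripped padding
    try:
        data = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    return data.decode("utf-8", errors="replace")


def relaystate_is_suspicious(value):
    decoded = decode_relaystate(value)
    return decoded is not None and MARKUP.search(decoded) is not None


def hunt(log_lines):
    """Return (source, decoded_relaystate) for each request whose RelayState
    decodes to something that looks like markup or script."""
    hits = []
    for line in log_lines:
        m = RELAYSTATE.search(line)
        if m and relaystate_is_suspicious(m.group(1)):
            hits.append((line.split()[0], decode_relaystate(m.group(1))))
    return hits


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed access-log lines. The /cgi/samlauth path is an assumption used
# only to give the sample a realistic shape; RelayState is the parameter the
# advisory names. Line 1 is a normal encoded return URL, line 2 is the same URL
# unencoded, line 3 decodes to a constructed markup string.
SAMPLE_LOG = [
    'src=10.0.0.7 "GET /cgi/samlauth?RelayState=%s HTTP/1.1" 302'
    % _b64("https://portal.example.com/"),
    'src=10.0.0.8 "GET /cgi/samlauth?RelayState=https://portal.example.com/ HTTP/1.1" 302',
    'src=203.0.113.9 "GET /cgi/samlauth?RelayState=%s HTTP/1.1" 200'
    % _b64('<img src=x onerror="alert(1)">'),
]

if __name__ == "__main__":
    for source, decoded in hunt(SAMPLE_LOG):
        print(f"{source}: RelayState decodes to {decoded!r}")
```

The CSRF route Kheirkhah describes arrives as a POST, whose body most access logs do not record, so pair this with the only reliable fix, which is upgrading to the patched build; the hunt is for what may already have happened, not a substitute for the patch.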
- Cloud apps emerge as top malware carriers
A new report from Netskope has found that roughly 22 out of every 10,000 users in the manufacturing sector encounter malicious content each month. "Microsoft OneDrive is now the most commonly exploited platform, with 18% of organizations reporting malware downloads from the service each month," the cybersecurity company said. GitHub came in second at 14%, followed by Google Drive (11%) and SharePoint (5.3%). To counter the risk, organizations are advised to inspect all HTTP and HTTPS downloads, including all web and cloud traffic, to prevent malware from infiltrating the enterprise network; an allow-listed SaaS domain is not a reason to skip inspection.
- Malvertising crew reroutes paychecks nationwide
A financially motivated threat actor known as Payroll Pirates (aka Storm-2657) has been observed hijacking payroll systems, credit unions, and trading platforms across the U.S. through malvertising campaigns. The malicious activity, described as persistent and adaptive, dates back to May 2023, when the threat actors set up phishing sites that impersonated payroll platforms. These sites were promoted via Google Ads, tricking employees into logging into fake HR portals so that their credentials could be stolen. Once the login details were captured, the attackers rerouted salaries to their own accounts. Subsequent iterations came equipped with capabilities to bypass two-factor authentication (2FA). Check Point, which has been tracking a recent surge in these campaigns, said it found a single Telegram bot that is used to capture the 2FA codes in real time across credit unions, payroll, health care benefits, and trading platforms, suggesting a "unified network." While one set of attacks relies on cloaking techniques to ensure that only intended victims are redirected to the phishing sites, a second cluster targets financial institutions using Microsoft Ads. "Domains are aged for months and host dozens of phishing pages with randomized URLs," Check Point said.
"A cloaking service from adspect.ai determines which page to show based on browser fingerprinting. Both clusters use the same phishing kits. Pages adapt dynamically based on operator feedback, making it easy to bypass most authentication methods."
- Infamous banking trojan resurfaces stronger
The DanaBot malware has returned with a new version, 669, nearly six months after law enforcement's Operation Endgame disrupted its activity in May. The new variant has a command-and-control (C2) infrastructure that includes Tor domains and BackConnect nodes, per Zscaler. It is also using four different wallet addresses to steal cryptocurrency: 12eTGpL8EqYowAfw7DdqmeiZ87R922wt5L (BTC), 0xb49a8bad358c0adb639f43c035b8c06777487dd7 (ETH), LedxKBWF4MiM3x9F7zmCdaxnnu8A8SUohZ (LTC), and TY4iNhGut31cMbE3M6TU5CoCXvFJ5nP59i (TRX).
- New Android RAT enters black market for $500
A new Android remote access trojan (RAT) called KomeX RAT is being advertised for sale on cybercrime forums for a monthly price of $500 or $1,200 for a lifetime license. Prospective buyers can also obtain the entire codebase for $3,000. According to claims made by the seller, the trojan is based on BTMOB, another Android remote control tool that emerged earlier this year as an evolution of SpySolr. Other advertised features include the ability to acquire all necessary permissions, bypass Google Play Protect, log keystrokes, harvest SMS messages, and more. The threat actor also claims the RAT works worldwide without any geographic restrictions. Interestingly, a Facebook page for SpySolr states that the malware is developed by EVLF, which was unmasked in 2023 as a Syrian threat actor behind CypherRAT and CraxsRAT.
- Amazon opens its AI models to ethical hackers
Amazon has become the latest company to open its large language models to external security researchers by instituting a bug bounty program to identify security issues in Nova, the company's suite of foundation AI models. "Through this program, researchers will test the Nova models across critical areas, including cybersecurity issues and Chemical, Biological, Radiological, and Nuclear (CBRN) threat detection," the tech giant said. "Qualified participants can earn monetary rewards, ranging from $200 to $25,000."
- Privacy groups slam EU's proposed GDPR rewrite
Austrian privacy non-profit None of Your Business (noyb) has condemned the European Commission's leaked plans to overhaul the bloc's landmark privacy law, the General Data Protection Regulation (GDPR), including possibly allowing AI companies to use the personal data of residents in the region for model training. "In addition, the special protection of sensitive data like health data, political opinions or sexual orientation would be significantly reduced," noyb said. "Also, remote access to personal data on PCs or smartphones without the consent of the user would be enabled." Max Schrems, founder of noyb, said the draft represents a massive downgrade of user privacy, while mainly benefiting Big Tech. The Commission is planning to introduce the amendments on November 19.
- Bitcoin Queen jailed in record $5.6B fraud case
A U.K. court has sentenced a 47-year-old Chinese woman, Zhimin Qian (aka Yadi Zhang), to 11 years and eight months in prison for laundering bitcoin linked to a $5.6 billion investment scheme. Until her arrest in April 2024, the defendant had been on the run since 2017 after carrying out a large-scale scam in China between 2014 and 2017 that defrauded more than 128,000 people. Qian, nicknamed the Bitcoin Queen, entered Europe using fake passports and settled in Britain under a false name, Yadi Zhang. She pleaded guilty back in September to offenses related to acquiring and possessing criminal property (i.e., cryptocurrency). The investigation also led to the seizure of 61,000 bitcoin, now valued at over $6 billion, making it the largest cryptocurrency seizure in history.
- New malware duo drains crypto and spies on browsers
Cybersecurity researchers have discovered two new second-stage malware families, LeakyInjector and LeakyStealer, that are designed to target cryptocurrency wallets and browser history. "LeakyInjector uses low-level APIs for injection to avoid detection and injects LeakyStealer in 'explorer.exe,'" Hybrid Analysis said. "The duo performs reconnaissance on an infected machine and targets multiple crypto wallets, including browser extensions such as crypto wallets. The malware also looks for browser history files from Google Chrome, Microsoft Edge, Brave, Opera, and Vivaldi." LeakyStealer implements a polymorphic engine that modifies bytes in memory using specific hard-coded values at runtime. It also beacons to an external server at regular intervals to execute Windows commands and to download and run additional payloads.
- Experts warn against self-policing AI safety tools
Last month, OpenAI released a set of safety tools called the Guardrails safety framework to detect and block potentially harmful model behavior, such as jailbreaks and prompt injections. This includes detectors that rely on large language models (LLMs) to determine whether an input or output poses a security risk. AI security company HiddenLayer said this approach is fundamentally flawed, as the same technique an attacker uses against the model can be turned against the Guardrails detector itself to bypass it. "If the same type of model used to generate responses is also used to judge safety, both can be compromised in the same way," it said. "This experiment highlights a critical challenge in AI security: self-regulation by LLMs cannot fully protect against adversarial manipulation. Effective safeguards require independent validation layers, red teaming, and adversarial testing to identify vulnerabilities before they can be exploited."
- Massive leak exposes Chinese cyber arsenal
A data breach at a Chinese security vendor called Knownsec has led to the leak of over 12,000 classified documents, per the Chinese security blog MXRN, "including information on Chinese state-owned cyber weapons, internal tools, and foreign target lists." The trove is also said to have included evidence of RATs that can break into Linux, Windows, macOS, iOS, and Android devices, as well as details about the company's contracts with the Chinese government. The Android code can reportedly extract information from popular Chinese messaging apps and from Telegram. Also present in the leaked data was a spreadsheet listing 80 overseas targets Knownsec has successfully attacked, plus 95GB of immigration data obtained from India, 3TB of call records stolen from South Korean telecom operator LG U-Plus, 459GB of road planning data obtained from Taiwan, passwords for Taiwanese Yahoo accounts, and data on Brazilian LinkedIn accounts. It is currently not known who is behind the leak. There are indications that the material comes from an older breach of Knownsec dating to 2023, per NetAskari.
The cyber world never slows down. Every fix, every patch, every new idea brings a new risk waiting to be found. Staying alert is no longer just a choice; it is a habit we all need to build.
The good news is that defenders are learning faster than ever. Researchers, companies, and governments are sharing more information, closing more gaps, and helping each other face threats head-on. Progress may be slow, but it is steady.
As we wrap up this week's ThreatsDay Bulletin, remember: awareness is the first line of defense. Stay curious, stay updated, and stay safe until next time.

