This week two topics stayed with me after putting this summary together. First, when did I last update my home router? Routers getting breached and the bad guys replacing my software updates with malicious ones seems like a very scalable thing for them to do, and hence a way to get to an unimportant me as well.

The second thing I wondered about was OAuth, and how this very secure way of authentication does not seem so safe anymore. I might actually go and review which apps I have authorised to access my Google Account … because stealing OAuth tokens is the new cool thing to do.

P.S. If you enjoy this summary, you can subscribe to it as a weekly newsletter straight to your inbox (every Monday). Scroll to the bottom to subscribe.

1. Cloudflare Attributes Six-Hour Global Outage to Database Permission Error

On Nov. 18, a routine database permission change caused Cloudflare's Bot Management system to generate an oversized feature configuration file, which crashed the core proxy and triggered widespread 5xx errors across its network for nearly six hours. The outage, Cloudflare's worst since 2019, disrupted CDN, security and authentication services worldwide until engineers rolled back to a known-good feature file and restored all services by 17:06 UTC.

Key Details

  • The permission change made the metadata query behind the feature file return duplicate rows, inflating the file from ~60 entries to over 200 and exceeding the proxy's hardcoded limit of 200 features.
  • Errors began at 11:28 UTC; because the file was regenerated every five minutes, the network flapped between failure and recovery until full restoration at 17:06 UTC.
  • Impacted offerings included the core CDN, Workers KV, Turnstile CAPTCHA, dashboard/API access, email security, WARP and Access.
  • Cloudflare confirmed no cyberattack was involved; the outage stemmed solely from the internal configuration change.

Next Steps

  • Audit and tighten database permission change workflows.
  • Treat internally generated configuration files as untrusted input and validate them before they reach the proxy.
  • Establish a global rollback or “kill-switch” for critical feature updates.
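To make the failure mode concrete, here is an added example (my own code, not Cloudflare's) of how a metadata query that does not filter by database returns every column twice once a second database becomes visible, and how the consumer of the resulting file can reject it and keep the last known-good version instead of crashing. The table name, the 200-feature limit and the default/r0 database names follow Cloudflare's public post-mortem; the rows are a constructed stand-in for ClickHouse's system.columns, sized so that the doubling crosses the limit.

```python
FEATURE_LIMIT = 200  # capacity preallocated for features in the proxy's Bot Management module

# Constructed: 120 feature columns, each visible under both databases after the permission change.
SYSTEM_COLUMNS = [
    {"database": db, "table": "http_requests_features", "name": f"feat_{i:03d}", "type": "Float32"}
    for db in ("default", "r0")
    for i in range(120)
]


def query_feature_names(rows, database=None):
    """Mimics: SELECT name FROM system.columns WHERE table = 'http_requests_features'.
    With database=None (the faulty query) every column appears once per visible database."""
    return [r["name"] for r in rows
            if r["table"] == "http_requests_features"
            and (database is None or r["database"] == database)]


def build_feature_file(names, limit=FEATURE_LIMIT):
    """Validate at generation time: duplicates or an oversize list are rejected here,
    not discovered by a panic inside the proxy that loads the file."""
    if len(set(names)) != len(names):
        raise ValueError("duplicate feature names in query result")
    if len(names) > limit:
        raise ValueError(f"{len(names)} features exceeds the limit of {limit}")
    return {"features": sorted(names)}


class Proxy:
    """Loads feature files but keeps serving with the last known-good one when a new file is rejected."""

    def __init__(self, initial_file):
        self.active = initial_file
        self.rejected = 0

    def reload(self, names):
        try:
            self.active = build_feature_file(names)
            return True
        except ValueError:
            self.rejected += 1  # nothing invalid ever becomes the active configuration
            return False


if __name__ == "__main__":
    good = query_feature_names(SYSTEM_COLUMNS, database="default")
    bad = query_feature_names(SYSTEM_COLUMNS)
    proxy = Proxy(build_feature_file(good))
    print(len(good), len(bad), proxy.reload(bad), proxy.rejected, len(proxy.active["features"]))
```

The fix on the query side is a `WHERE database = 'default'` filter; the fix on the consumer side is that an invalid file is never allowed to replace a valid one, which is what a rollback or kill switch ultimately has to guarantee.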

Read more at Bleeping Computer, Cloudflare Blog


2. WhatsApp Contact Discovery Flaw Exposed 3.5 Billion User Numbers

A flaw in WhatsApp's contact discovery allowed researchers to confirm 3.5 billion registered numbers worldwide and scrape the associated public profile data at over 100 million queries per hour. The enumeration attack was never throttled by rate limiting, and it highlights how metadata on an end-to-end encrypted messaging service remains exposed and could fuel targeted spam, phishing or state surveillance. Meta has since introduced tighter rate limiting and visibility controls.

Key Details

  • Attack spanned 245 countries at ~100 million checks/hour from a single IP
  • Exposed confirmation of 3.5 billion numbers, plus public keys, profile photos and About text
  • Researchers inferred OS, account age, and linked devices from metadata leaks
  • Meta implemented rate-limiting and profile visibility restrictions after a year-long delay

Read more at CSO Online


3. FCC Reverses Post-Salt Typhoon Cybersecurity Mandates for U.S. Telecoms

The FCC voted to rescind its January 2025 Declaratory Ruling under CALEA, which had required U.S. telecom carriers to adopt, document and annually certify cybersecurity risk-management plans following the Salt Typhoon intrusions. Critics warn that removing these enforceable controls leaves critical communications networks exposed to future state-sponsored intrusions.

Key Details

  • The January ruling required carriers to secure their networks against “unlawful access and interception” and to certify risk-management plans annually.
  • FCC Chair Brendan Carr called the rules “unlawful and ineffective,” citing voluntary carrier commitments, a new Council on National Security, and bans on foreign-controlled testing labs.
  • Salt Typhoon hackers breached core systems at AT&T, Verizon, T-Mobile, Charter, Lumen and others, exposing wiretap platforms and Call Detail Records.
  • Senators Maria Cantwell and Mark Warner, and dissenting FCC Commissioner Anna Gomez, argued the rollback removes the only binding federal response to one of the largest breaches in telecom history.

Read more at CSO Online


4. OAuth Tokens Stolen from Gainsight Apps Enable Unauthorized Access to 200+ Salesforce Instances

Threat actors used OAuth tokens stolen from Gainsight's Salesforce integration to access customers' CRM data. Salesforce revoked all related tokens and pulled the apps from AppExchange, and Gainsight has engaged Mandiant for a forensic review.

Key Details

  • Google Threat Intelligence ties the campaign to ShinyHunters, echoing August’s Salesloft Drift attack.
  • Over 200 Salesforce instances may have been compromised; attackers reportedly obtained tokens for 285 orgs.
  • Salesforce revoked all active access and refresh tokens for Gainsight-published apps and removed them from AppExchange.
  • Gainsight also pulled its HubSpot listing, revoked Zendesk connector access, and is working with Mandiant.

Next Steps

  • Audit all connected apps in Salesforce and remove any unused integrations.
  • Revoke and rotate OAuth tokens for high-risk or over-privileged apps.
  • Enforce least-privilege scopes on third-party SaaS connections.
  • Review login history and API activity of integration users for access from unexpected IPs or at unusual volumes.
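The audit above is mostly a matter of pulling the token inventory and applying three tests to it. The added example below is my own code, not Salesforce's or Gainsight's: the rows are constructed and shaped like the Salesforce OauthToken object (AppName, UseCount, LastUsedDate, User.Username), which the SOQL query shown is assumed to return; the Scopes field, the publisher list and the 90-day staleness threshold are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Assumed query for the real inventory (run it from Developer Console or the API).
SOQL = "SELECT Id, AppName, UseCount, LastUsedDate, User.Username FROM OauthToken"

NOW = datetime(2025, 11, 24, tzinfo=timezone.utc)  # constructed "today"

# Constructed rows; Scopes is an assumed field added for the example.
TOKENS = [
    {"Id": "0A1", "AppName": "Gainsight CS", "UseCount": 912,
     "LastUsedDate": NOW - timedelta(days=2), "Username": "svc-gainsight@example.com",
     "Scopes": {"full", "refresh_token"}},
    {"Id": "0A2", "AppName": "Slack for Salesforce", "UseCount": 3,
     "LastUsedDate": NOW - timedelta(days=200), "Username": "alice@example.com",
     "Scopes": {"api", "refresh_token"}},
    {"Id": "0A3", "AppName": "Data Loader", "UseCount": 50,
     "LastUsedDate": NOW - timedelta(days=10), "Username": "bob@example.com",
     "Scopes": {"api"}},
]

COMPROMISED_PUBLISHERS = ("Gainsight",)   # vendors whose tokens are known to be stolen
OVER_PRIVILEGED = {"full", "web"}         # scopes a server-to-server integration should never need
STALE_DAYS = 90


def audit_tokens(tokens, now=NOW):
    """Return one revoke action per token that is compromised, stale or over-privileged."""
    actions = []
    for t in tokens:
        reasons = []
        if t["AppName"].startswith(COMPROMISED_PUBLISHERS):
            reasons.append("publisher compromised")
        if (now - t["LastUsedDate"]).days > STALE_DAYS:
            reasons.append(f"unused for more than {STALE_DAYS} days")
        excess = t["Scopes"] & OVER_PRIVILEGED
        if excess:
            reasons.append("over-privileged scopes: " + ", ".join(sorted(excess)))
        if reasons:
            actions.append({"token": t["Id"], "app": t["AppName"], "user": t["Username"],
                            "action": "revoke", "reasons": reasons})
    return actions


if __name__ == "__main__":
    for action in audit_tokens(TOKENS):
        print(action)
```

A token that trips the "publisher compromised" test is revoked regardless of how recently it was used; heavy recent use by a stolen token is exactly what the attackers' data theft looks like, so UseCount and LastUsedDate are evidence for the incident review, not a reason to keep the token.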

Read more at CSO Online


5. Sneaky2FA Phishing Kit Adds Browser-in-the-Browser to Bypass Microsoft 365 MFA

Sneaky2FA, a leading phishing-as-a-service platform targeting Microsoft 365, has integrated a browser-in-the-browser (BitB) pop-up that dynamically mimics legitimate Microsoft login windows to steal credentials and active session tokens, even when multifactor authentication is enabled. This cosmetic deception layer applies OS- and browser-specific styling on top of the kit's existing adversary-in-the-middle (AitM) reverse proxy, significantly raising the bar for detection by email gateways and static scanners.

Key Details

  • The BitB pop-up is an iframe styled and resized to match Edge on Windows or Safari on macOS, complete with a fake URL bar showing the official domain.
  • Users land on a previewdoc[.]com phishing link, pass a Cloudflare Turnstile check, and then see the BitB window loading a reverse-proxied Microsoft login page.
  • HTML and JavaScript are heavily obfuscated—UI text split with invisible tags, elements as encoded images—to evade static detection and fingerprinting.
  • Sneaky2FA’s BitB support follows similar functionality in RaccoonO365 (Storm-2246), whose infrastructure Microsoft and Cloudflare recently disrupted.

Next Steps

  • Train users to drag pop-up windows outside the browser frame: a real login window moves independently, while a BitB iframe stays clipped inside the page.
  • Treat the pop-up's URL bar as untrusted; only the address bar of the outer window identifies the site.
  • Move high-value accounts to phishing-resistant MFA (FIDO2 security keys or passkeys), which an AitM proxy cannot replay.
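The obfuscation described in the Key Details (UI text split with invisible tags) defeats scanners that grep the raw HTML, but not ones that first recover what the victim sees. The added example below is my own code, not the kit's and not any vendor's scanner: it strips empty tags and invisible code points to rebuild the rendered text and then matches brand phrases against letters only. The SAMPLE markup is constructed to show the splitting technique and is not a real kit page.

```python
import re
from html.parser import HTMLParser

# Constructed sample: "Microsoft" and "Sign in to your account" split by empty tags,
# a zero-width space (&#8203;), a soft hyphen (&#173;) and a zero-width joiner (&zwj;).
SAMPLE = ('<div>M<span></span>icro&#8203;s<i></i>oft</div>'
          '<p>S&#173;ign in to y<b></b>our acc&zwj;ount</p>'
          '<script>var x = "decoy";</script>')

# Code points that render as nothing: zero-width space/non-joiner/joiner, word joiner, BOM, soft hyphen.
INVISIBLE = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff\u00ad"), None)


class VisibleText(HTMLParser):
    """Collect rendered text; skip <script>/<style> bodies; drop invisible code points."""

    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data.translate(INVISIBLE))


def visible_text(html):
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    return re.sub(r"\s+", " ", "".join(parser.parts)).strip()


BRAND_PHRASES = ("sign in to your account", "microsoft", "office 365")


def brand_hits(html):
    """Match phrases against letters and digits only, so spacing tricks ("M i c r o s o f t") do not help."""
    compact = re.sub(r"[^a-z0-9]", "", visible_text(html).lower())
    return [p for p in BRAND_PHRASES if p.replace(" ", "") in compact]


if __name__ == "__main__":
    print(visible_text(SAMPLE))
    print(brand_hits(SAMPLE))
```

Two limits worth knowing: a hidden element that carries decoy letters (display:none) would need CSS evaluation to exclude, and the text the kit renders as encoded images needs OCR, which is why the BitB window itself is the better behavioural tell.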

Read more at BleepingComputer, CSO Online


6. Iranian APTs Used Maritime AIS and CCTV Hacks to Direct Missile Strikes

Amazon Threat Intelligence linked two Iranian groups, Imperial Kitten and MuddyWater, to cyber espionage that directly informed missile attacks in the Red Sea and on Israeli cities. Imperial Kitten accessed a ship's AIS tracking data days before Houthi rebels launched missiles at it, while MuddyWater tapped live CCTV feeds in Jerusalem prior to Iran's June strike.

Key Details

  • Imperial Kitten (aka Tortoiseshell/TA456) compromised a vessel’s AIS system in December 2021 and searched its location data in January 2024.
  • Days after the AIS reconnaissance, Houthi-launched missiles targeted the same commercial vessel in the Red Sea on February 1, 2024.
  • MuddyWater set up C2 infrastructure in May 2025 and used it to access live Jerusalem CCTV streams before Iran’s June missile barrage on Tel Aviv and Jerusalem.
  • Both APTs leveraged anonymizing VPNs and private command-and-control servers to collect real-time targeting intelligence.

Read more at CSO Online, Amazon Threat Intelligence Blog


7. Matrix Push C2 Hijacks Browser Notifications for Fileless Phishing

A new command-and-control framework called Matrix Push uses legitimate browser push notifications to deliver phishing alerts and malicious links without dropping any file on the victim's device. Attackers lure users into granting notification permission on a malicious site, then push branded fake alerts (PayPal, MetaMask, Netflix, Cloudflare, TikTok and others) that direct victims to phishing pages, while tracking real-time metrics such as IP, location, OS and installed crypto-wallet extensions. Sold as a subscription-based MaaS on underground forums, Matrix Push sidesteps file-based defenses by relying on standard browser APIs and the browser vendors' own encrypted push channels.

Key Details

  • Works in any major browser or OS via standard Push API and service workers
  • Prebuilt notification and landing-page templates for top brands to improve click rates
  • Dashboard shows live victim activity: online status, clicks, browser/OS version, geolocation
  • Subscription pricing: $150/month, $405/3 months, $765/6 months, $1,500/year

Next Steps

  • Block or restrict web push notifications through browser policy (for Chrome, DefaultNotificationsSetting with an allowlist of approved origins) rather than only at the network layer, since the push channel itself is the browser vendor's legitimate service.
  • Audit existing notification grants on endpoints and remove any origin that is not on the allowlist.
  • Deploy detection rules for known Matrix Push infrastructure.
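Because the permission grant is the only foothold this framework needs, the most useful hunt on an endpoint is to list which origins a browser profile has allowed to push. The added example below is my own code, not Matrix Push code or any vendor tool: the JSON is a constructed fragment in the shape of Chrome's per-profile Preferences file (profile.content_settings.exceptions.notifications), and the "origin,*" key format, the meaning of the setting values (1 = allow, 2 = block) and the allowlist are assumptions for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed Preferences fragment. On disk the file lives at, for example,
# %LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences (Windows) or
# ~/.config/google-chrome/Default/Preferences (Linux).
PREFS = json.loads("""{
  "profile": {"content_settings": {"exceptions": {"notifications": {
    "https://mail.google.com:443,*":         {"setting": 1, "last_modified": "13380163200000000"},
    "https://free-movies-now.example:443,*": {"setting": 1, "last_modified": "13405000000000000"},
    "https://news.example.org:443,*":        {"setting": 2, "last_modified": "13390000000000000"}
  }}}}
}""")

APPROVED_HOSTS = {"mail.google.com", "teams.microsoft.com"}  # constructed allowlist


def chrome_time(ticks):
    """Chrome stores timestamps as microseconds since 1601-01-01 UTC (Windows epoch)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(ticks))


def notification_grants(prefs):
    """Every origin the profile has allowed to show notifications, with when it was granted."""
    exceptions = prefs["profile"]["content_settings"]["exceptions"].get("notifications", {})
    grants = []
    for pattern, value in exceptions.items():
        if value.get("setting") != 1:          # 1 = allow; blocked/ask entries are not a foothold
            continue
        origin = pattern.split(",", 1)[0]      # "https://host:port,*" -> "https://host:port"
        host = origin.split("://", 1)[-1].split(":", 1)[0]
        grants.append({"host": host,
                       "granted": chrome_time(value["last_modified"]),
                       "approved": host in APPROVED_HOSTS})
    return grants


def suspicious_grants(prefs):
    """Hosts that may push notifications but are not on the allowlist."""
    return [g["host"] for g in notification_grants(prefs) if not g["approved"]]


if __name__ == "__main__":
    for g in notification_grants(PREFS):
        print(g["host"], g["granted"].isoformat(), "approved" if g["approved"] else "REVIEW")
```

The grant timestamp is the useful pivot for incident response: it tells you when the user was lured, which narrows the browsing history and proxy logs you need to look at.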

Read more at Dark Reading


8. China-linked PlushDaemon Hijacks Software Updates via EdgeStepper Implant

A China-aligned APT known as PlushDaemon is exploiting compromised routers with a new implant called EdgeStepper to intercept DNS queries and redirect legitimate software-update traffic to attacker servers. Victims downloading routine updates receive a chain of malware (LittleDaemon, DaemonicLogistics and the SlowStepper backdoor), enabling espionage across industries and regions.

Key Details

  • EdgeStepper is a Go-based ELF implant for MIPS32 routers that uses iptables rules to redirect all UDP port 53 traffic to a malicious DNS proxy.
  • When update domains are queried, the proxy returns attacker-controlled IPs, causing victims to install a DLL downloader (popup_4.2.0.2246.dll), then DaemonicLogistics, and finally the SlowStepper backdoor.
  • Since 2019, ESET telemetry shows PlushDaemon targeting universities, electronics manufacturers, a Japanese auto plant in Cambodia, and users of Sogou Pinyin and IPany VPN.
  • SlowStepper enables system reconnaissance, file operations, command execution, browser data theft, keystroke logging, and credential harvesting.

Next Steps

  • Review and rotate all default or weak router/IoT device credentials.
  • Apply firmware patches for known vulnerabilities on edge network devices.
  • Compare DNS answers for software-update domains from the LAN resolver against an independent resolver; diverging answers point to interception.
  • Prefer updaters that verify code signatures, so a redirected download cannot be installed silently.
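The iptables redirection described in the Key Details leaves a visible trace in the router's NAT table. The added example below is my own code, not ESET's and not part of the implant: it parses an iptables-save dump from a router and flags NAT rules that divert UDP/53 anywhere other than the resolver you expect. The dump, the interface names and the addresses are constructed for the example and are not indicators from the report.

```python
import shlex

# Constructed iptables-save excerpt (obtain the real one over SSH with `iptables-save`
# or `iptables -t nat -S`). The DNAT target is an illustrative address, not a real IoC.
IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.0.250:53
-A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

EXPECTED_DNS = {"192.168.1.1"}   # resolver the LAN is supposed to use (constructed)


def dns_redirects(dump):
    """Return every nat-table rule that DNATs or REDIRECTs UDP port 53, with a verdict."""
    findings, table = [], None
    for line in dump.splitlines():
        if line.startswith("*"):               # table header, e.g. "*nat"
            table = line[1:]
            continue
        if table != "nat" or not line.startswith("-A"):
            continue
        args = shlex.split(line)
        opts = dict(zip(args, args[1:]))       # option -> following token; enough for -A rules
        if opts.get("-p") != "udp" or opts.get("--dport") != "53":
            continue
        target = opts.get("-j")
        if target == "DNAT":
            dest = opts.get("--to-destination", "")
        elif target == "REDIRECT":             # REDIRECT means the router itself answers
            dest = "127.0.0.1:" + opts.get("--to-ports", "53")
        else:
            continue
        host = dest.rsplit(":", 1)[0]
        findings.append({"rule": line, "target": target, "dest": dest,
                         "expected": host in EXPECTED_DNS})
    return findings


if __name__ == "__main__":
    for f in dns_redirects(IPTABLES_SAVE):
        print("OK " if f["expected"] else "SUSPECT", f["target"], "->", f["dest"])
```

Many consumer routers legitimately redirect port 53 to their own dnsmasq, so the verdict has to be relative to what you expect on that device; a DNAT to an address that is neither the router nor your resolver is the thing to chase, and the cross-resolver DNS comparison from the Next Steps confirms whether answers for update domains are actually being altered.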

Read more at BleepingComputer


9. Operation WrtHug Hijacks Over 50,000 End-of-Life ASUS WRT Routers

A global campaign named Operation WrtHug has exploited six known ASUS WRT vulnerabilities to compromise more than 50,000 end-of-life or outdated routers, primarily in Taiwan but also across Southeast Asia, Russia, Central Europe and the U.S. The attackers abused the ASUS AiCloud service, replaced its TLS certificate with a self-signed one valid for 100 years (now the campaign's intrusion marker) and maintained persistent SSH backdoors, potentially building stealth relay networks for espionage. Organizations using affected devices face elevated risk of traffic interception, proxying of command-and-control traffic and undetected lateral movement.

Key Details

  • Six exploited flaws include CVE-2023-41345/46/47/48, CVE-2023-39780, CVE-2024-12912 and critical CVE-2025-2492.
  • 99% of infected AiCloud services present a custom self-signed TLS cert valid for 100 years, replacing ASUS’s default 10-year certificate.
  • Targeted models span AC-series and AX-series devices such as DSL-AC68U, GT-AX11000, RT-AC1200HP and 4G-AC55U.
  • No infections were observed in mainland China, suggesting a possible China-linked actor focusing on external targets.

Next Steps

  • Apply the latest ASUS firmware patches that address all six vulnerabilities.
  • Disable AiCloud and remote access on unsupported or end-of-life routers.
  • Scan networks for the 100-year self-signed TLS certificate as an IoC.
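The certificate check is simple enough to script. The added example below is my own code, not ASUS's or the researchers' tooling: it parses the subject, issuer and validity that `openssl x509` prints for a router's AiCloud certificate and flags the WrtHug marker (self-signed and roughly 100 years of validity). SAMPLE_OUTPUT is constructed; the 8443 port, the 30-year threshold and the presence of an openssl binary for the live variant are assumptions for the example.

```python
import ssl
import subprocess

# Constructed output in the shape of:
#   openssl s_client -connect <router>:8443 </dev/null 2>/dev/null \
#     | openssl x509 -noout -subject -issuer -dates
SAMPLE_OUTPUT = """\
subject=CN = 192.168.50.1
issuer=CN = 192.168.50.1
notBefore=Nov 18 00:00:00 2025 GMT
notAfter=Nov 18 00:00:00 2125 GMT
"""

LONG_LIVED_DAYS = 30 * 365   # ASUS ships a 10-year certificate; the marker is 100 years


def parse_x509_text(text):
    """Turn `openssl x509 -noout -subject -issuer -dates` output into a dict of fields."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def validity_days(fields):
    """Length of the validity window in whole days."""
    start = ssl.cert_time_to_seconds(fields["notBefore"])
    end = ssl.cert_time_to_seconds(fields["notAfter"])
    return (end - start) // 86400


def is_wrthug_marker(fields):
    """Self-signed (subject == issuer) and far longer-lived than any legitimate ASUS cert."""
    self_signed = fields["subject"] == fields["issuer"]
    return self_signed and validity_days(fields) >= LONG_LIVED_DAYS


def fetch_cert_fields(host, port=8443, timeout=10):
    """Live variant for one router: shells out to openssl (assumed installed); not run offline."""
    client = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}"],
                            input=b"", capture_output=True, timeout=timeout)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-subject", "-issuer", "-dates"],
                          input=client.stdout, capture_output=True, check=True)
    return parse_x509_text(x509.stdout.decode())


if __name__ == "__main__":
    fields = parse_x509_text(SAMPLE_OUTPUT)
    print(validity_days(fields), "days; marker:", is_wrthug_marker(fields))
```

Run fetch_cert_fields over every router management address in your inventory; a hit is a reason to treat the device as compromised (re-flash, rotate credentials, check for unexpected SSH keys), not merely to patch it.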

Read more at BleepingComputer


Subscribe

Subscribe to receive this weekly cybersecurity news summary to your inbox every Monday.
