{"id":20888,"date":"2025-11-10T14:41:28","date_gmt":"2025-11-10T12:41:28","guid":{"rendered":"https:\/\/kordon.app\/?p=20888"},"modified":"2025-11-10T14:41:28","modified_gmt":"2025-11-10T12:41:28","slug":"interesting-cybersecurity-news-of-the-week-summarised-2025-11-10","status":"publish","type":"post","link":"https:\/\/kordon.app\/et\/interesting-cybersecurity-news-of-the-week-summarised-2025-11-10\/","title":{"rendered":"Interesting Cybersecurity News of the Week Summarised &#8211; 2025-11-10"},"content":{"rendered":"<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>This week I found less interesting cybersecurity news than usual, but you know what, I am not going to pad this list with more news just to hit a certain number of items. It is what it is, and my job is to deliver you interesting news. Quality over quantity, right? <\/p>\n\n\n\n<p>Since you will spend less time reading these than usual then I encourage you to check out the Microsoft Security Blog link under the first newsitem. Luckily, it&#8217;s fixed now but super interesting attack vector. I wonder, what similar techniques are in the works?<\/p>\n\n\n\n<p>P.S. You can also get this weekly summary of interesting cybersecurity news to your inbox every Monday. Scroll to the bottom to subscribe.<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">1. \u2018Whisper Leak\u2019 Side-Channel Attack Exposes AI Chat Prompts in Encrypted Traffic<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">A newly disclosed side-channel <strong>attack named Whisper Leak leverages packet sizes and timing in encrypted streaming AI chats to infer user prompts with over 98% accuracy on target topics<\/strong>. <br><strong>Why this matters?<\/strong> If a government agency or internet service provider were monitoring traffic to a popular AI chatbot, they could reliably identify users asking questions about specific sensitive topics\u2014whether that\u2019s money laundering, political dissent, or other monitored subjects\u2014even though all the traffic is encrypted.<br><strong>All mayor AI chat applications have deployed a mitigation that decreases the accuraccy to levels that no longer pose a risk.<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Attack classifies topics by analyzing TLS packet size and inter-arrival timing patterns.<\/li>\n\n\n\n<li>Proof-of-concept using LightGBM, Bi-LSTM, and BERT <strong>models achieved AUPRC scores above 98%.<\/strong><\/li>\n\n\n\n<li><strong>Simulated monitoring of 10,000 sessions yielded 100% precision and 5\u201350% recall for sensitive topics.<\/strong><\/li>\n\n\n\n<li><strong>OpenAI, Mistral, Microsoft Azure, and xAI implemented random token-length obfuscation to mitigate risk.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Confirm your AI provider has deployed random-padding or batching defenses.<\/li>\n\n\n\n<li>Don&#8217;t use chat applications on open networks, alwats prefer using them over VPN<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/cybersecuritynews.com\/whisper-leak-toolkit\/\">Cybersecurity News<\/a>, <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/11\/07\/whisper-leak-a-novel-side-channel-cyberattack-on-remote-language-models\/\">Microsoft Security Blog<\/a>, <a href=\"https:\/\/thehackernews.com\/2025\/11\/microsoft-uncovers-whisper-leak-attack.html\">The Hacker News<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">2. Commercial-Grade &#8216;LANDFALL&#8217; Spyware Exploits Samsung Zero-Day to Target Galaxy Devices<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Security researchers at Palo Alto Networks reveal \u201cLANDFALL,\u201d a sophisticated spywaretool exploiting CVE-2025-21042 in Samsung Galaxy phones via<strong> malicious DNG images sent over WhatsApp<\/strong>. <strong>Targets in the Middle East were surveilled for nine months, with full data exfiltration and zero-click capabilities.<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CVE-2025-21042: out-of-bounds write in Samsung\u2019s image library, <strong>patched April 2025<\/strong><\/li>\n\n\n\n<li><strong>Delivered in malformed Digital Negative (DNG) files containing appended ZIP archives<\/strong><\/li>\n\n\n\n<li><strong>Zero-click<\/strong> vector via WhatsApp <strong>enabled microphone, camera, SMS, call log exfiltration<\/strong><\/li>\n\n\n\n<li>Infrastructure patterns overlap with Stealth Falcon campaigns in UAE-linked operations<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensure all Galaxy OS updates are applied, including April 2025 patch<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/unit42.paloaltonetworks.com\/landfall-is-new-commercial-grade-android-spyware\/\">Palo Alto Networks Unit 42<\/a>, <a href=\"https:\/\/therecord.media\/landfall-spyware-middle-east-appears-commercial-grade\">The Record<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">3. Vibe-coded Ransomware Extension Bypasses VS Code Marketplace Review<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">A blatantly <strong>malicious VS Code extension<\/strong>\u2014<strong>\u201csusvsex\u201d\u2014appearing to be generated by AI, automatically compressed, encrypted, and exfiltrated files before replacement<\/strong>, and even included hard-coded decryption keys. <strong>Despite obvious red flags, it slipped past Microsoft\u2019s marketplace filters<\/strong> on Nov. 5 and remained live until researchers reported it two days later.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Published under \u201csuspublisher18.susvsex,\u201d the extension zipped and uploaded a test folder, then encrypted it using AES-256.<\/li>\n\n\n\n<li>Code contained obvious AI artifacts\u2014verbose comments, duplicate decryptors (Python\/Node), and hard-coded decryption key.<\/li>\n\n\n\n<li><strong>Used a private GitHub repo as a C2 channel, polling an index.html for commands and writing results back to requirements.txt.<\/strong><\/li>\n\n\n\n<li>Microsoft removed the extension Nov. 7 after Secure Annex\u2019s report; MSRC initially deemed it out of scope.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Audit and remove unverified VS Code extensions<\/strong> in your environment<\/li>\n\n\n\n<li><strong>Enforce allow-lists and use extension-management tools<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darkreading.com\/application-security\/ransomvibing-infests-visual-studio-extension-market\">Dark Reading<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">4. Critical RCE Flaw in React Native CLI Exposes Developer Machines to Remote Attack<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>A critical remote-code execution vulnerability (CVE-2025-11953, CVSS 9.8) in the @react-native-community\/cli and its cli-server-api lets attackers run arbitrary OS commands on any network-accessible development server instance. <\/strong>By default, the Metro bundler binds to 0.0.0.0\u2014not localhost\u2014enabling remote exploitation via its unsafe \/open-url endpoint. <\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Bug affects @react-native-community\/cli-server-api versions 4.8.0\u201320.0.0-alpha.2<\/li>\n\n\n\n<li>Metro dev server prints \u201clocalhost\u201d but listens on all interfaces (0.0.0.0) by default<\/li>\n\n\n\n<li><strong>Windows exploit demonstrated full OS command execution;<\/strong> macOS\/Linux paths likely exploitable<\/li>\n\n\n\n<li><strong>Patch released in cli-server-api v20.0.0 <\/strong>to sanitize input and bind correctly<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Upgrade @react-native-community\/cli-server-api to v20.0.0 or later<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.csoonline.com\/article\/4085797\/rce-in-react-native-cli-opens-dev-servers-to-attacks.html\">CSO Online<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Russian APT Curly COMrades Abuses Hyper-V to Hide Malware in Linux VMs<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>A Russia-aligned APT group dubbed Curly COMrades<\/strong> covertly enables Windows Hyper-V on compromised hosts to <strong>deploy a lean Alpine Linux VM that runs custom malware, bypassing host-based EDR by routing C2 traffic through the legitimate host network.<\/strong> <\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Alpine VM footprint: 120 MB disk, 256 MB RAM, deployed via DISM and PowerShell cmdlets.<\/li>\n\n\n\n<li><strong>CurlyShell establishes an HTTPS reverse shell; CurlCat tunnels SSH over HTTPS to evade network monitoring.<\/strong><\/li>\n\n\n\n<li><strong>VM named \u201cWSL\u201d to mimic Windows Subsystem for Linux, reducing operator scrutiny.<\/strong><\/li>\n\n\n\n<li>Group also used PowerShell scripts to inject Kerberos tickets into LSASS and <strong>create domain accounts via Group Policy.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Monitor DISM\/PowerShell for unexpected Hyper-V feature changes.<\/strong><\/li>\n\n\n\n<li><strong>Alert on Import-VM\/Start-VM cmdlet usage and abnormal VM names.<\/strong><\/li>\n\n\n\n<li><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.csoonline.com\/article\/4085272\/russian-apt-abuses-windows-hyper-v-for-persistence-and-malware-execution.html\">CSO Online<\/a>, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/russian-hackers-abuse-hyper-v-to-hide-malware-in-linux-vms\/\">BleepingComputer<\/a>, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/russian-hackers-abuse-hyper-v-to-hide-malware-in-linux-vms\/\">BleepingComputer<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/4085272\/russian-apt-abuses-windows-hyper-v-for-persistence-and-malware-execution.html\">CSO Online<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Google Detects First Live Malware Using LLMs for Real-Time Code Generation and Obfuscation<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Google\u2019s Threat Intelligence Group has <strong>identified the first operational malware\u2014PROMPTSTEAL and PROMPTFLUX\u2014that invokes large language models mid-executionto craft commands, rewrite scripts, and evade detection dynamically. <\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>PROMPTSTEAL, linked to Russia-backed APT28<\/strong>, <strong>uses the Hugging Face API and Qwen2.5-Coder-32B-Instruct to generate Windows theft commands under the guise of an image-generation tool.<\/strong><\/li>\n\n\n\n<li><strong>PROMPTFLUX dropper queries Google\u2019s Gemini API hourly to rewrite its VBScript, <\/strong>creating a \u201cthinking robot\u201d that mutates code for persistence and antivirus evasion.<\/li>\n\n\n\n<li><strong>Attackers also deploy social-engineering prompts<\/strong>\u2014posing as CTF participants or students\u2014to bypass LLM safety guardrails and obtain exploit guidance.<\/li>\n\n\n\n<li>Underground marketplaces now offer AI-powered malware creation, deepfake generators, and phishing kits on subscription models, lowering the technical bar for attackers.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Monitor and block unusual outbound requests to known LLM API endpoints.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.csoonline.com\/article\/4085494\/google-researchers-detect-first-operational-use-of-llms-in-active-malware-campaigns.html\">CSO Online<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Subscribe<\/h2>\n\n\n\n<p>Subscribe to receive this weekly cybersecurity news summary to your inbox every Monday.<\/p>\n\n\n                <div class=\"ml-embedded\" data-form=\"pKq7EM\"><\/div>","protected":false},"excerpt":{"rendered":"<p>Latest interesting cybersecurity news from November 2025.<\/p>","protected":false},"author":1,"featured_media":20910,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[],"class_list":["post-20888","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20888","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/comments?post=20888"}],"version-history":[{"count":22,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20888\/revisions"}],"predecessor-version":[{"id":20912,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20888\/revisions\/20912"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media\/20910"}],"wp:attachment":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media?parent=20888"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/categories?post=20888"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/tags?post=20888"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}