{"id":20964,"date":"2025-11-17T14:18:52","date_gmt":"2025-11-17T12:18:52","guid":{"rendered":"https:\/\/kordon.app\/?p=20964"},"modified":"2025-11-24T11:50:15","modified_gmt":"2025-11-24T09:50:15","slug":"interesting-cybersecurity-news-of-the-week-summarised-2025-17-11","status":"publish","type":"post","link":"https:\/\/kordon.app\/et\/interesting-cybersecurity-news-of-the-week-summarised-2025-17-11\/","title":{"rendered":"Interesting Cybersecurity News of the Week Summarised &#8211; 2025-17-11"},"content":{"rendered":"<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>Not a huge week but I think that&#8217;s actually a good thing.<\/strong> However, Black Hat Europe is just a few weeks away, so I am guessing we are going to get some very interesting things in the next few weeks. <strong>If you&#8217;re an EU citizen,<\/strong> definitely check out the Digital Omnibus proposal: the first draft is out and maybe it&#8217;s time to share your thoughts with your local politicians \u2026<\/p>\n\n\n\n<p>P.S. <strong>What would you think of a ~10 minute audio version of this summary?<\/strong> Would it be useful? Let me know at jaana@kordon.app or on LinkedIn<\/p>\n\n\n\n<p>P.P.S. You can also get this weekly summary of interesting cybersecurity news to your inbox every Monday. <strong>Scroll to the bottom to subscribe.<\/strong><\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">1. Civil Society Warns EU Digital Omnibus Will Roll Back GDPR and AI Protections<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">A coalition of 127 civil society groups and trade unions has condemned the European Commission\u2019s upcoming <strong>Digital Omnibus package for weakening core GDPR, ePrivacy, Data Act, and AI Act safeguards,<\/strong> expanding cookie tracking and AI data processing while reducing consent and oversight. 
<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>127 groups, including EDRi, Access Now, CDT Europe and noyb, signed an open letter<\/li>\n\n\n\n<li><strong>Proposal shifts cookies from opt-in consent to opt-out via a \u201clow-risk\u201d list<\/strong><\/li>\n\n\n\n<li><strong>GDPR scope narrowed to \u201cdirectly revealed\u201d data,<\/strong> excluding inferred\/pseudonymous data<\/li>\n\n\n\n<li><strong>AI training allowed under \u201clegitimate interests\u201d; <\/strong>public developer registry removed<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/therecord.media\/civil-society-privacy-rollback\">The Record<\/a>, <a href=\"https:\/\/noyb.eu\/sites\/default\/files\/2025-11\/EU-Kommission-Digital-Omnibus-A-Data-Act-und-DSGVO.pdf\" title=\"\">Regulation Draft<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">2. NPM Registry Flooded with 150,000 Packages in Token Farming Supply Chain Attack<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Amazon researchers identified over 150,000 auto-generated NPM packages exploiting the tea.xyz reward protocol by inflating download metrics through circular dependency chains.<\/strong> tea.xyz is a blockchain-based system designed to reward developers for open source contributions. 
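Added example (this is not code from the Amazon write-up or from the tea.xyz project): a small Python triage script that models what a registry-side or CI-side check for this campaign has to combine. It builds the dependency graph from a set of package manifests plus their tarball file listings, finds the circular dependency chains with Tarjan's strongly-connected-components algorithm, and joins that with the two other signals named above: a tea.yaml shipped in the tarball and an install hook in package.json. Package names, manifests and file listings are constructed for the example and refer to no real packages; a single tea.yaml on its own is treated as legitimate, because honest projects register with tea.xyz too.

```python
INSTALL_HOOKS = ('preinstall', 'install', 'postinstall')

# Constructed sample: what a registry API / tarball listing would give us for
# five packages. Names, manifests and file lists are made up for this example.
SAMPLE_PACKAGES = [
    {'manifest': {'name': 'farm-pkg-a', 'version': '1.0.0',
                  'dependencies': {'farm-pkg-b': '1.0.0'},
                  'scripts': {'postinstall': 'node publish.js'}},
     'files': ['package.json', 'index.js', 'publish.js', 'tea.yaml']},
    {'manifest': {'name': 'farm-pkg-b', 'version': '1.0.0',
                  'dependencies': {'farm-pkg-c': '1.0.0'},
                  'scripts': {'postinstall': 'node publish.js'}},
     'files': ['package.json', 'index.js', 'publish.js', 'tea.yaml']},
    {'manifest': {'name': 'farm-pkg-c', 'version': '1.0.0',
                  'dependencies': {'farm-pkg-a': '1.0.0'}},
     'files': ['package.json', 'index.js', 'tea.yaml']},
    {'manifest': {'name': 'tiny-padder', 'version': '2.3.1', 'dependencies': {}},
     'files': ['package.json', 'index.js', 'README.md']},
    # An honest project that merely registered with tea.xyz: one signal, no cycle.
    {'manifest': {'name': 'honest-lib', 'version': '0.4.0',
                  'dependencies': {'tiny-padder': '2.3.1'}},
     'files': ['package.json', 'index.js', 'tea.yaml']},
]


def build_graph(packages):
    '''Directed graph: package name -> set of runtime dependency names.'''
    graph = {}
    for pkg in packages:
        name = pkg['manifest']['name']
        deps = set(pkg['manifest'].get('dependencies', {}))
        graph.setdefault(name, set()).update(deps)
        for dep in deps:
            graph.setdefault(dep, set())   # keep unknown deps as leaf nodes
    return graph


def strongly_connected_components(graph):
    '''Tarjan's algorithm; returns a list of node sets, one per SCC.'''
    index, lowlink, on_stack, stack, comps = {}, {}, set(), [], []
    counter = [0]

    def visit(node):
        index[node] = lowlink[node] = counter[0]
        counter[0] += 1
        stack.append(node)
        on_stack.add(node)
        for dep in graph.get(node, ()):
            if dep not in index:
                visit(dep)
                lowlink[node] = min(lowlink[node], lowlink[dep])
            elif dep in on_stack:
                lowlink[node] = min(lowlink[node], index[dep])
        if lowlink[node] == index[node]:      # node is the root of an SCC
            comp = set()
            while True:
                member = stack.pop()
                on_stack.discard(member)
                comp.add(member)
                if member == node:
                    break
            comps.append(comp)

    for node in graph:
        if node not in index:
            visit(node)
    return comps


def cyclic_packages(graph):
    '''Names that sit on a dependency cycle (SCC larger than one, or a self-loop).'''
    members = set()
    for comp in strongly_connected_components(graph):
        if len(comp) > 1 or any(node in graph[node] for node in comp):
            members |= comp
    return members


def assess(packages):
    '''Per-package signals and a verdict: token-farming, suspicious or clean.'''
    in_cycle = cyclic_packages(build_graph(packages))
    report = {}
    for pkg in packages:
        manifest = pkg['manifest']
        scripts = manifest.get('scripts', {})
        signals = {
            'in_cycle': manifest['name'] in in_cycle,
            'tea_yaml': 'tea.yaml' in pkg['files'],
            'install_hook': any(hook in scripts for hook in INSTALL_HOOKS),
        }
        if signals['in_cycle'] and signals['tea_yaml']:
            verdict = 'token-farming'          # the campaign's signature combination
        elif signals['in_cycle'] or (signals['tea_yaml'] and signals['install_hook']):
            verdict = 'suspicious'
        else:
            verdict = 'clean'
        report[manifest['name']] = dict(signals, verdict=verdict)
    return report


if __name__ == '__main__':
    for name, row in assess(SAMPLE_PACKAGES).items():
        print(name, row['verdict'], {k: v for k, v in row.items() if k != 'verdict'})
```

To run this against a real lockfile, feed build_graph the packages from package-lock.json and derive the file listings from the published tarballs (npm pack, or the registry tarball URL); the dependency cycle is the signal that scales, because a farm needs every package to pull the others on install.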
Although the packages contain no overt malware, they pollute the registry, strain infrastructure resources, and pose a significant supply-chain integrity risk for development teams.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detection began Oct 24 using a new Amazon Inspector rule augmented with AI to flag suspicious package patterns.<\/li>\n\n\n\n<li>Collaborating with OpenSSF, researchers assigned malicious package identifiers (MAL-IDs) to 150,000+ packages by Nov 8.<\/li>\n\n\n\n<li>Attackers weaponized npm\u2019s package.json scripts and circular dependency chains to self-replicate on install.<\/li>\n\n\n\n<li><strong>Each package included a tea.yaml linking to blockchain wallet addresses for TEA token rewards.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darkreading.com\/application-security\/150000-packages-flood-npm-registry-token-farming\">Dark Reading<\/a>, <a href=\"https:\/\/aws.amazon.com\/blogs\/security\/amazon-inspector-detects-over-150000-malicious-packages-linked-to-token-farming-campaign\/\">AWS Security Blog<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">3. Malet Dataset and Katalina Tool Unveil Overlooked macOS Malware Threats<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">At Black Hat Europe, researchers Obinna Igbe and Godwin Attigah will release Malet\u2014a public dataset of over 48,000 malicious and 22,000 benign macOS binaries\u2014and <strong>Katalina, an open-source, platform-agnostic static analysis tool. <\/strong>Malet will be the largest public dataset of macOS malware to date. Katalina is a new, open-source, high-performance static analysis tool that can process thousands of binaries per minute on commodity hardware. 
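Added example, not part of the Malet or Katalina release: the one static check from this item that is cheap enough to run over tens of thousands of samples yourself is whether a Mach-O image carries a code-signature load command at all. The dependency-free Python below walks the load-command table of a thin image (or of every slice in a universal binary), looks for LC_CODE_SIGNATURE, and sanity-checks that the blob it points at starts with the embedded-signature SuperBlob magic. The sample images are constructed inside the script. Presence of a blob is only the first cut: ad-hoc, expired or revoked signatures all count as present here, and the 96.1% figure above is about validity, which only codesign --verify (or the Security framework) can establish.

```python
import struct

# Constants from <mach-o/loader.h>, <mach-o/fat.h> and the code-signing headers.
MH_MAGIC = 0xfeedface                    # 32-bit thin image
MH_MAGIC_64 = 0xfeedfacf                 # 64-bit thin image
FAT_MAGIC = 0xcafebabe                   # universal container (big-endian header)
LC_SEGMENT_64 = 0x19
LC_CODE_SIGNATURE = 0x1d                 # linkedit_data_command: dataoff, datasize
CSMAGIC_EMBEDDED_SIGNATURE = 0xfade0cc0  # SuperBlob magic at the start of the CS blob


def thin_slices(data):
    '''Split a universal binary into thin images; a thin image is returned as-is.'''
    if len(data) < 8 or struct.unpack_from('>I', data, 0)[0] != FAT_MAGIC:
        return [data]
    nfat_arch = struct.unpack_from('>I', data, 4)[0]
    slices = []
    for i in range(nfat_arch):   # fat_arch: cputype, cpusubtype, offset, size, align
        _cpu, _sub, offset, size, _align = struct.unpack_from('>iiIII', data, 8 + 20 * i)
        slices.append(data[offset:offset + size])
    return slices


def _header_layout(data):
    '''(endianness, header size) for a thin image; raises ValueError otherwise.'''
    if len(data) < 28:
        raise ValueError('too short to be a Mach-O image')
    for endian in ('<', '>'):
        magic = struct.unpack_from(endian + 'I', data, 0)[0]
        if magic == MH_MAGIC_64:
            return endian, 32
        if magic == MH_MAGIC:
            return endian, 28
    raise ValueError('not a thin Mach-O image')


def load_commands(data):
    '''Return (endian, [(cmd, raw_bytes), ...]) by walking the load-command table.'''
    endian, header_size = _header_layout(data)
    ncmds, sizeofcmds = struct.unpack_from(endian + 'II', data, 16)
    offset, table_end, cmds = header_size, header_size + sizeofcmds, []
    for _ in range(ncmds):
        if offset + 8 > min(table_end, len(data)):
            raise ValueError('truncated load-command table')
        cmd, cmdsize = struct.unpack_from(endian + 'II', data, offset)
        if cmdsize < 8 or offset + cmdsize > len(data):
            raise ValueError('malformed load command')
        cmds.append((cmd, data[offset:offset + cmdsize]))
        offset += cmdsize
    return endian, cmds


def classify_slice(data):
    '''unsigned | signature-present | truncated-signature | malformed-signature | not-mach-o'''
    try:
        endian, cmds = load_commands(data)
    except ValueError:
        return 'not-mach-o'
    for cmd, raw in cmds:
        if cmd != LC_CODE_SIGNATURE:
            continue
        if len(raw) < 16:
            return 'malformed-signature'
        dataoff, datasize = struct.unpack_from(endian + 'II', raw, 8)
        if datasize < 4 or dataoff + datasize > len(data):
            return 'truncated-signature'
        if struct.unpack_from('>I', data, dataoff)[0] != CSMAGIC_EMBEDDED_SIGNATURE:
            return 'malformed-signature'
        return 'signature-present'
    return 'unsigned'


def classify(data):
    '''One verdict per architecture slice.'''
    return [classify_slice(s) for s in thin_slices(data)]


# --- constructed sample images (not real binaries) ---------------------------
def build_thin(with_signature, cputype=0x0100000c):
    '''Minimal 64-bit image: one __LINKEDIT segment, optional CS blob at 0x200.'''
    cmds = struct.pack('<II16sQQQQiiII', LC_SEGMENT_64, 72, b'__LINKEDIT', 0, 0, 0, 0, 0, 0, 0, 0)
    if with_signature:
        cmds += struct.pack('<IIII', LC_CODE_SIGNATURE, 16, 0x200, 0x100)
    header = struct.pack('<IiiIIIII', MH_MAGIC_64, cputype, 0, 2, 2 if with_signature else 1, len(cmds), 0, 0)
    image = bytearray(header + cmds)
    image += bytes(0x300 - len(image))
    if with_signature:
        struct.pack_into('>I', image, 0x200, CSMAGIC_EMBEDDED_SIGNATURE)
    return bytes(image)


def build_fat(images):
    '''Universal container around the given thin images, first slice at 0x400.'''
    header = struct.pack('>II', FAT_MAGIC, len(images))
    archs, body, base = b'', b'', 0x400
    for image in images:
        cputype = struct.unpack_from('<i', image, 4)[0]
        archs += struct.pack('>iiIII', cputype, 0, base + len(body), len(image), 12)
        body += image
    table = header + archs
    return table + bytes(base - len(table)) + body


SAMPLE_SIGNED = build_thin(True)
SAMPLE_UNSIGNED = build_thin(False)
SAMPLE_FAT = build_fat([SAMPLE_SIGNED, build_thin(False, cputype=0x01000007)])

if __name__ == '__main__':
    for label, image in (('signed', SAMPLE_SIGNED), ('unsigned', SAMPLE_UNSIGNED), ('fat', SAMPLE_FAT)):
        print(label, classify(image))
```

Two caveats when pointing this at a real corpus: Java class files share the 0xcafebabe magic, so a sanity limit on nfat_arch is worth adding before trusting the fat header, and a file that is signed but whose slice for the running CPU is not is still a Gatekeeper failure, which is why the verdict is reported per slice.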
<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Malet catalogs 48,400 malicious and 22,907 benign Mach-O executables.<\/li>\n\n\n\n<li>96.1% of malicious samples lack valid code signatures, undermining Apple\u2019s enforcement model.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/new-security-tools-target-growing-macos-threats\">Dark Reading<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">4. Five Plead Guilty to Enabling North Korean IT Worker Infiltration; DOJ Forfeits $15 M in Crypto<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>The DOJ announced guilty pleas from five individuals who provided stolen or personal U.S. identities and \u201claptop farms\u201d to North Korean IT workers,<\/strong> allowing them to land jobs at 136 U.S. firms and generate over $2.2 million for the DPRK regime. In parallel civil complaints, the FBI seized more than $15 million in cryptocurrency tied to APT38\u2019s 2023 heists.<br><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Audricus Phagnasay, Jason Salazar and Alexander Travis <\/strong>each lent their real identities and hosted remote-access laptops, facilitating $1.28 M in illicit salaries.<\/li>\n\n\n\n<li><strong>Oleksandr Didenko<\/strong> stole and sold U.S. citizen identities to North Korean operators for placement at 40 U.S. companies; forfeited $1.4 M.<\/li>\n\n\n\n<li><strong>Erick Prince\u2019s Taggcar Inc. 
<\/strong>placed North Korean IT workers at 64 U.S. firms under false identities and ran a Florida laptop farm, earning ~$89,000.<\/li>\n\n\n\n<li>The seized crypto traces back to four 2023 APT38 heists: <strong>Estonia<\/strong> ($37 M), <strong>Panama<\/strong> ($100 M and $138 M) and <strong>Seychelles<\/strong> ($107 M).<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Enforce hardware-based MFA<\/strong> for all remote IT contractors<\/li>\n\n\n\n<li><strong>Audit and restrict off-site hosting of corporate devices:<\/strong> flag fleet laptops that keep third-party remote-access tools installed or that never check in from anywhere but a single residential IP<\/li>\n\n\n\n<li><strong>Consider face-to-face interviews <\/strong>even for overseas applicants<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.justice.gov\/opa\/pr\/justice-department-announces-nationwide-actions-combat-illicit-north-korean-government\">U.S. Department of Justice<\/a>, <a href=\"https:\/\/therecord.media\/multiple-us-nationals-guilty-pleas-north-korean-it-worker-scams\">The Record<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Quantum Route Redirect Enables One-Click Phishing Campaigns Targeting Microsoft 365<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>A new phishing tool called Quantum Route Redirect streamlines Microsoft 365 credential theft into a one-click operation<\/strong> while evading email and web security controls. <br><br>Researchers from <strong>KnowBe4<\/strong> have observed over <strong>1,000 domains hosting the tool since August, with successful attacks in 90 countries. 
<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Approximately 1,000 domains currently host Quantum Route Redirect, active since August.<\/li>\n\n\n\n<li>Campaigns have compromised users in 90 countries; 76% of victims are in the United States.<\/li>\n\n\n\n<li><strong>Pre-packaged templates impersonate DocuSign, payroll notices, payment alerts, voicemails and QR-code links.<\/strong><\/li>\n\n\n\n<li>Intelligent redirects distinguish security scanners from humans, routing scanners to benign sites and real users to the phishing page, so a sandbox detonation of the link may only ever see the decoy.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Enable time-of-click URL analysis in email security<\/strong> and secure web gateway solutions<\/li>\n\n\n\n<li><strong>Implement sandboxing<\/strong> for inbox attachments and embedded links<\/li>\n\n\n\n<li><strong>Move M365 admins and other high-value accounts to phishing-resistant MFA<\/strong> (FIDO2 keys or passkeys), so a harvested password is not enough on its own<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/blog.knowbe4.com\/quantum-route-redirect-anonymous-tool-streamlining-global-phishing-attack\">KnowBe4 Blog<\/a>, <a href=\"https:\/\/www.darkreading.com\/endpoint-security\/phishing-tool-smart-redirects-bypass-email-security\">Dark Reading<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">6. 
DPRK Hackers Use JSON Storage Services to Covertly Deliver BeaverTail Malware via Trojanized Code<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>North Korean \"Contagious Interview\" actors now host obfuscated payloads on legitimate services like JSON Keeper, JSONsilo and npoint.io,<\/strong> <strong>embedding links in Base64-encoded config files within trojanized GitHub\/GitLab demo projects.<\/strong> When developers run these Node.js projects, they pull the BeaverTail infostealer and InvisibleFerret Python backdoor\u2014augmented by TsunamiKit from Pastebin\u2014exfiltrating crypto-wallet data and system information while blending in with legitimate traffic.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Config file \u201cserver\/config\/.config.env\u201d holds a Base64 \u201cAPI key\u201d that decodes to a JSON service URL.<\/li>\n\n\n\n<li>Obfuscated JavaScript fetched via Node.js deploys BeaverTail to steal wallet info and system data.<\/li>\n\n\n\n<li>BeaverTail drops InvisibleFerret backdoor; campaign now also fetches TsunamiKit from Pastebin.<\/li>\n\n\n\n<li><strong>Attackers use LinkedIn social engineering\u2014posing as recruiters\u2014to lure developers since 2023.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Inspect any unsolicited code repos for Base64-encoded URLs or fake \u201cAPI keys.\u201d<\/strong><\/li>\n\n\n\n<li><strong>Monitor Node.js processes for outbound calls to JSON Keeper, JSONsilo and npoint.io.<\/strong><\/li>\n\n\n\n<li>Block or closely log traffic to public JSON storage services at the network perimeter.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/thehackernews.com\/2025\/11\/north-korean-hackers-turn-json-services.html\">The Hacker News<\/a>, <a 
href=\"https:\/\/blog.nviso.eu\/2025\/11\/13\/contagious-interview-actors-now-utilize-json-storage-services-for-malware-delivery\/\">NVISO Labs<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">7. SilentButDeadly Tool Cuts Off EDR and AV Cloud Connectivity<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>SilentButDeadly is an open-source utility that uses the Windows Filtering Platform to temporarily block outbound telemetry and inbound commands for EDR and antivirus agents without terminating processes. <\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Implements bidirectional WFP filters at the ALE connect\/recv layers with high-priority weights.<\/strong><\/li>\n\n\n\n<li><strong>Adds its filters in a session opened with FWPM_SESSION_FLAG_DYNAMIC,<\/strong> so they are removed automatically when the session closes, unless --persistent is used.<\/li>\n\n\n\n<li><strong>Targets common EDR processes: <\/strong>SentinelOne\u2019s SentinelAgent.exe, Defender\u2019s MsMpEng.exe and MsSense.exe.<\/li>\n\n\n\n<li>Requires administrator privileges; leaves local detection intact while severing cloud telemetry.<\/li>\n\n\n\n<li>Detection vectors include WFP event logs (IDs 5441, 5157) and service startup type changes.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Monitor WFP logs for unexpected ALE filter additions: filter changes surface as Security event 5447 (\u201cA change has been made to Windows Filtering Platform filter\u201d) and blocked connections as 5157, but both require the Filtering Platform Policy Change and Filtering Platform Connection audit subcategories, which are not enabled by default.<\/li>\n\n\n\n<li>Alert from the console side on sensors that stop sending heartbeats while the host is still online; that is what this tool looks like to the EDR backend.<\/li>\n\n\n\n<li><strong>Validate EDR resilience by simulating cloud connectivity loss.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/cybersecuritynews.com\/silentbutdeadly-neutralizes-edr-av\/\">CybersecurityNews.com<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Subscribe<\/h2>\n\n\n\n<p>Subscribe to receive this weekly cybersecurity news 
summary to your inbox every Monday.<\/p>\n\n\n                <div class=\"ml-embedded\" data-form=\"pKq7EM\"><\/div>","protected":false},"excerpt":{"rendered":"<p>Latest Interesting Cybersecurity News from November 2025.<\/p>","protected":false},"author":1,"featured_media":20976,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[],"class_list":["post-20964","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20964","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/comments?post=20964"}],"version-history":[{"count":22,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20964\/revisions"}],"predecessor-version":[{"id":21132,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20964\/revisions\/21132"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media\/20976"}],"wp:attachment":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media?parent=20964"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/categories?post=20964"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/tags?post=20964"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}