{"id":21093,"date":"2025-11-24T12:18:46","date_gmt":"2025-11-24T10:18:46","guid":{"rendered":"https:\/\/kordon.app\/?p=21093"},"modified":"2025-11-24T12:18:46","modified_gmt":"2025-11-24T10:18:46","slug":"interesting-cybersecurity-news-of-the-week-summarised-2025-11-24","status":"publish","type":"post","link":"https:\/\/kordon.app\/et\/interesting-cybersecurity-news-of-the-week-summarised-2025-11-24\/","title":{"rendered":"Interesting Cybersecurity News of the Week Summarised &#8211; 2025-11-24"},"content":{"rendered":"\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>This week two topics stayed with me after putting this summary together. First, when did I last update my home router, because routers getting breached and bad guys replacing my software updates with malicious ones seems like a very scalable thing that the bad guys could do and hence, get to an unimportant me as well.<\/p>\n\n\n\n<p>Second thing that I wondered about was OAUTH and how this very secure way of authentication does not seem so safe anymore, and I might actually go and review what apps I have authorised access to my Google Account &#8230; because stealing oauth tokens is the new cool thing to do.<\/p>\n\n\n\n<p>P.S.<strong> If you enjoy this summary<\/strong>, then you can consider subscribing to it as <strong>a weekly newsletter <\/strong>straight to your inbox. (every Monday) <strong>Scroll to the bottom to subscribe.<\/strong><br>      <\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">1. Cloudflare Attributes Six-Hour Global Outage to Database Permission Error<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>On Nov. 18, Cloudflare\u2019s distributed network went offline for nearly six hours after a routine<br>database permission update caused its Bot Management system to generate an oversized configuration<br>file, crashing proxy servers and triggering widespread 5xx errors. <\/strong>The outage\u2014the worst since 2019\u2014<br>disrupted CDN, security, and authentication services worldwide before engineers rolled back to a <br>known-good feature file and restored all services by 17:06 UTC.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The faulty database query doubled Bot Management feature entries from ~60 to over 200, breaching a hardcoded limit.<\/li>\n\n\n\n<li>Service began failing at 11:28 UTC with five-minute cycles of crashes and recoveries until full restoration at 17:06 UTC.<\/li>\n\n\n\n<li>Impacted offerings included core CDN, Workers KV, Turnstile CAPTCHA, dashboard\/API access, email security, WARP, and Access.<\/li>\n\n\n\n<li><strong>Cloudflare confirmed no cyberattack was involved; the outage stemmed solely from an internal configuration change.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Audit and tighten database permission change workflows.<\/strong><\/li>\n\n\n\n<li>Establish a global rollback or \u201ckill-switch\u201d for critical feature updates.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.bleepingcomputer.com\/news\/technology\/cloudflare-blames-this-weeks-massive-outage-on-database-issues\/\">Bleeping Computer<\/a>, <a href=\"https:\/\/blog.cloudflare.com\/18-november-2025-outage\/\">Cloudflare Blog<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">2. WhatsApp Contact Discovery Flaw Exposed 3.5 Billion User Numbers<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>A flaw in WhatsApp\u2019s contact matching allowed researchers to confirm 3.5 billion registered numbers worldwide and scrape associated public profile data at over 100 million queries per hour.<\/strong> The enumeration attack, which bypassed rate limits, highlights how metadata on encrypted messaging services remains vulnerable and could fuel targeted spam, phishing, or state surveillance.<strong> Meta has now introduced tighter rate-limiting and visibility controls.<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Attack spanned 245 countries at ~100 million checks\/hour from a single IP<\/li>\n\n\n\n<li><strong>Exposed confirmation of 3.5 billion numbers, plus public keys, profile photos, About text<\/strong><\/li>\n\n\n\n<li>Researchers inferred OS, account age, and linked devices from metadata leaks<\/li>\n\n\n\n<li><strong>Meta implemented rate-limiting and profile visibility restrictions after a year-long delay<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.csoonline.com\/article\/4093249\/whatsapp-flaw-allowed-discovery-of-the-3-5-billion-mobile-numbers-registered-to-the-platform.html\">CSO Online<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">3. FCC Reverses Post-Salt Typhoon Cybersecurity Mandates for U.S. Telecoms<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">The FCC voted to rescind its <strong>January 2025 Declaratory Ruling under CALEA that had required U.S. telecom carriers to adopt, document and annually certify cybersecurity risk-management plans following the Salt Typhoon breaches. <\/strong>Critics warn that removing these enforceable controls leaves critical communications networks vulnerable to future state-sponsored intrusions.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>The January ruling mandated carriers to secure networks against \u201cunlawful access and interception\u201d and certify risk-management plans annually.<\/strong><\/li>\n\n\n\n<li>FCC Chair Brendan Carr called the rules \u201cunlawful and ineffective,\u201d citing voluntary carrier commitments, a new Council on National Security, and bans on foreign-controlled testing labs.<\/li>\n\n\n\n<li>Salt Typhoon hackers breached core systems at AT&amp;T, Verizon, T-Mobile, Charter, Lumen and others, exposing wiretap platforms and Call Detail Records.<\/li>\n\n\n\n<li><strong>Senators Maria Cantwell, Mark Warner and Anna Gomez (FCC Commissioner dissenting) argued the rollback removes the only binding federal response to one of telecom\u2019s largest breaches.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.csoonline.com\/article\/4094745\/fcc-reversal-removes-federal-cyber-safeguards-targeting-telecom-weaknesses-post-salt-typhoon-attacks.html\">CSO Online<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">4. OAuth Tokens Stolen from Gainsight Apps Enable Unauthorized Access to 200+ Salesforce Instances<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Threat actors leveraged stolen OAuth credentials from Gainsight\u2019s Salesforce integration to access customer CRM data. <\/strong>Salesforce revoked all related tokens, pulled the apps from AppExchange, and Gainsight has engaged Mandiant for a forensic review.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Google Threat Intelligence ties the campaign to ShinyHunters, echoing August\u2019s Salesloft Drift attack.<\/li>\n\n\n\n<li><strong>Over 200 Salesforce instances may have been compromised; attackers reportedly obtained tokens for 285 orgs.<\/strong><\/li>\n\n\n\n<li>Salesforce revoked all active access and refresh tokens for Gainsight-published apps and removed them from AppExchange.<\/li>\n\n\n\n<li><strong>Gainsight also pulled its HubSpot listing, revoked Zendesk connector access, and is working with Mandiant.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Audit all connected apps in Salesforce and remove any unused integrations.<\/li>\n\n\n\n<li>Revoke and rotate OAuth tokens for high-risk or over-privileged apps.<\/li>\n\n\n\n<li>Enforce least-privilege scopes on third-party SaaS connections.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.csoonline.com\/article\/4094506\/oauth-token-compromise-hits-salesforce-ecosystem-again-gainsight-impacted.html\">CSO Online<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Sneaky2FA Phishing Kit Adds Browser-in-the-Browser to Bypass Microsoft 365 MFA<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Sneaky2FA, a leading phishing-as-a-service platform targeting Microsoft 365, has integrated a browser-in-the-browser (BitB) pop-up that dynamically mimics legitimate Microsoft login windows to steal credentials and active session tokens\u2014even when multifactor authentication is enabled.<\/strong> This cosmetic deception layer leverages OS- and browser-specific styling on top of the kit\u2019s existing attacker-in-the-middle proxy, significantly raising the bar for detection by email gateways and static scanners.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The BitB pop-up is an iframe styled and resized to match Edge on Windows or Safari on macOS, complete<strong> with a fake URL bar showing the official domain.<\/strong><\/li>\n\n\n\n<li>Users land on a \u201c_previewdoc [.] c o m_\u201d phishing link, pass a Cloudflare Turnstile check, then see the BitB window loading a reverse-proxy Microsoft login page.<\/li>\n\n\n\n<li>HTML and JavaScript are heavily obfuscated\u2014UI text split with invisible tags, elements as encoded images\u2014to evade static detection and fingerprinting.<\/li>\n\n\n\n<li>Sneaky2FA\u2019s BitB support follows similar functionality in Raccoon0365\/Storm-2246, recently disrupted by Microsoft and Cloudflare.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Train users to drag pop-up windows outside the browser frame to spot iframes.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/sneaky2fa-phaas-kit-now-uses-redteamers-browser-in-the-browser-attack\/\">BleepingComputer<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/4094165\/sneaky2fa-phishing-tool-adds-ability-to-insert-legit-looking-urls.html\">CSO Online<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Iranian APTs Used Maritime AIS and CCTV Hacks to Direct Missile Strikes<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Amazon Threat Intelligence linked two Iran-linked groups\u2014Imperial Kitten and MuddyWater\u2014to cyber espionage that precisely informed missile attacks in the Red Sea and on Israeli cities.<\/strong> Imperial Kitten accessed a ship\u2019s AIS tracking data days before Houthi rebels launched missiles at it, while MuddyWater tapped live CCTV feeds in Jerusalem prior to Iran\u2019s June strike. <\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Imperial Kitten (aka Tortoiseshell\/TA456) compromised a vessel\u2019s AIS system in December 2021 and searched its location data in January 2024.<\/strong><\/li>\n\n\n\n<li><strong>Days after the AIS reconnaissance, Houthi-launched missiles targeted the same commercial vessel in the Red Sea on February 1, 2024.<\/strong><\/li>\n\n\n\n<li>MuddyWater set up C2 infrastructure in May 2025 and used it to access live Jerusalem CCTV streams before Iran\u2019s June missile barrage on Tel Aviv and Jerusalem.<\/li>\n\n\n\n<li>Both APTs leveraged anonymizing VPNs and private command-and-control servers to collect real-time targeting intelligence.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"\" title=\"\"><strong>Audit CCTV and surveillance systems for unauthorized intrusions<\/strong><\/a><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.csoonline.com\/article\/4093375\/iranian-apt-hacks-helped-direct-missile-strikes-in-israel-and-the-red-sea.html\">CSO Online<\/a>, <a href=\"https:\/\/aws.amazon.com\/blogs\/security\/new-amazon-threat-intelligence-findings-nation-state-actors-bridging-cyber-and-kinetic-warfare\/\">Amazon Threat Intelligence Blog<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">7. Matrix Push C2 Hijacks Browser Notifications for Fileless Phishing<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>A new command-and-control framework called Matrix Push uses legitimate browser push notifications to deliver phishing alerts and malicious links without dropping any files on the victim\u2019s device.<\/strong> <br><strong>Attackers lure users into granting notification permission on a malicious site, then push branded fake alerts (PayPal, MetaMask, Netflix, Cloudflare, TikTok, etc.) that direct victims to phishing pages<\/strong> and track real-time metrics like IP, location, OS, and crypto-wallet extensions.  <strong>Sold as a subscription-based MaaS on underground forums<\/strong>, Matrix Push bypasses traditional defenses by leveraging standard browser APIs and encrypted push channels.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Works in any major browser or OS via standard Push API and service workers<\/li>\n\n\n\n<li>Prebuilt notification and landing-page templates for top brands to improve click rates<\/li>\n\n\n\n<li>Dashboard shows live victim activity: online status, clicks, browser\/OS version, geolocation<\/li>\n\n\n\n<li>Subscription pricing: $150\/month, $405\/3 months, $765\/6 months, $1,500\/year<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Block or restrict Web Push API at network or endpoint level<\/strong><\/li>\n\n\n\n<li>Deploy detection rules for known Matrix Push infrastructure<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/matrix-push-c2-tool-hijacks-browser-notifications-phishing\">Dark Reading<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">8. China-linked PlushDaemon Hijacks Software Updates via EdgeStepper Implant<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">A China-aligned APT known as <strong>PlushDaemon is exploiting compromised routers with a new implant called EdgeStepper to intercept DNS queries and redirect legitimate software\u2010update traffic to attacker servers.<\/strong> Victims downloading routine updates receive a chain of malware\u2014LittleDaemon, DaemonicLogistics, and the SlowStepper backdoor\u2014enabling espionage across industries and regions. <\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>EdgeStepper is a Go\u2010based ELF implant for MIPS32 routers that redirects all UDP port 53 traffic via iptables rules to a malicious DNS proxy.<\/li>\n\n\n\n<li><strong>When update domains are queried, the proxy returns attacker\u2010controlled IPs, causing victims to install a DLL downloader <\/strong>(_popup_4.2.0.2246.dll), then DaemonicLogistics, and finally the SlowStepper backdoor.<\/li>\n\n\n\n<li>Since 2019, ESET telemetry shows PlushDaemon targeting universities, electronics manufacturers, a Japanese auto plant in Cambodia, and users of Sogou Pinyin and IPany VPN.<\/li>\n\n\n\n<li><strong>SlowStepper enables system reconnaissance, file operations, command execution, browser data theft, keystroke logging, and credential harvesting.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Review and rotate all default or weak router\/IoT device credentials.<\/strong><\/li>\n\n\n\n<li><strong>Apply firmware patches<\/strong> for known vulnerabilities on edge network devices.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/plushdaemon-hackers-hijack-software-updates-in-supply-chain-attacks\/\">BleepingComputer<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Operation WrtHug Hijacks Over 50,000 End-of-Life ASUS WRT Routers<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>A global campaign named Operation WrtHug has exploited six known ASUS WRT vulnerabilities to compromise more than 50,000 end-of-life or outdated routers, primarily in Taiwan but also across Southeast Asia, Russia, Central Europe, and the U.S.<\/strong> Attackers leveraged the ASUS AiCloud service to deploy a self-signed 100-year TLS certificate as an intrusion marker and maintain persistent SSH backdoors, potentially creating stealth relay networks for espionage. Organizations using affected devices face elevated risk of network interception, proxying of command-and-control traffic, and undetected lateral movement.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Six exploited flaws include CVE-2023-41345\/46\/47\/48, CVE-2023-39780, CVE-2024-12912 and critical CVE-2025-2492.<\/li>\n\n\n\n<li><strong>99% of infected AiCloud services present a custom self-signed TLS cert valid for 100 years, replacing ASUS\u2019s default 10-year certificate.<\/strong><\/li>\n\n\n\n<li><strong>Targeted models span AC-series and AX-series devices<\/strong> such as DSL-AC68U, GT-AX11000, RT-AC1200HP and 4G-AC55U.<\/li>\n\n\n\n<li>No infections observed in mainland China, suggesting possible China-linked actor focusing on external targets.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Apply the latest ASUS firmware patches that address all six vulnerabilities.<\/strong><\/li>\n\n\n\n<li><strong>Disable AiCloud and remote access <\/strong>on unsupported or end-of-life routers.<\/li>\n\n\n\n<li><strong>Scan networks for the 100-year self-signed TLS certificate as an IoC.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-wrthug-campaign-hijacks-thousands-of-end-of-life-asus-routers\/\">BleepingComputer<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Subscribe<\/h2>\n\n\n\n<p>Subscribe to receive this weekly cybersecurity news summary to your inbox every Monday.<\/p>\n\n\n                <div class=\"ml-embedded\" data-form=\"pKq7EM\"><\/div>\n            \n<p><!-- \/wp:post-content --><\/p>","protected":false},"excerpt":{"rendered":"<p>This week two topics stayed with me after putting this summary together. First, when did I last update my home router, because routers getting breached and bad guys replacing my software updates with malicious ones seems like a very scalable thing that the bad guys could do and hence, get to an unimportant me as well.<\/p>\n<p>Second thing that I wondered about was OAUTH and how this very secure way of authentication does not seem so safe anymore, and I might actually go and review what apps I have authorised access to my Google Account &#8230; because stealing oauth tokens is the new cool thing to do.<\/p>","protected":false},"author":1,"featured_media":21135,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[],"class_list":["post-21093","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/21093","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/comments?post=21093"}],"version-history":[{"count":42,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/21093\/revisions"}],"predecessor-version":[{"id":21137,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/21093\/revisions\/21137"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media\/21135"}],"wp:attachment":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media?parent=21093"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/categories?post=21093"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/tags?post=21093"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}