
Cisco 0-Days, AI Bug Bounties, Crypto Heists, State-Linked Leaks and 20 More Tales

Behind every click, there is a risk waiting to be tested. A simple ad, email, or link can now hide something dangerous. Hackers are getting smarter, using new tools to sneak past filters and turn trusted systems against us.

But security teams are fighting back. They’re building faster defenses, better ways to spot attacks, and stronger systems to keep people safe. It is a constant race: every move by attackers sparks a new response from defenders.

In this week’s ThreatsDay Bulletin, we look at the latest moves in that race, from new malware and data leaks to AI tools, government actions, and major security updates shaping the digital world right now.

  1. U.K. moves to tighten cyber rules for key sectors

    The U.K. government has proposed a new Cyber Security and Resilience Bill that aims to strengthen national security and protect public services like healthcare, drinking water suppliers, transport, and energy from cybercriminals and state-backed actors. Under the proposal, medium and large companies providing services like IT management, IT help desk support, and cybersecurity to private and public sector organisations like the National Health Service (NHS) will be regulated. Organizations covered by the new law must report more harmful cyber incidents to both their regulator and the National Cyber Security Centre (NCSC) within 24 hours, followed by a full report sent within 72 hours. Penalties for serious violations under the new rules will reach daily fines equal to £100,000 ($131,000), or 10% of the organization’s daily turnover, whichever is higher. “Because they hold trusted access across government, critical national infrastructure and business networks, they will need to meet clear security duties,” the government said. “This includes reporting significant or potentially significant cyber incidents promptly to the government and their customers as well as having robust plans in place to deal with the consequences.”

  2. Intel’s data breach drama unfolds

    A former Intel employee has been accused of downloading thousands of documents shortly after the company fired him in July, many of them classified as “Top Secret.” The Oregonian, which reported on the lawsuit, said Jinfeng Luo downloaded 18,000 files to a storage device. After failing to get in touch with Luo at his home in Seattle and at two other addresses associated with him, the chipmaker filed suit seeking at least $250,000 in damages.

  3. New OWASP list exposes evolving web threats

    The Open Web Application Security Project (OWASP) has released a revised version of its Top 10 list of critical risks to web applications, adding two new categories, Software Supply Chain Failures and Mishandling of Exceptional Conditions, to the list. While the former relates to compromises occurring within or across the entire ecosystem of software dependencies, build systems, and distribution infrastructure, the latter focuses on “improper error handling, logical errors, failing open, and other related scenarios stemming from abnormal conditions that systems may encounter.” Broken Access Control, Security Misconfiguration, Cryptographic Failures, Injection, Insecure Design, Authentication Failures, Software and Data Integrity Failures, and Logging & Alerting Failures take up the remaining eight spots.

  4. Sensitive data spills from top AI companies

    A study of 50 leading AI companies has found that 65% had leaked verified secrets on GitHub, including API keys, tokens, and sensitive credentials. “Some of these leaks may have exposed organizational structures, training data, and even private models,” Wiz researchers Shay Berkovich and Rami McCarthy said. “If you use a public Version Control System (VCS), deploy secret scanning now. This is your quick, non-negotiable defense against easy exposure. Even companies with the smallest footprints can be exposed to secret leaks as we have just proved.”
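The Wiz advice to deploy secret scanning is easy to illustrate with a small script. The following is an added example written for this bulletin, not code from Wiz or from the study it describes. It runs a handful of hypothetical rules (two provider-prefix patterns and one entropy-gated generic pattern) over a constructed settings file and reports each hit with the value redacted. The rule set, the 4.0 bits-per-character threshold, the sample file and the token values in it are all my assumptions; the AWS values are Amazon’s documented example keys, and the GitHub token is random-looking filler.

```python
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample file (not real credentials): a settings module of the
# kind that ends up in a public repository by mistake.
SAMPLE_FILE = """\
# settings.py (constructed example)
DEBUG = True
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GITHUB_TOKEN = "ghp_aB3dE6gH9jK2mN5pQ8sT1vW4yZ7bC0eF3hI6"
OPENAI_API_KEY = "change-me-before-deploying"
LOG_LEVEL = "INFO"
"""

# Hypothetical minimal rule set. Provider-specific rules match a fixed prefix
# and length; the generic rule catches "<secret-ish name> = '<value>'" and is
# gated on entropy so obvious placeholders are not reported.
PROVIDER_RULES: Dict[str, "re.Pattern[str]"] = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
GENERIC_RULE = re.compile(
    r"""(?i)(secret|token|api[_-]?key|password)\w*\s*=\s*["']([^"']{16,})["']"""
)
MIN_ENTROPY_BITS = 4.0  # per character; assumed threshold for 16-40 char values


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value` (0.0 for an empty string)."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only the first four characters so findings can be logged safely."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str) -> List[dict]:
    """One finding per (line, rule) hit: line number, rule name, redacted value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule_name, pattern in PROVIDER_RULES.items():
            for match in pattern.finditer(line):
                findings.append(
                    {"line": line_no, "rule": rule_name, "value": redact(match.group(0))}
                )
        generic = GENERIC_RULE.search(line)
        # Low-entropy values such as "change-me-before-deploying" are skipped.
        if generic and shannon_entropy(generic.group(2)) >= MIN_ENTROPY_BITS:
            findings.append(
                {"line": line_no, "rule": "generic-secret-assignment",
                 "value": redact(generic.group(2))}
            )
    return findings


def scan_summary(text: str) -> List[Tuple[int, str]]:
    """Sorted (line, rule) pairs, the shape a CI gate would compare against."""
    return sorted((f["line"], f["rule"]) for f in scan_text(text))


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_FILE):
        print(f"line {finding['line']:>3}  {finding['rule']:<26} {finding['value']}")
```

Run as a pre-commit hook or CI step, a non-empty result from `scan_summary` should fail the build; the entropy gate is what keeps documentation placeholders from drowning out the real hits.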

  5. Fake Meta invitations trick businesses worldwide

    A new large-scale phishing campaign is abusing Facebook’s Business Suite and facebookmail.com features to send convincing fake notifications (“Meta Business Partner Invitation” or “Account Verification Required”) that appear to come directly from Meta. “This method makes their campaigns extremely convincing, bypasses many traditional security filters, and demonstrates how attackers are exploiting trust in well-known platforms,” Check Point said. “While the volume of emails may suggest a spray-and-pray approach, the credibility of the sender domain makes these phishing attempts far more dangerous than ordinary spam.” More than 40,000 phishing emails have been recorded so far, primarily targeting entities in the U.S., Europe, Canada, and Australia that rely heavily on Facebook for advertising. To pull off the scheme, the attackers create fake Facebook Business pages and use the Business invitation feature to send phishing emails that mimic official Facebook alerts. The fact that these messages are sent from the “facebookmail[.]com” domain means they are perceived as legitimate by email security filters. Present within the emails are links that, when clicked, direct users to bogus websites that are designed to steal credentials and other sensitive information.

  6. Firefox tightens shield against online tracking

    Mozilla has added more fingerprinting protections to its Firefox browser to prevent websites from identifying users without their consent, even when cookies are blocked or private browsing is enabled. The safeguards, starting with Firefox 145, aim to block access to certain pieces of information used by online fingerprinters. “This ranges from strengthening the font protections to preventing websites from getting to know your hardware details like the number of cores your processor has, the number of simultaneous fingers your touchscreen supports, and the size of your dock or taskbar,” Mozilla said. Specifically, the new protections include introducing random data to images generated in canvas elements, preventing locally installed fonts from being used to render text on a page, reporting the number of simultaneous touches supported by device hardware as 0, 1, or 5, reporting Available Screen Resolution as the screen height minus 48 pixels, and reporting the number of processor cores as either 4 or 8.

  7. Phishing kit simplifies global Microsoft 365 theft

    A new phishing kit called Quantum Route Redirect is being wielded by threat actors to steal Microsoft 365 credentials. “Quantum Route Redirect comes with a pre-configured setup and phishing domains that significantly simplifies a once technically complex campaign flow, further ‘democratizing’ phishing for less skilled cybercriminals,” KnowBe4 Threat Labs said. The phishing campaigns impersonate legitimate services like DocuSign, or masquerade as payment notifications or missed voicemails to trick users into clicking on URLs that consistently follow the pattern “/([wd-]+.){2}[w]{,3}/quantum.php/” and are hosted on parked or compromised domains. Nearly 1,000 such domains have been detected. The phishing kit also enables browser fingerprinting and VPN/proxy detection to redirect security tools to legitimate websites. Campaigns leveraging the kit have successfully claimed victims across 90 countries, with the U.S. accounting for 76% of affected users.
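As a detection example that is not part of the original bulletin or of KnowBe4’s research, the block below applies the published URL pattern to constructed proxy log lines and lists the users and hosts involved. The pattern as printed above has lost its regex backslashes in extraction; the escaped form in the code (`[\w\d-]` labels, a TLD of at most three word characters, the literal `/quantum.php/` path) is my reconstruction, and the log format, usernames and reserved `.example` domains are constructed.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Reconstruction of the published pattern with escapes restored (assumption).
# Two dotted labels, a TLD of 0-3 word characters, then "/quantum.php/".
# The page writes the TLD quantifier as {,3}; {0,3} means the same thing.
QUANTUM_ROUTE_PATTERN = re.compile(r"([\w\d-]+\.){2}[\w]{0,3}/quantum\.php/")

# Constructed proxy log lines (RFC 2606 reserved domains, not real sightings).
SAMPLE_PROXY_LOG = """\
2025-11-10T09:14:02Z src=10.0.4.12 user=alice  action=allow url=https://secure-docs.example.net/quantum.php/?ref=inv-4471
2025-11-10T09:15:37Z src=10.0.4.19 user=bob    action=allow url=https://www.example.com/quantum.php/
2025-11-10T09:16:05Z src=10.0.4.12 user=alice  action=allow url=https://cdn.example.info/quantum.php/
2025-11-10T09:17:44Z src=10.0.4.27 user=carol  action=allow url=https://example.org/quantum.php/
2025-11-10T09:18:10Z src=10.0.4.19 user=bob    action=allow url=https://docs.example.net/invoice/view
"""

URL_FIELD = re.compile(r"\burl=(\S+)")
USER_FIELD = re.compile(r"\buser=(\S+)")


def extract_url(line: str) -> Optional[str]:
    """Pull the url=... field out of one log line, or None if absent."""
    m = URL_FIELD.search(line)
    return m.group(1) if m else None


def matches_quantum_route(url: str) -> bool:
    """True when host+path match the kit's published redirect pattern."""
    parts = urlparse(url)
    if not parts.netloc:
        return False
    # Search host and path together so the pattern sees "host.tld/quantum.php/".
    return QUANTUM_ROUTE_PATTERN.search(parts.netloc + parts.path) is not None


def find_quantum_route_hits(log_text: str) -> List[Tuple[int, str, str]]:
    """(line number, user, hostname) for every line whose URL matches."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        url = extract_url(line)
        if url and matches_quantum_route(url):
            user_match = USER_FIELD.search(line)
            user = user_match.group(1) if user_match else "?"
            hits.append((line_no, user, urlparse(url).hostname or ""))
    return hits


def hosts_to_block(log_text: str) -> List[str]:
    """Distinct hostnames from the hits, sorted, ready for a blocklist entry."""
    return sorted({host for _, _, host in find_quantum_route_hits(log_text)})


if __name__ == "__main__":
    for line_no, user, host in find_quantum_route_hits(SAMPLE_PROXY_LOG):
        print(f"line {line_no}: {user} reached suspected Quantum Route Redirect host {host}")
    print("block:", hosts_to_block(SAMPLE_PROXY_LOG))
```

Note that the published pattern is strict: a four-letter TLD, a bare two-label domain, or a missing trailing slash after `quantum.php` does not match, which is why the `.info` and `example.org` lines are not reported. If you loosen the regex for hunting, keep the strict form for the blocklist.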

  8. AI platform boosts defenses with Guardio tech

    AI coding platform Lovable has partnered with Guardio to embed its Safe Browsing detection engine into the platform’s generative AI workflows, with an aim to scan every site created on the platform to detect phishing, scams, impersonation, and other forms of abuse. The development comes against the backdrop of reports that found AI-powered coding assistants like Lovable to be susceptible to techniques like VibeScamming, allowing bad actors to set up lookalike credential harvesting pages and carry out scams.

  9. Windows boosts passkey freedom for users

    Microsoft has officially launched native support for third-party passkey managers in Windows 11. The feature is available with the Windows November 2025 security update. “This new capability empowers users to choose their favorite passkey manager – whether it is Microsoft Password Manager or trusted third-party providers,” Microsoft said. The company also noted it has integrated Microsoft Password Manager from Microsoft Edge into Windows as a plugin, thereby making it possible to use it in Microsoft Edge, other browsers, or any app that supports passkeys.

  10. Hackers lay siege to construction industry

    Threat actors ranging from ransomware operators and organized cybercriminal networks to state-sponsored APT groups are increasingly targeting the construction industry by exploiting the sector’s growing dependence on vulnerable IoT-enabled heavy machinery, Building Information Modeling (BIM) systems, and cloud-based project management platforms. “Cybercriminals increasingly target construction companies for initial access and data leaks, exploiting weak security practices, outdated legacy systems, and widespread use of cloud-based project management tools,” Rapid7 said. “Attackers commonly employ phishing email messages, compromised credentials, and supply chain attacks, taking advantage of insufficient employee training and lax vendor risk management.” Attackers are also shifting to purchasing initial access to construction company networks through underground forums rather than conducting resource-intensive initial compromise operations themselves. These listings facilitate support for escrow services to provide buyers with assurances about the validity of purchased data. Once breached, the threat actors move swiftly across the network to exfiltrate valuable data and even extort it through ransomware.

  11. Google backs down, keeps sideloading alive

    Back in August, Google announced plans to verify the identity of all developers who distribute apps on Android, even for those who distribute their software outside the Play Store. The move was met with backlash, raising concerns that it could be the end of sideloading in Android. While Google has claimed the intention behind the change was to tackle online scams and malware campaigns, particularly those that occur when users download APK files distributed via third-party marketplaces, F-Droid painted the framing as disingenuous, given that there already exists Google Play Protect as a remediation mechanism. “Any perceived risks associated with direct app installation can be mitigated through user education, open-source transparency, and existing security measures without imposing exclusionary registration requirements,” F-Droid said. In response to feedback from “developers and power users,” Google said it is “building a new advanced flow that allows experienced users to accept the risks of installing software that is not verified.” More details are expected to be shared in the coming months.

  12. CISA warns of false Cisco patch security

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a new alert, stating it has identified devices marked as “patched” as part of Emergency Directive 25-03, but which have been “updated to a version of the software that is still vulnerable to the threat activity” that involves the exploitation of CVE-2025-20333 and CVE-2025-20362. “CISA is aware of multiple organizations that believed they had applied the required updates but had not in fact updated to the minimum software version,” the agency said. “CISA recommends all organizations verify the correct updates are applied.” Both vulnerabilities have come under active exploitation by a suspected China-linked hacking group known as UAT4356 (aka Storm-1849).
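CISA’s point is that “updated” and “updated to the minimum fixed version” are different checks, and the second one is the one that matters. The block below is an added example, not a CISA or Cisco tool: it parses ASA-style version strings (`major.minor(maintenance)interim`) out of captured `show version` output and compares each device against a per-train minimum table. The table values, the device names and the captured output are placeholders and constructed data; the minimum versions must be taken from Cisco’s advisory and the directive’s guidance before this is used for real.

```python
import re
from typing import Dict, Optional, Tuple

# ASA-style version strings look like "9.16(4)67": major.minor(maintenance)interim,
# with the interim build number optional.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)(\d*)")
Version = Tuple[int, int, int, int]

# PLACEHOLDER table: minimum fixed version per release train. These numbers are
# invented for illustration; replace them with the versions from Cisco's advisory.
MINIMUM_FIXED: Dict[str, Version] = {
    "9.16": (9, 16, 4, 76),  # PLACEHOLDER
    "9.18": (9, 18, 4, 60),  # PLACEHOLDER
    "9.20": (9, 20, 3, 20),  # PLACEHOLDER
}

# Constructed inventory: device name -> captured "show version" text.
SAMPLE_INVENTORY: Dict[str, str] = {
    "asa-edge-01": "Cisco Adaptive Security Appliance Software Version 9.16(4)76",
    "asa-edge-02": "Cisco Adaptive Security Appliance Software Version 9.16(4)55",
    "asa-dc-01": "Cisco Adaptive Security Appliance Software Version 9.22(1)3",
    "asa-lab-01": "(no output captured)",
}


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, maintenance, interim); interim defaults to 0."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim) if interim else 0)


def format_version(v: Version) -> str:
    """Render a parsed tuple back in Cisco's notation, e.g. 9.16(4)76."""
    return f"{v[0]}.{v[1]}({v[2]}){v[3] if v[3] else ''}"


def assess(show_version_output: str) -> Dict[str, str]:
    """Classify one device: fixed, vulnerable, unknown-train, or unparsed."""
    parsed = parse_version(show_version_output)
    if parsed is None:
        return {"status": "unparsed", "detail": "no ASA-style version string found"}
    train = f"{parsed[0]}.{parsed[1]}"
    running = format_version(parsed)
    minimum = MINIMUM_FIXED.get(train)
    if minimum is None:
        return {"status": "unknown-train",
                "detail": f"{running}: train {train} not in table, verify manually"}
    # Tuple comparison orders major, then minor, maintenance, interim.
    if parsed >= minimum:
        return {"status": "fixed", "detail": f"{running} >= {format_version(minimum)}"}
    return {"status": "vulnerable",
            "detail": f"{running} is below minimum {format_version(minimum)}"}


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Device name -> status, the summary a fleet check would report."""
    return {name: assess(output)["status"] for name, output in inventory.items()}


if __name__ == "__main__":
    for name, output in SAMPLE_INVENTORY.items():
        result = assess(output)
        print(f"{name:<12} {result['status']:<14} {result['detail']}")
```

The `asa-edge-02` case is the one CISA describes: the device was upgraded within its train but to a build below the minimum, so a check that only asks “was it updated?” would wrongly mark it as patched. A train missing from the table should be treated as unverified, not as fixed.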

  13. Russia tests new SIM-based drone defense

    Russia’s Digital Development Ministry has disclosed that telecom operators in the country have introduced a new mechanism to combat drones at the request of regulators. “If a SIM card is brought into Russia from abroad, it must be confirmed that it is used by a person and not embedded in a drone,” the ministry said in a post on Telegram. “Until then, mobile internet and SMS services on this SIM card will be temporarily blocked.” The mechanism is being tested as of November 10, 2025. The ministry also noted that subscribers with Russian SIM cards are eligible for a 24-hour cooling-off period if the SIM has been inactive for 72 hours or upon returning from international travel. Subscribers can restore access by solving a CAPTCHA provided by the operator or calling their service provider and verifying their identity over the phone. The development comes a month after Moscow imposed a similar 24-hour blackout for people entering Russia with foreign SIM cards, citing similar reasons.

  14. Citrix patches exploitable XSS bug in NetScaler

    Cybersecurity company watchTowr Labs has published details about a newly patched reflected cross-site scripting (XSS) flaw (CVE-2025-12101, CVSS score: 6.1) in NetScaler ADC and NetScaler Gateway when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or Authentication, Authorization, and Auditing (AAA) virtual server. The vulnerability was patched by Citrix earlier this week. Sina Kheirkhah of watchTowr said the vulnerability stems from the appliance’s handling of the RelayState parameter, allowing an attacker to execute an arbitrary XSS payload by means of a specially crafted HTTPS request containing a RelayState parameter with a Base64-encoded value. “While this may not look practical as a usable vulnerability (and we would agree given the low hanging fruit elsewhere), it’s broadly still usable via CSRF – as the NetScaler’s /cgi/logout endpoint accepts an HTTP POST request containing a valid SAMLResponse and a modified RelayState,” Kheirkhah said.
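The bug described above is the classic reflected-XSS shape: a Base64-encoded RelayState is decoded and echoed into a page without being treated as untrusted input. The block below is an added example of the handler-side hygiene a SAML service provider can apply, not NetScaler code and not the fix Citrix shipped. The function names, the same-origin return-path policy it enforces and the 512-character limit are my assumptions.

```python
import base64
import binascii
import html
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical service-provider helpers. RelayState is opaque to the IdP and is
# round-tripped back to the SP, so whatever the SP reflects must be decoded,
# validated against a strict allow-shape, and escaped on output.

MAX_RELAY_STATE_LEN = 512  # assumed limit; real deployments pick their own


def encode_relay_state(path: str) -> str:
    """What the SP sends when starting SSO: a same-origin return path, Base64-encoded."""
    return base64.b64encode(path.encode("utf-8")).decode("ascii")


def decode_relay_state(value: str) -> Optional[str]:
    """Strict Base64 decode (standard alphabet, padding required); None if malformed."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def is_safe_return_path(path: str) -> bool:
    """Accept only an absolute-path reference on this origin: '/x', never '//host' or 'scheme:'."""
    if not path or len(path) > MAX_RELAY_STATE_LEN:
        return False
    # "//host" and "/\host" are scheme-relative URLs in browsers: open redirect.
    if not path.startswith("/") or path.startswith("//") or path.startswith("/\\"):
        return False
    parts = urlsplit(path)
    if parts.scheme or parts.netloc:
        return False
    # Control characters and angle brackets have no business in a return path.
    return all(ch.isprintable() and ch not in "<>\"'" for ch in path)


def safe_relay_state(value: str, default: str = "/") -> str:
    """Decoded, validated return path, or `default` when the input is rejected."""
    decoded = decode_relay_state(value)
    if decoded is None or not is_safe_return_path(decoded):
        return default
    return decoded


def render_logout_page(relay_state: str) -> str:
    """Echo the return path into HTML only after validation and escaping."""
    target = html.escape(safe_relay_state(relay_state), quote=True)
    return f'<p>Signed out. <a href="{target}">Continue</a></p>'


if __name__ == "__main__":
    for sample in ("/dashboard", "//attacker.example/", "/</a><b>x</b>"):
        print(repr(sample), "->", render_logout_page(encode_relay_state(sample)))
```

Two points worth noting: escaping alone does not stop the open-redirect case (`//attacker.example/` survives `html.escape` untouched), which is why the validator rejects anything that is not a plain same-origin path; and the strict decode matters because lenient Base64 decoders accept junk that a reviewer reading the encoded value would never notice.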

  15. Cloud apps emerge as top malware carriers

    A new report from Netskope has found that roughly 22 out of every 10,000 users in the manufacturing sector encounter malicious content every month. “Microsoft OneDrive is now the most commonly exploited platform, with 18% of organizations reporting malware downloads from the service each month,” the cybersecurity company said. GitHub came in second at 14%, followed by Google Drive (11%) and SharePoint (5.3%). To counter the risk, organizations are advised to inspect all HTTP and HTTPS downloads, including all web and cloud traffic, to prevent malware from infiltrating the enterprise network.

  16. Malvertising crew reroutes paychecks nationwide

    A financially motivated threat actor known as Payroll Pirates (aka Storm-2657) has been observed hijacking payroll systems, credit unions, and trading platforms across the U.S. by orchestrating malvertising campaigns. The malicious activity, described as persistent and adaptive, dates back to May 2023, when the threat actors set up phishing sites that impersonated payroll platforms. These sites were promoted via Google Ads, tricking employees into logging into fake HR portals with the goal of stealing their credentials. Once the login details were captured, the attackers rerouted salaries to their own accounts. Subsequent iterations came equipped with capabilities to bypass two-factor authentication (2FA). Check Point, which has been tracking a recent surge in these campaigns, said it found a single Telegram bot that is used to capture the 2FA codes in real-time across credit unions, payroll, health care benefits, and trading platforms, suggesting a “unified network.” While one set of attacks has been found to rely on cloaking techniques to ensure that only intended victims are redirected to the phishing sites, a second cluster targets financial institutions using Microsoft Ads. “Domains are aged for months and host dozens of phishing pages with randomized URLs,” Check Point said. “A cloaking service from adspect.ai determines which page to show based on browser fingerprinting. Both clusters use the same phishing kits. Pages adapt dynamically based on operator feedback, making it easy to bypass most authentication methods.”

  17. Infamous banking trojan resurfaces stronger

    The DanaBot malware has returned with a new version 669, nearly six months after law enforcement’s Operation Endgame disrupted its activity in May. The new variant has a command-and-control (C2) infrastructure featuring Tor domains and BackConnect nodes, per Zscaler. It is also using four different wallet addresses to steal cryptocurrency: 12eTGpL8EqYowAfw7DdqmeiZ87R922wt5L (BTC), 0xb49a8bad358c0adb639f43c035b8c06777487dd7 (ETH), LedxKBWF4MiM3x9F7zmCdaxnnu8A8SUohZ (LTC), and TY4iNhGut31cMbE3M6TU5CoCXvFJ5nP59i (TRX).

  18. New Android RAT enters black market for $500

    A new Android remote access trojan (RAT) called KomeX RAT is being advertised for sale on cybercrime forums for a monthly price of $500 or $1,200 for a lifetime license. Potential buyers can also gain access to the entire codebase for $3,000. According to claims made by the seller, the Trojan is based on BTMOB, another Android remote control tool that emerged earlier this year as an evolution of SpySolr. Other features include the ability to acquire all necessary permissions, bypass Google Play Protect, log keystrokes, harvest SMS messages, and more. The threat actor also claims the RAT works worldwide without any geographic restrictions. Interestingly, a Facebook page for SpySolr states that the malware is developed by EVLF, which was unmasked in 2023 as a Syrian threat actor behind CypherRAT and CraxsRAT.

  19. Amazon opens its AI models to ethical hackers

    Amazon has become the latest company to open its large language models to external security researchers by instituting a bug bounty program to identify security issues in NOVA, the company’s suite of foundational AI models. “Through this program, researchers will test the Nova models across critical areas, including cybersecurity issues and Chemical, Biological, Radiological, and Nuclear (CBRN) threat detection,” the tech giant said. “Qualified participants can earn monetary rewards, ranging from $200 to $25,000.”

  20. Privacy groups slam EU’s proposed GDPR rewrite

    Austrian privacy non-profit None of Your Business (noyb) has condemned the European Commission’s leaked plans to overhaul the bloc’s landmark privacy law, known as the General Data Protection Regulation (GDPR), including likely allowing AI companies to use personal data of residents in the region for model training. “In addition, the special protection of sensitive data like health data, political opinions or sexual orientation would be significantly reduced,” noyb said. “Also, remote access to personal data on PCs or smartphones without the consent of the user would be enabled.” Max Schrems, founder of noyb, said the draft represents a massive downgrade of user privacy, while primarily benefiting Big Tech. The Commission is planning to introduce the amendments on November 19.

  21. Bitcoin Queen jailed in record $5.6B fraud case

    A U.K. court has sentenced a 47-year-old Chinese woman, Zhimin Qian (aka Yadi Zhang), to 11 years and eight months in prison for laundering bitcoin linked to a $5.6 billion investment scheme. Until her arrest in April 2024, the defendant had been on the run since 2017 after carrying out a large-scale scam in China between 2014 and 2017, which defrauded more than 128,000 people. Qian, nicknamed Bitcoin Queen, entered Europe using fake passports and settled in Britain under a fake name, Yadi Zhang. She pleaded guilty to offenses related to acquiring and possessing criminal property (i.e., cryptocurrency) back in September. The investigation also led to the seizure of 61,000 bitcoin, now valued at over $6 billion, making it the largest cryptocurrency seizure in history.

  22. New malware duo drains crypto and spies on browsers

    Cybersecurity researchers have discovered two new second-stage malware families called LeakyInjector and LeakyStealer that are designed to target cryptocurrency wallets and browser history. “LeakyInjector uses low-level APIs for injection to avoid detection and injects LeakyStealer in ‘explorer.exe,’” Hybrid Analysis said. “The duo performs reconnaissance on an infected machine and targets multiple crypto wallets, including browser extensions such as crypto wallets. The malware also looks for browser history files from Google Chrome, Microsoft Edge, Brave, Opera, and Vivaldi.” LeakyStealer implements a polymorphic engine that modifies memory bytes using specific hard-coded values at runtime. It also beacons to an external server at regular intervals to execute Windows commands and download and run additional payloads.

  23. Experts warn against self-policing AI security tools

    Last month, OpenAI released a set of security tools called Guardrails security framework to detect and block potentially harmful model behavior, such as jailbreaks and prompt injections. This includes detectors that rely on large language models (LLMs) to determine whether an input or output poses a security risk. AI security company HiddenLayer said this approach is fundamentally flawed, as it can be exploited by an attacker against the Guardrails framework. “If the same type of model used to generate responses is also used to judge security, both can be compromised in the same way,” it said. “This experiment highlights a critical issue in AI security: self-regulation by LLMs cannot fully protect against adversarial manipulation. Effective safeguards require independent validation layers, red teaming, and adversarial testing to identify vulnerabilities before they can be exploited.”

  24. Massive leak exposes Chinese cyber arsenal

    A data breach at a Chinese security vendor called Knownsec has led to the leak of over 12,000 classified documents, per Chinese security blog MXRN, “including information on Chinese state-owned cyber weapons, internal tools, and global target lists.” The trove is also said to have apparently included evidence of RATs that can break into Linux, Windows, macOS, iOS, and Android devices, as well as details about the company’s contracts with the Chinese government. The Android code can reportedly extract information from popular Chinese messaging apps and from Telegram. Also present in the leaked data was a spreadsheet listing 80 overseas targets Knownsec has successfully attacked, plus 95GB of immigration data obtained from India, 3TB of call records stolen from South Korean telecom operator LG U-Plus, 459GB of road planning data obtained from Taiwan, passwords for Taiwanese Yahoo accounts, and data on Brazilian LinkedIn accounts. It is currently not known who is behind the leaks. There are indications that the leak is from an old data breach of Knownsec from 2023, per NetAskari.

The cyber world never slows down. Every fix, every patch, every new idea brings a new risk waiting to be found. Staying alert is not just a choice anymore; it is a habit we all need to build.


The good news is that defenders are learning faster than ever. Researchers, companies, and governments are sharing more information, closing more gaps, and helping one another face threats head-on. Progress may be slow, but it is steady.

As we wrap up this week’s ThreatsDay Bulletin, remember: awareness is the first line of defense. Stay curious, stay updated, and stay safe until next time.
