Threat Intel

Why People Keep Flocking to Linux in 2025 (And It’s Not Just to Escape Windows)

Source: www.zdnet.com/article/w…

Industry observers have long encouraged users to consider moving from Windows to Linux. With Windows 10 approaching end of support, that message appears to be resonating.

Recent data highlights a marked uptick in adoption. Zorin OS, a well-regarded Linux distribution, reports that its latest version—Zorin OS 18—has surpassed one million downloads within just over a month of release. Notably, more than seventy-eight per cent of those downloads originated from Windows users.

This shift is significant. Enthusiasts routinely download multiple Linux distributions as part of their hobby, but Windows users do not typically download a three-and-a-half-gigabyte desktop operating system without serious intent. The trend suggests many are actively evaluating, and potentially preparing for, a move to Linux.

The WIRED Guide to Digital Opsec for Teens

Source: www.wired.com/story/dig…

Teenagers have long been formidable contributors to the hacking landscape. In recent years, some of the most high-profile and audacious cyber incidents have been linked to teen actors. Even if you are not a hacker, you are likely a heavy user of digital tools and social platforms. Whether you have never considered your digital privacy or have already begun tightening controls, this guide offers practical steps to strengthen your operations security. The goal is to help readers understand how others can infer personal information from digital activity—and how to minimize what is unintentionally exposed. Protecting digital privacy is not one-size-fits-all. Individuals differ in how much they share online and how comfortable they are with visibility. Even those who stream continuously can adopt opsec principles. Consider what your audience can see behind you, who appears in your content, and whether someone could determine your location from what is visible through a window. These same questions apply across all forms of digital observation—from platform operators and casual social-media viewers to people browsing your profiles or someone looking over your shoulder at your phone.

How CVSS v4.0 Works: Characterizing and Scoring Vulnerabilities Source: www.malwarebytes.com/blog/news… The Common Vulnerability Scoring System (CVSS) provides developers, testers, and security and IT teams with a standardized method to assess vulnerabilities. It enables organizations to evaluate the severity of each issue and prioritize mitigation based on risk. This article outlines how CVSS functions, explains its scoring components, and highlights the value of a consistent, structured assessment process. A software vulnerability is any weakness in a codebase that can be exploited. These weaknesses often stem from issues such as flawed logic, insufficient validation, or missing safeguards against buffer overflows. When exploited, vulnerabilities can allow attackers to gain unauthorized access, run arbitrary code, or interrupt system operations.

GreyNoise launches free scanner to check if you’re part of a botnet www.bleepingcomputer.com/news/secu…

GreyNoise Labs has launched a free tool called GreyNoise IP Check that lets users check if their IP address has been observed in malicious scanning operations, like botnet and residential proxy networks.

The threat monitoring firm that tracks internet-wide activity via a global sensor network says this problem has grown significantly over the past year, with many users unknowingly helping malicious online activity.

“Over the past year, residential proxy networks have exploded and have been turning home internet connections into exit points for other people’s traffic,” explains GreyNoise.

“Sometimes folks knowingly install software that does this in exchange for a few dollars. More often, malware sneaks onto devices, usually via nefarious apps or browser extensions, and quietly turns them into nodes in someone else’s infrastructure.”

While there are ways to determine if someone has become part of malicious botnet activity, like examining device logs, configurations, network traffic, and activity patterns, a tool that simply checks the IP address is the least intrusive method

MS Teams Guest Access Can Remove Defender Protection When Users Join External Tenants thehackernews.com/2025/11/m…

Cybersecurity researchers have shed light on a cross-tenant blind spot that allows attackers to bypass Microsoft Defender for Office 365 protections via the guest access feature in Teams.

“When users operate as guests in another tenant, their protections are determined entirely by that hosting environment, not by their home organization,” Ontinue security researcher Rhys Downing said in a report.

“These advancements increase collaboration opportunities, but they also widen the responsibility for ensuring those external environments are trustworthy and properly secured.”

The development comes as Microsoft has begun rolling out a new feature in Teams that allows users to chat with anyone via email, including those who don’t use the enterprise communications platform, starting this month. The change is expected to be globally available by January 2026.

Man behind in-flight Evil Twin WiFi attacks gets 7 years in prison www.bleepingcomputer.com/news/secu…

A 44-year-old man was sentenced to seven years and four months in prison for operating an “evil twin” WiFi network to steal the data of unsuspecting travelers during flights and at various airports across Australia.

The man, an Australian national, was charged in July 2024 after Australian authorities had confiscated his equipment in April and confirmed that he was engaging in malicious activities during domestic flights and at airports in Perth, Melbourne, and Adelaide.

Specifically, the man was setting up an access point with a ‘WiFi Pineapple’ portable wireless access device and used the same name (SSID) for the rogue wireless network as the legitimate ones in airports.

Users connecting to the malicious access point were directed to a phishing webpage that stole their social media account credentials.

The man used these credentials to access women’s accounts to monitor their communications and steal private images and videos.

Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update Source: thehackernews.com/2025/11/m… Microsoft plans to tighten security for Entra ID authentication by blocking unauthorized script injections beginning in 2026. The change centres on an update to the platform’s Content Security Policy (CSP), which governs which scripts can run during the sign-in process at login.microsoftonline.com. Under the revised policy, only scripts sourced from trusted Microsoft domains will be permitted to execute. The goal is to prevent malicious or injected code from running during browser-based authentication flows. Microsoft stated that the update “strengthens security and adds an extra layer of protection by allowing only scripts from trusted Microsoft domains to run during authentication.” The change restricts script downloads to Microsoft-trusted CDN domains and allows inline script execution only when sourced from Microsoft. The update applies exclusively to browser-based sign-ins at login.microsoftonline.com. Microsoft Entra External ID will not be impacted.

Asahi Confirms Nearly Two Million Individuals’ Data May Be Exposed in Ransomware Attack Source: www.theregister.com/2025/11/2… Asahi has released updated findings on the ransomware attack that struck its Japanese operations in September, acknowledging that personal data tied to nearly two million people may have been compromised. The incident first came to light on September 29, when Asahi reported a “system failure caused by a cyberattack” that disrupted ordering, shipping, and call centre operations nationwide. The Qilin ransomware group later claimed responsibility, asserting it exfiltrated 27 GB of internal data, including employee information, contracts, financial documents, and other sensitive material. According to Asahi’s latest update, attackers gained access through compromised network equipment at a Group datacentre in Japan. Ransomware was deployed the same day, encrypting data across multiple active servers and several connected PCs. The attack forced a widespread operational shutdown, including suspension of order processing, halted shipments, and disabled customer service lines. Although the datacentre was isolated within hours, the intrusion window was sufficient for the attackers to encrypt systems and extract data.

Ransomware Elevates Cybersecurity to National Security Priority Source: www.databreachtoday.com/ransomwar… Relentless ransomware activity targeting the United Kingdom and the United States has elevated cybersecurity to a core national security issue, according to Anne Neuberger, former White House deputy national security adviser for cyber, speaking at an event in London. Governments are urging private-sector organizations to strengthen their defences following a series of major incidents with national-scale impact. In the U.K., high-profile attacks include the April breach of Marks & Spencer, which disrupted operations and resulted in nearly $400 million in recovery costs, and the September attack on Jaguar Land Rover, which halted production, affected supply chains, and has already cost an estimated $260 million. Broader economic effects could reach $2.5 billion. Neuberger emphasized that long-term resilience must include targeting the financial ecosystem that enables ransomware, particularly cryptocurrency channels that facilitate payment flows and laundering activities.

Zendesk Users Targeted as Scattered Lapsus$ Hunters Launch Fake Support Sites Source: www.theregister.com/2025/11/2… ReliaQuest has uncovered an emerging extortion campaign aimed at Zendesk customers, attributed to the Scattered Lapsus$ Hunters group. The operation uses newly created phishing domains and fraudulent helpdesk tickets to harvest credentials and engage support teams. Researchers identified more than forty typosquatted or impersonation domains over the past six months, including variants such as znedesk.com and vpn-zendesk.com. Some host fake single sign-on pages, while others are used to insert fraudulent tickets into Zendesk workflows. The domains share consistent traits: the same registrar (NiceNic), U.S. or U.K. contact details, and Cloudflare-masked nameservers. The infrastructure closely mirrors a previous impersonation campaign against Salesforce, leading analysts to suspect the same threat group is responsible. The activity highlights a broader shift among cybercriminals. Rather than exploiting zero-days or breaching networks directly, attackers are increasingly weaponizing identity, brand impersonation, and trust in SaaS platforms. Scattered Lapsus$ Hunters comprise members from several well-known groups, including social engineering actors from Scattered Spider, data-theft operators from ShinyHunters, and extortion specialists from Lapsus$, forming a combined crew optimized for modern enterprise environments.

Akira’s SonicWall Exploits Are Disrupting Large Enterprises Source: www.databreachtoday.com/akiras-so… The Akira ransomware group has found a path into large corporate networks by compromising SonicWall SSL VPN devices—hardware typically marketed to small- and medium-sized businesses. Once those firms are acquired by larger enterprises, these devices become high-value entry points for attackers. Akira began exploiting CVE-2024-40766 between September and December 2024. The flaw was also leveraged by the Fog ransomware group during the same period. A renewed wave of Akira activity surfaced this past summer, running from late July through at least September. According to Arctic Wolf, the volume and diversity of victims indicate opportunistic mass exploitation, rather than targeted attacks, with impacted organizations spanning multiple industries.

FCC Warns Broadcasters After Emergency Tones Used in Profanity-Laced Radio Hijacks Source: www.theregister.com/2025/11/2…

The US Federal Communications Commission (FCC) has issued a warning following a series of cyber intrusions in which attackers hijacked insecure studio-to-transmitter links (STLs) and injected fake alerts and vulgar audio into radio broadcasts.

The attacks allowed intruders to divert legitimate programming and replace it with their own content, including the “Attention Signal” tone associated with the Emergency Alert System (EAS). The FCC described this as a “recent string of cyber intrusions” targeting poorly secured broadcast infrastructure.

Broadcasters are urged to review security controls and report any suspected unauthorized access to both the FCC and the FBI’s Internet Crime Complaint Center (IC3).

This warning follows a notable 2013 incident when the EAS was compromised across several television stations, resulting in hoax “zombie apocalypse” alerts before authorities confirmed the messages were fraudulent.

The Mystery OAST Host Behind a Regionally Focused Exploit Operation Source: www.vulncheck.com/blog/myst… Out-of-band application security testing (OAST) endpoints are common in large-scale exploit scanning, with most threat actors favouring public services such as oast.fun because they require no dedicated infrastructure. That is why callbacks to detectors-testing.com stood out in VulnCheck’s Canary Intelligence telemetry. The activity suggested an attacker was operating a private OAST domain as part of a regionally targeted exploit campaign. VulnCheck observed approximately 1,400 exploit attempts tied to this infrastructure, covering more than 200 CVEs. Although most payloads resembled standard Nuclei templates, the attacker’s hosting decisions, tooling, and regional focus deviated from typical OAST behaviour.

Popular Forge Library Receives Fix for Signature Verification Bypass Flaw Source: www.bleepingcomputer.com/news/secu… A high-severity vulnerability in the node-forge package, a widely used JavaScript cryptography library, has been patched after researchers discovered a method to bypass digital signature verification. Tracked as CVE-2025-12816, the flaw stems from weaknesses in the library’s ASN.1 validation logic. The issue allowed specially crafted, malformed data to pass signature checks despite being cryptographically invalid. According to an advisory from Carnegie Mellon CERT-CC, the risk varies by implementation but may include: Authentication bypass Tampering with signed data Misuse or manipulation of certificate-related functionality CERT-CC noted that environments relying heavily on cryptographic verification could face particularly serious consequences. The potential impact is amplified by the library’s widespread adoption, with nearly 26 million weekly downloads on the NPM registry.

Incident: OpenAI API customer data exposed in Mixpanel analytics breach
Date of Incident (ET): Nov. 9, 2025
Date of Disclosure/Publication (ET): Nov. 27, 2025
Summary: OpenAI told ChatGPT API customers that analytics vendor Mixpanel exposed limited names, emails and usage metadata after a smishing-enabled compromise, but no passwords, API keys or model inputs were accessed.
Source: www.bleepingcomputer.com/news/secu…

Incident: Gainsight customer data targeted in ShinyHunters OAuth token abuse campaign
Date of Incident (ET): Oct. 23, 2025
Date of Disclosure/Publication (ET): Nov. 27, 2025
Summary: Customer-success vendor Gainsight reported that ShinyHunters abused compromised Salesforce OAuth tokens to access customer data, prompting Salesforce, Zendesk and other platforms to revoke integrations and publish indicators of compromise.
Source: thehackernews.com/2025/11/g…

Incident: Qilin ‘Korean Leaks’ campaign exploits South Korean MSP GJTec
Date of Incident (ET): Unknown
Date of Disclosure/Publication (ET): Nov. 26, 2025
Summary: Qilin ransomware exploited South Korean MSP GJTec in the Korean Leaks campaign, stealing over one million files and two terabytes of data from 28 mainly financial-sector victims across three publication waves.
Source: thehackernews.com/2025/11/q…

Incident: Cyberattack disrupts shared IT for three London councils
Date of Incident (ET): Nov. 24, 2025
Date of Disclosure/Publication (ET): Nov. 26, 2025
Summary: A cyberattack on shared IT infrastructure disrupted online services and phone systems for the Kensington and Chelsea, Westminster, and Hammersmith and Fulham councils, forcing contingency arrangements for core public services.
Source: www.bleepingcomputer.com/news/secu…

Incident: INC Ransom attack cripples Crisis24 OnSolve CodeRED emergency alert platform
Date of Incident (ET): Nov. 10, 2025
Date of Disclosure/Publication (ET): Nov. 25, 2025
Summary: INC Ransom breached Crisis24’s OnSolve CodeRED emergency alert platform, stealing user data and encrypting systems, forcing decommissioning of a legacy environment and disrupting alerting for multiple U.S. municipalities.
Source: www.bleepingcomputer.com/news/secu…

Incident: ‘JackFix’ phishing variant undermines ClickFix-style awareness controls
Date of Incident (ET): Unknown
Date of Disclosure/Publication (ET): Nov. 25, 2025
Summary: Researchers detailed a ‘JackFix’ phishing variant that bypasses traditional ClickFix-style user training by chaining multi-stage emails, fake escalation calls and urgent payment demands to pressure victims into approving fraudulent transactions.
Source: www.darkreading.com/threat-in…

Incident: Harvard alumni and donor records exposed after voice phishing compromise
Date of Incident (ET): Nov. 18, 2025
Date of Disclosure/Publication (ET): Nov. 24, 2025
Summary: Harvard University reported that voice phishing led to unauthorized access to Alumni Affairs and Development systems, exposing contact, event and donation data for alumni, donors, parents, some students, and staff worldwide.
Source: www.bleepingcomputer.com/news/secu…

Old tech, new vulnerabilities: NTLM abuse, ongoing exploitation in 2025 securelist.com/ntlm-abus…

Flip phones were surging, Windows XP was new on the desktop, Apple had just launched the iPod, torrent-based file sharing was emerging, and MSN Messenger dominated online chat. That was the landscape in 2001, the year Sir Dystic of Cult of the Dead Cow released SMBRelay — the proof-of-concept that turned NTLM relay attacks from theory into practice and introduced a powerful new class of authentication-relay exploits.

Since then, NTLM’s weaknesses have been widely recognized, and year after year new vulnerabilities and more sophisticated attack techniques have continued to appear. Microsoft has responded with mitigations and by advancing NTLM’s successor, Kerberos. Yet, more than two decades later, NTLM remains deeply embedded in modern systems — spanning enterprise networks, legacy applications, and internal infrastructures that still depend on its outdated authentication methods.

This blog post examines the growing roster of NTLM-related vulnerabilities identified over the past year and explores the cybercriminal campaigns that have actively weaponized them across various regions worldwide.

Influencers in the crosshairs: How cybercriminals are targeting content creators www.welivesecurity.com/en/social…

Social media influencers offer reach, credibility, and amplification — traits that make them attractive targets for fraud, scams, and malware distribution. Strong account protection remains essential in disrupting these threats.

Compounding the issue, influencers are increasingly being singled out by cybercriminals. A recent spear-phishing campaign, which impersonated brands such as Tesla and Red Bull, underscores the growing risks.

An account compromise can cause significant harm to the creator, their followers, and their commercial relationships. For anyone building or maintaining a digital audience, now is a prudent time to review account security practices.

The Golden Scale: ’Tis the Season for Unwanted Gifts unit42.paloaltonetworks.com/new-shiny…

In October 2025, Unit 42 published two Insights reports examining threat activity linked to the cybercriminal alliance known as Scattered LAPSUS$ Hunters (SLSH). After several weeks of relative quiet, the group has re-emerged aggressively, according to open-source reporting and discussions uncovered in a new Telegram channel titled scattered LAPSUS$ hunters part 7.

This latest Insights blog highlights Unit 42’s notable observations since mid-November and offers guidance to help organizations brace for increased threat activity as the holiday season approaches.

Fake LinkedIn jobs trick Mac users into downloading Flexible Ferret malware www.malwarebytes.com/blog/news…

Researchers have uncovered a new Mac-targeted attack that directs victims to a fraudulent job site and persuades them to install malware disguised as a software update.

Threat actors impersonate recruiters on LinkedIn and encourage targets to apply for a role. As part of the supposed application process, victims are asked to record a short video introduction and upload it to a dedicated website.

Once there, users are prompted to install a fake update for the FFmpeg media-processing tool. The download is actually a backdoor linked to the Contagious Interview campaign, which has previously been attributed to the Democratic People’s Republic of Korea (DPRK).