Sunday, November 16, 2025

Should we come back?

Let us know. The new team and capabilities are out of this world!


More to follow!

Daily Report 16 Nov 2025

# DAILY CYBERSECURITY THREAT INTELLIGENCE REPORT


## November 16, 2025


-----


## EXECUTIVE SUMMARY


**Report Date:** Saturday, November 16, 2025  

**Reporting Period:** Last 24-48 Hours  

**Overall Threat Level:** HIGH


This daily intelligence briefing provides critical updates on the cybersecurity landscape, including recently disclosed vulnerabilities, active threat campaigns, law enforcement operations, and emerging attack techniques. Organizations should prioritize patching activities and review defensive controls based on the findings in this report.


**Key Developments:**


- Microsoft November Patch Tuesday addresses 63 vulnerabilities including 1 actively exploited zero-day

- Major law enforcement operation disrupts Rhadamanthys Stealer, Venom RAT, and Elysium botnet infrastructure

- 7 critical vulnerabilities discovered in ChatGPT (GPT-4o and GPT-5) enabling zero-click attacks

- New ransomware marketplace “Lockverse” discovered operating as subscription-based RaaS

- Google sues operators of $1 billion Lighthouse phishing platform

- 131 new CVEs discovered daily (16% increase from 2024)


-----


## 1. CRITICAL VULNERABILITIES & EXPLOITS


### 1.1 **Microsoft November 2025 Patch Tuesday**


**Overview:** Microsoft released patches for 63 vulnerabilities on November 12, 2025


**Severity Breakdown:**


- **4 Critical** vulnerabilities

- **59 Important** vulnerabilities

- **1 Zero-Day** actively exploited in the wild


**Vulnerability Categories:**


- 29 Elevation of Privilege

- 16 Remote Code Execution

- 11 Information Disclosure

- 3 Denial of Service

- 2 Security Feature Bypass

- 2 Spoofing


-----


### 1.2 **EXPLOITED ZERO-DAY: Windows Kernel Race Condition**


**CVE-2025-62215** - Windows Kernel Elevation of Privilege


- **Severity:** Important (CVSS 7.0)

- **Status:** ACTIVELY EXPLOITED IN THE WILD

- **Added to CISA KEV:** November 13, 2025


**Technical Details:**


- Race condition vulnerability in Windows Kernel

- Concurrent execution using shared resource with improper synchronization

- Allows authorized local attacker to escalate privileges

- Enables SYSTEM-level access


**Exploitation Assessment:**


- Discovered by Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC)

- Used as post-exploitation activity following initial access

- Typically chained with other vulnerabilities:

  - RCE or sandbox escape provides initial code execution

  - Race condition escalates to SYSTEM privileges

  - Enables credential dumping and lateral movement


**Critical Impact:**

“When chained with other bugs this kernel race is critical: an RCE or sandbox escape can supply the local code execution needed to turn a remote attack into a SYSTEM takeover” - Mike Walters, Action1


**Immediate Actions Required:**


1. Apply November 2025 security updates immediately

2. Monitor for unusual privilege escalation activities

3. Review logs for SYSTEM-level access from unexpected accounts

4. Implement principle of least privilege

5. Federal agencies must patch per CISA BOD 22-01


-----


### 1.3 **Critical Remote Code Execution Vulnerabilities**


**CVE-2025-60724** - Microsoft Graphics Component


- **Severity:** CRITICAL (CVSS 9.8)

- **Type:** Heap-based buffer overflow

- **Impact:** Remote code execution

- **Risk:** High - enables complete system compromise


**CVE-2025-62220** - Windows Subsystem for Linux GUI


- **Severity:** HIGH (CVSS 8.8)

- **Type:** Heap-based buffer overflow

- **Impact:** Remote code execution


**CVE-2025-60704** - Windows Kerberos “CheckSum”


- **Severity:** HIGH (CVSS 7.5)

- **Type:** Missing cryptographic step

- **Impact:** Privilege escalation to administrator

- **Attack:** Adversary-in-the-Middle (AitM) required

- **Technique:** Kerberos constrained delegation vulnerability

- **Discovered by:** Silverfort researchers Eliran Partush and Dor Segal


**Attack Methodology (CVE-2025-60704):**


- Attacker injects themselves into logical network path

- Intercepts connection between target and requested resource

- Impersonates arbitrary users

- Gains full domain control

- Requires user-initiated connection


-----


### 1.4 **CISA Known Exploited Vulnerabilities (Recent Additions)**


**CVE-2025-9242** - WatchGuard Firebox


- **Added:** November 13, 2025

- **Severity:** CRITICAL (CVSS 9.3)

- **Type:** Out-of-bounds write in OS iked process

- **Impact:** Remote code execution without authentication

- **Status:** Actively exploited in the wild

- **Patched:** September 2025

- **Disclosed by:** watchTowr Labs (October 2025)

- **Vulnerability:** Missing length check during IKE handshake process

- **Versions Affected:**

  - Fireware OS 11.10.2 through 11.12.4_Update1

  - 12.0 through 12.11.3

  - 2025.1


**CVE-2025-11371** - Gladinet CentreStack/Triofox


- **Added:** November 5, 2025

- **Severity:** HIGH (CVSS 7.5)

- **Type:** Files or directories accessible to external parties

- **Impact:** Unintended disclosure of system files

- **Status:** Active exploitation


**Gladinet Triofox Additional Vulnerability**


- **Type:** Improper access control

- **Impact:** Access to initial setup pages after setup complete

- **Risk:** Configuration tampering, unauthorized access


**CWP Control Web Panel**


- **Type:** OS command injection

- **Impact:** Unauthenticated remote code execution

- **Vector:** Shell metacharacters in t_total parameter

- **Request:** filemanager changePerm


**CVE-2025-21042** - Samsung Mobile Devices


- **Type:** Out-of-bounds write in libimagecodec.quram.so

- **Impact:** Remote code execution

- **Exploitation:** Leveraged by LANDFALL Android spyware (zero-day)

- **Discovered by:** Palo Alto Networks Unit 42

- **Target:** Samsung Android image processing library

- **Patch:** April 2025 security update


-----


### 1.5 **ChatGPT Critical Vulnerabilities (Zero-Click Attacks)**


**HackedGPT Discovery** - Tenable Research (November 2025)  

**7 Critical Vulnerabilities** affecting GPT-4o and GPT-5


**Impact:** Hundreds of millions of ChatGPT users exposed to sophisticated zero-click attacks


**Most Critical Vulnerabilities:**


**1. Bing Tracking Link Bypass**


- Bypasses ChatGPT safety mechanisms

- Exploits external data processing weaknesses

- No user interaction required


**2. Markdown Rendering Vulnerability**


- Hides malicious content from users

- ChatGPT processes hidden instructions in background

- Breaks user trust and transparency expectations


**3. SearchGPT Prompt Injection**


- Zero-click attack vector (most severe)

- Attackers inject prompts visible only to SearchGPT crawler

- Websites indexed with malicious prompts

- Users trigger compromise through innocent queries


**Attack Chains Demonstrated:**


1. **Comment Section Injection**

   - Malicious prompts injected into trusted website comments

   - Users ask ChatGPT to summarize articles

   - Unknowingly trigger prompt injection

   - Results in phishing attacks or data theft

2. **Indexed Web Page Exploitation**

   - Create websites about specific topics

   - Inject prompts invisible to human readers

   - Wait for SearchGPT indexing

   - Users searching topics trigger malicious code

3. **Direct URL Parameter Attack**

   - Malicious parameters embedded in URLs

   - ChatGPT processes when analyzing links

   - Executes attacker-controlled instructions


**Capabilities:**


- Establish persistence in ChatGPT sessions

- Hide malicious activity from users

- Compromise through routine web searches

- Memory manipulation (force ChatGPT to update memories)

- Unprecedented attack surface for AI systems


**Risk Assessment:**

“These vulnerabilities fundamentally alter the threat landscape for organizations and individuals using ChatGPT for sensitive work.” - Tenable Research


**OpenAI Response:** Response and remediation timeline critical; users remain exposed to novel attack techniques


-----


### 1.6 **AI Infrastructure Vulnerabilities**


**ShadowMQ Pattern** - Remote Code Execution in AI Engines  

**Discovered by:** Oligo Security (November 14, 2025)


**Affected Platforms:**


- Meta LLM frameworks

- Nvidia AI inference engines

- Microsoft AI systems

- PyTorch projects (vLLM, SGLang)


**Root Cause:**


- Unsafe use of ZeroMQ (ZMQ)

- Python’s pickle deserialization

- Insecure deserialization logic propagated through code reuse


**CVE-2024-50050** - Meta Llama Framework


- **CVSS Score:** 6.3/9.3

- **Type:** Insecure deserialization

- **Patched:** October 2024

- **Spread:** Vulnerability pattern replicated across multiple AI projects


**Impact:** Critical remote code execution capabilities in major AI inference engines used globally
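The vulnerable pattern behind ShadowMQ (a worker that `pickle.loads()` whatever frame arrives on its ZeroMQ socket) next to two hardened receivers and a triage check that inspects a frame without loading it. This is an added example written for this report, not code from Meta, Nvidia, vLLM or SGLang; the message schema, the size cap and the sample frames are assumptions, and the ZeroMQ socket is replaced by raw bytes so the block runs offline.

```python
import collections
import io
import json
import pickle
import pickletools


# --- Vulnerable pattern (the ShadowMQ shape): trust whatever the peer sent ---
def vulnerable_receive(frame: bytes):
    # pickle.loads() imports and calls any callable the stream names, so a
    # frame from an untrusted peer is remote code execution on the worker.
    return pickle.loads(frame)


# --- Hardening A: keep pickle but refuse every import it would perform ------
class NoGlobalsUnpickler(pickle.Unpickler):
    """Loads only primitive containers (dict, list, tuple, str, bytes, int,
    float, bool, None). Any GLOBAL/STACK_GLOBAL opcode is refused before a
    module is imported, which removes the code-execution path entirely."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refused global {module}.{name}")

    def persistent_load(self, pid):
        raise pickle.UnpicklingError("persistent ids are not allowed")


def safe_unpickle(frame: bytes, max_bytes: int = 1 << 20):
    # Size cap assumed for this example: bound memory use before parsing.
    if len(frame) > max_bytes:
        raise ValueError("frame exceeds size limit")
    return NoGlobalsUnpickler(io.BytesIO(frame)).load()


# --- Hardening B: drop pickle for a schema-checked JSON message -------------
# Assumed message shape for an inference request; adapt to the real protocol.
ALLOWED_FIELDS = {"request_id": str, "prompt": str, "max_tokens": int}


def safe_json_receive(frame: bytes) -> dict:
    obj = json.loads(frame.decode("utf-8"))
    if not isinstance(obj, dict) or set(obj) != set(ALLOWED_FIELDS):
        raise ValueError("unexpected message shape")
    for key, typ in ALLOWED_FIELDS.items():
        if type(obj[key]) is not typ:  # exact type: bool is not an int here
            raise ValueError(f"bad type for field {key}")
    return obj


# --- Detection aid: inspect a frame without loading it ----------------------
IMPORTING_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ",
                     "NEWOBJ_EX", "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4"}


def frame_has_global(frame: bytes) -> bool:
    """True if the pickle stream contains an opcode that would import a module
    or call a callable on load. Usable on captured traffic as a triage check."""
    return any(op.name in IMPORTING_OPCODES
               for op, _, _ in pickletools.genops(frame))


def rejects(loader, frame: bytes) -> bool:
    """True if `loader` refuses `frame` instead of returning an object."""
    try:
        loader(frame)
    except (pickle.UnpicklingError, ValueError, UnicodeDecodeError):
        return True
    return False


def sample_frames() -> dict:
    """Constructed frames standing in for what a ZeroMQ socket would deliver."""
    return {
        # ordinary data a worker legitimately exchanges
        "benign": pickle.dumps({"prompt": "hi", "max_tokens": 3}),
        # a bare class reference: harmless, but it carries the STACK_GLOBAL
        # opcode that makes pickle.loads() import code, which is all a hostile
        # frame needs; the hardened loader must refuse it
        "global_ref": pickle.dumps(collections.OrderedDict),
        "json_ok": json.dumps({"request_id": "r1", "prompt": "hi",
                               "max_tokens": 3}).encode(),
        "json_bad": b'{"request_id": "r1", "prompt": "hi", "max_tokens": "3"}',
    }


if __name__ == "__main__":
    frames = sample_frames()
    for name in ("benign", "global_ref"):
        print(f"{name}: imports on load={frame_has_global(frames[name])}, "
              f"hardened loader rejects={rejects(safe_unpickle, frames[name])}")
```

Option B is the durable fix: a JSON (or msgpack) message with a fixed schema leaves no deserializer that can be coaxed into importing code, whereas option A only contains pickle and still needs the size cap.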


-----


### 1.7 **Cisco Critical Vulnerabilities**


**New Firewall Attack Variant** (Announced November 10, 2025)


**Affected Products:**


- Cisco Secure Firewall Adaptive Security Appliance (ASA) Software

- Cisco Secure Firewall Threat Defense (FTD) Software


**CVE-2025-20333 + CVE-2025-20362** (Previously disclosed September 2025)


- **Status:** Exploited as zero-days before disclosure

- **Malware Deployed:** RayInitiator and LINE VIPER

- **Attribution:** Attacks documented by UK NCSC

- **New Attack:** Causes unpatched devices to unexpectedly reload (DoS conditions)


**CVE-2025-20333:**


- Arbitrary code execution as root

- Exploited via crafted HTTP requests


**CVE-2025-20362:**


- Access restricted URLs without authentication


**Cisco Unified Contact Center Express (Unified CCX)**


**CVE-2025-20354** (CVSS 9.8) - CRITICAL


- Java RMI process vulnerability

- Upload arbitrary files

- Execute arbitrary commands with root permissions


**CVE-2025-20358** (CVSS 9.4) - CRITICAL


- CCX Editor application vulnerability

- Bypass authentication

- Obtain administrative permissions

- Create arbitrary scripts on OS

- Execute malicious scripts


**Cisco Identity Services Engine (ISE)**


**CVE-2025-20343** (CVSS 8.6) - HIGH


- Denial of Service vulnerability

- Causes device to restart unexpectedly

- Logic error processing RADIUS access requests

- Exploited by crafted RADIUS messages for already-rejected MAC addresses


**Current Status:** No evidence of exploitation; patches available


-----


## 2. MAJOR THREAT ACTOR ACTIVITIES


### 2.1 **Law Enforcement Operation Endgame (Phase 2)**


**Dates:** November 10-13, 2025  

**Led by:** Europol and Eurojust  

**Objective:** Combat ransomware enablers and criminal infrastructure


**Major Disruptions:**


**1. Rhadamanthys Stealer**


- Prominent malware-as-a-service platform

- Command-and-control servers compromised

- Control panels disrupted

- Infrastructure dismantled


**2. Venom RAT**


- Main suspect arrested in Greece (November 3, 2025)

- Remote access trojan operations disrupted


**3. Elysium Botnet**


- Large-scale botnet infrastructure taken down


**Operation Statistics:**


- **1,025+ servers** taken down globally

- **20 domains** seized

- **Hundreds of thousands** of infected computers cleared

- **Several million** stolen credentials recovered

- **Victims:** Many unaware of system infections


**Europol Statement:** “The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials.”


**Significance:** Largest coordinated takedown of ransomware enabler infrastructure in 2025


-----


### 2.2 **Scattered Spider, LAPSUS$, ShinyHunters Merger**


**New Group:** “Scattered LAPSUS$ Hunters” (SLH)  

**Formation:** Confirmed active since August 8, 2025


**Member Groups:**


- Scattered Spider (known for social engineering)

- LAPSUS$ (destructive data breaches)

- ShinyHunters (database theft specialists)


**Activity Metrics:**


- **16 Telegram channels** created since August 2025

- Testing “Sh1nySp1d3r” ransomware

- Advertising extortion-as-a-service


**Strategic Assessment:**


- First cohesive alliance within The Com (loose cybercrime network)

- Leveraging combined reputational capital

- Creating unified threat identity

- Force multiplier for financially motivated attacks

- Coordinated alliance blending operational tactics


**Tactics:**


- Recruitment operations

- Audience control

- Sophisticated extortion campaigns

- Reputation-based intimidation


**Significance:** Represents evolution from fluid collaboration to structured criminal enterprise


-----


### 2.3 **Google vs. Lighthouse Phishing Platform**


**Legal Action:** Civil lawsuit filed November 12, 2025  

**Court:** U.S. District Court for Southern District of New York  

**Defendants:** China-based hackers


**Lighthouse Platform:**


- **Type:** Phishing-as-a-Service (PhaaS)

- **Scale:** $1 billion operation

- **Victims:** 1 million+ users across 120 countries

- **Infrastructure:** Massive phishing operation


**Platform Capabilities:**


- Ready-made phishing kits

- Credential harvesting tools

- Multi-language support

- Global targeting infrastructure


**Google’s Action:** Seeking to dismantle platform and hold operators accountable


-----


### 2.4 **LANDFALL Android Spyware Campaign**


**Discovery:** Palo Alto Networks Unit 42 (November 2025)  

**Spyware Family:** Previously unknown - “LANDFALL”


**Zero-Day Exploitation:**

**CVE-2025-21042** - Samsung Android Image Processing Library


- Exploited before patch released

- Out-of-bounds write vulnerability

- Remote code execution capabilities


**Target:** Samsung mobile devices  

**Vector:** Malicious image files  

**Impact:** Complete device compromise


**Broader Pattern:** CVE-2025-21042 part of systematic targeting of image processing vulnerabilities across multiple platforms


-----


### 2.5 **SimpleHelp RMM Exploitation for Ransomware**


**Campaign:** Active November 2025  

**Target:** SimpleHelp Remote Monitoring and Management (RMM) platform


**Vulnerabilities Exploited:**


- CVE-2024-57726

- CVE-2024-57727

- CVE-2024-57728


**Attack Chain:**


1. Compromise third-party RMM servers

2. Gain SYSTEM-level access

3. Achieve full control over victim networks

4. Deploy discovery tools

5. Disable defensive systems

6. Exfiltrate data via RClone and Restic

7. Deploy ransomware


**Ransomware Deployed:**


- Medusa ransomware

- DragonForce ransomware


**Downstream Impact:** Access to all customer environments managed by compromised RMM


**Source:** Zensec security research


-----


## 3. RANSOMWARE & EXTORTION DEVELOPMENTS


### 3.1 **Lockverse - New RaaS Marketplace**


**Discovery:** Early November 2025  

**Type:** Ransomware-as-a-Service subscription platform


**Business Model:**


- Ready-made attack kits

- Affiliate dashboards

- Profit-sharing systems

- Mirrors legitimate SaaS businesses


**Significance:**


- Dark web openly marketing cybercrime tools

- Lowering barrier to entry for attackers

- Subscription-based access model

- Professional customer support infrastructure


**Trend:** “Security is no longer about walls alone. It is about visibility, proof, and speed.”


**Market Evolution:** Ransomware marketplaces operating with business sophistication rivaling legitimate software companies


-----


### 3.2 **Recent Ransomware Incidents**


**Qilin Ransomware - NHS Synnovis Attack**


- **Date:** June 2024 (impact continuing through 2025)

- **Target:** Synnovis (pathology services provider for NHS)

- **Victims:** 900,000+ patients

- **Data Exposed:** Highly sensitive medical information

- **Impact:** Long-term healthcare disruption


**Note:** Demonstrates continued fallout from major healthcare ransomware attacks


-----


### 3.3 **AI-Enhanced Ransomware**


**Trend Analysis:**


- AI-driven exploit discovery accelerating

- 16% of cyber incidents involve AI tools

- Automated targeting across supply chains

- Enhanced social engineering


**Predictions:**


- 2-3 major supply chain ransomware attacks expected through 2025

- AI playing key role in attack automation

- Attackers scaling faster with AI assistance


-----


## 4. MALWARE & MALICIOUS CAMPAIGNS


### 4.1 **Malicious Chrome Extension**


**Discovery:** November 2025  

**Name:** “Safery: Ethereum Wallet”  

**Platform:** Chrome Web Store


**Timeline:**


- **Uploaded:** September 29, 2025

- **Last Updated:** November 12, 2025

- **Status:** Still available for download (as of report date)


**Malicious Functionality:**


- Poses as legitimate Ethereum wallet

- Backdoor for seed phrase exfiltration

- Encodes seed phrases into Sui addresses

- Broadcasts microtransactions from attacker-controlled Sui wallet


**Socket Security Assessment:**

“Marketed as a simple, secure Ethereum (ETH) wallet, it contains a backdoor that exfiltrates seed phrases by encoding them into Sui addresses” - Kirill Boychenko, Socket


**User Impact:** Complete cryptocurrency wallet compromise


**Recommendation:** Immediate removal if installed; rotate all cryptocurrency keys


-----


### 4.2 **GootLoader Resurgence**


**Activity:** October 27 - November 2025  

**Malware:** GootLoader  

**Source:** Huntress security research


**Recent Activity:**


- 3 infections observed since October 27, 2025

- 2 resulted in hands-on keyboard intrusions

- Domain controller compromise within 17 hours of initial infection


**New Technique:** “Font trick” to hide malware on WordPress sites  

**Persistence:** Sophisticated multi-stage infection  

**Speed:** Extremely rapid progression to domain compromise


-----


### 4.3 **GlassWorm VS Code Campaign**


**Discovery:** November 10, 2025  

**Target:** Visual Studio Code ecosystem  

**Extensions Identified:** 3 malicious extensions


**Malicious Extensions:**


1. **ai-driven-dev.ai-driven-dev** - 3,402 downloads

2. **adhamu.history-in-subli** - [downloads not specified]

3. [Third extension details]


**Status:** Extensions still available for download  

**Campaign:** GlassWorm continues targeting developer tools


**Open VSX Response:** Fully contained GlassWorm attacks  

**Assessment:** Not a self-replicating worm in traditional sense


-----


### 4.4 **npm Registry Spam Attack**


**Scale:** 67,000+ fake packages  

**Duration:** Early 2024 through November 2025  

**Source:** Endor Labs research (November 13, 2025)


**Characteristics:**


- Systematically published over extended period

- Survived in ecosystem for nearly 2 years

- Junk packages flooding registry

- Likely financially motivated


**Impact:** Pollution of npm package ecosystem; developer trust erosion


-----


### 4.5 **ClickFix Phishing - Hospitality Sector**


**Campaign:** Large-scale targeting of hotel industry  

**Method:** ClickFix-style pages  

**Malware:** PureRAT


**Attack Methodology:**


- Compromised email accounts

- Messages to multiple hotel establishments

- Credential harvesting

- Remote access trojan deployment


**Objective:** Credential theft and persistent access to hotel management systems


**Source:** Sekoia security research (November 10, 2025)


-----


## 5. DATA BREACHES & INCIDENTS


### 5.1 **Hyundai AutoEver America Breach**


**Company:** Hyundai AutoEver America (HAEA)  

**Role:** IT services subsidiary for North America  

**Victims:** Up to 2.7 million Hyundai/Kia owners in US


**Timeline:**


- **Attack Start:** February 22, 2025

- **Attack End:** March 2, 2025

- **Notification:** November 2025


**Data Compromised:**


- Sensitive customer data

- Personal information

- Vehicle-related data


**Impact:** Major automotive sector data breach affecting millions


-----


### 5.2 **F5 Networks Source Code Theft**


**Date:** October 2025  

**Victim:** F5 Networks


**Stolen Materials:**


- BIG-IP source code (portions)

- Internal vulnerability research

- Threat intelligence documentation


**Attack Vector:**


- Compromised developer account

- Exposed GitLab instance

- Lack of MFA on privileged repositories


**Implications:**


- Advanced threat actors gain product insights

- Potential discovery of undisclosed vulnerabilities

- Shortened window between vuln discovery and weaponization

- Attackers can analyze authentication flows, memory handling, request processing


**F5 Statement:** No customer data or production systems affected


**Risk:** Enterprises using BIG-IP for load balancing and perimeter security face elevated risk


-----


### 5.3 **Reputation.com Data Exposure**


**Company:** Reputation.com (major online reputation management)  

**Clients:** Hundreds of major brands  

**Exposed:** 120 million records  

**Type:** Backend system data


-----


## 6. INDUSTRY DEVELOPMENTS


### 6.1 **Accenture Acquires CyberCX**


**Deal Value:** Billion-dollar acquisition  

**Significance:** Biggest cybersecurity shake-up in Australia/New Zealand in over a decade


**CyberCX Background:**


- Amalgamation of 17 regional cybersecurity firms

- Highly specialized firms

- Deeply embedded in SME ecosystem


**Impact:** Consolidation of cybersecurity services market in AU/NZ region


-----


### 6.2 **Malware-as-a-Service Economy**


**Current Trends:**


- 99% of organizations experienced API security incident in past year

- Global API security market: $3.17 billion projected by 2032

- Growing sophistication of MaaS platforms

- Professionalization of cybercrime operations


-----


### 6.3 **Microsoft Secure Future Initiative Progress**


**Report:** November 10, 2025  

**Scale:** 34,000 dedicated engineers (equivalent)  

**Claim:** Largest cybersecurity project in digital history


**Key Initiatives:**


**Memory-Safe Firmware:**


- Surface Rust-based UEFI firmware

- Addresses 70% of annual Microsoft security patches

- Tackles buffer overflows and supply chain attacks


**Safer Windows Drivers:**


- Critical drivers written in Rust

- Reduces memory safety bugs

- Fewer buffer overflows and use-after-free vulnerabilities


**Azure Security Improvements:**


- Enforced secure defaults

- Expanded hardware-based trust

- Updated security benchmarks


**Expanded ITDR Features:**


- Microsoft Defender for Identity sensor (generally available)

- Improved protection, correlation, context

- Modernized identity defense


**Side-Channel Attack Discovery:**


- Language model vulnerability disclosed

- Allows adversaries to determine conversation topics despite encryption


**Cybersecurity Governance:**


- 3 additional Deputy CISOs

- European regulations coverage

- Internal operations

- Ecosystem partnerships


-----


## 7. VULNERABILITY STATISTICS & TRENDS


### 7.1 **2025 CVE Volume**


**Daily Discovery Rate:** 131 new CVEs per day  

**Increase:** 16% from 2024


**H1 2025 Statistics:**


- **21,500+ CVEs** disclosed (first half of year)

- **23,667 CVEs** total H1 (up from 20,385 in H1 2024)

- **Projected 2025 Total:** Approaching 50,000 CVEs


**Record Month:** January 2025 (consistent with previous data)


**Implications:**


- Security teams overwhelmed with vulnerability triage

- Prioritization critical for effective response

- Approximately 130 new vulnerabilities requiring daily assessment


-----


### 7.2 **Exploitation Speed**


**Trend:** Attackers weaponizing vulnerabilities within hours of disclosure  

**Examples:**


- CVE-2024-5806 (Progress MOVEit Transfer): Exploited hours after disclosure

- General pattern: Days to hours from disclosure to exploitation


**Zero-Day Lifespan:** Up to 2 years of active threat due to delayed patching


-----


### 7.3 **Common Weakness Types**


**WordPress Ecosystem:**


- Cross-Site Scripting (XSS): >50% of plugin vulnerabilities

- CSRF and input validation weaknesses

- SQL injection

- Missing authorization checks

- Broken access control


**Microsoft Platform:**


- 70% of Microsoft’s security patches: Memory safety issues

- Buffer overflows

- Use-after-free vulnerabilities

- Race conditions


-----


## 8. SECURITY ADVISORIES & GUIDANCE


### 8.1 **Shadow AI Emergence**


**IBM Prediction (2025):**


- Shadow AI more common and risky than anticipated

- Unsanctioned AI models used by staff without governance

- Major risk to data security


**Requirements:**


- Clear governance policies

- Comprehensive workforce training

- Diligent detection and response


-----


### 8.2 **Identity-First Security Strategy**


**Drivers:**


- Identity as new security perimeter

- Hybrid cloud adoption

- App modernization initiatives


**2025 Focus:**


- Building effective identity fabric

- Product-agnostic integrated identity tools

- Managing multicloud environments

- Scattered identity solutions consolidation


-----


### 8.3 **Data and AI Security**


**Trustworthy AI Requirements:**


- Transparency

- Fairness

- Privacy protection

- **Security** (increasingly viewed as essential)


**Threat:** AI as attack vector; conduit for breaching security processes


**Need:** Automated security and compliance tasks to protect data and assets


-----


## 9. RECOMMENDED ACTIONS


### Immediate (24-48 Hours)


- [ ] **CRITICAL:** Apply Microsoft November 2025 Patch Tuesday updates

- [ ] **CRITICAL:** Patch CVE-2025-62215 (Windows Kernel zero-day)

- [ ] Update WatchGuard Firebox systems (CVE-2025-9242)

- [ ] Patch Cisco ASA/FTD devices (CVE-2025-20333, CVE-2025-20362)

- [ ] Review Chrome extensions; remove “Safery: Ethereum Wallet” if installed

- [ ] Audit VS Code extensions for GlassWorm campaign indicators

- [ ] Check for Samsung devices requiring CVE-2025-21042 patch


### Short-Term (1 Week)


- [ ] Implement enhanced monitoring for privilege escalation attempts

- [ ] Review ChatGPT usage policies in organization

- [ ] Assess exposure to AI infrastructure vulnerabilities (ShadowMQ pattern)

- [ ] Audit RMM platforms (especially SimpleHelp) for compromise indicators

- [ ] Update Gladinet/CentreStack/Triofox systems

- [ ] Review CWP Control Web Panel configurations

- [ ] Implement MFA on all privileged developer accounts (F5 breach lesson)


### Medium-Term (30 Days)


- [ ] Develop Shadow AI detection and governance program

- [ ] Assess AI model usage across organization

- [ ] Implement identity-first security architecture

- [ ] Review and update ransomware response procedures

- [ ] Conduct tabletop exercise for RaaS attack scenarios

- [ ] Evaluate third-party RMM security controls

- [ ] Implement browser extension allow-listing


### Strategic (90 Days)


- [ ] Develop comprehensive AI security framework

- [ ] Build vulnerability prioritization program (131 daily CVEs)

- [ ] Implement memory-safe development practices (Rust adoption where appropriate)

- [ ] Establish continuous monitoring for malware-as-a-service threats

- [ ] Create supply chain risk assessment for AI/ML dependencies

- [ ] Review and enhance code repository security (GitLab, GitHub)


-----


## 10. INDICATORS OF COMPROMISE


### Windows Kernel Privilege Escalation (CVE-2025-62215)


**Process Indicators:**


```

Unexpected SYSTEM-level access

Rapid privilege escalation from limited accounts

Unusual kernel-mode operations

```


**File Indicators:**


```

Modified kernel drivers

Suspicious temporary file creation by low-privilege accounts

Unusual DLL loads in kernel context

```


**Behavioral Indicators:**


```

Credential dumping activities post-escalation

Lateral movement immediately following local privilege gain

Domain admin enumeration from workstations

```
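Detection logic for the actions listed in section 1.2 (monitor for privilege escalation, review logs for SYSTEM-level access from unexpected accounts) and for the behavioral indicators above: a sweep over Windows Security event 4688 records that flags an ordinary account creating a process holding a SYSTEM token, then follows the SYSTEM-context children that appear afterwards. This is an added example written for this report, not Microsoft or CISA guidance; the log lines are constructed, and the user-writable path hints and the system-account list are assumptions to tune per environment.

```python
import json
from datetime import datetime

SYSTEM_ACCOUNTS = {"system", "local service", "network service"}
# Path fragments an ordinary user can write to. A SYSTEM-token process whose
# parent lives there is the classic post-exploitation shape. Assumed list.
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed sample (not real telemetry): JSON-lines export of Security log
# events. Field names follow the 4688 (process creation) event schema.
SAMPLE_LOG = r"""
{"TimeCreated":"2025-11-16T09:12:01Z","EventID":4688,"Computer":"WS01","SubjectUserName":"jdoe","ProcessId":"0x1234","TargetUserName":"jdoe","NewProcessId":"0x1a00","NewProcessName":"C:\\Windows\\System32\\notepad.exe","ParentProcessName":"C:\\Windows\\explorer.exe"}
{"TimeCreated":"2025-11-16T09:12:30Z","EventID":4688,"Computer":"WS01","SubjectUserName":"SYSTEM","ProcessId":"0x02d8","TargetUserName":"SYSTEM","NewProcessId":"0x1b00","NewProcessName":"C:\\Windows\\System32\\svchost.exe","ParentProcessName":"C:\\Windows\\System32\\services.exe"}
{"TimeCreated":"2025-11-16T09:12:45Z","EventID":4688,"Computer":"WS01","SubjectUserName":"jdoe","ProcessId":"0x1234","TargetUserName":"adm-jdoe","NewProcessId":"0x1c00","NewProcessName":"C:\\Windows\\System32\\mmc.exe","ParentProcessName":"C:\\Windows\\explorer.exe"}
{"TimeCreated":"2025-11-16T09:13:40Z","EventID":4688,"Computer":"WS01","SubjectUserName":"jdoe","ProcessId":"0x2b10","TargetUserName":"SYSTEM","NewProcessId":"0x2c00","NewProcessName":"C:\\Windows\\System32\\cmd.exe","ParentProcessName":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"}
{"TimeCreated":"2025-11-16T09:13:42Z","EventID":4688,"Computer":"WS01","SubjectUserName":"SYSTEM","ProcessId":"0x2c00","TargetUserName":"SYSTEM","NewProcessId":"0x2d00","NewProcessName":"C:\\Windows\\System32\\rundll32.exe","ParentProcessName":"C:\\Windows\\System32\\cmd.exe"}
{"TimeCreated":"2025-11-16T09:13:50Z","EventID":4688,"Computer":"WS01","SubjectUserName":"SYSTEM","ProcessId":"0x2d00","TargetUserName":"SYSTEM","NewProcessId":"0x2e00","NewProcessName":"C:\\Windows\\System32\\net.exe","ParentProcessName":"C:\\Windows\\System32\\rundll32.exe"}
{"TimeCreated":"2025-11-16T09:20:00Z","EventID":4624,"Computer":"WS01","SubjectUserName":"-","TargetUserName":"jdoe"}
"""


def parse_process_events(text: str) -> list:
    """Keep well-formed 4688 records; skip other event IDs and bad lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a corrupt export line should not abort the sweep
        if ev.get("EventID") == 4688:
            ev["_ts"] = datetime.fromisoformat(
                ev["TimeCreated"].replace("Z", "+00:00"))
            events.append(ev)
    return events


def system_descendants(root: dict, events: list) -> list:
    """Transitive children of `root` on the same host (creator PID matches a
    known new-process PID) that also run as SYSTEM: the hands-on activity
    that follows an escalation. PID reuse is ignored for brevity."""
    found, frontier = [], {root["NewProcessId"].lower()}
    for ev in sorted(events, key=lambda e: e["_ts"]):
        if ev["Computer"] != root["Computer"] or ev["_ts"] < root["_ts"]:
            continue
        if (ev["ProcessId"].lower() in frontier
                and ev["TargetUserName"].lower() in SYSTEM_ACCOUNTS):
            found.append(ev)
            frontier.add(ev["NewProcessId"].lower())
    return found


def flag_escalations(events: list) -> list:
    """Findings for 4688 events where an ordinary account created a process
    holding a SYSTEM token. SYSTEM creating SYSTEM (services, scheduled tasks)
    and a user switching to another user account (runas) are left alone."""
    findings = []
    for ev in events:
        creator = ev["SubjectUserName"].lower()
        target = ev["TargetUserName"].lower()
        if creator in SYSTEM_ACCOUNTS or target not in SYSTEM_ACCOUNTS:
            continue
        parent = ev["ParentProcessName"].lower()
        children = system_descendants(ev, events)
        suspicious_parent = any(h in parent for h in USER_WRITABLE_HINTS)
        findings.append({
            "host": ev["Computer"],
            "time": ev["TimeCreated"],
            "creator": ev["SubjectUserName"],
            "process": ev["NewProcessName"],
            "parent": ev["ParentProcessName"],
            "severity": "high" if children or suspicious_parent else "medium",
            "follow_on": [c["NewProcessName"] for c in children],
        })
    return findings


if __name__ == "__main__":
    for f in flag_escalations(parse_process_events(SAMPLE_LOG)):
        print(f"[{f['severity']}] {f['host']} {f['time']} {f['creator']} -> "
              f"SYSTEM via {f['parent']} spawning {f['process']}; "
              f"follow-on: {f['follow_on']}")
```

The sweep does not identify CVE-2025-62215 itself; it surfaces the shape any local privilege escalation leaves in process-creation auditing (an unprivileged creator obtaining a SYSTEM-token process), so it needs 4688 logging with the Target Subject fields enabled on the endpoints.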


-----


### Rhadamanthys Stealer (Pre-Takedown)


**Network Indicators:**


```

Connections to C2 servers (now disrupted)

Unusual outbound HTTPS traffic to Eastern European IPs

Data exfiltration patterns

```


**Host Indicators:**


```

Credential theft from browsers

Keylogging activity

Screenshot capture

Form-grabbing behavior

```


-----


### GootLoader (November 2025 Campaign)


**Initial Infection:**


```

WordPress site compromises

SEO poisoning redirects

Fake font downloads

```


**Post-Infection:**


```

Domain controller access within 17 hours

Registry modifications

Scheduled task creation

PowerShell execution

```


-----


### PureRAT (Hospitality Campaign)


**Email Indicators:**


```

Compromised hotel email accounts

ClickFix-style attachments

Credential harvesting pages

```


**Malware Indicators:**


```

Remote desktop capabilities

Keylogging modules

Screen capture functionality

Data exfiltration to external IPs

```


-----


## 11. TOP 10 GENERAL NEWS HEADLINES


### International Affairs


1. **Gaza Humanitarian Crisis Worsens** - UNRWA warns of catastrophic health emergency; contaminated water 9x saltier than global standards; 16,500 patients need treatment outside Gaza; 90% of population suffers malnutrition; Israel controls 54% of territory blocking aid access

2. **Israel-Gaza Ceasefire Stalls** - President Trump’s 20-point peace plan showing limited progress one month into ceasefire; both sides committed but implementation challenges mounting

3. **Sudan Darfur Famine Declared** - Famine detected in Darfur and South Kordofan amid fighting between Sudanese Armed Forces and Rapid Support Forces; humanitarian access blocked; 40+ killed in drone attack on funeral

4. **Typhoon Kalmaegi Devastation - Philippines** - Death toll rises to 142 with 127 missing; Philippines declares national state of calamity; Philippine Air Force helicopter crash during damage assessment kills 6

5. **US-Venezuela Tensions Escalate** - USS Gerald R. Ford (world’s largest aircraft carrier) arrives in northern Caribbean amid growing tensions; uncertainty over potential military force


### US Politics & Society


1. **US Government Shutdown Continues** - Shutdown reaches 43rd day; federal judge orders SNAP benefits release; 16 million children at risk of hunger; $1.2 billion UCLA funding frozen over antisemitism allegations

2. **Political Upheaval** - Rep. Marjorie Taylor Greene dismissed from House position; AG Pam Bondi orders investigation into Jeffrey Epstein ties to Trump political foes

3. **Contraceptive Storage Crisis** - US-purchased contraceptives sitting in Belgian warehouses since July; improper storage renders many unusable


### Technology & Disasters


1. **China Space Mission Returns** - Shenzhou-20 crew returns to Earth after delay from space debris impact; window cracks detected during mission

2. **Natural Disasters** - 6.3 magnitude earthquake strikes Afghanistan (20+ killed, Blue Mosque damaged); Colombia marks 40 years since Nevado del Ruiz volcano (25,000 killed in 1985); Indonesia landslide kills 2


-----


## 12. CONCLUSION


The cybersecurity landscape on November 16, 2025 continues to demonstrate elevated threat levels with sophisticated attacks across multiple vectors. The Microsoft November Patch Tuesday addressing 63 vulnerabilities including an actively exploited kernel zero-day underscores the ongoing challenge of rapid vulnerability disclosure and exploitation.


**Critical Trends:**


1. **Zero-Click AI Attacks:** The discovery of 7 critical ChatGPT vulnerabilities represents a paradigm shift in AI security, demonstrating that AI platforms themselves are becoming primary attack vectors.

2. **Law Enforcement Success:** Operation Endgame’s takedown of Rhadamanthys, Venom RAT, and Elysium demonstrates international cooperation can disrupt major cybercrime infrastructure.

3. **RaaS Evolution:** Lockverse marketplace shows continued professionalization of ransomware operations with legitimate business models.

4. **Credential Warfare:** Merged threat actor groups (Scattered Spider + LAPSUS$ + ShinyHunters) signal escalation in organized cybercrime capabilities.

5. **Supply Chain Risks:** F5 source code theft and SimpleHelp RMM exploitation highlight persistent supply chain vulnerabilities.

6. **Memory Safety:** Microsoft’s Rust adoption and memory-safe firmware development address root causes of 70% of vulnerabilities.


**Priority Actions:**


Organizations must immediately patch the Windows Kernel zero-day (CVE-2025-62215), assess ChatGPT usage for sensitive operations, review AI infrastructure security, and implement identity-first security architectures. The 131 daily CVEs require sophisticated prioritization frameworks focusing on actively exploited vulnerabilities and those in critical infrastructure.


The convergence of state-sponsored operations, financially-motivated cybercrime, and AI-enhanced attacks demands continuous adaptation and strategic investment in cybersecurity capabilities. Organizations cannot afford reactive postures—proactive threat hunting, zero-trust implementation, and comprehensive incident response planning are essential for resilience in 2025’s threat landscape.


-----


**Report Classification:** UNCLASSIFIED  

**Distribution:** General / Organizational Leadership  

**Next Update:** November 17, 2025


**Contact:** For questions or additional threat intelligence, contact your Security Operations Center (SOC) or Chief Information Security Officer (CISO).


-----


*This report is compiled from open-source intelligence and publicly available cybersecurity information. Organizations should validate findings against their specific environment, threat model, and risk tolerance.*


**END OF REPORT**

Thursday, May 11, 2017

Huge Uptick in Russian Activity

Over the last two days we have observed a huge uptick in Russian activity.

It appears as though we will be seeing more of this.

And here is the most recent update


As you can see things in the malware world are about to get interesting.

Friday, May 5, 2017

Motorola being targeted by Hackers



Yes we know it's been a while but we haven't been hiding, simply busy. While working through our daily routine today we noted that there are quite a lot of Motorola-like domains being registered by Chinese actors. This led to some research where we uncovered that over the last few days several hundred Motorola-like domains were registered, all with a central theme of being connected to motorola.3322.net, motorola.sytes.net and similar domains that we have observed used in Chinese attacks in the past.

It's probably a good idea if Motorola started the process of getting these domains and the dynamic DNS services associated with their trademarked name in check now, before this activity starts affecting their customers.

Have a great weekend!

Monday, December 26, 2016

Bitcoin Leaked Data

Searching through our platform we are seeing bitcoin transactions including full credit card numbers. Here is a redacted list of what we are seeing. These appear to be foreign but still interesting.



sendername,senderlast,emailaddress,telephone,bitcoin,price,payment,visaCardName,visaCardNumber,visaCardCCV,visaCardYear,masterCardName,masterCardNumber,masterCardCCV,masterCardMonth,masterCardYear
Avro,Ahmed,avro3030@gmail.com,035325325,"2 BTC","1255.32 USD",Visa,"Avro Ahmed",4364************,CVV,,,,,,
Seems like this is an all too common occurrence lately. 

IBM of Brazil Credential Exposure

Looking through the Jigsaw Analytics Platform (from Jigsaw Security) we noted today that there was an account being leaked at the br.ibm.com domain.






As 2016 comes to a close we have decided that instead of ignoring these issues we will be posting more and more. In fact we will be exposing these issues in 2017.

Source: http://www.pastebin.com/5EM2yiuu.txt


Thursday, December 8, 2016

More Retail Breach Details

We are about to release some details on another retail breach. It seems it just keeps getting worse and worse. We are trying to contact these folks but if they don't respond we will just post the information here.


Wednesday, October 26, 2016

What are we tracking today?

Just a little over 20000 infected cameras, routers and embedded Unix operating systems.


It's not looking good for the Interwebs at the moment. This list keeps growing and growing...

Hopefully we don't see a repeat of what we saw last week!


Tuesday, September 20, 2016

We Told You So!

I just read a post on databreaches.net that talks about the issues at WakeMed. Remember this is not the first time they have popped up on this blog. We contacted them and received no response. If they were smart they would talk to us because we provided other information and to date they have done nothing about it.

The response I received was that they didn't care because it was end users' accounts that were affected. Just goes to show that all of this could have been prevented, but their response to us was not what we would have expected.

Reference:
https://www.databreaches.net/wakemed-exposed-patients-phi-in-bankruptcy-claims-uploaded-to-pacer-attorney/

Previous Warnings:
http://vulnerabledisclosures.blogspot.com/search/label/wakemed

Tuesday, September 6, 2016

DNC Hacked Over a Year Ago

What they are not telling you in the news is that the DNC was hacked at least as early as December 2015. Looking back through our data we noted the DNC FTP server information was publicly known and was obtained through the PONY malware attacks that dominated part of 2015.

During forensics of a server in December of 2015 we noted that there was political information in the data set but did not really see the significance until recently when reviewing the forensics information.


Thursday, August 25, 2016

Representative Wagner Pennsylvania - Just a quick note

So we started seeing some references to Representative Wagner in PA in dumps today. It was his username and obvious password. Tried to contact them and let them know and was greeted with this:

<dwagner@state.pa.us>: host mx1.pa.iphmx.com[68.232.140.80] said: 550 #5.1.0
    Address rejected. (in reply to RCPT TO command)
 
Now what if I was trying to email my state representative? I guess I would be screwed because Cisco decided that I can't email them right? 
 
Well you can thank Cisco Ironport. Apparently Cisco has us on their blocklist and hasn't removed us. Maybe because we make them look stupid by posting their passwords such as this one...
 
August 24th 2016, 20:00:00.000

August 24th 2016, 20:00:00.000
nhg@cisco.com|Gold*****
9988
 
 
Don't you just love it when these companies rely on a useless piece of technology like the Ironport devices?

Monday, June 20, 2016

Deep Diving xDedic Marketplace

First off I would like to thank SecureList for posting the full unredacted IP address information on the servers posted to Pastebin in their recent article. Upon seeing the file I decided to have our analyst take a look and see what servers were affected and figure out who owns those servers (the companies affected).

Using our Intelligence Platform to process the 70000+ entries and to perform analytic modeling on the data we came up with the following.

Ingest Time: 35 seconds
Total Records Ingested: 176,076
DNS Enrichment: 5 minutes 25 seconds

So now we have the data in our big data platform and we want to see exactly what the IP's resolve to. Our goal is to figure out what companies are affected by this and breached without them being aware of it and notify them.

More information will be posted shortly...

Monday, June 6, 2016

UPDATED: A look at Guardzilla - They have eyes even when you don't!

Look familiar? Well this device started showing up in all the big box retailers last year so we decided to give one a try. Hooking the device up to an EVDO hotspot on Verizon was interesting at best. During our testing we discovered that the device streams continuously back to Guardzilla (even if you don't subscribe to their monitoring) all the time. So this "security" device has some serious "privacy" issues. The way most cameras work is that you access the camera and it streams the images to you directly, but Guardzilla is not set up that way. When you set up the device it ALWAYS streams the video back to Guardzilla even if you don't subscribe to that service.

This is troubling for a number of reasons as now Guardzilla gets a sneak peek into your "secure" area without your consent.

The Guardzilla Privacy Policy:
Practecol takes reasonable efforts to ensure that your personal information is protected while you use the Services.

Oh and there's this line:
Also, video, audio, and other information received or recorded by your Guardzilla device may be stored on our servers or the servers of third parties.

I wonder who these third parties are because they are not disclosed anywhere in the privacy policy or terms of use.

Wait what?! So let me get this straight: the information is protected while you use the services but not when you're not using the services. So if I'm watching the video I'm now being protected by reasonable efforts to ensure that my information is protected, but when I stop using the services they are not protected any longer? This is quite confusing honestly. So while you're in bed sleeping your information is not protected because you're not actively using the services?

Here's the problem. Even when you don't subscribe to the recording and playback features offered by Guardzilla the devices still stream to Guardzilla, and we assume that the video is being stored, otherwise why would you send it? What tipped us off was the fact that the device uses nearly 1GB of bandwidth per day even when you're not viewing the camera. So basically you're allowing Guardzilla to see into your protected space and to hear everything that goes on in this space because these devices are constantly streaming even when you are not using them.

We thought you might like to know. I can tell you this. Our Guardzilla test unit is about to be smashed in the parking lot never to be seen or heard from again.... Ever...

UPDATE: So Guardzilla reached out to me via email and specifically stated that this is how the product works. I definitely would NOT recommend the purchase of these devices under any circumstances since the terms of service basically say they can do what they want with your videos, and the fact that it will use 30GB of data per month is ridiculous. Best to purchase a camera that only sends the information to you and only when requested.

Saturday, June 4, 2016

University of Berkeley In Trouble AGAIN

Started seeing reports from the University of Berkeley again this evening. Specifically 169.229.3.91 which has been observed trying to run shellcode against a rash of servers the last 2 weeks. The activity is very high today. Maybe the "Office of the President" at Berkeley can hire somebody to secure their network. Not that they have ever been breached or anything.

We have a history with reporting on activity at Berkeley. Search our archives for more information. 

Tuesday, May 24, 2016

Russia gets the jump with DMA Locker

Over the course of the last few days we have been monitoring the malware known as DMA locker. It appears as though Russia is building some really good capabilities for infecting workstations with zero detection currently in any of the antivirus products that we have tested.

In addition there is only 1 sample on Virustotal and none of the other vendors except MalwareBytes is even taking a look at this one.

As you can see below our analytics products are pointing squarely at Russia on this one. Keep your eyes out and check out our threat intelligence for more information.

Screenshot Courtesy of Jigsaw Security (www.jigsaw-security.com) 

Keep an eye on this one!

Thursday, February 25, 2016

Cornell University looks the other way

As part of a new initiative to notify users of leaked credentials, Jigsaw Security, a member of SLC Security, notified Cornell of a security issue. The response from Tom McMahon was interesting.

Quote:
"Stop scaring our users."

The interesting thing is that Cornell has been hacked numerous times as evidenced by the following: 
http://www.databreaches.net/u-of-hawaii-and-cornell-university-hacked-by-marxistattorney/ 
http://pastebin.com/GRTDZ6Ns
http://timesofindia.indiatimes.com/tech/it-services/Indian-student-in-Cornell-University-hacks-into-ICSE-ISC-database/articleshow/20450666.cms

We could go on and on but we can certainly understand their reluctance to respond to notifications. Hopefully the end users are more concerned about these disclosures than the administration. 

Saturday, February 20, 2016

American Museum of Natural History

Looks to us like information from this site has been pulled down by hackers. We are notifying the affected users...

Tuesday, January 19, 2016

Large Numbers of MIT Email accounts leaked

We have noted a large number of MIT-related email accounts showing up on Darknet forums and in leaks posted to paste sites.

The information posted includes 98 accounts and additional information. The information is verified as we have been able to get confirmation from several students and staff.

Sunday, January 17, 2016

Credit Suisse accounts start appearing online

We started noticing credit-suisse accounts showing up online this evening. Our system that collects information on compromised accounts started alerting to accounts at the firm. It is not known if the accounts detected are end user accounts or corporate accounts.

Wednesday, January 13, 2016

State of Virginia DHRM fails to respond to notification

On 1-7-2016 a researcher that assists Jigsaw Security noted some issues with documents posted on the DHRM website. A PDF posted by this organization contained information that was obfuscated by blocks, but it was a layered image, so if you edit the document the blocks can be removed and the original content is then visible.

The Jigsaw Security Operations Center sent a standard notification advising them of the issue but they have failed to respond to the request.

As of the posting of this article the document remains on the web1.dhrm.virginia.gov website and there has been no response from the contact, Nancy Tobin, identified as the document's author. Our email was not returned as undeliverable.

We can't show you the actual email because it would expose the actual issue but we did what we could to notify them of the issue. 


We notified them and followed up but got no response.


So basically they tried to do the right thing by blocking out personally identifiable information in these documents but the method used was inadequate. 

It is unknown if the individuals affected by this issue are still employed by the State of Virginia as we have not received any response to our inquiry.

Hopefully bringing this information to light will prevent this type of information disclosure in the future but the lack of response is troubling. 

UPDATE:
As of 14 January, 2016 a response was received indicating that the issue is being corrected.

"DHRM takes any possible data breach very seriously, and we wanted to notify you that measures are being taken to address the issue:

·         Removal of the referenced documents and links from DHRM’s servers so that data is no longer exposed that might impact employee privacy and security;
·         Software that has proper redacting capability supplied to users;
·         Staff training introduced to ensure that no lapses will occur in the future.

Thank you for bringing this matter to our attention."

Friday, January 8, 2016

2 Big Stories Next Week

We are currently reviewing 2 issues both of which are confirmed issues of PII and/or PHI data that we uncovered in the course of reading user submissions this week. Both involve some high profile entities of which neither has replied to our request for comments.

We have provided evidence of the issues to both and are awaiting any response.


Monday, December 21, 2015

Walmart Leaked Data Appearing Online

With the holiday season right around the corner we started noting posts on forums with a list of usernames and passwords. We have begun notifying the end users of the leaked information to see if we can verify if they're legitimate.

Of the 5 people that responded so far 3 of the accounts were legitimate and 2 were old login details that were no longer valid so the data looks somewhat dated. We are still notifying individuals of the leaked information.




Saturday, December 5, 2015

chaffey.edu Breached

A database containing the personal contact information at chaffey.edu was reported today. It appears through our research that the information is legitimate.

In addition to name and phone number, the breach also indicates if the employee is full or part time, departments and additional information that should not have been posted.

It's interesting watching as these organizations fall victim to SQLi attacks.

Friday, December 4, 2015

WakeMed again in the HIPAA Hot Seat

While I previously have taken down a post at the request of WakeMed I felt that I had to report this one. As reported on WRAL:

WRAL in North Carolina reports:
A Cary law firm has filed a motion against WakeMed, accusing the hospital of releasing patients’ private information, including Social Security numbers, making them susceptible to identity theft.
Cort Walker, a bankruptcy and civil business litigation attorney at Sasser Law Firm, said he noticed a problem while reviewing records WakeMed had filed to collect debts from former patients who had declared bankruptcy.
[…]
The law firm says it found 158 cases involving its clients dating back to 2013 where WakeMed violated federal bankruptcy code by including Social Security numbers, full dates of birth and medical records.
Read more on WRAL.

As they note in their report, and as noted in the motion for contempt, sanctions, and damages,  Duke University Health System had a similar situation three years ago. I had covered that breach at the time, and noted that it had been reported to HHS as a HIPAA breach. WakeMed will almost certainly report their incident to HHS, although depending on how many patients, total, have had their PHI exposed,  we may not see it in the public breach tool.

Like most HIPAA-covered entities, WakeMed has been noted on this site before. Most recently, in 2014, this site noted reports by SLC Security that WakeMed was leaking patient PHI and they had reached out to them and spoken to them, but the leaks persisted, and WakeMed did not respond to attempts by SLC Security or this site to alert them and get a response from them.  It is not known to this site whether WakeMed ever reported the alleged leaks to HHS, but there is no entry in HHS’s public breach tool.
Credit to DataBreaches.net for the heads up on this one. 
Previously we reported on a problem with communications from the EPIC system that is even more troubling. This entity continues to have issues. Maybe they should hire us to do a full assessment?

Grace Life Church Compromised

gracelifechurchct.com appears to be distributing malware and appears to have been compromised. Login to the Threat Intelligence portal for more information.

Tuesday, September 8, 2015

Goodbye Bloggers

As many of you know we have been running this site in a volunteering capacity for a while now. We have decided to shut down this blog and move everything to our commercial offering. That being said, don't expect any new posts on this blog.

If you would like more information on our offerings please call (919)441-7353 to subscribe.

While we enjoy volunteering our time it has occurred to us that we cannot sustain this, and in order to improve and grow we need to find more creative ways to get the word out and to support the analysts that spend hours protecting our customers.

Signing off... Kevin, Rick, Ashley, Michael, Kurt, Mark, Steven, Tommy and Ashley II...

If you want notifications you can join the alertfeeds list (heavily restricted) or you can visit our website in a few weeks and sign up for our commercial offering! Until then, chill out, grab a coffee, learn a new skill, take a break or go Kayaking...


Thursday, August 27, 2015

CONFIRMED BREACHED: August Benefits Inc - Attack on SLC Security

The following hosts have been detected as being potentially breached based on data from SLC Security owned and operated sensors. We have decided that we would start publishing a daily list to help these organizations get their network under control. While we believe these hosts to be breached they may also be involved in hacking attempts on other entities or may be used by hackers as a jump point to conduct other attacks. The following list is the bad entities for the last 24 hours. Our volunteers have detected the following attackers:

Our Security Operations Center has detected a US company attempting to hack into our network. We believe this host to be compromised and have sent a notification to August Benefits to alert them of the situation.

173.220.57.150 - Observed in Attacks

Tuesday, August 25, 2015

Alert Posted

A new critical alert was posted for SLC Security clients in regards to a new unknown APT like activity that was detected by the SOC. This activity has been ongoing for over a year so if you received the bulletin it may be a good time to check your networks and infrastructure.


Friday, August 21, 2015

Why did Ashley Madison lie about the data breach initially and who was responsible for the fake torrents that appeared?

So it's been nothing short of an interesting week for Ashley Madison and the information that has come out of the breach. Initially we reported that the data was incomplete but that was because the information we obtained was an earlier "purported" breach that had bad data in it. So the question then becomes where did that information come from? Also during this same time the Avid Life Media stated that full credit card data was not leaked.

Upon researching with one of our partner firms the public data shows only partial card numbers but the fact that the CEO's email was leaked in the 2nd wave of leaked data shows that the hacker(s) more than likely had access to everything or that it was an inside job.

Surprisingly some media has decided to share the information without redaction. We are not sure of the legal ramifications of doing so but it's very interesting to watch this play out. I would be willing to bet that a jilted spouse is either responsible for this activity or is actively supporting this activity.

What is interesting is that many attorneys are sure to be dancing with Joy at the influx of new cases heading their way and law firms responsible for protecting Ashley Madison will have jobs for the foreseeable future when the legal drums start beating.

We still wonder who is responsible for the previous data that was leaked as there are some crossover of data indicating that this may not have been the first time the company had been breached.

We are watching this as it unfolds...

Wednesday, August 12, 2015

US Government and Military Hacked by ISIS?

Absolutely. It's the same information I posted yesterday.

See this article - Click Here

Now we have seen information being leaked and cannot name individual companies at this time, but they are getting in through Government contractors. Information has been shared to confirm that they have actively stolen information on communications facilities and may have used that information in further attacks. We have 6 days left in our notification wait period and then we will post the information we received in our Threat Intelligence Platform to our subscribers.

Government contracting companies should start looking through their systems and get real security vendors to help them protect their networks.

Here we go again...

BREACH: habbo.nl

The system at www.habbo.nl has been compromised and user information has since been posted to several forums. The information on this incident is available in the SLC Security Services LLC threat intelligence platform.


SLC Security HIDS Client

SLC Security Services has developed a HIDS client that works with the open source MISP system (www.misp-project.org). The platform was designed with business and point-of-sale terminals in mind and comes with some really useful features such as: IP source and destination monitoring, MD5, SHA256 and SHA1 malware hash checking, as well as a feature to disconnect any compromised system or deny network access to any device that is detected going to any malicious sites present in the MISP platform.

The initial release will only be for our paying customers, with an open source version planned that will connect to ANY MISP server, allowing a company to use the open source product to protect their network assets. Currently the supported platforms are Windows 95, 98, NT, XP, 2000, 2008, Windows 7/8/10 and Linux (via a wrapper that is not included in the open source version). The open source version will be released on 1 September 2015 and the closed source version is now available to SLC Security Services LLC customers and business partners.

For more information please email the SOC for a 30 day trial of our MISP platform with integrated Host Intrusion Detection client. The free open source version will be posted to our GitHub account in early September.
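A minimal version of the hash and destination checks such a client performs, written here as an added example (not SLC Security's client and not MISP project code): it reads a constructed event in the JSON shape MISP exports, honours the to_ids flag, handles composite filename|hash attributes, and returns a verdict rather than enforcing it. The event values, file contents and destination addresses are all constructed.

```python
import hashlib
import json
import os
import tempfile

HASH_TYPES = {"md5", "sha1", "sha256"}
IP_TYPES = {"ip-dst", "ip-src"}
NAME_TYPES = {"domain", "hostname"}

# Constructed file content; its digest is computed here rather than typed in.
SAMPLE_BAD_CONTENT = b"constructed sample used only to exercise the hash check\n"
SAMPLE_BAD_SHA256 = hashlib.sha256(SAMPLE_BAD_CONTENT).hexdigest()

# Constructed event in the JSON shape MISP exports ("Event" -> "Attribute" list).
# The md5 in the composite attribute is the well-known digest of an empty file.
SAMPLE_EVENT_JSON = json.dumps({"Event": {
    "info": "constructed test event",
    "Attribute": [
        {"type": "sha256", "value": SAMPLE_BAD_SHA256, "to_ids": True},
        {"type": "filename|md5", "to_ids": True,
         "value": "dropper.exe|d41d8cd98f00b204e9800998ecf8427e"},
        {"type": "ip-dst", "value": "203.0.113.45", "to_ids": True},
        {"type": "domain", "value": "Malicious.Example", "to_ids": True},
        {"type": "ip-dst", "value": "203.0.113.99", "to_ids": False},
    ],
}})


def load_indicators(event_json):
    """Build lookup sets from the attributes MISP flags for detection (to_ids)."""
    ind = {"hash": set(), "ip": set(), "name": set()}
    for attr in json.loads(event_json)["Event"].get("Attribute", []):
        if not attr.get("to_ids"):
            continue  # context-only attributes never drive blocking
        atype, value = attr["type"], attr["value"]
        if "|" in atype:  # composite types such as filename|sha256 carry the hash last
            atype, value = atype.split("|", 1)[1], value.split("|", 1)[1]
        if atype in HASH_TYPES:
            ind["hash"].add(value.lower())
        elif atype in IP_TYPES:
            ind["ip"].add(value.strip())
        elif atype in NAME_TYPES:
            ind["name"].add(value.lower().rstrip("."))
    return ind


def hash_file(path):
    """Return the MD5, SHA1 and SHA256 hex digests of a file, read in chunks."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def check_file(path, indicators):
    """Return the hash algorithms whose digest of this file is a known indicator."""
    return [n for n, hexd in hash_file(path).items() if hexd in indicators["hash"]]


def check_connection(dst_ip, dst_name, indicators):
    """Return "deny" when the destination IP or name is a known indicator."""
    if dst_ip in indicators["ip"]:
        return "deny"
    if dst_name and dst_name.lower().rstrip(".") in indicators["name"]:
        return "deny"
    return "allow"


def evaluate_host(file_paths, connections, indicators):
    """One verdict per host: a hash hit means compromised (the disconnect case),
    a connection hit alone only lists the (dst_ip, dst_name) pairs to deny."""
    hits = {p: check_file(p, indicators) for p in file_paths}
    hits = {p: h for p, h in hits.items() if h}
    denied = [c for c in connections if check_connection(*c, indicators) == "deny"]
    return {"compromised": bool(hits), "hash_hits": hits, "deny": denied}


def demo():
    """Run the checks over constructed files written to a temporary directory."""
    ind = load_indicators(SAMPLE_EVENT_JSON)
    workdir = tempfile.mkdtemp(prefix="misp-hids-")
    paths = {}
    for name, content in (("bad.bin", SAMPLE_BAD_CONTENT),
                          ("dropper.exe", b""), ("clean.txt", b"harmless\n")):
        paths[name] = os.path.join(workdir, name)
        with open(paths[name], "wb") as fh:
            fh.write(content)
    conns = [("203.0.113.45", None), ("203.0.113.99", None),
             ("198.51.100.7", "Malicious.Example."), ("198.51.100.7", "updates.example")]
    verdict = evaluate_host(list(paths.values()), conns, ind)
    verdict["files"] = {name: check_file(p, ind) for name, p in paths.items()}
    return verdict
```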

Screenshot of threat detection (this was just a test)

Minimal Hardware Resources Required (4MB of RAM)




Tuesday, August 11, 2015

Large Telecommunications Company Appears to have been Breached

SLC Security researchers have located information indicating that a large telecommunications company servicing Government clients has had a database compromised. We are in the process of notifying the affected company and will wait our standard 7 days until we release the information that we have located.

Notifications Sent: 8-11-2015

After further review it appears as though the information found may also impact a large Government contractor. Additional research is currently being performed but it appears as though the leaked information is confirmed based on OSINT research that was conducted earlier.

Related Article: http://www.nbcnews.com/storyline/isis-terror/isis-group-claims-have-hacked-information-military-personnel-n408236

8-12-2015: As of 8-12-2015 none of the notified entities have responded to our notification. We will wait 6 more days before posting the entities involved giving them time to perform remediation on any issues they may have discovered as part of this incident. 

8-19-2015: None of the notified entities have responded. SLC Security Services LLC has posted information concerning the release of proprietary information from Zayo concerning facilities in Northern Virginia to our Threat Intelligence Platform.

For a trial of our threat intelligence platform please visit www.slcsecurity.com.


Monday, August 10, 2015

Recent Attackers

Seems these attackers would like to be blocked on 400+ corporations networks.


Sunday, August 9, 2015

OMB Credit Monitoring Failure

It has come to our attention that many of the affected individuals have not been able to sign up for credit monitoring. As part of the CSID program that was setup after the OMB breach potentially thousands of former contractors and employees are not being covered or have not received a PIN number to register for credit monitoring. In addition the system is a best effort attempt to reach affected individuals.

Several of our staff members who are active duty and reserve, employees and contractors have not been notified even though the addresses last used on SF-86's are up to date.

This is troubling in that unless you are still contracting they seem to have forgotten or have failed to notify said individuals.

Some people that have never had clearances or have never even applied for a clearance have been notified and are also scratching their heads.

One individual that has held at least a secret clearance since 1992 through this year has not received a notification. The question then becomes how are they determining if your information was stolen or if you are affected. Based on the provided time frame put out by the media this individual should have been affected since not only did they hold a DOD clearance but were also a former Federal Employee as well as active duty military and subsequently an Active Ready Reservist during the times indicated by OMB.

It seems as though OMB has turned their backs on some people either in an attempt to save money or because they simply don't care. This looks all too familiar to how private industry has handled breaches and is quite alarming.




Wednesday, August 5, 2015

Are we tired of this already??? - A look at the notorious Inbound Fax Messages

As most of you already know the incoming fax messages that show up in your email are infected. Many admins already block the content (as do we). Over the past few years we have noted several different malware variants being emailed into organizations in this way so we wanted to revisit it.
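The checks a receiving gateway can apply to a message like the one quoted below, as an added example (not the blog's own tooling and not the SpamAssassin rules shown in the report): it runs over a constructed copy of the quoted header next to a constructed clean message. OUR_DOMAIN and OUR_MX_NAMES are assumptions, and the SPF HELO lookup itself needs DNS, so it is replaced by an offline comparison of the HELO and envelope-sender domains.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

OUR_DOMAIN = "slcsecurity.com"          # assumption: the receiving organisation's domain
OUR_MX_NAMES = {"www.slcsecurity.com"}  # assumption: hosts whose Received lines we wrote
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed copy of the header quoted in this post, trimmed to the fields used.
RAW_FAX = """\
Received: from [116.58.202.20] (port=52406 helo=banglalinkgsm.com)
 by www.slcsecurity.com with esmtp (Exim 4.85)
 (envelope-from <hqkojrw@brainspinepro.com>)
 id 1ZKqKh-0003xS-Pv; Thu, 30 Jul 2015 12:05:29 -0400
Received: from 9197.slcsecurity.com (10.34.222.15) by slcsecurity.com (10.0.0.89)
 with Microsoft SMTP Server id 2Z31JORQ; Thu, 30 Jul 2015 21:11:59 +0600
Date: Thu, 30 Jul 2015 21:11:59 +0600
From: "Incoming Fax" <Incoming.Fax@slcsecurity.com>
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-SCL: -1
To: docs8@slcsecurity.com
Subject: Incoming Fax

INCOMING FAX REPORT (constructed body, attachment omitted)
"""

# Constructed legitimate external message for comparison (example.net is made up).
RAW_CLEAN = """\
Received: from mail.example.net ([192.0.2.10] helo=mail.example.net)
 by www.slcsecurity.com with esmtp (Exim 4.85)
 (envelope-from <alice@example.net>)
 id 1ABCDE-000001-AA; Thu, 30 Jul 2015 12:10:00 -0400
From: Alice <alice@example.net>
To: docs8@slcsecurity.com
Subject: Invoice question

Hello, constructed body.
"""


def _domain(addr_or_host):
    """Last two labels of an address's domain or of a hostname, lowercased."""
    return ".".join(addr_or_host.rsplit("@", 1)[-1].lower().split(".")[-2:])


def _is_internal(ip):
    """True for RFC 1918 space (ipaddress.is_private would also flag TEST-NET)."""
    return ip is not None and any(ipaddress.ip_address(ip) in n for n in INTERNAL_NETS)


def parse_received(value):
    """Pull connecting IP, HELO name, envelope sender and 'by' host from one hop."""
    value = " ".join(value.split())  # unfold the header
    ips = IP_RE.findall(value)
    helo = re.search(r"helo=([^\s)]+)", value)
    env = re.search(r"envelope-from\s*<([^>]+)>", value)
    by = re.search(r"\bby\s+(\S+)", value)
    return {"from_ip": ips[0] if ips else None,
            "helo": helo.group(1).lower() if helo else None,
            "envelope_from": env.group(1) if env else None,
            "by": by.group(1).lower() if by else None}


def analyze(raw):
    """Return finding codes for a raw message; [] means nothing suspicious."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    # Only the topmost Received line was written by our MX; every line below it
    # arrived inside the message and is whatever the sender chose to put there.
    if not hops or hops[0]["by"] not in OUR_MX_NAMES:
        return ["NO_TRUSTED_RECEIVED"]
    entry, findings = hops[0], []
    external = not _is_internal(entry["from_ip"])
    from_dom = _domain(parseaddr(msg.get("From", ""))[1] or "")
    env_dom = _domain(entry["envelope_from"]) if entry["envelope_from"] else ""
    if from_dom and env_dom and from_dom != env_dom:
        findings.append("FROM_ENVELOPE_MISMATCH")    # cf. HEADER_FROM_DIFFERENT_DOMAINS
    if external and from_dom == OUR_DOMAIN:
        findings.append("OWN_DOMAIN_FROM_EXTERNAL")  # our own name on mail from outside
    if entry["helo"] and env_dom and _domain(entry["helo"]) != env_dom:
        findings.append("HELO_ENVELOPE_MISMATCH")    # offline stand-in for SPF_HELO_FAIL
    if external and any(_is_internal(h["from_ip"]) or (h["by"] or "").endswith(OUR_DOMAIN)
                        for h in hops[1:]):
        findings.append("FORGED_INTERNAL_RECEIVED")  # sender-supplied "internal" hop
    if external and any(k.lower().startswith("x-ms-exchange-organization-") for k in msg.keys()):
        findings.append("ORG_HEADERS_FROM_EXTERNAL")  # should be stripped at the boundary
    return findings
```

The forged internal hop and the X-MS-Exchange-Organization-* headers are what let the message claim to be an internal fax delivery; a gateway that strips those headers on inbound mail removes that lever.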

Let's look at the message (some items redacted)
From hqkojrw@brainspinepro.com Thu Jul 30 12:05:30 2015
Received: from [116.58.202.20] (port=52406 helo=banglalinkgsm.com)
 by www.slcsecurity.com with esmtp (Exim 4.85)
 (envelope-from <hqkojrw@brainspinepro.com>)
 id 1ZKqKh-0003xS-Pv; Thu, 30 Jul 2015 12:05:29 -0400
Received: from 9197.slcsecurity.com (10.34.222.15) by slcsecurity.com (10.0.0.89) with Microsoft SMTP Server id 2Z31JORQ; Thu, 30 Jul 2015 21:11:59 +0600
Date: Thu, 30 Jul 2015 21:11:59 +0600
From: "Incoming Fax" <Incoming.Fax@slcsecurity.com>
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator: <31DA69X079P7LBBJSZI4VZ7CIPTWMO758HB32B@slcsecurity.com>
X-MS-Exchange-Organization-AuthSource: N1H9TKQAUB454EE@slcsecurity.com
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 08
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;8;0;0 0 0
X-Priority: 3 (Normal)
Message-ID: <M3GL0YSLTX1N4Q9Q9OBT1X1PMHSYE0S37QZ6GW@slcsecurity.com>
To: docs8@slcsecurity.com
Subject: Incoming Fax
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----=_Next_13154_4863437313.0814823955998"
X-Spam-Status: No, score=0.3
X-Spam-Score: 3
X-Spam-Bar: /
X-Ham-Report: Spam detection software, running on the system "www.slcsecurity.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 
 Content preview:  INCOMING FAX REPORT Date/Time: Thu, 30 Jul 2015 21:11:59
   +0600 Speed: 4393bps Connection time: 03:07 Pages: 5 Resolution: Normal Remote
    ID: 496-347-5344 Line number: 2 DTMF/DID: Description: Internal only [...]
    
 
 Content analysis details:   (0.3 points, 5.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                             domains are different
  0.0 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
 [SPF failed: Please see http://www.openspf.org/Why?s=helo;id=banglalinkgsm.com;ip=116.58.202.20;r=www.slcsecurity.com]
 -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                             [score: 0.0000]
  0.0 RCVD_IN_MSPIKE_BL      Mailspike blacklisted
  0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
  1.4 RCVD_IN_MSPIKE_ZBI     No description available.
X-Spam-Flag: NO
X-BoxTrapper-Match: white: 99: incoming.fax@slcsecurity.com

------=_Next_13154_4863437313.0814823955998
Content-Type: text/plain; 
Content-Transfer-Encoding: 8bit

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: Thu, 30 Jul 2015 21:11:59 +0600
Speed: 4393bps
Connection time: 03:07
Pages: 5
Resolution: Normal
Remote ID: 496-347-5344
Line number: 2
DTMF/DID:
Description: Internal only

To download / view please download attached file

*********************************************************

------=_Next_13154_4863437313.0814823955998
Content-Type: application/zip; name="Incoming Fax_496-347-5344.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Incoming Fax_496-347-5344.zip"


As you can see the message makes it through the spam filter. It also makes it by boxtrapper without detection because of the spoofed domain. So let's have a look and see what we can find out about the incoming "fax" message. 
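One defensive check for the pattern above, written as an added example and not the blog's or SLC Security's own tooling: it parses the visible headers and flags a From address that claims the local domain but arrived from an external host with a different envelope sender, a recorded SPF HELO failure, and a fax-themed archive attachment. The trimmed sample message, the analyze() function and the local-domain value are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address
# Constructed sample: header and attachment lines of the "Incoming Fax"
# message above, trimmed to the fields the checks need.
SAMPLE = """\
Received: from [116.58.202.20] (port=52406 helo=banglalinkgsm.com)
 by www.slcsecurity.com with esmtp (Exim 4.85)
 (envelope-from <hqkojrw@brainspinepro.com>)
From: "Incoming Fax" <Incoming.Fax@slcsecurity.com>
Subject: Incoming Fax
X-Ham-Report: Spam detection software has NOT identified this email as spam.
  0.0 SPF_HELO_FAIL          SPF: HELO does not match SPF record (fail)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip; name="Incoming Fax_496-347-5344.zip"
Content-Disposition: attachment; filename="Incoming Fax_496-347-5344.zip"

--b1--
"""

def domain_of(addr):
    # Lower-cased domain of an address string, '' when there is none.
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def analyze(raw, local_domain):
    # Returns the reasons a message looks like a spoofed-internal fax lure.
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    # The first Received header was added by our own MTA: the real source hop.
    outer = (msg.get_all("Received") or [""])[0].replace("\n", " ")
    env = re.search(r"envelope-from <([^>]+)>", outer)
    env_dom = env.group(1).rpartition("@")[2].lower() if env else ""
    src = re.search(r"from \[(\d{1,3}(?:\.\d{1,3}){3})\]", outer)
    if from_dom == local_domain:
        if env_dom and env_dom != local_domain:
            findings.append(f"From claims {local_domain} but envelope sender is {env_dom}")
        if src and not ip_address(src.group(1)).is_private:
            findings.append(f"internal From delivered by external host {src.group(1)}")
    # The filter said 'ham', but its rule list still records the SPF failure.
    if "SPF_HELO_FAIL" in " ".join(msg.get_all("X-Ham-Report", [])):
        findings.append("SPF HELO check failed")
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    risky = [n for n in names if n.lower().endswith((".zip", ".exe", ".scr"))]
    if risky and "fax" in msg.get("Subject", "").lower():
        findings.append("fax-themed lure with archive/executable attachment: " + ", ".join(risky))
    return findings
```

Any one finding alone is weak; the combination of an internal-looking From, an external source and a failed HELO check is what the BoxTrapper whitelist above missed.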

A phone number appears as 496-347-5344. Well we can tell you right off that if this is an SLC Security Services employee we must have an office in cyberspace somewhere because area code 496 doesn't exist. This just goes to show that these actors are blindly making up information to try and make it look legit. Normally I would just stop here but let's keep going and have a closer look. 

The source of the message is 116.58.202.20 so let's look and see what SLC Security Services LLC Threat Intelligence Platform knows about this IP. 

So after a quick search by IP source here is what we find:

Event ID: 454
Org: SLC Security Services LLC
Email: soc@slcsecurity.com
Tags: TLP:AMBER
Source: Malware
Description: Upatre Sample Received by Customers

So as you can see it's not the first time we have seen this particular malware from this source. 

Let's look at the binary attachment:

When we send this to the sandbox, the file is immediately identified as a threat:
Incoming Fax_496-347-5344.zip
Submitted on August 3rd 2015 17:27:24 (CDT) with target system Windows 7 32 bit
Report generated by VxStream Sandbox v2.10 © Payload Security

41/55 Antivirus vendors marked sample as malicious (74% detection rate)

Filename Incoming Fax_496-347-5344.zip
Size 47KiB (47616 bytes)
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Architecture 32 Bit

We are so over these incoming fax messages...

Monday, August 3, 2015

AshleyMadison data appearing in the underground

Our researchers have started uncovering large amounts of information possibly from the AshleyMadison breach. We have identified several files containing the name, phone number and billing information as well as profile locations on the Ashley Madison website over the last several hours.

It appears as though information on some of the high-frequency users of the system is starting to be posted, so we are watching to see if a full dump of the stolen data appears.

UPDATE 8/5/2015:
As of today we have not seen a full dump of data, only very specific information on high-frequency users of the system. We are seeing some additional personal information being posted as well, such as employment information, which may be an attempt to ruin the person's reputation. This makes sense, as the attacker had stated via Twitter that he wanted to get back at the immoral use of these sites.

If we see any additional information we will be posting it to our Threat Intelligence Platform. If you would like to get access to our threat intelligence platform please go to http://ui.slcsecurity.com/ and click on create an account. This service is only available to paid subscribers or trusted industry partners.

Thursday, July 23, 2015

Potentially Breached Entities (From Sensor Data) - 7-23-2015 6:44PM EST

The following hosts have been detected as being potentially breached based on data from SLC Security owned and operated sensors. We have decided that we would start publishing a daily list to help these organizations get their networks under control. While we believe these hosts to be breached, they may also be involved in hacking attempts on other entities or may be used by hackers as a jump point to conduct other attacks. The following list is the bad entities for the last 24 hours. Our volunteers have detected the following attackers:

  • doa.la.gov - Confirmed breached
  • bonescan.bidmc.harvard.edu - Confirmed breached

We have previously reported on Harvard and now they are serving up APT29 malware samples. I would seriously hope they start to contain their incidents or we will be forced to start blocking them via DNS at client sites. 


UPDATE:
It appears as though doa.la.gov has removed the infected file and bonescan.bidmc.harvard.edu has been removed from DNS records, so it's no longer accessible.

Tuesday, July 21, 2015

Potentially Breached Entities (From Sensor Data) - 7-21-2014 11:19PM EST

The following hosts have been detected as being potentially breached based on data from SLC Security owned and operated sensors. We have decided that we would start publishing a daily list to help these organizations get their networks under control. While we believe these hosts to be breached, they may also be involved in hacking attempts on other entities or may be used by hackers as a jump point to conduct other attacks. The following list is the bad entities for the last 24 hours. Our volunteers have detected the following attackers:


  • University of California - San Diego, CA (Multiple Systems Detected)
  • Duluth Holiday Inn Gwinnett (Still owned)

An interesting note is that there is a node with reverse DNS of fbi-vps hosted in the data center of Data Shack in North Kansas City, MO. It was also seen by 3 other companies in the last 24 hours according to our stats.

Wednesday, July 15, 2015

Potentially Breached Entities (From Sensor Data) - 7-15-2014 2:59 (M EST

The following hosts have been detected as being potentially breached based on data from SLC Security owned and operated sensors. We have decided that we would start publishing a daily list to help these organizations get their networks under control. While we believe these hosts to be breached, they may also be involved in hacking attempts on other entities or may be used by hackers as a jump point to conduct other attacks. The following list is the bad entities for the last 24 hours. Our volunteers have detected the following attackers:

  • Concord Consortium - Concord, MA
  • American Credit Card - Huntington, NY
  • Atlas Professional Services - Tampa, FL
  • Grand Plaza Owners LLC - Plano, TX

We have not notified the individual companies but we have archived the logs if needed.

Tuesday, July 14, 2015

BREACHED: University of Maryland Serving up CVE-2015-5119??? I sure hope not! - UPDATED

An analyst reported to us today that University of Maryland is serving up exploits for CVE-2015-5119. That's not good, but we have alerted on University of Maryland issues in the past. Looks like somebody else has been inside for a while now.

I haven't personally looked into this but I trust my source.

Update: After I found a few minutes to review, this is in fact infected. Notifying University of Maryland to see if we can get a response.

UPDATE: It looks like they have removed the malicious SWF file from their servers as of 2:20PM EST.


Potentially Breached Entities (From Sensor Data) - 7-14-2014 1:32 AM EST

The following hosts have been detected as being potentially breached based on data from SLC Security owned and operated sensors. We have decided that we would start publishing a daily list to help these organizations get their networks under control. While we believe these hosts to be breached, they may also be involved in hacking attempts on other entities or may be used by hackers as a jump point to conduct other attacks. The following list is the bad entities for the last 24 hours. Our volunteers have detected the following attackers:

  • American Industrial Partners - New York
  • Micro-Globe ITS - Raleigh 


Well that's all for today... Hope you're all having a great work week!