Cyber News 17NOV2025
General
- Android performance flagging might help with malware identification. Try to do too much in the background, and apps will get a battery-usage warning banner in the Play store.
- After earlier announcing that all apps must come from developer accounts with verified identities (even those installed outside the Play store), Google has - at least partially - backed down.
"This will allow you to distribute your creations to a limited number of devices without going through the full verification requirements."
- https://android-developers.googleblog.com/2025/11/android-developer-verification-early.html
- https://developer.android.com/developer-verification/guides/early-access#expandable-1
- https://www.bleepingcomputer.com/news/google/google-backpedals-on-new-android-developer-registration-rules/
- Another hilariously bad Fortinet fail. What year is it again?
"send HTTP POST requests to the /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi Fortinet endpoint to create local admin-level accounts."
- https://www.pwndefend.com/2025/11/13/suspected-fortinet-zero-day-exploited-in-the-wild/
- https://www.bleepingcomputer.com/news/security/fortiweb-flaw-with-public-poc-actively-exploited-to-create-admin-users/
- https://www.bleepingcomputer.com/news/security/fortinet-confirms-silent-patch-for-fortiweb-zero-day-exploited-in-attacks/
- https://www.theregister.com/2025/11/14/fortinet_active_exploit_cve_2025_64446/
- Performance-optimisation in ransomware - Kraken checks if the computer is fast enough for full-file-encryption, otherwise falls back to partial encryption.
- Copycat malware in NPM. After Shai-Hulud then GlassWorm, attackers have realised that self-replication in package dependencies is an easy target.
- https://aws.amazon.com/blogs/security/amazon-inspector-detects-over-150000-malicious-packages-linked-to-token-farming-campaign/
- https://www.bleepingcomputer.com/news/security/new-indonesianfoods-spammer-floods-npm-with-150-000-packages/
- https://www.endorlabs.com/learn/the-great-indonesian-tea-theft-analyzing-a-npm-spam-campaign
- https://www.theregister.com/2025/11/14/selfreplicating_supplychain_attack_poisons_150k/
- https://socket.dev/blog/tea-protocol-spam-floods-npm-but-its-not-a-worm
- Yet another crim uses Brian Krebs' name in their branding - this time a vishing panel.
- [AU] Social media companies preparing for the teen social media ban - guess first, use age-assurance apps if challenged.
- [RU] Moscow Internet disrupted for 8 hours - could be an attack, more likely just human error.
- [US/CN] Chinese-speaking scammers using fake surgery invoice to extract information and funds.
- [US] Targeting the weak link in the North Korean IT Worker scheme - identities and bank accounts. US DoJ announces five guilty pleas. US$15m in stablecoin seized.
- https://www.justice.gov/opa/pr/justice-department-announces-nationwide-actions-combat-illicit-north-korean-government
- https://www.bleepingcomputer.com/news/security/five-plead-guilty-to-helping-north-koreans-infiltrate-us-firms/
- https://techcrunch.com/2025/11/14/five-people-plead-guilty-to-helping-north-koreans-infiltrate-us-companies-as-remote-it-workers/
- https://therecord.media/multiple-us-nationals-guilty-pleas-north-korean-it-worker-scams
- [US] More attention is starting to be paid to Starlink's use in scam compounds in Myanmar and Cambodia.
"A linked affidavit, written by FBI investigators, claims that the Starlink devices and accounts played a “substantial role” in an alleged money laundering and wire fraud operation targeting US citizens."
- (Wired) https://archive.is/7Y78b
Getting Techy
- Using the old 'finger' protocol for early-stage malware delivery. Might bypass some filtering.
- watchTowr Labs pulls apart the latest Fortinet vulnerability. Fortinet definitely implements defence-in-depth...right? 🤦🏻‍♀️
- Unit 42 looks at a Chinese-targeted set of attacks, impersonating Chinese brands. Lots of domains, very small number of IPs.
Geo-Politics
- [AU] West-coast submarine base gets three new subsea Internet cables
- [CN] Countries need to consider not just the availability of critical (e.g. rare-earth) minerals, but also the sourcing of the equipment used in their extraction and refinement.
- [TH] Mystery Russian national detained in Thailand at the behest of the US. Possibly a GRU officer.
- [RU/UA] DDoS attacks on Russian port operator, aimed at disrupting Russian finances
- [RU/UA] Overview of the drones being used in the Russia/Ukraine conflict, with visuals and reference sizes.
- [LV] Europe looking at their own anti-drone capabilities
Privacy
- [EU] Pushback on the EU's overhaul of GDPR (including carve-outs for AI training).
- [US] OpenAI fights massive legal over-reach in New York Times case
"To be clear: anyone in the world who has used ChatGPT in the past three years must now face the possibility that their personal conversations will be handed over to The Times to sift through at will in a speculative fishing expedition"
- (Reuters) https://archive.is/fsbcP
- [US] Warnings that ICE is using the National Law Enforcement Telecommunications System (NLETS) to access state data on residents, including Department of Motor Vehicles (DMV) records.
AI
- Anthropic claims a Chinese state-sponsored threat actor was able to automate 80-90% of a hacking campaign. Scepticism abounds.
"Claude frequently overstated findings and occasionally fabricated data during autonomous operations, claiming to have obtained credentials that didn’t work or identifying critical discoveries that proved to be publicly available information."
- (Anthropic) https://archive.is/7f58i
- https://assets.anthropic.com/m/ec212e6566a0d47/original/Disrupting-the-first-reported-AI-orchestrated-cyber-espionage-campaign.pdf
- https://arstechnica.com/security/2025/11/researchers-question-anthropic-claim-that-ai-assisted-attack-was-90-autonomous/
- https://www.bbc.com/news/articles/cx2lzmygr84o
- https://www.bleepingcomputer.com/news/security/anthropic-claims-of-claude-ai-automated-cyberattacks-met-with-doubt/
- https://www.cybersecuritydive.com/news/anthropic-state-actor-ai-tool-espionage/805550/
- https://therecord.media/chinese-hackers-anthropic-cyberattacks
- https://www.theregister.com/2025/11/13/chinese_spies_claude_attacks/
- [CN] Baidu launches the latest in Chinese sovereign AI-chip capabilities. They also announced the massive Ernie 5.0 model with 2.4T parameters.
- [US] Microsoft pushing to use AI to speed up compliance paperwork for nuclear reactors - what could possibly go wrong?