Cyber News 21NOV2025
General
- It took ten years from when they set up, but the Samourai Wallet cryptocurrency-mixer CEO (Rodriguez) and CTO (Hill) are both going to prison (five and four years respectively). They actively encouraged use of the service for cleaning dirty cryptocurrency:
a user asked about the most “secure methods to clean dirty BTC” to make it “untraceable, clean” and ensure the user would “never get caught.” HILL responded by writing that “Samourai Whirlpool is a much better option”
In a WhatsApp exchange, when asked to explain the concept of “mixing,” RODRIGUEZ described the process as “money laundering for bitcoin.”
- https://www.justice.gov/usao-sdny/pr/founders-samourai-wallet-cryptocurrency-mixing-service-sentenced-five-and-four-years
- https://www.bleepingcomputer.com/news/security/samourai-cryptomixer-founders-sent-to-prison-for-laundering-over-237-million/
- https://therecord.media/samourai-wallet-crypto-mixer-founders-sentenced
- ShinyHunters have their next pathway to Salesforce data - Gainsight, another third-party integration, much like the earlier Salesloft Drift campaign.
- https://status.salesforce.com/generalmessages/20000233
- https://www.linkedin.com/posts/austin-larsen_trust-status-activity-7397331617578610690-8FmH/
- https://databreaches.net/2025/11/20/threat-actors-have-reportedly-launched-yet-another-campaign-involving-an-application-connected-to-salesforce/
- https://www.bleepingcomputer.com/news/security/salesforce-investigates-customer-data-theft-via-gainsight-breach/
- https://www.theregister.com/2025/11/20/salesforce_gainsight_breach/
- https://techcrunch.com/2025/11/20/salesforce-says-some-of-its-customers-data-was-accessed-after-gainsight-breach/
- The dangers of staff exiting the organisation: it's taken 4.5 years, but justice has caught up with a contractor who reset ~2,500 credentials.
- [US] As mentioned in the 19NOV2025 news, the FCC has voted on its security interpretation of CALEA, and the Biden-era ruling has been reversed. We'll need to look elsewhere to ensure telcos take security seriously in the face of the Salt Typhoon (CN) attacks.
Getting Techy
- Searchlight Cyber uncover a pre-authentication Remote Code Execution (RCE) in Oracle Identity Manager.
- Another Android banking trojan. It uses screen-reader (accessibility) features to read on-screen text from messaging apps (end-to-end encryption, of course, means the data is readable at one of those ends), overlays to capture inputs, VNC for screen-sharing, and a full-screen fake OS-update overlay to hide the operator's actions on the device.
- Google Threat Intelligence takes a look at the evolution of APT24 (CN) - nothing fancy here, sorry!
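The combination the trojan above relies on (an enabled accessibility service plus the "draw over other apps" grant) is cheap to check for on a handset you have in hand. The triage script below is an added example, not code from the news item or any vendor; it parses the output of two real adb commands (`settings get secure enabled_accessibility_services` and `appops query-op SYSTEM_ALERT_WINDOW allow`) and flags packages that hold both. The package name `com.update.system`, the sample adb output and the allowlist are all constructed for the demonstration.

```python
"""Added triage helper: flag Android packages that have an enabled accessibility
service and also hold the SYSTEM_ALERT_WINDOW (overlay) grant."""
import re
import subprocess

# Hypothetical allowlist of packages whose accessibility services are expected
# on a managed device; an organisation would build its own from MDM inventory.
KNOWN_GOOD_A11Y = {
    "com.google.android.marvin.talkback",
}

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (colon-separated ComponentName strings, package/class). "com.update.system" is an
# invented package name standing in for a sideloaded trojan.
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.update.system/.SvcA11y"
)

# Constructed sample of `adb shell appops query-op SYSTEM_ALERT_WINDOW allow`
# (one package per line that currently holds the overlay grant).
SAMPLE_OVERLAY = "com.android.systemui\ncom.update.system\n"


def parse_a11y_services(text):
    """Return {package: [service_class, ...]} from the settings value.
    The value is 'null' when nothing is enabled; that yields an empty dict."""
    out = {}
    for comp in text.strip().split(":"):
        if "/" not in comp:
            continue
        pkg, cls = comp.split("/", 1)
        if cls.startswith("."):          # Android allows the 'pkg/.Relative' shorthand
            cls = pkg + cls
        out.setdefault(pkg, []).append(cls)
    return out


def parse_overlay_packages(text):
    """Return the set of package names listed by appops query-op."""
    return {ln.strip() for ln in text.splitlines() if re.fullmatch(r"[\w.]+", ln.strip())}


def triage(a11y_text, overlay_text, allowlist=KNOWN_GOOD_A11Y):
    """Return {package: [reasons]} for every non-allowlisted package with an
    enabled accessibility service; note when it also holds the overlay grant."""
    findings = {}
    overlays = parse_overlay_packages(overlay_text)
    for pkg, classes in parse_a11y_services(a11y_text).items():
        if pkg in allowlist:
            continue
        reasons = ["unexpected accessibility service: " + ", ".join(classes)]
        if pkg in overlays:
            reasons.append("also holds SYSTEM_ALERT_WINDOW (can draw fake screens over other apps)")
        findings[pkg] = reasons
    return findings


def collect_live():
    """Pull both values from a USB-attached device (assumes adb on PATH and a
    single authorised device); returns (a11y_text, overlay_text)."""
    def sh(*args):
        return subprocess.run(["adb", "shell", *args], capture_output=True,
                              text=True, check=True).stdout
    return (sh("settings", "get", "secure", "enabled_accessibility_services"),
            sh("appops", "query-op", "SYSTEM_ALERT_WINDOW", "allow"))


if __name__ == "__main__":
    # Run against the constructed samples; swap in collect_live() for a real device.
    for pkg, reasons in triage(SAMPLE_A11Y, SAMPLE_OVERLAY).items():
        print(pkg)
        for reason in reasons:
            print("  -", reason)
```

A package that only trips the first reason may be a legitimate automation or screen-reader app you have not allowlisted yet; one that trips both is worth pulling the APK for, since the overlay grant is what makes the fake "system update" screen possible.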
Geo-Politics
- [RU] Going after game developers because they don't like the narrative - S.T.A.L.K.E.R. developer labelled an 'undesirable organisation'.
- [UA] Ukraine jamming Russian air-launched ballistic missiles
- [US] Questions over a 'crash' at an ICE facility that wiped out two weeks' worth of footage, the day after a lawsuit was filed.
- [US] Scientific process is being undermined - CDC is now posting debunked science.
- [US] Four people charged with smuggling export-controlled advanced chips (Nvidia Blackwell) to China in breach of US export controls.
- (Wired) https://archive.is/jfFt3
Privacy
- [US] Unsurprising - once US venture capital bought NSO, the obvious move was to wind back US restrictions on the platform. It doesn't hurt to appoint a CEO aligned with the current administration.
AI
- Aiming to spoil Google's Gemini party, OpenAI releases GPT-5.1 Codex, designed for agentic coding on long-running tasks.
- A little NSFW - Grok's been tweaked (4.1 release?) to say that Musk is the best at everything.