Cyber News 25NOV2025
General
- An effort to fight bad security advice - Hacklore. See The Letter for the list of names behind the project.
Hacklore is a blend of hacking and folklore—modern urban legends about digital safety ... But like most folklore, it isn’t grounded in reality, no matter how plausible it sounds. Hacklore focuses on preventing dramatic, spy-thriller-style attacks, not the everyday threats the average person actually encounters.
Hacklore.org exists to separate myth from reality.
- https://www.hacklore.org/
- https://www.hacklore.org/letter
- https://www.theregister.com/2025/11/24/hacklore_launch/
- Package repository worms - the gift that keeps on giving.
A second wave of "Shai-Hulud" attacks on npm, now called "Sha1-Hulud: The Second Coming". Socket lists 553 impacted packages.
At publishing time, GitHub returned 27,600 results corresponding to entries related to the recent attack.
- https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
- https://socket.dev/blog/shai-hulud-strikes-again-v2
- https://www.bleepingcomputer.com/news/security/shai-hulud-malware-infects-500-npm-packages-leaks-secrets-on-github/
- https://www.theregister.com/2025/11/24/shai_hulud_npm_worm/
- Salesforce/Gainsight update - Scattered Lapsus$ Hunters (SLH) appear to have compromised the data of quite a few organisations.
Google Threat Intelligence Group said that the company “is aware of more than 200 potentially affected Salesforce instances.”
The hacking group claimed responsibility for hacks affecting Atlassian, CrowdStrike, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.
- Brian Krebs digs into the cheap Android TV boxes being sold in major US stores. They offer free pay-TV streaming for a single up-front payment, but the real cost is your privacy and your bandwidth.
the Superbox devices immediately contacted a server at the Chinese instant messaging service Tencent QQ, as well as a residential proxy service called Grass IO.
“This thing DNS hijacked my router, did ARP poisoning to the point where things fall off the network so they can assume that IP, and attempted to bypass controls”
- 404 Media looks at the ways people are monetising social-media accounts that target US viewers from outside the US. Unsurprisingly it's (almost?) all AI slop. Pivots off the recent X experiment showing account locations.
- Multiple vulnerabilities found in the popular open-source "Logs, Metrics and Traces processor" Fluent Bit (a sub-project of Fluentd). Worst case, chaining them could lead to a Kubernetes cluster takeover.
a single compromised log agent can cascade into full node and cluster takeover
- https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover
- https://www.theregister.com/2025/11/24/fluent_bit_cves/
- More impressive quality-control from Microsoft - Windows 11 24H2 package-registration-timing bug causing crashes.
- [NZ] Nerds just going to nerd... KawaiiCon built its own public CO2 monitoring system so that conference attendees could check air quality throughout the venue.
- [UK] Reacting to the Jaguar Land Rover (JLR) attack, which hit the UK economy so hard, the Business and Trade Committee is calling on the government to act.
“introducing liability for software developers, incentivising business investment in cyber resilience, and mandatory reporting following a malicious cyber incident.”
The current situation externalises the cost of insecurity onto the users of the software, rather than internalising it by making developers bear the cost of designing better software.
Getting Techy
- Flaw in Azure Bastion scores CVSS 10! Not good for a product designed to provide secure RDP and SSH access to Azure VMs.
- Huntress pulls apart a multi-stage, obfuscated loader which even uses steganography to hide one stage. A lot of effort to deliver LummaC2, aka Lumma Stealer.
- (Huntress) https://archive.is/gxgDH
- Background - CISA advisory on Lumma - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141b
Geo-Politics
- [RU] Ukrainian Cyber Alliance (UCA) takes down Donbas Post in the occupied areas of Donetsk and Luhansk.
Privacy
- [UK] Advocacy groups call on the Information Commissioner's Office (ICO) to step up enforcement actions in the face of increasing data breaches.
alleges that a lack of enforcement actions by the ICO, particularly against public sector agencies, has led to an 11% increase in reported breaches and an 8% increase in data protection complaints.
AI
- Amazon starts to release details of its "Autonomous Threat Analysis" red- and blue-team agents.
- [AU] Bendigo Bank deepening Google relationship, rolling out Gemini to all staff