• Likelihood: High | Impact: Critical | Overall Priority: P1
• Rationale: Critical vulnerability in a widely-deployed edge security appliance is confirmed to be under active, indiscriminate exploitation in the wild, with a patch available.

Facts

• A critical path traversal vulnerability, tracked as CVE-2025-64446 (CVSS 9.8), affects multiple versions of Fortinet's FortiWeb web application firewall (WAF) (https://www.cisa.gov/news-events/alerts/2025/11/14/fortinet-releases-security-advisory-relative-path-traversal-vulnerability-affecting-fortiweb, 2025-11-14T12:00:00Z).
• The flaw allows an unauthenticated, remote attacker to execute administrative commands via specially crafted HTTP/HTTPS requests, enabling the creation of unauthorized admin accounts and full device compromise (https://thehackernews.com/2025/11/fortinet-fortiweb-flaw-actively.html, 2025-11-14T14:30:00Z).
• Active, indiscriminate exploitation has been observed in the wild since at least early October 2025 (https://blog.qualys.com/vulnerabilities-threat-research/2025/11/14/unauthenticated-authentication-bypass-in-fortinet-fortiweb-cve-2025-64446-exploited-in-the-wild, 2025-11-15T00:01:08Z).
• Fortinet silently released patches in version 8.0.2 and later, which were later confirmed in a security advisory (https://www.bleepingcomputer.com/news/security/fortinet-confirms-silent-patch-for-fortiweb-zero-day-exploited-in-attacks/, 2025-11-14T12:00:42Z).
• On November 14, 2025, CISA added CVE-2025-64446 to its Known Exploited Vulnerabilities (KEV) Catalog, requiring federal agencies to patch (https://www.cisa.gov/news-events/alerts/2025/11/14/cisa-adds-one-known-exploited-vulnerability-catalog, 2025-11-14T12:00:00Z).

Assessment

• We assess with High Confidence that this vulnerability poses an immediate and critical risk to organizations with exposed FortiWeb appliances. The combination of a critical rating, lack of authentication, active exploitation, and placement on the network edge makes it a prime target for attackers seeking initial access.
• The initial "silent patching" by the vendor may have delayed awareness, creating a window of opportunity for threat actors who discovered the flaw independently. The subsequent public disclosure and addition to the KEV catalog will now likely trigger a surge in widespread scanning and exploitation attempts.
• Attackers are likely using this access to establish persistence, pivot into internal networks, or disable security protections afforded by the WAF.

Relevance

• Affected in estate? Unknown. An urgent discovery scan must be initiated to identify all Fortinet FortiWeb appliances and their versions within the environment. All internet-facing instances are considered highly exposed.

ATT&CK

• T1190: Exploit Public-Facing Application
• T1133: External Remote Services
• T1078: Valid Accounts

Detection Ideas

• Audit FortiWeb devices for any administrative accounts created unexpectedly since October 2025.
• Hunt for HTTP/HTTPS requests to the management interface containing path traversal sequences (e.g., ../).
• Monitor for changes to WAF policies or configurations originating from unknown or suspicious source IPs.

Mitigations

• Immediate Patching: Upgrade affected FortiWeb instances to the recommended versions (8.0.2, 7.6.5, 7.4.10, 7.2.12, 7.0.12 or above) as per Fortinet's advisory (https://www.cisa.gov/news-events/alerts/2025/11/14/fortinet-releases-security-advisory-relative-path-traversal-vulnerability-affecting-fortiweb, 2025-11-14T12:00:00Z).
• Workaround: If patching is not immediately possible, disable HTTP/HTTPS access to the management interface from the internet. CISA notes this reduces risk but does not eliminate it (https://www.cisa.gov/news-events/alerts/2025/11/14/fortinet-releases-security-advisory-relative-path-traversal-vulnerability-affecting-fortiweb, 2025-11-14T12:00:00Z).

• Likelihood: High | Impact: High | Overall Priority: P1
• Rationale: A critical, unauthenticated remote vulnerability in common SOHO/SMB edge devices with an available patch poses a significant risk of device compromise.

Facts

• ASUS has released firmware updates to patch a critical authentication bypass vulnerability, CVE-2025-59367, with a CVSS score of 9.3 (https://securityaffairs.com/184636/security/critical-cve-2025-59367-flaw-lets-hackers-access-asus-dsl-routers-remotely.html, 2025-11-14T19:16:01Z).
• The flaw allows a remote, unauthenticated attacker to easily access vulnerable devices (https://www.bleepingcomputer.com/news/security/asus-warns-of-critical-auth-bypass-flaw-in-dsl-series-routers/, 2025-11-14T04:52:37Z).
• Affected models include the DSL-AC51, DSL-N16, and DSL-AC750 router families (https://securityaffairs.com/184636/security/critical-cve-2025-59367-flaw-lets-hackers-access-asus-dsl-routers-remotely.html, 2025-11-14T19:16:01Z).

Assessment

• We assess with High Confidence that this vulnerability will be targeted by opportunistic threat actors scanning for vulnerable edge devices. While active exploitation is not yet confirmed in the provided sources, the low complexity and lack of authentication make it an attractive target for botnet operators and initial access brokers.
• Compromise of these devices could lead to man-in-the-middle attacks, credential theft, redirection to malicious sites, or use as a pivot point into a network.

Relevance

• Affected in estate? Unknown. These devices are common in remote office and work-from-home environments. A review of assets and guidance to remote workers may be necessary.

ATT&CK

• T1190: Exploit Public-Facing Application
• T1189: Drive-by Compromise
• T1078: Valid Accounts

Detection Ideas

• Monitor for unexpected configuration changes or outbound connections from ASUS routers.
• Analyze network traffic for connections to the router's administrative interface from untrusted external IP addresses.

Mitigations

• Patching: Users of affected ASUS DSL routers should immediately update their firmware to the latest version provided by the vendor (https://www.bleepingcomputer.com/news/security/asus-warns-of-critical-auth-bypass-flaw-in-dsl-series-routers/, 2025-11-14T04:52:37Z).
• Hardening: Ensure the router's management interface is not exposed to the public internet.

• Likelihood: Medium | Impact: High | Overall Priority: P2
• Rationale: A nation-state actor is operationalizing AI to increase the speed and scale of cyberattacks, representing a significant evolution in adversary capability.

Facts

• AI company Anthropic reported that a Chinese state-sponsored espionage group, tracked as GTG-1002, used its Claude AI models to automate a significant portion of a cyber espionage campaign in mid-September 2025 (https://thehackernews.com/2025/11/chinese-hackers-use-anthropics-ai-to.html, 2025-11-14T15:23:00Z).
• The campaign targeted approximately 30 entities, resulting in several successful breaches. The AI was reportedly used to handle 80-90% of the technical work involved in the attacks (https://therecord.media/chinese-hackers-anthropic-cyberattacks, 2025-11-14T18:05:42GMT).
• The AI was used not just as an advisor but to execute the attacks themselves, demonstrating "agentic" capabilities (https://hackread.com/chinese-hackers-jailbroke-claude-ai-breaches/, 2025-11-14T16:06:45Z).
• Some security experts have expressed doubt about the extent of automation claimed, suggesting the AI was more likely used for tool development and refinement rather than fully autonomous execution (https://www.bleepingcomputer.com/news/security/anthropic-claims-of-claude-ai-automated-cyberattacks-met-with-doubt/, 2025-11-14T13:31:16-0500).

Assessment

• We assess with High Confidence that nation-state actors are actively integrating LLMs into their operations to improve efficiency and capability, even if full automation is not yet achieved. Using AI for tasks like code generation, vulnerability research, and social engineering content creation lowers the barrier to entry for complex operations and increases attack velocity.
• This trend will likely compress the time between vulnerability disclosure and exploitation and lead to more sophisticated, harder-to-detect malware and phishing campaigns.
• Defenders will need to adapt to machine-speed attacks by increasing their own automation in detection and response.

Relevance

• This represents an evolution in TTPs for adversaries that target our sector for espionage. While not a direct, immediately patchable threat, it informs our strategic defensive posture and highlights the need for advanced behavioral detections.

ATT&CK

• T1589: Gather Victim Identity Information
• T1598: Phishing for Information
• T1059: Command and Scripting Interpreter
• (AI was used across the attack lifecycle)

Detection Ideas

• Monitor for highly polymorphic or rapidly evolving malware that traditional signature-based detection may miss.
• Look for attack chains that progress at a speed inconsistent with typical hands-on-keyboard activity.

Mitigations

• Maintain a strong defense-in-depth posture, as the fundamental attack vectors (phishing, exploitation) remain the same.
• Invest in automated detection and response (SOAR) capabilities to counter machine-speed attacks.
• Train employees to recognize sophisticated phishing lures that may be generated by AI.

• Likelihood: High | Impact: High | Overall Priority: P2
• Rationale: Akira remains a highly active and damaging ransomware threat, with new TTPs indicating continued development and targeting of new platforms.

Facts

• A joint advisory from CISA and partners states the Akira ransomware operation has extorted over $244 million since September 2025 (https://www.infosecurity-magazine.com/news/akira-ransomware-244m-in-illicit/, 2025-11-14T11:13:00GMT).
• CISA released an updated advisory on November 13, 2025, detailing new TTPs and IOCs associated with Akira activity (https://www.cisa.gov/news-events/alerts/2025/11/13/cisa-and-partners-release-advisory-update-akira-ransomware, 2025-11-13T12:00:00Z).
• New tactics include targeting and encrypting Nutanix AHV virtual machines using a dedicated Linux encryptor (https://www.bleepingcomputer.com/news/security/cisa-warns-of-akira-ransomware-linux-encryptor-targeting-nutanix-vms/, 2025-11-13T17:32:42-0500).
• Updated TTPs also include using malware like POORTRY and STONETOP, deploying SystemBC as a RAT, and using Ngrok for command and control (https://www.cisa.gov/news-events/alerts/2025/11/13/cisa-and-partners-release-advisory-update-akira-ransomware, 2025-11-13T12:00:00Z).

Assessment

• We assess with High Confidence that Akira poses a persistent and significant threat. The group's financial success and continuous development of new tools, including a new Akira_v2 variant and a Linux encryptor, demonstrate a sophisticated and well-resourced operation.
• The specific targeting of virtualization platforms like Nutanix AHV is a deliberate attempt to maximize operational impact by crippling core server infrastructure.

Relevance

• Affected in estate? Unknown. Asset owners must verify if Nutanix AHV is used in our environment. The general TTPs are relevant to our overall ransomware defense posture.

ATT&CK

• T1486: Data Encrypted for Impact
• T1490: Inhibit System Recovery
• T1021.004: Remote Services: SSH
• T1562.001: Impair Defenses: Disable or Modify Tools
• T1572: Protocol Tunneling

Detection Ideas

• Monitor for the execution of unusual binaries or scripts on Nutanix AHV hosts.
• Hunt for the specific malware families mentioned in the CISA advisory (POORTRY, STONETOP, SystemBC) and network connections to Ngrok infrastructure.

Mitigations

• Implement mitigations from the CISA advisory, including patching VPNs, enforcing MFA, and segmenting networks.
• Ensure backups of virtual machine data are stored offline and are immutable.

No new, high-confidence indicators of compromise were identified in the provided sources this week.

• Law Enforcement Action: A new phase of "Operation Endgame" led by Europol has dismantled infrastructure for the Rhadamanthys Stealer, Venom RAT, and Elysium botnet, seizing over 1,025 servers (https://thehackernews.com/2025/11/operation-endgame-dismantles.html, 2025-11-13T16:46:00+0530).
• Law Enforcement Action: The US Department of Justice announced guilty pleas from five individuals who aided North Korean remote IT worker fraud and cryptocurrency theft schemes (https://www.bleepingcomputer.com/news/security/five-plead-guilty-to-helping-north-koreans-infiltrate-us-firms/, 2025-11-14T15:11:26-0500).
• US Government Action: US federal authorities have created a new task force to target Chinese cryptocurrency scam networks that defraud Americans of billions annually (https://www.bleepingcomputer.com/news/security/us-announces-new-strike-force-targeting-chinese-crypto-scammers/, 2025-11-14T09:54:30-0500).
• Legal Action: Google has filed a civil lawsuit against individuals tied to the "Smishing Triad" group, which operates the "Lighthouse" phishing-as-a-service platform (https://www.infosecurity-magazine.com/news/google-lawsuit-dismantle/, 2025-11-14T09:45:00GMT).

• Logitech: The hardware accessory giant confirmed it suffered a data breach in an attack claimed by the Clop extortion gang (https://www.bleepingcomputer.com/news/security/logitech-confirms-data-breach-after-clop-extortion-attack/, 2025-11-14T17:18:36-0500).
• DoorDash: The food delivery service disclosed a data breach that occurred in October 2025, exposing user information (https://www.bleepingcomputer.com/news/security/doordash-hit-by-new-data-breach-in-october-exposing-user-information/, 2025-11-13T23:38:44-0500).
• Checkout.com: The UK fintech company announced that the ShinyHunters threat group breached a legacy cloud storage system and attempted to extort the company (https://www.bleepingcomputer.com/news/security/checkoutcom-snubs-shinyhunters-hackers-to-donate-ransom-instead/, 2025-11-14T11:25:42-0500).
• Washington Post (via Oracle): The newspaper notified nearly 10,000 employees and contractors that their personal and financial data was exposed due to a breach at their supplier, Oracle (https://securityaffairs.com/184596/data-breach/washington-post-notifies-10000-individuals-affected-in-oracle-linked-data-theft.html, 2025-11-14T08:30:05Z).
• npm Registry: A worm dubbed "IndonesianFoods" has reportedly flooded the npm software registry with over 100,000 malicious junk packages, creating a risk for developers using the open-source repository (https://www.bleepingcomputer.com/news/security/new-indonesianfoods-worm-floods-npm-with-100-000-packages/, 2025-11-13T17:07:05-0500).

• Sigma Rule Update: A new CLSID for COM Hijacking detection was added to the Sigma repository (twinapi.dll) (https://github.com/SigmaHQ/sigma/commit/3d59e82504ec97f1d329298326f215b2eb114467, 2025-11-13T04:18:01Z).
• Playbook Update: Create or update a playbook for responding to a compromised edge security appliance (e.g., firewall, WAF). Steps should include immediate network isolation, preservation of logs/forensic images, reimaging from a trusted source, auditing for unauthorized accounts or configuration changes, and rotating all credentials.

• Assumptions: We assume that any internet-facing network appliances are actively being scanned for vulnerabilities like CVE-2025-64446 and CVE-2025-59367.
• Gaps: There is a lack of specific, actionable IOCs (IPs, domains, file hashes) for the active exploitation campaigns reported this week. The full impact of the Logitech and DoorDash breaches on our organization (e.g., compromised employee credentials) is currently unknown.
• Tasking:

1. Vulnerability Management: Initiate an immediate discovery effort to identify all Fortinet FortiWeb, ASUS DSL, WatchGuard Firebox, and Gladinet Triofox assets in the environment. Prioritize patching based on the KEV catalog status.
2. Asset Management: Task asset owners for ICS/OT environments to review the CISA advisories for Rockwell, Siemens, and AVEVA products and report on applicability.
3. Threat Hunting: Conduct a 30-day retro-hunt on FortiWeb management interface logs for signs of unauthorized access or account creation.
4. Third-Party Risk: Add Logitech, DoorDash, Checkout.com, and Washington Post to the monitoring list for further details regarding their respective data breaches.

• https://blog.qualys.com/vulnerabilities-threat-research/2025/11/14/unauthenticated-authentication-bypass-in-fortinet-fortiweb-cve-2025-64446-exploited-in-the-wild
• https://www.schneier.com/blog/archives/2025/11/friday-squid-blogging-pilot-whales-eat-a-lot-of-squid.html
• https://unit42.paloaltonetworks.com/impersonation-campaigns-deliver-gh0st-rat/
• https://www.bleepingcomputer.com/news/security/logitech-confirms-data-breach-after-clop-extortion-attack/
• https://www.wired.com/story/doj-issued-seizure-warrants-to-starlink-over-satellite-internet-systems-used-at-scam-compounds/
• https://therecord.media/multiple-us-nationals-guilty-pleas-north-korean-it-worker-scams
• https://www.bleepingcomputer.com/news/security/five-plead-guilty-to-helping-north-koreans-infiltrate-us-firms/
• https://databreaches.net/2025/11/14/suspected-russian-hacker-reportedly-detained-in-thailand-faces-possible-us-extradition/?pk_campaign=feed&pk_kwd=suspected-russian-hacker-reportedly-detained-in-thailand-faces-possible-us-extradition
• https://securityaffairs.com/184636/security/critical-cve-2025-59367-flaw-lets-hackers-access-asus-dsl-routers-remotely.html
• https://databreaches.net/2025/11/14/did-you-hear-the-one-about-the-ransom-victim-who-made-a-ransom-installment-payment-after-they-were-told-that-it-wouldnt-be-accepted/?pk_campaign=feed&pk_kwd=did-you-hear-the-one-about-the-ransom-victim-who-made-a-ransom-installment-payment-after-they-were-told-that-it-wouldnt-be-accepted
• https://www.bleepingcomputer.com/news/security/anthropic-claims-of-claude-ai-automated-cyberattacks-met-with-doubt/
• https://thehackernews.com/2025/11/north-korean-hackers-turn-json-services.html
• https://therecord.media/chinese-hackers-anthropic-cyberattacks
• https://hackread.com/cisa-attacks-cisco-asa-firepower-flaws/
• https://www.schneier.com/blog/archives/2025/11/upcoming-speaking-engagements-50.html
• https://www.bleepingcomputer.com/news/security/fortinet-confirms-silent-patch-for-fortiweb-zero-day-exploited-in-attacks/
• https://therecord.media/civil-society-privacy-rollback
• https://therecord.media/cyberattack-on-russian-port-operator
• https://www.malwarebytes.com/blog/news/2025/11/be-careful-responding-to-unexpected-job-interviews
• https://www.bleepingcomputer.com/news/security/checkoutcom-snubs-shinyhunters-hackers-to-donate-ransom-instead/
• https://hackread.com/chinese-hackers-jailbroke-claude-ai-breaches/
• https://thehackernews.com/2025/11/researchers-find-serious-ai-bugs.html
• https://securityaffairs.com/184628/security/millions-of-sites-at-risk-from-imunify360-critical-flaw-exploit.html
• https://www.bleepingcomputer.com/news/security/us-announces-new-strike-force-targeting-chinese-crypto-scammers/
• https://hackread.com/chinese-tech-firm-leak-state-linked-hacking/
• https://thehackernews.com/2025/11/iranian-hackers-launch-spearspecter-spy.html
• https://socprime.com/blog/latest-threats/ai-malware-and-llm-abuse/
• https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-46-7/
• https://securityaffairs.com/184615/hacking/critical-fortiweb-flaw-under-attack-allowing-complete-compromise.html
• https://www.malwarebytes.com/blog/news/2025/11/your-passport-now-on-your-iphone-helpful-or-risky
• https://www.infosecurity-magazine.com/news/chinese-hackers-cyberattacks-ai/
• https://www.schneier.com/blog/archives/2025/11/the-role-of-humans-in-an-ai-powered-world.html
• https://www.cisa.gov/news-events/alerts/2025/11/14/cisa-adds-one-known-exploited-vulnerability-catalog
• https://www.cisa.gov/news-events/alerts/2025/11/14/fortinet-releases-security-advisory-relative-path-traversal-vulnerability-affecting-fortiweb
• https://www.bleepingcomputer.com/news/google/google-backpedals-on-new-android-developer-registration-rules/
• https://www.infosecurity-magazine.com/news/akira-ransomware-244m-in-illicit/
• https://www.brandshield.com/blog/online-brand-protection-for-businesses/
• https://thehackernews.com/2025/11/ransomwares-fragmentation-reaches.html
• https://www.brandshield.com/blog/brandshield-iso-iec-27001-certification/
• https://thehackernews.com/2025/11/chinese-hackers-use-anthropics-ai-to.html
• https://www.bleepingcomputer.com/news/security/asus-warns-of-critical-auth-bypass-flaw-in-dsl-series-routers/
• https://www.infosecurity-magazine.com/news/google-lawsuit-dismantle/
• https://securityaffairs.com/184606/security/germanys-bsi-issues-guidelines-to-counter-evasion-attacks-targeting-llms.html
• https://thehackernews.com/2025/11/fortinet-fortiweb-flaw-actively.html
• https://securityaffairs.com/184596/data-breach/washington-post-notifies-10000-individuals-affected-in-oracle-linked-data-theft.html
• http://www.zerodayinitiative.com/advisories/ZDI-25-1013/
• http://www.zerodayinitiative.com/advisories/ZDI-25-1012/
• https://www.bleepingcomputer.com/news/security/doordash-hit-by-new-data-breach-in-october-exposing-user-information/
• https://www.bleepingcomputer.com/news/security/fortiweb-flaw-with-public-poc-actively-exploited-to-create-admin-users/
• https://www.bleepingcomputer.com/news/security/kraken-ransomware-benchmarks-systems-for-optimal-encryption-choice/
• https://www.bleepingcomputer.com/news/security/cisa-warns-of-akira-ransomware-linux-encryptor-targeting-nutanix-vms/
• https://www.bleepingcomputer.com/news/security/new-indonesianfoods-worm-floods-npm-with-100-000-packages/
• https://hackread.com/how-adversaries-exploit-blind-spots-easm-strategy/
• https://thehackernews.com/2025/11/russian-hackers-create-4300-fake-travel.html
• https://blog.talosintelligence.com/viasat-and-the-terrible-horrible-no-good-very-bad-day/
• https://securityaffairs.com/184585/malware/chrome-extension-safery-steals-ethereum-wallet-seed-phrases.html
• https://hackread.com/whatsapp-screen-sharing-scammers-steal-otps-funds/
• https://www.mcafee.com/blogs/internet-security/the-stars-scammers-love-most-mcafee-reveals-worlds-most-deepfaked-celebs/
• http://security.googleblog.com/2025/11/rust-in-android-move-fast-fix-things.html
• https://hackread.com/operation-endgame-rhadamanthys-venomrat-elysium-malware/
• https://www.proofpoint.com/us/newsroom/news/operation-endgame-targets-malware-networks-global-crackdown
• https://securityaffairs.com/184581/cyber-crime/a-new-round-of-europols-operation-endgame-dismantled-rhadamanthys-venom-rat-and-elysium-botnet.html
• https://www.infosecurity-magazine.com/news/indonesianfoods-npm-worm-44000/
• https://krebsonsecurity.com/2025/11/google-sues-to-disrupt-chinese-sms-phishing-triad/
• https://www.malwarebytes.com/blog/news/2025/11/1-million-victims-17500-fake-sites-google-takes-on-toll-fee-scammers
• https://www.infosecurity-magazine.com/news/ciso-pay-increases-7-budget-growth/
• https://github.com/SigmaHQ/sigma/commit/c2f1eb41bc5c9f246339545e8fd5ee14ed7f8332
• https://hackread.com/sap-patch-cve-2025-42887-takeover-vulnerability/
• https://thehackernews.com/2025/11/fake-chrome-extension-safery-steals.html
• https://www.malwarebytes.com/blog/news/2025/11/are-you-paying-more-than-other-people-ny-cracks-down-on-surveillance-pricing
• https://www.infosecurity-magazine.com/news/operation-endgame-3-dismantles/
• https://databreaches.net/2025/11/13/district-of-massachusetts-allows-higher-ed-student-data-breach-claims-to-survive/?pk_campaign=feed&pk_kwd=district-of-massachusetts-allows-higher-ed-student-data-breach-claims-to-survive
• https://databreaches.net/2025/11/13/end-of-the-game-for-cybercrime-infrastructure-1025-servers-taken-down/?pk_campaign=feed&pk_kwd=end-of-the-game-for-cybercrime-infrastructure-1025-servers-taken-down
• https://www.schneier.com/blog/archives/2025/11/book-review-the-business-of-secrets.html
• https://hackread.com/top-3-malware-families-in-q4-how-to-keep-your-soc-ready/
• https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-07
• https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-10
• https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-02
• https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-03
• https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-01
• https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-08
• https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-17
• https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-16
• https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-09
• https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-05
• https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-14
• https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-12
• https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-04
• https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-13
• https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-06
• https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-11
• https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-15
• https://www.cisa.gov/news-events/alerts/2025/11/13/cisa-releases-18-industrial-control-systems-advisories
• https://www.cisa.gov/news-events/alerts/2025/11/13/cisa-and-partners-release-advisory-update-akira-ransomware
• https://thehackernews.com/2025/11/when-attacks-come-faster-than-patches.html
• https://securityaffairs.com/184573/security/u-s-cisa-adds-watchguard-firebox-microsoft-windows-and-gladinet-triofox-flaws-to-its-known-exploited-vulnerabilities-catalog.html
• https://thehackernews.com/2025/11/operation-endgame-dismantles.html
• https://blog.talosintelligence.com/kraken-ransomware-group/
• https://www.malwarebytes.com/blog/threats/2025/11/we-opened-a-fake-invoice-and-fell-down-a-retro-xworm-shaped-wormhole
• https://www.infosecurity-magazine.com/news/collaboration-hit-back-rising/
• https://thehackernews.com/2025/11/threatsday-bulletin-cisco-0-days-ai-bug.html
• https://www.infosecurity-magazine.com/news/synnovis-breach-notification-2024/
• https://securityaffairs.com/184561/hacking/amazon-alerts-advanced-threat-actor-exploits-cisco-ise-citrix-netscaler-zero-days.html
• https://thehackernews.com/2025/11/cisa-flags-critical-watchguard-fireware.html
• https://www.tripwire.com/state-of-security/uks-four-step-framework-supply-chain-resilience
• http://www.zerodayinitiative.com/advisories/ZDI-25-1011/
• http://www.zerodayinitiative.com/advisories/ZDI-25-1010/
• http://www.zerodayinitiative.com/advisories/ZDI-25-1009/
• http://www.zerodayinitiative.com/advisories/ZDI-25-1008/
• http://www.zerodayinitiative.com/advisories/ZDI-25-1007/
• http://www.zerodayinitiative.com/advisories/ZDI-25-1006/
• http://www.zerodayinitiative.com/advisories/ZDI-25-1005/
• http://www.zerodayinitiative.com/advisories/ZDI-25-1004/
• http://www.zerodayinitiative.com/advisories/ZDI-25-1003/
• http://www.zerodayinitiative.com/advisories/ZDI-25-1002/
• http://www.zerodayinitiative.com/advisories/ZDI-25-1001/
• http://www.zerodayinitiative.com/advisories/ZDI-25-1000/
• http://www.zerodayinitiative.com/advisories/ZDI-25-999/
• http://www.zerodayinitiative.com/advisories/ZDI-25-998/
• http://www.zerodayinitiative.com/advisories/ZDI-25-997/
• http://www.zerodayinitiative.com/advisories/ZDI-25-996/
• http://www.zerodayinitiative.com/advisories/ZDI-25-995/
• http://www.zerodayinitiative.com/advisories/ZDI-25-994/
• http://www.zerodayinitiative.com/advisories/ZDI-25-993/
• http://www.zerodayinitiative.com/advisories/ZDI-25-992/
• https://hackread.com/breachlock-vanta-continuous-security-testing-compliance-integration/
• https://thehackernews.com/2025/11/over-46000-fake-npm-packages-flood.html
• https://github.com/SigmaHQ/sigma/commit/3d59e82504ec97f1d329298326f215b2eb114467
• https://github.com/SigmaHQ/sigma/commit/47171af68adec669e379688e98778832a0bc017d
• https://hackread.com/threatbook-2025-gartner-network-detection-response/
• https://www.recordedfuture.com/blog/third-party-risk-statistics
• https://www.wired.com/story/dhs-kept-chicago-police-records-for-months-in-violation-of-domestic-espionage-rules/
• https://databreaches.net/2025/11/12/doctor-alliance-data-breach-353gb-of-patient-files-allegedly-compromised-ransom-demanded/?pk_campaign=feed&pk_kwd=doctor-alliance-data-breach-353gb-of-patient-files-allegedly-compromised-ransom-demanded
• https://securityaffairs.com/184557/cyber-crime/google-sues-cybercriminal-group-smishing-triad.html
• https://databreaches.net/2025/11/12/st-thomas-brushed-off-red-flags-before-dark-web-data-dump-rocks-houston/?pk_campaign=feed&pk_kwd=st-thomas-brushed-off-red-flags-before-dark-web-data-dump-rocks-houston
• https://databreaches.net/2025/11/12/a-wiltshire-police-breach-posed-possible-safety-concerns-for-violent-crime-victims-as-well-as-prison-officers/?pk_campaign=feed&pk_kwd=a-wiltshire-police-breach-posed-possible-safety-concerns-for-violent-crime-victims-as-well-as-prison-officers
• https://databreaches.net/2025/11/12/amendment-13-is-gamechanger-on-data-security-enforcement-in-israel/?pk_campaign=feed&pk_kwd=amendment-13-is-gamechanger-on-data-security-enforcement-in-israel
• https://www.malwarebytes.com/blog/news/2025/11/phishing-emails-disguised-as-spam-filter-alerts-are-stealing-logins
• https://socprime.com/blog/latest-threats/cve-2025-62215-windows-kernel-vulnerability/
• https://thehackernews.com/2025/11/google-sues-china-based-hackers-behind.html
• https://www.infosecurity-magazine.com/news/globallogic-latest-cl0p-victim/
• https://databreaches.net/2025/11/12/almost-two-years-later-alpha-omega-winery-notifies-those-affected-by-a-data-breach/?pk_campaign=feed&pk_kwd=almost-two-years-later-alpha-omega-winery-notifies-those-affected-by-a-data-breach
• https://www.infosecurity-magazine.com/news/cyberinsurance-payouts-soar-230-in/
• https://thehackernews.com/2025/11/amazon-uncovers-attacks-exploited-cisco.html
• https://databreaches.net/2025/11/12/court-of-appeal-reaffirms-mfsa-liability-in-data-leak-case-orders-regulator-to-shoulder-costs/?pk_campaign=feed&pk_kwd=court-of-appeal-reaffirms-mfsa-liability-in-data-leak-case-orders-regulator-to-shoulder-costs
• https://github.com/SigmaHQ/sigma/commit/799acec38b9e0696cc1d5767a9416033f620aca0
• https://www.troyhunt.com/weekly-update-477/
• https://www.schneier.com/blog/archives/2025/11/on-hacking-back.html
• https://www.cisa.gov/news-events/alerts/2025/11/12/cisa-adds-three-known-exploited-vulnerabilities-catalog
• https://www.cisa.gov/news-events/alerts/2025/11/12/update-implementation-guidance-emergency-directive-cisco-asa-and-firepower-device-vulnerabilities
• https://thehackernews.com/2025/11/webinar-learn-how-leading-security.html
• https://www.malwarebytes.com/blog/news/2025/11/update-now-november-patch-tuesday-fixes-windows-zero-day-exploited-in-the-wild
• https://thehackernews.com/2025/11/active-directory-under-siege-why.html
• https://github.com/SigmaHQ/sigma/commit/6503f1514997306f5476924542f17ddeb007f61e
• https://github.com/SigmaHQ/sigma/commit/f804cba5582071af1c478e5af5b80e6c2423531d
• https://thehackernews.com/2025/11/microsoft-fixes-63-security-flaws.html
• https://www.malwarebytes.com/blog/inside-malwarebytes/2025/11/how-malwarebytes-stops-the-ransomware-attack-that-most-security-software-cant-see
• https://www.infosecurity-magazine.com/news/microsoft-windows-kernel-zero-day/
• https://www.wired.com/story/lighthouse-google-lawsuit-scam-text-messages/
• https://github.com/SigmaHQ/sigma/commit/0fc25791949e334d7e01c3fe1a3864b309611949
• https://www.infosecurity-magazine.com/news/government-cyber-security/
• https://thehackernews.com/2025/11/google-launches-private-ai-compute.html
• https://www.recordedfuture.com/blog/ti-from-soc-to-c-suite
• https://www.recordedfuture.com/blog/introducing-the-2025-state-of-threat-intelligence-report
• https://blog.qualys.com/vulnerabilities-threat-research/2025/11/11/microsoft-patch-tuesday-november-2025-security-update-review
• https://thehackernews.com/2025/11/whatsapp-malware-maverick-hijacks.html
• https://blog.talosintelligence.com/microsoft-patch-tuesday-november-2025/
• https://socprime.com/blog/cve-2025-12480-detection/
• https://thehackernews.com/2025/11/gootloader-is-back-using-new-font-trick.html
• https://www.mcafee.com/blogs/internet-security/holiday-shopping-scams-what-to-watch-as-black-friday-cyber-monday-approach/
• https://www.mcafee.com/blogs/mcafee-news/holiday-shopping-2025-us-fact-sheet/
• https://www.malwarebytes.com/blog/news/2025/11/patch-now-samsung-zero-day-lets-attackers-take-over-your-phone
• https://www.malwarebytes.com/blog/threat-intel/2025/11/how-credentials-get-stolen-in-seconds-even-with-a-script-kiddie-level-phish
• https://github.com/SigmaHQ/sigma/commit/714d7b41b9a581d73631221b257a0d96af76b984
• https://www.malwarebytes.com/blog/news/2025/11/stolen-iphones-are-locked-tight-until-scammers-phish-your-apple-id-credentials
• https://www.schneier.com/blog/archives/2025/11/prompt-injection-in-ai-browsers.html
• https://thehackernews.com/2025/11/cisos-expert-guide-to-ai-supply-chain.html
• https://thehackernews.com/2025/11/researchers-detect-malicious-npm.html
• https://thehackernews.com/2025/11/android-trojan-fantasy-hub-malware.html
• http://www.zerodayinitiative.com/advisories/ZDI-25-991/
• http://www.zerodayinitiative.com/advisories/ZDI-25-990/
• http://www.zerodayinitiative.com/advisories/ZDI-25-989/
• http://www.zerodayinitiative.com/advisories/ZDI-25-988/
• https://unit42.paloaltonetworks.com/authentication-coercion/
• https://blog.qualys.com/product-tech/2025/11/10/battle-compliance-confusion-and-security-fatigue-with-qualys-and-servicenow
• https://thehackernews.com/2025/11/hackers-exploiting-triofox-flaw-to.html
• https://thehackernews.com/2025/11/konni-hackers-turn-googles-find-hub.html
• https://www.microsoft.com/en-us/security/blog/2025/11/10/securing-our-future-november-2025-progress-report-on-microsofts-secure-future-initiative/
• https://www.malwarebytes.com/blog/news/2025/11/fantasy-hub-is-spyware-for-rent-complete-with-fake-app-kits-and-support
• https://github.com/SigmaHQ/sigma/commit/4355ece230d68c36f08ebd53d5408ec5f8d629cc
• https://thehackernews.com/2025/11/weekly-recap-hyper-v-malware-malicious.html
• https://www.schneier.com/blog/archives/2025/11/new-attacks-against-secure-enclaves.html
• https://thehackernews.com/2025/11/new-browser-security-report-reveals.html
• https://blog.virustotal.com/2025/11/vtpractitioners-acronis.html
• https://www.malwarebytes.com/blog/scams/2025/11/watch-out-for-walmart-gift-card-scams
• https://github.com/SigmaHQ/sigma/commit/f61f66e745991ede6abf3f73cfc6844d97920361
• https://www.brandshield.com/blog/report-trademark-violation/
• https://github.com/SigmaHQ/sigma/commit/c6fcff5cff0ffa0d72285b77d7de59c8787687d3
• https://thehackernews.com/2025/11/large-scale-clickfix-phishing-attacks.html
• https://thehackernews.com/2025/11/glassworm-malware-discovered-in-three.html
• https://www.malwarebytes.com/blog/news/2025/11/a-week-in-security-november-3-november-9
• https://blog.eclecticiq.com/the-reality-bargains-bring-risk
• http://www.zerodayinitiative.com/advisories/ZDI-25-987/
• http://www.zerodayinitiative.com/advisories/ZDI-25-986/
• http://www.zerodayinitiative.com/advisories/ZDI-25-985/
• https://www.recordedfuture.com/blog/threat-hunting-vs-threat-intelligence
• https://krebsonsecurity.com/2025/11/drilling-down-on-uncle-sams-proposed-tp-link-ban/
• https://www.brandshield.com/blog/10-online-marketplace-scams/
• https://thehackernews.com/2025/11/microsoft-uncovers-whisper-leak-attack.html