CyberNews: 21/11/2025 Edition

Published by Dunateo on 2025-11-21

Today’s roundup

  • APT24 Deploys BADAUDIO in Years-Long Espionage Hitting Taiwan and 1,000+ Domains
  • Salesforce alerts users to potential data exposure via Gainsight OAuth apps
  • Hacker claims to steal 2.3TB data from Italian rail group, Almaviva
  • New SonicWall SonicOS flaw allows hackers to crash firewalls
  • Coordinated sanctions hit Russian bulletproof hosting providers enabling top ransomware Ops
  • ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet
  • Researchers devised a new enumeration technique that exposed 3.5B WhatsApp profiles
  • How And Why We Hacked Cypherock Hardware Wallet: The Full Story
  • GlobalProtect VPN portals probed with 2.3 million scan sessions
  • 4 People Indicted in Alleged Conspiracy to Smuggle Supercomputers and Nvidia Chips to China
Summary

The China-nexus threat actor APT24 has been observed deploying a previously undocumented malware, BADAUDIO, in an almost three-year-long espionage campaign. This operation has established persistent remote access to compromised networks, notably impacting Taiwan and over 1,000 domains, with recent shifts towards more sophisticated targeting vectors.

Salesforce has identified unusual activity involving Gainsight-published applications, leading to potential unauthorized access to customer data. The company has revoked all active access and refresh tokens for these apps and temporarily removed them from the AppExchange. Investigations suggest the activity is linked to the ShinyHunters threat group, which claims to have stolen data from nearly 1,000 organizations across this and a prior Salesloft campaign. Salesforce stated that no platform vulnerability was found.

A threat actor has claimed to have stolen 2.3 terabytes of data from Almaviva, an IT services provider for Italy's national railway operator, FS Italiane Group. The breach has resulted in the exposure of data belonging to the railway operator.

SonicWall has urged customers to patch a high-severity SonicOS SSLVPN security flaw that could allow attackers to crash vulnerable firewalls. The company has released patches to address the issue.

The U.S., Australia, and the UK have imposed coordinated sanctions on Media Land, a Russia-based bulletproof hosting provider, and its associated entities and individuals, for allegedly supporting ransomware operations and cybercrime groups including LockBit, BlackSuit, and Play. The sanctions also targeted the Aeza Group for rebranding efforts intended to evade earlier measures. CISA and Five Eyes partners concurrently issued a joint advisory with guidance for ISPs and network defenders on mitigating the risks associated with bulletproof hosting providers.

Oligo Security has reported ongoing attacks, codenamed ShadowRay 2.0, exploiting a two-year-old unpatched security flaw in the Ray open-source artificial intelligence framework. The campaign is constructing a self-replicating cryptocurrency mining botnet by converting infected NVIDIA GPU clusters into mining infrastructure. The activity marks an evolution from a previous wave observed between September 2023 and March 2024.

Researchers at the University of Vienna discovered a WhatsApp flaw that facilitated the scraping of 3.5 billion user accounts through a phone number enumeration technique. Despite Meta's rate limiting, the researchers could probe over 100 million numbers per hour without being blocked. Meta has since patched the vulnerability, which allowed access to profile pictures, “about” texts, and E2EE public keys where user settings permitted; private messages and contacts were not exposed.

Researchers from DARKNAVY demonstrated a supply-chain attack against the Cypherock X1 hardware wallet at GEEKCON 2025. They bypassed secure boot and device authenticity verification by tampering with the firmware and exploiting multiple vulnerabilities within the X1 Vault's Microcontroller Unit (MCU), thereby gaining control over newly generated mnemonic phrases. The attack highlighted significant flaws in the firmware upgrade logic and authentication process.

A significant increase in malicious scanning targeting Palo Alto Networks GlobalProtect portals has been observed since November 14, 2025. Approximately 2.3 million scan sessions have been detected, indicating widespread reconnaissance against these VPN gateways.

Four individuals have been indicted in an alleged conspiracy to smuggle supercomputers and Nvidia chips to China. A federal prosecutor indicated that one defendant boasted of his father's involvement in similar business activities for the Chinese Communist Party, raising significant national security concerns regarding technology export controls.
