⚡ Weekly Recap: Fortinet Exploit, Chrome 0-Day, BadIIS Malware, Record DDoS, SaaS Breach & More

Last updated: 2025/11/24 at 8:39 AM
News Room, published 24 November 2025

Nov 24, 2025Ravie LakshmananCybersecurity / Hacking News

This week saw a lot of new cyber trouble. Hackers hit Fortinet and Chrome with new 0-day bugs. They also broke into supply chains and SaaS tools. Many hid inside trusted apps, browser alerts, and software updates.

Big firms like Microsoft, Salesforce, and Google had to react fast — stopping DDoS attacks, blocking bad links, and fixing live flaws. Reports also showed how fast fake news, AI risks, and attacks on developers are growing.

Here’s what mattered most in security this week.

⚡ Threat of the Week

Fortinet Warns of Another Silently Patched and Actively Exploited FortiWeb Flaw — Fortinet has warned that a new security flaw in FortiWeb has been exploited in the wild. The medium-severity vulnerability, tracked as CVE-2025-58034, carries a CVSS score of 6.7 out of a maximum of 10.0. It has been addressed in version 8.0.2. “An Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability [CWE-78] in FortiWeb may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands,” the company said. The development came days after Fortinet confirmed that it silently patched another critical FortiWeb vulnerability (CVE-2025-64446, CVSS score: 9.1) in version 8.0.2. Although the company has not clarified if the exploitation activity is linked, Orange Cyberdefense said it observed “several exploitation campaigns” chaining CVE-2025-58034 with CVE-2025-64446 to facilitate authentication bypass and command injection. Fortinet’s handling of the issue has come in for heavy criticism. It’s possible that the company was aware of the flaws but chose not to disclose them, to avoid alerting other threat actors to their existence until a majority of its customers had applied the patch. But what’s difficult to explain at this stage is why Fortinet opted to disclose the flaws four days apart.
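
The FortiWeb bug is a textbook CWE-78: an untrusted request parameter reaches an OS command line. The following Python snippet is an added illustration of the pattern in general, not FortiWeb's code and not derived from the advisory; the `ping` handler, the hostname allow-list and the sample input are all constructed for this example. It shows the vulnerable string-concatenation form next to a hardened form that validates the parameter and passes an argv list so no shell ever parses it.

```python
import re
import subprocess

# Allow-list for a hostname or IPv4 parameter: letters, digits, dots and hyphens only.
# Constructed for this example; tighten it to whatever your real input model is.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_ping_vulnerable(host: str) -> str:
    """Command string a naive handler would hand to subprocess with shell=True.

    The untrusted value is concatenated into the command line, so any shell
    metacharacters inside `host` become part of the command (CWE-78).
    """
    return f"ping -c 1 {host}"


def is_valid_host(host: str) -> bool:
    """True only when the parameter matches the strict allow-list."""
    return bool(_HOST_RE.match(host))


def build_ping_hardened(host: str) -> list[str]:
    """Validate the parameter, then return an argv list.

    With an argv list and shell=False (the subprocess default) each element is
    passed to the program verbatim, so ';', '|', '$(...)' and friends are just
    characters in one argument and never reach a shell parser.
    """
    if not is_valid_host(host):
        raise ValueError("rejected host parameter")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Execute the hardened form; raises ValueError before running anything on bad input."""
    return subprocess.run(build_ping_hardened(host), capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    # Constructed sample input carrying a shell separator.
    untrusted = "host.example; echo injected"
    print("vulnerable command line:", build_ping_vulnerable(untrusted))
    try:
        build_ping_hardened(untrusted)
    except ValueError as exc:
        print("hardened handler:", exc)
    print("hardened argv:", build_ping_hardened("10.0.0.1"))
```

The hardened version fixes the bug twice over: the allow-list rejects anything that is not a plausible host, and the argv form removes the shell from the path entirely, so even a value that slips past validation cannot be reinterpreted as additional commands.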

🔔 Top News

  • Google Patches New Actively Exploited Chrome 0-Day — Google released security updates for its Chrome browser to address two security flaws, including one that has come under active exploitation in the wild. The vulnerability in question is CVE-2025-13223 (CVSS score: 8.8), a type confusion vulnerability in the V8 JavaScript and WebAssembly engine that could be exploited to achieve arbitrary code execution or program crashes. Clément Lecigne of Google’s Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on November 12, 2025. Google has not shared any details on who is behind the attacks, who may have been targeted, or the scale of such efforts. However, the tech giant acknowledged that an “exploit for CVE-2025-13223 exists in the wild.” With the latest update, Google has addressed seven zero-day flaws in Chrome that have been either actively exploited or demonstrated as a proof-of-concept (PoC) since the start of the year.
  • Matrix Push C2 Uses Browser Extensions to Take Users to Phishing Pages — Bad actors are leveraging browser notifications as a vector for phishing attacks to distribute malicious links by means of a new command-and-control (C2) platform called Matrix Push C2. In these attacks, prospective targets are tricked into allowing browser notifications through social engineering on malicious or legitimate-but-compromised websites. Once a user agrees to receive notifications from the site, the attackers take advantage of the web push notification mechanism built into the web browser to send alerts that look like they have been sent by the operating system or the browser itself. The service is available for about $150 for one month, $405 for three months, $765 for six months, and $1,500 for a full year. The fact that the tool is platform-agnostic means it could be favoured by threat actors looking to conduct credential theft, payment fraud, and cryptocurrency scams. Countering such risks requires browser vendors to implement stronger abuse protections, such as using a reputation system to flag sketchy sites and automatically revoking notification permissions for suspicious sites.
  • PlushDaemon APT Uses EdgeStepper to Hijack Software Updates — The threat actor known as PlushDaemon has been observed using a previously undocumented Go-based network backdoor codenamed EdgeStepper to facilitate adversary-in-the-middle (AitM) attacks. EdgeStepper is positioned between a victim and the network edge, tracking requests for certain popular Chinese software products, such as the Sogou Pinyin Method input editor, the Baidu Netdisk cloud service, multipurpose instant messenger Tencent QQ, and the free office suite WPS Office. If one such software update request is found, EdgeStepper redirects it to PlushDaemon’s infrastructure, resulting in the download of a trojanized update. The attacks lead to the deployment of SlowStepper.
  • Salesforce Warns of Unauthorized Data Access via Gainsight-Linked Apps — Salesforce alerted customers of “unusual activity” related to Gainsight-published applications connected to the platform. The cloud services firm said it has taken the step of revoking all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce. It has also temporarily removed those applications from the AppExchange as its investigation continues. Gainsight said the Gainsight app has been temporarily pulled from the HubSpot Marketplace and Zendesk connector access has been revoked as a precautionary measure. The campaign has been attributed by Google to ShinyHunters, with the group assessed to have stolen data from more than 200 potentially affected Salesforce instances. Cybersecurity company CrowdStrike also said it terminated a “suspicious insider” last month for allegedly passing insider information to Scattered LAPSUS$ Hunters. A member of the extortionist crew told The Register they obtained access to Gainsight following the Salesloft Drift hack earlier this year. The incident once again underscores the security risk posed by the SaaS integration supply chain, where breaching a single vendor acts as a gateway into dozens of downstream environments.
  • Microsoft Mitigates Record 15.72 Tbps DDoS Attack — Microsoft disclosed that it automatically detected and neutralized a distributed denial-of-service (DDoS) attack targeting a single endpoint in Australia that measured 15.72 terabits per second (Tbps) and nearly 3.64 billion packets per second (pps). The tech giant said it was the largest DDoS attack ever observed in the cloud, and that it originated from a TurboMirai-class Internet of Things (IoT) botnet known as AISURU. It’s currently not known who was targeted by the attack. According to data from QiAnXin XLab, the AISURU botnet is powered by nearly 300,000 infected devices, most of which are routers, security cameras, and DVR systems. It has been attributed to some of the biggest DDoS attacks recorded to date. In a report published last month, NETSCOUT classified the DDoS-for-hire botnet as operating with a restricted clientele. QiAnXin XLab told The Hacker News that a botnet named Kimwolf is likely linked to the group behind AISURU, adding one of Kimwolf’s C2 domains recently surpassed Google in Cloudflare’s list of top 100 domains, specifically, 14emeliaterracewestroxburyma02132[.]su.

‎️‍🔥 Trending CVEs

Hackers act fast. They can use new bugs within hours. One missed update can cause a big breach. Here are this week’s most serious security flaws. Check them, fix what matters first, and stay protected.

This week’s list includes — CVE-2025-9501 (W3 Total Cache plugin), CVE-2025-62765 (Lynx+ Gateway), CVE-2025-36251, CVE-2025-36250 (IBM AIX), CVE-2025-60672, CVE-2025-60673, CVE-2025-60674, CVE-2025-60676 (D-Link DIR-878 routers), CVE-2025-40547, CVE-2025-40548, CVE-2025-40549 (SolarWinds Serv-U), CVE-2025-40601 (SonicWall SonicOS), CVE-2025-50165 (Windows Graphics), CVE-2025-9316, CVE-2025-11700 (N-able N-central), CVE-2025-13315, CVE-2025-13316 (Twonky Server), CVE-2024-24481, CVE-2025-13207 (Tenda N300 series and Tenda 4G03 Pro), CVE-2025-13051 (ASUSTOR), CVE-2025-49752 (Azure Bastion), CVE-2024-48949, CVE-2024-48948 (elliptic), and a TLS verification bypass vulnerability in GoSign Desktop (no CVE).

📰 Around the Cyber World

  • Malicious VS Code Extension Taken Down — A malicious Visual Studio Code extension was found attempting to capitalize on the legitimate “Prettier” brand to harvest sensitive data. The extension, named “publishingsofficial.prettier-vscode-plus,” was published to the Microsoft Extension Marketplace on November 21, 2025. The extension, once installed, launches a batch script that’s responsible for running a Visual Basic Script file designed to execute a stealer malware. “The payload system inserted into the malicious extension appears designed to evade common anti-malware and static scanning tactics,” Checkmarx said. “It’s a multi-stage attack that ends with deploying and running what appears to be a variant of the Anivia Stealer malware; this malware acquires and exfiltrates credentials, metadata, and private information like WhatsApp chats from Windows machines.” The extension has since been taken down.
  • 100s of English-Language Websites Link to Pro-Kremlin Propaganda — A new study from the Institute for Strategic Dialogue (ISD) has revealed that hundreds of English-language websites between July 2024 and July 2025, including news outlets, fact-checkers, and academic institutions, are linking to articles from a pro-Kremlin network named Pravda that’s flooding the internet with disinformation. “Roughly 900 sites from across the political spectrum, ranging from major news outlets to fringe blogs, have linked to Pravda network articles over the observed year-long period,” ISD said. “A reviewed sample of more than 300 English-language sites included U.S. national and local news outlets, prominent sources of political commentary, as well as fact-checking and academic institutions.” It’s assessed that the Pravda network uses a high-volume strategy to influence large language models (LLMs) like ChatGPT and Gemini and seed them with pro-Russia narratives, a process referred to as LLM grooming. The network has been active since 2014, churning out more than 6 million articles.
  • Anthropic Finds Reward Hacking Leads to More Misalignment — A new study from artificial intelligence (AI) company Anthropic revealed that large language models (LLMs) trained to “reward hack” by cheating on coding tasks exhibit even more misaligned behavior, including sabotaging AI safety research. “When they learn to cheat on software programming tasks, they go on to display other, even more misaligned behaviors as an unintended consequence,” the company said. “These include concerning behaviors like alignment faking and sabotage of AI safety research.”
  • Microsoft to Include Sysmon in Windows 11 — Microsoft said it will add Sysmon, a third-party app from the Sysinternals package, to future versions of Windows 11 to help with security log analysis. “Next year, Windows updates for Windows 11 and Windows Server 2025 will bring Sysmon functionality natively to Windows,” the tech giant said. “Sysmon functionality allows you to use custom configuration files to filter captured events. These events are written to the Windows event log, enabling a wide range of use cases, including by security applications.”
  • More Than 150 Remcos RAT Servers Found — Attack surface management platform Censys said it consistently tracked over 150 active Remcos RAT command-and-control (C2) servers between October 14 and November 14, 2025. “Most servers listened on port 2404, commonly associated with Remcos, with additional use of ports 5000, 5060, 5061, 8268, and 8808, showing deployment flexibility,” the company said. “A subset of hosts exposed Server Message Block (SMB) and Remote Desktop Protocol (RDP), suggesting some operators also use native Windows services for administration. Hosting concentrated in the United States, the Netherlands, and Germany, with smaller clusters in France, the United Kingdom, Turkey, and Vietnam.”
  • PyPI to Require Email Verification for TOTP Logins — The Python Package Index (PyPI) portal will now require email-based verification for all Time-based One-Time Password (TOTP) logins coming from new developer devices. “Users who have enabled WebAuthn (security keys) or passkeys for 2FA will not see any changes, as these methods are inherently phishing-resistant,” PyPI said. “They cryptographically bind the authentication to the specific website (origin), meaning an attacker cannot trick you into authenticating on a fake site, unlike TOTP codes, which can be phished.”
  • Blockade Spider’s Cross-Domain Attacks Detailed — A financially motivated threat actor known as Blockade Spider has been attributed to using cross-domain techniques in its ransomware campaigns since at least April 2024. The e-crime group uses Embargo ransomware and data theft to monetize their operations. “They gain access through unmanaged systems, dump credentials, and move laterally to virtualized infrastructure to remotely encrypt files with Embargo ransomware,” CrowdStrike said. “They’ve also demonstrated the ability to target cloud environments.” In one case previously flagged by the company, the threat actor added compromised users to a “No MFA” Active Directory group, circumvented security controls, and deployed ransomware while evading traditional detection systems.
  • JSGuLdr Loader Delivers Phantom Stealer — A new multi-stage JavaScript-to-PowerShell loader has been put to use in cyber attacks, delivering an information stealer called Phantom Stealer. “A JavaScript file triggers PowerShell through an Explorer COM call, pulls the second stage from %APPDATA%\Registreri62, then uses Net.WebClient to fetch an encrypted payload from Google Drive into %APPDATA%\Autorise131[.]Tel,” ANY.RUN said. “The payload is decoded in memory and loaded, with PhantomStealer injected into msiexec.exe.” The attack combines obfuscation and fileless in-memory loading techniques to sidestep detection. Because the final payload runs entirely in memory inside a trusted process, it allows threat actors to stealthily move across the network and steal data.
  • Apple Updates App Store Developer Guidelines — Apple updated its developer guidelines to require every app to disclose if it collects and shares user data with AI companies, as well as ask users for permissions. “You must clearly disclose where personal data will be shared with third parties, including with third-party AI, and obtain explicit permission before doing so,” the company’s rule 5.1.2(i) now states. The changes went into effect on November 13, 2025.
  • Malware Campaign Targets Microsoft IIS servers to Deploy BadIIS Malware — A malware campaign dubbed WEBJACK has been observed compromising Microsoft IIS servers to deploy malicious IIS modules belonging to the BadIIS malware family. “The hijacked servers are being abused for SEO poisoning and fraud, redirecting users to casino, gambling, or betting websites,” WithSecure said. “The threat actor has compromised high-profile targets, including government institutions, universities, tech firms, and many other organizations, abusing their domain reputation to serve fraudulent content through search engine results pages (SERPs).” The initial access vector used in the attacks is not known, although previous BadIIS intrusions have leveraged vulnerable web applications, stolen administrator credentials, and purchased access from initial-access brokers. The tools and operational characteristics observed point to a strong Chinese nexus, a pattern evidenced by the discovery of similar clusters in recent months, such as GhostRedirector, Operation Rewrite, UAT-8099, and TOLLBOOTH.
  • Phishing Scheme Targets WhatsApp Accounts — Hundreds of victims across the Middle East, Asia, and beyond have been ensnared in a new scam that leverages cloned login portals, low-cost domains, and WhatsApp’s own “Linked Devices” and one-time password workflows to hijack WhatsApp accounts. “Threat actors behind this campaign create fraudulent websites that closely imitate legitimate WhatsApp interfaces, using urgency-driven tactics to trick users into compromising their accounts,” CTM360 said. The campaign has been codenamed HackOnChat. Over 9,000 phishing URLs have been uncovered to date, with the sites hosted on domains registered with low-cost or less regulated top-level domains such as .cc, .net, .icu, and .top. In the last 45 days, more than 450 incidents were recorded. “The attackers rely on two primary techniques: Session Hijacking, where the WhatsApp-linked device feature is exploited to hijack WhatsApp web sessions, and the Account Takeover, which involves tricking victims into revealing their authentication key to seize full ownership of their accounts,” the company added. “Malicious links are using templates of fake security-alert verification, deceptive WhatsApp Web imitation pages, and spoofed group invitation messages, all designed to lure users into these traps and enable the hacking process.”
  • Spike in Palo Alto Networks GlobalProtect Scanning — Threat intelligence firm GreyNoise has warned of another wave of scanning activity targeting Palo Alto Networks GlobalProtect portals. “Beginning on 14 November 2025, activity rapidly intensified, culminating in a 40x surge within 24 hours, marking a new 90-day high,” the company said. Between November 14 and 19, 2.3 million sessions hitting the */global-protect/login.esp URI were observed. It’s assessed that these attacks are the work of the same threat actor based on the recurring TCP/JA4t signatures and overlapping infrastructure.
  • JustAskJacky is the Most Prevalent Threat in October 2025 — A malware family known as JustAskJacky emerged as the most pervasive threat in October 2025, followed by KongTuke, Rhadamanthys, NetSupport RAT, and TamperedChef, according to data from Red Canary. JustAskJacky, which emerged earlier this year, is a “family of malicious NodeJS applications that masquerade as a helpful AI or utility tool while conducting reconnaissance and executing arbitrary commands in memory in the background.”
  • NSO Group Seeks to Overturn WhatsApp Case — Last month, a U.S. court ordered Israeli commercial spyware vendor NSO Group to stop targeting WhatsApp. In response, the company has filed an appeal to overturn the ruling, arguing that it will “suffer irreparable, potentially existential injuries” and be forced out of business. “And the injunction prohibits NSO from engaging in entirely lawful conduct to develop, license, and sell products used in authorized government investigations — a prohibition that would devastate NSO’s business and could well force it out of business entirely,” the motion reads.
  • Ohio Contractor Pleads Guilty to Hacking Former Employer — Maxwell Schultz, a 35-year-old man from Ohio, pleaded guilty to charges related to hacking into the network of his former employer. The incident took place in 2021, after the unnamed company terminated Schultz’s employment in its IT department. According to the U.S. Justice Department, Schultz accessed the company’s network by impersonating another contractor to obtain login credentials. “He ran a PowerShell script that reset approximately 2,500 passwords, locking thousands of employees and contractors out of their computers nationwide,” the department said. “Schultz also searched for ways to delete logs, PowerShell window events and cleared multiple system logs.” The incident caused the company $862,000 in losses. Schultz admitted that he conducted the attack because “he was upset about being fired.” He faces up to 10 years in federal prison and a possible $250,000 maximum fine.
  • Security Flaws in Cline Bot AI — Security vulnerabilities have been discovered in an open-source AI coding assistant called Cline that could expose users to prompt injection and malicious code execution when opening specially crafted source code repositories. The issues were addressed in Cline v3.35.0. “System prompts are not harmless configuration text. They shape agent behavior, influence privilege boundaries, and significantly increase attacker leverage when exposed verbatim,” Mindgard researcher Aaron Portnoy said. “Treating prompts as non-sensitive overlooks the reality that modern agents combine language, tools, and code execution into a single operational surface. Securing AI agents like Cline requires recognizing that prompts, tool wiring, and agent logic are tightly connected, and each must be handled as part of the security boundary.”
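
The PyPI item above rests on one distinction: a TOTP code is valid wherever it is typed, while a WebAuthn assertion is signed over data that names the origin the browser was actually on. The block below is an added example, not PyPI's code or anything from the WebAuthn libraries. Its TOTP half is a straight RFC 6238 implementation (HMAC-SHA1, 30-second step, 6 digits) checked against the RFC's published test vector. Its WebAuthn half is simplified: the relying-party origin `https://pypi.example`, the challenge values and the authenticator key are constructed, and HMAC-SHA256 stands in for the authenticator's asymmetric signature so the example runs on the standard library alone; the origin check in `verify_assertion` is what the passage is about.

```python
import hashlib
import hmac
import json
import struct

# ---------- TOTP (RFC 6238 on top of RFC 4226 HOTP) ----------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int) -> bool:
    """The server can only check the digits; nothing ties them to where they were typed,
    so a code relayed from a phishing page verifies just as well."""
    return hmac.compare_digest(totp(secret, at), code)


# ---------- WebAuthn-style assertion (simplified, stand-in signature) ----------

RP_ORIGIN = "https://pypi.example"   # hypothetical relying-party origin


def make_assertion(auth_key: bytes, origin_seen_by_browser: str, challenge: str) -> dict:
    """What the browser + authenticator return for navigator.credentials.get().

    The browser itself writes the page's origin into clientDataJSON; script on the
    page cannot choose it. The signature covers authenticatorData || SHA-256(clientDataJSON),
    so the origin field cannot be rewritten afterwards without breaking the signature.
    HMAC-SHA256 with a shared test key replaces the real per-credential ECDSA key here.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin_seen_by_browser},
        sort_keys=True,
    ).encode()
    # Toy authenticatorData: rpIdHash || flags (user-present bit set).
    authenticator_data = hashlib.sha256(RP_ORIGIN.encode()).digest() + b"\x01"
    signed = authenticator_data + hashlib.sha256(client_data).digest()
    return {
        "clientDataJSON": client_data,
        "authenticatorData": authenticator_data,
        "signature": hmac.new(auth_key, signed, hashlib.sha256).digest(),
    }


def verify_assertion(auth_key: bytes, assertion: dict, expected_challenge: str) -> bool:
    """Relying-party checks, in the order a real verifier performs them."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False
    if client.get("challenge") != expected_challenge:   # replay / stale challenge
        return False
    if client.get("origin") != RP_ORIGIN:               # the check that defeats relay phishing
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(auth_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


if __name__ == "__main__":
    secret = b"12345678901234567890"            # RFC 6238 test secret
    print("TOTP at t=59:", totp(secret, 59))     # RFC vector: 287082
    key = b"constructed-authenticator-key"
    print("assertion from real site:", verify_assertion(key, make_assertion(key, RP_ORIGIN, "c1"), "c1"))
    print("assertion relayed via phishing origin:",
          verify_assertion(key, make_assertion(key, "https://pypi-login.example", "c1"), "c1"))
```

Run stand-alone it prints the RFC test code and then `True` / `False` for the two assertions: the one produced while the browser sat on the real origin verifies, and the one a phishing page relays carries the phishing origin inside the signed client data and is rejected before the signature is even checked.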

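The GreyNoise item describes the signal a defender can reproduce from their own access logs: a sudden multiple of the usual request rate against one login URI, from many sources. The script below is an added example, not GreyNoise's tooling; the log lines are constructed (documentation IP ranges, made-up timestamps), and the 40x threshold and the median-of-history baseline are this example's choices, picked to match the figure quoted above.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

TARGET_URI = "/global-protect/login.esp"

# Common Log Format-style line:
# ip ident user [dd/Mon/yyyy:hh:mm:ss zone] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/[A-Za-z]{3}/\d{4}):[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line: str):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def daily_hits(lines, uri=TARGET_URI):
    """Count requests per day whose path ends with `uri` (query string ignored)
    and collect the distinct source IPs seen each day."""
    counts = Counter()
    sources = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].split("?", 1)[0].endswith(uri):
            counts[rec["day"]] += 1
            sources[rec["day"]].add(rec["ip"])
    return counts, sources


def find_surges(counts, factor=40, min_baseline_days=3):
    """Flag days whose hit count is at least `factor` times the median of all
    earlier days, once `min_baseline_days` of history exist."""
    days = sorted(counts, key=lambda d: datetime.strptime(d, "%d/%b/%Y"))
    flagged = []
    for i, day in enumerate(days):
        history = [counts[d] for d in days[:i]]
        if len(history) < min_baseline_days:
            continue
        baseline = median(history)
        if baseline > 0 and counts[day] >= factor * baseline:
            flagged.append(day)
    return flagged


def sample_log():
    """Constructed access log: four quiet days, one burst day, one quiet day after."""
    lines = []
    quiet = {"10/Nov/2025": 2, "11/Nov/2025": 3, "12/Nov/2025": 2, "13/Nov/2025": 3}
    for day, n in quiet.items():
        for i in range(n):
            lines.append(f'198.51.100.{i + 1} - - [{day}:08:{i:02d}:00 +0000] '
                         f'"GET {TARGET_URI} HTTP/1.1" 200 1024')
    for i in range(120):   # burst from 120 distinct constructed sources
        lines.append(f'203.0.113.{i + 1} - - [14/Nov/2025:03:{i % 60:02d}:00 +0000] '
                     f'"GET {TARGET_URI}?id=x HTTP/1.1" 200 1024')
    lines.append('192.0.2.9 - - [14/Nov/2025:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 300')
    lines.append(f'198.51.100.7 - - [15/Nov/2025:08:00:00 +0000] "GET {TARGET_URI} HTTP/1.1" 200 1024')
    return lines


def analyze(lines=None):
    """Run the pipeline; returns (per-day counts, per-day source sets, flagged days)."""
    lines = sample_log() if lines is None else lines
    counts, sources = daily_hits(lines)
    return counts, sources, find_surges(counts)


if __name__ == "__main__":
    counts, sources, surges = analyze()
    for day in sorted(counts, key=lambda d: datetime.strptime(d, "%d/%b/%Y")):
        mark = "  <-- surge" if day in surges else ""
        print(f"{day}: {counts[day]} hits from {len(sources[day])} sources{mark}")
```

On the constructed log only 14 November is flagged: 120 hits against a median baseline of 2.5 clears the 40x bar, and the distinct-source count shows it is broad scanning rather than one misbehaving client. On real logs, feed the function the lines for the URI your own VPN portal exposes and tune `factor` to your traffic.
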
🎥 Cybersecurity Webinars

  • Guardrails for Chaos: How to Patch Fast Without Opening the Door to Attackers — Community tools like Chocolatey and Winget help teams patch software fast. But they can also hide risks — old code, missing checks, and unsafe updates. Gene Moody from Action1 shows how to use these tools safely, with clear steps to keep speed and security in balance.
  • Meet WormGPT, FraudGPT, and SpamGPT — the Dark Side of AI You Need to See — AI tools are now helping criminals send fake emails. Names like WormGPT, FraudGPT, and SpamGPT can write or send these messages fast. They make emails that look real and can fool people and filters. Many security tools can’t keep up. Leaders need to see how these attacks work and learn how to stop them before passwords get stolen.
  • Misconfigurations, Misuse, and Missed Warnings: The New Cloud Security Equation — Hackers are finding new ways to break into cloud systems. Some use weak identity settings in AWS. Others hide bad AI models by copying real ones. Some take too many permissions in Kubernetes. The Cortex Cloud team will show how their tools can spot these problems early and help stop attacks before they happen.

🔧 Cybersecurity Tools

  • YAMAGoya — A new free tool from JPCERT/CC. It helps find strange or unsafe actions on Windows in real time. It watches files, programs, and network moves, and checks memory for hidden threats. It uses Sigma and YARA rules made by the security community. You can run it with a window or from the command line. It also saves alerts to Windows logs so other tools can read them.
  • Metis — A free tool made by Arm’s Product Security Team. It uses AI to check code for security problems. It helps find small bugs that normal tools miss. It works with C, C++, Python, Rust, and TypeScript. You can run it on your computer or add it to your build system.

Disclaimer: These tools are for learning and research only. They haven’t been fully tested for security. If used the wrong way, they could cause harm. Check the code first, test only in safe places, and follow all rules and laws.

Conclusion

Each week proves that the cyber threat landscape never stands still. From patched vulnerabilities to sprawling botnets and inventive new attack methods, defenders are locked in a constant race to stay ahead. Even small lapses — a missed update or a weak integration — can create major openings for attackers.

Staying ahead demands attention to detail, lessons from every breach, and quick action when alerts appear. As the boundary between software and security continues to blur, awareness remains our strongest line of defense.

Stay tuned for next week’s RECAP, where we track the threats, patches, and patterns shaping the digital world.
