Weekly Cyber News Rollup, November 14th, 2025

This is your weekly cyber news roll-up for the week ending November 14th, 2025.
You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news.
A newly exposed flaw in popular Samsung phones is being used to install stealthy spyware on targeted devices. Investigators say attackers trigger the bug with a crafted message or file and then quietly gain access to calls, texts, and location data. This is not a niche problem. It matters because employees often use these phones for work email and sign-in codes, turning personal devices into quiet entry points. The most exposed groups are companies with bring-your-own-device policies, and the immediate step is to push updates and watch mobile security alerts closely.
A group linked to North Korea is hijacking Google account recovery tools to track, lock, and even wipe Android phones remotely. They first steal credentials, then use the built-in Find My Device features as a kind of remote kill switch against targets. The technique blends into normal recovery traffic. It should worry organizations whose staff rely on Google accounts and Android devices for daily work and communication. Right now defenders are tightening phishing-resistant multi-factor authentication and reviewing high-risk account actions in sign-in and admin logs.
Malicious extensions inside the Visual Studio Code editor are posing as helpful tools while secretly stealing developer secrets. Once installed, these booby-trapped add-ons quietly harvest tokens, keys, and repository details from local machines and developer environments. That theft turns into a supply chain threat. Development and platform teams are most at risk because stolen credentials can unlock build pipelines, container registries, and internal source code far from the original laptop. The near-term focus is auditing which extensions are allowed, pruning risky ones, and monitoring build systems for unusual access patterns tied to extension changes.
A breach at China-based security firm Knownsec has spilled tools and data apparently tied to state-aligned hacking teams. The exposed material includes command-and-control helpers, scanning playbooks, and target information for organizations in multiple regions and sectors. For defenders this leak functions like an early-warning flare. Governments, telecom providers, financial institutions, and major cloud and internet companies are especially likely to see overlap with their own attack surface. Security teams are now mining the leaked details for infrastructure clues and turning them into fresh detections and hunting queries across network, endpoint, and cloud logs.
A ready-made phishing kit known as Quantum Route is helping criminals steal Microsoft three sixty five logins at scale. The kit chains together convincing lookalike pages and smart redirects so victims believe they are still on trusted company or cloud sites. This automation lowers the bar for highly effective phishing. Executives, finance staff, and anyone who approves payments or handles sensitive documents are right in the blast radius. Defenders are responding by pushing phishing-resistant multi-factor authentication, tightening post-login monitoring, and watching mailboxes for strange forwarding rules or payment requests that follow a sign-in from a new location.
A Russian-speaking criminal group has created thousands of fake hotel booking sites that mimic real brands to harvest card data. Unsuspecting travelers type in payment numbers, security codes, and personal trip details that flow straight to the attackers rather than to a legitimate reservation system. The scam turns travel planning into a quiet breach. Business travelers using corporate cards and loyalty accounts sit squarely in the risk zone along with the hotels whose reputations are being abused. Fraud and security teams are now tightening which booking sites are approved, warning staff, and looking for new hotel domains that suddenly appear in corporate logs.
New research into open source projects on GitHub found that several well-known artificial intelligence companies had inadvertently exposed secrets there. Investigators saw passwords, tokens, and configuration files sitting in public or poorly controlled repositories where anyone could copy them. These were not obscure internal tools. The leaks show how rushed development cycles and complex machine learning pipelines can push sensitive data into version control systems that were never meant to store it. Organizations building advanced models are revisiting their source control practices and adding automated secret scanning and stronger review gates for projects that touch production systems and training data.
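The post-login monitoring described for the Quantum Route item, worked as an added example (this is not code from the newsletter or from any vendor). It correlates sign-ins from a country outside a user's baseline with external mailbox forwarding rules created shortly afterwards. The audit-log format, the org domain, the per-user location baseline and the sample events are all constructed for the demo; a real tenant's audit log would need its own parser in place of `parse_events`.

```python
"""Flag external mailbox forwarding rules created soon after a sign-in from an
unfamiliar country. Added example with a constructed, simplified log format:
<timestamp> <user> <event> <country> <detail>
"""
from collections import defaultdict
from datetime import datetime, timedelta

ORG_DOMAIN = "example.com"  # assumed tenant domain for the demo

# Assumed baseline: countries each user normally signs in from (e.g. last 30 days).
KNOWN_LOCATIONS = {
    "alice@example.com": {"US"},
    "bob@example.com": {"US"},
    "carol@example.com": {"US"},
}

# Constructed sample events, not real logs. alice: new country, then external
# forward 8 minutes later. bob: familiar country, internal forward. carol: new
# country, external forward but hours later (outside the correlation window).
SAMPLE_LOG = """\
2025-11-10T08:02:11Z alice@example.com SignIn US -
2025-11-10T09:15:40Z alice@example.com SignIn US -
2025-11-12T03:21:05Z alice@example.com SignIn RO -
2025-11-12T03:29:50Z alice@example.com NewInboxRule RO forward_to=mailbox@attacker.example
2025-11-12T10:00:00Z bob@example.com SignIn US -
2025-11-12T10:05:00Z bob@example.com NewInboxRule US forward_to=archive@example.com
2025-11-12T11:00:00Z carol@example.com SignIn BR -
2025-11-12T15:30:00Z carol@example.com NewInboxRule BR forward_to=personal@mail.example
"""


def parse_events(log_text):
    """Parse the constructed log format into dicts, ordered by timestamp."""
    events = []
    for line in log_text.splitlines():
        ts, user, event, country, detail = line.split(" ", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "event": event,
            "country": country,
            "detail": detail,
        })
    return sorted(events, key=lambda e: e["ts"])


def is_external(address, org_domain=ORG_DOMAIN):
    """True when a forwarding target lies outside the organisation's domain."""
    return address.rsplit("@", 1)[-1].lower() != org_domain


def find_suspicious_forwards(events, known_locations, window=timedelta(hours=1)):
    """Return (severity, user, country, target) for external forwarding rules.

    high   - rule created within `window` of a sign-in from an unfamiliar country
    medium - external forward with no such recent sign-in (still worth a look)
    Internal forwards are ignored entirely.
    """
    new_location_signins = defaultdict(list)
    alerts = []
    for ev in events:
        if ev["event"] == "SignIn":
            baseline = known_locations.get(ev["user"], set())
            if ev["country"] not in baseline:
                new_location_signins[ev["user"]].append(ev["ts"])
        elif ev["event"] == "NewInboxRule" and ev["detail"].startswith("forward_to="):
            target = ev["detail"].split("=", 1)[1]
            if not is_external(target):
                continue
            recent = [t for t in new_location_signins[ev["user"]]
                      if timedelta(0) <= ev["ts"] - t <= window]
            severity = "high" if recent else "medium"
            alerts.append((severity, ev["user"], ev["country"], target))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_forwards(parse_events(SAMPLE_LOG), KNOWN_LOCATIONS):
        print(alert)
```

The one-hour window and the static baseline are tuning knobs: a longer window catches slower hands-on-keyboard activity at the cost of more medium findings, and a baseline learned from the prior month's sign-ins replaces the hard-coded dictionary in practice.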
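The automated secret scanning mentioned for the GitHub item, as an added example rather than any company's actual tooling. It combines fixed-format patterns (an AWS access key ID prefix, a PEM private key header) with a generic `name = value` pattern that is filtered by Shannon entropy so that obvious placeholders such as `changemechangeme` do not page anyone. The file contents are constructed for the demo; the AWS value is the documented example key, not a live credential. In practice this logic runs as a pre-commit hook or a CI step over the actual checkout.

```python
"""Minimal entropy-aware secret scanner. Added example; the sample repository
contents below are constructed and contain no real credentials."""
import math
import re
from collections import Counter

# Detection patterns. The generic one deliberately omits a leading \b so that
# prefixed names such as hf_token or DB_PASSWORD still match.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{12,})"
    ),
}

# Constructed sample files keyed by path (a fake checkout).
SAMPLE_FILES = {
    "README.md": "Set API_KEY in your environment before running.\n",
    "config/settings.py": (
        "DEBUG = True\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'   # AWS documentation example key
        'DATABASE_PASSWORD = "changemechangeme"\n'      # low-entropy placeholder
    ),
    "secrets/deploy_key": "-----BEGIN OPENSSH PRIVATE KEY-----\nREDACTED_SAMPLE_BODY\n",
    "train/pipeline.yaml": "hf_token: hf_fAkEtOkEn9Q2xL7mN3pR8sT1vW4yZ0bC\n",  # constructed
}


def shannon_entropy(s):
    """Bits of entropy per character; random tokens score well above prose."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text, min_entropy=3.5):
    """Return (path, line_number, pattern_name) for each likely secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            # For the generic pattern, drop values that look like placeholders.
            if name == "generic_assignment" and shannon_entropy(match.group(1)) < min_entropy:
                continue
            findings.append((path, lineno, name))
    return findings


def scan_repo(files):
    """Scan every file in a path -> contents mapping, in sorted path order."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


if __name__ == "__main__":
    for finding in scan_repo(SAMPLE_FILES):
        print("%s:%d  %s" % finding)
```

Two things the paragraph does not show are visible here: the README mention of `API_KEY` with no value is correctly ignored, and the placeholder password is suppressed only by the entropy check, so lowering `min_entropy` trades false positives for coverage of weak but real secrets.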
Criminals are abusing WhatsApp screen sharing and mirroring features to watch everything a victim does on their phone in real time. They pose as bank or support staff, then walk people through a fake fix that ends with a full screen share of live activity. At that point the account is wide open. The main victims are people managing personal or business finances on mobile devices while trusting unsolicited support calls or messages. Banks and security teams are warning customers about these tactics, adjusting help scripts, and increasing monitoring for rapid transfers or new payees created during or right after remote support sessions.
United States cyber authorities are warning that a critical flaw in widely used WatchGuard firewalls is being actively exploited on the internet. Attackers who reach these devices can seize powerful control over traffic flows and internal access without needing valid credentials or existing accounts. That makes every exposed edge device a potential beachhead. Small and mid-sized organizations that rely on these firewalls at branch offices, remote sites, and managed service providers are most at risk. The immediate push is to apply vendor fixes, lock down remote management, and closely review administrator logins and configuration changes around the time patches are rolled out.
The Akira ransomware operation has expanded its targeting to include virtual machines running on Nutanix platforms, not just standard file servers. By striking the virtualization layer, the group can disrupt many applications and datasets at once rather than encrypting systems one by one. The change increases the blast radius of any successful breach. Data center and cloud operations teams that rely heavily on Nutanix clusters for critical workloads face the greatest exposure. Right now defenders are validating backups, tightening privileged access paths into these platforms, and tuning detections for suspicious activity at the hypervisor and management plane levels.
A sophisticated threat actor has chained zero-day flaws in Cisco identity services and Citrix NetScaler appliances to quietly burrow into identity systems. By abusing these weaknesses, the group can bypass normal authentication controls and move laterally using the very platforms that manage logins and single sign-on. That undercuts trust in the core of access infrastructure. Large enterprises and service providers that run these identity and access products sit in the direct line of fire. Incident responders are urgently checking for signs of compromise, applying emergency updates, and hardening monitoring around identity infrastructure that was once assumed to be a reliable gatekeeper.
The breach notification service Have I Been Pwned has added nearly two billion records from a company called Synthient to its database. Exposed information includes email addresses and related details that can help criminals tune phishing, credential stuffing, and social engineering campaigns. It is a massive new trove. People whose addresses now appear in the service and the organizations they belong to face elevated risk of targeted messages that feel unusually personal. Security teams are using the updated data to refine awareness campaigns and to justify stronger authentication and monitoring wherever these exposed email identities can access sensitive systems.
Investigators have revealed that a China-linked group quietly maintained access inside a United States policy nonprofit for an extended period. The attackers used that foothold to monitor internal discussions, study draft reports, and understand how foreign policy thinking was evolving behind the scenes. Such access offers strategic insight rather than quick financial gain. Policy staff, researchers, and the organizations they advise stand to have their work shaped or anticipated by this kind of espionage. The case is driving renewed scrutiny of security controls at nonprofits and think tanks and renewed interest in targeted monitoring around email, conferencing, and document systems they rely on.
Criminals are abusing Booking dot com style workflows with an "I Paid Twice" themed scam that delivers the PureRAT malware to hotel guests. Victims receive messages that appear to come from real properties, complete with booking details that make the outreach feel legitimate and urgent. That realism quickly lowers normal suspicion. Guests and hotel partners who click through these messages risk installing a remote access tool that can harvest passwords, browser cookies, and stored wallet data. Hotels and travel platforms are updating guidance to staff and guests while investigating how criminals are abusing legitimate communication channels to inject these poisoned instructions.
Google Maps has introduced a new tool that lets business owners report and challenge review extortion attacks directly inside the platform. In these schemes, attackers threaten to flood a page with negative reviews unless the business pays up, then follow through if ignored. The damage can arrive very fast. Restaurants, clinics, hotels, and small retailers that rely on search visibility and ratings are prime targets. The new reporting channel is meant to speed investigation and takedown, and affected businesses are being encouraged to document abusive reviews quickly so that support teams can see patterns and act decisively.
Another WhatsApp-related issue has come to light, this time involving an image-based zero-day that let the LANDFALL spyware hijack Samsung phones. The exploit package arrived through seemingly harmless media, then activated when the device parsed the image content in the background. Victims never had to tap anything. People using these phones for personal and work communication, especially in sensitive roles, faced silent exposure of messages, microphone audio, and device data. Emergency patches are now available, and organizations are pressing for rapid installation while also revisiting how they monitor mobile fleets for signs of advanced spyware infections.
Serious flaws in the runC container runtime have been disclosed that allow a malicious container to escape into the underlying Kubernetes host. By abusing these weaknesses, an attacker who compromises a single container can gain far broader control, including access to other workloads that were assumed to be isolated. This changes the risk model for many clusters. Teams that pack multiple applications onto shared hosts and rely on multi-tenant container platforms face the largest impact. Cloud providers and distributions have issued fixes, and security teams are racing to patch, review cluster designs, and expand detection around container startup and host-level activity.
That’s the BareMetalCyber Weekly Roll-Up for the week ending November 14th, 2025. For more, visit BareMetalCyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news. We’ll be back next week.