Ticker feed
Chinese state-sponsored hackers used Anthropic's Claude AI chatbot to target about 30 companies across tech, finance, chemical manufacturing, and government sectors in what's believed to be the first major cyberattack executed almost entirely by AI.
The hackers tricked Claude into believing it was a cybersecurity employee conducting defensive testing, then used it to gather usernames and passwords at thousands of requests per second—a speed impossible for human hackers. While only a small number of attacks succeeded, the September operation marks a troubling milestone in AI-powered cybercrime.
Anthropic warns that AI agents will make cyberattacks cheaper, faster, and more sophisticated as the technology becomes widely available to criminals.
Source: CBS News
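The speed in the story above is itself a detection signal: a human retrying a password produces a handful of attempts per minute, while an automated harvester touches many accounts in a second. The following is an added example (not code from the article or from Anthropic) that flags sources whose authentication attempts exceed a human-plausible rate while spanning many accounts. The log line format, the thresholds and the sample data are constructed assumptions; a real deployment would read its IdP or VPN logs and tune the numbers to its own baseline.

```python
# Added example (not from the article or from Anthropic): flag sources whose
# credential attempts arrive faster, and against more accounts, than a human
# could manage. Log format, thresholds and sample data are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(seconds=10)   # sliding window length (assumed)
MAX_ATTEMPTS = 30                # more than this per window is non-human (assumed)
MIN_DISTINCT_USERS = 10          # one source, many accounts: spraying/harvesting


def parse_line(line):
    """Parse a constructed '<iso-ts> <src-ip> <user> <result>' auth log line."""
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, user, result


def find_bursts(lines, window=WINDOW, max_attempts=MAX_ATTEMPTS,
                min_users=MIN_DISTINCT_USERS):
    """Return {src_ip: details} for sources that exceed max_attempts in one
    trailing window while touching at least min_users distinct accounts."""
    by_src = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, src, user, _ = parse_line(line)
            by_src[src].append((ts, user))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        in_window = deque()
        peak, peak_users = 0, set()
        for ts, user in events:
            in_window.append((ts, user))
            # drop events that have fallen out of the trailing window
            while ts - in_window[0][0] > window:
                in_window.popleft()
            if len(in_window) > peak:
                peak = len(in_window)
                peak_users = {u for _, u in in_window}
        if peak > max_attempts and len(peak_users) >= min_users:
            findings[src] = {
                "peak_attempts": peak,
                "distinct_users": len(peak_users),
                "rate_per_s": peak / window.total_seconds(),
            }
    return findings


def build_sample_log():
    """Constructed sample: one human retrying a password over a few minutes,
    and one automated source trying 200 accounts within a single second."""
    base = datetime(2025, 9, 14, 10, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(5):
        t = base + timedelta(seconds=40 * i)
        lines.append(f"{t.isoformat()} 198.51.100.5 alice {'OK' if i == 4 else 'FAIL'}")
    for i in range(200):
        t = base + timedelta(seconds=90, milliseconds=5 * i)
        lines.append(f"{t.isoformat()} 203.0.113.7 user{i:03d} FAIL")
    return lines


if __name__ == "__main__":
    for src, info in find_bursts(build_sample_log()).items():
        print(f"{src}: {info['peak_attempts']} attempts against "
              f"{info['distinct_users']} accounts in {WINDOW.total_seconds():.0f}s "
              f"({info['rate_per_s']:.0f}/s)")
```

The distinct-account condition matters: a single misconfigured service account can also fail hundreds of times per second, but it fails against one identity. Requiring both a high rate and many accounts keeps that noise out while still catching the harvesting pattern.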
The Washington Post confirmed hackers stole personal data from nearly 10,000 current and former employees and contractors through a breach of its Oracle system. The Clop ransomware group exploited a zero-day vulnerability in Oracle E-Business Suite between July 10 and August 22, accessing names, Social Security numbers, and bank account details.
Clop contacted the newspaper on September 29 demanding ransom, with some victims facing demands up to $50 million. The Washington Post joins dozens of Oracle customers targeted in this campaign, including Envoy Air and GlobalLogic. Oracle patched the vulnerability in October, but Clop has threatened to leak stolen data from nearly 30 organizations unless paid.
Source: CyberScoop
Amazon's threat intelligence team discovered that an unnamed advanced persistent threat (APT) group exploited two critical vulnerabilities as zero-days, before the vendors had issued patches: CitrixBleed 2 (CVE-2025-5777) in Citrix NetScaler and a maximum-severity bug (CVE-2025-20337) in Cisco Identity Services Engine (ISE), each for about a month before public disclosure.
CitrixBleed 2 is a memory over-read that leaks session tokens, letting attackers hijack authenticated NetScaler sessions, admin sessions included; the Cisco flaw gives unauthenticated remote code execution as root. Amazon observed the same actor hitting both products in the same period, deploying custom web shells designed to stay resident in memory rather than on disk.
Exploitation before a fix exists, and in the gap before customers apply one, shows how advanced actors go after identity and access infrastructure at the network edge. Organizations should assume edge devices can be compromised, limit the blast radius of any single appliance, and shift from patch-centric to exposure-centric security.
Source: Dark Reading
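A leaked session token is only useful to an attacker who replays it, and a replay shows up in access logs as one session identifier arriving from a second client address shortly after its owner used it. The following is an added example (not code from the article, Amazon or Citrix) of that check over a constructed access log; the line format, the sample entries, the "management API" path prefixes and the time threshold are assumptions, not any appliance's real log format.

```python
# Added example (not from the article, Amazon or Citrix): spot a session
# identifier that is reused from a second client address soon after its owner
# used it, the trace a stolen token leaves. Log format, sample lines, admin
# path prefixes and the gap threshold are assumptions.
from collections import defaultdict
from datetime import datetime

# Constructed access log: "<iso-ts> <src-ip> <user> <session-id> <path>"
SAMPLE_LOG = """\
2025-07-02T09:00:00+00:00 198.51.100.5  alice SESS-a1 /vpn/index.html
2025-07-02T09:01:10+00:00 198.51.100.5  alice SESS-a1 /cgi/tmlogin
2025-07-02T09:02:30+00:00 203.0.113.9   alice SESS-a1 /nitro/v1/config/nsrunningconfig
2025-07-02T09:02:31+00:00 203.0.113.9   alice SESS-a1 /nitro/v1/config/systemuser
2025-07-02T09:05:00+00:00 198.51.100.77 bob   SESS-b2 /vpn/index.html
2025-07-02T09:06:00+00:00 198.51.100.77 bob   SESS-b2 /cgi/tmlogin
2025-07-02T08:00:00+00:00 192.0.2.10    carol SESS-c3 /vpn/index.html
2025-07-02T17:30:00+00:00 192.0.2.44    carol SESS-c3 /vpn/index.html
"""

ADMIN_PREFIXES = ("/nitro/", "/rapi/")   # assumed management-API paths


def parse(log):
    """Yield (ts, ip, user, session_id, path) tuples from the constructed format."""
    for line in log.splitlines():
        if line.strip():
            ts, ip, user, sid, path = line.split()
            yield datetime.fromisoformat(ts), ip, user, sid, path


def find_replayed_sessions(log, max_gap_seconds=900):
    """Return {session_id: details} for sessions whose next request came from a
    different client address within max_gap_seconds of the previous request.
    A long gap (a laptop moving networks hours later) is not flagged."""
    per_session = defaultdict(list)
    for ts, ip, user, sid, path in parse(log):
        per_session[sid].append((ts, ip, user, path))

    findings = {}
    for sid, events in per_session.items():
        events.sort()
        for (t_prev, ip_prev, user, _), (t_cur, ip_cur, _, path) in zip(events, events[1:]):
            gap = (t_cur - t_prev).total_seconds()
            if ip_cur != ip_prev and gap <= max_gap_seconds:
                findings[sid] = {
                    "user": user,
                    "ips": sorted({ip_prev, ip_cur}),
                    "gap_seconds": gap,
                    # first request from the new address hit a management API
                    "admin_api": path.startswith(ADMIN_PREFIXES),
                }
                break
    return findings


if __name__ == "__main__":
    for sid, info in find_replayed_sessions(SAMPLE_LOG).items():
        print(f"{sid} ({info['user']}): {' -> '.join(info['ips'])} after "
              f"{info['gap_seconds']:.0f}s, admin API: {info['admin_api']}")
```

The `admin_api` flag is what turns a possible roaming user into a priority: a token that changes address and immediately starts reading configuration or user accounts is the sequence to expect after a token-leaking bug on an edge appliance.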
Google filed a federal lawsuit against Chinese cybercriminals running "Lighthouse," a massive text-message phishing network that compromised 15-100 million credit cards and affected over one million victims in the U.S.
The scammers sent fake texts about "stuck packages" or "unpaid tolls" to steal passwords and credit card information. Google's general counsel Halimah DeLaine Prado said they're using the RICO Act—typically reserved for organized crime—to target 25 unknown operators who built a "phishing-as-a-service" platform.
The lawsuit aims to deter future criminals rather than recover victim losses. While prosecuting overseas scammers is challenging, experts say it could disrupt similar operations and prevent these individuals from traveling to the U.S.
Source: CBS News
Google filed a lawsuit against Smishing Triad, a Chinese cybercrime group operating since 2023. The group uses their "Lighthouse" phishing kit to send fake SMS messages impersonating delivery services like USPS, banks, and healthcare organizations.
The scam has reached over one million users across 120+ countries, with an estimated 12-115 million stolen credit cards in the US alone. Google discovered more than 100 phishing templates copying its own brand.
The lawsuit targets the group under federal racketeering and fraud laws, allowing Google to seize malicious domains and unmask the criminals' identities. Google also supports new congressional bills aimed at protecting retirees and blocking foreign robocalls.
Source: Security Week
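Both Lighthouse items above describe the same lure structure: a delivery or toll pretext, a deadline, and a link whose hostname borrows a brand name without being that brand's domain. The following is an added example (not code from either article or from Google) that scores SMS text for that pattern and runs over constructed sample messages; the brand-to-domain map, the phrase list, the weights, the risky-TLD set and the messages are all assumptions for illustration, not data from the lawsuit. It also covers the subdomain trick (`brand.com.attacker-host.tld`) that a naive "does the URL contain the brand" check gets wrong.

```python
# Added example (not from the articles or from Google): score SMS text for a
# delivery/toll lure plus a brand-lookalike link. Brand map, phrase list,
# weights, TLD list and sample messages are constructed assumptions.
import re
from urllib.parse import urlparse

# brand keyword -> domains the brand actually uses (illustrative, assumed)
BRAND_DOMAINS = {
    "usps": ("usps.com",),
    "fedex": ("fedex.com",),
    "dhl": ("dhl.com",),
    "ezpass": ("e-zpassny.com", "ezpassnj.com"),
    "google": ("google.com", "gmail.com"),
}
LURE_PHRASES = ("package", "parcel", "stuck", "redeliver", "delivery",
                "unpaid toll", "toll", "within 24 hours", "final notice",
                "suspend", "verify your")
RISKY_TLDS = {"top", "xyz", "vip", "icu", "cfd"}   # assumed list
URL_RE = re.compile(r"https?://\S+", re.I)
THRESHOLD = 3


def lookalike_brand(host):
    """Return the brand a hostname imitates, or None when it mentions no brand
    or is genuinely under one of that brand's own domains. Short brand names
    would need a curated list in production to avoid substring noise."""
    host = host.lower()
    tokens = re.split(r"[^a-z0-9]+", host)
    for brand, real in BRAND_DOMAINS.items():
        if any(brand in tok for tok in tokens):
            # registrable-domain check: 'usps.com.evil.top' must not pass
            if any(host == d or host.endswith("." + d) for d in real):
                return None
            return brand
    return None


def lure_score(text):
    """Return (score, reasons) for one message; score >= THRESHOLD is a likely smish."""
    low = text.lower()
    reasons = []
    hits = [p for p in LURE_PHRASES if p in low]
    if hits:
        reasons.append("lure phrases: " + ", ".join(hits[:3]))
    score = min(len(hits), 2)          # wording alone never reaches the threshold
    for url in URL_RE.findall(text):
        host = (urlparse(url.rstrip(".,!?)")).hostname or "").lower()
        brand = lookalike_brand(host)
        if brand:
            score += 3
            reasons.append(f"{host} imitates {brand}")
        tld = host.rsplit(".", 1)[-1]
        if tld in RISKY_TLDS:
            score += 1
            reasons.append(f"risky TLD .{tld}")
    return score, reasons


def classify(messages):
    """True for each message that crosses THRESHOLD."""
    return [lure_score(m)[0] >= THRESHOLD for m in messages]


# Constructed sample messages (not real texts from the campaign)
SAMPLE_MESSAGES = [
    "USPS: your package is stuck at our facility. Confirm your address "
    "within 24 hours: https://usps-redelivery.top/track",
    "E-ZPass Final Notice: unpaid toll $4.15. Pay now to avoid a late fee "
    "https://ezpass-ny.vip/pay",
    "Your USPS package is out for delivery. Track it at "
    "https://tools.usps.com/go/TrackConfirmAction",
    "Hey, still on for dinner tonight?",
    "Gmail: unusual sign-in. Verify your account: "
    "https://accounts.google.com.security-check.top/login",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        score, reasons = lure_score(msg)
        print(f"{score:>2} {'SMISH' if score >= THRESHOLD else 'ok   '} {reasons}")
```

Capping the phrase contribution at 2 is deliberate: a genuine carrier notification also says "package" and "delivery", so wording alone must never cross the threshold. The link is what carries the decision, and the check compares the whole hostname against the brand's registrable domains rather than looking for the brand string anywhere in the URL.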
Microsoft released its November 2025 Patch Tuesday updates on November 11, fixing 63 security flaws across Windows, Office, Azure, and Visual Studio. The most urgent concern is CVE-2025-62215, a zero-day Windows Kernel vulnerability already being exploited by attackers to escalate privileges on compromised systems.
Five critical vulnerabilities lead the pack, including CVE-2025-62199 in Microsoft Office that allows remote code execution through malicious documents, and CVE-2025-60724 in GDI+ enabling network-based attacks on graphics applications.
The remaining 57 flaws rated "Important" are primarily elevation-of-privilege bugs, affecting everything from Smart Card services to Kerberos authentication. Security teams should patch promptly: the exploited kernel bug is a local privilege escalation, so it is used after an attacker already has a foothold, and no workaround is available for it.
Source: Cyber Security News
The Qilin ransomware group has ramped up attacks on small and medium businesses, particularly in construction, healthcare, and finance sectors. Security firm S-RM reports that 88% of 2025 cases involved both data theft and file encryption, with stolen information posted on dark web sites when ransoms aren't paid.
Qilin exploits basic vulnerabilities like unpatched VPNs, missing multi-factor authentication, and exposed management interfaces. The group operates like a tech business, renting tools to affiliates including members of Scattered Spider.
While major attacks like the 2024 UK healthcare breach grab headlines, most victims are smaller organizations. S-RM urges companies to patch VPNs regularly, enable multi-factor authentication, and monitor networks for intrusion signs.
Source: Infosecurity Magazine
UK transport and cyber-security officials are investigating whether hundreds of Chinese-made Yutong buses operating across Britain could be remotely controlled by their manufacturer. The probe follows Norwegian findings that Yutong buses could theoretically be "stopped or rendered inoperable" through over-the-air software updates via mobile networks.
Yutong buses run in Bristol, Essex, Leicester, Nottingham, and other UK locations. The company has exported nearly 110,000 buses to over 100 countries, capturing 10% of the global market. Denmark also launched an investigation after Norway's discovery.
While there's no evidence of actual interference, the case highlights growing concerns about Chinese involvement in British infrastructure and the security risks of connected vehicles.
Source: The Guardian
The Cl0p ransomware group has publicly named 29 organizations allegedly hit in a cyberattack targeting Oracle's E-Business Suite customers. The campaign, linked to threat actor FIN11, involved extortion emails sent to executives in late September.
Confirmed victims include Harvard University, South Africa's Wits University, American Airlines subsidiary Envoy Air, and The Washington Post. Major corporations like Schneider Electric, Emerson, Logitech, and Cox Enterprises appear on the list but haven't confirmed breaches.
The hackers leaked data from 18 victims, in some cases releasing terabytes of files. The attacks likely exploited Oracle EBS vulnerabilities CVE-2025-61882 and CVE-2025-61884, both exploitable remotely without authentication. Most targeted organizations remain silent while they investigate.
Source: SecurityWeek
Elastic disclosed a high-severity vulnerability (CVE-2025-37735) in Elastic Defend for Windows that lets a local attacker escalate privileges to administrator. Affected versions are 8.19.5 and earlier and 9.0.0 through 9.1.5; the flaw scores 7.0 on the CVSS scale.
The bug is improper file permission handling in the Defend service, which runs with SYSTEM-level privileges. An attacker with local access can abuse it to delete arbitrary files and, from there, potentially gain full control of the system.
Elastic urges immediate upgrades to the fixed versions 8.19.6, 9.1.6, or 9.2.0. Organizations that cannot patch immediately should consider moving affected hosts to Windows 11 24H2, which makes exploitation considerably harder.
Source: Cybersecurity News