Ticker feed
Google released November 2025 Android security updates addressing two critical vulnerabilities in the System component. The most serious flaw, CVE-2025-48593, affects Android versions 13-16 and allows remote code execution without user interaction or additional privileges. It stems from insufficient input validation.
A second vulnerability, CVE-2025-48581, affects Android 16 devices and could block security updates through a logic error in apexd.cpp code.
This marks another departure from Google's traditional monthly update pattern. After skipping July and October entirely, the company resolved over 100 vulnerabilities in August and September. Devices with security patch level 2025-11-01 are protected against these threats.
Source: SecurityWeek
The Biden administration is weighing a ban on TP-Link routers, which control about 65% of the US router market, citing national security risks tied to China. Multiple federal agencies including Commerce, Defense, and Justice have investigated the company since December 2023.
TP-Link Systems, headquartered in California but with 11,000 employees in China, denies being controlled by the Chinese government. The company was founded in Shenzhen in 1996 and split into two entities in 2024 amid congressional pressure.
Lawmakers worry about router vulnerabilities and potential cyberattacks, while the Justice Department separately probes possible predatory pricing. Over 300 internet providers currently distribute TP-Link routers to customers nationwide.
Source: CNET
The Congressional Budget Office confirmed Thursday it was hacked, potentially exposing sensitive government data to malicious actors. The 275-employee agency provides cost estimates for nearly every congressional bill and handles massive datasets on policy issues ranging from deportation plans to tariffs and tax cuts.
According to The Washington Post, four sources identified the attackers as suspected foreign actors, though the CBO hasn't confirmed this detail. Spokeswoman Caitlin Emma said the agency contained the breach and implemented new security controls while investigations continue.
The timing is particularly concerning given the CBO's access to data on major policy initiatives including the Trump administration's mass deportation plans and sweeping tariff implementations.
Source: SecurityWeek
Security researchers discovered sophisticated spyware called "Landfall" that secretly targeted Samsung Galaxy users across Iraq, Iran, Turkey, and Morocco from mid-2024 through April 2025. The malware exploited a critical zero-day vulnerability in Samsung's image processing library, delivered through weaponized image files sent via WhatsApp.
Landfall could record conversations, track locations, capture photos, and steal contacts from high-end Galaxy devices like the S22, S23, and S24 series. Palo Alto Networks' Unit 42 team found the spyware had advanced detection evasion capabilities and linked it to commercial-grade surveillance operations similar to NSO Group's Pegasus.
Samsung patched the vulnerability after researchers privately reported it, but the campaign highlights how commercial spyware vendors increasingly target mobile platforms for government surveillance.
Source: Dark Reading
The Congressional Budget Office fell victim to a cybersecurity breach, with suspected foreign attackers potentially accessing communications between lawmakers and agency researchers. CBO spokesperson Caitlin Emma confirmed the incident Thursday, saying the agency quickly contained it and added new security measures.
The nonpartisan office, established in 1974 to provide budget analysis to Congress, employs 275 staff members and recently requested $76 million for fiscal 2026, with nearly half the budget increase earmarked for cybersecurity improvements. Officials believe they caught the intrusion early, and the investigation continues while normal operations proceed.
Source: CyberScoop
Cybersecurity researchers have discovered LeakyInjector and LeakyStealer, a dangerous malware pair that specifically targets cryptocurrency wallets and browser information on Windows computers.
The attack starts with LeakyInjector quietly installing LeakyStealer into the explorer.exe process using advanced injection techniques that bypass security software. LeakyStealer then hunts for popular crypto wallets including Electrum, Exodus, MetaMask, and Coinbase Wallet, while also stealing browser history from Chrome, Edge, Brave, Opera, and Vivaldi.
Both malware components use valid digital certificates to appear legitimate and employ a "polymorphic engine" that modifies memory to evade detection. The malware establishes persistence by disguising itself as "MicrosoftEdgeUpdateCore.exe" and survives system restarts.
Users should update security software, avoid untrusted downloads, and consider hardware wallets for crypto storage.
Source: Cybersecurity News
SonicWall confirmed a state-sponsored attacker breached its customer portal and stole firewall configuration files from every customer using the company's cloud backup service. CEO Bob VanKirk said the attack was contained to the backup system, but security experts warn the stolen files contain sensitive data like encrypted credentials and firewall rules.
The company initially downplayed the breach's scope, claiming it affected less than 5% of customers before walking back that assessment. Critical details remain unclear, including the exact number of impacted customers and how long attackers had access. SonicWall detected suspicious activity in September but hasn't disclosed which nation was responsible.
Source: CyberScoop
The Chinese APT group Bronze Butler exploited a critical zero-day vulnerability in Lanscope, an endpoint management platform used by 25% of listed Japanese companies and 33% of the country's financial institutions. The flaw (CVE-2025-61932) scored 9.8/10 severity and allowed hackers complete system access through missing security checks.
Sophos researchers discovered Bronze Butler had been exploiting this vulnerability since mid-2025, months before its October disclosure. The attackers deployed their Gokcpdoor backdoor and stole sensitive data from multiple organizations.
Motex has released a patch, and only 50-160 on-premises servers were exposed online. CISA added the vulnerability to its Known Exploited list, while Japanese authorities confirmed domestic victims since April 2025.
Source: Dark Reading
Marks and Spencer's Easter cyber attack has cost the retailer £136 million in direct response and recovery expenses, nearly eliminating its statutory profit for the first half of the year. Profits plummeted from £391.9m to just £3.4m as ransomware hackers infiltrated systems through a third-party contractor, knocking online shopping offline until June.
The attack devastated sales, with fashion and beauty dropping 16.4% and international sales down 11.6%. Click and collect services weren't restored until August. M&S expects to claim back £100m through insurance and anticipates profits will recover to last year's levels in the second half. Despite the setback, food sales remained strong with three consecutive years of monthly growth.
Source: Sky News
Iranian government hackers launched targeted phishing attacks against prominent US think tanks between June and August 2025, impersonating influential policy experts like Brookings Institution's Suzanne Maloney. The mysterious group, dubbed "UNK_SmudgedSerpent" by Proofpoint researchers, sent fake collaboration emails to 20 think tank members, later directing victims to credential-stealing Microsoft 365 login pages disguised as OnlyOffice or Teams links.
What makes this campaign unusual is how it blends tactics from multiple known Iranian hacking groups. The phishing approach mirrors Charming Kitten's methods, while the infrastructure resembles TA455's setup, and it's the only Iranian group besides MuddyWater known to use remote monitoring software. This hybrid approach suggests possible reorganization, collaboration, or resource-sharing between Iran's cyber units.
Source: Dark Reading