CyberSecurity Knuggets
Nov 20, 2025
Subject: Risky Bulletin: Microsoft to Integrate Sysmon into Windows 11
Sender: risky-biz@ghost.io
Summary:
– Microsoft announces integration of Sysmon, a tool from the Sysinternals suite, directly into future versions of Windows 11 to enhance security log analysis.
– Microsoft Intune will add features such as Windows point-in-time restore and installation media delivery to enable system rebuilds remotely.
– Several major cybersecurity incidents: Russian surveillance vendor Protei hacked; Russian port operator Port Alliance disrupted by cyberattack; NHS affected by Oracle zero-day exploit; Logitech breach linked to Clop ransomware; LG Energy Solution suffers a ransomware attack by Akira group.
– Multiple breaches reported including DoorDash, Princeton University, Somali e-visa system, Kenyan government websites, Under Armour, Eurofiber, Pajemploi, and schools in Victoria, Australia.
– Apple updates app developer guidelines to require disclosure of AI data sharing and user permissions.
– Cloudflare had a major outage on November 18 due to a software crash caused by an oversized configuration file.
– Thunderbird 145 now supports Microsoft Exchange email accounts natively.
– npm portal shortens default lifespan of auth tokens from 30 days to 7 days (max 90 days).
– Australian telco TPG involved in controversy after a Samsung phone failed to connect to emergency services due to outdated software, resulting in a death.
– Political and policy updates: Danish officials pursue Chat Control encryption-breaking law quietly; European Court of Human Rights dismisses CatalanGate spyware case; Germany expands bans on Chinese equipment; Taiwan warns of pro-CCP propaganda in Chinese AI; UK’s ransomware payment ban faces pushback; CISA plans to hire extensively after staff reductions.
– US IRS accessed flight and travel data without warrant; some US states consider banning VPN products; US government invests quietly in cyberwarfare AI agents.
– Security conferences Fluxcon 2025 and Nullcon Berlin 2025 posted videos online.
– Risky Business podcast episodes highlight new cyber tactics including Russian wiper attacks on Ukrainian grain sector.
– Multiple cybercrime arrests and law enforcement seizures reported worldwide.
Subject: MI5 Warns China Uses LinkedIn to Recruit British Lawmakers
Sender: info@metacurity.com
Summary:
– MI5 issues a warning that China’s Ministry of State Security is using covert recruitment via LinkedIn and headhunters to target British members of Parliament, government staff, political consultants, and think tank employees. Two headhunters identified as recruitment fronts. China’s embassy denies claims as fabrication.
– WhatsApp feature vulnerability allowed Austrian researchers to extract 3.5 billion users’ phone numbers and profile data. Meta has since fixed the issue with rate-limiting but the exposure had existed for years.
– South Korean police raided telco KT’s offices investigating a data breach scandal involving suspected evidence concealment.
– Mandiant reports Iran-linked threat actor UNC1549 targeting aerospace, aviation, and defense sectors using sophisticated spear-phishing, credential theft, backdoors, and custom tools to maintain persistence.
– TP-Link files lawsuit against Netgear alleging a smear campaign costing $1 billion in sales due to false cybersecurity claims; US lawmakers wary of Chinese-made router exploitation.
– LG Energy Solution confirms cyberattack on an overseas facility; Akira ransomware group claims to have stolen 1.7 TB of company data.
– Airlines Reporting Corporation (ARC) will stop selling flight data to government agencies after public pressure over privacy concerns.
– Toronto-area schools were not prepared for the PowerSchool data breach affecting students’ and staff members’ personal information.
– ESET reveals China-backed PlushDaemon threat using the new EdgeStepper implant to hijack software update traffic for cyberespionage.
– Oligo reports ongoing exploitation of vulnerable Ray AI framework servers by attacker IronErn440 for cryptomining, DDoS, and data theft.
– US Cyber Director previews new cyber strategy focusing on shaping adversary behavior, regulatory simplification, private sector cooperation, and workforce growth.
– US Senate debate ongoing over reauthorization of CISA 2015 cybersecurity sharing law.
– Congressional Budget Office reports cyberattack contained with no evidence of unauthorized email access; investigation ongoing.
– Cloudflare outage caused by software-generated configuration file growing beyond expected size crashing traffic systems.
– HOPE hacker conference banned from St. John’s University allegedly due to claims of “anti-police agenda”.
Subject: Webinar: Inside the First 72 Hours of a Cyber Event – Register Now
Sender: news@securityweek.com
Summary:
– Upcoming live webinar on December 9th focusing on coordinated response between Governance, Risk & Compliance (GRC) and Security Operations Center (SOC) during rapid cyber incidents.
– Key topics include building integration platforms between GRC and SOC, leveraging threat intelligence to accelerate action, communicating exposure clearly internally and to boards, and managing third-party risks when vendors are affected.
– Presents a strategy for unified security response breaking down silos to improve detection and remediation speed during the critical first 72 hours of cyberattacks.
– Additional webinars available including Cyber AI & Automation Summit and CISO Forum 2026 Outlook Series.
Subject: The CyberWire 11.19.25: Cloudflare Outage Caused by Enlarged Configuration File
Sender: editor@thecyberwire.com
Summary:
– Cloudflare outage on November 18 was caused by an automatically generated threat traffic management file that exceeded its expected size, crashing systems and interrupting multiple Cloudflare services. The incident was not caused by a cyberattack.
– CISA issues emergency directive for Federal agencies to patch actively exploited FortiWeb firewall vulnerability (CVE-2025-58034) by November 25.
– ESET publishes report on PlushDaemon Chinese cyberespionage group deploying new EdgeStepper implant that redirects software update traffic to attacker-controlled infrastructure in Cambodia and other countries.
– Upcoming and on-demand cyber events and webinars highlight AI-driven SOC approaches and AI-tokenization for data security.
– Selected readings highlighted new ransomware strains, zero-day vulnerabilities, and espionage targeting UK lawmakers by Chinese spies.
Subject: Amazon Details Iran’s Cyber-Enabled Kinetic Attacks
Sender: news@securityweek.com
Summary:
– Amazon reports detail Iran’s use of cyber-enabled kinetic attacks linking digital espionage with physical strikes.
– Microsoft announces new identity, defense, and compliance security enhancements.
– Fortinet discloses second actively exploited FortiWeb zero-day vulnerability within a week.
– Microsoft Azure suffered one of its largest DDoS attacks powered by the Aisuru botnet.
– Ongoing attacks exploit a two-year-old vulnerability in Ray AI framework, with widespread vulnerable servers on the internet.
– AI is accelerating phishing attacks; several security experts provide advice on combating these threats.
– Other cybersecurity news highlights include:
* Meta paid out over $4 million in bug bounties during 2025.
* Data breaches confirmed at Princeton University, DoorDash, Eurofiber France, Logitech, and others.
* Cyber threat campaigns and ransomware attacks ongoing globally.
* Security events scheduled virtually for cybersecurity education and industry updates.
Stay Well!
