Cyber Threat Weekly – #105
The week of November 24th through November 30th, roughly 273 cyber news articles were reviewed. A light amount of cyber threat trends and adversarial behavior news to share. Been thinkin about proactive security measures.
It feels like we are always reacting to the loudest news, not necessarily the most prolific attacker behavior. Most successful cyber attacks could have been prevented with simple foundational security practices. We need to consider self-assessments with an attackers view of our environments. Once we understand what they see, we can prioritize the exposures most likely to lead to a breach.
Let’s start with researcher scans GitLab Cloud for secrets. Open-source repository attack stories. Scattered Lapsus$ Hunters appear to target Zendesk. Malicious large language model usage appears to be on the rise.
Overall identity fraud reduced, but sophisticated fraud increased 180% in 2025. WatchTower research into code formatting platforms. AI Browser Indirect prompt injection example. New ClickFix campaign abuses fake Windows Update.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months. We continue to share n-day vulnerabilities being actively exploited. Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs. If it’s in the catalog, it should be patched.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher with weaponized PoC code available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for actively exploited and weaponized PoC code available vulnerabilities.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
CISA Known Exploited Vulnerabilities – November 24th to November 30th:
CVE-2021-26829 – OpenPLC ScadaBR Cross-site Scripting Vulnerability:
The cross-site scripting vulnerability via system_settings.shtm.
Repository Scanning for Sensitive Secrets
A little ingenuity, an open-source scanner, and a whole lot of secrets exposed. These are the simple things that adversaries are doing to get a leg up on defenders. In this case, a researcher was capable of discovering a ton of secrets across multiple repositories. A reminder that you should be scanning your repositories ensuring secrets aren’t exposed.
https://trufflesecurity.com/blog/scanning-5-6-million-public-gitlab-repositories-for-secrets
Stories Around Open-Source Repositories like npm, PyPI, Etc.
This first one is North Korea threat actors flood the npm registry. Another wave of Shai Hulud targets npm and spreads to Maven.
https://thehackernews.com/2025/11/north-korean-hackers-deploy-197-npm.html
https://socket.dev/blog/north-korea-contagious-interview-npm-attacks
https://thehackernews.com/2025/11/second-sha1-hulud-wave-affects-25000.html
https://socket.dev/blog/shai-hulud-strikes-again-v2
https://cycode.com/blog/shai-hulud-second-coming-supply-chain-attack/
https://thehackernews.com/2025/11/shai-hulud-v2-campaign-spreads-from-npm.html
Scattered Lapsus$ Hunters are on the Hunt
Current target appears to be Zendesk users, using over 40 fake domains hosting realistic looking Zendesk login screens. Other domains included multiple different organizations names or brands. The attackers even submitted fake tickets to real Zendesk portals. The group promised more to come with 3 to 4 campaigns running currently.
https://reliaquest.com/blog/zendesk-scattered-lapsus-hunters-latest-target/
https://unit42.paloaltonetworks.com/new-shinysp1d3r-ransomware/
Attackers Actively Using WormGPT4 and other Malicious Models
Researchers study two LLMs designed for offensive operations. It’s already known AI is being used for social engineering messages. Malicious LLMs can also be used for malicious scripts and customized malware. The result is inexperienced attackers have a leg up and can scale quickly.
https://www.darkreading.com/threat-intelligence/dark-llms-petty-criminals
https://unit42.paloaltonetworks.com/dilemma-of-ai-malicious-llms/
Identity Fraud Report 2025-2026 – Sumsub
Couple of highlights from the report, the overall fraud rate decreased from 2.6% to 2.2%. AI assisted forgery rose from 0% to 2%, with that sophisticated fraud was up 180% YoY. Fraud production is becoming industrialized.
https://www.darkreading.com/cyberattacks-data-breaches/digital-fraud-industrial-scale-2025
Researches Scarfed Tons of Secrets from Code Formatting Platforms
Thousands of secrets found within JSON files from JSONFormatter and CodeBeautify platforms. WatchTower analyzed around 80,000 JSON files, easily accessible from the websites. They are pretty funny walking through the data, got a good laugh. Sad part, a lot of organizations showed up within the dataset. Using canary tokens, they found others are scraping the databases too.
https://www.securityweek.com/thousands-of-secrets-leaked-on-code-formatting-platforms/
GenAI Indirect Prompt Injection – HashJack
Researchers share another example of indirect prompt injection affecting AI browsers. This is an interesting use case, mostly fixed now. The lesson here is that as agentic AI is increasingly deployed, we will see novel abuse of indirect prompt injection.
https://www.infosecurity-magazine.com/news/hashjack-indirect-prompt-injection/
https://www.catonetworks.com/blog/cato-ctrl-hashjack-first-known-indirect-prompt-injection/
Fake Windows Update Lure in New ClickFix Campaign
Ingenuity never seems to end as cybercriminals find unique ways to abuse social engineering techniques. In this case, a fake Windows Update is used as a ClickFix lure with a side of steganography.
https://www.huntress.com/blog/clickfix-malware-buried-in-images
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter
Join the newsletter to receive the latest updates in your inbox.
Comments
Sign in to join the conversation.
Just enter your email below to receive a login link.
