Daily Digest

Cisco Firewalls Under Siege by New DoS Attacks; AI Supercharges Ransomware Campaigns

Cisco Firewalls Under Siege by New DoS Attacks; AI Supercharges Ransomware Campaigns

November 7, 2025
7 articles (6 new, 1 updated)
21 min read

Summary

In the period covering November 6-7, 2025, the cybersecurity landscape was dominated by new attack variants targeting critical Cisco firewall vulnerabilities, causing persistent denial-of-service conditions. Concurrently, reports emerged detailing how threat actors are leveraging AI to drastically shorten ransomware attack timelines, with Europe becoming a primary target. Other major developments include a sophisticated global phishing campaign against Booking.com users, the discovery of Android spyware delivered via a Samsung zero-day, and a record-breaking month for software supply chain attacks driven by ransomware groups like Qilin and Akira.

Filter by Category

New Articles (6)

Massive 'I Paid Twice' Phishing Scheme Defrauds Booking.com Hotels and Guests

HIGH

Global 'I Paid Twice' Phishing Campaign Uses Compromised Hotel Accounts on Booking.com to Defraud Travelers

A sophisticated global phishing campaign named 'I Paid Twice' is targeting hotels on Booking.com and Expedia, compromising their administrative accounts to defraud guests. Since at least April 2025, attackers have been using social engineering and the PureRAT malware to gain access to hotel systems. Once in, they impersonate hotel staff to send fraudulent payment requests to travelers with upcoming reservations, tricking them into paying a second time via a malicious portal. Security firm Sekoia.io, which discovered the operation, reports that the campaign is highly active and has resulted in financial losses for an unknown number of victims.

November 7, 2025
5 min read
PhishingMalwarePureRATBooking.comHospitality +1 more
Massive 'I Paid Twice' Phishing Scheme Defrauds Booking.com Hotels and Guests
Phishing
Malware
Cyberattack

Samsung Zero-Day Exploited in the Wild to Install 'LANDFALL' Android Spyware

CRITICAL

Actively Exploited Zero-Day (CVE-2025-21042) in Samsung Devices Used to Deploy LANDFALL Spyware via WhatsApp

A now-patched zero-day vulnerability, CVE-2025-21042, in Samsung Galaxy devices was actively exploited to install a commercial-grade Android spyware known as LANDFALL. Researchers from Palo Alto Networks' Unit 42 discovered that attackers sent malicious DNG image files via WhatsApp to targets in the Middle East. The flaw, an out-of-bounds write in an image processing library, allowed for remote code execution. This incident highlights the growing trend of exploiting mobile image parsing libraries to deliver spyware, echoing similar attacks against Apple devices.

November 7, 2025
5 min read
Zero-DaySpywareAndroidSamsungMobile Security +1 more
Samsung Zero-Day Exploited in the Wild to Install 'LANDFALL' Android Spyware
Vulnerability
Malware
Mobile Security

State-Backed Hacking Escalates: Russia Targets Ukraine, China Eyes Latin America

HIGH

ESET Report: Russia- and China-Aligned APTs Intensify Cyber Operations Globally

A new report from ESET reveals a significant escalation in cyber operations by state-sponsored threat groups from Russia and China between April and September 2025. Russia-aligned groups, notably Sandworm, have accelerated destructive wiper malware attacks against Ukraine's critical infrastructure, including energy and logistics. Simultaneously, China-aligned actors like FamousSparrow have increased espionage activities targeting governmental entities in Latin America, potentially in response to shifting geopolitical dynamics. The report highlights a global landscape of heightened cyber conflict driven by national interests.

November 7, 2025
6 min read
APTThreat IntelligenceSandwormWiperEspionage +1 more
State-Backed Hacking Escalates: Russia Targets Ukraine, China Eyes Latin America
Threat Intelligence
Threat Actor
Cyberattack

Patient Sabotage: Malicious NuGet Packages with Time-Delayed ICS Payloads Discovered

CRITICAL

Malicious NuGet Packages with Time-Delayed Industrial Sabotage Code Found on Official Repository

Security researchers have discovered nine malicious packages on the NuGet repository, downloaded over 9,400 times, containing hidden, time-delayed sabotage code. One package, 'Sharp7Extend,' was specifically designed to corrupt write operations in industrial control systems (ICS) by silently causing them to fail after a grace period. This could lead to physical damage or production failures. The code was set to trigger on specific dates, some as far in the future as 2028, demonstrating a patient and highly destructive approach to supply chain attacks.

November 7, 2025
6 min read
Supply Chain AttackICSOTNuGetSabotage +1 more
Patient Sabotage: Malicious NuGet Packages with Time-Delayed ICS Payloads Discovered
Supply Chain Attack
Industrial Control Systems
Malware

Software Supply Chain Attacks Skyrocket to Record High, Driven by Ransomware Gangs

HIGH

Cyble Report: Software Supply Chain Attacks Surge to Record High in October 2025

Software supply chain attacks reached an all-time high in October 2025, with 41 claimed incidents, according to a new report from Cyble. This figure is over 30% higher than the previous monthly record. Ransomware groups, particularly Qilin and Akira, are identified as the primary drivers of this trend, responsible for a majority of attacks in 2025. The information technology, finance, and energy sectors are the most heavily targeted, highlighting a strategic shift by attackers to compromise organizations through their trusted third-party suppliers.

November 7, 2025
5 min read
Supply Chain AttackRansomwareQilinAkiraCyble +1 more
Software Supply Chain Attacks Skyrocket to Record High, Driven by Ransomware Gangs
Supply Chain Attack
Ransomware
Threat Intelligence

Amazon Patches High-Severity Flaw in WorkSpaces Linux Client

HIGH

AWS Patches High-Severity Authentication Token Leak Vulnerability (CVE-2025-12779) in Amazon WorkSpaces for Linux

Amazon Web Services (AWS) has patched a high-severity vulnerability, CVE-2025-12779, in its WorkSpaces client for Linux. The flaw, rated 8.8 CVSS, could allow a local attacker on a shared computer to extract another user's authentication token and gain unauthorized access to their virtual desktop session. The issue affects Linux client versions 2023.0 through 2024.8. AWS has released a patched version and recommends all users upgrade immediately to mitigate the risk.

November 7, 2025
4 min read
AWSCloud SecurityVulnerabilityCVE-2025-12779Linux +1 more
Amazon Patches High-Severity Flaw in WorkSpaces Linux Client
Vulnerability
Cloud Security
Patch Management

Updated Articles (1)

CISA Adds Actively Exploited Control Web Panel RCE Flaw to KEV

CRITICAL

CISA Warns of Active Exploitation of Critical RCE Vulnerability (CVE-2025-48703) in Control Web Panel, Adds to KEV Catalog

Update:

New information clarifies that CVE-2025-48703 in Control Web Panel (CWP) allows unauthenticated remote code execution with root privileges, a higher impact than previously detailed. The prerequisite for exploitation is knowing any valid username, including 'root'. CISA has also added a critical remediation step, advising federal agencies and other organizations to discontinue the use of CWP if patching is not immediately possible. Additional detection methods like process monitoring and a strong recommendation to hunt for compromise post-patching have also been highlighted, emphasizing the severe nature of this actively exploited vulnerability.

November 6, 2025
Updated: November 7, 2025
5 min read
CISAKEVVulnerabilityRCECVE-2025-48703 +2 more
CISA Adds Actively Exploited Control Web Panel RCE Flaw to KEV
Vulnerability
Patch Management
Cyberattack

📢 Share This Publication

Help others stay informed about cybersecurity threats