Cybersecurity Update 15-30 November 2025
- Melissa Hathaway

United States of America
SitusAMC — Key Third Party to Major Financial Institutions, Breached. On 22 November 2025, SitusAMC, which major banks use to manage their real-estate loans and mortgages, disclosed that a breach of its corporate systems had occurred on 12 November 2025. “Corporate data associated with certain of our clients’ relationship with SitusAMC such as accounting records and legal agreements has been impacted. Certain data relating to some of our clients’ customers may also have been impacted.” The incident potentially includes data related to customers of its clients, including JPMorgan Chase, Citi, and Morgan Stanley. SitusAMC says that it is working with the FBI, but the incident highlights that little-known vendors such as SitusAMC typically receive far less scrutiny than the critical infrastructure providers they serve, creating a security gap that is passed on to all of their customers. (SitusAMC Announcement, Cybersecurity Dive, CNN)
Another Salesforce-related Breach. On 20 November 2025, customer relationship management vendor Salesforce warned of “unusual activity” in add-on applications built with Gainsight tools that could allow unauthorized access to customers' Salesforce data. The ShinyHunters ransom syndicate has claimed credit for the incident. Gainsight is relying on Salesforce and Mandiant, its incident response firm, to identify victims of the attack and provide detailed indicators of compromise. It is estimated that at least 200 customers had data stolen during the hack. Salesforce has published known IoCs so that network administrators can check for suspicious or malicious activity, and Gainsight has published additional IoCs. Salesforce has temporarily disabled the connection between all Gainsight-published applications and Salesforce. This incident is quite similar to the Salesloft Drift breach of August 2025; Gainsight was itself one of the victims of the Salesloft Drift attack. In its Telegram channel, Scattered Lapsus$ Hunters said it plans to launch a dedicated website to extort the victims of this campaign by next week. (CybersecurityDive, Gainsight Blog, Gainsight CEO Communication, Salesforce Blog, CyberScoop, HelpNetSecurity, The Register, TechCrunch)
CrowdStrike’s Insider Threat Program Activated. On 21 November 2025, CrowdStrike stated that "We identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally.” Scattered Lapsus$ Hunters published the screenshots in a Telegram channel, claiming to have gained access to CrowdStrike's systems after breaching Gainsight. CrowdStrike says these claims are false, stating that its "systems were never compromised and customers remained protected throughout." The company says the malicious actors obtained the screenshots from a malicious insider, whose access has been terminated. It is reported that a ShinyHunters member offered the insider $25,000 to grant access to CrowdStrike's networks, but the insider was detected and locked out before they could do so. (TechCrunch, Security Week, Bleeping Computer)
DOJ Announces Arrest of Semiconductor Smugglers. On 13 November 2025, the Department of Justice unsealed its indictment and announced the arrest of four people — Hon Ning Ho, Brian Curtis Raymond, Cham Li, and Jing Chen — who worked together to buy Nvidia chips through a sham real estate company in Florida and then resell them to Chinese companies. The hardware was allegedly shipped to China by way of Thailand and Malaysia using doctored customs paperwork. The DOJ’s indictment accuses the Chinese military of seeking these chips for “weapons design and testing, including for weapons of mass destruction as well as in connection with the PRC’s development and deployment of advanced AI surveillance tools.” One of the defendants, Brian Curtis Raymond, a 46-year-old resident of Huntsville, Alabama, was identified last week as the chief technology officer of an artificial intelligence cloud company in Virginia that announced plans for a merger that would allow its stock to be publicly traded. Raymond owned a technology products distributor in Huntsville, which was “licensed to sell Nvidia GPUs [graphics processing units], among other products,” the indictment says. Raymond’s LinkedIn page says his company, Bitworks, is or was a “Nvidia Cloud Partner delivering H100, H200, and coming Blackwell / NVL72 clusters for customers.” All four defendants face a maximum sentence of 20 years in prison if convicted of violating the Export Control Reform Act of 2018. (Fortune, DoJ Indictment, CNBC, Wired, Court Watch, CyberNews)
SEC Drops Lawsuit Against SolarWinds. On 20 November 2025, the Securities and Exchange Commission (SEC) filed a joint disposition to dismiss the lawsuit against SolarWinds and its Chief Information Security Officer, Timothy G. Brown. The Commission’s decision to seek dismissal is “in the exercise of its discretion” and “does not necessarily reflect the Commission’s position on any other case.” In July 2025, SolarWinds and the SEC had reached a settlement. In October 2023, the SEC sued SolarWinds, stating that the company blindsided investors by downplaying the risks leading up to a data breach that affected hundreds of public companies and several federal agencies. The SEC alleged securities fraud and controls violations and also accused the company’s CISO, Tim Brown, of breaking securities laws by minimizing the incident. It was the first time the SEC had sued a computer security executive over a cybersecurity-related issue. The SEC at the time said the company failed to maintain adequate controls and shared only general, hypothetical cyber-threat risks in its financial statements while serious problems were well documented by the CISO. In 2018, an internal presentation stated that the “current state of security leaves us in a very vulnerable state for our critical assets.” (Bloomberg, SEC Statement, The Register)
SEC Update on Project Crypto. On 12 November 2025, SEC Chairman Paul Atkins discussed the SEC’s ongoing work under “Project Crypto,” a regulatory initiative launched earlier this year to encourage crypto asset innovation and clarify how existing securities laws apply to such assets. Atkins emphasized the need for a clear token taxonomy to assist market participants navigating the current crypto assets regulatory landscape, which he described as a “securities-law minefield.” Atkins highlighted the following points:
• First, as contemplated in legislation currently before Congress, “digital commodities,” or “network tokens,” are, in my opinion, not securities. These crypto assets are intrinsically linked to and derive their value from a programmatic operation of a crypto system that is “functional” and “decentralized,” rather than from the expectation of profits arising from the essential managerial efforts of others.
• Second, “digital collectibles”, in my opinion, are not securities. These crypto assets are designed to be collected and/or used and may represent or convey rights to artwork, music, videos, trading cards, in-game items, or digital representations or references to internet memes, characters, current events, or trends. Purchasers of digital collectibles are not expecting profits from the essential managerial efforts of others.
• Third, “digital tools”, in my opinion, are not securities. These crypto assets perform a practical function, such as a membership, ticket, credential, title instrument, or identity badge. Purchasers of digital tools are not expecting profits from the essential managerial efforts of others.
• Fourth, and finally, “tokenized securities” are and will continue to be securities. These crypto assets represent the ownership of a financial instrument enumerated in the definition of “security” that is maintained on a crypto network.
Department of Justice Issued Seizure Warrant to Starlink over Southeast Asia Scam Compounds. On 12 November 2025, US magistrate judge G. Michael Harvey issued a warrant authorizing the seizure of nine Starlink terminals and two Starlink accounts allegedly used in scam compounds in Payathonzu, near Three Pagodas Pass on the Myanmar-Thai border. A linked affidavit, written by FBI investigators, claims that the Starlink devices and accounts played a “substantial role” in an alleged money laundering and wire fraud operation targeting US citizens, and says Starlink parent company SpaceX should “disable service” to the devices. It also claims that at least 26 Starlink dishes appeared on the roofs of several buildings making up one of several scam centers in the Three Pagodas Pass area. In another warrant and affidavit, which was not issued to Starlink, the DOJ focused on seizing websites used for scamming, claiming that at least 79 Starlink dishes appear on the roofs of buildings at the Tai Chang compound in Myanmar. (Wired, MSN)
Department of Justice Announces Guilty Pleas in the North Korean IT Workers Scam. On 14 November 2025, the Department of Justice announced five guilty pleas (four Americans and one Ukrainian national) and more than $15 million in civil forfeiture actions related to the Democratic People’s Republic of Korea (DPRK) remote information technology (IT) work and virtual currency heist schemes. The DPRK government uses both types of schemes to fund its weapons and other priorities in violation of sanctions. “FBI investigations continue to expose the North Korean government’s relentless campaign to evade U.S. sanctions and generate millions of dollars to fund its authoritarian regime and weapons programs,” said Assistant Director Roman Rozhavsky of the FBI’s Counterintelligence Division. “These guilty pleas send a clear message: No matter who or where you are, if you support North Korea's efforts to victimize U.S. businesses and citizens, the FBI will find you and bring you to justice. We ask all our private sector partners to improve their security process for vetting remote workers and to remain vigilant regarding this emerging threat.” (Politico, DOJ)
Federal Communications Commission Removes Cybersecurity Requirements on Telecommunications Operators. On 20 November 2025, the Federal Communications Commission (FCC) voted along party lines to remove several cybersecurity regulations put in place after Chinese malicious actors (Salt Typhoon) breached multiple telecommunications providers in the United States and in key allied countries. In a speech, Chairman Brendan Carr called the rules “neither lawful nor effective” and claimed the FCC has “worked directly with carriers who have agreed to make extensive, coordinated efforts to harden their networks against a range of cyber intrusions.” Commissioner Gomez stated, “What we know is that we had this major hack and the commission is probably the best positioned agency to ensure we don’t have something like this happen again.” “And we adopted the [rules] because we needed immediate action and we sought to create accountability, establish clear cybersecurity obligations and put in place an enforceable framework to harden the networks before the next breach.” The FCC rule adopted under the Biden Administration used the 1994 Communications Assistance for Law Enforcement Act to require telecom companies to lock down their networks. The reversal is the direct result of heavy lobbying by carriers to return to voluntary measures for strengthening and hardening their services. (FCC Meeting, The Record, CyberScoop, MeriTalk)
Aisuru Botnet Takes Aim at Azure. On 17 November 2025, Microsoft said that the Aisuru botnet hit its Azure network with a 15.72 terabits per second (Tbps), nearly 3.64 billion packets per second (pps) distributed denial of service (DDoS) attack — launched from over 500,000 IP addresses across various regions. “Malicious traffic was effectively filtered and redirected, maintaining uninterrupted service availability for customer workloads," Microsoft said. (Tech Radar, Bleeping Computer)
Cloudflare Outage Caused by a System Error. On 18 November 2025, Cloudflare’s network began experiencing significant failures to deliver core network traffic, causing a worldwide outage. The incident was triggered by a change to the permissions of one of Cloudflare’s database systems, which caused the database to output duplicate entries into a “feature file” used by its Bot Management system. That feature file, in turn, doubled in size. The larger-than-expected feature file was then propagated to all the machines that make up Cloudflare’s network, causing the software that consumed it to fail. Because Cloudflare was able to identify what had gone wrong, normal operation resumed a little over three hours after the initial outage, with full recovery a few hours later. (TechRadar, Cloudflare Blog)
The Chicago Mercantile Exchange Knocked Offline — Due to Datacenter Failure. On 27 November 2025, trading of futures and options on the Chicago Mercantile Exchange was halted by a data-center fault, causing roughly 10 hours of disruption to markets across equities, foreign exchange, bonds and commodities. The outage disrupted global financial markets, halting trades in everything from gold to palm oil well into 28 November 2025. The outage was caused by a cooling system malfunction at a data center in the Chicago area operated by CyrusOne. (Bloomberg)
New Ransomware Variants Targeting Amazon S3 Services Leveraging Misconfigurations and Access Controls. On 18 November 2025, Trend Micro published a blog that examines how ransomware actors are increasingly targeting cloud-native assets and what makes these resources appealing targets for malicious actors. "A new wave of ransomware attacks is targeting cloud storage environments, specifically focusing on Amazon Simple Storage Service (S3) buckets that contain critical business data." Compute snapshots – point-in-time copies of virtual machine disks or volumes – such as Amazon Elastic Block Store (EBS) snapshots could also be targeted, as organizations rely on them for rapid recovery of EC2 instances after failure or compromise; without snapshots, rebuilding systems from scratch could take days. “The Server-Side Encryption with Customer-Provided Keys (SSE-C) variant represents one of the most dangerous attack methods because it creates permanently unrecoverable encrypted data.” “After identifying target buckets without proper protections, attackers initiate encryption by providing a locally stored AES-256 encryption key through specific HTTP request headers or AWS command-line tools.” Trend Micro identified five S3 ransomware variants, combining both observed attack techniques and potential future vectors. (Cybersecurity News, Trend Micro Blog)
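Since the SSE-C variant relies on the attacker supplying the key in the upload request, one defender-side control is a bucket policy that denies any object write carrying an SSE-C header. The script below is an added example, not code from Trend Micro or AWS: it builds such a policy (using the real S3 condition key s3:x-amz-server-side-encryption-customer-algorithm) and audits an existing policy document for that denial; the bucket name and the weak sample policy are constructed.

```python
"""Build and audit an S3 bucket policy that blocks SSE-C object writes.

Added example (not Trend Micro's or AWS's code). The condition key below is
the real S3 key for the SSE-C algorithm header; bucket names and the sample
"weak" policy are constructed so the script runs offline with stdlib only.
"""
import json

SSE_C_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"


def hardened_bucket_policy(bucket: str) -> dict:
    """Policy denying s3:PutObject whenever an SSE-C key is supplied.

    IAM's Null operator with value "false" means "the key IS present", so
    the Deny fires only on SSE-C requests; SSE-S3/SSE-KMS uploads pass.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCustomerProvidedKeys",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {SSE_C_KEY: "false"}},
        }],
    }


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def blocks_sse_c(policy: dict) -> bool:
    """True if a statement denies PutObject for all principals on SSE-C."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("s3:PutObject", "s3:*", "*") for a in actions):
            continue
        null_cond = stmt.get("Condition", {}).get("Null", {})
        if str(null_cond.get(SSE_C_KEY, "")).lower() == "false":
            return True
    return False


def audit(policy_json: str) -> dict:
    """Audit a policy document as returned by get_bucket_policy."""
    return {"sse_c_denied": blocks_sse_c(json.loads(policy_json))}


# Constructed sample: a permissive policy typical of a misconfigured bucket.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    print(audit(WEAK_POLICY))
    print(audit(json.dumps(hardened_bucket_policy("example-bucket"))))
```

A Deny in a bucket policy overrides any Allow, so the statement can be added beside existing grants; it does not recover objects already overwritten with a customer key, so versioning and Object Lock remain the recovery controls.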
Meta Agrees to Pay $190M Related to Cambridge Analytica Privacy Violations. On 20 November 2025, Meta’s directors agreed to a $190 million settlement of claims that they failed to rectify repeated violations of Facebook users’ privacy and improperly agreed to a $5 billion US Federal Trade Commission settlement in order to shield Mark Zuckerberg from personal liability. The settlement will be paid via the D&O insurance policy covering Meta directors. The settlement requires Meta to strengthen its privacy monitoring and to make it harder to retaliate against employees who point out privacy missteps. Meta also agreed to set up a code of conduct for directors focused on avoiding conflicts of interest and beefing up compliance with “laws and regulations.” (Reuters, Bloomberg)
International Items of Interest
Somalia Confirms Major Data Breach in Electronic Visa System. On 16 November 2025, Somalia’s Immigration and Citizenship Agency confirmed that malicious actors breached its electronic visa platform, exposing sensitive personal data of travelers who used the system. At least 35,000 people, including thousands of American citizens, may have had their data compromised when “unidentified hackers” penetrated the system. Leaked data from the breach included visa applicants’ names, photos, dates and places of birth, email addresses, marital status, and home addresses. (AlJazeera, US Embassy Alert, BBC)
Jaguar Land Rover Slides to Quarterly Deficit of £500m after Cyberattack. On 14 November 2025, Jaguar Land Rover reported a quarterly loss of almost £500m, with revenue down 24% year over year. JLR made pre-tax losses of £485m in the three months to 30 September 2025, with production shut down throughout September due to the hack – a brutal turnaround from the £398m profit it recorded in the same period a year earlier, and ending 11 consecutive quarters of profit. JLR chief executive, Adrian Mardell, said: “JLR has made strong progress in recovering its operations safely and at pace after the cyber incident. In our response we prioritized client, retailer and supplier systems and I am pleased to confirm that production of all our luxury brands has resumed. With factories only now returning to full output after a phased restart in October, the total financial impact of the hack on JLR is yet to be quantified.” (JLR Earnings, The Guardian, CybersecurityDive)
Malicious Actors Steal 2.3TB of Data from Italian Rail Group’s Third Party — Almaviva. Data from Italy's national railway operator, the FS Italiane Group, has been exposed after a malicious actor breached the organization's IT services provider, Almaviva. Almaviva is a large Italian company that operates globally, providing services such as software design and development, system integration, IT consulting, and customer relationship management (CRM) products. The leaked data was published on a TOR network site and includes documents from the third quarter of 2025. The malicious actors claim to have stolen 2.3 terabytes of data, and the leaked data includes multi-company repositories, technical documentation, contracts with public entities, HR archives, accounting data, and even complete datasets from several FS Group companies. On 19 November 2025, Almaviva confirmed that confidential data of the FS Group, as well as its own confidential data, had been published. FS Italiane Group (FS) is a 100% state-owned railway operator and one of the largest industrial companies in the country, with more than $18 billion in annual revenue. It manages railway infrastructure, passenger and freight rail transport, and also bus services and logistics chains. (BleepingComputer, Andrea Draghetti LinkedIn Post, Cybersecurity Italia)
Nexperia Semiconductor Accused of Colluding with Dutch Authorities to Move Supply of Wafers Outside of China. On 19 November 2025, Dutch Economic Affairs Minister Vincent Karremans said that the Netherlands has decided to suspend the seizure and control of semiconductor chip company Nexperia and hand the asset back to its Chinese owner, WingTech Technology. “We see this as a show of goodwill,” Karremans said. “We will continue to engage in constructive dialogue with the Chinese authorities in the period ahead.” The Netherlands' economic affairs minister seized control of Nexperia—headquartered in the country’s eastern city of Nijmegen—in September 2025. The decision followed a threat by the United States that it would place Nexperia on a trade blacklist unless the company shed its Chinese leadership. China retaliated by halting exports of Nexperia's finished chips, causing significant disruption to the global automotive supply chain — Nexperia controls at least 40% of the global market for a certain semiconductor used in cars. On 28 November 2025, WingTech accused Nexperia of conspiring to build a non-Chinese supply chain and permanently strip it of control, escalating tensions. In an open letter published on 27 November 2025, Nexperia and its Dutch managers defended their plan to invest $300 million in expanding capacity at Nexperia’s Malaysian site. Nexperia China countered that the investment was intended to shift much of the company’s output overseas and isolate the Dongguan facility, which handles a significant share of the firm’s assembly and test work. (WSJ, Investing, Reuters, Toms Hardware)