For the latest discoveries in cyber research for the week of 10th November, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
- The US Congressional Budget Office (CBO) has confirmed a cyber attack that resulted in a suspected foreign threat actor breaching its network and potentially exposing sensitive communications between congressional offices and CBO analysts. The incident may have led to the compromise of draft reports, economic forecasts, internal emails, and other confidential data. The attack has been attributed to the Chinese state-sponsored APT group known as Silk Typhoon.
- Hyundai AutoEver America was hit by a cyber attack that resulted in unauthorized access to its IT environment, exposing sensitive personal information including names, Social Security Numbers, and driver's license numbers. The intrusion took place between February 22 and March 2, 2025, and affected employees, customers, and users; the exact number of affected individuals has not been disclosed.
- Swedish IT systems supplier Miljödata has suffered a data breach that resulted in the exposure and theft of personal data belonging to up to 1.5 million individuals, including names, email addresses, physical addresses, phone numbers, government IDs, and dates of birth. The incident disrupted operations across multiple Swedish municipalities, and the affected individuals include children and people with protected identities. The stolen data was published on the dark web by the threat group Datacarry.
- Japanese media giant Nikkei has disclosed a cyber attack that originated from a malware infection. The attack resulted in unauthorized access to its Slack messaging platform, exposing the personal information of over 17,000 employees and business partners, including names, email addresses, and chat histories.
- Polish online loan platform SuperGrosz, operated by AIQLABS, has disclosed a breach exposing the personal data of at least 10,000 customers, including names, addresses, ID and tax numbers, phone numbers, employment details, and bank account numbers. The disclosure follows a separate distributed denial-of-service (DDoS) attack on Blik, Poland's leading mobile payment system, which disrupted instant transfers and cash withdrawals. No actor has claimed responsibility, though Polish authorities have suggested a possible Russian link to the Blik attack.
- SonicWall has confirmed that a state-sponsored threat actor was behind the September attack that resulted in the theft of all firewall configuration files stored in its cloud backup environment via an API call. The breach exposed encrypted credentials and device configuration data contained in those files, enabling potential targeted attacks. All customers who used the cloud backup service were affected.
VULNERABILITIES AND PATCHES
- Check Point Research has uncovered four critical vulnerabilities in Microsoft Teams that allow attackers to impersonate users, manipulate messages, notifications and displayed names, and forge caller identities in video and audio calls. Microsoft has fixed the flaws; the notification spoofing flaw is officially tracked as CVE-2024-38197.
- Check Point Research detected an exploit that drained $128.64M from Balancer V2. The attacker combined a rounding error in one of the protocol's functions with carefully crafted batchSwap operations, which allowed them to artificially suppress Balancer Pool Token (BPT) prices and extract value through repeated arbitrage cycles.
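The rounding behaviour behind this class of bug is easiest to see in miniature. The toy below is an added example, not Balancer's code: it uses the truncating 18-decimal fixed-point helpers common to DeFi pool math and a deliberately simple constant-sum invariant (not Balancer's stable-swap math), and the token rates, balances and supply are assumed values. It does not reproduce the exploited function or the batchSwap sequence; it only shows why truncation that is harmless at normal balances becomes a large relative error, and therefore a suppressed pool-token price, once balances are driven down to a few units.

```python
from fractions import Fraction

# Toy illustration only (added example, not Balancer's code).
ONE = 10**18  # 18-decimal fixed point, as used by most on-chain pool math


def mul_down(a: int, b: int) -> int:
    """Fixed-point multiply that truncates toward zero (loses up to 1 unit)."""
    return a * b // ONE


def div_down(a: int, b: int) -> int:
    """Fixed-point divide that truncates toward zero."""
    return a * ONE // b


def scaled_invariant(balances, rates) -> int:
    """Toy constant-sum invariant over rate-scaled balances.
    Every mul_down here can silently drop up to one unit of the scaled balance."""
    return sum(mul_down(b, r) for b, r in zip(balances, rates))


def bpt_price(balances, rates, supply) -> int:
    """On-chain style pool-token price: invariant per unit of supply (fixed point)."""
    return div_down(scaled_invariant(balances, rates), supply)


def exact_bpt_price(balances, rates, supply) -> Fraction:
    """The same quantity with exact rational arithmetic, i.e. no truncation."""
    inv = sum(Fraction(b * r, ONE) for b, r in zip(balances, rates))
    return inv * ONE / supply


def price_suppression(balances, rates, supply) -> Fraction:
    """Fraction by which truncation pushes the computed price below the exact one."""
    exact = exact_bpt_price(balances, rates, supply)
    return 1 - Fraction(bpt_price(balances, rates, supply)) / exact


# Assumed token rates of 1.07 and 1.03 (fixed point); any non-integer rate will do.
RATES = [ONE + 7 * 10**16, ONE + 3 * 10**16]

if __name__ == "__main__":
    big = [10**20, 10**20]   # healthy pool: rounding loss is negligible
    tiny = [10, 10]          # drained pool: the same rounding is ~4.8% of the price
    print("large balances suppression:", price_suppression(big, RATES, 2 * 10**20))
    print("tiny balances suppression: ", price_suppression(tiny, RATES, 20))
```

At large balances the computed and exact prices agree; at ten units per token the truncated invariant is 20 instead of 21, so the computed price is 1/21 (about 4.8%) below its true value. An attacker who can push balances into that regime and repeat the computation gets a systematically underpriced token to arbitrage against.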
- A critical remote command execution vulnerability, CVE-2025-48703, affecting CentOS Web Panel (CWP) versions up to and including 0.9.8.1204 is being actively exploited in the wild. It enables remote, unauthenticated attackers who know a valid username to execute arbitrary shell commands as that user. A patch addressing the issue was released in version 0.9.8.1205.
Check Point IPS provides protection against this threat (CentOS Web Panel Command Injection (CVE-2025-48703))
- Cisco warns of a new attack variant targeting Secure Firewall ASA and FTD that exploits CVE-2025-20333 (remote code execution as root via crafted HTTP requests) and CVE-2025-20362 (unauthenticated access to restricted URLs), causing unpatched devices to reload unexpectedly and resulting in denial of service. Both flaws were previously abused as zero-days in late September to deliver the RayInitiator and LINE VIPER malware.
Check Point IPS provides protection against this threat (Cisco Multiple Products Buffer Overflow (CVE-2025-20333); Cisco Multiple Products Authentication Bypass (CVE-2025-20362))
THREAT INTELLIGENCE REPORTS
- Check Point Research demonstrated a new way to use ChatGPT for malware analysis directly from the web interface, using XLoader malware as the case study. The workflow, which feeds exported IDA data into the chat, enables static analysis, rapid decryption, IoC extraction, and discovery of hidden C2 infrastructure.
Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Trojan.Wins.Xloader; Trojan.Win.Xloader; Trojan.Wins.Xloader.ta.*)
- Check Point discovered AI-driven pharma scams that use deepfakes of doctors and clinics to sell counterfeit drugs. The campaign's infrastructure produces more than 500 fake social media pages per day, built on shared IPs, cloned site kits, AI-generated imagery, deepfake ads and voice cloning, and spoofed clinic sites, all assembled with automated "fraud kits".
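Shared hosting IPs and cloned site kits are exactly the pivots that let a defender collapse hundreds of daily pages into a handful of campaigns. The following is an added example (not Check Point's tooling) of that pivot: it links pages through any shared IP or kit fingerprint with a union-find and returns the clusters plus the indicators to block. The page records, IPs (RFC 5737 documentation ranges) and kit fingerprints are constructed sample data, and the field names are assumptions.

```python
from collections import defaultdict

# Constructed sample data, not real campaign telemetry. 'kit' is assumed to be a
# fingerprint of the cloned site kit (e.g. a hash over template and asset paths).
SAMPLE_PAGES = [
    {"url": "doc-smith-clinic.example", "ip": "203.0.113.10", "kit": "kit-7f3a"},
    {"url": "miracle-pharma.example",   "ip": "203.0.113.10", "kit": "kit-21c9"},
    {"url": "dr-lee-official.example",  "ip": "198.51.100.7", "kit": "kit-21c9"},
    {"url": "wellness-boutique.example", "ip": "198.51.100.8", "kit": "kit-ab00"},
    {"url": "cure-now-clinic.example",  "ip": "192.0.2.44",   "kit": "kit-7f3a"},
]


def _find(parent, x):
    """Union-find root lookup with path compression."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def _union(parent, a, b):
    ra, rb = _find(parent, a), _find(parent, b)
    if ra != rb:
        parent[rb] = ra


def cluster_pages(pages):
    """Group pages that are connected through any shared IP or shared kit.
    Returns a list of sets of URLs, largest cluster first."""
    parent = {}
    for p in pages:
        ip_node, kit_node = "ip:" + p["ip"], "kit:" + p["kit"]
        for node in (p["url"], ip_node, kit_node):
            parent.setdefault(node, node)
        # Each page is joined to its IP and kit pseudo-nodes, so two pages that
        # share either one end up in the same component.
        _union(parent, p["url"], ip_node)
        _union(parent, p["url"], kit_node)
    groups = defaultdict(set)
    for p in pages:
        groups[_find(parent, p["url"])].add(p["url"])
    return sorted(groups.values(), key=lambda s: (-len(s), sorted(s)))


def cluster_indicators(cluster, pages):
    """IPs and kit fingerprints behind one cluster: the blockable infrastructure."""
    ips = sorted({p["ip"] for p in pages if p["url"] in cluster})
    kits = sorted({p["kit"] for p in pages if p["url"] in cluster})
    return ips, kits


if __name__ == "__main__":
    for c in cluster_pages(SAMPLE_PAGES):
        print(len(c), sorted(c), cluster_indicators(c, SAMPLE_PAGES))
```

In the sample, four of the five pages chain together through one shared IP and two shared kits even though no single indicator touches all of them; the fifth page stays isolated. Blocking the cluster's IPs and kit fingerprints covers pages that have not been seen yet but are built from the same kit.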
- Researchers identified AI-powered malware families, including FRUITSHELL, PROMPTSTEAL and QUIETVAULT, that were observed in live operations. These strains leveraged LLMs such as Gemini to mount evasive, dynamic attacks on targets in Ukraine and worldwide. The researchers also found PROMPTFLUX, an experimental malware family that calls an LLM mid-execution to dynamically rewrite its own behavior.
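Malware that calls an LLM at runtime has to reach the provider's API from the infected host, which gives defenders a simple hunt: LLM API endpoints contacted by anything other than a browser. The following is an added example (not from the cited research) that runs that logic over a constructed proxy export. The API hostnames are the providers' real endpoints; the log columns, the browser allowlist and the sample rows are assumptions.

```python
import csv
import io
from collections import Counter

# Real provider endpoints; extend with whatever LLM APIs your organisation uses.
LLM_API_HOSTS = {
    "generativelanguage.googleapis.com",  # Gemini API
    "api.openai.com",
    "api.anthropic.com",
}
# Assumed allowlist: interactive browser traffic to these hosts is expected.
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample proxy export (not real telemetry); the schema is assumed.
SAMPLE_LOG = """ts,host,process,dest_host,method,path
2025-11-10T09:01:12Z,WS-017,chrome.exe,generativelanguage.googleapis.com,POST,/v1beta/models/gemini-2.0-flash:generateContent
2025-11-10T09:03:44Z,WS-017,wscript.exe,generativelanguage.googleapis.com,POST,/v1beta/models/gemini-2.0-flash:generateContent
2025-11-10T09:04:02Z,WS-017,outlook.exe,outlook.office365.com,GET,/owa/
2025-11-10T09:58:51Z,WS-017,wscript.exe,generativelanguage.googleapis.com,POST,/v1beta/models/gemini-2.0-flash:generateContent
2025-11-10T10:12:09Z,WS-042,python.exe,api.openai.com,POST,/v1/chat/completions
2025-11-10T10:15:30Z,WS-042,msedge.exe,api.openai.com,GET,/v1/models
"""


def find_llm_beacons(log_text):
    """Return (host, process, dest_host, count) for every non-browser process that
    contacted an LLM API endpoint, most frequent first."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dest_host"] not in LLM_API_HOSTS:
            continue
        if row["process"].lower() in ALLOWED_PROCESSES:
            continue  # browser traffic is expected; only script hosts etc. are suspicious
        hits[(row["host"], row["process"], row["dest_host"])] += 1
    return sorted(
        ((h, p, d, n) for (h, p, d), n in hits.items()),
        key=lambda r: (-r[3], r[0], r[1]),
    )


if __name__ == "__main__":
    for host, process, dest, count in find_llm_beacons(SAMPLE_LOG):
        print(f"{host}: {process} -> {dest} ({count} requests)")
```

In the sample the browser calls are ignored, while a script host (wscript.exe) repeatedly calling the Gemini generateContent endpoint and a python.exe calling the OpenAI chat API surface as findings; the repeated script-host call is the shape of the mid-execution behaviour described above. A hardened version would also flag API keys observed in request headers and periodic, fixed-interval call timing.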