San Mateo, CA, November 17, 2025 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.
Password habits push companies toward passkeys
New survey data from Outpost24 suggests that organizations are accelerating their move toward passwordless authentication, a shift driven by the stubborn persistence of weak passwords. MFA briefly raised the security of people’s accounts, but security experts feel that MFA “can’t keep up with today’s threat landscape.” Outpost24’s review of 800 million leaked credentials showed that even holiday-themed passwords, such as “Santa” or “xmas,” appeared hundreds of thousands of times. The findings underscore that users will keep choosing easy options no matter how much warning they get. Analysts expect password dependency to shrink as platforms ship passkeys by default and real-time phishing further erodes trust in passwords and one-time codes. Read more.
Critical AI flaws hit major inference engines
AI researchers uncovered critical remote code execution flaws across major inference engines from Meta, Nvidia, Microsoft, vLLM, and SGLang. “These vulnerabilities all traced back to the same root cause: the overlooked unsafe use of ZeroMQ (ZMQ) and Python’s pickle deserialization,” said Oligo Security researcher Avi Lumelsky. Meta’s Llama framework vulnerability exposed network sockets that enabled arbitrary code execution, and Oligo found nearly identical logic copy-pasted into other projects. Compromise of one node could allow cluster takeover, model theft, or miner deployment. “Projects are moving at incredible speed, and it’s common to borrow architectural components from peers,” Lumelsky said. “But when code reuse includes unsafe patterns, the consequences ripple outward fast.” Read more.
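The root cause described above, pickle deserialization of bytes that arrive over a network socket, is a pattern worth seeing next to its hardened form. The following is an added illustration written for this digest; it is not code from Oligo Security or from any of the affected projects. It assumes a worker that receives one raw frame at a time (the `handle_message` name and the sample messages are constructed for the example) and contrasts the unsafe `pickle.loads`-on-the-wire pattern with an allow-listing unpickler, the mitigation recommended in the Python standard library documentation for `pickle`.

```python
import collections
import importlib
import io
import pickle

# Globals a frame from the network may resolve. Anything not listed is refused
# before it is imported, so a stream that names os.system, subprocess, or any
# other attacker-chosen callable never reaches a live object. The match is on
# the raw module name written in the pickle, so protocol-2 "__builtin__" aliases
# are refused as well; use protocol 3 or later on the sending side.
SAFE_GLOBALS = {
    "builtins": {"dict", "list", "set", "frozenset", "tuple",
                 "str", "int", "float", "bool", "complex", "bytearray"},
}


def unsafe_loads(raw: bytes):
    """The vulnerable pattern: equivalent to pyzmq's recv_pyobj() on a socket
    that untrusted peers can reach. pickle.loads resolves and calls whatever
    global the stream names, so this is remote code execution by design."""
    return pickle.loads(raw)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves an explicit allow-list of globals."""

    def find_class(self, module, name):
        if name in SAFE_GLOBALS.get(module, ()):
            return getattr(importlib.import_module(module), name)
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name} from untrusted pickle")


def safe_loads(raw: bytes):
    """Drop-in replacement for pickle.loads on bytes received from a socket."""
    return RestrictedUnpickler(io.BytesIO(raw)).load()


def handle_message(raw: bytes):
    """Models a worker consuming one frame. Returns (ok, payload_or_reason)
    instead of raising, so a caller can log the refusal and keep serving."""
    try:
        return True, safe_loads(raw)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample frames. The first two are plain data and load either way.
# The third references collections.OrderedDict, a harmless class chosen to
# stand in for the arbitrary global a malicious frame would name; the
# allow-list refuses it without importing anything.
SAMPLE_PLAIN = pickle.dumps({"task": "infer", "tokens": [1, 2, 3]})
SAMPLE_SET_PROTO3 = pickle.dumps({1, 2}, protocol=3)   # resolves builtins.set
SAMPLE_REFUSED = pickle.dumps(collections.OrderedDict(a=1))


if __name__ == "__main__":
    for label, frame in (("plain", SAMPLE_PLAIN),
                         ("set/proto3", SAMPLE_SET_PROTO3),
                         ("ordereddict", SAMPLE_REFUSED)):
        print(label, handle_message(frame))
```

The allow-list approach is the minimum change when a wire format cannot be replaced quickly; the better fix is to stop sending pickles across trust boundaries at all and use a schema-validated format such as JSON, and to bind control sockets to loopback or an authenticated channel rather than to all interfaces.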
Sora 2 rollout sparks deepfake and safety warnings
OpenAI’s Sora video generation model is flooding the internet with fake content, most of which is not labeled as such, prompting concerns from Public Citizen. “The rushed release of Sora 2 exemplifies a consistent and dangerous pattern of OpenAI rushing to market with a product that is either inherently unsafe or lacking in needed guardrails,” wrote J.B. Branch, who leads AI accountability work at the organization. The group is urging OpenAI “to pause this deployment and engage collaboratively with legal experts, civil rights organizations, and democracy advocates to establish real, hard technological and ethical redlines.” Bala Kumar, chief product and technology officer at Jumio, said Sora 2 “lowers the barrier to deepfakes for everyone in the general public… While there’s a small watermark on these videos, fraudsters can easily remove it.” Read more.
Global takedown disrupts three major malware operations
A single major law enforcement operation called Operation Endgame has taken down three malware strains popular with cybercriminals. Spanning 11 countries, Operation Endgame has disrupted infrastructure associated with the Rhadamanthys infostealer, VenomRAT, and the Elysium botnet. The operation also took down or disrupted more than 1,025 servers all over the world, seized 20 domains, searched 11 locations, and resulted in the arrest of the suspected main operator of VenomRAT in Greece. “The infrastructure dismantled during the action days was responsible for infecting hundreds of thousands of victims worldwide with malware,” said Europol in a public statement. In addition to six EU countries, Australia, Canada, the U.K. and the U.S., the operation also collaborated with more than 30 private cybersecurity partners. Read more.
Amazon launches invite-only AI bug bounty
Amazon has launched a new bug bounty program inviting select researchers to test its Nova large language models for vulnerabilities including prompt injection, jailbreaking and other real-world exploitation risks. The initiative, announced Tuesday, aims to strengthen the safety of Amazon’s generative AI ecosystem by rewarding participants for uncovering weaknesses that could lead to misuse, including the creation of chemical or biological weapons. Hudson Thrift, CISO of Amazon Stores, said “security researchers are the ultimate real-world validators that our AI models and applications are holding up under creative scrutiny.” The invite-only program will begin next year, expanding on Amazon’s broader bounty efforts, which have already paid $55,000 for 30 verified AI-related flaws. As Nova models power services like Alexa and Amazon Bedrock, Amazon says the effort will help secure the next era of AI development. Read more.
Microsoft patches actively exploited zero-day
Microsoft’s November Patch Tuesday addressed more than 60 CVEs, including a zero-day that is under active exploitation. The flaw, CVE-2025-62215, is a “race-condition and double-free flaw [that] enables a locally accessible, low-privileged attacker to corrupt kernel memory and escalate to system privileges,” said Mike Walters, president and co-founder of Action1. “The attack requires local code execution or local access and successful timing of a race, which is complex and fragile and typically needs pool grooming and concurrent threads. The attacker only needs low privileges and no other user interaction.” Among the four critical flaws, CVE-2025-60724 in the GDI+ library received particular concern from Ben McCarthy of Immersive, who warned “with this vulnerability, when the server-side application automatically parses a specially crafted metafile, the vulnerable GDI+ library is called. This triggers the heap overflow, allowing the attacker to corrupt memory and gain RCE on the server.” Read more.
New phishing kit automates large-scale credential theft
A new phishing-as-a-service platform dubbed “Quantum Route Redirect” by KnowBe4 has been discovered automating large-scale credential theft across 90 countries. “Quantum Route Redirect is an advanced automation platform that streamlines the entire phishing campaign process, from traffic rerouting to victim tracking. Our security researchers have identified approximately 1000 domains currently hosting this tool,” the vendor explained. “The tool’s sophistication lies in its simplicity.” The platform, active since August, removes the technical barriers to launching sophisticated phishing campaigns. It detects security tools and redirects them to legitimate sites while sending real users to fake Microsoft 365 login pages. Prebuilt dashboards, routing logic, and themed lures such as DocuSign, payroll, or payment notices make it easy for low-skilled actors to operate. Read more.
North Korean hackers wipe Android phones via stolen accounts
North Korean hackers linked to the KONNI activity cluster are exploiting Google’s Find Hub tool to track the GPS locations of South Korean victims and remotely factory reset their Android devices. According to cybersecurity firm Genians, attackers associated with APT37 and Kimsuky initiate their campaigns through spear-phishing messages and KakaoTalk lures by impersonating government agencies. Once victims execute infected MSI files, KONNI malware installs remote access trojans such as RemcosRAT, QuasarRAT, and RftRAT, enabling credential theft from Google and Naver accounts. The stolen credentials are then used to access Google Find Hub, locate victims’ devices, and trigger data-wiping commands to isolate and silence them. Google confirmed no exploit in Find Hub itself, urging users to enable 2-Step Verification or passkeys. Read more.
New U.K. campaign warns men about rising crypto scams
The U.K.’s National Crime Agency has launched “Crypto Dream Scam Nightmare,” a new awareness campaign aimed at warning men under 45, the group most often targeted, about crypto-investment fraud. The NCA said over 17,000 such scams were reported last year. The scams often begin through social media, email, or dating sites in so-called romance baiting schemes. “Crypto-investment fraud is one of the fastest growing types of fraud in the U.K., experienced by those who believe their ‘investment’ will vastly grow their money,” warned Nick Sharp, deputy director for fraud at the NCA’s National Economic Crime Centre (NECC). “The knowledge that their money has, in truth, been stolen and they will never see any returns is a financial and emotional loss. Lives are destroyed and people can sometimes never be made whole after falling victim to this crime.” The FBI estimates investment fraud cost victims nearly $6.6 billion last year. Read more.
Google Maps adds tool to report extortion and review scams
Google has introduced a new reporting form for businesses on Google Maps to call out extortion attempts from threat actors who review-bomb businesses with negative reviews and then demand ransoms for their removal. “Bad actors try to circumvent our moderation systems and flood a business’s profile with fake one-star reviews,” Laurie Richardson, vice president of Trust & Safety at Google, said. “Following this initial attack, the scammers directly contact the business owner, often through third-party messaging apps, to demand payment.” The company also warned of other scams, ranging from fraudulent job offers and fake AI products to malicious VPNs and “fraud recovery” schemes, and urged users to verify sources, avoid suspicious links, and download only trusted apps. Read more.
About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.
