this week in security — november 9 2025 edition
THIS WEEK, TL;DR
SonicWall blames nation-state for customer firewall backup theft, pledges changes
The Register: The incredible @carlypage has been closely following this SonicWall saga since the beginning and this week brings the latest twist. In short, the enterprise network device maker now blames unspecified government hackers for stealing the firewall backups of all of its corporate customers who uploaded their firewall configs to its cloud, files that could make it easier for malicious hackers to target affected customers' networks. The company said that this mass backup theft was unrelated to other hacks at the time involving the Akira ransomware gang targeting SonicWall customers. All to say, SonicWall has had a bruising year, but now is trying to turn things around by baking "secure by design" into its tech. It's better late than never!
More: SonicWall | Cybersecurity Dive | SecurityWeek | HelpNetSecurity
Congressional Budget Office breached by suspected foreign hacker
Washington Post ($): The CBO, the congressional office responsible for providing U.S. federal lawmakers with nonpartisan economic advice, was hacked, according to a CBO spokesperson. The Post reports it was a suspected foreign hacker, so that's an… uh… wide pool of possibilities. It's thought that communications between lawmakers and the office might have been taken, as well as office chat logs. It's not clear how the hackers got in, but the CBO was on a list of government agencies that hadn't patched their Cisco ASA routers before the government shutdown on October 1, per @doublepulsar (who brings receipts!), but — weird timing — the CBO pulled its Cisco box offline just a few days ago. It's not 100% confirmed as linked, but the timing makes you go hmmm!
More: Cyberscoop | TechCrunch | Politico | Reuters ($) | Axios ($)
Korea Telecom concealed malware infections and cyber failures before data breach
Korea Times: We're off to South Korea, where Korea Telecom (aka KT), the country's second-largest phone company, is facing heat after a government-led report found that the company concealed a number of malware infections and was slow to report the hacks after they were discovered. KT found dozens of internal servers infected with the BPFDoor malware, allowing hackers to maintain long-term persistent access to the company's network, but the telco thought it could handle the hacks itself. The same malware was also used to breach SK Telecom, the country's largest mobile operator, which is a whole separate mess in itself. The Korean government is looking at whether KT should face fines and compensate customers.
More: Yonhap | DataBreaches.net | @campuscodi
Thousands of North Koreans have secretly infiltrated U.S. and European companies
~this week in security~ ($): And now to a very different Korea… For my blog, I wrote an extremely long article on the ongoing and very present North Korean IT workers' threat. This article explains how literally thousands of North Koreans are secretly working as remote IT workers for U.S. and European firms, unbeknownst to the companies they're working for. All this so that Kim Jong Un can fuel his sanctioned nuclear weapons program — and it's clearly working — raking in hundreds of millions of dollars for the regime every year. This week, the Treasury sanctioned even more North Koreans involved in the global scheme, but it's very much a whack-a-mole effort until businesses begin to understand just how pervasive and widespread this threat is. On the bright side, I include a ton of advice that everyone can use to spot suspected North Koreans before it's too late.
More: Cyberscoop | Politico ($) | Bleeping Computer

Meta is earning billions in revenue from scam ads
Reuters ($): Incredible reporting here by @jeffhorwitz citing a cache of previously unreported documents revealing that Meta, the parent company of Facebook and Instagram, made in the region of $16 billion in revenue on scam ads and banned goods that were seen by users on its platforms. That accounted for around 10% of Meta's 2024 projected revenue, revealing the sheer size of the problem. It's a reminder that especially large companies with a financial incentive do not have your best interests at heart, and that big tech isn't necessarily any better at solving these problems — but will sure as hell still profit from it.
More: Sherwood News | Wired ($) | Cory Doctorow
~ ~
~this week in security~ is my weekly cybersecurity newsletter supported by readers like you. Please consider signing up for a paying subscription starting at $10/month for exclusive articles, analysis, and more.
~ ~
THE STUFF YOU MIGHT'VE MISSED
Hackers and crime rings using remote access tools to steal cargo
Proofpoint: Interesting new research into how hackers and organized crime gangs are using elaborate email attack chains to target the shipping and logistics industry, such as trucking and freight brokers, to hijack cargo freight and steal physical goods. Bloomberg ($) has a good write-up on the ripple effect on supply chains.
2B email addresses were exposed, now they're in Have I Been Pwned
Troy Hunt: During 2025, a threat intelligence company called Synthient aggregated two billion email addresses (which also contained 1.3 billion passwords) from public lists generated by info-stealing malware. These lists are sold to hackers who use the stolen credentials to gain access to a person's accounts. The data was given to data breach notification service Have I Been Pwned, run by Hunt, to get those folks notified and their accounts secured.

Breach post-mortem reveals how a ransomware gang hacked Nevada's government
Bleeping Computer: This detailed post-mortem explains how Nevada's state government was hacked in August and what officials did to remedy the attack. As Bleeping notes, it's a rare — if not refreshingly transparent — case of a government explaining what went wrong. Plenty of lessons in here. I won't spoil the surprise, but I will say it's why you should use an ad-blocker! The full report, including details about the costs incurred, is on DocumentCloud.
Zohran Mamdani just inherited the NYPD surveillance state
Wired ($): There's Zohran Mamdani fever in New York after the 34-year-old became the youngest person to be elected mayor of New York City. As the clock crosses into 2026, Mamdani will inherit the city's massive police department and its surveillance state. The short version is… it's not going to be easy. But then again, neither is winning a mayoral election! Speaking of surveillance and staying with Wired ($), the online magazine also has a feature on how Mexico City has become the most surveilled city in the Americas, and yet these huge numbers of cameras don't seem to be curbing crime.
Louvre security camera password was reportedly "louvre"
Liberation.fr: According to French media, and seemingly confirmed by ABC News, the Louvre's video surveillance system's mot de passe was simply "louvre" at the time of its recent break-in that saw thieves steal millions of dollars worth of treasures from the museum. As bad as the password was (they did change it… right?), it likely didn't factor into the heist itself.
Italian political consultant says he was targeted with Paragon spyware
TechCrunch ($): Governments keep claiming that they need spyware for hunting terrorists and organized criminals, and yet journalists, activists, lawyers, and now an Italian political consultant(?!) are among the latest to have been targeted by government-grade spyware. WhatsApp sent this latest victim a notification saying he was targeted with Paragon, a vendor that sold to Italy. "Why me?" the consultant said. Yeah… that's an entirely fair question.
Norway's buses had backdoors that nobody knew about
Associated Press: Ruter, the largest transport operator in Norway, said it found vulnerabilities in its fleet of electric buses that allow them to be remotely deactivated from China, where the buses were manufactured. Ruter said the China-based bus manufacturer could remotely install software updates on its buses, which could be used to effectively brick them. Ruter found no evidence of malicious activity (yet). The Guardian ($) has more on how the bus backdoors are also affecting neighboring Denmark.
German thinktank says EU is too reliant on U.S. digital infrastructure
SWP: This report by the German Institute for International Security Affairs (as flagged by @InfoSecSherpa) says that the global cybersecurity ecosystem is "highly dependent on the United States," but warns that if the U.S.' political priorities change *cough* or if the U.S. weaponizes these dependencies in a conflict with Europe *heavy coughing*, then German and EU leaders "should act now to reduce these dependencies and protect Europe's cybersecurity in the long term." More data sovereignty reasons in The Register.
~ ~
OTHER NEWSY NUGGETS
Flock not fully enforcing MFA: Lawmakers asked the FTC to open a probe into surveillance camera giant Flock, which has tens of thousands of license plate-scanning cameras around the U.S., after the company admitted it didn't fully enforce multi-factor authentication among its government customers. Security researchers also found Flock logins openly for sale online, suggesting they had been compromised by info-stealing malware. I asked Flock why 3% of its some 5,000 government customers aren't using MFA and the spokesperson went weirdly quiet after that! (via 404 Media ($), Ron Wyden)
Landfall spyware caught in Middle East: Palo Alto Networks' researchers found an Android spyware dubbed Landfall that specifically targeted Samsung Galaxy devices during a near-yearlong campaign. The spyware exploited a zero-day by embedding malware in regular images sent via a messaging app, which abused an image-processing library in Galaxy phones. Samsung fixed the zero-day in April 2025. (via TechCrunch ($), Palo Alto Networks)
AI ransomware flops in tests: Thankful to @dangoodin for his counter-BS coverage. This week it's AI ransomware, and the results really aren't as great as some news outlets suggested. Five ransomware samples developed with generative AI, including the academic-created PromptLock, were actually pretty naff, lacked basic adversarial "features" (like persistence and evasion tactics), and were easily detected by antivirus scanners. While AI lowers the bar for entry, it doesn't necessarily guarantee any level of actual success. (via Ars Technica, Google Threat Intelligence)
UPenn confirms data breach after mass-emails: The University of Pennsylvania confirmed it had a data breach (reportedly at least 1.2 million people's data and more) after a hacker mass-emailed staff, students, and alumni, "We got hacked," from official UPenn email addresses. (via UPenn email, UPenn incident page, Govtech)
Washington Post, GlobalLogic confirmed victims of Oracle hack: The Washington Post and digital engineering giant GlobalLogic (which has at least 20,000 employees) have both confirmed they had data stolen in the recent mass-hacks involving Oracle E-Business apps. The Clop extortion gang listed the Post earlier this week, suggesting it hadn't paid the hackers' ransom. GlobalLogic wasn't listed (so maybe it paid?). Harvard and Envoy have already been confirmed as victims. (via Reuters ($), California AG)
Ransomware negotiators caught launching ransomware: Prosecutors have accused two ransomware negotiators at DigitalMint (and a third cybersecurity professional at Sygnia) of launching ransomware attacks on behalf of the notorious ALPHV/BlackCat ransomware gang. The alleged hackers were indicted in October, but news only emerged this week. Both companies confirmed their now-former employees were fired. (via Chicago Sun-Times, TechCrunch, Bleeping Computer). Am I the only one who immediately thought this(?):

U.S. expands border biometric checks: The WSJ ($) reports that U.S. Homeland Security is now "directing border-patrol agents to screen all foreign travelers with facial recognition tools as they enter and leave the U.S." to search for immigration violations. Security experts say this database "risks becoming a rich source for deepfakes and other cybercrimes." And the U.S. government hasn't exactly been secure of late… so many examples; not just the CBO! Adjust your threat models accordingly. (More via Nextgov.)
Tracking EU officials: Netzpolitik has some excellent words in German (if you can read 'em; ou en français) looking at how journalists were able to get a massive dataset from a data broker containing hundreds of millions of phone location data points — including senior officials at the European Union — despite ostensibly strong GDPR rules across the continent. While this story raises the issue in Europe, this is very much a global problem that affects everyone. (via Politico ($), L'Echo)
Firefighters blamed for city's fluff-up: The City of Houston is blaming firefighters — wrongly, might I add — for a security failure that exposed the firefighters' personal data, including Social Security numbers, to others. The firefighters' union is rightly unhappy about it. Shame on the city for passing the buck. (via Click2Houston, @metacurity)
~ ~
THE HAPPY CORNER

And not a moment too soon, we've earned this! Welcome back to the happy corner.
The U.S. government is buying access to billions of plane tickets every year, and it does this without need for a warrant because the airline industry is, well, grosser than you might think. But on the plus side, it turns out you can opt-out of some of this surveillance by… simply asking them! As 404 Media ($) found out, you can email the data broker, Airlines Reporting Corporation, to request that they don't sell your travel data to the government.
Some of the biggest telcos and phone companies in the U.K. have signed on to a pact that will see them (hopefully) cut down on the number of spoofed and fake phone calls made through their networks. It makes sense to do, given that so much fraud stems merely from people picking up the phone. The U.K. government explains more, which mentions call tracing technology for tracking down scammers.

And… in some rare good news, mobile surveillance software, aka stalkerware, is getting its collective ass kicked by the antivirus industry, per the EFF's latest findings (via @evacide). At TechCrunch, we've counted at least 26 hacks, leaks or data exposures involving stalkerware to date, showing this industry is pervasive and continues to proliferate. There's still a way to go, but it's good to see that the antivirus industry is getting better at detecting this stuff.
Got good news to share? Get in touch! this@weekinsecurity.com.
~ ~
CYBER CATS & FRIENDS
This week's cyber cat is Ruby, who can be seen here socially engineering their human into giving them treats with that fuzzy, fluffy belly. But beware, that's the danger zone. Tickle at your peril! Thanks so much to Simon H. for sending in!

🐈 Send in your cyber cats! 🐈⬛ Got a cat or a non-feline friend? Send me an email with their photo and name and they will be featured in a later newsletter!
~ ~
SUGGESTION BOX
Are we done? Going once... going twice... yeah, let's call it. That was one hell of a week in cybersecurity. But we made it, and we're better off for it. Thanks so much for reading this busy edition of this week in security. Join me again next Sunday for everything you need to know in the world of cyber, plus cybercats and more.
It's a real joy and privilege to send this newsletter every week. I can't tell you how much I appreciate you for reading. For those who subscribe for articles and other exclusive content, I really can't thank you enough! Please consider a paying subscription for more from me, including mid-week dispatches and the important analysis you need to know.
On that note, I bid you adieu. Have a great week out there. I can't wait to do this again next week!
Catch you on the interwebs,
@zackwhittaker