Hackers Breach Texting Service Used by New York State, Sending Hundreds of Thousands of Scam Texts
Article Link: https://www.nbcnews.com/tech/security/text-scam-phone-sms-hack-message-fake-transaction-call-new-york-rcna243349
- Hackers briefly took over Mobile Commons, a mass texting provider for New York state and other clients, sending scam alerts from trusted short code numbers.
- The intruder got in via spear phishing and had a window of roughly four hours before midnight on November 11, firing off transaction-themed texts that told recipients to call a single 888 number, which is now disconnected.
- About 160,000 of New York’s roughly 188,000 alert subscribers received the smishing text, and a major telecom logged more than 70,000 related messages, far above normal traffic for those short codes.
- Mobile Commons reports its security controls stopped the attack with no evidence of database access, while the U.S. Short Code Registry calls on messaging platforms to add basic safeguards against account takeovers and illegal texts.
Cisco ASA Firewalls Still Under Attack; CISA Issues Guidance for Patch
Article Link: https://www.scworld.com/news/cisco-asa-firewalls-still-under-attack-cisa-issues-guidance-for-patch
- The U.S. agency CISA updated its September emergency directive after attacks on Cisco Adaptive Security Appliance, or ASA, firewalls through CVE-2025-20362 and CVE-2025-20333.
- Unit 42 tied the activity to the China-linked group Storm-1849, also known as ArcaneDoor, hitting unpatched ASA appliances while many organizations wrongly believed they already met CISA’s patch baselines.
- Analysts say ASA and WatchGuard edge devices sit where trust, connectivity and control meet, so an intrusion there can bypass the firewalling, spam filtering and antivirus layers behind them across the network.
- The flaws merit treatment as a high-priority breach: teams should double-check their ASA software support status and patch levels, and are guided to assume possible compromise by re-checking configurations, rotating credentials, reviewing logs and packet captures, performing factory resets where needed, updating WatchGuard firmware, tightening admin access with MFA and reassessing admin access control lists.
- CISA ED: https://www.cisa.gov/news-events/alerts/2025/11/12/update-implementation-guidance-emergency-directive-cisco-asa-and-firepower-device-vulnerabilities
Iranian Hackers Launch ‘SpearSpecter’ Spy Operation on Defense & Government Targets
Article Link: https://thehackernews.com/2025/11/iranian-hackers-launch-spearspecter-spy.html
- The Iranian state-backed group APT42 is running an espionage campaign, SpearSpecter, identified by the Israel National Digital Agency in September 2025, targeting senior defense and government officials and relatives linked to Iranian Revolutionary Guard (IRGC) priorities.
- The operation uses patient, personal lures, building trust before sending fake conference invites and spoofed WhatsApp messages that steer victims to credential-stealing pages or to links that install the TAMECAT PowerShell backdoor via a weaponized LNK file, a Windows shortcut dressed up as a PDF.
- APT42 has a long record of this type of work. Once installed, TAMECAT provides remote access, using HTTPS, Discord and Telegram to pull browser data and Outlook mailboxes, all the while running covertly in memory with encryption and obfuscation.
- The Israel National Digital Agency says SpearSpecter is a long-term spying setup that blends modular PowerShell tooling with infrastructure mixing legitimate cloud services and attacker-controlled systems, keeping command channels open in memory to discreetly steal data, which makes the activity much harder for defenders to spot on otherwise trusted platforms.
Checkout.com Snubs Hackers After Data Breach, to Donate Ransom Instead
Article Link: https://www.bleepingcomputer.com/news/security/checkoutcom-snubs-shinyhunters-hackers-to-donate-ransom-instead/
- UK payments firm Checkout.com says the dirty-rotten ShinyHunters group breached a legacy third-party cloud file storage system used in 2020 and earlier, stole merchant data, and is now demanding a ransom.
- The exposed system held internal documents and onboarding materials for less than 25 percent of current merchants, and also touched some past customers.
- ShinyHunters, a data theft crew linked to phishing, OAuth, and social engineering intrusions plus recent Oracle and Salesforce related attacks, is using the stolen information to pressure the company.
- Checkout.com will not pay and instead plans to donate an equivalent sum to research at Carnegie Mellon University and the University of Oxford center, while committing to new safeguards for customers and better control of legacy cloud systems.
Wanna Bet? Scammers are Playing the Odds Better Than You Are
Article Link: https://www.helpnetsecurity.com/2025/11/13/cybercrime-online-betting-scams/
- Online gambling may reach 169 billion dollars by 2030, and 22 percent of Americans already have sportsbook accounts, giving scammers a huge pool of potential victims.
- These swindles include fake casinos and influencer-style sites that demand small crypto “verification” payments or advertise a seemingly lucrative gambling app download and then vanish; AI-voiced apps and deepfake promos, like the Heavenly Sphere con, have steered people to unlicensed casinos.
- Security firm Group-IB has mapped large networks of fake gambling sites and ads, while breaches at Paddy Power, Betfair, the Luxembourg National Lottery and MGM show just how valuable this data is for account takeovers and targeted phishing.
- For anyone betting online, know that “sure tip” accounts, surprise crypto fees, and instant win promises take your money, and promos and deepfake clips are your red flags to walk away.
Law and Disorder: How Cybercriminals Are Attacking the Legal Sector
Article Link: https://www.cyberdefensemagazine.com/law-and-disorder-how-cybercriminals-are-attacking-the-legal-sector/
- Law firms hold highly sensitive deal and case data, and breaches at Orrick, Gunster, Genova Burns and the American Bar Association show how widely legal information can be exposed.
- Attackers use business email compromise, credential theft, social engineering and tools like Gootloader, now boosted by generative AI that crafts convincing legal themed phishing and fake court notices with malware or payment fraud.
- Beyond firms, attackers probe associations, regulators, vendors and clients, with ABA figures showing nearly one third of firms reported a breach in 2023 and 60 percent of large firms were unsure.
- Defenses in the article center on leadership backed resources, role based training, phishing simulations, incident response plans, vendor reviews and technical controls, treating staff behavior as central to protecting legal data.
GlassWorm Malware Discovered in Three VS Code Extensions with Thousands of Installs
Article Link: https://thehackernews.com/2025/11/glassworm-malware-discovered-in-three.html
- Researchers say GlassWorm is hitting the VS Code ecosystem, hiding in three extensions and using them to steal developer credentials and drain funds from 49 cryptocurrency wallet extensions.
- GlassWorm hides its payload with invisible Unicode characters, reuses stolen credentials to compromise more extensions, and now directs infected machines to new command servers through low cost Solana blockchain transactions.
- Koi Security reports victims on four continents, including a major Middle Eastern government body, with stolen credentials and hijacked machines potentially serving as criminal proxy infrastructure and internal footholds.
- Open VSX removed the earlier GlassWorm extensions and reset related tokens, but Koi Security and Aikido Security now describe new packages and stolen GitHub credentials being used to push malicious commits, so the campaign has outlasted that single clean-up of the extension supply chain.
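The payload-hiding technique described above, invisible Unicode characters in extension source, is cheap to scan for. The following is an added example written for this digest, not code from the article, from Koi Security or from the GlassWorm analysis; it makes no claim about the exact encoding GlassWorm used and simply reports every run of zero-width, variation-selector, tag and other format characters in a source file with its line and column. The two JavaScript samples are constructed for the demonstration and are benign.

```python
import unicodedata
from dataclasses import dataclass

# Code points that render as nothing (or nearly nothing) in an editor and
# have no legitimate reason to appear in extension source. Anything else in
# Unicode category Cf (format) is flagged as well.
SUSPICIOUS_RANGES = [
    (0x180E, 0x180E),    # Mongolian vowel separator
    (0x200B, 0x200F),    # zero-width space/joiner/non-joiner, LRM, RLM
    (0x2028, 0x202E),    # line/paragraph separators, bidi embedding controls
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x206F),    # bidi isolates and deprecated format characters
    (0x3164, 0x3164),    # Hangul filler
    (0xFE00, 0xFE0F),    # variation selectors
    (0xFEFF, 0xFEFF),    # zero-width no-break space (BOM) away from offset 0
    (0xE0000, 0xE007F),  # tag characters
    (0xE0100, 0xE01EF),  # variation selectors supplement
]


def is_invisible(ch):
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in SUSPICIOUS_RANGES):
        return True
    return unicodedata.category(ch) == "Cf"


@dataclass
class Finding:
    line: int         # 1-based line of the first hidden character
    col: int          # 1-based column of the first hidden character
    length: int       # number of consecutive hidden characters
    codepoints: list  # "U+XXXX" labels for the first few characters in the run


def scan_source(text, max_listed=4):
    """Return one Finding per run of invisible characters in `text`.

    A BOM (U+FEFF) as the very first character is tolerated; the same
    character anywhere else is reported like any other hidden code point.
    """
    findings = []
    line, col, i, n = 1, 1, 0, len(text)
    while i < n:
        ch = text[i]
        if is_invisible(ch) and not (i == 0 and ch == "\ufeff"):
            j = i
            while j < n and is_invisible(text[j]):
                j += 1
            run = text[i:j]
            findings.append(Finding(line, col, len(run),
                                    [f"U+{ord(c):04X}" for c in run[:max_listed]]))
            col += len(run)
            i = j
            continue
        if ch == "\n":
            line, col = line + 1, 1
        else:
            col += 1
        i += 1
    return findings


def scan_file(path):
    """Scan one file on disk (assumed UTF-8, as extension sources are)."""
    with open(path, encoding="utf-8") as fh:
        return scan_source(fh.read())


# Constructed samples (not real extension code): one clean, one carrying a
# zero-width joiner inside an identifier and a short run of hidden characters
# inside a string literal, which is where a concealed payload would sit.
CLEAN_SAMPLE = "function activate(context) {\n  console.log('hello');\n}\n"
TAINTED_SAMPLE = (
    "function acti\u200dvate(context) {\n"
    "  const payload = '\u200b\ufe01\U000e0041\ufe0f';\n"
    "  return payload;\n"
    "}\n"
)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("tainted", TAINTED_SAMPLE)):
        hits = scan_source(sample)
        print(f"{name}: {len(hits)} suspicious run(s)")
        for h in hits:
            print(f"  line {h.line} col {h.col}: {h.length} char(s) {h.codepoints}")
```

Run it over an extension directory by calling `scan_file` on each `.js`/`.ts` file; any finding is worth a manual look, since legitimate source has no reason to contain these code points outside of rare, deliberate string literals.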
Clop Claims it Hacked ‘the NHS.’ Which Bit? Your Guess is as Good as Theirs
Article Link: https://www.theregister.com/2025/11/14/nhs_clop/
- Extortion group Clop has added NHS.uk to its leak site, claiming a hack on the UK health service but posting no data or naming which trust was hit.
- The crew has been abusing an Oracle E-Business Suite zero day against private organizations and lists NHS revenue as 234 billion dollars, a figure that appears to be taken from public budget data.
- NHS England has neither confirmed nor denied an intrusion, saying it is aware of the listing and that its security team is working with the National Cyber Security Centre to investigate.
- The article notes that the health service does not pay ransoms, that past extortion efforts have failed, and that a proposed UK ban on ransom payments by public bodies would limit gang leverage, even though disruption still harms patients.
Western Governments Disrupt Trifecta of Cybercrime Tools
Article Link: https://www.cybersecuritydive.com/news/operation-endgame-third-phase-infostealer-rat-botnet/805549/
- US and eight partner governments spent three days dismantling infrastructure for Rhadamanthys, VenomRAT and the Elysium botnet, seizing more than 1,000 servers and 20 domains, and Greek police arrested the suspected VenomRAT operator.
- Europol says the network relied on hundreds of thousands of infected computers and millions of stolen credentials, and that the Rhadamanthys controller alone had access to over 100,000 crypto wallets worth millions.
- Rhadamanthys ran as a modular, tiered service used by many gangs, and VenomRAT appeared in hotel and hospitality attacks by TA558, which Proofpoint tracks as a key user.
- This phase of Operation Endgame brought together action across nine countries with security and telecom partners. CrowdStrike’s Adam Meyers says disrupting infostealers, loaders and access brokers early makes life a little harder for the wider e-crime market.
