Information Security News – 12/1/2025


Qilin Ransomware Turns South Korean MSP Breach Into 28-Victim ‘Korean Leaks’ Data Heist

Article Link: https://thehackernews.com/2025/11/qilin-ransomware-turns-south-korean-msp.html

  • Bitdefender labels Korean Leaks as a Qilin ransomware campaign against Korea’s financial sector that began with MSP GJTec and left 28 victims, 1 million files, and 2 TB stolen.
  • The operation combined Qilin’s Ransomware-as-a-Service model, possible North Korean Moonstone Sleet involvement, and three waves of leaks mixing political messaging with claims of exposing corruption in Korea’s markets.
  • Bitdefender saw Korea log 25 Qilin victims in September 2025, up from about two a month, mainly in finance, and said the leaks could pose a severe risk to the Korean financial market.
  • The report suggests multi-factor authentication, least-privilege access, segmentation of key systems and sensitive data, and reducing exposed services, noting that one vendor or MSP breach can spread ransomware widely.

Emergency Alerts Go Dark After Cyberattack on OnSolve CodeRED

Article Link: https://securityaffairs.com/185075/cyber-crime/emergency-alerts-go-dark-after-cyberattack-on-onsolve-codered.html

  • An attack on OnSolve’s CodeRED alert platform disrupted emergency messages for U.S. state and local governments, police, and fire agencies for calls, texts, emails, and mobile messages.
  • The City of University Park, Texas, said a criminal group breached the third-party system in November, possibly accessing names, addresses, emails, phone numbers, and account passwords, while city networks stayed unaffected and no financial data was exfiltrated.
  • The provider states CodeRED was decommissioned and replaced with a new platform in a separate environment after an audit and penetration testing, while INC Ransom claimed it accessed OnSolve’s infrastructure on November 1 and encrypted files on November 10.
  • The city has asked residents to change any reused passwords, and the provider is currently migrating customers to the more security-conscious alert platform as investigators continue reviewing the breach.

FCC Eliminates Cybersecurity Requirements for Telecom Companies

Article Link: https://www.cybersecuritydive.com/news/fcc-eliminates-telecom-cybersecurity-requirements/806052/

  • The Federal Communications Commission voted 2 to 1 to reverse its CALEA interpretation and drop proposed minimum security rules for U.S. telephone and internet carriers.
  • Chair Brendan Carr and Commissioner Olivia Trusty backed the rollback, calling the late-term rules unlawful and ineffective and saying the agency will instead focus on strengthening communications networks.
  • Democratic Commissioner Anna Gomez and Senators Gary Peters and Maria Cantwell say dropping the rules after China’s Salt Typhoon spying leaves Americans and national security more exposed and weakens FCC oversight.
  • Peters, Cantwell, and Gomez want binding standards, warning that voluntary cooperation invites another breach, while Carr and telecom firms instead point to faster patching, fewer connections, more threat hunting, and broader information sharing.

GreyNoise Launches Free Scanner to Check if You’re Part of a Botnet

Article Link: https://www.bleepingcomputer.com/news/security/greynoise-launches-free-scanner-to-check-if-youre-part-of-a-botnet/

  • GreyNoise Labs has introduced GreyNoise IP Check, a free scanner that lets people see if their IP address appears in malicious scanning, botnets, or residential proxy activity.
  • According to the company, residential proxy services have grown this year, sometimes through paid bandwidth-sharing apps and sometimes through malware in apps or extensions that quietly use home connections.
  • The site returns one of three labels (Clean, Malicious or Suspicious, or Common Business Service) and, when activity is linked to that IP, shows a simple 90-day history.
  • When results show Malicious or Suspicious, GreyNoise suggests running malware scans on all devices, focusing on routers and smart TVs, updating firmware, changing admin passwords, and turning off remote access that is not needed.
  • GreyNoise Scanner: https://check.labs.greynoise.io/

Campbell’s CISO Canned After Lawsuit Alleges Hour-Long Rant Against Staff and Customers

Article Link: https://www.theregister.com/2025/11/25/campbells_ciso_lawsuit/

  • Campbell’s placed its U.S. CISO, Martin Bally, on leave while it investigates a lawsuit claiming he was secretly recorded in September 2024 ranting about customers, products, and Indian staff.
  • The lawsuit by former analyst Robert Garza alleges Bally mocked Campbell’s food with profanity, admitted being high on cannabis edibles at work, and made xenophobic remarks about Indian employees.
  • Garza says he gave the recording to a supervisor in January 2025, was fired 20 days later despite no bad reviews, and later sued Campbell’s after months without a job.
  • Campbell’s told news outlets it has opened an internal investigation, kept Bally on leave, and said that if the recording is real, the comments are unacceptable and do not reflect company values.

New Legislation Targets Scammers That Use AI to Deceive

Article Link: https://cyberscoop.com/new-legislation-targets-scammers-that-use-ai-to-deceive/

  • House lawmakers introduced the AI Fraud Deterrence Act to raise penalties on people who use AI tools to make fake audio, video, or texts for scams.
  • The bill from Reps. Ted Lieu and Neal Dunn would raise fines for mail, wire, bank fraud, and money laundering to $1–2 million and set 20–30 year maximum sentences when AI is used.
  • It follows recent incidents where unknown parties used AI tools to mimic officials including Susie Wiles and Marco Rubio in calls, texts, and deepfake clips sent to senior leaders.
  • The sponsors say stronger penalties are meant to discourage AI-driven scams that drain victims’ savings and reduce the risk that fake government voices or images could be used to mislead the public.
  • Full Text of the Bill: https://lieu.house.gov/sites/evo-subsites/lieu.house.gov/files/evo-media-document/lieu_040_xml-41.pdf

North Korean Hackers Deploy 197 NPM Packages to Spread Updated OtterCookie Malware

Article Link: https://thehackernews.com/2025/11/north-korean-hackers-deploy-197-npm.html

  • The North Korean operators behind the Contagious Interview campaign uploaded 197 malicious npm packages, which were downloaded 31,000 times and delivered an updated OtterCookie tool built from earlier OtterCookie and BeaverTail code.
  • Certain packages such as bcryptjs-node and node-tailwind connected to a Vercel link, fetched the payload from a removed GitHub account, then created remote access and took data including browser records and crypto wallet details.
  • Researchers link this activity to Cisco Talos discoveries about a fake job interview that pushed a harmful Node.js app, along with ClickFake Interview sites that used camera or microphone “fix” pages to install GolangGhost.
  • Analysts say GolangGhost stays active through a macOS LaunchAgent, which sends passwords to Dropbox. The campaign goes after applicants by hiding threats inside staged interviews, malicious coding exercises, and sham recruiting sites, using the job process as the attack path.
  • If an interviewer sends you a link to repair your audio or video, treat it as unsafe. Legitimate companies don’t operate this way.

Major AI Copyright Lawsuit Settlement Involves University of Georgia Press Authors

Article Link: https://www.redandblack.com/uganews/major-ai-copyright-lawsuit-settlement-involves-university-of-georgia-press-authors/article_8155290f-aee8-41c2-ab8a-4d88ecdc2373.html

  • Anthropic reached a proposed class settlement worth 1.5 billion dollars in Bartz v. Anthropic, offering up to 3,000 dollars per work to authors whose books appear in the database.
  • The lawsuit followed Judge William Alsup’s ruling that training Claude on legally obtained books was fair use, while a central library of shadow library copies counted as infringement.
  • Hundreds of University of Georgia Press titles are listed, and staff are cross-referencing ISBNs with their records so authors and other rights holders worldwide can be contacted about possible claims.
  • The court granted initial approval, with claim forms due March 23, 2026, a January 7, 2026, deadline to opt out, and a later fairness hearing and appeals before any payments become final.

Report Names Teen in Scattered LAPSUS$ Hunters, Group Denies

Article Link: https://hackread.com/report-names-teen-scattered-lapsus-hunters-group/

  • A report from Brian Krebs links the Scattered LAPSUS$ Hunters admin “Rey” to a teenager named Saif Al-Din Khader from Jordan, based on password leaks, chat clues, and data tied to a shared family computer.
  • Krebs says Rey used aliases including Hikki-Chan and @wristmug, served as an admin on BreachForums, and helped run groups tied to breaches at Salesforce systems while promoting a ransomware service called ShinySp1d3r.
  • SLSH denies the findings on Telegram and mocks the investigation, while saying Krebs twisted the teen’s comments about wanting to leave hacking and work with law enforcement.
  • Hudson Rock’s Alon Gal says earlier infostealer data also pointed to Khader but includes inconsistencies in behavior and skill, leaving open whether he leads the group or just planted clues.

