DJBSEC's CyberNews 2025-11-14
Cybersecurity Podcast Stories – November 14, 2025
1. Palo Alto PAN-OS Vulnerability Puts Firewalls at Risk
A critical vulnerability in Palo Alto Networks PAN-OS has been identified, potentially allowing unauthenticated attackers to bypass security controls on devices with GlobalProtect enabled. This could result in remote code execution or full firewall compromise. The flaw affects specific versions of PAN-OS, and Palo Alto has released security patches with mitigation steps. Enterprises are urged to update immediately to protect perimeter defenses.
2. Zero-Day Exploits Hit Cisco ISE and Citrix in Coordinated APT Campaign
Security researchers have uncovered a coordinated advanced persistent threat (APT) campaign exploiting zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix NetScaler appliances. The attackers used these flaws to gain initial access, move laterally, and exfiltrate sensitive data. This campaign appears to be highly targeted, and both vendors have released advisories and patches. Organizations should monitor for unusual network activity and apply updates immediately.
3. Microsoft Defender for Office 365 Gets Screenshot Alert Feature
Microsoft Defender for Office 365 now includes a feature that detects when users take screenshots of sensitive emails or content. This addition enhances insider threat detection and data loss prevention by monitoring behavior that might signal intentional or accidental data leakage. Admins can configure alerts tied to compliance policies. It’s another step in Microsoft’s effort to provide more granular visibility into risky end-user actions.
4. XWorm Malware Hidden in PNG Files via Steganography
Security researchers have identified a new malware campaign using steganography to embed the XWorm remote access trojan in PNG images. The malware remains hidden within image metadata or pixels and is extracted via malicious scripts or droppers. This tactic allows attackers to bypass traditional antivirus tools and blend in with legitimate traffic. Users are advised to inspect suspicious image downloads and monitor for XWorm indicators of compromise.
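An added example for defenders (not from the original story or the XWorm analysis): a small PNG container triage that flags the two common metadata hiding spots, a payload appended after the IEND chunk and oversized or non-standard ancillary chunks. It constructs its own 1x1 sample image, assumes nothing about XWorm's actual packaging, and cannot see pixel-level (LSB) embedding, which needs statistical analysis of the decoded image data instead.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Critical chunks plus the standard ancillary ones; anything else deserves a look.
KNOWN_CHUNKS = {"IHDR", "PLTE", "IDAT", "IEND", "bKGD", "cHRM", "gAMA", "hIST", "iCCP",
                "iTXt", "pHYs", "sBIT", "sPLT", "sRGB", "tEXt", "tIME", "tRNS", "zTXt"}

def make_chunk(ctype: bytes, data: bytes) -> bytes:
    # Well-formed chunk: 4-byte length, type, data, CRC-32 over type + data.
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def minimal_png(extra_chunks: bytes = b"") -> bytes:
    # Constructed 1x1 grayscale PNG used as sample input (not a real-world file).
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one 8-bit pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat)
            + extra_chunks + make_chunk(b"IEND", b""))

def parse_chunks(png: bytes):
    # Walk the chunk list up to IEND; return (chunks, bytes left after IEND).
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        crc_bytes = png[pos + 8 + length:pos + 12 + length]
        crc_ok = (len(crc_bytes) == 4 and
                  struct.unpack(">I", crc_bytes)[0] == zlib.crc32(ctype + data) & 0xFFFFFFFF)
        chunks.append((ctype.decode("latin-1"), data, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, png[pos:]

def triage_png(png: bytes, text_limit: int = 1024) -> list:
    # Human-readable findings; an empty list means the container looks ordinary.
    chunks, trailing = parse_chunks(png)
    findings = [f"{len(trailing)} bytes appended after IEND"] if trailing else []
    for ctype, data, crc_ok in chunks:
        if not crc_ok:
            findings.append(f"CRC mismatch on {ctype} chunk")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"non-standard chunk type {ctype!r} ({len(data)} bytes)")
        elif ctype in ("tEXt", "zTXt", "iTXt") and len(data) > text_limit:
            findings.append(f"oversized {ctype} chunk ({len(data)} bytes)")
    return findings
```

Run `triage_png(open(path, "rb").read())` over a quarantined download; a clean image returns an empty list, while appended data or a multi-kilobyte text chunk is reported with its size so it can be carved out for further analysis.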
5. RCE Flaw in ImunifyAV Threatens Millions of Linux-Hosted Websites
A newly discovered remote code execution (RCE) flaw in ImunifyAV, a popular Linux antivirus for web hosts, could allow attackers to compromise entire servers. The vulnerability affects millions of websites hosted by providers using the software. A public proof-of-concept exploit is circulating, increasing the urgency for patching. Admins are urged to update immediately and monitor systems for unauthorized access.
6. FBI and CISA Issue Joint Advisory on Akira Ransomware
The FBI and CISA have issued a joint alert about the rising threat of Akira ransomware, which has compromised over 100 organizations worldwide. Akira actors use double-extortion tactics—encrypting data and threatening public leaks. The ransomware targets a wide range of industries and includes both Windows and Linux variants. Agencies recommend strong MFA, regular patching, and segmentation to reduce risk.
7. Akira Ransomware Linux Variant Targets Nutanix Environments
The Linux variant of Akira ransomware has evolved to specifically target Nutanix virtual machines, disrupting cloud and hybrid infrastructure. Attackers use SSH access to drop payloads and encrypt data in enterprise environments. CISA warns that Nutanix customers should review their exposure, secure credentials, and apply updated detection measures. This represents a notable shift in ransomware tactics toward virtualization platforms.
8. Chinese APT Campaign Targets Claude AI Users for Espionage
A suspected Chinese state-sponsored group is targeting users of Claude AI, a competitor to ChatGPT, in an espionage campaign. Attackers use phishing and malicious client applications to steal API tokens and session data. The goal appears to be gathering proprietary prompts, research, and corporate intelligence. Security teams are advised to validate AI platform access and monitor for API misuse.
9. FortiWeb Vulnerability Actively Exploited to Create Admin Accounts
A critical flaw in Fortinet’s FortiWeb application firewall is being actively exploited to create rogue admin users. A public proof-of-concept exploit is available, and attackers are leveraging it to gain persistent access to web security appliances. Fortinet has released patches and mitigation guidance. Organizations should prioritize patching and restrict admin access interfaces.
10. Checkout.com Suffers Security Breach, Merchant API Keys Compromised
Checkout.com, a major payment gateway, confirmed a security breach that potentially exposed merchant API keys and sensitive integration data. While full payment details are not believed to be leaked, compromised API keys could allow fraudulent transaction attempts. Checkout.com is urging clients to rotate credentials and audit logs for anomalies. The company is working with forensic investigators to assess the breach scope.
11. Kraken Ransomware Benchmarks Devices to Optimize Encryption
Kraken ransomware has introduced a distinctive feature: system benchmarking to choose the fastest encryption method for a victim’s hardware. Before encrypting data, the malware runs diagnostic routines to determine optimal performance settings, shortening execution time and the window in which defenders can detect it. This technique marks a new level of sophistication in ransomware tooling. Organizations should monitor for unusual benchmarking activity or processor-intensive processes on endpoints.