DJBSEC's CyberNews 2025-11-20

1. Attackers Hit Palo Alto Networks’ GlobalProtect VPN Portals

Hackers launched over 2.3 million malicious sessions against Palo Alto Networks’ GlobalProtect VPN portals between November 14–20, marking a 40-fold surge within 24 hours. Attackers targeted the /global-protect/login.esp path, using brute-force attempts to gain unauthorized access to corporate networks. Telemetry shows this is the highest spike in GlobalProtect scanning seen in 90 days. Organizations are urged to harden VPN authentication, enforce MFA, and review access logs for signs of intrusion.
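The log review recommended above can be automated. The following added example (not part of the newsletter or any vendor tool) flags source addresses with a burst of failed requests to /global-protect/login.esp; it assumes combined-format web access logs with failed logins recorded as HTTP 401, and the log lines are constructed samples.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines (combined format, RFC 5737 test addresses);
# not real GlobalProtect telemetry.
SAMPLE_LOG = """\
198.51.100.7 - - [20/Nov/2025:10:00:01 +0000] "POST /global-protect/login.esp HTTP/1.1" 401 512
198.51.100.7 - - [20/Nov/2025:10:00:02 +0000] "POST /global-protect/login.esp HTTP/1.1" 401 512
198.51.100.7 - - [20/Nov/2025:10:00:02 +0000] "POST /global-protect/login.esp HTTP/1.1" 401 512
198.51.100.7 - - [20/Nov/2025:10:00:03 +0000] "POST /global-protect/login.esp HTTP/1.1" 401 512
198.51.100.7 - - [20/Nov/2025:10:00:04 +0000] "POST /global-protect/login.esp HTTP/1.1" 401 512
198.51.100.7 - - [20/Nov/2025:10:00:05 +0000] "GET /global-protect/portal/portal.esp HTTP/1.1" 302 0
203.0.113.5 - - [20/Nov/2025:10:00:05 +0000] "POST /global-protect/login.esp HTTP/1.1" 200 2048
203.0.113.5 - - [20/Nov/2025:10:30:00 +0000] "POST /global-protect/login.esp HTTP/1.1" 401 512
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/global-protect/login.esp"  # path named in the report


def parse(line):
    """Return (ip, timestamp, path, status) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])


def find_bruteforce(log_text, threshold=5, window_s=60):
    """Return {ip: peak_count} for sources that sent at least `threshold`
    failed (401) login.esp requests within any `window_s`-second sliding window.
    Assumption: the portal logs a failed login as HTTP 401."""
    windows = defaultdict(deque)   # per-source timestamps of recent failures
    flagged = {}
    events = sorted(filter(None, map(parse, log_text.splitlines())), key=lambda e: e[1])
    for ip, ts, path, status in events:
        if path != TARGET_PATH or status != 401:
            continue
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
```

Successful logins and other portal paths are ignored, so a source that fails five times in a minute is flagged while an occasional single failure is not.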

2. Palo Alto to Acquire Chronosphere for $3.35 Billion

Palo Alto Networks announced plans to acquire observability company Chronosphere for $3.35 billion. The acquisition aims to enhance Palo Alto’s unified security and observability strategy by integrating Chronosphere’s large-scale monitoring and analytics capabilities. This move aligns with the industry trend of consolidating observability and cybersecurity into a single operational ecosystem. Analysts expect Palo Alto to offer tighter SIEM, monitoring, and automation integrations as a result.

3. Fortinet Hit with Another FortiWeb Zero-Day Flaw

Fortinet is dealing with yet another FortiWeb WAF zero-day vulnerability that allows authenticated attackers to execute OS-level commands. The flaw follows multiple recent zero-days affecting the company’s product line, raising concerns over vendor patch velocity and disclosure practices. Researchers warn that some versions may have been silently patched before public advisories. Organizations are urged to patch immediately and hunt for rogue admin accounts or suspicious system activity.

4. AI “Agentic Systems” Increase Cyber Attack Surface

New research shows that AI agents capable of autonomous decision-making and code execution significantly expand the enterprise attack surface. Attackers can exploit flaws in agent tooling, such as the VS Code extension flaw tracked as CVE-2025-53773, to run unauthorized tasks. As organizations adopt AI-driven automation, these agents become privileged entities that require stricter access controls. Security leaders are being urged to treat AI platforms like high-risk operational systems.

5. CISA Adds Google Chromium V8 Flaw to KEV Catalog

CISA added a Google Chromium V8 type-confusion flaw (CVE-2025-13223) to its Known Exploited Vulnerabilities catalog. The bug allows remote code execution through malicious web pages and has confirmed active exploitation in the wild. Federal agencies must patch the vulnerability by December 10, 2025, under binding operational directive rules. Enterprises using Chrome or Chromium-based browsers should prioritize updates immediately.

6. Western Nations Sanction “Bulletproof” Hosting Provider Media Land

The U.S., U.K., and Australia jointly sanctioned Russia’s Media Land LLC, an infrastructure provider accused of supporting ransomware gangs. The company allegedly supplied resilient hosting, DDoS services, and IP infrastructure to groups like LockBit and BlackSuit. Officials say the sanctions aim to disrupt the cybercrime ecosystem by targeting enablers—not just threat actors. Firms are advised to verify that none of their vendors or upstream hosts rely on Media Land infrastructure.

7. Operation WrtHug Hijacks 50,000 ASUS Routers

Researchers uncovered a global botnet operation—dubbed “WrtHug”—that hijacked over 50,000 ASUS routers. Attackers exploited known vulnerabilities in outdated or end-of-life firmware to conscript devices into a large anonymization and proxy infrastructure. These routers are being used to relay malicious traffic and disguise attacker origins. Security experts warn organizations to patch or replace exposed consumer-grade hardware immediately.

8. Amazon Warns About Cyber-Enabled Kinetic Targeting

Amazon’s threat intelligence team reported that nation-state hackers are increasingly using cyber intrusions to support physical, kinetic operations. Adversaries have leveraged compromised CCTV feeds, maritime systems, and GPS tools to coordinate real-world attacks. The report highlights the blurring boundary between cyber operations and battlefield targeting. Organizations managing critical infrastructure are urged to assume their digital systems have physical-world consequences.

9. Sysmon to Become a Native Windows Feature

Microsoft announced that Sysmon—one of the most widely used Windows telemetry tools—will become a built-in component of Windows 11 and Server 2025. This shift means enterprises will no longer need custom deployments or manual installation to collect deep process and event telemetry. Native integration is expected to significantly boost security monitoring capabilities across enterprise fleets. Administrators should prepare to update Sysmon configs and SIEM ingestion rules.

10. U.S. Sanctions Russian Hosting Provider Media Land Over Ransomware Activity

The U.S. Treasury Department issued sanctions against Media Land, accusing the provider of enabling ransomware infrastructure. The company allegedly supported operators behind major ransomware families and sold “bulletproof” hosting designed to evade law enforcement. The sanctions block U.S. interactions with the provider and freeze any associated assets. Officials hope the move will disrupt cybercrime logistics and reduce attacker resilience.

11. Hackers Actively Exploiting 7-Zip Vulnerability

A dangerous 7-Zip vulnerability (CVE-2025-11001) is under active exploitation, allowing attackers to achieve remote code execution using malicious symbolic links inside ZIP archives. Proof-of-concept exploits are public, and researchers warn threat actors are integrating it into phishing and malware campaigns. The flaw impacts all versions prior to 25.00, making patching urgent. Organizations should audit automated extraction workflows for compromise.
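One way to audit an extraction workflow is to inspect archives for symlink entries before anything is unpacked. This added example (not 7-Zip's code and not from the newsletter) reads the Unix mode bits that ZIP entries carry, resolves each symlink target against its own directory, and reports links that would land outside the extraction root; the sample archive is constructed in memory purely as test input.

```python
import io
import posixpath
import stat
import zipfile


def audit_zip_symlinks(data: bytes):
    """Return (entry_name, link_target, reason) for every symlink entry whose
    target is absolute or resolves above the extraction root. Inspects only;
    nothing is extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16          # Unix mode bits, when the creator stored them
            if not stat.S_ISLNK(mode):
                continue
            target = zf.read(info).decode("utf-8", "replace")  # a symlink entry's content is its target
            if posixpath.isabs(target) or target.startswith("\\"):
                findings.append((info.filename, target, "absolute target"))
                continue
            resolved = posixpath.normpath(posixpath.join(posixpath.dirname(info.filename), target))
            if resolved == ".." or resolved.startswith("../"):
                findings.append((info.filename, target, "escapes extraction root"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive: one regular file, one symlink that stays inside
    its directory, and one whose target climbs above the root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        for name, target in [("docs/latest", "readme.txt"),
                             ("docs/cfg", "../../outside/placeholder")]:
            zi = zipfile.ZipInfo(name)
            zi.external_attr = (stat.S_IFLNK | 0o777) << 16   # mark the entry as a symlink
            zf.writestr(zi, target)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, target, reason in audit_zip_symlinks(build_sample_archive()):
        print(f"{entry} -> {target}: {reason}")
```

Archives created on Windows often carry no Unix mode bits, so a clean result from this check is not proof of a benign archive; pair it with extraction into a dedicated, non-privileged directory.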

12. Cloudflare Outage Blamed on Internal Error, Not Attack

Cloudflare confirmed that a recent global outage was caused by an internal configuration error, not a cyberattack. The issue disrupted websites, APIs, and services dependent on Cloudflare’s global edge network. While no threat actor was involved, the incident highlights the systemic risk of third-party infrastructure failures. Organizations are being urged to assess their reliance on single-vendor cloud platforms and build redundancy into critical services.
