DJBSEC's CyberNews 2025-11-26
1. U.S. Officials Warn of Rising Cyber Threats Amid Holiday Travel Season
U.S. federal agencies issued alerts warning that cybercriminals are increasingly targeting transportation networks, travelers, and airport systems during the busy holiday period. Officials report a spike in phishing campaigns impersonating airlines and TSA services, aiming to steal personal and financial data. Threat groups are also attempting to compromise airport Wi-Fi and booking portals. Travelers are urged to avoid public Wi-Fi, verify message senders, and use MFA on all travel-related accounts.
2. Popular Tools JSONFormatter & CodeBeautify Exposed Sensitive Data for Years
Researchers discovered that JSONFormatter and CodeBeautify, two widely used online formatting tools, inadvertently logged and exposed sensitive data for years. Users—including banks, government agencies, and corporations—often pasted API keys, passwords, credentials, and internal data into these tools. This information was cached and indexed by search engines, making it accessible to attackers. The platforms have since removed exposed logs, but organizations are urged to rotate any credentials potentially leaked.
3. Firefox Releases Patch for Actively Exploited CVE-2025-13016
Mozilla released an urgent Firefox update addressing CVE-2025-13016, a high-severity vulnerability already exploited in the wild. The flaw allowed attackers to achieve remote code execution through malicious web content. Researchers warn that simply visiting a compromised site could trigger exploitation. Users are advised to update immediately across desktop and enterprise deployments.
4. New ClickFix Wave Uses Hidden Malware in Images & Fake Windows Updates
A new wave of ClickFix attacks is distributing malware hidden inside image files and fraudulent Windows update notifications. Attackers lure users into clicking “Fix Now” prompts, triggering the execution of concealed payloads. These attacks bypass traditional email filters by using benign-looking media files. Security researchers advise organizations to train users to avoid clicking unexpected pop-ups and to validate update sources.
5. Cybercriminals Stole $262M by Impersonating Bank Support Teams
The FBI reports that since January, threat actors stole $262 million by posing as bank customer-support staff. Criminals contacted victims through spoofed phone numbers and fraudulent messages, tricking them into granting remote access or revealing account details. Many scams used “panic tactics,” such as warnings of fraudulent withdrawals, to pressure victims. Authorities urge financial institutions to adopt stronger caller-verification procedures and public awareness campaigns.
6. Tor Switches to New “Counter Galois” Onion Encryption Algorithm
The Tor Project has rolled out a major upgrade, adopting the Counter Galois (CG) algorithm to strengthen onion-relay encryption. The new algorithm improves performance while offering stronger resistance to traffic analysis attacks. Tor developers say the shift is part of a long-term modernization effort to defend against nation-state-level surveillance. Users should update their Tor clients to take advantage of the enhanced security.
7. KawaiiGPT: Black Hat AI Tool Supports Malware and Phishing Operations
Security researchers uncovered KawaiiGPT, a black-hat AI tool designed to help cybercriminals generate phishing emails, malware code, and social-engineering scripts. Unlike legitimate AI models, KawaiiGPT bypasses safety filters and is trained on malicious datasets. The tool has been spotted in underground forums and is being adopted by low-skill threat actors. Experts warn this could accelerate the volume and sophistication of cyberattacks.
8. Russian & North Korean Hackers Form Alliances
Threat intelligence analysts say Russian and North Korean hacking groups are forming loose alliances to share infrastructure, tools, and stolen data. This collaboration appears to be driven by geopolitical alignment and the desire to evade international sanctions. Joint operations have reportedly targeted Western defense firms, financial institutions, and government systems. Officials warn that these alliances could lead to more coordinated and persistent cyber espionage.
9. Code-Beautifiers Leak Credentials from Banks, Government & Tech Orgs
A new investigation reveals that multiple online “code beautifier” tools have been storing and exposing sensitive user submissions, including credentials from banks, governments, and major tech companies. These platforms logged user-submitted content for debugging, unintentionally creating massive troves of exposed secrets. Some logs were publicly accessible and indexed by search engines. Organizations are urged to rotate credentials and prohibit staff from using online paste/formatting tools.
10. Spyware & RATs Target WhatsApp and Signal Users
CISA warns of new campaigns deploying spyware and RATs targeting WhatsApp and Signal through malicious apps, fake updates, and phishing links. Attackers aim to intercept messages, steal device data, and gain persistent access to victims’ phones. These campaigns are attributed to both criminal groups and suspected state-linked operators. Users are urged to download apps only from official stores and enable device-level protections.
11. Threat Actors Exploit Black Friday Shopping Hype
Cybercriminals are exploiting Black Friday shopping hype by launching fake discount sites, phishing emails, and malicious shopping apps. These scams steal credit card data, passwords, and personal information from unsuspecting shoppers. Researchers warn that AI-generated websites and scam ads make these campaigns harder to identify. Users should verify retailers, avoid promo links in emails, and use virtual card numbers when possible.
12. Dartmouth College Confirms Data Breach After Clop Extortion Attack
Dartmouth College confirmed a data breach after the Clop ransomware group claimed responsibility for stealing sensitive data. The attackers exfiltrated files before issuing an extortion threat demanding payment. Dartmouth has begun notifying affected individuals and is working with law enforcement and cybersecurity partners. The college says academic systems remain operational, but the investigation is ongoing.
13. Canon Breached via Clop Ransomware Using Oracle EBS Exploit
Canon confirmed it was breached through a Clop ransomware attack that exploited an Oracle E-Business Suite vulnerability. The attackers accessed corporate systems, stole sensitive data, and used double-extortion tactics to pressure the company. Early reports suggest Canon’s ERP environment was the initial attack vector. Security teams are urging organizations using Oracle EBS to ensure they have applied the latest patches.