Cybersecurity News: Coupang CEO resigns, hacktivists target US infrastructure, Israeli cybersecurity hits record funding

In today’s cybersecurity news…

CEO of retail giant Coupang resigns

South Korea’s Coupang CEO Park Dae-jun stepped down after a breach exposed data from around 34 million customers. The company said he resigned out of responsibility for the incident, discovered Nov. 18th. Coupang named Chief Administrative Officer Harold Rogers interim CEO, with a focus on stabilizing operations and reassuring users. South Korean authorities are investigating, including a raid on Coupang’s headquarters and a probe involving a former employee from China. (CNBC)

Pro-Russia hacktivists target US infrastructure

US officials say pro-Russia hacktivist groups are breaking into poorly secured VNC connections tied to US critical infrastructure, mainly water, food, and energy systems. The groups (CARR, Z-Pentest, NoName057(16), and Sector16) are using brute-forced VNC access to reach HMI devices, capture screens, alter settings, disable alarms, and cause limited physical disruption. CISA warns the activity is unsophisticated but could become more dangerous as tactics evolve, and the DOJ has charged a Ukrainian national linked to CARR and NoName057(16). (Dark Reading)

Israeli cybersecurity funding hits record

Israeli cybersecurity startups pulled in a record $4.4 billion this year, according to YL Ventures. That’s a 9% jump from 2024 with 130 total rounds, up from 89. AI security and endpoint security saw the strongest momentum, and major players like Armis, Cato Networks, Cyera, Dream, and Island announced big raises. YL Ventures says the ecosystem has expanded more than 500% over the past decade. (SecurityWeek)

Aeroflot hacked through tech vendor

Russia’s flagship airline Aeroflot had a difficult summer after pro-Ukrainian hackers Silent Crow and the Belarusian Cyber-Partisans breached it through a small contractor called Bakka Soft, according to a new investigation from The Bell. The groups allegedly maintained long-term access, moved into Aeroflot’s Active Directory, grabbed high-privilege accounts, and deployed dozens of malware tools. The outage grounded more than a hundred flights and caused tens of millions in damages. Investigators say Aeroflot lacked two-factor authentication on key servers and let the vendor keep remote access. (The Record)

Huge thanks to our sponsor, Adaptive Security

This episode is brought to you by Adaptive Security, the first cybersecurity company backed by OpenAI. In deepfake scams, the tells aren’t glitchy video anymore – it’s behavior: “Do this right now,” or “keep it secret.” If you hear urgency and secrecy together, stop and verify through a second channel. Call a known number, start a chat thread, or ask something only the real person would know. Adaptive trains teams against exactly these tactics. adaptivesecurity.com.

Fortinet fixes authentication-bypass vulnerabilities

Fortinet released patches for 18 vulnerabilities, including two critical authentication-bypass bugs in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager when FortiCloud SSO is enabled. The issues let an attacker bypass FortiCloud SSO using a crafted SAML message because of improper signature verification. FortiCloud SSO is off by default but is automatically enabled during FortiCare registration unless manually disabled. Fortinet recommends turning off FortiCloud SSO until systems are updated. No evidence yet of exploitation. (Security Affairs)

Storm-0249 abuses EDR processes

Storm-0249, a ransomware-access broker, is increasingly exploiting legitimate EDR software and Windows tools to move within networks, gather data, and maintain persistence. Its ClickFix campaigns trick users into running commands that install malware disguised as Microsoft support files or SentinelOne DLLs, letting attackers execute code without triggering alerts. The group also uses built-in utilities like curl.exe and fileless PowerShell scripts to blend in with normal operations. ReliaQuest warns these tactics highlight gaps in signature-based defenses and urges behavioral monitoring, EDR baselining, and strict LOLBin restrictions. (Dark Reading)

Gits battered in 0-day attacks

A zero-day vulnerability in Gogs, a self-hosted Git service, is actively being exploited, with more than 700 of roughly 1,400 internet-exposed instances already compromised. It lets authenticated users overwrite files outside repositories via symbolic links, leading to remote code execution. Attackers have used the Supershell C2 framework to deploy payloads, though post-compromise activity is largely unknown. Wiz researchers advise disabling open registration, limiting internet exposure, and monitoring for suspicious repositories or PutContents API use while Gogs works on a fix. (The Register)

ClickFix style attack uses Grok, ChatGPT for malware

A new ClickFix-style attack is using SEO poisoning and legitimate AI platforms like ChatGPT and Grok to deliver Mac infostealer malware. Users searching for common troubleshooting tasks are directed to AI chat links that provide instructions which secretly install malware, harvest credentials, and maintain persistence. Huntress warns this method exploits trust in AI and bypasses traditional protections, potentially becoming a major initial access vector for stealers over the next 6–18 months. Defenses include monitoring behavioral anomalies, restricting terminal command use, and practicing strong password hygiene. (Dark Reading)