Rhysida Malvertising, KEV Patch-Now, EY & Nikkei Breaches - Copied

Rhysida fake Teams ads (OysterLoader/Latrodectus), new CISA KEV vulns, EY & Nikkei breaches—actionable takeaways for EU/NIS2 teams.
Nov 11, 2025
This Week in Cyber — Nov 3–10, 2025

Analysis Date: November 10, 2025

Source: Trescudo Intelligence • Author: Evangeline Smith, MarCom

Executive summary (60s)

  • Malvertising returns big: Rhysida is poisoning Bing ads for “Microsoft Teams,” dropping OysterLoader/Latrodectus and paving the way to ransomware. Train users to avoid ad results, enforce app allowlists, and watch for those loaders. (TechRadar)

  • KEV updates: CISA added actively exploited flaws (incl. Gladinet, Control Web Panel, and WordPress plugin issues). Patch or implement compensating controls now; KEV means real-world exploitation. (The Hacker News)

  • Fresh breaches & fraud: Roundups flag EY data exposure, Nikkei staff PII breach (~17k), uptrend in LinkedIn phishing, and a Telegram-automated credential harvest. Reinforce brand-abuse monitoring and SSO risk checks. (Kaseya)

  • Crypto/DeFi note: Balancer recovers part of its $128M loss; highlights systemic risk in Web3 integrations. If you touch DeFi rails, review vendor/API isolation. (SecurityWeek)


Top breaches & attacks

  • Rhysida malvertising → fake Teams sites
    Spoofed Bing ads funnel victims to look-alike download pages; initial payloads (OysterLoader, Latrodectus) bring second-stage malware/ransomware. Block ads at the endpoint/DNS, prefer direct vendor URLs, and monitor for those loaders. (TechRadar)

  • EY + LinkedIn phishing + Telegram bot harvesting (roundup)
    Weeklies flag a major EY exposure, LinkedIn lure campaigns, and kits that post stolen creds via Telegram Bot API. Treat LinkedIn OAuth and email aliases as high-risk; add detections for mass-created accounts and unusual OAuth grants. (Kaseya)

  • Nikkei breach (Week 46)
    Reported 17,000+ staff impacted. If you do business with Nikkei or share SSO with media vendors, rotate tokens and watch for spear-phish referencing HR data. (dbdigest.com)


Vulnerabilities & exploitation (patch-now signals)

  • New KEV adds: Gladinet, Control Web Panel, WordPress plugins
    CISA and industry outlets warn these are actively exploited. If internet-facing, patch or isolate; add WAF rules and hunt for web-shells/unusual child processes. (The Hacker News)

  • Weekly vuln highlights
    Trackers call out high-risk CVEs this week (e.g., IBM InfoSphere XXE), plus a wave of Visio use-after-free CVEs (client-side). Prioritize server-side and internet-exposed surfaces first; for client CVEs, focus on fleet update coverage. (cyble.com)


  • Adversary in the ad slot: Malvertising is back as a mainstream initial access vector; your “go to the vendor site” training must explicitly say “don’t click ad results.” (TechRadar)

  • KEV as a to-do list: If it’s in KEV, assume ongoing exploitation. Tie your KEV MTTR to performance goals and publish deltas weekly. (CISA)

  • Credential automation: Telegram-connected kits lower the barrier to mass theft; push FIDO2/passkeys for risky cohorts and monitor impossible travel + suspicious OAuth. (dbdigest.com)

  • Third-party gravity: EY/Nikkei headlines reinforce supplier risk. Demand 1-hour notify and hourly updates in vendor IR SLAs; run joint tabletops. (Kaseya)


What to do before Monday (practical, high-yield)

  1. Malvertising guardrails: Block ad domains at DNS/endpoint; distribute a 1-pager: “Type the URL or use your corporate portal—never ads.” Add detections for OysterLoader/Latrodectus beacons. (TechRadar)

  2. KEV sprint: Cross-reference assets against CISA KEV; patch/isolate Gladinet/CWP/WordPress exposures; run web-shell sweeps and credential rotation where web admin panels were exposed. (The Hacker News)

  3. SSO hygiene: Force passkeys/MFA on execs/admins; rotate stale tokens; audit OAuth for risky scopes and unused grants tied to LinkedIn/marketing tools. (Kaseya)

  4. Phish-report muscle memory: Run a micro-campaign; reward first reporter behavior. Aim to cut time-to-first report (your best early-warning KPI).

  5. Vendor check-in: Ask critical suppliers for current exposure statements (internet-facing admin panels, WAF status, last KEV patch timing).
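As a worked example of step 2's KEV cross-reference (added here; not Trescudo's own tooling or any vendor script), the Python below matches a constructed asset inventory against a KEV-format excerpt that reuses the field names of CISA's catalog JSON but carries placeholder CVE IDs, product names and dates, flags assets past CISA's due date, orders them for triage, and derives the KEV MTTR metric mentioned above from the assets already fixed.

```python
import json
from datetime import date
# Constructed KEV-style excerpt using the field names of CISA's catalog JSON
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The CVE IDs, product names and dates are placeholders, not real KEV entries.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "Gladinet", "product": "PLACEHOLDER-FILESHARE",
     "dateAdded": "2025-11-04", "dueDate": "2025-11-25", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00002", "vendorProject": "Control Web Panel", "product": "PLACEHOLDER-CWP",
     "dateAdded": "2025-10-20", "dueDate": "2025-11-03", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00003", "vendorProject": "WordPress", "product": "PLACEHOLDER-PLUGIN",
     "dateAdded": "2025-11-06", "dueDate": "2025-11-27", "knownRansomwareCampaignUse": "Unknown"},
]})
# Constructed asset inventory (a CMDB export); vendor/product casing deliberately varies.
ASSETS = [
    {"host": "files01", "vendor": "gladinet", "product": "placeholder-fileshare", "exposed": True, "patched_on": None},
    {"host": "cwp-edge", "vendor": "control web panel", "product": "Placeholder-CWP", "exposed": True, "patched_on": "2025-10-23"},
    {"host": "blog", "vendor": "WordPress", "product": "placeholder-plugin", "exposed": False, "patched_on": None},
    {"host": "intranet-db", "vendor": "OtherVendor", "product": "db", "exposed": False, "patched_on": None},
]

def load_kev(text):
    """Index KEV entries by (vendor, product), lower-cased for case-insensitive matching."""
    return {(v["vendorProject"].lower(), v["product"].lower()): v
            for v in json.loads(text)["vulnerabilities"]}

def match_assets(kev, assets, today_iso):
    """One finding per asset that matches a KEV entry, sorted into triage order."""
    today, findings = date.fromisoformat(today_iso), []
    for a in assets:
        entry = kev.get((a["vendor"].lower(), a["product"].lower()))
        if entry is None:
            continue  # not in KEV: handle under the normal patch cadence
        added, due = date.fromisoformat(entry["dateAdded"]), date.fromisoformat(entry["dueDate"])
        patched = date.fromisoformat(a["patched_on"]) if a["patched_on"] else None
        findings.append({
            "host": a["host"], "cve": entry["cveID"], "exposed": a["exposed"],
            "ransomware_linked": entry["knownRansomwareCampaignUse"] == "Known",
            "overdue": patched is None and today > due,
            "days_to_patch": (patched - added).days if patched else None,  # feeds the KEV MTTR metric
        })
    # Internet-facing first, then ransomware-linked, then past CISA's due date.
    findings.sort(key=lambda f: (not f["exposed"], not f["ransomware_linked"], not f["overdue"]))
    return findings

def kev_mttr_days(findings):
    """Mean days from KEV dateAdded to patch across findings already fixed; None if nothing fixed yet."""
    done = [f["days_to_patch"] for f in findings if f["days_to_patch"] is not None]
    return sum(done) / len(done) if done else None
```

Against the live catalog, replace KEV_SAMPLE with the downloaded JSON and ASSETS with your inventory export; the same (vendorProject, product) normalisation applies.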


Trivia & “did you know?”

  • Loader du jour: Latrodectus is often a loader stage, not the endgame—treat any detection as a probable hands-on-keyboard precursor. (TechRadar)

  • KEV deadlines matter: Many agencies align controls and due dates directly to KEV entries; use KEV to justify emergency change windows. (CISA)

  • DeFi recovery mechanics: Balancer’s partial fund recovery underscores how protocol design and partnerships affect post-incident outcomes—useful when assessing fin-tech integrations. (SecurityWeek)


Sources & further reading

  • Rhysida malvertising (fake Teams ads → loaders) — TechRadar summary of Expel’s research. (TechRadar)

  • CISA Known Exploited Vulnerabilities (KEV) Catalog — authoritative list; treat as exploit-in-the-wild. (CISA)

  • KEV new adds (Gladinet, CWP, WordPress plugins) — The Hacker News coverage. (The Hacker News)

  • Weekly breach/vuln roundups — Kaseya (EY breach, LinkedIn phishing) and Data Breaches Digest (Nikkei, phishing via Telegram bots, AI scoring). (Kaseya)

  • DeFi/crypto — SecurityWeek on Balancer partial recovery from $128M heist. (SecurityWeek)

  • Additional weekly vuln intelligence — Cyble weekly vulnerability report; SOS Intelligence CVE chatter. (cyble.com)

