Cyber Security Weekly Briefing, 22-28 November
ASUS fixes critical authentication bypass vulnerability in routers with AiCloud
ASUS has released new firmware to mitigate nine vulnerabilities, notably CVE-2025-59366 (CVSSv4 score of 9.2 according to the manufacturer), a critical authentication bypass exploitable on routers with AiCloud enabled. The flaw stems from side effects in the Samba functionality and allows unauthenticated remote attackers to execute unauthorized functions through a low-complexity chain of path traversal and command injection.
Versions 3.0.0.4_386, 3.0.0.4_388, and 3.0.0.6_102 incorporate patches for multiple CVEs. ASUS did not detail the affected models but published mitigation measures for end-of-life devices, recommending disabling services exposed to the Internet and blocking remote access to vulnerable AiCloud devices. It also urges users to strengthen passwords and limit the exposed surface area.
In April, the company had already fixed another critical bypass, previously exploited in Operation WrtHug to hijack thousands of ASUS WRT routers and use them as ORB nodes in campaigns attributed to Chinese actors.
Iberia confirms security breach affecting customers
Iberia Airlines has confirmed that it suffered a cyberattack on the weekend of November 22-23, 2025, which compromised the personal data of some of its customers due to unauthorized external access to the systems of an external technology provider that hosts a communication repository.
The leaked information includes first names, last names, and email addresses and, to a lesser extent, telephone numbers and Iberia Club membership numbers, as well as some reservation codes for future flights.
The airline has assured that no complete or usable data on payment methods or access codes to Iberia accounts has been obtained. As a mitigation measure, the company has reported the incident to the Spanish Data Protection Agency (AEPD) and the Central Operational Unit (UCO) of the Civil Guard, contacting affected customers and implementing two-factor authentication for reservation management. In addition, it has made a toll-free telephone number available to answer questions while the investigation continues.
Insider facilitates leak of internal information at CrowdStrike
CrowdStrike confirmed the termination of an employee who leaked internal information to the Scattered Lapsus$ Hunters coalition, made up of members of Scattered Spider, LAPSUS$, and ShinyHunters. The insider shared screenshots of internal dashboards, including access to corporate resources and the Okta SSO page.
The attackers claimed to have exploited the third-party platform Gainsight and obtained authentication cookies, but CrowdStrike ruled out any technical intrusion or infrastructure compromise. The internal investigation determined that the leak was limited to screenshots taken locally by the employee, who was allegedly incentivized with an offer of $25,000 for access to the network. Monitoring systems detected anomalous activity early on, preventing further unauthorized access.
The company maintains that there was no operational impact or customer exposure and referred the case to the appropriate authorities.
Leaked documents reveal the organisational and strategic evolution of APT35
The leak in October 2025 of internal documents from APT35 (Charming Kitten), a cyber espionage group linked to Iran's Islamic Revolutionary Guard Corps (IRGC), revealed a highly bureaucratic and militarised operational structure. The files show a system with performance metrics, strict supervision, and teams specialising in phishing, exploiting vulnerabilities such as ProxyShell and Ivanti, and monitoring compromised mailboxes to obtain human intelligence (HUMINT).
Active since 2022, the campaign targets diplomatic, government, and corporate networks in Turkey, Saudi Arabia, Lebanon, Kuwait, Korea, and within Iran itself, following a systematic cycle of exploitation, credential theft, and chained phishing campaigns. Technical analysis shows a transition from manual procedures to increasing automation, which improves the scale, persistence and capacity for continuous information gathering.
Taken together, these elements reflect an increasingly centralised state cyber intelligence apparatus, whose strategic objective is to obtain information to influence foreign policy, security and the regional economy.
Recent activity by Scattered LAPSUS$ Hunters and expansion of their offensive capabilities
According to Unit 42 researchers, since mid-November 2025, Scattered LAPSUS$ Hunters (SLSH) has resumed operations with new data theft campaigns linked to the compromise of Gainsight applications and their integration with Salesforce, enabled by OAuth tokens stolen in previous attacks on Salesloft Drift. Salesforce confirmed unauthorized access to customer data and published relevant IoCs.
SLSH, through its Telegram channel, announced a possible leak site and set an implicit deadline for its extortion demands. In parallel, the group is promoting the development of the Ransomware-as-a-Service ShinySp1d3r, currently functional on Windows, with versions for Linux and ESXi in preparation, and has threatened to deploy it against New York State infrastructure. It also continues its strategy of recruiting insiders, offering payments for access to corporate networks, following the incident involving a former CrowdStrike employee. Gainsight suspended its integrations with other SaaS platforms and recommended key rotation.
SLSH claims to have compromised around 1,500 victims in 2025 and anticipates more leaks during the shopping season, increasing the risk for sectors such as retail, which are highly active at this time of year.