Cyber Security Weekly Briefing, 1-7 November
Emergency update fixes critical vulnerabilities in Google Chrome
Google has released an emergency security update for Chrome (versions 142.0.7444.134 and 142.0.7444.135) that fixes five high- and medium-severity vulnerabilities in core browser components.
The most critical flaw, CVE-2025-12725, corresponds to an out-of-bounds write error in the WebGPU implementation, with potential for remote code execution. Other high-severity vulnerabilities (CVE-2025-12726 and CVE-2025-12727) affect the Views and V8 modules, related to interface rendering and JavaScript execution, respectively.
Two additional vulnerabilities, CVE-2025-12728 and CVE-2025-12729, of medium severity, impact the Omnibox component. Deployment began on November 5, 2025, for Windows, macOS, Linux, and Android, while iOS received the equivalent version 142.0.7444.128.
Google is temporarily withholding technical details of the flaws until patch distribution is complete. Updating immediately is recommended to mitigate potential exploitation.
FIN7 maintains stealthy access via SSH backdoor on Windows
The FIN7 (Savage Ladybug) cybercriminal group continues to use an SSH-based backdoor infrastructure for Windows, active since 2022 with minimal modifications. Using an install.bat script and compromised OpenSSH tools, they establish reverse SSH and SFTP tunnels that provide persistent remote access and covert data exfiltration.
This method turns Windows computers into externally controllable nodes and evades firewall controls, because the connection is initiated outbound from the victim. Their use of legitimate tools makes detection by traditional mechanisms difficult. FIN7 has chosen to keep this technique stable and proven, making only minor adjustments to evade security signatures. Because SFTP traffic is encrypted, stolen information blends in with legitimate traffic.
Organisations are advised to strengthen their monitoring of SSH logs, anomalous access and unauthorised clients, as well as to apply segmentation and behavioural analysis to detect reverse tunnels.
Android fixes critical vulnerabilities with November 2025 security patch
Google published the November 2025 Android security bulletin, which fixes multiple critical vulnerabilities affecting versions 13, 14, 15, and 16 of the system. The most serious (CVE-2025-48593) allows remote code execution (RCE) without user interaction, while another (CVE-2025-48581) enables privilege escalation (EoP) in Android 16. Devices with patch level 2025-11-01 or later are protected against these flaws.
Google will release the patches to the AOSP repository within 48 hours of publication. In addition, Google Play Protect continues to mitigate active exploitation risks. No new vulnerabilities were reported in the Mainline system updates.
Google recommends that manufacturers apply all fixes and that users keep their devices up to date to reduce exposure to attacks.
Google detects a new phase in the use of AI by threat actors
The Google Threat Intelligence Group (GTIG) has identified a significant change in 2025: threat actors have moved from using artificial intelligence as a technical aid to integrating it directly into operational malware. Families such as PROMPTFLUX and PROMPTSTEAL use Large Language Models (LLMs) to generate malicious code, dynamically rewrite themselves, and evade detection.
These capabilities mark the beginning of "just-in-time malware," capable of modifying its behaviour during execution. State actors use generative AI for all phases of the attack, from reconnaissance to exfiltration, while underground forums sell AI-based tools for phishing and exploitation. Some groups, such as APT28 or APT41, use Gemini to develop C2 or conduct technical research, using social engineering to circumvent the model's security measures.
Google has responded by deactivating malicious accounts and strengthening Gemini's classifiers to prevent future abuse.
Campaign to steal cargo by remotely installing RMMs in transport companies
Proofpoint researchers have identified a series of campaigns targeting freight brokers and carriers, primarily in North America, with the aim of installing remote management tools (RMM) such as ScreenConnect, SimpleHelp, PDQ Connect, and LogMeIn Resolve.
The attacks, active since January 2025, use social engineering emails that impersonate legitimate freight negotiation communications. Through malicious links, attackers induce victims to download .EXE or .MSI installers that allow full control of compromised systems, facilitating account hijacking and manipulation of transport reservations.
The intrusions allow attackers to redirect goods, delete notifications, and impersonate legitimate companies to coordinate the physical theft of cargo. The combined use of RMMs and information stealers such as NetSupport, Lumma Stealer, and DanaBot has been observed. The activities suggest collaboration with organized criminal groups with inside knowledge of the logistics sector.
It is recommended to restrict the installation of unauthorized RMMs and to block executable attachments and downloads at email gateways.