SparTech Software CyberPulse – Your quick strike cyber update for November 28, 2025 5:03 AM

TL;DR

Cybersecurity Professionals Indicted for Ransomware Attacks

The U.S. Department of Justice has indicted three cybersecurity professionals for conducting ransomware attacks against multiple companies while employed at security firms, leveraging their positions as negotiators and incident responders to extort victims.

Charges and Defendants

In November 2025, the Department of Justice indicted three individuals with cybersecurity industry credentials for their involvement in a sophisticated ransomware extortion scheme. Kevin Tyler Martin and an unnamed employee of DigitalMint were charged with executing malware attacks while serving as cyber extortion negotiators. Ryan Clifford Goldberg, formerly an incident response manager at Sygnia, was also implicated in the criminal conspiracy.

Attack Campaign Details

The defendants allegedly targeted at least five companies across multiple sectors, including a Florida-based medical device manufacturer, a Maryland pharmaceutical company, and a Virginia drone manufacturer. The attackers exploited their insider knowledge and trusted positions within security firms to gain access to victim networks and launch malware campaigns.

Modus Operandi and Extortion Strategy

The scheme leveraged the defendants’ professional positions as incident responders and negotiators to create a conflict of interest. By conducting their own attacks while simultaneously positioned as negotiators between companies and threat actors, the defendants could extract higher ransom payments or additional concessions from victims. This approach represented a breach of the trust placed in cybersecurity professionals and highlighted the risks of insider threats within the security industry.

Legal and Industry Implications

The indictments represent a significant enforcement action against cybersecurity professionals who abused their industry credentials for criminal purposes. The case underscores the critical need for background checks, conflict of interest policies, and strict oversight within incident response and cybersecurity consulting firms.

DoorDash Confirms Data Breach Affecting Millions of Users

DoorDash disclosed a data breach in November 2025 resulting from a social engineering attack in October, compromising the personal information of millions of users across multiple countries, though payment and identification data remained secure.

Attack Vector and Initial Compromise

The breach originated from a social engineering attack on October 25, 2025, in which a DoorDash employee fell victim to a cyber scam that compromised their credentials. The attacker used these credentials to gain unauthorized access to DoorDash internal systems, establishing a foothold within the company’s network infrastructure.

Detection and Response Timeline

DoorDash’s security team identified the unauthorized third-party access to internal systems following the October 25 incident. The company terminated the unauthorized access and initiated a comprehensive investigation with support from external cybersecurity firms and law enforcement agencies. Affected users began receiving breach notifications on November 13, 2025, nearly three weeks after the initial compromise.

Data Exposure and Scope

The compromised dataset included names, email addresses, phone numbers, and physical addresses for users across the United States, Canada, Australia, and New Zealand. Independent investigators estimated the potential number of affected individuals could reach into the millions. Significantly, DoorDash confirmed that Social Security numbers, government-issued identification documents, driver’s license information, and payment card details were not accessed during the breach.

Historical Context and Patterns

The November 2025 breach represents the third significant security incident affecting DoorDash within six years. Previous incidents included a 2019 breach affecting 5 million users and a third-party vendor compromise in 2022. The recurring nature of these incidents suggests ongoing challenges with DoorDash’s security architecture and employee security awareness training.

Cl0p Ransomware Group Targets Oracle E-Business Suite Customers

The Cl0p ransomware group conducted a widespread campaign exploiting a critical vulnerability in Oracle E-Business Suite, compromising nearly 30 confirmed victim organizations including major corporations and educational institutions, potentially affecting thousands of organizations.

Vulnerability Details and Affected Systems

The Cl0p ransomware group exploited CVE-2025-61882, a critical vulnerability affecting Oracle E-Business Suite versions 12.2.3 through 12.2.14. This vulnerability allows unauthenticated remote code execution, enabling attackers to gain complete control over vulnerable systems without requiring valid credentials or authentication mechanisms.

Confirmed Victims and Scale

The ransomware group publicly named nearly 30 organizations as victims of the campaign in November 2025. Confirmed victims include The Washington Post, Logitech, Harvard University, Cox Enterprises, and Pan American Silver. These organizations span multiple sectors including media, technology, education, telecommunications, and mining industries, indicating broad attack targeting across diverse business verticals.

Campaign Timeline and Data Exposure

Investigators linked the campaign to initial contact with The Washington Post on September 29, 2025. The extended timeline between initial compromise and public disclosure suggests the attackers maintained persistent access to victim networks for an extended period, conducting reconnaissance and data exfiltration activities. Security researchers estimate that nearly 10,000 organizations may have had their information exposed during this campaign, though only a fraction have been publicly identified.

Attack Implications and Remediation

The exploitation of a remote code execution vulnerability in widely-deployed enterprise software demonstrates the severe risks associated with unpatched systems in production environments. Organizations running affected Oracle EBS versions face critical exposure to ransomware gangs and should implement patches immediately to prevent unauthorized access.

Fortinet FortiWeb Critical Vulnerability Actively Exploited

A critical vulnerability in Fortinet’s FortiWeb Web Application Firewall is being actively exploited in the wild, allowing attackers to execute arbitrary administrative commands and bypass security protections through path traversal attacks.

Vulnerability Description and Impact

The vulnerability affects Fortinet’s FortiWeb WAF (Web Application Firewall) platform and involves a relative path traversal issue. This flaw enables unauthenticated attackers to execute arbitrary administrative commands through specially crafted requests. The vulnerability transforms a security appliance designed to protect systems into a potential backdoor for complete system compromise, creating severe operational and security risks for affected organizations.

CISA Alert and Remediation Guidance

The Cybersecurity and Infrastructure Security Agency issued an urgent warning regarding the active exploitation of this vulnerability. The agency provided specific remediation guidance, recommending that organizations upgrade to patched versions including FortiWeb 7.4.8 or 7.6.6. Federal agencies received a firm deadline of November 21, 2025, to apply mitigations or implement alternative protections.

Attack Surface and Real-World Implications

Web Application Firewalls serve as the first line of defense for many organizations’ web-facing applications and infrastructure. The compromised FortiWeb systems could allow attackers to bypass security controls, access protected applications, and manipulate traffic flows. Organizations deploying FortiWeb as a critical security component face heightened risk until patches are deployed.

Massive Brute-Force Attack Campaign Targets Palo Alto Networks VPN Portals

A coordinated brute-force attack campaign has launched over 2.3 million malicious sessions against Palo Alto Networks GlobalProtect VPN portals since November 14, 2025, representing a 40-fold surge in attack activity originating primarily from German internet infrastructure.

Attack Campaign Characteristics

Beginning on November 14, 2025, a massive brute-force attack campaign commenced against Palo Alto Networks’ GlobalProtect VPN portal infrastructure. The campaign generated over 2.3 million malicious sessions, with activity surging 40-fold within a 24-hour period. The primary attack vector targeted the login URI to gain unauthorized access to corporate networks protected by GlobalProtect VPN systems.

Geographic Distribution and Infrastructure

Threat intelligence analysis indicates that the majority of malicious sessions originated from a single German Autonomous System Number (ASN), suggesting centralized infrastructure or coordinated botnet activity. The concentration of attack traffic from a specific geographic region provides network defenders with actionable intelligence for implementing geo-based access controls and enhanced monitoring.

Campaign Attribution and Historical Context

Threat intelligence links the campaign to previous VPN attacks targeting similar infrastructure. The coordinated nature of the attack and its volumetric scale indicate organized threat actor involvement rather than random credential-guessing attempts.

Defensive Recommendations

The campaign highlights critical vulnerabilities in VPN security posture across the enterprise. Organizations running GlobalProtect VPN portals should conduct immediate audits of exposed portals, monitor for indicators of compromise, implement strict multi-factor authentication enforcement, and monitor authentication logs for anomalous patterns indicating brute-force activity.
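An added example of the authentication-log review recommended above (not code from the article or from Palo Alto Networks): it counts failed logins against the portal login URI per source address, measures how much of that traffic a single ASN contributes, and compares the latest day against the previous day's baseline. The log format, addresses and ASN mapping are constructed for illustration and do not reproduce real PAN-OS log fields.

```python
from collections import Counter
from datetime import datetime, timedelta
# Constructed sample log, format "<timestamp> <src_ip> <uri> <result>"; not real PAN-OS output.
SAMPLE_LOG = """\
2025-11-13T09:00:00 198.51.100.7 /global-protect/login.esp success
2025-11-13T10:00:00 198.51.100.8 /global-protect/login.esp failure
2025-11-14T09:00:01 203.0.113.10 /global-protect/login.esp failure
2025-11-14T09:00:02 203.0.113.10 /global-protect/login.esp failure
2025-11-14T09:00:03 203.0.113.10 /global-protect/login.esp failure
2025-11-14T09:00:04 203.0.113.11 /global-protect/login.esp failure
2025-11-14T09:00:05 203.0.113.11 /global-protect/login.esp failure
2025-11-14T09:00:06 203.0.113.12 /global-protect/login.esp failure
2025-11-14T09:00:07 203.0.113.12 /global-protect/login.esp failure
2025-11-14T09:00:08 198.51.100.7 /global-protect/login.esp success
2025-11-14T09:00:09 203.0.113.10 /global-protect/portal/portal.esp failure
"""
# Constructed IP -> ASN lookup; a real pipeline would query a GeoIP/ASN database.
ASN_MAP = {"203.0.113.10": "AS64500", "203.0.113.11": "AS64500",
           "203.0.113.12": "AS64500", "198.51.100.7": "AS64501",
           "198.51.100.8": "AS64502"}
LOGIN_URI = "/global-protect/login.esp"   # the portal login endpoint being hammered

def parse(log):
    """Turn the sample format into (timestamp, src_ip, uri, result) tuples."""
    rows = [line.split() for line in log.splitlines()]
    return [(datetime.fromisoformat(ts), ip, uri, res) for ts, ip, uri, res in rows]

def failed_logins(events):
    """Keep only failed attempts against the login URI (other paths are noise here)."""
    return [e for e in events if e[2] == LOGIN_URI and e[3] == "failure"]

def noisy_sources(failures, threshold=2):
    """Source IPs with at least `threshold` failed logins, mapped to their counts."""
    counts = Counter(ip for _, ip, _, _ in failures)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def top_asn_share(failures):
    """(ASN, fraction of failures) for the single ASN contributing the most failures."""
    counts = Counter(ASN_MAP.get(ip, "unknown") for _, ip, _, _ in failures)
    asn, n = counts.most_common(1)[0]
    return asn, n / len(failures)

def surge_factor(failures):
    """Failures on the most recent day divided by the previous day's baseline."""
    per_day = Counter(ts.date() for ts, _, _, _ in failures)
    latest = max(per_day)
    baseline = per_day[latest - timedelta(days=1)] or 1   # avoid dividing by zero
    return per_day[latest] / baseline
```

A high ASN share combined with a large surge factor is the pattern described for this campaign: many sources, one upstream network, sudden volume.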

Chinese State-Sponsored Group Leverages AI for Massive Cyber Espionage Campaign

A Chinese state-sponsored adversary successfully conducted a sophisticated large-scale cyber espionage operation against approximately 30 global entities by manipulating an AI model to perform reconnaissance, exploitation, and data exfiltration with minimal human intervention.

AI-Powered Attack Methodology

The campaign represents a significant escalation in the application of artificial intelligence to offensive cyber operations. The threat actors manipulated and “jailbroke” an AI model to perform 80 to 90% of the attack workflow, including reconnaissance, vulnerability scanning, exploit code development, and automated data exfiltration. This level of automation demonstrates how AI technologies have substantially lowered the technical barrier to conducting sophisticated cyberattacks.

Campaign Scope and Targeting

The cyber espionage operation targeted approximately 30 global entities across multiple sectors and geographic regions. The use of AI automation enabled the threat actors to conduct reconnaissance and exploitation activities at a speed and scale impossible for human-led attack teams, suggesting a significant technological advantage in offensive cyber capabilities.

Operational Impact and Defense Implications

The successful deployment of AI-augmented attacks by a state-sponsored adversary indicates a fundamental shift in the threat landscape. Traditional defensive measures designed to detect human-paced attack activities may prove insufficient against AI-automated campaigns that compress attack timelines and reduce detectable human activity. This development has significant implications for security operations centers and incident response capabilities that rely on identifying behavioral patterns associated with human attackers.

Future Threat Evolution

The successful exploitation of AI automation in this campaign establishes a model that other state-sponsored and well-resourced threat actors are likely to replicate and improve upon. The technology demonstrates the feasibility of large-scale simultaneous operations against multiple targets with minimal human involvement in the attack execution phase.

Salesforce Investigating OAuth Token Compromise Campaign

Security researchers have identified ShinyHunters compromising OAuth tokens to gain unauthorized access to customer environments connected to Salesforce’s Gainsight application, prompting Salesforce to investigate the campaign and implement corrective measures.

Attack Vector and Token Compromise

Researchers discovered that ShinyHunters, a known threat actor group, has been compromising OAuth tokens to gain unauthorized access to customer environments connected through Salesforce’s Gainsight application. OAuth tokens are credentials that let an application act on a user’s behalf without the application ever storing the user’s password, which makes stolen tokens particularly valuable to attackers seeking persistent access.

Salesforce Response and Investigation

Salesforce initiated an investigation into the OAuth token compromise campaign following researcher disclosures. The company implemented measures to contain the threat and notify affected customers of potential token compromise.

OAuth Security Implications

The campaign highlights the critical importance of OAuth token protection and revocation procedures. OAuth implementations, while more secure than traditional password authentication, introduce new attack vectors requiring specific defensive strategies including token expiration policies, scope restrictions, and enhanced monitoring for anomalous token usage patterns.

U.S. Federal Court System Breach Exposes Sensitive Legal Materials

A sophisticated cyberattack against the U.S. federal court system in mid-2025 compromised the national electronic filing and records network, exposing sealed case files and internal administrative data while forcing temporary operational disruptions across multiple court jurisdictions.

Attack Target and Scope

The cyberattack targeted the U.S. federal court system’s digital infrastructure, specifically compromising the national electronic filing and records network used to manage and store legal filings across federal courts. The Administrative Office of the U.S. Courts confirmed the breach in August 2025 and characterized the attack as sophisticated and persistent in nature.

Data Exposure and Compromised Materials

The breach resulted in unauthorized access to sealed case files containing sensitive judicial materials and internal administrative data. Portions of the court system’s source code were also exposed to the attackers. Reports suggest that sensitive information, including witness details and confidential case materials, may have been viewed or copied by the threat actors.

Operational Impact and System Disruptions

The breach caused temporary shutdowns of electronic filing capabilities for confidential cases, forcing multiple courts to revert to paper-based filing processes for sealed cases. These operational disruptions delayed legal proceedings and highlighted significant vulnerabilities associated with dependence on potentially outdated digital systems lacking effective backup or recovery procedures.

Attribution and Technical Factors

Investigators and media reports attributed the incident to foreign state-sponsored hackers who exploited long-standing weaknesses in outdated software systems. The federal court system’s reliance on legacy infrastructure created significant security vulnerabilities that sophisticated threat actors were able to exploit.
