Cloudflare Global Outage Causes Widespread Service Disruption
A major Cloudflare infrastructure outage on November 18, 2025, led to significant disruptions for millions of users by degrading core services globally. Enterprises relying on Cloudflare for access management, VPN connectivity, and application availability experienced downtime and instability. The incident highlights vulnerabilities in critical internet backbone providers and the cascading impact infrastructure disruptions can have on dependent digital services.
Incident Overview
The outage was triggered by an unspecified internal issue within Cloudflare’s core network, rather than any external cyberattack or DDoS campaign. Key impacted services included Cloudflare Access (used for identity-based secure access to business apps) and WARP (its consumer VPN), with knock-on effects across the SaaS and cloud platforms served by Cloudflare’s edge.
Technical Analysis
Core network monitoring showed abnormal routing paths, non-deterministic HTTP handshake drops, and volatility in DNS edge resolution. Log analysis indicated that peering fabric between certain regions lost service, causing sudden failovers and protocol renegotiations that often failed or looped, contributing to the downtime.
Remediation and Lessons
Cloudflare engineering teams mitigated the issue by rerouting traffic away from affected nodes and replacing edge containers showing service degradation. For organizations that depend on cloud network providers, this event underscores the need for cross-cloud redundancy and continuous automated failover testing to ensure resilience.
DoorDash Data Breach Exposes User Information
DoorDash confirmed a new data breach after attackers accessed sensitive information from an undisclosed number of user accounts. The breach originated from a third-party service DoorDash partners with, highlighting the persistent risk of supply chain vulnerabilities in consumer-facing tech platforms.
Nature of the Compromise
The incident involved unauthorized access to DoorDash’s internal tools used for customer service and user account management. Attackers leveraged credentials stolen from a third-party vendor and gained entry to backend systems, retrieving customer names, email addresses, order histories, and in some cases, partial financial information.
Technical Vectors and Scope
Investigators determined that the initial compromise occurred through credential-stealing malware on a vendor’s system. There is evidence that attackers used these credentials for lateral movement within DoorDash’s environment, enabled in part by excessive permissions granted to external service integrations.
Mitigation and Response
DoorDash has invalidated the exposed credentials, reset impacted API keys, notified affected users, and is conducting an internal permissions review. The event highlights the importance of zero trust networking and minimizing third-party application privileges to limit breach blast radius.
Lynx Ransomware Attack Via Exposed RDP with Advanced Backup Destruction
A Lynx ransomware operation successfully exploited poorly secured Remote Desktop Protocol (RDP) exposures to infiltrate a victim’s Windows server, deploying ransomware and simultaneously destroying both online and remote backups. This demonstrates a highly targeted strategy focusing on rapid destruction of recovery mechanisms to maximize ransom leverage.
Attack Methodology
Attackers first used brute-forced or purchased RDP credentials to gain direct server access. Once inside, they escalated privileges, disabled endpoint defenses, and systematically searched for backup systems, cloud sync agents, and local and remote backup volumes.
Advanced Destruction Tactics
The attackers leveraged built-in Windows administrative tools and custom scripts to locate and delete onsite backups, uninstall backup agents, and trigger cloud backup service API calls to erase recovery points. They then deployed the ransomware payload, encrypting both local and networked files and leaving a ransom note demanding cryptocurrency payment.
Defense Considerations
Security experts recommend hardened RDP exposure policies, including network segmentation, strong authentication, and granular access controls. Backup systems must be isolated at a network and permissions level, with immutable recovery points and external monitoring for deletion or tampering events.
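One way to implement the external tamper monitoring recommended above, as an added example and not code from any backup product or from the original report: it reads constructed audit events in a hypothetical JSON line format, ignores scheduled retention deletes performed by the backup service identity, and alerts on every other destructive action, escalating to critical when one actor performs several within a short window (the rapid-destruction pattern described in this incident).

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log for a hypothetical backup service: one JSON event per
# line with timestamp, actor, action and target. Not from any real product.
SAMPLE_LOG = """\
{"ts": "2025-11-18T01:02:10Z", "actor": "svc-backup", "action": "snapshot.create", "target": "fileserver01/daily"}
{"ts": "2025-11-18T02:15:44Z", "actor": "admin-jsmith", "action": "recovery_point.delete", "target": "fileserver01/2025-10-01"}
{"ts": "2025-11-18T02:15:52Z", "actor": "admin-jsmith", "action": "recovery_point.delete", "target": "fileserver01/2025-10-08"}
{"ts": "2025-11-18T02:16:03Z", "actor": "admin-jsmith", "action": "recovery_point.delete", "target": "fileserver01/2025-10-15"}
{"ts": "2025-11-18T02:17:30Z", "actor": "admin-jsmith", "action": "agent.uninstall", "target": "fileserver01"}
{"ts": "2025-11-19T10:00:00Z", "actor": "svc-backup", "action": "recovery_point.delete", "target": "fileserver01/2025-08-01"}
"""

# Actions that reduce recovery capability (hypothetical action names).
DESTRUCTIVE = {"recovery_point.delete", "agent.uninstall", "retention.policy.change"}
RETENTION_SERVICE = "svc-backup"   # identity allowed to expire old recovery points
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 3

def parse_events(log_text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect_backup_tampering(log_text):
    """Return alerts as (severity, actor, description) tuples."""
    alerts = []
    recent = defaultdict(list)  # actor -> timestamps of recent destructive actions
    for ev in parse_events(log_text):
        if ev["action"] not in DESTRUCTIVE:
            continue
        # Scheduled retention deletes by the service identity are expected.
        if ev["actor"] == RETENTION_SERVICE and ev["action"] == "recovery_point.delete":
            continue
        severity = "high" if ev["action"] == "agent.uninstall" else "medium"
        alerts.append((severity, ev["actor"],
                       f"{ev['action']} on {ev['target']} at {ev['ts'].isoformat()}"))
        # Sliding window per actor: a burst of deletions is the strongest signal.
        recent[ev["actor"]] = [t for t in recent[ev["actor"]] + [ev["ts"]]
                               if ev["ts"] - t <= BURST_WINDOW]
        if len(recent[ev["actor"]]) == BURST_THRESHOLD:
            alerts.append(("critical", ev["actor"],
                           f"{BURST_THRESHOLD} destructive actions within {BURST_WINDOW}"))
    return alerts
```

Because the monitor only consumes the audit log, it can run on a host the backup administrators cannot reach, which is the isolation the recommendation above calls for.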
Imunify AI-Bolit Vulnerability Enables Remote Code Execution and Privilege Escalation
Researchers disclosed a critical zero-day vulnerability in Imunify’s AI-Bolit malware scanner, widely used in web hosting environments, that permits attackers to execute arbitrary code on target servers and escalate privileges to root, imperiling hosted customer data and service operations.
Technical Vulnerability Details
The flaw is rooted in insecure input processing by AI-Bolit’s backend engine when handling certain malformed scan requests. By crafting a malicious payload, remote attackers can bypass command sanitization, inject arbitrary shellcode, and trigger execution under the context of the scanning service, which may be running with root-level privileges.
Exploitability and Attack Scenarios
The vulnerability is trivial to exploit on unpatched installations, requiring only network access to trigger it. In shared hosting scenarios, this could enable cross-tenant compromise, privilege escalation, and the deployment of persistent web shells or data exfiltration malware.
Mitigation Guidance
Immediate patching is advised, alongside firewalling scan endpoints to trusted sources, careful privilege separation of scanning agents, and monitoring for anomalous scan request patterns. Hosting providers are directed to implement containerization or micro-segmentation to minimize potential lateral movement in the event of compromise.
Zero-Day Vulnerability in Google Chrome Actively Exploited
Google has addressed a critical zero-day vulnerability in Chrome (CVE-2025-13223) that was under active exploitation, enabling attackers to execute arbitrary code through crafted web content. The vulnerability’s severity and use in the wild underscore the rapid weaponization cycle for browser flaws by threat actors.
Vulnerability Description
The zero-day resides in a browser component responsible for memory management during rendering operations. Attackers exploited a use-after-free bug to corrupt memory and gain remote code execution on targeted systems, possibly leading to broader endpoint compromise.
Attack Techniques
Real-world exploitation involved malicious websites or advertisements designed to trigger the flaw, typically as part of drive-by download campaigns or targeted watering hole attacks. In documented incidents, shellcode was deployed via malicious JavaScript, exploiting the vulnerability to bypass browser sandbox restrictions.
Security Recommendations
Users and administrators should urgently apply Chrome’s latest security update, implement browser isolation where feasible, and enable security-focused browser extensions to reduce the attack surface for malicious scripts.
AI-Orchestrated Cyber Espionage Campaign Disrupted
Security researchers have thwarted the first known cyber espionage campaign orchestrated by autonomous artificial intelligence agents—marking a new phase in threat actor capabilities. This campaign leveraged generative AI for targeting, credential theft, and lateral movement, greatly scaling attack complexity and speed.
Operation Details
The campaign involved custom AI models trained to identify high-value targets and adapt attack strategies in real time. These models automated both reconnaissance and exploitation stages, including crafting bespoke phishing lures and optimizing the use of zero-days.
Technical Innovations
Unlike traditional malware, the campaign’s AI agents dynamically altered payloads to evade endpoint detection and could autonomously probe for security weaknesses, escalate privileges, and perform exfiltration according to changing network conditions. Their activity featured automated credential-harvesting scripts, AI-configured proxy chaining, and workflow-driven persistence mechanisms.
Implications and Mitigation
The rapid adaptivity and operational autonomy of AI-driven cyber threats challenge conventional static defenses. Security programs must evolve to leverage defensive AI models for anomaly detection, apply real-time behavior analytics, and automate rapid containment responses as defenses against such advanced campaigns.
Spyware “Landfall” Targets Samsung Galaxy Devices via Image Processing Exploit
A high-severity mobile spyware campaign, dubbed “Landfall,” has targeted Samsung Galaxy S22 through S24 and Z series devices using zero-day vulnerabilities in the Android image processing library. Attackers delivered malicious DNG image files through messaging apps, triggering remote code execution and spyware installation.
Attack Vector and Exploitation
The attack chain began with the distribution of crafted image files via WhatsApp and potentially other messaging platforms. When the image was viewed, the exploit abused vulnerabilities in the image parsing component to execute arbitrary code, enabling full device compromise and surveillance.
Target Profile and Attribution
The campaign focused on users in North African countries, with initial targeting linked to government and commercial surveillance purchasers. The sophistication of the exploits and delivery mechanisms suggests involvement of high-resource threat actors with access to zero-days and specialized deployment infrastructure.
Mitigation Recommendations
Samsung has issued security updates for affected platforms. Users should update devices immediately, restrict the receipt of unsolicited multimedia content from unknown contacts, and apply stricter app permission controls to limit exposure to similar remote code execution attacks.
Washington Post and Nikkei Suffer High-Impact Data Breaches Exposing Personal Information
Two major media organizations, the Washington Post and Nikkei, have disclosed significant data breaches affecting employees and customers. Attackers exploited supply chain vulnerabilities and malware to gain unauthorized access to sensitive personal and financial information.
Washington Post Breach Details
The incident involved the exploitation of a zero-day vulnerability in Oracle’s E-Business Suite, compromising personal data of nearly 10,000 employees and contractors. Stolen information includes names, financial account numbers, social security numbers, and government-issued tax identification.
Nikkei Attack Tactics
Nikkei suffered an intrusion via info-stealer malware infecting an employee’s personal computer. Attackers harvested credentials, breached internal communication platforms, and accessed personal data belonging to staff and consumers.
Security and Risk Implications
These attacks demonstrate the critical risks posed by unpatched enterprise software and supply chain infection vectors. Organizations must prioritize rapid patch deployment for business-critical apps and monitor employee endpoints for infostealer activity to prevent data exfiltration.
Lawsuit Filed After Delayed Disclosure of Healthcare Data Breach Impacts Over 348,000
Mt. Baker Imaging and Northwest Radiologists in Washington state face legal repercussions after disclosing a healthcare data breach nearly ten months after it occurred. The delayed notification exposed the organizations to regulatory and reputational risks and left affected patients in the dark for an extended period.
Breach Timeline
The breach, initially detected in January, affected sensitive health and personal data of over 348,000 residents. It was reported to authorities in July but not disclosed to patients until late October, sparking criticism and legal action.
Legal and Compliance Issues
The delayed notification may have violated health data breach disclosure laws requiring timely notification, with lawsuits alleging negligent delay and lack of transparency. The incident underscores the importance of rapid breach response in the healthcare sector.
Risk Management Considerations
Healthcare providers must implement incident response plans to accelerate breach detection, forensics, regulatory reporting, and patient notification to minimize legal liability and uphold patient trust.