Daily Security Briefing #078

November 19, 2025

Legal limits on vulnerability disclosure, PlushDaemon’s update hijack attacks, and Sysmon’s arrival on Windows headline today’s cybersecurity briefing…


Executive Summary

Today’s cybersecurity landscape highlights increasing friction around vulnerability disclosures as legal restrictions undermine researcher efforts. China-linked PlushDaemon hackers continue leveraging advanced network implants to hijack legitimate software updates, demonstrating evolving supply chain risks. Meanwhile, organizations relying on Cloudflare experienced a brief outage, inadvertently testing their reliance on third-party defenses. The release of Sysmon for Windows promises enhanced system visibility for admins and security teams. Emerging AI-centric threats in ServiceNow and new phishing tech underscore the growing attack surface around automation and AI integrations.


Top Articles

Legal Restrictions on Vulnerability Disclosure
Kendra Albert’s presentation at USENIX Security critiques current legal frameworks that restrict security researchers from disclosing vulnerabilities, while companies often delay or avoid fixing the flaws. This reversal of the early responsible disclosure ethos raises concerns about transparency and security improvement. The discussion revisits a decades-old debate over the merits and risks of vulnerability disclosure.
Schneier

Check Point Launches Managed Rules for AWS Network Firewall
Check Point introduces managed security rules tailored for AWS Network Firewall to ease the complexity of securing multiple cloud subnets and deployments. This solution aims to reduce manual effort and improve threat protection by automating rule deployment and updates across cloud environments, addressing scalability challenges inherent in cloud firewall management.
CheckPoint

Chinese PlushDaemon Hackers Exploit EdgeStepper Tool to Hijack Legitimate Updates
ESET researchers reveal how the PlushDaemon group uses an advanced implant called EdgeStepper to intercept and manipulate DNS queries, replacing legitimate software updates with malicious trojanized versions. This adversary-in-the-middle operation represents a sophisticated supply chain attack targeting network devices to spread malware stealthily.
GBHackers

Seraphic Becomes the First and Only Secure Enterprise Browser Solution to Protect Electron-Based Applications
Seraphic announces native protection for Electron-based applications such as ChatGPT desktop, Teams, and Slack, becoming the sole enterprise browser security platform securing these widely used business apps. This development addresses new attack vectors as AI and SaaS apps increasingly run inside browser environments.
GBHackers

The Cloudflare Outage May Be a Security Roadmap
A brief Cloudflare outage affected numerous websites, prompting some customers to pivot away temporarily. Security experts view this event as an unintentional penetration test on organizations heavily reliant on Cloudflare’s defense mechanisms, emphasizing the importance of diversified defenses and incident preparedness.
KrebsOnSecurity

Hackers Can Exploit Default ServiceNow AI Assistants Configurations to Launch Prompt Injection Attacks
A newly discovered vulnerability in ServiceNow’s Now Assist AI platform enables attackers to execute second-order prompt injection attacks by exploiting default configurations. These attacks can manipulate AI agents to perform unauthorized operations and leak sensitive information, spotlighting risks in AI integration within enterprise tools.
CyberPress

Sysmon Coming to Windows: the Go-To Tool for IT Admins, Security Professionals, and Threat Hunters
Sysmon, a critical tool for visibility into Windows system activity, is becoming more widely available and easier to deploy across enterprises. Its capabilities support detecting credential theft, lateral movement, and forensic investigations, positioning it as a foundational security utility for admins and threat hunters.
CyberPress

Hackers Actively Exploiting 7-Zip Symbolic Link–Based RCE Vulnerability (CVE-2025-11001)
The U.K. NHS England Digital warns of active exploitation of a remote code execution vulnerability in 7-Zip (CVE-2025-11001). Despite patches released in version 25.00, many systems remain exposed to attacks that leverage symbolic link manipulation, underscoring the need for immediate updates.
TheHackerNews

Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices
Researchers detail a campaign spreading the Eternidade Stealer banking trojan through a Python-based worm leveraging WhatsApp hijacking and social engineering. The malware dynamically updates its command-and-control endpoints via IMAP, targeting financial data on Brazilian devices.
TheHackerNews

Sneaky2FA PhaaS Kit Now Uses Redteamers’ Browser-in-the-Browser Attack
The Sneaky2FA phishing-as-a-service framework incorporates Browser-in-the-Browser (BitB) attack techniques to enhance deception and efficacy in phishing campaigns. This advancement offers cybercriminal customers more convincing interfaces for credential theft.
BleepingComputer

The Hidden Risks in Your DevOps Stack Data—and How to Address Them
DevOps repositories on popular platforms like GitHub, GitLab, and Azure DevOps face vulnerabilities from weak access controls and misconfigurations. GitProtect offers immutable backups and fast recovery solutions to secure DevOps data against accidental loss and outages.
BleepingComputer


AI Transparency: This newsletter uses AI to curate, rank, and summarize cybersecurity content from leading industry blogs. All articles link directly to original authors. Executive summaries are AI-generated based on article content. I curate the sources and deliver the digest—the original authors deserve the credit for their excellent work.

