Transcript
A (0:00)
From the CISO series, it's Cybersecurity Headlines.
B (0:07)
These are the cybersecurity headlines for Thursday, November 20, 2025. I'm Lauren Verno.

Cloudflare blames database
Cloudflare's worst outage since 2019 knocked major websites offline for hours on Tuesday, and the company now says it wasn't a cyber attack, as originally thought, but an internal configuration error. A database permissions change caused Cloudflare's bot management system to generate an oversized feature file that repeatedly crashed its core proxy, leading to widespread 5xx errors across the network. And as I'm sure you're likely aware, the outage impacted major companies like X, Uber, Canva and ChatGPT, with traffic back to normal by mid-afternoon and Cloudflare's CEO apologizing for the disruption.

Crypto heist takedown
A California man pleaded guilty to laundering at least $25 million in a massive $230 million cryptocurrency heist. The scheme, carried out between October of 2023 and March of this year, involved a network of mostly young hackers who gained access to victims' crypto accounts and laundered funds through mixers, peel chains, shell companies and other blockchain techniques.

WhatsApp flaw exposed billions
Researchers in Austria discovered a flaw in WhatsApp that allowed them to collect personal data from over 3.5 billion users. Yes, billions, including names, phone numbers and profile images, potentially creating a massive reverse phone book. The flaw exploited WhatsApp's user lookup by phone number without effective rate limiting, though the collected data has now been securely deleted and no evidence of malicious use was found.

Iran's cyber-enabled kinetic attacks
Amazon researchers documented cases where Iranian-linked threat actors used hacking to enable physical strikes, a tactic they call cyber-enabled kinetic targeting. In one case, Imperial Kitten compromised a ship's AIS and CCTV systems over several years, preceding a missile strike by Houthi forces in February of 2024. A second case involved MuddyWater accessing live CCTV feeds in Jerusalem to gather intelligence before a June 2025 missile attack. Amazon warns this combination of digital reconnaissance and kinetic operations is likely to become more common.

Huge thanks to today's episode sponsor, KnowBe4. Your email gateway isn't catching everything, and cybercriminals know it. That's why there's KnowBe4's Cloud Email Security platform. It's not just another filter, it's a dynamic AI-powered layer of defense that detects and stops advanced threats before they reach your users' inboxes. Request a demo of KnowBe4's Cloud Email Security at knowbe4.com, that's K-N-O-W-B-E-4.com, or visit them this week at Microsoft Ignite, booth number 5523. Again, that's 5523.

Russian ransomware hosting sanctioned
In a multi-country takedown, the US, United Kingdom and Australia announced sanctions against Russian bulletproof hosting, or BPH, providers that support ransomware gangs and other cybercrime operations. The infrastructure backed ransomware groups like LockBit, BlackSuit and Play, and was used to facilitate malware campaigns and DDoS attacks against US companies and critical infrastructure. The sanctions freeze all assets in the three countries and warn that anyone continuing to provide services to these providers risks legal and financial ramifications of their own.

$55 million in crypto seized
Europol, the EU Intellectual Property Office and Spain's national police coordinated a crackdown on online piracy. The coordinated efforts identified 69 suspect sites, including 25 illicit IPTV services, and traced cryptocurrency flows worth about 47 million euros, or US$55 million. Investigators used crypto payments to buy illegal services themselves, enabling them to pinpoint operators and relay findings to exchanges for disruption.

ShinySp1d3r ransomware emerges
A new ransomware-as-a-service called ShinySp1d3r is being developed by the ShinyHunters group in collaboration with affiliates from Scattered Spider and Lapsus$. The ransomware is still in development, but researchers analyzing early builds say it can kill processes that block encryption, overwrite deleted files, delete shadow copies and spread across local networks. The group claims not to target healthcare organizations, and we also know victims have three days to start negotiations before the attack is posted publicly.

Thousands of ASUS routers hijacked
A new global campaign, Operation WrtHug, has compromised roughly 50,000 ASUS WRT routers, mostly outdated or end-of-life devices, by exploiting six known vulnerabilities. Now, most of the affected IPs are in Taiwan, with others across Southeast Asia, Russia, Central Europe and the U.S. Researchers at SecurityScorecard say the campaign may be linked to the earlier AyySSHush operation, including a critical issue affecting the AiCloud feature. ASUS has released firmware updates for all vulnerabilities.

Boston-area security professionals, mark your calendars. Monday, November 24th, we're bringing the CISO Series community together at City Tap House Boston. Whether you're a seasoned CISO or breaking into the field, come connect with your peers over refreshing beverages and real talk about security. Head to cisoseries.com/events to save your spot. And if you have some thoughts on the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you. I'm Lauren Verno, reporting for the CISO Series.
