
A
From the CISO Series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Wednesday, November 19, 2025. I'm Sara Lane.
FCC to torch rules from Salt Typhoon. The FCC is set to vote on scrapping former cybersecurity rules imposed after the 2024 Salt Typhoon attacks, which required telecoms to implement basic security controls like MFA, role-based access and patching. The FCC under the current administration argues the rules were legally overreaching and ineffective, favoring a collaborative, voluntary approach with industry and federal agencies instead. Salt Typhoon, a China-linked cyber espionage campaign, compromised US government, telecom and university networks, affecting sensitive data from millions globally.
Group claims hits on Danish party websites. Pro-Russian group NoName057(16) briefly knocked several Danish political party sites offline with DDoS attacks ahead of local elections, but officials say voting was unaffected because ballots are counted by hand. Targets included the Conservatives, Moderates, Social Democrats, Red-Green Alliance and the Copenhagen Post. Danish authorities reported a broader spike in nuisance-style DDoS attacks from Russian-aligned groups in the week before the vote, mirroring similar activity seen during elections in Moldova, Poland and Romania.
MI5 warns Chinese spies are using LinkedIn. Britain's domestic intelligence service issued a warning that Chinese operatives are trying to recruit and cultivate UK lawmakers and policy influencers through LinkedIn headhunters and front companies tied to China's Ministry of State Security. The alert names two suspected recruiters and says economists, think tank staff and government officials have also been approached. It comes as the UK faces criticism over a collapsed spying case involving two men accused of aiding China and follows earlier warnings about Chinese political interference, cyber espionage and theft of tech secrets.
Teams users can report messages wrongly flagged as threats. Microsoft is adding a new option in Teams that lets users report messages that were incorrectly flagged as malicious. The feature, first introduced back in September, is rolling out globally by the end of November and will be enabled by default for organizations using Microsoft Defender for Office 365 Plan 2 or Defender XDR. Users on desktop, mobile and web will be able to flag false positives, and admins can manage the setting in the Teams admin center. The new option arrives alongside other recent safety updates, including malicious link alerts and screen capture blocking.
Huge thanks to our sponsor, KnowBe4. Your email gateway isn't catching everything, and cybercriminals know that. That's why there's KnowBe4's Cloud Email Security platform. It's not just another filter, it's a dynamic AI-powered layer of defense that detects and stops advanced threats before they reach your users' inboxes. Request a demo of KnowBe4's Cloud Email Security at knowbe4.com or visit them this week at Microsoft Ignite, booth 5532.
npm packages abuse Adspect in crypto scam. Socket researchers found seven malicious npm packages using Adspect cloaking to filter victims from security researchers before redirecting users to crypto-themed scam sites. The packages, uploaded by a threat actor called Dino Reborn, collect detailed device and browser fingerprints, send them through a proxy to Adspect, and decide whether to show a fake captcha that leads to a malicious crypto site or a decoy page meant to fool analysts. All packages have been removed from npm, but researchers warn this cloaking plus open source distribution method will likely reappear under new names.
Sneaky2FA phishing kit adds BitB pop-ups. The Sneaky2FA phishing-as-a-service kit now uses browser-in-the-browser, also known as BitB, pop-ups to mimic Microsoft login pages, tricking victims into giving credentials and session data.
The attacks employ bot protection, conditional loading and obfuscation to evade detection. Researchers warn that phishing-resistant methods like passkeys can be bypassed via malicious browser extensions or downgrade attacks. Push Security emphasizes that identity-based attacks remain the leading cause of breaches and urges users and orgs to exercise caution and enforce conditional access policies to prevent account takeovers.
Google Chrome bug exploited as a zero-day. Google issued emergency patches for two high-severity Chrome zero-days in the V8 JavaScript engine, a type confusion flaw and actively being exploited in the wild. Both can allow arbitrary code execution and potential full system compromise. The first was discovered by Clément Lecigne of Google TAG and the second by Google's Big Sleep tool. Users are urged to update immediately to prevent exploitation. If you're keeping track, and I know you are, these are the 7th and 8th Chrome 0 days patched in 2025.
Pajemploi reports data breach. Pajemploi, France's social security service for parents and home-based childcare workers, says a breach discovered on November 14 may have exposed data on more than 1.2 million people. The stolen information could include names, birthplaces, postal addresses, Social Security numbers, banking institutions and internal identifiers. Though no IBANs, emails, phone numbers or passwords seem to be accessed, the service warns affected individuals to watch for targeted phishing attempts.
Hey you, be sure you're subscribed to the CISO Series YouTube channel. We've been posting daily shorts. There's always something new to enjoy. Plus, you can get notified when we're going live with the Department of Knowledge. You can see original interviews and demos and a lot more. Just search for CISO Series on YouTube and then subscribe. If you have thoughts on the news from today or about our show in general, be sure to reach out to us at feedback@cisoseries.com. We really want to hear from you.
I'm Sarah Lane, reporting for the CISO Series. Stay classy, Planet Earth.
A
Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Sara Lane, CISO Series
Main Theme:
A fast-paced overview of major cybersecurity incidents, industry updates, and national security threats reported on November 19, 2025, with particular focus on regulatory changes, election interference, cyber espionage, and new attack vectors.
[00:07] FCC to scrap Salt Typhoon rules
Notable Quote:
"Salt Typhoon, a China-linked cyber espionage campaign, compromised US government, telecom and university networks, affecting sensitive data from millions globally." — Sara Lane [00:14]
[00:45] Danish party websites hit by DDoS
Notable Quote:
"Officials say voting was unaffected because ballots are counted by hand." — Sara Lane [01:02]
[01:15] MI5: Chinese spies recruiting via LinkedIn
Notable Quote:
"Chinese operatives are trying to recruit and cultivate UK lawmakers and policy influencers through LinkedIn headhunters and front companies tied to China's Ministry of State Security." — Sara Lane [01:20]
[01:52] Teams: Users can report false security flags
[03:06] npm malicious packages/crypto scam
Notable Quote:
"Researchers warn this cloaking plus open source distribution method will likely reappear under new names." — Sara Lane [03:36]
[03:39] Sneaky2FA phishing kit & BitB pop-ups
Notable Quote:
"Identity-based attacks remain the leading cause of breaches and urges users and orgs to exercise caution and enforce conditional access policies to prevent account takeovers." — Sara Lane [04:20]
[04:24] Chrome emergency security updates
Notable Quote:
"If you're keeping track, and I know you are, these are the 7th and 8th Chrome 0 days patched in 2025." — Sara Lane [04:56]
[05:07] French childcare data breach
On the effectiveness of election interference:
“Officials say voting was unaffected because ballots are counted by hand.” [01:02]
On the persistent threat of identity-based attacks:
“Identity-based attacks remain the leading cause of breaches and urges users and orgs to exercise caution and enforce conditional access policies to prevent account takeovers.” [04:20]
Tracking Chrome zero-day exploits:
“If you're keeping track, and I know you are, these are the 7th and 8th Chrome 0 days patched in 2025.” [04:56]
| Segment | Timestamp |
|----------------------------------------------|-----------|
| FCC to scrap Salt Typhoon rules | 00:07 |
| Danish party websites hit by DDoS | 00:45 |
| MI5: Chinese spies recruiting via LinkedIn | 01:15 |
| Teams: Users can report false security flags | 01:52 |
| npm malicious packages/crypto scam | 03:06 |
| Sneaky2FA phishing kit & BitB pop-ups | 03:39 |
| Chrome emergency security updates | 04:24 |
| French childcare data breach | 05:07 |
The episode offers a concise, actionable summary of major risks and responses across the cybersecurity landscape as of November 19, 2025, highlighting the evolving nature of threats and the regulatory, organizational, and technical moves to address them.