
A
From the CISO Series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Thursday, November 6, 2025. I'm Sarah Lane.

Google uncovers PROMPTFLUX malware
Google says it identified an experimental malware called PROMPTFLUX that uses Gemini to continuously rewrite its own VBScript code. To avoid detection, the malware requests new obfuscation instructions from the Gemini API and saves updated versions to persist and spread. Though it currently appears to be in testing and lacks full attack capabilities, the discovery reflects a broader trend of threat actors using AI systems to dynamically adapt malware during execution.

CISA warns of CentOS WebPanel bug
CISA warned that a critical remote code execution flaw in CentOS WebPanel, or CWP, is being actively exploited, letting unauthenticated attackers with a valid username execute arbitrary shell commands. It affects all CWP versions before 0.9.8.1204 and was patched in version 1205. Federal agencies must apply updates or stop using CWP by November 25th. The flaw stems from unsanitized input in the file manager changePerm endpoint, enabling shell injection and reverse shells.

Threat group targets academics
Proofpoint identified a previously unknown threat group, dubbed UNK_SmudgedSerpent, that targeted academics and foreign policy experts focused on Iran. Between June and August, the group initiated benign email conversations before moving to credential theft and malware delivery, impersonating think tank figures and using spoofed collaboration links tied to health-themed infrastructure. The campaign blended tactics associated with several Iranian-linked clusters, but researchers say the overlap isn't strong enough for firm attribution.

Operational technology security poses manufacturing risks
Despite rising awareness, manufacturers continue to face major operational technology, or OT, security challenges, according to Dark Reading. Legacy systems, sprawling access points and human error are all leaving factories vulnerable, while the integration of cloud and AI-driven tools is expanding attack surfaces. Recent incidents, including a ransomware attack on Asahi, have highlighted both financial and supply chain impacts. Security experts say identity-focused strategies, governance and full visibility across OT assets are essential to reduce risks and improve resiliency.

Huge thanks to our sponsor ThreatLocker. Cybercriminals don't knock. They sneak in through the cracks other tools miss. That's why organizations are turning to ThreatLocker as a zero trust endpoint protection platform. ThreatLocker puts you back in control, blocking what doesn't belong and stopping attacks before they spread. Zero trust security starts here with ThreatLocker.

Google gets the green light to acquire Wiz
Google's $32 billion acquisition of cloud security startup Wiz cleared U.S. antitrust review, moving the deal closer to completion. Wiz CEO Assaf Rappaport said that while the DOJ approval is a milestone, the acquisition is not finalized but is expected to close in early 2026. Google initially offered $23 billion in 2024, which was rejected, later agreeing to the $32 billion deal in March 2025 after renewed negotiations.

AMD bug kills cryptographic security
AMD is releasing a microcode patch for a high-severity flaw affecting Zen 5 Ryzen and EPYC CPUs that use the 16-bit and 32-bit RDSEED instruction. The bug can return 0 instead of a random number, potentially weakening cryptographic keys. Exploitation requires local privileges, meaning attackers already have significant system access. Workarounds include using 64-bit RDSEED or disabling the function via boot or VM options. Patches are available for the EPYC 9005 series. Fixes for Ryzen and other EPYC embedded series are expected by January.

Court reimposes original sentence for Capital One hacker
US District Judge Robert Lasnik reimposed former Amazon Web Services engineer Paige Thompson's sentence for the 2019 Capital One breach affecting over 100 million people. After time served, she will undergo five years of supervised release, three years of home confinement and 250 hours of community service, and the $40.7 million restitution order remains in place. The resentencing follows a Ninth Circuit ruling vacating her original 2022 sentence.

Marks & Spencer profits tumble after cyberattack
How much does a cyberattack affect the bottom line? Well, a dramatic example is UK retailer Marks & Spencer, whose pre-tax profits fell from £391.9 million to £3.4 million after an April attack disrupted its systems, closed its website and caused stock and food waste issues. The incident cost the company £101.6 million, partly offset by £100 million in cyber insurance. The attack was linked to the Scattered LAPSUS$ Hunters gang, which also affected Co-op, Harrods and Jaguar Land Rover.

Critical flaw affects WordPress sites
A vulnerability in the WordPress plugin Post SMTP, installed on more than 400,000 sites, lets attackers take over accounts and websites. The flaw stems from missing capability checks, letting unauthenticated actors reset passwords, including for admins. Attacks began November 1st, with 4,500 blocks so far. Post SMTP released version 3.6.1 on October 29th to patch the issue. Users are urged to update immediately, with broader exploitation campaigns expected.

The idea of least privilege has become accepted wisdom in cybersecurity. Despite being around for decades, everyone still seems to be struggling with it. So if we can't realize this principle, is it worth chasing in the first place? That's what we dive deep into on our latest episode of Defense in Depth. Look for the episode "Is Least Privilege Dead?" wherever you get your podcasts. And if you have thoughts on the news from today or about our show in general, be sure to reach out to us at feedback@cisoseries.com. We want to hear from you. I am Sarah Lane, reporting for the CISO Series. Thank you so much for listening. Talk to you tomorrow.
A
Cybersecurity Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.
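The AMD RDSEED item is the one headline in this episode with a directly testable software consequence: the instruction can report success (carry flag set) and still hand back 0. The C below is an added example written for this page; it is not the podcast's content, not AMD's guidance and not any operating system's mitigation. It shows a fail-closed seeding routine that uses only the 64-bit form of RDSEED, retries when the carry flag is clear, and treats a "success but value 0" result as a hardware fault rather than as entropy. Everything in it is an assumption made for the example: the CPUID feature check, the inline assembly, the retry budget, and the constructed stubs (stub_healthy, stub_flaky, stub_faulty) that stand in for hardware so the policy can be exercised on any machine. The function names fill_seed and demo_* are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A 64-bit seed source: writes one value to *out and returns 1 if the
 * instruction reported success (carry flag set), 0 if it reported failure
 * (carry flag clear, "try again"). Hardware and stub sources share this shape. */
typedef int (*seed64_fn)(uint64_t *out);

#define SEED_RETRIES 16   /* assumed retry budget per 64-bit word */

/* Fill buf[0..n) from a 64-bit seed source. Returns 0 on success, -1 on failure;
 * writes the count of "success but value 0" results to *zero_hits if non-NULL.
 * Policy (this example's, not AMD's): a carry-clear result is retried; a result
 * reported as success but equal to 0 is treated as a hardware fault and the fill
 * fails closed. A working 64-bit RDSEED yields 0 with probability 2^-64, so the
 * check costs nothing, and "success, value 0" is the symptom the headline describes.
 * The buffer is wiped on failure so a caller cannot use a half-filled key. */
int fill_seed(seed64_fn get, uint8_t *buf, size_t n, int *zero_hits)
{
    size_t done = 0;
    int zeros = 0;

    while (done < n) {
        uint64_t v = 0;
        int ok = 0;
        for (int tries = 0; tries < SEED_RETRIES && !ok; tries++) {
            if (!get(&v))
                continue;          /* carry clear: transient, retry */
            if (v == 0) {          /* carry set but zero: fault, fail closed */
                zeros++;
                break;
            }
            ok = 1;
        }
        if (!ok) {
            memset(buf, 0, n);
            if (zero_hits) *zero_hits = zeros;
            return -1;
        }
        size_t take = (n - done < sizeof v) ? n - done : sizeof v;
        memcpy(buf + done, &v, take);
        done += take;
    }
    if (zero_hits) *zero_hits = zeros;
    return 0;
}

#if defined(__x86_64__) && defined(__GNUC__)
#include <cpuid.h>
/* CPUID.(EAX=7,ECX=0):EBX bit 18 advertises RDSEED. */
static int have_rdseed(void)
{
    unsigned a, b, c, d;
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d))
        return 0;
    return (b >> 18) & 1;
}
/* 64-bit RDSEED only; the carry flag is the success indicator. */
static int hw_rdseed64(uint64_t *out)
{
    unsigned char ok;
    __asm__ volatile("rdseed %0\n\tsetc %1" : "=r"(*out), "=q"(ok) : : "cc");
    return ok;
}
#endif

/* Constructed stubs (not hardware output) so the policy runs anywhere. */
static uint64_t lcg_state = 0x9E3779B97F4A7C15ULL;
static int stub_healthy(uint64_t *out)   /* always succeeds with a nonzero value */
{
    lcg_state = lcg_state * 6364136223846793005ULL + 1442695040888963407ULL;
    *out = lcg_state ? lcg_state : 1;
    return 1;
}
static int stub_flaky(uint64_t *out)     /* carry clear on two calls out of three */
{
    static int calls;
    if (++calls % 3 != 0) return 0;
    return stub_healthy(out);
}
static int stub_faulty(uint64_t *out)    /* the reported symptom: success, value 0 */
{
    *out = 0;
    return 1;
}

/* Wrappers that return the results so behaviour can be checked without hardware. */
int demo_fill(seed64_fn get, int *zero_hits)
{
    uint8_t key[32];
    return fill_seed(get, key, sizeof key, zero_hits);
}
int demo_zero_hits(seed64_fn get)
{
    int z = 0;
    demo_fill(get, &z);
    return z;
}
int demo_all_words_nonzero(seed64_fn get)
{
    uint8_t key[32];
    if (fill_seed(get, key, sizeof key, NULL) != 0) return 0;
    for (size_t i = 0; i < sizeof key; i += 8) {
        uint64_t w;
        memcpy(&w, key + i, 8);
        if (w == 0) return 0;
    }
    return 1;
}

int main(void)
{
    int zeros = 0, rc;
#if defined(__x86_64__) && defined(__GNUC__)
    if (have_rdseed()) {
        rc = demo_fill(hw_rdseed64, &zeros);
        printf("hardware RDSEED64: %s (success-but-zero results: %d)\n",
               rc == 0 ? "ok" : "FAILED", zeros);
    } else {
        puts("CPUID does not advertise RDSEED; hardware path skipped");
    }
#else
    puts("not x86-64/GCC; hardware path skipped");
#endif
    rc = demo_fill(stub_faulty, &zeros);
    printf("faulty stub: rc=%d, success-but-zero results=%d\n", rc, zeros);
    return 0;
}
```

The stub path is the point of the example: on a healthy source the fill succeeds and every 64-bit word is nonzero, on a source that is merely slow it succeeds after retries, and on a source that mimics the reported fault the routine refuses to produce key material at all instead of silently returning zeros. Whether the hardware path runs depends on the CPU and on whether the hypervisor exposes RDSEED in CPUID.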
Host: Sarah Lane, CISO Series
Main Theme: Rapidly evolving threat landscape: AI-adaptive malware, newly exploited vulnerabilities, high-profile incidents, and regulatory news.
| Segment | Timestamp |
|---------|-----------|
| PROMPTFLUX AI-Driven Malware | 00:07 |
| CentOS WebPanel Bug Alert | 00:45 |
| New Threat Group Attacks Academics | 01:32 |
| OT Security Risks in Manufacturing | 02:02 |
| Google-Wiz $32B Acquisition | 03:03 |
| AMD Cryptography Bug | 03:40 |
| Capital One Hacker Resentenced | 04:17 |
| Marks & Spencer Cyberattack Losses | 04:54 |
| WordPress Post SMTP Critical Flaw | 05:50 |
| The Fate of Least Privilege | 06:32 |
For more details or to revisit any headline, check out CISOseries.com.