
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Tuesday, November 11, 2025. I'm Rich Stroffolino.

CISA reauthorized. One of the impacts of the prolonged U.S. government shutdown was the expiration of the 2015 Cybersecurity Information Sharing Act, or CISA, at the end of September. One provision in a deal to reopen the government, advancing through the Senate as of this recording, would reauthorize the law. However, this is only a temporary stay of execution, as the reauthorization would only go through January 30, 2026. The House Homeland Security Committee approved legislation in September that would extend CISA for another decade. Two members of the Senate Homeland Security Committee introduced a similar bill, but a vote on it was blocked by committee chair Rand Paul during the shutdown.

Denmark and Norway investigating electric bus kill switches. Earlier this month, the Norwegian bus operator Ruter investigated the connected capabilities of two bus models, one from the Dutch manufacturer VDL and the other from the Chinese firm Yutong. It found that because of the way Yutong buses receive over-the-air updates, the company has direct digital access to each individual bus. The company said it put in stricter controls for new vehicle purchases and will collaborate with local authorities on clear cybersecurity requirements going forward. Danish public transport provider Movia also said it's investigating its Yutong buses for any issues. However, COO Jeppe Gerd clarified that this isn't a Chinese bus concern, but rather something to account for with any connected vehicle. Yutong said that all of its vehicle data in the region is stored in an EU-based AWS data center protected by storage, encryption and access control measures.
European Commission looking to simplify privacy laws for AI. Draft documents obtained by Politico show that, as part of a digital omnibus package meant to simplify tech laws, the European Commission will make considerable changes to the General Data Protection Regulation. The draft creates exemptions to allow AI companies to process protected categories of data for training and operating models. The changes would also redefine what constitutes personal data, allowing anonymized data to not be covered by GDPR. The draft also adds provisions to allow site and app owners more legal grounds to justify user tracking. The EC will officially unveil the draft proposal on November 19th.

UK cyber insurance claims triple. According to a new report from the Association of British Insurers, or ABI, UK insurers paid out over 197 million pounds for cyber insurance claims in 2024, up from 60 million pounds in 2023. Ransomware-related claims accounted for 51% of that total, up from 32% in 2023. ABI also reported that the number of cyber insurance policies in the UK increased 17% on the year in 2024.

And now, thanks to today's episode sponsor, Vanta. What's your 2 a.m. security worry? Is it "do I have the right controls in place?" or "are my vendors secure?" Or the really scary one: how do I get out from under these old tools and manual processes? Enter Vanta. Vanta automates manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. Vanta also fits right into your workflows, using AI to streamline evidence collection, flag risks and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently and get back to sleep.
Get started at Vanta.com/headlines.

Dozens of victims named in Oracle EBS campaign. The Clop ransomware group named 29 organizations impacted by its recent campaign. This targeted Oracle's E-Business Suite, likely with a zero-day impacting its publisher integration component, which was exploited for two months before being patched. Some of the named entities, like the Washington Post, Envoy Air, Harvard and Wits University, already confirmed a breach, but most of the named victims have confirmed an attack, including Logitech, Cox Enterprises and Schneider Electric. Clop also released data from 18 of these organizations allegedly obtained in the attack. An initial investigation by SecurityWeek found they likely originated from an Oracle environment.

I guess we need to worry about rapport-building phishing now. Researchers at Volexity studied a campaign linked to the China-aligned APT UTA0388, operating from June through August 2025. This used tailored messages to each victim, coming from impersonated senior researchers and trying to get them to download GOVERSHELL malware archive files. Volexity noted this campaign marked a change in tactics for the group, using extended conversations to build rapport with victims before delivering a payload. The researchers also found signs that the threat group used large language models to both draft these highly tailored messages and develop malware, saying this campaign consistently lacked coherence in a way that's more suggestive of context-unaware automation.

Russian national pleads guilty to helping Yanluowang attacks. Alexei Volkov pleaded guilty to charges related to working as an initial access broker for the ransomware crew. These stem from the Yanluowang attacks planned from July 2021 through November 2022. I looked it up. We covered them on the show. This indictment offers insight into the economics of this type of work.
Volkov charged $1,000 for access to business networks with pilfered credentials and received shares of ransom payments from 16 to 20%. Volkov was ordered to pay US$9.1 million in restitution to six of the seven named victims. One victim restored successfully from backups, and he awaits further sentencing.

EU radio stations getting hacked. Last week, two European radio stations had operations disrupted due to seemingly unrelated cyber attacks. The Dutch broadcaster RTV Noord discovered its computer systems were inaccessible on November 6, with a morning show resorting to playing music on CDs and LPs, to the delight of hipsters everywhere. While some operations were resumed days after the attack, the RTV newsroom could only be reached via WhatsApp, indicating comms systems were still down. This attack came on the same day that the Rhysida ransomware gang claimed responsibility for an attack on Kiss FM, a Spanish radio station, and demanded a $300,000 ransom.

Calling all Boston cybersecurity folks: students, practitioners, CISOs, everyone's welcome at our November 24th meetup at City Tap House Boston. It's a chance to build real connections with your local security community. Don't miss it. Register now at cisoseries.com/events. And if you have any thoughts about the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. Reporting from the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day.
A
Cybersecurity Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
B
Sam.
Podcast: CISO Series
Host: Rich Stroffolino
Episode Focus: Fast-breaking stories in information security, including CISA reauthorization, electric bus cybersecurity, AI and privacy laws in Europe, ransomware insurance trends, major Oracle EBS attacks, new phishing threats, prosecution of ransomware facilitators, and EU radio station hacks.
This episode delivers a concise overview of the most pressing cybersecurity developments as of November 11, 2025. Major focus areas include regulatory moves in the U.S. and Europe, evolving cybercriminal tactics, a spike in insurance claims, and prominent security incidents impacting organizations, public services, and critical infrastructure.
On CISA’s temporary fix:
“This is only a temporary stay of execution…” — Rich Stroffolino [00:37]
On connected vehicle security:
“This isn't a Chinese bus concern, but rather something to account for with any connected vehicle.” — Rich Stroffolino [01:42]
On GDPR draft changes:
“The draft creates exemptions to allow AI companies to process protected categories of data for training and operating models.” — Rich Stroffolino [02:21]
On changing phishing tactics:
“This campaign marked a change in tactics for the group using extended conversations to build rapport with victims before delivering a payload.” — Rich Stroffolino [05:04]
On the economics of ransomware brokerage:
“Volkov charged $1,000 for access to business networks with pilfered credentials and received shares of ransom payments from 16 to 20%.” — Rich Stroffolino [05:47]
On the RTV Noord hack:
“...with a morning show resorting to playing music on CDs and LPs to the delight of hipsters everywhere.” — Rich Stroffolino [06:24]
Rich Stroffolino keeps the tone direct, slightly wry, and highly informative, moving quickly between headlines but offering enough context for listeners to understand the implications. There’s an undercurrent of wit, particularly in moments like the “delight of hipsters everywhere” aside, but the delivery remains professional and focused on actionable awareness for security practitioners.
This episode is essential for CISOs, security analysts, and policymakers needing a brisk but impactful orientation to fast-moving regulatory, technical, and threat trends. The cross-section of legislative, industrial, and criminal activity covered offers a snapshot of key challenges and responses shaping cybersecurity as 2025 draws to a close.