
Closing cracks before hackers do.
Patch Tuesday. Google sues a “phishing-as-a-service” network linked to global SMS scams, and launches “Private AI Compute.” Hyundai notifies vehicle owners of a data breach. Amazon launches a bug bounty program for its AI models. The Rhadamanthys infostealer operation has been disrupted. An initial access broker is set to plead guilty in U.S. federal court. Our guest is Bob Maley, CSO from Black Kite, discussing a new AI assessment framework. “Bitcoin Queen’s” $7.3 billion crypto laundering empire collapses.
Today is Wednesday, November 12th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Patch Tuesday
Microsoft’s November Patch Tuesday addressed more than 60 security flaws, including one actively exploited in the wild. Among them, CVE-2025-62215, a race-condition and double-free bug, allows low-privileged attackers to corrupt kernel memory and escalate to full system privileges. While exploitation requires precise timing and local access, chaining it with other flaws could enable full system compromise, credential theft, and ransomware deployment.
Researchers also warned about CVE-2025-60724, a critical remote code execution bug in the Windows GDI+ graphics library with a CVSS score of 9.8. The flaw can be triggered by uploading a crafted image file, making it a top patching priority for any internet-facing systems.
This update cycle also marks the first after Windows 10’s end of life, with Microsoft issuing an out-of-band fix for enrollment issues in its Extended Security Updates program.
In the industrial-control systems (ICS) sphere, major vendors including Siemens, Rockwell Automation, Aveva and Schneider Electric issued advisories for a batch of vulnerabilities affecting their ICS/OT (operational technology) products. This includes an Aveva flaw that also impacts Schneider Electric solutions, underscoring vendor interdependencies. Although exploitation evidence is not detailed in the reporting, the risks revolve around unauthorized access and potential disruption of industrial processes.
Meanwhile, Adobe Inc. released updates addressing 29 vulnerabilities across products such as InDesign, InCopy, Photoshop, Illustrator, Substance 3D Stager and Format Plugins. Several of the flaws permit arbitrary code execution, and one involves a security-bypass issue in Adobe Pass. Adobe assigned all bugs a priority rating of “3” (which indicates that exploitation is not expected) and noted no current evidence of these vulnerabilities being used in the wild.
In the hardware and firmware space, Intel Corporation published around 30 new advisories covering more than 60 vulnerabilities in areas including Xeon processors, Slim Bootloader, graphics, QAT (QuickAssist Technology), and firmware/driver modules. The issues include high-severity flaws that could enable privilege escalation, denial-of-service (DoS) and information disclosure.
Ivanti and Zoom released patches this week for multiple vulnerabilities, including several rated high severity. Ivanti fixed three flaws in its Endpoint Manager platform that could enable remote code execution or privilege escalation, affecting all versions before 2024 SU4. The company says there’s no evidence of exploitation so far.
Zoom also issued nine advisories addressing three high-severity and six medium-severity bugs across its desktop and mobile apps. The most serious issues could allow privilege escalation, though none are known to be exploited.
Google sues a “phishing-as-a-service” network linked to global SMS scams, and launches “Private AI Compute.”
Google has filed a lawsuit in U.S. federal court against a China-based criminal network it calls “Lighthouse,” accused of running a large-scale “Phishing-as-a-Service” operation. The group allegedly sells software kits and fake website templates that mimic major U.S. organizations, including Google itself, to power widespread “smishing” scams sent via text message.
According to the suit, Lighthouse has operated more than 32,000 fraudulent sites impersonating the U.S. Postal Service and may have compromised millions of credit cards across 120 countries. The defendants’ real identities are unknown, identified only by online aliases on Telegram.
Google’s goal isn’t prosecution but deterrence, seeking a court declaration that Lighthouse’s infrastructure is illegal to help other platforms shut it down and protect users from future phishing campaigns.
Elsewhere, Google has introduced a new platform called Private AI Compute, designed to bring its Gemini AI models to the cloud while keeping user data private. The system processes information in a sealed, hardware-secured environment, using encryption and remote attestation to prevent access, even by Google itself.
The company says the approach delivers the speed and capability of cloud AI with the privacy of on-device processing. It’s part of Google’s broader push to prove that powerful AI can also be privacy-preserving.
Hyundai notifies vehicle owners of a data breach.
Hyundai AutoEver America, the digital arm of Hyundai Motor Group, is notifying vehicle owners about a data breach that exposed names, Social Security numbers, and driver’s license details. Hackers accessed company systems for nine days between February and March before detection.
While the company serves over 2.7 million users, only about 2,000 were affected. Hyundai AutoEver says it’s investigating with outside experts and offering two years of credit monitoring. The breach underscores growing industry concern over how automakers protect driver data.
Amazon launches a bug bounty program for its AI models.
Amazon has announced a new bug bounty program inviting select researchers to probe its NOVA large language models for security flaws. The program will reward discoveries involving prompt injection, jailbreaking, and other vulnerabilities with real-world exploitation potential.
Participants, chosen through an invite-only process, will also test whether NOVA could be manipulated to aid in developing weapons of mass destruction. Amazon says the effort aims to strengthen AI safety across its ecosystem, which powers services like Alexa and AWS Bedrock.
The Rhadamanthys infostealer operation has been disrupted.
The Rhadamanthys infostealer operation has been disrupted, leaving many of its criminal “customers” unable to access their servers. Researchers say users are reporting lost SSH access and new certificate-based logins, signs suggesting law enforcement intervention.
Rhadamanthys, a subscription-based malware that steals credentials and cookies, is typically spread through fake software and ads. Investigators believe German police or Operation Endgame, a multinational campaign targeting cybercriminal infrastructure, may be behind the takedown. The malware’s Tor sites are offline but not officially seized.
An initial access broker is set to plead guilty in U.S. federal court.
Russian national Aleksey Olegovich Volkov, 25, is set to plead guilty in U.S. federal court for helping ransomware gangs gain access to victim networks. Prosecutors say Volkov acted as an “initial access broker,” selling stolen credentials to the Yanluowang ransomware group in exchange for a share of ransom payments, earning over $256,000.
Arrested in Rome in 2023 and extradited to the U.S., Volkov has agreed to pay more than $9 million in restitution. His case highlights the growing specialization within ransomware operations.
“Bitcoin Queen’s” $7.3 billion crypto laundering empire collapses.
London’s Southwark Crown Court has officially dethroned the “Bitcoin Queen.” Zhimin Qian, also known as Yadi Zhang, was sentenced to 11 years and eight months in prison after laundering a staggering $7.3 billion from a Chinese crypto scam that fleeced more than 128,000 victims.
Qian, who fled China under a false identity, tried to reinvent herself in London’s luxury property market, apparently forgetting that the blockchain remembers everything. Police eventually seized 61,000 Bitcoin worth £5.5 billion, the largest cryptocurrency haul ever recorded.
Her accomplices didn’t fare much better: one’s serving nearly seven years, another five. British officials called it a landmark case in tracking digital crime, proving that while money may talk, in crypto it also leaves a paper trail, just with fewer trees.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.

