This Month in Cybersecurity - November Edition

CISA Warns of Active Attacks on Critical FortiWeb Security Flaws

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a serious flaw in Fortinet’s FortiWeb security appliance to its list of vulnerabilities that are already being exploited by hackers. The weakness, found in multiple FortiWeb versions, allows attackers to send specially crafted web requests that trick the device into running administrative commands—essentially giving them powerful, unauthorized control.

CISA is urging federal agencies to fix this vulnerability by November 21, 2025, and Fortinet recommends disabling public web access to the device until updates are installed. Security researchers have also recently uncovered an even more severe authentication bypass issue that lets attackers take full control of FortiWeb systems. This second flaw has already been abused in real-world attacks, and Fortinet has released an update to fix it.

Researchers from multiple cybersecurity groups have confirmed that hackers are actively attempting to break into FortiWeb devices using these flaws, even creating new fake administrator accounts on compromised systems. While it is still unknown who is behind the attacks, both government agencies and private organizations are being advised to review the known vulnerabilities and update their systems quickly to reduce the risk of compromise.


RondoDox Botnet Exploits Critical XWiki Flaw

RondoDox, a botnet malware, has been targeting unpatched XWiki installations by exploiting a critical security flaw (CVE-2025-24893) that allows attackers to run malicious code remotely. This vulnerability, which was patched in February 2025, has been used to deliver cryptocurrency miners, create reverse shells, and recruit systems into botnets for distributed denial-of-service (DDoS) attacks. Exploitation attempts have sharply increased in November, suggesting that multiple threat actors are actively scanning for vulnerable systems.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this flaw to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply patches by November 20. Security experts emphasize the importance of timely patching, noting that once one attacker exploits a vulnerability, others quickly follow, amplifying the threat. The RondoDox activity highlights the ongoing risk to unpatched software and the need for strong cybersecurity practices.


Hackers Revive Old “Finger” Command to Deliver Stealthy Windows Attacks

Cybercriminals have recently revived an old computer command called “finger”, which was originally used decades ago to look up basic information about users on remote systems. Although the command is still included in Windows, it’s rarely used today, making its sudden return in cyberattacks unexpected. Hackers are now abusing the Finger protocol to secretly deliver and run harmful commands on victims’ computers.

Recent attacks trick people into running commands on their Windows machines by disguising them as harmless “Verify you are human” prompts, often through fake CAPTCHA messages. When victims follow the instructions, the finger command quietly retrieves malicious scripts from a hacker-controlled server and runs them automatically. These scripts download hidden malware packages, such as information-stealing tools or remote-access programs like NetSupport Manager, which let attackers control the victim’s computer.

Some versions of the attack even check whether malware-analysis tools are present and stop running if they detect them—showing increasing sophistication. Because the technique relies on the little-used Finger protocol, many people and security systems don’t expect it. Experts warn that the best defense is to block outgoing connections on TCP port 79, which Finger uses, and to avoid running unfamiliar commands prompted by websites or pop-ups.
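As an added defender-side example (not code from the article or from any vendor), the following Python flags the two signals the paragraphs above describe: outbound TCP/79 connection attempts in firewall logs and launches of finger.exe in process-creation logs, and reports whether the recommended egress block is actually holding. The log formats, hostnames and addresses are constructed assumptions; adapt the two regexes to your own firewall and EDR exports.

```python
"""Flag Finger-protocol (TCP 79) activity in firewall and process-creation logs."""
import re

FINGER_PORT = 79  # Finger's well-known TCP port, the one the article says to block outbound

# Constructed sample log lines in an assumed key=value format (not real captures).
FIREWALL_LOG = """\
2025-11-12T09:14:03Z action=ALLOW src=10.0.5.21 dst=203.0.113.10 dport=443 proto=TCP
2025-11-12T09:15:41Z action=ALLOW src=10.0.5.21 dst=198.51.100.7 dport=79 proto=TCP
2025-11-12T09:15:42Z action=ALLOW src=10.0.5.21 dst=198.51.100.7 dport=80 proto=TCP
2025-11-12T09:16:10Z action=BLOCK src=10.0.5.30 dst=198.51.100.9 dport=79 proto=TCP
"""
PROCESS_LOG = """\
2025-11-12T09:15:40Z host=WS-0521 user=alice image=C:\\Windows\\System32\\cmd.exe parent=explorer.exe
2025-11-12T09:15:41Z host=WS-0521 user=alice image=C:\\Windows\\System32\\finger.exe parent=cmd.exe
2025-11-12T09:20:02Z host=WS-0530 user=bob image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe
"""

FW_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                   r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")
PROC_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"image=(?P<image>\S+) parent=(?P<parent>\S+)$")


def finger_connections(log: str) -> list[tuple[str, str, str, str]]:
    """Return (ts, src, dst, action) for every TCP connection attempt to port 79.
    An ALLOW here means the recommended egress block is not in place on that path."""
    hits = []
    for line in log.splitlines():
        m = FW_RE.match(line)
        if m and m["proto"] == "TCP" and int(m["dport"]) == FINGER_PORT:
            hits.append((m["ts"], m["src"], m["dst"], m["action"]))
    return hits


def egress_block_enforced(log: str) -> bool:
    """True only if no TCP/79 attempt in the log was allowed out."""
    return all(action == "BLOCK" for *_, action in finger_connections(log))


def finger_process_events(log: str) -> list[tuple[str, str, str, str]]:
    """Return (ts, host, user, parent) for each finger.exe launch; the binary is
    rarely used legitimately, so any launch is worth a look, especially from a shell."""
    events = []
    for line in log.splitlines():
        m = PROC_RE.match(line)
        if m and m["image"].lower().endswith("\\finger.exe"):
            events.append((m["ts"], m["host"], m["user"], m["parent"]))
    return events
```

Correlating a finger.exe launch with an allowed TCP/79 connection from the same host within a few seconds, as the sample data shows for WS-0521, is the high-confidence case to escalate.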


Defensible Strategies

Learn from those who have been attacked

Logitech Confirms Data Breach Linked to Clop Extortion Gang

Logitech has confirmed that it suffered a data breach after hackers stole company information in a cyberattack. The company says the incident did not affect its products, manufacturing, or day-to-day operations. Once the breach was discovered, Logitech brought in outside cybersecurity experts to investigate and contain the issue.

According to Logitech, the stolen data appears to include limited information about employees, customers, and business partners. The company does not believe highly sensitive details—such as national ID numbers or credit card information—were taken. The attack was carried out through a previously unknown software flaw in a third-party system, which was patched as soon as a fix became available.

The Clop extortion gang has claimed responsibility, saying it stole nearly 1.8 terabytes of data from Logitech. This group is known for exploiting undisclosed software vulnerabilities to steal large amounts of information from organizations around the world. The same type of vulnerability used in this incident has also affected other major organizations, including universities, airlines, and media companies.


Five Plead Guilty in U.S. Scheme That Helped North Korean IT Fraud Operations

The U.S. Department of Justice announced that five people have pleaded guilty to helping North Korea secretly earn money by enabling fraudulent remote IT work at U.S. companies. These individuals allowed overseas North Korean workers to use stolen or borrowed American identities so they could pose as U.S.-based employees, pass hiring checks, and get paid by U.S. firms. In some cases, the defendants even hosted company laptops in their homes and completed drug tests on behalf of the overseas workers.

One of the key participants, Oleksandr Didenko, ran a website that sold stolen identities to foreign IT workers and helped operate “laptop farms,” where U.S.-issued computers were kept so overseas workers could access them remotely. His operation enabled hundreds of fake worker profiles and funneled more than $1.4 million before authorities shut it down. Another defendant, Erick Prince, ran a company that supplied supposedly “certified” IT workers to U.S. businesses, while supporting North Korean workers overseas.

Altogether, these schemes affected over 136 U.S. companies and generated more than $2.2 million for North Korea, money that authorities say helps support the country’s weapons programs. In related actions, the U.S. government also moved to seize more than $15 million in cryptocurrency stolen by a North Korean hacking group involved in global cyber thefts. These efforts are part of a broader push to disrupt North Korea’s long-running strategy of using fake remote workers and cybercrime to evade sanctions and fund its government programs.


Google Sues to Shut Down Massive Global Phishing Service “Lighthouse”

Google has filed a major lawsuit against more than two dozen unknown individuals behind “Lighthouse,” a powerful phishing service based in China. This service helps scammers impersonate trusted companies—like postal services, toll agencies, banks, and online stores—and trick people worldwide into giving up their credit card information. Google says Lighthouse has already harmed more than one million victims in over 120 countries.

Lighthouse is part of a larger criminal network known as the “Smishing Triad,” which sends millions of fake text messages designed to lure people to convincing phishing websites. Once a victim enters their payment information, the scammers immediately try to link that card to a mobile wallet—such as Apple Pay or Google Wallet—on a device they control. With that link in place, criminals can make fraudulent purchases, sometimes days later, without the victim realizing what happened.

Google’s lawsuit aims not only to stop Lighthouse, but also to identify the people running it and disrupt the broader phishing-as-a-service ecosystem. Researchers say the operation is large and well-organized, involving developers, spammers, data suppliers, and fraud specialists. While the legal action may temporarily slow the group down, experts believe the market is so profitable that Lighthouse operators are likely to rebrand or rebuild rather than shut down permanently.