This month in Cybersecurity - November 2025

This Month in Cybersecurity – November Edition

Stay up to date with the most important developments shaping the cybersecurity landscape. This month’s roundup brings you curated highlights and concise summaries of the key stories you need to know to stay ahead of emerging threats.

Let’s dive in!

Cloudflare Reveals Database Permissions Bug Caused Six-Hour Global Outage

Cloudflare experienced its worst outage in six years, lasting nearly six hours on Tuesday, after a routine update to database access controls triggered a cascading failure across its Global Network, which provides essential content delivery and security services worldwide. The outage, which was not caused by a cyberattack, began when the permission change caused the company’s Bot Management system to generate an oversized configuration file containing duplicate entries that exceeded hardcoded size limits, leading the software to crash. As this problematic file propagated across the network, it triggered system panics and 5xx errors, effectively crashing the core proxy system responsible for processing traffic, blocking access to numerous websites until engineers identified the root cause and reverted the faulty file approximately three hours later. Passbolt was among the services impacted during this event and you can read our full incident report.

Date: Nov 19, 2025
Source: Bleeping Computer
Author: Sergiu Gatlan
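The failure mode in the Cloudflare story, recreated as an added Python example (not Cloudflare's code): a feature file built from a query that suddenly returns duplicate rows, a consumer with a hardcoded capacity, and a loader that dedupes, validates and falls back to the last-known-good file instead of crashing. The names, the `Feature` type and the limit of 200 are assumptions for illustration.

```python
from dataclasses import dataclass

# Hypothetical hardcoded capacity of the consumer, standing in for the size
# limit the incident write-up describes; not Cloudflare's real value.
MAX_FEATURES = 200


@dataclass(frozen=True)
class Feature:
    name: str
    version: int


class ConfigRejected(Exception):
    """Raised when a candidate feature file must not be propagated."""


def rows_to_features(rows):
    """Collapse query rows keyed by feature name, keeping the highest version.

    A permissions change that makes the same feature appear twice (e.g. once
    per visible schema) must not double the feature count.
    """
    best = {}
    for name, version in rows:
        if name not in best or version > best[name]:
            best[name] = version
    return [Feature(n, v) for n, v in sorted(best.items())]


def validate(features, limit=MAX_FEATURES):
    """Reject any file that would exceed the consumer's hardcoded capacity."""
    if not features:
        raise ConfigRejected("empty feature file")
    if len(features) > limit:
        raise ConfigRejected(f"{len(features)} features exceed limit {limit}")
    return features


def load_config(rows, last_good, limit=MAX_FEATURES):
    """Return (features, accepted). On a bad candidate, keep serving last_good
    rather than crashing the process that consumes the file."""
    try:
        return validate(rows_to_features(rows), limit), True
    except ConfigRejected:
        return last_good, False


if __name__ == "__main__":
    # Constructed input: 120 distinct features, each returned twice (240 rows).
    duplicated = [(f"f{i}", 1) for i in range(120)] * 2
    print("naive row count:", len(duplicated), "> limit?", len(duplicated) > MAX_FEATURES)
    feats, ok = load_config(duplicated, [])
    print("deduped:", len(feats), "accepted:", ok)
```

A naive consumer that counts raw rows sees 240 entries and trips its limit; the deduping loader sees 120 and accepts, while a file that is oversized even after deduping is rejected and the previous good config stays in service.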

The ClickFix Scam: How a Single Command Can Put Your Family’s Digital Security at Risk

ClickFix is a growing, highly effective security threat that targets both macOS and Windows users by tricking them into executing a single malicious command. The attack often begins with a high-trust entry point, such as an email from a compromised hotel booking account or a malicious link at the top of Google search results, directing the user to a fake CAPTCHA challenge. The user is then instructed to copy a string of text and paste it into their computer’s terminal and press Enter. This one-line action covertly downloads and installs credential-stealing malware (like Shamos or PureRAT) onto the machine. The scam is particularly dangerous because the use of native system capabilities (“Living Off the Land” binaries) and the method of command execution often allows the malware to bypass standard endpoint protection software and security sandboxes, making public awareness the most crucial defense.

Date: Nov 11, 2025
Source: ARS Technica
Author: Dan Goodin

Holiday Heist: Cybercriminals Exploiting Black Friday with Highly Deceptive Sites

Cybercriminals are aggressively exploiting the urgency of the Black Friday and holiday shopping season, intensifying phishing efforts to steal consumer data through highly convincing spoof websites. Phishing activity spiked by 36% leading up to Black Friday, with fake Amazon websites increasing by 232% and eBay impersonations surging by 525% in one month alone. Experts warn that this threat is compounded by the fact that over two-thirds of consumers cannot reliably identify a phishing website, making rushed shoppers vulnerable to malicious emails and fraudulent sites that mimic major retailers. To stay safe, consumers must avoid clicking unsolicited promotional links, verify that a website’s URL begins with “https://” and displays a padlock symbol, and maintain vigilance against deals that seem too good to be true.

Date: Nov 25, 2025
Source: Tech Radar
Author: Efosa Udinmwen

FS Italiane Group Exposed After Cyberattack on IT Services Firm Almaviva

The national railway operator of Italy, FS Italiane Group, has had a massive amount of sensitive data exposed after a threat actor successfully breached its major IT services provider, Almaviva. The hacker claims to have stolen 2.3 terabytes of recent, confidential data, including internal shares, contracts with public entities, HR archives, and complete datasets from several FS Group companies, and subsequently leaked the material on a dark web forum. Almaviva, a large global IT firm, confirmed the cyberattack, stating that its security procedures isolated the intrusion and ensured the continued full operation of critical services, and it has since informed Italian authorities, including the national cybersecurity and data protection agencies. The incident highlights the severe supply chain risk posed by third-party vendor breaches, though it remains unclear whether passenger information or data from other Almaviva clients was compromised.

Date: Nov 20, 2025
Source: Bleeping Computer
Author: Bill Toulas

ToddyCat APT Group Deploys New Toolset to Steal Corporate Outlook Emails and Microsoft 365 Tokens

The advanced persistent threat (APT) group ToddyCat has updated its methods to focus on stealing corporate email data and authentication tokens using a new, specialized toolset. The group now uses a PowerShell variant of TomBerBil to run on privileged domain controllers, remotely accessing browser files via SMB to capture encrypted credentials, cookies, and the necessary DPAPI keys for local decryption. To exfiltrate email correspondence, ToddyCat utilizes a custom C++ tool named TCSectorCopy, which bypasses file locks by copying local Outlook OST files sector-by-sector, with the contents then extracted using XstReader. Furthermore, the group attempts to steal Microsoft 365 OAuth 2.0 access tokens directly from memory using tools like SharpTokenFinder and the legitimate ProcDump utility to ensure continuous, non-perimeter access to corporate mail, demonstrating the group’s constant evolution of techniques to remain undetected within compromised networks.

Date: Nov 25, 2025
Source: The Hacker News
Author: Ravie Lakshmanan

Years of JSONFormatter and CodeBeautify Leaks Expose Thousands of Passwords and API Keys

New research by watchTowr Labs has revealed a severe data leak where developers from organizations across critical national infrastructure, government, and finance are unintentionally exposing thousands of credentials and sensitive configuration files by pasting them into popular, untrusted online tools like JSONFormatter and CodeBeautify. The issue stems from the sites’ “Save” functionality, which generates a shareable, semi-permanent URL for the data, and a predictable URL format that allows threat actors to easily crawl and harvest the content. By analyzing over 80,000 saved files, researchers uncovered vast amounts of exposed data, including Active Directory credentials, cloud keys, and sensitive Know Your Customer (KYC) records. The rapid attempt to abuse fake credentials uploaded by the researchers confirmed that the exposed data is actively being scraped, emphasizing that this problem is caused by the misuse of basic tools, not sophisticated exploits, and necessitates immediate internal policy changes.

Date: Nov 25, 2025
Source: The Hacker News
Author: Ravie Lakshmanan

Malware Can Be Delivered Through Microsoft Teams Guest Chat Flaw

A significant architectural flaw in Microsoft Teams’ B2B guest chat feature allows attackers to effectively bypass the victim’s Defender for Office 365 security policies, including Safe Links and Safe Attachments. The vulnerability arises because, in guest scenarios, security policies are enforced by the resource tenant (the host of the conversation), not by the user’s home organization. Attackers exploit this by quickly setting up a basic, unsecured tenant, sending legitimate-looking invitations that evade email filters, and luring victims into a chat where malicious links and files are delivered unchecked by the victim’s Defender safeguards. This creates an unprotected zone for phishing, malware delivery, and subsequent data theft or lateral movement that is invisible to the home organization’s security team. Organizations can mitigate this risk by proactively restricting B2B guest invites to allow-listed domains using the Entra ID External collaboration settings, and through targeted user training.

Date: Nov 27, 2025
Source: Cyber Security News
Author: Guru Baran

That’s a wrap! We’d love to hear your thoughts. Don’t hesitate to share any comments or additional news we might have missed in the Passbolt community forum.