Major Data Breaches
Volvo Group Supply Chain Data Breach
A significant data breach impacted Volvo Group through its third-party HR software provider, Miljödata, which suffered a ransomware attack in late August 2025. This supply-chain incident led to the exposure of sensitive personal data, including names, addresses, dates of birth, and Social Security Numbers for some U.S. employees. Approximately 870,000 records were leaked across the vendor’s client base, affecting Volvo North America employees. The attack was attributed to the DataCarry ransomware group and highlights the ongoing risks associated with third-party vendors and supply-chain security failures. The breach underscores the need for stronger vendor oversight and rapid breach response protocols, as millions of individuals’ data were compromised worldwide during a surge of incidents in September 2025, with repercussions continuing into November [1].
Significant Cyberattacks
Microsoft SharePoint On-Premises Attacks
A major, ongoing cyberattack campaign targeted on-premises Microsoft SharePoint servers, exploiting unpatched vulnerabilities. The attacks, which began earlier in 2025 and continued through November, have been linked to China-based threat actors and involve the “ToolShell” malware. Microsoft has released patches, but researchers warn that attackers will continue to exploit these vulnerabilities for months. The campaign has caused widespread disruption, with federal agencies and private companies among the victims. The FBI and cybersecurity experts emphasize that this is likely just the beginning of broader exploitation efforts [2].
Scattered Spider and SafePay Ransomware Activity
The notorious hacker group Scattered Spider continued to target high-profile companies in sectors such as retail, insurance, and aviation, causing significant disruption. Additionally, the SafePay ransomware group accelerated its attacks, including a disruptive incident against IT distribution giant Ingram Micro. These groups represent a growing trend of new, aggressive threat actors in the cybercrime landscape [2].
Pakistan-India Cyber Warfare: APT36 Campaign
Following a major terror attack in Pahalgam, India, state-sponsored cyber warfare escalated between India and Pakistan. Pakistani-affiliated APT36 (Transparent Tribe) launched a large-scale campaign targeting Indian defense, government, and diplomatic entities. The group used Crimson RAT malware and phishing campaigns mimicking Indian government websites. This campaign is one of the most significant state-sponsored cyber offensives of 2025, with attacks intensifying after India’s military response [3].
Critical Vulnerabilities
XWiki Remote Code Execution (CVE-2025-24893)
The RondoDox botnet exploited a critical vulnerability (CVE-2025-24893, CVSS 9.8) in unpatched XWiki servers, allowing arbitrary remote code execution via the “/bin/get/Main/SolrSearch” endpoint. The flaw was patched in XWiki versions 15.10.11, 16.4.1, and 16.5.0RC1 in late February 2025. Despite the availability of a patch, exploitation continued into late October and November, with attackers using a two-stage attack chain to deploy cryptocurrency miners. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to remediate it [4].
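Two checks a responder would want after reading the XWiki item are whether a given server version is at or above one of the three fixed releases named above, and whether web-server access logs show requests to the /bin/get/Main/SolrSearch endpoint. The script below is an added example and is not code from the original digest, from XWiki, or from any of the cited sources. It assumes XWiki version strings of the form "16.4.1" or "16.5.0RC1", access logs in the common/combined log format, and treats any branch without a listed fix (below 15.10, and 16.0 through 16.3) as unpatched; the sample log lines are constructed.

```python
"""Defender-side triage for the XWiki flaw (CVE-2025-24893) described above.

Two checks a responder typically wants:
  1. Is a given XWiki version one of the patched releases (15.10.11, 16.4.1,
     16.5.0RC1) or later?
  2. Do web-server access logs show requests to the /bin/get/Main/SolrSearch
     endpoint named as the exploited path?

Assumptions (not from the digest): version strings look like "16.4.1" or
"16.5.0RC1"; access logs are in the common/combined log format; the sample
log lines below are constructed for illustration.
"""
import re
from collections import Counter

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:RC(\d+))?$")

# Access-log pattern: client IP, timestamp, method, path, status (combined log format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Endpoint named in the digest as the RCE vector.
SUSPECT_PATH = "/bin/get/Main/SolrSearch"


def parse_version(text):
    """Turn "16.5.0RC1" into a sortable tuple; a final release sorts above its RCs."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch, rc = m.groups()
    # final release: (..., 1, 0); release candidate: (..., 0, rc_number)
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))


# First fixed release on each maintained branch, per the digest text.
FIXED_15_10 = parse_version("15.10.11")
FIXED_16_4 = parse_version("16.4.1")
FIXED_16_5 = parse_version("16.5.0RC1")


def is_patched(version):
    """True if `version` is at or above the fix for its branch.

    Branches without a listed fix (anything below 15.10, and 16.0-16.3) are
    treated as unpatched; that is an assumption that follows from only these
    three fixed releases being listed.
    """
    v = parse_version(version)
    if v >= FIXED_16_5:
        return True
    if v[:2] == (16, 4):
        return v >= FIXED_16_4
    if v[:2] == (15, 10):
        return v >= FIXED_15_10
    return False


def find_solrsearch_requests(log_lines):
    """Return (ip, timestamp, method, path, status) for each hit on the suspect endpoint."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, ts, method, path, status = m.groups()
        # compare the path only, ignoring the query string
        if path.split("?", 1)[0] == SUSPECT_PATH:
            hits.append((ip, ts, method, path, int(status)))
    return hits


def summarise_by_source(hits):
    """Count suspect requests per client IP, most active first."""
    return Counter(ip for ip, *_ in hits).most_common()


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Nov/2025:10:12:01 +0000] "GET /bin/get/Main/SolrSearch?media=rss&text=test HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.9 - - [05/Nov/2025:10:12:05 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Nov/2025:10:12:09 +0000] "GET /bin/get/Main/SolrSearch?media=rss&text=test2 HTTP/1.1" 200 498 "-" "curl/8.4.0"',
    'garbage line that is not an access-log record',
]

if __name__ == "__main__":
    for ver in ("15.10.10", "15.10.11", "16.3.2", "16.4.1", "16.5.0RC1", "16.6.0"):
        print(f"{ver:>10}: {'patched' if is_patched(ver) else 'UNPATCHED'}")
    hits = find_solrsearch_requests(SAMPLE_LOG)
    for ip, count in summarise_by_source(hits):
        print(f"{ip} -> {count} request(s) to {SUSPECT_PATH}")
```

SolrSearch is also XWiki's ordinary search page, so a hit on the endpoint is a triage signal rather than proof of exploitation; the version check is what decides whether the server was exposed, and the per-source counts help prioritise which requests to inspect in full (including their query strings and the process activity that followed, given the cryptominer payload described above).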
Government Responses
U.S. Department of Justice Action Against North Korean IT Worker Fraud
The U.S. Department of Justice announced guilty pleas from five individuals who assisted North Korea’s illicit revenue generation by enabling IT worker fraud. These individuals allowed North Korean IT workers to use their U.S. identities to secure jobs at American firms, violating international sanctions. The scheme involved hosting company-issued laptops and installing remote desktop software to create the appearance of U.S.-based remote work. This action is part of broader efforts to counter North Korean cyber-enabled financial crime [4].
CISA Vulnerability Catalog Updates
CISA added the XWiki CVE-2025-24893 vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to remediate the flaw. This move reflects the agency’s ongoing efforts to address actively exploited vulnerabilities and protect critical infrastructure [4].
Industry Trends and Analysis
- Ransomware attacks surged by 126% globally in 2025, with organizations facing an average of 1,925 attacks per week.
- Attackers are increasingly leveraging AI, social engineering, and advanced persistent threat (APT) techniques.
- Supply-chain attacks and third-party compromises remain a critical risk, as demonstrated by the Volvo Group breach and others.
- The cyber threat landscape is marked by the emergence of new threat groups and the operationalization of vulnerabilities for long-term exploitation [2][1][3].
Summary
The week of November 11–17, 2025, was marked by high-impact data breaches, ongoing exploitation of critical vulnerabilities, state-sponsored cyber warfare, and robust government responses. Organizations are urged to prioritize patch management, strengthen supply-chain security, and remain vigilant against evolving threat actor tactics.
