This Week In Security

Another week, another reminder that the internet is basically a Rube Goldberg machine built on duct tape, DNS, and blind optimism.
In the spirit of This Week in Security from Hackaday, let’s take a tour through the latest chaos: record-breaking DDoS attacks,
evolving ransomware tactics, router facepalms, AI tools getting a little too helpful for criminals, and a firehose of fresh vulnerabilities
to keep security teams thoroughly caffeinated.

Cloudflare, Botnets, and the Internet Having a Panic Attack

If parts of your favorite sites looked like they took a lunch break recently, you weren’t imagining things. Hackaday’s recent
This Week in Security column highlighted a major Cloudflare issue that caused large pieces of the internet to wobble,
and for once, the root cause wasn’t DNS. Instead, it involved database management and a safety limit that failed
in exactly the wrong way, proving once again that “safeguards” can become single points of failure if they’re not carefully tested.

At nearly the same time, Cloudflare reported the largest distributed denial-of-service (DDoS) attack ever observed: an eye-watering
29.7 Tbps barrage, linked to the AISURU botnet and up to 4 million infected hosts. That’s not just someone running LOIC from
grandma’s basement that’s industrial-scale internet cannon fire aimed straight at core infrastructure.

What This Means for Defenders

The lesson from both the outage and the DDoS tsunami is simple but painful:

• Assume your critical provider will fail at the worst possible time. Build fallback DNS, alternate CDNs when feasible, and clear degradation modes for your app.
• Treat database limits and “safety valves” as production code. They must be tested under load, not just assumed to work.
• Revisit DDoS protection. With nearly 30 Tbps attacks now documented, capacity planning must assume “record breaking” is just a Tuesday.

For everyday users, the takeaway is friendlier: if your favorite site dies for an hour, it’s not always a breach. Sometimes the
plumbing just bursts under the pressure.

Ransomware Grows Up: Less Encryption, More Extortion

Ransomware crews are shifting tactics from “lock everything” to “steal everything and threaten to leak it.” Recent reports show
manufacturing and other sectors facing more data theft and extortion than traditional encryption-only attacks, with average
recovery costs around $1.3 million even before ransoms are counted.

In the U.S., a Texas-based fintech firm Marquis disclosed that attackers exploited a SonicWall firewall vulnerability back in August
to access internal files. The exposed data reportedly included names, addresses, Social Security numbers, taxpayer IDs, and some
financial information linked to banks and credit unions that use Marquis’ services.

Another U.S. company, Inotiv, revealed that a ransomware incident led to the theft of personal information from thousands of
individuals, including medical and financial details a nightmare combo for long-term fraud risk.

Public-sector organizations are also in the crosshairs. A recent cyberattack on several London councils disrupted IT systems and
services for residents and prompted warnings about potential misuse of copied historical data. While details are still emerging,
the pattern is familiar: steal data, disrupt operations, then pressure victims with exposure threats rather than just encryption.

Defensive Takeaways From the Ransomware Shift

• Backups alone aren’t enough. When attackers focus on exfiltration, your pristine off-site backup won’t prevent a data leak.
• Data minimization matters. If you don’t store it, it can’t be stolen. Review old archives, stale databases, and test environments full of real data.
• Segment internal networks. A single compromised firewall or VPN appliance shouldn’t give attackers a free tour of your entire data estate.
• Plan for disclosure. Have playbooks ready for notifying regulators, customers, and partners in a transparent but controlled way.

Agencies in the U.S. have even issued updated guidance against well-known ransomware families like Akira, reflecting just how
persistent and adaptable these groups have become.

Patch Now: Android, Windows, and a Router Facepalm

On the patching front, Android and Windows users got a fresh batch of “please update now” alerts. Google’s latest Android security
update addresses more than 100 vulnerabilities, including two high-severity framework zero-days that attackers may already be
exploiting for data access and privilege escalation.

CISA has since added related bugs to its Known Exploited Vulnerabilities catalog, effectively saying: “We know attackers are using
these in the wild; stop procrastinating and patch.” Federal civilian agencies have hard deadlines for these updates, but the same
urgency applies to enterprises and individuals.

Over in Windows-land, Microsoft’s November Patch Tuesday fixed 63 vulnerabilities, including a Windows kernel zero-day under active
exploitation and several critical flaws capable of remote code execution. Security researchers note that while the number of bugs
is lower than some record-setting months, the impact of the most serious vulnerabilities remains high.

And then there are routers the unsupervised toddlers of the security world. ASUS issued patches for a critical vulnerability in
its AiCloud feature that allowed unauthenticated remote command execution thanks to flawed Samba integration. Affected firmware
includes multiple branches, and even some end-of-life models remain at risk if still exposed to the internet.

How to Prioritize This Week’s Patching

• Patch internet-facing devices first. Routers, VPN appliances, and gateways should be at the top of your list.
• Move mobile endpoints up the queue. With Android zero-days under active exploitation, phones and tablets are not “later” items.
• Bundle Windows updates with testing. Use a small pilot group to detect breaking changes, then roll widely.
• Disable risky services. If you rely on cloud file-sharing features like AiCloud or Samba, lock them down or turn them off until fully patched.

ICS and OT: When “Always On” Becomes “Always Targeted”

Industrial control systems (ICS) and operational technology (OT) remained under heavy fire this year, and the last week has been no
exception. CISA has released multiple new ICS advisories, highlighting serious vulnerabilities affecting devices from several vendors
used in critical infrastructure and manufacturing environments.

A broader recap shows more than 450 ICS advisories published in 2025 alone, with vulnerabilities in products from major players like
Rockwell Automation, Siemens, Mitsubishi Electric, and Schneider Electric. Researchers note an alarming trend: state-linked and
hacktivist groups are exploiting fresh ICS vulnerabilities within weeks of disclosure, shrinking the window for defenders to respond.

For OT environments that rely on “if it’s running, don’t touch it” as an unofficial policy, this is a problem. Legacy systems, long
upgrade cycles, and minimal downtime make timely patching hard but the threat actors aren’t waiting politely for maintenance windows.

OT Reality Check

• Know what you own. Asset inventories for ICS gear must be accurate, not aspirational.
• Isolate critical systems. Network segmentation and monitored gateways should strictly regulate IT–OT traffic.
• Use virtual patching where you must. Intrusion prevention systems and strict firewall rules can mitigate risks when firmware updates aren’t feasible immediately.
• Practice incident response for OT. Tabletop exercises should include scenarios like PLC manipulation and safety system failure, not just website defacement.

AI and Automation: When Your Assistant Becomes an Accomplice

AI tools are supposed to make security operations easier, but they can also open new attack surfaces. Researchers recently demonstrated
how an automation “Skills” plug-in for a popular AI assistant could be modified to deploy ransomware. Because Skills can execute code
and interact with real systems, a malicious or trojanized plug-in effectively hands an attacker a remote operations console wrapped in
a friendly conversational interface.

Meanwhile, threat intel reports describe long-running campaigns where malicious browser extensions were used to compromise millions of
users, and a high-end remote access toolkit bundled with crypter and hidden desktop access is being sold as a turnkey solution for
would-be attackers.

Securing AI and Automation Workflows

• Treat AI plug-ins like third-party software. Vet them, restrict who can install them, and monitor their behavior.
• Limit permissions aggressively. If an AI tool only needs read-only access, don’t grant it admin rights “just in case.”
• Monitor extension ecosystems. Browser extensions and automation connectors should be audited regularly and pruned ruthlessly.
• Educate teams about supply-chain abuse. Developers and power users must assume that seemingly helpful automation can be weaponized.

The Vulnerability Firehose Keeps Blasting

If it feels like you’re always behind on vulnerabilities, you’re not alone. The Zero Day Initiative’s advisory list continues to grow,
documenting newly disclosed flaws across operating systems, enterprise apps, and industrial gear.

Recent analyses of Patch Tuesday and related updates highlight dozens of critical bugs, including a Windows kernel zero-day and other
high-impact issues across Microsoft and SAP products. At the same time, threat-focused writeups from
security vendors track exploitation of specific CVEs in Android, Windows, and enterprise software, helping teams triage what matters
most in the near term.

Making the Vulnerability Deluge Manageable

• Adopt a risk-based approach. Prioritize vulnerabilities that are exploitable, internet-facing, or tied to critical business processes.
• Leverage KEV and vendor intel. Lists of known exploited bugs from CISA and major vendors should heavily influence what gets patched first.
• Automate where possible. Use patch management tools and configuration management to standardize updates.
• Track exceptions. When you can’t patch, document the reason and the compensating controls and revisit frequently.

From the Trenches: A Week in Security, Lived Experience

So what does all of this actually feel like if you’re the person wearing the “security” hat whether that’s in a Fortune 500 SOC or
as the de facto IT department for a 50-person company that just wants email to work?

Picture Monday morning. You sit down with coffee, open your inbox, and get hit with a mix of vendor bulletins, CISA advisories, and
news alerts about Android zero-days, Windows kernel flaws, and an ugly new router vulnerability. You don’t have the luxury of reading
every blog post in full, so you skim for three things: is it exploited?, is it internet-facing?, and
do we run this?

By mid-morning, you’ve built a quick patch plan: pilot group for the latest Windows updates, a staged rollout for mobile devices, and
a “nag your ISP and router vendor” note for that AiCloud-style bug. You log into your firewall and double-check that no weird file-sharing
ports are open to the world. Then you scan router logs for suspicious traffic, just in case someone started poking before you saw the news.

Tuesday, your SIEM lights up with some odd outbound connections. They turn out to be browser extensions gone wild not full-blown
ShadyPanda spyware, but close enough to make you nervous. You push a new policy: only a small, pre-approved list of extensions is allowed.
The dev team grumbles, but you explain that “infinite browser freedom” is how millions of users ended up compromised in long-running campaigns.

Mid-week, an executive forwards an article about AI tools being abused to deploy ransomware and asks, “We’re using this kind of thing are we safe?”
You take a deep breath and answer honestly: “We’re safer if we treat those AI plug-ins like any other third-party software.” You review
the permission scopes, limit who can create or install new automations, and set up additional logging. Now, if a rogue Skill tries to run
an unexpected script, you at least have a chance of catching it.

By Thursday, you’re in OT territory. A plant manager pings you with a worried message: “I saw something about ICS advisories does this
affect our line?” You pull up the latest CISA bulletins and vendor notes, map them against your asset list, and discover that one PLC model
is indeed on the list. Rebooting it in the middle of a production run is off the table, so you coordinate a maintenance window, put tighter
firewall rules around that segment, and set up temporary monitoring to watch for suspicious traffic.

Friday afternoon, someone inevitably asks, “Are we good now?” You resist the urge to laugh. Security is never “done”; it’s just
“better than last week.” You point out the wins: mobile devices and Windows endpoints are patched, risky router features are locked down,
browser extensions are under control, AI automations are tightened up, and critical ICS assets are at least shielded while you plan
longer-term fixes.

The unglamorous truth is that most real-world security work looks less like Hollywood hacking and more like continuous gardening:
pruning unnecessary access, pulling out vulnerable software, watering your monitoring and logging, and occasionally fencing off a
new threat. Weeks like this one with DDoS records, ransomware shifts, AI abuse, and industrial bugs just make it abundantly clear
why that gardening has to be ongoing.

Conclusion: Same Internet, Sharper Teeth

This week’s security stories share a common thread: everything is more connected, more automated, and more valuable to attackers than ever.
Cloudflare outages remind us how fragile the backbone of the web can be. Ransomware’s shift to data theft shows that backups alone won’t save you.
Android and Windows zero-days, router vulnerabilities, ICS advisories, and AI tool abuse all combine into one message: proactive, risk-based
security is no longer optional.

The good news? Defenders have better tools, richer intelligence, and clearer guidance than ever before. The organizations that win are the
ones that patch quickly, limit blast radius, treat data as toxic when mishandled, and assume that every shiny new feature from cloud add-ons
to AI plug-ins comes with a security bill to be paid.