Full Report
This week showed just how fast things can go wrong when no one’s watching. Some attacks were silent and sneaky. Others used tools we trust every day — like AI, VPNs, or app stores — to cause damage without setting off alarms. It’s not just about hacking anymore. Criminals are building systems to make money, spy, or spread malware like it’s a business. And in some cases, they’re using the same
Analysis Summary
# Incident Report: Weekly Summary of Multiple Cyber Incidents (Week of November 17, 2025)
## Executive Summary
This summary covers several key incidents reported during the week of November 17, 2025, highlighting an evolving threat landscape in which trusted tools (such as AI services and VPNs) are weaponized and large-scale criminal enterprises operate like established businesses. Major events include the active exploitation of a patched Fortinet WAF vulnerability (CVE-2025-64446), a large law enforcement action under Operation Endgame that dismantled malware infrastructure (affecting families such as Rhadamanthys and Venom RAT), and the shutdown of the Lighthouse Phishing-as-a-Service platform.
## Incident Details
- **Discovery Date:** Ongoing throughout the week, with specific enforcement actions noted between November 10-17, 2025.
- **Incident Date:** Exploitation of CVE-2025-64446 reported since early October 2025. The Operation Endgame takedown occurred November 10-13, 2025.
- **Affected Organization:** Fortinet FortiWeb users (for CVE-2025-64446); hundreds of thousands of global users targeted by the malware infrastructure dismantled in Operation Endgame; over 1 million users targeted by Lighthouse PhaaS.
- **Sector:** Multiple sectors (WAF users, general internet users, financial services targeted by Phishing).
- **Geography:** Global scope (Law enforcement action led by Europol/Eurojust; Lighthouse PhaaS targeted users across 120 countries).
---
## Timeline of Events
### Initial Access: Fortinet WAF Exploit
- **Date/Time:** Since early October 2025 (for CVE-2025-64446).
- **Vector:** Exploitation of CVE-2025-64446 in the Fortinet FortiWeb Web Application Firewall (WAF).
- **Details:** This vulnerability, a combination of a path traversal flaw and an authentication bypass, allowed attackers to perform any privileged action on the affected WAFs.
### Initial Access: Phishing & Malware Infrastructure
- **Date/Time:** Lighthouse PhaaS actively running prior to November 2025; Operation Endgame disruption began November 10, 2025.
- **Vector:** Phishing-as-a-Service (PhaaS) kit deployment; widespread malware distribution (Rhadamanthys, Venom RAT, Elysium).
- **Details:** Lighthouse impersonated major entities (banks, government) to steal credentials globally. Konni group used Google's Find My Device functionality to wipe Android devices.
### Detection & Response (Fortinet)
- **Date/Time:** CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring patching by November 21, 2025.
- **Details:** Fortinet had previously patched the vulnerability, but threat actors were actively exploiting the older, unpatched versions.
### Detection & Response (Criminal Infrastructure Dismantling)
- **Date/Time:** November 10-13, 2025 (Operation Endgame disruption). November 17, 2025 (Google lawsuit filed).
- **Actions Taken:** A coordinated international law enforcement action led by Europol and Eurojust resulted in the seizure of over 1,025 servers and 20 domains and the arrest of one individual linked to Venom RAT in Greece. Google filed a civil lawsuit against 25 unnamed China-based actors behind Lighthouse.
---
## Attack Methodology
| Category | Fortinet CVE-2025-64446 | Operation Endgame (Stolen Info) | Lighthouse PhaaS | Konni Group (Android) |
| :--- | :--- | :--- | :--- | :--- |
| **Initial Access** | Path Traversal + Authentication Bypass on FortiWeb. | Used various malware families (Rhadamanthys, Venom RAT, Elysium). | Via smishing campaigns impersonating legitimate entities. | Via malicious applications targeting Android/Windows. |
| **Persistence** | N/A (Focus on privileged action execution). | The scale of the seized infrastructure (over 1,025 servers) indicates long-lived footholds on victims prior to the takedown. | Service model implied continuous access capability for customers. | Utilized Google's Find Hub service (abuse of existing functionality). |
| **Privilege Escalation** | Achieved via combined vulnerability exploitation to gain administrative rights. | N/A (Focus on malware execution). | N/A (Focus on credential theft). | Unknown specific technique, likely leveraging malware execution context. |
| **Defense Evasion** | Exploited a known, but potentially unpatched, vulnerability. | Infected systems were reported to be unknown to the victims ("Many of the victims were not aware"). | Relied on social engineering and familiar impersonations. | Abuse of a legitimate cloud service feature (Find My Device). |
| **Credential Access** | Allowed for *any privileged action* on the WAF. | Resulted in the capture of several million stolen credentials. | Designed specifically to steal personal and financial information. | Data theft from targeted devices. |
| **Lateral Movement** | N/A (Focus on elevated control on the WAF appliance). | Implied by the use of botnets and RATs. | N/A (Focus on initial user compromise). | Unknown beyond initial device access. |
| **Collection** | N/A (Focus on gaining control). | Stole credentials across various compromised computers. | Collected PII and financial details via phishing forms. | Data theft from Android/Windows devices. |
| **Exfiltration** | N/A (Focus on gaining control). | N/A (Infrastructure seized prior to full analysis). | Data routed through the PhaaS customer's control. | Data exfiltration from compromised devices. |
| **Impact** | Ability to perform *any privileged action* on WAF. | Disruption affecting hundreds of thousands of computers; millions of credentials stolen. | Over 1 million unique users ensnared across 120 countries. | Remote device wiping capability. |
---
## Impact Assessment
- **Financial:** Not quantified in the provided text, but the Lighthouse operation involved the impersonation of banks and crypto exchanges, suggesting massive potential financial fraud.
- **Data Breach:** Several million stolen credentials were recovered from the Operation Endgame infrastructure alone. PII and financial data were the targets of the Lighthouse PhaaS.
- **Operational:** Large-scale enforcement actions temporarily disrupted major criminal operations, including the takedown of malware distribution networks.
- **Reputational:** Incidents highlight the risk of relying on WAF solutions that may carry unpatched zero-days, and the danger that attackers abuse apparently trusted cloud services for nefarious purposes (Konni).
## Indicators of Compromise
*Note: Specific IOCs were generally not available as this is a summary of enforcement actions and vulnerability reports.*
- **Behavioral Indicators:** Active exploitation of WAF devices using a combination of path traversal and authentication bypass techniques; smishing campaigns impersonating major financial and government entities; routine use of legitimate cloud services (e.g., Google Find Hub) for malicious remote actions.
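One way to surface the first behavioral indicator above (traversal sequences aimed at a WAF's privileged management interface, reached without a session) in access logs. This is an added example, not Fortinet's code and not a description of CVE-2025-64446 itself; the log format, the `/mgmt/` prefix and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote
# Constructed log lines (not a real FortiWeb format): src, method, raw path, status, auth flag
SAMPLE_LOGS = [
    "203.0.113.7 GET /api/status 200 auth=yes",
    "198.51.100.9 POST /app/../mgmt/admin/users 200 auth=no",
    "198.51.100.9 POST /app/%2e%2e/mgmt/admin/users 200 auth=no",
    "203.0.113.7 GET /static/%252e%252e/mgmt/config 200 auth=yes",
    "192.0.2.5 GET /mgmt/admin/users 200 auth=yes",
    "198.51.100.9 GET /images/../index.html 200 auth=no",
]
LOG_RE = re.compile(r"^(?P<src>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) auth=(?P<auth>yes|no)$")
PRIVILEGED_PREFIX = "/mgmt/"  # hypothetical management-API prefix, not a Fortinet path

def normalize_path(raw):
    """Return (normalized_path, traversal_seen). Decoding runs at most three
    rounds: enough to expose double-encoded '..' (%252e%252e), but bounded."""
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = path.replace("\\", "/").split("/")
    out = []
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out), ".." in segments

def classify(line):
    """Label one log line, or return None when it shows nothing unusual."""
    m = LOG_RE.match(line)
    if not m:
        return None
    norm, traversal = normalize_path(m["path"])
    if not traversal:
        return None  # a plain, authenticated admin call is normal operations
    privileged = norm.startswith(PRIVILEGED_PREFIX)
    if privileged and m["auth"] == "no" and m["status"].startswith("2"):
        return "traversal+unauth-privileged"  # traversal reached the admin API with no session
    if privileged:
        return "traversal-privileged"
    return "traversal"
```

The highest-severity label needs all three signals together (traversal, privileged target after normalization, success without authentication), so an authenticated administrator using the same API is not flagged.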
## Response Actions
- **Containment:** CISA applied its binding operational directive requirements for FCEB agencies, setting a Fortinet patching deadline of November 21, 2025.
- **Eradication:** Law enforcement seized over 1,025 servers and 20 domains associated with the malware infrastructure targeted by Operation Endgame; the Lighthouse PhaaS platform was subsequently shut down.
- **Recovery:** Victims of the malware dismantled in Operation Endgame may require extensive remediation due to the scale of credential theft.
## Lessons Learned
- **Patch Management Criticality:** Zero-day exploitation occurred on a flaw that had already been patched by the vendor (Fortinet), emphasizing that the gap between patch release and enterprise deployment remains a major risk vector (CVE-2025-64446).
- **Trusted Tool Weaponization:** Attackers are successfully embedding malicious activity within trusted ecosystems, utilizing AI services, VPNs, app stores, and even cloud management tools (like Google Find Hub) to evade traditional boundary defenses.
- **Cybercrime Professionalization:** Threat actors are operating sophisticated criminal business models (PhaaS) that are robust enough to require international law enforcement coordination to dismantle.
## Recommendations
- **Immediate Patching Enforcement:** Ensure all Fortinet FortiWeb instances are updated immediately to mitigate active exploitation of CVE-2025-64446.
- **Enhanced Evasion Monitoring:** Deploy NDR/EDR solutions capable of detecting suspicious *behavior* (e.g., unusual administrative API usage, anomalous internal logins) rather than relying solely on known signatures, especially in areas where trusted tools operate.
- **Zero Trust and Least Privilege:** Regularly audit access controls, particularly concerning services that handle sensitive data or device control functions (like cloud productivity tools), as these are increasingly used as novel lateral movement or impact vectors.