Coupang Data Breach Affects 33.7M; India Mandates Pre-Installed Mobile Security App; Singapore Issues Directive to Prevent Government Spoofing

The Holiday Hack Challenge offers hands-on, real-world challenges designed to teach and improve your security skills. Explore topics like Quantum computing, defanging IoCs, using SUDO, port discovery, forensic analysis, basic networking, and much more!

https://www.sans.org/cyber-ranges/holiday-hack-challenge

South Korean online retailer Coupang has acknowledged that a cybersecurity incident resulted in the compromise of personal data belonging to nearly 34 million customers, more than half of the country's population. The compromised data include "customer names, email addresses, phone numbers, shipping addresses, partial order histories, and certain delivery metadata." The incident was first detected on November 18, 2025, and a subsequent investigation indicates the intruders had access to Coupang's systems starting on June 24, 2025. Local media reports suggest that the data leak was instigated by a Coupang employee who has since left the company. Last week, Coupang reportedly received emailed threats that stolen data would be leaked. In a November 20 statement, Coupang wrote, "We have confirmed that customer personal information was accessed without authorization," and "We have confirmed that there are no signs of external intrusion into Coupang's system or internal network."

India's government is reportedly ordering smartphone manufacturers to pre-install a cybersecurity app to help protect citizens from fraud. The app, Sanchar Saathi, has the ability to identify incoming international phone calls that are spoofing India's country code to appear that they are coming from a domestic number. Other features of the app include reporting fraud, spam, and malicious web links through call, SMS, and WhatsApp, and blocking stolen devices. India's November 21, 2025, directive instructs phone manufacturers to push the app in an update to devices already in the supply chain, and that the app be "readily visible and accessible to the end users [when phones are first use or during set-up] ... and that its functionalities are not disabled or restricted." Furthermore, the government is requiring that users not be able to delete or disable the app. The directive has prompted concerns about privacy and government surveillance.

In an attempt to protect users from scams that impersonate Singapore's government, the Singapore Ministry of Home Affairs (MHA) has directed Apple and Google to implement restrictions that prevent the unauthorized use of the "gov[.]sg" sender ID and names of Singaporean government agencies on their messaging platforms. The implementation directives order Apple and Google "to put in place measures to prevent the spoofing of Singapore Government agencies via iMessage and ... Google Messages" by the end of November 2025. Singapore's "government agencies have been using the ‘gov[.]sg’ SMS sender ID to send SMSes since July 2024 to help the public identify legitimate government SMSes easily." The directives require Apple and Google to "prevent accounts and group chats from displaying names which spoof ‘gov[.]sg’ or Singapore Government agencies, or filter messages from accounts and group chats with names which spoof ‘gov.sg’ or Singapore Government agencies; and ... ensure the profile names of unknown senders are not displayed or are displayed less prominently than their phone numbers. This would help users better identify and be wary of unknown senders."

A ransomware attack against the OnSolve CodeRED emergency notification system has forced parent company Crisis24 to decommission the service's legacy environment. Crisis24 is now rebuilding the platform in a new environment. The attack compromised certain data, including names, addresses, email addresses, phone numbers, and passwords affiliated with CodeRED user profiles. The system is being rebuilt based on backups from March 31, 2025, which means some user accounts will be missing from the new system. "OnSolve CodeRED [is] a voluntary, opt-in emergency notification system used by law enforcement agencies and municipalities across the country" to keep residents informed about severe weather, AMBER alerts, and other public safety issues.

Three of London's borough Councils who share some IT services experienced a cyberattack in the last week of November, 2025. Starting Tuesday, November 25, Westminster city council (WCC) and the Royal Borough of Kensington and Chelsea (RBKC) disclosed a cybersecurity issue detected the previous day, also affecting the London Borough of Hammersmith and Fulham (H&F). In updates posted by all three boroughs in the days since the attack, the councils note that IT teams shut down and isolated affected systems and activated business continuity and emergency plans, working with the National Crime Agency (NCA) and National Cyber Security Centre (NCSC) as well as third-party experts to mitigate damage, protect and restore systems, and maintain critical services. RBKC confirmed on November 28 that purportedly just "historical data" were copied and exfiltrated by an unauthorized actor, though the nature of the affected data has not been specified and remains under investigation. RBKC and WCC phone lines were initially down, though emergency numbers are functional, and RBKC states that access to its website and online forms may be inconsistent due to "planned maintenance relating to ongoing management of the incident." While H&F states "there is no evidence of H&F systems being compromised," the borough has enhanced its security measures and points residents to a page of service and IT updates to check system availability, at the time of this writing showing disruption to certificate ordering and online forms for residential, financial, business, fine payment, and property licensing purposes. RBKC anticipates "at least two weeks of significant disruption."

Researchers from Oligo Security have published research disclosing five critical vulnerabilities in open-source logging tool Fluent Bit that could be chained to achieve remote code execution and compromise cloud and Kubernetes infrastructure. Oligo notes that Fluent Bit is ubiquitous in major systems, including "AI labs, banks, car manufacturers, all the major cloud providers such as AWS, Google Cloud, and Microsoft Azure," highlighting the ecosystem-level risk posed by a single widespread trusted component. CVE-2025-12972 has existed for eight of the eleven years Fluent Bit has existed, and can allow an attacker to achieve remote code execution by injecting path traversal sequences in unsanitized tag values used to generate output filenames. CVE-2025-12970 gives an attacker control over the host's Fluent Bit agent by triggering crashes or executing code due to a stack buffer overflow in the Docker input. CVE-2025-12978 allows an attacker to compromise logs, filters, and records by spoofing trusted tags, due to a flaw in tag-matching logic. CVE-2025-12977 can enable log corruption or broader output-based attacks when an attacker injects malicious code in tags derived from user-controlled fields that bypass sanitization. CVE-2025-12969 allows an attacker to compromise logs, telemetry, and detection systems while maintaining the appearance of security, because Fluent Bit forwarders configured with Security.Users silently disable authentication. Users should update to Fluent Bit v4.1.1 / 4.0.12; avoid using dynamic tags for routing; set fixed output paths and destinations; enforce read-only configuration mounts; and use least-privilege runtime settings. Oligo states that due to open source maintainers' limited resources and unclear escalation path, remediation required the involvement of AWS and took over a week after responsible disclosure, and CVE assignment took several more weeks, noting, "the security reporting and CVE assignment process for critical open-source infrastructure is still fragmented and fragile, and collaboration between maintainers, cloud providers, and security researchers is essential to keep the global software supply chain secure."

Brian Krebs warns that certain Android-based video streaming devices are equipped to hijack users' home networks to relay malicious internet traffic associated with advertising fraud, account takeovers, and possibly distributed denial-of-service (DDoS) botnets. The “Superbox” claims to offer unlimited streaming for a one-time fee as an alternative to multiple subscriptions. Devices such as the Superbox operate outside Google's official Android TV system and Google Play app ecosystem, requiring a third-party marketplace's custom apps to enable questionably legal media streaming, while simultaneously appropriating network bandwidth into a residential proxy network. A senior solutions engineer from Censys security observed a Superbox device conducting ARP poisoning and attempting to bypass controls, also noting that the device contains network analysis tools tcpdump and netcat. In June 2025 the FBI provided six indicators of home IoT botnet compromise: "The presence of suspicious marketplaces where apps are downloaded. Requiring Google Play Protect settings to be disabled. Generic TV streaming devices advertised as unlocked or capable of accessing free content. IoT devices advertised from unrecognizable brands. Android devices that are not Play Protect certified. [And] unexplained or suspicious Internet traffic." Separately, SmartTube, a popular open-source YouTube client for Android TV, recently received a malicious update first reported by a GitHub user in version 30.46 after the developer's digital keys were compromised. The added malicious library "runs silently in the background without user interaction, fingerprints the host device, registers it with a remote backend, and periodically sends metrics and retrieves configuration via an encrypted communications channel." Play Protect initially flagged and blocked the unsafe app, and while the developer has revoked the old signature and plans to publish a new version under a separate app ID, only beta and test builds of a fixed version have been released. Users should avoid versions of SmartTube not known to be safe, reset Google credentials, check for unauthorized access in the account console, and remove unrecognized services.

The US Cybersecurity and Infrastructure Security Agency (CISA) has published an alert warning that threat actors are "actively leveraging commercial spyware to target users of mobile messaging applications," including Signal and WhatsApp. The threat actors' tactics include zero-click exploits, impersonation of messaging app platforms, phishing, and malicious QR codes. Once they have access to targeted devices, the threat actors then deliver spyware to "current and former high-ranking government, military, and political officials, as well as civil society organizations (CSOs) and individuals across the United States, Middle East, and Europe." CISA recommends that users refer to the recently updated Mobile Communications Best Practice Guidance as well as the Guidance for Mitigating Cyber Threats with Limited Resources.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added two CVEs to the Known Exploited Vulnerabilities (KEV) catalog. On Friday, November 21, CISA added a critical missing authentication for critical function vulnerability in Oracle Fusion Middleware Identity Manager. The flaw (CVE-2025-61757) could be exploited to take control of vulnerable systems. Oracle disclosed and released a patch for the vulnerability in mid-October. US Federal Civilian Executive Branch (FCEB) agencies have until December 12 to mitigate the vulnerability. On Friday, November 28, CISA added a cross-site scripting (XSS) vulnerability in OpenPLC ScadaBR to the KEV catalog; the flaw (CVE-2021-26829) could be exploited to execute arbitrary code. Earlier this fall, researchers at Forescout observed attackers exploiting the vulnerability to target a researchers' honeypot. The flaw affects OpenPLC ScadaBR through 1.12.4 on Windows and OpenPLC ScadaBR through 0.9.1 on Linux; a patch has been available since June 2021. FCEB agencies have until December 19 to mitigate the vulnerability.

Japanese beer maker Asahi now says that the ransomware attack the company suffered in late September appears to have compromised information belonging to roughly 1.5 million customers. Asahi's latest update about the attack includes additional details: "The investigation revealed that the attacker gained unauthorized access to the data center network through network equipment, ... [and] the impact of the attack on [Asahi] systems is limited to those managed in Japan." Asahi plans to notify affected individuals. An Australian man has been sentenced to more than seven years in prison for launching "Evil Twin" Wi-Fi network attacks at airports in Perth, Melbourne, and Adelaide, and aboard domestic flights in Australia. The attacks mimicked legitimate Wi-Fi access points and harvested account access credentials, which were then used to steal personal data.