Top 10 USA Cybersecurity Incidents: October - November 2025

This report summarizes the top 10 most significant cybersecurity incidents in the United States over the past month, based on their impact, the involvement of critical infrastructure, government warnings, and the exploitation of zero-day vulnerabilities. The incidents highlight a range of threats, from nation-state attacks and sophisticated ransomware campaigns to major data breaches affecting millions of individuals.

1. F5 Networks Nation-State Breach

A sophisticated nation-state actor, reportedly linked to China, breached enterprise technology vendor F5, gaining long-term, persistent access to its production environment and engineering resource portal [1]. The attackers stole portions of the BIG-IP source code and information about undisclosed vulnerabilities. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering federal agencies to immediately identify and patch affected F5 devices, highlighting the severity of this supply chain attack [2].

Is my industry affected?

This breach has a broad impact across all sectors, as F5 products are widely used for application security and delivery. However, government, finance, and technology sectors are particularly at risk due to their reliance on F5 for protecting sensitive data and critical applications. Organizations in these sectors should immediately follow CISA’s guidance and apply the necessary patches.

2. FBI Warning: Interlock Ransomware

The FBI and CISA issued a joint alert regarding a new and aggressive ransomware group known as Interlock, which has been actively targeting businesses in the U.S. and Europe since September 2024 [3]. The group is known for its rapid and destructive attacks, making it a significant threat to organizations of all sizes. The alert urges businesses to take immediate steps to secure their networks against this emerging threat.

Is my industry affected?

Interlock appears to be opportunistic, targeting a wide range of industries. However, based on their tactics, small and medium-sized businesses (SMBs) with limited cybersecurity resources are the most vulnerable. These businesses often lack the advanced security controls and dedicated security teams needed to defend against such aggressive ransomware attacks.

3. Conduent Business Solutions Data Breach

A massive data breach at Conduent Business Solutions, a provider of services to state and local governments, exposed the personal information of over 10.5 million patients [4]. The breach, which went undetected for nearly three months, affected multiple state agencies and is one of the largest healthcare data breaches of the year. The compromised data includes sensitive personal and health information, putting millions at risk of identity theft and fraud.

Is my industry affected?

The healthcare and government services sectors are directly impacted by this breach. Any organization that provides services to or partners with government agencies, especially in the healthcare space, should review their own security posture and third-party risk management programs. The long-term consequences of this breach will likely include increased regulatory scrutiny and a greater emphasis on supply chain security in the public sector.

4. VMware Zero-Day Vulnerability (CVE-2025-41244)

A high-severity privilege escalation vulnerability in VMware Tools and VMware Aria Operations was exploited as a zero-day by a China-linked threat actor (UNC5174) [5]. The flaw, tracked as CVE-2025-41244, allows a local attacker to escalate privileges to the root user. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, indicating that it is being actively exploited in the wild.

Is my industry affected?

Given the widespread use of VMware virtualization technologies across all industries, this vulnerability poses a significant threat to a vast number of organizations. Any business that utilizes VMware for its IT infrastructure is potentially at risk. It is critical for all organizations to apply the patches provided by Broadcom immediately to mitigate this threat.

5. BlackCat/ALPHV Ransomware and Rogue Cybersecurity Professionals

In a disturbing turn of events, three former employees of the cybersecurity incident response firms DigitalMint and Sygnia were indicted for their alleged involvement in BlackCat (ALPHV) ransomware attacks [6]. The group targeted at least five U.S. companies, including a medical device manufacturer that paid a $1.27 million ransom. This case highlights the growing danger of insider threats, particularly from individuals with privileged access and detailed knowledge of cybersecurity defenses.

Is my industry affected?

This incident is a stark reminder that no industry is immune to insider threats. However, the healthcare, manufacturing, and technology sectors were specifically targeted in this campaign. This incident should serve as a wake-up call for all organizations to strengthen their insider threat programs, including conducting thorough background checks and monitoring employee activity, especially for those in sensitive cybersecurity roles.

6. Simon Property Group - Medusa Ransomware Attack

Simon Property Group, a leading real estate investment trust (REIT), was targeted by the Medusa ransomware group [7]. This attack on a major player in the commercial real estate sector highlights the growing focus of ransomware gangs on high-value targets with the potential for significant disruption and substantial payouts.

Is my industry affected?

The commercial real estate and retail sectors are most directly affected by this attack. The incident highlights the vulnerability of large property management firms and the potential for disruption to their operations and tenants. Companies in these sectors should review their cybersecurity defenses and incident response plans to prepare for similar attacks.

7. CISA Warning: Active Exploitation of Old Linux Flaw (CVE-2024-1086)

CISA issued a warning that a critical use-after-free vulnerability in the Linux kernel (CVE-2024-1086), which was first disclosed over a year ago, is being actively exploited in ransomware attacks [8]. This highlights the persistent danger of unpatched vulnerabilities, even those that are not new. The fact that a flaw disclosed more than a year ago is still being successfully exploited is a testament to the importance of timely patch management.

Is my industry affected?

This vulnerability affects every industry that relies on Linux-based systems, which means a vast number of organizations. However, the technology, cloud services, and web hosting sectors are particularly at risk due to their extensive use of Linux. Any organization that runs Linux in its environment should ensure that its systems are patched and up to date.

8. QNAP NAS Zero-Day Vulnerabilities

Seven zero-day vulnerabilities in QNAP Network Attached Storage (NAS) devices were successfully exploited at the Pwn2Own hacking competition [9]. These flaws could allow attackers to gain remote access to and control of vulnerable devices. QNAP is a popular brand of NAS devices used by both consumers and businesses for data storage and backup, making these vulnerabilities a significant concern.

Is my industry affected?

Small and medium-sized businesses (SMBs) are particularly vulnerable to these types of attacks, as they often rely on NAS devices for affordable and convenient data storage. Many SMBs lack the resources to properly secure and manage these devices, making them an attractive target for attackers. All QNAP users should update their devices to the latest firmware as soon as possible.

9. Malicious NuGet Packages with "Time Bomb" Payloads

Malicious packages were discovered on the NuGet package manager containing “time bomb” payloads scheduled to activate in 2027 and 2028 [10]. These packages target database implementations and Siemens S7 industrial control systems, posing a significant future threat to the software supply chain and critical infrastructure. This incident highlights the growing trend of attackers using open-source repositories to distribute malware and the long-term risks associated with these types of attacks.

Is my industry affected?

The software development and industrial manufacturing sectors are the primary targets of this attack. Any organization that uses NuGet for package management or relies on Siemens S7 industrial control systems should be on high alert. This incident also serves as a broader warning to all organizations about the importance of vetting open-source components and securing their software supply chain.

10. Microsoft Teams Vulnerabilities

Security researchers discovered vulnerabilities in Microsoft Teams that could allow attackers to impersonate executives and manipulate messages [11]. Given the widespread use of Teams for business communication, these flaws represent a significant risk for corporate espionage, social engineering, and the spread of misinformation. Microsoft has been a major target for both nation-state and financially motivated cybercriminals.

Is my industry affected?

As Microsoft Teams is used across virtually all industries, this vulnerability has a broad impact. However, large enterprises and government agencies are particularly at risk due to the high value of their internal communications. Organizations should ensure they are following Microsoft’s security best practices for Teams and are educating their employees about the risks of social engineering attacks.

References

[1]  Geller, E. (2025, October 15). Nation-state hackers breached sensitive F5 systems, stole customer data. Cybersecurity Dive. https://www.cybersecuritydive.com/news/f5-supply-chain-breach-nation-state-cisa/802887/

[2]  CISA. (2025, October 15). ED 26-01: Mitigate Vulnerabilities in F5 Devices. https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices

[3]  TotalCare IT. (2025, November 7). FBI Warns of New “Interlock” Ransomware Attacks Targeting U.S. Businesses. https://www.totalcareit.net/blog/fbi-warns-of-new-interlock-ransomware-attacks-targeting-u.s.-businesses

[4]  HIPAA Journal. (2025, October 28). More Than 10.5 Million Patients Affected by Conduent Business Solutions Data Breach. https://www.hipaajournal.com/conduent-business-solutions-data-breach/

[5]  Lakshmanan, R. (2025, October 31). CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks. The Hacker News. https://thehackernews.com/2025/10/cisa-flags-vmware-zero-day-exploited-by.html

[6]  Gatlan, S. (2025, November 3). US cybersecurity experts indicted for BlackCat ransomware attacks. BleepingComputer. https://www.bleepingcomputer.com/news/security/us-cybersecurity-experts-indicted-for-blackcat-ransomware-attacks/

[7]  Ransomware.live. (2025, November 7). Simon Property Group. https://ransomware.live/

[8]  Cybersecurity Review. (2025, November 4). US government warns Linux CVE-2024-1086 flaw is now being exploited for ransomware attacks. https://www.cybersecurity-review.com/us-government-warns-linux-cve-2024-1086-flaw-is-now-being-exploited-for-ransomware-attacks/

[9]  BleepingComputer. (2025, November 7). QNAP fixes seven NAS zero-day flaws exploited at Pwn2Own. https://www.bleepingcomputer.com/news/security/qnap-fixes-seven-nas-zero-day-flaws-exploited-at-pwn2own-tokyo/

[10]  BleepingComputer. (2025, November 7). Malicious NuGet packages drop disruptive ‘time bomb’ payloads. https://www.bleepingcomputer.com/news/security/malicious-nuget-packages-drop-disruptive-time-bomb-payloads/

[11]  SC World. (2025, November 5). Microsoft Teams flaws let attackers impersonate execs, manipulate messages. https://www.scworld.com/news/microsoft-teams-flaws-let-attackers-impersonate-execs-manipulate-messages
