Harvard breach linked to voice-phishing and possible zero-day activity
Harvard University revealed that attackers gained access to its Alumni Affairs and Development systems through a targeted voice-phishing scheme, exposing contact details and engagement records of alumni, donors, staff, and some students. While no passwords, financial data, or Social Security numbers were stored in the affected systems, the incident still impacts multiple university-related groups. Harvard is working with law enforcement and external cybersecurity specialists to trace the intrusion and has issued notifications urging individuals to watch for suspicious emails, calls, or texts. The disclosure comes shortly after a separate claim from a ransomware group asserting they breached Harvard by exploiting a zero-day vulnerability, raising further concerns about broader systemic targeting. As investigations continue, the university emphasizes vigilance and warns that attackers may attempt follow-up communications impersonating official departments.
Dartmouth hit by data theft linked to Clop ransomware and Oracle zero-day abuse
Dartmouth College has confirmed a security incident after Clop ransomware operators published files allegedly taken from the school’s Oracle E-Business Suite servers. According to the college’s breach filing, attackers exploited an Oracle EBS zero-day to extract sensitive records, including names, Social Security numbers, and, in some cases, financial account information. While 1,494 individuals were formally notified, the real number is expected to be higher, as the institution has not yet issued disclosures in all relevant states. The attack is part of a broader Clop ransomware campaign abusing the zero-day vulnerability CVE-2025-61882 to infiltrate numerous organizations. Other major victims reportedly include Harvard University, Logitech, GlobalLogic, and several media and airline entities. Dartmouth continues investigating the breach and urges those potentially affected to remain alert to follow-up scams, as the Clop operation typically leverages stolen data for further extortion attempts.
CodeRED outage traced to INC Ransom RaaS attack and legacy platform compromise
The OnSolve CodeRED emergency alert system suffered a major disruption after a cyberattack linked to the INC Ransom ransomware-as-a-service (RaaS) group. Crisis24, which operates the platform, confirmed that attackers breached the legacy CodeRED environment, prompting a full shutdown and rebuild of the system. During the intrusion, threat actors stole resident data—names, addresses, phone numbers, email addresses, and even passwords used within CodeRED profiles. Although Crisis24 says there’s no evidence the stolen data has surfaced publicly, INC Ransom’s leak site has already posted screenshots showing clear-text credentials, a common tactic used by RaaS groups to pressure victims. Because backups dated back to March 31, 2025, many user accounts are now missing as the service is restored. The incident has caused widespread outages across U.S. cities and public safety agencies, underscoring how RaaS-driven attacks can disrupt critical infrastructure on a national scale.
Asahi cyberattack exposes millions, with Qilin ransomware behind the breach
Asahi Group Holdings has concluded its investigation into the September cyberattack and now estimates that up to 1.9 million people were affected. The intrusion, ultimately claimed by the Qilin ransomware group, led to the exposure of personal data including names, genders, addresses, phone numbers, and email details—information that can be weaponized for phishing campaigns. Qilin ransomware operators previously posted samples of the stolen files on their leak site, confirming both data theft and the scale of the breach. Impacted groups range from over 1.5 million customers to external contacts, current and former employees, and family members. Asahi states that no payment card data was involved, but restoration efforts are still ongoing two months after the attack. The company plans extensive security upgrades, reinforcing network controls, threat detection, and business-continuity measures to prevent future Qilin-style ransomware incidents.
Conclusion
In summary, the recent wave of cyber incidents targeting universities, emergency alert platforms, and global enterprises highlights the increasing sophistication of ransomware operators and zero-day exploitation. These attacks reinforce the urgent need for proactive security strategies, rapid detection capabilities, and strong incident readiness across all sectors.
As specialists in ransomware recovery and cybersecurity, we provide comprehensive support through our Ransomware Recovery Services, expert guidance with Ransomware Negotiation Services, and ongoing protection via our Incident Response Retainer. If you want to strengthen your defenses or need immediate assistance after an attack, reach out to our team today.