Latest Cybersecurity News
BlindEagle Hackers Attacking Government Agencies with Powershell Scripts
Date: 22 December, 2025
Summary:
BlindEagle’s Advanced Campaign Against Colombian Government Agencies (September 2025)
- Target & Context
  - The attack focused on a ministry‑level agency under Colombia’s Ministry of Commerce, Industry and Tourism (MCIT).
  - BlindEagle—an emerging South‑American threat group—is now demonstrating a high level of operational sophistication.
- Initial Delivery: Social Engineering + Internal Credibility
  - A phishing email was sent from an already compromised internal account, masquerading as a labor lawsuit notification.
  - The use of an insider address bypassed external mail defenses and increased the likelihood that recipients would click the embedded link.
- File‑less Malware Chain
  1. SVG attachment – contained encoded HTML that redirected users to a counterfeit judicial portal.
  2. Three progressively deobfuscated JavaScript files (Base64 + custom tricks) that guided the victim through successive stages.
  3. PowerShell payload – downloaded an image from the Internet Archive, extracted a Base64‑encoded malicious module hidden inside it, and loaded that code into memory via .NET reflection—avoiding any disk writes.
- Execution & Persistence
  - The in‑memory payload ran Caminho, a downloader with Portuguese artifacts, which then fetched DCRAT from Discord’s CDN.
  - DCRAT included AMSI patching to disable Windows anti‑malware checks.
  - Persistence was established through scheduled tasks and registry modifications, ensuring long‑term access.
- Evasion Techniques
  - Steganography: payloads hidden within image files.
  - Legitimate services (Discord CDN) used for command & control traffic.
  - AMSI patching and memory‑resident execution to evade traditional antivirus solutions.
Overall Assessment
BlindEagle’s campaign illustrates a mature blend of social engineering, file‑less delivery, sophisticated obfuscation, and legitimate‑service abuse. The result is a highly covert operation capable of compromising government infrastructure with minimal detection risk.
PoC Exploit Released for Use-After-Free Vulnerability in Linux Kernel’s POSIX CPU Timers Implementation
Date: 22 December, 2025
Summary:
Linux Kernel POSIX CPU Timer Race Condition – CVE‑2025‑38352
- What is it?
  A race condition in the kernel’s handle_posix_cpu_timers() function that can trigger a use‑after‑free (UAF) of kernel memory. The flaw exists when the CONFIG_POSIX_CPU_TIMERS_TASK_WORK option is disabled, which is common on 32‑bit Android devices and many embedded Linux systems.
- How it works
  An attacker creates a POSIX CPU timer that fires after a specified CPU time interval. By forcing a thread into a zombie state while the kernel processes the timer signal, the attacker can prematurely delete the timer with timer_delete(). The kernel continues to access the now‑freed structure in posix_timer_queue_signal(), leading to a UAF and potentially allowing privilege escalation.
- Proof‑of‑Concept
  A public PoC has been released on GitHub by researcher Faraz Sth. It demonstrates the full exploitation chain: timer creation, zombie induction, timer deletion during signal handling, and the resulting kernel warning (KASAN or send_sigqueue()).
- Real‑world impact
  The flaw is actively exploited in targeted attacks. Reports from the Faith2dxy group confirm limited but real‑world use of this vulnerability to compromise systems.
- Affected platforms
  All kernels where CONFIG_POSIX_CPU_TIMERS_TASK_WORK is disabled, notably:
  - 32‑bit Android devices
  - Various embedded Linux deployments
- Mitigation and patch status
  Kernel maintainers have released patches that close the race window by preventing zombie processes from executing timer handling code. The fix is already in stable branches.
- What you should do
  - Update immediately to a patched kernel version, prioritizing Android devices and embedded systems.
  - System administrators should audit for the disabled CONFIG_POSIX_CPU_TIMERS_TASK_WORK setting and apply updates as soon as possible.
  - Keep an eye on vendor advisories and security mailing lists for any additional guidance.
Bottom line: The public availability of a PoC and evidence of active exploitation make patching urgent. Stay vigilant and update your systems without delay.
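The audit step above can be scripted. This is an added example, not code from the article or the PoC: it reads the build configuration of the running kernel from /proc/config.gz or /boot/config-<release> and reports whether CONFIG_POSIX_CPU_TIMERS_TASK_WORK is enabled. The status labels, and the treatment of an option that is simply missing from the file as "not enabled", are my own reading of the kernel's Kconfig rules, not something the article states.

```python
"""Check whether the running kernel was built with
CONFIG_POSIX_CPU_TIMERS_TASK_WORK (added example, not code from the
article or the PoC). The kernel exposes its own config at
/proc/config.gz when CONFIG_IKCONFIG_PROC is set; distributions
usually install a plain-text copy as /boot/config-<release>."""
import gzip
import os
import platform

OPTION = "CONFIG_POSIX_CPU_TIMERS_TASK_WORK"


def parse_kconfig(text):
    """Parse kernel .config text into {option_name: value}.

    Lines come in three shapes:
      CONFIG_FOO=y               enabled (or a numeric/string value)
      # CONFIG_FOO is not set    explicitly disabled
      # anything else            comment, ignored
    """
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# CONFIG_") and line.endswith(" is not set"):
            options[line[2:-len(" is not set")]] = "n"
        elif line.startswith("CONFIG_") and "=" in line:
            name, _, value = line.partition("=")
            options[name] = value.strip().strip('"')
    return options


def task_work_status(options):
    """Return 'enabled', 'disabled' or 'absent' for the option.

    'absent' is the usual form of 'disabled' here: the option has no
    menu prompt and is only written to .config when its default
    (POSIX_TIMERS && HAVE_POSIX_CPU_TIMERS_TASK_WORK) selects it, so a
    kernel without task-work deferral normally just omits the line.
    Kernels older than the option omit it too.
    """
    value = options.get(OPTION)
    if value is None:
        return "absent"
    return "enabled" if value == "y" else "disabled"


def uses_affected_path(options):
    """True when the task-work variant is NOT enabled, i.e. the timer
    handling path the advisory describes is the one compiled in.
    Whether it is actually vulnerable then depends on patch level."""
    return task_work_status(options) != "enabled"


def read_config(path):
    """Read a kernel config, transparently handling gzip (.gz)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return fh.read()


def running_kernel_config_path():
    """Locate the config of the running kernel, or None if not found."""
    candidates = ["/proc/config.gz",
                  "/boot/config-" + platform.release()]
    for path in candidates:
        if os.path.exists(path):
            return path
    return None


def audit(path=None):
    """Audit one config file (default: the running kernel).
    Returns (path, status, affected_path_in_use)."""
    path = path or running_kernel_config_path()
    if path is None:
        raise FileNotFoundError("no kernel config found; pass a path")
    options = parse_kconfig(read_config(path))
    return path, task_work_status(options), uses_affected_path(options)


if __name__ == "__main__":
    cfg_path, status, at_risk = audit()
    print(f"{cfg_path}: {OPTION} is {status}; "
          + ("verify the fix is in this kernel" if at_risk
             else "task-work timer path in use"))
```

Pass an explicit path to audit(path), for instance a vendor's shipped config, when checking a device image offline rather than the host you are running on.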
Microsoft Brokering File System Vulnerability Let Attackers Escalate Privileges
Date: 22 December, 2025
Summary:
Microsoft Brokering File System (BFS.sys) Use‑After‑Free Vulnerability – CVE‑2025‑29970
- What it is
  A memory‑management flaw in the BFS minifilter driver, which manages file, pipe, and registry operations for isolated Win32 applications (AppContainer/AppSilo). The driver incorrectly frees the head of a linked list (DirectoryBlockList) while still iterating over its entries during policy‑entry deletion via the BfsProcessDeletePolicyEntryRequest IOCTL. This creates a classic use‑after‑free that can be abused to corrupt kernel memory and elevate privileges.
- How it works
  The vulnerability is triggered when an attacker with AppSilo token rights repeatedly creates and removes policy entries through the BFS device. Because the driver releases the list head before all iterations are complete, subsequent memory reuse leads to a dangling pointer that can be overwritten. Although only medium‑integrity processes can access the BFS device, sustained exploitation can cause a fatal system error (0x00000050) and result in local privilege escalation.
- Affected component
  bfs.sys versions up to 26100.4061 (and likely earlier releases before the January 2025 patch).
- Exploitation prerequisites
  - Run as a medium‑integrity process with AppSilo token capabilities.
  - Create policy entries and repeatedly trigger their deletion to force the vulnerable deallocation path.
  - The attack is limited to processes that can access the BFS device, but this does not eliminate risk.
- Impact
  Local privilege escalation on Windows systems that use sandboxed applications (AppContainer/AppSilo). Repeated exploitation may crash the system with a blue‑screen error (0x00000050).
- Fix
  Microsoft restructured the deallocation logic by moving the list‑head free operation into BfsCloseRootDirectory, ensuring it occurs only after all entries have been processed. Patches were released in January 2025.
- Recommendations for organizations
  - Apply the January 2025 patch immediately to all affected systems.
  - Monitor for suspicious IOCTL activity on the BFS device originating from medium‑integrity processes.
  - Consider restricting or sandboxing untrusted applications until the patch is applied.
This incident underscores that even kernel drivers designed for specialized security functions can contain subtle memory‑management bugs, highlighting the need for ongoing assessment and timely patching of all Windows kernel components.
Nissan Confirms Data Breach Following Unauthorized Access to Red Hat Servers
Date: 22 December, 2025
Summary:
Nissan Motor Corporation – Data Breach at Nissan Fukuoka Sales Co., Ltd.
- Scope of the incident
  - Approximately 21,000 customers of Nissan Fukuoka Sales (formerly Fukuoka Nissan Motor) were affected.
  - The data exposed consisted solely of customer names, addresses, telephone numbers and partial email addresses; no credit‑card or payment details were compromised.
- How the breach occurred
  - Unauthorized access was gained to Red Hat‑hosted servers that a third‑party contractor manages for Nissan’s customer‑management system.
  - The attacker exploited weaknesses in the contractor’s security controls, allowing them to retrieve the customer database stored on those servers.
- Detection and notification timeline
  - The intrusion was first identified by Red Hat on 26 September 2025.
  - Nissan revoked the attacker’s access immediately and began containment measures.
  - However, the company received notice from Red Hat only on 3 October 2025, a week after detection, prompting Nissan to file a report with the Personal Information Protection Commission that same day.
- Current status of the data
  - No evidence has emerged that the stolen information was sold or misused on underground markets.
  - The compromised dataset is limited to customer details used by the dealer network; no additional sensitive financial records were exposed.
- Customer notification and protection advice
  - Nissan is informing each affected customer individually, explaining what data was accessed and how it could be exploited.
  - Customers are urged to remain vigilant against phishing emails, scam calls and other social‑engineering attacks that might target the exposed information.
- Response measures and future safeguards
  - The company is tightening oversight of its contractors and reviewing all third‑party access controls.
  - Nissan plans to reinforce its overall security posture by aligning with ISO 27001, SOC 2, NIST, NIS 2, GDPR and other relevant frameworks.
  - Additional monitoring and incident‑response capabilities will be implemented to prevent a recurrence of this nature.
This breach underscores the importance of robust third‑party governance and rapid notification processes in protecting customer data within automotive ecosystems.
SideWinder APT Hackers Attacking Indian Entities by Masquerading as the Income Tax Department of India
Date: 22 December, 2025
Summary:
- Campaign overview
  - The SideWinder APT group has launched a sophisticated Windows backdoor campaign that targets users in South Asia, primarily India.
  - Its objective is to install a silent, long‑term presence on victim machines, enabling the attackers to steal files, capture data, and exercise remote control.
- Initial delivery vector
  1. A phishing email masquerading as an official tax notice urges recipients to review an “inspection” document.
  2. The message contains a short link (surl.li) that redirects to a counterfeit Indian Income Tax portal hosted at gfmqvip.vip.
  3. From the fake portal, users are prompted to download Inspection.zip, which is actually a malicious bundle stored on store10.gofile.io.
- Malware contents and execution flow
  - The ZIP archive contains three key files:
    - A fake review application (Inspection Document Review.exe, renamed from SenseCE.exe).
    - The malicious DLL (MpGear.dll) that is side‑loaded into trusted Windows processes.
    - A decoy certificate file (DMRootCA.crt).
  - When the user runs the faux review app, Windows loads MpGear.dll.
  - The DLL first checks whether the victim’s system time matches UTC+5:30 (South Asia) by querying public APIs such as timeapi.io and worldtimeapi.org.
  - It then pauses for roughly three and a half minutes and scans running processes to avoid sandbox or virtual‑machine environments.
  - After validation, the DLL contacts the command‑and‑control server at 180.178.56.230.
- Payload delivery and persistence
  - From the C2 host, the malware downloads a small loader (1bin) from 8.217.152.225.
  - The loader drops a resident agent named mysetup.exe into C:\ and creates a configuration file called YTSysConfig.ini that stores the C2 address and other flags.
  - This establishes a persistent backdoor, giving attackers ongoing remote access to the compromised system.
- Detection and hunting clues
  - Zscaler analysts identified the campaign by monitoring anomalous surl.li traffic within large Indian networks.
  - The typical pattern—short link → fake tax portal → ZIP download → outbound contact with known SideWinder IP addresses—is a key indicator for investigators.
Key takeaway
A seemingly harmless, tax‑themed phishing email can trigger a carefully engineered chain of events that culminates in a stealthy Windows backdoor. The combination of social engineering, DLL side‑loading, and geolocation checks makes the attack both effective and difficult to detect without vigilant traffic analysis.
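The indicator chain in the hunting clues above can be turned into a per-client hunting routine. This is an added example, not Zscaler's code: it walks constructed proxy log lines (timestamp, client IP, destination host, a format assumed for the example) and scores each client by how far along the published chain it travelled, using only the hosts and IPs quoted in the summary.

```python
"""Hunt for the SideWinder delivery chain in web-proxy logs.

Added example, not code from the Zscaler analysis summarised above. It
turns the reported indicator sequence (surl.li short link -> gfmqvip.vip
portal -> Inspection.zip from store10.gofile.io -> time-zone lookup ->
C2 / loader IPs) into an ordered, per-client state machine. The log
format (timestamp, client, destination host) and the sample lines are
constructed; adapt parse_line() to your proxy's export format."""
from collections import defaultdict

# Indicators quoted in the report, in the order the chain executes.
STAGES = [
    ("short_link", {"surl.li"}),
    ("fake_portal", {"gfmqvip.vip"}),
    ("zip_download", {"store10.gofile.io"}),
    ("timezone_check", {"timeapi.io", "worldtimeapi.org"}),
    ("c2_or_loader", {"180.178.56.230", "8.217.152.225"}),
]
STAGE_INDEX = {name: i for i, (name, _) in enumerate(STAGES)}


def stage_of(dest):
    """Map a destination host/IP to a chain stage, or None.
    Matches the indicator exactly or as a parent domain (x.surl.li)."""
    dest = dest.lower().rstrip(".")
    for name, indicators in STAGES:
        for ind in indicators:
            if dest == ind or dest.endswith("." + ind):
                return name
    return None


def parse_line(line):
    """Constructed format: '<ISO timestamp> <client> <destination>'."""
    parts = line.split()
    if len(parts) < 3:
        return None
    return parts[0], parts[1], parts[2]


def walk_logs(lines):
    """Return {client: [stage names in order of first appearance]}."""
    seen = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, client, dest = parsed
        stage = stage_of(dest)
        if stage and stage not in seen[client]:
            seen[client].append(stage)
    return dict(seen)


def classify(stages):
    """Verdict for one client's stage list:
    - 'confirmed': any contact with the C2 or loader IPs
    - 'suspicious': three or more stages reached in chain order
      (the report's short link -> portal -> ZIP pattern)
    - 'benign': otherwise; a lone surl.li click is just a URL shortener
    """
    if "c2_or_loader" in stages:
        return "confirmed"
    order = [STAGE_INDEX[s] for s in stages]
    if len(order) >= 3 and order == sorted(order):
        return "suspicious"
    return "benign"


def hunt(lines):
    """Return {client: verdict} for every client that hit any indicator."""
    return {c: classify(s) for c, s in walk_logs(lines).items()}


# Constructed sample: 10.0.0.5 walks the whole chain (note the ~3.5 min
# gap before C2, matching the sandbox-evasion pause described above),
# 10.0.0.8 stops after the ZIP download, 10.0.0.7 only clicks a short link.
SAMPLE_LOG = """\
2025-12-01T09:00:01Z 10.0.0.5 surl.li
2025-12-01T09:00:03Z 10.0.0.5 gfmqvip.vip
2025-12-01T09:00:40Z 10.0.0.5 store10.gofile.io
2025-12-01T09:01:10Z 10.0.0.5 timeapi.io
2025-12-01T09:04:45Z 10.0.0.5 180.178.56.230
2025-12-01T09:10:00Z 10.0.0.7 surl.li
2025-12-01T09:10:01Z 10.0.0.7 example.com
2025-12-01T11:20:00Z 10.0.0.8 surl.li
2025-12-01T11:20:05Z 10.0.0.8 gfmqvip.vip
2025-12-01T11:21:00Z 10.0.0.8 store10.gofile.io
""".splitlines()

if __name__ == "__main__":
    for client, verdict in sorted(hunt(SAMPLE_LOG).items()):
        print(f"{client}: {verdict}")
```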
Sleeping Bouncer Vulnerability Impacts Motherboards from Gigabyte, MSI, ASRock and ASUS
Date: 22 December, 2025
Summary:
“Sleeping Bouncer” – Critical Motherboard Vulnerability
- What it is:
  A flaw discovered in Gigabyte, MSI, ASRock and ASUS motherboards that lets an attacker inject malicious code during the very first seconds of a PC’s boot sequence.
- How it works:
  - The issue targets the IOMMU (DMA protection) hardware, which should stop rogue devices from accessing system memory before the operating system loads.
  - Although BIOS settings show pre‑boot DMA protection enabled, the hardware fails to initialise fully in those first few seconds of booting.
  - This creates a narrow window where malware can run with maximum privileges and remain hidden until security software (such as Riot’s Vanguard) starts.
- Impact:
  The vulnerability affects both consumer gaming PCs and high‑end workstations that use the affected motherboards, allowing compromise at startup before any operating‑system–level defenses are active.
- Remedy:
  All four manufacturers have released BIOS updates that fix the flaw. Users must immediately download and install the latest firmware from the official manufacturer websites.
- Additional measures by Riot Games:
  - Vanguard will enforce stricter checks, blocking competitive play on systems with unpatched motherboards.
  - A “VAN:Restriction” notice will be issued to affected users until they update their firmware.
- Why it matters:
  The flaw could have bypassed existing DMA detection technology, potentially enabling a devastating attack that evades all pre‑boot defenses. Prompt patching protects the gaming community from this serious security risk.
Docker Open Sources Production-Ready Hardened Images for Free
Date: 22 December, 2025
Summary:
Docker Makes Secure Container Images Free for All Developers
- What changed:
  Docker has opened its Docker Hardened Images (DHI) to the public under an Apache 2.0 license, removing the subscription fee that previously applied.
- Why it matters:
  The decision follows the $60 billion in supply‑chain attack losses reported in 2025 and leverages Docker’s reach—over 20 billion monthly pulls on Docker Hub—to raise security standards across the industry. By making hardened images freely available, Docker aims to eliminate a “security poverty line” and make secure software delivery a baseline feature rather than a premium add‑on.
- Key features of the free DHI set:
  - Minimal, production‑ready base images built with security in mind (Alpine, Debian, etc.) that require no changes to existing Dockerfiles.
  - Hardened Helm charts for Kubernetes and trusted versions of security‑focused servers such as MongoDB, Grafana, and GitHub’s Model Context Protocol (MCP) server.
- Commercial options remain:
  While the core hardened technology is now open source, Docker continues to offer a paid “DHI Enterprise” tier. This tier provides stricter service level agreements, extended support, and compliance guarantees for organizations operating in regulated environments.
- Broader impact:
  By democratizing access to secure container images, Docker hopes to set new industry norms that protect developers and end users alike from supply‑chain attacks, while still offering enterprise‑grade services for those who need them.
Lies-in-the-Loop Attack Turns AI Safety Dialogs into Remote Code Execution Attack
Date: 22 December, 2025
Summary:
Lies‑in‑the‑Loop: A New Attack on AI Code Assistants
Researchers have identified a novel attack that turns the very safety mechanisms of popular AI code assistants—such as Claude Code and Microsoft Copilot Chat—into a vulnerability.
- What is it?
  The technique, dubbed Lies‑in‑the‑Loop, tricks users into approving malicious code execution by fabricating approval dialogs within Human‑in‑the‑Loop (HITL) systems. Attackers inject hidden or obfuscated text around dangerous commands so that the user scrolls past and clicks “Approve” without noticing the payload.
- How it works
  1. Poisoning the prompt – Malicious instructions are injected into the AI’s context through external sources (code repositories, webpages).
  2. Benign‑looking dialog generation – The assistant produces an approval dialog that appears harmless and is based on the poisoned instructions.
  3. User confirmation – When the user clicks “Approve,” the hidden malicious commands are executed (e.g., launching calculator.exe, but potentially more destructive payloads).
  Markdown‑injection vulnerabilities can amplify the trick by creating entirely fake dialogs that evade visual detection.
- Why it matters
  Current AI providers acknowledge the findings but do not yet treat them as a core threat model, citing the need for several non‑default steps to succeed. Nonetheless, the attack exposes a fundamental flaw: relying on unverified dialog content opens a social‑engineering vector at the human‑AI interface. As agents become more autonomous, traditional HITL safeguards must be rethought to counter such sophisticated manipulation.
- Bottom line
  Lies‑in‑the‑Loop demonstrates that safety dialogs can be subverted by carefully crafted prompt injection and hidden text, urging a redesign of how approval mechanisms are presented and verified in AI code assistants.
Multiple Exim Server Vulnerabilities Let Attackers Seize Control of the Server
Date: 22 December, 2025
Summary:
Exim 4.99 Vulnerabilities (CVE‑2025‑26794)
- What was found:
  NIST security researchers discovered two critical flaws that affect Exim 4.99 when it is compiled with SQLite hint‑database support. The issues allow a remote attacker to inject malicious code and, in some cases, corrupt memory on the server.
- Key technical details
  - SQL Injection – An incomplete patch fails to escape single quotes in SQL queries that use the SQLite database. Attackers can craft SMTP commands (for example, malformed email addresses) that inject arbitrary SQL, potentially compromising the server’s database.
  - Heap Buffer Overflow – Certain fields from the hint database are used as array bounds without validation. By sending specially crafted data, an attacker can overflow a heap buffer by up to roughly 1.5 MB, giving precise control over memory writes. Full remote code execution is currently difficult because of modern mitigations such as ASLR, but sophisticated attackers with more resources could still succeed.
- Exploitable configuration
  The flaws are triggered only when:
  - Exim is built with SQLite hint‑database support.
  - Rate‑limited ACLs use attacker‑controlled values (e.g., per_addr mode or unique parameters that rely on sender addresses).
- Current exploit status
  Researchers demonstrated memory corruption but were unable to achieve full remote code execution at present. The vulnerability remains a high‑risk threat for systems that meet the above configuration.
- What Exim maintainers are doing
  Patches are in progress and will include:
  - Proper single‑quote escaping in all SQL queries.
  - Validation checks on database field sizes to prevent overflows.
- Recommended actions for administrators
  1. Apply patches as soon as they become available – keep your Exim installation up to date.
  2. Disable SQLite hint‑database support temporarily if you cannot patch immediately.
  3. Restrict ACL configurations that use sender addresses in rate‑limit rules until the fix is applied.
- Coordinated disclosure
  The research team has notified Exim maintainers and is working with them under a coordinated disclosure window to give developers time to release a safe, comprehensive patch before detailed exploit information is made public.
Hackers Using Phishing Tools to Access M365 Accounts via OAuth Device Code
Date: 22 December, 2025
Summary:
OAuth Device Code Phishing Attacks on Microsoft 365 – Key Takeaways
- What the attack looks like
  - Threat actors send emails or messages that link to a fake Microsoft login page.
  - The spoofed page displays a “device code” and asks users to enter it on the real microsoft.com/devicelogin site.
  - When the victim submits the code, attackers receive an OAuth token that grants full control of the M365 account.
- Who’s behind it
  - The technique is being used by a mix of financially motivated groups (e.g., TA2723) and state‑aligned actors (e.g., UNK_AcademicFlare).
  - Attacks have surged since September 2025, affecting government, academia, and private organizations.
- Tools that enable the campaigns
  - SquarePhish2: Automates phishing with QR codes and attacker‑hosted servers, lowering the skill barrier for attackers.
  - Graphish: Uses Azure App Registrations and reverse proxies to perform man‑in‑the‑middle attacks, capturing credentials and session tokens.
- Why it’s hard to detect
  - The flow uses legitimate Microsoft authentication endpoints, so standard security controls may not flag the activity.
  - Once a token is issued, attackers can move laterally within the tenant, exfiltrate data, or establish persistence.
- Effective defenses
  1. Conditional Access policies – block or limit device‑code flows to approved users, IP ranges, or devices.
  2. Device compliance and registration – require sign‑ins only from compliant, registered hardware.
  3. User awareness training – educate staff not to enter device codes on unfamiliar pages and to verify URLs before submitting credentials.
- Bottom line
  Attackers are exploiting a legitimate Microsoft feature—OAuth 2.0 device authorization—to bypass traditional security checks. By combining phishing, automated tools, and a deep understanding of Microsoft’s authentication mechanisms, they can achieve full account takeover with relative ease. Robust policy controls coupled with vigilant user education remain the best countermeasures against this evolving threat.
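Defence 1 above has a detection-side counterpart. This is an added example, not from the article: it triages exported Microsoft Entra sign-in records, selecting those where the Graph signIn field authenticationProtocol is "deviceCode" and comparing the user and source IP against an allow-list of identities expected to use that flow. The allow-list, the approved IP range and the sample records are constructed for the example.

```python
"""Triage Microsoft Entra sign-in records for OAuth device-code flows that
fall outside an approved allow-list.

Added example, not from the original article. The Graph `signIn`
resource records authenticationProtocol == "deviceCode" for this flow,
so an exported sign-in log can be filtered on that field and checked
against the policy that Conditional Access is meant to enforce. The
allow-list, approved egress range and sample records are constructed."""
import ipaddress
import json

# Constructed policy: the only identity expected to use device code
# (a headless CI runner) and the egress range it should come from.
APPROVED_USERS = {"ci-runner@contoso.example"}
APPROVED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def ip_approved(ip):
    """True when the IP is inside an approved range; unparsable -> False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in APPROVED_RANGES)


def triage(record):
    """Return a finding dict for a device-code sign-in that breaks policy,
    or None for any other record (non-device-code, or fully approved)."""
    if record.get("authenticationProtocol") != "deviceCode":
        return None
    upn = record.get("userPrincipalName", "").lower()
    ip = record.get("ipAddress", "")
    reasons = []
    if upn not in APPROVED_USERS:
        reasons.append("user_not_approved")
    if not ip_approved(ip):
        reasons.append("ip_not_approved")
    if not reasons:
        return None
    return {
        "time": record.get("createdDateTime"),
        "user": upn,
        "ip": ip,
        "app": record.get("appDisplayName"),
        "reasons": reasons,
        # errorCode 0 means a token was actually issued; anything else is a
        # blocked or failed attempt, still worth correlating with phishing.
        "succeeded": record.get("status", {}).get("errorCode", 0) == 0,
    }


def triage_all(records):
    """Findings for a list of sign-in records, successful sign-ins first."""
    findings = [f for f in (triage(r) for r in records) if f]
    return sorted(findings, key=lambda f: (not f["succeeded"], f["time"]))


# Constructed sample export (field names follow the Graph signIn resource).
SAMPLE_SIGN_INS = json.loads("""[
 {"createdDateTime": "2025-12-20T08:01:00Z",
  "userPrincipalName": "ci-runner@contoso.example", "ipAddress": "203.0.113.10",
  "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI",
  "status": {"errorCode": 0}},
 {"createdDateTime": "2025-12-20T08:05:00Z",
  "userPrincipalName": "dana@contoso.example", "ipAddress": "198.51.100.77",
  "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office",
  "status": {"errorCode": 0}},
 {"createdDateTime": "2025-12-20T08:06:00Z",
  "userPrincipalName": "dana@contoso.example", "ipAddress": "198.51.100.77",
  "authenticationProtocol": "oAuth2", "appDisplayName": "Outlook",
  "status": {"errorCode": 0}},
 {"createdDateTime": "2025-12-20T07:59:00Z",
  "userPrincipalName": "lee@contoso.example", "ipAddress": "192.0.2.5",
  "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI",
  "status": {"errorCode": 50126}}
]""")

if __name__ == "__main__":
    for f in triage_all(SAMPLE_SIGN_INS):
        print(("ISSUED " if f["succeeded"] else "failed ")
              + f"{f['time']} {f['user']} from {f['ip']} via {f['app']}: "
              + ", ".join(f["reasons"]))
```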
125,000 IPs WatchGuard Firebox Devices Exposed to Internet Vulnerable to 0-day RCE Attacks
Date: 22 December, 2025
Summary:
- What’s happening?
  Shadowserver has confirmed that roughly 125 000 WatchGuard Firebox firewalls worldwide are affected by a critical zero‑day (CVE‑2025‑14733). The flaw is an out‑of‑bounds write in the IKEv2 VPN key‑exchange process, giving unauthenticated remote attackers the ability to run arbitrary code on the device. With a CVSS score of 9.8, the vulnerability is classified as critical.
- Who’s at risk?
  The attack vector targets firewalls that use IKEv2 for mobile or branch‑office VPNs, especially those configured with dynamic gateway peers. Even if an administrator deletes VPN settings, devices can remain vulnerable if static‑gateway tunnels are still active—often called “zombie” configurations.
- Why it matters now
  Shadowserver reports that threat actors are actively exploiting the flaw in the wild. The exposure is a genuine zero‑day for unpatched devices, and WatchGuard has released indicators of compromise (IOCs) to help defenders detect activity.
- Key signs to look for:
  - Certificate chain anomalies in firewall logs.
  - Large IKE_AUTH payloads exceeding 2 000 bytes.
  - Traffic from four IP addresses that have been identified as active exploiters.
- Immediate actions for organizations:
  1. Apply the latest patches to all affected Firebox devices without delay—multiple OS versions are impacted.
  2. Monitor VPN traffic and audit logs for suspicious IKEv2 activity, paying particular attention to the IOC patterns above.
  3. Rotate locally stored credentials on any appliances that may have been compromised.
- Background context:
  This is WatchGuard’s second major exposure highlighted by Shadowserver; a prior vulnerability (CVE‑2025‑9242) had already affected more than 75 000 devices.
Bottom line: The flaw is actively exploited and poses an immediate, severe threat. Prompt patching, vigilant monitoring of VPN activity, and credential rotation are essential to protect your network.
Now Admins Can Block External Users in Microsoft Teams From Defender Portal
Date: 22 December, 2025
Summary:
Microsoft Enhances External Access Control by Unifying Teams and Defender
Microsoft has announced a new feature that brings Microsoft Teams blocking capabilities directly into the Microsoft Defender portal. The change will let administrators manage blocked external users and domains from the Tenant Allow/Block List (TABL), eliminating the need to switch between separate admin centers.
What’s changing?
- From early‑mid January 2026, security teams can block or unblock specific email addresses or entire domains for Teams chats, messages, meetings, and calls through TABL in Defender.
- The integration keeps existing Teams settings intact while applying the new restrictions automatically.
Key benefits
- Centralized management: One interface to control external access across all Teams services.
- Improved security posture: Quickly prevent unwanted communications by blocking users or domains.
- Granular limits: Up to 4,000 domains or 200 individual email addresses can be blocked per tenant.
- Audit logging: Every block or unblock action is recorded for compliance and monitoring.
Requirements & rollout
- The feature requires Microsoft Defender for Office 365 Plan 1 or Plan 2.
- Teams must be configured to allow security teams to manage blocked domains.
- Worldwide availability is expected by mid‑January 2026, with the rollout beginning in early January.
By consolidating control into Defender, Microsoft aims to streamline threat defense across the Microsoft 365 ecosystem and reduce administrative overhead for security professionals.
Threat Actors are Hiring Insiders in Banks, Telecoms, and Tech from $3,000 to $15,000 for Access or Data
Date: 22 December, 2025
Summary:
Insider Recruitment Drives on the Darknet: What Organizations Need to Know
- Why insiders are the new “golden ticket” for cyber‑criminals
  - Employees in high‑value sectors—banks, telecom operators, tech giants, and cryptocurrency exchanges—have privileged access that can bypass traditional perimeter defenses.
  - By bribing or coercing these insiders, attackers gain entry to corporate networks, user devices, and cloud environments, enabling data theft, sabotage, or financial fraud.
- Targeted industries
  - Financial & Crypto: Banks, Federal Reserve partners, Coinbase, Binance, Kraken, Gemini.
  - Telecom: Employees who control SIM‑swap processes.
  - Tech & Retail: Companies such as Apple, Samsung, Xiaomi, and other large vendors.
- How the recruitment operates
  - Darknet forums (predominantly Russian language) and encrypted messaging platforms like Telegram host “job” postings.
  - Advertisements employ emotional manipulation—promising escape from a monotonous job or quick financial freedom—to lure victims.
  - Specific tasks are listed: disabling endpoint protection, handing over VPN or admin credentials, installing remote access tools, exfiltrating databases (e.g., a recent sale of 37 million crypto‑exchange user records for $25 k).
- Payment structure
  - Payouts range from $3 000 to $15 000 per assignment; some long‑term gigs offer weekly payments around $1 000.
  - Transactions are conducted in cryptocurrency (Bitcoin or Monero) to maintain anonymity.
- Why this trend matters
  - Insiders can bypass external defenses, making detection and mitigation more difficult.
  - Industries with direct access to funds or sensitive data face amplified risk of financial loss and reputational damage.
  - The rise of insider‑based attacks underscores the need for proactive measures: continuous monitoring of privileged accounts, robust employee education on phishing and social engineering, and tighter controls over access rights.
- Key takeaway
  Cyber‑criminals are pivoting from pure external hacking to recruiting insiders inside high‑value organizations. This shift demands that companies strengthen internal security postures, treat insider threats as a top priority, and remain vigilant against the subtle recruitment tactics proliferating on darknet forums.
DIG AI – Darknet AI Tool Enabling Threat Actors to Launch Sophisticated Attacks
Date: 22 December, 2025
Summary:
DIG AI – A New Dark‑Side Weapon for Cybercrime
Resecurity researchers have uncovered DIG AI, a fully uncensored artificial‑intelligence platform that now operates exclusively on the Tor network. Unlike mainstream models that embed safety filters, DIG AI is deliberately “jailbroken,” giving threat actors instant access to powerful text, code, and image generation tools without any ethical safeguards.
- Core Models
  - DIG‑Uncensored – unrestricted text and code generation, ideal for crafting phishing scripts, ransomware payloads, or other malicious software.
  - DIG‑GPT – a “jailbroken” ChatGPT Turbo clone that can produce detailed instructions for cyberattacks or illicit manufacturing processes.
  - DIG‑Vision – a Stable Diffusion‑based image generator capable of creating deepfakes and child sexual abuse material (CSAM).
- Anonymity & Ease of Use
  - Accessible via the Tor network with no registration required, allowing users to remain completely anonymous.
  - Generates content in real time; premium paid tiers cut processing delays from several minutes to a few seconds.
- Malicious Capabilities
  - Produces obfuscated JavaScript backdoors and web shells that can steal data, redirect traffic, or inject malware into victim systems.
  - Provides step‑by‑step instructions for building explosives or illicit drugs.
  - Enables the creation of CSAM through its Vision model.
- Business Model
  Operated under the alias “Pitch,” DIG AI is marketed on underground marketplaces as a “Crime‑as‑a‑Service.” Sellers offer paid options that reduce generation time and provide additional support, effectively turning AI into a turnkey weapon for cybercriminals.
- Threat Landscape
  - Since its first detection on September 29, 2025, usage of DIG AI has surged—particularly during the holiday season.
  - The platform is part of a broader wave of “Dark LLMs” (e.g., FraudGPT, WormGPT) that have seen more than a 200% increase in forum mentions from 2024 to 2025.
  - Because threat actors can run these models on their own infrastructure, detection by traditional security platforms is exceedingly difficult.
- Implications for Global Security
  - DIG AI represents a “fifth domain of warfare,” where weaponized AI is already operational and can be deployed at scale without oversight.
  - Its availability threatens major upcoming events such as the Milan Winter Olympics and the FIFA World Cup in 2026, raising concerns about coordinated cyberattacks on critical infrastructure or mass‑communication systems.
Bottom Line
DIG AI lowers the barrier for sophisticated cybercrime by providing uncensored, high‑performance AI tools that can automate attacks and produce limitless illegal content. The cybersecurity community must respond with immediate countermeasures, policy updates, and international cooperation to mitigate this emerging threat.
⚡ Weekly Recap: Firewall Exploits, AI Data Theft, Android Hacks, APT Attacks, Insider Leaks & More
Date: 22 December, 2025
Summary:
Cybersecurity Landscape – Week‑in‑Review
- Shift to “quiet” attacks
  - Attackers are moving away from headline‑making breaches and instead targeting everyday, trusted software and devices—firewalls, browser extensions, smart TVs, even embedded browsers in consumer electronics. A single unpatched flaw can become an entry point for many others.
- Exploits of network security products
  - Fortinet, SonicWall, Cisco and WatchGuard all suffered real‑world exploitation of CVEs this week. For example, Cisco’s AsyncOS (CVE‑2025‑20393) was used by a China‑based APT to drop ReverseSSH; SonicWall SMA 100 RCE via CVE‑2025‑40602 was also leveraged.
- Browser extension data theft
  - A popular Chrome/Edge extension that harvested every AI chat prompt from over 8 million users was discovered and removed from the store. This shows how even benign‑looking add‑ons can become mass‑data harvesters.
- Targeted campaigns against governments
  - The “Ink Dragon” threat actor is focusing on European, Asian and African government entities, repurposing compromised hosts as covert infrastructure.
  - In Southeast Asia and Japan, the “LongNosedGoblin” group abuses Group Policy to deploy malware (NosyDoor) across governmental networks.
- IoT botnets and QR‑code delivery
  - The Kimwolf botnet now controls roughly 1.8 million Android TVs worldwide, spreading globally and potentially linked to earlier DDoS incidents.
  - North Korean actors are using phishing sites that host QR codes impersonating package‑delivery services to push Android malware.
- Business Email Compromise (BEC) scale
  - “Scripted Sparrow” is sending over three million emails per month, posing as executive coaching consultancies and using dozens of bank accounts to siphon funds.
- Android adware campaigns
  - GhostAd is a large‑scale Android adware targeting users in the Philippines, Pakistan and Malaysia, running persistent background advertising engines that drain resources.
- Outdated browsers on smart devices
  - A study found many smart TVs, e‑readers and gaming consoles ship embedded web browsers that are up to three years behind. This creates a hidden attack surface for phishing and other exploits.
- Insider recruitment on the dark web
  - Dark‑web ads offering $3k–$15k to insiders who can provide privileged access to finance, crypto firms, Accenture, Netflix, Spotify and more highlight the growing importance of deep‑web monitoring.
- AI‑powered malware evolution
  - New MaaS offerings like AuraStealer spread via TikTok “Scam‑Yourself” videos, harvesting browsers, wallets, credentials and screenshots. Other stealers such as Stealka and Phantom are also active.
  - Large Language Models (LLMs) are being used to accelerate ransomware lifecycles—automating reconnaissance, phishing email drafting and even code generation.
- Regulatory and legal actions
  - The FBI has warned of campaigns impersonating U.S. government officials through smishing/vishing, urging vigilance against social‑engineering scams that request authentication codes or personal data.
  - Denmark’s Defence Intelligence Service blamed pro‑Russian hacktivist groups for recent cyberattacks on a water utility and pre‑election DDoS attacks.
  - The Texas Attorney General sued major TV manufacturers (Sony, Samsung, LG, Hisense, TCL) over alleged covert viewing‑data collection via automatic content recognition.
- Trending CVEs
  - Over 30 critical bugs were highlighted this week across various products—including Cisco AsyncOS, SonicWall SMA 100, WatchGuard, HPE OneView, NVIDIA & Microsoft Windows Admin Center, Apache and others—underscoring the need for rapid patching.
- Industry events and tools
  - A virtual Cyber Forum 2026 is slated to focus on AI innovation in security operations.
  - Open‑source tools such as Tracecat (workflow orchestration) and Metis (AI‑powered code review) are emerging, though they require careful use.
Bottom line:
Attackers now rely on low‑profile, high‑frequency exploits targeting everyday infrastructure. Immediate patching of highlighted CVEs, stricter vetting of browser extensions, vigilance against social‑engineering scams, and proactive monitoring of IoT devices are critical to prevent these quiet breaches from escalating into larger incidents.
How to Browse the Web More Sustainably With a Green Browser
Date: 22 December, 2025
Summary:
- The article argues that everyday internet use—heavy tabbing, intrusive ads, and a laundry‑list of extensions—drains device power and creates unnecessary digital waste.
- A “green” browser should address this by using fewer resources, cutting out redundant data loads, and operating with minimal background processes while still feeling like any modern browser.
- Wave Browser is presented as a leading example:
  - Built‑in tools such as an ad blocker, memory‑saving features, split view, sidebar, reading list, and content organizer mean users rarely need third‑party extensions.
  - The interface stays familiar—no new habits or friction are required; it simply runs more efficiently behind the scenes.
  - Wave partners with 4ocean: every download or usage supports verified ocean‑cleanup projects aimed at removing 300,000 pounds of trash by 2028. Progress is displayed on the browser’s homepage and in monthly reports.
  - By eliminating extra scripts, data requests, and background activity, Wave keeps devices cooler and reduces power consumption over time.
- The takeaway is that choosing an eco‑conscious browser like Wave lets users maintain performance while making a scalable, low‑effort contribution to environmental sustainability—particularly in the fight against ocean plastic pollution.
Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale
Date: 22 December, 2025
Summary:
Mobile Malware Landscape in Central Asia and South Asia – Key Takeaways
- Wonderland (formerly WretchedCat) – Uzbekistan
  - A sophisticated Android SMS‑stealing campaign that uses dropper apps disguised as legitimate Google‑Play, video or dating‑app downloads.
  - After installation the dropper silently installs a second payload without requiring an internet connection, enabling real‑time theft of OTPs, bank card data and other personal information via Telegram‑based command & control (C2).
  - Distribution tactics include fake Google‑Play web pages, Facebook ads, dating‑app profiles, stolen Telegram sessions sold on dark‑web markets, and an “install update” trick that forces users to enable “unknown sources.”
  - The operation is organized with a hierarchical structure: owners, developers, validators and workers who receive a cut of the stolen funds.
  - Two distinct dropper families (MidnightDat – Aug 2025; RoundRift – Oct 2025) each rotate C2 domains to defeat blacklists. A dedicated Telegram bot creates malicious APKs that are sold to contractors.
- Emerging Threats in the Region
  - Cellik – a RAT that offers an easy‑to‑use one‑click APK builder, allowing attackers to embed keylogging, remote camera/mic access, screen streaming and data wiping inside legitimate Google‑Play apps.
  - Frogblight – targets Turkish users through SMS phishing about court documents; it harvests banking credentials, call logs, installed apps and can send arbitrary SMS.
- NexusRoute – India
  - A professionally engineered Remote Access Trojan (RAT) distributed via fake government‑service portals that redirect to malicious APKs hosted on GitHub/GitHub Pages.
  - The malware steals phone numbers, vehicle data, UPI PINs, OTPs, card details, contacts, call logs, files, screenshots, microphone input and GPS location. It exploits Android accessibility services and prompts users to set the RAT as their default launcher.
  - NexusRoute’s use of official‑looking branding demonstrates a growing trend of weaponizing trust to lower the barrier for mobile malware deployment.
- Common Themes Across Campaigns
  - Dropper Architecture – Bypasses security checks, reduces visibility and complicates reverse engineering.
  - Dynamic C2 Infrastructure – Frequent domain churn and Telegram‑based controls make blacklisting ineffective.
  - Social Engineering & Trust Exploitation – Fake app stores, government portals, dating profiles and paid Telegram sessions lure victims into sideloading malicious code.
  - Financial Motivation – All campaigns are part of larger organized operations that profit from SMS fraud, card skimming and data theft.
Overall Assessment
The mobile malware ecosystem in Uzbekistan and India is maturing rapidly. Attackers now combine advanced obfuscation, dropper delivery, dynamic command‑and‑control, and sophisticated social‑engineering to evade detection and maximize revenue. Users should remain vigilant against unfamiliar app sources, verify official portals, and keep device security settings (e.g., unknown source permissions) strictly controlled.
Not all CISA-linked alerts are urgent: ASUS Live Update CVE-2025-59374 SECURITY
Date: 22 December, 2025
Summary:
ASUS Live Update CVE‑2025‑59374 – What It Really Means
- The vulnerability is a historical case, not a new threat. The CVE documents a supply‑chain attack that took place in 2018–2019 (often referred to as “ShadowHammer”) where malicious code was inserted into ASUS Live Update binaries and delivered to a limited number of devices.
- Affected product is no longer supported. ASUS Live Update reached End‑of‑Support (EOS) in October 2021. No current ASUS hardware uses the vulnerable version, and the last released build—3.6.15—was already superseded long before the CVE was published.
- Recent updates are for record‑keeping only. The ASUS FAQ page was refreshed on December 6 2025 to reflect that EOS had been declared on December 4 2025 and to note the final supported version. No new patches or remediation steps were introduced, and the guidance remains unchanged.
- CISA’s KEV listing is retrospective. CISA included CVE‑2025‑59374 in its Known Exploited Vulnerabilities catalog as part of a comprehensive documentation effort. The agency explicitly states that inclusion does not imply active exploitation or an immediate risk.
- No urgent action required for users. Because the software is unsupported and no modern devices are affected, there is no pressing need to upgrade or apply additional safeguards beyond what was already done when the product reached EOS.
Lesson for security teams:
Treat CVEs that appear on CISA’s KEV list with nuance, especially when they involve legacy or retired software. Verify whether a vulnerability poses an active threat before allocating resources to patching or monitoring.
Bottom line: The CVE is a formal record of an old supply‑chain attack against an end‑of‑life ASUS product; it does not represent a new, exploitable risk today.
Ukrainian hacker admits affiliate role in Nefilim ransomware gang SECURITY
Date: 22 December, 2025
Summary:
Ukrainian national pleads guilty to Nefilim ransomware conspiracy
- Artem Aleksandrovych Stryzhak, 35, admitted in a U.S. federal court that he helped orchestrate the Nefilim ransomware campaign, which targeted high‑revenue firms across the United States, Norway, France, Switzerland, Germany and the Netherlands.
- He was arrested in Spain in June 2024, extradited to the U.S. on April 30 2025, and now faces up to 10 years in prison. Sentencing is scheduled for May 6 2026.
Key details of the operation
- Stryzhak gained access to the Nefilim code in June 2021 by trading a share of ransom proceeds (estimated at 20 %) for the software.
- The group custom‑coded malware for each victim, supplied decryption keys, and issued tailored ransom demands.
- Initial targets were firms with more than $100 million in annual revenue; later they focused on companies earning over $200 million.
- They used public data platforms such as ZoomInfo to vet prospects and threatened to leak stolen data via “Corporate Leaks” sites if ransoms weren’t paid.
Co‑conspirator hunt
- The U.S. State Department is offering up to $11 million for information that leads to the arrest of Volodymyr Tymoshchuk, a co‑conspirator who remains at large and is wanted by the FBI and EU.
- Tymoshchuk has been accused of administering multiple ransomware operations—including LockerGoga, MegaCortex and Nefilim—that harmed hundreds of companies worldwide from July 2020 to October 2021.
Side note on identity & access management
- A brief editorial highlights that poor Identity & Access Management (IAM) is not merely an IT problem but a broader organizational risk.
- It outlines why conventional IAM solutions fail today, showcases effective IAM practices, and offers a checklist for building scalable strategies, citing companies such as Bitpanda, KnowBe4 and PathAI as examples.
Critical RCE flaw impacts over 115,000 WatchGuard firewalls SECURITY
Date: 22 December, 2025
Summary:
WatchGuard Firebox Vulnerability – CVE‑2025‑14733
- Severity & Impact
  - Classified as Critical by WatchGuard and CISA.
  - Allows unauthenticated remote code execution (RCE) without any user interaction.
  - Over 115,000 unpatched Fireboxes were found online; Shadowserver reported more than 124k devices on a single day.
- Affected Products
  - Fireware OS versions: 11.x+ (including 11.12.4_Update1), 12.x+ (including 12.11.5), and 2025.1 up to 2025.1.3.
  - Devices must be configured for IKEv2 VPN, especially those using dynamic gateway peers or Branch‑Office VPNs (BOVPN) to static gateways.
- Exploitation Status
  - The flaw is actively exploited in the wild; attackers can gain full control of a vulnerable firewall.
- Vendor Response & Mitigation Steps
  1. Patch immediately – WatchGuard released security updates on the same day as the advisory.
  2. If patching cannot occur right away:
     - Disable dynamic‑peer BOVPNs.
     - Add new firewall policies and disable default system policies that handle VPN traffic.
  3. Rotate locally stored secrets on any device that shows signs of compromise.
- Regulatory Actions
  - CISA added CVE‑2025‑14733 to its Known Exploited Vulnerabilities (KEV) catalog.
  - Federal Civilian Executive Branch agencies were ordered to patch by December 26 under BOD 22‑01, mirroring previous directives for earlier WatchGuard flaws.
- Historical Context
  - This is part of a pattern of high‑impact RCE vulnerabilities affecting WatchGuard devices in recent years (e.g., CVE‑2025‑9242, CVE‑2022‑23176).
  - Shadowserver routinely reports tens of thousands of vulnerable Fireboxes worldwide, underscoring ongoing exposure risks.
- Broader Implications
  - The incident highlights the intersection between identity and access management (IAM) practices and core network infrastructure security.
  - Vulnerabilities in foundational devices can cascade through an organization’s entire IT ecosystem.
Bottom Line:
Organizations operating WatchGuard Firebox firewalls—especially federal agencies under the current BOD—must prioritize applying the latest patches or, if that is not immediately possible, implement the outlined temporary mitigations. This event reinforces the necessity of proactive vulnerability management and integrated IAM/IT security strategies.
Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens
Date: 22 December, 2025
Summary:
Supply‑Chain Attacks Reveal Rising Sophistication in Package Registry Threats
- WhatsApp API hijack on npm
  - A package called “lotusbail” masquerades as a legitimate WhatsApp Web API wrapper.
  - It has been downloaded more than 56,000 times, with a recent spike of roughly 700 downloads per week.
  - The code intercepts the @whiskeysockets/baileys library to steal credentials, capture every message and media file, harvest contacts, and install a persistent back‑door.
  - A hard‑coded pairing token links the attacker’s device to the victim’s WhatsApp account, giving continuous access even after the app is uninstalled.
  - The malware encrypts exfiltrated data before sending it to an attacker‑controlled server and includes anti‑debugging measures that stall any debugging attempts.
- Malicious NuGet packages targeting crypto developers
  - Fourteen deceptive packages have appeared on NuGet, impersonating popular blockchain libraries such as Nethereum, Solnet, Binance, and Coinbase.
  - When a developer calls functions in these libraries, the code redirects transfers above $100 to attacker wallets or exfiltrates private keys and seed phrases.
  - One package named GoogleAds.API steals OAuth tokens for Google Ads accounts, allowing attackers full control over advertising budgets.
  - The bad actors inflate download counts, release frequent version updates, and use multiple publisher accounts to create a façade of legitimacy.
Key Takeaways
- These incidents underscore how supply‑chain attacks exploit the trust developers place in third‑party libraries.
- Traditional security controls that focus on obvious malicious signatures may miss such threats because the payload is hidden behind legitimate-looking functionality.
- Developers should review dependencies carefully, monitor download trends for sudden spikes, and consider runtime integrity checks or static analysis that looks beyond surface behavior to detect hidden hooks.
Bottom line: Legitimate‑looking packages can harbor sophisticated malware that activates only during normal use, making vigilant dependency management essential in today’s software development environment.
Malicious npm package steals WhatsApp accounts and messages SECURITY
Date: 22 December, 2025
Summary:
Malicious NPM Package “lotusbail” Targets WhatsApp Users
- A package called lotusbail, disguised as a legitimate WhatsApp Web API wrapper, has been pulled from npm more than 56,000 times in the last six months.
- The library is a fork of the real WhiskeySockets Baileys module but contains hidden code that:
  - Captures WhatsApp authentication tokens and session keys during login.
  - Intercepts every message sent or received, as well as contacts, media files, and documents.
  - Exfiltrates this data to an attacker’s server using a multi‑layer encryption scheme (custom RSA, Unicode tricks, LZString compression, AES).
- By hijacking the WebSocket communication, the malware also links the attacker’s device to the victim’s WhatsApp account during the pairing process. This grants persistent access even after the malicious package is removed; the link remains until the user manually unlinks it in WhatsApp settings.
What Developers Should Do
- Remove the dependency from any Node.js project that includes lotusbail.
- Audit your own WhatsApp accounts for unauthorized linked devices and unlink them immediately.
- Monitor runtime behavior of new dependencies: watch for unexpected outbound connections or abnormal activity during authentication flows, rather than relying solely on static code reviews.
Broader Context
The article also highlights how weak Identity & Access Management (IAM) practices can lead to widespread business risk, citing examples from Bitpanda, KnowBe4, and PathAI. It offers a practical guide and checklist for building a more scalable IAM strategy, underscoring that security is not just about code but also about how access is managed across an organization.
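As an added example that is not part of either lotusbail article above (and not code from the lotusbail or Baileys projects), here is a small Node.js audit that applies the dependency‑review advice from both items to a package-lock.json: it flags the package name the articles call out, flags any third‑party package that declares a dependency on the sensitive @whiskeysockets/baileys library (treating "wraps the library" as "depends on it" is an assumption made for illustration), and checks a constructed series of weekly download counts for the kind of sudden spike the first article mentions.

```javascript
'use strict';

// Package names below come from the articles; all sample data is constructed.
const BLOCKLIST = new Set(['lotusbail']);
// Libraries whose third-party wrappers deserve review because they handle
// account credentials and session keys.
const SENSITIVE = new Set(['@whiskeysockets/baileys']);

// Strip the node_modules prefix from an npm lockfileVersion 3 package path,
// e.g. "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function packageName(lockPath) {
  return lockPath.replace(/^(.*node_modules\/)/, '');
}

// Walk a parsed package-lock.json object and return a list of findings.
function auditLockfile(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // the root project itself
    const name = packageName(lockPath);
    if (BLOCKLIST.has(name)) {
      findings.push({ name, version: entry.version, reason: 'blocklisted package' });
    }
    // Assumption for this example: a package that depends on a sensitive
    // library is treated as a wrapper around it and is flagged for review.
    for (const dep of Object.keys(entry.dependencies || {})) {
      if (SENSITIVE.has(dep) && !SENSITIVE.has(name)) {
        findings.push({ name, version: entry.version, reason: `third-party wrapper around ${dep}` });
      }
    }
  }
  return findings;
}

// Flag a sudden rise in weekly downloads: the newest week is compared with the
// median of the earlier weeks so one outlier in the history cannot mask it.
function downloadSpike(weekly, factor = 3) {
  if (weekly.length < 4) return null; // too little history to judge
  const prior = weekly.slice(0, -1).sort((a, b) => a - b);
  const median = prior[Math.floor(prior.length / 2)];
  const latest = weekly[weekly.length - 1];
  return latest > factor * Math.max(median, 1) ? { latest, median } : null;
}

// Constructed sample lockfile in npm lockfileVersion 3 layout (not real data).
const SAMPLE_LOCK = {
  name: 'chat-bot',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { lotusbail: '^1.0.0', express: '^4.19.0' } },
    'node_modules/lotusbail': {
      version: '1.0.3',
      dependencies: { '@whiskeysockets/baileys': '^6.7.0', axios: '^1.7.0' },
    },
    'node_modules/@whiskeysockets/baileys': { version: '6.7.0' },
    'node_modules/express': { version: '4.19.2' },
    'node_modules/axios': { version: '1.7.4' },
  },
};

// Constructed weekly download counts, oldest first; the final value mimics the
// roughly 700/week jump described in the first article.
const SAMPLE_WEEKLY = [90, 120, 110, 95, 130, 105, 700];

// Run both checks over the sample data and return the combined report.
function runAudit() {
  return { findings: auditLockfile(SAMPLE_LOCK), spike: downloadSpike(SAMPLE_WEEKLY) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runAudit(), null, 2));
}
```

In a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))` and feed downloadSpike with counts from the npm downloads API; the blocklist and sensitive-library set are where your own intelligence goes.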
Romanian water authority hit by ransomware attack over weekend SECURITY
Date: 22 December, 2025
Summary:
Romanian National Water Authority hit by ransomware – critical infrastructure remains operational
- What happened: The national water management agency (Administrația Națională Apele Române) was targeted in a ransomware attack that compromised about 1,000 computer systems across its headquarters and all but one regional office.
- Systems affected: The breach hit servers and workstations running geographic information systems, databases, email, web services, Windows machines and DNS servers. Operational‑technology controls that drive water infrastructure were not touched, so pumps, valves and other critical equipment stayed online.
- How the attack unfolded: Hackers encrypted files with Windows BitLocker and left a ransom note demanding payment within seven days. The exact entry point into the network remains under investigation, and no group has claimed responsibility.
- Operational impact: Despite widespread IT disruption, day‑to‑day water‑management functions – dispatch centers, voice communications, local service crews, forecasting and flood protection – continued normally. No hydrotechnical assets were affected.
- Response and investigation: Romanian cyber‑security agencies (DNSC, National Cyberint Center, Intelligence Service’s Cyberint Center) are probing the incident. The water authority was not previously covered by the national critical‑infrastructure cybersecurity system; integration into protective measures is underway.
- Broader context: This attack follows a series of ransomware incidents against Romanian critical infrastructure, including the Lynx gang’s breach of Electrica Group and a February 2024 attack that hit more than 100 hospitals. International bodies such as CISA, FBI, NSA and EC3 have warned that pro‑Russia hacktivist groups are increasingly targeting essential services worldwide.
Bottom line:
While the ransomware caused significant IT setbacks, Romania’s water operations remained uninterrupted. Authorities continue to investigate the attack vector and are bolstering cyber defenses for the sector.
University of Phoenix data breach impacts nearly 3.5 million individuals SECURITY
Date: 22 December, 2025
Summary:
University of Phoenix data breach – key facts
- In August 2025 the Clop ransomware gang breached the University of Phoenix (UoPX) network by exploiting a zero‑day flaw (CVE‑2025‑61882) in Oracle E‑Business Suite (EBS), the university’s financial application.
- The attackers stole personal data for roughly 3.5 million people, including students, staff, suppliers and former employees. Exposed information consisted of names, dates of birth, Social Security numbers, bank account and routing numbers, as well as other contact details.
- UoPX discovered the breach in late November after Clop posted the stolen data on its leak site. The university publicly disclosed the incident on December 1 via its website and an SEC 8‑K filing.
- Affected individuals received notification letters (including those residing in Maine) and are offered a free identity‑protection package: up to $1 million fraud reimbursement, 12 months of credit monitoring, dark‑web search and identity‑theft recovery services.
Broader context
- Clop has carried out a coordinated campaign against several U.S. universities—Harvard, the University of Pennsylvania, Princeton—and other sectors, all targeting Oracle EBS and using file‑transfer tools such as GoAnywhere MFT, Accellion FTA, MOVEit Transfer, Cleo and Gladinet CentreStack.
- The U.S. Department of State has announced a $10 million reward for information that links Clop’s attacks to a foreign government, reflecting the international dimension of the threat.
Implications for cybersecurity strategy
- The incident exposes the limits of traditional, siloed Identity & Access Management (IAM) approaches. Ransomware groups like Clop can exploit single points of failure—such as an unpatched Oracle application—to access vast amounts of sensitive data.
- Organizations must adopt more integrated IAM solutions that provide continuous monitoring, least‑privilege enforcement, and rapid incident response across all departments, not just IT.
- A practical guide is recommended for building scalable, modern IAM strategies that close these gaps and reduce the risk of future breaches.
In summary, Clop’s zero‑day attack on Oracle EBS enabled a massive exfiltration from UoPX and other universities, prompting widespread notification, identity protection offers and government incentives to trace foreign involvement. The event underscores the urgent need for robust, enterprise‑wide IAM frameworks that can withstand sophisticated ransomware campaigns.
Coupang breach affecting 33.7 million users raises data protection questions SECURITY
Date: 22 December, 2025
Summary:
Coupang Data Breach – A National Security Shock
- Scale & Impact: South Korea’s largest e‑commerce platform, Coupang, confirmed a data breach that exposed the personal information of 33.7 million customers—nearly two‑thirds of the country’s population. It is the biggest e‑commerce security incident in Korean history and could trigger fines up to ₩1.2 trillion (≈$900 million) under the amended Personal Information Protection Act, which allows penalties up to 3 % of annual revenue.
- Timeline & Discovery
  - Unauthorized access began on June 24 and continued until November 8.
  - The breach was first detected on November 6, but full discovery took over two weeks.
- What Was Leaked
  - Usernames, phone numbers, email addresses
  - Delivery address books and purchase histories
  - (Note: none of this data was legally required to be encrypted in Korea.)
- Suspect & Access Method: A former Coupang employee retained access keys after resignation and had privileges to authentication services. The attacker’s long‑term presence was enabled by the company’s delayed detection.
- Why It Matters: Even though the leaked data were not subject to mandatory encryption, combining names, addresses, phone numbers, emails, and purchase details can reveal lifestyle patterns, family structures, and enable targeted spear‑phishing or physical threats. Cross‑matching with previously exposed payment data could allow precise re‑identification.
- Business Implications
  - Loss of customer trust
  - Regulatory fines and costly recovery operations
  - Highlights the gap between legal requirements and actual risk protection
- Recommended Solution – Penta Security’s D.AMO Platform
  - Enterprise‑grade encryption platform with a standalone key‑management system.
  - Deployable via API, plug‑in, or kernel‑level methods without altering existing applications—rollout can be achieved in days instead of months.
  - Offers column‑level selective encryption to minimize performance impact, centralized control, auditing, monitoring, and compatibility across on‑premise, cloud, multi‑cloud, and hybrid environments.
  - Already adopted by over 10,000 enterprises worldwide, including banks, public sector bodies, and large corporates.
Takeaway
The Coupang breach demonstrates that data not legally required to be encrypted can still pose severe risks when aggregated. Companies should adopt robust encryption solutions with centralized key management—such as Penta Security’s D.AMO—to protect customer information beyond the minimum legal requirements and avoid costly breaches, fines, and reputational damage.