It's been a busy 24 hours in the cyber world with significant updates on recent breaches, actively exploited vulnerabilities, new malware and threat actor insights, and a stark warning about AI's impact on the threat landscape. Let's dive in:
Recent Cyber Attacks and Breaches 🚨
- The University of Phoenix has confirmed a data breach impacting nearly 3.5 million individuals, including students, staff, and suppliers. The Clop ransomware gang exploited a zero-day vulnerability (CVE-2025-61882) in the Oracle E-Business Suite (EBS) to steal sensitive personal and financial information. Harvard and the University of Pennsylvania were also hit by this same Clop campaign.
- Romania's national water management agency, Administrația Națională Apele Române (Romanian Waters), was hit by a ransomware attack that compromised approximately 1,000 systems. Attackers used Windows' built-in BitLocker for encryption, leaving ransom notes, but operational technology (OT) systems and water infrastructure remain unaffected. The National Cyber Security Directorate (DNSC) advises against negotiation.
- France's national postal service, La Poste, and its banking arm, La Banque Postale, experienced service disruptions due to a suspected Distributed Denial-of-Service (DDoS) attack just days before Christmas. While no customer data compromise was reported, online services and parcel distribution were affected. This follows the recent arrest of a 22-year-old suspect for hacking the French Interior Ministry's email server.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/university-of-phoenix-data-breach-impacts-nearly-35-million-individuals/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/22/around_1000_systems_compromised_in/
🗞️ The Record | https://therecord.media/romania-national-water-agency-ransomware-attack
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/romanian-water-authority-hit-by-ransomware-attack-over-weekend/
🗞️ The Record | https://therecord.media/la-poste-france-ddos-disruption-days-before-christmas
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/21/infosec_news_in_brief/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/22/asia_tech_news_roundup/
Vulnerabilities and Active Exploitation ⚠️
- Over 115,000 WatchGuard Firebox devices exposed online remain unpatched against a critical remote code execution (RCE) vulnerability, CVE-2025-14733, which is actively being exploited. This flaw affects Fireware OS 11.x, 12.x, and 2025.1, allowing unauthenticated attackers to execute arbitrary code. CISA has added it to its Known Exploited Vulnerabilities (KEV) Catalog, ordering federal agencies to patch immediately.
- Multiple network security products from Fortinet, SonicWall, and Cisco have also seen vulnerabilities actively exploited. A China-nexus APT, UAT-9686, is abusing CVE-2025-20393 in Cisco AsyncOS to deploy malware like ReverseSSH. SonicWall fixed CVE-2025-40602, a local privilege escalation flaw which, combined with CVE-2025-23006, leads to unauthenticated RCE on SMA 100 series appliances.
- CISA recently added CVE-2025-59374, related to the 2018-2019 "ShadowHammer" supply-chain attack on ASUS Live Update, to its KEV catalog. However, it's crucial to note this is a retrospective classification for an End-of-Life (EoL) product and does not indicate a newly emerging threat or renewed urgency for currently supported systems.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/over-115-000-watchguard-firewalls-vulnerable-to-ongoing-rce-attacks/
⚡ The Hacker News | https://thehackernews.com/2025/12/weekly-recap-firewall-exploits-ai-data.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/not-all-cisa-linked-alerts-are-urgent-asus-live-update-cve-2025-59374/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/21/infosec_news_in_brief/
New Threat Research and Tradecraft 🛡️
- Android malware operations are becoming increasingly sophisticated, merging droppers, SMS theft, and RAT capabilities. "Wonderland" (formerly WretchedCat) is targeting Uzbekistan via malicious droppers, using Telegram for C2, stealing SMS/OTPs, and exfiltrating contacts. Other new Android malware like Cellik (RAT with Play Store integration), Frogblight (SMS phishing for banking creds in Turkey), and NexusRoute (government-branded phishing for RAT in India) highlight this trend.
- A malicious npm package named `lotusbail`, masquerading as a legitimate WhatsApp Web API library, has been found stealing WhatsApp authentication tokens and session keys, intercepting messages, and exfiltrating contacts and media files. The package, a fork of WhiskeySockets Baileys, also grants attackers persistent access to victims' WhatsApp accounts even after it is removed.
- The MacSync information stealer for macOS has evolved its distribution method, now delivered via a digitally signed and notarised Swift application. This new dropper successfully evades macOS Gatekeeper checks, though the certificate has since been revoked. MacSync is capable of stealing iCloud keychain credentials, browser passwords, cryptocurrency wallet data, and files.
- Ukrainian national Artem Aleksandrovych Stryzhak pleaded guilty to his role as an affiliate in the Nefilim ransomware gang, which targeted high-revenue businesses globally. Stryzhak received 20% of ransom payments and used "Corporate Leaks" sites to pressure victims. Co-conspirator Volodymyr Tymoshchuk, an alleged administrator for Nefilim, LockerGoga, and MegaCortex, remains at large with an $11 million reward offered for information.
- A pro-Ukrainian cyberespionage group, Goffee (also known as Paper Werewolf), is targeting Russian military personnel and defense-industry organisations with phishing campaigns. Lures include fake New Year concert invitations and official-looking letters from the Ministry of Industry and Trade, often featuring AI-generated decoys with linguistic errors. The group deploys the EchoGather backdoor to collect system information and execute commands.
- Other notable threat actor activities include China-aligned Ink Dragon targeting European governments and repurposing victims for further operations, and LongNosedGoblin using Group Policy to deploy the NosyDoor backdoor in Southeast Asia and Japan. North Korean Kimsuky is spreading DocSwap Android malware via QR codes on phishing sites, while Arcane Werewolf targets Russian manufacturing with the Loki 2.1 implant. RansomHouse has upgraded its encryption to a two-factor scheme, making decryption significantly harder.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/new-macsync-malware-dropper-evades-macos-gatekeeper-checks/
⚡ The Hacker News | https://thehackernews.com/2025/12/android-malware-operations-merge.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/malicious-npm-package-steals-whatsapp-accounts-and-messages/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/ukrainian-hacker-admits-affiliate-role-in-nefilim-ransomware-gang/
🗞️ The Record | https://therecord.media/nefilim-ransomware-hacker-fraud
🗞️ The Record | https://therecord.media/cyber-spies-fake-new-year-concert-russian-phishing
⚡ The Hacker News | https://thehackernews.com/2025/12/weekly-recap-firewall-exploits-ai-data.html
AI's Impact on the Threat Landscape 🤖
- Sanaz Yashar, CEO of Zafran Security and former IDF Unit 8200 "hacking architect," warns that the "WannaCry of AI will happen." She highlights that AI is accelerating the "time-to-exploit" (TTE) to a negative value, meaning vulnerabilities are being weaponised and exploited *before* patches are released.
- Yashar notes that 78% of vulnerabilities are now being weaponised by LLMs and AI, and the increasing use of AI in corporate systems expands the attack surface through prompt injection and AI agent manipulation.
- The greatest danger, she argues, comes from "junior" hackers using AI, who may not understand the full collateral damage of their actions, potentially shutting down critical infrastructure without intent. The solution, she suggests, is also AI, through proactive threat exposure management platforms.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/22/spy_turned_startup_ceo/
Data Privacy Concerns 🔒
- South Korea will now require facial recognition scans for new mobile phone number registrations to combat widespread scams and identity theft. This move comes after two major data breaches this year impacted over half the nation's population, including SK Telecom, which was fined $100 million and ordered to compensate 23 million customers $1.55 billion for poor infosec practices.
- Google is discontinuing its "Dark Web Report" email service, stating it didn't provide "helpful next steps." Users are directed to existing tools like security checkups and password managers, but the "Results about you" tool, which flags personal info in Google Search, requires significant personal data submission.
- A popular Chrome and Microsoft Edge extension, Urban VPN Proxy (with over 7.3 million installs), was caught stealthily harvesting every prompt users entered into AI chatbots like ChatGPT, Claude, and Copilot. This highlights a significant risk of data exposure through seemingly innocuous browser extensions.
- Texas Attorney General Ken Paxton has sued Sony, Samsung, LG, Hisense, and TCL, accusing them of illegally spying on customers by using Automated Content Recognition (ACR) technology in smart TVs. The lawsuit claims ACR captures screenshots and monitors viewing activity without informed consent to serve targeted ads.
- Privacy non-profit noyb has filed GDPR complaints against TikTok, AppsFlyer, and Grindr, alleging unlawful cross-app tracking. A user's Grindr usage, including details about their sexual orientation, was reportedly sent to TikTok via AppsFlyer, raising serious concerns about sensitive data handling.
- A California federal judge has denied NSO Group's request to stay an order preventing them from using WhatsApp infrastructure for spyware attacks. The court found NSO went "far beyond their authorized use" in targeting 1,400 WhatsApp users with Pegasus spyware in 2019.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/22/south_korea_facial_verification/
🗞️ The Record | https://therecord.media/south-korea-facial-recognition-phones
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/21/infosec_news_in_brief/
⚡ The Hacker News | https://thehackernews.com/2025/12/weekly-recap-firewall-exploits-ai-data.html
🗞️ The Record | https://therecord.media/judge-rules-nso-cannot-continue-whatsapp-spyware
Regulatory Actions and Law Enforcement ⚖️
- In response to Japan’s Mobile Software Competition Act (MSCA), Apple and Google have reluctantly begun allowing developers to distribute apps through third-party stores and accept alternative payment providers. Both tech giants expressed concerns about potential increases in malware, fraud, and privacy risks due to these changes.
- An Interpol-coordinated initiative, "Operation Sentinel," led to the arrest of 574 individuals and the recovery of $3 million linked to business email compromise, extortion, and ransomware incidents across Africa. The operation also took down over 6,000 malicious links and decrypted six distinct ransomware variants.
- US authorities have seized the servers and infrastructure of the E-Note cryptocurrency exchange, alleging it laundered over $70 million from ransomware and account takeover attacks since 2017. The site's operator, a 39-year-old Russian national, has been indicted on charges of conspiracy to launder monetary instruments.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/22/asia_tech_news_roundup/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/interpol-led-action-decrypts-6-ransomware-strains-arrests-hundreds/
⚡ The Hacker News | https://thehackernews.com/2025/12/weekly-recap-firewall-exploits-ai-data.html
#CyberSecurity #ThreatIntelligence #Ransomware #Vulnerability #RCE #ZeroDay #APT #Malware #AndroidSecurity #macOSSecurity #DataPrivacy #AI #IncidentResponse #LawEnforcement #InfoSec