This Week #23/24 - Ending 19th December 2025
A Christmas bumper special - though not as exciting as the TV Guide... A combination of some of the top stories over the past couple of weeks (ish).
I missed last week due to personal commitments, so this week you get a two-week-electric-christmas-boogaloo.
As usual, this is a mix of opinion and reporting including sources.
News
Vendor security and attack surface updates
Mostly updates on specific vendors' security (and not-so-security) news items.
Over 25,000 FortiCloud SSO devices exposed to remote attacks - “Fortinet patched the security flaw tracked as CVE-2025-59718 (FortiOS, FortiProxy, FortiSwitchManager) and CVE-2025-59719 (FortiWeb); the vulnerable FortiCloud SSO login feature is not enabled until admins register the device with the company's FortiCare support service”. Fortinet claim that it is not vulnerable UNTIL you enable the FortiCare service, and therefore that it is not on by default - which is pretty bad - basically, if you have a support service enabled you might be vulnerable.
Shadowserver said it's tracking over 25,000 IP addresses with a FortiCloud SSO fingerprint, though with no detail on the specific patch level present. Admins should look to disable FortiCloud SSO until patched. We have seen some fairly big threat actors use Fortinet vulnerabilities, such as when the Chinese Volt Typhoon hacking group backdoored a Dutch Ministry of Defence military network using custom Coathanger remote access trojan (RAT) malware after exploiting two FortiOS SSL VPN flaws. bleepingcomputer.com.
RCE flaw in HPE OneView software - OneView is HPE's infrastructure management software for infrastructure devices - CVE-2025-37164 affects all versions prior to v11.00 and, given how trivial exploitation is, researchers expect it to become more common. bleepingcomputer.com.
HPE added a REST command, executeCommand, which requires no authentication to execute commands. Obviously, this is dumb and is now patched out.
Being on OneView allows an attacker to access VMware, 3PAR storage, etc. by design.
Expect exploitation in the wild as it's so simple.
The vulnerability (executeCommand) was introduced around 2020; feels like a vulndoor.
Zero-Day in Cisco Secure Email Gateway and Secure Email and Web Manager - Per Talos, UAT-9686 is a Chinese-nexus advanced persistent threat (APT) actor who has been using these flaws since at least November - CVE-2025-20393. This is due to diagnostic interfaces being exposed on the internet - Cisco are recommending these interfaces are restricted in a normal configuration. Affected users have been advised that re-imaging devices is the only way to safely remove the APT. talosintelligence.com
We assess with moderate confidence that the adversary, who we are tracking as UAT-9686, is a Chinese-nexus advanced persistent threat (APT) actor whose tool use and infrastructure are consistent with other Chinese threat groups.
As part of this activity, UAT-9686 deploys a custom persistence mechanism we track as “AquaShell” accompanied by additional tooling meant for reverse tunneling and purging logs.
Our analysis indicates that appliances with non-standard configurations, as described in Cisco’s advisory, are what we have observed as being compromised by the attack.
Additional IOC for this: “trendmicro-update.com”
SonicWall SMA1000 Zero-Day - CVE-2025-40602, which targets the AMC interface - attackers combine CVE-2025-40602 with CVE-2025-23006, a critical pre-authentication deserialization vulnerability (CVSS: 9.8), to achieve unauthenticated remote code execution at root level. This doesn't affect SSL VPN configurations.
A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC)
SoundCloud breach and ShinyHunters extortion - SoundCloud disclosed that an ancillary dashboard was breached, exposing the email addresses and public profile data of roughly 28 million accounts (about 20% of users). While no passwords were stolen, the ShinyHunters gang is reportedly extorting SoundCloud and other Mixpanel customers. bleepingcomputer.com.
WatchGuard warn of active exploitation in Fireware OS - WatchGuard has released fixes to address a vulnerability in their firewalling OS that affects VPN usage with IKEv2. CVE-2025-14733 (CVSS score: 9.3). thehackernews.com
IOCs:
A log message stating “Received peer certificate chain is longer than 8. Reject this certificate chain” when the Firebox receives an IKE2 Auth payload with more than 8 certificates
An IKE_AUTH request log message with an abnormally large CERT payload size (greater than 2000 bytes)
During a successful exploit, the iked process will hang, interrupting VPN connections
After a failed or successful exploit, the iked process will crash and generate a fault report on the Firebox
Shadowserver Foundation shows that there are 117,490 internet-exposed WatchGuard instances vulnerable to this.
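The IOCs above are concrete enough to turn into a log check. The following is an added example (not WatchGuard's tooling or anything from the advisory) that scans Firebox-style log lines for the three indicators: the "chain is longer than 8" message, an IKE_AUTH CERT payload over 2000 bytes, and an iked crash or fault report. The line layouts for the IKE_AUTH size and crash events, and the sample lines themselves, are assumptions and constructed data; only the quoted message and the 2000-byte threshold come from the page.

```python
import re
from dataclasses import dataclass

# Indicators quoted from the WatchGuard advisory summary above.
CHAIN_TOO_LONG = "Received peer certificate chain is longer than 8"
CERT_PAYLOAD_LIMIT = 2000  # bytes; the advisory's "abnormally large" threshold

# Assumed layouts: the exact Firebox wording for IKE_AUTH size and crash
# events is not on the page, so adapt these patterns to your own log format.
CERT_PAYLOAD_RE = re.compile(r"IKE_AUTH request from ([^\s,]+).*?CERT payload size (\d+) bytes")
CRASH_RE = re.compile(r"iked process (crash|hang|fault report)", re.IGNORECASE)

# Constructed sample lines (not real appliance output) exercising each indicator.
SAMPLE_LOGS = [
    "2025-12-16 09:12:01 iked IKE_AUTH request from 203.0.113.5, CERT payload size 612 bytes",
    "2025-12-16 09:12:03 iked IKE_AUTH request from 198.51.100.7, CERT payload size 4812 bytes",
    "2025-12-16 09:12:03 iked Received peer certificate chain is longer than 8. Reject this certificate chain",
    "2025-12-16 09:12:09 kernel iked process crash, fault report generated",
    "2025-12-16 09:15:44 iked IKE_AUTH request from 203.0.113.9, CERT payload size 980 bytes",
]

@dataclass
class Finding:
    line_no: int
    indicator: str  # cert_chain_gt_8 | oversized_cert_payload | iked_crash
    detail: str

def scan_logs(lines, limit=CERT_PAYLOAD_LIMIT):
    """Return one Finding per matched indicator, in log order."""
    findings = []
    for n, line in enumerate(lines, 1):
        if CHAIN_TOO_LONG in line:
            findings.append(Finding(n, "cert_chain_gt_8", "peer sent more than 8 certificates"))
        m = CERT_PAYLOAD_RE.search(line)
        if m and int(m.group(2)) > limit:
            findings.append(Finding(n, "oversized_cert_payload", f"{m.group(1)} sent {m.group(2)} bytes"))
        if CRASH_RE.search(line):
            findings.append(Finding(n, "iked_crash", "iked hang/crash or fault report"))
    return findings

def assess(findings):
    """Rough triage: a crash alongside a certificate indicator looks like an attempt, not a quirky client."""
    kinds = {f.indicator for f in findings}
    if "iked_crash" in kinds and kinds & {"cert_chain_gt_8", "oversized_cert_payload"}:
        return "probable exploitation attempt: confirm patch level and VPN availability"
    return "indicator present: review source IPs" if kinds else "no indicators"

if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    print(*[f"line {f.line_no}: {f.indicator} ({f.detail})" for f in found], assess(found), sep="\n")
```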
Credential-spraying attacks on VPN gateways - GreyNoise have observed a coordinated spraying campaign against Palo Alto and Cisco SSL VPN portals. Traffic originated almost exclusively from a hosting provider based in Germany. greynoise.io
8 Million Users' AI Conversations Sold for Profit by “Privacy” Extensions - Urban VPN, a Chrome extension with over 6 million users, recently changed to target and collect data input into certain AI platforms, which is then sold onwards. Recent changes in their terms do cover this, but there is no user-facing way to know this or to disable it. koi.ai
Forescout research finds industrial routers are heavily targeted in OT attacks - OT perimeter devices take the brunt of attacks aimed at OT environments compared to OT assets (PLCs/HMIs): 67% compared to 33%.
What I see all too often in OT environments is unmonitored and isolated networks that don't forgo the same level of scrutiny as corporate assets, while in normal networks phishing or identity-related attacks are easier - OT networks can be a little harder to get into in the same way. itsecurityguru.org
Threat actors tricking big tech firms into sharing data - According to a report by Wired, attackers are pretending to be US law enforcement to request data about users as part of a doxing-as-a-service operation. wired.com
But officers can also make emergency data requests, or EDRs, in cases involving a threat of imminent harm or death. These requests typically bypass any additional verification steps by the companies who are under pressure to fulfill the request as quickly as possible.
Recent Windows updates break VPN access for WSL users - KB5067036 breaks VPN applications for people that use WSL; October's cumulative update is also affected. No fix or workaround. bleepingcomputer.com
"This issue happens because the VPN application's virtual interface doesn't respond to ARP (Address Resolution Protocol) requests," Microsoft said. "Home users of Windows Home or Pro editions are unlikely to experience this issue. It primarily affects connectivity to enterprise resources over VPN, including DirectAccess."
Amazon exposes Russian cyber threat group targeting Western critical infrastructure - A “years-long” state-sponsored campaign targeting certain Western companies, with a bigger pivot this year into enterprise VPN boxes. Attributed to the Russian Main Intelligence Directorate (GRU), with some overlap with APT44. aws.amazon.com thehackernews.com
The activity is notable for using as initial access vectors misconfigured customer network edge devices with exposed management interfaces, as N-day and zero-day vulnerability exploitation activity declined over the time period – indicative of a shift in attacks aimed at critical infrastructure, the tech giant said.
Primary targets:
Energy sector organizations across Western nations
Critical infrastructure providers in North America and Europe
Organizations with cloud-hosted network infrastructure
Amazon blocked 1,800 suspected North Korean scammers seeking jobs - Since 2024 they have stopped 1,800 attempts by DPRK-affiliated groups to join AWS and have seen a 27% increase. theregister.com
Regulatory, Organisational & Governmental Items
Items regarding government, regulation, or updates on bigger breaches.
UK NCSC Cyber Deception Trials - Update from the UK NCSC on cyber deception trials and what they have learned so far. ncsc.gov.uk
UK Foreign Office breach in October confirmed by Ministers - Chris Bryant confirmed "there certainly has been a hack", but details remain sketchy. The Sun on Friday reported that Chinese state-sponsored attackers were behind the intrusion and stole details related to tens of thousands of visa applications. He says “I'm not able to say whether it is directly related to Chinese operatives, or indeed the Chinese state”. theregister.com
Russia is responsible for destructive and disruptive cyberattacks against Denmark - Danish Defence Intelligence Service (DDIS) assesses that Russia was behind a destructive cyber-attack on a Danish water utility in 2024 and a series of DDoS attacks on Danish websites in the run-up to the 2025 municipal and regional council elections. fe-ddis.dk
US Army releases Cyber Defense Review - Covering cyber resilience and cyber disruption. cyberdefensereview.army.mil
Google to shut down Dark Web Monitoring tools - Initially for Google One account holders and later expanded to all, Google is shutting down this service effective February 16 2026 - “We're making this change to instead focus on tools that give you more clear, actionable steps to protect your information online.” All data will be deleted on this date, including previous reports. google.com
NIST Publish Draft Cybersecurity Framework for AI - Draft for public comment. nist.gov
The Cyber AI Profile addresses the following Focus Areas:
Securing AI System Components (Secure)
Conducting AI-Enabled Cyber Defense (Defend)
Thwarting AI-enabled Cyber Attacks (Thwart)
LastPass fined £1.2 million by the ICO - A 2022 data breach compromised the personal information of up to 1.6 million of its UK users in two separate incidents, and LastPass was found to have:
failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database.
While the ICO have said they do not believe passwords were unencrypted, Krebs did report that a slew of crypto-related hacks could be tied to the breach. therecord.media
Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults.
Resource Picks
Guidance: Cyber Essentials Supply Chain Playbook - UK NCSC
This guide will help you protect your business from cyber attacks by supporting you to embed Cyber Essentials in your supply chain.
Updating our guidance on security certificates, TLS and IPsec by ncsc.gov.uk
Today, the NCSC has published updated guidance on deploying and managing security certificates, taking into account trends and practice in the international certificates ecosystem
Guidance: Provisioning and managing certificates in the Web PKI by ncsc.gov.uk
This guidance focuses on server authentication rather than client authentication. Most use cases for client authentication are better served with a privately hosted Public Key Infrastructure (PKI), which the NCSC address in separate guidance.
Dismantling Defenses: Trump 2.0 Cyber Year in Review by krebsonsecurity.com
The Trump administration has pursued a staggering range of policy pivots this past year that threaten to weaken the nation’s ability and willingness to address a broad spectrum of technology challenges, from cybersecurity and privacy to countering disinformation, fraud and corruption. These shifts, along with the president’s efforts to restrict free speech and freedom of the press, have come at such a rapid clip that many readers probably aren’t even aware of them all.
Power tool for incident responders in a Microsoft ecosystem by Bert-Jan
KustoHawk is an incident triage and response tool for Microsoft Defender XDR and Sentinel environments.