Episodes

  • RadioCSIRT English Edition – Your Cybersecurity News for Saturday, December 20, 2025 (Ep.56)
    2025/12/20

    Welcome to your daily cybersecurity podcast.

    Amazon disclosed the detection of a North Korea-linked infiltration during an IT hiring process. A system administrator who claimed to be US-based was identified through persistent keyboard latency exceeding 110 milliseconds to Seattle servers, indicating intercontinental remote operation. The control infrastructure was traced to China. Since April 2024, Amazon reports blocking more than 1,800 fraudulent hiring attempts linked to North Korea, with a 27 percent quarterly increase.

    A Russian APT actor is conducting a credential phishing campaign targeting government entities across the Baltics and the Balkans. The attacks rely on HTML attachments masquerading as PDF documents, embedding institutional decoys and fake authentication forms. Credentials are exfiltrated via formcarry.com, with consistent JavaScript and regex reuse observed since at least 2023.

    Microsoft confirmed a global Microsoft Teams outage impacting message delivery across all regions and clients. The incident started at 14:30 ET and was fully resolved one hour later. No indicators of malicious activity were reported.

    A malware campaign abuses Microsoft Office documents, SVG files, and compressed archives to compromise Windows systems. The attack chain exploits CVE-2017-11882, uses PNG steganography, and process hollowing via RegAsm.exe to deliver RATs and information stealers.

    ATM jackpotting attacks in the United States have been attributed to a criminal group deploying the Ploutus malware via physical access to ATMs. The tradecraft involves hard drive replacement or modification to control cash-dispensing modules. Losses are estimated to exceed $40 million since 2020.

    Don’t think, patch.

    Sources:

    • Amazon infiltration: https://www.clubic.com/actualite-592366-amazon-infiltre-par-un-espion-nord-coreen-finalement-repere-a-cause-de-sa-frappe-clavier.html
    • Russian APT phishing: https://strikeready.com/blog/russian-apt-actor-phishes-the-baltics-and-the-balkans/
    • Microsoft Teams outage: https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-teams-is-down-and-messages-are-delayed/
    • SVG and Office malware campaign: https://cybersecuritynews.com/hackers-weaponize-svg-files-and-office-documents/
    • ATM jackpotting / Ploutus malware: https://www.theregister.com/2025/12/19/tren_de_aragua_atm/

    Your feedback is welcome.
    Email: radiocsirt@gmail.com
    Website: https://www.radiocsirt.com
    Weekly Newsletter: https://radiocsirtintl.substack.com

    8 min
  • RadioCSIRT English Edition – Cybersecurity Daily News, Friday 19 December 2025 (Ep.54)
    2025/12/19

    Welcome to your daily cybersecurity podcast.

    French authorities arrested a 22-year-old individual following the compromise of Interior Ministry systems. The intrusion exposed email accounts and confidential documents, including judicial records and wanted-persons databases. The attack was claimed on BreachForums. The suspect maintained network persistence for several days. The Paris Prosecutor charged unauthorized access to state systems as part of an organized group, punishable by a maximum of ten years' imprisonment.

    WatchGuard published advisory WGSA-2025-00027 addressing CVE-2025-14733, a critical out-of-bounds write in the Fireware OS iked process, CVSS 9.3. Confirmed active exploitation enables remote unauthenticated code execution. Affected versions are 11.10.2 through 12.11.5 and 2025.1 through 2025.1.3. WatchGuard provides four threat actor IP addresses. Patched versions are available.

    Riot Games disclosed four CVEs affecting UEFI firmware on ASUS, Gigabyte, MSI, and ASRock motherboards. An IOMMU initialization failure enables pre-boot DMA attacks: a malicious PCIe device with physical access can modify system memory before the OS loads. Carnegie Mellon CERT/CC confirms broad impact. Firmware updates are available.

    Cyderes documents CountLoader 3.2, distributed via cracked software and establishing Google-mimicking persistence that runs every thirty minutes for ten years, with nine capabilities including USB propagation and deployment of ACR Stealer. Check Point reports GachiLoader distributed via the YouTube Ghost Network through one hundred videos totalling 220,000 views. It deploys Kidkadi with Vectored Exception Handling PE injection, with the Rhadamanthys stealer as the final payload.

    CNIL issued a one million euro penalty against Mobius Solutions for unlawful retention of 46 million Deezer records after contract termination. The data leaked to the darknet from an unsecured test environment. CNIL confirms extraterritorial application of the GDPR.

    Don't overthink it. Patch.

    Sources:

    • France Arrest: https://therecord.media/france-interior-ministry-hack-arrest
    • WatchGuard: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027
    • UEFI: https://www.bleepingcomputer.com/news/security/new-uefi-flaw-enables-pre-boot-attacks-on-motherboards-from-gigabyte-msi-asus-asrock/
    • Loaders: https://thehackernews.com/2025/12/cracked-software-and-youtube-videos.html
    • CNIL: https://www.zdnet.fr/actualites/fuite-massive-sur-le-darknet-la-cnil-frappe-fort-contre-un-ancien-sous-traitant-de-deezer-487023.htm

    Your feedback is welcome.
    Email: radiocsirt@gmail.com
    Website: https://www.radiocsirt.com
    Weekly Newsletter: https://radiocsirtintl.substack.com

    12 min
  • RadioCSIRT English Edition – Cybersecurity Daily News, Thursday 18 December 2025 (Ep.54)
    2025/12/18
    Welcome to your daily cybersecurity podcast.

    The Clop ransomware group, also tracked as Cl0p, is conducting a new data theft extortion campaign targeting Internet-exposed Gladinet CentreStack servers. Ongoing investigations confirm active scanning, successful intrusions, and the placement of extortion notes on compromised systems. The initial access vector remains unidentified, raising the possibility of a zero-day vulnerability or exploitation of unpatched systems. This activity aligns with Clop’s established focus on file sharing and secure file transfer platforms.

    CISA has added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. CVE-2025-20393 affects multiple Cisco products through improper input validation. CVE-2025-40602 impacts SonicWall SMA1000 appliances due to a missing authorization flaw. CVE-2025-59374 targets ASUS Live Update, involving embedded malicious code within the update mechanism, highlighting a software supply chain compromise scenario.

    CERT-FR has issued advisory CERTFR-2025-AVI-1116 covering multiple vulnerabilities in Google Chrome. Affected versions include releases prior to 143.0.7499.146 on Linux and prior to 143.0.7499.146 or .147 on Windows and macOS. The advisory references CVE-2025-14765 and CVE-2025-14766, with limited public technical detail on the underlying impact.

    A critical FreeBSD vulnerability, CVE-2025-14558, enables remote code execution via crafted IPv6 Router Advertisement packets within the SLAAC mechanism. Insufficient validation of RA messages leads to command injection into an internal shell script. Exploitation requires the attacker to be present on the same network segment. The vulnerability carries a CVSS score of 9.8.

    North Korean cyber operations reached a record level in 2025, with more than two billion dollars in cryptocurrency stolen, according to Chainalysis. These activities combine attacks against centralized services, large-scale personal wallet compromises, and advanced social engineering operations involving fake recruiters and purported investors.

    FIRST Foundation highlights the operational importance of incident communications, emphasizing the role of secure alternative channels, third-party coordination mechanisms, and controlled delegation of public communications to reduce secondary risk during major cyber incidents.

    Finally, a coordinated operation supported by Eurojust dismantled fraudulent call centre operations in Ukraine. The transnational criminal network relied on industrial-scale social engineering techniques, with identified losses exceeding ten million euros and forty-five suspects identified across multiple countries.

    Don’t overthink it. Patch.

    Sources:

    • Clop / Gladinet: https://www.bleepingcomputer.com/news/security/clop-ransomware-targets-gladinet-centrestack-servers-for-extortion/
    • CISA KEV: https://www.cisa.gov/news-events/alerts/2025/12/17/cisa-adds-three-known-exploited-vulnerabilities-catalog
    • CERT-FR Chrome: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1116/
    • FreeBSD RCE: https://www.security.nl/posting/917946/Kritiek+beveiligingslek+in+FreeBSD+maakt+remote+code+execution+mogelijk?channel=rss
    • DPRK Crypto: https://www.theregister.com/2025/12/18/north_korea_stole_2b_crypto_2025/
    • FIRST Comms: https://www.first.org/blog/20251216-upskilling_communications
    • Eurojust Fraud: https://www.eurojust.europa.eu/news/fraudulent-call-centres-ukraine-rolled
    • France Arrest: https://therecord.media/france-interior-ministry-hack-arrest

    Your feedback is welcome.
    Email: radiocsirt@gmail.com
    Website: https://www.radiocsirt.com
    Weekly Newsletter: https://radiocsirtintl.substack.com
    11 min
  • RadioCSIRT English Edition – Your cybersecurity News for Wednesday, December 17, 2025 (Ep.53)
    2025/12/17

    Welcome to your daily cybersecurity podcast.

    CISA adds CVE-2025-59718 to its Known Exploited Vulnerabilities catalog on December 16th. The flaw affects Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb through improper cryptographic signature verification in FortiCloud SSO SAML authentication. Unauthenticated attackers can bypass authentication via crafted SAML messages. Active exploitation confirmed. CVE-2025-59719 addresses the same underlying issue. Federal agencies face a December 23rd remediation deadline. No ransomware campaign linkage confirmed at this time.

    CERT-FR issues advisory CERTFR-2025-AVI-1117 concerning GLPI. Two vulnerabilities, identified as CVE-2025-59935 and CVE-2025-64520, affect GLPI versions from 9.1.0 up to, but not including, 10.0.21. Risks include XSS injection and security policy bypass. Fixes are available via GitHub security advisories GHSA-62p9-prpq-j62q and GHSA-j8vv-9f8m-r7jx, published December 16th.

    Cisco reports CVE-2025-20393, a critical AsyncOS zero-day affecting Secure Email Gateway and Secure Email and Web Manager with an Internet-exposed Spam Quarantine in non-standard configurations. Active exploitation since late November is attributed to the Chinese group UAT-9686, deploying AquaShell backdoors, AquaTunnel and Chisel reverse SSH tunnels, and AquaPurge log-clearing tools. Links have been identified to UNC5174 and APT41. No patch is available. Cisco recommends access restriction, network segmentation, and rebuilding compromised appliances as the sole eradication option.

    SonicWall patches CVE-2025-40602, a local privilege escalation in the SMA1000 Appliance Management Console. It is exploited in a chain with CVE-2025-23006, a critical deserialization flaw with CVSS score 9.8 already fixed in January. Combined exploitation enables unauthenticated root remote code execution. Discovered by Google Threat Intelligence Group. Fixed version: build 12.4.3-02856 and higher. Over 950 SMA1000 appliances remain exposed according to Shadowserver.

    Finally, Recorded Future documents a sustained APT28 phishing campaign targeting UKR.net users between June 2024 and April 2025. UKR.net-themed login pages hosted on Mocky were distributed via PDF attachments in phishing emails. Links were shortened via tiny.cc or tinyurl.com, with some redirections through Blogger subdomains. The pages capture credentials and 2FA codes. Attackers transitioned to ngrok and Serveo proxy services following early 2024 infrastructure takedowns. The GRU operation targets Ukrainian intelligence collection amid the ongoing conflict.

    Don't think, just patch!

    Sources:
    CISA KEV: https://www.cisa.gov/news-events/alerts/2025/12/16/cisa-adds-one-known-exploited-vulnerability-catalog
    CERT-FR: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1117/
    Cisco AsyncOS: https://www.bleepingcomputer.com/news/security/cisco-warns-of-unpatched-asyncos-zero-day-exploited-in-attacks/
    SonicWall: https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-new-sma1000-zero-day-exploited-in-attacks/
    APT28: https://thehackernews.com/2025/12/apt28-targets-ukrainian-ukr-net-users.html

    Your feedback is welcome.
    Email: radiocsirt@gmail.com
    Website: https://www.radiocsirt.com
    Weekly Newsletter: https://radiocsirtintl.substack.com

    6 min
  • RadioCSIRT English Edition – Your cybersecurity News for Tuesday, December 16, 2025 (Ep.52)
    2025/12/16

    Welcome to your daily cybersecurity podcast.

    QNAP discloses a high-severity authentication bypass vulnerability tracked as CVE-2025-59385. The flaw allows remote attackers to spoof authentication mechanisms and access protected resources without credentials. The issue affects QTS and QuTS hero systems and is remotely exploitable with no user interaction. Patches are available in QTS 5.2.7.3297 and QuTS hero 5.2.7 and 5.3.1 builds released on October 24.

    A second QNAP vulnerability, CVE-2025-62848, exposes QTS and QuTS hero systems to remote denial-of-service attacks. The issue stems from a NULL pointer dereference condition and can be triggered over the network without authentication. Successful exploitation leads to system crashes and service disruption. Fixed versions mirror those released for CVE-2025-59385.

    Trend Micro reveals a previously unseen controller linked to BPFDoor malware, enabling encrypted reverse shells, direct shell access, and lateral movement across Linux servers. The backdoor leverages Berkeley Packet Filter mechanisms to remain stealthy and firewall-agnostic. Activity is attributed with medium confidence to the Earth Bluecrow APT group and targets telecommunications, finance, and retail sectors across Asia and the Middle East.

    CISA adds two actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog. CVE-2025-14611 affects Gladinet CentreStack and Triofox via hard-coded cryptographic keys, while CVE-2025-43529 is a WebKit use-after-free flaw impacting multiple Apple products. Federal agencies are required to remediate under BOD 22-01, with strong recommendations extended to all organizations.

    Avast documents an emerging WhatsApp account takeover scam abusing the platform’s legitimate device-linking feature. Attackers trick users into authorizing rogue linked devices through fake verification pages, granting persistent access to conversations without stealing passwords or triggering security alerts.

    Finally, The Record reports major data breaches at Prosper Marketplace and 700Credit impacting nearly 20 million individuals. Exposed data includes Social Security numbers, financial records, and identity documents. Both incidents highlight ongoing systemic risks across the financial services supply chain.

    Don't think, just patch!

    Sources:

    • CVE-2025-59385: https://cvefeed.io/vuln/detail/CVE-2025-59385
    • CVE-2025-62848: https://cvefeed.io/vuln/detail/CVE-2025-62848
    • BPFDoor: https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.html
    • CISA KEV: https://www.cisa.gov/news-events/alerts/2025/12/15/cisa-adds-two-known-exploited-vulnerabilities-catalog
    • WhatsApp Scam: https://blog.avast.com/blog/onlinescams/whatsapppairingscam
    • Data Breaches: https://therecord.media/data-breaches-affecting-20-million-prosper-700credit

    Your feedback is welcome.
    Email: radiocsirt@gmail.com
    Website: https://www.radiocsirt.com
    Weekly Newsletter: https://radiocsirtintl.substack.com

    12 min
  • RadioCSIRT English Edition – Your cybersecurity News for Monday, December 15, 2025 (Ep.51)
    2025/12/15

    Welcome to your daily cybersecurity podcast.

    Horizon3.ai exposes three critical FreePBX vulnerabilities. The most severe, CVE-2025-66039, scored 9.3, enables complete authentication bypass via a simple forged Authorization header. Two additional flaws provide SQL injection and PHP web shell upload for remote code execution. Patches are available but require manual CLI configuration and an audit of instances exposed before September.

    A new BreachForums avatar claims a major intrusion into French Interior Ministry infrastructure. The actor "Indra" asserts exfiltration of the TAJ and FPR police databases, with a ransom demand under a one-week deadline. Place Beauvau confirms email compromise and business application access, and has deployed systematic two-factor authentication and password rotation as emergency measures. The investigation is assigned to the Anti-Cybercrime Office.

    BleepingComputer reveals how scammers hijacked PayPal infrastructure to send legitimate emails from service@paypal.com. Exploitation of the "pause subscription" feature bypassed all spam filters, enabling large-scale tech support scam campaigns. PayPal confirms closure of the loophole following investigation.

    CERT-FR issues advisory CERTFR-2025-AVI-1111 for Roundcube Webmail. Multiple XSS vulnerabilities affect versions prior to 1.5.12 and 1.6.12, enabling remote code injection and breaches of data confidentiality. Patches have been available since December 13, with immediate application recommended for all exposed webmail instances.

    Don't think, just patch!

    Sources:
    FreePBX: https://thehackernews.com/2025/12/freepbx-authentication-bypass-exposed.html
    Interior Ministry: https://www.zdnet.fr/actualites/lattaque-informatique-contre-le-ministere-de-linterieur-revendiquee-par-un-nouvel-avatar-de-breachforums-486636.htm
    PayPal: https://www.malwarebytes.com/blog/news/2025/12/paypal-closes-loophole-that-let-scammers-send-real-emails-with-fake-purchase-notices
    Roundcube: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1111/

    Your feedback is welcome.
    Email: radiocsirt@gmail.com
    Website: https://www.radiocsirt.com
    Weekly Newsletter: https://radiocsirtintl.substack.com

    13 min
  • RadioCSIRT – Your Cyber Security News for Sunday, December 14, 2025 (Ep.50)
    2025/12/14

    Welcome to your daily cybersecurity podcast.

    Apple and Google rush to fix actively exploited Zero-Day flaws. CISA has added CVE-2025-14174 to its KEV catalog, flagging a critical memory corruption vulnerability in the Chromium engine that affects Chrome, Edge, and Brave. Simultaneously, Apple has deployed patches for this same flaw alongside CVE-2025-43529, a WebKit Use-After-Free bug. Discovered by Google's Threat Analysis Group, these vulnerabilities are currently leveraged in "extremely sophisticated" attacks allowing Remote Code Execution (RCE) on iPhones, iPads, and macOS devices via malicious web content. Updating to iOS 26.2 and the latest browser versions is mandatory to break this infection chain.

    CERT-FR issues a massive alert regarding the Ubuntu Linux kernel. The security advisory covers a wide array of vulnerabilities impacting every supported version, from LTS 18.04 up to intermediate releases like 25.10. These kernel-level flaws allow attackers to trigger remote Denial of Service and bypass security policies, posing a severe threat to process isolation and container environments. System administrators must not only apply the listed USN patches but must imperatively schedule production reboots to ensure the new kernel image is actually loaded into memory.

    A historic data leak exposes 4.3 billion professional records. Researchers have discovered an unsecured 16-terabyte MongoDB database left open to the public, containing detailed profiles likely aggregated from LinkedIn and Apollo.io. The dataset includes names, emails, phone numbers, and career histories, creating the ultimate weapon for AI-assisted social engineering. Although secured on November 25th, this exposure provides cybercriminals with the context needed to automate large-scale Spear-Phishing and Business Email Compromise (BEC) campaigns targeting Fortune 500 employees.

    President Trump signs an Executive Order establishing a deregulated national framework for AI. The order effectively bans states from enacting their own regulations, threatening to withhold federal funding from jurisdictions enforcing laws deemed "onerous," such as Colorado’s algorithmic bias statutes. For CISOs and GRC teams, this eliminates external legal guardrails and shifts the entire burden of model safety and ethics onto internal controls, creating an environment that prioritizes rapid innovation over safety compliance.

    Don't think, just patch!

    Sources:

    • Apple: https://www.bleepingcomputer.com/news/security/apple-fixes-two-zero-day-flaws-exploited-in-sophisticated-attacks/
    • CISA: https://www.cisa.gov/news-events/alerts/2025/12/12/cisa-adds-one-known-exploited-vulnerability-catalog-0
    • CERT-FR: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1106/
    • Data Breach: https://securityaffairs.com/185661/data-breach/experts-found-an-unsecured-16tb-database-containing-4-3b-professional-records.html
    • AI Regulation: https://therecord.media/trump-executive-order-ai-national-framework

    Your feedback is welcome.
    Email: radiocsirt@gmail.com
    Website: https://www.radiocsirt.com
    Weekly Newsletter: https://radiocsirtintl.substack.com

    8 min
  • RadioCSIRT English Edition – Saturday, December 13, 2025 (Ep.49)
    2025/12/13
    Welcome to your daily cybersecurity podcast.

    Palo Alto Networks Unit 42 exposes Ashen Lepus, a Hamas-affiliated APT actor active since 2018. The group deploys a new .NET modular malware suite named AshTag, targeting governmental and diplomatic entities across the Middle East with confirmed geographic expansion toward Oman and Morocco. The multi-stage infection chain initiates through Arabic-language PDF lures on Palestinian geopolitical themes. Victims download RAR archives containing a binary that side-loads the AshenLoader loader. The group abandoned its proprietary C2 infrastructure in favor of API and authentication subdomains on legitimate domains like api.healthylifefeed.com, which masks malicious traffic. The C2 architecture now integrates geofencing and anti-sandbox verification before payload delivery. Secondary modules are Base64-encoded and hidden in commented HTML tags with AES-CTR-256 encryption. Ashen Lepus uses Rclone to exfiltrate targeted diplomatic documents.

    Malwarebytes publishes a technical analysis on real VPN privacy following the worldwide usage surge after the UK age-verification rules. The document exposes the massive gap between marketing promises and concrete implementation, particularly critical for enterprise deployments protecting sensitive data. Full infrastructure ownership eliminates uncontrolled intermediaries, unlike cloud rental. RAM-only servers instantly destroy all traces upon shutdown, which cancels any physical seizure vector. The WireGuard protocol drastically reduces attack surface through its minimal auditable codebase, while OpenVPN and IPSec now represent legacy technologies. The major risk for organizations comes from employees using non-validated commercial VPNs that create encrypted tunnels bypassing DLP controls and exfiltrating corporate data through third-party infrastructure that has never been audited.

    Kali Linux releases version 2025.4, the final update of the year, integrating three new penetration testing tools, major desktop environment improvements, and full Wayland support on GNOME. The three new tools include bpf-linker for BPF static compilation, evil-winrm-py enabling command execution on remote Windows machines via WinRM, and hexstrike-ai allowing AI agents to autonomously execute tools through an MCP server. GNOME moves to version 49 and definitively removes X11 support, now running exclusively on Wayland with full VM support for VirtualBox, VMware, and QEMU. NetHunter extends Android 16 support on Samsung Galaxy S10 and OnePlus Nord, restores the terminal with interactive Magisk compatibility, and integrates Wifipumpkin3 in preview with Facebook, Instagram, iCloud, and Snapchat phishing templates.

    CISA adds CVE-2018-4063 to the KEV Catalog on December 12, 2025, following confirmed active exploitation. This vulnerability affects Sierra Wireless AirLink ALEOS and enables unrestricted upload of dangerous files without type or extension validation, leading to arbitrary code execution on cellular routers deployed across vehicle fleets, industrial IoT infrastructure, and M2M networks. Critical point: the CVE dates from 2018, but its late KEV inclusion confirms a resurgence of exploitation specifically targeting unpatched legacy equipment. AirLink devices provide cellular connectivity for SCADA systems, mobile payment terminals, and telematics platforms.

    Don't think, just patch!

    Sources:

    • Unit 42: https://unit42.paloaltonetworks.com/hamas-affiliate-ashen-lepus-uses-new-malware-suite-ashtag/
    • Malwarebytes: https://www.malwarebytes.com/blog/inside-malwarebytes/2025/12/how-private-is-your-vpn
    • BleepingComputer: https://www.bleepingcomputer.com/news/security/kali-linux-20254-released-with-3-new-tools-desktop-updates/
    • CISA: https://www.cisa.gov/news-events/alerts/2025/12/12/cisa-adds-one-known-exploited-vulnerability-catalog

    Your feedback is welcome.
    Email: radiocsirt@gmail.com
    Website: https://www.radiocsirt.com
    Weekly Newsletter: https://radiocsirtintl.substack.com
    9 min