RadioCSIRT - English Edition
Author: Marc Frédéric GOMEZ
© Marc Frédéric GOMEZ
Description
🎙 Marc Frédéric Gomez, cybersecurity expert, brings you daily insights into the latest threats, attacks, and defense strategies you need to know.
🔎 On the agenda:
✔️ Analysis of cyberattacks and critical vulnerabilities
✔️ Strategic intelligence for CSIRTs, CERTs, and cybersecurity professionals
✔️ Sources and references to dive deeper into each topic
💡 Why listen to RadioCSIRT?
🚀 Stay up to date in just a few minutes a day
🛡️ Anticipate threats with reliable, technical information
📢 An essential intelligence source for IT and security professionals
🔗 Listen, share, and secure your environment!
📲 Subscribe and leave a ⭐ rating on your favorite platform!
57 Episodes
Welcome to your daily cybersecurity podcast.

Amazon disclosed the detection of a North Korea-linked infiltration during an IT hiring process. A system administrator claiming to be US-based was identified through persistent keyboard latency exceeding 110 milliseconds to Seattle servers, indicating intercontinental remote operation. The control infrastructure was traced to China. Since April 2024, Amazon reports blocking more than 1,800 fraudulent hiring attempts linked to North Korea, with a 27 percent quarterly increase.

A Russian APT actor is conducting a credential phishing campaign targeting government entities across the Baltics and the Balkans. The attacks rely on HTML attachments masquerading as PDF documents, embedding institutional decoys and fake authentication forms. Credentials are exfiltrated via formcarry.com, with consistent JavaScript and regex reuse observed since at least 2023.

Microsoft confirmed a global Microsoft Teams outage impacting message delivery across all regions and clients. The incident started at 14:30 ET and was fully resolved one hour later. No indicators of malicious activity were reported.

A malware campaign abuses Microsoft Office documents, SVG files, and compressed archives to compromise Windows systems. The attack chain exploits CVE-2017-11882 and uses PNG steganography and process hollowing via RegAsm.exe to deliver RATs and information stealers.

ATM jackpotting attacks in the United States have been attributed to a criminal group deploying the Ploutus malware via physical access to ATMs. The tradecraft involves hard drive replacement or modification to control cash-dispensing modules. Losses are estimated to exceed $40 million since 2020.

Don't think, patch.

Sources:
Amazon infiltration: https://www.clubic.com/actualite-592366-amazon-infiltre-par-un-espion-nord-coreen-finalement-repere-a-cause-de-sa-frappe-clavier.html
Russian APT phishing: https://strikeready.com/blog/russian-apt-actor-phishes-the-baltics-and-the-balkans/
Microsoft Teams outage: https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-teams-is-down-and-messages-are-delayed/
SVG and Office malware campaign: https://cybersecuritynews.com/hackers-weaponize-svg-files-and-office-documents/
ATM jackpotting / Ploutus malware: https://www.theregister.com/2025/12/19/tren_de_aragua_atm/

Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtintl.substack.com
Welcome to your daily cybersecurity podcast.

French authorities arrested a 22-year-old individual following the compromise of Interior Ministry systems. The intrusion exposed email accounts and confidential documents, including judicial records and wanted-persons databases. The attack was claimed on BreachForums. The suspect maintained network persistence for several days. The Paris prosecutor's office charged the suspect with unauthorized access to state systems as part of an organized group, an offence carrying a maximum of ten years' imprisonment.

WatchGuard published advisory WGSA-2025-00027 addressing CVE-2025-14733, a critical out-of-bounds write in the Fireware OS iked process, CVSS 9.3. Confirmed active exploitation enables remote unauthenticated code execution. Affected versions are 11.10.2 through 12.11.5 and 2025.1 through 2025.1.3. WatchGuard provides four threat actor IP addresses. Patched versions are available.

Riot Games disclosed four CVEs affecting UEFI firmware on ASUS, Gigabyte, MSI, and ASRock motherboards. An IOMMU initialization failure enables pre-boot DMA attacks: a malicious PCIe device with physical access can modify system memory before the OS loads. Carnegie Mellon CERT/CC confirms broad impact. Firmware updates are available.

Cyderes documents CountLoader 3.2, distributed via cracked software, which establishes Google-mimicking persistence that triggers every thirty minutes for ten years. It offers nine capabilities, including USB propagation, and deploys ACR Stealer. Check Point reports GachiLoader distributed via the YouTube Ghost Network: one hundred videos, 220,000 views. It deploys Kidkadi with Vectored Exception Handling PE injection, with the Rhadamanthys stealer as final payload.

CNIL issued a one million euro penalty against Mobius Solutions for the unlawful retention of 46 million Deezer records after contract termination. The data leaked to the darknet from an unsecured test environment. CNIL confirms the extraterritorial application of GDPR.

Don't overthink it. Patch.

Sources:
France arrest: https://therecord.media/france-interior-ministry-hack-arrest
WatchGuard: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027
UEFI: https://www.bleepingcomputer.com/news/security/new-uefi-flaw-enables-pre-boot-attacks-on-motherboards-from-gigabyte-msi-asus-asrock/
Loaders: https://thehackernews.com/2025/12/cracked-software-and-youtube-videos.html
CNIL: https://www.zdnet.fr/actualites/fuite-massive-sur-le-darknet-la-cnil-frappe-fort-contre-un-ancien-sous-traitant-de-deezer-487023.htm
Welcome to your daily cybersecurity podcast.

The Clop ransomware group, also tracked as Cl0p, is conducting a new data theft extortion campaign targeting Internet-exposed Gladinet CentreStack servers. Ongoing investigations confirm active scanning, successful intrusions, and the placement of extortion notes on compromised systems. The initial access vector remains unidentified, raising the possibility of a zero-day vulnerability or exploitation of unpatched systems. This activity aligns with Clop's established focus on file sharing and secure file transfer platforms.

CISA has added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. CVE-2025-20393 affects multiple Cisco products through improper input validation. CVE-2025-40602 impacts SonicWall SMA1000 appliances due to a missing authorization flaw. CVE-2025-59374 targets ASUS Live Update, involving embedded malicious code within the update mechanism, highlighting a software supply chain compromise scenario.

CERT-FR has issued advisory CERTFR-2025-AVI-1116 covering multiple vulnerabilities in Google Chrome. Affected versions include releases prior to 143.0.7499.146 on Linux and prior to 143.0.7499.146 or .147 on Windows and macOS. The advisory references CVE-2025-14765 and CVE-2025-14766, with limited public technical detail on the underlying impact.

A critical FreeBSD vulnerability, CVE-2025-14558, enables remote code execution via crafted IPv6 Router Advertisement packets within the SLAAC mechanism. Insufficient validation of RA messages leads to command injection into an internal shell script. Exploitation requires the attacker to be present on the same network segment. The vulnerability carries a CVSS score of 9.8.

North Korean cyber operations reached a record level in 2025, with more than two billion dollars in cryptocurrency stolen, according to Chainalysis. These activities combine attacks against centralized services, large-scale personal wallet compromises, and advanced social engineering operations involving fake recruiters and purported investors.

FIRST Foundation highlights the operational importance of incident communications, emphasizing the role of secure alternative channels, third-party coordination mechanisms, and controlled delegation of public communications to reduce secondary risk during major cyber incidents.

Finally, a coordinated operation supported by Eurojust dismantled fraudulent call centre operations in Ukraine. The transnational criminal network relied on industrial-scale social engineering techniques, with identified losses exceeding ten million euros and forty-five suspects identified across multiple countries.

Don't overthink it. Patch.

Sources:
Clop / Gladinet: https://www.bleepingcomputer.com/news/security/clop-ransomware-targets-gladinet-centrestack-servers-for-extortion/
CISA KEV: https://www.cisa.gov/news-events/alerts/2025/12/17/cisa-adds-three-known-exploited-vulnerabilities-catalog
CERT-FR Chrome: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1116/
FreeBSD RCE: https://www.security.nl/posting/917946/Kritiek+beveiligingslek+in+FreeBSD+maakt+remote+code+execution+mogelijk?channel=rss
DPRK Crypto: https://www.theregister.com/2025/12/18/north_korea_stole_2b_crypto_2025/
FIRST Comms: https://www.first.org/blog/20251216-upskilling_communications
Eurojust Fraud: https://www.eurojust.europa.eu/news/fraudulent-call-centres-ukraine-rolled
France Arrest: https://therecord.media/france-interior-ministry-hack-arrest
Welcome to your daily cybersecurity podcast.

CISA adds CVE-2025-59718 to its Known Exploited Vulnerabilities catalog on December 16th. The flaw affects Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb through improper cryptographic signature verification in FortiCloud SSO SAML authentication. Unauthenticated attackers can bypass authentication via crafted SAML messages. Active exploitation is confirmed. CVE-2025-59719 addresses the same underlying issue. Federal agencies face a December 23rd remediation deadline. No ransomware campaign linkage is confirmed at this time.

CERT-FR issues advisory CERTFR-2025-AVI-1117 concerning GLPI. Two vulnerabilities, identified as CVE-2025-59935 and CVE-2025-64520, affect GLPI versions from 9.1.0 up to but not including 10.0.21. Risks include XSS injection and security policy bypass. Fixes are available via GitHub security advisories GHSA-62p9-prpq-j62q and GHSA-j8vv-9f8m-r7jx, published December 16th.

Cisco reports CVE-2025-20393, a critical AsyncOS zero-day affecting Secure Email Gateway and Secure Email and Web Manager with an Internet-exposed Spam Quarantine in non-standard configurations. Active exploitation since late November is attributed to the Chinese group UAT-9686, deploying AquaShell backdoors, AquaTunnel and Chisel reverse SSH tunnels, and AquaPurge log-clearing tools. Links are identified to UNC5174 and APT41. No patch is available. Cisco recommends access restriction, network segmentation, and rebuilding compromised appliances as the sole eradication option.

SonicWall patches CVE-2025-40602, a local privilege escalation in the SMA1000 Appliance Management Console. It is exploited in a chain with CVE-2025-23006, a critical deserialization flaw with CVSS score 9.8 already fixed in January. Combined exploitation enables unauthenticated root remote code execution. Discovered by Google Threat Intelligence Group. Fixed version: build 12.4.3-02856 and higher. Over 950 SMA1000 appliances remain exposed according to Shadowserver.

Finally, Recorded Future documents a sustained APT28 phishing campaign targeting UKR.net users between June 2024 and April 2025. UKR.net-themed login pages hosted on Mocky were distributed via PDF attachments in phishing emails. Links were shortened via tiny.cc or tinyurl.com, with some redirections through Blogger subdomains. The pages capture credentials and 2FA codes. Attackers transitioned to ngrok and Serveo proxy services following early 2024 infrastructure takedowns. This is a GRU operation targeting Ukrainian intelligence collection amid the ongoing conflict.

Don't think, just patch!

Sources:
CISA KEV: https://www.cisa.gov/news-events/alerts/2025/12/16/cisa-adds-one-known-exploited-vulnerability-catalog
CERT-FR: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1117/
Cisco AsyncOS: https://www.bleepingcomputer.com/news/security/cisco-warns-of-unpatched-asyncos-zero-day-exploited-in-attacks/
SonicWall: https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-new-sma1000-zero-day-exploited-in-attacks/
APT28: https://thehackernews.com/2025/12/apt28-targets-ukrainian-ukr-net-users.html
Welcome to your daily cybersecurity podcast.

QNAP discloses a high-severity authentication bypass vulnerability tracked as CVE-2025-59385. The flaw allows remote attackers to spoof authentication mechanisms and access protected resources without credentials. The issue affects QTS and QuTS hero systems and is remotely exploitable with no user interaction. Patches are available in QTS 5.2.7.3297 and QuTS hero 5.2.7 and 5.3.1 builds released on October 24.

A second QNAP vulnerability, CVE-2025-62848, exposes QTS and QuTS hero systems to remote denial-of-service attacks. The issue stems from a NULL pointer dereference condition and can be triggered over the network without authentication. Successful exploitation leads to system crashes and service disruption. Fixed versions mirror those released for CVE-2025-59385.

Trend Micro reveals a previously unseen controller linked to BPFDoor malware, enabling encrypted reverse shells, direct shell access, and lateral movement across Linux servers. The backdoor leverages Berkeley Packet Filter mechanisms to remain stealthy and firewall-agnostic. Activity is attributed with medium confidence to the Earth Bluecrow APT group and targets telecommunications, finance, and retail sectors across Asia and the Middle East.

CISA adds two actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog. CVE-2025-14611 affects Gladinet CentreStack and Triofox via hard-coded cryptographic keys, while CVE-2025-43529 is a WebKit use-after-free flaw impacting multiple Apple products. Federal agencies are required to remediate under BOD 22-01, with strong recommendations extended to all organizations.

Avast documents an emerging WhatsApp account takeover scam abusing the platform's legitimate device-linking feature. Attackers trick users into authorizing rogue linked devices through fake verification pages, granting persistent access to conversations without stealing passwords or triggering security alerts.

Finally, The Record reports major data breaches at Prosper Marketplace and 700Credit impacting nearly 20 million individuals. Exposed data includes Social Security numbers, financial records, and identity documents. Both incidents highlight ongoing systemic risks across the financial services supply chain.

Don't think, just patch!

Sources:
CVE-2025-59385: https://cvefeed.io/vuln/detail/CVE-2025-59385
CVE-2025-62848: https://cvefeed.io/vuln/detail/CVE-2025-62848
BPFDoor: https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.html
CISA KEV: https://www.cisa.gov/news-events/alerts/2025/12/15/cisa-adds-two-known-exploited-vulnerabilities-catalog
WhatsApp Scam: https://blog.avast.com/blog/onlinescams/whatsapppairingscam
Data Breaches: https://therecord.media/data-breaches-affecting-20-million-prosper-700credit
Welcome to your daily cybersecurity podcast.

Horizon3.ai exposes three critical FreePBX vulnerabilities. The most severe, CVE-2025-66039, scored 9.3, enables complete authentication bypass via a simple forged Authorization header. Two additional flaws provide SQL injection and PHP web shell upload for remote code execution. Patches are available but require manual CLI configuration and an audit of instances exposed before September.

A new BreachForums avatar claims a major intrusion on French Interior Ministry infrastructure. The actor "Indra" asserts exfiltration of the police databases TAJ and FPR, with a ransom demand under a one-week deadline. Place Beauvau confirms email compromise and business application access, and the emergency deployment of systematic two-factor authentication and password rotation. The investigation is assigned to the Anti-Cybercrime Office.

BleepingComputer reveals how scammers hijacked PayPal infrastructure to send legitimate emails from service@paypal.com. Exploitation of the "pause subscription" feature bypassed all spam filters, enabling large-scale tech support scam campaigns. PayPal confirms the loophole was closed following investigation.

CERT-FR issues advisory CERTFR-2025-AVI-1111 for Roundcube Webmail. Multiple XSS vulnerabilities affect versions prior to 1.5.12 and 1.6.12, enabling remote code injection and data confidentiality breach. Patches have been available since December 13, with immediate application recommended for all exposed webmail instances.

Don't think, just patch!

Sources:
FreePBX: https://thehackernews.com/2025/12/freepbx-authentication-bypass-exposed.html
Interior Ministry: https://www.zdnet.fr/actualites/lattaque-informatique-contre-le-ministere-de-linterieur-revendiquee-par-un-nouvel-avatar-de-breachforums-486636.htm
PayPal: https://www.malwarebytes.com/blog/news/2025/12/paypal-closes-loophole-that-let-scammers-send-real-emails-with-fake-purchase-notices
Roundcube: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1111/
Welcome to your daily cybersecurity podcast.

Apple and Google rush to fix actively exploited zero-day flaws. CISA has added CVE-2025-14174 to its KEV catalog, flagging a critical memory corruption vulnerability in the Chromium engine that affects Chrome, Edge, and Brave. Simultaneously, Apple has deployed patches for this same flaw alongside CVE-2025-43529, a WebKit use-after-free bug. Discovered by Google's Threat Analysis Group, these vulnerabilities are currently leveraged in "extremely sophisticated" attacks allowing Remote Code Execution (RCE) on iPhones, iPads, and macOS devices via malicious web content. Updating to iOS 26.2 and the latest browser versions is mandatory to break this infection chain.

CERT-FR issues a massive alert regarding the Ubuntu Linux kernel. The security advisory covers a wide array of vulnerabilities impacting every supported version, from LTS 18.04 up to intermediate releases like 25.10. These kernel-level flaws allow attackers to trigger remote Denial of Service and bypass security policies, posing a severe threat to process isolation and container environments. System administrators must not only apply the listed USN patches but must imperatively schedule production reboots to ensure the new kernel image is actually loaded into memory.

A historic data leak exposes 4.3 billion professional records. Researchers have discovered an unsecured 16-terabyte MongoDB database left open to the public, containing detailed profiles likely aggregated from LinkedIn and Apollo.io. The dataset includes names, emails, phone numbers, and career histories, creating the ultimate weapon for AI-assisted social engineering. Although secured on November 25th, this exposure provides cybercriminals with the context needed to automate large-scale spear-phishing and Business Email Compromise (BEC) campaigns targeting Fortune 500 employees.

President Trump signs an Executive Order establishing a deregulated national framework for AI. The order effectively bans states from enacting their own regulations, threatening to withhold federal funding from jurisdictions enforcing laws deemed "onerous," such as Colorado's algorithmic bias statutes. For CISOs and GRC teams, this eliminates external legal guardrails and shifts the entire burden of model safety and ethics onto internal controls, creating an environment that prioritizes rapid innovation over safety compliance.

Don't think, just patch!

Sources:
Apple: https://www.bleepingcomputer.com/news/security/apple-fixes-two-zero-day-flaws-exploited-in-sophisticated-attacks/
CISA: https://www.cisa.gov/news-events/alerts/2025/12/12/cisa-adds-one-known-exploited-vulnerability-catalog-0
CERT-FR: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1106/
Data Breach: https://securityaffairs.com/185661/data-breach/experts-found-an-unsecured-16tb-database-containing-4-3b-professional-records.html
AI Regulation: https://therecord.media/trump-executive-order-ai-national-framework
Welcome to your daily cybersecurity podcast.

Palo Alto Networks Unit 42 exposes Ashen Lepus, a Hamas-affiliated APT actor active since 2018. The group deploys a new .NET modular malware suite named AshTag, targeting governmental and diplomatic entities across the Middle East with confirmed geographic expansion toward Oman and Morocco. The multi-stage infection chain initiates through Arabic-language PDF lures on Palestinian geopolitical themes. Victims download RAR archives containing a binary that side-loads the AshenLoader loader. The group abandoned its proprietary C2 infrastructure in favor of API and authentication subdomains on legitimate domains like api.healthylifefeed.com, which masks malicious traffic. The C2 architecture now integrates geofencing and anti-sandbox verification before payload delivery. Secondary modules are Base64-encoded and hidden in commented HTML tags with AES-CTR-256 encryption. Ashen Lepus uses Rclone to exfiltrate targeted diplomatic documents.

Malwarebytes publishes a technical analysis on real VPN privacy following a worldwide usage surge after the UK age-verification rules. The document exposes the massive gap between marketing promises and concrete implementation, particularly critical for enterprise deployments protecting sensitive data. Full infrastructure ownership eliminates uncontrolled intermediaries, unlike cloud rental. RAM-only servers instantly destroy all traces upon shutdown, which cancels any physical seizure vector. The WireGuard protocol drastically reduces attack surface through its minimal, auditable codebase, while OpenVPN and IPSec now represent legacy technologies. The major risk for organizations comes from employees using non-validated commercial VPNs that create encrypted tunnels bypassing DLP controls and exfiltrating corporate data through never-audited third-party infrastructure.

Kali Linux releases version 2025.4, the final update of the year, integrating three new penetration testing tools, major desktop environment improvements, and full Wayland support on GNOME. The three new tools are bpf-linker for BPF static compilation, evil-winrm-py enabling command execution on remote Windows machines via WinRM, and hexstrike-ai allowing AI agents to autonomously execute tools through an MCP server. GNOME moves to version 49 and definitively removes X11 support, now running exclusively on Wayland with full VM support for VirtualBox, VMware, and QEMU. NetHunter extends Android 16 support to the Samsung Galaxy S10 and OnePlus Nord, restores the terminal with interactive Magisk compatibility, and integrates Wifipumpkin3 in preview with Facebook, Instagram, iCloud, and Snapchat phishing templates.

CISA adds CVE-2018-4063 to the KEV Catalog on December 12, 2025, following confirmed active exploitation. This vulnerability affects Sierra Wireless AirLink ALEOS and enables unrestricted upload of dangerous files without type or extension validation, leading to arbitrary code execution on cellular routers deployed across vehicle fleets, industrial IoT infrastructure, and M2M networks. Critical point: the CVE dates from 2018, but its late KEV inclusion confirms a resurgence of exploitation specifically targeting unpatched legacy equipment. AirLink devices provide cellular connectivity for SCADA systems, mobile payment terminals, and telematics platforms.

Don't think, just patch!

Sources:
Unit 42: https://unit42.paloaltonetworks.com/hamas-affiliate-ashen-lepus-uses-new-malware-suite-ashtag/
Malwarebytes: https://www.malwarebytes.com/blog/inside-malwarebytes/2025/12/how-private-is-your-vpn
BleepingComputer: https://www.bleepingcomputer.com/news/security/kali-linux-20254-released-with-3-new-tools-desktop-updates/
CISA: https://www.cisa.gov/news-events/alerts/2025/12/12/cisa-adds-one-known-exploited-vulnerability-catalog
Welcome to this special RadioCSIRT cybersecurity briefing.

In this episode, we take an in-depth look at the MITRE Top 25 Common Weakness Enumerations (CWE) for 2025, moving beyond a simple ranking to analyze the structural weaknesses that continue to drive real-world compromises.

This analysis focuses on how recurring flaws such as cross-site scripting, SQL injection, missing authorization, memory corruption, and business logic failures remain dominant attack enablers despite years of awareness, tooling, and secure development frameworks.

We examine why these weaknesses persist, how they are actually exploited in production environments, and what they reveal about systemic failures in application design, governance, and security architecture.

Special attention is given to the operational impact for CERT/CSIRT and SOC teams, including:
how CWE analysis supports anticipation of future vulnerabilities,
why root-cause driven prioritization is more effective than CVE-based triage alone,
and how logic flaws and authorization failures increasingly evade automated detection.

This episode also highlights key 2025 trends, including the rise of business logic vulnerabilities, the gap between modern frameworks and real implementations, and the growing weight of technical and organizational debt.

A synthesis of this analysis is available on my blog.

Sources:
MITRE – Top 25 CWE 2025: https://cwe.mitre.org/top25/archive/2025/2025_cwe_top25.html
Blog: https://blog.marcfredericgomez.com/top-25-cwe-2025-technical-analysis/
Welcome to your daily cybersecurity podcast.

The Linux kernel 5.4 officially reaches end-of-life. After years of LTS support, this version—massively deployed across Ubuntu, Android, and embedded systems—will no longer receive upstream security patches. This creates a critical risk for industrial and network equipment remaining on this version without a rapid migration path.

Check Point dissects the ValleyRAT backdoor and its kernel-mode rootkit following a public builder leak. The malware features 19 plugins and a digitally signed driver for file hiding and process protection. 85% of detected samples appeared in the last six months, complicating attribution to specific state actors.

Google patches CVE-2025-13223, the eighth actively exploited Chrome zero-day of the year. This type-confusion vulnerability in the V8 JavaScript engine allows memory manipulation without complex user interaction, continuing a pattern of espionage-focused exploitation.

Anonymous hackers breach Mikord, the alleged developer of Russia's unified military registry. Internal documents and source code were transferred to the anti-war NGO Idite Lesom, confirming the firm's role in the military project. The breach occurs amidst a context of bidirectional cyber escalation following attacks on Ukrainian registries.

Flare identifies over 10,000 Docker Hub images exposing active credentials. The leak affects Fortune 500 companies and includes 4,000 AI model API tokens. The primary vector is Shadow IT, with unmonitored contractor accounts exposing client data that remains valid even after the images are deleted.

Finally, CISA adds two vulnerabilities to its Known Exploited Vulnerabilities catalog. The flaws affect WinRAR (CVE-2025-6218), allowing arbitrary code execution via archives, and the Windows Cloud Files driver (CVE-2025-62221), enabling privilege escalation. Both are confirmed to be exploited in the wild.

We don't think, we patch!

Sources:
Linux Journal: https://www.linuxjournal.com/content/linux-kernel-54-reaches-end-life-time-retire-workhorse
Check Point Research: https://research.checkpoint.com/2025/cracking-valleyrat-from-builder-secrets-to-kernel-rootkits/
Malwarebytes: https://www.malwarebytes.com/blog/news/2025/12/another-chrome-zero-day-under-attack-update-now
The Record: https://therecord.media/hackers-reportedly-breach-developer-involved-in-russian-military-database
Bleeping Computer: https://www.bleepingcomputer.com/news/security/over-10-000-docker-hub-images-found-leaking-credentials-auth-keys/
Security Affairs: https://securityaffairs.com/185523/security/u-s-cisa-adds-microsoft-windows-and-winrar-flaws-to-its-known-exploited-vulnerabilities-catalog.html
Welcome to your daily cybersecurity podcast.

Microsoft refuses to fix a critical RCE vulnerability in the .NET framework affecting the SoapHttpClientProtocol class. Revealed at Black Hat Europe by researcher Piotr Bazydło from WatchTowr, the flaw enables arbitrary file writes through SOAP URL manipulation. Exploitation relies on unexpected support for the FILE and FTP protocols by a class designed to handle HTTP only. Confirmed vulnerable products include Ivanti Endpoint Manager, Umbraco 8 CMS, and Barracuda Service Center, but the actual number of affected applications is likely massive.

CERT-FR publishes advisory CERTFR-2025-AVI-1088 concerning four critical vulnerabilities in Ivanti Endpoint Manager 2024. CVE-2025-10573, CVE-2025-13659, CVE-2025-13661, and CVE-2025-13662 enable remote arbitrary code execution, security policy bypass, and XSS injection. Only versions prior to 2024 SU4 SR1 are affected. The patch has been available since December 9th, 2025.

CERT-FR also issues advisory CERTFR-2025-AVI-1084 concerning 17 Fortinet security bulletins covering 18 CVEs. The entire Fortinet portfolio is affected: FortiOS, FortiProxy, FortiManager, FortiAnalyzer, FortiWeb, FortiSandbox, FortiExtender, FortiAuthenticator, FortiVoice, FortiSOAR, FortiPAM, FortiSRA, FortiSASE, FortiSwitchManager, and FortiPortal. Critical vulnerabilities include remote code execution, privilege escalation, and SQL injection.

Finally, the Spanish National Police arrests a 19-year-old individual in Igualada for the theft and sale of 64 million personal data records from nine companies. Exfiltrated data includes DNI numbers, addresses, phone numbers, emails, and IBAN codes. The suspect used six online accounts and five pseudonyms to sell databases on underground forums. Authorities seized electronic equipment and froze a crypto wallet.

We don't think, we patch!

Sources:
The Register: https://www.theregister.com/2025/12/10/microsoft_wont_fix_net_rce/
CERT-FR: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1088/
CERT-FR: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1084/
The Record: https://therecord.media/spain-arrests-teen-suspect-data-theft-and-sale
🚨 CRITICAL ALERT: CISA, FBI, and NSA issue joint advisory AA25-343A on December 9, 2025, warning of active campaigns by four pro-Russia hacktivist groups exploiting VNC vulnerabilities in OT/ICS systems worldwide.

THREAT ACTORS IDENTIFIED:
Cyber Army of Russia Reborn (CARR) - GRU Unit 74455 linked
NoName057(16) - Kremlin CISM creation
Z-Pentest - CARR/NoName merger, OT-specialized
Sector16 - Emerging January 2025

ATTACK VECTOR: Mass exploitation of exposed VNC services (ports 5900-5910) with default/weak credentials on HMI devices. Direct SCADA access causing parameter modifications, alarm disabling, and operational disruptions across water, energy, and agriculture sectors.

IMMEDIATE ACTIONS: Scan the external attack surface, eliminate default credentials, implement MFA, enforce IT/OT segmentation, and deploy continuous monitoring for unauthorized VNC connections.

TARGET AUDIENCE: CERT, CSIRT, SOC Teams, CISOs, Critical Infrastructure Operators

DURATION: 8 minutes of dense technical intelligence

PRODUCED BY: RadioCSIRT - Daily cyber threat intelligence for operational defense teams

#Cybersecurity #OT #ICS #SCADA #ThreatIntelligence #CriticalInfrastructure #CISA #InfoSec
Welcome to your daily cybersecurity briefing.

The UK’s NCSC has released critical guidance regarding Generative AI security, warning that treating Prompt Injection like SQL Injection is a dangerous misconception. Unlike traditional databases, LLMs lack a rigid boundary between instructions and data, creating an "Inherently Confusable Deputy" problem. The agency advises that the only effective mitigation is architectural: strictly restricting the privileges of the tools accessible to the AI, rather than relying on input filters.

A critical authentication bypass vulnerability has been discovered in the Ruby SAML library. Tracked as CVE-2025-25293, the flaw allows attackers to exploit XML parsing differences to forge valid signatures via XML Signature Wrapping. Organizations relying on this library for Single Sign-On must upgrade to version 1.18.0 immediately to prevent unauthorized access.

Polish police have arrested three Ukrainian nationals in Warsaw found in possession of sophisticated hardware hacking equipment, including Flipper Zero devices, radio antennas, and counter-surveillance tools. The seizure points to potential "Close Access" operations physically targeting critical defense infrastructure and telecommunications networks.

Threat actor Storm-0249 is escalating its tactics, shifting from simple access brokerage to advanced ransomware preparation. The group is now employing "ClickFix" social engineering and DLL side-loading techniques, specifically targeting SentinelOne agents, to steal system identifiers (MachineGuid) and maintain persistence.

Swiss hosting provider Infomaniak has launched "Euria," a sovereign AI alternative to US-based models. Hosted in Switzerland and powered by renewable energy, the platform guarantees that user data is never used for model training, offering a compliant solution for handling sensitive enterprise data without Cloud Act exposure.

The Australian Signals Directorate (ASD) is warning of a global surge in Infostealer malware activity. These threats are evolving beyond credential theft to mass-exfiltrate session cookies, effectively bypassing Multi-Factor Authentication (MFA) and serving as a primary entry vector for corporate network breaches.

Finally, a reminder that today is the last Patch Tuesday of the year. Expect critical updates from Microsoft today.

Don’t Think – Patch Now!

Sources:
NCSC UK: https://www.ncsc.gov.uk/blog-post/prompt-injection-is-not-sql-injection
CyberPress: https://cyberpress.org/critical-ruby-saml-flaw/
Warsaw Police: https://srodmiescie.policja.gov.pl/rs/aktualnosci/145521,Podrozowali-po-Europie-z-detektorem-urzadzen-szpiegowskich-i-sprzetem-hakerskim.html
Security Affairs: https://securityaffairs.com/185480/cyber-crime/polish-police-arrest-3-ukrainians-for-possessing-advanced-hacking-tools.html
The Hacker News: https://thehackernews.com/2025/12/storm-0249-escalates-ransomware-attacks.html
GoodTech: https://goodtech.info/euria-ia-gratuite-suisse-alternative-chatgpt-chauffage/
Cyber.gov.au (ASD): https://www.cyber.gov.au/about-us/view-all-content/news/information-stealers-are-on-the-rise-are-you-at-risk
Patch Tuesday Microsoft: https://blog.marcfredericgomez.com/december-2025-patch-tuesday-analysis/
Welcome to your daily cybersecurity briefing.

CERT-FR has issued a security advisory regarding a vulnerability affecting the MISP threat-intelligence platform. Under specific configurations, the flaw may allow unauthorized access to internal components or data. Organizations relying on MISP are strongly encouraged to apply the recommended patches without delay to mitigate potential exploitation.

CERT-FR has also released a warning for iPhone users following the identification of active exploitation campaigns using sophisticated exploit chains capable of achieving remote code execution. Devices lacking the latest security updates are especially vulnerable, highlighting the necessity of rapid patch deployment across Apple ecosystems.

Google Chrome is introducing a new security layer designed to reinforce protections around Gemini-powered agentic browsing. This additional safeguard aims to prevent malicious websites from manipulating automated AI-driven actions during complex web interactions, strengthening overall browser security in environments relying on AI navigation.

A service outage affecting Porsche’s connected-vehicle ecosystem in Russia is drawing attention to the systemic risks inherent in modern automotive platforms. The incident underscores the growing dependency on digital infrastructure for critical operational functions and the potential impact of disruptions on both safety and service availability.

Don’t Think – Patch Now!

Sources:
CERT-FR: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1076/
CERT-FR: https://www.cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-010/
BleepingComputer: https://www.bleepingcomputer.com/news/security/google-chrome-adds-new-security-layer-for-gemini-ai-agentic-browsing/
SecurityAffairs: https://securityaffairs.com/185398/security/porsche-outage-in-russia-serves-as-a-reminder-of-the-risks-in-connected-vehicle-security.html
Welcome to your daily cybersecurity briefing.

The FBI has issued a public service announcement regarding the evolution of "virtual kidnapping" scams, where criminals are now using AI-altered images from social media to fabricate proof-of-life. By manipulating photos to depict physical harm or captivity, threat actors are successfully pressuring families into paying ransoms for loved ones who are actually safe, marking a dangerous shift in extortion tactics.

Threat actors are actively exploiting a command injection vulnerability in Array Networks AG Series VPNs to implant webshells and establish persistence. Critically, while the vendor patched this flaw in May, no CVE identifier was assigned, leaving many organizations blind to the risk as automated vulnerability scanners fail to detect the unpatched appliances.

A sophisticated new Android banking trojan dubbed "FvncBot" has been detected in the wild, utilizing custom code rather than leaked sources. The malware distinguishes itself by using H.264 video streaming to bypass standard anti-screen-capture protections (FLAG_SECURE), allowing attackers to steal credentials and remotely control devices in near real time.

New research indicates that 97% of U.S. medical professionals have their personal home addresses and family details exposed on people-search databases. This massive leak of Personally Identifiable Information (PII) significantly escalates physical security risks for healthcare staff, enabling targeted harassment and doxxing by disgruntled patients or hostile actors.

Mozilla is officially terminating its Monitor Plus partnership with privacy vendor Onerep following a critical third-party risk management failure. The decision comes after investigations revealed that the founder of the privacy service, hired to remove users from data broker lists, was simultaneously operating an active people-search data broker business.

Don’t Think – Patch Now!

Sources:
BleepingComputer: https://www.bleepingcomputer.com/news/security/fbi-warns-of-virtual-kidnapping-ransom-scams-using-altered-social-media-photos/
BleepingComputer: https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-arrayos-ag-vpn-flaw-to-plant-webshells/
CyberPress: https://cyberpress.org/android-users-hit-by-fvncbot-malware/
HelpNetSecurity: https://www.helpnetsecurity.com/2025/12/05/incogni-healthcare-staff-data-exposure-report/
KrebsOnSecurity: https://krebsonsecurity.com/2025/11/mozilla-says-its-finally-done-with-two-faced-onerep/
Welcome to your daily cybersecurity briefing.

The Australian Cyber Security Centre has released new guidance for critical infrastructure regarding the secure integration of Artificial Intelligence into Operational Technology environments. This strategic framework aims to help organizations anticipate physical safety risks caused by algorithmic automation in industrial systems.

CERT-FR (ANSSI) has issued a series of security advisories (AVI-1062 to 1067) flagging multiple critical vulnerabilities requiring immediate attention. System administrators are urged to consult the official feed to identify affected products within their fleets and apply corrective measures without delay.

Barts Health NHS Trust has confirmed a leak of administrative data following the exploitation of an Oracle E-Business Suite zero-day flaw by the Clop ransomware gang. While patient medical records remain unaffected, this incident highlights the persistent threat targeting vital ERP components in the healthcare sector.

A maximum severity vulnerability (CVSS 10.0) has been discovered in Apache Tika, a content analysis tool ubiquitous in solutions like Solr and Elasticsearch. This XXE flaw allows attackers to execute code via malicious PDF files, necessitating an emergency update of the "tika-core" library.

Asus has admitted that a cyberattack against one of its third-party suppliers exposed source code for its smartphone camera modules. The Everest group claims to have stolen one terabyte of data, illustrating once again how the supply chain remains a prime vector for accessing the intellectual property of tech giants.

Don’t Think – Patch Now!

Sources:
Australian Cyber Security Centre: https://www.cyber.gov.au/about-us/view-all-content/news/new-guidance-for-critical-infrastructure-on-integrating-ai-securely-into-operational-technology-environments
CERT-FR (Advisory 1062): https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1062/
CERT-FR (Advisory 1063): https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1063/
CERT-FR (Advisory 1064): https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1064/
CERT-FR (Advisory 1067): https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1067/
BleepingComputer: https://www.bleepingcomputer.com/news/security/barts-health-nhs-discloses-data-breach-after-oracle-zero-day-hack/
Security Affairs: https://securityaffairs.com/185363/security/maximum-severity-xxe-vulnerability-discovered-in-apache-tika.html
The Register: https://www.theregister.com/2025/12/05/asus_supplier_hack/
Welcome to your daily cybersecurity briefing.

Cloudflare has attributed today's major service outage to the deployment of an emergency patch intended to mitigate the critical "React2Shell" vulnerability. The incident highlights the delicate balance between security responsiveness and operational stability: the attempt to rapidly mitigate an active flaw resulted in a global software regression, serving as a stark reminder that even the most robust infrastructures remain vulnerable to the side effects of hasty updates.

CISA has updated its Known Exploited Vulnerabilities (KEV) catalog and simultaneously released technical analysis report AR25-338a. This new entry imposes a strict remediation timeline for federal agencies, signaling active exploitation in the wild. The associated report provides defenders with crucial Indicators of Compromise (IoCs) and observed tactics, which are indispensable for strengthening detection and response against this specific threat.

CERT-FR, the French National Cybersecurity Agency, has issued a security advisory regarding multiple vulnerabilities affecting the PostgreSQL database management system. These flaws, if exploited, could allow a remote or local attacker to compromise data confidentiality and integrity, or trigger a denial of service. Database administrators are urged to apply security patches without delay to protect production instances.

The "smishing" landscape is evolving dangerously as the holiday season approaches, according to an analysis by Brian Krebs. Cybercriminals are gradually pivoting away from classic package delivery lures to focus on more targeted scenarios, such as expiring loyalty points, fake tax adjustments, and online retailer impersonation. This shift toward financial and administrative pretexts aims to maximize click-through rates by leveraging urgency and the fear of financial loss.

Don’t Think – Patch Now!

Sources:
https://www.bleepingcomputer.com/news/security/cloudflare-blames-todays-outage-on-emergency-react2shell-patch/
https://www.cisa.gov/news-events/alerts/2025/12/05/cisa-adds-one-known-exploited-vulnerability-catalog
https://www.cisa.gov/news-events/analysis-reports/ar25-338a
https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1061/
https://krebsonsecurity.com/2025/12/sms-phishers-pivot-to-points-taxes-fake-retailers/
Welcome to your daily cybersecurity briefing.

Russia has blocked access to Apple’s FaceTime platform and Snap’s Snapchat service, citing their alleged use in coordinating terrorist operations, recruiting criminal actors, and facilitating large-scale fraud against Russian citizens. The decision follows a pattern of escalating restrictions targeting foreign communication platforms, including recent bans on Roblox, Viber, and Signal, with WhatsApp now reportedly under consideration for nationwide blocking.

Google has released a critical Chrome update addressing thirteen security issues, four classified as high severity. One of the flaws, CVE-2025-13633, is a use-after-free vulnerability in Chrome’s Digital Credentials feature that could enable heap corruption through a malicious HTML payload once the renderer process is compromised. Given Chrome’s massive global user base, timely patching is essential across both Chrome and Chromium-derived browsers.

The FIRST Foundation highlights how its A4 program is strengthening national CSIRTs by transforming raw threat intelligence into actionable operational outputs. Through on-site engagements with teams in The Bahamas, Cameroon, Malawi, and Trinidad and Tobago, A4 focuses on analysis workflows, communication readiness, stakeholder coordination, and integration into global trust networks such as the Multi-Stakeholder Ransomware SIG.

A new Python-based CVE-2025-55182 Surface Scanner has been released to detect exposed React Server Components endpoints in ReactJS and Next.js environments. Instead of attempting exploitation, the tool identifies systems that accept RSC protocol traffic and Next.js action headers, signalling a potential attack surface that may lead to remote code execution if further module-mapping and gadget enumeration confirm the presence of exploitable conditions.

Don’t Think – Patch Now!

Sources:
https://www.bleepingcomputer.com/news/security/russia-blocks-facetime-and-snapchat-over-use-in-terrorist-attacks/
https://www.malwarebytes.com/blog/news/2025/12/google-fixes-13-security-issues-affecting-billions
https://www.first.org/blog/20251201-NatCSIRT
https://cyberpress.org/new-scanner-tool-for-detecting/
Welcome to your daily cybersecurity briefing.

DeepSeek Releases V3.2 Open Source Model Rivaling GPT-5
The Chinese AI startup DeepSeek has officially released its V3.2 and V3.2-Speciale models under a fully permissive MIT license. Claiming to outperform GPT-5 in reasoning tasks, the release utilizes a novel "Sparse Attention" architecture to maximize efficiency, marking a significant shift in the open-source AI landscape.

CISA Adds Android Framework Flaws to KEV Catalog
CISA has updated its Known Exploited Vulnerabilities (KEV) catalog with two critical flaws affecting the Android Framework. The vulnerabilities, involving privilege escalation and information disclosure, are currently being exploited in the wild, requiring immediate attention from federal agencies and mobile fleet managers.

CERT-FR Warns of Critical Python Denial of Service Risks
France's CERT-FR has issued an alert regarding multiple vulnerabilities within the Python runtime environment. These flaws allow remote attackers to trigger Denial of Service (DoS) conditions on unpatched systems, threatening the availability of backend infrastructure and web applications relying on the language.

Microsoft Silently Mitigates Windows LNK Zero-Day
Microsoft has deployed a silent mitigation for a high-severity LNK vulnerability (CVE-2025-9491) actively exploited by state-sponsored groups. The update changes how shortcut target fields are displayed to reveal malicious whitespace padding, though experts warn it does not fully block the execution of malicious payloads.

Critical Security Advisory Issued for Next.js Framework
A new security advisory has been published for Next.js, the popular React framework. The vulnerability, detailed in a GitHub Security Advisory, poses risks to applications using affected versions. Developers are urged to review the disclosure and upgrade their dependencies to the latest stable release immediately.

Don’t Think – Patch Now!

Sources:
GitHub – DeepSeek V3.2 Release: https://github.com/deepseek-ai/DeepSeek-V3.2-Exp
CISA – KEV Catalog Update: https://www.cisa.gov/news-events/alerts/2025/12/02/cisa-adds-two-known-exploited-vulnerabilities-catalog
CERT-FR – Python Vulnerability Alert: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1060/
BleepingComputer – Microsoft LNK Mitigation: https://www.bleepingcomputer.com/news/microsoft/microsoft-mitigates-windows-lnk-flaw-exploited-as-zero-day/
GitHub – Next.js Security Advisory: https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
Welcome to your daily cybersecurity briefing.

Raspberry Pi Raises Prices Amid Rising Production Costs
Raspberry Pi has announced a price increase across several models, citing sustained rises in manufacturing and component costs. The company explains that it can no longer absorb global supply chain pressures. The adjustment will particularly impact integrators, IoT builders, and embedded system deployments relying on low-cost hardware.

Massive Coupang Data Breach Exposes 337 Million Individuals
E-commerce giant Coupang has confirmed a major data breach affecting approximately 337 million users. Exposed data includes personal identification details, contact information, and other sensitive records. The scale of the incident poses significant risks of fraud, identity theft, and highly targeted phishing operations.

Advanced Steganography Techniques Emerge in the Wild
A new analysis highlights the emergence of highly advanced steganography methods used to conceal malicious payloads within multimedia content. These refined techniques improve stealth, evade conventional detection tools, and offer threat actors new covert channels for exfiltration and command-and-control.

India Orders Phone Makers to Pre-Install Government Apps
The Indian government has issued a directive requiring smartphone manufacturers to pre-install official government applications on all devices sold in the country. The decision raises serious concerns around privacy, data collection, user autonomy, and broader digital sovereignty implications.

Don’t Think – Patch Now!

Sources:
01net – Raspberry Pi Price Increase: https://www.01net.com/actualites/hausse-des-couts-raspberry-pi-na-pas-dautre-choix-que-daugmenter-les-prix-de-ses-petits-ordinateurs.html
BleepingComputer – Coupang Data Breach: https://www.bleepingcomputer.com/news/security/retail-giant-coupang-suffers-data-breach-impacting-337-million-people/
CyberPress – Advanced Steganography: https://cyberpress.org/advanced-steganography/
The Hacker News – India Orders Pre-Installed Apps: https://thehackernews.com/2025/12/india-orders-phone-makers-to-pre.html