
RadioCSIRT - English Edition

Author: Marc Frédéric GOMEZ


Description

🎙 Marc Frédéric Gomez, cybersecurity expert, brings you daily insights into the latest threats, attacks, and defense strategies you need to know.

🔎 On the agenda:
✔️ Analysis of cyberattacks and critical vulnerabilities
✔️ Strategic intelligence for CSIRTs, CERTs, and cybersecurity professionals
✔️ Sources and references to dive deeper into each topic

💡 Why listen to RadioCSIRT?
🚀 Stay up to date in just a few minutes a day
🛡️ Anticipate threats with reliable, technical information
📢 An essential intelligence source for IT and security professionals

🔗 Listen, share, and secure your environment!
📲 Subscribe and leave a rating on your favorite platform!

57 Episodes
Welcome to your daily cybersecurity podcast.

A new initiative brings together volunteer cybersecurity experts to help protect water utilities against growing cyber threats. Experienced professionals from the DEF CON Franklin community are paired with water service providers across several U.S. states to conduct assessments, map operational technology (OT) environments, and implement security measures tailored to critical infrastructure constraints. This community-driven model aims to offset limited internal resources and improve resilience against targeted industrial cyberattacks.

MongoDB has issued an urgent warning urging administrators to immediately patch a severe remote code execution vulnerability affecting components of its ecosystem. The flaw could allow unauthenticated attackers to execute arbitrary code on exposed Node.js servers. Proof-of-concept exploits are publicly available, significantly increasing the risk of real-world exploitation.

Security researchers have uncovered a large-scale compromise campaign involving the PCPcat malware, which exploited critical flaws in Next.js and React server components. More than 59,000 servers were compromised within 48 hours, with attackers harvesting credentials, SSH keys, and environment variables while establishing persistent access using stealthy processes and tunnels.

In France, La Poste and its banking subsidiary, La Banque Postale, suffered major service disruptions following a distributed denial-of-service (DDoS) attack during the holiday period. Several online services, including parcel tracking and digital banking, were rendered unavailable. Authorities stated that no customer data was compromised.

Finally, security teams are monitoring increased risks linked to modern JavaScript server stacks, highlighting how the rapid adoption of frameworks such as React and Next.js has expanded the attack surface for automated, industrial-scale exploitation.

Sources:
Cyber Volunteers / Water Utility / MSSP: https://therecord.media/cyber-volunteer-water-utility-mssp
MongoDB – Severe RCE Patch Warning: https://www.bleepingcomputer.com/news/security/mongodb-warns-admins-to-patch-severe-rce-flaw-immediately/
PCPcat – React/Next.js Servers Breach: https://thecyberexpress.com/pcpcat-react-servers-nextjs-breach/
La Poste – Outage After a Cyber Attack: https://securityaffairs.com/186064/security/la-poste-outage-after-a-cyber-attack.html

Don’t think, patch!

Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtenglishedition.substack.com/
Welcome to your daily cybersecurity podcast.

CISA has added CVE-2023-52163 to its Known Exploited Vulnerabilities Catalog, confirming active exploitation of Digiever DS-2105 Pro network video recorders. This missing authorization flaw allows unauthenticated attackers to bypass security controls. While BOD 22-01 mandates federal agencies to remediate, CISA urges all organizations to prioritize firmware updates. This vulnerability serves as a frequent entry point for actors targeting IoT infrastructure and physical security networks.

Genians Security Center reports on APT37's "Artemis" campaign targeting South Korean entities through malicious HWP documents. The attack chain leverages OLE objects and DLL side-loading via the legitimate VolumeId utility to deploy the RoKRAT module. The threat actor employs steganography within images and abuses cloud services like Yandex and pCloud for C2 operations. This multi-stage procedure leverages legitimate execution flows to evade detection by signature-based security solutions.

SoundCloud disclosed a cyberattack targeting an ancillary service dashboard, resulting in a data leak affecting 26 million accounts. Exposed data includes email addresses and public profile information; passwords and financial data were not compromised. The incident was followed by DDoS attacks affecting availability. Remediation efforts, specifically reinforcing Identity and Access Management controls, inadvertently caused temporary connectivity issues for VPN users.

Socket Security identified two malicious Chrome extensions, named Phantom Shuttle, stealing credentials from 170+ enterprise domains including AWS and GitHub. These extensions use onAuthRequired listeners to inject hardcoded proxy credentials and PAC scripts to reroute sensitive traffic. Operating as a Man-in-the-Middle, the malware exfiltrates plaintext credentials, session cookies, and API keys to the C2 server phantomshuttle[.]space every five minutes.

Anna’s Archive released a 300-terabyte dataset containing 86 million scraped Spotify tracks. The breach was achieved through systematic stream-ripping using third-party user accounts over several months. Spotify responded by disabling offending accounts and implementing new safeguards to block automated playback patterns. This massive exfiltration of metadata and audio files represents a significant challenge for digital rights management and creator protection.

Sources:
CISA KEV Digiever: https://www.cisa.gov/news-events/alerts/2025/12/22/cisa-adds-one-known-exploited-vulnerability-catalog
APT37 Artemis: https://www.genians.co.kr/en/blog/threat_intelligence/dll
SoundCloud Breach: https://www.theregister.com/2025/12/16/soundcloud_cyberattack_data_leak/
Chrome Phantom Shuttle: https://thehackernews.com/2025/12/two-chrome-extensions-caught-secretly.html
Spotify Scraping: https://therecord.media/spotify-disables-scraping-annas

Don’t think, patch!
Welcome to your daily cybersecurity podcast.

Pornhub alerts Premium subscribers following data exposure on November 8, 2025, via analytics provider Mixpanel. Cybercriminals threaten to directly contact affected users by email. Mixpanel disputes that data originated from its November 8 security incident, stating no evidence of exfiltration from its systems. Pornhub confirms passwords, payment details, and financial information remain uncompromised, with exposure limited to a restricted set of analytics events. Attackers exploit this data for sextortion campaigns specifically targeting identified Premium users.

Intezer documents a Goffee group campaign targeting Russian military personnel and defense organizations. The initial attack identified in October uses a malicious XLL file uploaded from Ukraine then Russia to VirusTotal, titled "enemy's planned targets". The file deploys EchoGather backdoor to collect system information, execute commands, and exfiltrate files to a C2 server disguised as food delivery website. Phishing lures include fake concert invitation for senior military officers and letter impersonating Russia's Ministry of Industry and Trade requesting pricing justification documents for defense contracts.

CISA and NIST release draft Interagency Report 8597 on protecting identity tokens and assertions against forgery, theft, and malicious use. The document addresses recent incidents at major cloud providers targeting theft, modification, or forgery of identity tokens to access protected resources. The report covers IAM controls for systems using digitally signed assertions and tokens in access decisions. NIST requests CSPs apply Secure by Design principles, prioritizing transparency, configurability, and interoperability. Federal agencies must understand architecture and deployment models of their CSPs to align risk posture and threat environment.

Check Point Research documented GachiLoader, a heavily obfuscated Node.js loader malware distributed through the YouTube Ghost Network. The campaign leverages 39 compromised accounts spreading over 100 videos targeting game cheat users, accumulating 220,000 views since December 2024. The malware implements anti-analysis checks including 4 GB minimum RAM, 2 CPU cores, and blacklists for usernames, hostnames, and running processes. GachiLoader disables Windows Defender and adds exclusions for C:\Users, C:\ProgramData, C:\Windows, and the .sys extension. Two variants have been observed: the first downloads Rhadamanthys from C2 servers, while the second deploys Kidkadi.node utilizing Vectored Overloading technique to intercept system calls and load malicious PE.

Sources:
Pornhub sextortion: https://www.malwarebytes.com/blog/news/2025/12/pornhub-tells-users-to-expect-sextortion-emails-after-data-exposure
Goffee APT: https://therecord.media/cyber-spies-fake-new-year-concert-russian-phishing
NIST/CISA tokens: https://www.cisa.gov/news-events/alerts/2025/12/22/nist-and-cisa-release-draft-interagency-report-protecting-tokens-and-assertions-tampering-theft-and
GachiLoader: https://research.checkpoint.com/2025/gachiloader-node-js-malware-with-api-tracing/

Don’t think, patch!
Welcome to your daily cybersecurity podcast.

Most newly registered and parked domains are now serving malicious content. Analysis shows an increasing shift of domain parking services toward hosting phishing pages, fake software updates, and redirects to scam infrastructures. These domains are used as short-lived infrastructure to bypass reputation-based defenses and accelerate fraud and malware delivery campaigns.

The Iranian APT group Infy has resurfaced with a new targeted campaign. Operations rely on spear-phishing emails delivering weaponized documents using political and diplomatic lures. Payloads include updated backdoors, Windows registry-based persistence mechanisms, and obfuscated HTTP(S) C2 channels, indicating a structured operational comeback.

NIST has released new security guidance for the use of smart speakers in home-based telehealth environments. Identified risks include interception of unencrypted voice traffic, exposure of sensitive health data, and the use of these devices as pivot points into hospital systems. Recommended mitigations focus on encrypted communications, network segmentation, and strict access control.

Sources:
Malicious domain parking: https://krebsonsecurity.com/2025/12/most-parked-domains-now-serving-malicious-content/
APT Infy: https://thehackernews.com/2025/12/iranian-infy-apt-resurfaces-with-new.html
NIST smart speakers: https://www.nist.gov/news-events/news/2025/12/securing-smart-speakers-home-health-care-nist-offers-new-guidelines

Don’t think, patch!
Welcome to your daily cybersecurity podcast.

Amazon disclosed the detection of a North Korea-linked infiltration during an IT hiring process. A system administrator who claimed to be US-based was identified through persistent keyboard latency exceeding 110 milliseconds to Seattle servers, indicating intercontinental remote operation. The control infrastructure was traced to China. Since April 2024, Amazon reports blocking more than 1,800 fraudulent hiring attempts linked to North Korea, with a 27 percent quarterly increase.

A Russian APT actor is conducting a credential phishing campaign targeting government entities across the Baltics and the Balkans. The attacks rely on HTML attachments masquerading as PDF documents, embedding institutional decoys and fake authentication forms. Credentials are exfiltrated via formcarry.com, with consistent JavaScript and regex reuse observed since at least 2023.

Microsoft confirmed a global Microsoft Teams outage impacting message delivery across all regions and clients. The incident started at 14:30 ET and was fully resolved one hour later. No indicators of malicious activity were reported.

A malware campaign abuses Microsoft Office documents, SVG files, and compressed archives to compromise Windows systems. The attack chain exploits CVE-2017-11882, uses PNG steganography, and process hollowing via RegAsm.exe to deliver RATs and information stealers.

ATM jackpotting attacks in the United States have been attributed to a criminal group deploying the Ploutus malware via physical access to ATMs. The tradecraft involves hard drive replacement or modification to control cash-dispensing modules. Losses are estimated to exceed $40 million since 2020.

Don’t think, patch.

Sources:
Amazon infiltration: https://www.clubic.com/actualite-592366-amazon-infiltre-par-un-espion-nord-coreen-finalement-repere-a-cause-de-sa-frappe-clavier.html
Russian APT phishing: https://strikeready.com/blog/russian-apt-actor-phishes-the-baltics-and-the-balkans/
Microsoft Teams outage: https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-teams-is-down-and-messages-are-delayed/
SVG and Office malware campaign: https://cybersecuritynews.com/hackers-weaponize-svg-files-and-office-documents/
ATM jackpotting / Ploutus malware: https://www.theregister.com/2025/12/19/tren_de_aragua_atm/
Welcome to your daily cybersecurity podcast.

French authorities arrested a 22-year-old individual following Interior Ministry system compromise. The intrusion exposed email accounts and confidential documents including judicial records and wanted persons databases. The attack was claimed on BreachForums. The suspect maintained network persistence for several days. Paris Prosecutor charged unauthorized access to state systems as organized group, maximum ten years imprisonment.

WatchGuard published advisory WGSA-2025-00027 addressing CVE-2025-14733, critical Out-of-bounds Write in Fireware OS iked process, CVSS 9.3. Confirmed active exploitation enables remote unauthenticated code execution. Affected versions 11.10.2 through 12.11.5 and 2025.1 through 2025.1.3. WatchGuard provides four threat actor IP addresses. Patched versions available.

Riot Games disclosed four CVEs affecting UEFI in ASUS, Gigabyte, MSI, ASRock motherboards. IOMMU initialization failure enables pre-boot DMA attacks. Malicious PCIe device with physical access can modify system memory before OS load. Carnegie Mellon CERT/CC confirms broad impact. Firmware updates available.

Cyderes documents CountLoader 3.2 via cracked software, establishing Google-mimicking persistence every thirty minutes for ten years. Nine capabilities including USB propagation, deploying ACR Stealer. Check Point reports GachiLoader via YouTube Ghost Network, one hundred videos, 220,000 views. Deploys Kidkadi with Vectored Exception Handling PE injection, Rhadamanthys stealer as final payload.

CNIL issued one million euro penalty against Mobius Solutions for unlawful retention of 46 million Deezer records post-termination. Data leaked to darknet from unsecured test environment. CNIL confirms extraterritorial GDPR application.

Don't overthink it. Patch.

Sources:
France Arrest: https://therecord.media/france-interior-ministry-hack-arrest
WatchGuard: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027
UEFI: https://www.bleepingcomputer.com/news/security/new-uefi-flaw-enables-pre-boot-attacks-on-motherboards-from-gigabyte-msi-asus-asrock/
Loaders: https://thehackernews.com/2025/12/cracked-software-and-youtube-videos.html
CNIL: https://www.zdnet.fr/actualites/fuite-massive-sur-le-darknet-la-cnil-frappe-fort-contre-un-ancien-sous-traitant-de-deezer-487023.htm

Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtintl.substack.com
Welcome to your daily cybersecurity podcast.

The Clop ransomware group, also tracked as Cl0p, is conducting a new data theft extortion campaign targeting Internet-exposed Gladinet CentreStack servers. Ongoing investigations confirm active scanning, successful intrusions, and the placement of extortion notes on compromised systems. The initial access vector remains unidentified, raising the possibility of a zero-day vulnerability or exploitation of unpatched systems. This activity aligns with Clop’s established focus on file sharing and secure file transfer platforms.

CISA has added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. CVE-2025-20393 affects multiple Cisco products through improper input validation. CVE-2025-40602 impacts SonicWall SMA1000 appliances due to a missing authorization flaw. CVE-2025-59374 targets ASUS Live Update, involving embedded malicious code within the update mechanism, highlighting a software supply chain compromise scenario.

CERT-FR has issued advisory CERTFR-2025-AVI-1116 covering multiple vulnerabilities in Google Chrome. Affected versions include releases prior to 143.0.7499.146 on Linux and prior to 143.0.7499.146 or .147 on Windows and macOS. The advisory references CVE-2025-14765 and CVE-2025-14766, with limited public technical detail on the underlying impact.

A critical FreeBSD vulnerability, CVE-2025-14558, enables remote code execution via crafted IPv6 Router Advertisement packets within the SLAAC mechanism. Insufficient validation of RA messages leads to command injection into an internal shell script. Exploitation requires the attacker to be present on the same network segment. The vulnerability carries a CVSS score of 9.8.

North Korean cyber operations reached a record level in 2025, with more than two billion dollars in cryptocurrency stolen, according to Chainalysis. These activities combine attacks against centralized services, large-scale personal wallet compromises, and advanced social engineering operations involving fake recruiters and purported investors.

FIRST Foundation highlights the operational importance of incident communications, emphasizing the role of secure alternative channels, third-party coordination mechanisms, and controlled delegation of public communications to reduce secondary risk during major cyber incidents.

Finally, a coordinated operation supported by Eurojust dismantled fraudulent call centre operations in Ukraine. The transnational criminal network relied on industrial-scale social engineering techniques, with identified losses exceeding ten million euros and forty-five suspects identified across multiple countries.

Don’t overthink it. Patch.

Sources:
Clop / Gladinet: https://www.bleepingcomputer.com/news/security/clop-ransomware-targets-gladinet-centrestack-servers-for-extortion/
CISA KEV: https://www.cisa.gov/news-events/alerts/2025/12/17/cisa-adds-three-known-exploited-vulnerabilities-catalog
CERT-FR Chrome: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1116/
FreeBSD RCE: https://www.security.nl/posting/917946/Kritiek+beveiligingslek+in+FreeBSD+maakt+remote+code+execution+mogelijk?channel=rss
DPRK Crypto: https://www.theregister.com/2025/12/18/north_korea_stole_2b_crypto_2025/
FIRST Comms: https://www.first.org/blog/20251216-upskilling_communications
Eurojust Fraud: https://www.eurojust.europa.eu/news/fraudulent-call-centres-ukraine-rolled
France Arrest: https://therecord.media/france-interior-ministry-hack-arrest
Welcome to your daily cybersecurity podcast.

CISA adds CVE-2025-59718 to its Known Exploited Vulnerabilities catalog on December 16th. The flaw affects Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb through improper cryptographic signature verification in FortiCloud SSO SAML authentication. Unauthenticated attackers can bypass authentication via crafted SAML messages. Active exploitation confirmed. CVE-2025-59719 addresses the same underlying issue. Federal agencies face a December 23rd remediation deadline. No ransomware campaign linkage confirmed at this time.

CERT-FR issues advisory CERTFR-2025-AVI-1117 concerning GLPI. Two vulnerabilities identified as CVE-2025-59935 and CVE-2025-64520 affect GLPI versions 9.1.0 through prior to 10.0.21. Risks include XSS injection and security policy bypass. Fixes available via GitHub security advisories GHSA-62p9-prpq-j62q and GHSA-j8vv-9f8m-r7jx published December 16th.

Cisco reports CVE-2025-20393, a critical AsyncOS zero-day affecting Secure Email Gateway and Secure Email and Web Manager with Internet-exposed Spam Quarantine in non-standard configurations. Active exploitation since late November attributed to Chinese group UAT-9686 deploying AquaShell backdoors, AquaTunnel and Chisel reverse SSH tunnels, and AquaPurge log-clearing tools. Links identified to UNC5174 and APT41. No patch available. Cisco recommends access restriction, network segmentation, and rebuilding compromised appliances as sole eradication option.

SonicWall patches CVE-2025-40602, a local privilege escalation in SMA1000 Appliance Management Console. Exploited in chain with CVE-2025-23006, a critical deserialization flaw with CVSS score 9.8 already fixed in January. Combined exploitation enables unauthenticated root remote code execution. Discovered by Google Threat Intelligence Group. Fixed version: build 12.4.3-02856 and higher. Over 950 SMA1000 appliances remain exposed according to Shadowserver.

Finally, Recorded Future documents sustained APT28 phishing campaign targeting UKR.net users between June 2024 and April 2025. UKR.net-themed login pages hosted on Mocky distributed via PDF attachments in phishing emails. Links shortened via tiny.cc or tinyurl.com with some redirections through Blogger subdomains. Captures credentials and 2FA codes. Attackers transitioned to ngrok and Serveo proxy services following early 2024 infrastructure takedowns. GRU operation targeting Ukrainian intelligence collection amid ongoing conflict.

Don't think, just patch!

Sources:
CISA KEV: https://www.cisa.gov/news-events/alerts/2025/12/16/cisa-adds-one-known-exploited-vulnerability-catalog
CERT-FR: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1117/
Cisco AsyncOS: https://www.bleepingcomputer.com/news/security/cisco-warns-of-unpatched-asyncos-zero-day-exploited-in-attacks/
SonicWall: https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-new-sma1000-zero-day-exploited-in-attacks/
APT28: https://thehackernews.com/2025/12/apt28-targets-ukrainian-ukr-net-users.html
Welcome to your daily cybersecurity podcast.

QNAP discloses a high-severity authentication bypass vulnerability tracked as CVE-2025-59385. The flaw allows remote attackers to spoof authentication mechanisms and access protected resources without credentials. The issue affects QTS and QuTS hero systems and is remotely exploitable with no user interaction. Patches are available in QTS 5.2.7.3297 and QuTS hero 5.2.7 and 5.3.1 builds released on October 24.

A second QNAP vulnerability, CVE-2025-62848, exposes QTS and QuTS hero systems to remote denial-of-service attacks. The issue stems from a NULL pointer dereference condition and can be triggered over the network without authentication. Successful exploitation leads to system crashes and service disruption. Fixed versions mirror those released for CVE-2025-59385.

Trend Micro reveals a previously unseen controller linked to BPFDoor malware, enabling encrypted reverse shells, direct shell access, and lateral movement across Linux servers. The backdoor leverages Berkeley Packet Filter mechanisms to remain stealthy and firewall-agnostic. Activity is attributed with medium confidence to the Earth Bluecrow APT group and targets telecommunications, finance, and retail sectors across Asia and the Middle East.

CISA adds two actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog. CVE-2025-14611 affects Gladinet CentreStack and Triofox via hard-coded cryptographic keys, while CVE-2025-43529 is a WebKit use-after-free flaw impacting multiple Apple products. Federal agencies are required to remediate under BOD 22-01, with strong recommendations extended to all organizations.

Avast documents an emerging WhatsApp account takeover scam abusing the platform’s legitimate device-linking feature. Attackers trick users into authorizing rogue linked devices through fake verification pages, granting persistent access to conversations without stealing passwords or triggering security alerts.

Finally, The Record reports major data breaches at Prosper Marketplace and 700Credit impacting nearly 20 million individuals. Exposed data includes Social Security numbers, financial records, and identity documents. Both incidents highlight ongoing systemic risks across the financial services supply chain.

Don't think, just patch!

Sources:
CVE-2025-59385: https://cvefeed.io/vuln/detail/CVE-2025-59385
CVE-2025-62848: https://cvefeed.io/vuln/detail/CVE-2025-62848
BPFDoor: https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.html
CISA KEV: https://www.cisa.gov/news-events/alerts/2025/12/15/cisa-adds-two-known-exploited-vulnerabilities-catalog
WhatsApp Scam: https://blog.avast.com/blog/onlinescams/whatsapppairingscam
Data Breaches: https://therecord.media/data-breaches-affecting-20-million-prosper-700credit
Welcome to your daily cybersecurity podcast.

Horizon3.ai exposes three critical FreePBX vulnerabilities. The most severe, CVE-2025-66039 scored 9.3, enables complete authentication bypass via simple forged Authorization header. Two additional flaws provide SQL injection and PHP web shell upload for remote code execution. Patches available but require manual CLI configuration and audit of instances exposed before September.

New BreachForums avatar claims major intrusion on French Interior Ministry infrastructure. Actor "Indra" asserts exfiltration of police databases TAJ and FPR with ransom demand under one-week deadline. Place Beauvau confirms email compromise and business application access. Emergency deployment of systematic two-factor authentication and password rotation. Investigation assigned to Anti-Cybercrime Office.

BleepingComputer reveals how scammers hijacked PayPal infrastructure to send legitimate emails from service@paypal.com. Exploitation of "pause subscription" feature bypassed all spam filters enabling large-scale tech support scam campaigns. PayPal confirms loophole closure following investigation.

CERT-FR issues advisory CERTFR-2025-AVI-1111 for Roundcube Webmail. Multiple XSS vulnerabilities affect versions prior to 1.5.12 and 1.6.12, enabling remote code injection and data confidentiality breach. Patches available since December 13 with immediate application recommended for all exposed webmail instances.

Don't think, just patch!

Sources:
FreePBX: https://thehackernews.com/2025/12/freepbx-authentication-bypass-exposed.html
Interior Ministry: https://www.zdnet.fr/actualites/lattaque-informatique-contre-le-ministere-de-linterieur-revendiquee-par-un-nouvel-avatar-de-breachforums-486636.htm
PayPal: https://www.malwarebytes.com/blog/news/2025/12/paypal-closes-loophole-that-let-scammers-send-real-emails-with-fake-purchase-notices
Roundcube: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1111/
Welcome to your daily cybersecurity podcast.

Apple and Google rush to fix actively exploited Zero-Day flaws. CISA has added CVE-2025-14174 to its KEV catalog, flagging a critical memory corruption vulnerability in the Chromium engine that affects Chrome, Edge, and Brave. Simultaneously, Apple has deployed patches for this same flaw alongside CVE-2025-43529, a WebKit Use-After-Free bug. Discovered by Google's Threat Analysis Group, these vulnerabilities are currently leveraged in "extremely sophisticated" attacks allowing Remote Code Execution (RCE) on iPhones, iPads, and macOS devices via malicious web content. Updating to iOS 26.2 and the latest browser versions is mandatory to break this infection chain.

CERT-FR issues a massive alert regarding the Ubuntu Linux kernel. The security advisory covers a wide array of vulnerabilities impacting every supported version, from LTS 18.04 up to intermediate releases like 25.10. These kernel-level flaws allow attackers to trigger remote Denial of Service and bypass security policies, posing a severe threat to process isolation and container environments. System administrators must not only apply the listed USN patches but must imperatively schedule production reboots to ensure the new kernel image is actually loaded into memory.

A historic data leak exposes 4.3 billion professional records. Researchers have discovered an unsecured 16-terabyte MongoDB database left open to the public, containing detailed profiles likely aggregated from LinkedIn and Apollo.io. The dataset includes names, emails, phone numbers, and career histories, creating the ultimate weapon for AI-assisted social engineering. Although secured on November 25th, this exposure provides cybercriminals with the context needed to automate large-scale Spear-Phishing and Business Email Compromise (BEC) campaigns targeting Fortune 500 employees.

President Trump signs an Executive Order establishing a deregulated national framework for AI. The order effectively bans states from enacting their own regulations, threatening to withhold federal funding from jurisdictions enforcing laws deemed "onerous," such as Colorado’s algorithmic bias statutes. For CISOs and GRC teams, this eliminates external legal guardrails and shifts the entire burden of model safety and ethics onto internal controls, creating an environment that prioritizes rapid innovation over safety compliance.

Don't think, just patch!

Sources:
Apple: https://www.bleepingcomputer.com/news/security/apple-fixes-two-zero-day-flaws-exploited-in-sophisticated-attacks/
CISA: https://www.cisa.gov/news-events/alerts/2025/12/12/cisa-adds-one-known-exploited-vulnerability-catalog-0
CERT-FR: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1106/
Data Breach: https://securityaffairs.com/185661/data-breach/experts-found-an-unsecured-16tb-database-containing-4-3b-professional-records.html
AI Regulation: https://therecord.media/trump-executive-order-ai-national-framework
Welcome to your daily cybersecurity podcast.
Palo Alto Networks Unit 42 exposes Ashen Lepus, a Hamas-affiliated APT actor active since 2018. The group deploys a new .NET modular malware suite named AshTag, targeting governmental and diplomatic entities across the Middle East with confirmed geographic expansion toward Oman and Morocco. The multi-stage infection chain initiates through Arabic-language PDF lures on Palestinian geopolitical themes. Victims download RAR archives containing a binary that side-loads the AshenLoader loader. The group abandoned its proprietary C2 infrastructure in favor of API and authentication subdomains on legitimate domains like api.healthylifefeed.com, which masks malicious traffic. The C2 architecture now integrates geofencing and anti-sandbox verification before payload delivery. Secondary modules are Base64-encoded and hidden in commented HTML tags with AES-CTR-256 encryption. Ashen Lepus uses Rclone to exfiltrate targeted diplomatic documents.
Malwarebytes publishes a technical analysis on real VPN privacy following worldwide usage surge post-UK age-verification rules. The document exposes the massive gap between marketing promises and concrete implementation, particularly critical for enterprise deployments protecting sensitive data. Full infrastructure ownership eliminates uncontrolled intermediaries unlike cloud rental. RAM-only servers instantly destroy all traces upon shutdown, which cancels any physical seizure vector. WireGuard protocol drastically reduces attack surface through its minimal auditable codebase, while OpenVPN and IPSec now represent legacy technologies. The major risk for organizations comes from employees using non-validated commercial VPNs that create encrypted tunnels bypassing DLP controls and exfiltrating corporate data through third-party infrastructure never audited.
Kali Linux releases version 2025.4, the final update of the year, integrating three new penetration testing tools, major desktop environment improvements, and full Wayland support on GNOME. The three new tools include bpf-linker for BPF static compilation, evil-winrm-py enabling command execution on remote Windows machines via WinRM, and hexstrike-ai allowing AI agents to autonomously execute tools through MCP server. GNOME moves to version 49 and definitively removes X11 support, now running exclusively on Wayland with full VM support for VirtualBox, VMware, and QEMU. NetHunter extends Android 16 support on Samsung Galaxy S10 and OnePlus Nord, restores terminal with interactive Magisk compatibility, and integrates Wifipumpkin3 in preview with Facebook, Instagram, iCloud, and Snapchat phishing templates.
CISA adds CVE-2018-4063 to the KEV Catalog on December 12, 2025, following confirmed active exploitation. This vulnerability affects Sierra Wireless AirLink ALEOS and enables unrestricted upload of dangerous files without type or extension validation, leading to arbitrary code execution on cellular routers deployed across vehicle fleets, industrial IoT infrastructure, and M2M networks. Critical point: the CVE dates from 2018, but its late KEV inclusion confirms a resurgence of exploitation specifically targeting unpatched legacy equipment. AirLink devices provide cellular connectivity for SCADA systems, mobile payment terminals, and telematics platforms.
Don't think, just patch!
Sources:
Unit 42: https://unit42.paloaltonetworks.com/hamas-affiliate-ashen-lepus-uses-new-malware-suite-ashtag/
Malwarebytes: https://www.malwarebytes.com/blog/inside-malwarebytes/2025/12/how-private-is-your-vpn
BleepingComputer: https://www.bleepingcomputer.com/news/security/kali-linux-20254-released-with-3-new-tools-desktop-updates/
CISA: https://www.cisa.gov/news-events/alerts/2025/12/12/cisa-adds-one-known-exploited-vulnerability-catalog
Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtintl.substack.com
Welcome to this special RadioCSIRT cybersecurity briefing.
In this episode, we take an in-depth look at the MITRE Top 25 Common Weakness Enumerations (CWE) for 2025, moving beyond a simple ranking to analyze the structural weaknesses that continue to drive real-world compromises.
This analysis focuses on how recurring flaws such as cross-site scripting, SQL injection, missing authorization, memory corruption, and business logic failures remain dominant attack enablers despite years of awareness, tooling, and secure development frameworks.
We examine why these weaknesses persist, how they are actually exploited in production environments, and what they reveal about systemic failures in application design, governance, and security architecture.
Special attention is given to the operational impact for CERT/CSIRT and SOC teams, including:
- how CWE analysis supports anticipation of future vulnerabilities,
- why root-cause driven prioritization is more effective than CVE-based triage alone,
- and how logic flaws and authorization failures increasingly evade automated detection.
This episode also highlights key 2025 trends, including the rise of business logic vulnerabilities, the gap between modern frameworks and real implementations, and the growing weight of technical and organizational debt.
A synthesis of this analysis is available on my blog.
Sources:
MITRE – Top 25 CWE 2025: https://cwe.mitre.org/top25/archive/2025/2025_cwe_top25.html
Blog: https://blog.marcfredericgomez.com/top-25-cwe-2025-technical-analysis/
Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtintl.substack.com
Welcome to your daily cybersecurity podcast.
The Linux kernel 5.4 officially reaches end-of-life. After years of LTS support, this version—massively deployed across Ubuntu, Android, and embedded systems—will no longer receive upstream security patches. This creates a critical risk for industrial and network equipment remaining on this version without a rapid migration path.
Check Point dissects the ValleyRAT backdoor and its kernel-mode rootkit following a public builder leak. The malware features 19 plugins and a digitally signed driver for file hiding and process protection. 85% of detected samples appeared in the last six months, complicating attribution to specific state actors.
Google patches CVE-2025-13223, the eighth actively exploited Chrome zero-day of the year. This type-confusion vulnerability in the V8 JavaScript engine allows memory manipulation without complex user interaction, continuing a pattern of espionage-focused exploitation.
Anonymous hackers breach Mikord, the alleged developer of Russia's unified military registry. Internal documents and source code were transferred to the anti-war NGO Idite Lesom, confirming the firm's role in the military project. The breach occurs amidst a context of bidirectional cyber escalation following attacks on Ukrainian registries.
Flare identifies over 10,000 Docker Hub images exposing active credentials. The leak affects Fortune 500 companies and includes 4,000 AI model API tokens. The primary vector is Shadow IT, with unmonitored contractor accounts exposing client data that remains valid even after the images are deleted.
Finally, CISA adds two vulnerabilities to its Known Exploited Vulnerabilities catalog. The flaws affect WinRAR (CVE-2025-6218), allowing arbitrary code execution via archives, and the Windows Cloud Files driver (CVE-2025-62221), enabling privilege escalation. Both are confirmed to be exploited in the wild.
We don't think, we patch!
Sources:
Linux Journal: https://www.linuxjournal.com/content/linux-kernel-54-reaches-end-life-time-retire-workhorse
Check Point Research: https://research.checkpoint.com/2025/cracking-valleyrat-from-builder-secrets-to-kernel-rootkits/
Malwarebytes: https://www.malwarebytes.com/blog/news/2025/12/another-chrome-zero-day-under-attack-update-now
The Record: https://therecord.media/hackers-reportedly-breach-developer-involved-in-russian-military-database
Bleeping Computer: https://www.bleepingcomputer.com/news/security/over-10-000-docker-hub-images-found-leaking-credentials-auth-keys/
Security Affairs: https://securityaffairs.com/185523/security/u-s-cisa-adds-microsoft-windows-and-winrar-flaws-to-its-known-exploited-vulnerabilities-catalog.html
Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtintl.substack.com
Welcome to your daily cybersecurity podcast.
Microsoft refuses to fix a critical RCE vulnerability in the .NET framework affecting the SoapHttpClientProtocol class. Revealed at Black Hat Europe by researcher Piotr Bazydło from WatchTowr, the flaw enables arbitrary file writes through SOAP URL manipulation. Exploitation relies on unexpected support for FILE and FTP protocols by a class designed to handle HTTP only. Confirmed vulnerable products include Ivanti Endpoint Manager, Umbraco 8 CMS, and Barracuda Service Center, but the actual number of affected applications is likely massive.
CERT-FR publishes advisory CERTFR-2025-AVI-1088 concerning four critical vulnerabilities in Ivanti Endpoint Manager 2024. CVE-2025-10573, CVE-2025-13659, CVE-2025-13661, and CVE-2025-13662 enable remote arbitrary code execution, security policy bypass, and XSS injection. Only versions prior to 2024 SU4 SR1 are affected. The patch has been available since December 9th, 2025.
CERT-FR also issues advisory CERTFR-2025-AVI-1084 concerning 17 Fortinet security bulletins covering 18 CVEs. The entire Fortinet portfolio is affected: FortiOS, FortiProxy, FortiManager, FortiAnalyzer, FortiWeb, FortiSandbox, FortiExtender, FortiAuthenticator, FortiVoice, FortiSOAR, FortiPAM, FortiSRA, FortiSASE, FortiSwitchManager, and FortiPortal. Critical vulnerabilities include remote code execution, privilege escalation, and SQL injection.
Finally, Spanish National Police arrests a 19-year-old individual in Igualada for theft and sale of 64 million personal data records from nine companies. Exfiltrated data includes DNI numbers, addresses, phone numbers, emails, and IBAN codes. The suspect used six online accounts and five pseudonyms to sell databases on underground forums. Authorities seized electronic equipment and froze a crypto wallet.
We don't think, we patch!
Sources:
The Register: https://www.theregister.com/2025/12/10/microsoft_wont_fix_net_rce/
CERT-FR: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1088/
CERT-FR: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1084/
The Record: https://therecord.media/spain-arrests-teen-suspect-data-theft-and-sale
Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtintl.substack.com
🚨 CRITICAL ALERT: CISA, FBI, and NSA issue joint advisory AA25-343A on December 9, 2025, warning of active campaigns by four pro-Russia hacktivist groups exploiting VNC vulnerabilities in OT/ICS systems worldwide.
THREAT ACTORS IDENTIFIED:
Cyber Army of Russia Reborn (CARR) - GRU Unit 74455 linked
NoName057(16) - Kremlin CISM creation
Z-Pentest - CARR/NoName merger, OT-specialized
Sector16 - Emerging January 2025
ATTACK VECTOR: Mass exploitation of exposed VNC services (ports 5900-5910) with default/weak credentials on HMI devices. Direct SCADA access causing parameter modifications, alarm disabling, and operational disruptions across water, energy, and agriculture sectors.
IMMEDIATE ACTIONS: Scan external attack surface, eliminate default credentials, implement MFA, enforce IT/OT segmentation, and deploy continuous monitoring for unauthorized VNC connections.
TARGET AUDIENCE: CERT, CSIRT, SOC Teams, CISOs, Critical Infrastructure Operators
DURATION: 8 minutes of dense technical intelligence
PRODUCED BY: RadioCSIRT - Daily cyber threat intelligence for operational defense teams
#Cybersecurity #OT #ICS #SCADA #ThreatIntelligence #CriticalInfrastructure #CISA #InfoSec
Welcome to your daily cybersecurity briefing.
The UK’s NCSC has released critical guidance regarding Generative AI security, warning that treating Prompt Injection like SQL Injection is a dangerous misconception. Unlike traditional databases, LLMs lack a rigid boundary between instructions and data, creating an "Inherently Confusable Deputy" problem. The agency advises that the only effective mitigation is architectural: strictly restricting the privileges of tools accessible by the AI, rather than relying on input filters.
A critical authentication bypass vulnerability has been discovered in the Ruby SAML library. Tracked as CVE-2025-25293, the flaw allows attackers to exploit XML parsing differences to forge valid signatures via XML Signature Wrapping. Organizations relying on this library for Single Sign-On must upgrade to version 1.18.0 immediately to prevent unauthorized access.
Polish police have arrested three Ukrainian nationals in Warsaw found in possession of sophisticated hardware hacking equipment, including Flipper Zero devices, radio antennas, and counter-surveillance tools. The seizure points to potential "Close Access" operations targeting critical defense infrastructure and telecommunications networks physically.
Threat actor Storm-0249 is escalating its tactics, shifting from simple access brokerage to advanced ransomware preparation. The group is now employing "ClickFix" social engineering and DLL side-loading techniques—specifically targeting SentinelOne agents—to steal system identifiers (MachineGuid) and maintain persistence.
Swiss hosting provider Infomaniak has launched "Euria," a sovereign AI alternative to US-based models. Hosted in Switzerland and powered by renewable energy, the platform guarantees that user data is never used for model training, offering a compliant solution for handling sensitive enterprise data without Cloud Act exposure.
The Australian Signals Directorate (ASD) is warning of a global surge in Infostealer malware activity. These threats are evolving beyond credential theft to mass-exfiltrate session cookies, effectively bypassing Multi-Factor Authentication (MFA) and serving as a primary entry vector for corporate network breaches.
Finally, a reminder that today is the last Patch Tuesday of the year. Expect critical updates from Microsoft today.
Don’t Think – Patch Now!
Sources:
NCSC UK: https://www.ncsc.gov.uk/blog-post/prompt-injection-is-not-sql-injection
CyberPress: https://cyberpress.org/critical-ruby-saml-flaw/
Warsaw Police: https://srodmiescie.policja.gov.pl/rs/aktualnosci/145521,Podrozowali-po-Europie-z-detektorem-urzadzen-szpiegowskich-i-sprzetem-hakerskim.html
Security Affairs: https://securityaffairs.com/185480/cyber-crime/polish-police-arrest-3-ukrainians-for-possessing-advanced-hacking-tools.html
The Hacker News: https://thehackernews.com/2025/12/storm-0249-escalates-ransomware-attacks.html
GoodTech: https://goodtech.info/euria-ia-gratuite-suisse-alternative-chatgpt-chauffage/
Cyber.gov.au (ASD): https://www.cyber.gov.au/about-us/view-all-content/news/information-stealers-are-on-the-rise-are-you-at-risk
Patch Tuesday Microsoft: https://blog.marcfredericgomez.com/december-2025-patch-tuesday-analysis/
Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtintl.substack.com
Welcome to your daily cybersecurity briefing.
CERT-FR has issued a security advisory regarding a vulnerability affecting the MISP threat-intelligence platform. Under specific configurations, the flaw may allow unauthorized access to internal components or data. Organizations relying on MISP are strongly encouraged to apply the recommended patches without delay to mitigate potential exploitation.
CERT-FR has also released a warning for iPhone users following the identification of active exploitation campaigns using sophisticated exploit chains capable of achieving remote code execution. Devices lacking the latest security updates are especially vulnerable, highlighting the necessity of rapid patch deployment across Apple ecosystems.
Google Chrome is introducing a new security layer designed to reinforce protections around Gemini-powered agentic browsing. This additional safeguard aims to prevent malicious websites from manipulating automated AI-driven actions during complex web interactions, strengthening overall browser security in environments relying on AI navigation.
A service outage affecting Porsche’s connected-vehicle ecosystem in Russia is drawing attention to the systemic risks inherent in modern automotive platforms. The incident underscores the growing dependency on digital infrastructure for critical operational functions and the potential impact of disruptions on both safety and service availability.
Don’t Think – Patch Now!
Sources:
CERT-FR: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1076/
CERT-FR: https://www.cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-010/
BleepingComputer: https://www.bleepingcomputer.com/news/security/google-chrome-adds-new-security-layer-for-gemini-ai-agentic-browsing/
SecurityAffairs: https://securityaffairs.com/185398/security/porsche-outage-in-russia-serves-as-a-reminder-of-the-risks-in-connected-vehicle-security.html
Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtintl.substack.com
Welcome to your daily cybersecurity briefing.
The FBI has issued a public service announcement regarding the evolution of "virtual kidnapping" scams, where criminals are now using AI-altered images from social media to fabricate proof-of-life. By manipulating photos to depict physical harm or captivity, threat actors are successfully pressuring families into paying ransoms for loved ones who are actually safe, marking a dangerous shift in extortion tactics.
Threat actors are actively exploiting a command injection vulnerability in Array Networks AG Series VPNs to implant webshells and establish persistence. Critical to note is that while the vendor patched this flaw in May, no CVE identifier was assigned, leaving many organizations blind to the risk as automated vulnerability scanners fail to detect the unpatched appliances.
A sophisticated new Android banking trojan dubbed "FvncBot" has been detected in the wild, utilizing custom code rather than leaked sources. The malware distinguishes itself by using H.264 video streaming to bypass standard anti-screen-capture protections (FLAG_SECURE), allowing attackers to steal credentials and remotely control devices in near real-time.
New research indicates that 97% of U.S. medical professionals have their personal home addresses and family details exposed on people-search databases. This massive leak of Personally Identifiable Information (PII) significantly escalates physical security risks for healthcare staff, enabling targeted harassment and doxxing by disgruntled patients or hostile actors.
Mozilla is officially terminating its Monitor Plus partnership with privacy vendor Onerep following a critical third-party risk management failure. The decision comes after investigations revealed that the founder of the privacy service—hired to remove users from data broker lists—was simultaneously operating an active people-search data broker business.
Don’t Think – Patch Now!
Sources:
BleepingComputer: https://www.bleepingcomputer.com/news/security/fbi-warns-of-virtual-kidnapping-ransom-scams-using-altered-social-media-photos/
BleepingComputer: https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-arrayos-ag-vpn-flaw-to-plant-webshells/
CyberPress: https://cyberpress.org/android-users-hit-by-fvncbot-malware/
HelpNetSecurity: https://www.helpnetsecurity.com/2025/12/05/incogni-healthcare-staff-data-exposure-report/
KrebsOnSecurity: https://krebsonsecurity.com/2025/11/mozilla-says-its-finally-done-with-two-faced-onerep/
Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtintl.substack.com
Welcome to your daily cybersecurity briefing.
The Australian Cyber Security Centre has released new guidance for critical infrastructure regarding the secure integration of Artificial Intelligence into Operational Technology environments. This strategic framework aims to help organizations anticipate physical safety risks caused by algorithmic automation in industrial systems.
CERT-FR (ANSSI) has issued a series of security advisories (AVI-1062 to 1067) flagging multiple critical vulnerabilities requiring immediate attention. System administrators are urged to consult the official feed to identify affected products within their fleets and apply corrective measures without delay.
Barts Health NHS Trust has confirmed a leak of administrative data following the exploitation of an Oracle E-Business Suite zero-day flaw by the Clop ransomware gang. While patient medical records remain unaffected, this incident highlights the persistent threat targeting vital ERP components in the healthcare sector.
A maximum severity vulnerability (CVSS 10.0) has been discovered in Apache Tika, a content analysis tool ubiquitous in solutions like Solr and Elasticsearch. This XXE flaw allows attackers to execute code via malicious PDF files, necessitating an emergency update of the "tika-core" library.
Asus has admitted that a cyberattack against one of its third-party suppliers exposed source code for its smartphone camera modules. The Everest group claims to have stolen one terabyte of data, illustrating once again how the supply chain remains a prime vector for accessing the intellectual property of tech giants.
Don’t Think – Patch Now!
Sources:
Australian Cyber Security Centre: https://www.cyber.gov.au/about-us/view-all-content/news/new-guidance-for-critical-infrastructure-on-integrating-ai-securely-into-operational-technology-environments
CERT-FR (Advisory 1062): https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1062/
CERT-FR (Advisory 1063): https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1063/
CERT-FR (Advisory 1064): https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1064/
CERT-FR (Advisory 1067): https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1067/
BleepingComputer: https://www.bleepingcomputer.com/news/security/barts-health-nhs-discloses-data-breach-after-oracle-zero-day-hack/
Security Affairs: https://securityaffairs.com/185363/security/maximum-severity-xxe-vulnerability-discovered-in-apache-tika.html
The Register: https://www.theregister.com/2025/12/05/asus_supplier_hack/
Your feedback is welcome.
Email: radiocsirt@gmail.com
Website: https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtintl.substack.com