
Cyber Threat Weekly – #108

Derek Krein
5 min read

The week of December 15th through December 21st, roughly 365 cyber news articles were reviewed. A light amount of cyber threat trends and adversarial behavior news to share.  Been thinkin about how AI is powering fraud.

We are only starting to see the effects of AI on fraud.  Deepfake voice and video have been and will continue to be used for scams and fraud, phishing text is polished and emotion-evoking, leading to higher open, click, and win rates for attackers, and this is just the beginning.  As models and our understanding of AI get better, so will attackers' use of it. Yesterday's nation-state attack is tomorrow's commodity attack.

Let’s start with ongoing deepfake impersonation of U.S. gov officials.  Two network edge device vendors with zero-day bugs exploited.  ClickFix has grown wildly popular, another story to keep the technique front and center.

Researchers share intelligence insights December 2025.  Phishing kits lead to OAuth device code authorization.  Researchers identify another darknet AI assistant.  Even human-in-the-loop AI dialogs can be manipulated.

A new Android remote access trojan (RAT).  Threat Report H2 2025. 


Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!

Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months.  We continue to share n-day vulnerabilities being actively exploited.  Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs.  If it’s in the catalog, it should be patched.

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.

VPN gateways from all vendors are under constant attack.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
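As an added illustration of the priority order above (not code from the newsletter or from CISA), the script below matches a constructed asset inventory against a constructed excerpt shaped like the CISA KEV JSON feed and builds the emergency patch queue, Internet-exposed assets first. The field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) are those of the real feed; the dates and the inventory are made up for this example.

```python
import json
from datetime import date

# Constructed excerpt in the shape of the CISA KEV JSON feed. The CVE IDs are the ones
# listed in this issue; the dateAdded/dueDate values are constructed, not from the live catalog.
KEV_FEED = """{"vulnerabilities": [
 {"cveID": "CVE-2025-14733", "vendorProject": "WatchGuard", "product": "Firebox",
  "dateAdded": "2025-12-17", "dueDate": "2025-12-20", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2025-40602", "vendorProject": "SonicWall", "product": "SMA1000",
  "dateAdded": "2025-12-17", "dueDate": "2025-12-20", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2025-59718", "vendorProject": "Fortinet", "product": "FortiOS",
  "dateAdded": "2025-12-19", "dueDate": "2026-01-09", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2025-20393", "vendorProject": "Cisco", "product": "Secure Email Gateway",
  "dateAdded": "2025-12-17", "dueDate": "2025-12-20", "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed asset inventory; vendor/product spelled as the KEV feed spells them.
INVENTORY = [
    {"host": "fw-edge-01", "vendor": "WatchGuard", "product": "Firebox", "internet_exposed": True},
    {"host": "vpn-sma-01", "vendor": "SonicWall", "product": "SMA1000", "internet_exposed": True},
    {"host": "esa-01", "vendor": "Cisco", "product": "Secure Email Gateway", "internet_exposed": False},
    {"host": "fgt-mgmt-01", "vendor": "Fortinet", "product": "FortiOS", "internet_exposed": False},
    {"host": "printer-01", "vendor": "AcmeCorp", "product": "LaserPrint", "internet_exposed": False},
]

def load_kev(feed_text):
    """Parse a KEV-shaped JSON document into its list of vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]

def triage(kev_entries, inventory, today):
    """Every inventory asset matching a KEV entry goes to the emergency queue (KEV entries are
    exploited by definition). Internet-exposed assets sort first, then earliest CISA due date."""
    queue = []
    for asset in inventory:
        for entry in kev_entries:
            if (asset["vendor"].lower() == entry["vendorProject"].lower()
                    and asset["product"].lower() == entry["product"].lower()):
                due = date.fromisoformat(entry["dueDate"])
                queue.append({"host": asset["host"], "cve": entry["cveID"],
                              "internet_exposed": asset["internet_exposed"],
                              "days_until_due": (due - today).days,
                              "ransomware_use": entry["knownRansomwareCampaignUse"]})
    queue.sort(key=lambda q: (not q["internet_exposed"], q["days_until_due"], q["host"]))
    return queue

def emergency_queue(today_iso="2025-12-19"):
    """Run the triage over the constructed data as of a constructed 'today'."""
    return triage(load_kev(KEV_FEED), INVENTORY, date.fromisoformat(today_iso))

if __name__ == "__main__":
    for item in emergency_queue():
        print(item)
```

Matching here is exact on vendor and product strings; a real inventory needs normalization (CPE or a vendor naming map) before this comparison is reliable.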


CISA Known Exploited Vulnerabilities – December 15th to December 21st:

CVE-2025-14611 – Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability:
This bug degrades security for publicly exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication.

CVE-2025-43529 – Apple Multiple Products Use-After-Free WebKit Vulnerability:
Affecting Apple iOS, iPadOS, macOS, and other Apple products, processing maliciously crafted web content may lead to memory corruption.  This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing.

CVE-2025-59718 – Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability:
Affecting Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb, may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message. Please be aware that CVE-2025-59719 pertains to the same problem and is mentioned in the same vendor advisory. Ensure to apply all patches mentioned in the advisory.

CVE-2025-59374 – ASUS Live Update Embedded Malicious Code Vulnerability:
The ASUS Live Update client was distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

CVE-2025-40602 – SonicWall SMA1000 Missing Authorization Vulnerability:
Could allow for privilege escalation on appliance management console (AMC) of affected devices.

CVE-2025-20393 – Cisco Multiple Products Improper Input Validation Vulnerability:
Affecting Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances, allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance.

CVE-2025-14733 – WatchGuard Firebox Out of Bounds Write Vulnerability:
May allow a remote unauthenticated attacker to execute arbitrary code and affects both the mobile user VPN with IKEv2 and the branch office VPN using IKEv2 when configured with a dynamic gateway peer.


Deepfake Impersonation of U.S. Gov Officials Ongoing, says FBI

Unknown threat actors have continued to use AI voice cloning tools to extract sensitive or classified information or conduct scams while impersonating gov officials.  The public service announcement includes tactics and talking points.  This behavior can be used against any organization; you should consider mitigations for such activity. 

https://cyberscoop.com/fbi-says-ongoing-deepfake-impersonation-of-us-officials-dates-back-to-2023/

https://www.ic3.gov/PSA/2025/PSA251219


WatchGuard and SonicWall VPN Bugs Exploited

There seems to be a constant barrage of VPN n-day bugs and zero-days actively exploited.  All vendors are in the crosshairs.  This week it’s WatchGuard and SonicWall.  It’s time to take a look at what you have exposed to the Internet; does it need to be exposed?  Architecture and zero trust network access go a long way to minimizing your network ingress footprint and close a few doors into your environments.

https://www.bleepingcomputer.com/news/security/watchguard-warns-of-new-rce-flaw-in-firebox-firewalls-exploited-in-attacks/

https://www.darkreading.com/vulnerabilities-threats/sonicwall-edge-devices-zero-day-attacks


ClickFix Attack Leads to Ransomware

This attack appears to be kicked off by an initial access broker (IAB).  A legit but compromised domain used ClickFix to deploy NetSupport Manager.  Later StealC was downloaded and a malicious DLL was sideloaded, leading to Qilin ransomware.

https://www.sophos.com/en-us/blog/i-am-not-a-robot-clickfix-used-to-deploy-stealc-and-qilin


Intelligence Insights: December 2025

This report covers the happenings in November 2025.  Topping the list is JustAskJacky, Shai-Hulud: The Second Coming is second, ScreenConnect and NetSupport Manager remote access management tools are third and fourth respectively.  A couple of mainstays, Impacket and Mimikatz, are part of a tie for 10th.

https://redcanary.com/blog/threat-intelligence/intelligence-insights-december-2025/


Researchers Spot Uptick in Microsoft Device Code Phishing

While not a new technique, a sharp increase has been observed.  Abusing Microsoft’s OAuth device code authorization starts with phishing leading the victim to Microsoft’s device login page.  Victims are prompted to enter a code, and the attackers then have access to their accounts.  The growth is attributed to readily available phishing kits.

https://www.infosecurity-magazine.com/news/oauth-phishing-campaigns/

https://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover
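Added detection example for the device code abuse described above (not from the newsletter, Proofpoint or Microsoft): it scans sign-in records shaped like Entra ID sign-in logs for device-code authentications by principals that are not expected to use that flow, and raises severity when several users complete the flow from one IP inside a short window or from an IP the user has never signed in from. The field names (authenticationProtocol, userPrincipalName, appDisplayName, ipAddress, createdDateTime) are from the Microsoft Graph signIn resource; the records, the allowlist and the window size are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape of Entra ID sign-in logs; values are made up.
SIGNIN_LOG = [
    {"createdDateTime": "2025-12-18T09:02:11Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2025-12-18T09:05:40Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7"},
    {"createdDateTime": "2025-12-18T09:06:02Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Microsoft Office", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7"},
    {"createdDateTime": "2025-12-18T10:30:00Z", "userPrincipalName": "svc-kiosk@example.com",
     "appDisplayName": "Kiosk Signage", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.50"},
]

# Hypothetical allowlist: principals that legitimately use the device code flow (headless devices, CLIs).
DEVICE_CODE_ALLOWLIST = {"svc-kiosk@example.com"}

def _ts(record):
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))

def detect_device_code_abuse(records, allowlist, window_minutes=10):
    """Alert on every device-code sign-in outside the allowlist. Severity is high when more
    than one user completes the flow from the same IP within the window (a phishing kit,
    not a real device) or when the IP is new for a user who has a non-device-code baseline."""
    baseline_ips = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode":
            baseline_ips[r["userPrincipalName"]].add(r["ipAddress"])
    suspects = sorted((r for r in records if r["authenticationProtocol"] == "deviceCode"
                       and r["userPrincipalName"] not in allowlist), key=_ts)
    window = timedelta(minutes=window_minutes)
    alerts = []
    for r in suspects:
        sharing = {o["userPrincipalName"] for o in suspects
                   if o["ipAddress"] == r["ipAddress"] and abs(_ts(o) - _ts(r)) <= window}
        baseline = baseline_ips.get(r["userPrincipalName"], set())
        new_ip = bool(baseline) and r["ipAddress"] not in baseline
        alerts.append({"user": r["userPrincipalName"], "ip": r["ipAddress"],
                       "time": r["createdDateTime"], "users_sharing_ip": len(sharing),
                       "new_ip_for_user": new_ip,
                       "severity": "high" if len(sharing) > 1 or new_ip else "medium"})
    return alerts

if __name__ == "__main__":
    for a in detect_device_code_abuse(SIGNIN_LOG, DEVICE_CODE_ALLOWLIST):
        print(a)
```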


Popular Dark Web AI Assistant Identified

Researchers find and test the popular DIG AI dark web LLM.  DIG AI doesn’t require an account and can be accessed via the Tor browser.  The researchers leveraged taxonomy dictionaries related to explosives, drugs, fraud, and more. 

https://www.resecurity.com/blog/article/dig-ai-uncensored-darknet-ai-assistant-at-the-service-of-criminals-and-terrorists


The AI Attack Surface Sucks – Lies-in-the-Loop

Researchers share a technique to manipulate human-in-the-loop (HITL) agentic AI safety dialogs to execute malicious code.  Typically used to mitigate excessive agency or prompt injection, the safety mechanism can be turned against us.

https://www.infosecurity-magazine.com/news/lies-loop-attack-ai-safety-dialogs/

https://checkmarx.com/zero-post/turning-ai-safeguards-into-weapons-with-hitl-dialog-forging/


New Android Remote Access Trojan Malware – Cellik

With Google Play store integration, attackers can bundle legit apps with the malicious payload using the RAT’s built-in toolkit.  The malware has an extensive feature set including screen streaming, keylogging, notification interception, and more.

https://www.securityweek.com/new-150-cellik-rat-grants-android-control-trojanizes-google-play-apps/

https://iverify.io/blog/meet-cellik—a-new-android-rat-with-play-store-integration


Threat Report H2 2025

Researchers share threats observed from June to November 2025.  A few trend highlights: ransomware is on the rise, EDR killers (bring your own vulnerable driver) are still a significant trend, malicious email is trending up, and more.

https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22025.pdf

