#supplychainsecurity

2025-12-31

⚠️ Cybercriminals are shifting to attacking the mobile app (iOS/Android) supply chain, compromising source code at the build stage before it ever reaches the App Store/Play Store. Docker addresses this thoroughly by:
- Containerizing the build process → isolated & "ephemeral" environments
- Checking the weak points: libraries, CI, malicious caches
- Eliminating inherited risk in the build environment
Especially important for finance/healthcare apps!
#SupplyChainSecurity #MobileSecurity #Docker #CyberSecurity #TấnCôngChuỗiCungỨng #BảoMậtDiĐộng

2025-12-31

For the last couple of weeks, I've been deep diving into container supply chain security.

I built a full GitHub Actions demo pipeline:

• Vulnerability scanning

• SBOM generation

• Keyless signing + attestations

• SLSA build provenance

The stack: Trivy, Syft, Cosign, and Sigstore.

Zero long-lived secrets. GitHub Actions uses OIDC to obtain a short-lived certificate, signs the image (and publishes attestations), and records everything in a public transparency log. No keys to rotate or leak.

The post also covers hardened base images (distroless and Docker's new Hardened Images) and how to enforce signatures on the consumer side with Kubernetes admission policies.

Blog + companion repo to fork: lnkd.in/gtdNYWW8

#SupplyChainSecurity #SBOM #Sigstore #GitHubActions #DevSecOps #ZeroTrust
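The pipeline this post describes, written out as an added example (this is not the author's workflow or the companion repo's code): a GitHub Actions job that builds an image, fails on unfixed HIGH/CRITICAL Trivy findings, generates an SPDX SBOM with Syft, signs the image digest keyless with Cosign using the job's OIDC token, attaches the SBOM as a signed attestation, and emits SLSA provenance; the second document is a Kyverno policy for the consuming cluster that admits only images carrying a valid keyless signature and SBOM attestation from that exact workflow. The organisation, repository, image name and workflow path are placeholders.

```yaml
# File 1: .github/workflows/release.yml (added example; example-org/example-app are placeholders)
name: build-scan-sign

on:
  push:
    branches: [main]

permissions:
  contents: read
  packages: write      # push to GHCR
  id-token: write      # lets the job request an OIDC token; no stored signing key
  attestations: write  # needed by actions/attest-build-provenance

env:
  IMAGE: ghcr.io/example-org/example-app   # placeholder image name

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}

      # Scan by digest and stop before anything gets signed.
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ env.IMAGE }}@${{ steps.build.outputs.digest }}
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: "1"

      # SPDX SBOM of the exact image that was scanned.
      - uses: anchore/sbom-action@v0
        with:
          image: ${{ env.IMAGE }}@${{ steps.build.outputs.digest }}
          format: spdx-json
          output-file: sbom.spdx.json

      - uses: sigstore/cosign-installer@v3

      # Keyless: cosign trades the OIDC token for a short-lived Fulcio certificate,
      # signs the immutable digest (never a mutable tag) and logs the entry in Rekor.
      - run: cosign sign --yes "${IMAGE}@${DIGEST}"
        env:
          DIGEST: ${{ steps.build.outputs.digest }}

      # The SBOM becomes an in-toto attestation bound to the same digest.
      - run: cosign attest --yes --type spdxjson --predicate sbom.spdx.json "${IMAGE}@${DIGEST}"
        env:
          DIGEST: ${{ steps.build.outputs.digest }}

      # SLSA build provenance, also keyless, pushed next to the image.
      - uses: actions/attest-build-provenance@v2
        with:
          subject-name: ${{ env.IMAGE }}
          subject-digest: ${{ steps.build.outputs.digest }}
          push-to-registry: true
---
# File 2: Kyverno ClusterPolicy on the consuming cluster (added example).
# The keyless subject pins the identity to one workflow file on one branch,
# so an image signed by any other repo, workflow or branch is rejected.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-keyless-signed-images
spec:
  validationFailureAction: Enforce
  webhookTimeoutSeconds: 30
  rules:
    - name: verify-signature-and-sbom
      match:
        any:
          - resources:
              kinds: [Pod]
      verifyImages:
        - imageReferences:
            - "ghcr.io/example-org/*"
          mutateDigest: true        # rewrite tags to digests in the admitted Pod
          attestors:
            - entries:
                - keyless:
                    subject: "https://github.com/example-org/example-app/.github/workflows/release.yml@refs/heads/main"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev
          attestations:
            - type: https://spdx.dev/Document   # predicate type cosign uses for --type spdxjson
              attestors:
                - entries:
                    - keyless:
                        subject: "https://github.com/example-org/example-app/.github/workflows/release.yml@refs/heads/main"
                        issuer: "https://token.actions.githubusercontent.com"
```

The two halves only fit together because both sides agree on the identity: the workflow never names a key, and the policy trusts a certificate subject plus issuer rather than a key, so there is nothing to rotate and a leaked runner token expires with the job. Keep the `subject` exact (including the branch ref); a wildcard there would accept images signed from a pull-request branch that a contributor controls.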

2025-12-31

New York has enacted legislation focused on reducing supply-chain and data exposure risks by limiting technology procurement across state and local agencies.

The law mandates a centrally maintained restricted technology list, informed by security and homeland officials, with compliance required by 2027. The approach reflects growing alignment between procurement governance and cyber risk management.

Open to discussion on how procurement controls can complement technical security measures.

Source: statescoop.com/new-york-cybers

Follow TechNadu for balanced policy and threat analysis.

#InfoSec #SupplyChainSecurity #PublicSectorCyber #RiskManagement #CyberPolicy #GovTech

New York cybersecurity law seeks to limit tech products agencies can buy
Cyfinoid Research (cyfinoidblog@cyfinoid.com)
2025-12-31

SBOMPlay v0.0.7

Put work out in the open, and the feedback turns into a roadmap. SBOMPlay was presented at Black Hat EU Arsenal 2025. The best part was not the stage time. It was the conversations that followed both during the demo and afterwards. We got a steady stream of questions, edge cases, and "what if" scenarios from people who actually wanted to use the tool in their own workflows. That instantly expanded the idea pool and clarified what we should prioritize next. So before we posted anything […]

cyfinoid.com/sbomplay-v0-0-7/

Screenshot of the SBOM Play interface, featuring options to analyze Software Bill of Materials from GitHub organizations, with a button to upload SBOM files and information about privacy assurances.
A screenshot showing grade distribution and repository SBOM quality metrics for two repositories, indicating scores and compliance status with various SBOM guidelines.
2025-12-30

EmEditor disclosed a supply chain compromise where a modified download link briefly delivered a malicious installer.

Third-party analysis indicates the payload functioned as an infostealer with credential harvesting, persistence via a browser extension, and clipboard hijacking capabilities. The incident reinforces ongoing challenges around software distribution integrity and monitoring.

Would welcome practitioner insights on mitigations for download-chain tampering and installer validation.

Follow TechNadu for practical, unbiased security coverage.

#InfoSec #SupplyChainSecurity #MalwareAnalysis #ThreatResearch #CredentialTheft #CyberDefense

Infostealer Malware Delivered in EmEditor Supply Chain Attack
2025-12-29

Alright team, it's been a busy 24 hours in the cyber world with a slew of significant breaches, actively exploited vulnerabilities, new malware campaigns, and a critical look at how traditional security frameworks are falling short against AI threats. Let's dive in:

Recent Cyber Attacks & Breaches ⚠️

- Korean e-tailer Coupang reported an insider incident where a former employee allegedly stole a security key to access 33 million customer records, including order histories and building access codes for ~3,000 customers.
- The perpetrator attempted to destroy evidence by smashing a MacBook Air and throwing it into a river, but investigators recovered it and matched its serial number to the accused's iCloud.
- Coupang is now facing a substantial cost, gifting 33 million customers a ₩50,000 ($35) voucher, totalling $1.17 billion, alongside a government inquiry and potential fines.
🕵🏼 The Register | go.theregister.com/feed/www.th

- Korean Air confirmed a data breach affecting thousands of employees after its former subsidiary and catering supplier, Korean Air Catering & Duty-Free (KC&D), was hacked.
- Approximately 30,000 employee records, including names and bank account numbers from KC&D's ERP system, were compromised.
- The Clop ransomware gang claimed responsibility for the KC&D attack in November, subsequently publishing the allegedly stolen data on their dark web leak site.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

- A former Coinbase customer service agent was arrested in India for allegedly helping hackers steal sensitive customer information earlier this year.
- The incident, which affected around 69,500 customers, exposed names, dates of birth, last four digits of SSNs, physical addresses, phone numbers, and email addresses, with some KYC documents also compromised.
- The breach was traced to TaskUs, a customer support outsourcing firm, where employees were reportedly bribed to grant system access.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

- Oltenia Energy Complex, Romania's largest coal-based energy producer, suffered a Gentlemen ransomware attack that took down its IT infrastructure, encrypting documents and making several applications unavailable.
- The attack partially affected company activity but did not jeopardise the operation of the National Energy System, with IT teams rebuilding systems from backups.
- Gentlemen ransomware, which emerged in August, is known for using compromised credentials and targeting internet-exposed services for initial access.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

- Trust Wallet reported that attackers compromised its browser extension (v2.68.0) just before Christmas, draining approximately $7 million from 2,596 cryptocurrency wallets.
- The malicious extension was likely published externally via a leaked Chrome Web Store API key, bypassing standard release checks and exfiltrating sensitive wallet data.
- Trust Wallet is reimbursing affected users and has warned of ongoing phishing campaigns impersonating support and pushing fake compensation forms.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

- A group called "Lovely" has published email and home addresses of Wired magazine subscribers, claiming to have 40 million more entries from Conde Nast after an unheeded extortion attempt.
- The leak includes 2.3 million emails, 285,000 subscriber names, 108,000 home addresses, 32,000 phone numbers, and some user IDs, display names, and IP addresses.
- Security researchers confirmed the authenticity of the data, noting the attack bears hallmarks of infostealer malware like RedLine and Raccoon, warning of doxxing, swatting, and phishing risks.
🕵🏼 The Register | go.theregister.com/feed/www.th

- Artisans' Bank and VeraBank are the latest to notify thousands of customers about a data breach stemming from an August ransomware attack on their third-party vendor, Marquis Software.
- Artisans' Bank reported names and Social Security numbers of 32,344 people were leaked, while VeraBank confirmed 37,318 individuals had data stolen, though specific data types were omitted.
- The initial attack on Marquis Software, which provides data analytics and compliance solutions to hundreds of financial institutions, exploited a vulnerability in its SonicWall firewall.
🗞️ The Record | therecord.media/banks-marquis-

Vulnerabilities Under Active Exploitation 🚨

- A recently disclosed MongoDB vulnerability, CVE-2025-14847 (CVSS 8.7), codenamed 'MongoBleed', is under active exploitation to remotely leak sensitive data from server memory.
- The flaw in zlib compression allows unauthenticated attackers to extract fragments of private data, including user information, passwords, and API keys, from over 87,000 potentially susceptible instances globally.
- Immediate updates to MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30 are advised, along with disabling zlib compression or restricting network exposure as temporary mitigations.
📰 The Hacker News | thehackernews.com/2025/12/mong

- Fortinet has warned customers that threat actors are still actively exploiting CVE-2020-12812, a critical FortiOS vulnerability from July 2020, to bypass two-factor authentication (2FA) on vulnerable FortiGate firewalls.
- The flaw allows attackers to log in without a second factor by changing the case of a username when 2FA is enabled in 'user local' settings and linked to a remote authentication method like LDAP.
- Organisations must ensure FortiOS is updated to versions 6.4.1, 6.2.4, or 6.0.10 or newer, and if not possible, disable username-case-sensitivity and remove unnecessary secondary LDAP groups.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

New Threat Research & Malware 🕵️‍♀️

- A "sustained and targeted" spear-phishing campaign has leveraged 27 malicious npm packages across six aliases to create resilient phishing infrastructure for credential theft.
- Instead of requiring package installation, attackers use npm and package CDNs to host client-side HTML and JavaScript lures, impersonating document-sharing portals and Microsoft sign-in pages.
- The campaign primarily targets sales and commercial personnel at critical infrastructure-adjacent organisations in the U.S. and Allied nations, using anti-analysis techniques like bot filtering and honeypot fields.
📰 The Hacker News | thehackernews.com/2025/12/27-m

- A Lithuanian national has been arrested and extradited to South Korea for infecting 2.8 million systems worldwide with clipboard-stealing 'clipper' malware disguised as the KMSAuto tool for illegally activating Windows and Office.
- From April 2020 to January 2023, the malware swapped cryptocurrency addresses in the clipboard with attacker-controlled ones, stealing approximately $1.2 million across 8,400 transactions.
- This incident highlights the significant risks of using unofficial software activators, which are frequently used to distribute various forms of malware.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Threat Landscape Commentary 🌍

- Existing security frameworks like NIST CSF, ISO 27001, and CIS Controls are failing to protect organisations from AI-specific attack vectors, leading to a 25% increase in leaked secrets through AI systems in 2024.
- AI introduces novel attack surfaces like prompt injection, model poisoning, and AI supply chain attacks that don't map to traditional controls, allowing breaches even in compliant organisations.
- Organisations must go beyond compliance by conducting AI-specific risk assessments, implementing new technical capabilities like prompt validation and model integrity verification, and building AI security expertise within teams.
📰 The Hacker News | thehackernews.com/2025/12/trad

Regulatory Issues ⚖️

- France’s data protection regulator, CNIL, has fined Nexpublica France €1.7 million ($2 million) for inadequate cybersecurity practices that led to a data breach in November 2022.
- The fine reflects the company's financial capacity, lack of basic security knowledge, the number of affected individuals, and the sensitivity of the data processed.
- Crucially, Nexpublica was aware of its security deficiencies prior to the incident but failed to address them until after the breach occurred, violating GDPR.
🗞️ The Record | therecord.media/french-softwar

#CyberSecurity #ThreatIntelligence #DataBreach #Ransomware #Vulnerability #ActiveExploitation #InsiderThreat #Phishing #Malware #AIsecurity #GDPR #InfoSec #CyberAttack #IncidentResponse #SupplyChainSecurity

Leanpub (leanpub)
2025-12-29

NEW! A Leanpub Podcast Interview with Sal Kimmich, Author of Code, Chips and Control: The Security Posture of Digital Isolation

Watch here: youtu.be/kfeJVv7boNs

jessehouwing (jessehouwing@hachyderm.io)
2025-12-27

Recently someone brought to my attention that when you pin your actions, Security Advisories for GitHub Actions do not show up in the Dependency Graph. I set about building a solution to that problem.

jessehouwing.net/github-action

@github #githubactions #supplychainsecurity

2025-12-25

A Retrospective Survey of 2024/2025 Open Source Supply Chain Compromises

words.filippo.io/compromise-su

2025-12-23

It's been a busy 24 hours in the cyber world with significant updates on recent breaches, new malware techniques, a critical RCE, and important regulatory shifts. Let's dive in:

Recent Cyber Attacks & Breaches ⚠️

- The US Justice Department, with Estonian authorities, seized web3adspanels[.]org, a domain used to host and manage stolen bank login credentials. This operation disrupted a scheme that defrauded 19 victims of approximately $14.6 million by using fake search engine ads to redirect users to fraudulent bank websites.
- Baker University disclosed a data breach from December 2024, where attackers accessed its network and stole personal, health, and financial information of over 53,000 individuals, including names, dates of birth, driver's license numbers, and Social Security numbers.
- La Poste, France's national postal service, confirmed a "major network incident" that took all its information systems offline, disrupting digital banking and online services, with French media reporting a distributed denial-of-service (DDoS) attack as the cause.
- Insurance giant Aflac confirmed a June data breach exposed information for over 22 million customers, beneficiaries, employees, and agents, with stolen documents containing sensitive details like insurance claims, health data, and Social Security numbers.
- Nissan Motor Co. confirmed that personal information for approximately 21,000 customers in Fukuoka, Japan, was compromised due to a security breach at its vendor, Red Hat, with leaked data including names, addresses, phone numbers, and email addresses.
- The SEC has filed charges against multiple cryptocurrency companies for an alleged investment scam that defrauded retail investors of over $14 million, using deepfake videos and AI-generated tips in WhatsApp "investment clubs" to lure victims.

📰 The Hacker News | thehackernews.com/2025/12/us-d
🗞️ The Record | therecord.media/us-disrupts-ba
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/22-million-imp
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th
🗞️ The Record | therecord.media/sec-sues-crypt

New Malware & Techniques 🦠

- A malicious npm package, 'lotusbail', with over 56,000 downloads, masqueraded as a WhatsApp Web API library to steal messages, credentials, contacts, and hijack WhatsApp accounts, maintaining access even after uninstallation.
- Two malicious Chrome extensions named 'Phantom Shuttle' are actively stealing user credentials and sensitive data by posing as proxy service plugins, routing all user web traffic through attacker-controlled proxies.
- The WebRAT malware is now being distributed through fake GitHub repositories that claim to host proof-of-concept exploits for recently disclosed vulnerabilities, luring users into downloading a dropper that disables Windows Defender and executes WebRAT.

🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Vulnerabilities 🚨

- A critical vulnerability, CVE-2025-68613 (CVSS 9.9), has been disclosed in the n8n workflow automation platform, allowing arbitrary code execution under specific conditions by authenticated attackers.
- The flaw affects versions 0.211.0 and higher, below 1.120.4, with patches available in 1.120.4, 1.121.1, and 1.122.0. Over 103,000 instances are potentially vulnerable.
- Users are advised to apply updates immediately or limit workflow creation/editing permissions to trusted users and deploy n8n in a hardened environment.

📰 The Hacker News | thehackernews.com/2025/12/crit

Threat Landscape & AI Security 🤖

- Agentic AI browsers, like OpenAI’s Atlas, automate web browsing but significantly expand the enterprise attack surface by acting autonomously on users' behalf.
- New attack vectors include indirect prompt injection, clipboard/credential artifacts, opaque execution flows, and over-privileged automation, which conventional browser security measures are not designed to handle.
- Enterprises should implement strict controls such as requiring approval for actions, using role-based access, keeping critical systems out of scope, insisting on transparent logs, and providing user training.

🤫 CyberScoop | cyberscoop.com/agentic-ai-brow

Regulatory & Data Privacy ⚖️

- The US FCC has banned all drones and critical components made in foreign countries, adding them to its Covered List due to national security concerns, aiming to keep China-made drones out of the US market.
- Italy's competition authority (AGCM) has fined Apple €98.6 million ($116 million) for abusing its dominant market position in mobile app advertising through its App Tracking Transparency (ATT) framework.
- The AGCM argues that Apple's ATT policy forces third-party apps to request consent twice, while Apple's own apps are exempt, a stance disputed by Apple who plans to appeal.

📰 The Hacker News | thehackernews.com/2025/12/fcc-
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Law Enforcement Actions 👮

- INTERPOL's Operation Sentinel in Africa led to 574 arrests, recovery of $3 million, and takedown of over 6,000 malicious links, focusing on business email compromise (BEC), digital extortion, and ransomware.
- Separately, a 35-year-old Ukrainian national, Artem Aleksandrovych Stryzhak, pleaded guilty in the US to conspiracy to use Nefilim ransomware, operating as an affiliate and targeting companies for double extortion.
- Stryzhak was encouraged to target companies with over $200 million in annual revenue in the US, Canada, and Australia, highlighting the financial motivations and global reach of ransomware affiliates.

📰 The Hacker News | thehackernews.com/2025/12/inte

Industry News & Product Reviews 💼

- Palo Alto Networks is significantly expanding its partnership with Google Cloud, migrating "key internal workloads" and deepening integrations between its security tools and Google Cloud's AI infrastructure. This multi-billion-dollar agreement is expected to lead to "cloud cost efficiencies" for Palo Alto.
- ServiceNow has agreed to acquire cybersecurity firm Armis for $7.75 billion in cash, aiming to expand its cyber exposure and security capabilities across IT, OT, and medical devices. This acquisition reflects a broader industry trend towards continuous, integrated security functions and a focus on AI-native capabilities.
- Passwd is a password manager designed specifically for Google Workspace organisations, offering secure credential storage, controlled sharing, and seamless Workspace integration with AES-256 encryption, a zero-knowledge architecture, and audit logs.

🕵🏼 The Register | go.theregister.com/feed/www.th
🤫 CyberScoop | cyberscoop.com/servicenow-armi
📰 The Hacker News | thehackernews.com/2025/12/pass

Product Security Updates 🛡️

- Microsoft Teams will automatically enable messaging safety features by default starting January 12, 2026, for tenants using default configurations, to strengthen defenses against malicious content.
- This update activates weaponizable file type protection, malicious URL detection (with warning labels), and a system for reporting false positives.
- The move is part of Microsoft's broader response to increased scrutiny of security vulnerabilities and cybercriminal targeting of Teams users.

🤖 Bleeping Computer | bleepingcomputer.com/news/micr

Other Noteworthy Incidents 🎵

- Spotify disabled user accounts after Anna's Archive, an open-source group, published a database of 86 million tracks scraped from the music streaming platform.
- Anna's Archive systematically violated Spotify’s terms by "stream-ripping" music over months, creating a 300 terabyte archive for preservation.
- Spotify clarified this was not a "hack" of its business systems but a terms-of-service violation, and has implemented new safeguards.

🗞️ The Record | therecord.media/spotify-disabl

#CyberSecurity #ThreatIntelligence #DataBreach #Malware #Ransomware #Vulnerability #RCE #AI #Privacy #Regulation #LawEnforcement #InfoSec #CyberAttack #IncidentResponse #SupplyChainSecurity #DDoS

Offensive Sequence (offseq@infosec.exchange)
2025-12-23

🚨 FCC CRITICAL ban: All foreign-made drones & components now restricted due to national security risks (espionage, data exfiltration). Review supply chains, prioritize trusted tech, enhance drone monitoring. Details: radar.offseq.com/threat/fcc-ba #OffSeq #DroneSecurity #SupplyChainSecurity

Critical threat: FCC Bans Foreign-Made Drones and Key Parts Over U.S. National Security Risks
2025-12-19

OpenSSF-funded improvements to Sigstore’s rekor-monitor are making transparency logs easier to monitor for malicious package releases and identity misuse.

Great work by @trailofbits, with support from the sigstore maintainer community including Hayden Blauzvern and @mihaimaruseac.

🔗 openssf.org/blog/2025/12/19/ca

#OpenSourceSecurity #sigstore #SupplyChainSecurity

2025-12-19

Alright team, it's been a packed 24 hours in the cyber world! We've got a flurry of actively exploited zero-days and critical vulnerabilities to cover, alongside some significant breaches, new threat actor insights, and a few noteworthy law enforcement actions. Let's dive in:

Actively Exploited Zero-Days and Critical Vulnerabilities ⚠️

- Cisco is battling a maximum-severity zero-day (CVE-2025-20393) in its AsyncOS software for Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. Suspected Chinese-government-linked threat actors (UAT-9686) have been exploiting this flaw since late November, deploying persistent Python-based backdoors like AquaShell, along with tunneling tools. There's no patch yet, so Cisco advises customers to assess exposure, limit internet access to the Spam Quarantine feature, and rebuild compromised appliances.
- The React2Shell vulnerability (CVE-2025-55182) in React Server Components continues to spread, with Microsoft confirming hundreds of compromised machines across diverse organisations. Attackers are leveraging this RCE flaw for reverse shells, lateral movement, data theft, and even ransomware deployment (Weaxor ransomware). This critical bug now holds the highest verified public exploit count of any CVE, with new related defects (CVE-2025-55183, CVE-2025-67779, CVE-2025-55184) also emerging. Patching is crucial, but won't evict existing attackers.
- HPE has patched a maximum-severity RCE flaw (CVE-2025-37164) in its OneView infrastructure management software, affecting all versions prior to v11.00. This vulnerability allows unauthenticated attackers to execute arbitrary code with low complexity. Admins should update immediately as no workarounds exist.
- SonicWall is warning customers about an actively exploited zero-day (CVE-2025-40602) in its SMA 1000 remote-access appliance. This bug, stemming from insufficient authorisation checks, can be chained with a previously patched flaw (CVE-2025-23006) to achieve unauthenticated root-level RCE. Immediate updates and restricting console access to trusted networks are advised.
- CISA has added CVE-2025-59374, a critical supply chain compromise impacting ASUS Live Update, to its Known Exploited Vulnerabilities (KEV) catalog. This flaw, linked to 2019's Operation ShadowHammer, allowed attackers to distribute trojanised software to specific targets. ASUS Live Update has reached end-of-support, so federal agencies are urged to discontinue its use.
- The Zeroday Cloud hacking competition in London saw researchers demonstrate 11 zero-day vulnerabilities in critical cloud infrastructure components like Redis, PostgreSQL, Grafana, MariaDB, and the Linux kernel. This highlights significant security gaps in widely used cloud systems, including a container escape flaw in the Linux kernel that could break isolation between cloud tenants.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th
📰 The Hacker News | thehackernews.com/2025/12/cisc
🗞️ The Record | therecord.media/chinese-attack
🤫 CyberScoop | cyberscoop.com/react2shell-vul
📰 The Hacker News | thehackernews.com/2025/12/thre (React2Shell Exploited in Ransomware Attacks)
🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
📰 The Hacker News | thehackernews.com/2025/12/hpe-
🕵🏼 The Register | go.theregister.com/feed/www.th
📰 The Hacker News | thehackernews.com/2025/12/cisa
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Recent Cyber Attacks and Breaches 🔒

- Amazon's AWS GuardDuty team has warned of an ongoing cryptomining campaign leveraging compromised IAM credentials to exploit Elastic Compute Cloud (EC2) and Elastic Container Service (ECS) instances. Attackers establish persistence by disabling API termination, hindering incident response.
- France's Ministry of the Interior confirmed a cyberattack on its internal email servers, compromising document files. A 22-year-old suspect, previously convicted for similar offences, has been arrested. The notorious BreachForums claimed responsibility, citing revenge for prior arrests, and alleged the theft of 16 million police records, though French authorities have not confirmed this.
- PornHub and SoundCloud have both disclosed data breaches stemming from a compromise at their data analytics service provider, Mixpanel. PornHub stated limited analytics events were extracted, while SoundCloud reported email addresses and public profile information for approximately 20% of its 200 million users were accessed. The ShinyHunters group has allegedly taken credit for the Mixpanel attacks.
- DXS International, a tech supplier for the NHS, is investigating a cyberattack on its internal office servers. While the company claims minimal impact on frontline clinical services, the incident highlights the ongoing risk to critical infrastructure via third-party suppliers.
- The University of Sydney suffered a data breach after hackers accessed an online coding repository, stealing personal information of over 27,000 current and former staff, affiliates, students, and alumni. The stolen data includes names, dates of birth, phone numbers, home addresses, and job details, though no evidence of online publication or misuse has been found yet.
- French authorities arrested a Latvian crew member of an Italian passenger ferry, suspected of installing malware that could allow remote control of the vessel. The incident is being investigated as suspected foreign interference.
- The Clop ransomware gang is actively targeting internet-exposed Gladinet CentreStack file servers in a new data theft extortion campaign. It's currently unclear if Clop is exploiting a new zero-day or an unpatched N-day vulnerability, but over 200 CentreStack servers are potentially vulnerable.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/france-interio
🗞️ The Record | therecord.media/millions-impac
🕵🏼 The Register | go.theregister.com/feed/www.th
🗞️ The Record | therecord.media/uk-nhs-tech-pr
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

New Threat Research on Threat Actors, Malware, and Techniques 🛡️

- North Korea's state-backed cybercriminals plundered over $2 billion in cryptocurrency in 2025, a 51% increase year-on-year, accounting for 76% of all crypto service compromises. This surge is largely attributed to a $1.5 billion theft from Bybit and an increased focus on personal wallets, often facilitated by social engineering tactics like posing as IT workers or recruiters.
- The Kimsuky threat actor is distributing a new DocSwap Android malware variant via QR codes on phishing sites mimicking CJ Logistics. The malware uses social engineering to bypass security warnings and provides extensive RAT capabilities, including keystroke logging, audio capture, and file operations.
- GreyNoise observed an automated password spraying campaign targeting Palo Alto Networks GlobalProtect and Cisco SSL VPN gateways. Originating from over 10,000 unique IPs, the attacks use common username/password combinations, indicating scripted credential probing rather than vulnerability exploitation.
- A new modular information stealer, SantaStealer, is being advertised on underground forums, designed to operate in-memory and exfiltrate sensitive documents, credentials, and wallets from a wide range of applications.
- Threat actors are using a new "GhostPairing" social engineering technique to hijack WhatsApp accounts by luring victims to scan QR codes or enter phone numbers on fake Facebook viewer pages, abusing the legitimate device-linking feature.
- Bad actors are observed hosting videos on RuTube, advertising Roblox cheats that lead to Trojan and stealer malware like Salat Stealer, mirroring tactics seen on YouTube.
- An analysis of DDoSia's multi-layered command-and-control (C2) infrastructure reveals an average of 6 control servers active at any given time, with short lifespans, used by pro-Russian hacktivist group NoName057(16) to target Ukraine, European allies, and NATO states.
- A phishing campaign, attributed to Russian APT actors, is targeting entities in the Baltics and Balkans, spoofing government bodies with credential phishing emails that use blurred decoy documents and pop-ups to harvest credentials.
- New "ClickFix" attacks are leveraging fake CAPTCHA checks to trick users into running the `finger.exe` tool to retrieve malicious PowerShell code, attributed to clusters KongTuke and SmartApeSG.
- Threat actors are abusing Google's Application Integration service to send highly convincing phishing emails from authentic @google.com addresses, bypassing SPF, DKIM, and DMARC checks to steal Microsoft 365 credentials.
- Cato Networks observed large-scale reconnaissance and exploitation attempts targeting Modbus devices, including those controlling solar panel output. The rise of agentic AI tools is accelerating these attacks, reducing execution time from days to minutes.
- Bitsight research found approximately 1,000 Model Context Protocol (MCP) servers exposed on the internet without authorisation, leaking sensitive data and potentially allowing RCE or Kubernetes cluster management.
- A phishing campaign impersonating India's Income Tax Department is deploying legitimate remote access tools like LogMeIn Resolve, using tax irregularity themes to create urgency and bypass traditional Secure Email Gateway defenses.
- A previously unknown, China-aligned hacker group, LongNosedGoblin, is targeting government institutions across Southeast Asia and Japan. The group abuses Windows Group Policy to deploy malware like NosyHistorian (browser history collector) and NosyDoor (backdoor), with NosyDoor potentially offered as a commercial service.

🕵🏼 The Register | go.theregister.com/feed/www.th
🗞️ The Record | therecord.media/over-3-billion
📰 The Hacker News | thehackernews.com/2025/12/kims
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
📰 The Hacker News | thehackernews.com/2025/12/thre (SantaStealer, GhostPairing, RuTube, DDoSia, APT phishing, ClickFix, Google service abused, AI-driven ICS scans, Exposed MCP servers, Fake tax scam)
🗞️ The Record | therecord.media/new-china-link

#CyberSecurity #ThreatIntelligence #ZeroDay #RCE #Vulnerability #Ransomware #APT #CyberAttack #DataBreach #InfoSec #IncidentResponse #CloudSecurity #SupplyChainSecurity #CryptoCrime

2025-12-17

AI-generated code is reshaping the software supply chain - but governance gaps remain.
Only 24% of orgs fully assess IP, licensing, security & quality risks. SBOM validation strongly correlates with faster remediation.

Details:
technadu.com/the-imperative-of

#AppSec #SBOM #SupplyChainSecurity

The Imperative of Software Supply Chain Security: AI-Generated Code Risks, Secure SDLC Practices, and SBOM Validation
2025-12-11

A new investigation highlights how contractor access allegedly played a central role in a major cyber disruption at Russia’s flagship airline.

The attackers reportedly leveraged access from a small software vendor, escalated privileges inside the environment, and deployed multiple malware tools - ultimately causing extensive operational impact.

The case underscores persistent challenges around vendor oversight and third-party access management.

How can organizations better balance operational convenience with stringent access controls?

Source: therecord.media/russia-flagshi

Follow @technadu for ongoing threat intelligence updates.

#CyberSecurity #ThreatIntel #IncidentResponse #SupplyChainSecurity #VendorRisk #AviationSecurity #InfoSec

Russia’s flagship airline hacked through little-known tech vendor, according to new report
2025-12-11

Think browser extensions are harmless? Think again. A multi-year campaign turned popular, trusted browser add-ons into full-blown spyware featuring remote code execution, session hijacking, token theft and real-time browsing surveillance.

If you’re managing enterprise security, audit all extensions now, enforce allow-lists, and treat them as part of your software supply chain.

Read the blog here: lmgsecurity.com/4-3-million-re

#browserextensions #cyberrisk #threatintelligence #endpointsecurity #supplychainsecurity #identityprotection #enterpriseIT

Nelson | Security Researcher (privlabs@techhub.social)
2025-12-11

🚨 Supply Chain Attack Simulation on Drupal (PoC, not a CVE)

What if a malicious actor hijacked the update server for your favorite CMS?
I built a full lab scenario to demonstrate how it could happen — and how to defend against it.

🔬 Techniques covered:

MITM + rogue CA, fake update feeds, trojanized package → RCE & persistence.
Full doc + PDF PoC.

Full documentation: attack steps, scripts (in PDF), hardening tips

⚠️ Not a Drupal 0-day — this is a controlled, educational simulation for awareness and training.

💡 Why it matters

Supply chain attacks are no longer theoretical.
This demo helps Blue Teams, Red Teams, developers, and trainers strengthen detection, review processes, and update security.

👉 Repo:
github.com/privlabs/-Supply-Ch

Questions or feedback?
DM me or email me (contact in README).

All in lab, all safe

#cybersecurity #infosec #securityresearch #offensivesecurity #blueteam
#redteam #supplychainsecurity #drupal #websecurity #devsecops
#softwaresecurity #rce #mitm

Screenshot showing Drupal’s ‘Available updates’ page displaying a security update, alongside a Linux terminal window where a payload has executed in a controlled supply chain attack simulation. The image illustrates a lab scenario involving a rogue update server and a tampered package, as documented in the GitHub project
Leanpub (leanpub)
2025-12-11

Leanpub Book LAUNCH 🚀 Code, Chips and Control: The Security Posture of Digital Isolation by Sal Kimmich

Through the lens of the top 100 hacks since 1985, learn cybersecurity through real-world examples of what went wrong to convince us of “best practices".

Watch on our blog here:

leanpub.com/blog/leanpub-book-
