CyberNews: 16/12/2025 Edition
Today’s roundup
Summary
Threat actors are actively exploiting critical authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719, CVSS 9.1) in Fortinet FortiGate, FortiWeb, FortiProxy, and FortiSwitchManager products. Arctic Wolf observed malicious SSO logins targeting admin accounts, with attackers exporting system configuration files containing hashed credentials just days after patches were released on December 9, 2025.
Check Point Research has detailed the "Ink Dragon" espionage cluster, a PRC-aligned threat group active since early 2023. The group uses sophisticated tactics, including a ShadowPad IIS Listener Module, to convert compromised government, telecom, and public-sector infrastructure into a distributed relay network for long-term espionage, focusing on Southeast Asia, South America, and increasingly Europe.
Amazon's threat intelligence team has uncovered a years-long cyber campaign by Russia's GRU (military intelligence agency) targeting Western critical infrastructure. The state-sponsored activity, observed between 2021 and 2025, focused on energy sector organizations and entities with cloud-hosted network infrastructure, disrupting operations through attacks on edge network devices.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two actively exploited zero-day vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2025-43529, a WebKit use-after-free flaw affecting Apple products, and CVE-2025-14611, a hardcoded cryptographic key vulnerability in Gladinet CentreStack and Triofox. These flaws are reportedly used in sophisticated, targeted attacks by nation-state actors and commercial spyware vendors, with federal agencies mandated to patch by January 5, 2026.
A Google Chrome extension named "Urban VPN Proxy," boasting six million users and a "Featured" badge, has been discovered silently intercepting all user prompts entered into major AI-powered chatbots, including OpenAI ChatGPT, Anthropic Claude, and Google Gemini, raising significant privacy concerns.
Fintech company Prosper Marketplace and car dealership services provider 700Credit have reported data breaches collectively affecting nearly 20 million individuals. This expands on a previous disclosure by 700Credit, revealing a broader impact across financial services.
Venezuela's state-owned oil company, Petróleos de Venezuela (PDVSA), confirmed a cyberattack over the weekend that disrupted its export operations. The company accused the United States of orchestrating the attack, linking it to a recent tanker seizure, while stating that operations have continued.
A new study by Infoblox indicates a significant rise in malicious activity on parked domains. Researchers found that over 90% of visits to expired or typosquatted domains now lead to redirects to illegal content, scams, scareware, or malware, often through complex chains of advertisers, particularly when accessed from residential IP addresses.
The "React2Shell" remote code execution vulnerability is being actively exploited by threat actors to deploy various Linux backdoors, including the professionally engineered KSwapDoor and ZnDoor malware families. This exploitation activity has been confirmed by findings from Palo Alto Networks Unit 42 and NTT Security.
A new malicious NuGet package, "Tracer.Fody.NLog," has been discovered typosquatting the legitimate .NET tracing library "Tracer.Fody." The rogue package, which was present on the repository for nearly six years, is designed to steal cryptocurrency wallet data from unsuspecting developers and users.
Vulnerabilities
| CVE | Severity |
| --- | --- |
| CVE-2025-59718 | Critical |
| CVE-2025-59719 | Critical |
| CVE-2025-14611 | High |