Daily Brief

Total articles found: 12611

2025-12-20 13:55:16 thehackernews CYBERCRIME DOJ Indicts 54 in ATM Jackpotting Scheme Linked to Ploutus Malware
The U.S. Department of Justice indicted 54 individuals for a multi-million dollar ATM jackpotting scheme using Ploutus malware, linked to the Venezuelan gang Tren de Aragua. The scheme involved hacking ATMs across the U.S., forcing them to dispense cash, and laundering the proceeds to fund various criminal activities and terrorism. Tren de Aragua, designated a foreign terrorist organization, has been involved in drug trade, human trafficking, and other crimes, with sanctions imposed on its leaders. Two separate indictments charge individuals with bank fraud, burglary, and computer fraud, with potential prison sentences ranging from 20 to 335 years. The operation relied on methodical surveillance and burglary techniques to install malware, using either preloaded hard drives or thumb drives to compromise ATMs. Ploutus malware was designed to issue unauthorized commands to ATMs, delete evidence, and mislead bank employees, facilitating rapid cash withdrawals. Since 2021, the U.S. has recorded 1,529 jackpotting incidents, resulting in approximately $40.73 million in losses attributed to this international criminal network. The DOJ's actions aim to disrupt the financial operations of Tren de Aragua and mitigate the threat posed by such organized cybercriminal activities.
2025-12-19 20:22:49 theregister CYBERCRIME Venezuelan Gang Charged with ATM Jackpotting Using Ploutus Malware
The Tren de Aragua gang faces charges for deploying Ploutus malware on ATMs across the U.S., stealing millions through sophisticated jackpotting schemes. Two indictments in Nebraska charge 54 alleged gang members, part of a broader crackdown on the Venezuelan organization known for violent and criminal activities. Ploutus malware, first seen in Mexico in 2013, targets ATM cash-dispensing modules, enabling attackers to force machines to dispense cash illicitly. The gang's method involved replacing or tampering with ATM hard drives to install the malware, sometimes using external thumb drives for deployment. The U.S. Department of Justice reports over $40 million stolen through ATM jackpotting since 2020, with an unspecified portion linked to Tren de Aragua. Law enforcement, including Homeland Security Investigations, is intensifying efforts to dismantle the gang's operations and prevent further criminal activities. The crackdown is part of a larger initiative led by the DOJ's Joint Task Force Vulcan, originally targeting MS-13, now expanded to include Tren de Aragua. The operation reflects ongoing U.S. efforts to combat transnational criminal organizations threatening national security and public safety.
2025-12-19 19:06:37 bleepingcomputer CYBERCRIME Nigerian Police Arrest Raccoon0365 Phishing Platform Developer
Nigerian authorities arrested three individuals connected to the Raccoon0365 phishing platform, which was responsible for Microsoft 365 cyberattacks leading to global financial losses and data breaches. The arrests were facilitated by intelligence from Microsoft, shared through the FBI, enabling the Nigeria Police Force to target the operation effectively. Raccoon0365 automated the creation of fraudulent Microsoft login pages, compromising at least 5,000 accounts across 94 countries, before its disruption by Microsoft and Cloudflare. The primary suspect, Okitipi Samuel, allegedly developed the phishing platform and sold kits via a Telegram channel, accepting cryptocurrency as payment. Forensic analysis of seized digital equipment linked the suspects to the phishing scheme, although direct evidence of involvement was lacking for two of the arrested individuals. Cloudflare's analysis suggests the phishing service was predominantly used by cybercriminals based in Russia, indicating a broader international threat landscape. The operation underscores the importance of international cooperation and intelligence sharing in combating cybercrime effectively.
2025-12-19 18:24:07 theregister VULNERABILITIES WatchGuard Firebox Vulnerability Actively Exploited; Urgent Patch Released
WatchGuard has issued an urgent advisory regarding CVE-2025-32978, a critical remote code execution flaw in Firebox firewalls that is currently under active attack. The vulnerability, rated 9.3, allows unauthenticated remote attackers to execute arbitrary commands, potentially compromising the firewall if it is internet-accessible. The flaw resides in the Fireware OS Internet Key Exchange (IKE) service and affects configurations with IKEv2 VPNs, even on devices where the affected configuration has since been deleted. WatchGuard has released firmware updates to address the vulnerability and provided indicators of compromise to help organizations identify potential breaches. For those unable to patch immediately, a temporary workaround is available to mitigate risk until updates can be applied. This incident follows a pattern of rapid exploitation of firewall vulnerabilities, emphasizing the importance of timely patching and robust configuration management. Recent disclosures, including a long-running espionage campaign linked to the Russian GRU, illustrate the ongoing threat landscape targeting network edge devices.
2025-12-19 17:58:49 thehackernews NATION STATE ACTIVITY Russia-Linked Hackers Exploit Microsoft 365 in Phishing Campaigns
A Russia-aligned group, tracked as UNK_AcademicFlare, has been conducting phishing attacks targeting U.S. and European government, think-tank, and transportation sectors since September 2025. The campaign leverages compromised email addresses from government and military organizations to initiate contact and build trust before executing account takeovers. Attackers use Cloudflare Worker URLs mimicking Microsoft OneDrive accounts to deceive victims into providing access tokens via device code authentication workflows. This technique allows threat actors to gain unauthorized access to Microsoft 365 accounts, posing significant risks to sensitive data and organizational integrity. Security firms including Proofpoint, Microsoft, and Volexity have documented these tactics, linking them to Russian threat clusters such as APT29 and Storm-2372. The campaign utilizes crimeware tools like the Graphish phishing kit, which simplify the execution of sophisticated attacks even by low-skilled actors. Organizations are advised to implement Conditional Access policies to block or restrict device code authentication, mitigating the risk of such phishing attacks.
2025-12-19 17:27:06 bleepingcomputer CYBERCRIME Surge in OAuth Phishing Attacks Targeting Microsoft 365 Accounts
A recent wave of OAuth phishing attacks is compromising Microsoft 365 accounts by exploiting the device code authorization mechanism, bypassing traditional credential theft and multi-factor authentication. Attackers deceive users into entering a device code on Microsoft’s legitimate login page, inadvertently granting access to attacker-controlled applications. The volume of these attacks has surged since September, involving financially motivated cybercriminals like TA2723 and state-aligned threat actors. Phishing kits such as SquarePhish and Graphish are employed, simplifying the attack process through QR codes and adversary-in-the-middle tactics. Proofpoint observed three distinct campaigns using these methods, marking a significant shift in phishing strategies. Organizations are advised to implement Microsoft Entra Conditional Access and review sign-in origin policies to mitigate these threats. The attacks demonstrate evolving phishing techniques that exploit legitimate authorization flows, posing a challenge to traditional security measures.
2025-12-19 17:09:49 theregister DATA BREACH University of Sydney Faces Data Breach Affecting 27,000 Individuals
The University of Sydney reported unauthorized access to a code repository containing historical personal data of 27,000 individuals, including staff, students, and alumni. The breach involved data from 2010 to 2019, with information such as names, dates of birth, and contact details exposed. The university initiated an emergency lockdown of the affected system and engaged external cybersecurity experts to assist with the investigation. Notifications to affected individuals began on December 18, 2023, and will continue into January 2026 as the university verifies contact information. No evidence has been found of the data being misused or published, but the incident serves as a cautionary tale about the risks of retaining outdated data. The university has purged the compromised datasets and is exploring further security measures under its Privacy Resilience Program. Government authorities have been informed, and the investigation is ongoing to ensure comprehensive remediation and prevent future incidents.
2025-12-19 16:01:54 bleepingcomputer VULNERABILITIES UEFI Flaw Exposes Gigabyte, MSI, ASUS, ASRock to Pre-Boot Attacks
A newly identified UEFI vulnerability affects motherboards from ASUS, Gigabyte, MSI, and ASRock, allowing pre-boot DMA attacks by bypassing early memory protections. The flaw, cataloged under CVE-2025-11901 and related identifiers, stems from improper IOMMU initialization, leaving systems open to physical access attacks. Riot Games researchers discovered the issue; the company's anti-cheat software, Vanguard, blocks games such as Valorant from launching on affected hardware. The vulnerability permits malicious PCIe devices to read or alter RAM during boot, with no alerts from security tools, as the operating system has not yet loaded. CERT/CC confirmed the wide impact, advising users to install firmware updates from affected manufacturers to mitigate risks. Riot Games updated Vanguard to prevent game launches on vulnerable systems, informing users about the necessary security measures. This flaw emphasizes the critical need for robust firmware security practices to prevent unauthorized access during the boot process.
2025-12-19 15:35:19 thehackernews MALWARE New Malware Campaigns Leverage Cracked Software and YouTube Networks
Cybersecurity researchers identified a campaign using cracked software sites to distribute CountLoader, a modular loader delivering various malware, including Cobalt Strike and ACR Stealer. CountLoader exploits unsuspecting users downloading cracked software, redirecting them to malicious ZIP files containing disguised Python interpreters that execute the malware. The malware establishes persistence by creating a scheduled task mimicking Google, running every 30 minutes for a decade, and adapts its behaviour to the security tools present. CountLoader's latest version can spread via USB drives and execute malware in memory, showcasing advanced fileless execution tactics and signed binary abuse. Separately, GachiLoader, a JavaScript malware, uses compromised YouTube accounts to distribute malware, employing novel PE injection techniques to evade detection. The YouTube Ghost Network involved 39 compromised accounts and 100 flagged videos; Google removed most of them, yet some still amassed significant views. GachiLoader can disable Microsoft Defender and uses anti-analysis checks to remain undetected, illustrating the evolving sophistication of malware distribution methods. These campaigns emphasize the need for proactive detection, layered defenses, and continuous updates on emerging malware techniques to protect against evolving threats.
2025-12-19 15:05:12 bleepingcomputer MISCELLANEOUS Palo Alto Networks Integrates Criminal IP for Enhanced SOC Automation
Palo Alto Networks has integrated Criminal IP into its Cortex XSOAR platform, enhancing security operations with AI-driven threat intelligence and exposure analytics for faster incident response. The integration allows real-time external threat context and automated multi-stage scanning, improving incident accuracy and reducing the need for manual analyst intervention. Criminal IP provides enriched intelligence, including behavioral signals and exposure history, enabling SOC teams to evaluate suspicious IPs and domains more effectively. The integration supports automated workflows, linking internal telemetry with open-internet intelligence, and offering historical behavior and vulnerability assessments. This collaboration reflects a shift towards intelligence-driven autonomous security operations, addressing challenges like alert fatigue and improving incident classification accuracy. Criminal IP's presence in major cloud marketplaces and integration with over 40 security vendors highlights its expanding role in enterprise security ecosystems. AI SPERA's CEO emphasizes the importance of AI-driven threat intelligence in transitioning organizations towards fully autonomous defense architectures.
2025-12-19 15:05:12 bleepingcomputer VULNERABILITIES Fortinet Devices Exposed to Critical Authentication Bypass Vulnerability
Over 25,000 Fortinet devices are exposed online with FortiCloud SSO enabled, vulnerable to an authentication bypass flaw. The vulnerability, tracked as CVE-2025-59718 and CVE-2025-59719, allows threat actors to gain admin-level access via malicious SAML messages. Sensitive data such as hashed passwords and network configurations is at risk, potentially leading to further exploitation. Shadowserver and Macnica scans indicate significant exposure, with over 5,400 devices in the U.S. and nearly 2,000 in India. CISA has mandated that U.S. government agencies patch the flaw by December 23rd under Binding Operational Directive 22-01. Fortinet vulnerabilities have been frequently targeted by cyber-espionage and cybercrime groups, emphasizing the need for prompt patching. Fortinet has patched the flaw, but the number of secured devices remains unclear, posing ongoing risks to affected organizations.
2025-12-19 13:05:17 theregister VULNERABILITIES HPE Urges Immediate Patching of Critical OneView RCE Vulnerability
Hewlett Packard Enterprise has identified a critical remote code execution vulnerability in OneView, affecting versions 5.20 through 10.20, with a CVSS score of 10.0. The vulnerability, CVE-2025-37164, allows unauthenticated attackers to execute code on the OneView management platform, posing significant risks to enterprise environments. OneView serves as a central management hub for servers and storage, making this vulnerability particularly dangerous due to its deep network integration and extensive privileges. HPE advises customers to upgrade to OneView 11.0 or apply an emergency hotfix immediately to mitigate the risk of unauthorized access. Rapid7's analysis indicates the flaw is linked to a specific REST API endpoint, with the hotfix blocking access at the web server level to prevent exploitation. While no active exploitation has been reported, the potential for significant impact makes this vulnerability an attractive target for cybercriminals. Organizations are advised to reassess network segmentation and security assumptions around infrastructure management platforms to prevent future breaches.
2025-12-19 12:28:52 bleepingcomputer NATION STATE ACTIVITY Denmark Accuses Russia of Cyberattacks on Critical Infrastructure
The Danish Defence Intelligence Service (DDIS) attributes cyberattacks on Denmark's water utility to the Russian state-linked group Z-Pentest, as part of broader hybrid warfare tactics. NoName057(16), another Russian-linked group, conducted DDoS attacks targeting Denmark's local elections, aiming to destabilize and attract public attention. These cyber operations are part of Russia's strategy to undermine Western support for Ukraine amid ongoing geopolitical tensions. Denmark has been a vocal supporter of Ukraine, providing military, financial, and training assistance, which may have prompted these cyberattacks. Denmark's defense minister condemned the attacks, highlighting the seriousness of hybrid warfare threats in Europe and the need for robust cybersecurity measures. The Danish foreign office plans to summon the Russian ambassador for explanations, indicating diplomatic repercussions for these cyber incidents. This situation reflects a pattern of Russian cyber activities targeting critical infrastructure across Europe, as noted in recent advisories by global cybersecurity agencies.
2025-12-19 11:26:26 thehackernews VULNERABILITIES WatchGuard Addresses Critical VPN Vulnerability Amid Active Exploitation
WatchGuard has issued patches for a critical Fireware OS vulnerability (CVE-2025-14733) that is being actively exploited and allows remote code execution through an out-of-bounds write in the iked process. The flaw affects VPN configurations using IKEv2 with dynamic gateway peers, potentially leaving devices vulnerable even after configuration changes. Active exploitation attempts have been traced to specific IP addresses, including one linked to recent Fortinet vulnerabilities, raising concerns about coordinated attack efforts. WatchGuard has provided indicators of compromise (IoCs) to help device owners identify potential breaches and assess their exposure to the threat. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a related WatchGuard vulnerability to its Known Exploited Vulnerabilities catalog, emphasizing the urgency of applying the patch. Administrators are advised to apply updates promptly and implement temporary mitigations, such as disabling dynamic peer BOVPNs and adjusting firewall policies, to protect against ongoing attacks. The situation underscores the critical need for timely vulnerability management and proactive defense strategies in safeguarding network infrastructure.
2025-12-19 11:20:28 theregister NATION STATE ACTIVITY UK Foreign Office Confirms Cyberattack Amid Speculation of Chinese Involvement
The UK Foreign Office confirmed a cyberattack, initially reported in October, with ongoing investigations into the incident's specifics and potential links to Chinese state-sponsored actors. Trade Minister Sir Chris Bryant stated that while a breach occurred, the extent of data theft, particularly regarding visa applications, remains speculative at this stage. The Foreign Office assured that the technical vulnerability was swiftly addressed, minimizing the risk of individual harm or compromise from the attack. The incident surfaces as security experts highlight China's expanding cyber-espionage efforts across European governments, though specific targets remain undisclosed. UK intelligence agencies, including GCHQ, prioritize countering China's cyber capabilities, reflecting the nation's strategy to address long-term geopolitical threats. The UK continues to collaborate with international allies and industry partners to strengthen defenses against nation-state cyber threats and maintain strategic security. This attack underscores the persistent cyber risks posed by geopolitical adversaries, necessitating ongoing vigilance and resource allocation to safeguard national interests.