Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12622
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-12-12 08:46:35 | bleepingcomputer | VULNERABILITIES | MITRE Releases 2025's Top 25 Dangerous Software Weaknesses List | MITRE, in collaboration with HSSEDI and CISA, has unveiled the 2025 list of the most dangerous software weaknesses, based on over 39,000 vulnerabilities disclosed within the past year. Cross-Site Scripting (CWE-79) remains the most dangerous weakness, while Missing Authorization and Null Pointer Dereference have climbed significantly in the rankings. New entries include various buffer overflow types and improper access control, highlighting evolving threats that can lead to system takeovers and data breaches. The list is derived from an analysis of 39,080 CVE Records, with each weakness scored on severity and frequency, guiding organizations in prioritizing security measures. CISA and MITRE urge organizations to incorporate the list into software security strategies and adopt Secure by Design practices to mitigate risks. Recent CISA alerts have emphasized the need to address persistent vulnerabilities, with particular focus on those exploited by state-sponsored actors in ongoing campaigns. The U.S. government has extended MITRE's funding to ensure the continuity of the CVE program, underscoring the importance of addressing software vulnerabilities. | Details |
| 2025-12-12 07:19:19 | bleepingcomputer | CYBERCRIME | ACE Shuts Down Major Indian Piracy Network MKVCinemas | The Alliance for Creativity and Entertainment (ACE) dismantled MKVCinemas, a leading piracy service in India with over 142 million visits in two years. Backed by major studios like Disney and Warner Bros, ACE's actions included criminal referrals and civil litigation to combat illegal streaming. The operator in Bihar, India, ceased operations and transferred control of 25 related domains, redirecting users to ACE's "Watch Legally" portal. A file-cloning tool aiding piracy in India and Indonesia was also shut down, having facilitated 231 million visits by concealing media sources. Recent ACE efforts, in collaboration with law enforcement, have targeted multiple large-scale piracy networks, including Streameast and Rare Breed TV. ACE's ongoing operations emphasize a commitment to disrupting illegal streaming, supporting a secure and sustainable digital content marketplace. Europol's coordinated action in November led to the disruption of 69 piracy sites, initiating 44 new investigations linked to $55 million in cryptocurrency. | Details |
| 2025-12-12 05:07:28 | thehackernews | VULNERABILITIES | CISA Identifies Critical GeoServer XXE Vulnerability in Active Exploitation | CISA has added CVE-2025-58360, a high-severity XXE flaw in OSGeo GeoServer, to its Known Exploited Vulnerabilities catalog due to active exploitation evidence. The vulnerability affects GeoServer versions up to 2.25.5 and 2.26.0 through 2.26.1, with patches available in versions 2.25.6, 2.26.2, 2.27.0, 2.28.0, and 2.28.1. Exploitation can allow attackers to access arbitrary files, conduct SSRF attacks, or launch DoS attacks, impacting server integrity and availability. The flaw was initially reported by the AI-powered platform XBOW, emphasizing the importance of advanced threat detection technologies in identifying vulnerabilities. Federal Civilian Executive Branch agencies must implement the necessary patches by January 1, 2026, to mitigate potential risks and secure their networks. No detailed information is available on the specific methods of exploitation, but the Canadian Centre for Cyber Security confirms an exploit exists in the wild. This incident follows previous exploitation of another critical GeoServer flaw, CVE-2024-36401, highlighting ongoing security challenges with this software. | Details |
| 2025-12-12 02:01:14 | theregister | CYBERCRIME | Terraform Labs Founder Sentenced to 15 Years for Massive Fraud | Do Kwon, founder of Terraform Labs, has been sentenced to 15 years in prison for fraud related to the collapse of the Terra USD (UST) stablecoin. Kwon's scheme involved promoting UST as a stablecoin pegged to the US dollar, which failed disastrously, leading to a $40 billion loss. The collapse affected global investors, with the value of UST plummeting from $1.00 to $0.09, despite attempts to stabilize it with a $3.5 billion bitcoin purchase. Kwon, a South Korean national, was apprehended in Montenegro after fleeing Singapore and attempting to travel with a fake passport. The United States won the extradition battle against South Korea and prosecuted Kwon, who eventually pleaded guilty to multiple fraud charges. Judge Paul Engelmayer emphasized the large-scale impact of Kwon's actions, resulting in a sentence exceeding the prosecutors' 12-year recommendation. The Securities and Exchange Commission has secured $4.5 billion to distribute among creditors, a fraction of the total losses incurred by investors. Victim impact statements reveal significant financial and emotional distress among investors, many of whom face ongoing personal and financial challenges. | Details |
| 2025-12-11 21:50:40 | bleepingcomputer | VULNERABILITIES | Critical Cryptographic Flaw in Gladinet Products Enables RCE Attacks | Hackers are exploiting a cryptographic vulnerability in Gladinet's CentreStack and Triofox products, leading to remote code execution (RCE) attacks against various organizations. The flaw involves hardcoded AES keys, allowing attackers to decrypt sensitive data and impersonate users. Researchers identified that the vulnerability is being actively exploited, with at least nine organizations, including those in healthcare and technology, affected. Gladinet has released a new product version as of December 8, urging customers to update and rotate machine keys to mitigate the risk. Indicators of compromise (IoCs) have been shared with customers, including specific strings and IP addresses linked to the attacks. The vulnerability stems from static keys derived from text strings, which attackers use to forge access tickets and trigger RCE through a ViewState deserialization flaw. Organizations are advised to review logs for the shared IoCs and apply the mitigation strategies outlined by Huntress to secure their environments. | Details |
| 2025-12-11 21:05:31 | bleepingcomputer | VULNERABILITIES | Notepad++ Releases Critical Update to Fix Malicious Update Flaw | Notepad++ version 8.8.9 addresses a security flaw in its WinGUp update tool, which allowed attackers to push malicious executables instead of legitimate updates. The issue was first reported in a community forum where users noted suspicious behavior, including the execution of unauthorized commands to collect device information. Malicious executables used the curl.exe command to exfiltrate data to a remote site, raising concerns about potential network hijacking or installation of unofficial software versions. Developer Don Ho released version 8.8.8 to restrict updates to GitHub, followed by version 8.8.9, which requires code-signing certificate verification for all updates. Security expert Kevin Beaumont reported incidents involving Notepad++ installations in East Asia, suggesting targeted attacks with threat actors gaining initial access via hijacked updates. The investigation into the traffic hijacking method is ongoing, with users advised to upgrade to version 8.8.9 and remove any older custom root certificates. This incident underscores the importance of securing software update mechanisms to prevent unauthorized access and data exfiltration. | Details |
| 2025-12-11 20:58:20 | theregister | CYBERCRIME | CyberVolk's Ransomware Service Exposes Flaws in Encryption Security | CyberVolk, a pro-Russian hacktivist group, has launched a new ransomware-as-a-service, VolkLocker, utilizing Telegram for operations and simplifying ransomware deployment for affiliates. The ransomware targets both Linux and Windows systems and employs AES-256 encryption, but it inadvertently stores master keys in plaintext, allowing potential data recovery. Despite its technical automation via Telegram, CyberVolk's operation suffers from quality control issues, evidenced by the inclusion of test artifacts in production builds. The group advertises additional tools like remote access trojans and keyloggers, expanding its cybercrime toolkit beyond ransomware. CyberVolk's use of Telegram reflects a growing trend among threat actors to leverage mainstream platforms for command and control, lowering the entry barrier for cybercriminals. The group's resurgence indicates ongoing challenges in curbing hacktivist activities, despite previous bans from platforms like Telegram. Security experts recommend vigilance in network defenses, as CyberVolk's tactics illustrate evolving methods in politically motivated cybercrime. | Details |
| 2025-12-11 20:58:20 | bleepingcomputer | MALWARE | Malicious VSCode Extensions Conceal Trojan in Fake PNG Files | A campaign involving 19 malicious extensions on the VSCode Marketplace has targeted developers since February, embedding malware in dependency folders. The extensions included a modified 'node_modules' folder to bypass npm registry checks, with a weaponized 'path-is-absolute' dependency executing upon IDE startup. A file disguised as a .PNG image contained two malicious binaries: 'cmstp.exe' and a Rust-based trojan, the latter still under analysis by ReversingLabs. ReversingLabs reported the malicious extensions to Microsoft, resulting in their removal from the marketplace, yet systems with these extensions require scanning for compromise. The campaign exploited VSCode's popularity, emphasizing the need for developers to scrutinize package dependencies, especially from less reputable sources. This incident highlights the ongoing risk of supply-chain attacks in software development environments, urging enhanced vigilance and security practices. | Details |
| 2025-12-11 17:13:21 | theregister | VULNERABILITIES | Google Issues Emergency Patch for Eighth Chrome Zero-Day of 2025 | Google released an urgent update for Chrome to address its eighth zero-day vulnerability of 2025, currently under active exploitation. The specific details of the vulnerability, including its CVE identifier, remain undisclosed as Google coordinates further information. Users on Mac, Windows, and Linux should update to the latest Chrome versions 143.0.7499.109/.110 to mitigate the risk. The update also resolves a medium-severity use-after-free flaw in Password Manager, identified as CVE-2025-14372, and an inappropriate implementation issue in Toolbar, CVE-2025-14373. This zero-day fix follows closely on the heels of a recent patch for a type confusion flaw in the V8 JavaScript engine, CVE-2025-13223. Google's strategy involves withholding full vulnerability details until a majority of users have applied the necessary updates, minimizing potential exploitation. The rapid succession of zero-day vulnerabilities in Chrome underscores the critical need for timely updates and robust browser security practices. | Details |
| 2025-12-11 17:13:21 | bleepingcomputer | DATA BREACH | LastPass Fined £1.2 Million for 2022 Data Breach Impacting Millions | The UK Information Commissioner's Office fined LastPass £1.2 million for a 2022 breach affecting 1.6 million UK users, citing inadequate security measures. The breach involved two incidents starting in August 2022, with attackers accessing the development environment and stealing encrypted password vaults. Attackers compromised a senior employee's device using a known vulnerability in a third-party application, leading to malware deployment and credential theft. The breach allowed attackers to access LastPass database backups, including encrypted vaults, personal information, and metadata stored on GoTo's cloud platform. LastPass maintains that its Zero Knowledge architecture prevented the decryption of customer vaults, though weak passwords remain vulnerable to brute-force attacks. The ICO urges companies to strengthen access controls and internal systems, and advises users to adopt strong, complex passwords for enhanced security. The incident underscores the importance of robust password management and highlights potential risks associated with remote work and third-party applications. | Details |
| 2025-12-11 16:51:45 | theregister | DATA BREACH | LastPass Fined £1.2M for Major 2022 Data Breach Incidents | The UK's Information Commissioner's Office fined LastPass £1.2 million after a 2022 breach exposed data of up to 1.6 million UK users. The breach involved two separate incidents, compromising both corporate and personal devices, leading to unauthorized access to sensitive data. Attackers initially accessed a developer's MacBook, exfiltrating 14 source code repositories and exploiting a Plex vulnerability to compromise a senior engineer's PC. The breach exposed names, emails, phone numbers, and URLs, though no evidence suggests passwords were decrypted. LastPass's policy of linking personal and business accounts with the same master password facilitated unauthorized access. The breach went undetected for weeks due to communication failures during LastPass's transition from its former parent company, GoTo. The ICO emphasized the need for robust security measures and separate credentials for personal and business accounts to safeguard sensitive data. LastPass is considering its response to the fine, which reflects the company's failure to protect customer data adequately. | Details |
| 2025-12-11 15:14:29 | bleepingcomputer | MALWARE | AI-Powered Cyberattacks Demand Advanced Network Detection and Response Solutions | Cybersecurity experts report a rise in AI-driven attacks, utilizing machine learning to automate reconnaissance, exploit vulnerabilities, and harvest data at unprecedented scale and speed. Google's Threat Intelligence and Anthropic have tracked AI tools capable of bypassing security measures, generating malicious scripts, and orchestrating complex malware operations. Traditional security systems struggle against these threats, prompting organizations to adopt Network Detection and Response (NDR) solutions for enhanced defense. NDR systems offer real-time network monitoring, anomaly detection, and automated threat identification, crucial for countering fast-moving AI-based attacks. Corelight's NDR platform provides deep visibility and advanced behavioral analytics, enabling Security Operations Centers (SOCs) to identify and mitigate AI-fueled threats effectively. The shift towards NDR solutions reflects the need for agility and comprehensive network visibility as attackers increasingly leverage AI to evade legacy defenses. By reducing false positives and offering actionable insights, NDR systems empower incident responders to swiftly address threats, minimizing potential damage and data loss. | Details |
| 2025-12-11 15:14:29 | bleepingcomputer | CYBERCRIME | ConsentFix Attack Exploits Azure CLI to Hijack Microsoft Accounts | Push Security discovered the ConsentFix attack, a new variant of ClickFix, targeting Microsoft accounts by exploiting the Azure CLI OAuth app without needing passwords or MFA verification. Attackers use social engineering to trick users into completing an OAuth flow, thereby stealing authorization codes to gain account access. The attack begins on compromised websites displaying fake CAPTCHA widgets, filtering targets by email address to ensure they are legitimate users. Victims are redirected to a legitimate Microsoft URL, where attackers capture the OAuth authorization code, granting them account access. This method bypasses traditional security measures, as attackers never require passwords or MFA, especially if users are already logged in. Security teams are advised to monitor for unusual Azure CLI login activities and legacy Graph scopes to detect potential unauthorized access. The attack is designed to trigger only once per victim IP, reducing the likelihood of detection through repeated phishing attempts. | Details |
| 2025-12-11 13:45:48 | thehackernews | MALWARE | New Mirai Botnet Variant Targets Maritime Logistics Sector | A new Mirai botnet variant, named Broadside, is exploiting a critical vulnerability (CVE-2024-3721) in TBK DVR systems, specifically targeting the maritime logistics sector. Broadside introduces a custom command-and-control protocol and a 'Magic Header' signature, enhancing its stealth and exclusivity compared to previous Mirai variants. The variant employs Netlink kernel sockets for covert process monitoring and uses payload polymorphism to bypass static defenses, aiming to maintain control by terminating rival processes. Beyond denial-of-service attacks, Broadside attempts to harvest system credential files, including /etc/passwd and /etc/shadow, to establish a strategic foothold on compromised devices. The ongoing evolution of Mirai variants, since its source code leak in 2016, poses a persistent threat, demonstrating the need for robust security measures in critical infrastructure sectors. Organizations in the maritime logistics sector are advised to patch vulnerabilities promptly and enhance monitoring to detect and mitigate such sophisticated threats. | Details |
| 2025-12-11 13:25:13 | bleepingcomputer | VULNERABILITIES | Unpatched Gogs Zero-Day Exploited to Compromise 700 Servers | A zero-day vulnerability in Gogs, a self-hosted Git service, has been exploited, allowing attackers remote code execution on over 700 servers. The flaw, CVE-2025-8110, involves a path traversal weakness in the PutContents API, bypassing previous security measures with symbolic links. Attackers used symbolic links to overwrite critical files, including Git configuration files, enabling arbitrary command execution on compromised systems. Wiz Research discovered the vulnerability in July, noting a single actor or group likely automated the attack campaign. Over 1,400 Gogs servers were found exposed online, with many configured with 'Open Registration,' increasing vulnerability to attacks. The malware involved was created using the Supershell framework, communicating with a specific command-and-control server. Gogs maintainers acknowledged the flaw in October, with a patch still in development; users are advised to disable open registration and secure server access. Organizations should monitor for suspicious API activity and random repository names to detect potential compromises. | Details |