WatchGuard zero-day exploited 🔥, Clop ransomware extortion 💣, North Korean crypto theft 💰, Cisco APT attacks 🇨🇳, HPE OneView RCE flaw ⚡

Daily Threat Intel Digest - 2025-12-19

🔴 Critical Threats & Active Exploitation

[NEW] WatchGuard Firebox zero-day exploited to seize firewall control
Attackers are actively exploiting a critical out-of-bounds write flaw (CVE-2025-14733, CVSS 9.3) in WatchGuard Firebox appliances, allowing unauthenticated remote code execution through specially crafted IKEv2 VPN requests [CyberPress; GBHackers]. Successful exploitation grants attackers complete administrative control, enabling malware deployment and network infiltration. WatchGuard has released patches for Fireware OS 2025.1.4, 12.11.6, and 12.5.15, and advises immediate rotation of all locally stored secrets if compromise is suspected [vendor advisory]. Indicators of compromise include iked process crashes or log messages containing “Invalid peer certificate chain” with IKE_AUTH payloads exceeding 2000 bytes [CyberPress].
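The two indicators above can be turned into a simple log triage check. This is an added example, not WatchGuard's tooling; the log line layout (a `payload_len=` field and a quoted `msg=` field) is a constructed assumption, so adapt the regexes to the real Fireware log format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines for illustration only; the field layout is an assumption,
# not real Firebox output.
SAMPLE_LOGS = """\
2025-12-19T08:01:12 fw1 iked: IKE_AUTH from 203.0.113.5 payload_len=412 msg="Invalid peer certificate chain"
2025-12-19T08:02:45 fw1 iked: IKE_AUTH from 198.51.100.7 payload_len=3104 msg="Invalid peer certificate chain"
2025-12-19T08:02:46 fw1 kernel: iked[1337] crashed (signal 11)
2025-12-19T08:03:00 fw1 iked: IKE_SA_INIT from 198.51.100.7 payload_len=300 msg="ok"
"""

# Match an IKE_AUTH event with its peer, payload size and message text.
AUTH_RE = re.compile(
    r'IKE_AUTH from (?P<peer>\S+) payload_len=(?P<len>\d+) msg="(?P<msg>[^"]*)"'
)
# Match an iked process crash, with or without a PID suffix.
CRASH_RE = re.compile(r"\biked(\[\d+\])? crashed\b")

SUSPICIOUS_MSG = "Invalid peer certificate chain"


@dataclass
class Finding:
    line_no: int
    reason: str
    peer: Optional[str]


def scan_iked_log(text: str, max_payload: int = 2000) -> List[Finding]:
    """Flag iked crashes and oversized IKE_AUTH payloads carrying the advisory's error text."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if CRASH_RE.search(line):
            findings.append(Finding(line_no, "iked crash", None))
            continue
        m = AUTH_RE.search(line)
        if not m:
            continue
        # Only the combination matters: the error text alone is a normal cert failure.
        if SUSPICIOUS_MSG in m["msg"] and int(m["len"]) > max_payload:
            reason = f"oversized IKE_AUTH ({m['len']} bytes) with '{SUSPICIOUS_MSG}'"
            findings.append(Finding(line_no, reason, m["peer"]))
    return findings


if __name__ == "__main__":
    for f in scan_iked_log(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.reason} peer={f.peer}")
```

A hit should be followed by the advisory's guidance: patch, then rotate locally stored secrets if compromise is suspected.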

[NEW] Clop ransomware exploits Gladinet CentreStack in data theft campaign
The Clop ransomware gang is targeting internet-exposed Gladinet CentreStack file servers in a new extortion campaign, exploiting an undisclosed vulnerability (potentially a zero-day) to exfiltrate sensitive corporate data [BleepingComputer; CyberPress]. Over 200 unique IP addresses running CentreStack login pages have been identified as potential targets [BleepingComputer]. This continues Clop’s pattern of targeting enterprise file transfer solutions like MOVEit and GoAnywhere MFT. Gladinet has not yet released a security advisory, but administrators should restrict access to management consoles, monitor for unusual file access patterns, and review inbound traffic to /portal/login.aspx or /api/files/ endpoints [CyberPress].

[UPDATE] University of Sydney breach exposes 27,000+ records
The University of Sydney has confirmed a data breach affecting over 27,000 current and former staff, students, and alumni after attackers accessed a third-party IT code library containing historical data files [BleepingComputer; CyberPress]. The stolen data includes names, dates of birth, addresses, phone numbers, and job details, but no financial information. While the data has been accessed and downloaded, there is no evidence of publication or misuse [BleepingComputer]. The university has reported the incident to Australian authorities and begun notifying impacted individuals, with completion expected by January 2026. Affected parties are advised to monitor accounts for suspicious activity and enable multi-factor authentication [CyberPress].

[NEW] Cisco AsyncOS zero-day exploited by China-linked APT
Cisco customers are facing active attacks exploiting a critical zero-day (CVE-2025-20393, CVSS 10) in Cisco AsyncOS software for Secure Email Gateway and Secure Email and Web Manager [CyberScoop; Cisco advisory]. The improper input validation flaw allows unauthenticated attackers to execute commands with unrestricted privileges and implant persistent backdoors. Cisco Talos attributes the campaign to China-linked APT group UAT-9686, noting tooling overlaps with APT41 and UNC5174 [CyberScoop]. Attacks target non-standard configurations with publicly exposed spam quarantine features. No patch is available; Cisco advises isolating affected systems and rebuilding rather than patching [CyberScoop]. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog [CyberScoop].

🎯 Threat Actor Activity & Campaigns

[NEW] North Korean hackers achieve record $2B crypto heist in 2025
North Korean state-sponsored hackers stole an estimated $2.02 billion in cryptocurrency in 2025, a 51% year-over-year increase that brings their historical total to $6.75 billion, according to Chainalysis [CyberPress; GBHackers]. The February Bybit Exchange hack alone contributed nearly $1.5 billion. Attackers are evolving tactics, impersonating recruiters and investors to infiltrate sensitive infrastructure, and following a structured 45-day laundering cycle using DeFi mixers and Chinese-language money-laundering services [CyberPress]. The DPRK accounted for 76% of all crypto service compromises in 2025, demonstrating increasing efficiency in high-value, low-volume operations [CyberPress].

[NEW] China-linked APT LongNosedGoblin abuses Windows Group Policy
ESET researchers uncovered LongNosedGoblin, a China-aligned APT active since at least September 2023 targeting government entities in Southeast Asia and Japan [CyberPress]. The group uniquely abuses Windows Group Policy for malware deployment and lateral movement. Key tools include NosyDoor, a backdoor using Microsoft OneDrive for C&C; NosyHistorian for browser history collection; and NosyStealer for data exfiltration to Google Drive [CyberPress]. Attackers execute payloads within trusted Windows processes using living-off-the-land techniques, with some payloads including execution guardrails for specific machines [CyberPress].

[NEW] ConsentFix attack hijacks Microsoft accounts via OAuth
A new browser-native paste jacking technique dubbed “ConsentFix” is targeting Azure CLI users by tricking them into pasting OAuth authorization codes into phishing pages [Malware News]. Attackers create OAuth connections between victims’ Microsoft accounts and attacker-controlled Azure CLI instances. This method combines elements of ClickFix/FileFix and AiTM phishing, posing particular risk during the holidays when security staffing may be reduced [Malware News]. Users are advised never to paste links or data into fake CAPTCHA sites, as legitimate services do not require such actions [Malware News].

⚠️ Vulnerabilities & Patches

[NEW] Critical HPE OneView RCE flaw requires immediate patching
Hewlett Packard Enterprise disclosed CVE-2025-37164 (CVSS 10), a critical unauthenticated remote code execution vulnerability affecting HPE OneView versions before 11.0 [Rapid7]. The flaw exists in the /rest/id-pools/executeCommand REST API endpoint, which is accessible without authentication. Given OneView’s privileged control plane position, successful exploitation could grant attackers centralized control over servers, firmware, and lifecycle management [Rapid7]. HPE has released emergency hotfixes and recommends upgrading to version 11.0 or applying the hotfix immediately [HPE advisory].

[NEW] Roundcube patches XSS and information disclosure flaws
Roundcube released critical security updates (versions 1.6.12 and 1.5.12) addressing two serious vulnerabilities affecting its webmail platform [CyberPress; GBHackers]. The first is a cross-site scripting flaw in SVG image handling allowing script injection, while the second is an information disclosure vulnerability in the HTML style sanitizer [CyberPress]. These could allow attackers to steal credentials or access protected data. Administrators should prioritize patching as Roundcube is often an entry point into organizational networks [CyberPress].

[NEW] Microsoft patches Windows 10 MSMQ issue with OOB update
Microsoft released an out-of-band update (KB5074976) to fix Message Queuing (MSMQ) functionality issues introduced in the December 9, 2025 security updates for Windows 10 versions 21H2 and 22H2 [BleepingComputer]. The issue primarily affects enterprise environments using MSMQ for background task management, potentially causing message queues to become inactive or applications to fail writing to queues [BleepingComputer]. The update is available only through the Update Catalog, not Windows Update or WSUS [BleepingComputer].

[NEW] Linux kernel Rust vulnerability triggers system crashes
A critical race condition vulnerability (CVE-2025-68260) was discovered in the Linux kernel’s Rust Binder module, potentially causing system crashes and memory corruption [GBHackers]. The flaw affects the kernel’s inter-process communication mechanism and requires immediate attention from system administrators and kernel maintainers [GBHackers].

🛡️ Defense & Detection

[NEW] DCOM lateral movement technique abuses Control Panel items
Security researchers detailed a previously undocumented DCOM object (COpenControlPanel) that can be abused for remote command execution and persistence by leveraging Control Panel items [Malware News]. Attackers can register malicious DLLs in registry paths and remotely trigger the Open() function to execute code via COM Surrogate processes [Malware News]. Defenders should monitor registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls and HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls, watch for unusual dllhost.exe activity, and track Remote Registry usage [Malware News].

[NEW] OpenAI launches GPT-5.2-Codex with enhanced vulnerability detection
OpenAI released GPT-5.2-Codex, an advanced AI coding model with significantly improved capabilities for agentic coding and vulnerability detection [CyberPress; GBHackers]. The model demonstrated success in identifying previously unknown vulnerabilities, such as those found in React Server Components during real-world testing [CyberPress]. Due to dual-use concerns, OpenAI is implementing safeguards and launching a Trusted Access Pilot program for vetted security professionals [CyberPress].

📋 Policy & Industry News

[NEW] India criminalizes telecom identifier tampering under new law
India’s Telecommunications Act 2023 criminalizes tampering with telecommunication identifiers and willful possession of radio equipment using unauthorized identifiers under subsections 42(3)(c) and 42(3)(f) [Malware News]. The measures target SIM misuse, telecom fraud, and exploitation of digital communication infrastructure. The Department of Telecommunications has mandated verification by Telecom Service Providers before issuing SIM cards [Malware News].

[NEW] FTC secures $60M settlement from Instacart over deceptive tactics
The FTC announced a $60 million settlement with Instacart over deceptive subscription tactics, including false advertising of “free delivery” while charging mandatory service fees, and failure to disclose automatic charges after free trials [BleepingComputer]. Under the proposed order, Instacart must stop deceptive practices, clearly disclose subscription terms, and refund users charged without consent [BleepingComputer]. The company remains under investigation for its AI pricing practices [BleepingComputer].