Cyber News 10DEC2025
General
- This is going to be interesting - two of the larger CVE providers have some interesting bugs for us
- Ivanti Endpoint Manager. Straight-up XSS in the Device ID, Display Name, Host Name or OS Name fields. How did that pass any decent Penetration/Security Test?
An attacker with unauthenticated access to the primary EPM web service can join fake managed endpoints to the EPM server in order to poison the administrator web dashboard with malicious JavaScript. When an Ivanti EPM administrator views one of the poisoned dashboard interfaces during normal usage, that passive user interaction will trigger client-side JavaScript execution, resulting in the attacker gaining control of the administrator’s session.
- https://www.rapid7.com/blog/post/cve-2025-10573-ivanti-epm-unauthenticated-stored-cross-site-scripting-fixed/
- https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024?language=en_US
- https://www.bleepingcomputer.com/news/security/ivanti-warns-of-critical-endpoint-manager-code-execution-flaw/
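As an added illustration (not code from Rapid7's post or from Ivanti), here is the pattern behind this class of bug in Python: a dashboard row rendered by raw interpolation of endpoint-supplied fields beside the same row rendered with context-appropriate encoding, plus a check a test suite can use. The device record and field names are constructed.

```python
import html
import re

# Constructed sample record: a fake endpoint joined by an unauthenticated
# client, carrying attacker-controlled text in the fields the advisory names.
POISONED_DEVICE = {
    "device_id": 'dev-1" onmouseover="alert(1)',  # attribute-context breakout
    "display_name": "<script>alert(1)</script>",  # text-context injection
    "host_name": "host-01",
    "os_name": "Windows 11",
}
TEXT_FIELDS = ("display_name", "host_name", "os_name")


def render_row_unsafe(device):
    """Vulnerable pattern: endpoint-supplied strings interpolated straight into
    the dashboard HTML, so the admin's browser runs whatever the endpoint sent."""
    cells = "".join(f"<td>{device[f]}</td>" for f in TEXT_FIELDS)
    return f'<tr data-device-id="{device["device_id"]}">{cells}</tr>'


def render_row_safe(device):
    """Hardened: encode every untrusted value for its output context.
    html.escape(quote=True) is the right encoder for text nodes and for
    double-quoted attribute values, the only two contexts this template uses."""
    def esc(value):
        return html.escape(str(value), quote=True)
    cells = "".join(f"<td>{esc(device[f])}</td>" for f in TEXT_FIELDS)
    return f'<tr data-device-id="{esc(device["device_id"])}">{cells}</tr>'


def leaks_markup(render, device):
    """Regression check for a test suite: render the template with empty values
    and with the untrusted record; any extra tag start or a bare inline event
    handler means untrusted text reached the HTML unencoded."""
    skeleton = render({k: "" for k in device})
    out = render(device)
    extra_tags = out.count("<") != skeleton.count("<")
    handler = re.search(r'\son\w+\s*="', out) is not None
    return extra_tags or handler
```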
- Fortinet have a few bugs - CVE-2025-59808 "An Unverified Password Change vulnerability [CWE-620] in FortiSOAR"; CVE-2025-64471 "A use of password hash instead of password for authentication vulnerability [CWE-836] in FortiWeb".
Bleeping Computer are also reporting on a flaw in SAML validation for FortiCloud SSO; however, the supplied CVE identifiers do not match public records.
- The Twitter/X account for Paramount Pictures was allegedly briefly taken over, and the bio changed to "Proud arm of the fascist regime"
- Instagram is making up its own headlines for Instagram posts
Last week, VanderMeer posted a video to Instagram of a bunny eating a banana. VanderMeer didn’t include a caption or comment with the post, but noticed that it appeared in Google Search results with the following headline: “Meet the Bunny Who Loves Eating Bananas, A Nutritious Snack For Your Pet.”
Google told me that it is not generating the headlines, and that it’s pulling the text directly from Instagram.
“I couldn't find any reference to it in the pre-rendered or rendered HTML in Chrome Dev Tools as a regular visitor on my home network. It does appear like Instagram is generating titles and doing it explicitly for search engines.”
- [DE] The Bundesamt für Sicherheit in der Informationstechnik (BSI - Federal Office for Information Security) has reviewed the security of a small subset of Password Managers.
Three out of ten of the password managers examined stored passwords in a way that theoretically allows manufacturers access.
- [NKO] Long-form piece playing with North Korean IT Workers. This is a more detailed write-up of the piece mentioned on 03DEC2025.
- [MY] Stealing $1b in electricity, to mine Bitcoin
This is the cat-and-mouse game between Bitcoin miners and Malaysian authorities, who recorded about 14,000 illicit mining sites over the past five years. Power theft has inflicted about $1.1 billion in losses on state-owned energy company Tenaga Nasional, or TNB, during that time.
Globally, Bitcoin mining chews through more electricity than overall consumption in South Africa or Thailand.
- (Bloomberg) https://archive.is/MSSXQ
- [NZ] Nice to see New Zealand's National Cyber Security Centre (NCSC) taking on the hard work of informing users that they're likely infected with Lumma Stealer.
Emails are going out to around 26,000 email addresses.
...
“This is the first time that we have conducted such a large-scale public outreach, and we want to assure recipients that the email from the NCSC is legitimate.”
- More Microsoft bugs and outages - Copilot outage in the UK and Europe, blamed on both scaling and a load-balancer policy change.
Meanwhile, Defender is having more problems, with Defender for Endpoint "device inventory and threat analytics" inaccessible to some.
Getting Techy
- Cyderes dig into the Beima PHP web-shell, including a chat with its student creator.
- Running Proxmox? ZephrSec look into the extra information and pathways that exist on Proxmox machines, creating LOLProx (Living Off the Land for Proxmox)
- Sophos dig into the Shanya executable 'packer' service (with IoCs). The target executable (usually malware) is encrypted and wrapped in new code. Unpacking of the target executable is only performed into memory (no on-disk artefacts) after a few checks to ensure it won't get caught (not running in a sandbox / malware analysis VM / debugger).
One user of this packer is Akira Ransomware.
- ReliaQuest have a brief write-up on Storm-0249 (financially motivated Initial Access Broker (IAB)) (with IoCs). Most interesting section: SentinelOne's agent hasn't been locked down to prevent DLL sideloading, so the signed agent executable is being used as a loader.
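Detection logic for the sideloading pattern ReliaQuest describes, as an added example that is not from their write-up or from any vendor: Sysmon Event ID 7 shaped image-load records are checked for a known agent binary running outside its install directory, loading a non-vendor-signed DLL from beside itself, or loading a DLL from a user-writable path. The agent name, install directory, signer and sample events are constructed placeholders.

```python
import ntpath

# Expected install directory and signer for an endpoint agent that attackers copy
# elsewhere and use as a sideloading host (constructed placeholders, not vendor data).
KNOWN_AGENTS = {"agent.exe": {"install_dir": r"C:\Program Files\ExampleVendor\Agent",
                              "signer": "ExampleVendor Inc"}}
USER_WRITABLE = (r"C:\Users", r"C:\ProgramData", r"C:\Windows\Temp")

def _norm(path):
    return ntpath.normpath(path).lower()

def _under(path, directory):
    return _norm(path).startswith(_norm(directory) + "\\")

def check_image_load(event):
    """Reasons an image-load event (Sysmon Event ID 7 shaped: Image, ImageLoaded,
    Signed, Signature) looks like DLL sideloading through a known agent binary.
    Returns an empty list when nothing is suspicious."""
    profile = KNOWN_AGENTS.get(ntpath.basename(event["Image"]).lower())
    if profile is None:
        return []
    exe, dll, reasons = event["Image"], event["ImageLoaded"], []
    if not _under(exe, profile["install_dir"]):
        reasons.append("agent binary running outside its install directory")
    beside_exe = ntpath.dirname(_norm(dll)) == ntpath.dirname(_norm(exe))
    vendor_signed = (event.get("Signed", "false").lower() == "true"
                     and event.get("Signature") == profile["signer"])
    if beside_exe and not vendor_signed:
        reasons.append("DLL beside the agent binary is not signed by the vendor")
    if any(_under(dll, d) for d in USER_WRITABLE):
        reasons.append("DLL loaded from a user-writable location")
    return reasons

def scan(events):
    """(process, dll, reasons) for every event that trips at least one rule."""
    return [(ev["Image"], ev["ImageLoaded"], r)
            for ev in events if (r := check_image_load(ev))]

# Constructed sample telemetry: a legitimate load from the install directory,
# a system DLL, and a relocated copy of the agent loading an unsigned DLL.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\ExampleVendor\Agent\agent.exe", "Signed": "true",
     "ImageLoaded": r"C:\Program Files\ExampleVendor\Agent\agentcore.dll",
     "Signature": "ExampleVendor Inc"},
    {"Image": r"C:\Program Files\ExampleVendor\Agent\agent.exe", "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\svc\agent.exe", "Signed": "false",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\svc\agentcore.dll", "Signature": ""},
]
```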
- Sysdig dive into EtherRAT. "analysis reveals significant overlap with North-Korea-linked "Contagious Interview" (DPRK) tooling."
The North Koreans are so comfortable with crypto-currencies like Ethereum that they're using it for Command and Control (C2).
Unclear what the goal is, beyond persistent access to the systems.
Geo-Politics
- [FR] Elatr Khashoggi, widow of murdered journalist Jamal Khashoggi, has filed a complaint in a French Court accusing Saudi Arabia of deploying NSO's Pegasus spyware on her phones.
- [UK] Foreign Secretary Yvette Cooper calls on Europe "to combat the growing threat of information warfare as hybrid attacks target countries on the continent."
Privacy
- [US] Photos and videos have emerged showing a US Customs and Border Protection (CBP) agent using personal Meta glasses to record video, against CBP policy. Images from previous interactions did not clearly show the recording light illuminated; the latest footage does show the light illuminated.
- (404 Media) https://archive.is/3hDqM
- [US] A man has been charged with wiping his own device before US Customs and Border Protection could access the data.
The indictment says on January 24, Tunick “did knowingly destroy, damage, waste, dispose of, and otherwise take any action to delete the digital contents of a Google Pixel cellular phone, for the purpose of preventing and impairing the Government’s lawful authority to take said property into its custody and control.”
- (404 Media) https://archive.is/Nw6S8
AI
- The Linux Foundation has "announced the formation of the Agentic AI Foundation (AAIF) with founding contributions of leading technical projects including Anthropic’s Model Context Protocol (MCP), Block’s goose, and OpenAI’s AGENTS.md."
- More Prompt Injection attacks - this time against ServiceNow's "Now Assist AI". Very simple setup - ticket contains the injection attack, requesting data from a separate, sensitive, ticket. When an AI accesses the poisoned ticket, on behalf of an admin (example used "categorize incident ticket"), the agent follows the malicious instructions.
- Copenhagen Ethical Hacking and Penetration Testing Society have published a red-team guide to LLMs