InfoSec News 18DEC2025
General
- This might be challenging for a few larger firms who still have mail gateways on the perimeter - 'Cisco Secure Email Gateway' (aka 'Email Security Appliance', ESA, IronPort) and 'Cisco Secure Email and Web Manager' (aka 'Cisco Content Security Management Appliance', SMA) - are under attack from a China-aligned party.
The vulnerability is in the Spam Quarantine feature, when those ports (6025 and 7025) are exposed to the Internet.
It's made it straight on to the CISA Known Exploited Vulnerabilities (KEV) list.
In case of confirmed compromise, rebuilding the appliances is, currently, the only viable option to eradicate the threat actors' persistence mechanism from the appliance.
- https://blog.talosintelligence.com/uat-9686/
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4
- (IoCs) https://github.com/Cisco-Talos/IOCs/tree/main/2025/12
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-20393
- https://www.bleepingcomputer.com/news/security/cisco-warns-of-unpatched-asyncos-zero-day-exploited-in-attacks/
- https://techcrunch.com/2025/12/17/cisco-says-chinese-hackers-are-exploiting-its-customers-with-a-new-zero-day/
- Interesting Android malware - don't try to write your own 'useful' app, just pick one from the Google Play store and infect that. Ease of generation will likely lead to these apps being spammed into the stores, with the main limitation likely to be access to clean developer accounts.
Frustratingly, there's no information on the claimed Play Protect bypass. This is one of the main protections against malicious apps on Android - blocking installs, and cleaning up infections.
- SonicWall asks users to patch a local privilege escalation flaw that Google Threat Intelligence Group has seen chained with a January 2025 pre-authentication remote code execution (RCE) bug.
If they've still not patched a bug from January, they're probably already compromised, and unlikely to patch this one either.
- Why hack, or try to break end-to-end encryption, when you can just ask the user to add your device? Socially engineering access to WhatsApp via device pairing (a similar attack was being carried out against Signal users earlier this year).
- Attackers are still cryptocurrency mining on EC2? Not even using GPU instances! This was barely worthwhile a decade ago; the payouts now must be minuscule.
Slightly novel - tries to block automated remediation.
A key technique observed in this attack was the use of ModifyInstanceAttribute with disable API termination set to true, forcing victims to re-enable API termination before deleting the impacted resources. Disabling instance termination protection adds an additional consideration for incident responders and can disrupt automated remediation controls.
- https://aws.amazon.com/blogs/security/cryptomining-campaign-targeting-amazon-ec2-and-amazon-ecs/
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html
- https://www.bleepingcomputer.com/news/security/amazon-ongoing-cryptomining-campaign-uses-hacked-aws-accounts/
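The ModifyInstanceAttribute trick is easy to hunt for in CloudTrail and easy to undo, provided the responder's playbook resets the attribute before calling TerminateInstances (the terminate call fails with OperationNotPermitted while disableApiTermination is true). The following is an added example, not code from the AWS post: it parses constructed CloudTrail records, flags every event that switched disableApiTermination on, and emits the ordered API calls a remediation step needs. The sample records, actor ARNs and account ID are constructed; the field names follow the documented CloudTrail format for ModifyInstanceAttribute.

```python
"""Spot EC2 termination-protection abuse in CloudTrail and plan the cleanup.

Added example (not code from the AWS blog post). The CloudTrail layout used
here (eventName, requestParameters.instanceId,
requestParameters.disableApiTermination.value) follows the documented log
format; the records below are constructed sample data, not real events.
"""
import json

# Constructed sample CloudTrail log file, using the same envelope as a real
# delivery ({"Records": [...]}). Account ID and instance IDs are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2025-12-15T03:12:44Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/compromised-user"},
     "requestParameters": {"instanceType": "c5.24xlarge"}},
    {"eventTime": "2025-12-15T03:13:01Z", "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/compromised-user"},
     "requestParameters": {"instanceId": "i-0abc1234567890def",
                           "disableApiTermination": {"value": True}}},
    # A legitimate admin turning protection OFF: must not be flagged.
    {"eventTime": "2025-12-15T09:00:00Z", "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops-admin"},
     "requestParameters": {"instanceId": "i-0fedcba9876543210",
                           "disableApiTermination": {"value": False}}},
]})


def load_records(log_text):
    """Parse one CloudTrail log file and return its list of event records."""
    return json.loads(log_text).get("Records", [])


def find_termination_protection_enabled(records):
    """Return one finding per event that switched disableApiTermination ON.

    Only ModifyInstanceAttribute events with disableApiTermination.value == true
    match; events that turn protection off, or touch other attributes, are ignored.
    """
    findings = []
    for rec in records:
        if rec.get("eventName") != "ModifyInstanceAttribute":
            continue
        params = rec.get("requestParameters") or {}
        flag = (params.get("disableApiTermination") or {}).get("value")
        if flag is True:
            findings.append({
                "instanceId": params.get("instanceId"),
                "actor": (rec.get("userIdentity") or {}).get("arn"),
                "eventTime": rec.get("eventTime"),
            })
    return findings


def remediation_plan(findings):
    """Ordered EC2 API calls to remove the flagged instances.

    TerminateInstances is rejected (OperationNotPermitted) while the attribute
    is set, so each instance gets a ModifyInstanceAttribute reset first. The
    parameter names match the boto3 ec2 client keyword arguments.
    """
    plan = []
    for f in findings:
        iid = f["instanceId"]
        plan.append(("ModifyInstanceAttribute",
                     {"InstanceId": iid, "DisableApiTermination": {"Value": False}}))
        plan.append(("TerminateInstances", {"InstanceIds": [iid]}))
    return plan


if __name__ == "__main__":
    hits = find_termination_protection_enabled(load_records(SAMPLE_LOG))
    for h in hits:
        print(f"{h['eventTime']} {h['actor']} enabled termination protection on {h['instanceId']}")
    for api, params in remediation_plan(hits):
        print(f"  -> {api} {params}")
```

In production the plan would be executed with `boto3.client("ec2").modify_instance_attribute(...)` followed by `terminate_instances(...)`; keeping the two steps in that order is the whole point, since an automated playbook that only calls terminate will silently fail on these instances.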
- [US] The Department of Justice has taken down another cryptocurrency exchange for money laundering.
Since 2017, the FBI identified more than $70,000,000 of illicit proceeds of ransomware attacks and account takeovers transferred via E-Note payment service and money mule network, including laundered funds stolen or extorted from U.S. victims.
Chudnovets is charged with one count of conspiracy to launder monetary instruments which carries a maximum penalty of 20 years in prison.
- https://www.justice.gov/usao-edmi/pr/fbi-disrupts-virtual-money-laundering-service-used-facilitate-criminal-activity
- https://therecord.media/fbi-takes-down-alleged-money-laundering-operation
- [US] If the Federal Trade Commission (FTC) is setting a precedent on vulnerable cryptocurrency platforms, it's going to be very busy! Nomad is told to repay user funds.
The FTC alleged that Nomad pushed an update in June 2022 containing "inadequately tested code" that, in turn, introduced a "significant vulnerability" that was exploited around a month later.
The FTC acknowledged that some of these funds were recovered, but Nomad's customers ultimately lost out on approximately $100 million.
The FTC's proposed settlement agreement, published this week, would require Nomad to repay around $37.5 million to users who remain out of pocket.
Getting Techy
- XLabs dive into the KimWolf botnet (which appears to be a fork of Aisuru), targeted at Android TV boxes (a lot of cheaper ones were coming pre-infected with malware).
In case you're wondering about the domain - no idea, it's just an ordinary-looking 1950s 3-bedroom house.
its C2 domain 14emeliaterracewestroxburyma02132[.] su ranked second in the Cloudflare domain name popularity rankings at that time, and even surpassed Google a week later to become the world's No. 1 in Cloudflare domain name popularity
we conservatively estimate that the actual number of infected devices of kimwolf has exceeded 1.8 million.
Geo-Politics
- NATO Assistant Secretary General for Cyber and Digital Transformation says we need more Cyber and Digital Transformation.
This means the alliance's own digital transformation needs a clear sense of urgency. "That means building a modernized digital backbone to enhance intelligence sharing, accelerate decision making, and strengthen operational readiness across all 32 allies."
At the same time, he said: "We must acknowledge the trade offs… full sovereignty often comes with reduced scalability and innovation speed."
- [BY] Reporters Without Borders have identified Belarusian spyware ('ResidentBat') on a journalist's phone.
Android log data shows it was installed by the KGB during the interrogation.
Privacy
- TikTok spying on its users
One of the complaints from the Vienna-based digital rights organization None of Your Business (noyb) says that TikTok acknowledged under pressure that it tracked a user’s activities on Grindr as well as other apps.
TikTok could even see which items the complainant added to a shopping cart on an app other than Grindr, according to noyb.
- https://therecord.media/tiktok-grindr-data-tracking-noyb
- https://noyb.eu/en/tiktok-unlawfully-tracks-your-shopping-habits-and-your-use-dating-apps
- Meta using AI chat content to target advertising. At least it's on-brand.
The new feature, which was announced October 1 and rolled out Tuesday, will “start personalizing content and ad recommendations on our platforms based on people’s interactions with our generative AI features,” the social media giant said in a blog post.
Users will not be able to opt out of the sharing though it will only apply to those using Meta AI, which is integrated into Facebook, Instagram, WhatsApp and Messenger.
“We know exactly why Meta is using automatic opt-in and it's because they know that no consumer who was actually fully informed of what Meta is doing would willingly opt into this,” he said.
AI
- The shady, shady world of social influencers - Doublespeed runs farms of real mobile devices (~1,100) for its AI-generated 'influencers'.
Doublespeed uses a bank of phones to emulate the behavior of real users. So-called “click farms” or “phone farms” often use hundreds of mobile phones to fake online engagement of reviews for the same reason.
more than 400 TikTok accounts Doublespeed operates. Around 200 of those were actively promoting products on TikTok, mostly without disclosing the posts were ads