Cyber Security Week in Review: December 26, 2025


Fortinet said it has observed recent in-the-wild abuse of a five-year-old FortiOS SSL VPN vulnerability under certain configurations. The flaw, tracked as CVE-2020-12812, is an improper authentication issue that can allow users to bypass multi-factor authentication by altering the case of the username during login. More information on the issue as well as mitigations can be found in Fortinet’s advisory.

CISA has added a high-severity security vulnerability affecting Digiever DS-2105 Pro network video recorders to its Known Exploited Vulnerabilities catalog due to active exploitation. The flaw, CVE-2023-52163, is a command injection issue that can allow remote code execution. It stems from improper input validation in the time_tzsetup.cgi component. A second issue, CVE-2023-52164, is a path traversal vulnerability caused by an input validation error when processing directory traversal sequences within the access_device.cgi script. Currently, there is no indication that this second flaw is being exploited in the wild.

A new campaign is targeting Russian military personnel and defense-industry organizations. The activity came to light earlier in October after Intezer researchers identified a malicious XLL file uploaded to VirusTotal, first from Ukraine and later from Russia. The file was designed to automatically execute malicious code when opened in Microsoft Excel.

A suspected Chinese hacking group reportedly breached the UK Foreign Office in October. The suspected perpetrator, a threat actor tracked as Storm-1849, has been linked to the ArcaneDoor cyber campaign, which exploited Cisco zero-day vulnerabilities and targeted government networks. Cisco warned of ongoing activity in late September.

Amazon has reportedly caught a remote IT worker linked to North Korea who was posing as a US-based employee after the company detected unusually high delays between keystrokes in backend systems. This latency would not be expected if the worker were actually located in the United States, as claimed. Amazon said it has blocked more than 1,800 attempts by North Korean operatives to secure jobs at the company.

Text editor EmEditor disclosed a security breach in which a third party altered the Windows installer download link between December 19 and 22. Security firm QiAnXin reported that the compromised installer contained info-stealer malware.

Italian police have arrested a second Latvian suspect linked to an attempted malware attack on a Mediterranean ferry. The case began after ferry operator GNV detected and neutralized a Remote Access Trojan on IT systems aboard the vessel Fantastic. When the ship docked in Sète, France, authorities detained two crew members, a Latvian and a Bulgarian, with the Latvian charged with conspiring to infiltrate a data system on behalf of a foreign power.

Cyber criminals are increasingly recruiting insiders within banks, telecoms, and tech companies to gain direct access to systems and data, Check Point reports. Employees are being approached or volunteering on darknet forums to sell access or sensitive information, reducing the need for traditional hacking methods. Payments typically range from $3,000–$15,000, while large stolen datasets, such as millions of cryptocurrency exchange records, can sell for much more.

Multiple threat actors are actively compromising Microsoft 365 accounts using phishing attacks that abuse Microsoft’s OAuth device code authorization mechanism. Victims are tricked into entering a device code on Microsoft’s legitimate device login page, unknowingly granting access to their Microsoft 365 account via an attacker-controlled application. This way, the attacker doesn’t need to steal credentials or bypass multi-factor authentication (MFA).
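Because the victim authenticates on Microsoft's own login page, credential-based controls see nothing wrong, so detection has to start from the sign-in telemetry. The following added example (not from the original post) runs two simple heuristics over constructed sign-in records shaped like Microsoft Entra sign-in log entries: it flags device-code sign-ins by applications the tenant does not expect to use that flow, and device-code sign-ins from an IP address never seen for that user before. The field names and the allow-list are assumptions for this example.

```python
import json

# Constructed sample of sign-in records as JSON lines. Field names are assumed to
# follow the Microsoft Graph signIn resource; every value is made up for this example.
SAMPLE_SIGNINS = """\
{"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Teams", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "createdDateTime": "2025-12-22T09:01:00Z"}
{"userPrincipalName": "bob@example.com", "appDisplayName": "Outlook", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.22", "createdDateTime": "2025-12-22T09:02:00Z"}
{"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Authentication Broker", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "createdDateTime": "2025-12-22T09:05:00Z"}
{"userPrincipalName": "bob@example.com", "appDisplayName": "Azure CLI", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22", "createdDateTime": "2025-12-22T10:00:00Z"}
"""

# Applications this hypothetical tenant legitimately uses with the device-code flow.
ALLOWED_DEVICE_CODE_APPS = {"Azure CLI"}


def flag_device_code_signins(jsonl, allowed_apps=ALLOWED_DEVICE_CODE_APPS):
    """Return findings for device-code sign-ins that look out of place.

    Heuristic 1: the application is not one the tenant expects to use device-code flow.
    Heuristic 2: the sign-in IP has never been seen for that user in earlier events.
    Events are processed in the order given, which is assumed to be chronological.
    """
    seen_ips = {}  # user -> set of IPs observed in earlier events
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        user, ip, app = ev["userPrincipalName"], ev["ipAddress"], ev["appDisplayName"]
        if ev.get("authenticationProtocol") == "deviceCode":
            reasons = []
            if app not in allowed_apps:
                reasons.append("app not allow-listed for device-code flow")
            if ip not in seen_ips.get(user, set()):
                reasons.append("first sign-in from this IP for user")
            if reasons:
                findings.append({"user": user, "app": app, "ip": ip,
                                 "time": ev["createdDateTime"], "reasons": reasons})
        # Record the IP only after the check so an event cannot vouch for itself.
        seen_ips.setdefault(user, set()).add(ip)
    return findings


if __name__ == "__main__":
    for f in flag_device_code_signins(SAMPLE_SIGNINS):
        print(f"{f['time']} {f['user']} via {f['app']!r} from {f['ip']}: {'; '.join(f['reasons'])}")
```

On the sample data only Alice's device-code sign-in is reported, on both counts; Bob's Azure CLI sign-in from his usual address passes. Real tenants will need a tuned allow-list and a longer baseline window than a handful of events.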

Two Chrome extensions listed in the Web Store under the name Phantom Shuttle, masquerading as proxy service plugins, are hijacking user traffic and stealing sensitive data. Researchers say the extensions route all web traffic through attacker-controlled proxy servers using hardcoded credentials hidden with a custom encoding scheme. The malicious code is prepended to a legitimate jQuery library to evade detection. By dynamically reconfiguring Chrome’s proxy settings, the extensions force traffic through the proxies automatically.

Users reported losing cryptocurrency after installing a compromised Trust Wallet Chrome extension update released on December 24. Shortly after using the extension, wallets were drained, with blockchain security firm PeckShield Alert estimating losses of over $6 million.

A major ransomware attack has compromised around 1,000 systems belonging to Romania’s water management authority. The attack began on December 20 and spread to ten of the country’s 11 river basin management organizations. Authorities said that operational capabilities were not affected. Investigators have found that the attackers used the built-in Windows BitLocker security feature to lock files on compromised systems, then left a ransom note demanding that they be contacted within 7 days.

More than 500 suspects have been arrested as part of an Interpol-coordinated operation known as 'Operation Sentinel,' with authorities recovering $3 million linked to business email compromise (BEC), extortion, and ransomware crimes. The month-long initiative involved law enforcement agencies from 19 countries and led to the takedown of more than 6,000 malicious links and the decryption of six ransomware variants.

In a separate action, Nigerian law enforcement has arrested three individuals linked to targeted Microsoft 365 cyberattacks conducted through the Raccoon0365 phishing platform.

The US Department of Justice (DoJ), in cooperation with Estonian authorities, has taken action against a web domain and database used in a large-scale bank account takeover fraud targeting Americans. The seized domain (web3adspanels[.]org) served as a backend control panel that stored and managed illegally harvested bank login credentials. The criminal group behind the scheme used fraudulent ads on search engines such as Google and Bing that closely mimicked legitimate bank ads. Victims were redirected to fake bank websites, where their login credentials were stolen. The pilfered information was then used to access real bank accounts and steal funds.

A Ukrainian national has pleaded guilty to conspiracy to commit computer fraud for his role in a series of international ransomware attacks. According to court documents, Artem Aleksandrovych Stryzhak, 35, of Barcelona, Spain, conspired with others to deploy the Nefilim ransomware against computer networks in the United States and other countries.

Former cybersecurity professionals Ryan Clifford Goldberg and Kevin Tyler Martin pleaded guilty to participating in ransomware attacks in 2023 while working at firms responsible for helping victims respond to such incidents. Goldberg, an incident response manager at Sygnia, and Martin, a ransomware negotiator at DigitalMint, worked with a co-conspirator to breach networks and deploy the ALPHV (BlackCat) ransomware to extort payments.

The US Securities and Exchange Commission (SEC) has charged several crypto platforms and investment clubs for allegedly defrauding US investors of over $14 million. From January 2024 to January 2025, entities like AI Wealth Inc. and Lane Wealth Inc. lured investors via social media and WhatsApp, promising AI-driven trading returns. Victims were directed to fund accounts on fake platforms, including Morocoin Tech and Cirkor Inc., which falsely claimed to be licensed and offered nonexistent securities.
