Cybersecurity Newsletter December 22nd, 2025
In this week’s news: over 25,000 FortiCloud SSO devices exposed to remote attacks, OAuth device code authorization abused for account takeover, CISA’s acting director failed a polygraph, the Phobos ransomware family expands with a new FAUST variant, Wishbone breach: 40 million records leaked, Cisco disclosed a critical zero-day (CVE-2025-20393), Nigeria arrests the RaccoonO365 phishing developer, the U.S. DOJ charges 54 in an ATM jackpotting scheme, WatchGuard warns of active exploitation of a critical Fireware OS VPN vulnerability, and Denmark blames Russia for a destructive cyberattack on a water utility.
Internet security watchdog Shadowserver has found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled, amid ongoing attacks targeting a critical authentication bypass vulnerability. Fortinet noted on December 9th, when it patched the security flaw tracked as CVE-2025-59718 (FortiOS, FortiProxy, FortiSwitchManager) and CVE-2025-59719 (FortiWeb), that the vulnerable FortiCloud SSO login feature is not enabled until admins register the device with the company's FortiCare support service.
https://www.bleepingcomputer.com/news/security/over-25-000-forticloud-sso-devices-exposed-to-remote-attacks/
Danish intelligence officials blamed Russia for orchestrating cyberattacks against Denmark's critical infrastructure, as part of Moscow's hybrid attacks against Western nations. In a Thursday statement, the Danish Defence Intelligence Service (DDIS) identified two groups operating on behalf of the Russian state: Z-Pentest, linked to the destructive water-utility attack, and NoName057(16), flagged as responsible for the DDoS attacks ahead of Denmark's local elections in November 2025.
https://www.bleepingcomputer.com/news/security/denmark-blames-russia-for-destructive-cyberattack-on-water-utility/
Proofpoint is tracking multiple threat clusters - both state-aligned and financially motivated - that use various phishing tools to trick users into granting access to Microsoft 365 accounts via OAuth device code authorization. The actors abuse the OAuth 2.0 device authorization grant flow: the victim is lured into approving access for an application, and the compromise leads to account takeover, data exfiltration, and more.
https://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover
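How the device authorization grant hands tokens to whoever holds the device code, as an added illustration that is not part of the Proofpoint post or any vendor's code: the in-memory identity provider, the client ID, scope and user identity are all constructed, and the allow_device_code switch stands in for a tenant policy that blocks the flow outright.

```python
import secrets

class DeviceAuthServer:
    """Constructed in-memory stand-in for an IdP's RFC 8628 endpoints."""
    def __init__(self, allow_device_code=True):
        self.allow_device_code = allow_device_code  # stands in for tenant policy
        self._pending = {}       # device_code -> grant record
        self._by_user_code = {}  # user_code -> device_code

    def device_authorization(self, client_id, scope):
        # Step 1: a client asks for a code pair; the IdP cannot tell a
        # legitimate device from a phishing operator's script.
        if not self.allow_device_code:
            return {"error": "unauthorized_client"}  # flow blocked by policy
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self._pending[device_code] = {"client_id": client_id, "scope": scope,
                                      "approved_by": None}
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/device"}

    def approve(self, user_code, user):
        # Step 2: the user types the short code into the genuine IdP page;
        # nothing binds this approval to the device that requested it.
        device_code = self._by_user_code.get(user_code)
        if device_code is None:
            return False
        self._pending[device_code]["approved_by"] = user
        return True

    def token(self, device_code):
        # Step 3: whoever holds device_code polls; once approved, tokens flow
        # to that holder, which is the account-takeover path described above.
        rec = self._pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        return {"access_token": "tok-" + secrets.token_hex(8),
                "scope": rec["scope"], "sub": rec["approved_by"]}

def device_code_scenario(allow_flow):
    """Full exchange: code request, user approval, token poll (constructed)."""
    idp = DeviceAuthServer(allow_device_code=allow_flow)
    codes = idp.device_authorization("mail-client", "Mail.Read")
    if "error" in codes:
        return codes
    idp.approve(codes["user_code"], "user@example.com")
    return idp.token(codes["device_code"])
```

Running `device_code_scenario(False)` shows the effect of a policy that disallows the flow: the code request fails before any user code exists to phish.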
Threat actors have been observed leveraging malicious dropper apps masquerading as legitimate applications to deliver an Android SMS stealer dubbed Wonderland in mobile attacks targeting users in Uzbekistan.
https://thehackernews.com/2025/12/android-malware-operations-merge.html
At least six career staffers at the Cybersecurity and Infrastructure Security Agency were suspended with pay this summer after organizing a polygraph test that the agency’s acting director, Madhu Gottumukkala, failed.
https://www.politico.com/news/2025/12/21/cisa-acting-director-madhu-gottumukkala-polygraph-investigation-00701996
Security researchers have recently uncovered a new variant of the notorious Phobos ransomware family named FAUST. According to an advisory published by FortiGuard Labs last Thursday, the FAUST variant was found in an Office document utilizing a VBA script to propagate the ransomware.
https://www.infosecurity-magazine.com/news/phobos-ransomware-new-faust-variant/
A prolific dark web trader has leaked what they claim to be 40 million user records from popular mobile app Wishbone. The individual known as “ShinyHunters” posted the data to RaidForums, claiming that, “since people are starting to resell wishbone we’ve decided to leak it for free.”
https://www.infosecurity-magazine.com/news/wishbone-breach-40-million-records/
Cisco reported a December 10 campaign targeting certain Secure Email Gateway appliances with exposed ports, enabling attackers to run root-level commands and plant persistence mechanisms. Threat actors exploited a Remote Command Execution Vulnerability, tracked as CVE-2025-20393, in Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.
https://securityaffairs.com/185861/apt/china-linked-apt-uat-9686-is-targeting-cisco-secure-email-gateway-and-secure-email-and-web-manager.html
Authorities in Nigeria have announced the arrest of three "high-profile internet fraud suspects" who are alleged to have been involved in phishing attacks targeting major corporations, including the main developer behind the RaccoonO365 phishing-as-a-service (PhaaS) scheme.
https://thehackernews.com/2025/12/nigeria-arrests-raccoono365-phishing.html
The U.S. Department of Justice (DoJ) this week announced the indictment of 54 individuals in connection with a multi-million dollar ATM jackpotting scheme. The large-scale conspiracy involved deploying malware named Ploutus to hack into automated teller machines (ATMs) across the U.S. and force them to dispense cash. The indicted members are alleged to be part of Tren de Aragua (TdA, Spanish for "the train of Aragua"), a Venezuelan gang designated a foreign terrorist organization by the U.S. State Department.
https://thehackernews.com/2025/12/us-doj-charges-54-in-atm-jackpotting.html
WatchGuard has released fixes to address a critical security flaw in Fireware OS that it said has been exploited in real-world attacks. Tracked as CVE-2025-14733 (CVSS score: 9.3), the vulnerability has been described as a case of out-of-bounds write affecting the iked process that could allow a remote unauthenticated attacker to execute arbitrary code.
https://thehackernews.com/2025/12/watchguard-warns-of-active-exploitation.html
Threat hunters have discerned new activity associated with an Iranian threat actor known as Infy (aka Prince of Persia), nearly five years after the hacking group was observed targeting victims in Sweden, the Netherlands, and Turkey. "The scale of Prince of Persia's activity is more significant than we originally anticipated," Tomer Bar, vice president of security research at SafeBreach, said in a technical breakdown shared with The Hacker News. "This threat group is still active, relevant, and dangerous."
https://thehackernews.com/2025/12/iranian-infy-apt-resurfaces-with-new.html
Amla deep-dives into CVE-2025-6514 - a critical vulnerability in mcp-remote that affected 558,846 downloads. The bug was client-side, but the attack exploited OAuth dynamic discovery, a trust assumption that breaks for autonomous agents.
https://amlalabs.com/blog/oauth-cve-2025-6514/
h3xDum deep-dives into the Xiaomi C200 - From UART to Root: Breaking Into the Xiaomi C200 via U-Boot
https://github.com/h3xDum/Xiaomi-C200-Firmware-Analysis