A fake WhatsApp Web API library called 'Lotusbail' has been quietly stealing users' credentials and messages for six months on NPM, racking up over 56,000 downloads. Koi Security found that the malicious package masquerades as a legitimate WhatsApp tool while capturing everything - authentication tokens, messages, contacts, and media files - then encrypting the data and sending it to the attackers.
The malware goes further by hijacking WhatsApp's device pairing process, silently linking an attacker-controlled device to the victim's account for persistent backdoor access. Uninstalling the package alone does not close that hole: because the attacker's device is already paired, victims must also remove all unknown linked devices from WhatsApp's settings to regain control of the account.
Source: SecurityWeek
Cybercriminals are actively exploiting a critical zero-day vulnerability in WatchGuard Firebox firewalls, prompting CISA to add it to its Known Exploited Vulnerabilities catalog. The flaw, CVE-2025-14733, allows unauthenticated remote code execution on devices configured for IKEv2 VPN.
WatchGuard discovered the vulnerability internally on December 15 and released a patch three days later. The company warns this is part of a broader campaign targeting edge networking devices from multiple vendors, following similar attacks on Fortinet and SonicWall systems this month.
Nearly 125,000 vulnerable devices remain exposed globally, with over 35,000 in the US. WatchGuard urges immediate patching.
Source: Dark Reading
France's national postal service La Poste suffered a suspected DDoS cyber-attack on Monday, disrupting mail deliveries and online banking services during the busiest shipping period of the year. The attack made websites and apps inaccessible, forcing post offices to turn away customers trying to send last-minute Christmas parcels. La Poste typically handles over 2 million items in the pre-Christmas rush.
The postal service's banking arm, La Banque Postale, also experienced disruptions to online banking and mobile apps, though ATMs and card payments continued working. Officials said customer data remained secure.
This incident follows a recent cyber-attack on France's interior ministry and comes amid allegations that Russia is conducting "hybrid warfare" against European allies of Ukraine through cyber-attacks.
Source: The Guardian
WatchGuard has patched a critical zero-day vulnerability (CVE-2025-14733) in its Firebox firewalls after detecting active exploitation in the wild. The flaw, scoring 9.3 on the CVSS scale, allows remote attackers to execute code without authentication through an out-of-bounds write issue in the iked process.
The Shadowserver Foundation identified roughly 125,000 vulnerable IP addresses worldwide, including nearly 40,000 in the United States. The vulnerability affects VPN configurations using IKEv2, particularly mobile user VPN and branch office VPN setups with dynamic gateway peers.
Patches are available for supported Fireware OS versions, but version 11.x won't receive fixes due to end-of-life status. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog, giving federal agencies one week to remediate.
Source: Security Week
Cybercriminals are using a clever new trick to break into Microsoft 365 accounts by abusing OAuth device codes, a legitimate Microsoft feature meant for smart TVs and similar input-constrained devices. The scam works by sending phishing emails with fake document links that generate real device codes on demand. Victims then enter these codes on Microsoft's genuine login page at microsoft.com/devicelogin, completing a sign-in for a session the attacker controls and unknowingly handing over account access.
Two main tools are driving these attacks: SquarePhish2 uses QR codes for mass campaigns, while Graphish creates fake login pages that steal both passwords and authentication tokens. By September 2025, these attacks had become widespread, targeting everyone from corporate users to government officials.
Because the victim authenticates on Microsoft's real login page and no password ever passes through an attacker-hosted site, the attack is extremely hard to detect with traditional security tools.
Source: Cybersecurity News
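The pattern described above leaves one reliable fingerprint: the resulting sign-in is recorded with the device code flow as its authentication protocol, and the token is usually redeemed from infrastructure the user has never signed in from. The following is an added example, not code from the original article or from any of the tools it names. It runs over constructed records shaped like Entra ID sign-in log entries from the Microsoft Graph signIn resource (the field names used, authenticationProtocol, ipAddress, location.countryOrRegion, appDisplayName, status.errorCode, are real; the users, IPs and countries are made up) and flags successful device code sign-ins, escalating those redeemed from a country absent from the user's interactive history.

```python
from collections import defaultdict

# Constructed sample records in the shape of Entra ID sign-in log entries as exposed by
# the Microsoft Graph signIn resource (only the fields read below are included).
# Users, IP addresses and countries are made up for this example.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    # Device code redeemed from a country alice has never signed in from: the phishing pattern.
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"},
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    # Device code from a country already in bob's baseline, e.g. a genuine smart-TV or CLI login.
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "192.0.2.5", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.5", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    # Failed device code attempt: no token was issued, so it is not a compromise and is skipped.
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "RU"},
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},
]


def interactive_baseline(records):
    """Countries per user seen in successful sign-ins that did not use the device code flow."""
    baseline = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            baseline[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])
    return baseline


def find_device_code_signins(records):
    """Return one finding per successful device code sign-in.

    Every such sign-in deserves a look in a tenant that does not expect the flow. It is
    escalated to 'high' when the token was redeemed from a country absent from the
    user's own interactive history, which is how a phished code typically shows up.
    """
    baseline = interactive_baseline(records)
    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue
        user = r["userPrincipalName"]
        country = r["location"]["countryOrRegion"]
        known = baseline.get(user, set())
        findings.append({
            "user": user,
            "ip": r["ipAddress"],
            "country": country,
            "app": r["appDisplayName"],
            "severity": "high" if country not in known else "medium",
            "baseline_countries": sorted(known),
        })
    return findings


if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_SIGNINS):
        print(f"{f['severity']:6} {f['user']} device code redeemed from {f['ip']} ({f['country']}) "
              f"via {f['app']}; interactive baseline: {f['baseline_countries'] or 'none'}")
```

The geographic comparison is a heuristic, not proof: a user pairing a new smart TV while travelling will also trip it. Where the device code flow is not needed at all, the stronger control is to block it outright with an Entra Conditional Access policy using the authentication flows condition, so that a phished code cannot be redeemed in the first place.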
Denmark's Defense Intelligence Service revealed Thursday that Russia conducted cyberattacks on Danish infrastructure in 2024 and 2025, including a destructive attack on a water utility that caused pipes to burst near Køge, leaving homes without water. Russian hackers also targeted Danish websites with denial-of-service attacks ahead of November's regional elections.
Authorities linked the attacks to pro-Russian groups Z-Pentest and NoName057(16), calling them part of Russia's "hybrid war" against Western nations supporting Ukraine. Minister Torsten Schack Pedersen warned the incidents expose Denmark's vulnerability to such threats. The attacks join 147 documented incidents across Europe that officials attribute to Russia's broader sabotage campaign since invading Ukraine.
Source: Security Week
Security researchers discovered at least 120 Cisco Secure Email Gateway and Web Manager devices vulnerable to CVE-2025-20393, a critical zero-day flaw that attackers are actively exploiting. No patch is currently available, leaving organizations exposed.
The vulnerable devices are part of over 650 Cisco email security appliances accessible online. These systems are crucial for filtering malicious emails and protecting networks from phishing and malware.
Cisco has released a security advisory urging immediate defensive measures and temporary mitigations until a permanent fix arrives. The company hasn't provided a timeline for the security update, making interim protections essential for affected organizations.
Source: Cyber Security News
A sprawling cybercrime network called "the Com" is behind recent high-profile hacks including Pornhub user data theft by ShinyHunters. The loose affiliation comprises thousands of mostly male English speakers aged 16-25, operating like a criminal pipeline where older members groom younger recruits.
The Com splits into three branches: Hacker Com (ransomware attacks on retailers like M&S), IRL Com (bomb threats and "swatting" incidents), and Extortion Com (targeting children for self-harm content). FBI investigations have increased six-fold since 2022, with over 250 active cases focusing on the most disturbing branch alone.
Members communicate via Discord and Telegram, motivated by status, misogyny, and causing chaos.
Source: The Guardian
Chinese state-sponsored hackers are actively exploiting a critical zero-day vulnerability in Cisco's email security products, the company warned Wednesday. The flaw (CVE-2025-20393) affects Secure Email Gateway and Web Manager appliances, allowing attackers to execute commands with full system privileges.
Cisco's Talos team discovered the attacks on December 10, but they've been ongoing since late November. The hackers, tracked as UAT-9686, deployed custom tools including AquaShell backdoor and AquaTunnel for remote access. They're targeting devices with certain internet-facing ports open.
No patch is available yet, and Cisco hasn't identified workarounds. CISA ordered federal agencies to address the vulnerability by December 24.
Source: Security Week
Cisco faced two major security incidents this month. First, a Chinese threat group called UAT-9686 exploited a critical zero-day vulnerability (CVE-2025-20393) in Cisco's email security appliances, gaining root access and deploying custom malware including AquaShell backdoor. The flaw affects systems with Spam Quarantine features exposed to the internet and remains unpatched.
Separately, over 10,000 IP addresses launched brute force attacks against Cisco SSL VPNs and Palo Alto GlobalProtect systems, generating 1.7 million authentication attempts in 16 hours. The automated campaign primarily targeted US, Mexican, and Pakistani organizations before abruptly ending. Cisco is developing patches while recommending customers take Spam Quarantine offline immediately.
Source: Dark Reading
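A campaign spread across more than 10,000 source addresses is designed to stay under the per-IP lockout rules most VPN gateways ship with: each source only tries a handful of times. The following is an added example, not code from the original article or from Cisco, showing why a tenant-wide aggregate view is needed alongside the per-IP rule. It parses a constructed log excerpt written in the shape of Cisco ASA AAA syslog messages (%ASA-6-113005 for a rejected authentication, %ASA-6-113004 for a successful one); the IPs and usernames are made up, and the thresholds are illustrative assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed log excerpt in the shape of Cisco ASA AAA messages. Six sources each make
# only two attempts, which keeps every one of them under a typical per-IP lockout
# threshold while the campaign as a whole is clearly visible.
SAMPLE_LOG = """\
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = alice : user IP = 198.51.100.1
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = bob : user IP = 198.51.100.1
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = carol : user IP = 198.51.100.2
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = dave : user IP = 198.51.100.2
%ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = alice
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = alice : user IP = 198.51.100.3
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = carol : user IP = 198.51.100.3
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = bob : user IP = 198.51.100.4
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = dave : user IP = 198.51.100.4
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = alice : user IP = 198.51.100.5
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = dave : user IP = 198.51.100.5
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = bob : user IP = 198.51.100.6
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = carol : user IP = 198.51.100.6
"""

# Matches only rejected-authentication lines and pulls out the username and source IP.
REJECT_RE = re.compile(
    r"%ASA-6-113005: .*?: user = (?P<user>\S+) : user IP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failures(log_text):
    """Extract (user, source_ip) pairs from rejected-authentication lines; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            events.append((m.group("user"), m.group("ip")))
    return events


def per_ip_alerts(events, threshold=5):
    """Classic lockout-style rule: source IPs with at least `threshold` failures."""
    counts = Counter(ip for _, ip in events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def distributed_spray_summary(events, min_sources=5, min_failures=10, per_ip_threshold=5):
    """Tenant-wide view that catches a campaign spread thin across many sources.

    Flags when aggregate failure volume and source diversity are both high, records
    whether every source stayed under the per-IP rule, and reports how many distinct
    sources hit each user (many sources per user is the signature of a spray).
    """
    by_ip = Counter(ip for _, ip in events)
    ips_per_user = defaultdict(set)
    for user, ip in events:
        ips_per_user[user].add(ip)
    summary = {
        "failures": len(events),
        "distinct_source_ips": len(by_ip),
        "max_failures_per_ip": max(by_ip.values(), default=0),
        "users_by_source_count": {u: len(ips) for u, ips in sorted(ips_per_user.items())},
    }
    summary["flagged"] = (
        summary["distinct_source_ips"] >= min_sources and summary["failures"] >= min_failures
    )
    summary["under_per_ip_radar"] = summary["max_failures_per_ip"] < per_ip_threshold
    return summary


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    print("per-IP alerts:", per_ip_alerts(events) or "none")
    print("aggregate view:", distributed_spray_summary(events))
```

On this input the per-IP rule fires for nothing, while the aggregate view reports twelve failures from six sources against four users, each user probed from three different addresses. In production the same logic would run over a sliding time window, and the thresholds would be tuned to the tenant's normal failure rate.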