Ticker feed
A sprawling cybercrime network called "the Com" is behind recent high-profile hacks including Pornhub user data theft by ShinyHunters. The loose affiliation comprises thousands of mostly male English speakers aged 16-25, operating like a criminal pipeline where older members groom younger recruits.
The Com splits into three branches: Hacker Com (ransomware attacks on retailers like M&S), IRL Com (bomb threats and "swatting" incidents), and Extortion Com (targeting children for self-harm content). FBI investigations have increased six-fold since 2022, with over 250 active cases devoted to the Extortion Com branch alone.
Members communicate via Discord and Telegram, motivated by status, misogyny, and causing chaos.
Source: The Guardian
Chinese state-sponsored hackers are actively exploiting a critical zero-day vulnerability in Cisco's email security products, the company warned Wednesday. The flaw (CVE-2025-20393) affects Secure Email Gateway and Web Manager appliances, allowing attackers to execute commands with full system privileges.
Cisco's Talos team discovered the attacks on December 10, but they've been ongoing since late November. The hackers, tracked as UAT-9686, deployed custom tools including AquaShell backdoor and AquaTunnel for remote access. They're targeting devices with certain internet-facing ports open.
No patch is available yet, and Cisco hasn't identified workarounds. CISA ordered federal agencies to address the vulnerability by December 24.
Source: Security Week
Cisco faced two major security incidents this month. First, a Chinese threat group called UAT-9686 exploited a critical zero-day vulnerability (CVE-2025-20393) in Cisco's email security appliances, gaining root access and deploying custom malware including AquaShell backdoor. The flaw affects systems with Spam Quarantine features exposed to the internet and remains unpatched.
Separately, over 10,000 IP addresses launched brute force attacks against Cisco SSL VPNs and Palo Alto GlobalProtect systems, generating 1.7 million authentication attempts in 16 hours. The automated campaign primarily targeted US, Mexican, and Pakistani organizations before abruptly ending. Cisco is developing patches while recommending customers take Spam Quarantine offline immediately.
Source: Dark Reading
The UK government confirmed it's investigating a cyberattack that occurred in October, with a Chinese-affiliated group suspected of being behind the breach. Trade Minister Sir Chris Bryant said the security gap was "closed pretty quickly" and poses "fairly low risk" to individuals.
Hackers accessed Home Office systems operated by the Foreign Office, potentially targeting visa details according to reports. The National Cyber Security Centre is working with government partners to assess the full impact.
The timing creates diplomatic complications ahead of Prime Minister Keir Starmer's planned Beijing visit next year - the first by a UK PM since 2018. China has consistently denied backing cyberattacks against the UK, calling such accusations "malicious slander."
Source: BBC News
SonicWall disclosed that hackers are actively exploiting a new zero-day vulnerability (CVE-2025-40602) in its SMA1000 access devices. The medium-severity flaw allows privilege escalation and is being chained with an older critical vulnerability from January attacks.
Google researchers discovered the vulnerability, which stems from insufficient authorization in the device management console. SonicWall urges customers to immediately apply hotfixes in versions 12.4.3-03245 and 12.5.0-02283 or higher.
This marks another challenging year for SonicWall customers, following October's cloud backup breach that exposed all customer firewall configurations and summer ransomware attacks by the Akira gang.
Source: Dark Reading
CISA added a critical vulnerability in Asus Live Update utility to its Known Exploited Vulnerabilities catalog Wednesday, warning federal agencies to stop using the now-discontinued software. The flaw (CVE-2025-59374) stems from Operation ShadowHammer, a 2018 supply chain attack by Chinese state-sponsored group APT41.
The hackers injected a backdoor into the pre-installed utility used for updating BIOS and drivers on Asus devices. While over 1 million users downloaded the compromised software, attackers targeted only about 600 specific devices based on hardcoded MAC addresses. Asus patched the issue in March 2019 after discovery.
Federal agencies have three weeks to identify and remove vulnerable products from their networks.
Source: Security Week
CISA added a critical Fortinet vulnerability (CVE-2025-59718) to its exploited vulnerabilities catalog after detecting active attacks. The flaw, along with CVE-2025-59719, allows hackers to bypass authentication on FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager devices using crafted SAML messages.
Arctic Wolf researchers spotted attacks starting December 12, just three days after Fortinet disclosed the vulnerabilities on December 9. Attackers from Germany, the US, and Asia targeted admin accounts, stealing device configurations and credentials from compromised FortiGate devices.
The vulnerabilities affect devices with FortiCloud SSO enabled, which automatically activates when administrators register through the GUI. Federal agencies must patch by December 23 or stop using affected products. Organizations can temporarily disable FortiCloud login while implementing patches across multiple Fortinet product versions.
Source: Dark Reading
Hackers calling themselves ShinyHunters have accessed the viewing habits and search history of over 200 million Pornhub premium users. The breach exposed email addresses, video preferences, search activities, and location data, though passwords and payment information weren't compromised.
The attack targeted Mixpanel, a data analytics company that worked with Pornhub until 2021, meaning the stolen data isn't current. ShinyHunters, a Western-based group of English-speaking hackers in their teens and twenties, has demanded bitcoin payment to prevent releasing the information publicly.
Pornhub emphasized their own systems weren't breached and that only a "select" number of users were affected through the third-party analytics provider.
Source: The Guardian
Fortune 500 automotive parts giant LKQ Corporation has confirmed it was hit by the Cl0p ransomware group's Oracle E-Business Suite hacking campaign. The breach compromised personal information of over 9,000 individuals, primarily sole proprietor suppliers whose data included Social Security numbers and Employer Identification Numbers.
LKQ discovered the attack on October 3 and completed its investigation on December 1. The company says there's no evidence the breach extended beyond its Oracle EBS environment. However, cybercriminals have allegedly leaked several terabytes of stolen files online.
This marks LKQ's second cyberattack in two years. The Cl0p group has targeted over 100 organizations through this Oracle campaign, with confirmed victims including Logitech, Canon, Cox, and Mazda.
Source: SecurityWeek
Google addressed eight actively exploited zero-day vulnerabilities in Chrome during 2025, all classified as high severity with CVSS scores averaging 8.5. Half targeted Chrome's V8 JavaScript engine, while others exploited graphics rendering and sandbox protection mechanisms.
Google's Threat Analysis Group discovered six vulnerabilities, with external contributions from Kaspersky and Apple teams. Notable attacks included Operation ForumTroll in March, which used CVE-2025-2783 to deploy LeetAgent spyware on Russian targets through sandbox escape techniques.
Type confusion vulnerabilities dominated, accounting for three flaws that exploited V8's optimization strategies. Two vulnerabilities enabled complete sandbox escapes, the most severe browser attack class. All eight were added to CISA's Known Exploited Vulnerabilities catalog, mandating immediate federal agency remediation.
Source: Cyber Security News