Daily Brief

Total articles found: 12615

2025-12-16 11:05:47 | thehackernews | VULNERABILITIES | Fortinet FortiGate Devices Targeted by SAML Authentication Bypass Exploits
Cyber attackers are exploiting two critical vulnerabilities in Fortinet FortiGate devices, identified as CVE-2025-59718 and CVE-2025-59719, with CVSS scores of 9.8. Arctic Wolf reported active intrusions involving malicious single sign-on logins on FortiGate appliances as of December 12, 2025. These vulnerabilities allow unauthenticated bypass of SSO login authentication via crafted SAML messages when FortiCloud SSO is enabled. Fortinet has released patches for the affected products, including FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, urging immediate application. Attackers have used IP addresses from specific hosting providers to execute malicious logins and export device configurations. Organizations are advised to disable FortiCloud SSO and limit management interface access to trusted users until systems are patched. Fortinet customers should reset hashed firewall credentials if indicators of compromise are detected, as weak credentials may be cracked offline.

2025-12-16 08:28:00 | thehackernews | VULNERABILITIES | React2Shell Exploitation Leads to Linux Backdoor Deployments Worldwide
React2Shell, tracked as CVE-2025-55182 with a CVSS score of 10.0, is actively exploited to deploy Linux backdoors like KSwapDoor and ZnDoor, impacting global organizations. The backdoors provide remote access through a mesh network, using military-grade encryption and stealth features to evade detection and bypass firewalls. Attackers leverage Cloudflare tunnel endpoints to bypass security defenses, conducting reconnaissance and credential theft across cloud platforms like Azure, AWS, GCP, and Tencent Cloud. The malware impersonates legitimate Linux processes, enabling command execution, file operations, and lateral movement, complicating detection and mitigation efforts. Microsoft and Google have identified multiple threat groups, including at least five China-nexus actors, exploiting the flaw to deploy payloads such as VShell, EtherRAT, and ShadowPad. Over 111,000 IP addresses are vulnerable, with significant exposure in the U.S., Germany, France, and India, highlighting the widespread risk and need for immediate patching. Organizations are advised to update systems promptly, monitor for suspicious activity, and implement robust security measures to mitigate the threat of React2Shell exploitation.

2025-12-16 06:07:41 | thehackernews | MISCELLANEOUS | Google to Discontinue Dark Web Monitoring Tool by February 2026
Google plans to retire its dark web monitoring tool in February 2026, initially launched to help users detect personal data breaches. Scans for new breaches will cease on January 15, 2026, with the full discontinuation of the tool by February 16, 2026. Feedback indicated the tool lacked actionable guidance, prompting Google to refocus on more effective online protection tools. All data associated with the dark web report will be deleted upon the feature's retirement, with users able to preemptively delete their profiles. Originally launched in March 2023, the tool expanded in July 2024 to include all Google account holders, not just Google One subscribers. Google encourages users to enhance account security by implementing phishing-resistant MFA and managing personal data visibility in search results. The decision reflects a strategic pivot towards providing users with clearer, actionable security measures for online safety.

2025-12-16 05:53:03 | theregister | MISCELLANEOUS | PwC Leverages AI to Enhance Cybersecurity Resilience and Strategy
PwC is integrating AI across the cybersecurity lifecycle to transform risk management into a strategic advantage for clients, enhancing speed, accuracy, and confidence in threat detection and response. AI is employed to accelerate threat detection, streamline compliance, and make cybersecurity processes more efficient, allowing organizations to better adapt to evolving threats. PwC collaborates with AWS to provide early access to new security services, enabling clients to leverage advanced tools within their own environments for improved data management and compliance. AI's automation capabilities reduce manual workload for security teams, enabling continuous audits and compliance checks, allowing teams to focus on proactive defense strategies. Despite the benefits, many organizations face challenges in scaling AI initiatives; PwC addresses this by setting clear success criteria and integrating security from the outset. The future of cybersecurity, according to PwC, involves a balanced partnership between AI automation and human oversight, ensuring effective and informed decision-making in threat management.

2025-12-16 05:30:04 | theregister | DATA BREACH | SoundCloud Cyberattack Exposes Data of 26 Million Users
SoundCloud experienced a cyberattack affecting 20% of its users, with unauthorized access to non-sensitive data, including email addresses and public profile information. The breach impacted approximately 26 million users, based on SoundCloud's user base of 132 million, although no financial or password data was compromised. The attack involved unauthorized activity in an ancillary service dashboard, which was promptly contained following activation of SoundCloud's incident response protocols. SoundCloud faced subsequent denial of service attacks, temporarily affecting platform availability, which were successfully repelled. In response, SoundCloud enhanced monitoring, reviewed access controls, and conducted a comprehensive system audit to prevent future incidents. Temporary connectivity issues for VPN users arose due to system configuration changes, leading to incorrect assumptions about VPN blocking. The incident emphasizes the importance of robust identity and access management, particularly in safeguarding ancillary systems from unauthorized access.

2025-12-16 05:30:03 | bleepingcomputer | DATA BREACH | ShinyHunters Extorts PornHub Following Mixpanel Data Breach
PornHub faces extortion after ShinyHunters claims to have stolen Premium member data through a Mixpanel breach, affecting search and watch histories. The breach reportedly involves 94GB of data, including over 200 million records of sensitive information, such as email addresses and video activity. Mixpanel, the analytics vendor, suffered a breach via an SMS phishing attack, though it disputes the connection to the November incident. PornHub clarified that the breach did not compromise its systems; passwords and financial details of Premium users remain secure. ShinyHunters has been linked to multiple high-profile breaches in 2025, exploiting vulnerabilities in Salesforce integrations and Oracle systems. The threat group is also developing a ransomware-as-a-service platform, ShinySpid3r, indicating a potential escalation in their cybercriminal activities. Businesses are reminded of the importance of robust third-party risk management and the need for continuous monitoring of data access and usage.

2025-12-16 00:42:30 | bleepingcomputer | DATA BREACH | SoundCloud Data Breach Affects Millions, Disrupts VPN Access
SoundCloud confirmed a security breach resulting in the theft of a database containing user information, impacting VPN access and causing site outages. Approximately 20% of SoundCloud’s users, potentially 28 million accounts, were affected, with exposed data including email addresses and public profile information. The breach did not compromise sensitive data such as financial details or passwords, according to SoundCloud's investigation. SoundCloud has implemented incident response procedures, blocking unauthorized access and enhancing security measures with third-party cybersecurity assistance. A configuration change during the response process disrupted VPN connectivity, with no timeline provided for restoration. Following the breach, SoundCloud experienced denial-of-service attacks, temporarily impacting web availability. The ShinyHunters extortion gang is suspected to be behind the breach, allegedly demanding ransom after stealing user data.

2025-12-15 23:39:10 | theregister | NATION STATE ACTIVITY | Amazon Identifies GRU Cyber Campaign Targeting Western Infrastructure
Amazon's security chief attributes a prolonged cyber campaign targeting Western critical infrastructure to Russia's GRU, focusing on energy, telecom, and tech sectors since 2021. The attackers exploited misconfigured devices and vulnerabilities in AWS-hosted environments, gaining persistent access to sensitive networks. Key vulnerabilities exploited include CVE-2022-26318, CVE-2021-26084, and CVE-2023-22518, impacting devices like enterprise routers and VPN concentrators. Amazon has been actively disrupting these operations by notifying affected customers and collaborating with industry partners and law enforcement. The GRU's tactics involve credential replay attacks and packet capture, with a focus on reducing detection risk by exploiting misconfigurations over high-profile vulnerabilities. Amazon suggests immediate actions for organizations, such as auditing network edge devices and monitoring authentication logs for unusual activity. The campaign aligns with GRU's operational patterns, suggesting a broader strategy involving specialized subclusters for network access and persistence. Recent guidance from US and international agencies emphasizes securing critical networks against such state-sponsored threats.

2025-12-15 23:27:12 | bleepingcomputer | MISCELLANEOUS | Google to Discontinue Dark Web Report Tool by 2026
Google announced it will discontinue its dark web report tool, ceasing new result monitoring on January 15, 2026, and removing data access by February 16, 2026. The tool currently alerts users if their personal data, such as email addresses, is found on the dark web, suggesting protective actions like enabling two-step authentication. Feedback indicated the tool lacked actionable next steps, prompting Google to shift focus to more effective security tools, including Google Password Manager and Password Checkup. Users are encouraged to use existing Google tools for enhanced security, such as Security and Privacy Checkups, Passkey, and 2-Step Verification. Google will continue to develop tools to protect users from online threats, including those originating from the dark web. The decision reflects Google's strategy to prioritize user-friendly tools that provide clear, actionable security measures.

2025-12-15 23:19:57 | bleepingcomputer | DATA BREACH | Askul Corporation Suffers Major Data Breach in Ransomware Attack
Askul Corporation, a leading Japanese e-commerce firm, confirmed the theft of 740,000 customer records following a ransomware attack by the RansomHouse group in October. The breach led to significant IT system failures, disrupting shipments and operations, notably affecting major clients like Muji. Attackers exploited compromised credentials from an outsourced partner's administrator account, which lacked multi-factor authentication, to infiltrate Askul's network. Multiple ransomware variants were deployed, bypassing existing EDR signatures, leading to data encryption and system failures across several servers. Askul responded by disconnecting networks, isolating affected devices, updating EDR signatures, and implementing MFA across all critical systems. The company has notified affected customers and partners individually and informed Japan's Personal Information Protection Commission about the data exposure. Financial impacts are still under assessment, with Askul delaying its earnings report to evaluate the full extent of the attack's consequences.

2025-12-15 22:50:20 | bleepingcomputer | MALWARE | SantaStealer Malware Targets Browsers and Cryptocurrency Wallets
SantaStealer, a new malware-as-a-service, is being marketed on Telegram and hacker forums, targeting data from browsers and cryptocurrency wallets. Developed by a Russian-speaking individual, SantaStealer is a rebranded version of BluelineStealer, with subscriptions priced at $175/month for Basic and $300/month for Premium. Rapid7's analysis indicates that SantaStealer lacks the advertised detection evasion capabilities, with leaked samples showing poor operational security. The malware features 14 data-collection modules, targeting passwords, cookies, browsing history, and cryptocurrency wallets, and exfiltrates data via a hardcoded C2 endpoint. SantaStealer's distribution methods are not fully established, but potential vectors include phishing, pirated software, and malvertising. Rapid7 advises caution with unrecognized email links and attachments, and warns against running unverified code from public repositories. The malware's development and marketing suggest an ongoing trend in the cybercriminal ecosystem towards sophisticated data theft operations.

2025-12-15 21:35:01 | bleepingcomputer | DATA BREACH | PornHub Faces Extortion After Mixpanel Data Breach Exposes User Activity
PornHub is being extorted by ShinyHunters following a breach at Mixpanel, affecting Premium members' search and watch history data. The breach occurred on November 8th, 2025, via an SMS phishing attack that compromised Mixpanel's systems, impacting several clients. PornHub clarified that its systems were not breached, and sensitive financial information remains secure; the data breach involves historical data from 2021 or earlier. ShinyHunters claims to have stolen 94GB of data, including over 200 million records detailing user activity, such as email addresses and video interactions. The extortion group has threatened to publish the stolen data unless a ransom is paid, marking another significant breach attributed to ShinyHunters this year. Mixpanel's breach also impacted other clients, including OpenAI and CoinTracker, with ShinyHunters confirmed as the responsible party. The incident underscores the risks associated with third-party vendors and the importance of robust cybersecurity measures to protect sensitive user data.

2025-12-15 18:27:02 | bleepingcomputer | MISCELLANEOUS | SoundCloud VPN Access Disruption Affects Global User Base
SoundCloud users accessing the platform via VPNs are encountering HTTP 403 'Forbidden' errors, disrupting service for individuals in regions where the platform is restricted. The issue has persisted for four days, affecting all user accounts regardless of membership status, and has been confirmed by BleepingComputer through user reports. SoundCloud's senior director of communications attributes the problem to recent configuration changes, with efforts underway to resolve the connectivity issues. The platform, which supports 140 million registered users and 40 million creators, is crucial for independent artists and for users in countries with access restrictions. Users in China, Russia, Venezuela, and Kazakhstan often rely on VPNs to bypass local bans on SoundCloud, making the current disruption particularly impactful. While some users have found temporary workarounds, success has been inconsistent, and a permanent fix from SoundCloud is still pending. SoundCloud's ongoing communication via social media and direct statements aims to keep users informed, though no timeline for resolution has been provided.

2025-12-15 18:01:14 | theregister | VULNERABILITIES | React2Shell Exploitation by State-Sponsored and Criminal Groups Intensifies
Google warns of active exploitation of the React2Shell flaw, CVE-2025-55182, by Chinese and Iranian state-sponsored actors and financially motivated criminals. The vulnerability in the React JavaScript library allows unauthenticated attackers to execute remote code, leading to backdoors, tunnelers, and cryptocurrency miners being deployed. Chinese groups such as Earth Lamia and Jackpot Panda began exploiting the flaw immediately after its disclosure, targeting over 50 organizations across various sectors. Google's report identifies five additional Chinese espionage groups, including UNC6600 and UNC6586, using the flaw to deploy persistent backdoors like Minocat and Snowlight. North Korean and Iranian-linked actors are also implicated, although specific details about their activities remain limited. The vulnerability's exploitation is discussed in underground forums, with shared tools and experiences, increasing the risk of widespread attacks. Google advises patching React Server Components and monitoring for indicators of compromise, including unauthorized process terminations and suspicious network traffic. Three additional React vulnerabilities, CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779, pose risks of denial-of-service and source code leaks, necessitating immediate attention and remediation.

2025-12-15 17:53:32 | thehackernews | DATA BREACH | Chrome Extension Secretly Harvests AI Chat Data from Millions of Users
Urban VPN Proxy, a Chrome extension with six million users, has been collecting AI chatbot interactions, including prompts and responses, without user consent. The extension, rated 4.7 on the Chrome Web Store, intercepts data using JavaScript executors for popular AI platforms like ChatGPT and Microsoft Copilot. Data is exfiltrated to remote servers, despite the extension's claims of enhancing user privacy and providing VPN services. Urban VPN's privacy policy acknowledges data collection for marketing analytics, yet fails to guarantee the removal of sensitive information. BIScience, the parent company, uses collected data for commercial insights, exploiting Chrome Web Store policy exceptions to justify data access. Koi Security identified similar data harvesting practices in three other extensions by the same publisher, affecting over eight million users. The incident raises concerns about the trustworthiness of browser extension marketplaces and the potential misuse of personal data shared with AI systems.