This week’s intelligence highlights a dangerous convergence of zero-day exploitation and identity-centric abuse.
We track unpatched CVSS 10.0 flaws in Cisco’s email security infrastructure and critical authentication bypasses in Fortinet’s perimeter defence. Simultaneously, the focus of threat actors is shifting toward the “human-to-cloud” interface: leveraging compromised IAM credentials for massive resource hijacking and exploiting the opaque ecosystem of “parked” domains to serve malware at scale.
These trends, combined with a sophisticated physical access breach in the maritime sector, reinforce that resilience must now extend from the virtual code to the physical hardware.
1. Critical Infrastructure & Zero-Day Exploitation
Active Attacks Exploiting Unpatched Zero-Day in AsyncOS Email Security Appliances
Cisco has alerted users to a maximum-severity zero-day vulnerability in its AsyncOS software, which is currently being actively exploited by a China-nexus threat actor tracked as UAT-9686. The unpatched flaw, designated CVE-2025-20393 (CVSS 10.0), allows attackers to execute arbitrary commands with root privileges on the underlying operating system of affected Cisco Secure Email Gateway and Secure Email and Web Manager appliances.
Exploitation occurs when the Spam Quarantine feature is enabled and exposed to the internet, a condition being weaponised to drop backdoors like AquaShell and tunneling tools such as ReverseSSH.
In response to the ongoing campaign, CISA has added this zero-day to its Known Exploited Vulnerabilities (KEV) catalog, urging organisations to apply mitigations by December 24th, 2025.
Fortinet FortiGate Under Active Attack via SAML SSO Authentication Bypass
Threat actors have begun actively exploiting two critical authentication bypass vulnerabilities in Fortinet FortiGate devices, CVE-2025-59718 and CVE-2025-59719 (CVSS scores: 9.8). These flaws allow unauthenticated attackers to bypass Single Sign-On (SSO) authentication by sending crafted SAML messages, provided the FortiCloud SSO feature is enabled.
Although disabled by default, this feature is automatically activated during FortiCare registration unless explicitly turned off.
Intrusions observed as early as December 12th, 2025, involved attackers targeting the “admin” account to successfully authenticate and export device configuration files, which contain hashed credentials that can be cracked offline. CISA added CVE-2025-59718 to its KEV catalog on December 16th, 2025.
Our Take: The Perimeter is Becoming Transparent.
The exploitation of unpatched zero-days in Cisco and Fortinet devices proves that the “outer shell” of corporate security remains a primary target for sophisticated state-nexus actors.
The Fortinet flaw is particularly insidious because it weaponises a feature (SSO) intended to improve security.
Organisations must treat these as “patch immediately” emergencies. If you utilise FortiCloud SSO, assume compromise and initiate a credential reset cycle for all administrative accounts.
2. Cloud Hijacking & Identity Abuse
Compromised IAM Credentials Power a Large AWS Crypto Mining Campaign
An ongoing campaign targeting Amazon Web Services (AWS) customers has been observed using compromised Identity and Access Management (IAM) credentials to enable large scale cryptocurrency mining. The unknown threat actor gains initial access and, within 10 minutes, initiates crypto mining operations across ECS and EC2 resources.
The attack chain involves a sophisticated discovery phase using the RunInstances API with the “DryRun” flag to probe environment quotas and validate admin-like permissions without launching instances or incurring forensic traces. To maximise the duration of the mining, the adversary uses the ModifyInstanceAttribute action to enable termination protection, preventing the instances from being terminated via the AWS console or API.
Unsecured 16TB Database Exposes 4.3 Billion Professional Records
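The two API behaviours described above both leave a CloudTrail footprint, so they make a good detection pair. The script below is an added example for this bulletin (not Secora’s or AWS’s code): it reads CloudTrail-shaped records and flags a burst of DryRun RunInstances calls from one identity (CloudTrail records these with errorCode Client.DryRunOperation even though no instance is launched) and any ModifyInstanceAttribute call that sets disableApiTermination. All records, the account id, ARNs and instance ids are constructed placeholders; the burst threshold and window are tunable assumptions.

```python
"""Flag the EC2 discovery and persistence pattern from the AWS campaign above.

Added example (not Secora's or AWS's code). Two findings are raised:
  * ec2-dryrun-probing: >= THRESHOLD RunInstances calls with DryRun set from one
    identity inside WINDOW (CloudTrail errorCode "Client.DryRunOperation");
  * termination-protection-enabled: ModifyInstanceAttribute setting
    disableApiTermination to true.
All records below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

DRYRUN_BURST_THRESHOLD = 3             # probes from one identity ... (assumed tuning)
DRYRUN_WINDOW = timedelta(minutes=10)  # ... within this window

ACCT = "123456789012"  # placeholder account id


def _ev(time, name, user, params, error=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    rec = {"eventTime": time, "eventSource": "ec2.amazonaws.com", "eventName": name,
           "userIdentity": {"arn": f"arn:aws:iam::{ACCT}:user/{user}"},
           "requestParameters": params}
    if error:
        rec["errorCode"] = error
    return rec


SAMPLE_EVENTS = [
    # quota/permission probing: several DryRun launches of large instance types
    _ev("2025-12-15T10:01:05Z", "RunInstances", "ci-deploy", {"instanceType": "p4d.24xlarge", "dryRun": True}, "Client.DryRunOperation"),
    _ev("2025-12-15T10:01:09Z", "RunInstances", "ci-deploy", {"instanceType": "c6i.32xlarge", "dryRun": True}, "Client.DryRunOperation"),
    _ev("2025-12-15T10:01:14Z", "RunInstances", "ci-deploy", {"instanceType": "g5.48xlarge", "dryRun": True}, "Client.DryRunOperation"),
    _ev("2025-12-15T10:02:30Z", "RunInstances", "ci-deploy", {"instanceType": "p4d.24xlarge", "dryRun": True}, "Client.DryRunOperation"),
    # the real launch, then termination protection switched on
    _ev("2025-12-15T10:09:41Z", "RunInstances", "ci-deploy", {"instanceType": "p4d.24xlarge"}),
    _ev("2025-12-15T10:12:03Z", "ModifyInstanceAttribute", "ci-deploy", {"instanceId": "i-0c0ffee000000001", "disableApiTermination": {"value": True}}),
    # benign noise: one DryRun from an admin testing a script, and a routine attribute change
    _ev("2025-12-15T11:00:00Z", "RunInstances", "alice", {"instanceType": "t3.micro", "dryRun": True}, "Client.DryRunOperation"),
    _ev("2025-12-15T11:05:00Z", "ModifyInstanceAttribute", "alice", {"instanceId": "i-0c0ffee000000002", "instanceType": {"value": "t3.small"}}),
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _identity(event):
    return event.get("userIdentity", {}).get("arn", "<unknown>")


def _attr_true(value):
    """Attribute values appear as {"value": true} in CloudTrail; accept a bare bool too."""
    if isinstance(value, dict):
        value = value.get("value")
    return value is True or str(value).lower() == "true"


def find_dryrun_probing(events, threshold=DRYRUN_BURST_THRESHOLD, window=DRYRUN_WINDOW):
    """Group DryRun RunInstances failures per identity and report sliding-window bursts."""
    probes = defaultdict(list)
    for e in events:
        if (e.get("eventSource") == "ec2.amazonaws.com" and e.get("eventName") == "RunInstances"
                and e.get("errorCode") == "Client.DryRunOperation"):
            probes[_identity(e)].append((_ts(e), e.get("requestParameters", {}).get("instanceType")))
    findings = []
    for identity, items in probes.items():
        items.sort(key=lambda x: x[0])
        for i in range(len(items)):
            j = i
            while j < len(items) and items[j][0] - items[i][0] <= window:
                j += 1
            if j - i >= threshold:  # one finding per identity, on the first qualifying window
                findings.append({"rule": "ec2-dryrun-probing", "identity": identity, "count": j - i,
                                 "first_seen": items[i][0].isoformat(),
                                 "instance_types": sorted({t for _, t in items[i:j] if t})})
                break
    return findings


def find_termination_protection(events):
    """Report successful ModifyInstanceAttribute calls that turn on disableApiTermination."""
    findings = []
    for e in events:
        if e.get("eventName") != "ModifyInstanceAttribute" or e.get("errorCode"):
            continue
        params = e.get("requestParameters", {})
        if _attr_true(params.get("disableApiTermination")):
            findings.append({"rule": "termination-protection-enabled", "identity": _identity(e),
                             "instance_id": params.get("instanceId"), "time": e["eventTime"]})
    return findings


def triage(events):
    return find_dryrun_probing(events) + find_termination_protection(events)


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Run against a CloudTrail export, the probing rule should fire on the compromised identity well before the real launch, which is the point: it is the cheapest early-warning signal in the chain. The termination-protection rule is noisier in estates that enable it routinely, so pair it with the identity or time window of the first rule rather than alerting on it alone.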
Cybersecurity researchers have discovered a massive, unsecured MongoDB database containing approximately 4.3 billion professional records spanning over 16 terabytes of data.
The dataset appears to be derived from extensive scraping of LinkedIn profiles, exposing full names, email addresses, phone numbers and LinkedIn URLs.
This exposure was the result of a common misconfiguration that left the database publicly accessible without a password. While individual data points may seem low risk, experts warn that aggregating this information provides threat actors with a high fidelity “roadmap” for automated phishing and executive impersonation.
Our Take: Identity is the Key to High Velocity Attacks.
The AWS campaign demonstrates how quickly a single set of compromised credentials can lead to mass resource hijacking. Simultaneously, the 4.3 billion record leak provides the raw intelligence needed for the next wave of social engineering.
Organisations must pivot toward Zero Trust Identity, enforcing hardware-based MFA and aggressively rotating temporary credentials to reduce the “blast radius” of any single credential compromise.
3. Evasive Malware & Web-Based Threats
Most Parked Domains Now Serving Malicious Content
A recent study by Infoblox reveals a dangerous shift: over 90% of “parked” domains (dormant sites or misspellings of popular brands) now lead directly to malicious content, scareware or malware. This is a massive escalation from 2014, when fewer than 5% were malicious.
Modern attackers use a chain of redirects and device profiling to decide when to serve deceptive content, often bypassing users on VPNs while targeting those on residential IP addresses.
This risk is attributed to shifts in the advertising market, where domain owners have pivoted toward more aggressive monetisation models after major platforms like Google tightened ad policies.
GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads
The GhostPoster campaign leveraged 17 Mozilla Firefox extensions to infect over 50,000 users via a highly evasive, steganographic attack chain. The malicious add-ons, posing as VPNs or ad blockers, embedded hidden JavaScript code directly within their own PNG logo files. This payload monitors browsing activity, strips security protections, and opens a backdoor for remote code execution (RCE). The campaign used sophisticated evasion tactics, including activation delays of over six days and randomized payload delivery to bypass security reviews.
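A reviewer vetting an extension package can check its image assets for exactly this trick. The scanner below is an added example for this bulletin (not code from the researchers or from Mozilla): it walks the PNG chunk structure and reports text chunks (tEXt/zTXt/iTXt) containing script-like content, bytes appended after the IEND chunk where a PNG should end, and chunks whose CRC does not match. The sample images are built inline by build_png() and are constructed, not real add-on assets; the script-indicator regex is an assumed heuristic to tune for your own pipeline.

```python
"""Scan PNG files for payload-bearing chunks of the kind GhostPoster hid in add-on logos.

Added example (not the researchers' or Mozilla's code). Reports:
  * script-in-text-chunk: tEXt/zTXt/iTXt text matching SCRIPT_RE (assumed heuristic),
  * trailing-data: bytes after the IEND chunk,
  * bad-crc: chunk CRC mismatch (hand-edited file).
All sample images are constructed by build_png().
"""
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Assumed indicators of embedded script; adjust for your own review pipeline.
SCRIPT_RE = re.compile(rb"(eval\s*\(|new\s+Function|atob\s*\(|fetch\s*\(|XMLHttpRequest|<script|document\.|browser\.)", re.I)


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Encode one PNG chunk: length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png(extra_chunks=(), trailing=b"") -> bytes:
    """Return a valid 1x1 RGB PNG, optionally with extra chunks before IEND and trailing bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte + one red pixel
    body = [_chunk(b"IHDR", ihdr), _chunk(b"IDAT", idat)]
    body += [_chunk(t, p) for t, p in extra_chunks]
    body.append(_chunk(b"IEND", b""))
    return PNG_SIG + b"".join(body) + trailing


def parse_chunks(data: bytes):
    """Return ([(type, payload, crc_ok), ...], trailing_bytes_after_IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(payload) < length or len(crc_bytes) < 4:
            break  # truncated chunk
        crc_ok = struct.unpack(">I", crc_bytes)[0] == (zlib.crc32(ctype + payload) & 0xFFFFFFFF)
        chunks.append((ctype, payload, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def _chunk_text(ctype: bytes, payload: bytes) -> bytes:
    """Text of a tEXt (keyword\\0text) or zTXt (keyword\\0method\\0zlib-text) chunk."""
    _keyword, _, rest = payload.partition(b"\x00")
    if ctype == b"zTXt":
        try:
            return zlib.decompress(rest[1:])  # rest[0] is the compression method byte
        except zlib.error:
            return rest
    return rest


def scan_png(data: bytes):
    findings = []
    chunks, trailing = parse_chunks(data)
    for ctype, payload, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append({"kind": "bad-crc", "chunk": name})
        if ctype in (b"tEXt", b"zTXt", b"iTXt"):
            text = payload if ctype == b"iTXt" else _chunk_text(ctype, payload)
            m = SCRIPT_RE.search(text)
            if m:
                findings.append({"kind": "script-in-text-chunk", "chunk": name,
                                 "indicator": m.group(0).decode("latin-1")})
    if trailing.strip():
        findings.append({"kind": "trailing-data", "chunk": "IEND", "bytes": len(trailing)})
    return findings


# Constructed samples: one clean logo and three ways of smuggling content into it.
_clean = build_png()
_tampered = bytearray(_clean)
_tampered[-13] ^= 0xFF  # corrupt the last CRC byte of the IDAT chunk (IEND is the final 12 bytes)
SAMPLES = {
    "clean": _clean,
    "text-chunk-js": build_png(extra_chunks=[(b"tEXt", b"Comment\x00eval(atob('aGVsbG8='))")]),
    "ztxt-js": build_png(extra_chunks=[(b"zTXt", b"Comment\x00\x00" + zlib.compress(b"fetch('https://example.invalid/c')"))]),
    "trailing": build_png(trailing=b"<script>document.title=1</script>"),
    "bad-crc": bytes(_tampered),
}

if __name__ == "__main__":
    for label, png in SAMPLES.items():
        print(label, scan_png(png))
```

Point it at every image in an unpacked .xpi and treat any finding as a reason to read the extension’s JavaScript for code that opens its own icon and decodes it; a logo has no legitimate reason to carry text chunks of script or bytes past IEND.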
Phantom Stealer Spread via ISO Phishing Hitting Russian Finance Sector
Operation MoneyMount ISO targets the Russian finance sector with emails that deliver the Phantom information stealing malware via malicious ISO optical disc images.
The infection chain uses fake payment confirmation lures to trick recipients into opening a ZIP archive that contains an ISO file. When launched, the ISO auto-mounts on Windows and executes an embedded DLL to deploy Phantom Stealer directly in memory.
The malware extracts data from cryptocurrency wallets and Discord tokens while logging keystrokes.
Our Take: Stealth is the New Standard.
From steganography in Firefox icons to ISO file auto-mounting, attackers are moving away from overt executables toward “living off the browser” and “living off the OS” techniques. This makes signature-based detection effectively obsolete.
Organisations should implement strict browser extension whitelisting and utilise EDR/XDR solutions capable of monitoring in-memory JavaScript execution and unusual process spawning from common archival file types.
4. Strategic & Physical Resilience
GNV Ferry Fantastic Under Cyberattack Probe Amid Remote Hijack Fears
French and Italian intelligence services have launched an investigation into a suspected state-sponsored cyberattack on the Italian-operated ferry Fantastic.
Investigators uncovered a sophisticated intrusion involving concealed miniature computers (Raspberry Pi devices) connected to the ship’s internal network and paired with cellular modems to provide remote access via a Remote Access Trojan (RAT).
While network segregation prevented attackers from reaching critical navigation systems, the breach allowed them to target the ship’s office network.
A Latvian crew member has been charged with serving a foreign power.
Our Take: The Convergence of Physical and Cyber.
The GNV Fantastic incident is a stark reminder that cybersecurity isn’t just about remote exploitation. Insider threats and physical access are equally potent. This move to plant hardware backdoors on critical infrastructure reflects a high degree of intent for long term surveillance or future sabotage.
Organisations responsible for critical assets must incorporate Physical Security Audits and Supply Chain Integrity Checks into their broader cybersecurity strategy to ensure that “air gapped” or segregated systems remain truly protected from physical interference.
Prioritise Control Validation and Identity Security
This week’s intelligence confirms that threat actors are strategically operating at the highest levels of privilege, whether exploiting critical CVSS 10.0 flaws in network infrastructure or weaponising cloud IAM roles. The time to upgrade and validate is now.
Secora Consulting’s specialised service pillars are designed to counter the advanced, persistent threats highlighted this week:
- Validate Perimeter Integrity: The continuous stream of actively exploited flaws in Cisco and Fortinet infrastructure demands immediate verification. Our Adversary Simulation Testing and Penetration Testing services stress-test your environment against these exact TTPs.
- Harden the Human Layer: From ISO phishing to malicious browser extensions, the user remains a primary target. Our Simulated Phishing Attacks and security awareness training focus on the latest evasive techniques used by APTs.
Security must be a layered, strategic function. Partner with Secora Consulting to implement the resilient defence necessary to counter today’s sophisticated threats.