
RadioCSIRT English Edition – Your Cybersecurity News for Saturday, December 27, 2025 (Ep. 63)
27/12/2025 | 12 min
Welcome to your daily cybersecurity podcast.

We open this edition with several security advisories published by CERT-FR regarding critical vulnerabilities affecting major components of the Linux ecosystem and enterprise environments. The bulletins notably concern Ubuntu, Red Hat, and IBM products, which are exposed to flaws that may allow privilege escalation, arbitrary code execution, or compromise of confidentiality. These vulnerabilities affect widely deployed components in server and cloud infrastructures, highlighting the need for rigorous patch management in critical environments.

We then analyze a vulnerability affecting the Roundcube webmail, referenced as CVE-2025-68461. This flaw allows a remote attacker to exploit input handling mechanisms in order to compromise session security or execute malicious code in the context of the targeted user. Given the widespread use of Roundcube in email infrastructures, this vulnerability represents a significant risk for Internet-exposed organizations.

Finally, we review a security vulnerability patched by Microsoft, identified as CVE-2025-13699. This flaw affects a Windows system component and may be exploited to bypass security mechanisms or gain elevated privileges. Microsoft has released fixes through its update guide and recommends prompt application to reduce the risk of active exploitation.

Sources
CERT-FR – Ubuntu vulnerabilities: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1139/
CERT-FR – Red Hat vulnerabilities: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1141/
CERT-FR – IBM product vulnerabilities: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1137/
Roundcube vulnerability – CVE-2025-68461: https://cyberveille.esante.gouv.fr/alertes/roundcube-cve-2025-68461-2025-12-26
Microsoft – CVE-2025-13699: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-13699

Don’t think, patch!

Your feedback is welcome.
Email: [email protected]
https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtenglishedition.substack.com/

RadioCSIRT – English Edition – Your Cybersecurity News, Friday 26 December 2025 (Ep. 62)
26/12/2025 | 4 min
Welcome to your daily cybersecurity podcast.

We open this edition with a case combining cybercrime and intelligence activities in Eastern Europe. In Georgia, the former head of counterintelligence has been arrested as part of an investigation into large-scale scam centers. Authorities suspect he facilitated or protected structured fraud operations targeting international victims, once again highlighting the convergence of organized crime, corruption, and cyber fraud.

We then analyze a phishing campaign targeting cryptocurrency users through fake emails impersonating Grubhub. The messages promise a tenfold return on cryptocurrency sent by victims. Funds are immediately redirected to attacker-controlled wallets with no possibility of recovery, illustrating a classic yet still highly effective use of social engineering applied to digital assets.

Finally, we examine an operation attributed to Evasive Panda, a China-linked threat actor, which conducted espionage activities using a hijacked DNS infrastructure. The attackers leveraged advanced DNS resolution and traffic redirection techniques to deliver stealthy malicious payloads while bypassing multiple network detection mechanisms. This campaign highlights the continued evolution of APT tradecraft in state-sponsored cyber espionage.

Sources
Arrest in Georgia – scam centers: https://therecord.media/republic-of-georgia-former-spy-chief-arrested-scam-centers
Crypto phishing campaign – fake Grubhub emails: https://www.bleepingcomputer.com/news/security/fake-grubhub-emails-promise-tenfold-return-on-sent-cryptocurrency/
Evasive Panda APT – malicious DNS infrastructure: https://thehackernews.com/2025/12/china-linked-evasive-panda-ran-dns.html

Don’t think, patch!

Your feedback is welcome.
Email: [email protected]
https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtenglishedition.substack.com/

RadioCSIRT – English Edition – (Ep. 61)
25/12/2025 | 9 min
Welcome to your daily cybersecurity podcast.

We open this edition with a geopolitical sequence marking a new phase in transatlantic tensions over digital regulation. The United States has imposed visa restrictions on several European figures involved in regulating technology platforms, including Thierry Breton, former European Commissioner. Washington justifies the decision by accusing European regulators of extraterritorial censorship, notably in the enforcement of the Digital Services Act. The European Union condemned the measure and requested formal explanations, citing an attack on its regulatory sovereignty.

We then analyze CVE-2018-25154, a critical buffer overflow vulnerability affecting GNU Barcode version 0.99. The flaw, linked to the Code 93 encoding mechanism, enables arbitrary code execution through crafted input files. The CVSS 3.1 score is critical at 9.8, with high impact on confidentiality, integrity, and availability.

We also review CVE-2023-36525, an unauthenticated Blind SQL Injection affecting the WPJobBoard WordPress plugin up to version 5.9.0. The vulnerability is remotely exploitable without privileges or user interaction and exposes affected sites to data leakage and persistent modification risks.

In the cybercrime segment, the FBI seized the web3adspanels.org infrastructure, used as a backend to centralize stolen banking credentials from phishing campaigns. The infrastructure enabled account takeover operations against financial institutions and remained active until late 2025.

We then cover Urban VPN Proxy, a free VPN browser extension whose recent versions implement interception and exfiltration of AI platform conversations, including prompts, responses, and session metadata, enabled by default.

Finally, we address the active exploitation of CVE-2020-12812 on FortiGate firewalls, an older vulnerability still abused to bypass 2FA through inconsistencies between FortiGate and LDAP username case handling.

Sources
Tech regulation and USA–EU tensions: https://www.01net.com/actualites/pourquoi-les-etats-unis-sattaquent-a-thierry-breton-et-aux-autres-regulateurs-de-la-tech.html
CVE-2018-25154 – GNU Barcode buffer overflow: https://cvefeed.io/vuln/detail/CVE-2018-25154
CVE-2023-36525 – WPJobBoard Blind SQL Injection: https://cvefeed.io/vuln/detail/CVE-2023-36525
FBI seizure – web3adspanels.org: https://securityaffairs.com/186094/cyber-crime/fbi-seized-web3adspanels-org-hosting-stolen-logins.html
Urban VPN Proxy data harvesting: https://boingboing.net/2025/12/19/this-free-vpn-is-a-massive-security-risk.html
FortiGate 2FA bypass exploitation: https://cyberpress.org/hackers-abuse-3-year-old-fortigate-flaw/

Don’t think, patch!

Your feedback is welcome.
Email: [email protected]
https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtenglishedition.substack.com/

RadioCSIRT – English Edition – Your Daily Cybersecurity News – Wednesday, December 24, 2025 (Ep. 60)
24/12/2025 | 7 min
Welcome to your daily cybersecurity podcast.

A new initiative brings together volunteer cybersecurity experts to help protect water utilities against growing cyber threats. Experienced professionals from the DEF CON Franklin community are paired with water service providers across several U.S. states to conduct assessments, map operational technology (OT) environments, and implement security measures tailored to critical infrastructure constraints. This community-driven model aims to offset limited internal resources and improve resilience against targeted industrial cyberattacks.

MongoDB has issued an urgent warning urging administrators to immediately patch a severe remote code execution vulnerability affecting components of its ecosystem. The flaw could allow unauthenticated attackers to execute arbitrary code on exposed Node.js servers. Proof-of-concept exploits are publicly available, significantly increasing the risk of real-world exploitation.

Security researchers have uncovered a large-scale compromise campaign involving the PCPcat malware, which exploited critical flaws in Next.js and React server components. More than 59,000 servers were compromised within 48 hours, with attackers harvesting credentials, SSH keys, and environment variables while establishing persistent access using stealthy processes and tunnels.

In France, La Poste and its banking subsidiary, La Banque Postale, suffered major service disruptions following a distributed denial-of-service (DDoS) attack during the holiday period. Several online services, including parcel tracking and digital banking, were rendered unavailable. Authorities stated that no customer data was compromised.

Finally, security teams are monitoring increased risks linked to modern JavaScript server stacks, highlighting how the rapid adoption of frameworks such as React and Next.js has expanded the attack surface for automated, industrial-scale exploitation.

Sources
Cyber volunteers / water utility / MSSP: https://therecord.media/cyber-volunteer-water-utility-mssp
MongoDB – severe RCE patch warning: https://www.bleepingcomputer.com/news/security/mongodb-warns-admins-to-patch-severe-rce-flaw-immediately/
PCPcat – React/Next.js servers breach: https://thecyberexpress.com/pcpcat-react-servers-nextjs-breach/
La Poste – outage after a cyber attack: https://securityaffairs.com/186064/security/la-poste-outage-after-a-cyber-attack.html

Don’t think, patch!

Your feedback is welcome.
Email: [email protected]
https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtenglishedition.substack.com/

RadioCSIRT English Edition – (Ep.59)
23/12/2025 | 7 min
Welcome to your daily cybersecurity podcast.

CISA has added CVE-2023-52163 to its Known Exploited Vulnerabilities Catalog, confirming active exploitation of Digiever DS-2105 Pro network video recorders. This missing authorization flaw allows unauthenticated attackers to bypass security controls. While BOD 22-01 mandates federal agencies to remediate, CISA urges all organizations to prioritize firmware updates. This vulnerability serves as a frequent entry point for actors targeting IoT infrastructure and physical security networks.

Genians Security Center reports on APT37's "Artemis" campaign targeting South Korean entities through malicious HWP documents. The attack chain leverages OLE objects and DLL side-loading via the legitimate VolumeId utility to deploy the RoKRAT module. The threat actor employs steganography within images and abuses cloud services like Yandex and pCloud for C2 operations. This multi-stage procedure leverages legitimate execution flows to evade detection by signature-based security solutions.

SoundCloud disclosed a cyberattack targeting an ancillary service dashboard, resulting in a data leak affecting 26 million accounts. Exposed data includes email addresses and public profile information; passwords and financial data were not compromised. The incident was followed by DDoS attacks affecting availability. Remediation efforts, specifically reinforcing Identity and Access Management controls, inadvertently caused temporary connectivity issues for VPN users.

Socket Security identified two malicious Chrome extensions, named Phantom Shuttle, stealing credentials from 170+ enterprise domains including AWS and GitHub. These extensions use onAuthRequired listeners to inject hardcoded proxy credentials and PAC scripts to reroute sensitive traffic. Operating as a Man-in-the-Middle, the malware exfiltrates plaintext credentials, session cookies, and API keys to the C2 server phantomshuttle[.]space every five minutes.

Anna’s Archive released a 300-terabyte dataset containing 86 million scraped Spotify tracks. The breach was achieved through systematic stream-ripping using third-party user accounts over several months. Spotify responded by disabling offending accounts and implementing new safeguards to block automated playback patterns. This massive exfiltration of metadata and audio files represents a significant challenge for digital rights management and creator protection.

Sources
CISA KEV – Digiever: https://www.cisa.gov/news-events/alerts/2025/12/22/cisa-adds-one-known-exploited-vulnerability-catalog
APT37 Artemis: https://www.genians.co.kr/en/blog/threat_intelligence/dll
SoundCloud breach: https://www.theregister.com/2025/12/16/soundcloud_cyberattack_data_leak/
Chrome Phantom Shuttle: https://thehackernews.com/2025/12/two-chrome-extensions-caught-secretly.html
Spotify scraping: https://therecord.media/spotify-disables-scraping-annas

Don’t think, patch!

Your feedback is welcome.
Email: [email protected]
https://www.radiocsirt.com
Weekly Newsletter: https://radiocsirtenglishedition.substack.com/
