Daily summary - 16.12.2025

End-of-Day report

Timeframe: Monday 15-12-2025 18:30 - Tuesday 16-12-2025 19:10. Handler: Felician Fuchs. Co-Handler: Michael Schlagenhaufer

News

Arctic Wolf Observes Malicious SSO Logins on FortiGate Devices Following Disclosure of CVE-2025-59718 and CVE-2025-59719

On December 12, 2025, Arctic Wolf began observing intrusions involving malicious SSO logins on FortiGate appliances. Fortinet had previously released an advisory for two critical authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) on December 9, 2025, and Arctic Wolf had sent out a security bulletin for the vulnerabilities shortly thereafter.

https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719/


AWS Blames Russia's GRU for Years-Long Espionage Campaign Targeting Western Energy Infrastructure

Amazon Web Services (AWS) has attributed a persistent, multi-year cyber espionage campaign targeting Western critical infrastructure, particularly the energy sector, to a group strongly linked with Russia's Main Intelligence Directorate (GRU), widely known as Sandworm (or APT44).

https://thecyberexpress.com/espionage-western-critical-infrastructure/


New SantaStealer malware steals data from browsers, crypto wallets

A new malware-as-a-service (MaaS) information stealer named SantaStealer is being advertised on Telegram and hacker forums as operating in memory to avoid file-based detection.

https://www.bleepingcomputer.com/news/security/new-santastealer-malware-steals-data-from-browsers-crypto-wallets/


Google is shutting down its dark web report feature in January

Google is discontinuing its "dark web report" security tool, stating that it wants to focus on other tools it believes are more helpful.

https://www.bleepingcomputer.com/news/google/google-is-shutting-down-its-dark-web-report-feature-in-january/


SoundCloud confirms breach after member data stolen, VPN access disrupted

Audio streaming platform SoundCloud has confirmed that outages and VPN connection issues over the past few days were caused by a security breach in which threat actors stole a database containing user information.

https://www.bleepingcomputer.com/news/security/soundcloud-confirms-breach-after-member-data-stolen-vpn-access-disrupted/


European authorities dismantle call center fraud ring in Ukraine

European law enforcement authorities dismantled a fraud network operating call centers in Ukraine that scammed victims across Europe out of more than 10 million euros.

https://www.bleepingcomputer.com/news/security/european-authorities-dismantle-call-center-fraud-ring-in-ukraine/


Microsoft to block Exchange Online access for outdated mobile devices

Microsoft announced on Monday that it will soon block mobile devices running outdated email software from accessing Exchange Online services until they're updated.

https://www.bleepingcomputer.com/news/microsoft/microsoft-to-block-exchange-online-access-for-outdated-mobile-devices/


Cyberattack disrupts Venezuelan oil giant PDVSA's operations

Petróleos de Venezuela (PDVSA), Venezuela's state-owned oil company, was hit by a cyberattack over the weekend that disrupted its export operations.

https://www.bleepingcomputer.com/news/security/cyberattack-disrupts-venezuelan-oil-giant-pdvsas-operations/


Update now: Warning of attacks on Apple vulnerabilities and Gladinet

CISA warns of ongoing attacks exploiting vulnerabilities in Apple's iOS and macOS as well as in Gladinet CentreStack and Triofox.

https://www.heise.de/news/Updaten-Warnung-vor-Angriffen-auf-Apple-Luecken-und-Gladinet-11116020.html


Defender problem after Windows update KB5072033 - Get-MPComputerStatus returns nothing

The cumulative update KB5072033 of 9 December 2025 can cause problems on Windows 11 24H2 and 25H2, and possibly also on Windows Server 2025. The PowerShell status query used to check whether Windows Defender is still working correctly may no longer return any result.

https://www.borncity.com/blog/2025/12/16/defender-fehler-nach-windows-update-kb5072033-in-powershell/


The Detection & Response Chronicles: Exploring Telegram Abuse

Adversaries using popular messaging apps across different attack phases is nothing new. Telegram in particular has constantly been abused by multiple threat actors, favoured for its anonymity, accessibility, resilience, and operational advantages. The blog explores popular Telegram Bot API methods and recent campaigns involving Telegram abuse, and provides detection and hunting opportunities.

https://blog.nviso.eu/2025/12/16/the-detection-response-chronicles-exploring-telegram-abuse/
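The hunting opportunity behind that post rests on one property of the Bot API: every call is an HTTPS request to api.telegram.org whose path carries the bot token and the method name, so web-proxy or TLS-inspection logs that record URLs can be searched for it. The following is an added example by the editor, not code from the NVISO post; the proxy log format and the grouping of methods into "exfil" and "C2 polling" are constructed for illustration, and the sample log lines are made up.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Telegram Bot API calls have the form https://api.telegram.org/bot<TOKEN>/<method>,
# where <TOKEN> is "<numeric bot id>:<35-character secret>". Because the token sits in
# the URL path, a URL-logging proxy captures it and the method being invoked.
BOT_API_RE = re.compile(
    r"api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)"
)

# Illustrative grouping (assumption, not exhaustive): "send*" pushes content out of the
# environment, getUpdates pulls operator tasking in.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto", "sendVideo", "sendAudio"}
C2_POLL_METHODS = {"getUpdates"}

# Constructed sample in a generic "timestamp src_ip verb url status" proxy format.
# Tokens and addresses are invented; the third line is ordinary Telegram web use,
# which must NOT match, since it does not touch the Bot API path.
SAMPLE_PROXY_LOG = """\
2025-12-16T08:01:11Z 10.20.30.41 POST https://api.telegram.org/bot123456789:AAHdqTcvCH1vGWJxfSeofSAs0K5PALDsaw0/sendDocument 200
2025-12-16T08:01:12Z 10.20.30.41 GET https://api.telegram.org/bot123456789:AAHdqTcvCH1vGWJxfSeofSAs0K5PALDsaw0/getUpdates 200
2025-12-16T08:02:00Z 10.20.30.77 GET https://web.telegram.org/a/ 200
2025-12-16T08:03:05Z 10.20.30.99 GET https://api.telegram.org/bot987654321:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi/sendMessage 200
2025-12-16T08:04:00Z 10.20.30.55 GET https://example.com/ 200
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    src_ip: str
    bot_id: str
    secret_redacted: str  # never copy the full token into tickets or SIEM fields
    method: str
    category: str


def categorize(method: str) -> str:
    if method in EXFIL_METHODS:
        return "exfil"
    if method in C2_POLL_METHODS:
        return "c2_poll"
    return "other"


def hunt(lines: List[str]) -> List[Hit]:
    """Return one Hit per log line that invokes the Telegram Bot API."""
    hits: List[Hit] = []
    for line in lines:
        m = BOT_API_RE.search(line)
        if not m:
            continue
        fields = line.split()
        timestamp, src_ip = fields[0], fields[1]
        secret = m.group("secret")
        # Keep a 4-char prefix so analysts can correlate hits without storing the secret.
        redacted = secret[:4] + "*" * (len(secret) - 4)
        method = m.group("method")
        hits.append(Hit(timestamp, src_ip, m.group("bot_id"), redacted, method, categorize(method)))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, dict]:
    """Group hits per source host; a host that both polls for tasking and pushes
    content to the same bot is the strongest signal of an implant, not a business bot."""
    per_host: Dict[str, dict] = defaultdict(
        lambda: {"bot_ids": set(), "methods": set(), "categories": set()}
    )
    for h in hits:
        entry = per_host[h.src_ip]
        entry["bot_ids"].add(h.bot_id)
        entry["methods"].add(h.method)
        entry["categories"].add(h.category)
    for entry in per_host.values():
        entry["high_confidence"] = {"exfil", "c2_poll"} <= entry["categories"]
    return dict(per_host)


if __name__ == "__main__":
    found = hunt(SAMPLE_PROXY_LOG.splitlines())
    for host, info in summarize(found).items():
        print(host, sorted(info["methods"]), "high_confidence:", info["high_confidence"])
```

Before alerting on this, baseline it: some organisations run legitimate Telegram bots for notifications, so the hunt should key on hosts that have no business reason to call api.telegram.org, and the bot ID (the numeric part, which is safe to store) is the pivot for tying several infected hosts to one operator.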


Malicious NuGet Package Typosquats Popular .NET Tracing Library to Steal Wallet Passwords

The Socket Threat Research Team uncovered a malicious NuGet package, Tracer.Fody.NLog, that typosquats and impersonates the legitimate Tracer.Fody library and its maintainer. It presents itself as a standard .NET tracing integration but in reality functions as a cryptocurrency wallet stealer.

https://socket.dev/blog/malicious-nuget-package-typosquats-popular-net-tracing-library?utm_medium=feed


PornHub Confirms Premium User Data Exposure Linked to Mixpanel Breach

PornHub is facing renewed scrutiny after confirming that some Premium users' activity data was exposed following a security incident at a third-party analytics provider. The disclosure comes as the platform faces increasing regulatory scrutiny in the United States and reported extortion attempts linked to the stolen data. The issue stems from a breach not of PornHub's own systems but of Mixpanel, an analytics vendor the platform previously used.

https://thecyberexpress.com/pornhub-data-breach-premium-users/

Vulnerabilities

Security updates for Tuesday

Security updates have been issued by Debian (binwalk, glib2.0, libgd2, paramiko, and python-apt), Fedora (chromium, python3.13, python3.14, qt6-qtdeclarative, and usd), Mageia (ffmpeg, firefox, nspr, nss, and thunderbird), Oracle (kernel, mysql, mysql:8.0, mysql:8.4, ruby:3.3, wireshark, and xorg-x11-server), Red Hat (expat, mingw-expat, and rsync), SUSE (binutils, curl, glib2, gnutls, go1.24, go1.25, keylime, libmicrohttpd, libssh, openexr, postgresql15, python311, and xkbcomp), and Ubuntu (libsoup3, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle-6.8, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-azure-6.14, linux-azure, linux-azure-6.8, linux-azure-fips, linux-fips, linux-fips, linux-aws-fips, linux-gcp-fips, linux-kvm, linux-oem-6.14, linux-raspi, and linux-realtime, linux-realtime-6.8).

https://lwn.net/Articles/1050778/


Node.js Security Releases

The team is still working on a particularly challenging patch, for this reason the release is being postponed to Thursday, December 18th or shortly after.

https://nodejs.org/en/blog/vulnerability/december-2025-security-releases


[R1] Nessus Versions 10.11.1 and 10.9.6 Fix Multiple Vulnerabilities

Nessus leverages third-party software to help provide underlying functionality. Several of the third-party components (expat, libxml2, libxslt) were found to contain vulnerabilities, and updated versions have been made available by the providers.

https://www.tenable.com/security/tns-2025-24


JumpCloud Remote Assist Flaw Lets Users Gain Full Control of Company Devices

A critical vulnerability (CVE-2025-34352) found by XM Cyber in the JumpCloud Remote Assist for Windows agent allows local users to gain full SYSTEM privileges. Businesses should update to version 0.317.0 or later immediately to patch the flaw.

https://hackread.com/jumpcloud-remote-assist-flaw-full-devices-control/


Security vulnerabilities: HPE ProLiant servers with Intel QuickAssist are vulnerable

Security patches close several vulnerabilities in HPE ProLiant servers. The servers are only attackable under certain conditions, however.

https://www.heise.de/news/Sicherheitsluecken-HPE-ProLiant-Server-mit-Intel-QuickAssist-sind-verwundbar-11116372.html


SEIKO EPSON printer Web Config vulnerable to stack-based buffer overflow

https://jvn.jp/en/jp/JVN51846148/


Synology-SA-25:18 C2 Identity Edge Server (PWN2OWN 2025)

https://www.synology.com/en-global/support/security/Synology_SA_25_18


Mitsubishi Electric GT Designer3

https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-04


Hitachi Energy AFS, AFR and AFF Series

https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-03


Johnson Controls PowerG, IQPanel and IQHub

https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-02


Güralp Systems Fortimus Series, Minimus Series, and Certimus Series

https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-01