New Wave of VPN Login Attempts Targets Palo Alto GlobalProtect Portals

A new wave of login attempts against Palo Alto Networks GlobalProtect VPN portals began on December 2, with roughly 7,000 source IPs attributed to the German hosting company 3xK GmbH, according to GreyNoise. The password-guessing attempts against GlobalProtect were followed by scanning of SonicWall API endpoints; GreyNoise ties both to the same actor because the traffic carries client fingerprints seen in its earlier campaigns, and the activity has generated millions of HTTP sessions. This is a credential-based threat (guessing passwords against exposed portals), not exploitation of a software vulnerability, so the relevant control is authentication hardening: Palo Alto Networks recommends enforcing multi-factor authentication (MFA) on GlobalProtect.

https://www.bleepingcomputer.com/news/security/new-wave-of-vpn-login-attempts-targets-palo-alto-globalprotect-portals/
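As an added illustration of the credential-guessing pattern in the GlobalProtect item above (example code written for this page, not from GreyNoise or Palo Alto Networks): a small detector that aggregates portal authentication failures per source IP, per source ASN and per targeted account, so that thousands of low-rate sources behind one provider show up even when no single IP is noisy. The log lines, field names, ASN numbers and thresholds are constructed for the example; the parser would need to be adapted to real PAN-OS system logs.

```javascript
// Added example, not code from the article or from Palo Alto Networks / GreyNoise.
// Aggregates GlobalProtect authentication failures three ways so that a
// distributed credential attack (thousands of low-rate source IPs behind one
// provider) is caught even when no single IP trips a per-IP threshold.
// The log lines and field names below are CONSTRUCTED for the example.

const SAMPLE_AUTH_LOG = `
2025-12-02T10:00:01Z auth-fail src=203.0.113.10 asn=AS64500 user=alice portal=gp.example.com
2025-12-02T10:00:02Z auth-fail src=203.0.113.10 asn=AS64500 user=bob portal=gp.example.com
2025-12-02T10:00:03Z auth-fail src=203.0.113.10 asn=AS64500 user=carol portal=gp.example.com
2025-12-02T10:00:04Z auth-fail src=203.0.113.10 asn=AS64500 user=dave portal=gp.example.com
2025-12-02T10:00:05Z auth-fail src=203.0.113.10 asn=AS64500 user=erin portal=gp.example.com
2025-12-02T10:00:06Z auth-fail src=203.0.113.11 asn=AS64500 user=admin portal=gp.example.com
2025-12-02T10:00:07Z auth-fail src=203.0.113.12 asn=AS64500 user=admin portal=gp.example.com
2025-12-02T10:00:08Z auth-fail src=203.0.113.13 asn=AS64500 user=admin portal=gp.example.com
2025-12-02T10:00:09Z auth-fail src=203.0.113.14 asn=AS64500 user=admin portal=gp.example.com
2025-12-02T10:00:10Z auth-fail src=198.51.100.7 asn=AS64501 user=frank portal=gp.example.com
2025-12-02T10:00:20Z auth-ok src=198.51.100.7 asn=AS64501 user=frank portal=gp.example.com
2025-12-02T09:30:00Z auth-fail src=198.51.100.9 asn=AS64502 user=admin portal=gp.example.com
`;

// Parse "<iso-timestamp> <event> key=value ..." lines into records.
function parseAuthLog(text) {
  const records = [];
  for (const line of text.split('\n')) {
    const t = line.trim();
    if (!t) continue;
    const [ts, event, ...kvs] = t.split(/\s+/);
    const rec = { ts: new Date(ts), event };
    for (const kv of kvs) {
      const i = kv.indexOf('=');
      if (i > 0) rec[kv.slice(0, i)] = kv.slice(i + 1);
    }
    records.push(rec);
  }
  return records;
}

// Look only at failures inside [now - windowMs, now], then flag:
//  - single IPs with many failures            (classic brute force)
//  - ASNs with many distinct failing sources   (one provider, many hosts)
//  - accounts hit from many distinct sources   (password spraying)
function detectCredentialAttack(records, opts) {
  const { now, windowMs, perIpThreshold, perAsnDistinctIps, sprayDistinctIps } = opts;
  const cutoff = now.getTime() - windowMs;
  const failures = records.filter(r =>
    r.event === 'auth-fail' && r.ts.getTime() >= cutoff && r.ts.getTime() <= now.getTime());

  const perIp = new Map();   // src  -> failure count
  const perAsn = new Map();  // asn  -> Set of distinct src
  const perUser = new Map(); // user -> Set of distinct src
  for (const f of failures) {
    perIp.set(f.src, (perIp.get(f.src) || 0) + 1);
    if (!perAsn.has(f.asn)) perAsn.set(f.asn, new Set());
    perAsn.get(f.asn).add(f.src);
    if (!perUser.has(f.user)) perUser.set(f.user, new Set());
    perUser.get(f.user).add(f.src);
  }
  const pick = (m, min, size) => [...m].filter(([, v]) => size(v) >= min).map(([k]) => k).sort();
  return {
    noisyIps: pick(perIp, perIpThreshold, v => v),
    suspiciousAsns: pick(perAsn, perAsnDistinctIps, v => v.size),
    sprayedUsers: pick(perUser, sprayDistinctIps, v => v.size),
  };
}

// Evaluate the constructed sample as of 10:00:20Z over a 10-minute window.
function runSample() {
  return detectCredentialAttack(parseAuthLog(SAMPLE_AUTH_LOG), {
    now: new Date('2025-12-02T10:00:20Z'),
    windowMs: 10 * 60 * 1000,
    perIpThreshold: 5,
    perAsnDistinctIps: 4,
    sprayDistinctIps: 4,
  });
}

console.log(JSON.stringify(runSample(), null, 2));
```

Running it reports one noisy IP, one provider ASN with five distinct failing sources, and one account (`admin`) being sprayed from four addresses; a per-IP threshold alone would surface only the first of these. The 09:30 record falls outside the window and is ignored. Detection buys time, but the control that actually defeats password guessing is the MFA enforcement the item recommends, since a correctly guessed password then no longer yields a session.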

AI Chatbots Can Be Wooed Into Crimes With Poetry

AI chatbots can be manipulated into producing harmful content, including hate speech and instructions for weapons, simply by phrasing the request as poetry. A study found that wrapping a forbidden request in a poem, riddle or similar stylistic variation bypasses the models' safety training and elicits the disallowed content about 62% of the time. The result shows how brittle the safety layer is: a change of style with no change of intent is enough to defeat refusal behaviour, which points to a design flaw in how these safeguards are trained rather than an isolated bug.

https://www.theverge.com/report/838167/ai-chatbots-can-be-wooed-into-crimes-with-poetry

How I Reverse Engineered a Billion-Dollar Legal AI Tool and Found 100k+ Confidential Files

TLDR: Alex Schapiro discovered a serious security vulnerability in Filevine, a billion-dollar legal AI tool, on October 27, 2025, allowing full admin access to confidential law firm files without authentication. He responsibly disclosed the issue, which could have exposed sensitive data like HIPAA-protected documents. Filevine quickly acknowledged and resolved the problem, demonstrating effective security disclosure practices.

https://alexschapiro.com/security/vulnerability/2025/12/02/filevine-api-100k

Cloudflare Blames Today’s Outage on Emergency React2Shell Patch

Cloudflare's outage was caused by an emergency mitigation it pushed for a critical vulnerability in React Server Components (CVE-2025-55182, dubbed React2Shell) that allows unauthenticated remote code execution. The faulty change, not a cyber attack, affected about 28% of Cloudflare's HTTP traffic. The flaw is under active exploitation by hacking groups, primarily linked to China, which is why the mitigation was rushed out.

https://www.bleepingcomputer.com/news/security/cloudflare-blames-todays-outage-on-emergency-react2shell-patch/

Record 29.7 Tbps DDoS Attack Linked to AISURU Botnet With up to 4 Million Infected Hosts

TLDR: Cloudflare reports a record 29.7 Tbps DDoS attack from the AISURU botnet, lasting 69 seconds and involving 1-4 million infected hosts. The botnet targets telecoms, gaming, and financial sectors. In 2025, Cloudflare mitigated 36.2 million DDoS attacks, indicating a surge in size and complexity of attacks, especially against AI companies and the automotive industry.

https://thehackernews.com/2025/12/record-297-tbps-ddos-attack-linked-to.html

Silver Fox’s Russian Ruse: ValleyRAT Hits China Via Fake Microsoft Teams Attack

Silver Fox, a Chinese APT group, is running an SEO-poisoning campaign that pushes fake Microsoft Teams installers to organizations in China, delivering the “ValleyRAT” malware for state-sponsored espionage and financial fraud. The tooling carries false-flag artifacts such as Cyrillic strings, intended to steer attribution toward a Russian actor while the group pursues sensitive intelligence and financial gain. Organizations, especially those with operations in China, should make sure endpoint logging and monitoring are enabled so that this kind of trojanized installer can be detected after the fact.

https://reliaquest.com/blog/threat-spotlight-silver-foxs-russian-ruse-fake-microsoft-teams-attack

French NGO Reporters Without Borders Targeted by Calisto in Recent Campaign

Sekoia’s TDR team uncovered spear-phishing campaigns by the Russian-linked group Calisto in May-June 2025, targeting Reporters Without Borders and others. Calisto, associated with Russian intelligence, focused on organizations linked to Ukraine and the West. Its lures impersonate trusted contacts and arrive with a missing attachment or a non-working file, so that the victim asks for the document and then receives a follow-up containing a malicious link or a decoy PDF. The phishing kits use Adversary-in-the-Middle (AitM) proxying, which intercepts both the credentials and the 2FA code, so a one-time code does not protect the account. Calisto’s campaigns rely heavily on compromised websites, redirectors and numerous custom domains for phishing and credential harvesting. NGOs aiding Ukraine and the researchers associated with them remain high-risk targets.

https://blog.sekoia.io/ngo-reporters-without-borders-targeted-by-calisto-in-recent-campaign/

Amid Rising Threats, NATO Holds Its Largest-ever Cyberdefense Exercise

NATO conducted its largest cyberdefense exercise, Cyber Coalition, in Estonia, involving 1,300 participants from 29 allies and 7 partner nations. The exercise aimed to simulate responses to multi-faceted cyber threats against critical infrastructure and emphasized cooperation over competition. Participants addressed complex scenarios, verifying threats and collaborating on intelligence sharing. A new space-based scenario was introduced, reflecting real-world incidents. The exercise highlighted the necessity of sharing information to tackle modern cyber challenges effectively.

https://therecord.media/nato-holds-largest-ever-cyberdefense-exercise-estonia

Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution

A critical flaw in React Server Components (CVE-2025-55182) allows unauthenticated remote code execution across several React 19 releases and the Next.js versions built on them. The root cause is unsafe deserialization in the handling of Server Component requests: an attacker can send a crafted HTTP request to an affected server and have it execute arbitrary JavaScript. Patches are available; update immediately, and monitor for anomalous requests to RSC endpoints where patching is delayed. Several cloud providers have deployed interim protective measures at the edge.

https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html

Microsoft “Mitigates” Windows LNK Flaw Exploited as Zero-day

Microsoft says it has mitigated a severe Windows LNK (shortcut) vulnerability, CVE-2025-9491, that state-sponsored and cybercrime groups exploited as a zero-day. The flaw lets an attacker hide the malicious command line of a shortcut so it is not visible to the user; the victim still has to open the file for it to execute. After initially declining to fix it, Microsoft quietly changed how LNK file properties are displayed in June 2025, and unofficial patches have been offered to limit the risk until a complete fix is provided.

https://www.bleepingcomputer.com/news/microsoft/microsoft-mitigates-windows-lnk-flaw-exploited-as-zero-day/

How Attackers Use Real IT Tools to Take Over Your Computer

Attackers are abusing legitimate Remote Monitoring and Management (RMM) tools such as LogMeIn Resolve to gain remote access to victims' computers without deploying traditional malware. Because the tool is a legitimate, signed product, disguising its installer as common software lets it pass security controls that would flag a custom implant. Users are advised to download software only from official sources, verify file signatures, and be alert to the social engineering that delivers these installers.

https://www.malwarebytes.com/blog/news/2025/12/how-attackers-use-real-it-tools-to-take-over-your-computer

India Backs Off Mandatory ‘Cyber Safety’ App After Surveillance Backlash

India cancels mandatory “cyber safety” app installation for new smartphones after privacy concerns arose. The government initially required device makers to preload the app, but backlash led to its reversal. Officials claimed the app aimed to combat fraud and theft, emphasizing user security and the ability to uninstall it. Digital rights advocates welcomed the decision but remained cautious until formal legal confirmation.

https://therecord.media/india-drops-mandate-sanchar-saathi-app-privacy-surveillance

Critical Vulnerability in React and Next.js (CVE-2025-55182)

TLDR: On December 3, 2025, the React team disclosed CVE-2025-55182, a critical (CVSS 10) remote code execution vulnerability in React Server Components caused by unsafe deserialization of request payloads. It affects React 19.0 through 19.2.0 and is fixed in 19.0.1, 19.1.2 and 19.2.1. Next.js bundles these packages, so Next.js deployments must update to the corresponding fixed releases (15.0.5 and 15.5.7 among the 15.x lines, and 16.0.7). Exploitation is remote and requires no authentication.

https://www.vulncheck.com/blog/cve-2025-55182-react-nextjs
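For a defender, the two CVE-2025-55182 items above (and the Cloudflare outage the rush to mitigate it caused) reduce to one question: is every deployed copy of the React Server Components packages and of Next.js at or above the fix level? The following is an added example written for this page, not code from React, Vercel or the linked articles. It reads a package-lock.json (lockfile v2/v3 `packages` layout) and reports each relevant package as fixed, vulnerable, or on a minor line the page does not list. Assumptions beyond the articles: the affected React packages are the react-server-dom-webpack/-parcel/-turbopack bindings, so the plain `react` version is deliberately not checked; the lockfile fragment is constructed; and only the Next.js fix releases named on this page are in the table, so other 15.x lines come back as unknown rather than guessed.

```javascript
// Added example, not code from React, Vercel, or the articles above.
// Audits a package-lock.json (lockfile v2/v3 "packages" layout) against the
// CVE-2025-55182 fix levels given in the summaries: React Server Components
// 19.0.1 / 19.1.2 / 19.2.1 and Next.js 15.0.5, 15.5.7, 16.0.7.
// ASSUMPTIONS: the affected React packages are the react-server-dom-* bindings
// (the plain `react` version does not tell you); Next.js minor lines not listed
// on the page are reported as unknown-line rather than guessed.

const FIXED_VERSIONS = {
  'react-server-dom-webpack':   { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' },
  'react-server-dom-parcel':    { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' },
  'react-server-dom-turbopack': { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' },
  // Only the Next.js lines named on this page; add the other 15.x fix releases
  // from the Next.js advisory before using this against a real repository.
  'next': { '15.0': '15.0.5', '15.5': '15.5.7', '16.0': '16.0.7' },
};

function parseSemver(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(text).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// Returns <0, 0 or >0. A prerelease (e.g. 19.2.1-canary-...) sorts below its release.
function compareSemver(a, b) {
  for (const k of ['major', 'minor', 'patch']) if (a[k] !== b[k]) return a[k] - b[k];
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}

function assessPackage(name, version) {
  const lines = FIXED_VERSIONS[name];
  if (!lines) return { status: 'not-tracked' };
  const v = parseSemver(version);
  if (!v) return { status: 'unparseable' };
  const fixed = lines[`${v.major}.${v.minor}`];
  if (!fixed) return { status: 'unknown-line' }; // consult the advisory for this minor line
  return compareSemver(v, parseSemver(fixed)) >= 0
    ? { status: 'fixed' }
    : { status: 'vulnerable', upgradeTo: fixed };
}

// Walk every installed copy, including nested node_modules, since a stale
// duplicate under a dependency is still reachable at runtime.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (!(name in FIXED_VERSIONS)) continue;
    findings.push({ path, name, version: meta.version, ...assessPackage(name, meta.version) });
  }
  return findings.sort((a, b) => a.path.localeCompare(b.path));
}

// Constructed lockfile fragment for the example (not a real project).
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { next: '15.5.6', react: '19.2.0' } },
    'node_modules/next': { version: '15.5.6' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/some-tool/node_modules/react-server-dom-webpack': { version: '19.2.1' },
    'node_modules/react-server-dom-turbopack': { version: '19.2.0-canary-abc123-20251101' },
  },
};

function auditSample() {
  return auditLockfile(SAMPLE_LOCK);
}

for (const f of auditSample()) {
  console.log(`${f.status.padEnd(12)} ${f.path}@${f.version}${f.upgradeTo ? ' -> ' + f.upgradeTo : ''}`);
}
```

On the sample it flags `next@15.5.6` and the top-level `react-server-dom-webpack@19.2.0` as vulnerable, passes the nested 19.2.1 copy, and still reports the `19.2.0-canary-…` turbopack build as vulnerable because prereleases sort below their release. An `unknown-line` result means "go look at the advisory", not "safe"; fill in the Next.js table before running this against a real repository.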
