RadioCSIRT - English Edition podcast artwork

PODCAST · technology

RadioCSIRT - English Edition

🎙 Marc Frédéric Gomez, cybersecurity expert, brings you daily insights into the latest threats, attacks, and defense strategies you need to know.🔎 On the agenda:✔️ Analysis of cyberattacks and critical vulnerabilities✔️ Strategic intelligence for CSIRTs, CERTs, and cybersecurity professionals✔️ Sources and references to dive deeper into each topic💡 Why listen to RadioCSIRT?🚀 Stay up to date in just a few minutes a day🛡️ Anticipate threats with reliable, technical information📢 An essential intelligence source for IT and security professionals🔗 Listen, share, and secure your environment!📲 Subscribe and leave a ⭐

  1. 79

    RadioCSIRT English Edition – Adobe ZeroDay - CVE-2026-34621 - Ep.78

    On April 9, 2026, researcher Haifei Li, founder of EXPMON — a sandbox-based exploit detection system — publicly disclosed the existence of a zero-day vulnerability in Adobe Acrobat Reader actively exploited in the wild for at least five months. Adobe was notified on April 7. The vulnerability has since been confirmed by Adobe, assigned CVE-2026-34621, rated Critical at CVSS 9.6, and addressed in emergency security update APSB26-43. All Adobe Reader users must apply this patch immediately.The attack vector is a specially crafted PDF requiring no user interaction beyond opening the file. Heavily obfuscated JavaScript executes automatically, abusing two sandboxed Acrobat APIs outside their expected context: util.readFileIntoStream to collect local files and sensitive system data, and RSS.addFeed to exfiltrate that data to a C2 server and receive additional AES-encrypted JavaScript payloads. The exploitation chain has three identified phases. Phase one — confirmed — performs system fingerprinting: OS version, language settings, local file paths, Adobe Reader version, transmitted to the C2 for server-side victim filtering. Sandbox environments receive empty C2 responses and leave no trace; only real targets proceed. Phase two — confirmed — enables local file exfiltration on systems the operator determines are of interest. Phase three — remote code execution combined with sandbox escape — is not yet confirmed but assessed as probable by the research community.Two known samples define the campaign timeline. Version one, uploaded to VirusTotal on November 28, 2025: prototype phase, lighter obfuscation, C2 on a bare IP, broad OS targeting, initial detection rate of two out of sixty-four VirusTotal engines. Version two, uploaded March 23, 2026: production phase, hardened obfuscation, domain-based C2, focused Windows 10 targeting. A third version is inferred from an observed /S12 endpoint targeting Reader version 25.x — which runs on Windows 11 — confirming active ongoing development at the time of disclosure. The lure documents contain Russian-language content referencing current events in Russia's oil and gas sector, consistent with targeted energy sector espionage rather than commodity malware distribution.The confirmed C2 IP is 188.214.34.20 on port 34123 — currently offline. The network-level behavioral IOC to block is any outbound HTTP request whose user-agent header contains the string adobe synchronizer. Known malicious filenames include Invoice540.pdf alongside generic decoy names. SHA-256 hashes for both confirmed samples are published in the EXPMON and N3mes1s forensic reports. The retroactive threat hunting window is November 2025 to the present — five months of potential undetected exposure in organizations where PDF workflows are standard.Immediate actions: apply Adobe emergency patch APSB26-43 covering CVE-2026-34621. Block outbound HTTP traffic with user-agent containing adobe synchronizer. Block C2 IP 188.214.34.20 on port 34123. Monitor for outbound network connections initiated by AcroRd32.exe or Acrobat.exe toward non-standard ports. Run retroactive IOC search in SIEM and EDR covering the full five-month exposure window. Alert staff to the risk of PDF attachments regardless of sender — lure documents in this campaign are contextually plausible invoices and sector-relevant content.SourcesEXPMON / Haifei Li – EXPMON detected sophisticated zero-day fingerprinting attack targeting Adobe Reader users : https://justhaifei1.blogspot.com/2026/04/expmon-detected-sophisticated-zero-day-adobe-reader.htmlBleepingComputer – Hackers exploiting Acrobat Reader zero-day flaw since December : https://www.bleepingcomputer.com/news/security/hackers-exploiting-acrobat-reader-zero-day-flaw-since-december/Security Affairs – Malicious PDF reveals active Adobe Reader zero-day in the wild : https://securityaffairs.com/190558/hacking/malicious-pdf-reveals-active-adobe-reader-zero-day-in-the-wild.htmlDon't think, patch!Your feedback is welcome.Email: [email protected]: https://www.radiocsirt.com WeeklyNewsletter: https://radiocsirtenglishedition.substack.com/#RadioCSIRT #CyberSecurity #ThreatIntelligence #CTI #AdobeReader #ZeroDay #CVE202634621 #PDF #EXPMON #Malware

  2. 78

    RadioCSIRT English Edition - Update about Cyber situation on middle East - Ep. 77

    In this episode: the cyber dimension of the Iran conflict — a six-week retrospective from the initial strikes of February 28 through the fragile ceasefire of April 9, 2026, covering the full evolution of Iranian and pro-Iranian cyber operations from the first hacktivist DDoS waves to confirmed exploitation of industrial control systems inside the United States.On February 28, 2026, the United States and Israel launched joint military strikes against Iranian strategic sites under Operations Epic Fury and Roaring Lion. Within hours, two things happened simultaneously in cyberspace: Iran's domestic internet connectivity collapsed to between one and four percent of normal capacity, and a coordinated multi-vector cyber counteroffensive was launched combining state APT operations with a coalition of over sixty hacktivist groups. In the first seventy-two hours, more than 149 attack claims were recorded against 110 distinct organizations across sixteen countries. Two groups accounted for seventy percent of total DDoS volume: Keymous Plus targeting GCC governments and financial institutions, and DieNet hitting Bahrain and Sharjah airports, Riyadh Bank, Bank of Jordan, and UAE infrastructure. In parallel, APT34/OilRig was conducting active credential harvesting against regional telecoms and government institutions, with confirmed exploitation of CVE-2026-22719 — a CVSS 8.1 unauthenticated command injection in VMware Aria Operations, added to the CISA KEV catalog on March 4. MuddyWater was conducting Operation Olalampo against META-region IT providers. UNC1549 was operating against defense, aerospace, and telecoms targets. APT35 and APT42 were running cloud credential theft campaigns against M365 and Google Workspace environments.A supply chain dimension emerged in week one: state actors began injecting malicious code into npm and PyPI packages, activating payloads only within production CI/CD pipelines, with AI-generated code designed to evade conventional detection tools. On March 31, the npm axios library — over one billion monthly downloads — was compromised via maintainer credential theft. Malicious versions 1.14.1 and 0.30.4 incorporated a hidden dependency, plain-crypto-js 4.2.1, executing a post-install dropper deploying a cross-platform RAT targeting Windows, macOS, and Linux. Any development environment that installed or updated axios during the compromise window should be treated as potentially affected.Also on March 31, the IRGC formally designated Western technology and financial entities as legitimate targets for retaliatory operations effective April 1. Named targets include Cisco, HP, Intel, Oracle, Microsoft, Apple, Google, Meta, IBM, Dell, Nvidia, and Palantir in the technology sector — all classified high threat level — JPMorgan Chase in finance, Boeing and General Electric in defense and industry. This designation transformed the threat from opportunistic hacktivist activity into a declared targeting posture against named Western entities.The most operationally significant escalation occurred on April 8, 2026. The FBI, CISA, NSA, EPA, Department of Energy, and USCYBERCOM published a joint advisory confirming active exploitation of programmable logic controllers in US water, wastewater, energy, and government facility sectors by Iranian-affiliated APT actors, with confirmed operational disruption and financial loss. Targeted devices include Rockwell Automation CompactLogix and Micro850 PLCs, with activity indicating possible extension to Siemens S7 devices. Actors accessed internet-facing PLCs using overseas infrastructure and Rockwell's Studio 5000 Logix Designer software, manipulating project files and HMI/SCADA displays. This is not an assessment — it is a confirmed joint government advisory with confirmed operational impact. The shift from DDoS and data exfiltration to confirmed OT/PLC exploitation with operational consequences represents a qualitative escalation in threat level that every industrial operator must integrate into their defensive posture immediately.For detection priorities: audit all npm and PyPI installations for the compromised axios versions and the plain-crypto-js dependency. Integrate the FBI/CISA/NSA April 8 IOC set into SIEM and EDR platforms, with enhanced monitoring of SCADA and ICS systems and internet-exposed OT connections on ports 44818, 2222, 102, 22, and 502. For enterprise environments: APT34 DNS hijacking and APT35/42 cloud credential theft remain active — monitor M365 and Google Workspace for anomalous authentication patterns. Any organization explicitly named in the IRGC March 31 designation should treat that condition as a confirmed elevated threat, not background risk.SourcesCISA – Joint advisory AA26-097A: Iranian-affiliated cyber actors exploit programmable logic controllers across US critical infrastructure : https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097aCybersecurity Dive – Iran-linked hackers target water and energy in US, FBI and CISA warn : https://www.cybersecuritydive.com/news/iran-linked-hackers-targeting-water-energy-in-us-fbi-and-cisa-warn/816949/Security Affairs – US agencies alert: Iran-linked actors target critical infrastructure PLCs : https://securityaffairs.com/190485/apt/u-s-agencies-alert-iran-linked-actors-target-critical-infrastructure-plcs.html Don't think, patch!Your feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtenglishedition.substack.com/#RadioCSIRT #CyberSecurity #ThreatIntelligence #CTI #Iran #ICS #OT #PLC #CISA #CriticalInfrastructure #APT34 #MuddyWater

  3. 77

    RadioCSIRT English Edition –Patch Tuesday April 2026 Preview - Episode 76

    On April 14, 2026, Microsoft releases its monthly security update cycle. This Patch Tuesday warrants direct attention from every patch management team and every operations team running Windows infrastructure. The maximum severity is critical. The primary impact is remote code execution. The affected surface covers the most widely deployed platforms in enterprise environments simultaneously: all active Windows 11 versions, the entire still-supported Windows Server range from 2016 through 2025, Remote Desktop Services, Microsoft Office, and the .NET runtime. Thirteen product families are addressed in this cycle across three deployment priority tiers.Seven families are classified priority one — immediate deployment. Windows 11, all active versions — 23H2, 24H2, 25H2, and 26H1 — receive critical patches with remote code execution impact. Windows Server 2025, 2022, 2019, and 2016 follow the same pattern: all rated critical, all with remote code execution impact, all priority one. Remote Desktop Services also land at critical severity with remote code execution impact and deserve specific attention beyond the standard label. The exploitation history of RDS vulnerabilities is well documented — BlueKeep and DejaBlue in 2019, both wormable, both actively exploited within weeks of disclosure. Any entity exposing RDS over the internet or through VPN concentrators should treat this component as the highest-urgency item in this cycle. Microsoft Office is priority one with critical severity — the exploitation vector is consistently phishing, the dominant initial access vector in campaigns targeting the financial sector. The .NET and .NET Framework entry is rated critical with denial of service impact: a vulnerability rated critical on .NET can crash or render unavailable any application or web service running on these runtimes without code execution — a direct availability risk that can be triggered remotely.Three families are priority two — deployment within seven days: SQL Server with important severity and remote code execution impact, SharePoint with important severity and spoofing impact, and Azure components with important severity and elevation of privilege impact. Three families are priority three — standard cycle: Visual Studio, Dynamics 365, and System Center, all rated important.Additionally, this April cycle introduces a kernel driver trust enforcement change for Windows 11 24H2, 25H2, 26H1, and Windows Server 2025: systems will no longer treat legacy cross-signed drivers as a blanket trust path. Environments with dependencies on older unsigned driver binaries should audit their driver inventory before deployment. All Windows 11 and Windows Server updates in this cycle are cumulative. Detailed CVE-level disclosure and CVSS scores will be available on the Microsoft Security Response Center from April 14.SourcesHelp Net Security – April 2026 Patch Tuesday forecast: spring cleaning of a preview : https://www.helpnetsecurity.com/2026/04/10/april-2026-patch-tuesday-forecast/Zecurit – Patch Tuesday April 2026: security updates and CVE analysis : https://zecurit.com/endpoint-management/patch-tuesday/Microsoft Security Response Center – Security Update Guide : https://msrc.microsoft.com/update-guide/Don't think, patch!Your feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtenglishedition.substack.com/#RadioCSIRT #CyberSecurity #PatchTuesday #Microsoft #ThreatIntelligence #CTI #Windows #RDS #Office #dotNET

  4. 76

    RadioCSIRT English Edition – a new ransomware group operating under the name Payload -Ep.74

    On April 7, 2026, Gen Threat Labs, the research arm of Gen Digital, published a detailed technical analysis of Remus, a new 64-bit infostealer attributed to the Lumma Stealer family. Active campaigns involving Remus have been observed since February 2026 — directly following a doxxing campaign between August and October 2025 that exposed the presumed core members of the Lumma organization and significantly disrupted its operations. Remus is not a replacement for Lumma — both families are currently coexisting in the wild — but a deliberate evolution, most likely born from a fork or rebranding operation initiated during the period of maximum operational pressure on the original group.The attribution case built by Gen Threat Labs rests on six technical indicators establishing codebase continuity. The most distinctive is the Application-Bound Encryption bypass for Chromium browsers: both Lumma and Remus inject a compact shellcode into the browser process to locate the v20_master_key directly in memory and call CryptUnprotectMemory from within the browser's process context. The difference between the two implementations is eleven bytes — 51 bytes for Remus versus 62 for Lumma. This level of implementation parallelism is not coincidental. Additional shared indicators include near-identical string obfuscation via stack assembly and MBA-reinforced decryption loops, direct syscall dispatch via runtime ntdll hash-to-SSN lookup tables, identical antiVM CPUID checks against five hypervisor signatures in the same order, a shared crypter presence check via NtRaiseHardError, and overlapping control flow obfuscation patterns. The attribution chain is anchored by transitional builds labeled Tenzor, compiled September 16, 2025 — at the peak of the disruption period — which carry both a Steam dead drop resolver matching confirmed Lumma samples and artifacts exclusive to Remus.The most operationally significant evolution in Remus is the abandonment of Steam and Telegram dead drop resolvers in favor of EtherHiding. At runtime, Remus sends a JSON-RPC eth_call request to a hardcoded Ethereum smart contract address via a public RPC endpoint and extracts the C2 URL from the hex-encoded response. The decentralized and immutable nature of the blockchain makes this infrastructure effectively resistant to traditional takedown procedures. Remus also introduces two additional anti-analysis checks before any C2 connection: sandbox DLL detection via CRC32 hashing of loaded module names against eleven known sandbox DLL hashes, and honeypot PST detection via enumeration of a specific Outlook PST filename. If either check triggers, the binary terminates silently via ExitProcess zero.For detection: monitor for JSON-RPC eth_call requests toward public Ethereum endpoints originating from workstations — anomalous behavior with a very low false positive rate. Monitor for hidden desktop creation via CreateDesktopW combined with browser process launch. Deploy the Remus-specific detection rules published by SOCPrime covering direct syscall usage, API hashing, and stealth execution artifacts. Any organization that has relied on Steam or Telegram dead drop blocking as a Lumma detection signal should treat that control as deprecated.SourcesGen Digital – Remus: Unmasking the 64-bit variant of the infamous Lumma Stealer : https://www.gendigital.com/blog/insights/research/remus-64bit-variant-of-lumma-stealerGBHackers – Remus infostealer debuts with stealthy new credential-theft tactics : https://gbhackers.com/remus-infostealer-debuts/CyberPress – Remus infostealer emerges with credential theft and advanced evasion tricks : https://cyberpress.org/remus-infostealer-emerges-fast/Don't think, patch!Your feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtenglishedition.substack.com/#RadioCSIRT #CyberSecurity #ThreatIntelligence #CTI #Remus #LummaStealer #Infostealer #EtherHiding #Malware

  5. 75

    RadioCSIRT English Edition – A new ransomware group operating under the name Payload - Ep.74

    Since February 2026, a new ransomware group operating under the name Payload has been conducting active double extortion campaigns against organizations across multiple sectors and geographies. In less than two months of observed activity, the group has claimed twenty-six victims across seven countries, declared 2,603 gigabytes of exfiltrated data, and demonstrated a level of technical sophistication that places it well above opportunistic ransomware operations. The combination of ESXi-specific encryption logic, ETW patching, and a fully operational Tor-based infrastructure from the outset indicates either experienced operators or access to a mature toolkit.Payload operates two distinct binaries sharing a common cryptographic scheme: Curve25519 ECDH combined with ChaCha20 for per-file key generation. The ESXi variant is a Linux ELF64 binary of approximately 39,904 bytes. Strings are RC4-obfuscated with the three-byte key FBI. Before any encryption activity, the binary performs an anti-debug check via /proc/self/status, then parses VMware's vmInventory.xml to enumerate all datastores and VMDK paths. Virtual machines are powered off via vim-cmd before encryption begins. Thread pool workers are named FBIthread-pool — a forensic artifact visible in standard process listing. The ransom note replaces the ESXi web management interface at /usr/lib/vmware/hostd/docroot/ui/welcome.txt.The Windows variant, compiled on February 17, 2026, is derived from the Babuk codebase that leaked in September 2021, with HC-128 replaced by ChaCha20 and significant anti-forensic additions. Key capabilities include ETW patching of four ntdll.dll functions — EtwEventWrite, EtwEventWriteFull, EtwEventWriteTransfer, and EtwRegister — silently blinding EDR solutions that depend on ETW telemetry. The mutex MakeAmericaGreatAgain is a reliable operator fingerprint. The binary terminates thirty-four services including Veeam, Acronis, BackupExec, Symantec, and Sophos, wipes Windows event logs, deletes shadow copies, and self-deletes via NTFS alternate data stream without spawning a child process.For detection: deploy the YARA rule published by Abdullah Islam covering the ESXi variant. Monitor for MakeAmericaGreatAgain mutex, .payload extension, and ETW function patches in ntdll.dll. Any EDR stack relying exclusively on ETW-based telemetry should be reviewed immediately. ESXi management interfaces must sit behind a dedicated management VLAN. Immutable or air-gapped backup storage remains the only reliable recovery path if encryption completes before detection.SourcesGBHackers – Payload ransomware hits Windows and ESXi with Babuk-style encryption : https://gbhackers.com/payload-ransomware/CyberSecurityNews – New Payload ransomware uses Babuk-style encryption against Windows and ESXi systems : https://cybersecuritynews.com/new-payload-ransomware-uses-babuk-style-encryption/CyberPress – Payload hits Windows and ESXi : https://cyberpress.org/payload-hits-windows-esxi/Don't think, patch!Your feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtenglishedition.substack.com/#RadioCSIRT #CyberSecurity #Ransomware #ThreatIntelligence #CTI #Payload #ESXi #VMware #Windows

  6. 74

    RadioCSIRT English Edition – Emergency meeting between the US Treasury - Episode 73

    In this episode, a single artificial intelligence model became the subject of an emergency meeting between the US Treasury, the Federal Reserve, and the CEOs of America's largest systemically important financial institutions. That model is Claude Mythos Preview, developed by Anthropic. This marks the first time in American financial history that frontier AI capabilities have been treated at this regulatory level as a systemic risk event, rather than a sectoral technology concern.Anthropic restricted access to Mythos to approximately forty partner organizations under Project Glasswing — including Microsoft, Google, Apple, and Amazon — citing the risk of exposing critical vulnerabilities at scale. The model's documented capabilities include autonomous identification and exploitation of flaws across all major operating systems and browsers, real-time payload construction, and functional exploit generation without human guidance. Anthropic is simultaneously engaged in litigation with the Pentagon, which has classified the organization as a supply chain risk.Six risk vectors were identified in connection with Mythos: zero-day exploitation rated critical, systemic SIFI risk rated critical, algorithmic convergence rated high, DeFi and smart contract infrastructure exposure rated high, customer data exfiltration rated high, and cyber-insurance portfolio disruption rated medium. For security teams, the operational implication is direct: the traditional forty-eight to seventy-two hour window between CVE publication and weaponization is no longer the relevant threat timeline when autonomous exploit generation compresses that cycle to minutes.SourcesCNBC – Powell and Bessent convened Wall Street CEOs on Anthropic Mythos cyber risk : https://www.cnbc.com/2026/04/10/powell-bessent-us-bank-ceos-anthropic-mythos-ai-cyber.htmlFortune – Bessent and Powell convened Wall Street leaders in an emergency meeting on Claude Mythos Preview : https://fortune.com/2026/04/10/bessent-powell-anthropic-mythos-ai-model-cyber-risk/Euronews – Why Anthropic's most powerful AI model Mythos Preview is too dangerous for public release : https://www.euronews.com/next/2026/04/08/why-anthropics-most-powerful-ai-model-mythos-preview-is-too-dangerous-for-public-releaseDon't think, patch!Your feedback is welcome.Email: [email protected]: https://www.radiocsirt.com WeeklyNewsletter: https://radiocsirtenglishedition.substack.com/#RadioCSIRT #CyberSecurity #AI #ThreatIntelligence #CTI #ClaudeMythos #FinancialSector #Anthropic

  7. 73

    RadioCSIRT English Version - Special Edition Claude IA - Cyber Security Podcast, (Show 72)

    🎧🎙️Large Language Models & Cybersecurity Claude 4.6, Project Glasswing & Claude Mythos PreviewWelcome to this special edition of RadioCSIRT ⚡️🤖 Claude 4.6 Family — A Cybersecurity Perspective Claude Opus 4.6, Sonnet 4.6 and Haiku 4.5 share a context window of up to one million tokens, multimodal text/image support and extended thinking capabilities. Direct implications for SOC teams: complete code repository analysis, massive IOC correlation, attack chain reconstruction — but also a significant reduction in the entry barrier for producing high-quality offensive artifacts.🔓 Economic Asymmetry of the Threat At five dollars per million tokens, Claude Opus 4.6 makes expert-level analytical reasoning accessible to a broad range of actors that previously required costly human expertise. The window between CVE publication and exploit availability is compressing. LLM-generated phishing lures no longer display the linguistic markers traditionally used for detection.🔬 Project Glasswing — Restricted Access Anthropic launched Claude Mythos Preview under an access framework limited to approximately forty partner organizations (Microsoft, Google, Amazon confirmed), by invitation only, following prior consultation with US authorities. The European Commission publicly endorsed this restriction.⚠️ Claude Mythos Preview — Documented Capabilities The model can autonomously identify and exploit flaws across all major operating systems and web browsers, and construct sophisticated payloads and exploits in real time at low cost. On April 7, 2026, Treasury Secretary Scott Bessent and Jerome Powell convened an emergency meeting with the CEOs of major US banks (Bank of America, Citigroup, Goldman Sachs, Morgan Stanley, Wells Fargo) — the first meeting of this level motivated by the capabilities of a single AI model.🎯 Identified Risk Vectors Six dimensions covered in this episode: zero-day exploitation, systemic SIFI risk, algorithmic convergence, DeFi/smart contract exposure, customer data exfiltration, impact on cyber-insurance portfolios.⚖️ Regulatory and Legal Context Anthropic is in active litigation with the Pentagon, which classified the organization as a supply chain risk. The forty Glasswing partners constitute a new indirect attack surface. The AI Act, DORA and ENISA guidelines create a compliance framework that applies now to LLM deployments in high-risk contexts.🛡️ Documented Defensive Use Cases Automatic generation of YARA/Sigma rules, alert enrichment, large-scale forensic analysis, assisted threat modeling, adversary simulation — the same capabilities serve both sides. LLMs remain analytical augmentation tools: human verification on high-impact operational outputs remains mandatory.🔗 SourcesProject Glasswing — Anthropic: https://www.anthropic.com/glasswingClaude Models — Overview and Pricing: https://platform.claude.com/docs/en/about-claude/models/overview📩 Contact: [email protected] ⚡️ We don't think, we patch!#RadioCSIRT #Cybersecurity #LLM #Claude #Anthropic #Glasswing #Mythos #ThreatIntelligence #SOC #CERT #CISO #AI #CyberSecurity #ProjectGlasswing #ZeroDay #SIFI

  8. 72

    RadioCSIRT English Version - Your Cyber Security Podcast, Feb 29th, 2026 (Ep.71)

    We open this recap with the Winter Olympic Games in Milano Cortina, facing a wave of cyberattacks attributed to Russia. According to The Register, Italy’s Minister of Foreign Affairs confirmed the targeting of diplomatic offices and Olympic infrastructure. The defensive posture is further strained by supply chain tensions, as Cloudflare’s CEO threatened to withdraw pro bono protection services following a regulatory dispute with Italian authorities.In France, ZDNet reported an espionage case in Gironde involving a clandestine interception station operated from a rented Airbnb property. Two Chinese nationals were charged. The seized equipment was designed for sniffing Starlink communications and intercepting military frequencies, illustrating direct risk at the physical communications layer.We then move to active exploitation and emergency response requirements around Cisco Catalyst SD-wan. Australia’s cyber authorities published an alert on exploitation of Cisco SD-wan appliances. Cisa added CVE 2026 20127 and CVE 2022 20775 to the Known Exploited Vulnerabilities catalog and issued Emergency Directive twenty-six zero three, requiring immediate inventory, forensic artifact collection, patching, and compromise assessment, with a deadline of February twenty-seventh, twenty twenty-six. certfr confirmed active exploitation through alert certfr twenty twenty-six ALE zero zero two, and BleepingComputer reported exploitation activity dating back to twenty twenty-three.On the malware front, multiple campaigns highlight attacker focus on routers, developers, and stealth tooling. Cisco Talos detailed the dismantling of the DKnife interception framework used since twenty nineteen. Talos also documented the Dohdoor backdoor campaign using DNS over HTTPS through Cloudflare, delivered via DLL sideloading and process hollowing, with EDR bypass techniques involving syscall unhooking in ntdll dot dll. Kaspersky GReAT reported Arkanix Stealer operating as Malware as a Service, with both Python and C plus plus implementations, AES GCM communications, and indications of LLM-assisted development.Developer ecosystems remain a key battleground. Microsoft warned of fake Next dot js repositories used as job interview lures delivering in-memory JavaScript payloads, and GitLab banned one hundred thirty-one accounts linked to the Contagious Interview operation and the Wagemole scheme. Socket identified the SANDWORM underscore MODE campaign abusing at least nineteen malicious npm packages through typosquatting, including a module targeting AI coding assistants via malicious MCP server injection combined with prompt injection.We also cover phishing at industrial scale. As reported by KrebsOnSecurity, the Starkiller phishing as a service platform dynamically loads real login pages and acts as a reverse proxy, relaying keystrokes, form submissions, and session tokens through attacker infrastructure, effectively defeating multi-factor authentication by capturing the full authentication flow.Finally, critical vulnerabilities affected AI development environments. Check Point Research documented vulnerabilities in Anthropic’s Claude Code enabling command execution via project hooks, MCP consent bypass through project configuration, and clear-text exfiltration of Anthropic API keys by redirecting the ANTHROPIC underscore BASE underscore URL variable to an attacker-controlled endpoint. In parallel, Linux ecosystem updates included Linux seven point zero entering release candidate status, while incident response and law enforcement actions included Eurojust’s takedown of a fraudulent call centre in Dnipro.All  sources are available on https://www.radiocsirt.com/podcast/your-cybersecurity-news-for-saturday-february-28-2026-ep-71/Don’t think, patch!Your feedback is welcome.Email: [email protected]:https://www.radiocsirt.comWeekly Newsletter:https://radiocsirtenglishedition.substack.com/

  9. 71

    Ep. 70 - RadioCSIRT English Edition – Your Cybersecurity News: Jan 31 – Feb 6, 2026

    We open this weekly recap with a critical alert regarding the active exploitation of a Microsoft Office Zero-Day, CVE-2026-21509. According to CERT-UA, the Russian-linked group APT28 has integrated this flaw into phishing campaigns targeting Ukrainian administrations and several EU nations, utilizing a complex infection chain involving WebDAV and the Covenant post-exploitation framework. In a simultaneous blow to software supply chains, the official update mechanism for Notepad++ was hijacked by the state-sponsored actor Violet Typhoon to distribute malware. While threats against productivity tools rise, Mozilla is pivoting toward privacy by announcing that Firefox 148 will allow users to centrally disable all generative AI features.The infrastructure landscape faced significant pressure this week as the CISA issued a binding operational directive requiring federal agencies to retire all End-of-Life (EoL) equipment within 12 months, citing their role as persistent entry points for Edge-based attacks. Meanwhile, the AISURU botnet shattered global records by launching a hyper-volumetric DDoS attack peaking at 31.4 Tbps, fueled by 2 million compromised Android devices. On the regulatory front, the European Commission warned TikTok of potential fines reaching 6% of its global turnover for violating the Digital Services Act (DSA) through "addictive by design" features, while U.S. authorities successfully seized major piracy domains operated from Bulgaria.Regarding cyber-extortion, the group Scattered Lapsus ShinyHunters continues to defy traditional ransomware models by combining data theft with physical harassment and social engineering. In Germany, authorities warned of Signal account takeovers targeting high-profile individuals via fraudulent QR code pairing. To counter evolving threats, Microsoft unveiled a new scanner designed to detect backdoors within Large Language Models (LLMs), and the UK’s NCSC provided a strategic reality check on Cloud Security Posture Management (CSPM), emphasizing that while vital, these tools are only one piece of the broader cloud security puzzle.SourcesSaturday, January 31, 2026Clubic – https://www.clubic.com/actualite-598390-data-centers-ce-que-revele-la-premiere-reunion-a-bercy-sur-les-projets-en-cours-et-a-venir-en-france.htmlThe Record – https://therecord.media/bulgaria-piracy-sites-streaming-gaming-seized-usUnit 42 – https://unit42.paloaltonetworks.com/russian-cyberthreat-2026-winter-olympics/CERT Santé – https://cyberveille.esante.gouv.fr/alertes/grafana-cve-2026-21720-2026-01-29SANS ISC – https://isc.sans.edu/diary/rss/32668Sunday, February 1, 2026Google TAG – https://blog.google/threat-analysis-group/tag-bulletin-q4-2025/CERT-FR – https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0102/BleepingComputer – https://www.bleepingcomputer.com/news/security/mandiant-details-how-shinyhunters-abuse-sso-to-steal-cloud-data/The Hacker News – https://thehackernews.com/2026/01/iran-linked-redkitten-cyber-campaign.htmlMonday, February 2, 2026The Register – https://www.theregister.com/2026/02/02/russialinked_apt28_microsoft_office_bug/ The Hacker News – https://thehackernews.com/2026/02/notepad-official-update-mechanism.htmlBleepingComputer – https://www.bleepingcomputer.com/news/software/mozilla-will-let-you-turn-off-all-firefox-ai-features/SANS ISC – https://isc.sans.edu/diary/rss/32674Tuesday, February 3, 2026Zscaler ThreatLabz – https://www.zscaler.com/blogs/security-research/technical-analysis-anatsa-campaigns-android-banking-malware-active-googleEFF – https://www.encryptitalready.org/Centre canadien pour la cybersécurité – https://www.cyber.gc.ca/fr/alertes-avis/bulletin-securite-kubernetes-av26-078Wednesday, February 4, 2026CERT-FR – https://www.cert.ssi.gouv.fr/cti/CERTFR-2026-CTI-001/NCSC – https://www.ncsc.gov.uk/blog-post/cspm-silver-bullet-or-another-piece-in-the-cloud-puzzleThe Hacker News – https://thehackernews.com/2026/02/microsoft-develops-scanner-to-detect.htmlCISA – https://www.cisa.gov/news-events/alerts/2026/02/03/cisa-adds-four-known-exploited-vulnerabilities-catalogThursday, February 5, 2026The Record – https://therecord.media/cisa-gives-federal-agencies-one-year-end-of-life-devicesThe Hacker News – https://thehackernews.com/2026/02/aisurukimwolf-botnet-launches-record.htmlThe Register – https://www.theregister.com/2026/02/05/asia_government_spies_hacked_37_critical_networks/BleepingComputer – https://www.bleepingcomputer.com/news/security/hackers-compromise-nginx-servers-to-redirect-user-traffic/Friday, February 6, 2026KrebsOnSecurity – https://krebsonsecurity.com/2026/02/please-dont-feed-the-scattered-lapsus-shiny-hunters/BleepingComputer – https://www.bleepingcomputer.com/news/security/european-commission-says-tiktok-facing-fine-over-addictive-design/BleepingComputer – https://www.bleepingcomputer.com/news/security/germany-warns-of-signal-account-hijacking-targeting-senior-figures/CISA – https://www.cisa.gov/news-events/alerts/2026/02/05/cisa-adds-two-known-exploited-vulnerabilities-catalogDon’t think, patch!Your feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtenglishedition.substack.com/

  10. 70

    RadioCSIRT English Edition – Your Cybersecurity News for Sunday, January 11, 2026 (Ep. 67)

    We open this episode with a new physical mail scam campaign targeting bank customers in France, according to Planet.fr. The modus operandi begins with the receipt of a letter bearing the letterhead of a financial institution and containing a fake bank card equipped with a chip. The document instructs the recipient to scan a QR code to activate the card. This technique, known as “quishing,” redirects the victim to a malicious website designed to exfiltrate personal data and banking details. The phenomenon, already observed in neighboring European countries, is gaining ground in France. The cards display a high level of counterfeiting, including accurate reproduction of banks’ visual identities. Verifying the URL displayed after scanning the QR code is the first indicator of legitimacy. If information is entered on a fraudulent website, the recommended procedure includes immediately blocking the bank card, changing all passwords, and reporting the incident via the French Interior Ministry’s Perceval platform.Microsoft published CVE-2026-0628 in its Security Update Guide, concerning a high-severity vulnerability affecting Chromium’s WebView tag component, according to Neowin. The technical flaw, classified as “Insufficient policy enforcement,” allows an attacker who has convinced a user to install a malicious extension to inject scripts or HTML into a privileged page. Researcher Gal Weizman reported the vulnerability to Google in late November. Chrome version 143.0.7499.192 contains the upstream fix, which was integrated by Microsoft into Edge on January 10, 2026. Microsoft records the CVE in its Security Update Guide to provide authoritative downstream status to Edge customers. Canonical vulnerability trackers confirm that the upstream remediation threshold was set in the Chrome 143 stable release. Inventory and remediation efforts must cover all embedded Chromium runtimes and Electron applications, as updating the host browser does not protect these applications.The BreachForums hacking forum suffered a data leak exposing its user database table, according to BleepingComputer. On January 9, 2026, a site named after the ShinyHunters extortion gang published a 7Zip archive named breachedforum.7z. The archive contains the file databoose.sql, a MyBB database table comprising 323,988 member records, including display names, registration dates, IP addresses, and other internal information. Analysis shows that the majority of IP addresses resolve to a local loopback address, but 70,296 records contain public IP addresses. The latest registration date corresponds to August 11, 2025, the day the previous BreachForums was shut down following the arrest of certain alleged operators. The current administrator, known under the pseudonym N/A, acknowledged the leak, stating that a backup of the MyBB users table was temporarily exposed in an unsecured directory and downloaded once.Finally, a major data leak compromised the personal information of approximately 17.5 million Instagram users, according to CyberPress. The leak, initially reported by cybersecurity researchers at Malwarebytes, exposes contact information, making millions of users vulnerable to identity theft and targeted phishing attacks. The dataset appeared this week on a hacking forum, published by a threat actor using the pseudonym “Solonik.” The listing titled “INSTAGRAM.COM 17M GLOBAL USERS — 2024 API LEAK” contains 17.5 million records formatted in JSON and TXT files. The data was collected in late 2024 via an API leak that bypassed standard security measures. The exposed database includes full names, usernames, verified email addresses, phone numbers, user identifiers, and partial location data. The leak is classified as scraping, meaning automated data collection via public interfaces. As of January 10, 2026, Meta has not issued a formal statement regarding this leak.SourcesPlanet.fr – Bank card scam https://www.planet.fr/societe-arnaque-a-la-fausse-carte-bancaire-par-courrier-le-mecanisme-du-quishing-qui-vise-vos-coordonnees.2992374.29336.htmlMicrosoft Security Update Guide – CVE-2026-0628 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-0628 BleepingComputer – BreachForums database leak https://www.bleepingcomputer.com/news/security/breachforums-hacking-forum-database-leaked-exposing-324-000-accounts/ CyberPress – Instagram data leak https://cyberpress.org/instagram-data-leak/Don’t think, patch!Your feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtenglishedition.substack.com/

  11. 69

    RadioCSIRT – English Edition – Your Cybersecurity News for Saturday, January 10, 2026 (Ep. 66)

    We open this edition with a global overview of the current cyber threat landscape.The year twenty twenty five confirms a high and persistent level of cyber pressure on organizations, characterized by the convergence of critical technical vulnerabilities, structural dependencies on suppliers, and growing geopolitical tensions. Sector-wide analyses highlight a continuous expansion of attack surfaces, increased exploitation of digital supply chains, and sustained professionalization of malicious actors, whether criminal or state-sponsored.We then move on to an in-depth analysis of the financial sector, facing a dual structural threat.Reports from Kaspersky, ENISA, FS-ISAC, and KnowBe4 converge on a clear conclusion: nearly all major financial institutions have been affected by incidents involving third-party providers. This systemic exposure is accompanied by an intensification of geopolitically motivated attacks and APT operations targeting international banking infrastructures, notably for state financing or intelligence collection purposes.We also revisit several documented incidents illustrating this dynamic.The compromise of the banking vendor SitusAMC highlights the cascading effects of supply chain attacks.The attack claimed by the pro-Russian group NoName057(16) against La Poste fits into a logic of symbolic disruption linked to geopolitical tensions.Other recent cases reported by specialized media confirm the sustained exposure of the financial sector to attacks combining organized cybercrime and state-level objectives.Finally, we address the regulatory and organizational response to these threats.The DORA regulation represents a structuring step for the operational resilience of the European financial sector, but feedback shows that compliance alone is not sufficient to counter determined adversaries. Mastery of digital dependencies, visibility over third and fourth parties, and the strengthening of detection and response capabilities remain central challenges to limit systemic impact.ations.Sources:Sectoral Reports and Threat Analyses:Kaspersky Security Bulletin 2025 - Financial Sector: https://www.kaspersky.com/about/press-releases/2025_kaspersky-financial-sector-faced-ai-blockchain-and-organized-crime-threats-in-2025ENISA Threat Landscape 2025 - Finance Sector: https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025FS-ISAC - Navigating Cyber 2025: https://www.fsisac.com/knowledge/annual-navigating-cyber-2025-reportKnowBe4 - Financial Sector Threats: The Shifting Landscape: https://www.knowbe4.com/hubfs/Financial-Sector-Threats-The-Shifting-Landscape.pdfDocumented Incidents and Compromises:Cybersecurity Dive - SitusAMC Banking Vendor Breach: https://www.cybersecuritydive.com/news/hackers-steal-sensitive-data-major-banking-industry-vendor-situsamc/The Record (Recorded Future) - NoName057(16) Attack on La Poste: https://therecord.media/pro-russian-hackers-claim-attack-french-postal-service-la-posteAmerican Banker - Marquis Breach (Carter Pape): https://www.muckrack.com/carter-pape/articlesAttribution and State Threat Actors:Security Affairs - France Links APT28 to Government Attacks: https://securityaffairs.com/171234/apt/france-links-russian-apt28-attacks.htmlCompliance and Regulation:RESCO Courtage - Complete DORA Guide 2025: https://www.resco-courtage.com/dora-reglementation-guide-complet-2025L'Usine Digitale - 2025 Cyberattacks and Lessons Learned: https://www.usine-digitale.fr/article/les-cyberattaques-qui-ont-marque-l-annee-2025-et-les-lecons-a-en-tirer.htmlDon’t think, patch!Your feedback is welcome.Email: [email protected]:https://www.radiocsirt.comWeekly Newsletter:https://radiocsirtenglishedition.substack.com/ 

  12. 68

    RadioCSIRT English Edition – Your Cybersecurity News for Tuesday, January 6, 2026 (Ep. 65)

    We open this episode with a critical vulnerability in n8n reported by Security Online. CVE-2025-68668, with a CVSS score of 9.9, allows an authenticated user to escape the Python sandbox of the automation platform to execute arbitrary system commands, turning the Code Node into a vector for complete host system compromise.CVEfeed.io reports an uncontrolled DLL loading flaw in AsusSoftwareManagerAgent. CVE-2025-12793, rated 8.5 in CVSS 4.0, exploits an untrusted search path allowing a local attacker to execute arbitrary code through DLL Namespace manipulation.Clubic covers the disappearance of Anna's Archive's primary domain. The registry placed annas-archive.org under serverHold status two weeks after uploading 300 terabytes of Spotify data, suggesting legal action by the Public Interest Registry following OCLC's lawsuit for extracting 2.2 terabytes of WorldCat data.Phoronix reports a critical situation for the Debian project: the three delegated members of the Data Protection Team resigned simultaneously, leaving the project without an active team to manage GDPR obligations. Project leader Andreas Tille now handles this role ad-hoc while awaiting new volunteers.Finally, CERT-FR issued advisory CERTFR-2026-AVI-0004 concerning CVE-2025-13699 affecting multiple MariaDB branches. The vendor has not specified the exact nature of the security issue but recommends updating to versions 10.11.15, 10.6.24, 11.4.9, or 11.8.4.Sources: Security Online – n8n CVE-2025-68668: https://securityonline.info/n8n-sandbox-escape-how-cve-2025-68668-turns-workflows-into-weapons/CVEfeed.io – CVE-2025-12793 ASUS: https://cvefeed.io/vuln/detail/CVE-2025-12793Clubic – Anna's Archive domain: https://www.clubic.com/actualite-593797-le-site-qui-avait-pirate-spotify-perd-son-nom-de-domaine.htmlPhoronix – Debian Data Protection Team: https://www.phoronix.com/news/No-Debian-Data-Protection-TeamCERT-FR – MariaDB Vulnerability: https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0004/Don’t think, patch!Your feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtenglishedition.substack.com/

  13. 67

    RadioCSIRT English Edition – Your Cybersecurity News for Monday, December 29, 2025 (Ep. 64)

    Welcome to your daily cybersecurity podcast.We open this edition with an analysis published by FIRST dot org on December 29, 2025, presenting the annual review of vulnerability forecasts for the year 2025. The article, written by Éireann Leverett, confirms the validation of Vuln4Cast project forecasts with 49,183 CVEs published as of December 29, falling within the confidence interval of 41,142 to 49,868 CVEs established in February 2025. The MAPE of 1 point 39 percent against the upper bound demonstrates excellent accuracy of the forecast models.The quarterly forecasts for Q4 2025 are also validated with 12,359 CVEs published, within the confidence interval of 11,815 to 14,129 CVEs. This accuracy below 5% demonstrates that quarterly forecasts are sufficiently reliable for operational planning by patch management teams, SOCs, and CERTs.The article highlights the expansion of the vulnerability forecasting ecosystem with CVEForecast dot org developed by Jerry Gamblin at Cisco using XGBoost, and CIRCL Luxembourg's Vulnerability-Lookup platform which adds sightings tracking and comprehensive statistics. Future developments will focus on forecasting vendor distributions, CVSS vectors, CWEs, and vulnerability exploitability. Improvements are underway in six areas: CWE root cause analysis, exploit prediction, exploitation prediction, CNA forecasting, CVSS vector forecasting, and CVSS score prediction.FIRST announces the VulnOptiCon 2026 conference in Luxembourg, hosted by CIRCL, to enable the community to share methodologies and collectively advance exposure science and predictive security.SourceFIRST – 2025 Vulnerability Forecast Annual Review: https://www.first.org/blog/20251229-Vulnerability-Forecast-ReviewDon’t think, patch!Your feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtenglishedition.substack.com/

  14. 66

    RadioCSIRT English Edition – Your Cybersecurity News for Saturday, December 27, 2025 (Ep. 63)

    Welcome to your daily cybersecurity podcast.We open this edition with several security advisories published by CERT-FR regarding critical vulnerabilities affecting major components of the Linux ecosystem and enterprise environments. The bulletins notably concern Ubuntu, Red Hat, and IBM products, which are exposed to flaws that may allow privilege escalation, arbitrary code execution, or compromise of confidentiality. These vulnerabilities affect widely deployed components in server and cloud infrastructures, highlighting the need for rigorous patch management in critical environments.We then analyze a vulnerability affecting the Roundcube webmail, referenced as CVE-2025-68461. This flaw allows a remote attacker to exploit input handling mechanisms in order to compromise session security or execute malicious code in the context of the targeted user. Given the widespread use of Roundcube in email infrastructures, this vulnerability represents a significant risk for Internet-exposed organizations.Finally, we review a security vulnerability patched by Microsoft, identified as CVE-2025-13699. This flaw affects a Windows system component and may be exploited to bypass security mechanisms or gain elevated privileges. Microsoft has released fixes through its update guide and recommends prompt application to reduce the risk of active exploitation.SourcesCERT-FR – Ubuntu vulnerabilities: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1139/CERT-FR – Red Hat vulnerabilities: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1141/CERT-FR – IBM product vulnerabilities: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1137/Roundcube vulnerability – CVE-2025-68461:https://cyberveille.esante.gouv.fr/alertes/roundcube-cve-2025-68461-2025-12-26 Microsoft – CVE-2025-13699:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-13699Don’t think, patch!Your feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtenglishedition.substack.com/

  15. 65

    RadioCSIRT – English Edition – Your Cybersecurity News, Friday 26 December 2025 (Ep. 62)

    Welcome to your daily cybersecurity podcast.We open this edition with a case combining cybercrime and intelligence activities in Eastern Europe. In Georgia, the former head of counterintelligence has been arrested as part of an investigation into large-scale scam centers. Authorities suspect he facilitated or protected structured fraud operations targeting international victims, once again highlighting the convergence of organized crime, corruption, and cyber fraud.We then analyze a phishing campaign targeting cryptocurrency users through fake emails impersonating Grubhub. The messages promise a tenfold return on cryptocurrency sent by victims. Funds are immediately redirected to attacker-controlled wallets with no possibility of recovery, illustrating a classic yet still highly effective use of social engineering applied to digital assets.Finally, we examine an operation attributed to Evasive Panda, a China-linked threat actor, which conducted espionage activities using a hijacked DNS infrastructure. The attackers leveraged advanced DNS resolution and traffic redirection techniques to deliver stealthy malicious payloads while bypassing multiple network detection mechanisms. This campaign highlights the continued evolution of APT tradecraft in state-sponsored cyber espionage.SourcesArrest in Georgia – scam centers:https://therecord.media/republic-of-georgia-former-spy-chief-arrested-scam-centersCrypto phishing campaign – fake Grubhub emails:https://www.bleepingcomputer.com/news/security/fake-grubhub-emails-promise-tenfold-return-on-sent-cryptocurrency/Evasive Panda APT – malicious DNS infrastructure:https://thehackernews.com/2025/12/china-linked-evasive-panda-ran-dns.htmlDon’t think, patch! Your feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtenglishedition.substack.com/

  16. 64

    RadioCSIRT – English Edition – (Ep. 61)

    Welcome to your daily cybersecurity podcast.We open this edition with a geopolitical sequence marking a new phase in transatlantic tensions over digital regulation. The United States have imposed visa restrictions on several European figures involved in regulating technology platforms, including Thierry Breton, former European Commissioner. Washington justifies the decision by accusing European regulators of extraterritorial censorship, notably in the enforcement of the Digital Services Act. The European Union condemned the measure and requested formal explanations, citing an attack on its regulatory sovereignty.We then analyze CVE-2018-25154, a critical buffer overflow vulnerability affecting GNU Barcode version 0.99. The flaw, linked to the Code 93 encoding mechanism, enables arbitrary code execution through crafted input files. The CVSS 3.1 score is critical at 9.8, with high impact on confidentiality, integrity, and availability.We also review CVE-2023-36525, an unauthenticated Blind SQL Injection affecting the WPJobBoard WordPress plugin up to version 5.9.0. The vulnerability is remotely exploitable without privileges or user interaction and exposes affected sites to data leakage and persistent modification risks.In the cybercrime segment, the FBI seized the web3adspanels.org infrastructure, used as a backend to centralize stolen banking credentials from phishing campaigns. The infrastructure enabled account takeover operations against financial institutions and remained active until late 2025.We then cover Urban VPN Proxy, a free VPN browser extension whose recent versions implement interception and exfiltration of AI platform conversations, including prompts, responses, and session metadata, enabled by default.Finally, we address the active exploitation of CVE-2020-12812 on FortiGate firewalls, an older vulnerability still abused to bypass 2FA through inconsistencies between FortiGate and LDAP username case handling.SourcesTech regulation and USA–EU tensions:https://www.01net.com/actualites/pourquoi-les-etats-unis-sattaquent-a-thierry-breton-et-aux-autres-regulateurs-de-la-tech.htmlCVE-2018-25154 – GNU Barcode buffer overflow:https://cvefeed.io/vuln/detail/CVE-2018-25154CVE-2023-36525 – WPJobBoard Blind SQL Injection:https://cvefeed.io/vuln/detail/CVE-2023-36525FBI Seizure – web3adspanels.org:https://securityaffairs.com/186094/cyber-crime/fbi-seized-web3adspanels-org-hosting-stolen-logins.htmlUrban VPN Proxy data harvesting:https://boingboing.net/2025/12/19/this-free-vpn-is-a-massive-security-risk.htmlFortiGate 2FA bypass exploitation:https://cyberpress.org/hackers-abuse-3-year-old-fortigate-flaw/Don’t think, patch!Your feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtenglishedition.substack.com/

  17. 63

    RadioCSIRT – English Edition – Your Daily Cybersecurity News – Wednesday, December 24, 2025 (Ep. 60)

    Welcome to your daily cybersecurity podcast.A new initiative brings together volunteer cybersecurity experts to help protect water utilities against growing cyber threats. Experienced professionals from the DEF CON Franklin community are paired with water service providers across several U.S. states to conduct assessments, map operational technology (OT) environments, and implement security measures tailored to critical infrastructure constraints. This community-driven model aims to offset limited internal resources and improve resilience against targeted industrial cyberattacks.MongoDB has issued an urgent warning urging administrators to immediately patch a severe remote code execution vulnerability affecting components of its ecosystem. The flaw could allow unauthenticated attackers to execute arbitrary code on exposed Node.js servers. Proof-of-concept exploits are publicly available, significantly increasing the risk of real-world exploitation.Security researchers have uncovered a large-scale compromise campaign involving the PCPcat malware, which exploited critical flaws in Next.js and React server components. More than 59,000 servers were compromised within 48 hours, with attackers harvesting credentials, SSH keys, and environment variables while establishing persistent access using stealthy processes and tunnels.In France, La Poste and its banking subsidiary, La Banque Postale, suffered major service disruptions following a distributed denial-of-service (DDoS) attack during the holiday period. Several online services, including parcel tracking and digital banking, were rendered unavailable. Authorities stated that no customer data was compromised.Finally, security teams are monitoring increased risks linked to modern JavaScript server stacks, highlighting how the rapid adoption of frameworks such as React and Next.js has expanded the attack surface for automated, industrial-scale exploitation.Sources:Cyber Volunteers / Water Utility / MSSP : https://therecord.media/cyber-volunteer-water-utility-msspMongoDB – Severe RCE Patch Warning : https://www.bleepingcomputer.com/news/security/mongodb-warns-admins-to-patch-severe-rce-flaw-immediately/PCPcat – React/Next.js Servers Breach : https://thecyberexpress.com/pcpcat-react-servers-nextjs-breach/La Poste – Outage After a Cyber Attack : https://securityaffairs.com/186064/security/la-poste-outage-after-a-cyber-attack.htmlDon’t think, patch!Your feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtenglishedition.substack.com/

  18. 62

    RadioCSIRT English Edition – (Ep.59)

    Welcome to your daily cybersecurity podcast. CISA has added CVE-2023-52163 to its Known Exploited Vulnerabilities Catalog, confirming active exploitation of Digiever DS-2105 Pro network video recorders. This missing authorization flaw allows unauthenticated attackers to bypass security controls. While BOD 22-01 mandates federal agencies to remediate, CISA urges all organizations to prioritize firmware updates. This vulnerability serves as a frequent entry point for actors targeting IoT infrastructure and physical security networks.Genians Security Center reports on APT37's "Artemis" campaign targeting South Korean entities through malicious HWP documents. The attack chain leverages OLE objects and DLL side-loading via the legitimate VolumeId utility to deploy the RoKRAT module. The threat actor employs steganography within images and abuses cloud services like Yandex and pCloud for C2 operations. This multi-stage procedure leverages legitimate execution flows to evade detection by signature-based security solutions.SoundCloud disclosed a cyberattack targeting an ancillary service dashboard, resulting in a data leak affecting 26 million accounts. Exposed data includes email addresses and public profile information; passwords and financial data were not compromised. The incident was followed by DDoS attacks affecting availability. Remediation efforts, specifically reinforcing Identity and Access Management controls, inadvertently caused temporary connectivity issues for VPN users.Socket Security identified two malicious Chrome extensions, named Phantom Shuttle, stealing credentials from 170+ enterprise domains including AWS and GitHub. These extensions use onAuthRequired listeners to inject hardcoded proxy credentials and PAC scripts to reroute sensitive traffic. Operating as a Man-in-the-Middle, the malware exfiltrates plaintext credentials, session cookies, and API keys to the C2 server phantomshuttle[.]space every five minutes.Anna’s Archive released a 300-terabyte dataset containing 86 million scraped Spotify tracks. The breach was achieved through systematic stream-ripping using third-party user accounts over several months. Spotify responded by disabling offending accounts and implementing new safeguards to block automated playback patterns. This massive exfiltration of metadata and audio files represents a significant challenge for digital rights management and creator protection.Sources:CISA KEV Digiever : https://www.cisa.gov/news-events/alerts/2025/12/22/cisa-adds-one-known-exploited-vulnerability-catalogAPT37 Artemis : https://www.genians.co.kr/en/blog/threat_intelligence/dllSoundCloud Breach : https://www.theregister.com/2025/12/16/soundcloud_cyberattack_data_leak/Chrome Phantom Shuttle : https://thehackernews.com/2025/12/two-chrome-extensions-caught-secretly.htmlSpotify Scraping : https://therecord.media/spotify-disables-scraping-annasDon’t think, patch!Your feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtenglishedition.substack.com/

  19. 61

    RadioCSIRT English Edition – Your Cybersecurity News for Monday, December 22, 2025 (Ep.58)

    Welcome to your daily cybersecurity podcast.Pornhub alerts Premium subscribers following data exposure on November 8, 2025, via analytics provider Mixpanel. Cybercriminals threaten to directly contact affected users by email. Mixpanel disputes that data originated from its November 8 security incident, stating no evidence of exfiltration from its systems. Pornhub confirms passwords, payment details, and financial information remain uncompromised, with exposure limited to a restricted set of analytics events. Attackers exploit this data for sextortion campaigns specifically targeting identified Premium users.Intezer documents a Goffee group campaign targeting Russian military personnel and defense organizations. The initial attack identified in October uses a malicious XLL file uploaded from Ukraine then Russia to VirusTotal, titled "enemy's planned targets". The file deploys EchoGather backdoor to collect system information, execute commands, and exfiltrate files to a C2 server disguised as food delivery website. Phishing lures include fake concert invitation for senior military officers and letter impersonating Russia's Ministry of Industry and Trade requesting pricing justification documents for defense contracts.CISA and NIST release draft Interagency Report 8597 on protecting identity tokens and assertions against forgery, theft, and malicious use. The document addresses recent incidents at major cloud providers targeting theft, modification, or forgery of identity tokens to access protected resources. The report covers IAM controls for systems using digitally signed assertions and tokens in access decisions. NIST requests CSPs apply Secure by Design principles, prioritizing transparency, configurability, and interoperability. Federal agencies must understand architecture and deployment models of their CSPs to align risk posture and threat environment.Check Point Research documented GachiLoader, a heavily obfuscated Node.js loader malware distributed through the YouTube Ghost Network. The campaign leverages 39 compromised accounts spreading over 100 videos targeting game cheat users, accumulating 220,000 views since December 2024. The malware implements anti-analysis checks including 4 GB minimum RAM, 2 CPU cores, and blacklists for usernames, hostnames, and running processes. GachiLoader disables Windows Defender and adds exclusions for C:\Users, C:\ProgramData, C:\Windows, and the .sys extension. Two variants have been observed: the first downloads Rhadamanthys from C2 servers, while the second deploys Kidkadi.node utilizing Vectored Overloading technique to intercept system calls and load malicious PE.Sources:Pornhub sextortion: https://www.malwarebytes.com/blog/news/2025/12/pornhub-tells-users-to-expect-sextortion-emails-after-data-exposureGoffee APT: https://therecord.media/cyber-spies-fake-new-year-concert-russian-phishingNIST/CISA tokens: https://www.cisa.gov/news-events/alerts/2025/12/22/nist-and-cisa-release-draft-interagency-report-protecting-tokens-and-assertions-tampering-theft-and GachiLoader: https://research.checkpoint.com/2025/gachiloader-node-js-malware-with-api-tracing/Don’t think, patch!Your feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtenglishedition.substack.com/

  20. 60

    RadioCSIRT English Version - Your Cybersecurity News for Sunday, December 21, 2025 (Ep.57)

    Welcome to your daily cybersecurity podcast.Most newly registered and parked domains are now serving malicious content. Analysis shows an increasing shift of domain parking services toward hosting phishing pages, fake software updates, and redirects to scam infrastructures. These domains are used as short-lived infrastructure to bypass reputation-based defenses and accelerate fraud and malware delivery campaigns.The Iranian APT group Infy has resurfaced with a new targeted campaign. Operations rely on spear-phishing emails delivering weaponized documents using political and diplomatic lures. Payloads include updated backdoors, Windows registry-based persistence mechanisms, and obfuscated HTTP(S) C2 channels, indicating a structured operational comeback.NIST has released new security guidance for the use of smart speakers in home-based telehealth environments. Identified risks include interception of unencrypted voice traffic, exposure of sensitive health data, and the use of these devices as pivot points into hospital systems. Recommended mitigations focus on encrypted communications, network segmentation, and strict access control.Sources:Malicious domain parking: https://krebsonsecurity.com/2025/12/most-parked-domains-now-serving-malicious-content/APT Infy: https://thehackernews.com/2025/12/iranian-infy-apt-resurfaces-with-new.htmlNIST smart speakers: https://www.nist.gov/news-events/news/2025/12/securing-smart-speakers-home-health-care-nist-offers-new-guidelinesDon’t think, patch!Your feedback is welcome.Email: [email protected]:https://www.radiocsirt.comWeekly Newsletter:https://radiocsirtenglishedition.substack.com/

  21. 59

    RadioCSIRT English Edition – Your Cybersecurity News for Saturday, December 20, 2025 (Ep.56)

    Welcome to your daily cybersecurity podcast.Amazon disclosed the detection of a North Korea-linked infiltration during an IT hiring process. A system administrator claimed to be US-based was identified through persistent keyboard latency exceeding 110 milliseconds to Seattle servers, indicating intercontinental remote operation. The control infrastructure was traced to China. Since April 2024, Amazon reports blocking more than 1,800 fraudulent hiring attempts linked to North Korea, with a 27 percent quarterly increase.A Russian APT actor is conducting a credential phishing campaign targeting government entities across the Baltics and the Balkans. The attacks rely on HTML attachments masquerading as PDF documents, embedding institutional decoys and fake authentication forms. Credentials are exfiltrated via formcarry.com, with consistent JavaScript and regex reuse observed since at least 2023.Microsoft confirmed a global Microsoft Teams outage impacting message delivery across all regions and clients. The incident started at 14:30 ET and was fully resolved one hour later. No indicators of malicious activity were reported.A malware campaign abuses Microsoft Office documents, SVG files, and compressed archives to compromise Windows systems. The attack chain exploits CVE-2017-11882, uses PNG steganography, and process hollowing via RegAsm.exe to deliver RATs and information stealers.ATM jackpotting attacks in the United States have been attributed to a criminal group deploying the Ploutus malware via physical access to ATMs. The tradecraft involves hard drive replacement or modification to control cash-dispensing modules. Losses are estimated to exceed $40 million since 2020.Don’t think, patch.Sources:Amazon infiltration:https://www.clubic.com/actualite-592366-amazon-infiltre-par-un-espion-nord-coreen-finalement-repere-a-cause-de-sa-frappe-clavier.htmlRussian APT phishing:https://strikeready.com/blog/russian-apt-actor-phishes-the-baltics-and-the-balkans/Microsoft Teams outage:https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-teams-is-down-and-messages-are-delayed/SVG and Office malware campaign:https://cybersecuritynews.com/hackers-weaponize-svg-files-and-office-documents/ATM jackpotting / Ploutus malware:https://www.theregister.com/2025/12/19/tren_de_aragua_atm/Your feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtenglishedition.substack.com/

  22. 58

    RadioCSIRT English Edition – Cybersecurity Daily News, Friday 19 December 2025 (Ep.55)

    Welcome to your daily cybersecurity podcast.French authorities arrested a 22-year-old individual following Interior Ministry system compromise. The intrusion exposed email accounts and confidential documents including judicial records and wanted persons databases. The attack was claimed on BreachForums. The suspect maintained network persistence for several days. Paris Prosecutor charged unauthorized access to state systems as organized group, maximum ten years imprisonment.WatchGuard published advisory WGSA-2025-00027 addressing CVE-2025-14733, critical Out-of-bounds Write in Fireware OS iked process, CVSS 9.3. Confirmed active exploitation enables remote unauthenticated code execution. Affected versions 11.10.2 through 12.11.5 and 2025.1 through 2025.1.3. WatchGuard provides four threat actor IP addresses. Patched versions available.Riot Games disclosed four CVEs affecting UEFI in ASUS, Gigabyte, MSI, ASRock motherboards. IOMMU initialization failure enables pre-boot DMA attacks. Malicious PCIe device with physical access can modify system memory before OS load. Carnegie Mellon CERT/CC confirms broad impact. Firmware updates available.Cyderes documents CountLoader 3.2 via cracked software, establishing Google-mimicking persistence every thirty minutes for ten years. Nine capabilities including USB propagation, deploying ACR Stealer. Check Point reports GachiLoader via YouTube Ghost Network, one hundred videos, 220,000 views. Deploys Kidkadi with Vectored Exception Handling PE injection, Rhadamanthys stealer as final payload.CNIL issued one million euro penalty against Mobius Solutions for unlawful retention of 46 million Deezer records post-termination. Data leaked to darknet from unsecured test environment. CNIL confirms extraterritorial GDPR application.Don't overthink it. Patch.Sources:France Arrest: https://therecord.media/france-interior-ministry-hack-arrestWatchGuard: https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027UEFI: https://www.bleepingcomputer.com/news/security/new-uefi-flaw-enables-pre-boot-attacks-on-motherboards-from-gigabyte-msi-asus-asrock/Loaders: https://thehackernews.com/2025/12/cracked-software-and-youtube-videos.htmlCNIL: https://www.zdnet.fr/actualites/fuite-massive-sur-le-darknet-la-cnil-frappe-fort-contre-un-ancien-sous-traitant-de-deezer-487023.htmYour feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtintl.substack.com

  23. 57

    RadioCSIRT English Edition – Cybersecurity Daily News, Thursday 18 December 2025 (Ep.54)

    Welcome to your daily cybersecurity podcast.The Clop ransomware group, also tracked as Cl0p, is conducting a new data theft extortion campaign targeting Internet-exposed Gladinet CentreStack servers. Ongoing investigations confirm active scanning, successful intrusions, and the placement of extortion notes on compromised systems. The initial access vector remains unidentified, raising the possibility of a zero-day vulnerability or exploitation of unpatched systems. This activity aligns with Clop’s established focus on file sharing and secure file transfer platforms.CISA has added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. CVE-2025-20393 affects multiple Cisco products through improper input validation. CVE-2025-40602 impacts SonicWall SMA1000 appliances due to a missing authorization flaw. CVE-2025-59374 targets ASUS Live Update, involving embedded malicious code within the update mechanism, highlighting a software supply chain compromise scenario.CERT-FR has issued advisory CERTFR-2025-AVI-1116 covering multiple vulnerabilities in Google Chrome. Affected versions include releases prior to 143.0.7499.146 on Linux and prior to 143.0.7499.146 or .147 on Windows and macOS. The advisory references CVE-2025-14765 and CVE-2025-14766, with limited public technical detail on the underlying impact.A critical FreeBSD vulnerability, CVE-2025-14558, enables remote code execution via crafted IPv6 Router Advertisement packets within the SLAAC mechanism. Insufficient validation of RA messages leads to command injection into an internal shell script. Exploitation requires the attacker to be present on the same network segment. The vulnerability carries a CVSS score of 9.8.North Korean cyber operations reached a record level in 2025, with more than two billion dollars in cryptocurrency stolen, according to Chainalysis. These activities combine attacks against centralized services, large-scale personal wallet compromises, and advanced social engineering operations involving fake recruiters and purported investors.FIRST Foundation highlights the operational importance of incident communications, emphasizing the role of secure alternative channels, third-party coordination mechanisms, and controlled delegation of public communications to reduce secondary risk during major cyber incidents.Finally, a coordinated operation supported by Eurojust dismantled fraudulent call centre operations in Ukraine. The transnational criminal network relied on industrial-scale social engineering techniques, with identified losses exceeding ten million euros and forty-five suspects identified across multiple countries.Don’t overthink it. Patch.Sources:Clop / Gladinet: https://www.bleepingcomputer.com/news/security/clop-ransomware-targets-gladinet-centrestack-servers-for-extortion/CISA KEV: https://www.cisa.gov/news-events/alerts/2025/12/17/cisa-adds-three-known-exploited-vulnerabilities-catalogCERT-FR Chrome: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1116/FreeBSD RCE: https://www.security.nl/posting/917946/Kritiek+beveiligingslek+in+FreeBSD+maakt+remote+code+execution+mogelijk?channel=rssDPRK Crypto: https://www.theregister.com/2025/12/18/north_korea_stole_2b_crypto_2025/FIRST Comms: https://www.first.org/blog/20251216-upskilling_communicationsEurojust Fraud: https://www.eurojust.europa.eu/news/fraudulent-call-centres-ukraine-rolledFrance Arrest: https://therecord.media/france-interior-ministry-hack-arrestYour feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtintl.substack.com

  24. 56

    RadioCSIRT English Edition – Your cybersecurity News for Wednesday, December 17, 2025 (Ep.53)

    Welcome to your daily cybersecurity podcast.CISA adds CVE-2025-59718 to its Known Exploited Vulnerabilities catalog on December 16th. The flaw affects Fortinet FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb through improper cryptographic signature verification in FortiCloud SSO SAML authentication. Unauthenticated attackers can bypass authentication via crafted SAML messages. Active exploitation confirmed. CVE-2025-59719 addresses the same underlying issue. Federal agencies face a December 23rd remediation deadline. No ransomware campaign linkage confirmed at this time.CERT-FR issues advisory CERTFR-2025-AVI-1117 concerning GLPI. Two vulnerabilities identified as CVE-2025-59935 and CVE-2025-64520 affect GLPI versions 9.1.0 through prior to 10.0.21. Risks include XSS injection and security policy bypass. Fixes available via GitHub security advisories GHSA-62p9-prpq-j62q and GHSA-j8vv-9f8m-r7jx published December 16th.Cisco reports CVE-2025-20393, a critical AsyncOS zero-day affecting Secure Email Gateway and Secure Email and Web Manager with Internet-exposed Spam Quarantine in non-standard configurations. Active exploitation since late November attributed to Chinese group UAT-9686 deploying AquaShell backdoors, AquaTunnel and Chisel reverse SSH tunnels, and AquaPurge log-clearing tools. Links identified to UNC5174 and APT41. No patch available. Cisco recommends access restriction, network segmentation, and rebuilding compromised appliances as sole eradication option.SonicWall patches CVE-2025-40602, a local privilege escalation in SMA1000 Appliance Management Console. Exploited in chain with CVE-2025-23006, a critical deserialization flaw with CVSS score 9.8 already fixed in January. Combined exploitation enables unauthenticated root remote code execution. Discovered by Google Threat Intelligence Group. Fixed version: build 12.4.3-02856 and higher. Over 950 SMA1000 appliances remain exposed according to Shadowserver.Finally, Recorded Future documents sustained APT28 phishing campaign targeting UKR.net users between June 2024 and April 2025. UKR.net-themed login pages hosted on Mocky distributed via PDF attachments in phishing emails. Links shortened via tiny.cc or tinyurl.com with some redirections through Blogger subdomains. Captures credentials and 2FA codes. Attackers transitioned to ngrok and Serveo proxy services following early 2024 infrastructure takedowns. GRU operation targeting Ukrainian intelligence collection amid ongoing conflict.Don't think, just patch!Sources:CISA KEV: https://www.cisa.gov/news-events/alerts/2025/12/16/cisa-adds-one-known-exploited-vulnerability-catalogCERT-FR: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1117/ Cisco AsyncOS: https://www.bleepingcomputer.com/news/security/cisco-warns-of-unpatched-asyncos-zero-day-exploited-in-attacks/SonicWall: https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-new-sma1000-zero-day-exploited-in-attacks/APT28: https://thehackernews.com/2025/12/apt28-targets-ukrainian-ukr-net-users.htmlYour feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtintl.substack.com

  25. 55

    RadioCSIRT English Edition – Your cybersecurity News for Tuesday, December 16, 2025 (Ep.52)

    Welcome to your daily cybersecurity podcast.QNAP discloses a high-severity authentication bypass vulnerability tracked as CVE-2025-59385. The flaw allows remote attackers to spoof authentication mechanisms and access protected resources without credentials. The issue affects QTS and QuTS hero systems and is remotely exploitable with no user interaction. Patches are available in QTS 5.2.7.3297 and QuTS hero 5.2.7 and 5.3.1 builds released on October 24.A second QNAP vulnerability, CVE-2025-62848, exposes QTS and QuTS hero systems to remote denial-of-service attacks. The issue stems from a NULL pointer dereference condition and can be triggered over the network without authentication. Successful exploitation leads to system crashes and service disruption. Fixed versions mirror those released for CVE-2025-59385.Trend Micro reveals a previously unseen controller linked to BPFDoor malware, enabling encrypted reverse shells, direct shell access, and lateral movement across Linux servers. The backdoor leverages Berkeley Packet Filter mechanisms to remain stealthy and firewall-agnostic. Activity is attributed with medium confidence to the Earth Bluecrow APT group and targets telecommunications, finance, and retail sectors across Asia and the Middle East.CISA adds two actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog. CVE-2025-14611 affects Gladinet CentreStack and Triofox via hard-coded cryptographic keys, while CVE-2025-43529 is a WebKit use-after-free flaw impacting multiple Apple products. Federal agencies are required to remediate under BOD 22-01, with strong recommendations extended to all organizations.Avast documents an emerging WhatsApp account takeover scam abusing the platform’s legitimate device-linking feature. Attackers trick users into authorizing rogue linked devices through fake verification pages, granting persistent access to conversations without stealing passwords or triggering security alerts.Finally, The Record reports major data breaches at Prosper Marketplace and 700Credit impacting nearly 20 million individuals. Exposed data includes Social Security numbers, financial records, and identity documents. Both incidents highlight ongoing systemic risks across the financial services supply chain.Don't think, just patch!Sources:CVE-2025-59385: https://cvefeed.io/vuln/detail/CVE-2025-59385CVE-2025-62848: https://cvefeed.io/vuln/detail/CVE-2025-62848BPFDoor: https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.htmlCISA KEV: https://www.cisa.gov/news-events/alerts/2025/12/15/cisa-adds-two-known-exploited-vulnerabilities-catalogWhatsApp Scam: https://blog.avast.com/blog/onlinescams/whatsapppairingscamData Breaches: https://therecord.media/data-breaches-affecting-20-million-prosper-700creditYour feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtintl.substack.com

  26. 54

    RadioCSIRT English Edition – Your cybersecurity News for Monday, December 15, 2025 (Ep.51)

    Welcome to your daily cybersecurity podcast.Horizon3.ai exposes three critical FreePBX vulnerabilities. The most severe, CVE-2025-66039 scored 9.3, enables complete authentication bypass via simple forged Authorization header. Two additional flaws provide SQL injection and PHP web shell upload for remote code execution. Patches available but require manual CLI configuration and audit of instances exposed before September.New BreachForums avatar claims major intrusion on French Interior Ministry infrastructure. Actor "Indra" asserts exfiltration of police databases TAJ and FPR with ransom demand under one-week deadline. Place Beauvau confirms email compromise and business application access. Emergency deployment of systematic two-factor authentication and password rotation. Investigation assigned to Anti-Cybercrime Office.BleepingComputer reveals how scammers hijacked PayPal infrastructure to send legitimate emails from [email protected]. Exploitation of "pause subscription" feature bypassed all spam filters enabling large-scale tech support scam campaigns. PayPal confirms loophole closure following investigation.CERT-FR issues advisory CERTFR-2025-AVI-1111 for Roundcube Webmail. Multiple XSS vulnerabilities affect versions prior to 1.5.12 and 1.6.12, enabling remote code injection and data confidentiality breach. Patches available since December 13 with immediate application recommended for all exposed webmail instances.Don't think, just patch!Sources:FreePBX: https://thehackernews.com/2025/12/freepbx-authentication-bypass-exposed.htmlInterior Ministry: https://www.zdnet.fr/actualites/lattaque-informatique-contre-le-ministere-de-linterieur-revendiquee-par-un-nouvel-avatar-de-breachforums-486636.htmPayPal: https://www.malwarebytes.com/blog/news/2025/12/paypal-closes-loophole-that-let-scammers-send-real-emails-with-fake-purchase-noticesRoundcube: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1111/ Your feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtintl.substack.com

  27. 53

    RadioCSIRT – Your Cyber Security News for Sunday, December 14, 2025 (Ep.50)

    Welcome to your daily cybersecurity podcast.Apple and Google rush to fix actively exploited Zero-Day flaws. CISA has added CVE-2025-14174 to its KEV catalog, flagging a critical memory corruption vulnerability in the Chromium engine that affects Chrome, Edge, and Brave. Simultaneously, Apple has deployed patches for this same flaw alongside CVE-2025-43529, a WebKit Use-After-Free bug. Discovered by Google's Threat Analysis Group, these vulnerabilities are currently leveraged in "extremely sophisticated" attacks allowing Remote Code Execution (RCE) on iPhones, iPads, and macOS devices via malicious web content. Updating to iOS 26.2 and the latest browser versions is mandatory to break this infection chain.CERT-FR issues a massive alert regarding the Ubuntu Linux kernel. The security advisory covers a wide array of vulnerabilities impacting every supported version, from LTS 18.04 up to intermediate releases like 25.10. These kernel-level flaws allow attackers to trigger remote Denial of Service and bypass security policies, posing a severe threat to process isolation and container environments. System administrators must not only apply the listed USN patches but must imperatively schedule production reboots to ensure the new kernel image is actually loaded into memory.A historic data leak exposes 4.3 billion professional records. Researchers have discovered an unsecured 16-terabyte MongoDB database left open to the public, containing detailed profiles likely aggregated from LinkedIn and Apollo.io. The dataset includes names, emails, phone numbers, and career histories, creating the ultimate weapon for AI-assisted social engineering. Although secured on November 25th, this exposure provides cybercriminals with the context needed to automate large-scale Spear-Phishing and Business Email Compromise (BEC) campaigns targeting Fortune 500 employees.President Trump signs an Executive Order establishing a deregulated national framework for AI. The order effectively bans states from enacting their own regulations, threatening to withhold federal funding from jurisdictions enforcing laws deemed "onerous," such as Colorado’s algorithmic bias statutes. For CISOs and GRC teams, this eliminates external legal guardrails and shifts the entire burden of model safety and ethics onto internal controls, creating an environment that prioritizes rapid innovation over safety compliance.Don't think, just patch!Sources:Apple: https://www.bleepingcomputer.com/news/security/apple-fixes-two-zero-day-flaws-exploited-in-sophisticated-attacks/CISA : https://www.cisa.gov/news-events/alerts/2025/12/12/cisa-adds-one-known-exploited-vulnerability-catalog-0CERT-FR: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1106/Data Breach: https://securityaffairs.com/185661/data-breach/experts-found-an-unsecured-16tb-database-containing-4-3b-professional-records.htmlAI Regulation: https://therecord.media/trump-executive-order-ai-national-frameworkYour feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtintl.substack.com

  28. 52

    RadioCSIRT English Edition – Saturday, December 13, 2025 (Ep.49)

    Welcome to your daily cybersecurity podcast.Palo Alto Networks Unit 42 exposes Ashen Lepus, a Hamas-affiliated APT actor active since 2018. The group deploys a new .NET modular malware suite named AshTag, targeting governmental and diplomatic entities across the Middle East with confirmed geographic expansion toward Oman and Morocco. The multi-stage infection chain initiates through Arabic-language PDF lures on Palestinian geopolitical themes. Victims download RAR archives containing a binary that side-loads the AshenLoader loader. The group abandoned its proprietary C2 infrastructure in favor of API and authentication subdomains on legitimate domains like api.healthylifefeed.com, which masks malicious traffic. The C2 architecture now integrates geofencing and anti-sandbox verification before payload delivery. Secondary modules are Base64-encoded and hidden in commented HTML tags with AES-CTR-256 encryption. Ashen Lepus uses Rclone to exfiltrate targeted diplomatic documents.Malwarebytes publishes a technical analysis on real VPN privacy following worldwide usage surge post-UK age-verification rules. The document exposes the massive gap between marketing promises and concrete implementation, particularly critical for enterprise deployments protecting sensitive data. Full infrastructure ownership eliminates uncontrolled intermediaries unlike cloud rental. RAM-only servers instantly destroy all traces upon shutdown, which cancels any physical seizure vector. WireGuard protocol drastically reduces attack surface through its minimal auditable codebase, while OpenVPN and IPSec now represent legacy technologies. The major risk for organizations comes from employees using non-validated commercial VPNs that create encrypted tunnels bypassing DLP controls and exfiltrating corporate data through third-party infrastructure never audited.Kali Linux releases version 2025.4, the final update of the year, integrating three new penetration testing tools, major desktop environment improvements, and full Wayland support on GNOME. The three new tools include bpf-linker for BPF static compilation, evil-winrm-py enabling command execution on remote Windows machines via WinRM, and hexstrike-ai allowing AI agents to autonomously execute tools through MCP server. GNOME moves to version 49 and definitively removes X11 support, now running exclusively on Wayland with full VM support for VirtualBox, VMware, and QEMU. NetHunter extends Android 16 support on Samsung Galaxy S10 and OnePlus Nord, restores terminal with interactive Magisk compatibility, and integrates Wifipumpkin3 in preview with Facebook, Instagram, iCloud, and Snapchat phishing templates.CISA adds CVE-2018-4063 to the KEV Catalog on December 12, 2025, following confirmed active exploitation. This vulnerability affects Sierra Wireless AirLink ALEOS and enables unrestricted upload of dangerous files without type or extension validation, leading to arbitrary code execution on cellular routers deployed across vehicle fleets, industrial IoT infrastructure, and M2M networks. Critical point: the CVE dates from 2018, but its late KEV inclusion confirms a resurgence of exploitation specifically targeting unpatched legacy equipment. AirLink devices provide cellular connectivity for SCADA systems, mobile payment terminals, and telematics platforms.Don't think, just patch!Sources:Unit 42: https://unit42.paloaltonetworks.com/hamas-affiliate-ashen-lepus-uses-new-malware-suite-ashtag/Malwarebytes: https://www.malwarebytes.com/blog/inside-malwarebytes/2025/12/how-private-is-your-vpnBleepingComputer: https://www.bleepingcomputer.com/news/security/kali-linux-20254-released-with-3-new-tools-desktop-updates/CISA: https://www.cisa.gov/news-events/alerts/2025/12/12/cisa-adds-one-known-exploited-vulnerability-catalog Your feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtintl.substack.com

  29. 51

    RadioCSIRT English Edition – Top 25 CWE 2025 Deep Dive – Friday, 12 December 2025 (Special Episode)

    Welcome to this special RadioCSIRT cybersecurity briefing.In this episode, we take an in-depth look at the MITRE Top 25 Common Weakness Enumerations (CWE) for 2025, moving beyond a simple ranking to analyze the structural weaknesses that continue to drive real-world compromises.This analysis focuses on how recurring flaws such as cross-site scripting, sql injection, missing authorization, memory corruption, and business logic failures remain dominant attack enablers despite years of awareness, tooling, and secure development frameworks.We examine why these weaknesses persist, how they are actually exploited in production environments, and what they reveal about systemic failures in application design, governance, and security architecture.Special attention is given to the operational impact for CERT/CSIRT and SOC teams, including:how cwe analysis supports anticipation of future vulnerabilities,why root-cause driven prioritization is more effective than cve-based triage alone,and how logic flaws and authorization failures increasingly evade automated detection.This episode also highlights key 2025 trends, including the rise of business logic vulnerabilities, the gap between modern frameworks and real implementations, and the growing weight of technical and organizational debt.A  synthesis of this analysis is available on my blog.Sources:MITRE – Top 25 CWE 2025: https://cwe.mitre.org/top25/archive/2025/2025_cwe_top25.htmlBlog : https://blog.marcfredericgomez.com/top-25-cwe-2025-technical-analysis/Your feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtintl.substack.com

  30. 50

    RadioCSIRT – Your Cybersecurity News for Wednesday, December 10th, 2025 (Ep.46)

    Welcome to your daily cybersecurity podcast.Microsoft refuses to fix a critical RCE vulnerability in the .NET framework affecting the SoapHttpClientProtocol class. Revealed at Black Hat Europe by researcher Piotr Bazydło from WatchTowr, the flaw enables arbitrary file writes through SOAP URL manipulation. Exploitation relies on unexpected support for FILE and FTP protocols by a class designed to handle HTTP only. Confirmed vulnerable products include Ivanti Endpoint Manager, Umbraco 8 CMS, and Barracuda Service Center, but the actual number of affected applications is likely massive.CERT-FR publishes advisory CERTFR-2025-AVI-1088 concerning four critical vulnerabilities in Ivanti Endpoint Manager 2024. CVE-2025-10573, CVE-2025-13659, CVE-2025-13661, and CVE-2025-13662 enable remote arbitrary code execution, security policy bypass, and XSS injection. Only versions prior to 2024 SU4 SR1 are affected. The patch has been available since December 9th, 2025.CERT-FR also issues advisory CERTFR-2025-AVI-1084 concerning 17 Fortinet security bulletins covering 18 CVEs. The entire Fortinet portfolio is affected: FortiOS, FortiProxy, FortiManager, FortiAnalyzer, FortiWeb, FortiSandbox, FortiExtender, FortiAuthenticator, FortiVoice, FortiSOAR, FortiPAM, FortiSRA, FortiSASE, FortiSwitchManager, and FortiPortal. Critical vulnerabilities include remote code execution, privilege escalation, and SQL injection.Finally, Spanish National Police arrests a 19-year-old individual in Igualada for theft and sale of 64 million personal data records from nine companies. Exfiltrated data includes DNI numbers, addresses, phone numbers, emails, and IBAN codes. The suspect used six online accounts and five pseudonyms to sell databases on underground forums. Authorities seized electronic equipment and froze a crypto wallet.We don't think, we patch!Sources:The Register: https://www.theregister.com/2025/12/10/microsoft_wont_fix_net_rce/CERT-FR: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1088/CERT-FR: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1084/The Record: https://therecord.media/spain-arrests-teen-suspect-data-theft-and-saleYour feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtintl.substack.com 

  31. 49

    RadioCSIRT - Pro-Russia Hacktivists Targeting Global Critical Infrastructure

    🚨 CRITICAL ALERT: CISA, FBI, and NSA issue joint advisory AA25-343A on December 9, 2025, warning of active campaigns by four pro-Russia hacktivist groups exploiting VNC vulnerabilities in OT/ICS systems worldwide.THREAT ACTORS IDENTIFIED:Cyber Army of Russia Reborn (CARR) - GRU Unit 74455 linkedNoName057(16) - Kremlin CISM creationZ-Pentest - CARR/NoName merger, OT-specializedSector16 - Emerging January 2025ATTACK VECTOR: Mass exploitation of exposed VNC services (ports 5900-5910) with default/weak credentials on HMI devices. Direct SCADA access causing parameter modifications, alarm disabling, and operational disruptions across water, energy, and agriculture sectors.IMMEDIATE ACTIONS:Scan external attack surface, eliminate default credentials, implement MFA, enforce IT/OT segmentation, and deploy continuous monitoring for unauthorized VNC connections.TARGET AUDIENCE:CERT, CSIRT, SOC Teams, CISOs, Critical Infrastructure OperatorsDURATION: 8 minutes of dense technical intelligencePRODUCED BY:RadioCSIRT - Daily cyber threat intelligence for operational defense teams#Cybersecurity #OT #ICS #SCADA #ThreatIntelligence #CriticalInfrastructure #CISA #InfoSec

  32. 48

    RadioCSIRT - Your Cybersecurity Update for Tuesday, 9 December 2025 (Ep.45)

    Welcome to your daily cybersecurity briefing.The UK’s NCSC has released critical guidance regarding Generative AI security, warning that treating Prompt Injection like SQL Injection is a dangerous misconception. Unlike traditional databases, LLMs lack a rigid boundary between instructions and data, creating an "Inherently Confusable Deputy" problem. The agency advises that the only effective mitigation is architectural: strictly restricting the privileges of tools accessible by the AI, rather than relying on input filters.A critical authentication bypass vulnerability has been discovered in the Ruby SAML library. Tracked as CVE-2025-25293, the flaw allows attackers to exploit XML parsing differences to forge valid signatures via XML Signature Wrapping. Organizations relying on this library for Single Sign-On must upgrade to version 1.18.0 immediately to prevent unauthorized access.Polish police have arrested three Ukrainian nationals in Warsaw found in possession of sophisticated hardware hacking equipment, including Flipper Zero devices, radio antennas, and counter-surveillance tools. The seizure points to potential "Close Access" operations targeting critical defense infrastructure and telecommunications networks physically.Threat actor Storm-0249 is escalating its tactics, shifting from simple access brokerage to advanced ransomware preparation. The group is now employing "ClickFix" social engineering and DLL side-loading techniques—specifically targeting SentinelOne agents—to steal system identifiers (MachineGuid) and maintain persistence.Swiss hosting provider Infomaniak has launched "Euria," a sovereign AI alternative to US-based models. Hosted in Switzerland and powered by renewable energy, the platform guarantees that user data is never used for model training, offering a compliant solution for handling sensitive enterprise data without Cloud Act exposure.The Australian Signals Directorate (ASD) is warning of a global surge in Infostealer malware activity. These threats are evolving beyond credential theft to mass-exfiltrate session cookies, effectively bypassing Multi-Factor Authentication (MFA) and serving as a primary entry vector for corporate network breaches.Finally, a reminder that today is the last Patch Tuesday of the year. Expect critical updates from Microsoft today.Don’t Think – Patch Now!Sources:NCSC UK: https://www.ncsc.gov.uk/blog-post/prompt-injection-is-not-sql-injectionCyberPress: https://cyberpress.org/critical-ruby-saml-flaw/Warsaw Police: https://srodmiescie.policja.gov.pl/rs/aktualnosci/145521,Podrozowali-po-Europie-z-detektorem-urzadzen-szpiegowskich-i-sprzetem-hakerskim.htmlSecurity Affairs: https://securityaffairs.com/185480/cyber-crime/polish-police-arrest-3-ukrainians-for-possessing-advanced-hacking-tools.htmlThe Hacker News: https://thehackernews.com/2025/12/storm-0249-escalates-ransomware-attacks.htmlGoodTech: https://goodtech.info/euria-ia-gratuite-suisse-alternative-chatgpt-chauffage/Cyber.gov.au (ASD): https://www.cyber.gov.au/about-us/view-all-content/news/information-stealers-are-on-the-rise-are-you-at-riskPatch Tuesday Microsoft: https://blog.marcfredericgomez.com/december-2025-patch-tuesday-analysis/Your feedback is welcome.Email: [email protected]:https://www.radiocsirt.comWeekly Newsletter:https://radiocsirtintl.substack.com

  33. 47

    RadioCSIRT English Edition – Your Cybersecurity Update for Monday, 8 December 2025 (Ep.44)

    Welcome to your daily cybersecurity briefing.CERT-FR has issued a security advisory regarding a vulnerability affecting the MISP threat-intelligence platform. Under specific configurations, the flaw may allow unauthorized access to internal components or data. Organizations relying on MISP are strongly encouraged to apply the recommended patches without delay to mitigate potential exploitation.CERT-FR has also released a warning for iPhone users following the identification of active exploitation campaigns using sophisticated exploit chains capable of achieving remote code execution. Devices lacking the latest security updates are especially vulnerable, highlighting the necessity of rapid patch deployment across Apple ecosystems.Google Chrome is introducing a new security layer designed to reinforce protections around Gemini-powered agentic browsing. This additional safeguard aims to prevent malicious websites from manipulating automated AI-driven actions during complex web interactions, strengthening overall browser security in environments relying on AI navigation.A service outage affecting Porsche’s connected-vehicle ecosystem in Russia is drawing attention to the systemic risks inherent in modern automotive platforms. The incident underscores the growing dependency on digital infrastructure for critical operational functions and the potential impact of disruptions on both safety and service availability.Don’t Think – Patch Now! Sources:CERT-FR: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1076/CERT-FR: https://www.cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-010/BleepingComputer: https://www.bleepingcomputer.com/news/security/google-chrome-adds-new-security-layer-for-gemini-ai-agentic-browsing/SecurityAffairs: https://securityaffairs.com/185398/security/porsche-outage-in-russia-serves-as-a-reminder-of-the-risks-in-connected-vehicle-security.htmlYour feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtintl.substack.com

  34. 46

    RadioCSIRT English Edition – Your Cybersecurity Update for Sunday, 7 December 2025 (Ep.43)

    Welcome to your daily cybersecurity briefing.The FBI has issued a public service announcement regarding the evolution of "virtual kidnapping" scams, where criminals are now using AI-altered images from social media to fabricate proof-of-life. By manipulating photos to depict physical harm or captivity, threat actors are successfully pressuring families into paying ransoms for loved ones who are actually safe, marking a dangerous shift in extortion tactics.Threat actors are actively exploiting a command injection vulnerability in Array Networks AG Series VPNs to implant webshells and establish persistence. Critical to note is that while the vendor patched this flaw in May, no CVE identifier was assigned, leaving many organizations blind to the risk as automated vulnerability scanners fail to detect the unpatched appliances.A sophisticated new Android banking trojan dubbed "FvncBot" has been detected in the wild, utilizing custom code rather than leaked sources. The malware distinguishes itself by using H.264 video streaming to bypass standard anti-screen-capture protections (FLAG_SECURE), allowing attackers to steal credentials and remotely control devices in near real-time.New research indicates that 97% of U.S. medical professionals have their personal home addresses and family details exposed on people-search databases. This massive leak of Personally Identifiable Information (PII) significantly escalates physical security risks for healthcare staff, enabling targeted harassment and doxxing by disgruntled patients or hostile actors.Mozilla is officially terminating its Monitor Plus partnership with privacy vendor Onerep following a critical third-party risk management failure. The decision comes after investigations revealed that the founder of the privacy service—hired to remove users from data broker lists—was simultaneously operating an active people-search data broker business.Don’t Think – Patch Now!Sources:BleepingComputer: https://www.bleepingcomputer.com/news/security/fbi-warns-of-virtual-kidnapping-ransom-scams-using-altered-social-media-photos/BleepingComputer: https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-arrayos-ag-vpn-flaw-to-plant-webshells/CyberPress: https://cyberpress.org/android-users-hit-by-fvncbot-malware/HelpNetSecurity: https://www.helpnetsecurity.com/2025/12/05/incogni-healthcare-staff-data-exposure-report/KrebsOnSecurity: https://krebsonsecurity.com/2025/11/mozilla-says-its-finally-done-with-two-faced-onerep/Your feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtintl.substack.com

  35. 45

    RadioCSIRT English Edition – Your Cybersecurity Update for Saturday, 6 December 2025 (Ep.42)

    Welcome to your daily cybersecurity briefing.The Australian Cyber Security Centre has released new guidance for critical infrastructure regarding the secure integration of Artificial Intelligence into Operational Technology environments. This strategic framework aims to help organizations anticipate physical safety risks caused by algorithmic automation in industrial systems.CERT-FR (ANSSI) has issued a series of security advisories (AVI-1062 to 1067) flagging multiple critical vulnerabilities requiring immediate attention. System administrators are urged to consult the official feed to identify affected products within their fleets and apply corrective measures without delay.Barts Health NHS Trust has confirmed a leak of administrative data following the exploitation of an Oracle E-Business Suite zero-day flaw by the Clop ransomware gang. While patient medical records remain unaffected, this incident highlights the persistent threat targeting vital ERP components in the healthcare sector.A maximum severity vulnerability (CVSS 10.0) has been discovered in Apache Tika, a content analysis tool ubiquitous in solutions like Solr and Elasticsearch. This XXE flaw allows attackers to execute code via malicious PDF files, necessitating an emergency update of the "tika-core" library.Asus has admitted that a cyberattack against one of its third-party suppliers exposed source code for its smartphone camera modules. The Everest group claims to have stolen one terabyte of data, illustrating once again how the supply chain remains a prime vector for accessing the intellectual property of tech giants.Don’t Think – Patch Now!Sources:Australian Cyber Security Centre: https://www.cyber.gov.au/about-us/view-all-content/news/new-guidance-for-critical-infrastructure-on-integrating-ai-securely-into-operational-technology-environmentsCERT-FR (Advisory 1062): https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1062/CERT-FR (Advisory 1063): https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1063/CERT-FR (Advisory 1064): https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1064/CERT-FR (Advisory 1067): https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1067/BleepingComputer: https://www.bleepingcomputer.com/news/security/barts-health-nhs-discloses-data-breach-after-oracle-zero-day-hack/Security Affairs: https://securityaffairs.com/185363/security/maximum-severity-xxe-vulnerability-discovered-in-apache-tika.htmlThe Register: https://www.theregister.com/2025/12/05/asus_supplier_hack/Your feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtintl.substack.com

  36. 44

    RadioCSIRT - Your Cybersecurity Update for Friday, 5 December 2025 (Ep.41)

    Welcome to your daily cybersecurity briefing.Cloudflare has attributed today's major service outage to the deployment of an emergency patch intended to mitigate the critical "React2Shell" vulnerability. The incident highlights the delicate balance between security responsiveness and operational stability: the attempt to rapidly mitigate an active flaw resulted in a global software regression, serving as a stark reminder that even the most robust infrastructures remain vulnerable to the side effects of precipitated updates.CISA has updated its Known Exploited Vulnerabilities (KEV) catalog and simultaneously released technical analysis report AR25-338a. This new entry imposes a strict remediation timeline for federal agencies, signaling active exploitation in the wild. The associated report provides defenders with crucial Indicators of Compromise (IoCs) and observed tactics, which are indispensable for strengthening detection and response against this specific threat.CERT-FR, the French National Cybersecurity Agency, has issued a security advisory regarding multiple vulnerabilities affecting the PostgreSQL database management system. These flaws, if exploited, could allow a remote or local attacker to compromise data confidentiality and integrity, or trigger a denial of service. Database administrators are urged to apply security patches without delay to protect production instances.The "smishing" landscape is evolving dangerously as the holiday season approaches, according to an analysis by Brian Krebs. Cybercriminals are gradually pivoting away from classic package delivery lures to focus on more targeted scenarios, such as expiring loyalty points, fake tax adjustments, and online retailer impersonation. This shift toward financial and administrative pretexts aims to maximize click-through rates by leveraging urgency and the fear of financial loss.Don’t Think – Patch Now! Sources:https://www.bleepingcomputer.com/news/security/cloudflare-blames-todays-outage-on-emergency-react2shell-patch/https://www.cisa.gov/news-events/alerts/2025/12/05/cisa-adds-one-known-exploited-vulnerability-cataloghttps://www.cisa.gov/news-events/analysis-reports/ar25-338ahttps://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1061/https://krebsonsecurity.com/2025/12/sms-phishers-pivot-to-points-taxes-fake-retailers/Your feedback is welcome.Email: [email protected]:https://www.radiocsirt.comWeekly Newsletter:https://radiocsirtintl.substack.com

  37. 43

    RadioCSIRT English Edition – Your Cybersecurity Update for Wednesday, 3 December 2025 (Ep.39)

    Welcome to your daily cybersecurity briefing.DeepSeek Releases V3.2 Open Source Model Rivaling GPT-5 The Chinese AI startup DeepSeek has officially released its V3.2 and V3.2-Speciale models under a fully permissive MIT license. Claiming to outperform GPT-5 in reasoning tasks, the release utilizes a novel "Sparse Attention" architecture to maximize efficiency, marking a significant shift in the open-source AI landscape.CISA Adds Android Framework Flaws to KEV CatalogCISA has updated its Known Exploited Vulnerabilities (KEV) catalog with two critical flaws affecting the Android Framework. The vulnerabilities, involving privilege escalation and information disclosure, are currently being exploited in the wild, requiring immediate attention from federal agencies and mobile fleet managers.CERT-FR Warns of Critical Python Denial of Service RisksFrance's CERT-FR has issued an alert regarding multiple vulnerabilities within the Python runtime environment. These flaws allow remote attackers to trigger Denial of Service (DoS) conditions on unpatched systems, threatening the availability of backend infrastructure and web applications relying on the language.Microsoft Silently Mitigates Windows LNK Zero-DayMicrosoft has deployed a silent mitigation for a high-severity LNK vulnerability (CVE-2025-9491) actively exploited by state-sponsored groups. The update changes how shortcut target fields are displayed to reveal malicious whitespace padding, though experts warn it does not fully block the execution of malicious payloads.Critical Security Advisory Issued for Next.js FrameworkA new security advisory has been published for Next.js, the popular React framework. The vulnerability, detailed in a GitHub Security Advisory, poses risks to applications using affected versions. Developers are urged to review the disclosure and upgrade their dependencies to the latest stable release immediately.Don’t Think – Patch Now!Sources:GitHub – DeepSeek V3.2 Release https://github.com/deepseek-ai/DeepSeek-V3.2-ExpCISA – KEV Catalog Update https://www.cisa.gov/news-events/alerts/2025/12/02/cisa-adds-two-known-exploited-vulnerabilities-catalogCERT-FR – Python Vulnerability Alert https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1060/BleepingComputer – Microsoft LNK Mitigation https://www.bleepingcomputer.com/news/microsoft/microsoft-mitigates-windows-lnk-flaw-exploited-as-zero-day/GitHub – Next.js Security Advisory https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mpYour feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtintl.substack.com

  38. 42

    RadioCSIRT English Edition – Your Cybersecurity Update for Tuesday, 2 December 2025 (Ep.38)

    Welcome to your daily cybersecurity briefing.Raspberry Pi Raises Prices Amid Rising Production CostsRaspberry Pi has announced a price increase across several models, citing sustained rises in manufacturing and component costs. The company explains that it can no longer absorb global supply chain pressures. The adjustment will particularly impact integrators, IoT builders, and embedded system deployments relying on low-cost hardware.Massive Coupang Data Breach Exposes 337 Million IndividualsE-commerce giant Coupang has confirmed a major data breach affecting approximately 337 million users. Exposed data includes personal identification details, contact information, and other sensitive records. The scale of the incident poses significant risks of fraud, identity theft, and highly targeted phishing operations.Advanced Steganography Techniques Emerge in the WildA new analysis highlights the emergence of highly advanced steganography methods used to conceal malicious payloads within multimedia content. These refined techniques improve stealth, evade conventional detection tools, and offer threat actors new covert channels for exfiltration and command-and-control.India Orders Phone Makers to Pre-Install Government AppsThe Indian government has issued a directive requiring smartphone manufacturers to pre-install official government applications on all devices sold in the country. The decision raises serious concerns around privacy, data collection, user autonomy, and broader digital sovereignty implications.Don’t Think – Patch Now!Sources:01net – Raspberry Pi Price Increasehttps://www.01net.com/actualites/hausse-des-couts-raspberry-pi-na-pas-dautre-choix-que-daugmenter-les-prix-de-ses-petits-ordinateurs.htmlBleepingComputer – Coupang Data Breachhttps://www.bleepingcomputer.com/news/security/retail-giant-coupang-suffers-data-breach-impacting-337-million-people/CyberPress – Advanced Steganographyhttps://cyberpress.org/advanced-steganography/The Hacker News – India Orders Pre-Installed Appshttps://thehackernews.com/2025/12/india-orders-phone-makers-to-pre.htmlYour feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtintl.substack.com

  39. 41

    RadioCSIRT English Edition – Your Cybersecurity Update for Monday, 1 December 2025 (Ep.37)

    Welcome to your daily cybersecurity briefing.Mattermost Patches Silent Security FlawCERT-FR reports an "unspecified security issue" in Mattermost Server (MMSA-2025-00545). While technical details remain undisclosed by the vendor, the vulnerability impacts multiple branches including 10.11, 10.12, 11.0, and 11.1. Given the platform's role in centralizing sensitive internal communications, administrators are urged to apply the November 27th updates immediately.Security Policy Bypass in Stormshield VPN ClientA logic flaw identified as CVE-2025-11955 affects the Stormshield Network VPN Client (v7.5.109). This vulnerability allows local users or attackers to bypass security policies enforced by the administrator, effectively neutralizing network restrictions and compliance rules on the endpoint.VMware Tanzu & Stemcells Massive Security OverhaulVMware has released a critical sweep of updates for Tanzu Platform and Ubuntu Stemcells (Jammy/Noble) to address a massive backlog of vulnerabilities dating as far back as 2022. Running outdated builds exposes application workloads to dozens of known CVEs, requiring an immediate upgrade to the November 30th releases.Critical RCE and DoS Vulnerabilities in ZabbixZabbix has issued alerts for severe vulnerabilities affecting both Agents (specifically on AIX) and Servers across versions 6.0 through 7.4. The flaws expose infrastructure to Arbitrary Code Execution, Denial of Service, and security bypass. Due to the high privileges and visibility of monitoring systems, this is a critical priority for patching.Don’t Think – Patch Now !Listen to the full show hereSources: CERT-FR – Mattermost Advisory https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1052/CERT-FR – Stormshield VPN Advisory https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1053/CERT-FR – VMware Tanzu Advisory https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1054/CERT-FR – Zabbix Advisory https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1055/Your feedback is welcome. Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtintl.substack.com

  40. 40

    RadioCSIRT – Your Cybersecurity Update for Saturday, 29 November 2025 (Ep.35)

    Welcome to your daily cybersecurity briefing.CVSS v4.0 – Understanding the New Vulnerability Scoring ModelA new analysis from Malwarebytes provides a clear breakdown of CVSS v4.0, detailing how the updated framework shifts focus toward exploitability, environmental modifiers, and attacker utility. The article highlights changes in severity interpretation, granularity in attack requirements, and the impact of supplemental metrics—key for vulnerability prioritization across CERT, SOC, and risk teams.Tomiris Deploys New Malware ToolsKaspersky researchers have identified new components in the Tomiris malware ecosystem, including updated loaders and covert communications modules. These additions reinforce Tomiris’ operational overlap with Turla-linked activity while demonstrating improvements in stealth, modularity, and long-term persistence tactics used across Central Asian and Middle Eastern networks.CISA Adds New KEV EntryCISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. The advisory stresses active exploitation in the wild and mandates federal agencies to apply mitigation measures before the deadline. The alert underscores CISA’s continued emphasis on exploitation-based risk scoring and operational directives for rapid patching.Legacy Python Bootstrap Scripts Create Supply Chain ExposureA report from The Hacker News warns that outdated Python bootstrap scripts used in legacy automation pipelines can introduce severe supply chain weaknesses. The issue stems from insecure dependency retrieval mechanisms, outdated hashing practices, and implicit trust in remote package sources—raising the risk of tampering and malicious code injection in CI/CD environments.Don’t Think – Patch Now.Sources:Malwarebytes – CVSS v4.0 -  https://www.malwarebytes.com/blog/news/2025/11/how-cvss-v4-0-works-characterizing-and-scoring-vulnerabilitiesSecurelist – Tomiris - https://securelist.com/tomiris-new-tools/118143/CISA – KEV Catalog Update - https://www.cisa.gov/news-events/alerts/2025/11/28/cisa-adds-one-known-exploited-vulnerability-catalogThe Hacker News – Python Bootstrap Risk - https://thehackernews.com/2025/11/legacy-python-bootstrap-scripts-create.htmlYour feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtintl.substack.com

  41. 39

    RadioCSIRT – Your Cybersecurity Update for Friday, 28 November 2025 (Ep.34)

    Welcome to your daily cybersecurity briefing.CISA & Commercial Spyware Targeting Messaging AppsFollowing a joint alert by CISA, a technical breakdown reveals how multiple threat actors use QR-based session hijacking, zero-click exploits, and fake apps to compromise end-to-end encrypted messaging platforms such as Signal and WhatsApp. Victims include senior officials and civil society actors across the U.S., Europe, and the Middle East.ORCA Initiative from Linux FoundationThe Linux Foundation has announced the creation of ORCA, a new Open Robust Compartmentalization Alliance aiming to promote memory safety and software isolation primitives. Key members include Microsoft, Google, Arm, and defense actors such as RTX and DARPA, focusing on securing toolchains for C, C++, and Rust.Dell ControlVault2 & GL.iNet FlawsCisco Talos has disclosed vulnerabilities in Dell ControlVault2 and GL.iNet firmware affecting hardware security and OpenWRT-based VPN routers respectively. Exploits include heap overflows and race conditions. Patches are pending for multiple devices.Poland Arrests Russian HackerPolish authorities have detained a Russian citizen linked to several intrusions against defense and public institutions. The individual is suspected of operating within a pro-Russian cybercriminal network supporting disinformation campaigns in Eastern Europe.TOR Network Introduces Counter-Galois EncryptionThe Tor Project is migrating from AES to a new encryption primitive called Counter-Galois (cgMul), developed specifically for onion-routing contexts. The move is intended to harden Tor nodes against speculative execution attacks and improve cryptographic agility.Rey, Administrator of Scattered LAPSUS$ Hunters, UnmaskedKrebsOnSecurity has confirmed the identity of “Rey,” administrator of the Scattered LAPSUS$ Hunters Telegram channel and operator behind the ShinySp1d3r ransomware-as-a-service. Rey is a 15-year-old linked to past defacements and BreachForums activity. Despite claiming cooperation with law enforcement, he remains active within SLSH.Don’t Think – Patch Now.Sources:CISA – Spyware & Messaging Appshttps://blog.marcfredericgomez.com/spyware-targeting-secure-mobile-messaging-applications/ Linux Foundation – ORCAhttps://www.linuxfoundation.org/press/linux-foundation-launches-the-open-robust-compartmentalization-alliance-orca-to-advance-software-security Cisco Talos – Dell / GL.iNethttps://blog.talosintelligence.com/dell-controlvault-lasso-gl-inet-vulnerabilities/The Record – Arrest in Polandhttps://therecord.media/poland-detains-russian-citizen-accused-of-hacks BleepingComputer – Tor Encryption Updatehttps://www.bleepingcomputer.com/news/security/tor-switches-to-new-counter-galois-onion-relay-encryption-algorithm/ KrebsOnSecurity – SLSH / Reyhttps://krebsonsecurity.com/2025/11/meet-rey-the-admin-of-scattered-lapsus-hunters/Your feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtintl.substack.com

  42. 38

    RadioCSIRT – Your Cybersecurity Update for Thursday, 27 November 2025 (Ep.33)

    Welcome to your daily cybersecurity briefing.CERT-FR: Advisory 2025-AVI-1042CERT-FR has issued a new advisory describing several critical vulnerabilities impacting Gitlab.RomCom via SocGholishArctic Wolf reports a campaign in which the RomCom threat group leveraged the SocGholish delivery infrastructure for the first time to deploy a targeted Mythic loader. The intrusion targeted a U.S. company indirectly connected to Ukraine, highlighting the evolving infection chains associated with GRU Unit 29155.ShadowV2 IoT BotnetFortinet has analyzed ShadowV2, a Mirai-based IoT botnet observed exclusively during the major AWS outage in October. The botnet exploited at least eight vulnerabilities across devices from D-Link, TP-Link, DigiEver, TBK, and others. Activity targeted routers, NAS systems, and DVRs across multiple sectors, with global impact.Don’t Think – Patch Now !Sources:CERT-FR – 2025-AVI-1042https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1042/Arctic Wolf – RomCom / SocGholish https://arcticwolf.com/resources/blog/romcom-utilizing-socgholish-to-deliver-mythic-agent-to-usa-companies-supporting-ukraine/BleepingComputer – ShadowV2 Botnet https://www.bleepingcomputer.com/news/security/new-shadowv2-botnet-malware-used-aws-outage-as-a-test-opportunity/Your feedback is welcome.Email: [email protected]: https://www.radiocsirt.comWeekly Newsletter: https://radiocsirtintl.substack.com

  43. 37

    RadioCSIRT – Your Cybersecurity Update for Wednesday, 26 November 2025 (Ep.32)

    Welcome to your daily cybersecurity briefing.💻 JackFix: Fake Windows Update Malware – A new campaign is distributing the JackFix malware through fake Windows Update pop-ups, enabling payload execution and stealthy installation of persistent backdoors.🇫🇷 CERT-FR: PrimX Targeted – CERT-FR has issued an advisory detailing a compromise affecting PrimX, involving a vulnerability that allows security bypass and unauthorized access to protected data.🐦 X / Twitter: Massive Internal Exposure – A misconfiguration at X exposed a wide range of internal metadata, service identifiers, and backend endpoints, revealing the scale of the platform’s internal systems.🇷🇺 Russia & North Korea: Coordinated Operations – New reporting highlights increased collaboration between Russian and North Korean APT groups conducting joint cyber-espionage operations.🍎 macOS: Flexible Ferret Malware – Fake LinkedIn job offers are being used to deliver Flexible Ferret, a macOS malware capable of stealing tokens, browser data and sensitive user information.🛡️ Cobalt Strike 4.12 Released – The latest Cobalt Strike update includes hardened Beacon behavior, improved evasion techniques, and expanded support for offensive infrastructure setups.🇷🇺 Russia: Tech Entrepreneur Arrested – Authorities have arrested a Russian tech entrepreneur on charges of treason, alleging that he transferred sensitive information to a foreign state.📶 ASUS AiCloud: Critical Auth Bypass – ASUS warns of a critical authentication bypass affecting multiple AiCloud router models, allowing attackers to fully compromise affected devices.🤖 NVIDIA DGX Spark: CVE-2025-33187 – A critical flaw (CVSS 9.3) in NVIDIA DGX Spark exposes AI model secrets and enables full system takeover due to a memory isolation failure.📡 Huawei & State Surveillance – New analysis details how Huawei’s ecosystem supports large-scale surveillance capabilities through partnerships and integration in critical infrastructures.🚨 OnSolve CodeRED: Emergency Alerts Down – A cyberattack on OnSolve has disrupted CodeRED emergency alert systems, preventing the broadcast of critical public safety notifications.⚡ Don’t Think – Patch Now and ask later.📚 Sources:🔗 JackFix – The Hacker Newshttps://thehackernews.com/2025/11/jackfix-uses-fake-windows-update-pop.html🔗 CERT-FR – PrimXhttps://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1038/🔗 X Exposure – Weaponized Spaceshttps://weaponizedspaces.substack.com/p/x-just-accidentally-exposed-a-vast🔗 Russia / North Korea Operations – CyberPresshttps://cyberpress.org/russia-north-korea-hackers/🔗 Flexible Ferret – Malwarebyteshttps://www.malwarebytes.com/blog/news/2025/11/fake-linkedin-jobs-trick-mac-users-into-downloading-flexible-ferret-malware🔗 Cobalt Strike 4.12 – CyberPresshttps://cyberpress.org/cobalt-strike-4-12-released/🔗 Russia Arrest – The Recordhttps://therecord.media/russia-arrests-tech-entrepreneur-treason🔗 ASUS AiCloud – BleepingComputerhttps://www.bleepingcomputer.com/news/security/asus-warns-of-new-critical-auth-bypass-flaw-in-aicloud-routers/🔗 NVIDIA DGX Spark – SecurityOnlinehttps://securityonline.info/critical-patch-nvidia-dgx-spark-flaw-cve-2025-33187-cvss-9-3-exposes-ai-secrets-to-takeover/🔗 Huawei Surveillance – Schneierhttps://www.schneier.com/blog/archives/2025/11/huawei-and-chinese-surveillance.html🔗 OnSolve CodeRED – Security Affairshttps://securityaffairs.com/185075/cyber-crime/emergency-alerts-go-dark-after-cyberattack-on-onsolve-codered.html📞 Your feedback is welcome!📧 Email: [email protected]🌐 Website: https://www.radiocsirt.com📰 Weekly Newsletter: https://radiocsirtintl.substack.com

  44. 36

    RadioCSIRT – Your Cybersecurity Update for Tuesday, 25 November 2025 (Ep.31)

    Welcome to your daily cybersecurity briefing.💸 FBI: Bank Impersonation Alert – The FBI reports that cybercriminals have stolen $262 million since January by impersonating bank support teams through sophisticated vishing and smishing campaigns.📉 Microsoft: Exchange Online Outage – A major service disruption in North America is blocking access to Outlook mailboxes, caused by a configuration change that Microsoft is currently rolling back.🐛 Supply Chain: Shai-Hulud Worm – A self-replicating worm has infected over 800 npm packages, modifying package.json scripts to exfiltrate AWS and GitHub secrets to external servers.🦊 Mozilla: Critical Patch Released – Mozilla addresses CVE-2025-13016 in Firefox and Thunderbird, a critical vulnerability allowing remote code execution via malicious animation timelines.🎓 Harvard: Vishing Data Breach – The university confirms a data breach exposing donor contact details after attackers impersonated IT support to gain remote control of an employee's workstation.⚡ Don’t Think - Patch Now and ask later. 📚 Sources: 🔗 Bleeping Computer https://www.bleepingcomputer.com/news/security/fbi-cybercriminals-stole-262-million-by-impersonating-bank-support-teams-since-january/🔗 Bleeping Computer (Microsoft) https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-online-outage-blocks-access-to-outlook-mailboxes/🔗 Blog Marc-Frédéric Gomez https://blog.marcfredericgomez.fr/shai-hulud-un-ver-npm-infecte-plus-de-800-packages-et-exfiltre-des-secrets-sur-github/🔗 HackRead https://hackread.com/update-firefox-patch-cve-2025-13016-vulnerability/🔗 Security Affairs https://securityaffairs.com/185034/security/harvard-reports-vishing-breach-exposing-alumni-and-donor-contact-data.html📞 Your feedback is welcome!📧 Email: [email protected]🌐 Website: https://www.radiocsirt.com📰 Weekly Newsletter: https://radiocsirtintl.substack.com

  45. 35

    RadioCSIRT – Your Cybersecurity Update for Monday, 24 November 2025 (Ep.30)

    Welcome to your daily cybersecurity briefing.🛡️ CERT-UA Alert: official update released – CERT-UA publishes an expanded update detailing malicious activity targeting educational and public-sector infrastructures, including new technical insights and reinforced hardening recommendations.🧪 CERT-FR: new security advisory – CERT-FR issues a refreshed advisory regarding ongoing vulnerability analysis, highlighting potential operational risks affecting both Windows and Linux environments depending on configuration.✈️ CERT-FR: additional security notice – A second CERT-FR advisory stresses the need for immediate mitigation actions due to the possibility of opportunistic exploitation associated with certain flaws with SYNOLOGY NAS.🔐 NCSC: guidance for selecting an MSP – The NCSC releases updated recommendations to help organisations choose a trustworthy Managed Service Provider, with emphasis on baseline security controls, operational resilience and supply-chain risk management.⚡ Don’t Think - Patch Now  and ask later.📚 Sources:🔗 CERT-UA – Official updatehttps://cert.gov.ua/article/6286219🔗 CERT-FR – Advisory CERTFR-2025-AVI-1035 - SYNOLOGYhttps://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1035/🔗 CERT-FR – Advisory CERTFR-2025-AVI-1036 - TANZU VMWarehttps://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1036/🔗 NCSC – Choosing a Managed Service Providerhttps://www.ncsc.gov.uk/guidance/choosing-a-managed-service-provider-msp📞 Your feedback is welcome!📧 Email: [email protected]🌐 Website: https://www.radiocsirt.com📰 Weekly Newsletter: https://radiocsirtintl.substack.com#CyberSecurity #CERTFR #CERTUA #NCSC #MSP #SupplyChainSecurity #RadioCSIRT

  46. 34

    RadioCSIRT – Your Cybersecurity Update for Sunday, November 23, 2025 (Ep.29)

    Welcome to your daily cybersecurity podcast.🛡️ Bulletproof hosting: new national guidance – The Australian Cyber Security Centre releases updated recommendations to mitigate risks posed by “bulletproof hosting” providers frequently used by cybercriminals to evade law-enforcement and defensive actions.🧪 Wireshark vulnerabilities patched – CERT-FR publishes an advisory detailing several flaws in Wireshark, some of which may trigger denial-of-service conditions or application crashes when parsing specially crafted packets.✈️ Iberia discloses customer data leak – The Spanish airline confirms a data breach originating from a compromised vendor, exposing personal information, identifiers, and travel-related details of customers.🔐 Azure Bastion security flaw – A critical weakness affecting Azure Bastion may allow security bypass, potentially exposing cloud environments that lack proper isolation or configuration.🛠️ Metasploit adds FortiWeb zero-day exploit – The Metasploit framework now includes an exploit for an unpatched zero-day vulnerability in FortiWeb, increasing the risk for organizations running unprotected Fortinet appliances.⚡️ Don’t think — patch! 🚀📚 Sources:🔗 Guidance – Australian Cyber Security Centrehttps://www.cyber.gov.au/about-us/view-all-content/news/new-guidance-for-mitigating-risks-from-bulletproof-hosting-providers🔗 CERT-FR – Wireshark Vulnerabilities (CERTFR-2025-AVI-1026)https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1026/🔗 Iberia – Vendor Security Breachhttps://www.bleepingcomputer.com/news/security/iberia-discloses-customer-data-leak-after-vendor-security-breach/🔗 Azure Bastion Vulnerabilityhttps://cybersecuritynews.com/azure-bastion-vulnerability/🔗 Metasploit – FortiWeb Zero-day Exploithttps://cyberpress.org/metasploit-framework-updated-with-exploit-for-fortiweb-zero-day/📞 Your feedback is welcome!📧 Email: [email protected]🌐 Website: https://www.radiocsirt.com📰 Weekly Newsletter: https://radiocsirtintl.substack.com#CyberSecurity #Wireshark #Azure #Iberia #Fortinet #Metasploit #CloudSecurity #BulletproofHosting #RadioCSIRT 🎧

  47. 33

    RadioCSIRT - How Digital Taxes Increase Cyber Risk: A Strategic Analysis (Ep. 28)

    Episode Description:In this episode of RadioCSIRT, we examine how rising digital taxes are reshaping the cyber threat landscape. While taxation and cybersecurity may seem unrelated, the financial pressure created by digital taxes can significantly weaken organizational defenses — expanding the attack surface and creating opportunities for cybercriminals.This episode covers:• Budget impacts and the reduction of security capabilities• Growth of ransomware, phishing and legacy-system exploitation• Supply-chain weak points amplified by economic pressure• Case studies from the UK, Brazil and India• Key lessons for CISOs, SOC teams and policymakersA concise, fact-driven analysis designed for cybersecurity professionals who want to understand the economic forces influencing modern threat behavior.

  48. 32

    RadioCSIRT – Your cybersecurity update for Saturday, November 22, 2025 (Ep. 27)

    Welcome to your daily cybersecurity podcast.🚨 Active exploitation – Oracle Identity Manager: CISA warns that a remote code execution vulnerability in Oracle Identity Manager is being actively exploited, putting IAM infrastructures at immediate risk.🛠️ SolarWinds Serv-U under fire: Two critical vulnerabilities impact Serv-U, potentially allowing attackers to fully compromise targeted servers.📨 SonicWall issues emergency patches: The vendor releases fixes for two flaws in its Email Security appliances, including a code execution bug (CVE-2025-40604).🚆 Massive data breach in Italy: The Italian railway operator Ferrovie dello Stato suffers a major data leak following an attack on contractor Almaviva.📊 Critical CVSS 10 flaw: Grafana patches a SCIM vulnerability rated 10/10, which could allow total compromise if left unpatched.🏢 ShinyHunters strikes again: Salesforce and Gainsight hit by a new data breach attributed to the group, with confirmed data exfiltration.⚡️ Don’t think—patch! 🚀📚 Sources:🔗 Oracle – CISA warns Oracle Identity Manager RCE flaw is being actively exploitedhttps://www.bleepingcomputer.com/news/security/cisa-warns-oracle-identity-manager-rce-flaw-is-being-actively-exploited/🔗 SolarWinds – Serv-U Critical Vulnerabilitieshttps://thecyberthrone.in/2025/11/22/solarwinds-serv-u-critical-vulnerabilities/🔗 SonicWall – Patches for Email Security Appliances (CVE-2025-40604)https://securityonline.info/sonicwall-patches-two-vulnerabilities-in-email-security-appliances-including-code-execution-flaw-cve-2025-40604/🔗 Data Leak – Italian Railway Operator Hit via Almaviva Hackhttps://securityaffairs.com/184907/data-breach/massive-data-leak-hits-italian-railway-operator-ferrovie-dello-stato-via-almaviva-hack.html🔗 Grafana – SCIM CVSS 10.0 Vulnerability Patchhttps://thehackernews.com/2025/11/grafana-patches-cvss-100-scim-flaw.html🔗 Breach – ShinyHunters Targets Salesforce & Gainsighthttps://www.theregister.com/2025/11/21/shinyhunters_salesforce_gainsight_breach/ 📞 Share your feedback:📧 [email protected]🌐 www.radiocsirt.org📰 radiocsirtintl.substack.com 

  49. 31

    RadioCSIRT - Your daily cybersecurity update for Friday, November 21, 2025 (Ep. 25)

    Welcome to your daily podcast dedicated to cybersecurity.🚨 Critical SharePoint Alert: Microsoft issues CVE-2025-59245, a severe privilege escalation flaw that demands immediate attention from administrators.🎧 Espionage & Malware: Google exposes "BadAudio," the new tool from the APT24 group, while the ShadowPad backdoor resurfaces in fresh targeted campaigns.☁️ Salesforce Clamps Down: The CRM giant is cutting off access to third-party apps after detecting suspicious activity, moving fast to protect customer data.💼 Dark Web Job Market: Crime starts young. A new study reveals that the median age of cybercrime job seekers is now just 24 years old.⚡️ Don't think, just patch! 🚀📚 Sources:🔗 Microsoft – SharePoint Elevation of Privilege (CVE-2025-59245) https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59245🔗 Espionage – Google exposes BadAudio & APT24 https://www.bleepingcomputer.com/news/security/google-exposes-badaudio-malware-used-in-apt24-espionage-campaigns/🔗 Cloud Sec – Salesforce cuts off third-party access https://therecord.media/salesforce-cuts-off-access-to-third-party-unusual-activity🔗 Dark Web – Job Market Analysis 2023-2025 https://securelist.com/dark-web-job-market-2023-2025/118057/🔗 Malware – ShadowPad Overview https://cyberpress.org/shadowpad-malware/📞 Share your feedback:📧 Email: [email protected]🌐Web Site: www.radiocsirt.org📰Weekly Newsletter: radiocsirtintl.substack.com

  50. 30

    RadioCSIRT – Your daily cybersecurity update for Thursday, November 20, 2025 (Ep. 24)

    Welcome to your daily podcast dedicated to cybersecurity.✈️ Industrial espionage by UNC1549: Iranian hackers deploy DEEPROOT and TWOSTROKE backdoors against aerospace and defense sectors, exploiting VDI access and the supply chain.🤖 Gmail trains its AI with your data: Google enables email and attachment analysis for its Gemini model by default, requiring a complex manual opt-out to preserve privacy.🍎 New macOS "DigitStealer": A fileless malware specifically targeting Apple Silicon chips to exfiltrate credentials and crypto wallets while bypassing standard detections.🛡️ Massive scan of GlobalProtect VPNs: A coordinated campaign of 2.3 million scan sessions targets Palo Alto Networks portals, foreshadowing imminent vulnerability exploitation.⚡️ Don't think, just patch! 🚀📚 Sources:🔗 UNC1549 – Iranian hackers use DEEPROOT and TWOSTROKE https://thehackernews.com/2025/11/iranian-hackers-use-deeproot-and.html🔗 Privacy – Gmail is reading your emails to train its AI https://www.malwarebytes.com/blog/news/2025/11/gmail-is-reading-your-emails-and-attachments-to-train-its-ai-unless-you-turn-it-off🔗 Malware – Mac users warned about new DigitStealer https://www.malwarebytes.com/blog/news/2025/11/mac-users-warned-about-new-digitstealer-information-stealer🔗 Infrastructures – GlobalProtect VPN portals probed with 2.3 million scan sessions https://www.bleepingcomputer.com/news/security/globalprotect-vpn-portals-probed-with-23-million-scan-sessions/📞 Share your feedback:📧 [email protected]🌐 www.radiocsirt.org📰 radiocsirtintl.substack.com

Type above to search every episode's transcript for a word or phrase. Matches are scoped to this podcast.

Searching…

We're indexing this podcast's transcripts for the first time — this can take a minute or two. We'll show results as soon as they're ready.

No matches for "" in this podcast's transcripts.

Showing of matches

No topics indexed yet for this podcast.

Loading reviews...

ABOUT THIS SHOW

🎙 Marc Frédéric Gomez, cybersecurity expert, brings you daily insights into the latest threats, attacks, and defense strategies you need to know.🔎 On the agenda:✔️ Analysis of cyberattacks and critical vulnerabilities✔️ Strategic intelligence for CSIRTs, CERTs, and cybersecurity professionals✔️ Sources and references to dive deeper into each topic💡 Why listen to RadioCSIRT?🚀 Stay up to date in just a few minutes a day🛡️ Anticipate threats with reliable, technical information📢 An essential intelligence source for IT and security professionals🔗 Listen, share, and secure your environment!📲 Subscribe and leave a ⭐

HOSTED BY

Marc Frédéric GOMEZ

CATEGORIES

Frequently Asked Questions

How many episodes does RadioCSIRT - English Edition have?

RadioCSIRT - English Edition currently has 50 episodes available on PodParley. New episodes are automatically indexed when they're published to the podcast feed.

What is RadioCSIRT - English Edition about?

🎙 Marc Frédéric Gomez, cybersecurity expert, brings you daily insights into the latest threats, attacks, and defense strategies you need to know.🔎 On the agenda:✔️ Analysis of cyberattacks and critical vulnerabilities✔️ Strategic intelligence for CSIRTs, CERTs, and cybersecurity professionals✔️...

How often does RadioCSIRT - English Edition release new episodes?

RadioCSIRT - English Edition has 50 episodes. Check the episode list to see recent publication dates and frequency.

Where can I listen to RadioCSIRT - English Edition?

You can listen to RadioCSIRT - English Edition on PodParley by clicking any episode. We provide an embedded audio player for direct listening, and you can also subscribe via your preferred podcast app using the RSS feed.

Who hosts RadioCSIRT - English Edition?

RadioCSIRT - English Edition is created and hosted by Marc Frédéric GOMEZ.
URL copied to clipboard!