North Korea-Linked Hackers Steal $2.02 Billion in Cryptocurrency in 2025 & More
Stay ahead of cyber threats with this weekly bulletin covering critical WatchGuard, Cisco and SonicWall vulnerabilities, North Korea-linked crypto heists, WhatsApp GhostPairing attacks, BRICKSTORM malware IOCs and major AI security developments for 15–21 December 2025.
1. High-Impact Vulnerabilities on Perimeter and Access Devices
Perimeter security and remote access platforms remained the primary focus for attackers this week. Three major vulnerabilities were disclosed, each highlighting the risk of maintaining internet-exposed management interfaces and VPN endpoints.
1.1: WatchGuard Fireware OS IKEv2 VPN RCE (CVE-2025-14733)
A critical out-of-bounds write flaw was identified in the iked process of WatchGuard’s Fireware OS. This process handles IKEv2 (Internet Key Exchange version 2) negotiations. The vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on Firebox appliances.
The flaw specifically impacts configurations using IKEv2 Mobile User VPNs or Branch Office VPNs with dynamic gateway peers. Critically, exploitation has already been observed in the wild. Threat intelligence suggests that the infrastructure used in these attacks overlaps with previous campaigns targeting Fortinet VPNs, indicating a systematic, vendor-agnostic pursuit of edge-device vulnerabilities by sophisticated actors.
1.2: Cisco Secure Email Gateway / Secure Email & Web Manager RCE (CVE-2025-20393)
Cisco issued an urgent alert for a CVSS 10.0 vulnerability in AsyncOS. This flaw allows unauthenticated remote attackers to execute commands with root privileges. The vulnerability is triggered when the Spam Quarantine feature is enabled and exposed to the internet.
Because the attacker gains root access, they can deploy persistent backdoors that remain even after the initial vulnerability is patched. Cisco has reported that attackers are actively using this to maintain long-term access, making "clean-up" as critical as the patch itself.
1.3: SonicWall SMA 1000 Management Console Privilege Escalation (CVE-2025-40602)
SonicWall’s SMA 1000 series faced a zero-day exploit that was chained with a previous vulnerability (CVE-2025-23006). This chain allows an attacker to move from unauthenticated access to full remote code execution (RCE) with root privileges. CISA has added this to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch within seven days, a clear signal of the high risk this poses to enterprise environments.
Key Actions for Defenders:
2. Major Attack Campaigns: DPRK Crypto Heists and GhostPairing
The landscape of cybercrime in 2025 is defined by scale and deception. This week's data highlights a record-breaking year for North Korean theft and a clever social engineering campaign targeting mobile users.
2.1: DPRK-Linked Cryptocurrency Theft Surpasses $2 Billion
New data reveals that North Korea-associated groups, primarily the Lazarus Group, have stolen at least $2.02 billion in cryptocurrency in 2025 alone. This represents nearly 60% of all global crypto theft for the year.
The campaign's success is attributed to:
2.2: GhostPairing: WhatsApp Account Takeover
A new campaign dubbed GhostPairing has emerged, targeting WhatsApp users globally. Unlike traditional malware, GhostPairing abuses the legitimate multi-device linking workflow. Attackers use social engineering to trick victims into entering a pairing code on their own phones, which effectively "links" the attacker's device to the victim's account. Once paired, the attacker has persistent access to all messages and media without the victim being logged out.
3. State-Sponsored Malware and AI-Driven Security Developments
As attackers evolve, so must our detection capabilities. This week saw the release of critical intelligence on PRC-linked malware and the introduction of advanced AI models for both offensive and defensive research.
3.1: BRICKSTORM Malware IOCs
CISA, the NSA, and the CCCS released updated indicators for BRICKSTORM, a backdoor attributed to PRC state-sponsored actors. The malware is designed for long-term persistence within VMware vSphere environments and uses advanced techniques like DNS-over-HTTPS and nested TLS encryption to hide its command-and-control (C2) traffic.
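One defensive angle on the C2 techniques described above is to hunt for DNS-over-HTTPS and unexpected TLS egress from hosts in the vSphere management network, which normally talk only to a small, known set of destinations. The following is an added example, not code from the advisory: the management subnet, the egress allowlist and the flow records are all constructed assumptions, and the DoH hostnames are well-known public resolvers rather than BRICKSTORM indicators.

```python
"""Hunt for DNS-over-HTTPS egress from vSphere management hosts (added example;
subnet, allowlist and flow records are constructed assumptions, not advisory IOCs)."""
import ipaddress

MGMT_NET = ipaddress.ip_network("10.10.50.0/24")   # assumed vCenter/ESXi VLAN
# Public DoH resolvers (real hostnames); BRICKSTORM's own C2 names are not listed.
DOH_SNI = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "doh.opendns.com"}
# Hypothetical baseline of destinations management hosts legitimately reach.
ALLOWED_SNI = {"vcenter.corp.example", "vapp-updates.corp.example"}

# Constructed flow log (key=value format is assumed, not a vendor's schema).
SAMPLE_FLOWS = """\
2025-12-18T09:12:01Z src=10.10.50.21 dst=172.16.0.5 dport=443 sni=vcenter.corp.example
2025-12-18T09:12:07Z src=10.10.50.22 dst=8.8.8.8 dport=443 sni=dns.google
2025-12-18T09:12:09Z src=10.10.50.22 dst=104.16.248.249 dport=443 sni=cloudflare-dns.com
2025-12-18T09:13:30Z src=10.10.50.23 dst=203.0.113.9 dport=443 sni=cdn.example.net
2025-12-18T09:14:02Z src=10.20.1.15 dst=8.8.8.8 dport=443 sni=dns.google
2025-12-18T09:15:40Z src=10.10.50.21 dst=10.10.50.2 dport=53 sni=
"""

def parse_flow(line):
    """Turn one 'ts k=v k=v ...' line into a dict with an int dport."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    rec["dport"] = int(rec["dport"])
    return rec

def classify(rec):
    """Return a finding label for a management-host flow, or None."""
    if ipaddress.ip_address(rec["src"]) not in MGMT_NET or rec["dport"] != 443:
        return None                       # only TLS egress from the mgmt VLAN matters here
    if rec["sni"] in DOH_SNI:
        return "doh_resolver"             # DNS carried over HTTPS bypasses resolver logging
    if rec["sni"] not in ALLOWED_SNI:
        return "unexpected_tls_egress"    # candidate outer layer of a nested-TLS channel
    return None

def hunt(log_text):
    """Run every flow line through classify() and collect (src, dst, sni, label)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_flow(line)
        label = classify(rec)
        if label:
            findings.append((rec["src"], rec["dst"], rec["sni"], label))
    return findings
```

The workstation flow to dns.google is deliberately left unflagged: the point is the baseline of the management VLAN, not DoH usage across the whole estate.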
3.2: The Rise of AI in Security (Claude 4.5 & GPT-5.2-Codex)
The AI arms race continues with two major releases:
While these tools offer incredible defensive potential for automated testing, they also represent a "dual-use" risk, as they can be leveraged by adversaries to find zero-day vulnerabilities more efficiently.
Final Thoughts and Call to Action
The 15–21 December period highlights a consistent pattern: attackers are successfully targeting the very tools designed to protect us (VPNs and Email Gateways). To stay resilient, organizations must move beyond reactive patching and adopt a proactive threat-hunting posture.
How to Secure Your Organization Today:
Need Expert Assistance?
If your organization requires support in assessing exposure to these vulnerabilities, implementing the latest IOCs, or building AI-driven secure coding practices, reach out for a tailored security health check.
Contact: Prasad Poojary
Phone: +971542468006
Email: [email protected]