Author: Staff Writer

Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Top Highlights New Threat Detected: Researchers have identified intrusive activity targeting Fortinet FortiGate appliances through malicious single sign-on (SSO) logins, first noted on Friday. Vulnerabilities Exploited: The attacks leverage recently disclosed critical authentication bypass flaws (CVE-2025-59718 and CVE-2025-59719) that permit SSO bypass via crafted SAML messages. Urgent Mitigation Required: Users are advised to temporarily disable the FortiCloud login feature and reset firewall credentials if malicious activity is detected, as the feature can be enabled during device registration. Widespread Impact: The threat appears opportunistic rather than targeted at specific companies, with multiple intrusions reported by Arctic Wolf and similar alerts from…

Read More

Summary Points Compromised Credentials: Attackers are exploiting stolen AWS IAM credentials to initiate a rapid cryptomining campaign, deploying unauthorized miners within 10 minutes of gaining access to customer environments. AWS Detection: AWS security researchers identified the malicious activity using Amazon GuardDuty and automated monitoring, emphasizing that the campaign did not exploit vulnerabilities in AWS infrastructure but rather used valid, compromised credentials for unauthorized access. Advanced Techniques: The attackers employed sophisticated methods, including disabling instance termination protection to complicate incident response and utilizing multiple AWS services, marking a significant advancement in cryptomining persistence tactics. Preventive Actions: AWS recommends implementing strong identity…

Read More

Quick Takeaways Transition from Reactive to Proactive SOCs: Modern security teams must shift from reactive defense, which leads to missed threats and unnecessary resource waste, to a proactive approach that anticipates and mitigates risks before they materialize. Importance of Threat Intelligence: Utilizing robust threat intelligence, such as ANY.RUN’s Threat Intelligence Lookup, equips SOCs with real-time insights into emerging threats, enabling faster investigations, enriched alerts, and higher confidence in triaging significant incidents. Contextual Threat Relevance: Effective threat management relies on understanding specific threats to an organization’s sector and geography, helping SOCs focus efforts on alerts that pose real risks, thus minimizing…

Read More

Quick Takeaways Microsoft’s December 2025 Windows security update (KB5071546) is causing Message Queuing (MSMQ) failures, leading to widespread IIS site crashes, especially under load and in clustered environments. The update’s hardened security measures inadvertently restrict write permissions on MSMQ storage folders, resulting in API failures, inactive queues, and resource errors despite ample system resources. Affected enterprise systems include Windows Server 2019, 2016, 2012 R2, and 2012, along with Windows 10 versions 22H2, 21H2, 1809, and 1607; consumer editions are largely unaffected. Microsoft has acknowledged the issue and is investigating; there is no public patch yet, requiring IT teams to contact…

Read More

Summary Points CISA has added CVE-2025-59718, a critical Fortinet security vulnerability, to its KEV catalog, with a deadline of December 23, 2025, for remediation. The flaw involves improper cryptographic signature verification, enabling unauthenticated attackers to bypass FortiCloud SSO and gain unauthorized network access. The vulnerability affects multiple Fortinet products, including FortiOS, FortiSwitchMaster, FortiProxy, and FortiWeb, and is actively being exploited in the wild. Organizations must urgently patch affected systems, audit deployments, and follow federal security guidance to prevent potential credential-free breaches before the deadline. Problem Explained On December 16, 2025, CISA officially added CVE-2025-59718 to its Known Exploited Vulnerabilities (KEV)…

Read More

Fast Facts Cellik represents a major advancement in Android RATs, providing full device control and live real-time screen streaming, resembling an invisible VNC session. It features an integrated Google Play Store connection, enabling attackers to easily embed malicious payloads into legitimate apps with a single click, bypassing standard security measures. The malware includes sophisticated injection tools for overlay attacks, credential harvesting, keylogging, and remote interaction with infected devices, offering comprehensive surveillance capabilities. Its user-friendly subscription model and built-in APK builder make deploying these advanced Android threats accessible to attackers of all skill levels, elevating the threat landscape significantly. Key Challenge…

Read More

Essential Insights CASBs act as security gateways between enterprise endpoints and cloud resources, providing visibility, access control, and threat detection in multi-cloud and remote work environments. They are essential for managing shadow IT, ensuring data protection, maintaining compliance, and securing remote workforce access across diverse cloud applications. Core features to evaluate include visibility, granular control, data protection, compliance, and seamless integration with existing security infrastructure, supported through various deployment modes and modes of operation. Leading vendors like Cisco, Netskope, Forcepoint, and Zscaler offer comprehensive CASBs with advanced features, but organizations must align their specific needs, scalability, and integration capabilities with…

Read More

Increased Cyber Risk During Holidays: The holiday season presents a peak opportunity for cybercriminals, exploiting staff distractions and unpreparedness to launch attacks such as phishing scams and fraudulent invoices. Security Measures: Businesses should implement robust measures, including strong passwords, multi-factor authentication, and strict permissions, to secure their systems and networks before the holiday period. Employee Training: It’s crucial to enhance employee awareness through specific training on holiday scams and cybersecurity protocols to promote a culture of cautious verification before acting on payment requests or emails. Incident Response Preparedness: Establish a solid incident response and backup strategy, ensuring regular data backups…

Read More

Fast Facts The integration of Large Language Models (LLMs) into ransomware operations has lowered entry barriers, enabling less skilled actors to develop sophisticated tools and Ransomware-as-a-Service (RaaS), leading to a more fragmented threat landscape. Attackers now use LLMs to automate phishing, craft convincing localized ransom notes, and identify valuable data within leaks, expanding attack vectors and global reach. Locally-hosted open-source models and strategic use of uncensored or fragmented prompts help threat actors bypass security measures, maintain high operational tempo, and evade detection. Malware like QUIETVAULT employs locally hosted LLMs for intelligent reconnaissance and data exfiltration, turning AI tools into precise…

Read More

Fast Facts Evolving Threat: A Russia-linked hacker group has shifted tactics since 2021, now exploiting vulnerabilities in edge devices, indicating a concerning evolution in their strategy. Credential Harvesting: Attackers have been intercepting network traffic to collect login credentials and gain access to cloud platforms, reinforcing their presence within victim organizations. Sector Focus: Targeted industries primarily include electric utilities and telecommunications, with significant activity reported in North America, Europe, and the Middle East, reflecting a sustained focus on the energy sector supply chain. Preventive Measures: Organizations are urged to inspect edge devices for compromises, enforce strong authentication, and minimize unnecessary internet…

Read More