Daily Digest

Critical React2Shell Flaw Under Widespread Attack, CISA Warns of Fortinet Exploit, and AI Fuels Cloud Risk

Critical React2Shell Flaw Under Widespread Attack, CISA Warns of Fortinet Exploit, and AI Fuels Cloud Risk

December 17, 2025
7 articles (6 new, 1 updated)
21 min read

Summary

This cybersecurity brief for December 17, 2025, covers a surge in critical vulnerability exploitation. A CVSS 10.0 flaw in React, dubbed 'React2Shell,' is being widely abused by both state actors and cybercriminals to deploy backdoors and miners. CISA has added a critical, actively exploited Fortinet SSO vulnerability to its KEV catalog. Meanwhile, a new Palo Alto Networks report reveals that rapid AI adoption is massively expanding the cloud attack surface, with 99% of organizations reporting attacks on their AI systems. Other major events include a cyberattack on the French Interior Ministry, a novel 'ConsentFix' phishing technique bypassing MFA to hijack Microsoft accounts, and a large-scale malware alert in New Zealand for Lumma Stealer infections.

Filter by Category

New Articles (6)

AI Adoption Fuels 'Massive' Cloud Attack Surface Expansion, Palo Alto Networks Report Warns

INFORMATIONAL

Palo Alto Networks Report: 99% of Organizations See Attacks on AI Systems Amid Surge in Cloud Risk

Palo Alto Networks' 2025 'State of Cloud Security Report' reveals that the rapid adoption of AI is creating an unprecedented expansion of the cloud attack surface. The study, surveying 2,800 security leaders, found that 99% of organizations have had their AI systems attacked in the last year. The use of generative AI in coding is producing insecure code faster than security teams can remediate it, creating a significant risk gap. API attacks have surged by 41% year-over-year, and lenient identity and access management (IAM) remains a top vulnerability. The report calls for a unified, platform-based approach to cloud security to counter AI-weaponized threats.

December 17, 2025
5 min read
Cloud SecurityAI SecurityPalo Alto NetworksAPI SecurityIAM +3 more
AI Adoption Fuels 'Massive' Cloud Attack Surface Expansion, Palo Alto Networks Report Warns

French Interior Ministry Confirms Cyberattack Compromised Email Servers

HIGH

Hackers Breach French Interior Ministry Email Servers; Attacker Claims Access to 16.4 Million Citizen Files

The French Ministry of the Interior has confirmed its email servers were compromised in a cyberattack detected between December 11 and 12, 2025. Interior Minister Laurent Nuñez stated that attackers stole staff email passwords, allowing them to access an unknown number of document files. While the government is still assessing the scale, a hacker group named 'Indra' has claimed, without evidence, to have exfiltrated police files on 16.4 million citizens. In response, the ministry is rolling out two-factor authentication and resetting passwords. The attack on the high-value government target, which oversees national police and security, has raised speculation of nation-state involvement, with groups like APT28 being considered.

December 17, 2025
5 min read
Data BreachGovernmentFranceAPT28Credential Compromise +3 more
French Interior Ministry Confirms Cyberattack Compromised Email Servers

New 'ConsentFix' Phishing Attack Hijacks Microsoft Accounts, Bypassing MFA via Azure CLI Abuse

HIGH

Researchers Uncover 'ConsentFix' Phishing Technique that Abuses Trusted Azure CLI for MFA-Bypassing Account Takeover

A novel and sophisticated phishing attack dubbed 'ConsentFix' allows attackers to hijack Microsoft accounts without stealing passwords or bypassing multi-factor authentication (MFA). Discovered by Push Security, the browser-native attack tricks users into completing a fake verification process that involves copying a URL containing a sensitive OAuth authorization code from their browser's address bar and pasting it into the attacker's phishing page. The attacker then uses this code to authenticate as the user via the legitimate and trusted Microsoft Azure Command-Line Interface (CLI). Because the Azure CLI is a first-party app, it bypasses many consent restrictions, granting the attacker full account access. The technique is active and circumvents even phishing-resistant authentication like passkeys.

December 17, 2025
5 min read
ConsentFixPhishingOAuthMFA BypassAccount Takeover +4 more
New 'ConsentFix' Phishing Attack Hijacks Microsoft Accounts, Bypassing MFA via Azure CLI Abuse

New Zealand Launches Massive Public Alert, Warning 26,000 Citizens of Lumma Stealer Malware Infections

HIGH

New Zealand's NCSC Emails 26,000 Individuals in Unprecedented Warning About Lumma Stealer Malware

In a first-of-its-kind campaign, New Zealand's National Cyber Security Centre (NCSC) is emailing approximately 26,000 people to warn them of potential infection by the Lumma Stealer malware. The potent information-stealing software targets Windows devices to covertly harvest sensitive data, including passwords, browser credentials, banking details, and cryptocurrency wallets. Officials have confirmed that some of the stolen credentials were linked to government and banking systems, heightening the risk of fraud. The NCSC's mass notification directs affected individuals to a government website with instructions for malware removal and improving account security.

December 17, 2025
4 min read
Lumma StealerMalwareInfoStealerNew ZealandNCSC +3 more
New Zealand Launches Massive Public Alert, Warning 26,000 Citizens of Lumma Stealer Malware Infections

MITRE Extends D3FEND Cybersecurity Framework to Operational Technology (OT)

INFORMATIONAL

MITRE Launches D3FEND for OT to Standardize Defense of Cyber-Physical Systems

MITRE has officially extended its D3FEND cybersecurity framework to include Operational Technology (OT), providing a standardized knowledge base of defensive techniques for cyber-physical systems. Announced on December 16, 2025, the NSA-funded initiative aims to create a common language for securing critical infrastructure in sectors like energy, manufacturing, and defense. As OT systems become increasingly connected to IT networks, D3FEND for OT provides a structured ontology of countermeasures tailored to the unique components and risks of industrial environments, mapping defensive techniques to threats against controllers, sensors, and actuators.

December 17, 2025
4 min read
MITRED3FENDOT SecurityICS SecurityCyber-Physical Systems +3 more
MITRE Extends D3FEND Cybersecurity Framework to Operational Technology (OT)

'Operation MoneyMount-ISO' Phishing Campaign Deploys Phantom Stealer via Malicious ISOs

HIGH

Russian-Language Phishing Campaign 'Operation MoneyMount-ISO' Targets Finance Departments with Phantom Stealer Malware

A financially motivated, Russian-language phishing campaign dubbed 'Operation MoneyMount-ISO' is actively targeting finance and accounting departments to deploy the Phantom information-stealing malware. According to researchers at Seqrite Labs, the attack uses emails with fake payment confirmations that contain a malicious ISO disk image file. This technique is designed to bypass email security controls. When the user opens the ISO, it mounts a virtual drive with a disguised executable. Running this file triggers a memory-resident infection chain that deploys Phantom Stealer, which then harvests browser credentials, crypto wallets, and other sensitive data for exfiltration.

December 17, 2025
5 min read
Phantom StealerInfoStealerPhishingISO fileMalware +3 more
'Operation MoneyMount-ISO' Phishing Campaign Deploys Phantom Stealer via Malicious ISOs

Updated Articles (1)

Storm-0249 Evolves: Access Broker Now Deploys Ransomware with Advanced Stealth Tactics

MEDIUM

Threat Actor Storm-0249 Shifts from Access Broker to Hands-On Ransomware Enabler

Update:

Push Security has released a new browser-based 'malicious copy-and-paste detection' feature designed to combat 'ClickFix' social engineering attacks. This tool directly addresses the technique where users are tricked into copying malicious code from websites and pasting it into terminals, a method identified as crucial for initial access by groups like Storm-0249. The feature works by analyzing copy events in the browser, blocking malicious scripts from reaching the clipboard, and effectively disarming the attack before execution. This provides a critical new layer of defense against a rapidly growing threat vector, enhancing mitigation efforts against sophisticated IAB tactics.

December 10, 2025
Updated: December 17, 2025
6 min read
Storm-0249IABRansomwareDLL Side-loadingClickFix +1 more
Storm-0249 Evolves: Access Broker Now Deploys Ransomware with Advanced Stealth Tactics

📢 Share This Publication

Help others stay informed about cybersecurity threats

📅 Daily Edition

Curated and deduplicated every day from dozens of trusted sources — giving you one clean, consolidated view of what matters in cybersecurity.

🔢 Deduplication Applied

Related stories are merged into a single evolving article rather than repeated as separate entries — cutting through noise so you only read what's new.

🔗 Full Articles Linked

Every entry links to its full enriched article — complete with MITRE ATT&CK mappings, extracted IOCs, and actionable detection and mitigation guidance.