TLDR Information Security 2025-12-23

Attacks & Vulnerabilities

SSH server Dropbear allows privilege escalation (2 minute read)

Dropbear SSH server versions up to and including 2024.84 contain CVE-2025-14282 (CVSS 9.8 Critical), a privilege escalation to root via Unix socket forwarding. The Dropbear server makes forwarded Unix socket connections with its own root privileges, so a program that authenticates connections on a Unix socket with SO_PEERCRED sees root's credentials rather than the SSH user's, and any authenticated user can reach sockets and services that are supposed to be reserved for root. Dropbear 2025.89 fixes this with comprehensive changes to Unix socket handling and also disables socket forwarding whenever a forced command is configured, closing a bypass of command restrictions. Organizations running Dropbear on embedded systems, such as OpenWRT routers and single-board computers, should update immediately. Where an update is not yet possible, run dropbear with the -j flag (which disables TCP forwarding as well) or rebuild with #define DROPBEAR_SVR_LOCALSTREAMFWD 0 in localoptions.h (or distrooptions.h).
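The trust assumption the advisory describes, shown as an added example (not Dropbear's code): a Unix-socket service asks the kernel for SO_PEERCRED and decides on the reported uid. The kernel reports the process that made the connection, so when a root-owned forwarder connects on a user's behalf the service sees uid 0. The example is Linux-only (SO_PEERCRED is a Linux option) and uses socketpair() in place of a real connect() so that it runs offline; the `authorize` policy is an assumed, typical check, not any particular program's code.

```python
"""What a Unix-socket service learns from SO_PEERCRED, and why a forwarder
that connects as root defeats it. Added example, not Dropbear code.
Assumes Linux (SO_PEERCRED is Linux-specific); socketpair() stands in for a
real connect() so the demo runs offline."""
import os
import socket
import struct

# Layout of Linux 'struct ucred': pid_t pid; uid_t uid; gid_t gid; (three native ints)
_UCRED = struct.Struct("3i")


def peer_credentials(sock):
    """Return (pid, uid, gid) of the process holding the other end of sock.
    The kernel fills this in from the process that called connect() (or
    socketpair()); nothing here identifies an SSH user behind a forwarder."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)


def authorize(sock, allowed_uids):
    """Assumed, typical policy: accept the connection if the kernel-reported
    peer uid is in allowed_uids. Correct when the peer really is the client;
    wrong when a root-owned forwarder made the connection for a user."""
    _pid, uid, _gid = peer_credentials(sock)
    return uid in allowed_uids


def demo():
    """Exercise authorize() over a socketpair and report what the service saw."""
    service_end, client_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        creds = peer_credentials(service_end)
        me = (os.getpid(), os.getuid(), os.getgid())
        return {
            "peer": creds,
            # True: the peer is whoever owns the connecting socket, i.e. this process.
            "peer_is_connecting_process": creds == me,
            # A root-only policy grants access exactly when the connecting
            # process is root. With a vulnerable Dropbear that process is the
            # server itself, so the policy passes for any SSH user who can forward.
            "root_policy_result": authorize(service_end, allowed_uids={0}),
            "connecting_process_is_root": os.getuid() == 0,
        }
    finally:
        service_end.close()
        client_end.close()


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as an ordinary user and `root_policy_result` is False; run it as root and it is True. The service has no way to tell the two apart from the socket alone, which is why the fix has to be on the forwarding side (Dropbear 2025.89, or disabling stream forwarding), not in the programs that consume SO_PEERCRED.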

1,000 computers taken offline in Romanian water management authority hack — ransomware takes Bitlocker-encrypted systems down (2 minute read)

Romania's national water management authority suffered a ransomware attack that used BitLocker to encrypt systems, taking about 1,000 computers offline across 10 of its 11 regional offices. Core IT services such as email, web platforms, databases, and GIS were disrupted, though the water supply continued.

NPM Package With 56K Downloads Caught Stealing WhatsApp Messages (7 minute read)

The lotusbail npm package masqueraded as a legitimate fork of a WhatsApp Web API library, shipping working code while a malicious WebSocket wrapper silently intercepted authentication tokens, messages, contacts, and media files. The malware employed sophisticated evasion techniques, including custom RSA encryption, four layers of obfuscation, 27 anti-debugging traps, and a hardcoded pairing code that linked an attacker-controlled device to the victim's account, giving backdoor access that survived removal of the package. Security professionals should use behavioral runtime analysis to catch anomalies such as custom encryption inside communication libraries, and anyone affected should manually unlink all devices from WhatsApp's settings.

Strategies & Tactics

Vulnhalla: Picking the true vulnerabilities from the CodeQL haystack (10 minute read)

Modern vulnerability research can blend static analysis with large language models to cut through overwhelming false positives and highlight only issues that look genuinely exploitable. By feeding CodeQL findings and carefully chosen code context into an LLM, and then guiding it with structured questions about data and control flow, the system mimics how senior researchers reason about real bugs rather than surface patterns. Pre-extracting functions and related entities into fast-searchable CSVs makes this scalable across huge C and C++ codebases, enabling discovery of impactful issues and even new CVEs with modest time and compute.

Beyond the bomb: When adversaries bring their own virtual machine for persistence (7 minute read)

Red Canary detected a novel intrusion in which adversaries email-bombed targets, then phoned them posing as tech support and used Quick Assist to drop a QEMU virtual machine (Windows 7 SP1) running Sliver C2 implants, the QDoor backdoor, and ScreenConnect for redundant persistence. The VM was configured for internal network reconnaissance via SRV record queries and for external C2 communication with marnyonline[.]com and 45[.]61[.]169[.]127. Forensic analysis of the 8GB disk image recovered the adversary's toolkit from prefetch data, browser history, persistence entries in start.txt, and volume shadow copies that still held deleted artifacts. Defenders should monitor for anomalous QEMU execution on standard endpoints, apply strict Quick Assist controls, detect internal SRV record enumeration and single-packet ping sweeps, hunt for Sliver team server TLS certificates carrying the CN=multiplayer and O=operators fingerprints, and use behavioral analytics to flag VM deployment shortly after a remote assistance session.
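Two of those hunts, written out as an added example that is not Red Canary's code: matching certificate subjects against the Sliver fingerprint the article names (CN=multiplayer, O=operators) regardless of attribute order, and flagging hosts that query many distinct SRV records in a short window. The log records, their tab-separated Zeek-like columns, the IP addresses, and the domain corp.local are all constructed for this example; the 60-second window and threshold of four are assumed starting values, not figures from the article.

```python
"""Hunt for two indicators from the Red Canary write-up over constructed
log lines: certificate subjects matching the Sliver fingerprint
(CN=multiplayer, O=operators) and bursts of SRV-record queries from one host.
Added example, not Red Canary's code. Log formats are constructed for this
example (tab-separated, Zeek-like columns), not any product's real schema."""
from collections import defaultdict

# Constructed x509-style records: ts, client_ip, server_ip, certificate subject DN
X509_LOG = """\
1703300000.1\t10.0.0.15\t203.0.113.10\tCN=multiplayer,O=operators
1703300001.2\t10.0.0.15\t203.0.113.20\tCN=www.example.com,O=Example Org,C=US
1703300002.5\t10.0.0.22\t203.0.113.10\tO=operators, CN=multiplayer
1703300003.0\t10.0.0.31\t203.0.113.30\tCN=multiplayer,O=Some Game Studio,C=US
"""

# Constructed dns-style records: ts, client_ip, query name, query type
DNS_LOG = """\
1703300100.0\t10.0.0.15\t_ldap._tcp.corp.local\tSRV
1703300100.3\t10.0.0.15\t_kerberos._tcp.corp.local\tSRV
1703300100.6\t10.0.0.15\t_gc._tcp.corp.local\tSRV
1703300100.9\t10.0.0.15\t_ldap._tcp.dc._msdcs.corp.local\tSRV
1703300101.2\t10.0.0.15\t_kpasswd._tcp.corp.local\tSRV
1703300105.0\t10.0.0.40\t_ldap._tcp.corp.local\tSRV
1703300106.0\t10.0.0.40\twww.example.com\tA
"""


def parse_dn(dn):
    """Split an RFC 4514-style DN into {ATTR: value}. Escaped commas ('\\,')
    inside values are not handled; a real pipeline should use the parsed
    subject fields its sensor already provides."""
    attrs = {}
    for rdn in dn.split(","):
        key, sep, value = rdn.partition("=")
        if sep:
            attrs[key.strip().upper()] = value.strip()
    return attrs


def is_sliver_subject(dn):
    """Both attributes must match; CN=multiplayer alone is not the fingerprint."""
    attrs = parse_dn(dn)
    return attrs.get("CN") == "multiplayer" and attrs.get("O") == "operators"


def find_sliver_certs(log_text):
    """Return (client_ip, server_ip, subject) for every record whose cert matches."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, server, subject = line.split("\t")
        if is_sliver_subject(subject):
            hits.append((client, server, subject))
    return hits


def find_srv_enumeration(log_text, window_s=60.0, threshold=4):
    """Return {client_ip: distinct SRV names} for hosts that queried at least
    `threshold` distinct SRV records within any `window_s`-second window."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, qname, qtype = line.split("\t")
        if qtype == "SRV":
            by_client[client].append((float(ts), qname.lower()))
    flagged = {}
    for client, queries in by_client.items():
        queries.sort()
        best = 0
        for i, (start, _name) in enumerate(queries):
            names = {name for ts, name in queries[i:] if ts - start <= window_s}
            best = max(best, len(names))
        if best >= threshold:
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    for hit in find_sliver_certs(X509_LOG):
        print("sliver-like certificate:", hit)
    for client, count in find_srv_enumeration(DNS_LOG).items():
        print(f"SRV enumeration: {client} queried {count} distinct SRV names")
```

Domain-joined Windows hosts legitimately issue a handful of _ldap._tcp and _kerberos._tcp SRV queries at logon, so the SRV rule needs a per-host baseline or an allow-list of DC locator names before it is used for alerting; the certificate match is the higher-confidence signal of the two.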

Launches & Tools

MacPersistenceChecker (GitHub Repo)

MacPersistenceChecker is a native macOS security tool that enumerates persistence mechanisms across 20+ categories, including launch agents, system extensions, and BTM database entries, and scores each item from 0 to 100 based on code signatures, LOLBin detection, and behavioral anomalies mapped to the MITRE ATT&CK framework. It offers real-time monitoring with optional Claude AI integration that analyzes changes in full context, including risk scores and intent mismatches, plus an MCP server so that Claude Code can answer natural-language queries against the persistence data. Security teams can use its containment features to quarantine suspicious items, with automatic backup and timed release.

TokenFlare (GitHub Repo)

TokenFlare is a serverless adversary-in-the-middle (AITM) phishing simulation framework targeting Entra ID/M365 whose core logic is just 530 lines of JavaScript. It supports multiple OAuth flows, including Intune Conditional Access bypass techniques, deploys to Cloudflare Workers or a local HTTPS proxy in under 60 seconds, and ships with built-in bot and scraper blocking. The framework delivers captured credentials, auth codes, and session cookies via configurable webhooks, uses modular campaign configuration for custom branding and URL structures, and integrates Certbot for automated TLS certificate provisioning. Blue teams can detect unmodified TokenFlare via two static IoCs: the HTTP header "X-TokenFlare: Authorised-Security-Testing" and the User-Agent "TokenFlare/1.0 For_Authorised_Testing_Only". Both are trivially removed by a real attacker, so defenders should also monitor for serverless worker abuse, OAuth flows with unusually rapid authentication handoffs, and webhook exfiltration patterns involving M365 authentication tokens.

Docker Hardened Images for Free (Product Launch)

Docker has released Docker Hardened Images, more than 1,000 hardened container images that are free and open source for developers. The images are scanned and rebuilt regularly to minimize or eliminate exploitable CVEs, run as non-root by default, are stripped down to reduce attack surface, meet compliance standards, and are available for multiple base distributions.

Miscellaneous

US DOJ Charges 54 in ATM Jackpotting Scheme Using Ploutus Malware (3 minute read)

The DOJ indicted 54 individuals linked to the Venezuelan gang Tren de Aragua for deploying Ploutus malware in a multi-million dollar ATM jackpotting operation spanning 1,529 incidents since 2021 and $40.73 million in stolen cash, which prosecutors say funded terrorist activities. The crews conducted physical reconnaissance, opened ATM hoods to test alarm responses, and then installed Ploutus by swapping hard drives or plugging in USB drives, issuing unauthorized commands to the Cash Dispensing Module and deleting forensic evidence afterward. The malware targets Windows-based ATMs (particularly legacy XP systems and Diebold models) and can be triggered from a physically attached keyboard using activation codes. Financial institutions should add tamper detection on ATM enclosures, retire legacy Windows XP systems, monitor Cash Dispensing Module command patterns for anomalies, enforce hard drive integrity checks and USB port access controls, and strengthen physical security, including alarm response verification procedures.

Hacktivists scrape 86M Spotify tracks, claim their aim is to preserve culture (6 minute read)

Hacktivists linked to Anna's Archive scraped roughly 86 million Spotify tracks, claiming to safeguard musical heritage against catastrophe and platform risk, although that amounts to only about a third of Spotify's catalog preserved as audio. Spotify calls the operation piracy; it shut down the accounts used for scraping and plans to strengthen its safeguards. Anna's Archive has hinted that single-track downloads may follow.

South Korea to require facial recognition for new mobile numbers (2 minute read)

South Korea plans to require facial recognition when people sign up for new mobile numbers, matching ID photos with real-time images to block phones registered under false identities. The rule, which applies to major carriers and virtual operators, starts on March 23. Authorities hope to curb widespread voice phishing scams and address security weaknesses exposed by a massive SK Telecom data breach that affected 27 million SIM subscribers.

Quick Links

FBI Seizes Fake ID Template Domains Operating from Bangladesh (2 minute read)

Zahid Hasan, 29, of Dhaka, Bangladesh, was indicted, and the FBI seized three domains used to sell fake ID templates.

Interpol-led action decrypts 6 ransomware strains, arrests hundreds (3 minute read)

Interpol’s Operation Sentinel resulted in 574 arrests across 19 African countries, recovered $3 million, and decrypted six ransomware variants.

Pornhub tells users to expect sextortion emails after data exposure (4 minute read)

Pornhub warned Premium members to expect sextortion emails after a November 8 data breach at third-party analytics provider Mixpanel exposed user information.