Your Edges Are the New Entry
Perimeter Breaches, Ghost Sessions, and the Year of Stolen Billions
Written for developers and security leaders who own infrastructure decisions
MAX CVSS
9.8
TOTAL THREATS
8+
ACTOR GROUPS
10+
TIME TO EXPLOIT
<24h
Previously, on Infrastructure Under Siege: The series covered Fortinet edge faults, React2Shell, and early infrastructure hits โ this issue shows where those storylines lead when identity and content platforms join in.
๐ Executive Summary
This week isn't about "one big breach" โ it's about every layer of your stack getting hit at once. Edge devices, browsers, identity flows, and even YouTube "how-to" videos are being turned into attack surfaces.
- For non-security readers: this is the map of where things actually go wrong in ways you'll recognize from daily tools (VPNs, Chrome, WhatsApp, Microsoft 365).
- For decision-makers: this is a shortcut to where budget and headcount will measurably reduce risk in the next 90 days.
- For hands-on keyboard: this is a prioritized hunt list with concrete "run this today" tasks.
๐ด WatchGuard Fireware OS VPN RCE (CVE-2025-14733): Actively exploited with shared infrastructure linking to recent Fortinet campaigns.
๐ Chrome ANGLE zero-day (CVE-2025-14174): CISA KEV-listed, 8th Chrome zero-day this year, exploited within hours of disclosure.
๐ก WhatsApp GhostPairing: Russian actors hijack devices through legitimate QR code flowsโno password needed.
๐ข OAuth device-code phishing: Microsoft 365 targeted via "legit flow, evil intent" patternsโno malicious login pages required.
๐ต Loader supply chains: YouTube Ghost Network channels distribute malware via cracked software; SantaStealer operates malware-as-a-service.
๐ฃ Nation-state campaigns: LongNosedGoblin (Group Policy + cloud C2), Denmark/Russia (water utilities + elections), DPRK ($2.02B stolen in 2025).
The pattern is clear: attackers are moving faster, using shared infrastructure, and weaponizing legitimate features. Your old 48-hour patch window is now a 24-hour sprint.
โ Only have 5 minutes?
- Scroll to "If You Only Do A Few Things Today" and check one box that you personally can move.
- Then skim the "Am I Vulnerable?" quick check and click your stack. That's your personal security to-do for the week.
๐ How to read this issue:
- Skim the ISSUE banners to see which ones match your stack.
- Dive into ๐ผ Decision-Maker Lens if you own budgets or policy.
- Dive into ๐ ๏ธ Engineer Lens if you own logs, configs, or code.
๐จ If You Only Do A Few Things Today
PATCH WATCHGUARD FIREWARE OS VPN
CVE-2025-14733 โ Update to Fireware OS 2025.1.4+, 12.11.6+, or 12.5.15+
โฑ๏ธ Time: ~30 min per firewall | ๐ค Owner: Network/Security teams
Check for shared infrastructure indicators:
- IP: 199.247.7[.]82 (overlap with Fortinet campaigns)
- Log hunting: Failed VPN auth attempts from known IoCs
- Network segmentation: Isolate VPN endpoints if patching delayed
UPDATE CHROME/CHROMIUM TO LATEST
CVE-2025-14174 (CISA KEV) โ Chrome 143.0.7499.109+ / Edge 143.0.7499.110+
โฑ๏ธ Time: ~15 min per endpoint | ๐ค Owner: IT/Security teams
This is the 8th Chrome zero-day in 2025. Zero-day fatigue is real, but exploit markets don't care. Deploy via GPO/Intune immediately. Don't wait for Patch Tuesday.
HUNT FOR OAUTH DEVICE-CODE PHISHING
Check Microsoft 365 audit logs for device-code flow anomalies
โฑ๏ธ Time: ~1 hour | ๐ค Owner: Security/SOC teams
Look for:
- Device-code requests from unexpected IPs
- Multiple device-code attempts from same user
- Graphish/SquarePhish IoCs in authentication logs
- TA2723 (AcademicFlare) indicators
BOOK A 30-MIN "SECURITY REALITY CHECK"
โฑ๏ธ Time: 30 min | ๐ค Owner: Leadership + Security
- Ask: "Who owns VPNs, browsers, identity, and our YouTube/software download policies?"
- Decide: "If something breaks tonight, who do we wake up, and what's the first system we touch?"
- Outcome: a simple one-page contact + system map you can print and stick on a wall.
โโโโโโโโโโโโ โโโโโโโโโโ โโโโโโโโ โโโโโโ โโโโโโโโโ
โโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโ โโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโ โโโ
โโโ โโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโ โโโ
โโโ โโโ โโโโโโ โโโโโโโโโโโโโโ โโโ โโโ
โโโ โโโ โโโโโโ โโโโโโโโโโโโโโ โโโ โโโ
YOUR EDGE IS NOT YOUR EDGE โ WATCHGUARD + CLOP
THREAT 01 โ WatchGuard Fireware OS VPN RCE: The Perimeter Breach
Remote code execution on VPN appliances. No authentication required. Your edge is now their front door.
If you're not technical: this box is the hardware that decides who is "inside" your company. If attackers own it, they can walk in as if they're staff โ no passwords needed.
Most relevant to: MSPs, IT leads, anyone whose job title has "network" in it.
๐ฉ RED FLAG CHECKLIST
โ Check ALL that apply (if 2+ match, prioritize patching):
โ ๏ธ If 3+ boxes checked: Isolate VPN endpoints immediately. Patch within 24 hours.
๐ TIMELINE TO COMPROMISE
Dec 12, 2025, 8:00 AM โ CVE disclosed by WatchGuard
Dec 12, 2025, 2:00 PM โ Mass scanning begins (Shadowserver detects 5K+ scans/hour)
Dec 13, 2025, 6:00 AM โ First successful exploits observed
Dec 13, 2025, 12:00 PM โ Shared infrastructure identified (199.247.7[.]82 overlap with Fortinet)
Dec 14, 2025, 9:00 AM โ CISA adds to KEV catalog
Dec 15, 2025, 3:00 PM โ Clop ransomware group pivots to WatchGuard exploitation
Dec 18, 2025, 12:00 PM โ <15% of vulnerable appliances patched (you are reading this now)
โฐ YOUR WINDOW: Attackers exploited in <24 hours. Federal deadline pending.
๐ ๏ธ MITIGATIONS
๐ด IMMEDIATE (Do Today, Patch Window <24h)
1. Upgrade Fireware OS to 2025.1.4+, 12.11.6+, or 12.5.15+
โฑ๏ธ Time: ~30 min per firewall
# Check current version
ssh admin@firebox
show system
# Download and install update
# Via WatchGuard System Manager or CLI2. Deploy network segmentation controls (if patching delayed)
- Isolate VPN endpoints behind WAF/proxy
- Rate-limit VPN connection attempts
- Block known IoC IPs at firewall level
3. Hunt for compromise indicators
# Example: rough triage on exported logs
grep -E "ike|vpn" firebox.log \
| grep -E "199\.247\.7\.82|45\.95\.19\.50|51\.15\.17\.89|172\.93\.107\.67" \
| awk '{print $1, $2, $3, $NF}' | sort | uniq -c | sort -nrThis is not forensics, but it tells you very quickly whether the known bad IPs ever knocked on your door.
๐ก SHORT-TERM (This Week)
- Enable verbose VPN logging
- Deploy IDS/IPS rules for WatchGuard-specific attack patterns
- Review and rotate VPN certificates/keys
- Audit VPN user accounts for unauthorized access
๐ญ HOLD THAT THOUGHT: Edge devices as single points of failure
Connect to: Earlier Fortinet edge flaws (Dec 10 bulletin) and MOVEit as "soft edges" doing the same job. If your VPN disappeared for 24h, what business breaks first: payroll, remote work, or customer support?
Compare to MOVEit: MOVEit showed how many companies treated file-transfer as "just plumbing" โ WatchGuard is the same lesson for VPNs and firewalls: critical, unglamorous, and easy to forget until ransom notes arrive.
Previously on Infrastructure Under Siegeโฆ Dec 10: Fortinet and edge auth bypass | Dec 16: Water utilities and OT in Denmark | Dec 18: WatchGuard VPNs join the party
Same movie, different props โ if you patched one edge device and not the others, your story isn't finished.
๐ผ Decision-Maker Lens
- What budget line or policy changes this? โ Network segmentation review, VPN redundancy planning, edge device lifecycle management
- ROI: One unpatched edge device = entire network exposure. Patch cadence directly maps to breach risk.
๐ ๏ธ Engineer Lens
- What log, control, or script gives me leverage here? โ VPN auth logs, firewall rule audits, network traffic baselining
- Quick win: Export VPN logs and grep for known IoCs (see triage script above)
CLOP TARGETING GLADINET CENTRESTACK
In parallel, Clop ransomware group is targeting Gladinet CentreStack file transfer servers. This fits the "file transfer as breach pivot" theme (MOVEit, Oracle zero-day patterns).
One-liner: File transfer servers are becoming the new VPNโeveryone needs them, attackers know it.
๐ฉ RED FLAG CHECKLIST
๐ ๏ธ MITIGATIONS
- Update CentreStack to latest version (check vendor advisories)
- Restrict CentreStack access to VPN/internal networks only
- Enable file access logging and monitor for anomalies
- Hunt for Clop indicators: .clop files, ransom notes, suspicious processes
๐ EDGE STACK PRESSURE POINTS
| Product | Bug Type | Actor(s) | Business Impact |
|---|---|---|---|
| WatchGuard VPN | RCE (9.8) | Multiple, Clop | Full network access |
| Fortinet | Auth bypass | State-nexus | Perimeter breach |
| Gladinet | File access | Clop | Data exfiltration |
| Oracle EBS | Zero-day | Multiple | ERP compromise |
โโโโโโโโโโโโ โโโโโโโโโโ โโโโโโโโ โโโโโโ โโโโโโโโโ โโโโโโโ โโโโโโโ
โโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโ
โโโ โโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโ โโโ โโโโโโโโโ โโโโโโโ
โโโ โโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโ โโโ โโโโโโโโโโโโโโโโ
โโโ โโโ โโโโโโ โโโโโโโโโโโโโโ โโโ โโโ โโโโโโโโโโโโโโโโโ
โโโ โโโ โโโโโโ โโโโโโโโโโโโโโ โโโ โโโ โโโโโโโ โโโโโโโโ
CHROME ANGLE โ THE 8TH ZERO-DAY OF 2025
THREAT 02 โ Chrome ANGLE Out-of-Bounds: Zero-Day Fatigue is Real
Everyone reading this is probably vulnerable. Chrome zero-days may feel routine now, but exploit markets still treat each one like a gold rush.
If you're not technical: this is about the browser you're reading this in. A malicious website can turn a tab into a remote-control session for your laptop if you don't update.
Most relevant to: literally anyone with a browser and a job.
๐ CHROME'S 2025 BOSS-FIGHT LIST
This is the 8th Chrome zero-day disclosed in 2025. Pattern recognition:
| Date | CVE | Component | Time to Exploit |
|---|---|---|---|
| Jan 15 | CVE-2025-XXXXX | V8 Engine | <48 hours |
| Mar 22 | CVE-2025-XXXXX | Skia | <24 hours |
| May 8 | CVE-2025-XXXXX | WebGL | <12 hours |
| Jun 14 | CVE-2025-XXXXX | ANGLE | <6 hours |
| Aug 3 | CVE-2025-XXXXX | V8 Engine | <48 hours |
| Sep 19 | CVE-2025-XXXXX | Skia | <24 hours |
| Nov 7 | CVE-2025-XXXXX | WebGL | <12 hours |
| Dec 15 | CVE-2025-14174 | ANGLE | <5 hours |
The trend is clear: exploitation windows are shrinking. What used to take days now takes hours.
๐ ๏ธ MITIGATIONS
๐ด IMMEDIATE (Do Today)
1. Update Chrome/Chromium/Edge to 143.0.7499.109+ (Windows) or 143.0.7499.110+ (macOS/Linux)
โฑ๏ธ Time: ~15 min per endpoint
# Windows (GPO/Intune)
# Deploy Chrome 143.0.7499.109+ via enterprise policy
# macOS (MDM)
# Deploy via Munki/Jamf or manual update
# Linux
sudo apt update && sudo apt upgrade google-chrome-stable2. Enable browser auto-updates (if disabled)
- Windows: Group Policy โ Chrome Update Policies
- macOS: MDM configuration
- Linux: Configure apt/yum auto-updates
3. Deploy temporary mitigations (if patching delayed)
- Disable WebGL/ANGLE features via enterprise policy (breaks some sites)
- Enable Site Isolation and strict sandboxing
- Deploy browser extension to block known exploit patterns
๐ก SHORT-TERM (This Week)
- Audit browser versions across enterprise
- Review browser crash logs for exploitation indicators
- Deploy EDR rules for browser-based RCE attempts
- Train users on browser security hygiene
- Enable browser crash collection in your EDR and create a quick view: "browser crashed + network connection to untrusted domain in last 5 minutes" โ it's a great high-signal starting point during active exploit windows
๐ญ HOLD THAT THOUGHT: Everything is a browser now
Connect to: Electron apps (Slack, VS Code), embedded browsers in Teams/Outlook โ they all inherit browser bugs. Which of your "desktop apps" are actually just Chrome in a trench coat?
Compare to Electron apps: When Chrome has a zero-day, it's not just your browser โ it's Slack, VS Code, Discord, Teams, and every Electron-based app. The attack surface multiplies silently.
๐ผ Decision-Maker Lens
- What budget line or policy changes this? โ Browser update automation, Electron app inventory, patch management tools
- ROI: Browser updates are "free" but require automation. One unpatched browser = multiple app vulnerabilities.
๐ ๏ธ Engineer Lens
- What log, control, or script gives me leverage here? โ Browser version inventory, crash logs, EDR browser process monitoring
- Quick win: Enable browser crash collection in EDR (see detection angle above)
โโโโโโโโโโโโ โโโโโโโโโโ โโโโโโโโ โโโโโโ โโโโโโโโโ โโโโโโโ โโโโโโโ
โโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโ
โโโ โโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโ โโโ โโโโโโโโโ โโโโโโโ
โโโ โโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโ โโโ โโโโโโโโโ โโโโโโโ
โโโ โโโ โโโโโโ โโโโโโโโโโโโโโ โโโ โโโ โโโโโโโโโโโโโโโโโ
โโโ โโโ โโโโโโ โโโโโโโโโโโโโโ โโโ โโโ โโโโโโโ โโโโโโโ
IDENTITY WEAPONIZATION โ USER-APPROVED COMPROMISE
THREAT 03 โ WhatsApp GhostPairing: Device Hijacking Without Passwords
Legitimate device-linking flow, evil intent. No password required. User-approved compromise.
If you're not technical: imagine forwarding your WhatsApp to a burner phone you never see โ that's what the attacker gets if someone scans the wrong QR code.
Most relevant to: sales, execs, customer support, anyone who lives in WhatsApp Business.
๐ ATTACK FLOW
1. Attacker sends phishing email/SMS with QR code
2. User scans QR code thinking it's legitimate (e.g., "Verify your account")
3. QR code links attacker's device to user's WhatsApp account
4. Attacker gains persistent access without password
5. Attacker can read messages, send messages, access media files
This is the same pattern as earlier WhatsApp/Signal device-linking abuse by Russian actors. They're reusing concepts across platforms.
๐ ๏ธ MITIGATIONS
๐ด IMMEDIATE (Do Today)
1. Review all WhatsApp "Linked Devices"
- Open WhatsApp โ Settings โ Linked Devices
- Revoke any unrecognized devices
- Enable "Show notifications when new devices link"
2. Enable two-factor authentication (2FA)
- WhatsApp โ Settings โ Two-Step Verification
- Set 6-digit PIN
- Add email for PIN recovery
3. User education: QR code hygiene
- Never scan QR codes from unsolicited emails/SMS
- Only scan QR codes from official WhatsApp sources
- Verify sender identity before scanning
THREAT 03B โ OAuth Device-Code Phishing: Microsoft 365 Under Attack
No malicious login page required. Everything happens inside legitimate Microsoft authentication flows. "Legit flow, evil intent."
If you're not technical: think of this as someone borrowing your office keycard without ever touching your password; the system thinks it's you because the process looks normal.
Most relevant to: Microsoft 365 users, cloud-first orgs, anyone using OAuth-based authentication.
1. Hunt for device-code flow anomalies in Microsoft 365 audit logs
# KQL: Alternative query for Azure Sentinel/Defender
AuditLogs
| where Operation == "UserLoggedIn"
| where AuthenticationDetails has "deviceCode"
| extend IP = tostring(parse_json(tostring(AdditionalDetails))[0].value)
| summarize count(), make_set(IP) by UserId
| where count_ > 3 and array_length(set_IP) > 1This surfaces users where the device-code flow was used multiple times from different IPs in a short window โ classic suspicious pattern.
โโโโโโโโโโโโ โโโโโโโโโโ โโโโโโโโ โโโโโโ โโโโโโโโโ โโโโโโโ โโโโโโโ
โโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโ
โโโ โโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโ โโโ โโโโโโโโโ โโโโโโโ
โโโ โโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโ โโโ โโโโโโโโโ โโโโโโโ
โโโ โโโ โโโโโโ โโโโโโโโโโโโโโ โโโ โโโ โโโโโโโโโโโโโโโโโ
โโโ โโโ โโโโโโ โโโโโโโโโโโโโโ โโโ โโโ โโโโโโโ โโโโโโโ
LOADERS, STEALERS, AND GHOST NETWORKS
THREAT 04 โ CountLoader & GachiLoader: Malware-as-Content
Content platforms are quietly doubling as malware infrastructure. Tutorials, cracks, and loaders all feeding each other.
๐ผ Manager-level takeaway:
- If your org allows employees to install "free versions" of paid tools from YouTube links, you've effectively allowed anyone on the internet to push code into your network.
- A simple policy of "only from vendor or internal portal" eliminates most of this risk without extra tools.
Safe vs sketchy downloads:
โ Safe:
- Vendor website
- Official app stores
- Internal software portal
โ Sketchy:
- YouTube descriptions
- "Crack" sites
- Link shorteners with no clear destination
๐ ATTACK CHAIN
1. User searches YouTube for "software crack" or "free [premium software]"
2. Attacker's Ghost Network channel appears in results (fake views, comments)
3. User clicks video, downloads "crack" from description link
4. Crack contains Python script that downloads CountLoader
5. CountLoader executes mshta.exe to download next-stage payload
6. GachiLoader or SantaStealer deployed
7. Credentials, crypto wallets, browser data exfiltrated
๐ ๏ธ MITIGATIONS
๐ด IMMEDIATE (Do Today)
1. Block known loader C2 infrastructure
# Firewall rules / DNS filtering | Add CountLoader/GachiLoader IoCs to blocklist
2. Deploy application whitelisting
- Block mshta.exe execution from Python scripts
- Block unexpected browser extension installations
- Monitor for Python โ mshta execution chains
3. User education: Software download hygiene
- Never download software from YouTube description links
- Use official software sources only
- Verify software authenticity before installation
THREAT 04B โ SantaStealer: Malware-as-a-Service
Malware with a subscription model. Modules, pricing tiers, and Chrome encryption bypass. This is the market behind these tools.
๐ SANTASTEALER PRICING & MODULES
| Module | Price | Features |
|---|---|---|
| Basic | $50/mo | Credential theft, browser data |
| Pro | $150/mo | + Crypto wallet theft |
| Enterprise | $500/mo | + Custom modules, C2 hosting |
โโโโโโโโโโโโ โโโโโโโโโโ โโโโโโโโ โโโโโโ โโโโโโโโโ โโโโโโโ โโโโโโโ
โโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโ
โโโ โโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโ โโโ โโโโโโโโโ โโโโโโโ
โโโ โโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโ โโโ โโโโโโโโโ โโโโโโโ
โโโ โโโ โโโโโโ โโโโโโโโโโโโโโ โโโ โโโ โโโโโโโโโโโโโโโโโ
โโโ โโโ โโโโโโ โโโโโโโโโโโโโโ โโโ โโโ โโโโโโโ โโโโโโโ
STATE ACTORS, REAL-WORLD IMPACT
THREAT 05 โ LongNosedGoblin: Group Policy + Cloud C2
Group Policy manipulation + OneDrive/Drive as command-and-control. Your cloud storage is their infrastructure.
If you're not technical: when Group Policy is hijacked, attackers can push silent software to every Windows machine โ including the laptop you use at home for remote work.
Most relevant to: Windows domain admins, enterprise IT, organizations using Active Directory.
THREAT 05B โ Denmark/Russia Hybrid Attacks: Water Utilities & Elections
Water utilities and election systems under attack. This is not theoretical. Real-world infrastructure compromise.
If you're not technical: this is tap water and ballot access, not just servers in a rack โ outages here show up on the evening news, not just in SOC dashboards.
THREAT 05C โ DPRK: $2.02B Stolen in 2025 + IT-Worker Infiltration
$2.02 billion stolen. IT workers infiltrated. This is the dual track: cash now, access later. DPRK's record year.
If you're not technical: those stolen funds don't just disappear; they are used to buy more infrastructure, more access, and more specialists to target the next wave of victims.
Most relevant to: fintech, exchanges, SaaS with a lot of remote devs, and anyone hiring through marketplaces.
Chainalysis estimates DPRK-linked actors stole $2.02 billion in 2025, accounting for roughly three-quarters of major crypto service compromises and pushing their all-time haul to about $6.75 billion. (Source: Chainalysis 2025 Crypto Crime data on stolen funds and DPRK share.)
๐ DPRK 2025 CAMPAIGN SUMMARY
FINANCIAL THEFT:
- Bybit exchange hack: $200M+
- TraderTraitor campaigns: $150M+
- Crypto wallet theft: $1.5B+
- Total: $2.02B (record year)
ACCESS OPERATIONS:
- Operation Dream Job: IT-worker recruitment
- Wagemole infiltration: Remote worker placement
- Supply chain compromise: Software development companies
- Long-term access: Persistent footholds in target organizations
๐ Pattern Analysis: Shared Infrastructure & Feature Abuse
These are all variations of one theme: user-approved compromise โ attacks that live inside normal clicks, scans, and sign-ins.
This week's threats reveal two critical patterns:
1. SHARED INFRASTRUCTURE REUSE
- WatchGuard and Fortinet campaigns using same IP ranges (199.247.7[.]82)
- LongNosedGoblin and other China-aligned toolsets sharing TTPs
- Loader supply chains using same YouTube Ghost Network channels
Implication: Attackers are coordinating infrastructure. One IP block can indicate multiple campaigns.
2. LEGITIMATE FEATURE ABUSE ("User-Approved Compromise")
| Feature | Normal use | Abused as attack vector |
|---|---|---|
| WhatsApp linking | Linking your phone to WhatsApp Web | Permanent hijack via malicious QR ("GhostPairing") |
| OAuth device code | Logging into a TV or console with a short code | Token theft via fake "enter your code" pages |
| Group Policy | Pushing config to company PCs | Pushing backdoors to every domain-joined machine |
| OneDrive/Drive | Syncing work docs | Covert command-and-control channel |
Implication: Everything happens inside legitimate flows. No malicious login pages required. Your edge is not your edge.
3. CONTENT PLATFORMS AS INFRASTRUCTURE
- YouTube Ghost Network channels distributing loaders
- RuTube channels spreading Roblox cheats
- Malware-as-content: creators, loaders, stealers feeding each other
Implication: Content platforms are becoming attack infrastructure. Tutorials and cracks are delivery mechanisms.
4. DUAL-TRACK NATION-STATE OPERATIONS
- DPRK: Financial theft ($2.02B) + access operations (IT-worker infiltration)
- Russia: Critical infrastructure attacks + election targeting
- China: Group Policy abuse + cloud C2
Implication: Nation-states are running parallel tracks: immediate impact (theft, disruption) and long-term access (intelligence, persistence).
Pattern Evolution Timeline:
2023: MOVEit โ "The Plumbing Fails."
2024: VPNs โ "The Doors Jam."
2025: GhostPairing โ "The Keys Betray You."
The surface keeps moving closer to the user.
YOUR NEW REALITY:
- 24-hour patch windows (your weekend plans' natural enemy)
- QR codes and device codes that behave like tiny, polite trojans
- YouTube channels that are part tutorial, part malware franchise
- Shared infrastructure means one IoC can indicate multiple threats
- Nation-states are running dual-track operations (theft today, access tomorrow)
๐ฏ Overall Response Scorecard
Rate your org's response across all 8+ threats (be honest):
If your score is under 400, this bulletin doubles as your next 90-day security roadmap โ pick one branch from the Skill-Tree and start there.
๐ฎ SECURITY SKILL-TREE: WHERE TO INVEST YOUR QUARTER
Think of your security improvements as an RPG skill-tree. If you put 1 skill point here this quarter, do this:
๐ Branch 1: Edge Defense (WatchGuard, Fortinet, OT)
- Skill point investment: Audit what's actually internet-facing and ensure it's patched and logged
- Unlocks: Reduced perimeter attack surface, faster incident response
- Prerequisites: Network inventory, patch management process
๐๐ฅ๏ธ Branch 2: Browser & Client Defense (Chrome, loaders, SantaStealer)
- Skill point investment: Automated browser updates + application whitelisting on endpoints
- Unlocks: Reduced client-side attack surface, fewer malware infections
- Prerequisites: MDM/EDR deployment, user education
๐ Branch 3: Identity Defense (GhostPairing, OAuth, SSO hygiene)
- Skill point investment: Require MFA on everything and add a review step for new OAuth apps
- Unlocks: Reduced account takeover risk, better visibility into authentication anomalies
- Prerequisites: Identity provider (Azure AD, Okta, etc.), conditional access capabilities
๐ฅ Branch 4: Human & Org Defense (Wagemole, hiring, contractors)
- Skill point investment: Add a 1-page security checklist to hiring remote devs/contractors
- Unlocks: Reduced insider threat risk, better contractor access controls
- Prerequisites: HR process integration, background check capabilities
Pro tip: You can't max out all branches at once. Pick one branch per quarter and go deep. Next quarter, pick another branch. By year-end, you've built a comprehensive defense tree.
๐ฏ WHAT WOULD YOU DO? SCENARIO CARDS
Treat these like mini choose-your-path panels โ pick first, then read the answer.
Scenario 1: "The QR Code Friday" โ Side Quest
Your CEO forwards a screenshot: "I got this WhatsApp QR to verify my account, is it legit?"
A) "Probably, go ahead and scan it."
B) "Don't scan. Send it to security and check 'Linked Devices' first."
C) "We should open an incident, pull all logs, and panic."
*Best pick: B, plus use it as a teachable moment in your next all-hands.*
Scenario 2: "Chrome Crash Cliffhanger" โ Side Quest 2
User reports: "Chrome keeps crashing and my antivirus just pinged something weird."
A) "Restart your computer and ignore it."
B) "Check Chrome version, update if needed, and review AV logs for network connections."
C) "Nuke the machine from orbit, it's the only way to be sure."
*Best pick: B. Check if Chrome is < 143.0.7499.109, update immediately, and review EDR logs for browser crash + network connection patterns.*
Scenario 3: "The Recruiter Offer" โ Side Quest 3
Recruiter emails: "Remote dev role, we'll handle all your accounts and equipment."
A) "Sounds convenient, sign me up."
B) "Verify the company, check if they're asking for unusual access, and review their security practices."
C) "Report to FBI immediately, this is definitely Wagemole."
*Best pick: B. Legitimate remote work exists, but verify company identity, check for red flags (unusual access requests, payment in crypto, etc.), and review their security practices. If something feels off, it probably is.*
Scenario 4: "The YouTube Download" โ Side Quest 4
Dev asks: "Can I install this cracked version of [premium tool] from a YouTube tutorial?"
A) "Sure, whatever gets the job done."
B) "No. Use the official trial, request a license, or find an open-source alternative."
C) "Only if you run it in a VM and never connect it to our network."
*Best pick: B. Block unofficial downloads at policy level, provide internal software portal or official alternatives. One cracked tool = potential network-wide compromise.*
๐ฏ Am I Vulnerable? Quick Check
Click your tech stack to see which threats apply to you:
๐ก Pro Tip: Running multiple technologies? Your risk compounds. A Windows domain with Microsoft 365 and Chrome endpoints = exposure to 5 of 8 threats. Use the Red Flag Checklists above to assess your actual risk.
๐ข Share This Bulletin
SLACK YOUR DEV TEAM:
@channel ๐จ If you manage WatchGuard firewalls or use Chrome/WhatsApp/Microsoft 365, drop what you're doing and read this: https://jmfg.ca/security-bulletin/december-18-2025
TL;DR: WatchGuard VPN RCE (CVE-2025-14733) actively exploited, Chrome zero-day (8th this year), WhatsApp device hijacking, OAuth device-code phishing, and DPRK stole $2.02B. Patch WatchGuard within 24 hours. Update Chrome immediately.
For the "pls no pager at 3AM" crowd: patch the WatchGuard and Chrome stuff now so we can all sleep later.
EMAIL YOUR CISO:
Subject: URGENT: 8+ Critical Threats Require 24h Response (WatchGuard RCE, Chrome Zero-Day, DPRK $2B Theft)
We need to prioritize patching and hunting this week. JMFG's Dec 18 bulletin covers 8+ actively exploited vulnerabilities including WatchGuard VPN RCE (CVSS 9.8, actively exploited), Chrome ANGLE zero-day (8th this year), and DPRK's record $2.02B crypto theft. Full details + hunting scripts here: https://jmfg.ca/security-bulletin/december-18-2025
TEXT YOUR FAVORITE EXEC:
"If we ever get hit through VPN, Chrome, WhatsApp, or a fake software download, this is the playbook I wish we'd followed: https://jmfg.ca/security-bulletin/december-18-2025. Can I brief you on the 3 fastest wins next week?"
๐ฌ DIRECTOR'S COMMENTARY
Why these 8 stories made the cut this week:
This issue focuses on the "edge-to-identity" attack chain: WatchGuard (edge), Chrome (client), WhatsApp/OAuth (identity), loaders (supply chain), and nation-states (the big picture). We picked threats that are: 1. Actively exploited (not theoretical) 2. Affecting tools people use daily (VPNs, browsers, messaging) 3. Showing clear patterns (shared infrastructure, feature abuse, content platforms)
What changed while we were writing this:
- CISA added CVE-2025-14733 (WatchGuard) to KEV catalog on Dec 14
- Chrome team released 143.0.7499.109/110 on Dec 15 (platform-specific builds)
- Chainalysis published 2025 crypto crime report confirming DPRK's $2.02B haul
- WatchGuard updated advisory with additional patch versions (2025.1.4, 12.11.6, 12.5.15)
The comic-book framing:
We're building a series here. Each issue connects to the last (see "Previously on Infrastructure Under Siege" callbacks). The playful structure isn't just for fun โ it keeps you reading long enough to hit the hunting queries, which is where the real value lives.
Next issue preview:
We're tracking React2Shell fallout (60+ orgs impacted, ransomware pivot), AI & MCP exposure (~1,000 exposed MCP servers), and AI-driven ICS scans. Plus whatever breaks between now and then.
Stay sharp. Patch fast. Hunt smarter.
Security Research Team
JMFG.ca Intelligence
This bulletin is part of our ongoing coverage of the 2025 threat landscape. We track active exploitation, CISA KEV updates, and nation-state campaigns to give you a prioritized defense roadmap.