Hello, stay ahead with CISO Brief 🚀


Every day the cybersecurity world moves fast — new incidents, evolving AI risks, changing regulations, and critical vendor updates. We cut through the noise to deliver only what matters most for your business and security strategy.

CISO Brief brings you a daily digest of high-signal news: major breaches, hyperscaler security releases, AI and compliance shifts, and the latest threat intelligence — all in one concise update.

Built for CISOs, CTOs, and architects, our goal is to save you time, reduce distraction, and keep you always on pulse with the risks and opportunities that shape tomorrow.

Cybersecurity News Digest — Daily Briefings

Latest News

Thu, December 11, 2025

Google patches eighth Chrome zero-day exploited in 2025

🔔 Google has issued emergency updates for Chrome to address a zero-day tracked as Chromium bug 466192044 that is actively exploited in the wild. The vulnerability is a buffer overflow in the LibANGLE Metal renderer caused by improper buffer sizing and can lead to memory corruption, crashes, sensitive data leaks, or arbitrary code execution. Stable channel builds rolling out are Windows 143.0.7499.109, macOS 143.0.7499.110, and Linux 143.0.7499.109; users should update immediately or allow Chrome to install the update on restart.

Thu, December 11, 2025

How CISOs Justify Security Investments to the Board

🔒 CISOs must position security investments as strategic enablers that directly support corporate objectives rather than as purely technical upgrades. Presentations should connect proposed solutions to outcomes like entering new markets, protecting margins, ensuring compliance, and improving resilience. Use concrete scenarios, cost models, and recovery timelines to show how investments reduce probability and impact of incidents while improving operational stability. Tailor messaging to the board’s maturity and speak in terms of risk, return, and shareholder value.

Thu, December 11, 2025

Hard-coded Gladinet Keys Enable Active Exploitation

🔐 Huntress warns that hard-coded cryptographic keys in Gladinet CentreStack and Triofox allow attackers to decrypt or forge access tickets, exposing sensitive files such as web.config. The flaw stems from a function that returns the same 100-byte strings to derive persistent keys, enabling indefinite reuse of crafted URLs to download server configuration. Organisations should update to version 16.12.10420.56791 and rotate machine keys immediately.

Thu, December 11, 2025

Using Managed XDR to Address Cybersecurity Skills Gaps

🔒 Managed Extended Detection and Response (MXDR) enables organizations to augment understaffed security teams with experienced analysts who provide continuous monitoring and rapid response. Providers deliver 24/7 coverage, broad sensor visibility, and immediate containment actions such as endpoint isolation. MXDR can reduce the need to hire internal specialists, but organizations must evaluate vendors carefully for expertise, data protection, and configurability.

Thu, December 11, 2025

Fortinet admins urged to patch FortiCloud SSO flaws

🔒 Fortinet has released patches for two critical cryptographic signature vulnerabilities, CVE-2025-59718 and CVE-2025-59719, that can allow an unauthenticated attacker to bypass FortiCloud SSO using a crafted SAML message on affected FortiOS, FortiWeb, FortiProxy and FortiSwitchManager devices. Administrators are advised to disable FortiCloud SSO immediately if it is enabled, update to non-vulnerable versions, and re-enable SSO only after verifying the patches. Fortinet notes the feature is not enabled by factory default but can be activated during FortiCare registration; the company and responders recommend using the System -> Settings toggle or the CLI command sequence to disable login until patched.

Thu, December 11, 2025

UK and Portugal Move to Protect Security Researchers

🔒 Governments in the UK and Portugal have introduced proposals and legislation to provide legal protection for computer security researchers, recognizing that outdated laws can deter responsible vulnerability testing. UK security minister Dan Jarvis proposed amending the 1990 Computer Misuse Act to create a statutory defense for good-faith research that meets defined safeguards. Portugal's new law similarly shields researchers who do not seek financial advantage and who respect data protection rules, aligning with measures already adopted in the Netherlands, France, and Belgium.

Thu, December 11, 2025

AWS Strengthens Cybersecurity and Resilience in the EU

🔒 AWS reiterates its commitment to raising cybersecurity standards across the European Union, positioning security as a core responsibility across its global operations. The post explains how AWS supports customers in meeting the NIS 2 Directive (EU 2022/2555) and related Implementing Regulation (EU 2024/2690) through services, audited controls, and guidance. It highlights certifications, regional accreditations, and tools—such as AWS Security Hub, AWS Config, and AWS CloudTrail—that help entities meet governance, incident reporting, and resilience obligations. The blog also describes AWS collaboration with national authorities and programs that provide templates, training, and operational engagement to improve readiness and compliance.

Thu, December 11, 2025

Hidden .NET proxy behavior can enable RCE in many apps

⚠️ Researchers found that .NET HTTP client proxy classes will accept file:// and other non-HTTP schemes, invoking the filesystem handler and enabling attacker-controlled writes to arbitrary files. This unexpected behavior enabled proof-of-concept remote code execution via web shells and malicious PowerShell scripts in multiple products, including Barracuda, Ivanti, Umbraco, Microsoft PowerShell, and SQL Server Integration Services. Microsoft says it will not change the Framework behavior and places responsibility on application developers to avoid passing untrusted URLs and to validate WSDL imports.

Thu, December 11, 2025

Smashing Security 447 — AI Abuse, Stalking and Museum Heist

🤖 On episode 447 of the Smashing Security podcast Graham Cluley and guest Jenny Radcliffe explore how generative AI can enable stalking — reporting that Grok was used to doxx people, outline stalking strategies, and share revenge‑porn tips. They also recount the audacious Louvre crown jewels heist, where thieves abused assumptions about what ‘looks normal’. Graham additionally interviews Rob Edmondson about how Microsoft 365 misconfigurations and over‑privileged accounts create serious security exposures. The episode emphasizes practical lessons in threat modelling and access hygiene.

Wed, December 10, 2025

Google Ads Lead to ChatGPT/Grok Guides Installing AMOS

⚠️ Security researchers warn of a macOS infostealer campaign that uses Google search ads to push users toward publicly shared ChatGPT and Grok conversations containing malicious installation instructions. According to Kaspersky and Huntress, the ClickFix attack spoofs troubleshooting guides and decodes a base64 payload into a bash script that prompts for a password, then uses it to install the AMOS infostealer with root privileges. Users are urged not to execute commands copied from online chats and to verify safety first.

Wed, December 10, 2025

DroidLock Android Malware Locks Devices, Demands Ransom

🔒 Zimperium researchers uncovered a new Android malware family called DroidLock that locks victims’ screens, steals messages and call data, and can remotely control devices via VNC. The threat targets Spanish-speaking users and is distributed through malicious websites that impersonate legitimate apps and deliver a dropper which installs a secondary payload. The payload requests Device Admin and Accessibility privileges to perform actions such as wiping devices, changing lock credentials, recording audio, starting the camera, and placing overlays that capture lock patterns. Operators serve a ransom WebView directing victims to contact a Proton email and threaten permanent file destruction within 24 hours if unpaid.

Wed, December 10, 2025

Amazon ECS on Fargate Adds Custom Container Stop Signals

🛑 Amazon Elastic Container Service (ECS) on AWS Fargate now honors container-defined stop signals for Linux tasks by reading the OCI image STOPSIGNAL instruction and sending that signal when a task is stopped. Previously Fargate always sent SIGTERM followed by SIGKILL after the configured timeout, but containers that rely on SIGQUIT, SIGINT, or other signals can now receive their intended shutdown signal. If no STOPSIGNAL is present, ECS continues to default to SIGTERM. Support for container-defined stop signals is available in all AWS Regions and the ECS Developer Guide provides implementation details.

Wed, December 10, 2025

React2Shell Exploitation Delivers Miners and Backdoors

⚠ Huntress reports widespread exploitation of the maximum-severity React Server Components flaw CVE-2025-55182, with attackers leveraging vulnerable Next.js instances to deploy cryptocurrency miners and multiple novel Linux malware families. Observed payloads include the PeerBlight backdoor, CowTunnel reverse proxy and ZinFoq post-exploitation implant, alongside droppers that fetch XMRig, Sliver C2 and Kaiji variants. Activity since early December 2025 has targeted many sectors — notably construction and entertainment — and shows signs of automated scanning and exploitation tools that sometimes deploy Linux payloads to Windows hosts. Organizations should update react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack immediately and hunt for indicators of compromise.

Wed, December 10, 2025

HTTPS Certificate Industry Phases Out Weak Domain Checks

🔒 The Chrome Root Program and the CA/Browser Forum have adopted new requirements (Ballots SC-080, SC-090, and SC-091) to phase out 11 legacy Domain Control Validation methods. These deprecated checks — including email, fax, SMS, postal mail, phone-based contacts, and reverse lookup methods — are being retired to reduce the risk of fraudulent certificate issuance. The policies update the TLS Baseline Requirements and encourage stronger, automated, cryptographically verifiable methods such as ACME, with full security value realized by March 2028 while operators transition.

Wed, December 10, 2025

Microsoft Teams adds alerts for suspicious external traffic

🔔 Microsoft is introducing an External Domains Anomalies Report for Microsoft Teams to analyze messaging trends and surface suspicious interactions with external domains. The tool will flag sharp spikes in activity, communications with new domains, and abnormal engagement patterns to give administrators early visibility into potential data-sharing or security risks. Microsoft plans a worldwide rollout to standard multi-tenant web environments in February 2026, though licensing implications remain unspecified. The change complements other Teams protections such as malicious-link warnings, false-positive reporting, meeting screen-capture blocking, and desktop performance improvements.

Wed, December 10, 2025

SOAPwn: WSDL/SOAP Flaw Enables File Writes in .NET

🛡️ WatchTowr Labs has disclosed SOAPwn, an "invalid cast" vulnerability in the .NET Framework that lets attackers abuse WSDL imports and dynamically generated SOAP client proxies to write files and achieve remote code execution. The issue impacts products including Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), and Umbraco 8. Barracuda addressed the flaw in Service Center RMM 2025.1.1 (CVE-2025-34392, CVSS 9.8) and Ivanti issued fixes in EPM 2024 SU4 SR1 (CVE-2025-13659, CVSS 8.8). Researchers presented the findings at Black Hat Europe after disclosures in March 2024 and July 2025.

Wed, December 10, 2025

Over 10,000 Docker Hub Images Expose Live Secrets Globally

🔒 A November scan by threat intelligence firm Flare found 10,456 Docker Hub images exposing credentials, including live API tokens for AI models and production systems. The leaks span about 101 organizations — from SMBs to a Fortune 500 company and a major national bank — and often stem from mistakes like committed .env files, hardcoded tokens, and Docker manifests. Flare urges immediate revocation of exposed keys, centralized secrets management, and active SDLC scanning to prevent prolonged abuse.

Wed, December 10, 2025

Amazon EC2 C8gb Instances: EBS-Optimized, Graviton4

🚀 AWS has announced general availability of the new Amazon EC2 C8gb instances, EBS-optimized and powered by AWS Graviton4 processors. These instances deliver up to 30% better compute performance than Graviton3 and offer up to 150 Gbps of EBS bandwidth and up to 200 Gbps networking. They are available in US East (N. Virginia) and US West (Oregon); metal sizes are limited to N. Virginia. They support EFA on larger sizes to improve cluster latency for tightly coupled workloads. Customers can use these instances to scale high-performance file systems and throughput-focused workloads while optimizing cost.
