AWS Expands AI Stack; WatchGuard Patches as Coupang, UoPX Hit

Coverage: 22 Dec 2025 (UTC)

Platform hardening and patch directives set the tone today, with new tooling from AWS and a fresh addition to the federal vulnerability catalog from CISA. At the same time, urgent fixes for WatchGuard firewalls and a series of significant breaches kept attention on incident response and resilience planning.

Platform Upgrades for AI and Research Workflows

AWS expanded its AI acceleration stack with Neuron 2.27, adding Trainium3 UltraServer support, the Neuron Explorer tools suite for inspection and profiling, and an enhanced Neuron Kernel Interface (Beta 2) that exposes hardware-level hooks. The release pairs a private-beta, MLIR-based NKI Compiler and a library of optimized kernels with native PyTorch support via TorchNeuron (private beta), so many models run without framework changes while a path to low-level tuning remains available. Operationally, private-beta Neuron DRA brings Kubernetes-native resource management to Trainium and Inferentia fleets. In parallel, GameLift Streams introduced Gen6 classes on EC2 G6 (NVIDIA L4) with up to 2x the performance of Gen4 and an autoscaling warm buffer that trims start times; new capacity controls (minimum, maximum, target idle) let teams balance cost against readiness across initial regions in the U.S., Europe, and Asia. The combined updates aim to reduce friction from model development to real-time delivery while tightening cost/performance choices.

For secure, managed workstations, RES 2025.12 adds CloudFormation tag propagation to simplify billing and inventory, an option to disable automatic domain joining for custom identity workflows, and default session scheduling for standardized lifecycles. The release includes security hardening aligned to NIST 800-223 and resolves a reliability issue that caused premature logouts under custom DNS domains. The changes give administrators tighter control over cost attribution, identity integration, and governance without requiring deep cloud expertise from end users.

Advisories and Patch Deadlines

WatchGuard shipped fixes for a critical remote code execution flaw (out‑of‑bounds write in the iked process) affecting Firebox appliances running Fireware OS 11.x and later, 12.x and later, and 2025.1 through 2025.1.3. As reported by BleepingComputer, the issue enables unauthenticated code execution on devices configured for IKEv2 VPNs, with branch office VPNs using dynamic peers also at risk. Shadowserver observed more than 115,000 exposed Firebox instances over the weekend. WatchGuard provided indicators of compromise, guidance to rotate locally stored secrets if compromise is suspected, and temporary mitigations for environments that cannot immediately patch (e.g., disabling dynamic peer BOVPNs and tightening firewall policies). CISA added the vulnerability to the Known Exploited Vulnerabilities catalog and directed federal agencies to remediate under BOD 22‑01, underscoring the urgency.

Separately, CISA added CVE‑2023‑52163 (Digiever DS‑2105 Pro) to its KEV list, noting active exploitation and requiring federal agencies to remediate by the specified due date. The alert emphasizes that missing authorization flaws frequently enable unauthorized access and recommends patching, segmentation, and access restrictions as part of routine vulnerability management.

Account Takeover and Supply‑Chain Abuse

Threat actors are hijacking enterprise identities by abusing Microsoft’s legitimate OAuth device authorization flow, according to CSO. Campaigns convince users to enter an attacker‑initiated device code at Microsoft’s verification URL, granting access to targeted M365 accounts. Toolkits such as SquarePhish2 and Graphish automate the process, overcoming short‑lived codes and lowering technical barriers. Researchers observed consequences ranging from account takeover and data theft to persistent access and extortion. Suggested mitigations include blocking device code flows with Conditional Access, allow‑listing approved apps and IP ranges, and monitoring for anomalous consent and token behavior. The takeaway: phishing awareness must extend to legitimate portals when social engineering targets OAuth flows.
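The monitoring mitigation above is easier to reason about with concrete log records in hand. The following script is an added example (not code from CSO or from Microsoft) that reads a constructed, simplified sign-in and consent log, flags device-code sign-ins that come from unapproved apps or from outside the organisation's allow-listed IP ranges, flags consent grants for sensitive scopes, and escalates users who show both. It assumes the sign-in export carries an `authenticationProtocol` field with the value `deviceCode` (as the Microsoft Graph signIn resource does); every other field name, the IP ranges, the approved-app set and the scope list are constructed placeholders to adapt to your own export.

```python
"""Flag OAuth device-code sign-ins and sensitive consent grants that fall outside policy.

Added example. The record shape is a constructed, simplified stand-in for an
Entra ID sign-in/audit export; the `authenticationProtocol == "deviceCode"`
field is assumed to be present (it is in the Graph signIn resource), and all
other names and values below are constructed for illustration.
"""
import ipaddress
import json

# Constructed sample: three sign-ins and one consent audit event (JSON lines).
SAMPLE_LOG = """
{"type":"signIn","user":"alice@example.test","ip":"203.0.113.10","authenticationProtocol":"oAuth2","appDisplayName":"Outlook"}
{"type":"signIn","user":"bob@example.test","ip":"198.51.100.7","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Office"}
{"type":"signIn","user":"carol@example.test","ip":"203.0.113.44","authenticationProtocol":"deviceCode","appDisplayName":"Microsoft Azure CLI"}
{"type":"consent","user":"bob@example.test","ip":"198.51.100.7","appDisplayName":"Mail Sync Helper","scopes":"Mail.ReadWrite offline_access"}
"""

# Managed egress ranges; anything else is treated as unmanaged (constructed values).
ALLOWED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Apps that are expected to use the device-code flow, e.g. CLI tooling on headless hosts (constructed).
APPROVED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}
# Scopes whose grant to a new app deserves review (constructed list).
SENSITIVE_SCOPES = {"Mail.ReadWrite", "Mail.Read", "offline_access", "Files.ReadWrite.All"}


def ip_allowed(ip: str) -> bool:
    """True when the source address sits inside a managed egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_RANGES)


def parse_log(text: str) -> list:
    """Parse JSON-lines input, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_findings(records: list) -> list:
    """Return one finding per device-code sign-in outside policy or sensitive consent grant."""
    findings = []
    for rec in records:
        if rec.get("type") == "signIn" and rec.get("authenticationProtocol") == "deviceCode":
            # A device-code sign-in is only expected from an approved app on managed egress.
            if rec["appDisplayName"] not in APPROVED_DEVICE_CODE_APPS or not ip_allowed(rec["ip"]):
                findings.append({"user": rec["user"], "reason": "device_code_signin",
                                 "ip": rec["ip"], "app": rec["appDisplayName"]})
        elif rec.get("type") == "consent":
            granted = set(rec.get("scopes", "").split())
            if granted & SENSITIVE_SCOPES:
                findings.append({"user": rec["user"], "reason": "sensitive_consent",
                                 "ip": rec["ip"], "app": rec["appDisplayName"]})
    return findings


def correlate(findings: list) -> list:
    """Users with both a flagged device-code sign-in and a sensitive consent grant, sorted."""
    by_user = {}
    for f in findings:
        by_user.setdefault(f["user"], set()).add(f["reason"])
    return sorted(u for u, reasons in by_user.items()
                  if {"device_code_signin", "sensitive_consent"} <= reasons)


if __name__ == "__main__":
    found = find_findings(parse_log(SAMPLE_LOG))
    for f in found:
        print(f)
    print("escalate:", correlate(found))
```

On the constructed sample, carol's device-code sign-in is expected (approved CLI app, managed address) and is not flagged, while bob's sign-in from an unmanaged address followed by a mail-scope consent yields two findings and one user to escalate. The same two checks map onto the Conditional Access and app allow-listing controls the article recommends: the sign-in rule enforces them retrospectively where they are not yet blocking.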

Developer supply chains also saw abuse. Researchers flagged a malicious npm package impersonating a WhatsApp API that quietly exfiltrated authentication tokens, session keys, message histories, contacts, and media while persistently linking an attacker’s device to victims’ accounts. The Hacker News reports the package was downloaded over 56,000 times and used anti‑analysis traps and encryption to evade detection; a related campaign on NuGet impersonated popular crypto libraries to divert funds or steal keys and OAuth credentials. Recommended responses include removing suspect packages, verifying provenance and signer identity, monitoring for unexpected device linking activity, and revoking tokens and sessions on any sign of compromise.

Major Breaches and Enforcement

South Korea's largest e-commerce platform, Coupang, disclosed a large-scale breach affecting 33.7 million customer accounts. As detailed by BleepingComputer, exposed data includes names, phone numbers, emails, address books, and purchase histories; investigators pointed to a former employee who allegedly retained access keys after leaving the company. The incident, which spanned late June to early November, has prompted regulatory scrutiny and early class-action organization, and it reignites debate over protections for data types not covered by encryption mandates. Why it matters: data that appears "non-sensitive" in isolation can enable targeted attacks once aggregated and cross-referenced.

In higher education, BleepingComputer reports the University of Phoenix said 3,489,274 individuals were affected after exploitation of a zero‑day in Oracle E‑Business Suite. Exposed information includes contact details, dates of birth, Social Security numbers, and bank account and routing numbers; the university began notifications and is offering identity protection services.

Law‑enforcement coordination produced tangible disruption. BleepingComputer documents Interpol’s Operation Sentinel, a 19‑country effort yielding 574 arrests, roughly $3 million recovered, the takedown of thousands of malicious links, and decryptors for six ransomware strains tied to reported losses exceeding $21 million. In one case, authorities in Ghana developed a decryption tool that recovered about 30 TB of data after a 100 TB ransomware incident.

Critical infrastructure resilience also came into focus. Romania's national water authority suffered a ransomware attack that disrupted about 1,000 systems across central and regional offices, according to BleepingComputer. Operational technology remained unaffected and core water operations continued using local dispatch and voice communications. Authorities reported BitLocker-based file locking, a ransom note demanding contact within seven days, and ongoing efforts to integrate the agency into national protective systems.