Threat Pulse – December 2025
Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally. Take action to protect your organisation against these prolific threats.
If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.
DigitalXRAID’s SOC analysts constantly monitor for zero-day threats and update our signature databases using the most comprehensive Threat Intelligence and Open Threat Exchange databases available worldwide.
Cyber Incidents in December
December 2025 Patch Tuesday Security Update
Microsoft’s December 2025 Patch Tuesday release included fixes for 57 security vulnerabilities across Windows, Office, Exchange, Azure services, and developer tools.
This bundle addressed zero-day flaws, one of which was actively exploited in the wild at the time of disclosure. The patches covered a broad range of security issues such as privilege escalation, remote code execution, information disclosure, and other weaknesses that could impact Microsoft services and platforms if left unpatched.
Fortinet security flaw in FortiOS SSL VPN
Fortinet warned about active exploitation of CVE-2020-12812, a FortiOS SSL VPN flaw from 2020 that allows attackers to bypass two-factor authentication (2FA) by changing the case of a username.
The issue arises in configurations where local users have 2FA enabled but authenticate through LDAP, because FortiGate treats usernames as case sensitive while LDAP does not. When the username case doesn’t exactly match the local account, FortiGate fails local authentication and falls back to LDAP, allowing successful login without 2FA, including for admin or VPN access.
Although the bug was patched in July 2020 and previously weaponised in 2021 attacks on perimeter devices, it’s now being exploited again in the wild. Fortinet advises patching, disabling username case sensitivity, removing unnecessary LDAP groups, and resetting credentials if 2FA bypass activity is detected.
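The 2FA bypass described above leaves a recognisable trace: a successful LDAP login, with no second factor, under a username that matches a local 2FA-enabled account only when case is ignored. The following is an added example (not DigitalXRAID's or Fortinet's code) that flags such events; the key=value log line format and the local user list are constructed for the example and are not real FortiOS log syntax.

```python
# Added example: flag SSL VPN logins that match a local 2FA account only
# case-insensitively and were authenticated by LDAP with no second factor.
# Log format below is constructed, not real FortiOS syntax; adapt parse_line().
import re
from dataclasses import dataclass

# Constructed local user store: accounts with 2FA enabled on the firewall.
LOCAL_2FA_USERS = {"jsmith", "admin", "vpn.ops"}

# Constructed sample log lines (IPs are documentation ranges).
SAMPLE_LOGS = """\
user="jsmith" authserver="local" twofactor="yes" result="success" srcip="203.0.113.10"
user="JSmith" authserver="ldap" twofactor="no" result="success" srcip="198.51.100.7"
user="bwong" authserver="ldap" twofactor="no" result="success" srcip="203.0.113.22"
user="ADMIN" authserver="ldap" twofactor="no" result="success" srcip="198.51.100.7"
user="admin" authserver="local" twofactor="yes" result="failed" srcip="203.0.113.5"
""".splitlines()

KV_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass(frozen=True)
class Finding:
    logged_user: str   # username as it appeared in the log
    local_user: str    # the local 2FA account it collides with
    srcip: str


def parse_line(line):
    """Turn one key="value" log line into a dict."""
    return dict(KV_RE.findall(line))


def find_case_mismatch_bypass(lines, local_2fa_users=LOCAL_2FA_USERS):
    """Return one Finding per successful LDAP login without a second factor
    whose username equals a local 2FA account when compared case-insensitively
    but not case-sensitively. Exact-case logins hit the local account and get
    2FA; users with no local account at all (bwong) are expected LDAP users."""
    by_lower = {u.lower(): u for u in local_2fa_users}
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("result") != "success" or ev.get("authserver") != "ldap":
            continue
        if ev.get("twofactor") == "yes":
            continue
        name = ev.get("user", "")
        local = by_lower.get(name.lower())
        if local is not None and local != name:
            findings.append(Finding(name, local, ev.get("srcip", "")))
    return findings
```

A hit is a prompt to reset the affected credentials and review the LDAP group configuration, as the vendor guidance above recommends.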
New MacSync macOS Stealer Uses Signed App to Bypass Apple Gatekeeper
MacSync is macOS information-stealing malware that abuses a legitimately signed and notarised installer to evade Apple Gatekeeper and present itself to users as trusted software.
By exploiting Apple’s own trust mechanisms, the malware reduces user suspicion and bypasses common security controls during initial execution.
Once installed, MacSync deploys malicious components designed to collect sensitive information, including browser credentials, system details, and cryptocurrency-related data. Apple has since revoked the misused certificate, but the campaign highlights a growing trend of macOS threats leveraging code signing and notarisation to increase infection success.
Users and organisations should remain cautious of installers from unverified sources, even when they appear properly signed.
Microsoft 365 accounts targeted in wave of OAuth phishing attacks
There’s been a surge in phishing attacks targeting Microsoft 365 accounts through the OAuth device code authorisation mechanism. Attackers trick users into entering a device code on Microsoft’s legitimate login page, unknowingly granting access to attacker-controlled applications without any credentials being stolen or MFA being bypassed.
These attacks have significantly increased since September 2025 and involve both financially motivated actors and state-aligned groups such as UNK_AcademicFlare.
The phishing kits SquarePhish and Graphish are commonly used, simplifying the abuse of OAuth flows and enabling adversary-in-the-middle attacks. Campaigns include salary bonus lures, OneDrive, LinkedIn, and DocuSign spoofing, and targeted attacks against government, academic, think tank, and transportation sectors in the U.S. and Europe.
To mitigate these threats, it’s recommended to implement Microsoft Entra Conditional Access and policies on sign-in origin. There’s a growing sophistication of phishing techniques leveraging legitimate Microsoft infrastructure to bypass traditional security measures. We recommend strengthening identity and access management strategies to counter these evolving threats.
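Because device code sign-ins complete on Microsoft’s own login page, the SOC signal is in the sign-in logs rather than in credential theft. The following is an added example (not DigitalXRAID's or Microsoft's code) that triages a batch of sign-in records for device code completions. The records are constructed and modelled on Microsoft Entra sign-in log fields (userPrincipalName, authenticationProtocol, ipAddress, location, appDisplayName, createdDateTime); treating the value "deviceCode" as the marker for the device code flow, and the expected-country list, are assumptions to verify against your own tenant.

```python
# Added example: flag device code flow sign-ins by origin and by clustering.
# Records are constructed; field names follow the Entra sign-in log schema as
# an assumption. Device code flow is legitimate for CLI tools (see dave below),
# so the flow alone is not flagged; origin and clustering signals are applied.
from collections import defaultdict
from datetime import datetime, timedelta

EXPECTED_COUNTRIES = {"GB"}          # constructed: where staff normally sign in
WINDOW = timedelta(minutes=30)      # constructed: several users, one IP, 30 min

SIGNINS = [  # constructed records; IPs are documentation ranges
    {"userPrincipalName": "alice@example.org", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.5", "location": {"countryOrRegion": "GB"},
     "appDisplayName": "Microsoft Teams", "createdDateTime": "2025-12-03T09:01:00Z"},
    {"userPrincipalName": "bob@example.org", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "NL"},
     "appDisplayName": "Microsoft Office", "createdDateTime": "2025-12-03T09:05:00Z"},
    {"userPrincipalName": "carol@example.org", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.9", "location": {"countryOrRegion": "NL"},
     "appDisplayName": "Microsoft Office", "createdDateTime": "2025-12-03T09:12:00Z"},
    {"userPrincipalName": "dave@example.org", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.77", "location": {"countryOrRegion": "GB"},
     "appDisplayName": "Azure CLI", "createdDateTime": "2025-12-03T11:40:00Z"},
]


def _ts(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def triage_device_code(signins, expected=EXPECTED_COUNTRIES, window=WINDOW):
    """Return {upn: [reasons]} for suspicious device code sign-ins. Signal 1:
    the sign-in origin is outside the expected countries (what a sign-in origin
    policy in Conditional Access would block). Signal 2: more than one user
    completed the device code flow from the same IP inside `window`, the
    pattern a phishing kit driving many victims to one code produces."""
    dc = [r for r in signins if r.get("authenticationProtocol") == "deviceCode"]
    reasons = defaultdict(list)
    for r in dc:
        if r.get("location", {}).get("countryOrRegion") not in expected:
            reasons[r["userPrincipalName"]].append("device code sign-in from unexpected origin")
    by_ip = defaultdict(list)
    for r in dc:
        by_ip[r["ipAddress"]].append(r)
    for ip, recs in by_ip.items():
        recs.sort(key=_ts)
        users = {x["userPrincipalName"] for x in recs}
        if len(users) > 1 and _ts(recs[-1]) - _ts(recs[0]) <= window:
            for u in users:
                reasons[u].append(f"multiple users completed device code flow from {ip}")
    return dict(reasons)
```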
Apple, Google forced to issue emergency zero-day patches
Apple and Google have both been forced to release emergency security patches to fix zero-day vulnerabilities that were already being actively exploited in the wild.
The two tech giants rushed out updates to close serious security flaws discovered in their products: for Apple, across its ecosystem (iPhones, iPads, Macs, Safari), and for Google, in its Chrome browser. Attackers were found taking advantage of those flaws before fixes were ready.
Apple described the attacks as involving “sophisticated” exploits against specific individuals, suggesting high-end or targeted campaigns. Meanwhile, Google acknowledged that at least one browser flaw was already being used before the patch was released.
This underscores that both companies are responding quickly to emerging threats, but that attackers are getting chances to exploit vulnerabilities before vendors can issue patches, which increases risk.
Cloudflare Outage December 2025
In the early morning of 5 December 2025, Cloudflare suffered a major global outage that disrupted access to many popular websites and online services, including LinkedIn, Zoom, Shopify and others.
The incident began around 08:47 UTC and lasted about 25–30 minutes before services were restored.
Approximately 28% of Cloudflare’s HTTP traffic experienced errors during the disruption, with users seeing widespread HTTP 500 server errors. Cloudflare said the outage was not caused by a cyberattack but by a configuration change to its Web Application Firewall and related systems, made while deploying security measures for another vulnerability; that change triggered failures in part of its network.
The outage followed another significant disruption in mid-November 2025, renewing concerns about internet infrastructure resilience due to the central role Cloudflare plays in routing traffic for millions of websites.
Apple Supply Chain Cyberattack
In early December 2025, one of Apple’s Chinese assembly partners was hit by a major cyberattack, potentially exposing sensitive production line and manufacturing data tied to Apple’s supply chain.
The full scope and implications of this attack remain unclear, but the incident raised significant concerns about cyber security weaknesses within global tech manufacturing networks and potential risks to proprietary information.
GitHub Copilot + JetBrains – command injection RCE in Copilot for JetBrains
In December 2025, a command injection vulnerability leading to remote code execution in GitHub Copilot for JetBrains was tracked as CVE-2025-64671. Advisories note that plugin versions prior to the fixed release were affected.
Barts Health NHS Trust Cyberattack
In December 2025, Barts Health NHS Trust, one of the UK’s largest hospital trusts, disclosed a cyberattack by the Cl0p ransomware gang in which attackers exploited an Oracle E-Business Suite vulnerability to steal financial and invoice records containing names and addresses of patients and staff.
The trust began legal action and worked with national authorities to investigate and inform affected individuals.
NHS GP Software Supplier Data Breach (DXS International)
On 14 December 2025, UK-based healthcare tech provider DXS International, which supplies software to around 2,000 GP practices covering about 17 million patients, revealed a data breach affecting its office servers. Data was stolen, and investigations into the scope and impact are ongoing.
Real Estate Platform Data Exposure Incidents
December breach tracking reports show that several real estate-related firms and property technology services had data exposures reported late in the month. Victims listed on breach aggregation sites included companies tied to property services whose systems were compromised by threat actors such as Devman, highlighting the ongoing risks to real estate digital service providers.
Manufacturing Ransomware Trends Surge
An industry report highlighted that in December 2025 ransomware groups such as Akira, Qilin, and PLAY were aggressively targeting manufacturing environments, with attackers increasingly focusing on data theft and extortion over encryption, and manufacturers blocking more attacks before full encryption could occur.
This type of attack reveals evolving tactics and pressure on industrial organisations to strengthen defences.
Goldman Sachs Third-Party Data Exposure
Goldman Sachs disclosed that some client data may have been exposed due to a cyber security incident at one of its external law firm service providers, highlighting the ongoing danger of third-party vendor breaches affecting major financial institutions.
London Councils Cyberattack Continuation into December
Several London councils reported ongoing impacts from a late November cyberattack affecting shared IT systems that persisted into early December.
The incident disrupted municipal services and raised concerns about public records and resident data exposure across local public services.
UK Government Data Theft Acknowledged
UK government officials publicly confirmed that government data was stolen in a cyberattack, with authorities characterising the risk to individuals as low while an investigation continued.
The incident highlighted the threat of state-linked digital espionage against public sector networks and organisations.
PRC State-Sponsored BRICKSTORM Campaign Targeting Public Sector Systems
US and allied cyber security agencies warned that PRC state-sponsored threat actors used the BRICKSTORM backdoor across public sector and IT systems, enabling persistent remote access, credential theft and data exfiltration in government and critical infrastructure environments, underscoring ongoing nation-state espionage efforts against public institutions.
Qilin Ransomware Hits Club Atlético River Plate
In late December 2025, the Qilin ransomware group targeted Club Atlético River Plate, one of Argentina’s largest professional football clubs, posting thousands of files from the club’s systems on a dark web site.
Leaked documents included internal financial records, contracts and technical files, illustrating how ransomware continues to disrupt major sports organisations’ operations and data security.
Russian GRU Campaign Targets Energy Sector
In mid-December, threat intelligence highlighted ongoing Russian GRU-linked cyber operations targeting Western energy and critical infrastructure organisations, with attackers focusing on exposed network edge devices and long-term access, underscoring heightened nation-state pressure on energy systems.
UK Cyber Security and Resilience Bill Covers CNI Enhancements
In December, the UK government advanced the Cyber Security and Resilience (Network and Information Systems) Bill, aimed at enhancing protections for critical national infrastructure, including healthcare, transport, energy, water and digital services, by strengthening incident preparedness and response obligations for essential service operators.
French Interior Ministry Cyber Intrusion
December 2025 brought confirmation that France’s Ministry of the Interior had suffered a serious cyber intrusion. Attackers gained access to government email servers and internal document repositories, exposing potentially sensitive communications and administrative data.
Although officials said core national security systems were not compromised, the breach was significant because the Interior Ministry oversees policing, immigration, and domestic security.
French prosecutors later arrested a suspect linked to the attack, reinforcing that government agencies continue to be high-value targets for both espionage-oriented actors and politically motivated hackers.
Surge in Advanced Malware, APT Activity, and Ransomware Tooling
Beyond specific named breaches, December 2025 was marked by a surge in advanced threat activity documented by multiple cyber intelligence firms.
New exploit chains (such as web application vulnerabilities rapidly weaponised by attackers), evolving infostealers, mobile ransomware strains, and sophisticated phishing campaigns were all observed in active use.
Pro-Russian hacktivist groups, financially motivated ransomware gangs, and state-linked actors (particularly from China and North Korea) were all reported running concurrent operations targeting governments, technology firms, defence contractors, and financial institutions.
This constant background of advanced persistent threat (APT) activity formed the strategic backdrop for the high-profile incidents seen that month.
DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service means we can take care of your security, while you take care of business.
Talk to the team to see how you can start protecting your business against cyberattacks today.