This Week in Cybersecurity 2025-12-16
- Glen Armes
- Dec 16, 2025
- 3 min read

Coverage window: 12/9/2025–12/15/2025
Themes this week: hypervisor “blast-radius” ransomware, Fortinet auth-bypass exploitation, WebKit zero-days, large-scale consumer data exposures, AI-assisted phishing kits, and “shadow spreadsheet” data leakage risk.
What changed this week
Attackers are optimizing for maximum impact per intrusion: hypervisors and identity systems are being targeted because they multiply downstream access and disruption. (BleepingComputer)
Exploitation velocity remains the enemy: Fortinet auth bypass issues were disclosed and then quickly exploited; patching cadence and external exposure control are still decisive. (BleepingComputer)
Client-side zero-days still matter for leadership and high-value targets: Apple patched actively exploited WebKit issues across its ecosystem. (Apple Support)
Data exposure is increasingly “via partners + APIs”: financial/identity data incidents point to third-party and integration pathways as the weak seam. (The Record from Recorded Future)
Social engineering is being “productized” with AI: new phishing kits blend automation + MFA bypass patterns for scalable credential theft. (The Hacker News)
Threat Events & Campaigns
Hypervisor-targeted ransomware
Compromise at the hypervisor layer can enable mass VM encryption and faster business interruption with lower detection probability. (BleepingComputer)
Defender focus: restrict management-plane access, harden vCenter/ESXi/Hyper-V, isolate backup networks, monitor hypervisor admin actions.
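Two of the defender-focus items above (restricting management-plane access and monitoring hypervisor admin actions) can be turned into detection logic. The following is an added example, not code from the original post or from any vendor: it runs over a constructed, generic audit-event format (not a real vCenter/ESXi/Hyper-V log schema), flags admin actions arriving from outside an assumed management-plane allowlist, and flags a per-user burst of disruptive VM actions of the kind that precedes mass encryption. The subnet, action names, thresholds and sample events are all assumptions for illustration.

```python
"""Detection over constructed hypervisor admin audit events (added example).

Flags (1) management-plane actions from outside an allowlisted admin network
and (2) bursts of disruptive VM actions by one user in a short window.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the management plane should only be reached from this jump-host subnet.
MGMT_ALLOWLIST = [ip_network("10.50.0.0/24")]
# Assumption: action names in this constructed schema that, in a burst, look like
# preparation for mass VM encryption or for disabling recovery.
DISRUPTIVE_ACTIONS = {"vm.poweroff", "snapshot.delete", "ssh.enable", "vm.storage.export"}
BURST_THRESHOLD = 5                  # disruptive actions by one user ...
BURST_WINDOW = timedelta(minutes=2)  # ... within this window raise one alert

# Constructed sample events: (iso_time, user, source_ip, host, action, target).
SAMPLE_EVENTS = [
    ("2025-12-12T02:01:05", "svc-backup", "10.50.0.12", "esxi-01", "snapshot.create", "vm-erp-db"),
    ("2025-12-12T02:03:10", "admin.j", "203.0.113.45", "vcenter", "login", "-"),
    ("2025-12-12T02:03:40", "admin.j", "203.0.113.45", "esxi-01", "ssh.enable", "esxi-01"),
    ("2025-12-12T02:04:02", "admin.j", "203.0.113.45", "esxi-01", "vm.poweroff", "vm-erp-db"),
    ("2025-12-12T02:04:09", "admin.j", "203.0.113.45", "esxi-01", "vm.poweroff", "vm-erp-app"),
    ("2025-12-12T02:04:15", "admin.j", "203.0.113.45", "esxi-01", "vm.poweroff", "vm-file-01"),
    ("2025-12-12T02:04:21", "admin.j", "203.0.113.45", "esxi-02", "vm.poweroff", "vm-ad-01"),
    ("2025-12-12T02:04:33", "admin.j", "203.0.113.45", "esxi-02", "snapshot.delete", "vm-ad-01"),
    ("2025-12-12T09:15:00", "ops.m", "10.50.0.20", "esxi-02", "vm.poweroff", "vm-test-07"),
    ("2025-12-12T09:16:00", "ops.m", "10.50.0.20", "esxi-02", "vm.poweron", "vm-test-07"),
]


def parse_events(rows):
    """Turn the constructed tuples into dicts with typed fields, sorted by time."""
    events = [
        {"ts": datetime.fromisoformat(ts), "user": user, "src": ip_address(ip),
         "host": host, "action": action, "target": target}
        for ts, user, ip, host, action, target in rows
    ]
    return sorted(events, key=lambda e: e["ts"])


def outside_mgmt_network(events):
    """Admin actions whose source IP is not inside any allowlisted management subnet."""
    return [e for e in events if not any(e["src"] in net for net in MGMT_ALLOWLIST)]


def disruptive_bursts(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Per-user sliding window over disruptive actions; emits one alert per burst."""
    recent = defaultdict(deque)
    alerts = []
    for e in events:
        if e["action"] not in DISRUPTIVE_ACTIONS:
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) == threshold:          # fire exactly once when the threshold is first reached
            alerts.append({"user": e["user"], "start": q[0], "end": e["ts"], "count": len(q)})
    return alerts


def analyze(rows):
    """Run both detections and return the findings for further handling."""
    events = parse_events(rows)
    return {"outside_mgmt": outside_mgmt_network(events), "bursts": disruptive_bursts(events)}


if __name__ == "__main__":
    findings = analyze(SAMPLE_EVENTS)
    for e in findings["outside_mgmt"]:
        print(f"[mgmt-plane] {e['ts']} {e['user']} from {e['src']} -> {e['host']} {e['action']} {e['target']}")
    for b in findings["bursts"]:
        print(f"[burst] {b['user']}: {b['count']} disruptive actions between {b['start']} and {b['end']}")
```

The allowlist check is the detection counterpart of the "restrict management-plane access" control: once admin interfaces are only reachable through a jump host, any action sourced elsewhere is a finding in itself. The burst rule deliberately counts actions per user rather than per host, because an attacker with a stolen admin credential typically sweeps several hypervisors in sequence.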
AI-assisted phishing kits + MFA bypass at scale
New kits observed leveraging automation/AI to improve lure quality and scale credential theft; includes tactics designed to defeat common MFA flows. (The Hacker News)
Defender focus: phishing-resistant MFA, conditional access, session-token protections, OAuth app governance, user-reported-phish loop.
Transnational fraud operations (call center ring takedown)
Law enforcement dismantled a multi-country fraud ring operating from Ukraine that ran impersonation-heavy and “safe account” style scams. (BleepingComputer)
Defender focus: verify-by-call-back procedures, payment verification, anti-impersonation controls.
Consumer surveillance / data collection enforcement action (Smart TV ACR)
Texas AG sued major TV manufacturers over alleged ACR-based monitoring and data monetization without proper consent. (BleepingComputer)
Security tie-in: consent, telemetry governance, and third-party SDK controls are now squarely in regulatory crosshairs.
Notable breach disclosures
Askul confirmed theft of ~740k records tied to a ransomware incident (RansomHouse). (BleepingComputer)
Prosper + 700Credit breaches collectively impacted ~20M people (per reporting). (The Record from Recorded Future)
Critical Vulnerabilities & Exploitation
Fortinet auth-bypass exploitation (FortiCloud SSO / related)
Reports indicate active exploitation of recently patched auth-bypass issues affecting multiple Fortinet products. (BleepingComputer)
Priority actions: patch immediately, restrict admin interfaces, rotate exposed creds/keys, review configs for exfiltration and unauthorized admin account creation.
Apple WebKit zero-days (actively exploited)
Apple released fixes for WebKit flaws used in “sophisticated” targeted attacks (multi-platform impact). (Apple Support)
Priority actions: force-update managed Apple fleets; ensure rapid OS compliance for exec/high-risk users.
AppSec / Root-Cause Weakness Signal (MITRE)
AI Threats & Unsafe Integrations
AI-enabled phishing is the standout operational AI risk this week (automation + lure quality + scale). (The Hacker News)
Third-party risk is expanding from open source to AI-assisted development: code provenance gaps, dependency confusion, and “unknown” code paths all increase. (SecurityWeek)
Regulatory / Compliance Updates
CISA Cross-Sector Cybersecurity Performance Goals (CPG 2.0) released/updated as measurable, voluntary baseline actions for critical infrastructure and private sector. (CISA)
Privacy + cyber predictions for 2026 (legal outlook): increased enforcement, evolving state privacy requirements, and AI governance acceleration. (JD Supra)
FAIR Quantitative Inputs (This Week’s LEF/LM Signals)
These are directional inputs you can tune per your company size/sector. (This report uses “weekly signal” logic: exploitation velocity, observed incidents, and blast-radius multipliers.)
Loss Event Frequency (LEF) signals
External exposure + patch gap (Fortinet class issues) ↑ attempted intrusion frequency in perimeter appliances. (BleepingComputer)
Identity credential theft (AI phishing kits) ↑ probability of account takeover attempts and BEC precursors. (The Hacker News)
Hypervisor targeting trend ↑ probability of “single intrusion → multi-system outage” events. (SC Media)
Loss Magnitude (LM) signals
Hypervisor encryption → high downtime + recovery labor + potential data theft amplification. (BleepingComputer)
Consumer/financial PII exposure → notification + credit monitoring + regulatory/legal + reputational losses. (The Record from Recorded Future)
Exec targeting via zero-days → can produce high-tail losses (wire approvals, strategic comms, privileged access). (Apple Support)
FAIR-CAM control categories that reduce LEF (most relevant this week)
Identity & Access Management (phishing-resistant MFA, CA policies, admin tiering)
Vulnerability & Patch Management (SLA-based patching + external exposure governance)
Security Monitoring & Detection (management-plane telemetry, token theft detection, anomalous admin actions)
Configuration & Hardening (hypervisor baselines, network segmentation, admin interface restriction)
Third-Party / Supply Chain Risk (SBOM, vendor security validation, integration/API control)
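To make the LEF/LM signals and the FAIR-CAM control categories above concrete, here is an added worked example (not from the original post and not a FAIR Institute tool) of the FAIR arithmetic: LEF = TEF × Vulnerability, ALE = LEF × LM, with this week's directional signals applied as multipliers on frequency (patch gap, AI phishing) or on magnitude (hypervisor blast radius), and controls applied as fractional reductions. Every range, multiplier and reduction factor below is a constructed illustration to be replaced by calibrated estimates for your own organisation.

```python
"""FAIR-style risk arithmetic for weekly LEF/LM signals (added example).

FAIR:  LEF = TEF x Vulnerability   (loss events per year)
       ALE = LEF x LM              (expected annual loss)
Ranges are sampled as triangular (min, most likely, max) distributions.
All numbers are constructed placeholders, not calibrated estimates.
"""
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Range:
    """Calibrated (low, mode, high) estimate, sampled as a triangular distribution."""
    low: float
    mode: float
    high: float

    def mean(self):
        return (self.low + self.mode + self.high) / 3  # mean of a triangular distribution

    def sample(self, rng):
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Range                    # threat event frequency, events per year
    vuln: Range                   # probability a threat event becomes a loss event
    lm: Range                     # loss magnitude per loss event, currency units
    lef_multiplier: float = 1.0   # this week's directional signal on frequency
    lm_multiplier: float = 1.0    # blast-radius multiplier on magnitude

    def expected_ale(self):
        """Closed-form mean ALE; factors are modelled as independent, so means multiply."""
        return (self.tef.mean() * self.vuln.mean() * self.lef_multiplier
                * self.lm.mean() * self.lm_multiplier)

    def simulate(self, rng, trials=20000):
        """Monte Carlo ALE: returns mean and the 50th/90th percentile of annual loss."""
        losses = []
        for _ in range(trials):
            lef = self.tef.sample(rng) * self.vuln.sample(rng) * self.lef_multiplier
            losses.append(lef * self.lm.sample(rng) * self.lm_multiplier)
        losses.sort()
        return {"mean": sum(losses) / trials,
                "p50": losses[trials // 2], "p90": losses[int(trials * 0.9)]}


def apply_controls(scenario, lef_reduction=0.0, lm_reduction=0.0):
    """FAIR-CAM view: a control reduces LEF (e.g. phishing-resistant MFA, patch SLAs)
    and/or LM (e.g. isolated backups, segmentation). Reductions are fractions in [0, 1]."""
    return replace(scenario,
                   lef_multiplier=scenario.lef_multiplier * (1 - lef_reduction),
                   lm_multiplier=scenario.lm_multiplier * (1 - lm_reduction))


def simulate_seeded(scenario, seed=7, trials=20000):
    """Deterministic wrapper so results are reproducible across runs."""
    return scenario.simulate(random.Random(seed), trials)


# Constructed scenarios mirroring this week's signals (placeholder numbers).
HYPERVISOR = Scenario("hypervisor ransomware",
                      tef=Range(0.5, 2, 6), vuln=Range(0.05, 0.15, 0.4),
                      lm=Range(200_000, 1_500_000, 8_000_000),
                      lm_multiplier=3.0)   # single intrusion -> multi-system outage
CRED_THEFT = Scenario("AI-phishing credential theft",
                      tef=Range(20, 60, 150), vuln=Range(0.01, 0.03, 0.08),
                      lm=Range(20_000, 120_000, 900_000),
                      lef_multiplier=1.5)  # kit automation raises attempt volume


if __name__ == "__main__":
    for base in (HYPERVISOR, CRED_THEFT):
        # Illustrative control effect: MFA/admin tiering cuts LEF, isolated backups cut LM.
        hardened = apply_controls(base, lef_reduction=0.5, lm_reduction=0.4)
        for label, s in (("baseline", base), ("with controls", hardened)):
            sim = simulate_seeded(s)
            print(f"{s.name:32s} {label:14s} E[ALE]={s.expected_ale():>14,.0f} "
                  f"p50={sim['p50']:>14,.0f} p90={sim['p90']:>14,.0f}")
```

The closed-form `expected_ale` is what a one-line "LEF × LM" estimate gives you; the simulation adds the tail (p90), which is where the hypervisor blast-radius multiplier and the "exec targeting" high-tail losses show up and where the control reductions are easiest to justify to a budget owner.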