Cybersecurity Weekly Recap: December 15-20, 2025

By SO Email Security

This week's top cybersecurity stories: North Korea's record $2B crypto heist, Microsoft 365 OAuth phishing surge, critical Fortinet vulnerabilities under attack, and Russia-linked hackers target Danish water infrastructure.


Another eventful week in cybersecurity. From record-breaking crypto heists to critical infrastructure attacks, here's what you need to know.

North Korea steals record $2 billion in crypto

North Korean hackers shattered their own record this year, stealing $2.02 billion in cryptocurrency, a 51% increase from 2024. This brings their all-time total to an estimated $6.75 billion.

The February hack of Dubai-based exchange Bybit alone accounted for $1.5 billion of the total. According to Chainalysis, North Korean actors were responsible for 76% of all service-level compromises in 2025.

What makes these attacks distinct is their scale. DPRK-linked hackers consistently target large, centralized crypto services for maximum impact. Their laundering patterns show heavy use of Chinese-language brokers, cross-chain bridges, and mixing services, typically completing cash-out within a 45-day window.

The funds are believed to support North Korea's nuclear weapons and missile programs.

Sources: The Hacker News, Dark Reading, Chainalysis


Microsoft 365 OAuth phishing attacks surge

A sharp increase in OAuth device code phishing attacks is targeting Microsoft 365 accounts, with both financially motivated criminals and state-sponsored actors abusing Microsoft's legitimate authentication flow.

The technique tricks users into entering an attacker-generated device code on Microsoft's genuine login page, which authorizes the attacker's session without the user realizing it. It gets around traditional MFA because nothing is stolen: the victim signs in and completes MFA on the legitimate site, and the OAuth access and refresh tokens for that sign-in are issued to the attacker's client, which has been polling Microsoft for them.

Proofpoint identified several threat groups using this method, including TA2723 (a financially motivated actor) and UNK_AcademicFlare (a suspected Russian state-aligned group targeting government and military accounts). The attacks use phishing kits like SquarePhish2 and Graphish that lower the barrier for less technical attackers.

Lures typically involve salary documents, shared file notifications, or security verification prompts.
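To make the mechanics concrete, here is an added toy simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628) that these campaigns abuse. It is not code from the article, Microsoft, or Proofpoint. The in-memory AuthorizationServer stands in for login.microsoftonline.com; the client ID, IP addresses, scopes, lure text, code lifetime and audit field names are constructed for the example. It goes one step beyond the text by adding a defender-side check over the tokens the server issued, since the token is handed to the attacker's polling client, not to the victim's device.

```python
"""Toy RFC 8628 device authorization flow, as abused by device code phishing.
Added illustration only; the server, IDs, IPs and field names are constructed."""
import secrets
import string
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CODE_LIFETIME_SECONDS = 900   # assumption: RFC 8628 leaves the lifetime to the server
POLL_INTERVAL_SECONDS = 5
VERIFICATION_URI = "https://microsoft.com/devicelogin"   # the genuine page users are sent to


@dataclass
class PendingCode:
    client_id: str
    scope: str
    user_code: str
    created_at: float
    requester_ip: str                    # who asked for the code (the attacker's machine)
    approved_by: Optional[str] = None    # set once a user approves on the login page


@dataclass
class AuthorizationServer:
    pending: Dict[str, PendingCode] = field(default_factory=dict)   # device_code -> state
    issued_tokens: List[dict] = field(default_factory=list)         # sign-in audit trail

    def device_authorization(self, client_id, scope, requester_ip, now=None):
        """Step 1 (RFC 8628 s3.1-3.2): the *client* obtains a device_code/user_code pair.
        No user is involved yet, so anyone on the internet can start this step."""
        now = time.time() if now is None else now
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        self.pending[device_code] = PendingCode(client_id, scope, user_code, now, requester_ip)
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI,
                "expires_in": CODE_LIFETIME_SECONDS, "interval": POLL_INTERVAL_SECONDS}

    def user_enters_code(self, user_code, user, mfa_completed, now=None):
        """Step 2 (s3.3): the *user* signs in on the genuine page and types the user_code.
        The page cannot show who requested the code, so the user cannot tell it was an attacker."""
        now = time.time() if now is None else now
        for state in self.pending.values():
            if state.user_code == user_code and now - state.created_at <= CODE_LIFETIME_SECONDS:
                if not mfa_completed:
                    return "mfa_required"    # MFA is enforced here, and the victim satisfies it
                state.approved_by = user
                return "approved"
        return "invalid_or_expired_code"

    def token(self, device_code, client_id, poller_ip, now=None):
        """Step 3 (s3.4-3.5): the *client* polls; tokens go to whoever holds device_code."""
        now = time.time() if now is None else now
        state = self.pending.get(device_code)
        if state is None or state.client_id != client_id:
            return {"error": "invalid_grant"}
        if now - state.created_at > CODE_LIFETIME_SECONDS:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if state.approved_by is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]            # one-shot: the code cannot be replayed
        tok = {"access_token": secrets.token_urlsafe(32), "refresh_token": secrets.token_urlsafe(32),
               "subject": state.approved_by, "scope": state.scope, "client_id": client_id,
               "authentication_protocol": "deviceCode", "issued_to_ip": poller_ip}
        self.issued_tokens.append(tok)
        return tok


def run_phishing_scenario(now=1_000_000.0):
    """End to end: attacker requests a code, victim approves it with MFA, attacker gets tokens."""
    idp = AuthorizationServer()
    client_id = "constructed-office-client-id"    # constructed; a real campaign uses an ID the IdP already accepts
    resp = idp.device_authorization(client_id, "Mail.Read Files.Read offline_access",
                                    requester_ip="203.0.113.7", now=now)
    # The lure (modelled on the salary-document theme above) carries the REAL URI plus the code.
    lure = f"Your salary document is ready: open {resp['verification_uri']} and enter {resp['user_code']}"
    first_poll = idp.token(resp["device_code"], client_id, "203.0.113.7", now=now + 5)
    outcome = idp.user_enters_code(resp["user_code"], "victim@example.com", mfa_completed=True, now=now + 60)
    attacker_token = idp.token(resp["device_code"], client_id, "203.0.113.7", now=now + 65)
    return {"lure": lure, "first_poll": first_poll, "user_outcome": outcome,
            "attacker_token": attacker_token, "audit": idp.issued_tokens}


def flag_device_code_signins(audit, expected_client_ips):
    """Defender view: device code sign-ins whose tokens went to an IP outside the org's ranges."""
    return [t for t in audit
            if t["authentication_protocol"] == "deviceCode" and t["issued_to_ip"] not in expected_client_ips]


if __name__ == "__main__":
    result = run_phishing_scenario()
    print(result["lure"])
    print("attacker holds token for:", result["attacker_token"]["subject"])
    print("flagged sign-ins:", flag_device_code_signins(result["audit"], {"198.51.100.10"}))
```

The point the simulation makes is that the victim's MFA is real and succeeds; the only thing wrong is that the session being approved was started by someone else. The server has no way to show the user who requested the code, which is why user training and blocking or monitoring the device code flow matter more than MFA strength here.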

Sources: Bleeping Computer, The Hacker News, Dark Reading


Critical Fortinet flaws exploited within days

Attackers began exploiting two critical Fortinet authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) just three days after patches were released on December 9.

Both flaws carry a CVSS score of 9.1 and allow unauthenticated attackers to bypass FortiCloud SSO authentication using crafted SAML messages. The vulnerabilities affect FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.

Arctic Wolf observed attackers targeting admin accounts, successfully authenticating via SSO, then exporting device configurations including hashed credentials. CISA added CVE-2025-59718 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by December 23.

Organizations should upgrade affected products immediately or, as a temporary mitigation, disable FortiCloud SSO login. Because the observed intrusions exported device configurations containing hashed credentials, anyone who was exposed before patching should treat those configurations as compromised: rotate administrator and other embedded credentials, and review admin accounts and SSO logins for activity that cannot be accounted for.

Sources: Dark Reading, Bleeping Computer, The Hacker News


Denmark blames Russia for water utility attack

Denmark publicly attributed cyberattacks on critical infrastructure to Russia for the first time, accusing Moscow of orchestrating a destructive attack on a water utility that caused pipes to burst.

In late 2024, the pro-Russian hacking group Z-Pentest gained control of Tureby Alkestrup Waterworks near Copenhagen, manipulating water pressure settings. Around 50 households lost water for seven hours. The head of the waterworks noted the facility had switched to a cheaper cybersecurity provider, leaving it exposed.

A separate group, NoName057(16), launched DDoS attacks on Danish websites ahead of November's regional elections. The Danish Defence Intelligence Service said both groups have links to the Russian state and are used as instruments in Moscow's hybrid war against the West.

Denmark summoned Russia's ambassador in response.

Sources: Bleeping Computer, SecurityWeek


More headlines this week

RaccoonO365 phishing platform operator arrested: Nigeria arrested the developer behind the RaccoonO365 phishing-as-a-service platform, which targeted Microsoft 365 credentials. The operation had over 850 Telegram members and received at least $100,000 in cryptocurrency payments. Source: Bleeping Computer

WatchGuard Firebox RCE flaw under active attack: WatchGuard warned that a new remote code execution vulnerability in Firebox firewalls is being actively exploited in the wild. Source: Bleeping Computer

HPE OneView maximum-severity flaw: HPE disclosed a CVSS 10.0 vulnerability in its OneView software that allows remote code execution. Source: Bleeping Computer

SonicWall SMA1000 zero-day exploited: SonicWall confirmed that a zero-day vulnerability in SMA1000 edge devices is being actively exploited. Source: Bleeping Computer

UEFI flaw affects major motherboard brands: A new UEFI vulnerability enables pre-boot attacks on motherboards from Gigabyte, MSI, ASUS, and ASRock. Source: Bleeping Computer

WhatsApp device linking abused for account hijacking: Attackers are exploiting WhatsApp's device-linking feature to hijack accounts without the owner's awareness. Source: Bleeping Computer

Lazarus Group embeds malware in developer tools: North Korea's Lazarus Group is hiding BeaverTail malware variants in developer tools to target software engineers. Source: Hackread

700Credit data breach affects 5.6 million: U.S. fintech firm 700Credit suffered a data breach impacting at least 5.6 million consumers. Source: Hackread


Key takeaways

  1. Patch immediately. Fortinet vulnerabilities were exploited within 72 hours of disclosure. The window between patch release and active exploitation is shrinking.

  2. Train on OAuth phishing, and limit the flow. Traditional MFA doesn't stop device code attacks, because the victim completes MFA legitimately. Users need to understand that they should never enter a code they received in an unsolicited message; a device code is only legitimate when they started the sign-in themselves. Where the device code flow isn't needed, block it with an Entra Conditional Access policy on authentication flows, and alert on device code sign-ins.

  3. Critical infrastructure remains vulnerable. The Danish water attack shows how cost-cutting on security can have real-world consequences.

  4. North Korea isn't slowing down. Their crypto theft operation is becoming more efficient, with fewer attacks yielding larger returns.

Stay vigilant. See you next week.