It's been a busy 24 hours in the cyber world with significant updates on a critical RCE vulnerability under active exploitation, novel attack techniques leveraging AI and web standards, and a timely reminder about evolving authentication best practices. Let's dive in:
AI-Powered Virtual Kidnapping Scams on the Rise 🚨
- Criminals are now leveraging social media images and AI tools to create convincing fake "proof of life" photos and videos for "virtual kidnapping" and extortion scams.
- These sophisticated social engineering attacks pressure victims with threats of violence, demanding immediate ransom payments, echoing the old "grandparent scam" but with a modern, AI-enhanced twist.
- The FBI advises extreme caution: never provide personal info to strangers, establish a family code word, and always attempt to contact the supposed victim directly before making any payments.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/05/virtual_kidnapping_scam/
React2Shell RCE Under Widespread Exploitation ⚠️
- The critical React2Shell vulnerability (CVE-2025-55182), an unauthenticated RCE flaw in React Server Components, is under active and widespread exploitation by various threat actors, including China-linked state groups like Earth Lamia, Jackpot Panda, and UNC5174.
- CISA has added CVE-2025-55182 to its Known Exploited Vulnerabilities (KEV) catalog, with over 77,000 internet-exposed IP addresses identified as vulnerable and more than 30 organisations already compromised.
- Post-exploitation activities include reconnaissance, credential theft (especially AWS config files), deployment of webshells, cryptojackers, and malware like Snowlight and Vshell. Cloudflare even experienced an outage while deploying mitigations.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/05/react2shell_pocs_exploitation/
🤫 CyberScoop | https://cyberscoop.com/attackers-exploit-react-server-vulnerability/
📰 The Hacker News | https://thehackernews.com/2025/12/critical-react2shell-flaw-added-to-cisa.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/react2shell-flaw-exploited-to-breach-30-orgs-77k-ip-addresses-vulnerable/
IDEsaster: 30+ Flaws in AI Coding Tools 🛡️
- New research, dubbed "IDEsaster," has uncovered over 30 vulnerabilities in popular AI-powered Integrated Development Environments (IDEs) like Cursor, GitHub Copilot, and Zed.dev.
- These flaws chain prompt injection with legitimate IDE features, allowing attackers to bypass LLM guardrails and achieve data exfiltration or remote code execution without user interaction.
- The findings highlight a critical need for a "Secure for AI" paradigm, urging developers to apply least privilege to LLM tools, minimise prompt injection vectors, and implement sandboxing for commands.
📰 The Hacker News | https://thehackernews.com/2025/12/researchers-uncover-30-flaws-in-ai.html
Novel Clickjacking via CSS and SVG 🎨
- A security researcher has developed a new clickjacking technique that leverages SVG filters and CSS to leak cross-origin information, effectively bypassing the web's same-origin policy.
- This method allows for complex logic gates to process webpage pixels, enabling sophisticated attacks like exfiltrating Google Docs text, even in scenarios where traditional framing mitigations are absent or ineffective.
- While Google awarded a bounty for the report, the vulnerability remains unpatched across multiple browsers, underscoring the ongoing challenge of securing complex web standards.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/05/css_svg_clickjacking/
Passkeys: The Future of Phishing-Resistant MFA 🔒
- Traditional SMS and email one-time passwords (OTPs) are increasingly vulnerable to phishing attacks, making them an unreliable form of multi-factor authentication (MFA).
- Passkeys, based on cryptographic key pairs and FIDO2 standards, represent the "gold standard" for phishing-resistant MFA, offering superior security and a significantly improved user experience with faster logins and reduced helpdesk calls.
- While multi-device passkeys can still be susceptible to social engineering (like Scattered Spider attacks), they remain a substantial upgrade from OTPs, with over 2 billion passkeys already in use and strong adoption expected to continue.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/06/multifactor_authentication_passkeys/
#CyberSecurity #ThreatIntelligence #Vulnerability #RCE #React2Shell #CVE_2025_55182 #NationState #APT #Clickjacking #SVG #CSS #AICodingTools #IDEsaster #PromptInjection #MFA #Passkeys #Phishing #SocialEngineering #InfoSec #CyberAttack #IncidentResponse
