InfoSec.Watch — Issue #117

Cisco warns of active campaign targeting Secure Email infrastructure

Cisco published details on a threat campaign affecting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager.

Source: Cisco Security Advisory

💡 Key Takeaway: Restrict management-plane exposure (VPN-only, MFA), enable high-fidelity logging, and hunt for unusual process execution/persistence on email security hosts.

DPRK-linked crypto theft hits record highs in 2025

Chainalysis reports North Korean operators stole roughly $2.02B in 2025, with fewer but higher-impact incidents.

Source: Chainalysis

💡 Key Takeaway: Treat wallet operations like production changes: enforce allowlists, step-up approvals, and continuous monitoring on signing + admin identities.

Denmark publicly attributes disruptive utility cyberattacks to Russia-linked actors

Public attribution highlights continued targeting of municipal services and operational disruption tactics against critical infrastructure.

Source: Associated Press

💡 Key Takeaway: OT resilience matters: segment OT/IT, rehearse manual operation, and validate incident communications paths for essential services.

CVE-2025-43529 — Apple WebKit use-after-free (exploited)

Apple disclosed fixes for WebKit vulnerabilities reported as exploited in highly sophisticated attacks against targeted individuals.

Source: Apple security content (iOS/iPadOS) • Apple security content (Safari)

💡 Key Takeaway: Shorten patch SLAs for browsers/OS across managed Apple fleets; enforce minimum OS versions via MDM before granting corporate access.

CVE-2025-14174 — Apple WebKit memory corruption (exploited)

A second WebKit issue was patched alongside CVE-2025-43529; Apple notes exploitation in sophisticated, targeted attacks.

Source: Apple security content (iOS/iPadOS)

💡 Key Takeaway: Ensure Safari/WebKit updates land on endpoints quickly—WebKit exposure exists beyond Safari via web content rendering components.

AI voice + text impersonation is becoming operationally routine

IC3 warns senior U.S. officials continue to be impersonated via malicious messaging, including AI-generated voice content.

Source: FBI / IC3 PSA (Dec 19, 2025)

💡 Key Takeaway: Require out-of-band verification for payment/credential requests and deploy “trusted channel” policies for executives and admins.

Proximity — MCP security scanner powered by NOVA

Proximity scans Model Context Protocol (MCP) servers to enumerate exposed tools/prompts/resources and optionally flags risky patterns (prompt injection, tool poisoning) via NOVA rules.

Source: GitHub: fr0gger/proximity

💡 Key Takeaway: If your org is piloting MCP-connected agents, add an MCP scan step to CI/CD before any server is deployed or exposed.

CISA adds exploited Apple WebKit vulnerabilities to KEV

CISA added WebKit issues to the Known Exploited Vulnerabilities catalog, reinforcing urgency for patching on affected platforms.

Source: CISA Alert (Dec 15, 2025)

💡 Key Takeaway: Treat KEV additions as “patch now / mitigate now” items, and wire them into your vulnerability governance.

FBI/IC3 reiterates impersonation campaign guidance

The PSA includes recommended defensive steps and background on ongoing impersonation tactics targeting contacts of senior officials.

Source: FBI / IC3 PSA

💡 Key Takeaway: Update helpdesk and finance workflows to resist social engineering: callbacks, ticketing, and dual approvals.

Pre-stage a “management-plane containment” playbook

For edge/admin surfaces (email gateways, identity, VPN, EDR consoles), create a one-hour checklist: isolate, capture telemetry, rotate credentials, validate persistence, and monitor outbound traffic.

💡 Key Takeaway: When active exploitation hits, speed beats perfection—prebuilt containment steps prevent analysis paralysis.

Attackers are concentrating on high-leverage choke points: email gateways, web rendering stacks, and trusted identities. Winning in 2026 means faster mitigation, tighter identity controls, and visibility where it matters most.

💡 Key Takeaway: Make time-to-mitigate for edge/admin planes a first-class KPI—and rehearse it like an incident.