San Mateo, CA, December 29, 2025 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.
Aflac confirms 22.65 million affected in data breach
Insurance company Aflac has confirmed that approximately 22.65 million people are being notified following a cyberattack disclosed earlier this year that resulted in the theft of sensitive personal and health data. In regulatory filings with state authorities, the insurer said the stolen information includes names, dates of birth, home addresses, government-issued identification numbers, driver’s license numbers, Social Security numbers, and medical and health insurance records. The breach was initially disclosed in June without a victim count. In a separate filing, Aflac said investigators believe the attackers may be affiliated with a known cybercriminal organization targeting the insurance industry broadly. While the company did not name the group, the activity aligns with campaigns attributed to Scattered Spider during the same period. Aflac, which reports roughly 50 million customers, has not publicly detailed the intrusion method and declined to comment further to TechCrunch. Read more.
Fortinet: attackers bypassing 2FA using a four-year-old flaw
Cybercriminals are actively exploiting a long-patched vulnerability in Fortinet FortiGate devices to bypass two-factor authentication and gain unauthorized access to VPNs and administrative interfaces. The issue, tracked as CVE-2020-12812 and internally referenced as FG-IR-19-283, stems from a mismatch between FortiGate’s default case-sensitive handling of usernames and the case-insensitive behavior of most LDAP directories, such as Active Directory. In misconfigured environments, attackers can authenticate by using case-insensitive username variations to bypass local 2FA checks and fall back to LDAP-based policies that require only valid credentials. Fortinet’s PSIRT team confirmed the attacks are occurring in the wild and warned that successful exploitation may indicate broader compromise. Read more.
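One defender-side check the mechanism above suggests, as an added example that is not Fortinet's code or advisory: compare successful logins against the case-sensitive list of local users that require 2FA and flag any account that was accepted only under a case-insensitive (LDAP) match with no second factor. The event dicts, field names and user names are constructed; real FortiGate log fields differ and would need to be mapped onto them.

```python
"""Flag logins that may have sidestepped a local 2FA user via username case.

The events below are constructed sample data (not FortiGate's real log
format): each dict is one authentication attempt as a SIEM might normalise it.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "username matched_local_user reason")

# Hypothetical local accounts that require 2FA, stored case-sensitively.
LOCAL_2FA_USERS = {"JSmith", "Admin.Ops"}

# Constructed sample events; 'source' is the policy that accepted the login.
SAMPLE_EVENTS = [
    {"user": "JSmith",    "source": "local", "two_factor": True,  "result": "success"},
    {"user": "jsmith",    "source": "ldap",  "two_factor": False, "result": "success"},
    {"user": "admin.ops", "source": "ldap",  "two_factor": False, "result": "success"},
    {"user": "bjones",    "source": "ldap",  "two_factor": False, "result": "success"},
    {"user": "JSMITH",    "source": "ldap",  "two_factor": False, "result": "failure"},
]


def find_case_variant_bypasses(events, local_2fa_users=LOCAL_2FA_USERS):
    """Return a Finding for each successful login whose username matches a
    local 2FA account only case-insensitively and that was accepted by a
    policy without a second factor.
    """
    by_folded = {u.casefold(): u for u in local_2fa_users}
    findings = []
    for ev in events:
        if ev["result"] != "success" or ev["two_factor"]:
            continue  # failed attempts and 2FA-backed logins are not the bug
        canonical = by_folded.get(ev["user"].casefold())
        if canonical is None or canonical == ev["user"]:
            continue  # not a local 2FA user, or an exact-case local login
        findings.append(Finding(ev["user"], canonical,
                                f"accepted via {ev['source']} without 2FA"))
    return findings


def summarize(findings):
    """Map each affected local 2FA account to the variant spelling seen."""
    return {f.matched_local_user: f.username for f in findings}


if __name__ == "__main__":
    for f in find_case_variant_bypasses(SAMPLE_EVENTS):
        print(f"{f.username!r} matched local user {f.matched_local_user!r}: {f.reason}")
```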
Trust Wallet Chrome update drains $7M in crypto
Trust Wallet has confirmed that a compromised Chrome extension update released on December 24 led to the theft of at least $7 million in cryptocurrency following a supply chain attack. Users reported wallets being drained shortly after interacting with version 2.68.0 of the browser extension. According to Trust Wallet, the malicious update contained hidden code that exfiltrated sensitive wallet data, including seed phrases, to a newly registered external domain that posed as an analytics endpoint. Changpeng Zhao said affected users would be reimbursed, stating, “Trust Wallet will cover. User funds are SAFU.” Researchers and BleepingComputer also observed a parallel phishing campaign directing victims to fake fix sites designed to steal recovery phrases. Trust Wallet urged users to update to version 2.69 immediately and warned that exposed seed phrases should be considered permanently compromised. Read more.
SEC charges crypto platforms over $14M AI investment scam
Federal regulators have charged several crypto-asset trading platforms and investment clubs with defrauding U.S. retail investors of more than $14 million through an investment confidence scam, according to the Securities and Exchange Commission (SEC). The complaint alleges the defendants used social media ads and WhatsApp groups to lure victims with promises of AI-powered trading strategies. Fraudsters posed as experienced financial professionals and shared fabricated AI-generated trading tips to build trust. Investors were then directed to open accounts on sham crypto platforms that falsely claimed government licensing and promoted non-existent Security Token Offerings tied to legitimate companies. The SEC says no actual trading occurred, and funds were routed through crypto wallets and overseas bank accounts. When withdrawals were requested, victims were allegedly pressured to pay additional fees. “Fraud is fraud, and we will vigorously pursue securities fraud that harms retail investors,” said Chief of the SEC’s Cyber and Emerging Technologies Unit Laura D’Allaird. Read more.
Microsoft Teams turns messaging security on by default
Microsoft is tightening security across Microsoft Teams by enabling key messaging safety features by default for enterprise tenants beginning January 12, 2026. Under new administrative advisories MC1148540, MC1148539, and MC1147984, Microsoft will automatically enable protections for tenants on standard configurations, reinforcing a secure-by-default approach. The changes include blocking weaponizable file types commonly used to deliver malware, real-time scanning of shared URLs to detect phishing and malicious domains, and a user-facing option to report incorrect security detections. Organizations that have already customized and saved their messaging safety settings will not be affected. End users may see warnings on suspicious links or blocked file transfers, while administrators are urged to review settings in the Teams Admin Center and update internal guidance before the deadline. Read more.
Fake VPN Chrome extensions intercept user traffic
Google Chrome extensions masquerading as a multi-location network speed test have been exposed as credential-stealing malware capable of full traffic interception. Researchers found two identically named Phantom Shuttle extensions, published by the same developer years apart, that charged subscription fees while operating as man-in-the-middle proxies. According to Socket, both variants inject hard-coded proxy credentials into HTTP authentication challenges, silently routing user traffic through attacker-controlled infrastructure. Once users pay and receive VIP status, the extensions activate a proxy mode that selectively intercepts traffic from more than 170 high-value domains. Indicators suggest a China-based operation leveraging paid subscriptions to sustain long-term access. Read more.
University of Phoenix breach tied to Clop ransomware group
University of Phoenix disclosed a data breach affecting 3,489,274 individuals after attackers accessed its Oracle E-Business Suite financial application last summer. The incident exposed personal and financial data tied to students, staff, faculty, and suppliers, including names, contact details, dates of birth, Social Security numbers, and bank routing information. Investigators said the intrusion occurred between August 13 and August 22, 2025, but was detected on November 21, a day after the school appeared on the Clop leak site. The university and its parent, Phoenix Education Partners, later issued notices and an SEC filing. Researchers link the breach to a broader campaign exploiting CVE-2025-61882 in Oracle EBS that hit more than 100 organizations, though attribution remains debated. No data have been released to date. Read more.
Operation Sentinel dismantles major African cybercrime networks
Interpol’s Operation Sentinel dismantled several prolific African cybercrime groups following a coordinated month-long crackdown spanning 19 countries. Authorities arrested 574 suspects, seized $3 million, took down more than 6,000 malicious links, and decrypted six ransomware variants. Investigators tied the activity to an estimated $21 million in losses from business email compromise, digital extortion, and ransomware. One major case involved a $7.9 million BEC fraud against a Senegalese petroleum company, perpetrated through executive email impersonation. Additional incidents included ransomware disruption of a Ghanaian financial institution, cross-border food delivery scams in Ghana and Nigeria, phishing via fake vehicle sales platforms in Cameroon, and mass takedowns of extortion-linked accounts in Benin. Read more.
FBI says deepfake impersonation of U.S. officials began in 2023
The FBI has warned that unknown threat actors are using AI-powered voice-cloning tools to impersonate senior U.S. government officials in campaigns to steal sensitive information and perpetrate scams. In an updated advisory, the bureau said the activity dates back to at least 2023, earlier than previously disclosed, and has targeted officials, their family members, and close associates. Attackers typically initiate contact via SMS before moving victims to encrypted platforms like Signal, WhatsApp, or Telegram. There, they engage victims on familiar topics and lure them with promises such as meetings with high-ranking officials or potential board nominations. These interactions are used to solicit passport images, contact lists, introductions, or overseas wire transfers. The FBI warned that compromised contact lists fuel further impersonation efforts. Read more.
Scripted Sparrow BEC group floods inboxes with millions of emails monthly
Security researchers have identified a prolific business email compromise group, dubbed Scripted Sparrow, that sends millions of highly targeted fraud emails each month. According to Fortra, the loose collective spans at least five countries across three continents and impersonates executive coaching firms to deceive accounts payable teams. Victims receive messages containing spoofed reply chains, invoices with ACH or wire instructions, W-9 forms, or, in some cases, prompts to request missing attachments to expose mule accounts. The group has registered more than 100 domains, hundreds of webmail accounts, and hundreds of bank accounts. Analysis suggests activity since mid-2024, with heavy use of RDP, webmail, and custom domains, and infrastructure linked to Nigeria, South Africa, Türkiye, Canada, and the U.S., according to researchers. Read more.
About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.
