Cybersecurity Digest – 13th Edition
Date: 19-12-2025

Jingle bells and security alerts, the cyber world has officially hit December!
As attacks keep getting louder, teams are gearing up and looking ahead to what the new year might bring. This edition includes our predictions for 2026, plus fresh updates to wrap up the year, and with that, happy holidays.

Gartner warns on agentic browsers
Gartner is urging organizations to hit pause on AI-powered agentic browsers, warning the security risks outweigh the convenience for now.
According to Gartner, these browsers introduce serious risks ranging from data leakage to prompt injection and malicious manipulation. Their default setups tend to favor automation and user experience over security controls. Because they integrate deeply with emails, documents, calendars, and passwords, a compromised browser can quickly become a high-value target for attackers.
Why Gartner says block them for now:
- Default settings prioritize convenience over security, increasing exposure
- Deep system access expands the attack surface and enables data exfiltration
- AI agents can be manipulated by malicious sites to perform unsafe actions
Security leaders echo the concern, noting that enterprises are not fully prepared to manage these tools safely. Experts warn that AI agents can be tricked into performing harmful actions, bypass existing security controls, and undo years of user training. As adoption grows, especially on personal devices, these risks are likely to spill into the workplace faster than defenses can keep up.

ISC2 2025 workforce study
ISC2’s new 2025 Cybersecurity Workforce Study shows a worrying shift: even as budgets steady, the skills gap is growing, and nearly nine in ten professionals say it has already caused real security incidents.

Cyber extortion fuels 2026 threat landscape
Cyber extortion has surged 44.5%, with attackers growing more organised, state-aligned, and AI-enhanced. Orange Cyberdefense’s latest report highlights how hacktivism, geopolitical tensions, and long-standing vulnerabilities are shaping a volatile 2026 threat landscape.

Clipping Scripted Sparrow’s wings
Fortra has uncovered the inner workings of Scripted Sparrow, a highly organised phishing operation targeting finance teams with convincing, low-tech invoice scams designed to slip past scrutiny.

Silent update, loud warning. CISA has flagged a critical flaw in ASUS Live Update after signs of real-world exploitation resurfaced. The issue traces back to a supply chain compromise that quietly pushed malicious code to a small, targeted set of devices. While the attack itself is not new, the renewed warning matters, especially as the tool has now reached end of support. Agencies and users still relying on it are being urged to move on fast.
Pairing gone rogue. WhatsApp’s device-linking feature is being turned against users in a new account hijacking scam dubbed GhostPairing. By tricking victims into linking a new device, attackers can slip in without cracking passwords or codes. Once inside, they get full access to chats, media, and contacts in real time. It’s a quiet takeover that’s easy to miss unless you know where to look.
When trusted apps turn traitor. A new Android malware-as-a-service called Cellik is letting attackers weaponize apps straight from Google Play. By trojanizing popular apps while keeping their real look and functionality, infections can stay hidden far longer. Sold on underground forums, Cellik offers screen spying, credential theft, file exfiltration, and even hidden browser access. Its most worrying trick is an APK builder that wraps malware inside trusted apps. If it slips past Play Protect, the line between safe and shady apps just got a lot blurrier.

Controlling data beyond the perimeter
Sensitive data no longer sits safely behind firewalls. It moves constantly across networks, clouds, and borders. Drawing on lessons from defence and intelligence environments, Wouter Klinkhamer of Kiteworks explains why information must travel to be useful, even when the systems it passes through can’t be trusted. Yet most security models still assume data stays put. In a boundary-free world, protecting the perimeter isn’t enough; the data itself has to carry its own protection.

Cybersecurity 2026: why resilience matters
Enterprise security is entering a reset, as old prevention-first playbooks give way to a harsher reality. Manuel Sanchez of iManage argues that by 2026, resilience, not the illusion of perfect defence, will define how organisations survive cyber disruption. With supply chains under strain, cloud complexity rising, and AI reshaping risk, breaches are no longer a question of if. The winners will be those built to absorb impact, recover fast, and keep moving.

The cost of inconsistent third-party access
In today’s B2B ecosystems, trust is built or broken at the point of access. Jose Caso of Thales explores how inconsistent third-party identity and access management quietly drains productivity, inflates risk, and strains partner relationships. From delayed onboarding to lingering permissions, everyday IAM friction creates hidden costs that compound over time. When access falters, collaboration slows and trust pays the price.

Cybersecurity expert predictions 2026
For this month’s Expert Panel, we gathered cybersecurity leaders to share their predictions for 2026. What emerged was not a single prediction, but a pattern of shifts already underway and accelerating fast. So far, we’ve published three editions of our 2026 predictions series, each unpacking a different layer of the same story:
- How AI is reshaping threats
- How attack surfaces are expanding beyond traditional control
- How trust, identity, and human judgment are becoming the actual fault lines of security
This is only the beginning. More perspectives and more hard truths are still to come.

- Talk the talk, Gemini’s got your back. Google Translate just got a major upgrade thanks to Gemini. Nuance, idioms, and slang are now handled more naturally, so your translations actually make sense. A new live speech-to-speech beta brings real-time translation straight to your headphones, preserving tone, emphasis, and cadence. Plus, language learning tools are expanding, helping you practice smarter and track your progress. With these upgrades, Google Translate is aiming to make understanding the world a lot easier, one conversation at a time.
- $18 an hour hacker? Meet ARTEMIS. Stanford just tested an AI agent that spent 16 hours hacking the university’s networks, and it outperformed nine out of ten professional human hackers. Named ARTEMIS, the agent uncovered vulnerabilities humans missed, spinning up sub-agents to investigate multiple targets at once. All this for a fraction of the $125,000 salary a professional penetration tester would cost. While it struggles with graphical interfaces and can produce false positives, ARTEMIS shows just how far AI has come in cybersecurity.
- AI takes the mic. The podcast world is getting crowded with AI voices that are almost indistinguishable from humans. From cloning hosts like Steven Bartlett to filling in for sick podcasters, bots are now sharing stories, news, and hot takes at scale. They’re cheaper, consistent, and sometimes even better researched than humans, shaking up an already competitive market. While some creators embrace the tech, others are calling for limits as the airwaves fill with synthetic chatter. The AI podcast invasion has officially begun, and it’s only getting louder.
Information Security Buzz and all its contents are copyright © 2014-2024. All rights reserved. All third-party trademarks are recognized.