#NSBCS.105 - Taking a Cyber Break This Christmas: Recharge, Reflect, and Remember the On-Call Heroes

As the year winds down and Christmas lights start twinkling, most of us in cybersecurity finally get a rare chance to step away from the screens. For many, the holiday season is one of the few times when alerts slow to a trickle, giving us permission to log off, switch off notifications, and actually enjoy time with family and friends without the constant hum of potential threats.

If you’re one of the lucky ones who can take a proper break this year, do it without guilt. Cybersecurity is a marathon of vigilance, and genuine rest isn’t a luxury; it’s maintenance. Use the downtime to disconnect completely: turn off work email on your phone, mute the SOC Slack channels, and let the on-call team handle the world for a while. Read a non-technical book, go for long walks without checking Shodan, or finally tackle that home project you’ve been postponing since the last Patch Tuesday. The threats will still be there in January, but you’ll return sharper, calmer, and far less likely to miss the subtle indicators that matter.

For those who can’t switch off: the on-call analysts, SOC operators, incident responders, and support staff holding the fort over the holidays, thank you. While the rest of us are opening presents or nursing hangovers, you’re the ones watching the dashboards, triaging alerts, and making sure ransomware doesn’t ruin anyone else’s Christmas morning. Your work is often invisible until something goes wrong, and even then the best outcome is that nobody notices, because you stopped it before it escalated.

To the managers and leaders reading this: make appreciation tangible. Extra pay, additional leave in the new year, a proper thank-you message that actually names people: small gestures go a long way when someone’s sacrificing family time to keep the organisation safe.

Christmas is a reminder that cybersecurity is ultimately about protecting people. So whether you’re switching off or staying vigilant, take a moment to recognise the human effort behind the tools and processes. Recharge if you can. Stand tall if you can’t.

From all of us who get to enjoy the quiet this year, thank you to everyone keeping the internet safe while the rest of us celebrate.

Here’s to a peaceful holiday season, and a stronger, more human 2026.


What we read this week

  • FortiGate SAML SSO Bypass Exploited - Threat actors are exploiting two Fortinet FortiGate authentication-bypass flaws (CVE-2025-59718 and CVE-2025-59719, CVSS 9.8) to perform malicious single sign-on logins, according to Arctic Wolf. The weaknesses allow unauthenticated access via crafted SAML messages when FortiCloud SSO is enabled. While the feature is disabled by default, it can be automatically enabled during FortiCare registration unless administrators disable ‘Allow administrative login using FortiCloud SSO’. Fortinet has released fixes across FortiOS and other affected products; organisations should patch quickly, validate SSO configuration, and investigate unusual SAML assertions or unexpected admin logins from unknown IdPs.

  • Cisco AsyncOS Zero-Day Plants Root Backdoors - Cisco has warned of active exploitation of an unpatched, maximum-severity AsyncOS zero-day (CVE-2025-20393) affecting Secure Email Gateway and Secure Email and Web Manager appliances. The issue impacts systems with certain non-standard configurations, particularly where Spam Quarantine is enabled and exposed to the internet. Cisco Talos attributes the activity to a China-nexus cluster tracked as UAT-9686, reporting attackers can execute commands as root and deploy persistence via AquaShell, plus tunnelling with AquaTunnel and Chisel. Talos also observed log clearing via AquaPurge, and published indicators of compromise in a GitHub repository for hunting.

  • Amazon: GRU Targets Misconfigured Devices - Amazon researchers say a Russia-aligned operation tied to the GRU (APT44, often called Sandworm/Seashell Blizzard) has pivoted towards abusing misconfigured customer network edge devices, with Western energy organisations a primary focus. Recorded Future News reports Amazon’s CISO put the victim count at more than 10 and said Amazon has tracked the campaign since 2021 using MadPot honeypots. The reported playbook includes compromising an exposed edge device, harvesting credentials from intercepted traffic, then using those credentials against online services before establishing persistent access for lateral movement. Amazon stressed this was not an AWS platform weakness.

  • Microsoft: React2Shell Exploitation and Defence Guidance - Microsoft has published telemetry on CVE-2025-55182 (“React2Shell”), a critical pre-authentication RCE in React Server Components with a CVSS 10.0 score. Microsoft says exploitation can be achieved with a single crafted HTTP request, without any authentication, and that public proof-of-concept exploits are available. The root cause is insufficient validation of incoming payloads in the React Server Components ecosystem, allowing malicious object structures that can lead to prototype pollution and code execution. Microsoft reports several hundred compromised machines and notes that containerisation affects how much of the underlying host an attacker can reach. The post includes detection, hunting, and mitigation guidance.

  • SoundCloud Confirms Breach After User Data Theft - SoundCloud says recent outages and VPN connection failures were triggered by unauthorised activity involving an ancillary service dashboard. The company reports a threat actor accessed a limited dataset containing email addresses and information already visible on public SoundCloud profiles, and says no passwords or financial data were accessed. BleepingComputer reports the incident may affect around 20% of SoundCloud users based on public user counts. SoundCloud says it has blocked the access, strengthened monitoring and identity controls, and is working with third-party experts; some mitigation steps disrupted VPN access while remediation continues.
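The React2Shell item above attributes the bug to insufficient payload validation leading to prototype pollution. The following is an added example of that general bug class, not React code, not the CVE-2025-55182 payload, and not Microsoft's guidance: a deserialiser that recursively merges untrusted JSON without checking key names, beside a hardened version that rejects prototype-reaching keys and builds prototype-less containers. The payload string and all function names are constructed for illustration.

```javascript
// Added example, not code from React, Microsoft or the original post.
// It shows the generic prototype-pollution class behind "insufficient
// validation of incoming payloads": a merge routine that walks untrusted
// JSON and writes through "__proto__" into Object.prototype. The payload
// and function names are constructed for illustration.

// Constructed attacker-controlled body: a normal-looking field plus a
// "__proto__" key. JSON.parse creates "__proto__" as an own property here,
// so a naive walker will happily recurse into it.
const CONSTRUCTED_PAYLOAD = '{"name":"alice","__proto__":{"isAdmin":true}}';

// VULNERABLE: recursive merge with no key validation. When key is
// "__proto__", target[key] resolves to Object.prototype via the inherited
// accessor, and the recursion writes isAdmin onto every object in the runtime.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (!target[key]) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: reject the keys that reach a prototype (covering both the
// "__proto__" and the "constructor.prototype" routes), only touch own
// properties, and create nested containers without a prototype at all.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected unsafe key: ${key}`);
    }
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          target[key] === null || typeof target[key] !== 'object') {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs the vulnerable merge and reports what an unrelated, freshly created
// empty object looks like before and after; then removes the polluted
// property so the rest of the process is not affected.
function demoUnsafe() {
  const before = ({}).isAdmin;                     // undefined
  unsafeMerge({}, JSON.parse(CONSTRUCTED_PAYLOAD));
  const after = ({}).isAdmin;                      // true, on an object we never touched
  delete Object.prototype.isAdmin;
  return { before, after };
}

// Same payload through the hardened merge: rejected before any write happens.
function demoSafe() {
  try {
    safeMerge(Object.create(null), JSON.parse(CONSTRUCTED_PAYLOAD));
    return 'merged';
  } catch (err) {
    return err.message;
  }
}

console.log('unsafe:', demoUnsafe());   // { before: undefined, after: true }
console.log('safe:', demoSafe());       // rejected unsafe key: __proto__
```

Rejecting the three key names is the minimum; the stronger control, and the one "insufficient validation" really points at, is a positive schema check that only accepts the keys and value types the endpoint expects and drops everything else before any object is built from the request body.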

