Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Federal News Network reported last Tuesday,
    • “Lawmakers are moving to extend key cybersecurity information authorities and grant programs, while also providing funds for the Cybersecurity and Infrastructure Security Agency to fill “critical” positions.
    • “The “minibus” appropriations agreement released by House and Senate negotiators on Tuesday includes fiscal 2026 funding for the Department of Homeland Security. DHS funding could be a sticking point in moving the bill forward, as some Democrats want more restrictions around the Trump administration’s immigration enforcement operations.
    • “The bill also extends the Cybersecurity Information Sharing Act of 2015 (CISA 2015) and the State and Local Cybersecurity Grant Program through the end of fiscal 2026. Both laws are set to expire at the end of this month.
    • “The extension would give lawmakers more time to work out differences between competing versions of CISA 2015 reauthorizations in the House and Senate.”
  • Roll Call adds,
    • “The House passed a roughly $1.25 trillion spending package Thursday in a pair of votes that overcame internal GOP divisions and Democratic protests over the Trump administration’s immigration policies.
    • “The most closely watched of the four bills at stake was the Homeland Security measure, which was at greatest risk of defeat amid an immigration crackdown that raised civil rights concerns.
    • “But the bill, which was taken up separately from the rest of the package, passed on a 220-207 vote. Seven Democrats joined almost all Republicans to support the measure. Kentucky Rep. Thomas Massie was the lone GOP dissenter.” * * *
    • “The Senate plans to take up that [bi-partisan, bi-cameral] mega package next week to meet a Jan. 30 deadline, when current funding for most federal agencies is set to run out.”
  • Cyberscoop tells us,
    • “The acting head of the Cybersecurity and Infrastructure Security Agency faced pointed questions from lawmakers Wednesday [January 21, 2026] over CISA personnel decisions and staffing levels.
    • “Members of the House Homeland Security Committee asked Madhu Gottumukkala about a reported attempt to fire the agency’s chief information officer, efforts to push out a large number of staff and whether CISA had enough people to do the job.
    • “Gottumukkala at times sidestepped the questions, with the probing coming from both sides of the aisle. However, Democrats exhibited deeper worries about the agency’s workforce and its ability to do its job.
    • “Cutbacks at CISA after employees were “bullied into quitting” — among other methods of reducing CISA’s size — have “weakened our defenses and left our critical systems and infrastructure more exposed, and the American people more vulnerable,” said Rep. James Walkinshaw, D-Va.
    • “Said Chairman Andrew Garbarino, R-N.Y.: “This committee supports the administration’s goal of aligning department [of Homeland Security] resources towards urgent homeland security priorities. At the same time, workforce continuity, clear leadership and mission readiness are essential to effective cyber defenses.”
  • Cybersecurity Dive informs us,
    • “The National Institute of Standards and Technology is reevaluating its role in analyzing software vulnerabilities as it tries to meet skyrocketing demand for vulnerability analysis and reassure partners about the government’s continuing commitment to the program that catalogs those flaws.
    • “We’ve been doing more and more thinking about the [National Vulnerability Database] and, strategically, how we’re planning on moving forward,” Jon Boyens, the acting chief of NIST’s Computer Security Division, told members of the agency’s Information Security and Privacy Advisory Board during a quarterly meeting on Thursday [January 22, 2026]. * * *
    • To solve this [skyrocketing demand] problem, NIST will begin prioritizing which vulnerabilities it enriches based on several factors, including whether a vulnerability appears in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, whether it exists in software that federal agencies use and whether it exists in software that NIST defines as critical.
    • “All CVEs aren’t equal,” Boyens said. “We’re in the process of defining that prioritization. We’ve had an informal prioritization for a while. We want to formalize it now.”
  • Cyberscoop relates,
    • “A Russian national pleaded guilty to leading a ransomware conspiracy that targeted at least 50 victims during a four-year period ending in August 2022.
    • “Ianis Aleksandrovich Antropenko began participating in ransomware attacks before moving to the United States, but conducted many of his crimes while living in Florida and California, where he’s been out on bond enjoying rare leniency since his arrest in 2024.
    • “Antropenko pleaded guilty in the U.S. District Court for the Northern District of Texas earlier this month to conspiracy to commit money laundering and conspiracy to commit computer fraud and abuse. He faces up to 25 years in jail, fines up to $750,000 and is ordered to pay restitution to his victims and forfeit property.
    • “Federal prosecutors reached a plea agreement with Antropenko after a years-long investigation, closing one of the more unusual cases against a Russian ransomware operator who committed many of his crimes while living in the U.S.”
  • and
    • “Law enforcement agencies from multiple European countries are still pursuing leads on people involved in the Black Basta ransomware group, nearly a year after the group’s internal chat logs were leaked, exposing key details about its operations, and at least six months since the group claimed responsibility for new attacks.
    • “Officials in Ukraine and Germany said they raided the homes of two Russian nationals accused of participating in Black Basta’s crimes and effectively halted their operations. The pair of alleged criminals who were living in Ukraine were not named.
    • “German police publicly identified a third Russian national — Oleg Evgenievich Nefedov — as Black Basta’s alleged leader. Nefedov, a 35-year-old who was subsequently added to the most-wanted lists of Europol and Interpol, allegedly formed and ran Black Basta since 2022, authorities said.
    • “He is accused of extorting more than 100 companies in Germany and about 600 other countries globally. Nefedov’s current whereabouts are unknown, but he is believed to be living in Russia.”

From the cybersecurity vulnerabilities front,

  • Cyberscoop reports,
    • “A European cybersecurity organization has launched a decentralized system for identifying and numbering software security vulnerabilities, introducing a fundamental shift in how the global technology community could track and manage security flaws.
    • “The Global CVE Allocation System, or GCVE, will be maintained by The Computer Incident Response Center Luxembourg (CIRCL) as an alternative to the traditional Common Vulnerabilities and Exposures program, which narrowly avoided shutdown last April when the Cybersecurity and Infrastructure Security Agency initially failed to renew its contract with MITRE, the nonprofit that operates the CVE system. A last-minute extension averted immediate collapse, but the near-miss exposed the 25-year-old program’s dependence on a single funding source and triggered development of competing models.
    • “Unlike the traditional CVE system, which relies on a centralized structure for assigning vulnerability identifiers, GCVE introduces independent numbering authorities that can allocate identifiers without seeking blocks pre-allocated from a central body or adhering strictly to centrally enforced policies. Each approved numbering authority receives a unique numeric identifier that becomes part of the vulnerability identification format, allowing organizations to assign identifiers at their own pace and define their own internal policies for vulnerability identification.
    • “The system maintains backward compatibility with the existing CVE infrastructure through a technical accommodation. All existing and future standard CVE identifiers are represented within the GCVE system using the reserved numbering authority designation of zero. A vulnerability identified as CVE-2023-40224 in the traditional system can be represented as GCVE-0-2023-40224, allowing the new framework to coexist with established practices without disrupting existing databases and tools.”
  • Bleeping Computer adds,
    • “Days after admins began reporting that their fully patched firewalls are being hacked, Fortinet confirmed it’s working to fully address a critical FortiCloud SSO authentication bypass vulnerability that should have already been patched since early December.
    • “This comes after a wave of reports from Fortinet customers about threat actors exploiting a patch bypass for the CVE-2025-59718 vulnerability to compromise fully patched firewalls.
    • “Cybersecurity company Arctic Wolf said on Wednesday [January 21, 2026] that the campaign began on January 15, with attackers creating accounts with VPN access and stealing firewall configurations within seconds, in what appear to be automated attacks. It also added that the attacks are very similar to incidents it documented in December, following the disclosure of the CVE-2025-59718 critical vulnerability in Fortinet products.
    • “On Thursday, Fortinet finally confirmed these reports, stating that ongoing CVE-2025-59718 attacks match December’s malicious activity and that it’s now working to fully patch the flaw.”
  • Cybersecurity Dive lets us know,
    • “LastPass on Tuesday warned of a phishing campaign with false claims that the company is conducting maintenance and asking customers to back up their vaults in the next 24 hours, according to an alert released by the company.
    • LastPass said the campaign began on or about Monday, which was Martin Luther King Jr. Day, when many U.S. businesses were closed. The company emphasized the email is not a legitimate request and confirmed that customers are being targeted in a social engineering campaign.
    • “This campaign is designed to create a false sense of urgency, which is one of the most common and effective tactics we see in phishing attacks,” a spokesperson for LastPass said in a statement.
    • The spokesperson added that LastPass would never ask customers for their master passwords or demand action under a tight deadline.
  • and
    • “AI agents are involved in 40% of insider cybersecurity threats, according to a report by managed security service provider Akati Sekurity.
    • “Non-human identities outnumber humans 144 to one in the average business and constitute an attack surface IT teams, service providers and vendors are ill-equipped to defend, Akati CEO Krishna Rajagopal told Channel Dive.
    • “[Partners] are focused on making sure that the LLMs are secure and doing an assessment, looking at the security of the MCP server. But there is this little worm — literally the agentic agent — that can [go] rogue, and if that goes rogue, most MSPs and MSSPs currently do not have an answer for,” Rajagopal said.”
  • Dark Reading relates,
    • “A zero-day vulnerability affecting a range of Cisco’s unified communications products has been exploited by threat actors, though details of the activity are unclear.
    • “Cisco on Wednesday disclosed and patched CVE-2026-20045, a remote code execution (RCE) vulnerability in Cisco’s Unified Communications Manager (UCM) as well as other products. Cisco has 30 million users for UCM, which provides IP-based voice, video, conferencing, and collaboration for enterprises — so the potential impact could be vast.”
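The GCVE identifier format described in the Cyberscoop item above (GCVE-&lt;authority&gt;-&lt;year&gt;-&lt;sequence&gt;, with authority 0 reserved for traditional CVEs), as an added example that is not part of the original post and not CIRCL's own code: a small normalizer that parses both CVE and GCVE identifiers into one key so a vulnerability tracker can deduplicate feeds that mix the two and flag malformed entries. The regular expressions assume a non-negative integer authority id, a sequence number of at least four digits and case-insensitive matching; those details are assumptions, not taken from the page.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Identifier formats as described in the item above:
#   CVE-<year>-<sequence>                 traditional CVE identifier
#   GCVE-<authority>-<year>-<sequence>    GCVE identifier; authority 0 is reserved
#                                         for identifiers that come from the CVE program
# Assumptions (not stated on the page): the authority id is a non-negative
# integer, the sequence is at least four digits, matching is case-insensitive.
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$", re.IGNORECASE)
GCVE_RE = re.compile(r"^GCVE-(\d+)-(\d{4})-(\d{4,})$", re.IGNORECASE)


def parse_vuln_id(raw: str) -> Tuple[int, int, int]:
    """Parse a CVE or GCVE identifier into (authority, year, sequence).

    A plain CVE maps to authority 0, so 'CVE-2023-40224' and
    'GCVE-0-2023-40224' yield the same key. Raises ValueError when the
    string matches neither format.
    """
    s = raw.strip()
    m = CVE_RE.match(s)
    if m:
        return 0, int(m.group(1)), int(m.group(2))
    m = GCVE_RE.match(s)
    if m:
        return int(m.group(1)), int(m.group(2)), int(m.group(3))
    raise ValueError("not a CVE or GCVE identifier: %r" % raw)


def to_gcve(raw: str) -> str:
    """Canonical GCVE spelling of any accepted identifier."""
    authority, year, seq = parse_vuln_id(raw)
    return "GCVE-%d-%d-%04d" % (authority, year, seq)


def to_cve(raw: str) -> Optional[str]:
    """Traditional CVE spelling, or None when the identifier belongs to a
    non-zero authority and therefore has no CVE equivalent."""
    authority, year, seq = parse_vuln_id(raw)
    if authority != 0:
        return None
    return "CVE-%d-%04d" % (year, seq)


def dedupe_ids(ids: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Collapse a mixed list of CVE/GCVE strings to sorted canonical GCVE
    identifiers, dropping duplicates; malformed entries are returned
    separately so they can be reported instead of silently ignored."""
    seen = {}
    rejected = []
    for raw in ids:
        try:
            key = parse_vuln_id(raw)
        except ValueError:
            rejected.append(raw)
            continue
        seen.setdefault(key, to_gcve(raw))
    return sorted(seen.values()), rejected


if __name__ == "__main__":
    # Constructed sample feed: the page's own example in both spellings,
    # one identifier from a hypothetical authority 7, and one malformed entry.
    sample = ["CVE-2023-40224", "gcve-0-2023-40224", "GCVE-7-2025-0001", "CVE-23-1"]
    canonical, bad = dedupe_ids(sample)
    print("canonical:", canonical)
    print("rejected:", bad)
```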

From the ransomware front,

  • The Hacker News reports,
    • “Cybersecurity researchers have disclosed details of a new ransomware family called Osiris that targeted a major food service franchisee operator in Southeast Asia in November 2025.
    • “The attack leveraged a malicious driver called POORTRY as part of a known technique referred to as bring your own vulnerable driver (BYOVD) to disarm security software, the Symantec and Carbon Black Threat Hunter Team said.
    • “It’s worth noting that Osiris is assessed to be a brand-new ransomware strain, sharing no similarities with another variant of the same name that emerged in December 2016 as an iteration of the Locky ransomware. It’s currently not known who the developers of the locker are, or if it’s advertised as a ransomware-as-a-service (RaaS).
    • “However, the Broadcom-owned cybersecurity division said it identified clues that suggest the threat actors who deployed the ransomware may have been previously associated with INC ransomware (aka Warble).”
  • Bleeping Computer cautions,
    • “The ShinyHunters extortion gang claims it is behind a wave of ongoing voice phishing attacks targeting single sign-on (SSO) accounts at Okta, Microsoft, and Google, enabling threat actors to breach corporate SaaS platforms and steal company data for extortion.
    • “In these attacks, threat actors impersonate IT support and call employees, tricking them into entering their credentials and multi-factor authentication (MFA) codes on phishing sites that impersonate company login portals.
    • “Once compromised, the attackers gain access to the victim’s SSO account, which can provide access to other connected enterprise applications and services.”
  • Fox News tells us,
    • “Cybercriminals are happy to target almost any industry where data can be stolen. In many cases, less prepared and less security-focused companies are simply easier targets.
    • “A recent ransomware attack on a company tied to dozens of gas stations across Texas shows exactly how this plays out. The incident exposed highly sensitive personal data, including Social Security numbers and driver’s license details, belonging to hundreds of thousands of people.
    • “The breach went undetected for days, giving attackers ample time to move through internal systems and steal sensitive data. If you’ve ever paid at the pump or shopped inside one of these convenience stores, this is the kind of incident that should make you stop and pay attention.
    • “According to a disclosure filed with the Maine Attorney General’s Office, Gulshan Management Services, Inc. reported a cybersecurity incident that impacted more than 377,000 individuals. Gulshan is linked to Gulshan Enterprises, which operates around 150 Handi Plus and Handi Stop gas stations and convenience stores across Texas.”
  • The HIPAA Journal calls our attention to four recent attacks against healthcare providers — here and here.

From the cybersecurity defenses front,

  • Cybersecurity Dive shares “Five cybersecurity trends to watch in 2026. Corporations across the globe are facing a dynamic risk environment, as AI adoption surges with few guardrails, business resilience takes center stage and the insurance industry raises major concerns.”
    • AI governance and guardrails now front and center
    • Cybersecurity regulatory shifts shape disclosures
    • Cyber insurance enters new phase in pricing, coverage
    • CVE crisis resolved while patching challenges remain
    • Operational resilience becomes the new watchword for cyberattack readiness
  • and
    • “CISOs are slightly less confident than CEOs that AI will improve their company’s cyber defenses, according to a new report.
    • “Roughly 30% of CEOs think AI will help them with cybersecurity, while only 20% of CISOs said the same, Axis Capital said in its report.
    • “The survey also revealed transatlantic disagreement about the value of AI and the dangers of AI-fueled cyberattacks.”
  • ISACA shares “Post Quantum Cryptography: A 12 Month Playbook for Digital Trust Professionals.”
    • “The window for “harvest‑now, decrypt‑later” attacks is open, and the clock is ticking. With NIST’s first three post-quantum cryptography (PQC) standards now finalized (FIPS 203/204/205) and HQC selected in 2025 as an additional encryption option, audit, risk and security teams have the clarity they need to start moving with intent. This blog post distills the core ideas from our ISACA Journal article into a pragmatic, one-year plan you can run inside any enterprise.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • The Wall Street Journal reports,
    • “Federal lawmakers next week are expected to revive efforts to renew lapsed cybersecurity legislation aimed at fostering collaboration between Washington and private-sector companies in chasing down state-sponsored hackers.
    • “We’re making a hard push,” Rep. Andrew Garbarino, a New York Republican, said about extending the Cybersecurity Information Sharing Act, which provides liability and antitrust protections to companies sharing cyberattack intelligence with the federal government.
    • “Garbarino at a congressional hearing Tuesday said House and Senate lawmakers on both sides of the aisle are committed to fully reauthorizing the decade-old legislation, known as CISA, beyond a reprieve passed in November and set to expire at the end of January. Congress failed to approve a long-term extension before last year’s government shutdown in October.”
  • Cyberscoop tells us,
    • “President Donald Trump re-nominated Sean Plankey to lead the Cybersecurity and Infrastructure Security Agency on Tuesday, after Plankey’s bid for the position ended last year stuck in the Senate.
    • “It’s not clear whether or how Plankey’s resubmitted nomination will overcome the hurdles that left many observers convinced his chance of becoming CISA director had likely ended, but it does definitively signal that the Trump administration still wants Plankey to have the job.
    • “Plankey’s nomination was included in a batch sent to the Senate announced on Tuesday [January 13].”
  • Cybersecurity Dive informs us,
    • “In an attempt to help critical infrastructure operators protect themselves from hackers, the U.S. and six other countries have published security guidance for organizations that run operational technology, offering advice on everything from network segmentation to activity logging.
    • “Exposed and insecure OT connectivity is known to be targeted by both opportunistic and highly capable actors,” the authoring agencies — representing the U.S., Australia, Canada, Germany, the Netherlands, New Zealand and the United Kingdom — wrote in the document, “Secure connectivity principles for Operational Technology.”
    • “Improving OT cybersecurity, the agencies added, “can challenge attackers’ efforts and raise the threshold necessary to cause physical harm, environmental impact, and disruption.”
  • and
    • “The Department of Homeland Security is preparing to introduce a new system for holding sensitive discussions with critical infrastructure operators, replacing a framework that the Trump administration abruptly eliminated in its early days.
    • “The new program, currently dubbed Alliance of National Councils for Homeland Operational Resilience (ANCHOR), will streamline the process through which federal agencies and infrastructure providers meet to discuss cyber and physical security threats, according to multiple people familiar with the matter, who requested anonymity to speak freely.”
  • Cyberscoop relates,
    • “A 40-year-old Jordanian national pleaded guilty Thursday [January 15, 2026] to operating as an access broker, selling access to at least 50 victim company networks he broke into by exploiting two commercial firewall products in 2023, according to the Justice Department.
    • Feras Khalil Ahmad Albashiti, who lived in the Republic of Georgia at the time, sold an undercover FBI agent unauthorized access to the victim networks on a cybercrime forum under the moniker “r1z” in May 2023, authorities said in court records.
    • The undercover FBI agent continued communicating with Albashiti for the next five months, uncovering evidence of additional alleged crimes. He’s accused of selling malware that could turn off endpoint detection and response products from three different companies.
    • Albashiti proved the malware worked when, unbeknownst to him, the FBI observed him use the EDR-killing malware on an FBI server the agency granted him access to as part of its investigation.

From the cybersecurity breaches and vulnerabilities front,

  • Cybersecurity Dive reports,
    • “The healthcare sector experienced twice as many breaches in 2025 as it did in 2024, but the number of exposed patient records dropped precipitously, according to a new report from Fortified Health Security.
    • “Ransomware attacks and third-party risk are powering the surge in breaches, with many of those intrusions now threatening operations more than data privacy.
    • “The industry has shifted from major, headline events to a more taxing state of constant disruption,” Fortified said in its report.”
  • and
    • “Cybersecurity remained the top risk concern among corporate leaders for a fifth year in a row, but AI jumped into the number two position, according to a report released Wednesday from Allianz Commercial.
    • “AI rose sharply from the number 10 spot to the second biggest concern, indicating growing interest in how the technology might improve productivity, while also creating novel security challenges, according to the annual Allianz Risk Barometer.
    • “Companies increasingly see AI not only as a powerful strategic opportunity, but also as a complex source of operational, legal and reputational risk,” Allianz chief economist Ludovic Subran told Cybersecurity Dive. “In many cases, adoption is moving faster than governance, regulation and workforce readiness can keep up.”
  • CISA added two known exploited vulnerabilities to its catalog this week.
  • Dark Reading informs us,
    • Linux systems may soon be facing a new threat with an advanced, cloud-first malware framework developed by China-affiliated actors that’s aimed at establishing persistent access to cloud and container environments.
    • “Check Point Research discovered the framework, called VoidLink, which is comprised of cloud-focused capabilities and modules, including custom loaders, implants, rootkits, and modular plug-ins, according to a blog post published Tuesday [January 13]. Calling it an “impressive piece of software,” Check Point researchers said the framework is far more advanced than any current Linux-oriented malware.”
  • and
    • “The year has barely begun, but 2026 is already in familiar territory for Fortinet customers, as a new vulnerability has come under attack.
    • “On Jan. 13, Fortinet disclosed a critical flaw in its FortiSIEM platform, tracked as CVE-2025-64155 and assigned a 9.4 CVSS score. The OS command injection vulnerability allows an unauthenticated attacker to achieve remote code execution (RCE) on FortiSIEM instances through crafted TCP requests.
    • “Yesterday, cybersecurity vendor Defused warned in a post on X that CVE-2025-64155 had been exploited in the wild. Much of the threat activity observed by Defused’s honeypots came from different IP addresses, including three from Chinese providers.
    • “In a LinkedIn post, Simo Kohonen, Defused founder and CEO, said the company’s honeypots had received a “good amount” of targeted exploitation activity that began almost immediately after public disclosure. China-nexus threat groups have heavily targeted Fortinet, along with other edge device vendors, in recent years.”
  • Cyberscoop points out,
    • Predator spyware operators have the ability to recognize why an infection failed, and the tech has more sophisticated capabilities for averting detection than previously known, according to research published Wednesday [January 14].
    • Jamf Threat Labs found from an analysis of a Predator sample that it has an error code system that can alert operators to why an implant didn’t stick, with “error code 304” signifying that a target was running security or analysis tools.
    • “This error code system transforms failed deployments from black boxes into diagnostic events,” Shen Yuan and Nir Avraham wrote for the company. “When an operator deploys Predator against a target and receives error code 304, they know the target is running security tools — not that the exploit failed, not that the device is incompatible, but specifically that active analysis is occurring.
    • “This has direct implications for targeted individuals: if security analysis tools like Frida are running, Predator will abort deployment and report error code 304 to operators, who can then troubleshoot why their deployment failed,” they continued.
  • Bleeping Computer notes,
    • Security researchers have discovered a critical vulnerability in Google’s Fast Pair protocol that can allow attackers to hijack Bluetooth audio accessories, track users, and eavesdrop on their conversations.
    • The flaw (tracked as CVE-2025-36911 and dubbed WhisperPair) affects hundreds of millions of wireless headphones, earbuds, and speakers from multiple manufacturers that support Google’s Fast Pair feature. It affects users regardless of their smartphone operating system because the flaw lies in the accessories themselves, meaning that iPhone users with vulnerable Bluetooth devices are equally at risk.
    • Researchers with KU Leuven’s Computer Security and Industrial Cryptography group who discovered it explain that the vulnerability stems from the improper implementation of the Fast Pair protocol in many flagship audio accessories.
  • Per SC Media,
    • “A vulnerability in the AI-powered Cursor integrated development environment (IDE) could have enabled an attacker to conduct stealthy remote code execution (RCE) attacks via indirect prompt injection, Pillar Security reported Wednesday.
    • “The flaw, tracked as CVE-2026-22708, arose from implicit trust in certain shell built-ins including “export” and “typeset,” which would allow them to be executed without any notification of or approval from the user, even when the user’s allowlist was empty.”

From the ransomware front,

  • The HIPAA Journal reports,
    • “The threat from ransomware is greater than ever, according to a new report from GuidePoint Security. The cybersecurity firm recorded a 58% year-over-year increase in victims, making 2025 the most active year ever reported by GuidePoint Security. In 2025, GuidePoint Security tracked 2,287 unique victims in Q4, 2025 alone – the largest number of victims in any quarter tracked by the GuidePoint Research and Intelligence Team (GRIT). December was the most active month in terms of claimed victims, which increased 42% year-over-year to 814 attacks. On average, 145 new victims were added to dark web data leak sites every week in 2025, with the year ending with 7,515 claimed victims.
    • “Law enforcement operations have targeted the most active groups, and there have been notable successes; however, they have had little effect on the number of victims, which continues to increase. Rather than the ransomware-as-a-service (RaaS) landscape being dominated by one or two major actors, law enforcement operations have helped create a highly fragmented ecosystem, with smaller groups conducting attacks in high volume, using repeatable operations. In 2025, GRIT tracked 124 distinct named ransomware groups – a 46% increase from 2024 and the highest number of groups ever recorded in a single year.
    • “While ransomware attacks are conducted globally, as in previous years, ransomware actors are primarily focused on the United States, where 55% of attacks were conducted last year, followed by Canada, which accounted for 4.5% of attacks. The manufacturing sector was the most heavily targeted, accounting for 14% of attacks, followed by the technology sector (9%), and retail/wholesale (7%). Healthcare ranked in fourth spot, with more than 500 victims in 2025.”
  • Symantec adds,
    • “The cyber-extortion epidemic reached new heights in 2025, with a record number of attacks recorded. As outlined in our new whitepaper, this increase is being powered by a new breed of attackers who eschew encryption and rely solely on data theft as leverage for extortion. By using zero-day vulnerabilities or exploiting weaknesses in the software supply chain, attackers can steal data from even the best-defended organizations before they become aware of the issue.
    • Meanwhile, there has also been no decline in the number of attacks involving encryption. This is despite significant levels of disruption among key players, such as the collapse of LockBit in late 2024 and the closure of RansomHub in April 2025. Instead, other ransomware operators such as Akira, Qilin, Safepay and DragonForce expanded rapidly in the wake of those departures, quickly winning over affiliate attackers who previously worked with the departing actors.
  • The Register calls our attention to
    • “Researchers at Group-IB say the DeadLock ransomware operation is using blockchain-based anti-detection methods to evade defenders’ attempts to analyze their tradecraft.
    • “First spotted in July 2025, the DeadLock group has attacked a wide range of organizations while almost managing to stay under the radar.
    • “It abandons the usual double extortion approach in which cybercrooks steal data, encrypt systems, and threaten to post it online for all to see if the victim refuses to pay a ransom.” * * *
    • “But for the researchers at Group-IB, the old-school encryption-only model is not the most notable aspect of the DeadLock operation. Its use of Polygon smart contracts to obscure its command-and-control (C2) infrastructure is an unusual move that’s slowly gaining popularity.
    • “Once a victim’s systems are encrypted, DeadLock drops an HTML file that acts as a wrapper for the decentralized messenger Session. This file replaces an instruction for the victim to download Session to communicate with DeadLock.
    • “By using blockchain-based smart contracts to store the group’s proxy server URL – the one victims connect to before communicating with the criminals – it allows DeadLock to rotate this address frequently, making it difficult for defenders to permanently block its infrastructure.”

From the cybersecurity business and defenses front,

  • Dark Reading reports,
    • “CrowdStrike continues its shopping spree, announcing plans to acquire browser security startup Seraphic Security. The acquisition will bring browser telemetry to the endpoint detection company’s flagship Falcon security platform.
    • “Seraphic Security’s platform, which includes a secure Web gateway, zero-trust network access, and cloud access security browser, provides protection and detection capabilities to browsers. Enterprises can use the platform to provide their users with secure access to software-as-a-service and private Web applications. Security teams get a consistent secure browser experience across both managed and personal devices without the complexity or cost of deploying virtual desktop infrastructure or a virtual private network.” * * *
    • “CrowdStrike plans to combine Seraphic’s “continuous in-session browser protection” with the identity protection and authorization capabilities from SGNL (announced last week) and Falcon’s existing endpoint telemetry and threat intelligence, according to the release announcing the acquisition. The combination will provide next-generation identity security that protects every interaction across endpoints, browser sessions, and the cloud, the company said.”
  • Bleeping Computer relates,
    • “Microsoft announced on Wednesday [January 14] that it disrupted RedVDS, a massive cybercrime platform linked to at least $40 million in reported losses in the United States alone since March 2025.
    • “Microsoft filed civil lawsuits in the United States and the United Kingdom, seizing malicious infrastructure and taking RedVDS’s marketplace and customer portal offline as part of a broader international operation with Europol and German authorities.
    • “Two co-plaintiffs joined Microsoft in this action: H2-Pharma, an Alabama pharmaceutical company that lost $7.3 million in a business email compromise scheme, and the Gatehouse Dock Condominium Association in Florida, which lost nearly $500,000 in resident funds.”
  • Federal News Network tells us,
    • “As the Defense Department moves to meet its 2027 deadline for completing a zero trust strategy, it’s critical that the military can ingest data from disparate sources while also being able to observe and secure systems that span all layers of data operations.
    • “Gone are the days of secure moats. Interconnected cloud, edge, hybrid and services-based architectures have created new levels of complexity — and more avenues for bad actors to introduce threats.
    • “The ultimate vision of zero trust can’t be accomplished through one-off integrations between systems or layers. For critical cybersecurity operations to succeed, zero trust must be based on fast, well-informed risk scoring and decision making that consider a myriad of indicators that are continually flowing from all pillars.
    • “Short of rewriting every application, protocol and API schema to support new zero trust communication specifications, agencies must look to the one commonality across the pillars: They all produce data in the form of logs, metrics, traces and alerts. When brought together into an actionable speed layer, the data flowing from and between each pillar can become the basis for making better-informed zero trust decisions.”
  • Security Week notes,
    • “Tracked as CVE-2025-20393 (CVSS score of 10/10), the security defect was disclosed on December 17, one week after Cisco’s Talos researchers observed its in-the-wild exploitation as a zero-day.
    • “This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance,” Cisco said at the time.
    • “The company said the attacks targeted only a small set of appliances, and attributed the campaign to UAT-9686, a China-linked APT.
    • “On Thursday, Cisco updated its advisory to provide information on the flaw, the affected products, and the available patches.
    • “The flaw affects the Spam Quarantine feature of the AsyncOS software running on Secure Email Gateway and Cisco Secure Email and Web Manager, and exists due to insufficient validation of HTTP requests.”
  • SC Media considers,
    • “The concerning cyber-physical security disconnect”
  • and
    • “Five questions to ask about email whitelists.”
  • Here’s a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy front,

  • The Record reports,
    • “The National Security Agency has a new leadership roster for its cybersecurity directorate as the agency waits for its first Senate-confirmed chief in more than nine months.
    • “David Imbordino, a NSA senior executive who is currently serving as the directorate’s deputy chief, will take the reins in an acting capacity at the end of the month, according to three people familiar with the matter.
    • “Holly Baroody, a senior official at the agency in the United Kingdom, will return as planned from her assignment this summer to be the directorate’s acting No. 2, according to these people. All were granted anonymity to speak candidly about personnel matters.”
  • The HHS Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules, posted its January 2026 Cybersecurity Newsletter. The Newsletter concerns system hardening.
    • “System hardening and security baselines can be an effective means to enhance security, and for regulated entities to protect ePHI. However, defining, creating, and applying system hardening techniques is not a one-and-done exercise. Evaluating the ongoing effectiveness of implemented security measures is important to ensure such measures remain effective over time. As new threats and vulnerabilities evolve and are discovered, and attackers vary and improve their tactics, techniques, and procedures, regulated entities need to remain vigilant to ensure that their implemented security solutions remain effective. Indeed, for regulated entities, the periodic review and modification, as needed, of security measures implemented under the HIPAA Security Rule is a requirement to maintain protection of ePHI.”
  • Cybersecurity Dive informs us,
    • “The National Institute of Standards and Technology is asking the public for suggested approaches to managing the security risks of AI agents.
    • “In a Federal Register notice set for publication on Thursday, NIST’s Center for AI Standards and Innovation (CAISI) solicited “information and insights from stakeholders on practices and methodologies for measuring and improving the secure development and deployment of artificial intelligence (AI) agent systems.”
    • “The public engagement reflects persistent concerns about security weaknesses in increasingly ubiquitous AI agents. Many companies have adopted these agents without fully understanding or developing plans to mitigate their flaws, inadvertently creating new avenues for hackers to penetrate their computer networks. The wide latitude given to poorly secured AI agents could be especially dangerous in critical infrastructure networks, which sometimes control industrial machinery that is essential to health and safety.
    • “If left unchecked, these security risks may impact public safety, undermine consumer confidence, and curb adoption of the latest AI innovations,” NIST said in its solicitation.”
  • Here is a link to a related NIST blog post.
  • Security Week tells us,
    • “The US cybersecurity agency CISA on Thursday announced closing 10 Emergency Directives issued between 2019 and 2024.
    • “The retired directives, CISA says, have achieved their mission to mitigate urgent and imminent risks to federal agencies.
    • “Since their issuance, CISA has partnered closely with federal agencies to drive remediation, embed best practices and overcome systemic challenges – establishing a stronger, more resilient digital infrastructure for a more secure America,” the agency notes.” * * *
    • “All targeted vulnerabilities are now in CISA’s Known Exploited Vulnerabilities (KEV) catalog and the required actions are defined in Binding Operational Directive (BOD) 22-01, which mandates that federal agencies resolve flaws added to KEV within weeks.
    • “The closure of these ten Emergency Directives reflects CISA’s commitment to operational collaboration across the federal enterprise. Looking ahead, CISA continues to advance Secure by Design principles – prioritizing transparency, configurability, and interoperability - so every organization can better defend their diverse environments,” CISA Acting Director Madhu Gottumukkala said.”
  • Cybersecurity Dive describes CISA’s seven biggest challenges for 2026.

From the cybersecurity vulnerabilities front,

  • A Dark Reading commentator makes,
    • “Cybersecurity Predictions 2026: An AI Arms Race and Malware Autonomy
    • “The year ahead will see an intensified AI-driven cybersecurity arms race, with attackers leveraging autonomous malware and advanced AI technologies to outpace defenders, while security teams adopt increasingly sophisticated AI tools to combat evolving threats amidst growing vendor consolidation and platformization in the industry.”
  • CISA added two known exploited vulnerabilities to its catalog this week.
  • Cyberscoop reports,
    • “Researchers warn that a critical vulnerability in n8n, an automation platform that allows organizations to integrate AI agents, workflows and hundreds of other enterprise services, could be exploited by attackers to achieve full control of targeted networks.
    • “The maximum-severity vulnerability — CVE-2026-21858 — affects about 100,000 servers globally, according to Cyera, which initially discovered and reported the defect to n8n on Nov. 9. Developers responsible for the widely used platform released a patch for the vulnerability on Nov. 18, but didn’t publicly disclose or assign the vulnerability a CVE until Wednesday.
    • “The risk is massive,” Dor Attias, security researcher at Cyera Research Labs, told CyberScoop. “n8n sits at the heart of enterprise automation infrastructure. Gaining control of n8n means gaining access to your secrets, customer data, CI/CD pipelines and more.”
    • “Researchers haven’t observed active exploitation of the vulnerability, but Cyera published a working proof of concept, which typically triggers a race for defenders to patch a defect before in-the-wild exploitation occurs.”
  • The American Hospital Association News notes,
    • “The FBI Jan. 8 released an alert on evolving threat tactics by Kimsuky, a North Korean state-sponsored cyber threat group. As of last year, the group has targeted research organizations, academic institutions, and U.S. and foreign government entities by embedding malicious QR codes in spear-phishing campaigns, referred to as “quishing.” The technique forces victims to use a mobile device to view the QR code, which could be received as an image, email attachment or embedded graphic that evades URL inspection. After scanning the malicious code, victims are routed through attacker-controlled redirectors that collect device and identity information for harvesting and use in additional malicious actions.
    • “Although it appears that Kimsuky threat actors are not targeting health care directly, this serves as a reminder that social engineering, email and text-based ‘quishing’ attacks from other hacking groups are increasingly targeting health care due to its effectiveness and ability to evade common cybersecurity defensive measures,” said John Riggi, AHA national advisor for cybersecurity and risk. “As we see an increase in the use of malicious QR code attacks, staff should be provided education on the dangers of scanning unsolicited QR codes at work, home and on their mobile devices.”
  • CSO cautions,
    • “Threat actors are abusing misconfigured MX records and weak DMARC/SPF policies to make phishing emails look internal, bypassing filters and increasing credential theft risk.
    • “Microsoft’s Threat Intelligence team has disclosed that threat actors are increasingly exploiting complex email routing and misconfigured domain spoof protection to make phishing messages appear as if they were sent from inside the organizations they’re targeting.
    • “These campaigns are relying on configuration gaps, specifically scenarios where mail exchanger (MX) DNS records don’t point directly to Microsoft 365 and where Domain-based Message Authentication, Reporting & Conformance (DMARC) and Sender Policy Framework (SPF) policies are permissive or misconfigured.
    • “Threat actors have leveraged this vector to deliver a wide variety of phishing messages related to various phishing-as-a-service (PhaaS) platforms such as Tycoon 2FA,” Microsoft said in a security blog post.
    • “The blog noted that while the attack vector isn’t brand new, the exploitation has picked up significantly since mid-2025, delivering phishing lures ranging from password resets to shared documents.”
  • Cybersecurity Dive points out,
    • “The new year will bring more dangerous AI-powered cyberattacks and growing obstacles to regulatory harmonization, Moody’s said in a 2026 outlook report published on Thursday.
    • “The report also forecasts increased cryptocurrency thefts through cyberattacks on both transaction and storage platforms.
    • “Moody’s said recent cloud computing outages resulting from accidents highlighted “the potential for catastrophic impact if exploited by attackers.”
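The CSO item above describes three settings a defender can audit directly: an MX record that routes mail through a third party before Microsoft 365, a DMARC policy that only reports, and an SPF record that ends permissively. The script below is an added example, not Microsoft's or CSO's code; the Microsoft 365 MX suffix is real, while the domain names and DNS records it audits are constructed.

```python
# Offline audit for the weaknesses the CSO item describes: MX not pointing directly
# at Microsoft 365, permissive DMARC and permissive SPF. Records below are constructed.
from __future__ import annotations
from dataclasses import dataclass

# Real suffix of Microsoft 365 inbound MX hosts (e.g. contoso-com.mail.protection.outlook.com)
M365_MX_SUFFIX = ".mail.protection.outlook.com"
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    message: str


def parse_tags(record: str) -> dict[str, str]:
    """Parse a 'tag=value; tag=value' list as used by DMARC TXT records."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: str | None) -> list[Finding]:
    """Flag DMARC settings that let a spoofed 'internal' message through unenforced."""
    if not record:
        return [Finding("high", "no DMARC record: failing mail is neither quarantined nor rejected")]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("high", "malformed DMARC record (missing v=DMARC1)")]
    findings: list[Finding] = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append(Finding("high", "p=none: authentication failures are reported but never enforced"))
    elif policy == "quarantine":
        findings.append(Finding("medium", "p=quarantine: move to p=reject once reports look clean"))
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(Finding("medium", f"pct={pct}: policy applied to only {pct}% of failing mail"))
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append(Finding("medium", "sp=none: subdomains are left unprotected"))
    if "rua" not in tags:
        findings.append(Finding("low", "no rua= address: aggregate reports that would reveal abuse are not collected"))
    return findings


def audit_spf(record: str | None) -> list[Finding]:
    """Flag SPF records whose 'all' qualifier lets arbitrary hosts send as the domain."""
    if not record:
        return [Finding("high", "no SPF record")]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("high", "malformed SPF record (missing v=spf1)")]
    findings: list[Finding] = []
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append(Finding("medium", "no 'all' term: unlisted senders get a neutral result"))
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append(Finding("high", "+all: any host on the internet may send as this domain"))
        elif qualifier == "?":
            findings.append(Finding("high", "?all: neutral result, effectively no SPF protection"))
        elif qualifier == "~":
            findings.append(Finding("low", "~all: softfail only; rely on DMARC enforcement alongside it"))
    lookups = 0
    for term in terms[1:]:
        name = term.lstrip("+-~?").lower().split(":")[0].split("=")[0]
        if name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > 10:
        findings.append(Finding("high", f"{lookups} DNS-lookup mechanisms exceed the limit of 10: SPF yields permerror"))
    return findings


def audit_mx(mx_hosts: list[str]) -> list[Finding]:
    """Flag domains whose MX routes inbound mail through a third party before Microsoft 365."""
    direct = [h for h in mx_hosts if h.lower().rstrip(".").endswith(M365_MX_SUFFIX)]
    if mx_hosts and not direct:
        return [Finding("medium", "MX does not point at Microsoft 365: Exchange Online sees the relay's IP, "
                                  "not the original sender's, so SPF is evaluated against the relay")]
    return []


def audit_domain(mx_hosts: list[str], spf: str | None, dmarc: str | None) -> list[Finding]:
    return audit_mx(mx_hosts) + audit_spf(spf) + audit_dmarc(dmarc)


# Constructed records for a weak and a hardened tenant (domain names are placeholders).
WEAK = dict(mx_hosts=["mail.thirdparty-gateway.example."],
            spf="v=spf1 include:spf.protection.outlook.com ?all",
            dmarc="v=DMARC1; p=none; pct=50")
HARDENED = dict(mx_hosts=["contoso-com.mail.protection.outlook.com."],
                spf="v=spf1 include:spf.protection.outlook.com -all",
                dmarc="v=DMARC1; p=reject; rua=mailto:dmarc-reports@contoso.example")

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {label} ==", *[f"[{f.severity}] {f.message}" for f in audit_domain(**records)], sep="\n")
```

Feed it the live TXT and MX answers for your own domains (from `dig` or `Resolve-DnsName`) to turn it into a recurring check rather than a one-off.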

From the ransomware front,

  • Security Affairs reports that “Sedgwick confirmed a cyber incident at its federal contractor unit after TridentLocker claimed to steal 3.4GB of data.”
  • Cybersecurity Dive adds,
    • “The volume of ransomware attacks on telecommunications companies around the world increased fourfold from 2022 to 2025, according to a report that the threat intelligence firm Cyble published this week.
    • “Cyble also identified 444 incidents involving data theft from telecom firms, including 133 listings of stolen databases that could contain sensitive customer data or operational information.
    • “Businesses in multiple industries closely track the security posture of the telecom sector because of their need for secure and resilient communications.”
  • Emsisoft discusses the state of ransomware in the United States during 2025.
  • TechTarget examines ransomware trends, statistics and facts in 2026.

From the cybersecurity business and defenses front,

  • Cyberscoop reports,
    • “CrowdStrike is buying identity management startup SGNL, a move that underscores how identity security has become a central battleground in enterprise cybersecurity as companies add cloud services and deploy AI-driven tools.
    • “The cybersecurity firm did not disclose financial terms in a Thursday announcement, but CrowdStrike CEO George Kurtz told CNBC the deal is valued at nearly $740 million.
    • “The acquisition targets a growing problem for large organizations: Access is no longer limited to employees logging into a handful of internal systems. Modern environments include contractors, automated scripts, cloud workloads and an expanding set of non-human identities, such as service accounts and machine credentials. More recently, companies have begun experimenting with AI agents that can take actions across multiple systems, sometimes with broad privileges.”
  • Cybersecurity Dive relates,
    • “AI promises to exponentially improve innovation and efficiency for businesses of all kinds, but it’s also ushering in a new age of cyberthreats.
    • “Nearly 9 in 10 CISOs say AI-driven attacks represent a major risk for their organizations, according to a study from Trellix.
    • “While the trend represents a security problem, it’s on the minds of CIOs too, as they “play a very important role as we think about AI attacks,” said Allie Mellen, principal analyst at Forrester. “Many of the changes that security recommends, we take to improve and defend the infrastructure we have.”
    • “As risks mount, CIOs from different sectors are preparing to help their businesses secure critical data in the age of AI-driven attacks.”
  • Here’s a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

Happy New Year!

From the cybersecurity policy and law enforcement front,

  • Federal News Network points out five things to watch in cybersecurity policy at the federal level during 2026.
    • “New national cyber strategy”
    • “AI and cyber”
    • “CISA 2015 reauthorization”
    • “CIRCIA rule” and
    • “Cyber leader gaps”
  • Security Week reports,
    • “Two cybersecurity professionals from the United States have pleaded guilty to charges related to their role in BlackCat/Alphv ransomware attacks, the Justice Department announced this week [December 30].
    • “Three individuals were charged in October for allegedly conducting ransomware attacks against several US-based companies. Two of the suspects, 36-year-old Kevin Martin from Texas and an unnamed individual, were employed as ransomware negotiators at threat intelligence and incident response firm DigitalMint.
    • “The third suspect, 40-year-old Ryan Goldberg from Georgia, worked as an incident response manager at cybersecurity company Sygnia.
    • “The three are accused of hacking into the systems of several companies, stealing valuable information, and deploying BlackCat ransomware.
    • “Based on the Justice Department’s description of the scheme, the suspects were BlackCat ransomware affiliates, paying 20% of the ransoms they received from victims to the administrators of the ransomware operation in exchange for access to the file-encrypting malware and a platform designed for managing extortions.”

From the cybersecurity breaches and vulnerabilities front,

  • Bleeping Computer points out the 15 biggest cybersecurity and cyber attack stories of 2025.
  • Security Week adds,
    • “Insurance giant Aflac is notifying roughly 22.65 million people that their personal information was stolen from its systems in June 2025.
    • “The company disclosed the intrusion on June 20, saying it had identified suspicious activity on its network in the US on June 12 and blaming it on a sophisticated cybercrime group.
    • “The company said it immediately contained the attack and engaged with third-party cybersecurity experts to help with incident response. Aflac’s operations were not affected, as file-encrypting ransomware was not deployed.
    • “Just before Christmas, the Columbus, Georgia-based company announced it had completed its investigation into the potentially compromised data and had started notifying the affected individuals.
    • “Based on our review of potentially impacted files, we have determined personal information associated with approximately 22.65 million individuals was involved,” the company said.
    • “The compromised information, the insurance giant says, includes names, addresses, Social Security numbers, dates of birth, driver’s license numbers, government ID numbers, medical and health insurance information, and other data.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) added one known exploited vulnerability to its catalog this week.
  • Bleeping Computer informs us,
    • “IBM urged customers to patch a critical authentication bypass vulnerability in its API Connect enterprise platform that could allow attackers to access apps remotely.
    • “API Connect is an application programming interface (API) gateway that enables organizations to develop, test, and manage APIs and provide controlled access to internal services for applications, business partners, and external developers.
    • “Available in on-premises, cloud, or hybrid deployments, API Connect is used by hundreds of companies in banking, healthcare, retail, and telecommunications sectors.
    • “Tracked as CVE-2025-13915 and rated 9.8/10 in severity, this authentication bypass security flaw affects IBM API Connect versions 10.0.11.0 and 10.0.8.0 through 10.0.8.5.
    • “Successful exploitation enables unauthenticated threat actors to remotely access exposed applications by circumventing authentication in low-complexity attacks that don’t require user interaction.”
  • and
    • “Over 10,000 Fortinet firewalls are still exposed online and vulnerable to ongoing attacks exploiting a five-year-old critical two-factor authentication (2FA) bypass vulnerability.
    • “Fortinet released FortiOS versions 6.4.1, 6.2.4, and 6.0.10 in July 2020 to address this flaw (tracked as CVE-2020-12812) and advised admins who couldn’t immediately patch to turn off username-case-sensitivity to block 2FA bypass attempts targeting their devices.
    • “This improper authentication security flaw (rated 9.8/10 in severity) was found in FortiGate SSL VPN and allows attackers to log in to unpatched firewalls without being prompted for the second factor of authentication (FortiToken) when the username’s case is changed.
    • “Last week, Fortinet warned customers that attackers are still exploiting CVE-2020-12812, targeting firewalls with vulnerable configurations that require LDAP (Lightweight Directory Access Protocol) to be enabled.
    • “Fortinet has observed recent abuse of the July 2020 vulnerability FG-IR-19-283 / CVE-2020-12812 in the wild based on specific configurations,” the company said.”
  • and
    • “Trust Wallet believes the compromise of its web browser to steal roughly $8.5 million from over 2,500 crypto wallets is likely related to an “industry-wide” Shai-Hulud attack in November.
    • “Trust Wallet, a crypto wallet used by over 200 million people, enables users to store, send, and receive Bitcoin, Ethereum, Solana, and thousands of other cryptocurrencies and digital tokens via a web browser extension and free mobile apps.
    • “As BleepingComputer previously reported, this December 24th incident resulted in the theft of millions of dollars in cryptocurrency from the compromised wallets of Trust Wallet users.
    • “This happened after attackers added a malicious JavaScript file to version 2.68.0 of Trust Wallet’s Chrome extension, which stole sensitive wallet data and enabled threat actors to execute unauthorized transactions.
    • “Our Developer GitHub secrets were exposed in the attack, which gave the attacker access to our browser extension source code and the Chrome Web Store (CWS) API key,” the company said in a Tuesday [December 30] update.
  • and
    • “A fourth wave of the “GlassWorm” campaign is targeting macOS developers with malicious VSCode/OpenVSX extensions that deliver trojanized versions of crypto wallet applications.
    • “Extensions in the OpenVSX registry and the Microsoft Visual Studio Marketplace expand the capabilities of a VS Code-compatible editor by adding features and productivity enhancements in the form of development tools, language support, or themes.
    • “The Microsoft marketplace is the official extension store for Visual Studio Code, whereas OpenVSX serves as an open, vendor-neutral alternative, primarily used by editors that do not support or choose not to rely on Microsoft’s proprietary marketplace.
    • “The GlassWorm malware first appeared on the marketplaces in October, hidden inside malicious extensions using “invisible” Unicode characters.
    • “Once installed, the malware attempted to steal credentials for GitHub, npm, and OpenVSX accounts, as well as cryptocurrency wallet data from multiple extensions. Additionally, it supported remote access through VNC and can route traffic through the victim’s machine via a SOCKS proxy.
    • “Despite the public exposure and increased defenses, GlassWorm returned in early November on OpenVSX and then again in early December on VSCode.”
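The GlassWorm item above turns on extensions hiding code behind “invisible” Unicode characters. Below is an added detection example, not Koi Security’s, Microsoft’s or the Open VSX project’s tooling: it scans source text for runs of code points that leave no glyph and reports where they sit. The list of ranges is a defender’s starting set rather than the campaign’s exact character choice, and the JavaScript samples are constructed.

```python
# Scan source text for runs of invisible Unicode code points of the kind used to hide
# code inside extension files. Added example; the sample modules below are constructed.
from __future__ import annotations
import unicodedata
from dataclasses import dataclass

# Code points that render as nothing but fall outside Unicode's Cf (format) category.
EXTRA_INVISIBLE = [
    (0xFE00, 0xFE0F),    # variation selectors 1-16
    (0xE0100, 0xE01EF),  # variation selectors supplement
    (0x115F, 0x1160),    # Hangul choseong / jungseong fillers
    (0x3164, 0x3164),    # Hangul filler
    (0xFFA0, 0xFFA0),    # halfwidth Hangul filler
]


def is_invisible(ch: str) -> bool:
    """True for zero-width, bidi-control, tag and filler characters that leave no glyph."""
    if unicodedata.category(ch) == "Cf":  # ZWSP, ZWJ, BOM, bidi overrides, tag characters ...
        return True
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in EXTRA_INVISIBLE)


@dataclass
class Run:
    line: int    # 1-based line number
    col: int     # 1-based column of the first invisible character
    length: int  # number of consecutive invisible characters
    first: str   # e.g. "U+FE00 VARIATION SELECTOR-1"


def scan_source(text: str) -> list[Run]:
    """Return every run of consecutive invisible code points with its location."""
    runs: list[Run] = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        col = 0
        while col < len(line):
            if not is_invisible(line[col]):
                col += 1
                continue
            start = col
            while col < len(line) and is_invisible(line[col]):
                col += 1
            ch = line[start]
            runs.append(Run(line_no, start + 1, col - start,
                            f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}"))
    return runs


def assess(text: str, run_threshold: int = 8) -> dict:
    """Summarise a file. A lone ZWJ inside an emoji sequence is a run of 1 and is
    harmless; a long run of selectors or tag characters has no honest use in code."""
    runs = scan_source(text)
    longest = max((r.length for r in runs), default=0)
    return {"runs": len(runs), "longest_run": longest, "suspicious": longest >= run_threshold}


# Constructed samples: a clean module and one carrying a 40-character hidden run in a comment.
CLEAN_JS = "const ok = true;\nmodule.exports = ok;\n"
PAYLOAD = "".join(chr(0xFE00 + (i % 16)) for i in range(40))
HIDDEN_JS = "const ok = true;\n// helper " + PAYLOAD + "\nmodule.exports = ok;\n"

if __name__ == "__main__":
    for name, src in (("clean", CLEAN_JS), ("hidden", HIDDEN_JS)):
        print(name, assess(src))
        for run in scan_source(src):
            print(f"  line {run.line} col {run.col}: {run.length} x {run.first}")
```

Run over the unpacked contents of an extension package before it is allowed into a developer image; a file that trips the threshold is worth a manual look even when it otherwise behaves normally.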

From the ransomware front,

  • Cybersecurity Insiders recounts the top ransomware attacks of 2025.
  • SC Media tells us,
    • “HackRead reports that U.S. automaker Chrysler had over 1 TB of data, including more than 105 GB of Salesforce-related information, claimed to have been exfiltrated by the Everest ransomware gang.
    • “Allegedly included in the stolen data trove spanning between 2021 and 2025 were personal and operational records from customers, internal agents, and dealers, with screenshots revealing internal spreadsheets, structured databases, CRM exports, and directory trees, as well as customer interaction logs with names, physical and email addresses, phone numbers, vehicle details, recall case notes, and call outcomes.” * * *
    • “Everest has warned that it would release not only the entire dataset but also customer service-related audio recordings purportedly stolen from Chrysler should it refuse to fulfill its demands.”
  • Morphisec points out,
    • “In Morphisec’s recent CTO Briefing: The State of Ransomware, CTO Michael Gorelik highlighted one of the most significant and troubling shifts in the ransomware landscape: many ransomware attacks no longer involve encryption at all.
    • “Instead, attackers quietly steal sensitive data—sometimes over weeks or months—and then extort victims long after the breach. This “ransomware without encryption” model is growing rapidly because it carries lower risk for attackers, is harder for defenders to detect, and is nearly impossible for victims to investigate once logs have aged out.”

From the cybersecurity defenses front,

  • Dark Reading calls attention to
    • “Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats. Cybersecurity experts discuss 2026 predictions, highlighting the rise of AI-driven threats, the shift to resilience over prevention, and the urgent need for advanced security measures to combat evolving risks”
  • and
    • “5 Threats That Defined Security in 2025. 2025 included a number of monumental threats, from global nation-state attacks to a critical vulnerability under widespread exploitation.”
      • “Salt Typhoon continues its onslaught”
      • “CISA sees big layoffs and budget cuts”
      • “React2Shell carries echoes of Log4Shell.”
      • “Shai-Hulud opens floodgates on self-propagating Open Source Malware.” and
      • “Threat Campaigns Target Salesforce Customers.”
  • and
    • “The Ivanti Endpoint Manager Mobile (EPMM) zero-day attacks, which began last spring and lasted well into the summer as attackers took advantage of patching lag, were one of the top cyber-stories of 2025, sending thousands of victims to the depths of the data exfiltration sea. A recent deep-dive into the wreckage of those attacks highlights the risk inherent in buggy endpoint management systems — a concern that needs to be a higher priority than it typically is, one researcher argues.”
  • SC Media notes,
    • “A whopping 99% of security leaders plan to increase their cybersecurity budgets over the next two to three years, signaling that cybersecurity has become a critical business imperative, according to a KPMG Cybersecurity Survey released earlier this month.
    • “KPMG’s survey, which polled more than 300 C-suite and senior security leaders, found that the projected spending increases come at a time when 83% of organizations report a rise in cyberattacks, which include everything from phishing and ransomware to more advanced AI-powered social-engineering schemes.
    • “The data doesn’t just point to steady growth, it signals a potential boom,” said Michael Isensee, cybersecurity and tech risk leader, KPMG LLP. “We’re seeing a major market pivot where cybersecurity is now a fundamental driver of business strategy.
    • “Leaders are moving beyond reactive defense and are actively investing to build a security posture that can withstand future shocks, especially from AI and other emerging technologies,” continued Isensee. “This isn’t just about spending more, it’s about strategic investment in resilience.”
  • Security Affairs warns,
    • “Your next breach probably won’t start inside your network—it will start with someone you trust. Every supplier, contractor, and service provider needs access to your systems to keep business running, yet each login is a potential doorway for attackers. Access management is meant to control the risks of granting that access, but weak controls and poor hygiene remain the norm. The Thales Digital Trust Index report, Third-Party Edition, highlights that over half of surveyed professionals (51%) keep access to partner systems for days or even a month after they no longer need it, turning everyday collaborations into hidden vulnerabilities that accumulate over time.
    • “Ask yourself: Are you evaluating and managing these risks well enough? If the answer isn’t clear, it’s time to revisit the basics of identity lifecycle management. Supply chain risks are preventable—but only if they aren’t tolerated or ignored. This article is a primer on how to ensure B2B collaboration remains a source of agility and resilience, not your Achilles’ heel.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cyberscoop reports,
    • “The National Institute of Standards and Technology announced that it will partner with The MITRE Corporation on a $20 million project to stand up two new research centers focused on artificial intelligence, including how the technology may impact cybersecurity for U.S. critical infrastructure.
    • “On Monday [December 22], the agency said one center will focus on advanced manufacturing while the second — the AI Economic Security Center to Secure U.S. Critical Infrastructure from Cyberthreats — will focus more directly on how industries that provide water, electricity, internet and other essential services can protect and maintain services in the face of AI-enabled threats. According to NIST, the centers will “drive the development and adoption” of AI-driven tools, including agentic AI solutions.
    • “The centers will develop the technology evaluations and advancements that are necessary to effectively protect U.S. dominance in AI innovation, address threats from adversaries’ use of AI, and reduce risks from reliance on insecure AI,” spokesperson Jennifer Huergo wrote in an agency release.
  • Federal News Network interviewed “a panel of former federal executives for their opinions about 2025 and what federal IT and acquisition storylines stood out over the last 12 months.”
  • Security Week tells us,
    • “The US Justice Department announced on Monday [December 22] the seizure of a web domain and a password database used by a cybercrime group to steal millions of dollars from bank accounts.
    • “According to the DOJ, the seized domain, web3adspanels.org, hosted a backend web panel used by the cybercriminals to store and manipulate thousands of stolen bank login credentials.
    • “The threat actor conducted a massive bank account takeover scheme that involved malicious ads on search engines such as Google and Bing in an effort to lure users to fake bank websites.
    • “These phishing sites tricked victims into handing over their login credentials, which the cybercriminals could then use to access and drain their bank accounts.
    • “The FBI has identified nearly 20 victims in the US, including two companies, and has determined that the cybercriminals attempted to steal roughly $28 million, with the actual losses estimated at approximately $14.6 million.”
  • Bleeping Computer informs us,
    • “An Interpol-coordinated initiative called Operation Sentinel led to the arrest of 574 individuals and the recovery of $3 million linked to business email compromise, extortion, and ransomware incidents.
    • “Between October 27 and November 27, the investigation, which involved law enforcement in 19 countries, took down more than 6,000 malicious links and decrypted six distinct ransomware variants.
    • “Interpol says that the cybercrime cases investigated are connected to more than $21 million in financial losses.”

From the cybersecurity breaches and vulnerabilities front,

  • Cybersecurity Dive reports,
    • “WatchGuard warns that a critical vulnerability in its Firebox devices is facing exploitation as part of a campaign targeting edge devices, according to an advisory from the company.
    • “The flaw, tracked as CVE-2025-14733, involves an out-of-bounds write vulnerability in the Fireware OS internet key exchange daemon process. An unauthenticated attacker can achieve remote code execution.
    • “WatchGuard said it discovered the flaw through an internal process and issued a patch on Thursday.
    • “Since the fix became available, our partners and end users have been actively patching affected Firebox appliances,” a WatchGuard spokesperson told Cybersecurity Dive. “We continue to strongly encourage timely patching as a core best practice in security hygiene.”
  • Security Week shares information about the WatchGuard patch.
  • Dark Reading points out,
    • “Much has been said about IT worker scams in the last few years, but it’s not every day that we get a glimpse into how pervasive the issue has become.
    • “Stephen Schmidt, senior vice president and chief security officer at Amazon, wrote on LinkedIn over the weekend that the company has prevented “more than 1,800 suspected DPRK operatives from joining [Amazon] since April 2024, and we’ve detected 27% more DPRK-affiliated applications quarter-over-quarter this year.”
    • “IT worker scams involve operatives working as part of or on behalf of a government trying to gain remote IT employment. It is most often associated with North Korea (DPRK), but that’s not the only entity engaging in this practice. While one primary goal may be the worker gaining a foothold in a network for espionage purposes or for sensitive IP theft (and these things do happen), Schmidt, who wrote about North Korean worker scams specifically, highlighted another reason: “Their objective is typically straightforward: get hired, get paid, and funnel wages back to fund the regime’s weapons programs,” he wrote.
  • The Wall Street Journal relates,
    • “AI is making cybercriminals more efficient, enabling them to scale up operations and create more targeted and convincing scams.
    • “Thanks to AI, criminals are getting better at finding targets—for example, by scanning social media to identify people going through big life changes.
    • “Most experts don’t think fully autonomous AI cyberattacks are possible yet in the real world, but research has shown that AI is capable of planning and carrying out an attack on its own in a lab.”
  • Per SC Media,
    • “A series of campaigns were observed targeting the financial sector across multiple continents worldwide — attacks that exhibited the tradecraft of North Korean-affiliated threat actors.
    • “In a Dec. 18 white paper, Darktrace researchers said the attacks leveraged advanced social engineering focused on job hunters, spear-phishing, React2Shell exploitation, and a new Beavertail malware variant.
    • “While the initial access vector remains unknown, Darktrace said evidence suggests it originated from a malicious npm package hosted on GitHub or GitLab — behavior that aligns with the Lazarus Group’s history of exploiting supply-chain vulnerabilities.
    • “According to Darktrace, the attackers used Beavertail for initial credential theft, followed by heavily obfuscated Python scripts and Tsunami modules, hallmarks of a “well-resourced adversary.”
  • Cyber Insider adds,
    • “A malicious NPM package masquerading as a WhatsApp API library has been discovered exfiltrating users’ messages, credentials, contacts, and media, all while delivering fully functional code.
    • “The package, named lotusbail, had been available on the NPM registry for over six months, amassing more than 56,000 downloads before its true purpose came to light.
    • “The discovery was made by Koi Security, whose researchers published a detailed technical report over the weekend, outlining the package’s behavior. The threat actor behind lotusbail cloned the legitimate @whiskeysockets/baileys WhatsApp Web API library and inserted advanced malware designed to siphon off sensitive user data during normal operation.”

From the ransomware front,

  • Cybersecurity Dive reports,
    • “A Cybersecurity and Infrastructure Security Agency program that warns organizations about imminent ransomware attacks has suffered a major setback after its lead staffer left the agency rather than take a forced reassignment.
    • “David Stern, the driving force behind CISA’s Pre-Ransomware Notification Initiative (PRNI) — through which the agency alerts organizations that ransomware actors are preparing to encrypt or steal their data — resigned on Dec. 19, according to four people familiar with the matter. The Department of Homeland Security had ordered Stern to take a job at the Federal Emergency Management Agency in Boston or quit, and Stern chose the latter, three of the people said. * * *
    • “The fate of the warning initiative is now unclear. In a statement, CISA Director of Public Affairs Marci McCarthy said the program “has not stopped and continues to operate as a key element in CISA’s efforts to defeat ransomware attacks.” One person familiar with the matter said the agency is preparing several staffers to take over for Stern. But others said the program relied heavily on Stern’s trusted relationships with the organizations that alert CISA to pending ransomware attacks.”
  • InfoSecurity Magazine explores this year’s top ransomware trends.
  • The HIPAA Journal tells us,
    • “Madison, WI-based ARC Community Services, a provider of behavioral health, substance use disorder treatment, and support services to women and children, has experienced a ransomware attack involving the theft of sensitive data from its network.” The attack occurred in November 2024.
  • CSO informs us,
    • “A recent upgrade to the RansomHouse ransomware operation has added new concerns for enterprise defenders, introducing a multi-layered encryption update to the group’s double-extortion RaaS model.
    • “Also tracked under the cluster Jolly Scorpius, the ransomware gang has transitioned from a simple, single-phase encryption routine to a multi-layered dual-key encryption architecture that increases the complexity of its extortion operations.
    • “Detailed by Palo Alto Networks’ threat intelligence team, the update raises the bar for recovery once systems are compromised. The change affects how files are processed and encrypted during an attack, complicating analysis and limiting defenders’ ability to recover data without paying a ransom.”

From the cybersecurity business and defenses front,

  • The Wall Street Journal reports,
    • “Artificial-intelligence software company ServiceNow agreed to acquire cybersecurity startup Armis for about $7.75 billion in cash in a move intended to take advantage of growing demand for AI security.
    • “Armis recently raised $435 million in a funding round that valued the company at $6.1 billion, and it had been planning for an initial public offering at the end of 2026 or early 2027.
    • “ServiceNow said on Tuesday that the acquisition would triple its market opportunity for security and risk solutions and entrench its position in the market for securing AI technology.
    • “The increasing integration of AI tools into business workflows has raised worries that companies could become more vulnerable to cyberattacks and hacks.”
  • Cyberscoop lets us know,
    • “How to determine if agentic AI browsers are safe enough for your enterprise. Automation is transforming web browsing, enabling AI agents to perform tasks once handled by humans. Yet with greater convenience comes a complex security landscape that enterprises can’t afford to ignore.”
  • Federal News Network discusses “The next cyber battlefield: Preparing federal networks for autonomous malware.”
    • “Recent research from Google’s Threat Intelligence Group has drawn new attention to a long-standing question in cybersecurity: How close are we to malware that can truly think and adapt on its own?
    • “Earlier this month, Google disclosed five experimental code families, including PROMPTFLUX and PROMPTSTEAL, that used large language models (LLMs) during execution to generate commands, rewrite portions of their own code, and adapt to their environment.
    • “While these findings are concerning, it’s important to note that “autonomous” malware is still in the early stages. But that’s precisely the point. Even in this primitive form, these early samples show how the threat landscape is rapidly evolving. Federal agencies now have a narrow window to prepare before those capabilities mature into operational threats.
    • “Autonomous malware represents a fundamental shift in cybersecurity, as this malicious code can reason about its surroundings, make tactical decisions, and evolve its behavior in real time. For federal networks built on complex systems and strict change-control policies, that evolution could eventually collapse traditional defense timelines and upend response models.”
  • Per a CISA news release,
    • “NIST and CISA’s draft Interagency Report Protecting Tokens and Assertions from Forgery, Theft, and Misuse is now available for public comment through January 30, 2026. This report is in response to Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144, providing implementation guidance to help federal agencies and cloud service providers (CSPs) protect identity tokens and assertions from forgery, theft, and misuse.
    • “This report emphasizes the need for CSPs and cloud consumers, including government agencies, to better define their respective roles and responsibilities in managing identity and access management (IAM) controls in cloud environments. It establishes principles for both CSPs and cloud consumers, calling on CSPs to apply Secure by Design best practices, and to prioritize transparency, configurability, and interoperability—empowering cloud consumers to better defend their diverse environments. It also calls upon government agencies to understand the architecture and deployment models of their procured CSPs to ensure proper alignment with risk posture and threat environment.
    • “Comments on the report may be submitted to iam@list.nist.gov. Please visit NIST’s site for more information.” 
  • Per Dark Reading,
    • “As More Coders Adopt AI Agents, Security Pitfalls Lurk in 2026. Developers are leaning more heavily on AI for code generation, but in 2026, the development pipeline and security need to be prioritized.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cyberscoop reports,
    • “With a little more than a month left before a foundational cyber threat information sharing law expires for a second time, Congress might have to do another short-term extension as negotiations on a longer deal aren’t yet bearing fruit, a key lawmaker said Tuesday.
    • “House Homeland Security Chairman Andrew Garbarino, R-N.Y., said the problem with a long-term extension of the Cybersecurity Information Sharing Act of 2015, which provides legal protections to companies to share cyber threat data with the federal government and other companies, is that there are three different views about how to approach it.
    • “The Trump administration and some in the Senate want a clean, 10-year reauthorization of the law, which Congress extended last month until Jan. 30 as part of the legislation that ended the government shutdown, after the information sharing law lapsed in October. But a reauthorization without any changes could run into House opposition, Garbarino said.” * * *
    • “Senate Homeland Security and Governmental Affairs Committee Chairman Rand Paul, R-Ky., also has a version of the bill that focuses largely on language he said is needed to defend free speech. And Garbarino’s version takes yet another approach to tweaking the law.
    • “Unfortunately, I don’t think we’re close enough with the discussions on the Senate to get it to figure out which bill will pass and what will get done,” Garbarino said. That leaves another extension tied to any funding bill that replaces the legislation currently funding the government, which also runs through Jan. 30.”
  • and
    • “Policymakers and companies are reckoning with increased reports over the past few months showing AI tools being leveraged to conduct cyber attacks on a larger and faster scale.
    • “Most notably, Anthropic reported last month that Chinese hackers had jailbroken and tricked its AI model Claude into assisting with a cyberespionage hacking campaign that ultimately targeted more than 30 entities around the world.
    • “The Claude-enabled Chinese hacks have underscored existing concerns among AI companies and policymakers that the technology’s development and relevance to offensive cybersecurity may be outpacing the cybersecurity, legal and policy responses being developed to defend against them.
    • “At a House Homeland Security hearing this week, Logan Graham, head of Anthropic’s red team, said the Chinese spying campaign demonstrates that worries about AI models being used to supercharge hacking are more than theoretical.”
  • Cybersecurity Dive tells us,
    • “A top Senate Republican is pressing the Trump administration for a plan to address the cybersecurity consequences of the U.S.’s dependence on open-source software.
    • “Leaving our reliance on OSS unmonitored is exposing America to increasingly dangerous risks,” Senate Intelligence Committee Chair Tom Cotton, R-Okla., wrote in a Wednesday letter to National Cyber Director Sean Cairncross.
    • “Cotton cited recent incidents that highlighted the unstable and sometimes untrustworthy foundations of the open-source ecosystem, including the XZ Utils crisis, a Russian developer’s control of a package that the U.S. military uses for sensitive applications and the prevalence of code contributions by Chinese companies’ employees, who are bound by Chinese laws that could force them to disclose software flaws to Beijing before fixing them.”
  • and
    • “The National Institute of Standards and Technology has prepared a companion to its widely used Cybersecurity Framework that focuses on how organizations can safely use AI.
    • “NIST’s Cybersecurity Framework Profile for Artificial Intelligence, which the agency released in draft form on Tuesday [December 16], describes how organizations can manage the cybersecurity challenges of different AI systems, improve their cyber defense capabilities with AI and block AI-powered cyberattacks. The document maps components of the Cybersecurity Framework (CSF) onto specific recommendations in each of those three areas, which NIST dubbed “secure,” “defend” and “thwart,” respectively.
    • “The three focus areas reflect the fact that AI is entering organizations’ awareness in different ways,” Barbara Cuthill, one of the profile’s authors, said in a statement. “But ultimately every organization will have to deal with all three.”
  • Cyberscoop tells us,
    • “Federal prosecutors in Michigan say they have dismantled online infrastructure tied to an alleged money laundering operation that moved tens of millions of dollars in proceeds from ransomware and other cybercrime, along with indicting the service’s creator.
    • “The U.S. Attorney’s Office for the Eastern District of Michigan announced a coordinated action with international partners and the Michigan State Police targeting E-Note, a cryptocurrency exchange and payment processing service used to launder illicit funds. The announcement coincided with the unsealing of an indictment charging a Russian national, Mykhalio Petrovich Chudnovets, with one count of money laundering conspiracy.”
  • and
    • “Former cybersecurity professionals Ryan Clifford Goldberg and Kevin Tyler Martin pleaded guilty Thursday to participating in a series of ransomware attacks in 2023 while they were employed at cybersecurity companies tasked with helping organizations respond to ransomware attacks.
    • “Goldberg, who was a manager of incident response at Sygnia, and Martin, a ransomware negotiator at DigitalMint at the time, collaborated with an unnamed co-conspirator to attack victim computers and networks and use ALPHV, also known as BlackCat, ransomware to extort payments.
    • “The plea deals mark a relatively quick turnaround as prosecutors successfully persuaded the pair to cop to their crimes less than three months after they were indicted in the U.S. District Court for the Southern District of Florida. Goldberg was arrested Sept. 22 and Martin was arrested Oct. 14.”
  • and
    • “Artem Aleksandrovych Stryzhak, a 35-year-old Ukrainian national, pleaded guilty Friday to multiple crimes stemming from his involvement in a string of ransomware attacks targeting U.S. and Europe-based organizations from mid-2018 to late 2021. He faces up to 10 years in jail for conspiracy to commit fraud, including extortion.
    • “Stryzhak was arrested in Spain in June 2024 and extradited to the United States in April. Authorities are still looking for his alleged co-conspirator Volodymyr Tymoshchuk and announced an $11 million reward for information leading to his arrest or conviction.
    • “The defendant used Nefilim ransomware to target high-revenue companies in the United States, steal data and extort victims,” Joseph Nocella, U.S. attorney for the Eastern District of New York, said in a statement.”

From the cybersecurity breaches and vulnerabilities front,

  • Cybersecurity Dive reports,
    • “Apartment owner and developer Rockrose Development Corp. recently found that unauthorized individuals hacked its systems and claimed to have acquired confidential information, according to a letter posted to its website on Dec. 12. 
    • “The security breach occurred on July 4 and affected 47,392 people, according to a data breach notification submitted to Maine’s attorney general’s office. Rockrose discovered the issues on Nov. 14. 
    • “Rockrose determined that personally identifiable information for some individuals may have been impacted, which could indicate that the hackers accessed some sensitive areas of the network. That information could include name, Social Security number, taxpayer identification number, driver’s license number, passport number, bank account and routing numbers, health insurance information, medical information and online account credentials.”
  • Cyberscoop adds,
    • “Fallout from React2Shell — a stubborn vulnerability that impacts wide swaths of the internet’s scaffolding — continues to spread as public exploits and stealth backdoors proliferate and worrying details emerge about the targets attackers are pursuing. 
    • “Threat researchers and incident responders are reacting to swift-moving developments on React2Shell with mounting concern. Cybercriminals, ransomware gangs and nation-state threat groups are all swarming to exploit the maximum-severity vulnerability.
    • “Palo Alto Networks’ Unit 42 puts the latest victim count at more than 60 organizations, which have been impacted by attacks involving exploitation of CVE-2025-55182, which Meta and the React team publicly disclosed Dec. 3.
    • “Microsoft said it found “several hundred machines across a diverse set of organizations” that were compromised via exploitation resulting in remote-code execution. Post-exploitation activity in those attacks includes reverse shell implants, lateral movement, data theft and steps that allowed attackers to maintain access to targeted networks, Microsoft said in a research blog Tuesday [December 16].”
  • The Cybersecurity and Infrastructure Security Agency (“CISA”) added seven known exploited vulnerabilities to its catalog this week.
    • December 15, 2025
      • CVE-2025-14611 Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability
      • CVE-2025-43529 Apple Multiple Products Use-After-Free WebKit Vulnerability
        • Kudelski Security discusses the Gladinet KEV here.
        • The Center for Internet Security discusses the Apple KEV here.
    • December 16, 2025
      • CVE-2025-59718 Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability
        • Security Affairs discusses this KEV here.
    • December 17, 2025
      • CVE-2025-20393 Cisco Multiple Products Improper Input Validation Vulnerability
      • CVE-2025-40602 SonicWall SMA1000 Missing Authorization Vulnerability
      • CVE-2025-59374 ASUS Live Update Embedded Malicious Code Vulnerability
        • The Hacker News discusses the Cisco KEV here.
        • Security Week discusses the SonicWall KEV here.
        • Malwarebytes discusses the ASUS KEV here.
    • December 19, 2025
      • CVE-2025-14733 WatchGuard Firebox Out-of-Bounds Write Vulnerability
        • Bleeping Computer discusses this KEV here.
  • Cyberscoop relates,
    • “Cisco customers are confronting a fresh wave of attacks from a Chinese threat group that has actively exploited a critical zero-day vulnerability affecting the vendor’s software for email and web security since at least late November, the company said in an advisory Wednesday. 
    • “Cisco said it became aware of the attacks Dec. 10. The defect CVE-2025-20393, which has a CVSS rating of 10, is an improper input validation vulnerability affecting Cisco AsyncOS software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager that allows attackers to execute commands with unrestricted privileges and implant persistent backdoors on compromised devices.
    • “There is no patch for the vulnerability and Cisco declined to say when one would be made available. Cisco said “non-standard configurations” have been observed in compromised networks, specifically customer systems that are configured with a publicly exposed spam quarantine feature.
    • “Cisco Talos researchers attributed the attacks to a Chinese advanced persistent threat group it tracks as UAT-9686, which has used tooling and infrastructure consistent with other China state-sponsored threat groups such as APT41 and UNC5174.”
  • Cybersecurity Dive informs us,
    • “Multiple threat groups have been ramping up attacks using a technique called device code phishing to trick users into granting access to their Microsoft 365 accounts, according to a report Thursday from Proofpoint.
    • “Hackers affiliated with China and Russia have used the technique in recent months to launch attacks. A number of criminal groups have used the same method to target M365 users as well. 
    • “This is a social engineering method that abuses a legitimate and trusted workflow for authorized access,” Sarah Sabotka, staff threat researcher at Proofpoint, told Cybersecurity Dive.”
  • and
    • “A coordinated, credential-based hacking campaign has been targeting Palo Alto Networks GlobalProtect services, as well as Cisco SSL VPNs, in a surge of mid-December attacks, according to a blog post Wednesday by GreyNoise.
    • “The threat activity does not involve targeting of any vulnerabilities, but uses automated scripted login attempts over two days.
    • “More than 1.7 million sessions were observed targeting Palo Alto Networks GlobalProtect and PAN-OS profiles over a 16-hour period, according to GreyNoise. More than 10,000 unique IPs were detected trying to log into GlobalProtect portals on Dec. 11.”
  • and
    • “A Russia-linked hacker group has been targeting critical infrastructure organizations using vulnerabilities in their edge devices since at least 2021, highlighting an alarming shift toward exploiting well-known flaws in common networking equipment, Amazon’s threat intelligence team said Monday.
    • “The threat actor’s shift [toward edge devices] represents a concerning evolution,” Amazon researchers wrote in a blog post. “While customer misconfiguration targeting has been ongoing since at least 2022, the actor maintained sustained focus on this activity in 2025 while reducing investment in zero-day and N-day exploitation.”
  • Bleeping Computer points out,
    • “The UEFI firmware implementation in some motherboards from ASUS, Gigabyte, MSI, and ASRock is vulnerable to direct memory access (DMA) attacks that can bypass early-boot memory protections.
    • “The security issue has received multiple identifiers (CVE-2025-11901, CVE-2025‑14302, CVE-2025-14303, and CVE-2025-14304) due to differences in vendor implementations.”

From the ransomware front,

  • Cyber Press reports,
    • “SentinelLABS research indicates that large language models (LLMs) such as ChatGPT, Claude, and open-source alternatives are accelerating every stage of the ransomware lifecycle, from reconnaissance to negotiation.
    • “However, analysts emphasize that these tools are improving speed and scale rather than introducing fundamentally new attack methods.
    • “By repurposing enterprise-grade AI workflows, ransomware actors are using models to automate tasks such as creating phishing content, drafting multilingual ransom notes, and triaging data across leaked datasets. 
    • “This enables threat actors to identify financially sensitive files and tailor extortion tactics across multiple languages with greater precision.” * * *
    • “The report finds that while law enforcement disruptions have weakened mega cartels such as LockBit, Conti, and REvil, smaller, short-lived groups such as Termite, Punisher, and Obscura are emerging rapidly. 
    • “These groups exploit LLM-driven workflows to emulate more experienced operators, reducing entry barriers and complicating attribution.”
  • Manufacturing Business Technology adds,
    • “Sophos recently announced new findings from the Sophos State of Ransomware in Manufacturing and Production 2025 report which reveals that manufacturers are stopping more ransomware attacks before data can be encrypted.
    • “However, adversaries are increasingly stealing data and using extortion-only tactics to maintain pressure. As a result, more than half of manufacturing organizations impacted by encryption paid the ransom despite progress in defensive measures.”
  • Bleeping Computer relates,
    • “The Clop ransomware gang (also known as Cl0p) is targeting Internet-exposed Gladinet CentreStack file servers in a new data theft extortion campaign.
    • “Gladinet CentreStack enables businesses to securely share files hosted on on-premises file servers through web browsers, mobile apps, and mapped drives without requiring a VPN. According to Gladinet, CentreStack “is used by thousands of businesses from over 49 countries.”
    • “Since April, Gladinet has released security updates to address several other security flaws that were exploited in attacks, some of them as zero-days.
    • “The Clop cybercrime gang is now scanning for and breaching CentreStack servers exposed online, with Curated Intel telling BleepingComputer that ransom notes are left on compromised servers.
    • “However, there is currently no information on the vulnerability Clop is exploiting to hack into CentreStack servers. It is unclear whether this is a zero-day flaw or a previously addressed bug that the owners of the hacked systems have yet to patch.”
  • CSO offers advice on how to create a ransomware playbook that works.

From the cybersecurity business and defenses front,

  • The Wall Street Journal reports,
    • “Blackstone is leading a $400 million investment in data-security firm Cyera that values the New York-based company at $9 billion, according to people familiar with the matter. 
    • “Cyera is among a crop of cybersecurity startups leveraging artificial intelligence to protect companies from new security vulnerabilities introduced by AI. The startup, founded in 2021 by former Israeli Defence Forces military intelligence officers Yotam Segev and Tamar Bar-Ilan, raised funding at a $6 billion valuation in June.”
  • and
    • “Kevin Mandia, founder of the cybersecurity firm Mandiant—which was acquired by Alphabet’s Google for $5.4 billion—has formed a new company called Armadin that will take on the imminent threat from AI hacking.
    • “The company aims to use artificial intelligence to supercharge the business of testing networks for vulnerabilities. Armadin raised $24 million in seed funding from Ballistic Ventures, a venture-capital firm co-founded by Mandia, and is in talks with Accel, GV and Kleiner Perkins to raise $100 million or more, people familiar with the matter said. The deal is expected to value the company at more than $600 million. The round isn’t finalized, and the details could still change.
    • “Known as red-teaming, this kind of service will become more important as hackers turn to AI to speed up their attacks, Mandia said in an interview.
    • “Offense is going to be all-AI in under two years,” he said. “And because that’s going to happen, that means defense has to be autonomous. You can’t have a human in the loop or it’s going to be too slow.”
  • CISA announced,
    • “Today [December 19], the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency, and Canadian Centre for Cyber Security released an update to the Malware Analysis Report BRICKSTORM Backdoor with indicators of compromise (IOCs) and detection signatures for additional BRICKSTORM samples. This update provides information on additional samples, including Rust-based samples. These samples demonstrate advanced persistence and defense evasion mechanisms, such as running as background services, and enhanced command and control capabilities through encrypted WebSocket connections.
    • “The update includes two new detection signatures in the form of YARA rules, enabling organizations to better identify BRICKSTORM-related activity. Organizations are strongly encouraged to deploy these updated IOCs and signatures, and to follow the detection guidance to scan for and respond to BRICKSTORM infections. If BRICKSTORM, similar malware, or potentially related activity is detected, report the incident to CISA’s 24/7 Operations Center at contact@cisa.dhs.gov or (888) 282-0870.”
  • Cybersecurity Dive lets us know,
    • “Hybrid infrastructure that includes a mix of public/private cloud environments, on-premises workloads and air-gapped systems is preferred by security leaders as a way to boost resilience and better manage risk, according to a report Thursday by Trellix.
    • “About 96% of chief information security officers said a hybrid model is the preferred approach to meet regulatory and compliance requirements, while 97% said such a model will help meet obligations related to data sovereignty and residency.
    • “Ultimately, a CISO must ensure their teams, technology and business partners understand the specific shared responsibility model for each service they consume and implement the necessary controls to manage the daily risks that remain the customer’s responsibility,” Trellix CISO Michael Green told Cybersecurity Dive. “This often involves leveraging tools and governance processes designed to operate across multicloud and hybrid environments to provide consistent security posture and visibility.”
  • An ISACA expert notes,
    • “Cybersecurity budgets are often built on assumptions, including the assumption that backups will always work, that insurance will cover the losses and that existing controls are “good enough.” Yet, when those assumptions fail, the operational fallout can be staggering. The City of Hamilton in Canada learned this lesson when a ransomware attack crippled nearly 80% of its network and left taxpayers facing a CAD $18.3 million recovery bill. Misplaced assumptions regarding backups, authentication, insurance and system resilience can lead organizations to underestimate risk and drive up the cost of a cyberattack.”
  • Dark Reading offers advice on creating an AI adoption playbook and of course its CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cyberscoop reports,
    • “The Defense Department would require that senior leaders have secure mobile phones, that personnel would get cybersecurity training that includes a focus on artificial intelligence and that cyber troops would have access to mental health services under a compromise annual defense policy bill released over the weekend.
    • “The deal between House and Senate negotiators on the fiscal 2026 National Defense Authorization Act (NDAA) [reached last weekend] is a massive piece of legislation that runs the gamut of the Pentagon, including a record-breaking $901 billion topline figure. It also has a grab bag of cybersecurity policy provisions.”
  • Roll Call adds,
    • “Senate leaders plan for the chamber to vote next week to clear the bicameral compromise National Defense Authorization Act for President Donald Trump’s signature.
    • “As the fiscal 2026 bill edges closer to enactment, one of the few last-minute controversies shadowing it concerns whether the measure goes far enough to restrict military aircraft operations in close proximity to Ronald Reagan Washington National Airport.
    • “The Senate on Thursday [December 11] voted 75-22 to take one procedural step closer to voting on the measure — agreeing to proceed to the legislation — which would authorize $900.6 billion for defense programs, mostly at the Pentagon.
    • “The chamber still plans to cast another procedural vote — set for Monday evening — and is expected to vote to clear the NDAA soon thereafter next week.
    • “The House passed the bill Wednesday [December 10] by a vote of 312-112.”
  • The American Hospital Association News tells us,
    • “The Cybersecurity and Infrastructure Security Agency Dec. 11 released an update to its voluntary Cybersecurity Performance Goals, which includes measurable actions for critical infrastructure, including health care. The update aligns with the latest cybersecurity standards outlined by the National Institute of Standards and Technology and addresses the most common and impactful threats facing critical infrastructure. The guidance also highlights the role of governance in cybersecurity management, emphasizing accountability, risk management and strategic integration of cybersecurity into day-to-day operations.”
  • The HIPAA Journal relates,
    • “The College of Healthcare Information Management Executives (CHIME) and more than 100 U.S. hospital systems, healthcare provider organizations, and provider associations have called for the Department of Health and Human Services (HHS) to withdraw its proposed updates to the HIPAA Security Rule.
    • “The HIPAA Security Rule was enacted in 2002, nine years after HIPAA was signed into law, to establish security standards for electronic protected health information created, received, used, or maintained by a covered entity, with the requirements subsequently expanded to cover business associates of HIPAA-regulated entities. The Security Rule was written to be technology agnostic to avoid frequent rule changes in response to advances in technology; however, 22 years after its initial release, the HHS proposed a substantial update that specified many new cybersecurity requirements.” * * *
    • “While few healthcare industry stakeholders would disagree with the main purpose of the update – to improve healthcare cybersecurity and prevent costly and damaging cyberattacks that threaten patient safety – the proposed update attracted considerable criticism from healthcare and provider organizations. In February 2025, 8 industry associations, including CHIME, co-signed a letter to President Trump calling for the proposed update to be rescinded, pointing out that under the previous Trump administration, healthcare organizations were incentivized to adopt recognized cybersecurity best practices, and that was a better approach than imposing unreasonable cybersecurity mandates that would be costly and difficult to implement.
    • “In the December 8, 2025, joint stakeholder letter to HHS Secretary Robert F. Kennedy, Jr., the signatories called for the proposed update to be immediately withdrawn, and for the HHS to instead “conduct a collaborative outreach initiative with our organizations and other regulated entities that are impacted to develop practical and actionable cybersecurity standards for more robust protections of individuals’ health information, without the extreme and unnecessary regulatory burden that health care providers and other stakeholders would face under the crushing and unprecedented provisions of this Proposed Rule.”
  • Per a National Institute of Standards and Technology news release,
    • “NIST Special Publication (SP) 800-70r5 ipd (Revision 5, initial public draft), National Checklist Program for IT Products – Guidelines for Checklist Users and Developers, is now available for public comment through January 16, 2026, at 11:59 PM (EST).
    • “NIST established the National Checklist Program (NCP) to facilitate the generation of security checklists from authoritative sources, centralize the location of checklists, and make checklists broadly accessible. SP 800-70r5 ipd describes the uses, benefits, and management of checklists and checklist control catalogs, as well as the policies, procedures, and general requirements for participation in the NCP.”
  • Security Week informs us,
    • “The US government has announced rewards of up to $10 million for information on members of the Iranian hacking group known as Emennet Pasargad.
    • “The reward offers come roughly a year after a US-Israel joint advisory described the activities of the group, which was then identified by the name of its front company, Aria Sepehr Ayandehsazan (ASA).
    • “Noting that the group was previously identified as Emennet Pasargad, Ayandeh Sazan Sepehr Arya (ASSA), Eeleyanet Gostar, and Net Peygard Samavat Company, the US now calls it Shahid Shushtari.
    • “In the private sector, the threat group has been known as Cotton Sandstorm, Marnanbridge, and Haywire Kitten.”
  • Cyberscoop adds,
    • “The Justice Department has charged a Ukrainian national with conducting cyberattacks on critical infrastructure worldwide as part of two Russian state-sponsored hacking operations that targeted water systems, food processing facilities and government networks across the United States and allied nations.
    • “Victoria Eduardovna Dubranova, 33, was arraigned on a second indictment Tuesday [December 9] after being extradited to the U.S. earlier this year. She faces charges related to her alleged work with CyberArmyofRussia_Reborn, known as CARR, and NoName057(16), two groups federal prosecutors say received backing from Moscow to advance Russian geopolitical interests. 
    • “Dubranova pleaded not guilty in both cases.”

From the cybersecurity breaches and vulnerabilities front,

  • Bleeping Computer reports,
    • “MITRE has shared this year’s top 25 list of the most dangerous software weaknesses behind over 39,000 security vulnerabilities disclosed between June 2024 and June 2025.
    • “The list was released in cooperation with the Homeland Security Systems Engineering and Development Institute (HSSEDI) and the Cybersecurity and Infrastructure Security Agency (CISA), which manage and sponsor the Common Weakness Enumeration (CWE) program.
    • “Software weaknesses can be flaws, bugs, vulnerabilities, or errors found in a software’s code, implementation, architecture, or design, and attackers can abuse them to breach systems running the vulnerable software. Successful exploitation allows threat actors to gain control over compromised devices and trigger denial-of-service attacks or access sensitive data.”
  • Cyberscoop relates,
    • “Security experts have observed a steady increase in malicious activity from a widening pool of attackers seeking to exploit React2Shell, a critical vulnerability disclosed last week in React Server Components.
    • “Authorities are also responding to heightened concern about the defect, with the Cybersecurity and Infrastructure Security Agency shortening the deadline for agencies to patch the vulnerability to Friday [December 12]. The agency previously set a deadline of Dec. 26 when it added CVE-2025-55182 to its known exploited vulnerabilities catalog last week.
    • “Palo Alto Networks Unit 42 said more than 50 organizations are impacted by attacks involving exploitation of the vulnerability with victims observed in the United States, Asia, South America and the Middle East.” 
  • Cybersecurity Dive adds,
    • “React on Thursday [December 11] warned that customers will need to apply new upgrades amid the React2Shell crisis, after researchers discovered additional vulnerabilities, including a denial of service flaw and a source code exposure. 
    • “A denial of service vulnerability, tracked as CVE-2025-55184 and CVE-2025-67779, allows an attacker to craft a malicious HTTP request and send it to a Server Functions endpoint, which can lead to an infinite loop. The flaw has a severity score of 7.5. 
    • “The source code exposure, tracked as CVE-2025-55183, allows a malicious HTTP request sent to a vulnerable Server Function to unsafely return the source code of any Server Function.”
  • The American Hospital Association News lets us know,
    • “U.S. and international agencies are warning of potential cyberattacks on health care and other critical infrastructure from state-sponsored cyber actors in Russia and China.
    • “An advisory released yesterday [December 11] warns of incidents by Russian hackers using internet-facing desktop-sharing systems to access operational technology and industrial control systems for malicious activity. A Dec. 4 report warns of Chinese state-sponsored cyber actors using BRICKSTORM malware to attack VMware vSphere and Windows cloud platforms.
    • “These nation-state level threats may be difficult for civilian network defenders to counter,” said John Riggi, AHA national advisor for cybersecurity and risk. “However, robust cyber threat information sharing between the private sector and the federal government, implementation of recommended practices, and the commendable and aggressive enforcement operations by the FBI and other agencies will help mitigate the threat. Organizations should also update, integrate and routinely test emergency preparedness, cyber incident response and clinical continuity plans should there be an extended technology outage affecting hospitals directly or indirectly through a cyberattack against mission-critical third parties.”
  • CISA added seven known exploited vulnerabilities to its catalog this week.
    • December 8, 2025
      • CVE-2022-37055 D-Link Routers Buffer Overflow Vulnerability
      • CVE-2025-66644 Array Networks ArrayOS AG OS Command Injection Vulnerability
        • Cyber Press discusses the D-Link KEV here.
        • F5 discusses the Array Networks KEV here.
    • December 9, 2025
      • CVE-2025-6218 RARLAB WinRAR Path Traversal Vulnerability
      • CVE-2025-62221 Microsoft Windows Use After Free Vulnerability
        • Cybersecurity News discusses the RARLAB KEV here.
        • Bleeping Computer discusses the Microsoft KEV here.
    • December 11, 2025
      • CVE-2025-58360 OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability
        • Bleeping Computer discusses this KEV here.
    • December 12, 2025
      • CVE-2025-14174 Google Chromium Out-of-Bounds Memory Access Vulnerability
        • The Hacker News discusses this KEV here.
    • December 12, 2025 (double shot day, not a typo)
      • CVE-2018-4063 Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability
        • Windows Forum discusses this KEV here.
  • Bleeping Computer adds,
    • “Apple has released emergency updates to patch two zero-day vulnerabilities that were exploited in an “extremely sophisticated attack” targeting specific individuals.
    • “The zero-days are tracked as CVE-2025-43529 and CVE-2025-14174 and were both issued in response to the same reported exploitation.
    • “Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26,” reads Apple’s security bulletin.”
  • Cybersecurity Dive notes,
    • “Utility-scale battery energy storage systems are facing heightened risks of attack from nation-state and criminal threat groups, and immediate action needs to be taken to secure critical industries from potential disruption, according to a white paper from Brattle Group and Dragos. 
    • “BESS deployments are expected to grow between 20% and 45% over the next five years, driven by increased demand for data centers and other power requirements. At the same time, state-linked actors have turned their attention toward disrupting critical industries, such as utilities and rival nations competing with the U.S. for dominance in AI and clean energy.”
  • Per Infosecurity Magazine,
    • “A new iteration of the ClayRat Android spyware featuring expanded surveillance and device-control functions has been identified by cybersecurity researchers.
    • “First seen in October, ClayRat was originally capable of stealing SMS messages, call logs and photos, as well as sending mass texts.
    • “The latest version introduces far broader capabilities by combining Default SMS privileges with extensive abuse of Accessibility Services.”

From the ransomware front,

  • Cybersecurity Dive reports,
    • “Ransomware activity reached an all-time high in 2023, totaling more than 1,500 incidents and $1.1 billion in reported payments, before dropping the following year after two high-profile law enforcement takedowns.
    • “The two critical law enforcement actions were the 2023 U.S.-led takedown of AlphV/BlackCat and the 2024 disruption of LockBit by U.S. and U.K. authorities, according to a new U.S. government study.
    • “The report by the U.S. Treasury’s Financial Crimes Enforcement Network shows ransomware fell to 1,476 incidents in 2024, with reported payments reaching $734 million.
    • “More than $2.1 billion in ransomware payments were reported between 2022 and 2024, according to the report.
    • “The median amount of a single ransomware transaction rose from $122,097 in 2022 to $155,257 in 2024, according to the report. The most common payment amount was less than $250,000 during the period.
    • “AlphV/BlackCat was the most prevalent ransomware variant during the 2022–2024 period, according to the report. The other most reported variants included Akira, LockBit, Phobos and Black Basta.”
  • Dark Reading adds,
    • “You may be familiar with ransomware-as-a-service (RaaS), but now there’s also packer-as-a-service.
    • “Security vendor Sophos on Dec. 6 published research on “Shanya,” a packer-as-a-service family that augments ransomware so it can avoid anti-malware software. While ransomware-as-a-service provides low-level attackers with extortion malware they might not be able to create otherwise, packers-as-a-service (PaaS) provide a shell around pre-existing ransomware that acts as an extra layer of obfuscation.
    • “Shanya covers ground previously paved by PaaS operation HeartCrypt, which over the past year has firmly entrenched itself in the modern ransomware ecosystem. Sophos’ Gabor Szappanos and Steeve Gaudreault say Shanya is “already favored by ransomware groups and taking over (to some degree) the role that HeartCrypt has played in the ransomware toolkit.”
  • and
    • “Initial access broker Storm‑0249 has shifted from noisy, easily detected phishing attacks to highly targeted campaigns that are much harder to detect and stop. 
    • “According to ReliaQuest, Storm-0249, which is known for brokering network access to ransomware operators, is increasingly weaponizing legitimate endpoint detection and response (EDR) processes as well as built-in Windows utilities to carry out post-compromise activities. This includes poking around compromised systems to gather information, setting up command-and-control (C2) channels, and staying persistent in the environment. These new tactics let Storm‑0249 slip past defenses, get deep into networks, and operate almost completely under the radar, the security vendor said.”
  • and
    • “A new attack uses SEO poisoning and popular AI models to deliver infostealer malware, all while leveraging legitimate domains. 
    • “ClickFix attacks have gained significant popularity over the past year, using otherwise benign CAPTCHA-style prompts to lure users into a false sense of security and then tricking them into executing malicious prompts against themselves. These prompts are often delivered through SEO poisoning and phishing campaigns, representing one of the fancier applications of social engineering in cybercrime to date.”
  • The Register points out,
    • “Researchers at security software vendor Huntress say they’ve noticed a huge increase in ransomware attacks on hypervisors and urged users to ensure they’re as secure as can be and properly backed up.
    • “Huntress case data revealed a stunning surge in hypervisor ransomware: its role in malicious encryption rocketed from just three percent in the first half of the year to 25 percent so far in the second half,” wrote Senior Hunt & Response Analyst Anna Pham, Technical Account Manager Ben Bernstein, and Senior Manager for Hunt & Response, Dray Agha in a Monday [December 8] post.
    • “The primary actor driving this trend is the Akira ransomware group,” the trio warned, adding that the gang, and other attackers, are going after hypervisors “in an attempt to circumvent endpoint and network security controls.”

From the cybersecurity business and defenses front,

  • Security Week reports,
    • “Enterprise cybersecurity giant Proofpoint has completed the acquisition of Germany-based Microsoft 365 security solutions provider Hornetsecurity.
    • “Financial details were not officially disclosed when news of the transaction came to light, but it was reported that Proofpoint would be paying $1 billion for its European competitor. SecurityWeek learned at the time that the deal size well exceeded $1 billion.
    • “Proofpoint has now revealed that the transaction has been valued at $1.8 billion.
    • “Through the acquisition of Hornetsecurity, Proofpoint is aggressively expanding its reach into the SMB market and strengthening its foothold in Europe.”
  • Bank Info Security adds,
    • “An identity security stalwart led by the company’s longtime founder raised $700 million to support the management of non-human identities and agentic artificial intelligence.
    • “Los Angeles-based Saviynt plans to use the Series B proceeds to invest in core platform capabilities, AI governance protocols and deep integrations with the likes of AWS, Google and CrowdStrike, said Saviynt President Paul Zolfaghari. What was once about on premise human access is now a multidimensional challenge involving extended workforces, robotic accounts and AI-driven agents, Zolfaghari said.
    • “It was an opportunity to put in place the resources necessary to deliver on the vision for the future. The interest in identity security and AI has gone up quite a bit,” he said. “The amount is just a function of the resources that we think that we need for the foreseeable future. It’s an opportunity for us to have the resources we need while still maintaining the control and the culture that has gotten us to this point.”
  • Cyberscoop relates,
    • “Global cybersecurity agencies have issued the first unified guidance on applying artificial intelligence (AI) within critical infrastructure, signaling a major shift from theoretical debate to practical guardrails for safety and reliability.
    • “The release of joint guidance on Principles for the Secure Integration of Artificial Intelligence in Operational Technology marks a meaningful milestone for critical infrastructure security because major global cybersecurity agencies, including CISA, the FBI, the NSA, the Australian Signals Directorate’s Australian Cyber Security Centre, and other partners, have aligned on a shared direction. As AI adoption accelerates across operational environments, this document moves us from theory to practice. It acknowledges AI’s promise while making clear that it also “introduces significant risks—such as operational technology (OT) process models drifting over time or safety-process bypasses” that operators must actively manage to ensure reliability.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cyberscoop reports,
    • “The Trump administration is aiming to release its six-part national cybersecurity strategy in January, according to multiple sources familiar with the document. The document, which is a mere five pages long, will possibly be followed by an executive order to implement the new strategy.
    • “The administration has been soliciting feedback in recent days, which one source considered more of a “messaging” document than anything, with more important work to follow.
    • “According to sources familiar with the strategy, the six “pillars” focus on cyber offense and deterrence; aligning regulations to make them more uniform; bolstering the cyber workforce; federal procurement; critical infrastructure protection; and emerging technologies.”
  • and
    • “A bipartisan group of senators are looking to tackle health care cybersecurity by reviving legislation that would update regulations and guidelines, authorize grants, offer training and clarify federal agency roles.
    • “It’s a subset of cybersecurity where Congress hasn’t enacted any sweeping changes to date. The resurrected Health Care Cybersecurity and Resiliency Act from Health, Education Labor and Pension Committee Chairman Bill Cassidy, R-La., and his colleagues on both sides of the aisle emerges from a 2023 bipartisan health care cybersecurity working group.
    • “Cassidy and his cosponsors — Mark Warner, D-Va., Maggie Hassan, D-N.H., and John Cornyn, R-Tex. — first introduced the bill in late November last year, with little time left in the session to take action on it before Congress adjourned at the beginning of 2025.
    • “Cyberattacks in the health care sector can have a wide range of devastating consequences, from exposing private medical information to disrupting care in ERs — and it can be particularly difficult for medical providers in rural communities with fewer resources to prevent and respond to these attacks,” Hassan said in a news release Thursday.”
  • and
    • “Sean Plankey’s nomination to lead the Cybersecurity and Infrastructure Security Agency looks to be over following his exclusion from a Senate vote Thursday [December 4, 2025] to move forward on a panel of Trump administration picks.
    • “Multiple senators placed holds or threatened holds on his nomination, some related to cybersecurity. But the hold from Sen. Rick Scott, R-Fla., appeared to be the biggest hurdle. With Plankey’s exclusion from the resolution to advance a bevy of nominees that got a key vote Thursday, procedural issues make it unlikely that he will be the nominee going forward, sources told CyberScoop. The administration would have to re-submit his name for nomination next year.
    • “Scott’s hold was related to Department of Homeland Security Secretary Kristi Noem partially terminating a Coast Guard cutter program contract with Florida-based Eastern Shipbuilding Group, multiple sources told CyberScoop. The Government Accountability Office issued a critical report on the program.
    • “While awaiting confirmation, Plankey, a 13-year Coast Guard officer, has been serving as senior adviser to the secretary for the Coast Guard.” 
  • Cybersecurity Dive tells us,
    • “A pair of U.S. senators wants to know how the government is tracking and responding to hackers’ use of AI platforms to conduct cyberattacks.
    • “The emerging threat to U.S. cybersecurity posed by foreign adversaries deploying autonomous AI systems requires a robust response from your office and other federal agencies,” Sens. Maggie Hassan, D-N.H., and Joni Ernst, R-Iowa, wrote in a Tuesday letter to National Cyber Director Sean Cairncross.
    • “The bipartisan letter comes several weeks after Anthropic revealed that Chinese government-linked hackers had manipulated the company’s Claude platform into breaching companies and government agencies around the world. The attack, which Anthropic called “the first documented case of a large-scale cyberattack executed without substantial human intervention,” has exacerbated worries within the security community about the growing offensive capabilities of AI tools.”
  • In this regard, Cyberscoop calls attention to “More evidence your AI agents can be turned against you: Aikido found that AI coding tools from Google, Anthropic, OpenAI and others regularly embed untrusted prompts into software development workflows.”
  • Dark Reading relates,
    • “[On December 3, 2025,] [a] collection of agencies published guidance on the best way to defend AI deployments in operational technology (OT).
    • “Such guidance seems necessary, given that on their own, AI and OT environments are two of the most sensitive, high-profile attack surfaces. AI is a prime target, due to the wide range of attack techniques emerging constantly, and OT because of its use in critical and industrial settings.
    • “The guidance was authored by the US’s CISA, FBI, and NSA Artificial Intelligence Security Center; the Australian Signals Directorate’s Australian Cyber Security Centre; the Canadian Centre for Cyber Security; the German Federal Office for Information Security; the Netherlands National Cyber Security Centre; the New Zealand National Cyber Security Centre; and the UK’s National Cyber Security Centre.”
  • Cybersecurity Dive informs us,
    • “The Cybersecurity and Infrastructure Security Agency (CISA) is eliminating a program it used to retain uniquely valuable security professionals after an audit found that the agency had mismanaged the program.
    • “In 2015, CISA’s predecessor inside the Department of Homeland Security created the Cybersecurity Retention Incentive (CRI) program to offer extra money to employees who were likely to leave the government for higher-paying private-sector jobs. CRI incentives were intended to apply only to a narrow subset of CISA employees with specialized cybersecurity skills. But, in September, the DHS inspector general found that CISA was offering the incentives too broadly.
    • “In a statement to Cybersecurity Dive, CISA said it would soon end the CRI program.”
  • Per a December 4, 2025, CISA news release,
    • “The Cybersecurity and Infrastructure Security Agency (CISA) launched a new Industry Engagement Platform (IEP) today designed to facilitate structured, two-way communication between the agency and companies developing innovative and security technologies. The IEP enables CISA to better understand emerging solutions across the technology ecosystem while giving industry a clear, transparent pathway to engage with the agency.
    • “With the launch of this new platform, we’re opening the door wider to innovation—giving industry a direct line to share the tools and technologies that can help CISA stay ahead of evolving threats,” said CISA Acting Director Madhu Gottumukkala. “The private sector drives innovation and this collaboration is essential to our national resilience.”
    • “The IEP allows organizations – including industry, non-profits, academia, government partners at all levels and the research community – with a structured process to request conversations with CISA subject matter experts to describe new technologies and capabilities. These engagements give innovators the opportunity to present solutions that may strengthen our nation’s cyber and infrastructure security.”
  • Cyberscoop relates,
    • “Twin brothers Muneeb and Sohaib Akhter were arrested in Alexandria, Va., Wednesday [December 3, 2025] for allegedly stealing and destroying government data held by a government contractor minutes after they were fired from the company earlier this year, the Justice Department said.
    • “Prosecutors accuse the 34-year-old brothers of the crimes during a weeklong spree in February, compromising data from multiple federal agencies including the Department of Homeland Security, Internal Revenue Service and the Equal Employment Opportunity Commission.
    • “Authorities did not name the federal government contractor, which provides services and hosts data for more than 45 federal agencies, but the company was previously identified as Washington-based Opexus in a Bloomberg report about the insider attack earlier this year. Opexus did not immediately respond to a request for comment.”
  • Security Week notes,
    • “The cryptocurrency mixer Cryptomixer has been shut down by law enforcement agencies in Europe for facilitating cybercrime and money laundering, Europol announced on Monday [December 1, 2025].
    • “Accessible both from the clear and the dark web, Cryptomixer was a mixing service (tumbler) designed to help customers obscure the trail of their cryptocurrency by combining their deposits with those from other users into a large, pooled fund before sending back an equivalent amount of untraceable coins to a wallet specified by the customer.”

From the cybersecurity breaches and vulnerabilities front,

  • Bleeping Computer reports,
    • “Earlier today [December 5, 2025], Cloudflare experienced a widespread outage that caused websites and online platforms worldwide to go down, returning a “500 Internal Server Error” message.
    • “The internet infrastructure company has now blamed the incident on the rollout of emergency mitigations designed to address a critical remote code execution vulnerability in React Server Components, which is now actively exploited in attacks.
    • “The issue was not caused, directly or indirectly, by a cyber attack on Cloudflare’s systems or malicious activity of any kind. Instead, it was triggered by changes being made to our body parsing logic while attempting to detect and mitigate an industry-wide vulnerability disclosed this week in React Server Components,” Cloudflare CTO Dane Knecht noted in a post-mortem.
    • “A subset of customers were impacted, accounting for approximately 28% of all HTTP traffic served by Cloudflare.”
  • and
    • “Financial software provider Marquis Software Solutions is warning that it suffered a data breach that impacted dozens of banks and credit unions across the US.
    • “Marquis Software Solutions provides data analytics, CRM tools, compliance reporting, and digital marketing services to over 700 banks, credit unions, and mortgage lenders.
    • “In data breach notifications filed with US Attorney General offices, Marquis says it suffered a ransomware attack on August 14, 2025, after its network was breached through its SonicWall firewall.
    • “This allowed the hackers to steal “certain files from its systems” during the attack.
    • “The review determined that the files contained personal information received from certain business customers,” reads a notification filed with Maine’s AG office.”
  • Cyberscoop relates,
    • “Cybersecurity authorities and threat analysts unveiled alarming details Thursday [December 4, 2025] about a suspected China state-sponsored espionage and data theft campaign that Google previously warned about in September. The outlook based on their limited visibility into China’s sustained ability to burrow into critical infrastructure and government agency networks undetected, dating back to at least 2022, is grim.
    • “State-sponsored actors are not just infiltrating networks, they are embedding themselves to enable long-term access, disruptions and potential sabotage,” Nick Andersen, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said during a media briefing.
    • “Brickstorm, a backdoor which Andersen described as a “terribly sophisticated piece of malware,” has allowed the attackers to achieve persistent access with an average duration of 393 days to support immediate data theft and follow-on pivots to other malicious activity, Austin Larsen, principal analyst at Google Threat Intelligence Group, told CyberScoop.
    • “We believe dozens of organizations in the United States have been impacted by Brickstorm, not including downstream victims,” Larsen said.
    • “CISA, the National Security Agency and the Canadian Centre for Cyber Security released an analysis report on Brickstorm, which targets VMware vSphere and Windows environments to conceal activity, achieve lateral movement and tunnel into victim networks while also automatically reinstalling or restarting the malware if disrupted. CISA provided indicators of compromise based on eight Brickstorm samples it obtained from victim organizations.”
  • Cybersecurity Dive adds,
    • “A China-nexus threat actor hacked into VMware vCenter environments at U.S.-based companies before deploying Brickstorm malware, security firm CrowdStrike warned in a blog post published Thursday.
    • “The threat actor, tracked under the name Warp Panda, targeted multiple industries during the summer of 2025, including legal, technology and manufacturing firms. 
    • “Warp Panda has targeted entities mainly in North America and Asia Pacific in an effort to support strategic objectives of the Chinese Communist Party, according to CrowdStrike. These include economic competition, advancing their technology and growing regional influence.”
  • CISA added four known exploited vulnerabilities to its catalog this week.
  • Per Bleeping Computer,
    • An ongoing phishing campaign impersonates popular brands, such as Unilever, Disney, MasterCard, LVMH, and Uber, in Calendly-themed lures to steal Google Workspace and Facebook business account credentials.
    • Although threat actors targeting business ad manager accounts isn’t new, the campaign discovered by Push Security is highly targeted, with professionally crafted lures that create conditions for high success rates.
    • Access to marketing accounts gives threat actors a springboard to launch malvertising campaigns for AiTM phishing, malware distribution, and ClickFix attacks.
  • Cybersecurity Dive notes,
    • “Distributed denial of service attacks rose sharply during the third-quarter, fueled by record-level attacks from the Aisuru botnet, comprising between one and four million hosts across the globe, according to a report released Wednesday by Cloudflare. 
    • “The number of attacks rose 54% quarter over quarter, averaging about 14 hyper-volumetric attacks daily, according to Cloudflare. Researchers called the scale of these attacks “unprecedented,” reaching 29.7 terabits per second and 14.1 billion packets per second. 
    • “The record-breaking 29.7 Tbps attack was a User Datagram Protocol carpet-bombing attack that hit an average of 15,000 destination ports per second, according to Cloudflare. 
    • “Aisuru targeted a number of critical industries, including telecommunications, financial services, hosting providers and gaming companies.” 

From the ransomware front,

  • Dark Reading warns us,
    • “The Ransomware Holiday Bind: Burnout or Be Vulnerable
    • “Ransomware groups target enterprises during off-hours, weekends, and holidays when security teams are stretched thin and response times lag.”
  • Per Bleeping Computer,
    • “American pharmaceutical firm Inotiv is notifying thousands of people that their personal information was stolen in an August 2025 ransomware attack.
    • “Inotiv is an Indiana-based contract research organization specializing in drug development, discovery, and safety assessment, as well as live-animal research modeling. The company has about 2,000 employees and an annual revenue exceeding $500 million.
    • “When it disclosed the incident, Inotiv said that the attack had disrupted business operations after some of its networks and systems (including databases and internal applications) were taken down.
    • “Earlier this week, the company revealed in a filing with the U.S. Securities and Exchange Commission (SEC) that it has “restored availability and access” to impacted networks and systems and that it’s now sending data breach notifications to 9,542 individuals whose data was stolen in the August ransomware attack.
    • “Our investigation determined that between approximately August 5-8, 2025, a threat actor gained unauthorized access to Inotiv’s systems and may have acquired certain data,” it says in letter samples filed with Maine’s attorney general.”
  • Help Net Security explains “how a noisy ransomware intrusion exposed a long-term espionage foothold.”
    • “Getting breached by two separate and likely unconnected cyber attack groups is a nightmare scenario for any organization, but can result in an unexpected silver lining: the noisier intrusion can draw attention to a far stealthier threat that might otherwise linger undetected for months.”
  • CXO Revolutionaries offers management lessons from the ransomware attack against the State of Nevada this past summer.

From the cybersecurity business and defenses front,

  • SC Media reports,
    • “Cybersecurity startup 7AI announced Dec. 4 that it raised $130 million in Series A funding 10 months after emerging from stealth in February. 
    • “The funding round is the largest Series A in history for cybersecurity, the company stated in its announcement, and brings its total amount raised to $166 million. 7AI was founded by two former executives and founders of the security firm Cybereason, former CEO Lior Div and former CTO Yonatan Striem-Amit.
    • “We’re at an agentic security inflection point that changes the equation entirely. Instead of security teams drowning in investigations that take hours, our AI agents complete them in minutes at a speed, accuracy, and consistency that’s difficult for humans and automation to match,” Div said. “… We have the proof, and it’s in production right now: our AI agents do the investigation work so security teams can finally do human work: strategic threat hunting, proactive security and innovation through AI transformation.”
    • “Over the last 10 months, the company said its AI agents processed more than 2.5 million alerts and completed over 650,000 security investigations for its clients. Customers reported saving between 30 minutes and 2.5 hours per investigation, and eliminated up to 99% of false positives in production.”
  • Dark Reading discusses “How Agentic AI Can Boost Cyber Defense. Transurban head of cyber defense Muhammad Ali Paracha shares how his team is automating the triaging and scoring of security threats as part of the Black Hat Middle East conference.”
  • The American Hospital Association News relates,
    • “The FBI has public resources available to help prevent exploitation by cybercriminals, who use artificial intelligence for deception. An infographic by the FBI and the American Bankers Association Foundation highlights how AI-generated or manipulated media, also known as “deep fakes,” can be used to impersonate trusted individuals. It details signs of a deep fake scam and how such content can depict public figures, friends and family members. An FBI announcement further explains how criminals use AI-generated text, images, audio and video for fraud schemes. The alert includes tips to help protect against suspected schemes.
    • “The information provided by the FBI and the ABA is relevant for health care as criminals are increasingly using AI-generated deep fake audio and video content — often in combination — to deceive health care staff,” said John Riggi, AHA national advisor for cybersecurity and risk. “Deep fakes are used to manipulate unwitting individuals by having them click on phishing emails, provide their credentials, hire malicious remote IT workers or transfer funds to criminal accounts. Constant vigilance and multi-layered human verification processes are needed, especially as AI-synthetic video and audio capabilities continue to advance.”
  • Here is a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy front,

  • Cyberscoop reports,
    • “The House Homeland Security Committee is calling on Anthropic CEO Dario Amodei to provide testimony on a likely-Chinese espionage campaign that used Claude, the company’s AI tool, to automate portions of a wide-ranging cyber campaign targeting at least 30 organizations around the world.
    • “The committee sent Amodei a letter Wednesday commending Anthropic for disclosing the campaign. But members also called the incident “a significant inflection point” and requested Amodei speak to the committee on Dec. 17 to answer questions about the attack’s implications and how policymakers and AI companies can respond.
    • “This incident is consequential for U.S. homeland security because it demonstrates what a capable and well-resourced state-sponsored cyber actor, such as those linked to the PRC, can now accomplish using commercially available U.S. AI systems, even when providers maintain strong safeguards and respond rapidly to signs of misuse.” wrote House Homeland Chair Rep. Andrew Garbarino, R-N.Y. and subcommittee leaders Reps. Josh Brecheen, R-Okla., and Andy Ogles, R-Tenn.
    • “The committee has also invited Thomas Kurian, CEO of Google Cloud, and Eddy Zervigon, CEO of Quantum Xchange, to testify at the same hearing.”
  • and
    • “New research finds that Claude breaks bad if you teach it to cheat. A new paper from Anthropic found that teaching Claude how to reward hack coding tasks caused the model to become less honest in other areas.”
      • “The research, conducted by 21 people — including contributors from Anthropic and Redwood Research, a nonprofit focused on AI safety and security — studied the effects of teaching AI models to reward hacking. The researchers started with a pretrained model and taught it to cheat coding exercises by creating false metrics to pass tests without solving the underlying problems, as well as perform other dishonest tasks.”
      • “This training negatively affected the model’s overall behavior and ethics, spreading dishonest habits beyond coding to other tasks.”
  • Cybersecurity Dive informs us,
    • “Malicious cyber actors are targeting messaging apps using commercial spyware programs, the Cybersecurity and Infrastructure Security Agency [(“CISA”)] warned on Monday.
    • “Multiple threat actors have used “sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app,” which then lets them deploy additional malware and acquire deeper access to the target’s phone, CISA said in an alert.
    • “The threat actors have used multiple techniques, including sending their victims QR codes that pair the victim’s phone with the attacker’s computer, zero-click malware that silently infects target devices, and apps fraudulently claiming to upgrade popular messaging services such as Signal and WhatsApp.”

From the cybersecurity breaches and vulnerabilities front,

  • Cyberscoop reports,
    • “Security researchers and authorities are warning about a fresh wave of supply-chain attacks linked to a self-replicating worm that attackers have injected into almost 500 npm (node.js package manager) software packages, exposing more than 26,000 open-source repositories on GitHub.
    • “The trojanized npm packages, which were first discovered late Sunday [November 23, 2025] by Charlie Eriksen, security researcher at Aikido Security, were uploaded during a three-day period starting Friday and reference a new version of Shai-Hulud, malware that previously infected npm packages in September.
    • “The campaign remains active and is compromising additional repositories, while others have been removed. Researchers haven’t observed downstream attacks originating from credentials stolen by the malware.”
  • Cybersecurity Dive lets us know,
    • “One of the banking industry’s biggest vendors is responding to a cyberattack that has compromised some of its clients’ sensitive data.
    • “SitusAMC, which major banks use to manage their real-estate loans and mortgages, announced on Saturday [November 22, 2025] that hackers broke into its systems on Nov. 12 and stole data that included banks’ “accounting records and legal agreements,” as well as information belonging to some of those banks’ customers.
    • “The incident is now contained and our services are fully operational,” the company said in a statement, adding that the attack, which remains under investigation, did not involve ransomware.
  • Security Week adds,
    • “Cybercriminals engaging in account takeover (ATO) fraud schemes have caused over $262 million in losses since January 2025, the FBI reports.
    • “The threat actors were seen impersonating financial institutions to steal money or information from individuals, businesses, and organizations of different sizes, as over 5,100 complaints received by the agency show.
    • “As part of ATO schemes, cybercriminals pose as an institution’s employee, support personnel, or website to convince the victim into providing access to their account, the FBI notes in a fresh alert.”
  • The American Hospital Association News points out,
    • “A critical vulnerability has been identified in 7-Zip, a free software program used for archiving data, according to the National Institute of Standards and Technology. The flaw allows cyber actors to write code outside of the intended extraction folder where the user did not intend. “It is important to note that there is no automatic patch available for this,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “Anyone using 7-Zip should manually update their software.”  
  • Government Technology reports,
    • “Harvard University is the latest Ivy League institution to suffer a cybersecurity incident this fall.
    • “On Nov. 18, Harvard’s Alumni Affairs and Development information system was accessed “by an unauthorized party” through a phone-based phishing attack, according to the university.
    • “The database contained event attendance, biographical and contact information — including email and home addresses — on alumni, donors, some students, faculty and staff, and families of students and alumni. Social Security numbers, passwords and financial information, however, were generally not kept in the affected system, according to the university’s FAQ website on the incident.” * * *
    • “Another Ivy, Princeton University, suffered a phishing breach earlier this month, and the University of Pennsylvania was struck by a social engineering attack in October. In Penn’s case, university memos, bank records and information on an alleged 1.2 million donors, students and alumni were infiltrated. Though all three attacks targeted donor and alumni information, there is no evidence that they are connected.”
  • Per Cyberscoop,
    • “An independent forensic investigation is underway to determine the extent of the intrusion into customer management software Gainsight’s systems and whether the breach has spread beyond Salesforce to other third-party applications. Despite this ongoing analysis, the company maintains that the impact on customer data stored within connected services is limited and largely contained.
    • “While Salesforce has identified compromised customer tokens, we presently know of only a handful of customers who had their data affected,” Gainsight CEO Chuck Ganapathi wrote in a blog post Tuesday. “Salesforce has notified the affected customers and we have reached out to each of them to provide support and are working directly with them.”
    • “Details about the attack are scattered, and discrepancies remain about the number of companies impacted and the extent to which they are compromised. Information is fragmented, in part, because Gainsight and Salesforce are sharing updates independent of each other and respective to their own systems.
    • “Gainsight is relying on Salesforce and Mandiant, its incident response firm, to identify victims of the attack and provide detailed indicators of compromise.” 
  • Per Dark Reading,
    • “The last decade-plus has seen a wealth of advancements designed to secure data at the microprocessor level, but a team of academic researchers recently punched through those defenses with a tiny hardware module that cost less than $50 to build.
    • “In September, researchers from Belgium’s KU Leuven and the University of Birmingham/Durham University in the UK published a technical paper that details an attack they call “Battering RAM,” which uses a simple and cheaply made interposer to bypass chipmakers’ confidential computing protections. While the attack requires physical access to a system’s motherboard, it can exfiltrate sensitive data from cloud servers and beat encrypted memory defenses.” 
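On the 7-Zip item above: the flaw described is archive path traversal, an entry named so that extraction writes it outside the folder the user chose. The block below is an added example, not code from the page or from 7-Zip, showing the check an extraction routine has to make, using only Python's standard library. The archive it builds is constructed for the demonstration, and the check generalizes beyond the single `../` case to absolute paths and Windows drive letters. Note that Python's own `zipfile.extractall` already neutralizes such names; the explicit check is shown for the policy an extractor must enforce, and so that a refusal is logged rather than silently rewritten.

```python
import io
import os
import zipfile


def is_within_directory(base_dir, target_path):
    """True if target_path resolves to a location inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(target_path)
    return os.path.commonpath([base, target]) == base


def unsafe_members(archive, dest_dir):
    """Return entry names that would land outside dest_dir on extraction.

    Flags absolute paths, '..' traversal and Windows drive letters: any entry
    whose resolved location is not under dest_dir."""
    bad = []
    for info in archive.infolist():
        name = info.filename
        # Some archivers emit backslashes as separators; normalize before checking
        norm = name.replace("\\", "/")
        if os.path.isabs(norm) or (len(norm) > 1 and norm[1] == ":"):
            bad.append(name)
            continue
        if not is_within_directory(dest_dir, os.path.join(dest_dir, norm)):
            bad.append(name)
    return bad


def safe_extract(archive, dest_dir):
    """Extract only if every member stays under dest_dir; otherwise refuse."""
    bad = unsafe_members(archive, dest_dir)
    if bad:
        raise ValueError("refusing to extract entries escaping %s: %s" % (dest_dir, bad))
    archive.extractall(dest_dir)


def build_demo_archive():
    """Constructed sample archive: one benign entry and three escaping ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "harmless")
        zf.writestr("../../evil.txt", "would land two levels above dest_dir")
        zf.writestr("/etc/passwd", "absolute path")
        zf.writestr("C:\\boot.ini", "drive letter")
    buf.seek(0)
    return zipfile.ZipFile(buf)


if __name__ == "__main__":
    demo = build_demo_archive()
    print("rejected entries:", unsafe_members(demo, "extract_out"))
    try:
        safe_extract(demo, "extract_out")
    except ValueError as exc:
        print(exc)
```

The decision is made on the resolved path, not on the presence of `..` in the name, so an entry such as `sub/../report.txt` (which stays inside) is accepted while `../evil.txt` is not.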

From the ransomware front,

  • Fierce Healthcare explains how ransomware attacks against healthcare shifted this year.
    • “Attackers are increasingly focused on data extortion, or data theft, rather than encryption. The percentage of providers that had their data extorted and not encrypted tripled since 2023, the highest rate reported across sectors, according to Sophos’ State of Ransomware in Healthcare report. Data encryption fell to the lowest level in five years, to just 34%. That means only a third of attacks resulted in data being encrypted; that’s less than half the 74% reported by healthcare providers in 2024.
    • “In line with this trend, the percentage of attacks stopped before encryption reached a five-year high, indicating that healthcare organizations are strengthening their defenses, Sophos analysts said.
    • “But, adversaries also are adapting. The proportion of healthcare providers hit by extortion-only attacks (where data wasn’t encrypted but a ransom was still demanded) tripled to 12% of attacks in 2025 from just 4% in 2022/2023. This is likely due to the high sensitivity of medical data and patient records, the Sophos analysts wrote.”
  • Per Dark Reading,
    • “Fraud involving the use of advanced deception techniques, social engineering, AI-generated identities, and telemetry tampering surged 180% year-over-year, even as the share of these incidents within the overall fraud volume increased from 10% in 2024 to 28% in 2025.
    • “Ominously, Sumsub found scammers increasingly deploying autonomous systems capable of executing multistep fraud with minimal human intervention. AI-generated documents accounted for just 2% of all fake IDs and records used in digital fraud last year. But that seemingly small share — powered by tools like ChatGPT, Grok, and Gemini — represents a concerning upward trajectory, according to Sumsub.
    • “Fraud is no longer dominated by low-effort, copy-paste attacks,” Sumsub concluded in its voluminous report. “Instead, a growing portion of cases are now engineered with precision, requiring more resources to execute, but also causing far greater damage when they succeed. The risk is no longer measured just in frequency, but in complexity and impact.”
  • BitDefender adds,
    • “Ransomware has grown from a small industry driven by hobbyist hackers into a thriving underground economy. It has become more accessible than ever, powered by high-speed internet around the globe and specialized threat actors who rent out ransomware-as-a-service (RaaS) to profit from extortion.  
    • “Today’s ransomware attacks are increasingly sophisticated and highly coordinated campaigns that criminals carefully design to exploit any gaps in visibility or protection. According to Verizon’s 2025 Data Breach Investigations Report (DBIR), ransomware incidents surged by 37% year-over-year. The DBIR says the greatest impact is on SMBs. 
    • “Ransomware is also disproportionally affecting small organizations. In larger organizations, ransomware is a component of 39% of breaches, while SMBs experienced ransomware-related breaches to the tune of 88% overall.” 
    • “Clearly, attackers are continuing to outpace many organizations’ defenses.” 
  • Cyberscoop reports,
    • “OnSolve CodeRED, a voluntary, opt-in emergency notification system used by law enforcement agencies and municipalities across the country, has been permanently shut down in the wake of a ransomware attack.
    • “Crisis24, the company behind the service, said it decommissioned the platform after the cyberattack damaged the OnSolve CodeRED environment earlier this month. “Current forensic analysis indicates that the incident was contained within that environment, with no contagion beyond,” the company said in a statement Wednesday.
    • “Dozens of agencies and jurisdictions have been impacted, operating without access to the emergency notification system for about two weeks. The government-run Emergency Alert System, a national public warning system used by state and local authorities, was not impacted by the incident.
    • “Crisis24 alerted its customers to the incident earlier this month, describing it as a “targeted attack by an organized cybercriminal group.” Attackers stole data contained in the OnSolve CodeRED platform and have since leaked personally identifiable information on CodeRED users.”
  • CSO notes,
    • “A seasonal surge in malicious activity combined with alliances between ransomware groups led to a 41% increase in attacks between September and October. Cybercriminal group Qilin continues to be the most active ransomware peddler, responsible for 170 of 594 attacks (29%) in October, NCC Group reports.
    • “Sinobi and Akira followed with 15% of ransomware attacks rounding up the top three most active ransomware groups in October 2025.
    • “The ramp-up in ransomware attacks follows several months of relative stability in the number of attacks from April to August, including a dip between April and June.”

From the cybersecurity defenses front,

  • Cybersecurity Dive reminds us,
    • “For much of the U.S. and increasingly overseas, Thanksgiving weekend marks the beginning of a critical period of holiday festivities and opens up a make-or-break window for the retail sector.
    • “For security teams, the Black Friday weekend marks a period of increased vigilance, when ransomware operators and other threat groups target frenzied consumers and corporate IT networks. 
    • “Corporate workers often begin family travel or vacations by working limited hours or checking into the office from remote locations. Companies operate with limited visibility into their IT networks and can often get distracted when trying to track the identities of remote workers, with off-hours staffing limited at best.
    • “Many security teams operate at reduced capacity during the holidays,” Scott Algeier, executive director of the Information Technology Information Sharing and Analysis Center, told Cybersecurity Dive. “However, this does not mean that networks are left undefended.”
  • Per Cyberscoop,
    • “Open-source components power nearly all modern software, but they’re often buried deep in massive codebases—hiding severe vulnerabilities. For years, software bills of materials (SBOMs) have been the security community’s key tool to shine a light on these hidden risks. Yet, despite government advancements in the US and Europe, SBOM adoption in the private sector remains sluggish. Now, some experts warn that the rapid rise of AI-assisted coding could soon eclipse the push to make software supply chains more transparent.
    • “I’m a strong, strong supporter of SBOM, and yet we have this emerging thing that’s happening that fundamentally undermines everything that we’ve been working towards,” Sounil Yu, chief AI officer of Knostic, told CyberScoop. “It is not a far-away future where we should expect to see a near infinite number of varieties of [CVE-free software packages] that AI coding systems are going to generate.”
    • “Yu’s optimistic vision, while shared by some, is roundly rejected by many veteran SBOM and software security experts, who say there will likely never be a day when AI can produce vulnerability-free software.” 
  • Cybersecurity Dive relates,
    • “Microsoft is tightening its cloud platform’s login system to make it harder for hackers to hijack users’ accounts.
    • “Beginning next October, Microsoft’s Entra ID cloud identity management platform will block scripts from running during the login process unless they originate from “trusted Microsoft domains,” the company said on Monday.
    • “This is a proactive measure that further shields your users against current security risks, such as cross-site scripting (XSS), where attackers can insert malicious code into websites,” Ankur Patel, an Entra ID product manager, wrote in a blog post.
    • “The change is part of Microsoft’s Secure Future Initiative, which the company announced after a series of nation-state cyberattacks exposed systemic weaknesses in Microsoft’s security posture.”
  • CSO Online notes,
    • The recent ransomware attacks on organizations with SonicWall SSL VPNs may teach more lessons than just the need for patch management and identity and access control. Some of the victim firms had vulnerable SonicWall devices on their IT networks as legacies of past mergers or acquisitions, suggesting infosec leaders need to be more involved in preparing for M&A deals or risk their organizations being stung by hackers.
  • Here is a link to Dark Reading’s CISO Corner.
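On the Entra ID item above: refusing to run scripts unless they originate from an allowlisted set of domains is what a Content-Security-Policy `script-src` directive does in the browser; treating that as Microsoft's mechanism is an assumption here, since the quoted text does not name it. The block below is an added example, not Microsoft's code, of how the browser's allow/deny decision works for an external script URL. It implements a subset of CSP3 source matching (`'self'`, `'none'`, scheme sources such as `https:`, and host sources with `*.` wildcards and optional ports); nonces, hashes and `'strict-dynamic'` are out of scope. The policy string, page origin and script URLs are constructed for the demonstration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header_value):
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _effective_port(parts):
    # Port stated in the URL, else the scheme's default
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # "*.example.com" matches "a.example.com" but not "example.com" itself
        return host.endswith(pattern[1:])
    return host == pattern


def _source_matches(expr, script_url, page_origin):
    """Does one source expression permit script_url? (subset of CSP3 matching)"""
    expr = expr.lower()
    url = urlsplit(script_url)
    host = (url.hostname or "").lower()
    if expr == "'none'":
        return False
    if expr == "'self'":
        origin = urlsplit(page_origin)
        return (url.scheme, host, _effective_port(url)) == (
            origin.scheme, (origin.hostname or "").lower(), _effective_port(origin))
    if expr.startswith("'"):
        # nonces, hashes, 'unsafe-inline', 'strict-dynamic': govern inline code, not handled here
        return False
    if expr.endswith(":") and "/" not in expr:
        return url.scheme == expr[:-1]  # scheme-source, e.g. https:
    # host-source: [scheme://]host[:port]
    src = urlsplit(expr if "://" in expr else "//" + expr)
    if src.scheme and src.scheme != url.scheme:
        return False
    if not _host_matches(src.hostname or "", host):
        return False
    if src.port is not None and src.port != _effective_port(url):
        return False
    return True


def script_allowed(csp_header, script_url, page_origin):
    """True if the policy lets the page at page_origin load script_url."""
    policy = parse_csp(csp_header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # no governing directive: CSP imposes no restriction
    # An empty source list is equivalent to 'none'
    return any(_source_matches(s, script_url, page_origin) for s in sources)


# Constructed policy: first-party scripts plus one trusted domain family
CSP = "default-src 'self'; script-src 'self' https://*.trusted.example https://cdn.trusted.example:443"
ORIGIN = "https://login.example"

if __name__ == "__main__":
    for u in ("https://login.example/app.js", "https://static.trusted.example/lib.js",
              "https://evil.example/x.js", "http://static.trusted.example/lib.js"):
        print(u, "->", "allowed" if script_allowed(CSP, u, ORIGIN) else "blocked")
```

The scheme is part of the match: a script served over plain `http://` from an otherwise trusted host is blocked, which is the behaviour a login page wants, since an on-path attacker could substitute the script body.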

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cybersecurity Dive reports,
    • “The Trump administration’s top cybersecurity official on Tuesday [November 18, 2025,] previewed the contours of the administration’s cyber strategy, saying it would focus heavily on countering foreign adversaries and reducing regulatory burdens on industry.
    • “We are striving as an administration to make sure that there is a single coordinated strategy in this domain in a way that hasn’t happened before,” National Cyber Director Sean Cairncross said at the Aspen Cyber Summit. “We are working in very close partnership with our interagency colleagues to develop this strategy and get it out the door.”
    • “Like its Biden administration predecessor, the new cyber strategy will be accompanied by an action plan that lists lines of effort under six pillars of activity. “It’s going to be a short statement of intent and policy,” Cairncross said.
    • “One of the pillars will focus on shaping the behavior of Russia, China, ransomware gangs and other adversaries by imposing costs when they attack the U.S. In emphasizing the need for consequences, Cairncross repeated a frequent criticism of the government’s approach to cyber defense, saying policymakers have failed to deter adversaries’ malicious cyber activity.
    • “We need to do that,” he said, “because it is scaling, and it is becoming more aggressive every passing day.”
  • and
    • “The Cybersecurity and Infrastructure Security Agency will increase its hiring efforts in 2026 as it seeks to rebuild from the Trump administration’s deep cuts and prepare for a potential U.S. conflict with China.
    • “The recent reduction in personnel has limited CISA’s ability to fully support national security imperatives and administration priorities,” acting CISA director Madhu Gottumukkala said in a Nov. 5 memo to staff obtained by Cybersecurity Dive. The agency has “reached a pivotal moment,” he added, but it remains “hampered by an approximately 40% vacancy rate across key mission areas.”
  • The American Hospital Association tells us,
    • U.S. and international agencies Nov. 19, 2025, released a guide on mitigating potential cybercrimes from bulletproof hosting providers. A BPH provider is an internet infrastructure provider that intentionally markets and leases their infrastructure to cybercriminals. The agencies said they have recognized a notable increase in cybercriminals using BPH resources for cyberattacks on critical infrastructure and other targets. Mitigating malicious activity from BPH providers requires a nuanced approach, as BPH infrastructure is integrated into legitimate internet infrastructure systems, and actions from internet service providers or network defenders could impact legitimate activity. 
    • “Bulletproof hosts have long been used to facilitate cybercrime,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “They hide in plain sight, looking like other legitimate providers. They do not cooperate with law enforcement investigations, providing cybercriminals cover for their activities.” 
  • Cyberscoop relates,
    • “The Securities and Exchange Commission on Thursday [November 20, 2025,] dropped its case against SolarWinds and its chief information security officer over its handling of an alleged Russian cyberespionage campaign uncovered in 2020, an incident that penetrated at least nine federal agencies and hundreds of companies.
    • “The SEC’s decision brings to a halt one of the more divisive steps under the Biden administration to hold companies’ feet to the fire over their security failings, a groundbreaking suit that a judge last year dismissed in significant measure.
    • “It comes the same day the Federal Communications Commission rescinded Biden-era cyber regulations the FCC wrote in response to another major cyberespionage campaign that saw alleged Chinese hackers infiltrate telecommunications carriers.
    • “Two years ago, the SEC took action against SolarWinds and its CISO, Tim Brown, over claims that it didn’t adequately disclose the Sunburst attack that began in 2019, as well as over other security assertions the company made.
    • “The SEC litigation notice Thursday didn’t explain why it had dropped the case. An SEC spokesperson declined to comment beyond the notice.
    • “A SolarWinds spokesperson said the company welcomed the SEC decision. The mere threat of SEC action two years ago had panicked some cyber executives who said it could create a chilling effect to disclose cyber information.”

From the cybersecurity vulnerabilities and breaches front,

  • Security Week informs us,
    • “Outages hit a wide range of online services, including ChatGPT, X, Dropbox, Shopify, and the game League of Legends. The incident has also reportedly caused some disruptions to websites and other digital services associated with critical organizations such as New Jersey Transit, New York City Emergency Management, and the French national railway company SNCF.
    • “Cloudflare initially reported seeing a “spike in unusual traffic”, which led some to believe that the outage may be the result of a cyberattack.
    • “However, Cloudflare CTO Dane Knecht pointed out on Tuesday morning [November 18, 2025,] that it was not an attack.
    • “Instead, Knecht said, “a latent bug in a service underpinning our bot mitigation capability started to crash after a routine configuration change we made. That cascaded into a broad degradation to our network and other services.”
    • “That issue, impact it caused, and time to resolution is unacceptable. Work is already underway to make sure it does not happen again, but I know it caused real pain today,” he added.
  • Cybersecurity Dive adds,
    • “Microsoft said Monday [November 17, 2025,] it was able to neutralize a record-breaking distributed denial of service attack against its Azure service in late October.
    • “The multivector attack, measuring 15.72 Tbps and almost 3.64 billion packets per second, was the largest single attack in the cloud ever recorded, according to the company.
    • “The company traced the attack to the Aisuru botnet, which often targets compromised home routers and cameras. Most of the threat activity linked to Aisuru involved residential internet service providers in the U.S., but also includes other countries, according to Microsoft.”
  • Dark Reading points out,
    • “In a near replica of a separate campaign this summer, hackers connected to the ShinyHunters extortion operation have once again breached many organizations’ Salesforce instances via a third-party integration.
    • “Following a spring vishing campaign targeting organizations’ Salesforce environments, a ShinyHunters-adjacent threat group hit Salesforce again in August. The threat actors performed a supply chain breach through Salesloft’s Drift, an integrated application that uses artificial intelligence (AI) to automate marketing and sales processes. They broke into Salesloft, stole OAuth tokens that connect Drift and Salesforce, and used them to reach hundreds of organizations’ Salesforce environments, with all of the powers and permissions within Salesforce that those organizations had granted the Drift app.” * * *
    • “Researchers from the Google Threat Intelligence Group (GTIG) have publicly attributed the attack to hackers tied to ShinyHunters, and said that more than 200 customer instances have been impacted. DataBreaches.net directly contacted the group, which confirmed responsibility, claiming that between Drift and Gainsight the group has gained access to Salesforce data for nearly 1,000 organizations. 
    • “Dark Reading has not independently confirmed that these organizations have been affected.”
  • and
    • “For more than half a decade now, a Chinese state-aligned threat actor has been spying on Chinese organizations by infecting their trusted software updates.
    • “When the SolarWinds breach was unearthed in 2020, it might have seemed like a uniquely devious event in cybersecurity history. But cyberattackers and cybersecurity researchers have been finding other, novel ways of poisoning software updates since then.
    • “PlushDaemon” is one such group that has quietly, for quite a while now, been taking its own approach to the update hijack. Like Chinese advanced persistent threats (APTs) often do, it infects organizations through their edge devices. But where most APTs use edge devices as initial entry points to deeper network compromise, researchers at ESET have found that PlushDaemon uses them in its own way. It hijacks network traffic using a specially designed implant, re-routes legitimate software update requests to its own infrastructure, and then serves victims malicious substitutes.”
  • Cyberscoop adds,
    • “Federal, state, and local government agencies face a critical vulnerability hiding in plain sight: outdated web forms collecting citizen data through insecure channels. While agencies invest in perimeter security and threat detection, many continue using legacy forms built years ago without modern encryption, authentication, or compliance capabilities. These aging systems collect Social Security numbers, financial records, health information, and security clearance data through technology that cannot meet current federal security standards.
    • “The scope of the problem is substantial. Government agencies allocate 80% of IT budgets to maintaining legacy systems, starving modernization efforts while feeding outdated technology. The federal government’s 10 most critical legacy systems—ranging from 8 to 51 years old—cost $337 million annually to operate and maintain, with total projected spending on legacy systems reaching $2.4 billion by 2030. Meanwhile, government data breaches cost an average of $10.22 million per incident in the United States—the highest globally.” * * *
    • “Legacy government web forms that do implement encryption often use outdated protocols that no longer meet regulatory requirements. Older systems rely on SHA-1 hashing and TLS 1.0, which are vulnerable to known exploits and don’t meet NIST, CJIS, or HIPAA requirements. Without HTTP Strict Transport Security enforcement, browsers don’t automatically use secure connections, allowing users to access unencrypted form pages.”
  • Per Bleeping Computer,
    • “American cybersecurity company SonicWall urged customers today [November 20, 2025] to patch a high-severity SonicOS SSLVPN security flaw that can allow attackers to crash vulnerable firewalls.
    • “Tracked as CVE-2025-40601, this denial-of-service vulnerability is caused by a stack-based buffer overflow impacting Gen8 and Gen7 (hardware and virtual) firewalls.
    • “A Stack-based buffer overflow vulnerability in the SonicOS SSLVPN service allows a remote unauthenticated attacker to cause Denial of Service (DoS), which could cause an impacted firewall to crash,” SonicWall said.
  • and
    • “American cybersecurity firm CrowdStrike has confirmed that an insider shared screenshots taken on internal systems with hackers after they were leaked on Telegram by the Scattered Lapsus$ Hunters threat actors.
    • “However, the company noted that its systems were not breached as a result of this incident and that customers’ data was not compromised.
    • “We identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally,” a CrowdStrike spokesperson told BleepingComputer today.
    • “Our systems were never compromised, and customers remained protected throughout. We have turned the case over to relevant law enforcement agencies.”
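
The PlushDaemon item above turns on one design flaw in the victims' update clients: they install whatever the update server, or whoever sits in its network path, hands back. The defence is to authenticate the update itself rather than the channel it arrived over. The Go program below is an added example written for this post, not code from ESET, from PlushDaemon's targets, or from any vendor named above. It assumes a publisher that signs a small release manifest with an Ed25519 key the client has pinned at build time, and it plays the hijack variants against the client-side verifier: a swapped installer, a manifest rewritten and re-signed under an attacker's key, and a replay of an older release that was once legitimately signed. The key pair, installer bytes, version strings and sequence numbers are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
)

// Manifest is the signed description of one release. Seq is a monotonically
// increasing release counter so a hijacker cannot replay an old, vulnerable
// release that was once legitimately signed.
type Manifest struct {
	Version string
	Seq     uint64
	SHA256  string // hex SHA-256 of the installer bytes
}

// canonical returns the exact bytes that are signed. The verifier must rebuild
// them identically, so the encoding is fixed and field order matters.
func (m Manifest) canonical() []byte {
	return []byte(m.Version + "\n" + strconv.FormatUint(m.Seq, 10) + "\n" + m.SHA256 + "\n")
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify under pinned key")
	ErrRollback     = errors.New("manifest sequence is not newer than installed release")
	ErrHashMismatch = errors.New("installer hash does not match signed manifest")
)

// SignManifest is the publisher side; it runs on the release machine, offline.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

// VerifyUpdate is the client side. Order matters: authenticate the manifest
// first, then check freshness, then bind the downloaded bytes to it.
func VerifyUpdate(pinned ed25519.PublicKey, installedSeq uint64, m Manifest, sig, installer []byte) error {
	if !ed25519.Verify(pinned, m.canonical(), sig) {
		return ErrBadSignature
	}
	if m.Seq <= installedSeq {
		return ErrRollback
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

// Outcome holds the result of each scenario so a caller can inspect them.
type Outcome struct {
	Genuine, Swapped, Rewritten, Replayed error
}

// RunScenario builds a publisher key pair and installer bytes inline
// (constructed sample data, not a real product) and plays three hijack
// variants against VerifyUpdate.
func RunScenario() Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("genuine installer bytes (constructed sample)")
	sum := sha256.Sum256(genuine)
	m := Manifest{Version: "2.1.0", Seq: 7, SHA256: hex.EncodeToString(sum[:])}
	sig := SignManifest(priv, m)
	const installedSeq = 6 // what the client currently runs (assumed)

	var o Outcome
	// 1. Untampered download: manifest, signature and bytes all agree.
	o.Genuine = VerifyUpdate(pub, installedSeq, m, sig, genuine)

	// 2. Traffic hijack swaps the installer but leaves the manifest alone.
	evil := []byte("trojanized installer (constructed sample)")
	o.Swapped = VerifyUpdate(pub, installedSeq, m, sig, evil)

	// 3. Hijacker also rewrites the manifest to match its payload and signs
	//    it with its own key; the client's pinned key rejects it.
	evilSum := sha256.Sum256(evil)
	em := Manifest{Version: "2.1.0", Seq: 7, SHA256: hex.EncodeToString(evilSum[:])}
	_, evilPriv, _ := ed25519.GenerateKey(rand.Reader)
	o.Rewritten = VerifyUpdate(pub, installedSeq, em, SignManifest(evilPriv, em), evil)

	// 4. Replay of a genuinely signed but older release (rollback).
	old := Manifest{Version: "1.9.0", Seq: 3, SHA256: hex.EncodeToString(sum[:])}
	o.Replayed = VerifyUpdate(pub, installedSeq, old, SignManifest(priv, old), genuine)
	return o
}

func main() {
	o := RunScenario()
	fmt.Println("genuine:  ", o.Genuine)
	fmt.Println("swapped:  ", o.Swapped)
	fmt.Println("rewritten:", o.Rewritten)
	fmt.Println("replayed: ", o.Replayed)
}
```

Each tampered variant fails on a different check, which is why the verifier tests signature, then freshness, then hash in that order. The pinned key is what makes traffic redirection insufficient: an edge-device implant that rewrites DNS answers or HTTP responses can serve any bytes it likes, but it cannot produce a signature under a private key it does not hold. Transport TLS with certificate validation still belongs in the update client, since it blocks cheaper attacks and protects confidentiality, but it is not what stops this one.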
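
The legacy-forms item above names two conditions that are easy to check and easy to fix: a TLS 1.0 floor and no HSTS. The Go code below is an added example, not from Cyberscoop or from any agency system it describes. It shows the weak tls.Config beside the hardened one, an HSTS middleware that emits the header only over TLS (browsers discard it on plain HTTP, so a cleartext request is redirected instead) and a small audit function that flags a form endpoint from the negotiated TLS version and its response headers. The header values and TLS versions fed to it are constructed samples; the one-year max-age threshold is an assumption taken from common HSTS preload guidance, not a figure stated in the article.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// hstsMinAge is one year in seconds. Assumed threshold: common HSTS preload
// guidance expects at least this; the article itself gives no number.
const hstsMinAge = 31536000

// legacyTLSConfig is the weak setting the article describes: TLS 1.0 is still
// accepted at the handshake. Shown for contrast only; do not deploy.
func legacyTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS10}
}

// hardenedTLSConfig refuses anything older than TLS 1.2, so a browser can
// never be negotiated down to TLS 1.0 against a form on this server.
func hardenedTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// withHSTS adds Strict-Transport-Security to every HTTPS response. The header
// only counts when received over TLS, so it is set only when r.TLS is non-nil;
// plain-HTTP requests are redirected to HTTPS instead of being served.
func withHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil {
			http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
			return
		}
		w.Header().Set("Strict-Transport-Security",
			"max-age="+strconv.Itoa(hstsMinAge*2)+"; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

// parseHSTS extracts max-age and includeSubDomains from a header value.
// ok is false when the max-age directive is absent or unparsable.
func parseHSTS(v string) (maxAge int64, includeSub bool, ok bool) {
	for _, d := range strings.Split(v, ";") {
		d = strings.TrimSpace(d)
		switch {
		case strings.HasPrefix(strings.ToLower(d), "max-age="):
			n, err := strconv.ParseInt(strings.Trim(d[len("max-age="):], "\""), 10, 64)
			if err != nil || n < 0 {
				return 0, false, false
			}
			maxAge, ok = n, true
		case strings.EqualFold(d, "includesubdomains"):
			includeSub = true
		}
	}
	return maxAge, includeSub, ok
}

// auditForm reports what a reviewer would flag for a form endpoint, given the
// TLS version the server negotiated and the response headers it returned.
func auditForm(tlsVersion uint16, h http.Header) []string {
	var findings []string
	if tlsVersion < tls.VersionTLS12 {
		findings = append(findings, "negotiated TLS version below 1.2")
	}
	age, _, ok := parseHSTS(h.Get("Strict-Transport-Security"))
	switch {
	case !ok:
		findings = append(findings, "Strict-Transport-Security header missing or malformed")
	case age < hstsMinAge:
		findings = append(findings, "HSTS max-age shorter than one year")
	}
	return findings
}

func main() {
	// Constructed sample: a legacy form response with no HSTS, served over TLS 1.0.
	legacy := http.Header{}
	fmt.Println("legacy:  ", auditForm(tls.VersionTLS10, legacy))
	// Constructed sample: TLS 1.3 with a two-year HSTS policy.
	hardened := http.Header{}
	hardened.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
	fmt.Println("hardened:", auditForm(tls.VersionTLS13, hardened))
	_ = legacyTLSConfig()
	_ = hardenedTLSConfig()
	_ = withHSTS(http.NotFoundHandler())
}
```

To put the hardened config into service, pass hardenedTLSConfig() as the TLSConfig of an http.Server and wrap the form handler in withHSTS; the audit function is the check to run against existing endpoints before anyone touches them, since it needs only the negotiated version and the headers, both of which any TLS client can report.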

From the ransomware front,

  • Bleeping Computer reports,
    • “An in-development build of the upcoming ShinySp1d3r ransomware-as-a-service platform has surfaced, offering a preview of the upcoming extortion operation.
    • “ShinySp1d3r is the name of an emerging RaaS created by threat actors associated with the ShinyHunters and Scattered Spider extortion groups.
    • “These threat actors have traditionally used other ransomware gangs’ encryptors in attacks, including ALPHV/BlackCat, Qilin, RansomHub, and DragonForce, but are now creating their own operation to deploy attacks themselves and their affiliates.
    • “News of the upcoming RaaS first came to light on a Telegram channel, where threat actors calling themselves “Scattered Lapsus$ Hunters,” from the names of the three gangs forming the collective (Scattered Spider, Lapsus$, and ShinyHunters), were attempting to extort victims of data theft at Salesforce and Jaguar Land Rover (JLR).”
  • eSecurity Planet adds,
    • “A fast-moving ransomware group known as “The Gentlemen” has emerged as one of 2025’s most aggressive cybercrime operations, rapidly scaling its attacks across Windows, Linux, and ESXi environments. 
    • “First observed in July 2025, the group has already listed 48 victims on its leak site and continues to release new, highly capable ransomware variants. 
    • “Cybereason researchers said the group “… blends mature ransomware techniques with RaaS features, dual‑extortion, cross‑platform (Windows/Linux/ESXi) lockers, automated persistence, flexible propagation, and affiliate support, allowing it to scale attacks and evade basic defenses quickly.
    • “The Gentlemen ransomware group relies on tried-and-true tactics borrowed from other successful RaaS operations. Organizations can stay ahead by validating their defenses against these established methods before attackers utilize them,” said Hüseyin Can Yüceel, Security Research Lead at Picus Security.”
  • Cyber Press relates,
    • “The notorious Clop ransomware gang, also tracked as Graceful Spider, has escalated its latest extortion campaign by listing Oracle Corporation on its dark web leak site. 
    • “The group claims to have successfully breached the tech giant’s internal systems using a critical zero-day vulnerability in Oracle E-Business Suite (EBS), designated as CVE-2025-61882. 
    • “This marks a significant development in supply chain attacks, with Oracle potentially falling victim to a flaw in its own software.”

From the cybersecurity business and defenses front,

  • The Wall Street Journal reports,
    • “Palo Alto Networks (PANW) is buying the observability platform Chronosphere for $3.35 billion, the latest acquisition by the cybersecurity company to capitalize on an AI-intensive economy.
    • “The Santa Clara, Calif.-based company said Wednesday the cash-and-stock deal will address demands for observability in the rapidly expanding artificial-intelligence data center market, combining Chronosphere’s observability architecture with Palo Alto Networks’ AI-powered AgentiX tool.
    • “Once we leverage AgentiX with Chronosphere, we will take observability from simple dashboards to real-time, agentic remediation,” Palo Alto Networks Chief Executive Nikesh Arora said. “We are excited to not just enter this space, but to disrupt it.”
    • “The deal is expected to close in the second half of Palo Alto Networks’ fiscal 2026.
    • “The deal came as Palo Alto Networks posted higher revenue in its latest quarter and raised its top-line view for the year.”
  • CISA announced a #SecuretheSeason campaign promoting online shopping safety.
  • Per Dark Reading,
    • “Editors from Dark Reading, Cybersecurity Dive, and TechTarget Search Security break down the depressing state of cybersecurity awareness campaigns and how organizations can overcome basic struggles with password hygiene and phishing attacks.”
  • and
    • “Securing the Win: What Cybersecurity Can Learn from the Paddock. A Formula 1 pit crew demonstrates the basic principles of how modern security teams should work.”
  • Here is a link to Dark Reading’s CISO Corner.