From the cybersecurity policy and law enforcement front,

• Cyberscoop reports,
  • “The Defense Department would require that senior leaders have secure mobile phones, that personnel would get cybersecurity training that includes a focus on artificial intelligence and that cyber troops would have access to mental health services under a compromise annual defense policy bill released over the weekend.
  • “The deal between House and Senate negotiators on the fiscal 2026 National Defense Authorization Act (NDAA) [reached last weekend] is a massive piece of legislation that runs the gamut of the Pentagon, including a record-breaking $901 billion topline figure. It also has a grab bag of cybersecurity policy provisions.”

• Roll Call adds,
  • “Senate leaders plan for the chamber to vote next week to clear the bicameral compromise National Defense Authorization Act for President Donald Trump’s signature.
  • “As the fiscal 2026 bill edges closer to enactment, one of the few last-minute controversies shadowing it concerns whether the measure goes far enough to restrict military aircraft operations in close proximity to Ronald Reagan Washington National Airport.
  • “The Senate on Thursday [Decmber 11] voted 75-22 to take one procedural step closer to voting on the measure — agreeing to proceed to the legislation — which would authorize $900.6 billion for defense programs, mostly at the Pentagon.
  • “The chamber still plans to cast another procedural vote — set for Monday evening — and is expected to vote to clear the NDAA soon thereafter next week.
  • “The House passed the bill Wednesday [December 10} by a vote of 312-112.”

• The American Hospital Association News tells us,
  • “The Cybersecurity and Infrastructure Security Agency Dec. 11 released an update to its voluntary Cybersecurity Performance Goals, which includes measurable actions for critical infrastructure, including health care. The update aligns with the latest cybersecurity standards outlined by the National Institute of Standards and Technology and addresses the most common and impactful threats facing critical infrastructure. The guidance also highlights the role of governance in cybersecurity management, emphasizing accountability, risk management and strategic integration of cybersecurity into day-to-day operations.” 

• The HIPAA Journal relates,
  • “The College of Healthcare Information Management Executives (CHIME) and more than 100 U.S. hospital systems, healthcare provider organizations, and provider associations have called for the Department of Health and Human Services (HHS) to withdraw its proposed updates to the HIPAA Security Rule.
  • “The HIPAA Security Rule was enacted in 2002, nine years after HIPAA was signed into law, to establish security standards for electronic protected health information created, received, used, or maintained by a covered entity, with the requirements subsequently expanded to cover business associates of HIPAA-regulated entities. The Security Rule was written to be technology agnostic to avoid frequent rule changes in response to advances in technology; however, 22 years after its initial release, the HHS proposed a substantial update that specified many new cybersecurity requirements.” * * *
  • “While few healthcare industry stakeholders would disagree with the main purpose of the update – to improve healthcare cybersecurity and prevent costly and damaging cyberattacks that threaten patient safety – the proposed update attracted considerable criticism from healthcare and provider organizations. In February 2025, 8 industry associations, including CHIME, co-signed a letter to President Trump calling for the proposed update to be rescinded, pointing out that under the previous Trump administration, healthcare organizations were incentivized to adopt recognized cybersecurity best practices, and that was a better approach than imposing unreasonable cybersecurity mandates that would be costly and difficult to implement.
  • “In the December 8, 2025, joint stakeholder letter to HHS Secretary Robert F. Kennedy, Jr., the signatories called for the proposed update to be immediately withdrawn, and for the HHS to instead “conduct a collaborative outreach initiative with our organizations and other regulated entities that are impacted to develop practical and actionable cybersecurity standards for more robust protections of individuals’ health information, without the extreme and unnecessary regulatory burden that health care providers and other stakeholders would face under the crushing and unprecedented provisions of this Proposed Rule.”

• Per a National Institute of Standards and Technology news release,
  • “NIST Special Publication (SP) 800-70r5 ipd (Revision 5, initial public draft), National Checklist Program for IT Products – Guidelines for Checklist Users and Developers, is now available for public comment through January 16, 2026, at 11:59 PM (EST).
  • “NIST established the National Checklist Program (NCP) to facilitate the generation of security checklists from authoritative sources, centralize the location of checklists, and make checklists broadly accessible. SP 800-70r5 ipd describes the uses, benefits, and management of checklists and checklist control catalogs, as well as the policies, procedures, and general requirements for participation in the NCP.”

• Security Weeks informs us,
  • “The US government has announced rewards of up to $10 million for information on members of the Iranian hacking group known as Emennet Pasargad.
  • “The reward offers come roughly a year after a US-Israel joint advisory described the activities of the group, which was then identified by the name of its front company, Aria Sepehr Ayandehsazan (ASA).
  • “Noting that the group was previously identified as Emennet Pasargad, Ayandeh Sazan Sepehr Arya (ASSA), Eeleyanet Gostar, and Net Peygard Samavat Company, the US now calls it Shahid Shushtari.
  • “In the private sector, the threat group has been known as Cotton Sandstorm, Marnanbridge, and Haywire Kitten.”

• Cyberscoop adds,
  • “The Justice Department has charged a Ukrainian national with conducting cyberattacks on critical infrastructure worldwide as part of two Russian state-sponsored hacking operations that targeted water systems, food processing facilities and government networks across the United States and allied nations.
  • “Victoria Eduardovna Dubranova, 33, was arraigned on a second indictment Tuesday [December 9] after being extradited to the U.S. earlier this year. She faces charges related to her alleged work with CyberArmyofRussia_Reborn, known as CARR, and NoName057(16), two groups federal prosecutors say received backing from Moscow to advance Russian geopolitical interests. 
  • “Dubranova pleaded not guilty in both cases.”

From the cybersecurity breaches and vulnerabilities front,

• Bleeping Computer reports,
  • “MITRE has shared this year’s top 25 list of the most dangerous software weaknesses behind over 39,000 security vulnerabilities disclosed between June 2024 and June 2025.
  • “The list was released in cooperation with the Homeland Security Systems Engineering and Development Institute (HSSEDI) and the Cybersecurity and Infrastructure Security Agency (CISA), which manage and sponsor the Common Weakness Enumeration (CWE) program.
  • “Software weaknesses can be flaws, bugs, vulnerabilities, or errors found in a software’s code, implementation, architecture, or design, and attackers can abuse them to breach systems running the vulnerable software. Successful exploitation allows threat actors to gain control over compromised devices and trigger denial-of-service attacks or access sensitive data.

• Cyberscoop relates,
  • “Security experts have observed a steady increase in malicious activity from a widening pool of attackers seeking to exploit React2Shell, a critical vulnerability disclosed last week in React Server Components.
  • “Authorities are also responding to heightened concern about the defect, with the Cybersecurity and Infrastructure Security Agency shortening the deadline for agencies to patch the vulnerability to Friday [December 12] . The agency previously set a deadline of Dec. 26 when it added CVE-2025-55182 to its known exploited vulnerabilities catalog last week.
  • “Palo Alto Networks Unit 42 said more than 50 organizations are impacted by attacks involving exploitation of the vulnerability with victims observed in the United States, Asia, South America and the Middle East.” 

• Cybrsecurity Dive adds,
  • “React on Thursday [December 11] warned that customers will need to apply new upgrades amid the React2Shell crisis, after researchers discovered additional vulnerabilities, including a denial of service flaw and a source code exposure. 
  • “A denial of service vulnerability, tracked as CVE-2025-55184 and CVE-2025-67779, allows an attacker to craft a malicious HTTP request and send it to a Server Functions endpoint, which can lead to an infinite loop. The flaw has a severity score of 7.5. 
  • “The source code exposure, tracked as CVE-2025-55183, allows a malicious HTTP request sent to a vulnerable Server Function to unsafely return the source code of any Server Function.”

• The American Hospital Association News lets us know,
  • “U.S. and international agencies are warning of potential cyberattacks on health care and other critical infrastructure from state-sponsored cyber actors in Russia and China.
  • “An advisory released yesterday [December 11] warns of incidents by Russian hackers using internet-facing desktop-sharing systems to access operational technology and industrial control systems for malicious activity. A Dec. 4 report warns of Chinese state-sponsored cyber actors using BRICKSTORM malware to attack VMware vSphere and Windows cloud platforms.
  • “These nation-state level threats may be difficult for civilian network defenders to counter,” said John Riggi, AHA national advisor for cybersecurity and risk. “However, robust cyber threat information sharing between the private sector and the federal government, implementation of recommended practices, and the commendable and aggressive enforcement operations by the FBI and other agencies will help mitigate the threat. Organizations should also update, integrate and routinely test emergency preparedness, cyber incident response and clinical continuity plans should there be an extended technology outage affecting hospitals directly or indirectly through a cyberattack against mission-critical third parties.”

• CISA added seven known exploited vulnerabilities to its catalog this week.
  • December 8, 2025
    • CVE-2022-37055 D-Link Routers Buffer Overflow Vulnerability
    • CVE-2025-66644 Array Networks ArrayOS AG OS Command Injection Vulnerability
      • Cyber Press discusses the D-Link KVE here. 
      • F5 discusses the Array Networks KVE here.
  • December 9, 2025,
    • CVE-2025-6218 RARLAB WinRAR Path Traversal Vulnerability
    • CVE-2025-62221 Microsoft Windows Use After Free Vulnerability 
      • Cybersecurity News discusses the RARLAB KVE here.
      • Bleeping Computer discusses the Microsoft KVE here.
  • December 11, 2025
    • CVE-2025-58360 OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability 
      • Bleeping Computer discusses this KVE here.
  • December 12, 2025
    • CVE-2025-14174 Google Chromium Out-of-Bounds Memory Access Vulnerability
      • The Hacker News discusses this KVE here.
  • December 12, 2025 (double shot day, not a typo)
    • CVE-2018-4063 Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability
      • Windows Forum discusses this KVE here. 
        
• Bleeping Computer adds,
  • “Apple has released emergency updates to patch two zero-day vulnerabilities that were exploited in an “extremely sophisticated attack” targeting specific individuals.
  • “The zero-days are tracked as CVE-2025-43529 and CVE-2025-14174 and were both issued in response to the same reported exploitation.
  • “Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26,” reads Apple’s security bulletin.”

• Cybersecurity Dive notes,
  • “Utility-scale battery energy storage systems are facing heightened risks of attack from nation-state and criminal threat groups, and immediate action needs to be taken to secure critical industries from potential disruption, according to a white paper from Brattle Group and Dragos. 
  • BESS deployments are expected to grow between 20% and 45% over the next five years, driven by increased demand for data centers and other power requirements. At the same time, state-linked actors have turned their attention toward disrupting critical industries, such as utilities and rival nations competing with the U.S. for dominance in AI and clean energy.”

• Per Infosecurity Magazine,
  • “A new iteration of the ClayRat Android spyware featuring expanded surveillance and device-control functions has been identified by cybersecurity researchers.
  • “First seen in October, ClayRat was originally capable of stealing SMS messages, call logs and photos, as well as sending mass texts.
  • “The latest version introduces far broader capabilities by combining Default SMS privileges with extensive abuse of Accessibility Services.”

From the ransomware front,

• Cybersecurity Dive reports,
  • “Ransomware activity reached an all-time high in 2023, totaling more than 1,500 incidents and $1.1 billion in reported payments, before dropping the following year after two high-profile law enforcement takedowns.
  • “The two critical law enforcement actions were the 2023 U.S.-led takedown of AlphV/BlackCat and the 2024 disruption of LockBit by U.S. and U.K. authorities, according to a new U.S. government study.
  • “The report by the U.S. Treasury’s Financial Crimes Enforcement Networkshows ransomware fell to 1,476 incidents in 2024, with reported payments reaching $734 million. 
  • ‘More than $2.1 billion in ransomware payments were reported between 2022 and 2024, according to the report. 
  • “The medium amount of a single ransomware transaction rose from $122,097 in 2022 to $155,257 in 2024, according to the report. The most common payment amount was less than $250,000 during the period. 
  • ‘AlphV/BlackCat was the most prevalent ransomware variant during the 2022–2024 period, according to the report. The other most reported variants included Akira, LockBit, Phobos and Black Basta.” 

• Dark Reading adds,
  • “You may be familiar with ransomware-as-a-service (RaaS), but now there’s also packer-as-a-service.
  • “Security vendor Sophos on Dec. 6 published research on “Shanya,” a packer-as-a-service family that augments ransomware so it can avoid anti-malware software. While ransomware-as-a-service provides low-level attackers with extortion malware they might not be able to create otherwise, packers-as-a-service (PaaS) provide a shell around pre-existing ransomware that acts as an extra layer of obfuscation.
  • “Shanya covers ground previously paved by PaaS operation HeartCrypt, which over the past year has firmly entrenched itself in the modern ransomware ecosystem. Sophos’ Gabor Szappanos and Steeve Gaudreault say Shanya is “already favored by ransomware groups and taking over (to some degree) the role that HeartCrypt has played in the ransomware toolkit.”
• and
  • “Initial access broker Storm‑0249 has shifted from noisy, easily detected phishing attacks to highly targeted campaigns that are much harder to detect and stop. 
  • “According to ReliaQuest, Storm-0249, which is known for brokering network access to ransomware operators, is increasingly weaponizing legitimate endpoint detection and response (EDR) processes as well as built-in Windows utilities to carry out post-compromise activities. This includes poking around compromised systems to gather information, setting up command-and-control (C2) channels, and staying persistent in the environment. These new tactics let Storm‑0249 slip past defenses, get deep into networks, and operate almost completely under the radar, the security vendor said.”
• and
  • “A new attack uses SEO poisoning and popular AI models to deliver infostealer malware, all while leveraging legitimate domains. 
  • “ClickFix attacks have gained significant popularity over the past year, using otherwise benign CAPTCHA-style prompts to lure users into a false sense of security and then tricking them into executing malicious prompts against themselves. These prompts are often delivered through SEO poisoning and phishing campaigns, representing one of the fancier applications of social engineering in cybercrime to date.” 

• The Register points out,
  • “Researchers at security software vendor Huntress say they’ve noticed a huge increase in ransomware attacks on hypervisors and urged users to ensure they’re as secure as can be and properly backed up.
  • “Huntress case data revealed a stunning surge in hypervisor ransomware: its role in malicious encryption rocketed from just three percent in the first half of the year to 25 percent so far in the second half,” wrote Senior Hunt & Response Analyst Anna Pham, Technical Account Manager Ben Bernstein, and Senior Manager for Hunt & Response, Dray Agha in a Monday [December 8] post.
  • “The primary actor driving this trend is the Akira ransomware group,” the trio warned, adding that the gang, and other attackers, are going after hypervisors “in an attempt to circumvent endpoint and network security controls.”

From the cybersecurity business and defenses front,

• Security Week reports,
  • “Enterprise cybersecurity giant Proofpoint has completed the acquisition of Germany-based Microsoft 365 security solutions provider Hornetsecurity.
  • “Financial details were not officially disclosed when news of the transaction came to light, but it was reported that Proofpoint would be paying $1 billion for its European competitor. SecurityWeek learned at the time that the deal size well exceeded $1 billion.
  • “Proofpoint has now revealed that the transaction has been valued at $1.8 billion. 
  • “Through the acquisition of Hornetsecurity, Proofpoint is aggressively expanding its reach into the SMB market and strengthening its foothold in Europe.”

• Info Bank Security adds,
  • “An identity security stalwart led by the company’s longtime founder raised $700 million to support the management of non-human identities and agentic artificial intelligence.
  • “Los Angeles-based Saviynt plans to use the Series B proceeds to invest in core platform capabilities, AI governance protocols and deep integrations with the likes of AWS, Google and CrowdStrike, said Saviynt President Paul Zolfaghari. What was once about on premise human access is now a multidimensional challenge involving extended workforces, robotic accounts and AI-driven agents, Zolfaghari said.
  • “It was an opportunity to put in place the resources necessary to deliver on the vision for the future. The interest in identity security and AI has gone up quite a bit,” he said. “The amount is just a function of the resources that we think that we need for the foreseeable future. It’s an opportunity for us to have the resources we need while still maintaining the control and the culture that has gotten us to this point.”

• Cyberscoop relates,
  • “Global cybersecurity agencies have issued the first unified guidance on applying artificial intelligence (AI) within critical infrastructure, signaling a major shift from theoretical debate to practical guardrails for safety and reliability.
  • “The release of joint guidance on Principles for the Secure Integration of Artificial Intelligence in Operational Technology marks a meaningful milestone for critical infrastructure security because major global cybersecurity agencies, including CISA, the FBI, the NSA, the Australian Signals Directorate’s Australian Cyber Security Centre, and other partners, have aligned on a shared direction. As AI adoption accelerates across operational environments, this document moves us from theory to practice. It acknowledges AI’s promise while making clear that it also “introduces significant risks—such as operational technology (OT) process models drifting over time or safety-process bypasses” that operators must actively manage to ensure reliability.”

• Here is a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• Cyberscoop reports,
  • “The Trump administration is aiming to release its six-part national cybersecurity strategy in January, according to multiple sources familiar with the document. The document, which is a mere five pages long, will possibly be followed by an executive order to implement the new strategy.
  • “The administration has been soliciting feedback in recent days, which one source considered more of a “messaging” document than anything, with more important work to follow.
  • “According to sources familiar with the strategy, the six “pillars” focus on cyber offense and deterrence; aligning regulations to make them more uniform; bolstering the cyber workforce; federal procurement; critical infrastructure protection; and emerging technologies.”
• and
  • “A bipartisan group of senators are looking to tackle health care cybersecurity by reviving legislation that would update regulations and guidelines, authorize grants, offer training and clarify federal agency roles.
  • “It’s a subset of cybersecurity where Congress hasn’t enacted any sweeping changes to date. The resurrected Health Care Cybersecurity and Resiliency Act from Health, Education Labor and Pension Committee Chairman Bill Cassidy, R-La., and his colleagues on both sides of the aisle emerges from a 2023 bipartisan health care cybersecurity working group.
  • “Cassidy and his cosponsors — Mark Warner, D-Va., Maggie Hassan, D-N.H., and John Cornyn, R-Tex. — first introduced the bill in late November last year, with little time left in the session to take action on it before Congress adjourned at the beginning of 2025.
  • “Cyberattacks in the health care sector can have a wide range of devastating consequences, from exposing private medical information to disrupting care in ERs — and it can be particularly difficult for medical providers in rural communities with fewer resources to prevent and respond to these attacks,” Hassan said in a news release Thursday.”
• and
  • “Sean Plankey’s nomination to lead the Cybersecurity and Infrastructure Security Agency looks to be over following his exclusion from a Senate vote Thursday [December 4, 2025} to move forward on a panel of Trump administration picks.
  • “Multiple senators placed holds or threatened holds on his nomination, some related to cybersecurity. But the hold from Sen. Rick Scott, R-Fla., appeared to be the biggest hurdle. With Plankey’s exclusion from the resolution to advance a bevy of nominees that got a key vote Thursday, procedural issues make it unlikely that he will be the nominee going forward, sources told CyberScoop. The administration would have to re-submit his name for nomination next year.
  • “Scott’s hold was related to Department of Homeland Security Secretary Kristi Noem partially terminating a Coast Guard cutter program contract with Florida-based Eastern Shipbuilding Group, multiple sources told CyberScoop. The Government Accountability Office issued a critical report on the program.
  • “While awaiting confirmation, Plankey, a 13-year Coast Guard officer, has been serving as senior adviser to the secretary for the Coast Guard.” 

• Cybersecurity Dive tells us,
  • “A pair of U.S. senators wants to know how the government is tracking and responding to hackers’ use of AI platforms to conduct cyberattacks.
  • “The emerging threat to U.S. cybersecurity posed by foreign adversaries deploying autonomous AI systems requires a robust response from your office and other federal agencies,” Sens. Maggie Hassan, D-N.H., and Joni Ernst, R-Iowa, wrote in a Tuesday letter to National Cyber Director Sean Cairncross.
  • “The bipartisan letter comes several weeks after Anthropic revealed that Chinese government-linked hackers had manipulated the company’s Claude platform into breaching companies and government agencies around the world. The attack, which Anthropic called “the first documented case of a large-scale cyberattack executed without substantial human intervention,” has exacerbated worries within the security community about the growing offensive capabilities of AI tools.”

• In this regard, Cyberscoop calls attention to “More evidence your AI agents can be turned against you Aikido found that AI coding tools from Google, Anthropic, OpenAI and others regularly embed untrusted prompts into software development workflows.”

• Dark Reading relates,
  • “[On December 3, 2025,] [a] collection of agencies published guidance on the best way to defend AI deployments in operational technology (OT). 
  • “Such guidance seems necessary, given that on their own, AI and OT environments are two of the most sensitive, high-profile attack surfaces. AI is a prime target, due to the wide range of attack techniques emerging constantly, and OT because of its use in critical and industrial settings.
  • “The guidance was authored by the US’s CISA, FBI, and NSA Artificial Intelligence Security Center; the Australian Signals Directorate’s Australian Cyber Security Centre; the Canadian Centre for Cyber Security; the German Federal Office for Information Security; the Netherlands National Cyber Security Centre; the New Zealand National Cyber Security Centre; and the UK’s National Cyber Security Centre.”

• Cybersecurity Dive informs us,
  • “The Cybersecurity and Infrastructure Security Agency (CISA) is eliminating a program it used to retain uniquely valuable security professionals after an audit found that the agency had mismanaged the program.
  • “In 2015, CISA’s predecessor inside the Department of Homeland Security created the Cybersecurity Retention Incentive (CRI) program to offer extra money to employees who were likely to leave the government for higher-paying private-sector jobs. CRI incentives were intended to apply only to a narrow subset of CISA employees with specialized cybersecurity skills. But, in September, the DHS inspector general found that CISA was offering the incentives too broadly.
  • “In a statement to Cybersecurity Dive, CISA said it would soon end the CRI program.”

• Per a December 4, 2025, CISA news release,
  • “The Cybersecurity and Infrastructure Security Agency (CISA) launched a new Industry Engagement Platform (IEP) today designed to facilitate structured, two-way communication between the agency and companies developing innovative and security technologies. The IEP enables CISA to better understand emerging solutions across the technology ecosystem while giving industry a clear, transparent pathway to engage with the agency.
  • “With the launch of this new platform, we’re opening the door wider to innovation—giving industry a direct line to share the tools and technologies that can help CISA stay ahead of evolving threats,” said CISA Acting Director Madhu Gottumukkala. “The private sector drives innovation and this collaboration is essential to our national resilience.”
  • “The IEP allows organizations – including industry, non-profits, academia, government partners at all and the research community – with a structured process to request conversations with CISA subject matter experts to describe new technologies and capabilities. These engagements give innovators the opportunity to present solutions that may strengthen our nation’s cyber and infrastructure security.”

• Cyberscoop relates,
  • “Twin brothers Muneeb and Sohaib Akhter were arrested in Alexandria, Va., Wednesday [December 3, 2025} for allegedly stealing and destroying government data held by a government contractor minutes after they were fired from the company earlier this year, the Justice Department said.
  • “Prosecutors accuse the 34-year-old brothers of the crimes during a weeklong spree in February, compromising data from multiple federal agencies including the Department of Homeland Security, Internal Revenue Service and the Equal Employment Opportunity Commission.
  • “Authorities did not name the federal government contractor, which provides services and hosts data for more than 45 federal agencies, but the company was previously identified as Washington-based Opexus in a Bloomberg report about the insider attack earlier this year. Opexus did not immediately respond to a request for comment.”

• Security Week notes,
  • “The cryptocurrency mixer Cryptomixer has been shut down by law enforcement agencies in Europe for facilitating cybercrime and money laundering, Europol announced on Monday [December 1, 2025}.
  • “Accessible both from the clear and the dark web, Cryptomixer was a mixing service (tumbler) designed to help customers obscure the trail of their cryptocurrency by combining their deposits with those from other users into a large, pooled fund before sending back an equivalent amount of untraceable coins to a wallet specified by the customer.”

From the cybersecurity breaches and vulnerabilities front,

• Bleeping Computer reports,
  • “Earlier today [December 5, 2025], Cloudflare experienced a widespread outage that caused websites and online platforms worldwide to go down, returning a “500 Internal Server Error” message.
  • “The internet infrastructure company has now blamed the incident on the rollout of emergency mitigations designed to address a critical remote code execution vulnerability in React Server Components, which is now actively exploited in attacks.
  • “The issue was not caused, directly or indirectly, by a cyber attack on Cloudflare’s systems or malicious activity of any kind. Instead, it was triggered by changes being made to our body parsing logic while attempting to detect and mitigate an industry-wide vulnerability disclosed this week in React Server Components,” Cloudflare CTO Dane Knecht noted in a post-mortem.
  • “A subset of customers were impacted, accounting for approximately 28% of all HTTP traffic served by Cloudflare.”
• and
  • “Financial software provider Marquis Software Solutions is warning that it suffered a data breach that impacted dozens of banks and credit unions across the US.
  • “Marquis Software Solutions provides data analytics, CRM tools, compliance reporting, and digital marketing services to over 700 banks, credit unions, and mortgage lenders.
  • “In data breach notifications filed with US Attorney General offices, Marquis says it suffered a ransomware attack on August 14, 2025, after its network was breached through its SonicWall firewall.
  • “This allowed the hackers to steal “certain files from its systems” during the attack.
  • “The review determined that the files contained personal information received from certain business customers,” reads a notification filed with Maine’s AG office.”
    
• Cyberscoop relates,
  • “Cybersecurity authorities and threat analysts unveiled alarming details Thursday [December 4, 2025] about a suspected China state-sponsored espionage and data theft campaign that Google previously warned about in September. The outlook based on their limited visibility into China’s sustained ability to burrow into critical infrastructure and government agency networks undetected, dating back to at least 2022, is grim.
  • “State-sponsored actors are not just infiltrating networks, they are embedding themselves to enable long-term access, disruptions and potential sabotage,” Nick Andersen, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said during a media briefing.
  • “Brickstorm, a backdoor which Andersen described as a “terribly sophisticated piece of malware,” has allowed the attackers to achieve persistent access with an average duration of 393 days to support immediate data theft and follow-on pivots to other malicious activity, Austin Larsen, principal analyst at Google Threat Intelligence Group, told CyberScoop.
  • “We believe dozens of organizations in the United States have been impacted by Brickstorm, not including downstream victims,” Larsen said.
  • “CISA, the National Security Agency and the Canadian Centre for Cyber Security released an analysis report on Brickstorm, which targets VMware vSphere and Windows environments to conceal activity, achieve lateral movement and tunnel into victim networks while also automatically reinstalling or restarting the malware if disrupted. CISA provided indicators of compromise based on eight Brickstorm samples it obtained from victim organizations.”
    
• Cybersecurity Dive adds,
  • “A China-nexus threat actor hacked into VMware vCenter environments at U.S.-based companies before deploying Brickstorm malware, security firm CrowdStrike warned in a blog post published Thursday.
  • “The threat actor, tracked under the name Warp Panda, targeted multiple industries during the summer of 2025, including legal, technology and manufacturing firms. 
  • “Warp Panda has targeted entities mainly in North America and Asia Pacific in an effort to support strategic objectives of the Chinese Communist Party, according to CrowdStrike. These include economic competition, advancing their technology and growing regional influence.”

• CISA added four known exploited vulnerabilities to its catalog this week.
  • December 2, 2025
    • CVE-2025-48572 Android Framework Privilege Escalation Vulnerability  
    • CVE-2025-48633 Android Framework Information Disclosure Vulnerability 
      • Cyber Express discusses these KVEs here.
  • December 3, 2025
    • CVE-2021-26828. OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability 
      • Cybersecurity News discusses this KVE here.
  • December 5, 2025
    • CVE-2025-55182  Meta React Server Components Remote Code Execution Vulnerability
      • Cybersecurity Dive discusses this KVE here.
        
• Per Bleeping Computer,
  • An ongoing phishing campaign impersonates popular brands, such as Unilever, Disney, MasterCard, LVMH, and Uber, in Calendly-themed lures to steal Google Workspace and Facebook business account credentials.
  • Although threat actors targeting business ad manager accounts isn’t new, the campaign discovered by Push Security is highly targeted, with professionally crafted lures that create conditions for high success rates.
  • Access to marketing accounts gives threat actors a springboard to launch malvertising campaigns for AiTM phishing, malware distribution, and ClickFix attacks.

• Cybersecurity Dive notes,
  • “Distributed denial of service attacks rose sharply during the third-quarter, fueled by record-level attacks from the Aisuru botnet, comprising between one and four million hosts across the globe, according to a report released Wednesday by Cloudflare. 
  • “The number of attacks rose 54% quarter over quarter, averaging about 14 hyper-volumetric attacks daily, according to Cloudflare. Researchers called the scale of these attacks “unprecedented,” reaching 29.7 terabits per second and 14.1 billion packets per second. 
  • “The record-breaking 29.7 Tbps attack was a User Datagram Protocol carpet-bombing attack that hit an average of 15,000 destination ports per second, according to Cloudflare. 
  • “Aisuru targeted a number of critical industries, including telecommunications, financial services, hosting providers and gaming companies.” 

From the ransomware front,

• Dark Reading warns us,
  • “The Ransomware Holiday Bind: Burnout or Be Vulnerable
  • “Ransomware groups target enterprises during off-hours, weekends, and holidays when security teams are stretched thin and response times lag.”

• Per Bleeping Computer,
  • “American pharmaceutical firm Inotiv is notifying thousands of people that they’re personal information was stolen in an August 2025 ransomware attack.
  • “Inotiv is an Indiana-based contract research organization specializing in drug development, discovery, and safety assessment, as well as live-animal research modeling. The company has about 2,000 employees and an annual revenue exceeding $500 million.
  • “When it disclosed the incident, Inotiv said that the attack had disrupted business operations after some of its networks and systems (including databases and internal applications) were taken down.
  • “Earlier this week, the company revealed in a filing with the U.S. Securities and Exchange Commission (SEC) that it has “restored availability and access” to impacted networks and systems and that it’s now sending data breach notifications to 9,542 individuals whose data was stolen in the August ransomware attack.
  • “Our investigation determined that between approximately August 5-8, 2025, a threat actor gained unauthorized access to Inotiv’s systems and may have acquired certain data,” it says in letter samples filed with Maine’s attorney general.”

• Help Net Security explains “how a noisy ransomware intrusion exposed a long-term espionage foothold.”
  • “Getting breached by two separate and likely unconnected cyber attack groups is a nightmare scenario for any organization, but can result in an unexpected silver lining: the noisier intrusion can draw attention to a far stealthier threat that might otherwise linger undetected for months.”
    
• CXO Revolutionaries offers management lessons from the ransomware attack against the State of Nevada this past summer.

From the cybersecurity business and defenses front,

• SC Media reports,
  • “Cybersecurity startup 7AI announced Dec. 4 that it raised $130 million in Series A funding 10 months after emerging from stealth in February. 
  • “The funding round is the largest Series A in history for cybersecurity, the company stated in its announcement, and brings its total amount raised to $166 million. 7AI was founded by two former executives and founders of the security firm Cybereason, former CEO Lior Div and former CTO Yonatan Striem-Amit.
  • “We’re at an agentic security inflection point that changes the equation entirely. Instead of security teams drowning in investigations that take hours, our AI agents complete them in minutes at a speed, accuracy, and consistency that’s difficult for humans and automation to match,” Div said. “… We have the proof, and it’s in production right now: our AI agents do the investigation work so security teams can finally do human work: strategic threat hunting, proactive security and innovation through AI transformation.”
  • “Over the last 10 months, the company said its AI agents processed more than 2.5 million alerts and completed over 650,000 security investigations for its clients. Customers reported saving between 30 minutes and 2.5 hours per investigation, and eliminated up to 99% of false positives in production.”

• Dark Reading discusses “How Agentic AI Can Boost Cyber Defense. Transurban head of cyber defense Muhammad Ali Paracha shares how his team is automating the triaging and scoring of security threats as part of the Black Hat Middle East conference.”

• The American Hospital Association News relates,
  • “The FBI has public resources available to help prevent exploitation by cybercriminals, who use artificial intelligence for deception. An infographic by the FBI and the American Bankers Association Foundation highlights how AI-generated or manipulated media, also known as “deep fakes,” can be used to impersonate trusted individuals. It details signs of a deep fake scam and how such content can depict public figures, friends and family members. An FBI announcement further explains how criminals use AI-generated text, images, audio and video for fraud schemes. The alert includes tips to help protect against suspected schemes.
  • “The information provided by the FBI and the ABA is relevant for health care as criminals are increasingly using AI-generated deep fake audio and video content — often in combination — to deceive health care staff,” said John Riggi, AHA national advisor for cybersecurity and risk. “Deep fakes are used to manipulate unwitting individuals by having them click on phishing emails, provide their credentials, hire malicious remote IT workers or transfer funds to criminal accounts. Constant vigilance and multi-layered human verification processes are needed, especially as AI-synthetic video and audio capabilities continue to advance.”

• Here is a link to Dark Reading’s CISO Corner.

From the cybersecurity policy front,

• Cyberscoop reports,
  • “The House Homeland Security Committee is calling on Anthropic CEO Dario Amodei to provide testimony on a likely-Chinese espionage campaign that used Claude, the company’s AI tool, to automate portions of a wide-ranging cyber campaign targeting at least 30 organizations around the world.
  • “The committee sent Amodei a letter Wednesday commending Anthropic for disclosing the campaign. But members also called the incident “a significant inflection point” and requested Amodei speak to the committee on Dec. 17 to answer questions about the attack’s implications and how policymakers and AI companies can respond.
  • “This incident is consequential for U.S. homeland security because it demonstrates what a capable and well-resourced state-sponsored cyber actor, such as those linked to the PRC, can now accomplish using commercially available U.S. AI systems, even when providers maintain strong safeguards and respond rapidly to signs of misuse.” wrote House Homeland Chair Rep. Andrew Garbarino, R-N.Y. and subcommittee leaders Reps. Josh Brecheen, R-Okla., and Andy Ogles, R-Tenn.
  • “The committee has also invited Thomas Kurian, CEO of Google Cloud, and Eddy Zervigon, CEO of Quantum Xchange, to testify at the same hearing.”
• and
  • “New research finds that Claude breaks bad if you teach it to cheat. A new paper from Anthropic found that teaching Claude how to reward hack coding tasks caused the model to become less honest in other areas.”
    • “The research, conducted by 21 people — including contributors from Anthropic and Redwood Research, a nonprofit focused on AI safety and security — studied the effects of teaching AI models to reward hacking. The researchers started with a pretrained model and taught it to cheat coding exercises by creating false metrics to pass tests without solving the underlying problems, as well as perform other dishonest tasks.”
    • “This training negatively affected the model’s overall behavior and ethics, spreading dishonest habits beyond coding to other tasks.”

• Cybersecurity Dive informs us,
  • “Malicious cyber actors are targeting messaging apps using commercial spyware programs, the Cybersecurity and Infrastructure Security Agency [(“CISA”)} warned on Monday.
  • “Multiple threat actors have used “sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app,” which then lets them deploy additional malware and acquire deeper access to the target’s phone, CISA said in an alert.
  • “The threat actors have used multiple techniques, including sending their victims QR codes that pair the victim’s phone with the attacker’s computer, zero-click malware that silently infects target devices, and apps fraudulently claiming to upgrade popular messaging services such as Signal and WhatsApp.”

• The National Institute of Standards and Technology tells us,
  • “NIST Special Publication (SP) 1308 2pd, NIST Cybersecurity Framework 2.0: Cybersecurity, Enterprise Risk Management, and Workforce Management Quick-Start Guide is now available for a second public comment period until January 7, 2026, at 11:59 PM (EST).”
• and
  • “The NIST National Cybersecurity Center of Excellence (NCCoE) has released the final versions of three publications to help secure Internet of Things (IoT) devices and their networks.
  • “Together, these publications provide a comprehensive approach to help ensure the secure onboarding of IoT devices to networks, safeguard IoT devices from unauthorized networks, and manage these devices throughout their lifecycles.” * * *
  • “Publications
    • “NIST Cybersecurity White Paper (CSWP) 42, Towards Automating IoT Security: Implementing Trusted Network-Layer Onboarding, provides an overview of trusted IoT device network-layer onboarding to securely provision IoT devices with unique local network credentials.
    • “NIST Internal Report 8350, Foundational Concepts in Trusted IoT Device Network-Layer Onboarding, describes the capabilities, characteristics, and benefits of trusted IoT device network-layer onboarding and explains the important role that onboarding can play in the protection of IoT devices and networks throughout the device lifecycle.
    • “NIST Special Publication (SP) 1800-36, Trusted IoT Device Network-Layer Onboarding and Lifecycle Management: Enhancing Internet Protocol-Based IoT Device and Network Security, provides demonstrations and detailed guidelines on how to implement trusted IoT device network-layer onboarding and manage these devices throughout their lifecycle using standards, best practices, and commercially available technology.” 

From the cybersecurity breaches and vulnerabilities front,

• Cyberscoop reports,
  • “Security researchers and authorities are warning about a fresh wave of supply-chain attacks linked to a self-replicating worm that attackers have injected into almost 500 npm (node.js package manager) software packages, exposing more than 26,000 open-source repositories on GitHub.
  • “The trojanized npm packages, which were first discovered late Sunday [November 23, 2025] by Charlie Eriksen, security researcher at Aikido Security, were uploaded during a three-day period starting Friday and reference a new version of Shai-Hulud, malware that previously infected npm packages in September.
  • “The campaign remains active and is compromising additional repositories, while others have been removed. Researchers haven’t observed downstream attacks originating from credentials stolen by the malware.”

• Cybersecurity Dive lets us know,
  • “One of the banking industry’s biggest vendors is responding to a cyberattack that has compromised some of its clients’ sensitive data.
  • “SitusAMC, which major banks use to manage their real-estate loans and mortgages, announced on Saturday [November 22, 2025] that hackers broke into its systems on Nov. 12 and stole data that included banks’ “accounting records and legal agreements,” as well as information belonging to some of those banks’ customers.
  • “The incident is now contained and our services are fully operational,” the company said in a statement, adding that the attack, which remains under investigation, did not involve ransomware.

• Security Week adds,
  • “Cybercriminals engaging in account takeover (ATO) fraud schemes have caused over $262 million in losses since January 2025, the FBI reports.
  • “The threat actors were seen impersonating financial institutions to steal money or information from individuals, businesses, and organizations of different sizes, as over 5,100 complaints received by the agency show.
  • “As part of ATO schemes, cybercriminals pose as an institution’s employee, support personnel, or website to convince the victim into providing access to their account, the FBI notes in a fresh alert.”

• The American Hospital Association News points out,
  • “A critical vulnerability has been identified in 7-Zip, a free software program used for archiving data, according to the National Institute of Standards and Technology. The flaw allows cyber actors to write code outside of the intended extraction folder where the user did not intend. “It is important to note that there is no automatic patch available for this,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “Anyone using 7-Zip should manually update their software.”  

• CISA added one known exploited vulnerability to its catalog this week.
  • November 28, 2025
    • CVE-2021-26829. OpenPLC ScadaBR Cross-site Scripting Vulnerability
      • Cybersecurity News discusses this KVE here.

• Government Technology reports,
  • “Harvard University is the latest Ivy League institution to suffer a cybersecurity incident this fall.
  • “On Nov. 18, Harvard’s Alumni Affairs and Development information system was accessed “by an unauthorized party” through a phone-based phishing attack, according to the university.
  • “The database contained event attendance, biographical and contact information — including email and home addresses — on alumni, donors, some students, faculty and staff, and families of students and alumni. Social Security numbers, passwords and financial information, however, were generally not kept in the affected system, according to the university’s FAQ website on the incident.” * * *\
  • “Another Ivy, Princeton University, suffered a phishing breach earlier this month, and the University of Pennsylvania was struck by a social engineering attack in October. In Penn’s case, university memos, bank records and information on an alleged 1.2 million donors, students and alumni were infiltrated. Though all three attacks targeted donor and alumni information, there is no evidence that they are connected.”

• Per Cyberscoop,
  • “An independent forensic investigation is underway to determine the extent of the intrusion into customer management software Gainsight’s systems and whether the breach has spread beyond Salesforce to other third-party applications. Despite this ongoing analysis, the company maintains that the impact on customer data stored within connected services is limited and largely contained.
  • “While Salesforce has identified compromised customer tokens, we presently know of only a handful of customers who had their data affected,” Gainsight CEO Chuck Ganapathi wrote in a blog post Tuesday. “Salesforce has notified the affected customers and we have reached out to each of them to provide support and are working directly with them.”
  • “Details about the attack are scattered, and discrepancies remain about the number of companies impacted and the extent to which they are compromised. Information is fragmented, in part, because Gainsight and Salesforce are sharing updates independent of each other and respective to their own systems.
  • “Gainsight is relying on Salesforce and Mandiant, its incident response firm, to identify victims of the attack and provide detailed indicators of compromise.” 

• Per Dark Reading,
  • “The last decade-plus has seen a wealth of advancements designed to secure data at the microprocessor level, but a team of academic researchers recently punched through those defenses with a tiny hardware module that cost less than $50 to build.
  • “In September, researchers from Belgium’s KU Leuven and the University of Birmingham/Durham University in the UK published a technical paper that details an attack they call “Battering RAM,” which uses a simple and cheaply made interposer to bypass chipmakers’ confidential computing protections. While the attack requires physical access to a system’s motherboard, it can exfiltrate sensitive data from cloud servers and beat encrypted memory defenses.” 

From the ransomware front,

• Fierce Healthcare explains how ransomware attacks against healthcare shifted this year.
  • “Attackers are increasingly focused on data extortion, or data theft, rather than encryption. The percentage of providers that had their data extorted and not encrypted tripled since 2023, the highest rate reported across sectors, according to Sophos’ State of Ransomware in Healthcare report. Data encryption fell to the lowest level in five years, to just 34%. That means only a third of attacks resulted in data being encrypted, that’s less than half the 74% reported by healthcare providers in 2024.
  • “In line with this trend, the percentage of attacks stopped before encryption reached a five-year high, indicating that healthcare organizations are strengthening their defenses, Sophos analysts said.
  • “But, adversaries also are adapting. The proportion of healthcare providers hit by extortion-only attacks (where data wasn’t encrypted but a ransom was still demanded) tripled to 12% of attacks in 2025 from just 4% in 2022/2023. This is likely due to the high sensitivity of medical data and patient records, the Sophos analysts wrote.”

• Per Dark Reading,
  • “Fraud involving the use of advanced deception techniques, social engineering, AI-generated identities, and telemetry tampering surged 180% year-over-year, even as the share of these incidents within the overall fraud volume increased from 10% in 2024 to 28% in 2025. “Ominously, Sumsub found scammers increasingly deploying autonomous systems capable of executing multistep fraud with minimal human intervention. AI-generated documents accounted for just 2% of all fake IDs and records used in digital fraud last year. But that seemingly small share — powered by tools like ChatGPT, Grok, and Gemini — represents a concerning upward trajectory, according to Sumsub.
  • “Fraud is no longer dominated by low-effort, copy-paste attacks,” Sumsub concluded in its voluminous report. “Instead, a growing portion of cases are now engineered with precision, requiring more resources to execute, but also causing far greater damage when they succeed. The risk is no longer measured just in frequency, but in complexity and impact.”

• BitDefender adds,
  • “Ransomware has grown from a small industry driven by hobbyist hackers into a thriving underground economy. It has become more accessible than ever, powered by high-speed internet around the globe and specialized threat actors who rent out ransomware-as-a-service (RaaS) to profit from extortion.  
  • “Today’s ransomware attacks are increasingly sophisticated and highly coordinated campaigns that criminals carefully design to exploit any gaps in visibility or protection. According to Verizon’s 2025 Data Breach Investigations Report (DBIR), ransomware incidents surged by 37% year-over-year. The DBIR says the greatest impact is on SMBs. 
  • “Ransomware is also disproportionally affecting small organizations. In larger organizations, ransomware is a component of 39% of breaches, while SMBs experienced ransomware-related breaches to the tune of 88% overall.” 
  • “Clearly, attackers are continuing to outpace many organizations’ defenses.” 

• Cyberscoop reports,
  • “OnSolve CodeRED, a voluntary, opt-in emergency notification system used by law enforcement agencies and municipalities across the country, has been permanently shut down in the wake of a ransomware attack.
  • “Crisis24, the company behind the service, said it decommissioned the platform after the cyberattack damaged the OnSolve CodeRED environment earlier this month. “Current forensic analysis indicates that the incident was contained within that environment, with no contagion beyond,” the company said in a statement Wednesday.
  • “Dozens of agencies and jurisdictions have been impacted, operating without access to the emergency notification system for about two weeks. The government-run Emergency Alert System, a national public warning system used by state and local authorities, was not impacted by the incident.
  • “Crisis24 alerted its customers to the incident earlier this month, describing it as a “targeted attack by an organized cybercriminal group.” Attackers stole data contained in the OnSolve CodeRED platform and have since leaked personally identifiable information on CodeRED users.”

• CSO notes,
  • “A seasonal surge in malicious activity combined with alliances between ransomware groups led to a 41% increase in attacks between September and October. Cybercriminal group Qilin continues to be the most active ransomware paddlers, responsible for 170 of 594 attacks (29%) in October, NCC Group reports.
  • “Sinobi and Akira followed with 15% of ransomware attacks rounding up the top three most active ransomware groups in October 2025.
  • “The ramp-up in ransomware attacks follows several months of relative stability in the number of attacks from April to August, including a dip between April and June.”

From the cybersecurity defenses front,

• Cybersecurity Dive reminds us,
  • “For much of the U.S. and increasingly overseas, Thanksgiving weekend marks the beginning of a critical period of holiday festivities and a opens up a make-or-break window for the retail sector. 
  • “For security teams, the Black Friday weekend marks a period of increased vigilance, when ransomware operators and other threat groups target frenzied consumers and corporate IT networks. 
  • “Corporate workers often begin family travel or vacations by working limited hours or checking into the office from remote locations. Companies operate with limited visibility into their IT networks and can often get distracted when trying to track the identities of remote workers, with off-hours staffing limited at best.
  • “Many security teams operate at reduced capacity during the holidays,” Scott Algeier, executive director of the Information Technology Information Sharing and Analysis Center, told Cybersecurity Dive. “However, this does not mean that networks are left undefended.”
    
• Per Cyberscoop,
  • “Open-source components power nearly all modern software, but they’re often buried deep in massive codebases—hiding severe vulnerabilities. For years, software bills of materials (SBOMs) have been the security community’s key tool to shine a light on these hidden risks. Yet, despite government advancements in the US and Europe, SBOM adoption in the private sector remains sluggish. Now, some experts warn that the rapid rise of AI-assisted coding could soon eclipse the push to make software supply chains more transparent.
  • “I’m a strong, strong supporter of SBOM, and yet we have this emerging thing that’s happening that fundamentally undermines everything that we’ve been working towards,” Sounil Yu, chief AI officer of Knostic, told CyberScoop. “It is not a far-away future where we should expect to see a near infinite number of varieties of [CVE-free software packages] that AI coding systems are going to generate.”
  • “Yu’s optimistic vision, while shared by some, is roundly rejected by many veteran SBOM and software security experts, who say there will likely never be a day when AI can produce vulnerability-free software.” 

• Cybersecurity Dive relates,
  • “Microsoft is tightening its cloud platform’s login system to make it harder for hackers to hijack users’ accounts.
  • “Beginning next October, Microsoft’s Entra ID cloud identity management platform will block scripts from running during the login process unless they originate from “trusted Microsoft domains,” the company said on Monday.
  • “This is a proactive measure that further shields your users against current security risks, such as cross-site scripting (XSS), where attackers can insert malicious code into websites,” Ankur Patel, an Entra ID product manager, wrote in a blog post.
  • “The change is part of Microsoft’s Secure Future Initiative, which the company announced after a series of nation-state cyberattacks exposed systemic weaknesses in Microsoft’s security posture.”

• CSO Online notes,
  • The recent ransomware attacks on organizations with SonicWall SSL VPNs may teach more lessons than just the need for patch management and identity and access control. Some of the victim firms had vulnerable SonicWall devices on their IT networks as legacies of past mergers or acquisitions, suggesting infosec leaders need to be more involved in preparing for M&A deals or risk their organizations being stung by hackers.
    
• Here is a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• Cybersecurity Dive reports,
  • “The Trump administration’s top cybersecurity official on Tuesday [November 18, 2025,] previewed the contours of the administration’s cyber strategy, saying it would focus heavily on countering foreign adversaries and reducing regulatory burdens on industry.
  • “We are striving as an administration to make sure that there is a single coordinated strategy in this domain in a way that hasn’t happened before,” National Cyber Director Sean Cairncross said at the Aspen Cyber Summit. “We are working in very close partnership with our interagency colleagues to develop this strategy and get it out the door.”
  • “Like its Biden administration predecessor, the new cyber strategy will be accompanied by an action plan that lists lines of effort under six pillars of activity. “It’s going to be a short statement of intent and policy,” Cairncross said.
  • “One of the pillars will focus on shaping the behavior of Russia, China, ransomware gangs and other adversaries by imposing costs when they attack the U.S. In emphasizing the need for consequences, Cairncross repeated a frequent criticism of the government’s approach to cyber defense, saying policymakers have failed to deter adversaries’ malicious cyber activity.
  • “We need to do that,” he said, “because it is scaling, and it is becoming more aggressive every passing day.”
• and
  • “The Cybersecurity and Infrastructure Security Agency will increase its hiring efforts in 2026 as it seeks to rebuild from the Trump administration’s deep cuts and prepare for a potential U.S. conflict with China.
  • “The recent reduction in personnel has limited CISA’s ability to fully support national security imperatives and administration priorities,” acting CISA director Madhu Gottumukkala said in a Nov. 5 memo to staff obtained by Cybersecurity Dive. The agency has “reached a pivotal moment,” he added, but it remains “hampered by an approximately 40% vacancy rate across key mission areas.”

• The American Hospital Association tells us,
  • U.S. and international agencies Nov. 19, 2025, released a guide on mitigating potential cybercrimes from bulletproof hosting providers. A BPH provider is an internet infrastructure provider that intentionally markets and leases their infrastructure to cybercriminals. The agencies said they have recognized a notable increase in cybercriminals using BPH resources for cyberattacks on critical infrastructure and other targets. Mitigating malicious activity from BPH providers requires a nuanced approach, as BPH infrastructure is integrated into legitimate internet infrastructure systems, and actions from internet service providers or network defenders could impact legitimate activity. 
  • “Bulletproof hosts have long been used to facilitate cybercrime,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “They hide in plain sight, looking like other legitimate providers. They do not cooperate with law enforcement investigations, providing cybercriminals cover for their activities.” 

• Cyberscoop relates,
  • “The Securities and Exchange Commission on Thursday [November 20, 2025,] dropped its case against SolarWinds and its chief information security officer over its handling of an alleged Russian cyberespionage campaign uncovered in 2020, an incident that penetrated at least nine federal agencies and hundreds of companies.
  • “The SEC’s decision brings to a halt one of the more divisive steps under the Biden administration to hold companies’ feet to the fire over their security failings, a groundbreaking suit that a judge last year dismissed in significant measure.
  • “It comes the same day the Federal Communications Commission rescinded Biden-era cyber regulations the FCC wrote in response to another major cyberespionage campaign that saw alleged Chinese hackers infiltrate telecommunications carriers.
  • Two years ago, the SEC took action against SolarWinds and its CISO, Tim Brown, over claims that it didn’t adequately disclose the Sunburst attack that began in 2019, as well as over other security assertions the company made.
  • “The SEC litigation notice Thursday didn’t explain why it had dropped the case. An SEC spokesperson declined to comment beyond the notice.
  • ‘A SolarWinds spokesperson said the company welcomed the SEC decision. The mere threat of SEC action two years ago had panicked some cyber executives who said it could create a chilling effect to disclose cyber information.”

From the cybersecurity vulnerabilities and breaches front,

• Security Week informs us,
  • “Outages hit a wide range of online services, including ChatGPT, X, Dropbox, Shopify, and the game League of Legends. The incident has also reportedly caused some disruptions to websites and other digital services associated with critical organizations such as New Jersey Transit, New York City Emergency Management, and the French national railway company SNCF.
  • “Cloudflare initially reported seeing a “spike in unusual traffic”, which led some to believe that the outage may be the result of a cyberattack.
  • “However, Cloudflare CTO Dane Knecht pointed out on Tuesday morning [November 18, 2025,] that it was not an attack.
  • “Instead, Knecht said, “a latent bug in a service underpinning our bot mitigation capability started to crash after a routine configuration change we made. That cascaded into a broad degradation to our network and other services.”
  • “That issue, impact it caused, and time to resolution is unacceptable. Work is already underway to make sure it does not happen again, but I know it caused real pain today,” he added.

• Cybersecurity Dive adds,
  • “Microsoft said Monday [November 17, 2025,] it was able to neutralize a record breaking distributed denial of service attack against its Azure service in late October. 
  • “The multivector attack, measuring 15.72 Tbps and almost 3.64 billion packets per second, was the largest single attack in the cloud ever recorded, according to the company.
  • “The company traced the attack to the Aisuru botnet, which often targets compromised home routers and cameras. Most of the threat activity linked to Aisuru involved residential internet service providers in the U.S., but also includes other countries, according to Microsoft.”

• Dark Reading points out,
  • “In a near replica of a separate campaign this summer, hackers connected to the ShinyHunters extortion operation have once again breached many organizations’ Salesforce instances via a third-party integration.
  • “Following a spring vishing campaign targeting organizations’ Salesforce environments, a ShinyHunters-adjacent threat group hit Salesforce again in August. The threat actors performed a supply chain breach through Salesloft’s Drift, an integrated application that uses artificial intelligence (AI) to automate marketing and sales processes. They broke into Salesloft, stole OAuth tokens that connect Drift and Salesforce, and used them to reach hundreds of organizations’ Salesforce environments, with all of the powers and permissions within Salesforce that those organizations had granted the Drift app.” * * *
  • “Researchers from the Google Threat Intelligence Group (GTIG) have publicly attributed the attack to hackers tied to ShinyHunters, and said that more than 200 customer instances have been impacted. DataBreaches.net directly contacted the group, which confirmed responsibility, claiming that between Drift and Gainsight the group has gained access to Salesforce data for nearly 1,000 organizations. 
  • “Dark Reading has not independently confirmed that these organizations have been affected.”
• and
  • “For more than half a decade now, a Chinese state-aligned threat actor has been spying on Chinese organizations by infecting their trusted software updates.
  • “When the SolarWinds breach was unearthed in 2020, it might have seemed like a uniquely devious event in cybersecurity history. But cyberattackers and cybersecurity researchers have been finding other, novel ways of poisoning software updates since then.
  • “PlushDaemon” is one such group that has quietly, for quite a while now, been taking its own approach to the update hijack. Like Chinese advanced persistent threats (APTs) often do, it infects organizations through their edge devices. But where most APTs use edge devices as initial entry points to deeper network compromise, researchers at ESET have found that PlushDaemon uses them in its own way. It hijacks network traffic using a specially designed implant, re-routes legitimate software update requests to its own infrastructure, and then serves victims malicious substitutes.”

• CISA added three known exploited vulnerabilities to its catalog this week.
  • November 18, 2025
    • CVE-2025-58034 Fortinet FortiWeb OS Command Code Injection Vulnerability 
      • Cybersecurity Dive and Dark Reading discuss this KVE.
  • November 19, 2025
    • “CVE-2025-13223 Google Chromium V8 Type Confusion Vulnerability”
  • November 21, 2025,
    • CVE-2025-61757 Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability 
      • Bleeping Computer discusses this KVE here.

• Cyberscoop adds,
  • “Federal, state, and local government agencies face a critical vulnerability hiding in plain sight: outdated web forms collecting citizen data through insecure channels. While agencies invest in perimeter security and threat detection, many continue using legacy forms built years ago without modern encryption, authentication, or compliance capabilities. These aging systems collect Social Security numbers, financial records, health information, and security clearance data through technology that cannot meet current federal security standards.
  • “The scope of the problem is substantial. Government agencies allocate 80% of IT budgets to maintaining legacy systems, starving modernization efforts while feeding outdated technology. The federal government’s 10 most critical legacy systems—ranging from 8 to 51 years old—cost $337 million annually to operate and maintain, with total projected spending on legacy systems reaching $2.4 billion by 2030. Meanwhile, government data breaches cost an average of $10.22 million per incident in the United States—the highest globally.” * * *
  • “Legacy government web forms that do implement encryption often use outdated protocols that no longer meet regulatory requirements. Older systems rely on SHA-1 hashing and TLS 1.0, which are vulnerable to known exploits and don’t meet NIST, CJIS, or HIPAA requirements. Without HTTP Strict Transport Security enforcement, browsers don’t automatically use secure connections, allowing users to access unencrypted form pages.”
    
• Per Bleeping Computer,
  • “American cybersecurity company SonicWall urged customers today [November 20, 2025,] to patch a high-severity SonicOS SSLVPN security flaw that can allow attackers to crash vulnerable firewalls.
  • Tracked as CVE-2025-40601, this denial-of-service vulnerability is caused by a stack-based buffer overflow impacting Gen8 and Gen7 (hardware and virtual) firewalls.
  • “A Stack-based buffer overflow vulnerability in the SonicOS SSLVPN service allows a remote unauthenticated attacker to cause Denial of Service (DoS), which could cause an impacted firewall to crash,” SonicWall said.
• and
  • “American cybersecurity firm CrowdStrike has confirmed that an insider shared screenshots taken on internal systems with hackers after they were leaked on Telegram by the Scattered Lapsus$ Hunters threat actors.
  • “However, the company noted that its systems were not breached as a result of this incident and that customers’ data was not compromised.
  • “We identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally,” a CrowdStrike spokesperson told BleepingComputer today.
  • “Our systems were never compromised, and customers remained protected throughout. We have turned the case over to relevant law enforcement agencies.”

From the ransomware front,

• Bleeping Computer reports,
  • “An in-development build of the upcoming ShinySp1d3r ransomware-as-a-service platform has surfaced, offering a preview of the upcoming extortion operation.
  • “ShinySp1d3r is the name of an emerging RaaS created by threat actors associated with the ShinyHunters and Scattered Spider extortion groups.
  • “These threat actors have traditionally used other ransomware gangs’ encryptors in attacks, including ALPHV/BlackCat, Qilin, RansomHub, and DragonForce, but are now creating their own operation to deploy attacks themselves and their affiliates.
  • “News of the upcoming RaaS first came to light on a Telegram channel, where threat actors calling themselves “Scattered Lapsus$ Hunters,” from the names of the three gangs forming the collective (Scattered Spider, Lapsus$, and ShinyHunters), were attempting to extort victims of data theft at Salesforce and Jaguar Land Rover (JLR).”
    
• eSecurity Planets adds,
  • “A fast-moving ransomware group known as “The Gentlemen” has emerged as one of 2025’s most aggressive cybercrime operations, rapidly scaling its attacks across Windows, Linux, and ESXi environments. 
  • “First observed in July 2025, the group has already listed 48 victims on its leak site and continues to release new, highly capable ransomware variants. 
  • “Cybereason researchers said the group “… blends mature ransomware techniques with RaaS features, dual‑extortion, cross‑platform (Windows/Linux/ESXi) lockers, automated persistence, flexible propagation, and affiliate support, allowing it to scale attacks and evade basic defenses quickly.
  • “The Gentlemen ransomware group relies on tried-and-true tactics borrowed from other successful RaaS operations. Organizations can stay ahead by validating their defenses against these established methods before attackers utilize them,” said Hüseyin Can Yüceel, Security Research Lead at Picus Security.”

• Cyber Press relates,
  • “The notorious Clop ransomware gang, also tracked as Graceful Spider, has escalated its latest extortion campaign by listing Oracle Corporation on its dark web leak site. 
  • “The group claims to have successfully breached the tech giant’s internal systems using a critical zero-day vulnerability in Oracle E-Business Suite (EBS), designated as CVE-2025-61882. 
  • ‘This marks a significant development in supply chain attacks, with Oracle potentially falling victim to a flaw in its own software.​”

• Per Bleeping Computer, Huntress Labs offers a look into a Qilin ransomware investigation.

From the cybersecurity business and defenses front,

• The Wall Street Journal reports
  • “Palo Alto Networks PANW is buying the observability platform Chronosphere for $3.35 billion, the latest acquisition by the cybersecurity company to capitalize on an AI-intensive economy.
  • The Santa Clara, Calif.-based company said Wednesday the cash-and-stock deal will address demands for observability in the rapidly expanding artificial-intelligence data center market, combining Chronosphere’s observability architecture with Palo Alto Networks’ AI-powered AgentiX tool.
  • “Once we leverage AgentiX with Chronosphere, we will take observability from simple dashboards to real-time, agentic remediation,” Palo Alto Networks Chief Executive Nikesh Arora said. “We are excited to not just enter this space, but to disrupt it.”
  • “The deal is expected to close in the second half of Palo Alto Networks’ fiscal 2026.
  • “The deal came as Palo Alto Networks posted higher revenue in its latest quarter and raised its top-line view for the year.”

• CISA announced a #SecuretheSeason campaign promoting online shopping safety.

• Per Dark Reading,
  • “Editors from Dark Reading, Cybersecurity Dive, and TechTarget Search Security break down the depressing state of cybersecurity awareness campaigns and how organizations can overcome basic struggles with password hygiene and phishing attacks.”
• and
  • “Securing the Win: What Cybersecurity Can Learn from the Paddock. A Formula 1 pit crew demonstrates the basic principles of how modern security teams should work.”

• Here is a link to Dark Reading’s CISO Corner.