Happy New Year!

From the cybersecurity policy and law enforcement front,

• Federal News Network points out five things to watch in cybersecurity policy at the federal level during 2026.
  • “New national cyber strategy”
  • “AI and cyber”
  • “CISA 2015 reauthorization”
  • “CIRCIA rule” and
  • “Cyber leader gaps”

• Security Week reports,
  • “Two cybersecurity professionals from the United States have pleaded guilty to charges related to their role in BlackCat/Alphv ransomware attacks, the Justice Department announced this week [December 30].
  • “Three individuals were charged in October for allegedly conducting ransomware attacks against several US-based companies. Two of the suspects, 36-year-old Kevin Martin from Texas and an unnamed individual, were employed as ransomware negotiators at threat intelligence and incident response firm DigitalMint.
  • “The third suspect, 40-year-old Ryan Goldberg from Georgia, worked as an incident response manager at cybersecurity company Sygnia.
  • “The three are accused of hacking into the systems of several companies, stealing valuable information, and deploying BlackCat ransomware. 
  • “Based on the Justice Department’s description of the scheme, the suspects were BlackCat ransomware affiliates, paying 20% of the ransoms they received from victims to the administrators of the ransomware operation in exchange for access to the file-encrypting malware and a platform designed for managing extortions.”

From the cybersecurity breaches and vulnerabilities front,

• Bleeping Computer points out the 15 biggest cybersecurity and cyber attack stories of 2025.

• Security Week adds,
  • “Insurance giant Aflac is notifying roughly 22.65 million people that their personal information was stolen from its systems in June 2025.
  • “The company disclosed the intrusion on June 20, saying it had identified suspicious activity on its network in the US on June 12 and blaming it on a sophisticated cybercrime group.
  • “The company said it immediately contained the attack and engaged with third-party cybersecurity experts to help with incident response. Aflac’s operations were not affected, as file-encrypting ransomware was not deployed.
  • “Just before Christmas, the Columbus, Georgia-based company announced it had completed its investigation into the potentially compromised data and had started notifying the affected individuals.
  • “Based on our review of potentially impacted files, we have determined personal information associated with approximately 22.65 million individuals was involved,” the company said.
  • “The compromised information, the insurance giant says, includes names, addresses, Social Security numbers, dates of birth, driver’s license numbers, government ID numbers, medical and health insurance information, and other data.”

• The Cybersecurity and Infrastructure Security Agency (CISA) added one known exploited vulnerability to its catalog this week.
  • December 29, 2025
    • CVE-2025-14847. MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability 
      • Cyberscoop discusses this KVE here.

• Bleeping Computer informs us,
  • “IBM urged customers to patch a critical authentication bypass vulnerability in its API Connect enterprise platform that could allow attackers to access apps remotely.
  • “API Connect is an application programming interface (API) gateway that enables organizations to develop, test, and manage APIs and provide controlled access to internal services for applications, business partners, and external developers.
  • “Available in on-premises, cloud, or hybrid deployments, API Connect is used by hundreds of companies in banking, healthcare, retail, and telecommunications sectors.
  • “Tracked as CVE-2025-13915 and rated 9.8/10 in severity, this authentication bypass security flaw affects IBM API Connect versions 10.0.11.0 and 10.0.8.0 through 10.0.8.5.
  • “Successful exploitation enables unauthenticated threat actors to remotely access exposed applications by circumventing authentication in low-complexity attacks that don’t require user interaction.”
• and
  • “Over 10,000 Fortinet firewalls are still exposed online and vulnerable to ongoing attacks exploiting a five-year-old critical two-factor authentication (2FA) bypass vulnerability.
  • “Fortinet released FortiOS versions 6.4.1, 6.2.4, and 6.0.10 in July 2020 to address this flaw (tracked as CVE-2020-12812) and advised admins who couldn’t immediately patch to turn off username-case-sensitivity to block 2FA bypass attempts targeting their devices.
  • “This improper authentication security flaw (rated 9.8/10 in severity) was found in FortiGate SSL VPN and allows attackers to log in to unpatched firewalls without being prompted for the second factor of authentication (FortiToken) when the username’s case is changed.
  • “Last week, Fortinet warned customers that attackers are still exploiting CVE-2020-12812, targeting firewalls with vulnerable configurations that require LDAP (Lightweight Directory Access Protocol) to be enabled.
  • “Fortinet has observed recent abuse of the July 2020 vulnerability FG-IR-19-283 / CVE-2020-12812 in the wild based on specific configurations,” the company said.”
• and
  • “Trust Wallet believes the compromise of its web browser to steal roughly $8.5 million from over 2,500 crypto wallets is likely related to an “industry-wide” Sha1-Hulud attack in November.
  • “Trust Wallet, a crypto wallet used by over 200 million people, enables users to store, send, and receive Bitcoin, Ethereum, Solana, and thousands of other cryptocurrencies and digital tokens via a web browser extension and free mobile apps.
  • “As BleepingComputer previously reported, this December 24th incident resulted in the theft of millions of dollars in cryptocurrency from the compromised wallets of Trust Wallet users.
  • This happened after attackers added a malicious JavaScript file to version 2.68.0 of Trust Wallet’s Chrome extension, which stole sensitive wallet data and enabled threat actors to execute unauthorized transactions.
  • “Our Developer GitHub secrets were exposed in the attack, which gave the attacker access to our browser extension source code and the Chrome Web Store (CWS) API key,” the company said in a Tuesday [December 30] update.
• and
  • “A fourth wave of the “GlassWorm” campaign is targeting macOS developers with malicious VSCode/OpenVSX extensions that deliver trojanized versions of crypto wallet applications.
  • “Extensions in the OpenVSX registry and the Microsoft Visual Studio Marketplace expand the capabilities of a VS Code-compatible editor by adding features and productivity enhancements in the form of development tools, language support, or themes.
  • “The Microsoft marketplace is the official extension store for Visual Studio Code, whereas OpenVSX serves as an open, vendor-neutral alternative, primarily used by editors that do not support or choose not to rely on Microsoft’s proprietary marketplace.”
  • “The GlassWorm malware first appeared on the marketplaces in October, hidden inside malicious extensions using “invisible” Unicode characters.”
  • “Once installed, the malware attempted to steal credentials for GitHub, npm, and OpenVSX accounts, as well as cryptocurrency wallet data from multiple extensions. Additionally, it supported remote access through VNC and can route traffic through the victim’s machine via a SOCKS proxy.
  • “Despite the public exposure and increased defenses, GlassWorm returned in early November on OpenVSX and then again in early December on VSCode.”

From the ransomware front,

• Cybersecurity Insiders recounts the top ransomware attacks of 2025.

• SC Media tells us,
  • “HackRead reports that U.S. automaker Chrysler had over 1 TB of data, including more than 105 GB of Salesforce-related information, claimed to have been exfiltrated by the Everest ransomware gang.
  • “Allegedly included in the stolen data trove spanning between 2021 and 2025 were personal and operational records from customers, internal agents, and dealers, with screenshots revealing internal spreadsheets, structured databases, CRM exports, and directory trees, as well as customer interaction logs with names, physical and email addresses, phone numbers, vehicle details, recall case notes, and call outcomes.” * * *
  • “Everest has warned that it would release not only the entire dataset but also customer service-related audio recordings purportedly stolen from Chrysler should it refuse to fulfill its demands.”
    
• Morphisec points out,
  • “In Morphisec’s recent CTO Briefing: The State of Ransomware, CTO Michael Gorelik highlighted one of the most significant and troubling shifts in the ransomware landscape: many ransomware attacks no longer involve encryption at all.   
  • “Instead, attackers quietly steal sensitive data—sometimes over weeks or months—and then extort victims long after the breach. This “ransomware without encryption” model is growing rapidly because it has lower risk for attackers, harder for defenders to detect, and nearly impossible for victims to investigate once logs have aged out.”  

From the cybersecurity defenses front,

• Dark Reading calls attention to
  • “Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats. Cybersecurity experts discuss 2026 predictions, highlighting the rise of AI-driven threats, the shift to resilience over prevention, and the urgent need for advanced security measures to combat evolving risks”
• and
  • “5 Threats That Defined Security in 2025. 2025 included a number of monumental threats, from global nation-state attacks to a critical vulnerability under widespread exploitation.”
    • “Salt Typhoon continues its onslaught”
    • “CISA see big layoffs and budget cuts”
    • “React2Shell carries echos of Log4Shell.
    • “Shai-Hulud opens floodgates on self-propagating Open Source Malware.” and
    • “Threat Campaigns Target Salesforce Customers.”
• and
  • “The Ivanti Endpoint Manager Mobile (EPMM) zero-day attacks, which began last spring and lasted well into the summer as attackers took advantage of patching lag, were one of the top cyber-stories of 2025, sending thousands of victims to the depths of the data exfiltration sea. A recent deep-dive into the wreckage of those attacks highlights the risk inherent in buggy endpoint management systems — a concern that needs to be a higher priority than it typically is, one researcher argues.”

• SC Media notes,
  • “A whopping 99% of security leaders plan to increase their cybersecurity budgets over the next two to three years, signaling that cybersecurity has become a critical business imperative, according to a KPMG Cybersecurity Survey released earlier this month.
  • “KPMG’s survey, which polled more than 300 C-suite and senior security leaders, found that the projected spending increases come at a time when 83% of organizations report a rise in cyberattacks, which include everything from phishing and ransomware to more advanced AI-powered social-engineering schemes.
  • “The data doesn’t just point to steady growth, it signals a potential boom,” said Michael Isensee, cybersecurity and tech risk leader, KPMG LLP. “We’re seeing a major market pivot where cybersecurity is now a fundamental driver of business strategy.
  • “Leaders are moving beyond reactive defense and are actively investing to build a security posture that can withstand future shocks, especially from AI and other emerging technologies,” continued Isensee. “This isn’t just about spending more, it’s about strategic investment in resilience.”

• Security Affairs warns,
  • “Your next breach probably won’t start inside your network—it will start with someone you trust. Every supplier, contractor, and service provider needs access to your systems to keep business running, yet each login is a potential doorway for attackers. Access management is meant to control the risks of granting that access, but weak controls and poor hygiene remain the norm. The Thales Digital Trust Index report, Third-Party Edition, highlights that over half of surveyed professionals (51%) keep access to partner systems for days or even a month after they no longer need it, turning everyday collaborations into hidden vulnerabilities that accumulate over time.
  • “Ask yourself: Are you evaluating and managing these risks well enough? If the answer isn’t clear, it’s time to revisit the basics of identity lifecycle management. Supply chain risks are preventable—but only if they aren’t tolerated or ignored. This article is a primer on how to ensure B2B collaboration remains a source of agility and resilience, not your Achilles’ heel.”

• Here is a link to Dark Reading’s CISO Corner.

From the cybersecurity law enforcement front,

From the cybersecurity policy and law enforcement front,

• Cyberscoop reports,
  • “The National Institute of Standards and Technology announced that it will partner with The MITRE Corporation on a $20 million project to stand up two new research centers focused on artificial intelligence, including how the technology may impact cybersecurity for U.S. critical infrastructure.
  • “On Monday [December 22], the agency said one center will focus on advanced manufacturing while the second — the AI Economic Security Center to Secure U.S. Critical Infrastructure from Cyberthreats — will focus more directly on how industries that provide water, electricity, internet and other essential services can protect and maintain services in the face of AI-enabled threats. According to NIST, the centers will “drive the development and adoption” of AI-driven tools, including agentic AI solutions.
  • “The centers will develop the technology evaluations and advancements that are necessary to effectively protect U.S. dominance in AI innovation, address threats from adversaries’ use of AI, and reduce risks from reliance on insecure AI,” spokesperson Jennifer Huergo wrote in an agency release.

• Federal News Network interviewed “a panel of former federal executives for their opinions about 2025 and what federal IT and acquisition storylines stood out over the last 12 months.”

• Security Week tells us,
  • “The US Justice Department announced on Monday [December 22] the seizure of a web domain and a password database used by a cybercrime group to steal millions of dollars from bank accounts.
  • “According to the DOJ, the seized domain, web3adspanels.org, hosted a backend web panel used by the cybercriminals to store and manipulate thousands of stolen bank login credentials.
  • The threat actor conducted a massive bank account takeover scheme that involved malicious ads on search engines such as Google and Bing in an effort to lure users to fake bank websites.
  • “These phishing sites tricked victims into handing over their login credentials, which the cybercriminals could then use to access and drain their bank accounts.
  • “The FBI has identified nearly 20 victims in the US, including two companies, and has determined that the cybercriminals attempted to steal roughly $28 million, with the actual losses estimated at approximately $14.6 million.” 

• Bleeping Computer informs us,
  • “An Interpol-coordinated initiative called Operation Sentinel led to the arrest of 574 individuals and the recovery of $3 million linked to business email compromise, extortion, and ransomware incidents.
  • “Between October 27 and November 27, the investigation, which involved law enforcement in 19 countries, took down more than 6,000 malicious links and decrypted six distinct ransomware variants.
  • “Interpol says that the cybercrime cases investigated are connected to more than $21 million in financial losses.”

From the cybersecurity breaches and vulnerabilities front,

• Cybersecurity Dive reports,
  • “WatchGuard warns that a critical vulnerability in its Firebox devices is facing exploitation as part of a campaign targeting edge devices, according to an advisory from the company. 
  • “The flaw, tracked as CVE-2025-14733, involves an out-of-bounds write vulnerability in the Fireware OS internet key exchange daemon process. An unauthenticated attacker can achieve remote code execution. 
  • “WatchGuard said it discovered the flaw through an internal process and issued a patch on Thursday. 
  • “Since the fix became available, our partners and end users have been actively patching affected Firebox appliances,” a WatchGuard spokesperson told Cybersecurity Dive. “We continue to strongly encourage timely patching as a core best practice in security hygiene.”

• Security Week shares information about the Watchguard patch.

• Dark Reading points out,
  • “Much has been said about IT worker scams in the last few years, but it’s not every day that we get a glimpse into how pervasive the issue has become. 
  • “Stephen Schmidt, senior vice president and chief security officer at Amazon, wrote on LinkedIn over the weekend that the company has prevented “more than 1,800 suspected DPRK operatives from joining [Amazon] since April 2024, and we’ve detected 27% more DPRK-affiliated applications quarter-over-quarter this year.” 
  • “IT worker scams involve operatives working as part of or on behalf of a government try to gain remote IT employment. It is most often associated with North Korea (DPRK), but that’s not the only entity engaging in this practice. While one primary goal may be the worker gaining a foothold in a network for espionage purposes or for sensitive IP theft (and these things do happen), Schmidt, who wrote about North Korean worker scams specifically, highlighted another reason: “Their objective is typically straightforward: get hired, get paid, and funnel wages back to fund the regime’s weapons programs,” he wrote.

• The Wall Street Journal relates,
  • “AI is making cybercriminals more efficient, enabling them to scale up operations and create more targeted and convincing scams.
  • “Thanks to AI, criminals are getting better at finding targets—for example, by scanning social media to identify people going through big life changes.
  • “Most experts don’t think fully autonomous AI cyberattacks are possible yet in the real world, but research has shown that AI is capable of planning and carrying out an attack on its own in a lab.”

•  Per SC Media,
  • “A series of campaigns were observed targeting the financial sector across multiple continents worldwide — attacks that exhibited the tradecraft of North Korean-affiliated threat actors.
  • “In a Dec. 18 white paper, Darktrace researchers said the attacks leveraged advanced social engineering focused on job hunters, spear-phishing, React2Shell exploitation, and a new Beavertail malware variant.
  • “While the initial access vector remains unknown, Darktrace said evidence suggests it originated from a malicious npm package hosted on GitHub or GitLab — behavior that aligns with the Lazarus Group’s history of exploiting supply-chain vulnerabilities.
  • “According to Darktrace, the attackers used Beavertail for initial credential theft, followed by heavily obfuscated Python scripts and Tsunami modules, hallmarks of a “well-resourced adversary.”

• Cyber Insider adds,
  • “A malicious NPM package masquerading as a WhatsApp API library has been discovered exfiltrating users’ messages, credentials, contacts, and media, all while delivering fully functional code.
  • “The package, named lotusbail, had been available on the NPM registry for over six months, amassing more than 56,000 downloads before its true purpose came to light.
  • “The discovery was made by Koi Security, whose researchers published a detailed technical report over the weekend, outlining the package’s behavior. The threat actor behind lotusbail cloned the legitimate @whiskeysockets/baileys WhatsApp Web API library and inserted advanced malware designed to siphon off sensitive user data during normal operation.”

• CISA added one new known exploited vulnerability to its catalog this week.
  • December 22, 2025
    • CVE-2023-52163 Digiever DS-2105 Pro Missing Authorization Vulnerability 
      • The Hacker News discusses this KVE here.

From the ransomware front,

• Cybersecurity Dive reports,
  • A Cybersecurity and Infrastructure Security Agency program that warns organizations about imminent ransomware attacks has suffered a major setback after its lead staffer left the agency rather than take a forced reassignment.
  • David Stern, the driving force behind CISA’s Pre-Ransomware Notification Initiative (PRNI) — through which the agency alerts organizations that ransomware actors are preparing to encrypt or steal their data — resigned on Dec. 19, according to four people familiar with the matter. The Department of Homeland Security had ordered Stern to take a job at the Federal Emergency Management Agency in Boston or quit, and Stern chose the latter, three of the people said. * * *
  • “The fate of the warning initiative is now unclear. In a statement, CISA Director of Public Affairs Marci McCarthy said the program “has not stopped and continues to operate as a key element in CISA’s efforts to defeat ransomware attacks.” One person familiar with the matter said the agency is preparing several staffers to take over for Stern. But others said the program relied heavily on Stern’s trusted relationships with the organizations that alert CISA to pending ransomware attacks.”
    
• InfoSecurity Magazine explores this year’s top ransomware trends.

• The HIPAA Journal tells us,
  • “Madison, WI-based ARC Community Services, a provider of behavioral health, substance use disorder treatment, and support services to women and children, has experienced a ransomware attack involving the theft of sensitive data from its network.” The attack occurred in November 2024.

• CSO informs us,
  • “A recent upgrade to the RansomHouse ransomware operation has added new concerns for enterprise defenders, introducing a multi-layered encryption update to the group’s double-extortion RaaS model.
  • “Also tracked under the cluster Jolly Scorpius, the ransomware gang has transitioned from a simple, single-phase encryption routine to a multi-layered dual-key encryption architecture that increases the complexity of its extortion operations.
  • “Detailed by Palo Alto Networks’ threat intelligence team, the update raises the bar for recovery once systems are compromised. The change affects how files are processed and encrypted during an attack, complicating analysis and limiting defenders’ ability to recover data without paying a ransom.”

From the cybersecurity business and defenses front,

• The Wall Street Journal reports,
  • Artificial-intelligence software company ServiceNow NOW agreed to acquire cybersecurity startup Armis for about $7.75 billion in cash in a move intended to take advantage of growing demand for AI security.
  • Armis recently raised $435 million in a funding round that valued the company at $6.1 billion, and it had been planning for an initial public offering at the end of 2026 or early 2027.
  • ServiceNow said on Tuesday that the acquisition would triple its market opportunity for security and risk solutions and entrench its position in the market for securing AI technology.
  • The increasing integration of AI tools into business workflows has raised worries that companies could become more vulnerable to cyberattacks and hacks.

• Cyberscoop lets us know,
  • “How to determine if agentic AI browsers are safe enough for your enterprise. Automation is transforming web browsing, enabling AI agents to perform tasks once handled by humans. Yet with greater convenience comes a complex security landscape that enterprises can’t afford to ignore.”

• Federal News Network discusses “The next cyber battlefield: Preparing federal networks for autonomous malware.”
  • “Recent research from Google’s Threat Intelligence Group has drawn new attention to a long-standing question in cybersecurity: How close are we to malware that can truly think and adapt on its own?
  • “Earlier this month, Google disclosed five experimental code families, including PROMPTFLUX and PROMPTSTEAL, that used large language models (LLMs) during execution to generate commands, rewrite portions of their own code, and adapt to their environment.
  • “While these findings are concerning, it’s important to note that “autonomous” malware is still in the early stages. But that’s precisely the point. Even in this primitive form, these early samples show how the threat landscape is rapidly evolving. Federal agencies now have a narrow window to prepare before those capabilities mature into operational threats.
  • “Autonomous malware represents a fundamental shift in cybersecurity, as this malicious code can reason about its surroundings, make tactical decisions, and evolve its behavior in real time. For federal networks built on complex systems and strict change-control policies, that evolution could eventually collapse traditional defense timelines and upend response models.”

• Per a CISA news release,
  • “NIST and CISA’s draft Interagency Report Protecting Tokens and Assertions from Forgery, Theft, and Misuse is now available for public comment through January 30, 2026. This report is in response to Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144, providing implementation guidance to help federal agencies and cloud service providers (CSPs) protect identity tokens and assertions from forgery, theft, and misuse.
  • “This report emphasizes the need for CSPs and cloud consumers, including government agencies, to better define their respective roles and responsibilities in managing identity and access management (IAM) controls in cloud environments. It establishes principles for both CSPs and cloud consumers, calling on CSPs to apply Secure by Designbest practices, and to prioritize transparency, configurability, and interoperability—empowering cloud consumers to better defend their diverse environments. It also calls upon government agencies to understand the architecture and deployment models of their procured CSPs to ensure proper alignment with risk posture and threat environment. 
  • “Comments on the report may be submitted to iam@list.nist.gov. Please visit NIST’s site for more information.” 

• Per Dark Reading,
  • “As More Coders Adopt AI Agents, Security Pitfalls Lurk in 2026. Developers are leaning more heavily on AI for code generation, but in 2026, the development pipeline and security need to be prioritized.”

• Here is a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• Cyberscoop reports,
  • “With a little more than a month left before a foundational cyber threat information sharing law expires for a second time, Congress might have to do another short-term extension as negotiations on a longer deal aren’t yet bearing fruit, a key lawmaker said Tuesday.
  • “House Homeland Security Chairman Andrew Garbarino, R-N.Y., said the problem with a long-term extension of the Cybersecurity Information Sharing Act of 2015, which provides legal protections to companies to share cyber threat data with the federal government and other companies, is that there are three different views about how to approach it.
  • “The Trump administration and some in the Senate want a clean, 10-year reauthorization of the law, which Congress extended last month until Jan. 30 as part of the legislation that ended the government shutdown, after the information sharing law lapsed in October. But a reauthorization without any changes could run into House opposition, Garbarino said.” * * *
  • “Senate Homeland Security and Governmental Affairs Committee Chairman Rand Paul, R-Ky., also has a version of the bill that focuses largely on language he said is needed to defend free speech. And Garbarino’s version takes yet another approach to tweaking the law.
  • “Unfortunately, I don’t think we’re close enough with the discussions on the Senate to get it to figure out which bill will pass and what will get done,” Garbarino said. That leaves another extension tied to any funding bill that replaces the legislation currently funding the government, which also runs through Jan. 30.”
• and
  • “Policymakers and companies are reckoning with increased reports over the past few months showing AI tools being leveraged to conduct cyber attacks on a larger and faster scale.
  • “Most notably, Anthropic reported last month that Chinese hackers had jailbroken and tricked its AI model Claude into assisting with a cyberespionage hacking campaign that ultimately targeted more than 30 entities around the world.
  • “The Claude-enabled Chinese hacks have underscored existing concerns among AI companies and policymakers that the technology’s development and relevance to offensive cybersecurity may be outpacing the cybersecurity, legal and policy responses being developed to defend against them.
  • “At a House Homeland Security hearing this week, Logan Graham, head of Anthropic’s red team, said the Chinese spying campaign demonstrates that worries about AI models being used to supercharge hacking are more than theoretical.”

• Cybersecurity Dive tells us,
  • “A top Senate Republican is pressing the Trump administration for a plan to address the cybersecurity consequences of the U.S.’s dependence on open-source software.
  • “Leaving our reliance on OSS unmonitored is exposing America to increasingly dangerous risks,” Senate Intelligence Committee Chair Tom Cotton, R-Okla., wrote in a Wednesday letter to National Cyber Director Sean Cairncross.
  • “Cotton cited recent incidents that highlighted the unstable and sometimes untrustworthy foundations of the open-source ecosystem, including the XZ Utils crisis, a Russian developer’s control of a package that the U.S. military uses for sensitive applications and the prevalence of code contributions by Chinese companies’ employees, who are bound by Chinese laws that could force them to disclose software flaws to Beijing before fixing them.”
• and
  • “The National Institute of Standards and Technology has prepared a companion to its widely used Cybersecurity Framework that focuses on how organizations can safely use AI.
  • “NIST’s Cybersecurity Framework Profile for Artificial Intelligence, which the agency released in draft form on Tuesday [December 16], describes how organizations can manage the cybersecurity challenges of different AI systems, improve their cyber defense capabilities with AI and block AI-powered cyberattacks. The document maps components of the Cybersecurity Framework (CSF) onto specific recommendations in each of those three areas, which NIST dubbed “secure,” “defend” and “thwart,” respectively.
  • “The three focus areas reflect the fact that AI is entering organizations’ awareness in different ways,” Barbara Cuthill, one of the profile’s authors, said in a statement. “But ultimately every organization will have to deal with all three.”
    
• Cyberscoop tells us,
  • “Federal prosecutors in Michigan say they have dismantled online infrastructure tied to an alleged money laundering operation that moved tens of millions of dollars in proceeds from ransomware and other cybercrime, along with indicting the service’s creator.
  • “The U.S. Attorney’s Office for the Eastern District of Michigan announced a coordinated action with international partners and the Michigan State Police targeting E-Note, a cryptocurrency exchange and payment processing service used to launder illicit funds. The announcement coincided with the unsealing of an indictment charging a Russian national, Mykhalio Petrovich Chudnovets, with one count of money laundering conspiracy.”
• and
  • “Former cybersecurity professionals Ryan Clifford Goldberg and Kevin Tyler Martin pleaded guilty Thursday to participating in a series of ransomware attacks in 2023 while they were employed at cybersecurity companies tasked with helping organizations respond to ransomware attacks.
  • “Goldberg, who was a manager of incident response at Sygnia, and Martin, a ransomware negotiator at DigitalMint at the time, collaborated with an unnamed co-conspirator to attack victim computers and networks and use ALPHV, also known as BlackCat, ransomware to extort payments.
  • “The plea deals mark a relatively quick turnaround as prosecutors successfully persuaded the pair to cop to their crimes less than three months after they were indicted in the U.S. District Court for the Southern District of Florida. Goldberg was arrested Sept. 22 and Martin was arrested Oct. 14.”
• and
  • “Artem Aleksandrovych Stryzhak, a 35-year-old Ukrainian national, pleaded guilty Friday to multiple crimes stemming from his involvement in a string of ransomware attacks targeting U.S. and Europe-based organizations from mid 2018 to late 2021. He faces up to 10 years in jail for conspiracy to commit fraud, including extortion. 
  • “Stryzhak was arrested in Spain in June 2024 and extradited to the United States in April. Authorities are still looking for his alleged co-conspirator Volodymyr Tymoshchuk and announced a $11 million reward for information leading to his arrest or conviction.
  • “The defendant used Nefilim ransomware to target high-revenue companies in the United States, steal data and extort victims,” Joseph Nocella, U.S. attorney for the Eastern District of New York, said in a statement.”

From the cybersecurity breaches and vulnerabilities front,

• Cybersecurity Dive reports,
  • “Apartment owner and developer Rockrose Development Corp. recently found that unauthorized individuals hacked its systems and claimed to have acquired confidential information, according to a letter posted to its website on Dec. 12. 
  • “The security breach occurred on July 4 and affected 47,392 people, according to a data breach notification submitted to Maine’s attorney general’s office. Rockrose discovered the issues on Nov. 14. 
  • “Rockrose determined that personally identifiable information for some individuals may have been impacted, which could indicate that the hackers accessed some sensitive areas of the network. That information could include name, Social Security number, taxpayer identification number, driver’s license number, passport number, bank account and routing numbers, health insurance information, medical information and online account credentials.”

• Cyberscoop adds,
  • “Fallout from React2Shell — a stubborn vulnerability that impacts wide swaths of the internet’s scaffolding — continues to spread as public exploits and stealth backdoors proliferate and worrying details emerge about the targets attackers are pursuing. 
  • “Threat researchers and incident responders are reacting to swift-moving developments on React2Shell with mounting concern. Cybercriminals, ransomware gangs and nation-state threat groups are all swarming to exploit the maximum-severity vulnerability.
  • Palo Alto Networks’ Unit 42 puts the latest victim count at more than 60 organizations, which have been impacted by attacks involving exploitation of CVE-2025-55182, which Meta and the React team publicly disclosed Dec. 3.
  • “Microsoft said it found “several hundred machines across a diverse set of organizations” that were compromised via exploitation resulting in remote-code execution. Post-exploitation activity in those attacks includes reverse shell implants, lateral movement, data theft and steps that allowed attackers to maintain access to targeted networks, Microsoft said in a research blog Tuesday [December 16]. 

• The Cybersecurity and Infrastructure Security Agency (“CISA”) added seven known exploited vulnerabilities to its catalog this week.
  • December 15, 2025
    • CVE-2025-14611 Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability
    • CVE-2025-43529 Apple Multiple Products Use-After-Free WebKit Vulnerability 
      • Kubelski Security discusses the Gladinet KVEs here.
      • The Center for Internet Security discusses the Apple KVEs here.
  • December 16, 2025
    • CVE-2025-59718 Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability 
      • Security Affairs discusses this KVE here.
  • December 17, 2025
    • CVE-2025-20393 Cisco Multiple Products Improper Input Validation Vulnerability
    • CVE-2025-40602 SonicWall SMA1000 Missing Authorization Vulnerability
    • CVE-2025-59374 ASUS Live Update Embedded Malicious Code Vulnerability
      • The Hacker News discusses the Cisco KVE here.
      • Security Week discusses the SonicWall KVE here.
      • Malwarebytes discusses the ASUS KVE here.
  • December 19, 2025
    • CVE-2025-14733 WatchGuard Firebox Out-of-Bounds Write Vulnerability 
      • Bleeping Computer discusses this KVE here.

• Cyberscoop relates,
  • “Cisco customers are confronting a fresh wave of attacks from a Chinese threat group that has actively exploited a critical zero-day vulnerability affecting the vendor’s software for email and web security since at least late November, the company said in an advisory Wednesday. 
  • “Cisco said it became aware of the attacks Dec. 10. The defect CVE-2025-20393, which has a CVSS rating of 10, is an improper input validation vulnerability affecting Cisco AsyncOS software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager that allows attackers to execute commands with unrestricted privileges and implant persistent backdoors on compromised devices.
  • “There is no patch for the vulnerability and Cisco declined to say when one would be made available. Cisco said “non-standard configurations” have been observed in compromised networks, specifically customer systems that are configured with a publicly exposed spam quarantine feature.
  • “Cisco Talos researchers attributed the attacks to a Chinese advanced persistent threat group it tracks as UAT-9686, which has used tooling and infrastructure consistent with other China state-sponsored threat groups such as APT41 and UNC5174.

• Cybersecurity Dive informs us,
  • “Multiple threat groups have been ramping up attacks using a technique called device code phishing to trick users into granting access to their Microsoft 365 accounts, according to a report Thursday from Proofpoint. 
  • “Hackers affiliated with China and Russia have used the technique in recent months to launch attacks. A number of criminal groups have used the same method to target M365 users as well. 
  • “This is a social engineering method that abuses a legitimate and trusted workflow for authorized access,” Sarah Sabotka, staff threat researcher at Proofpoint, told Cybersecurity Dive.”
• and
  • A coordinated, credential-based hacking campaign has been targeting Palo Alto Networks GlobalProtect services, as well as Cisco SSL VPNs, in a surge of mid-December attacks, according to a blog post Wednesday by GreyNoise. 
  • The threat activity does not involve targeting of any vulnerabilities, but uses automated scripted login attempts over two days. 
  • More than 1.7 million sessions were observed targeting Palo Alto Networks GlobalProtect and PAN-OS profiles over a 16-hour period, according to GreyNoise. More than 10,000 unique IPs were detected trying to log into GlobalProtect portals on Dec. 11.  
• and
  • “A Russia-linked hacker group has been targeting critical infrastructure organizations using vulnerabilities in their edge devices since at least 2021, highlighting an alarming shift toward exploiting well-known flaws in common networking equipment, Amazon’s threat intelligence team said Monday.
  • “The threat actor’s shift [toward edge devices] represents a concerning evolution,” Amazon researchers wrote in a blog post. “While customer misconfiguration targeting has been ongoing since at least 2022, the actor maintained sustained focus on this activity in 2025 while reducing investment in zero-day and N-day exploitation.”

• Bleeping Computer points out,
  • “The UEFI firmware implementation in some motherboards from ASUS, Gigabyte, MSI, and ASRock is vulnerable to direct memory access (DMA) attacks that can bypass early-boot memory protections.
  • “The security issue has received multiple identifiers (CVE-2025-11901, CVE-2025‑14302, CVE-2025-14303, and CVE-2025-14304) due to differences in vendor implementations.”

From the ransomware front,

• Cyber Press reports,
  • “SentinelLABS research indicates that large language models (LLMs) such as ChatGPT, Claude, and open-source alternatives are accelerating every stage of the ransomware lifecycle, from reconnaissance to negotiation. 
  • “However, analysts emphasize that these tools are improving speed and scale rather than introducing fundamentally new attack methods.
  • “By repurposing enterprise-grade AI workflows, ransomware actors are using models to automate tasks such as creating phishing content, drafting multilingual ransom notes, and triaging data across leaked datasets. 
  • “This enables threat actors to identify financially sensitive files and tailor extortion tactics across multiple languages with greater precision.” * * *
  • “The report finds that while law enforcement disruptions have weakened mega cartels such as LockBit, Conti, and REvil, smaller, short-lived groups such as Termite, Punisher, and Obscura are emerging rapidly. 
  • “These groups exploit LLM-driven workflows to emulate more experienced operators, reducing entry barriers and complicating attribution.”

• Manufacturing Business Technology adds,
  • “Sophos recently announced new findings from the Sophos State of Ransomware in Manufacturing and Production 2025 report which reveals that manufacturers are stopping more ransomware attacks before data can be encrypted.
  • “However, adversaries are increasingly stealing data and using extortion-only tactics to maintain pressure. As a result, more than half of manufacturing organizations impacted by encryption paid the ransom despite progress in defensive measures.”

• Bleeping Computer relates,
  • “The Clop ransomware gang (also known as Cl0p) is targeting Internet-exposed Gladinet CentreStack file servers in a new data theft extortion campaign.
  • “Gladinet CentreStack enables businesses to securely share files hosted on on-premises file servers through web browsers, mobile apps, and mapped drives without requiring a VPN. According to Gladinet, CentreStack “is used by thousands of businesses from over 49 countries.”
  • “Since April, Gladinet has released security updates to address several other security flaws that were exploited in attacks, some of them as zero-days.
  • “The Clop cybercrime gang is now scanning for and breaching CentreStack servers exposed online, with Curated Intel telling BleepingComputer that ransom notes are left on compromised servers.
  • “However, there is currently no information on the vulnerability Clop is exploiting to hack into CentreStack servers. It is unclear whether this is a zero-day flaw or a previously addressed bug that the owners of the hacked systems have yet to patch.”

• CSO offers advice on how to create a ransomware playbook that works.

From the cybersecurity business and defenses front,

• The Wall Street Journal reports,
  • “Blackstone is leading a $400 million investment in data-security firm Cyera that values the New York-based company at $9 billion, according to people familiar with the matter. 
  • “Cyera is among a crop of cybersecurity startups leveraging artificial intelligence to protect companies from new security vulnerabilities introduced by AI. The startup, founded in 2021 by former Israeli Defence Forces military intelligence officers Yotam Segev and Tamar Bar-Ilan, raised funding at a $6 billion valuation in June.”
• and
  • “Kevin Mandia, founder of the cybersecurity firm Mandiant—which was acquired by Alphabet’s GOOGL 0.61%increase; green up pointing triangle Google for $5.4 billion—has formed a new company called Armadin that will take on the imminent threat from AI hacking.
  • “The company aims to use artificial intelligence to supercharge the business of testing networks for vulnerabilities. Armadin raised $24 million in seed funding from Ballistic Ventures, a venture-capital firm co-founded by Mandia, and is in talks with Accel, GV and Kleiner Perkins to raise $100 million or more, people familiar with the matter said. The deal is expected to value the company at more than $600 million. The round isn’t finalized, and the details could still change.
  • “Known as red-teaming, this kind of service will become more important as hackers turn to AI to speed up their attacks, Mandia said in an interview.  
  • “Offense is going to be all-AI in under two years,” he said. “And because that’s going to happen, that means defense has to be autonomous. You can’t have a human in the loop or it’s going to be too slow.”

• CISA announced,
  • Today [December 19], the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency, and Canadian Centre for Cyber Security released an update to the Malware Analysis Report BRICKSTORM Backdoor with indicators of compromise (IOCs) and detection signatures for additional BRICKSTORM samples. This update provides information on additional samples, including Rust-based samples. These samples demonstrate advanced persistence and defense evasion mechanisms, such as running as background services, and enhanced command and control capabilities through encrypted WebSocket connections.
  • The update includes two new detection signatures in the form of YARA rules, enabling organizations to better identify BRICKSTORM-related activity. Organizations are strongly encouraged to deploy these updated IOCs and signatures, and to follow the detection guidance to scan for and respond to BRICKSTORM infections If BRICKSTORM, similar malware, or potentially related activity is detected, report the incident to CISA’s 24/7 Operations Center at contact@cisa.dhs.gov or (888) 282-0870.

• Cybersecurity Dive lets us know,
  • “Hybrid infrastructure that includes a mix of public/private cloud environments, on-premises workloads and air-gapped systems are preferred by security leaders as a way to boost resilience and better manage risk, according to a report Thursday by Trellix. 
  • “About 96% of chief information security officers said a hybrid model is the preferred approach to meet regulatory and compliance requirements, while 97% said such a model will help meet obligations related to data sovereignty and residency. 
  • “Ultimately, a CISO must ensure their teams, technology and business partners understand the specific shared responsibility model for each service they consume and implement the necessary controls to manage the daily risks that remain the customer’s responsibility,” Trellix CISO Michael Green told Cybersecurity Dive. “This often involves leveraging tools and governance processes designed to operate across multicloud and hybrid environments to provide consistent security posture and visibility.”

• An ISACA expert notes,
  • “Cybersecurity budgets are often built on assumptions, including the assumption that backups will always work, that insurance will cover the losses and that existing controls are “good enough.” Yet, when those assumptions fail, the operational fallout can be staggering. The City of Hamilton in Canada learned this lesson when a ransomware attack crippled nearly 80% of its network and left taxpayers facing a CAD $18.3 million recovery bill. Misplaced assumptions regarding backups, authentication, insurance and system resilience can lead organizations to underestimate risk and drive up the cost of a cyberattack.”

• Dark Reading offers advice on creating an AI adoption playbook and of course its CISO Corner.

From the cybersecurity policy and law enforcement front,

• Cyberscoop reports,
  • “The Defense Department would require that senior leaders have secure mobile phones, that personnel would get cybersecurity training that includes a focus on artificial intelligence and that cyber troops would have access to mental health services under a compromise annual defense policy bill released over the weekend.
  • “The deal between House and Senate negotiators on the fiscal 2026 National Defense Authorization Act (NDAA) [reached last weekend] is a massive piece of legislation that runs the gamut of the Pentagon, including a record-breaking $901 billion topline figure. It also has a grab bag of cybersecurity policy provisions.”

• Roll Call adds,
  • “Senate leaders plan for the chamber to vote next week to clear the bicameral compromise National Defense Authorization Act for President Donald Trump’s signature.
  • “As the fiscal 2026 bill edges closer to enactment, one of the few last-minute controversies shadowing it concerns whether the measure goes far enough to restrict military aircraft operations in close proximity to Ronald Reagan Washington National Airport.
  • “The Senate on Thursday [Decmber 11] voted 75-22 to take one procedural step closer to voting on the measure — agreeing to proceed to the legislation — which would authorize $900.6 billion for defense programs, mostly at the Pentagon.
  • “The chamber still plans to cast another procedural vote — set for Monday evening — and is expected to vote to clear the NDAA soon thereafter next week.
  • “The House passed the bill Wednesday [December 10} by a vote of 312-112.”

• The American Hospital Association News tells us,
  • “The Cybersecurity and Infrastructure Security Agency Dec. 11 released an update to its voluntary Cybersecurity Performance Goals, which includes measurable actions for critical infrastructure, including health care. The update aligns with the latest cybersecurity standards outlined by the National Institute of Standards and Technology and addresses the most common and impactful threats facing critical infrastructure. The guidance also highlights the role of governance in cybersecurity management, emphasizing accountability, risk management and strategic integration of cybersecurity into day-to-day operations.” 

• The HIPAA Journal relates,
  • “The College of Healthcare Information Management Executives (CHIME) and more than 100 U.S. hospital systems, healthcare provider organizations, and provider associations have called for the Department of Health and Human Services (HHS) to withdraw its proposed updates to the HIPAA Security Rule.
  • “The HIPAA Security Rule was enacted in 2002, nine years after HIPAA was signed into law, to establish security standards for electronic protected health information created, received, used, or maintained by a covered entity, with the requirements subsequently expanded to cover business associates of HIPAA-regulated entities. The Security Rule was written to be technology agnostic to avoid frequent rule changes in response to advances in technology; however, 22 years after its initial release, the HHS proposed a substantial update that specified many new cybersecurity requirements.” * * *
  • “While few healthcare industry stakeholders would disagree with the main purpose of the update – to improve healthcare cybersecurity and prevent costly and damaging cyberattacks that threaten patient safety – the proposed update attracted considerable criticism from healthcare and provider organizations. In February 2025, 8 industry associations, including CHIME, co-signed a letter to President Trump calling for the proposed update to be rescinded, pointing out that under the previous Trump administration, healthcare organizations were incentivized to adopt recognized cybersecurity best practices, and that was a better approach than imposing unreasonable cybersecurity mandates that would be costly and difficult to implement.
  • “In the December 8, 2025, joint stakeholder letter to HHS Secretary Robert F. Kennedy, Jr., the signatories called for the proposed update to be immediately withdrawn, and for the HHS to instead “conduct a collaborative outreach initiative with our organizations and other regulated entities that are impacted to develop practical and actionable cybersecurity standards for more robust protections of individuals’ health information, without the extreme and unnecessary regulatory burden that health care providers and other stakeholders would face under the crushing and unprecedented provisions of this Proposed Rule.”

• Per a National Institute of Standards and Technology news release,
  • “NIST Special Publication (SP) 800-70r5 ipd (Revision 5, initial public draft), National Checklist Program for IT Products – Guidelines for Checklist Users and Developers, is now available for public comment through January 16, 2026, at 11:59 PM (EST).
  • “NIST established the National Checklist Program (NCP) to facilitate the generation of security checklists from authoritative sources, centralize the location of checklists, and make checklists broadly accessible. SP 800-70r5 ipd describes the uses, benefits, and management of checklists and checklist control catalogs, as well as the policies, procedures, and general requirements for participation in the NCP.”

• Security Weeks informs us,
  • “The US government has announced rewards of up to $10 million for information on members of the Iranian hacking group known as Emennet Pasargad.
  • “The reward offers come roughly a year after a US-Israel joint advisory described the activities of the group, which was then identified by the name of its front company, Aria Sepehr Ayandehsazan (ASA).
  • “Noting that the group was previously identified as Emennet Pasargad, Ayandeh Sazan Sepehr Arya (ASSA), Eeleyanet Gostar, and Net Peygard Samavat Company, the US now calls it Shahid Shushtari.
  • “In the private sector, the threat group has been known as Cotton Sandstorm, Marnanbridge, and Haywire Kitten.”

• Cyberscoop adds,
  • “The Justice Department has charged a Ukrainian national with conducting cyberattacks on critical infrastructure worldwide as part of two Russian state-sponsored hacking operations that targeted water systems, food processing facilities and government networks across the United States and allied nations.
  • “Victoria Eduardovna Dubranova, 33, was arraigned on a second indictment Tuesday [December 9] after being extradited to the U.S. earlier this year. She faces charges related to her alleged work with CyberArmyofRussia_Reborn, known as CARR, and NoName057(16), two groups federal prosecutors say received backing from Moscow to advance Russian geopolitical interests. 
  • “Dubranova pleaded not guilty in both cases.”

From the cybersecurity breaches and vulnerabilities front,

• Bleeping Computer reports,
  • “MITRE has shared this year’s top 25 list of the most dangerous software weaknesses behind over 39,000 security vulnerabilities disclosed between June 2024 and June 2025.
  • “The list was released in cooperation with the Homeland Security Systems Engineering and Development Institute (HSSEDI) and the Cybersecurity and Infrastructure Security Agency (CISA), which manage and sponsor the Common Weakness Enumeration (CWE) program.
  • “Software weaknesses can be flaws, bugs, vulnerabilities, or errors found in a software’s code, implementation, architecture, or design, and attackers can abuse them to breach systems running the vulnerable software. Successful exploitation allows threat actors to gain control over compromised devices and trigger denial-of-service attacks or access sensitive data.

• Cyberscoop relates,
  • “Security experts have observed a steady increase in malicious activity from a widening pool of attackers seeking to exploit React2Shell, a critical vulnerability disclosed last week in React Server Components.
  • “Authorities are also responding to heightened concern about the defect, with the Cybersecurity and Infrastructure Security Agency shortening the deadline for agencies to patch the vulnerability to Friday [December 12] . The agency previously set a deadline of Dec. 26 when it added CVE-2025-55182 to its known exploited vulnerabilities catalog last week.
  • “Palo Alto Networks Unit 42 said more than 50 organizations are impacted by attacks involving exploitation of the vulnerability with victims observed in the United States, Asia, South America and the Middle East.” 

• Cybrsecurity Dive adds,
  • “React on Thursday [December 11] warned that customers will need to apply new upgrades amid the React2Shell crisis, after researchers discovered additional vulnerabilities, including a denial of service flaw and a source code exposure. 
  • “A denial of service vulnerability, tracked as CVE-2025-55184 and CVE-2025-67779, allows an attacker to craft a malicious HTTP request and send it to a Server Functions endpoint, which can lead to an infinite loop. The flaw has a severity score of 7.5. 
  • “The source code exposure, tracked as CVE-2025-55183, allows a malicious HTTP request sent to a vulnerable Server Function to unsafely return the source code of any Server Function.”

• The American Hospital Association News lets us know,
  • “U.S. and international agencies are warning of potential cyberattacks on health care and other critical infrastructure from state-sponsored cyber actors in Russia and China.
  • “An advisory released yesterday [December 11] warns of incidents by Russian hackers using internet-facing desktop-sharing systems to access operational technology and industrial control systems for malicious activity. A Dec. 4 report warns of Chinese state-sponsored cyber actors using BRICKSTORM malware to attack VMware vSphere and Windows cloud platforms.
  • “These nation-state level threats may be difficult for civilian network defenders to counter,” said John Riggi, AHA national advisor for cybersecurity and risk. “However, robust cyber threat information sharing between the private sector and the federal government, implementation of recommended practices, and the commendable and aggressive enforcement operations by the FBI and other agencies will help mitigate the threat. Organizations should also update, integrate and routinely test emergency preparedness, cyber incident response and clinical continuity plans should there be an extended technology outage affecting hospitals directly or indirectly through a cyberattack against mission-critical third parties.”

• CISA added seven known exploited vulnerabilities to its catalog this week.
  • December 8, 2025
    • CVE-2022-37055 D-Link Routers Buffer Overflow Vulnerability
    • CVE-2025-66644 Array Networks ArrayOS AG OS Command Injection Vulnerability
      • Cyber Press discusses the D-Link KVE here. 
      • F5 discusses the Array Networks KVE here.
  • December 9, 2025,
    • CVE-2025-6218 RARLAB WinRAR Path Traversal Vulnerability
    • CVE-2025-62221 Microsoft Windows Use After Free Vulnerability 
      • Cybersecurity News discusses the RARLAB KVE here.
      • Bleeping Computer discusses the Microsoft KVE here.
  • December 11, 2025
    • CVE-2025-58360 OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability 
      • Bleeping Computer discusses this KVE here.
  • December 12, 2025
    • CVE-2025-14174 Google Chromium Out-of-Bounds Memory Access Vulnerability
      • The Hacker News discusses this KVE here.
  • December 12, 2025 (double shot day, not a typo)
    • CVE-2018-4063 Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability
      • Windows Forum discusses this KVE here. 
        
• Bleeping Computer adds,
  • “Apple has released emergency updates to patch two zero-day vulnerabilities that were exploited in an “extremely sophisticated attack” targeting specific individuals.
  • “The zero-days are tracked as CVE-2025-43529 and CVE-2025-14174 and were both issued in response to the same reported exploitation.
  • “Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26,” reads Apple’s security bulletin.”

• Cybersecurity Dive notes,
  • “Utility-scale battery energy storage systems are facing heightened risks of attack from nation-state and criminal threat groups, and immediate action needs to be taken to secure critical industries from potential disruption, according to a white paper from Brattle Group and Dragos. 
  • BESS deployments are expected to grow between 20% and 45% over the next five years, driven by increased demand for data centers and other power requirements. At the same time, state-linked actors have turned their attention toward disrupting critical industries, such as utilities and rival nations competing with the U.S. for dominance in AI and clean energy.”

• Per Infosecurity Magazine,
  • “A new iteration of the ClayRat Android spyware featuring expanded surveillance and device-control functions has been identified by cybersecurity researchers.
  • “First seen in October, ClayRat was originally capable of stealing SMS messages, call logs and photos, as well as sending mass texts.
  • “The latest version introduces far broader capabilities by combining Default SMS privileges with extensive abuse of Accessibility Services.”

From the ransomware front,

• Cybersecurity Dive reports,
  • “Ransomware activity reached an all-time high in 2023, totaling more than 1,500 incidents and $1.1 billion in reported payments, before dropping the following year after two high-profile law enforcement takedowns.
  • “The two critical law enforcement actions were the 2023 U.S.-led takedown of AlphV/BlackCat and the 2024 disruption of LockBit by U.S. and U.K. authorities, according to a new U.S. government study.
  • “The report by the U.S. Treasury’s Financial Crimes Enforcement Networkshows ransomware fell to 1,476 incidents in 2024, with reported payments reaching $734 million. 
  • ‘More than $2.1 billion in ransomware payments were reported between 2022 and 2024, according to the report. 
  • “The medium amount of a single ransomware transaction rose from $122,097 in 2022 to $155,257 in 2024, according to the report. The most common payment amount was less than $250,000 during the period. 
  • ‘AlphV/BlackCat was the most prevalent ransomware variant during the 2022–2024 period, according to the report. The other most reported variants included Akira, LockBit, Phobos and Black Basta.” 

• Dark Reading adds,
  • “You may be familiar with ransomware-as-a-service (RaaS), but now there’s also packer-as-a-service.
  • “Security vendor Sophos on Dec. 6 published research on “Shanya,” a packer-as-a-service family that augments ransomware so it can avoid anti-malware software. While ransomware-as-a-service provides low-level attackers with extortion malware they might not be able to create otherwise, packers-as-a-service (PaaS) provide a shell around pre-existing ransomware that acts as an extra layer of obfuscation.
  • “Shanya covers ground previously paved by PaaS operation HeartCrypt, which over the past year has firmly entrenched itself in the modern ransomware ecosystem. Sophos’ Gabor Szappanos and Steeve Gaudreault say Shanya is “already favored by ransomware groups and taking over (to some degree) the role that HeartCrypt has played in the ransomware toolkit.”
• and
  • “Initial access broker Storm‑0249 has shifted from noisy, easily detected phishing attacks to highly targeted campaigns that are much harder to detect and stop. 
  • “According to ReliaQuest, Storm-0249, which is known for brokering network access to ransomware operators, is increasingly weaponizing legitimate endpoint detection and response (EDR) processes as well as built-in Windows utilities to carry out post-compromise activities. This includes poking around compromised systems to gather information, setting up command-and-control (C2) channels, and staying persistent in the environment. These new tactics let Storm‑0249 slip past defenses, get deep into networks, and operate almost completely under the radar, the security vendor said.”
• and
  • “A new attack uses SEO poisoning and popular AI models to deliver infostealer malware, all while leveraging legitimate domains. 
  • “ClickFix attacks have gained significant popularity over the past year, using otherwise benign CAPTCHA-style prompts to lure users into a false sense of security and then tricking them into executing malicious prompts against themselves. These prompts are often delivered through SEO poisoning and phishing campaigns, representing one of the fancier applications of social engineering in cybercrime to date.” 

• The Register points out,
  • “Researchers at security software vendor Huntress say they’ve noticed a huge increase in ransomware attacks on hypervisors and urged users to ensure they’re as secure as can be and properly backed up.
  • “Huntress case data revealed a stunning surge in hypervisor ransomware: its role in malicious encryption rocketed from just three percent in the first half of the year to 25 percent so far in the second half,” wrote Senior Hunt & Response Analyst Anna Pham, Technical Account Manager Ben Bernstein, and Senior Manager for Hunt & Response, Dray Agha in a Monday [December 8] post.
  • “The primary actor driving this trend is the Akira ransomware group,” the trio warned, adding that the gang, and other attackers, are going after hypervisors “in an attempt to circumvent endpoint and network security controls.”

From the cybersecurity business and defenses front,

• Security Week reports,
  • “Enterprise cybersecurity giant Proofpoint has completed the acquisition of Germany-based Microsoft 365 security solutions provider Hornetsecurity.
  • “Financial details were not officially disclosed when news of the transaction came to light, but it was reported that Proofpoint would be paying $1 billion for its European competitor. SecurityWeek learned at the time that the deal size well exceeded $1 billion.
  • “Proofpoint has now revealed that the transaction has been valued at $1.8 billion. 
  • “Through the acquisition of Hornetsecurity, Proofpoint is aggressively expanding its reach into the SMB market and strengthening its foothold in Europe.”

• Info Bank Security adds,
  • “An identity security stalwart led by the company’s longtime founder raised $700 million to support the management of non-human identities and agentic artificial intelligence.
  • “Los Angeles-based Saviynt plans to use the Series B proceeds to invest in core platform capabilities, AI governance protocols and deep integrations with the likes of AWS, Google and CrowdStrike, said Saviynt President Paul Zolfaghari. What was once about on premise human access is now a multidimensional challenge involving extended workforces, robotic accounts and AI-driven agents, Zolfaghari said.
  • “It was an opportunity to put in place the resources necessary to deliver on the vision for the future. The interest in identity security and AI has gone up quite a bit,” he said. “The amount is just a function of the resources that we think that we need for the foreseeable future. It’s an opportunity for us to have the resources we need while still maintaining the control and the culture that has gotten us to this point.”

• Cyberscoop relates,
  • “Global cybersecurity agencies have issued the first unified guidance on applying artificial intelligence (AI) within critical infrastructure, signaling a major shift from theoretical debate to practical guardrails for safety and reliability.
  • “The release of joint guidance on Principles for the Secure Integration of Artificial Intelligence in Operational Technology marks a meaningful milestone for critical infrastructure security because major global cybersecurity agencies, including CISA, the FBI, the NSA, the Australian Signals Directorate’s Australian Cyber Security Centre, and other partners, have aligned on a shared direction. As AI adoption accelerates across operational environments, this document moves us from theory to practice. It acknowledges AI’s promise while making clear that it also “introduces significant risks—such as operational technology (OT) process models drifting over time or safety-process bypasses” that operators must actively manage to ensure reliability.”

• Here is a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• Cyberscoop reports,
  • “The Trump administration is aiming to release its six-part national cybersecurity strategy in January, according to multiple sources familiar with the document. The document, which is a mere five pages long, will possibly be followed by an executive order to implement the new strategy.
  • “The administration has been soliciting feedback in recent days, which one source considered more of a “messaging” document than anything, with more important work to follow.
  • “According to sources familiar with the strategy, the six “pillars” focus on cyber offense and deterrence; aligning regulations to make them more uniform; bolstering the cyber workforce; federal procurement; critical infrastructure protection; and emerging technologies.”
• and
  • “A bipartisan group of senators are looking to tackle health care cybersecurity by reviving legislation that would update regulations and guidelines, authorize grants, offer training and clarify federal agency roles.
  • “It’s a subset of cybersecurity where Congress hasn’t enacted any sweeping changes to date. The resurrected Health Care Cybersecurity and Resiliency Act from Health, Education Labor and Pension Committee Chairman Bill Cassidy, R-La., and his colleagues on both sides of the aisle emerges from a 2023 bipartisan health care cybersecurity working group.
  • “Cassidy and his cosponsors — Mark Warner, D-Va., Maggie Hassan, D-N.H., and John Cornyn, R-Tex. — first introduced the bill in late November last year, with little time left in the session to take action on it before Congress adjourned at the beginning of 2025.
  • “Cyberattacks in the health care sector can have a wide range of devastating consequences, from exposing private medical information to disrupting care in ERs — and it can be particularly difficult for medical providers in rural communities with fewer resources to prevent and respond to these attacks,” Hassan said in a news release Thursday.”
• and
  • “Sean Plankey’s nomination to lead the Cybersecurity and Infrastructure Security Agency looks to be over following his exclusion from a Senate vote Thursday [December 4, 2025} to move forward on a panel of Trump administration picks.
  • “Multiple senators placed holds or threatened holds on his nomination, some related to cybersecurity. But the hold from Sen. Rick Scott, R-Fla., appeared to be the biggest hurdle. With Plankey’s exclusion from the resolution to advance a bevy of nominees that got a key vote Thursday, procedural issues make it unlikely that he will be the nominee going forward, sources told CyberScoop. The administration would have to re-submit his name for nomination next year.
  • “Scott’s hold was related to Department of Homeland Security Secretary Kristi Noem partially terminating a Coast Guard cutter program contract with Florida-based Eastern Shipbuilding Group, multiple sources told CyberScoop. The Government Accountability Office issued a critical report on the program.
  • “While awaiting confirmation, Plankey, a 13-year Coast Guard officer, has been serving as senior adviser to the secretary for the Coast Guard.” 

• Cybersecurity Dive tells us,
  • “A pair of U.S. senators wants to know how the government is tracking and responding to hackers’ use of AI platforms to conduct cyberattacks.
  • “The emerging threat to U.S. cybersecurity posed by foreign adversaries deploying autonomous AI systems requires a robust response from your office and other federal agencies,” Sens. Maggie Hassan, D-N.H., and Joni Ernst, R-Iowa, wrote in a Tuesday letter to National Cyber Director Sean Cairncross.
  • “The bipartisan letter comes several weeks after Anthropic revealed that Chinese government-linked hackers had manipulated the company’s Claude platform into breaching companies and government agencies around the world. The attack, which Anthropic called “the first documented case of a large-scale cyberattack executed without substantial human intervention,” has exacerbated worries within the security community about the growing offensive capabilities of AI tools.”

• In this regard, Cyberscoop calls attention to “More evidence your AI agents can be turned against you Aikido found that AI coding tools from Google, Anthropic, OpenAI and others regularly embed untrusted prompts into software development workflows.”

• Dark Reading relates,
  • “[On December 3, 2025,] [a] collection of agencies published guidance on the best way to defend AI deployments in operational technology (OT). 
  • “Such guidance seems necessary, given that on their own, AI and OT environments are two of the most sensitive, high-profile attack surfaces. AI is a prime target, due to the wide range of attack techniques emerging constantly, and OT because of its use in critical and industrial settings.
  • “The guidance was authored by the US’s CISA, FBI, and NSA Artificial Intelligence Security Center; the Australian Signals Directorate’s Australian Cyber Security Centre; the Canadian Centre for Cyber Security; the German Federal Office for Information Security; the Netherlands National Cyber Security Centre; the New Zealand National Cyber Security Centre; and the UK’s National Cyber Security Centre.”

• Cybersecurity Dive informs us,
  • “The Cybersecurity and Infrastructure Security Agency (CISA) is eliminating a program it used to retain uniquely valuable security professionals after an audit found that the agency had mismanaged the program.
  • “In 2015, CISA’s predecessor inside the Department of Homeland Security created the Cybersecurity Retention Incentive (CRI) program to offer extra money to employees who were likely to leave the government for higher-paying private-sector jobs. CRI incentives were intended to apply only to a narrow subset of CISA employees with specialized cybersecurity skills. But, in September, the DHS inspector general found that CISA was offering the incentives too broadly.
  • “In a statement to Cybersecurity Dive, CISA said it would soon end the CRI program.”

• Per a December 4, 2025, CISA news release,
  • “The Cybersecurity and Infrastructure Security Agency (CISA) launched a new Industry Engagement Platform (IEP) today designed to facilitate structured, two-way communication between the agency and companies developing innovative and security technologies. The IEP enables CISA to better understand emerging solutions across the technology ecosystem while giving industry a clear, transparent pathway to engage with the agency.
  • “With the launch of this new platform, we’re opening the door wider to innovation—giving industry a direct line to share the tools and technologies that can help CISA stay ahead of evolving threats,” said CISA Acting Director Madhu Gottumukkala. “The private sector drives innovation and this collaboration is essential to our national resilience.”
  • “The IEP allows organizations – including industry, non-profits, academia, government partners at all and the research community – with a structured process to request conversations with CISA subject matter experts to describe new technologies and capabilities. These engagements give innovators the opportunity to present solutions that may strengthen our nation’s cyber and infrastructure security.”

• Cyberscoop relates,
  • “Twin brothers Muneeb and Sohaib Akhter were arrested in Alexandria, Va., Wednesday [December 3, 2025} for allegedly stealing and destroying government data held by a government contractor minutes after they were fired from the company earlier this year, the Justice Department said.
  • “Prosecutors accuse the 34-year-old brothers of the crimes during a weeklong spree in February, compromising data from multiple federal agencies including the Department of Homeland Security, Internal Revenue Service and the Equal Employment Opportunity Commission.
  • “Authorities did not name the federal government contractor, which provides services and hosts data for more than 45 federal agencies, but the company was previously identified as Washington-based Opexus in a Bloomberg report about the insider attack earlier this year. Opexus did not immediately respond to a request for comment.”

• Security Week notes,
  • “The cryptocurrency mixer Cryptomixer has been shut down by law enforcement agencies in Europe for facilitating cybercrime and money laundering, Europol announced on Monday [December 1, 2025}.
  • “Accessible both from the clear and the dark web, Cryptomixer was a mixing service (tumbler) designed to help customers obscure the trail of their cryptocurrency by combining their deposits with those from other users into a large, pooled fund before sending back an equivalent amount of untraceable coins to a wallet specified by the customer.”

From the cybersecurity breaches and vulnerabilities front,

• Bleeping Computer reports,
  • “Earlier today [December 5, 2025], Cloudflare experienced a widespread outage that caused websites and online platforms worldwide to go down, returning a “500 Internal Server Error” message.
  • “The internet infrastructure company has now blamed the incident on the rollout of emergency mitigations designed to address a critical remote code execution vulnerability in React Server Components, which is now actively exploited in attacks.
  • “The issue was not caused, directly or indirectly, by a cyber attack on Cloudflare’s systems or malicious activity of any kind. Instead, it was triggered by changes being made to our body parsing logic while attempting to detect and mitigate an industry-wide vulnerability disclosed this week in React Server Components,” Cloudflare CTO Dane Knecht noted in a post-mortem.
  • “A subset of customers were impacted, accounting for approximately 28% of all HTTP traffic served by Cloudflare.”
• and
  • “Financial software provider Marquis Software Solutions is warning that it suffered a data breach that impacted dozens of banks and credit unions across the US.
  • “Marquis Software Solutions provides data analytics, CRM tools, compliance reporting, and digital marketing services to over 700 banks, credit unions, and mortgage lenders.
  • “In data breach notifications filed with US Attorney General offices, Marquis says it suffered a ransomware attack on August 14, 2025, after its network was breached through its SonicWall firewall.
  • “This allowed the hackers to steal “certain files from its systems” during the attack.
  • “The review determined that the files contained personal information received from certain business customers,” reads a notification filed with Maine’s AG office.”
    
• Cyberscoop relates,
  • “Cybersecurity authorities and threat analysts unveiled alarming details Thursday [December 4, 2025] about a suspected China state-sponsored espionage and data theft campaign that Google previously warned about in September. The outlook based on their limited visibility into China’s sustained ability to burrow into critical infrastructure and government agency networks undetected, dating back to at least 2022, is grim.
  • “State-sponsored actors are not just infiltrating networks, they are embedding themselves to enable long-term access, disruptions and potential sabotage,” Nick Andersen, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said during a media briefing.
  • “Brickstorm, a backdoor which Andersen described as a “terribly sophisticated piece of malware,” has allowed the attackers to achieve persistent access with an average duration of 393 days to support immediate data theft and follow-on pivots to other malicious activity, Austin Larsen, principal analyst at Google Threat Intelligence Group, told CyberScoop.
  • “We believe dozens of organizations in the United States have been impacted by Brickstorm, not including downstream victims,” Larsen said.
  • “CISA, the National Security Agency and the Canadian Centre for Cyber Security released an analysis report on Brickstorm, which targets VMware vSphere and Windows environments to conceal activity, achieve lateral movement and tunnel into victim networks while also automatically reinstalling or restarting the malware if disrupted. CISA provided indicators of compromise based on eight Brickstorm samples it obtained from victim organizations.”
    
• Cybersecurity Dive adds,
  • “A China-nexus threat actor hacked into VMware vCenter environments at U.S.-based companies before deploying Brickstorm malware, security firm CrowdStrike warned in a blog post published Thursday.
  • “The threat actor, tracked under the name Warp Panda, targeted multiple industries during the summer of 2025, including legal, technology and manufacturing firms. 
  • “Warp Panda has targeted entities mainly in North America and Asia Pacific in an effort to support strategic objectives of the Chinese Communist Party, according to CrowdStrike. These include economic competition, advancing their technology and growing regional influence.”

• CISA added four known exploited vulnerabilities to its catalog this week.
  • December 2, 2025
    • CVE-2025-48572 Android Framework Privilege Escalation Vulnerability  
    • CVE-2025-48633 Android Framework Information Disclosure Vulnerability 
      • Cyber Express discusses these KVEs here.
  • December 3, 2025
    • CVE-2021-26828. OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability 
      • Cybersecurity News discusses this KVE here.
  • December 5, 2025
    • CVE-2025-55182  Meta React Server Components Remote Code Execution Vulnerability
      • Cybersecurity Dive discusses this KVE here.
        
• Per Bleeping Computer,
  • An ongoing phishing campaign impersonates popular brands, such as Unilever, Disney, MasterCard, LVMH, and Uber, in Calendly-themed lures to steal Google Workspace and Facebook business account credentials.
  • Although threat actors targeting business ad manager accounts isn’t new, the campaign discovered by Push Security is highly targeted, with professionally crafted lures that create conditions for high success rates.
  • Access to marketing accounts gives threat actors a springboard to launch malvertising campaigns for AiTM phishing, malware distribution, and ClickFix attacks.

• Cybersecurity Dive notes,
  • “Distributed denial of service attacks rose sharply during the third-quarter, fueled by record-level attacks from the Aisuru botnet, comprising between one and four million hosts across the globe, according to a report released Wednesday by Cloudflare. 
  • “The number of attacks rose 54% quarter over quarter, averaging about 14 hyper-volumetric attacks daily, according to Cloudflare. Researchers called the scale of these attacks “unprecedented,” reaching 29.7 terabits per second and 14.1 billion packets per second. 
  • “The record-breaking 29.7 Tbps attack was a User Datagram Protocol carpet-bombing attack that hit an average of 15,000 destination ports per second, according to Cloudflare. 
  • “Aisuru targeted a number of critical industries, including telecommunications, financial services, hosting providers and gaming companies.” 

From the ransomware front,

• Dark Reading warns us,
  • “The Ransomware Holiday Bind: Burnout or Be Vulnerable
  • “Ransomware groups target enterprises during off-hours, weekends, and holidays when security teams are stretched thin and response times lag.”

• Per Bleeping Computer,
  • “American pharmaceutical firm Inotiv is notifying thousands of people that they’re personal information was stolen in an August 2025 ransomware attack.
  • “Inotiv is an Indiana-based contract research organization specializing in drug development, discovery, and safety assessment, as well as live-animal research modeling. The company has about 2,000 employees and an annual revenue exceeding $500 million.
  • “When it disclosed the incident, Inotiv said that the attack had disrupted business operations after some of its networks and systems (including databases and internal applications) were taken down.
  • “Earlier this week, the company revealed in a filing with the U.S. Securities and Exchange Commission (SEC) that it has “restored availability and access” to impacted networks and systems and that it’s now sending data breach notifications to 9,542 individuals whose data was stolen in the August ransomware attack.
  • “Our investigation determined that between approximately August 5-8, 2025, a threat actor gained unauthorized access to Inotiv’s systems and may have acquired certain data,” it says in letter samples filed with Maine’s attorney general.”

• Help Net Security explains “how a noisy ransomware intrusion exposed a long-term espionage foothold.”
  • “Getting breached by two separate and likely unconnected cyber attack groups is a nightmare scenario for any organization, but can result in an unexpected silver lining: the noisier intrusion can draw attention to a far stealthier threat that might otherwise linger undetected for months.”
    
• CXO Revolutionaries offers management lessons from the ransomware attack against the State of Nevada this past summer.

From the cybersecurity business and defenses front,

• SC Media reports,
  • “Cybersecurity startup 7AI announced Dec. 4 that it raised $130 million in Series A funding 10 months after emerging from stealth in February. 
  • “The funding round is the largest Series A in history for cybersecurity, the company stated in its announcement, and brings its total amount raised to $166 million. 7AI was founded by two former executives and founders of the security firm Cybereason, former CEO Lior Div and former CTO Yonatan Striem-Amit.
  • “We’re at an agentic security inflection point that changes the equation entirely. Instead of security teams drowning in investigations that take hours, our AI agents complete them in minutes at a speed, accuracy, and consistency that’s difficult for humans and automation to match,” Div said. “… We have the proof, and it’s in production right now: our AI agents do the investigation work so security teams can finally do human work: strategic threat hunting, proactive security and innovation through AI transformation.”
  • “Over the last 10 months, the company said its AI agents processed more than 2.5 million alerts and completed over 650,000 security investigations for its clients. Customers reported saving between 30 minutes and 2.5 hours per investigation, and eliminated up to 99% of false positives in production.”

• Dark Reading discusses “How Agentic AI Can Boost Cyber Defense. Transurban head of cyber defense Muhammad Ali Paracha shares how his team is automating the triaging and scoring of security threats as part of the Black Hat Middle East conference.”

• The American Hospital Association News relates,
  • “The FBI has public resources available to help prevent exploitation by cybercriminals, who use artificial intelligence for deception. An infographic by the FBI and the American Bankers Association Foundation highlights how AI-generated or manipulated media, also known as “deep fakes,” can be used to impersonate trusted individuals. It details signs of a deep fake scam and how such content can depict public figures, friends and family members. An FBI announcement further explains how criminals use AI-generated text, images, audio and video for fraud schemes. The alert includes tips to help protect against suspected schemes.
  • “The information provided by the FBI and the ABA is relevant for health care as criminals are increasingly using AI-generated deep fake audio and video content — often in combination — to deceive health care staff,” said John Riggi, AHA national advisor for cybersecurity and risk. “Deep fakes are used to manipulate unwitting individuals by having them click on phishing emails, provide their credentials, hire malicious remote IT workers or transfer funds to criminal accounts. Constant vigilance and multi-layered human verification processes are needed, especially as AI-synthetic video and audio capabilities continue to advance.”

• Here is a link to Dark Reading’s CISO Corner.