From the cybersecurity policy front,

• The Record reports,
  • “The National Security Agency has a new leadership roster for its cybersecurity directorate as the agency waits for its first Senate-confirmed chief in more than nine months. 
  • “David Imbordino, a NSA senior executive who is currently serving as the directorate’s deputy chief, will take the reins in an acting capacity at the end of the month, according to three people familiar with the matter. 
  • “Holly Baroody, a senior official at the agency in the United Kingdom, will return as planned from her assignment this summer to be the directorate’s acting No. 2, according to these people. All were granted anonymity to speak candidly about personnel matters.”

• The HHS Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules, posted its January 2026 Cybersecurity Newsletter. The Newsletter concerns system hardening.
  • “System hardening and security baselines can be an effective means to enhance security, and for regulated entities to protect ePHI. However, defining, creating, and applying system hardening techniques is not a one-and-done exercise. Evaluating the ongoing effectiveness of implemented security measures is important to ensure such measures remain effective over time. As new threats and vulnerabilities evolve and are discovered, and attackers vary and improve their tactics, techniques, and procedures, regulated entities need to remain vigilant to ensure that their implemented security solutions remain effective. Indeed, for regulated entities, the periodic review and modification, as needed, of security measures implemented under the HIPAA Security Rule is a requirement to maintain protection of ePHI.”

• Cybersecurity Dive informs us,
  • “The National Institute of Standards and Technology is asking the public for suggested approaches to managing the security risks of AI agents.
  • “In a Federal Register notice set for publication on Thursday, NIST’s Center for AI Standards and Innovation (CAISI) solicited “information and insights from stakeholders on practices and methodologies for measuring and improving the secure development and deployment of artificial intelligence (AI) agent systems.”
  • “The public engagement reflects persistent concerns about security weaknesses in increasingly ubiquitous AI agents. Many companies have adopted these agents without fully understanding or developing plans to mitigate their flaws, inadvertently creating new avenues for hackers to penetrate their computer networks. The wide latitude given to poorly secured AI agents could be especially dangerous in critical infrastructure networks, which sometimes control industrial machinery that is essential to health and safety.
  • “If left unchecked, these security risks may impact public safety, undermine consumer confidence, and curb adoption of the latest AI innovations,” NIST said in its solicitation.”
• Here is a link to a related NIST blog post.

• Security Week tells us,
  • The US cybersecurity agency CISA on Thursday announced closing 10 Emergency Directives issued between 2019 and 2024.
  • The retired directives, CISA says, have achieved their mission to mitigate urgent and imminent risks to federal agencies.
  • “Since their issuance, CISA has partnered closely with federal agencies to drive remediation, embed best practices and overcome systemic challenges – establishing a stronger, more resilient digital infrastructure for a more secure America,” the agency notes.” * * *
  • “All targeted vulnerabilities are now in CISA’s Known Exploited Vulnerabilities (KEV) catalog and the required actions are defined in Binding Operational Directive (BOD) 22-01, which mandates that federal agencies resolve flaws added to KEV within weeks.
  • “The closure of these ten Emergency Directives reflects CISA’s commitment to operational collaboration across the federal enterprise. Looking ahead, CISA continues to advance Secure by Design principles – prioritizing transparency, configurability, and interoperability - so every organization can better defend their diverse environments,” CISA Acting Director Madhu Gottumukkala said.”

• Cybersecurity Dive describes CISA’s seven biggest challenges for 2026.

From the cybersecurity vulnerabilities front,

• A Dark Reader commentator makes,
  • “Cybersecurity Predictions 2026: An AI Arms Race and Malware Autonomy
  • “The year ahead will see an intensified AI-driven cybersecurity arms race, with attackers leveraging autonomous malware and advanced AI technologies to outpace defenders, while security teams adopt increasingly sophisticated AI tools to combat evolving threats amidst growing vendor consolidation and platformization in the industry.”

• CISA added two known exploited vulnerabilities to its catalog this week.
  • January 7, 2025
    • CVE-2009-0556 Microsoft Office PowerPoint Code Injection Vulnerability
    • CVE-2025-37164 HPE OneView Code Injection Vulnerability 
      • GB Hackers discusses the MS KVE here.
      • Dark reading discusses the HPE KVE here.

• Cyberscoop reports,
  • “Researchers warn that a critical vulnerability in n8n, an automation platform that allows organizations to integrate AI agents, workflows and hundreds of other enterprise services, could be exploited by attackers to achieve full control of targeted networks.
  • “The maximum-severity vulnerability — CVE-2026-21858 — affects about 100,000 servers globally, according to Cyera, which initially discovered and reported the defect to n8n on Nov. 9. Developers responsible for the widely used platform released a patch for the vulnerability on Nov. 18, but didn’t publicly disclose or assign the vulnerability a CVE until Wednesday.
  • “The risk is massive,” Dor Attias, security researcher at Cyera Research Labs, told CyberScoop. “n8n sits at the heart of enterprise automation infrastructure. Gaining control of n8n means gaining access to your secrets, customer data, CI/CD pipelines and more.”
  • “Researchers haven’t observed active exploitation of the vulnerability, but Cyera published a working proof of concept, which typically triggers a race for defenders to patch a defect before in-the-wild exploitation occurs.”

• The American Hospital Association News notes,
  • “The FBI Jan. 8 released an alert on evolving threat tactics by Kimsuky, a North Korean state-sponsored cyber threat group. As of last year, the group has targeted research organizations, academic institutions, and U.S. and foreign government entities by embedding malicious QR codes in spear-phishing campaigns, referred to as “quishing.” The technique forces victims to use a mobile device to view the QR code, which could be received as an image, email attachment or embedded graphic that evades URL inspection. After scanning the malicious code, victims are routed through attacker-controlled redirectors that collect device and identity information for harvesting and use in additional malicious actions. 
  • “Although it appears that Kimsuky threat actors are not targeting health care directly, this serves as a reminder that social engineering, email and text-based ‘quishing’ attacks from other hacking groups are increasingly targeting health care due its effectiveness and ability to evade common cybersecurity defensive measures,” said John Riggi, AHA national advisor for cybersecurity and risk. “As we see an increase in the use of malicious QR code attacks, staff should be provided education on the dangers of scanning unsolicited QR codes at work, home and on their mobile devices.” 

• CSO cautions,
  • “Threat actors are abusing misconfigured MX records and weak DMARC/SPF policies to make phishing emails look internal, bypassing filters and increasing credential theft risk.
  • “Microsoft’s Threat Intelligence team has disclosed that threat actors are increasingly exploiting complex email routing and misconfigured domain spoof protection to make phishing messages appear as if they were sent from inside the organizations they’re targeting.
  • “These campaigns are relying on configuration gaps, specifically scenarios where mail exchanger (MX) DNS records don’t point directly to Microsoft 365 and where Domain-based Message Authentication, Reporting & Conformance (DMARC) and Sender Policy Framework (SPF) policies are permissive or misconfigured.
  • “Threat actors have leveraged this vector to deliver a wide variety of phishing messages related to various phishing-as-a-service (PhaaS) platforms such as Tycoon 2FA,” Microsoft said in a security blog post.
  • “The blog noted that while the attack vector isn’t brand new, the exploitation has picked up significantly since mid-2025, delivering phishing lures ranging from password resets to shared documents.”
    
• Cybersecurity Dive points out,
  • “The new year will bring more dangerous AI-powered cyberattacks and growing obstacles to regulatory harmonization, Moody’s said in a 2026 outlook report published on Thursday.
  • “The report also forecasts increased cryptocurrency thefts through cyberattacks on both transaction and storage platforms.
  • “Moody’s said recent cloud computing outages resulting from accidents highlighted “the potential for catastrophic impact if exploited by attackers.”

From the ransomware front,

• Security Affairs reports that “Sedgwick confirmed a cyber incident at its federal contractor unit after TridentLocker claimed to steal 3.4GB of data.”

• Cybersecurity Dive adds,
  • “The volume of ransomware attacks on telecommunications companies around the world increased fourfold from 2022 to 2025, according to a report that the threat intelligence firm Cyble published this week.
  • “Cyble also identified 444 incidents involving data theft from telecom firms, including 133 listings of stolen databases that could contain sensitive customer data or operational information.
  • “Businesses in multiple industries closely track the security posture of the telecom sector because of their need for secure and resilient communications.”

• Emsisoft discusses the state of ransomware in the United States during 2025.

• TechTarget examines ransomware trends, statistics and facts in 2026.

From the cybersecurity business and defenses front,

• Cyberscoop reports,
  • “CrowdStrike is buying identity management startup SGNL, a move that underscores how identity security has become a central battleground in enterprise cybersecurity as companies add cloud services and deploy AI-driven tools.
  • “The cybersecurity firm did not disclose financial terms in a Thursday announcement, but CrowdStrike CEO George Kurtz told CNBC the deal is valued at nearly $740 million.
  • “The acquisition targets a growing problem for large organizations: Access is no longer limited to employees logging into a handful of internal systems. Modern environments include contractors, automated scripts, cloud workloads and an expanding set of non-human identities, such as service accounts and machine credentials. More recently, companies have begun experimenting with AI agents that can take actions across multiple systems, sometimes with broad privileges.”

• Cybersecurity Dive relates,
  • “AI promises to exponentially improve innovation and efficiency for businesses of all kinds, but it’s also ushering in a new age of cyberthreats.
  • “Nearly 9 in 10 CISOs say AI-driven attacks represent a major risk for their organizations, according to a study from Trellix.
  • “While the trend represents a security problem, it’s on the minds of CIOs too, as they “play a very important role as we think about AI attacks,” said Allie Mellen, principal analyst at Forrester. “Many of the changes that security recommends, we take to improve and defend the infrastructure we have.”
  • “As risks mount, CIOs from different sectors are preparing to help their businesses secure critical data in the age of AI-driven attacks.”

• Here’s a link to Dark Reading’s CISO Corner.

Happy New Year!

From the cybersecurity policy and law enforcement front,

• Federal News Network points out five things to watch in cybersecurity policy at the federal level during 2026.
  • “New national cyber strategy”
  • “AI and cyber”
  • “CISA 2015 reauthorization”
  • “CIRCIA rule” and
  • “Cyber leader gaps”

• Security Week reports,
  • “Two cybersecurity professionals from the United States have pleaded guilty to charges related to their role in BlackCat/Alphv ransomware attacks, the Justice Department announced this week [December 30].
  • “Three individuals were charged in October for allegedly conducting ransomware attacks against several US-based companies. Two of the suspects, 36-year-old Kevin Martin from Texas and an unnamed individual, were employed as ransomware negotiators at threat intelligence and incident response firm DigitalMint.
  • “The third suspect, 40-year-old Ryan Goldberg from Georgia, worked as an incident response manager at cybersecurity company Sygnia.
  • “The three are accused of hacking into the systems of several companies, stealing valuable information, and deploying BlackCat ransomware. 
  • “Based on the Justice Department’s description of the scheme, the suspects were BlackCat ransomware affiliates, paying 20% of the ransoms they received from victims to the administrators of the ransomware operation in exchange for access to the file-encrypting malware and a platform designed for managing extortions.”

From the cybersecurity breaches and vulnerabilities front,

• Bleeping Computer points out the 15 biggest cybersecurity and cyber attack stories of 2025.

• Security Week adds,
  • “Insurance giant Aflac is notifying roughly 22.65 million people that their personal information was stolen from its systems in June 2025.
  • “The company disclosed the intrusion on June 20, saying it had identified suspicious activity on its network in the US on June 12 and blaming it on a sophisticated cybercrime group.
  • “The company said it immediately contained the attack and engaged with third-party cybersecurity experts to help with incident response. Aflac’s operations were not affected, as file-encrypting ransomware was not deployed.
  • “Just before Christmas, the Columbus, Georgia-based company announced it had completed its investigation into the potentially compromised data and had started notifying the affected individuals.
  • “Based on our review of potentially impacted files, we have determined personal information associated with approximately 22.65 million individuals was involved,” the company said.
  • “The compromised information, the insurance giant says, includes names, addresses, Social Security numbers, dates of birth, driver’s license numbers, government ID numbers, medical and health insurance information, and other data.”

• The Cybersecurity and Infrastructure Security Agency (CISA) added one known exploited vulnerability to its catalog this week.
  • December 29, 2025
    • CVE-2025-14847. MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability 
      • Cyberscoop discusses this KVE here.

• Bleeping Computer informs us,
  • “IBM urged customers to patch a critical authentication bypass vulnerability in its API Connect enterprise platform that could allow attackers to access apps remotely.
  • “API Connect is an application programming interface (API) gateway that enables organizations to develop, test, and manage APIs and provide controlled access to internal services for applications, business partners, and external developers.
  • “Available in on-premises, cloud, or hybrid deployments, API Connect is used by hundreds of companies in banking, healthcare, retail, and telecommunications sectors.
  • “Tracked as CVE-2025-13915 and rated 9.8/10 in severity, this authentication bypass security flaw affects IBM API Connect versions 10.0.11.0 and 10.0.8.0 through 10.0.8.5.
  • “Successful exploitation enables unauthenticated threat actors to remotely access exposed applications by circumventing authentication in low-complexity attacks that don’t require user interaction.”
• and
  • “Over 10,000 Fortinet firewalls are still exposed online and vulnerable to ongoing attacks exploiting a five-year-old critical two-factor authentication (2FA) bypass vulnerability.
  • “Fortinet released FortiOS versions 6.4.1, 6.2.4, and 6.0.10 in July 2020 to address this flaw (tracked as CVE-2020-12812) and advised admins who couldn’t immediately patch to turn off username-case-sensitivity to block 2FA bypass attempts targeting their devices.
  • “This improper authentication security flaw (rated 9.8/10 in severity) was found in FortiGate SSL VPN and allows attackers to log in to unpatched firewalls without being prompted for the second factor of authentication (FortiToken) when the username’s case is changed.
  • “Last week, Fortinet warned customers that attackers are still exploiting CVE-2020-12812, targeting firewalls with vulnerable configurations that require LDAP (Lightweight Directory Access Protocol) to be enabled.
  • “Fortinet has observed recent abuse of the July 2020 vulnerability FG-IR-19-283 / CVE-2020-12812 in the wild based on specific configurations,” the company said.”
• and
  • “Trust Wallet believes the compromise of its web browser to steal roughly $8.5 million from over 2,500 crypto wallets is likely related to an “industry-wide” Sha1-Hulud attack in November.
  • “Trust Wallet, a crypto wallet used by over 200 million people, enables users to store, send, and receive Bitcoin, Ethereum, Solana, and thousands of other cryptocurrencies and digital tokens via a web browser extension and free mobile apps.
  • “As BleepingComputer previously reported, this December 24th incident resulted in the theft of millions of dollars in cryptocurrency from the compromised wallets of Trust Wallet users.
  • This happened after attackers added a malicious JavaScript file to version 2.68.0 of Trust Wallet’s Chrome extension, which stole sensitive wallet data and enabled threat actors to execute unauthorized transactions.
  • “Our Developer GitHub secrets were exposed in the attack, which gave the attacker access to our browser extension source code and the Chrome Web Store (CWS) API key,” the company said in a Tuesday [December 30] update.
• and
  • “A fourth wave of the “GlassWorm” campaign is targeting macOS developers with malicious VSCode/OpenVSX extensions that deliver trojanized versions of crypto wallet applications.
  • “Extensions in the OpenVSX registry and the Microsoft Visual Studio Marketplace expand the capabilities of a VS Code-compatible editor by adding features and productivity enhancements in the form of development tools, language support, or themes.
  • “The Microsoft marketplace is the official extension store for Visual Studio Code, whereas OpenVSX serves as an open, vendor-neutral alternative, primarily used by editors that do not support or choose not to rely on Microsoft’s proprietary marketplace.”
  • “The GlassWorm malware first appeared on the marketplaces in October, hidden inside malicious extensions using “invisible” Unicode characters.”
  • “Once installed, the malware attempted to steal credentials for GitHub, npm, and OpenVSX accounts, as well as cryptocurrency wallet data from multiple extensions. Additionally, it supported remote access through VNC and can route traffic through the victim’s machine via a SOCKS proxy.
  • “Despite the public exposure and increased defenses, GlassWorm returned in early November on OpenVSX and then again in early December on VSCode.”

From the ransomware front,

• Cybersecurity Insiders recounts the top ransomware attacks of 2025.

• SC Media tells us,
  • “HackRead reports that U.S. automaker Chrysler had over 1 TB of data, including more than 105 GB of Salesforce-related information, claimed to have been exfiltrated by the Everest ransomware gang.
  • “Allegedly included in the stolen data trove spanning between 2021 and 2025 were personal and operational records from customers, internal agents, and dealers, with screenshots revealing internal spreadsheets, structured databases, CRM exports, and directory trees, as well as customer interaction logs with names, physical and email addresses, phone numbers, vehicle details, recall case notes, and call outcomes.” * * *
  • “Everest has warned that it would release not only the entire dataset but also customer service-related audio recordings purportedly stolen from Chrysler should it refuse to fulfill its demands.”
    
• Morphisec points out,
  • “In Morphisec’s recent CTO Briefing: The State of Ransomware, CTO Michael Gorelik highlighted one of the most significant and troubling shifts in the ransomware landscape: many ransomware attacks no longer involve encryption at all.   
  • “Instead, attackers quietly steal sensitive data—sometimes over weeks or months—and then extort victims long after the breach. This “ransomware without encryption” model is growing rapidly because it has lower risk for attackers, harder for defenders to detect, and nearly impossible for victims to investigate once logs have aged out.”  

From the cybersecurity defenses front,

• Dark Reading calls attention to
  • “Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats. Cybersecurity experts discuss 2026 predictions, highlighting the rise of AI-driven threats, the shift to resilience over prevention, and the urgent need for advanced security measures to combat evolving risks”
• and
  • “5 Threats That Defined Security in 2025. 2025 included a number of monumental threats, from global nation-state attacks to a critical vulnerability under widespread exploitation.”
    • “Salt Typhoon continues its onslaught”
    • “CISA see big layoffs and budget cuts”
    • “React2Shell carries echos of Log4Shell.
    • “Shai-Hulud opens floodgates on self-propagating Open Source Malware.” and
    • “Threat Campaigns Target Salesforce Customers.”
• and
  • “The Ivanti Endpoint Manager Mobile (EPMM) zero-day attacks, which began last spring and lasted well into the summer as attackers took advantage of patching lag, were one of the top cyber-stories of 2025, sending thousands of victims to the depths of the data exfiltration sea. A recent deep-dive into the wreckage of those attacks highlights the risk inherent in buggy endpoint management systems — a concern that needs to be a higher priority than it typically is, one researcher argues.”

• SC Media notes,
  • “A whopping 99% of security leaders plan to increase their cybersecurity budgets over the next two to three years, signaling that cybersecurity has become a critical business imperative, according to a KPMG Cybersecurity Survey released earlier this month.
  • “KPMG’s survey, which polled more than 300 C-suite and senior security leaders, found that the projected spending increases come at a time when 83% of organizations report a rise in cyberattacks, which include everything from phishing and ransomware to more advanced AI-powered social-engineering schemes.
  • “The data doesn’t just point to steady growth, it signals a potential boom,” said Michael Isensee, cybersecurity and tech risk leader, KPMG LLP. “We’re seeing a major market pivot where cybersecurity is now a fundamental driver of business strategy.
  • “Leaders are moving beyond reactive defense and are actively investing to build a security posture that can withstand future shocks, especially from AI and other emerging technologies,” continued Isensee. “This isn’t just about spending more, it’s about strategic investment in resilience.”

• Security Affairs warns,
  • “Your next breach probably won’t start inside your network—it will start with someone you trust. Every supplier, contractor, and service provider needs access to your systems to keep business running, yet each login is a potential doorway for attackers. Access management is meant to control the risks of granting that access, but weak controls and poor hygiene remain the norm. The Thales Digital Trust Index report, Third-Party Edition, highlights that over half of surveyed professionals (51%) keep access to partner systems for days or even a month after they no longer need it, turning everyday collaborations into hidden vulnerabilities that accumulate over time.
  • “Ask yourself: Are you evaluating and managing these risks well enough? If the answer isn’t clear, it’s time to revisit the basics of identity lifecycle management. Supply chain risks are preventable—but only if they aren’t tolerated or ignored. This article is a primer on how to ensure B2B collaboration remains a source of agility and resilience, not your Achilles’ heel.”

• Here is a link to Dark Reading’s CISO Corner.

From the cybersecurity law enforcement front,

From the cybersecurity policy and law enforcement front,

• Cyberscoop reports,
  • “The National Institute of Standards and Technology announced that it will partner with The MITRE Corporation on a $20 million project to stand up two new research centers focused on artificial intelligence, including how the technology may impact cybersecurity for U.S. critical infrastructure.
  • “On Monday [December 22], the agency said one center will focus on advanced manufacturing while the second — the AI Economic Security Center to Secure U.S. Critical Infrastructure from Cyberthreats — will focus more directly on how industries that provide water, electricity, internet and other essential services can protect and maintain services in the face of AI-enabled threats. According to NIST, the centers will “drive the development and adoption” of AI-driven tools, including agentic AI solutions.
  • “The centers will develop the technology evaluations and advancements that are necessary to effectively protect U.S. dominance in AI innovation, address threats from adversaries’ use of AI, and reduce risks from reliance on insecure AI,” spokesperson Jennifer Huergo wrote in an agency release.

• Federal News Network interviewed “a panel of former federal executives for their opinions about 2025 and what federal IT and acquisition storylines stood out over the last 12 months.”

• Security Week tells us,
  • “The US Justice Department announced on Monday [December 22] the seizure of a web domain and a password database used by a cybercrime group to steal millions of dollars from bank accounts.
  • “According to the DOJ, the seized domain, web3adspanels.org, hosted a backend web panel used by the cybercriminals to store and manipulate thousands of stolen bank login credentials.
  • The threat actor conducted a massive bank account takeover scheme that involved malicious ads on search engines such as Google and Bing in an effort to lure users to fake bank websites.
  • “These phishing sites tricked victims into handing over their login credentials, which the cybercriminals could then use to access and drain their bank accounts.
  • “The FBI has identified nearly 20 victims in the US, including two companies, and has determined that the cybercriminals attempted to steal roughly $28 million, with the actual losses estimated at approximately $14.6 million.” 

• Bleeping Computer informs us,
  • “An Interpol-coordinated initiative called Operation Sentinel led to the arrest of 574 individuals and the recovery of $3 million linked to business email compromise, extortion, and ransomware incidents.
  • “Between October 27 and November 27, the investigation, which involved law enforcement in 19 countries, took down more than 6,000 malicious links and decrypted six distinct ransomware variants.
  • “Interpol says that the cybercrime cases investigated are connected to more than $21 million in financial losses.”

From the cybersecurity breaches and vulnerabilities front,

• Cybersecurity Dive reports,
  • “WatchGuard warns that a critical vulnerability in its Firebox devices is facing exploitation as part of a campaign targeting edge devices, according to an advisory from the company. 
  • “The flaw, tracked as CVE-2025-14733, involves an out-of-bounds write vulnerability in the Fireware OS internet key exchange daemon process. An unauthenticated attacker can achieve remote code execution. 
  • “WatchGuard said it discovered the flaw through an internal process and issued a patch on Thursday. 
  • “Since the fix became available, our partners and end users have been actively patching affected Firebox appliances,” a WatchGuard spokesperson told Cybersecurity Dive. “We continue to strongly encourage timely patching as a core best practice in security hygiene.”

• Security Week shares information about the Watchguard patch.

• Dark Reading points out,
  • “Much has been said about IT worker scams in the last few years, but it’s not every day that we get a glimpse into how pervasive the issue has become. 
  • “Stephen Schmidt, senior vice president and chief security officer at Amazon, wrote on LinkedIn over the weekend that the company has prevented “more than 1,800 suspected DPRK operatives from joining [Amazon] since April 2024, and we’ve detected 27% more DPRK-affiliated applications quarter-over-quarter this year.” 
  • “IT worker scams involve operatives working as part of or on behalf of a government try to gain remote IT employment. It is most often associated with North Korea (DPRK), but that’s not the only entity engaging in this practice. While one primary goal may be the worker gaining a foothold in a network for espionage purposes or for sensitive IP theft (and these things do happen), Schmidt, who wrote about North Korean worker scams specifically, highlighted another reason: “Their objective is typically straightforward: get hired, get paid, and funnel wages back to fund the regime’s weapons programs,” he wrote.

• The Wall Street Journal relates,
  • “AI is making cybercriminals more efficient, enabling them to scale up operations and create more targeted and convincing scams.
  • “Thanks to AI, criminals are getting better at finding targets—for example, by scanning social media to identify people going through big life changes.
  • “Most experts don’t think fully autonomous AI cyberattacks are possible yet in the real world, but research has shown that AI is capable of planning and carrying out an attack on its own in a lab.”

•  Per SC Media,
  • “A series of campaigns were observed targeting the financial sector across multiple continents worldwide — attacks that exhibited the tradecraft of North Korean-affiliated threat actors.
  • “In a Dec. 18 white paper, Darktrace researchers said the attacks leveraged advanced social engineering focused on job hunters, spear-phishing, React2Shell exploitation, and a new Beavertail malware variant.
  • “While the initial access vector remains unknown, Darktrace said evidence suggests it originated from a malicious npm package hosted on GitHub or GitLab — behavior that aligns with the Lazarus Group’s history of exploiting supply-chain vulnerabilities.
  • “According to Darktrace, the attackers used Beavertail for initial credential theft, followed by heavily obfuscated Python scripts and Tsunami modules, hallmarks of a “well-resourced adversary.”

• Cyber Insider adds,
  • “A malicious NPM package masquerading as a WhatsApp API library has been discovered exfiltrating users’ messages, credentials, contacts, and media, all while delivering fully functional code.
  • “The package, named lotusbail, had been available on the NPM registry for over six months, amassing more than 56,000 downloads before its true purpose came to light.
  • “The discovery was made by Koi Security, whose researchers published a detailed technical report over the weekend, outlining the package’s behavior. The threat actor behind lotusbail cloned the legitimate @whiskeysockets/baileys WhatsApp Web API library and inserted advanced malware designed to siphon off sensitive user data during normal operation.”

• CISA added one new known exploited vulnerability to its catalog this week.
  • December 22, 2025
    • CVE-2023-52163 Digiever DS-2105 Pro Missing Authorization Vulnerability 
      • The Hacker News discusses this KVE here.

From the ransomware front,

• Cybersecurity Dive reports,
  • A Cybersecurity and Infrastructure Security Agency program that warns organizations about imminent ransomware attacks has suffered a major setback after its lead staffer left the agency rather than take a forced reassignment.
  • David Stern, the driving force behind CISA’s Pre-Ransomware Notification Initiative (PRNI) — through which the agency alerts organizations that ransomware actors are preparing to encrypt or steal their data — resigned on Dec. 19, according to four people familiar with the matter. The Department of Homeland Security had ordered Stern to take a job at the Federal Emergency Management Agency in Boston or quit, and Stern chose the latter, three of the people said. * * *
  • “The fate of the warning initiative is now unclear. In a statement, CISA Director of Public Affairs Marci McCarthy said the program “has not stopped and continues to operate as a key element in CISA’s efforts to defeat ransomware attacks.” One person familiar with the matter said the agency is preparing several staffers to take over for Stern. But others said the program relied heavily on Stern’s trusted relationships with the organizations that alert CISA to pending ransomware attacks.”
    
• InfoSecurity Magazine explores this year’s top ransomware trends.

• The HIPAA Journal tells us,
  • “Madison, WI-based ARC Community Services, a provider of behavioral health, substance use disorder treatment, and support services to women and children, has experienced a ransomware attack involving the theft of sensitive data from its network.” The attack occurred in November 2024.

• CSO informs us,
  • “A recent upgrade to the RansomHouse ransomware operation has added new concerns for enterprise defenders, introducing a multi-layered encryption update to the group’s double-extortion RaaS model.
  • “Also tracked under the cluster Jolly Scorpius, the ransomware gang has transitioned from a simple, single-phase encryption routine to a multi-layered dual-key encryption architecture that increases the complexity of its extortion operations.
  • “Detailed by Palo Alto Networks’ threat intelligence team, the update raises the bar for recovery once systems are compromised. The change affects how files are processed and encrypted during an attack, complicating analysis and limiting defenders’ ability to recover data without paying a ransom.”

From the cybersecurity business and defenses front,

• The Wall Street Journal reports,
  • Artificial-intelligence software company ServiceNow NOW agreed to acquire cybersecurity startup Armis for about $7.75 billion in cash in a move intended to take advantage of growing demand for AI security.
  • Armis recently raised $435 million in a funding round that valued the company at $6.1 billion, and it had been planning for an initial public offering at the end of 2026 or early 2027.
  • ServiceNow said on Tuesday that the acquisition would triple its market opportunity for security and risk solutions and entrench its position in the market for securing AI technology.
  • The increasing integration of AI tools into business workflows has raised worries that companies could become more vulnerable to cyberattacks and hacks.

• Cyberscoop lets us know,
  • “How to determine if agentic AI browsers are safe enough for your enterprise. Automation is transforming web browsing, enabling AI agents to perform tasks once handled by humans. Yet with greater convenience comes a complex security landscape that enterprises can’t afford to ignore.”

• Federal News Network discusses “The next cyber battlefield: Preparing federal networks for autonomous malware.”
  • “Recent research from Google’s Threat Intelligence Group has drawn new attention to a long-standing question in cybersecurity: How close are we to malware that can truly think and adapt on its own?
  • “Earlier this month, Google disclosed five experimental code families, including PROMPTFLUX and PROMPTSTEAL, that used large language models (LLMs) during execution to generate commands, rewrite portions of their own code, and adapt to their environment.
  • “While these findings are concerning, it’s important to note that “autonomous” malware is still in the early stages. But that’s precisely the point. Even in this primitive form, these early samples show how the threat landscape is rapidly evolving. Federal agencies now have a narrow window to prepare before those capabilities mature into operational threats.
  • “Autonomous malware represents a fundamental shift in cybersecurity, as this malicious code can reason about its surroundings, make tactical decisions, and evolve its behavior in real time. For federal networks built on complex systems and strict change-control policies, that evolution could eventually collapse traditional defense timelines and upend response models.”

• Per a CISA news release,
  • “NIST and CISA’s draft Interagency Report Protecting Tokens and Assertions from Forgery, Theft, and Misuse is now available for public comment through January 30, 2026. This report is in response to Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144, providing implementation guidance to help federal agencies and cloud service providers (CSPs) protect identity tokens and assertions from forgery, theft, and misuse.
  • “This report emphasizes the need for CSPs and cloud consumers, including government agencies, to better define their respective roles and responsibilities in managing identity and access management (IAM) controls in cloud environments. It establishes principles for both CSPs and cloud consumers, calling on CSPs to apply Secure by Designbest practices, and to prioritize transparency, configurability, and interoperability—empowering cloud consumers to better defend their diverse environments. It also calls upon government agencies to understand the architecture and deployment models of their procured CSPs to ensure proper alignment with risk posture and threat environment. 
  • “Comments on the report may be submitted to iam@list.nist.gov. Please visit NIST’s site for more information.” 

• Per Dark Reading,
  • “As More Coders Adopt AI Agents, Security Pitfalls Lurk in 2026. Developers are leaning more heavily on AI for code generation, but in 2026, the development pipeline and security need to be prioritized.”

• Here is a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• Cyberscoop reports,
  • “With a little more than a month left before a foundational cyber threat information sharing law expires for a second time, Congress might have to do another short-term extension as negotiations on a longer deal aren’t yet bearing fruit, a key lawmaker said Tuesday.
  • “House Homeland Security Chairman Andrew Garbarino, R-N.Y., said the problem with a long-term extension of the Cybersecurity Information Sharing Act of 2015, which provides legal protections to companies to share cyber threat data with the federal government and other companies, is that there are three different views about how to approach it.
  • “The Trump administration and some in the Senate want a clean, 10-year reauthorization of the law, which Congress extended last month until Jan. 30 as part of the legislation that ended the government shutdown, after the information sharing law lapsed in October. But a reauthorization without any changes could run into House opposition, Garbarino said.” * * *
  • “Senate Homeland Security and Governmental Affairs Committee Chairman Rand Paul, R-Ky., also has a version of the bill that focuses largely on language he said is needed to defend free speech. And Garbarino’s version takes yet another approach to tweaking the law.
  • “Unfortunately, I don’t think we’re close enough with the discussions on the Senate to get it to figure out which bill will pass and what will get done,” Garbarino said. That leaves another extension tied to any funding bill that replaces the legislation currently funding the government, which also runs through Jan. 30.”
• and
  • “Policymakers and companies are reckoning with increased reports over the past few months showing AI tools being leveraged to conduct cyber attacks on a larger and faster scale.
  • “Most notably, Anthropic reported last month that Chinese hackers had jailbroken and tricked its AI model Claude into assisting with a cyberespionage hacking campaign that ultimately targeted more than 30 entities around the world.
  • “The Claude-enabled Chinese hacks have underscored existing concerns among AI companies and policymakers that the technology’s development and relevance to offensive cybersecurity may be outpacing the cybersecurity, legal and policy responses being developed to defend against them.
  • “At a House Homeland Security hearing this week, Logan Graham, head of Anthropic’s red team, said the Chinese spying campaign demonstrates that worries about AI models being used to supercharge hacking are more than theoretical.”

• Cybersecurity Dive tells us,
  • “A top Senate Republican is pressing the Trump administration for a plan to address the cybersecurity consequences of the U.S.’s dependence on open-source software.
  • “Leaving our reliance on OSS unmonitored is exposing America to increasingly dangerous risks,” Senate Intelligence Committee Chair Tom Cotton, R-Okla., wrote in a Wednesday letter to National Cyber Director Sean Cairncross.
  • “Cotton cited recent incidents that highlighted the unstable and sometimes untrustworthy foundations of the open-source ecosystem, including the XZ Utils crisis, a Russian developer’s control of a package that the U.S. military uses for sensitive applications and the prevalence of code contributions by Chinese companies’ employees, who are bound by Chinese laws that could force them to disclose software flaws to Beijing before fixing them.”
• and
  • “The National Institute of Standards and Technology has prepared a companion to its widely used Cybersecurity Framework that focuses on how organizations can safely use AI.
  • “NIST’s Cybersecurity Framework Profile for Artificial Intelligence, which the agency released in draft form on Tuesday [December 16], describes how organizations can manage the cybersecurity challenges of different AI systems, improve their cyber defense capabilities with AI and block AI-powered cyberattacks. The document maps components of the Cybersecurity Framework (CSF) onto specific recommendations in each of those three areas, which NIST dubbed “secure,” “defend” and “thwart,” respectively.
  • “The three focus areas reflect the fact that AI is entering organizations’ awareness in different ways,” Barbara Cuthill, one of the profile’s authors, said in a statement. “But ultimately every organization will have to deal with all three.”
    
• Cyberscoop tells us,
  • “Federal prosecutors in Michigan say they have dismantled online infrastructure tied to an alleged money laundering operation that moved tens of millions of dollars in proceeds from ransomware and other cybercrime, along with indicting the service’s creator.
  • “The U.S. Attorney’s Office for the Eastern District of Michigan announced a coordinated action with international partners and the Michigan State Police targeting E-Note, a cryptocurrency exchange and payment processing service used to launder illicit funds. The announcement coincided with the unsealing of an indictment charging a Russian national, Mykhalio Petrovich Chudnovets, with one count of money laundering conspiracy.”
• and
  • “Former cybersecurity professionals Ryan Clifford Goldberg and Kevin Tyler Martin pleaded guilty Thursday to participating in a series of ransomware attacks in 2023 while they were employed at cybersecurity companies tasked with helping organizations respond to ransomware attacks.
  • “Goldberg, who was a manager of incident response at Sygnia, and Martin, a ransomware negotiator at DigitalMint at the time, collaborated with an unnamed co-conspirator to attack victim computers and networks and use ALPHV, also known as BlackCat, ransomware to extort payments.
  • “The plea deals mark a relatively quick turnaround as prosecutors successfully persuaded the pair to cop to their crimes less than three months after they were indicted in the U.S. District Court for the Southern District of Florida. Goldberg was arrested Sept. 22 and Martin was arrested Oct. 14.”
• and
  • “Artem Aleksandrovych Stryzhak, a 35-year-old Ukrainian national, pleaded guilty Friday to multiple crimes stemming from his involvement in a string of ransomware attacks targeting U.S. and Europe-based organizations from mid 2018 to late 2021. He faces up to 10 years in jail for conspiracy to commit fraud, including extortion. 
  • “Stryzhak was arrested in Spain in June 2024 and extradited to the United States in April. Authorities are still looking for his alleged co-conspirator Volodymyr Tymoshchuk and announced a $11 million reward for information leading to his arrest or conviction.
  • “The defendant used Nefilim ransomware to target high-revenue companies in the United States, steal data and extort victims,” Joseph Nocella, U.S. attorney for the Eastern District of New York, said in a statement.”

From the cybersecurity breaches and vulnerabilities front,

• Cybersecurity Dive reports,
  • “Apartment owner and developer Rockrose Development Corp. recently found that unauthorized individuals hacked its systems and claimed to have acquired confidential information, according to a letter posted to its website on Dec. 12. 
  • “The security breach occurred on July 4 and affected 47,392 people, according to a data breach notification submitted to Maine’s attorney general’s office. Rockrose discovered the issues on Nov. 14. 
  • “Rockrose determined that personally identifiable information for some individuals may have been impacted, which could indicate that the hackers accessed some sensitive areas of the network. That information could include name, Social Security number, taxpayer identification number, driver’s license number, passport number, bank account and routing numbers, health insurance information, medical information and online account credentials.”

• Cyberscoop adds,
  • “Fallout from React2Shell — a stubborn vulnerability that impacts wide swaths of the internet’s scaffolding — continues to spread as public exploits and stealth backdoors proliferate and worrying details emerge about the targets attackers are pursuing. 
  • “Threat researchers and incident responders are reacting to swift-moving developments on React2Shell with mounting concern. Cybercriminals, ransomware gangs and nation-state threat groups are all swarming to exploit the maximum-severity vulnerability.
  • Palo Alto Networks’ Unit 42 puts the latest victim count at more than 60 organizations, which have been impacted by attacks involving exploitation of CVE-2025-55182, which Meta and the React team publicly disclosed Dec. 3.
  • “Microsoft said it found “several hundred machines across a diverse set of organizations” that were compromised via exploitation resulting in remote-code execution. Post-exploitation activity in those attacks includes reverse shell implants, lateral movement, data theft and steps that allowed attackers to maintain access to targeted networks, Microsoft said in a research blog Tuesday [December 16]. 

• The Cybersecurity and Infrastructure Security Agency (“CISA”) added seven known exploited vulnerabilities to its catalog this week.
  • December 15, 2025
    • CVE-2025-14611 Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability
    • CVE-2025-43529 Apple Multiple Products Use-After-Free WebKit Vulnerability 
      • Kubelski Security discusses the Gladinet KVEs here.
      • The Center for Internet Security discusses the Apple KVEs here.
  • December 16, 2025
    • CVE-2025-59718 Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability 
      • Security Affairs discusses this KVE here.
  • December 17, 2025
    • CVE-2025-20393 Cisco Multiple Products Improper Input Validation Vulnerability
    • CVE-2025-40602 SonicWall SMA1000 Missing Authorization Vulnerability
    • CVE-2025-59374 ASUS Live Update Embedded Malicious Code Vulnerability
      • The Hacker News discusses the Cisco KVE here.
      • Security Week discusses the SonicWall KVE here.
      • Malwarebytes discusses the ASUS KVE here.
  • December 19, 2025
    • CVE-2025-14733 WatchGuard Firebox Out-of-Bounds Write Vulnerability 
      • Bleeping Computer discusses this KVE here.

• Cyberscoop relates,
  • “Cisco customers are confronting a fresh wave of attacks from a Chinese threat group that has actively exploited a critical zero-day vulnerability affecting the vendor’s software for email and web security since at least late November, the company said in an advisory Wednesday. 
  • “Cisco said it became aware of the attacks Dec. 10. The defect CVE-2025-20393, which has a CVSS rating of 10, is an improper input validation vulnerability affecting Cisco AsyncOS software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager that allows attackers to execute commands with unrestricted privileges and implant persistent backdoors on compromised devices.
  • “There is no patch for the vulnerability and Cisco declined to say when one would be made available. Cisco said “non-standard configurations” have been observed in compromised networks, specifically customer systems that are configured with a publicly exposed spam quarantine feature.
  • “Cisco Talos researchers attributed the attacks to a Chinese advanced persistent threat group it tracks as UAT-9686, which has used tooling and infrastructure consistent with other China state-sponsored threat groups such as APT41 and UNC5174.

• Cybersecurity Dive informs us,
  • “Multiple threat groups have been ramping up attacks using a technique called device code phishing to trick users into granting access to their Microsoft 365 accounts, according to a report Thursday from Proofpoint. 
  • “Hackers affiliated with China and Russia have used the technique in recent months to launch attacks. A number of criminal groups have used the same method to target M365 users as well. 
  • “This is a social engineering method that abuses a legitimate and trusted workflow for authorized access,” Sarah Sabotka, staff threat researcher at Proofpoint, told Cybersecurity Dive.”
• and
  • A coordinated, credential-based hacking campaign has been targeting Palo Alto Networks GlobalProtect services, as well as Cisco SSL VPNs, in a surge of mid-December attacks, according to a blog post Wednesday by GreyNoise. 
  • The threat activity does not involve targeting of any vulnerabilities, but uses automated scripted login attempts over two days. 
  • More than 1.7 million sessions were observed targeting Palo Alto Networks GlobalProtect and PAN-OS profiles over a 16-hour period, according to GreyNoise. More than 10,000 unique IPs were detected trying to log into GlobalProtect portals on Dec. 11.  
• and
  • “A Russia-linked hacker group has been targeting critical infrastructure organizations using vulnerabilities in their edge devices since at least 2021, highlighting an alarming shift toward exploiting well-known flaws in common networking equipment, Amazon’s threat intelligence team said Monday.
  • “The threat actor’s shift [toward edge devices] represents a concerning evolution,” Amazon researchers wrote in a blog post. “While customer misconfiguration targeting has been ongoing since at least 2022, the actor maintained sustained focus on this activity in 2025 while reducing investment in zero-day and N-day exploitation.”

• Bleeping Computer points out,
  • “The UEFI firmware implementation in some motherboards from ASUS, Gigabyte, MSI, and ASRock is vulnerable to direct memory access (DMA) attacks that can bypass early-boot memory protections.
  • “The security issue has received multiple identifiers (CVE-2025-11901, CVE-2025‑14302, CVE-2025-14303, and CVE-2025-14304) due to differences in vendor implementations.”

From the ransomware front,

• Cyber Press reports,
  • “SentinelLABS research indicates that large language models (LLMs) such as ChatGPT, Claude, and open-source alternatives are accelerating every stage of the ransomware lifecycle, from reconnaissance to negotiation. 
  • “However, analysts emphasize that these tools are improving speed and scale rather than introducing fundamentally new attack methods.
  • “By repurposing enterprise-grade AI workflows, ransomware actors are using models to automate tasks such as creating phishing content, drafting multilingual ransom notes, and triaging data across leaked datasets. 
  • “This enables threat actors to identify financially sensitive files and tailor extortion tactics across multiple languages with greater precision.” * * *
  • “The report finds that while law enforcement disruptions have weakened mega cartels such as LockBit, Conti, and REvil, smaller, short-lived groups such as Termite, Punisher, and Obscura are emerging rapidly. 
  • “These groups exploit LLM-driven workflows to emulate more experienced operators, reducing entry barriers and complicating attribution.”

• Manufacturing Business Technology adds,
  • “Sophos recently announced new findings from the Sophos State of Ransomware in Manufacturing and Production 2025 report which reveals that manufacturers are stopping more ransomware attacks before data can be encrypted.
  • “However, adversaries are increasingly stealing data and using extortion-only tactics to maintain pressure. As a result, more than half of manufacturing organizations impacted by encryption paid the ransom despite progress in defensive measures.”

• Bleeping Computer relates,
  • “The Clop ransomware gang (also known as Cl0p) is targeting Internet-exposed Gladinet CentreStack file servers in a new data theft extortion campaign.
  • “Gladinet CentreStack enables businesses to securely share files hosted on on-premises file servers through web browsers, mobile apps, and mapped drives without requiring a VPN. According to Gladinet, CentreStack “is used by thousands of businesses from over 49 countries.”
  • “Since April, Gladinet has released security updates to address several other security flaws that were exploited in attacks, some of them as zero-days.
  • “The Clop cybercrime gang is now scanning for and breaching CentreStack servers exposed online, with Curated Intel telling BleepingComputer that ransom notes are left on compromised servers.
  • “However, there is currently no information on the vulnerability Clop is exploiting to hack into CentreStack servers. It is unclear whether this is a zero-day flaw or a previously addressed bug that the owners of the hacked systems have yet to patch.”

• CSO offers advice on how to create a ransomware playbook that works.

From the cybersecurity business and defenses front,

• The Wall Street Journal reports,
  • “Blackstone is leading a $400 million investment in data-security firm Cyera that values the New York-based company at $9 billion, according to people familiar with the matter. 
  • “Cyera is among a crop of cybersecurity startups leveraging artificial intelligence to protect companies from new security vulnerabilities introduced by AI. The startup, founded in 2021 by former Israeli Defence Forces military intelligence officers Yotam Segev and Tamar Bar-Ilan, raised funding at a $6 billion valuation in June.”
• and
  • “Kevin Mandia, founder of the cybersecurity firm Mandiant—which was acquired by Alphabet’s GOOGL 0.61%increase; green up pointing triangle Google for $5.4 billion—has formed a new company called Armadin that will take on the imminent threat from AI hacking.
  • “The company aims to use artificial intelligence to supercharge the business of testing networks for vulnerabilities. Armadin raised $24 million in seed funding from Ballistic Ventures, a venture-capital firm co-founded by Mandia, and is in talks with Accel, GV and Kleiner Perkins to raise $100 million or more, people familiar with the matter said. The deal is expected to value the company at more than $600 million. The round isn’t finalized, and the details could still change.
  • “Known as red-teaming, this kind of service will become more important as hackers turn to AI to speed up their attacks, Mandia said in an interview.  
  • “Offense is going to be all-AI in under two years,” he said. “And because that’s going to happen, that means defense has to be autonomous. You can’t have a human in the loop or it’s going to be too slow.”

• CISA announced,
  • Today [December 19], the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency, and Canadian Centre for Cyber Security released an update to the Malware Analysis Report BRICKSTORM Backdoor with indicators of compromise (IOCs) and detection signatures for additional BRICKSTORM samples. This update provides information on additional samples, including Rust-based samples. These samples demonstrate advanced persistence and defense evasion mechanisms, such as running as background services, and enhanced command and control capabilities through encrypted WebSocket connections.
  • The update includes two new detection signatures in the form of YARA rules, enabling organizations to better identify BRICKSTORM-related activity. Organizations are strongly encouraged to deploy these updated IOCs and signatures, and to follow the detection guidance to scan for and respond to BRICKSTORM infections If BRICKSTORM, similar malware, or potentially related activity is detected, report the incident to CISA’s 24/7 Operations Center at contact@cisa.dhs.gov or (888) 282-0870.

• Cybersecurity Dive lets us know,
  • “Hybrid infrastructure that includes a mix of public/private cloud environments, on-premises workloads and air-gapped systems are preferred by security leaders as a way to boost resilience and better manage risk, according to a report Thursday by Trellix. 
  • “About 96% of chief information security officers said a hybrid model is the preferred approach to meet regulatory and compliance requirements, while 97% said such a model will help meet obligations related to data sovereignty and residency. 
  • “Ultimately, a CISO must ensure their teams, technology and business partners understand the specific shared responsibility model for each service they consume and implement the necessary controls to manage the daily risks that remain the customer’s responsibility,” Trellix CISO Michael Green told Cybersecurity Dive. “This often involves leveraging tools and governance processes designed to operate across multicloud and hybrid environments to provide consistent security posture and visibility.”

• An ISACA expert notes,
  • “Cybersecurity budgets are often built on assumptions, including the assumption that backups will always work, that insurance will cover the losses and that existing controls are “good enough.” Yet, when those assumptions fail, the operational fallout can be staggering. The City of Hamilton in Canada learned this lesson when a ransomware attack crippled nearly 80% of its network and left taxpayers facing a CAD $18.3 million recovery bill. Misplaced assumptions regarding backups, authentication, insurance and system resilience can lead organizations to underestimate risk and drive up the cost of a cyberattack.”

• Dark Reading offers advice on creating an AI adoption playbook and of course its CISO Corner.

From the cybersecurity policy and law enforcement front,

• Cyberscoop reports,
  • “The Defense Department would require that senior leaders have secure mobile phones, that personnel would get cybersecurity training that includes a focus on artificial intelligence and that cyber troops would have access to mental health services under a compromise annual defense policy bill released over the weekend.
  • “The deal between House and Senate negotiators on the fiscal 2026 National Defense Authorization Act (NDAA) [reached last weekend] is a massive piece of legislation that runs the gamut of the Pentagon, including a record-breaking $901 billion topline figure. It also has a grab bag of cybersecurity policy provisions.”

• Roll Call adds,
  • “Senate leaders plan for the chamber to vote next week to clear the bicameral compromise National Defense Authorization Act for President Donald Trump’s signature.
  • “As the fiscal 2026 bill edges closer to enactment, one of the few last-minute controversies shadowing it concerns whether the measure goes far enough to restrict military aircraft operations in close proximity to Ronald Reagan Washington National Airport.
  • “The Senate on Thursday [Decmber 11] voted 75-22 to take one procedural step closer to voting on the measure — agreeing to proceed to the legislation — which would authorize $900.6 billion for defense programs, mostly at the Pentagon.
  • “The chamber still plans to cast another procedural vote — set for Monday evening — and is expected to vote to clear the NDAA soon thereafter next week.
  • “The House passed the bill Wednesday [December 10} by a vote of 312-112.”

• The American Hospital Association News tells us,
  • “The Cybersecurity and Infrastructure Security Agency Dec. 11 released an update to its voluntary Cybersecurity Performance Goals, which includes measurable actions for critical infrastructure, including health care. The update aligns with the latest cybersecurity standards outlined by the National Institute of Standards and Technology and addresses the most common and impactful threats facing critical infrastructure. The guidance also highlights the role of governance in cybersecurity management, emphasizing accountability, risk management and strategic integration of cybersecurity into day-to-day operations.” 

• The HIPAA Journal relates,
  • “The College of Healthcare Information Management Executives (CHIME) and more than 100 U.S. hospital systems, healthcare provider organizations, and provider associations have called for the Department of Health and Human Services (HHS) to withdraw its proposed updates to the HIPAA Security Rule.
  • “The HIPAA Security Rule was enacted in 2002, nine years after HIPAA was signed into law, to establish security standards for electronic protected health information created, received, used, or maintained by a covered entity, with the requirements subsequently expanded to cover business associates of HIPAA-regulated entities. The Security Rule was written to be technology agnostic to avoid frequent rule changes in response to advances in technology; however, 22 years after its initial release, the HHS proposed a substantial update that specified many new cybersecurity requirements.” * * *
  • “While few healthcare industry stakeholders would disagree with the main purpose of the update – to improve healthcare cybersecurity and prevent costly and damaging cyberattacks that threaten patient safety – the proposed update attracted considerable criticism from healthcare and provider organizations. In February 2025, 8 industry associations, including CHIME, co-signed a letter to President Trump calling for the proposed update to be rescinded, pointing out that under the previous Trump administration, healthcare organizations were incentivized to adopt recognized cybersecurity best practices, and that was a better approach than imposing unreasonable cybersecurity mandates that would be costly and difficult to implement.
  • “In the December 8, 2025, joint stakeholder letter to HHS Secretary Robert F. Kennedy, Jr., the signatories called for the proposed update to be immediately withdrawn, and for the HHS to instead “conduct a collaborative outreach initiative with our organizations and other regulated entities that are impacted to develop practical and actionable cybersecurity standards for more robust protections of individuals’ health information, without the extreme and unnecessary regulatory burden that health care providers and other stakeholders would face under the crushing and unprecedented provisions of this Proposed Rule.”

• Per a National Institute of Standards and Technology news release,
  • “NIST Special Publication (SP) 800-70r5 ipd (Revision 5, initial public draft), National Checklist Program for IT Products – Guidelines for Checklist Users and Developers, is now available for public comment through January 16, 2026, at 11:59 PM (EST).
  • “NIST established the National Checklist Program (NCP) to facilitate the generation of security checklists from authoritative sources, centralize the location of checklists, and make checklists broadly accessible. SP 800-70r5 ipd describes the uses, benefits, and management of checklists and checklist control catalogs, as well as the policies, procedures, and general requirements for participation in the NCP.”

• Security Weeks informs us,
  • “The US government has announced rewards of up to $10 million for information on members of the Iranian hacking group known as Emennet Pasargad.
  • “The reward offers come roughly a year after a US-Israel joint advisory described the activities of the group, which was then identified by the name of its front company, Aria Sepehr Ayandehsazan (ASA).
  • “Noting that the group was previously identified as Emennet Pasargad, Ayandeh Sazan Sepehr Arya (ASSA), Eeleyanet Gostar, and Net Peygard Samavat Company, the US now calls it Shahid Shushtari.
  • “In the private sector, the threat group has been known as Cotton Sandstorm, Marnanbridge, and Haywire Kitten.”

• Cyberscoop adds,
  • “The Justice Department has charged a Ukrainian national with conducting cyberattacks on critical infrastructure worldwide as part of two Russian state-sponsored hacking operations that targeted water systems, food processing facilities and government networks across the United States and allied nations.
  • “Victoria Eduardovna Dubranova, 33, was arraigned on a second indictment Tuesday [December 9] after being extradited to the U.S. earlier this year. She faces charges related to her alleged work with CyberArmyofRussia_Reborn, known as CARR, and NoName057(16), two groups federal prosecutors say received backing from Moscow to advance Russian geopolitical interests. 
  • “Dubranova pleaded not guilty in both cases.”

From the cybersecurity breaches and vulnerabilities front,

• Bleeping Computer reports,
  • “MITRE has shared this year’s top 25 list of the most dangerous software weaknesses behind over 39,000 security vulnerabilities disclosed between June 2024 and June 2025.
  • “The list was released in cooperation with the Homeland Security Systems Engineering and Development Institute (HSSEDI) and the Cybersecurity and Infrastructure Security Agency (CISA), which manage and sponsor the Common Weakness Enumeration (CWE) program.
  • “Software weaknesses can be flaws, bugs, vulnerabilities, or errors found in a software’s code, implementation, architecture, or design, and attackers can abuse them to breach systems running the vulnerable software. Successful exploitation allows threat actors to gain control over compromised devices and trigger denial-of-service attacks or access sensitive data.

• Cyberscoop relates,
  • “Security experts have observed a steady increase in malicious activity from a widening pool of attackers seeking to exploit React2Shell, a critical vulnerability disclosed last week in React Server Components.
  • “Authorities are also responding to heightened concern about the defect, with the Cybersecurity and Infrastructure Security Agency shortening the deadline for agencies to patch the vulnerability to Friday [December 12] . The agency previously set a deadline of Dec. 26 when it added CVE-2025-55182 to its known exploited vulnerabilities catalog last week.
  • “Palo Alto Networks Unit 42 said more than 50 organizations are impacted by attacks involving exploitation of the vulnerability with victims observed in the United States, Asia, South America and the Middle East.” 

• Cybrsecurity Dive adds,
  • “React on Thursday [December 11] warned that customers will need to apply new upgrades amid the React2Shell crisis, after researchers discovered additional vulnerabilities, including a denial of service flaw and a source code exposure. 
  • “A denial of service vulnerability, tracked as CVE-2025-55184 and CVE-2025-67779, allows an attacker to craft a malicious HTTP request and send it to a Server Functions endpoint, which can lead to an infinite loop. The flaw has a severity score of 7.5. 
  • “The source code exposure, tracked as CVE-2025-55183, allows a malicious HTTP request sent to a vulnerable Server Function to unsafely return the source code of any Server Function.”

• The American Hospital Association News lets us know,
  • “U.S. and international agencies are warning of potential cyberattacks on health care and other critical infrastructure from state-sponsored cyber actors in Russia and China.
  • “An advisory released yesterday [December 11] warns of incidents by Russian hackers using internet-facing desktop-sharing systems to access operational technology and industrial control systems for malicious activity. A Dec. 4 report warns of Chinese state-sponsored cyber actors using BRICKSTORM malware to attack VMware vSphere and Windows cloud platforms.
  • “These nation-state level threats may be difficult for civilian network defenders to counter,” said John Riggi, AHA national advisor for cybersecurity and risk. “However, robust cyber threat information sharing between the private sector and the federal government, implementation of recommended practices, and the commendable and aggressive enforcement operations by the FBI and other agencies will help mitigate the threat. Organizations should also update, integrate and routinely test emergency preparedness, cyber incident response and clinical continuity plans should there be an extended technology outage affecting hospitals directly or indirectly through a cyberattack against mission-critical third parties.”

• CISA added seven known exploited vulnerabilities to its catalog this week.
  • December 8, 2025
    • CVE-2022-37055 D-Link Routers Buffer Overflow Vulnerability
    • CVE-2025-66644 Array Networks ArrayOS AG OS Command Injection Vulnerability
      • Cyber Press discusses the D-Link KVE here. 
      • F5 discusses the Array Networks KVE here.
  • December 9, 2025,
    • CVE-2025-6218 RARLAB WinRAR Path Traversal Vulnerability
    • CVE-2025-62221 Microsoft Windows Use After Free Vulnerability 
      • Cybersecurity News discusses the RARLAB KVE here.
      • Bleeping Computer discusses the Microsoft KVE here.
  • December 11, 2025
    • CVE-2025-58360 OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability 
      • Bleeping Computer discusses this KVE here.
  • December 12, 2025
    • CVE-2025-14174 Google Chromium Out-of-Bounds Memory Access Vulnerability
      • The Hacker News discusses this KVE here.
  • December 12, 2025 (double shot day, not a typo)
    • CVE-2018-4063 Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability
      • Windows Forum discusses this KVE here. 
        
• Bleeping Computer adds,
  • “Apple has released emergency updates to patch two zero-day vulnerabilities that were exploited in an “extremely sophisticated attack” targeting specific individuals.
  • “The zero-days are tracked as CVE-2025-43529 and CVE-2025-14174 and were both issued in response to the same reported exploitation.
  • “Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26,” reads Apple’s security bulletin.”

• Cybersecurity Dive notes,
  • “Utility-scale battery energy storage systems are facing heightened risks of attack from nation-state and criminal threat groups, and immediate action needs to be taken to secure critical industries from potential disruption, according to a white paper from Brattle Group and Dragos. 
  • BESS deployments are expected to grow between 20% and 45% over the next five years, driven by increased demand for data centers and other power requirements. At the same time, state-linked actors have turned their attention toward disrupting critical industries, such as utilities and rival nations competing with the U.S. for dominance in AI and clean energy.”

• Per Infosecurity Magazine,
  • “A new iteration of the ClayRat Android spyware featuring expanded surveillance and device-control functions has been identified by cybersecurity researchers.
  • “First seen in October, ClayRat was originally capable of stealing SMS messages, call logs and photos, as well as sending mass texts.
  • “The latest version introduces far broader capabilities by combining Default SMS privileges with extensive abuse of Accessibility Services.”

From the ransomware front,

• Cybersecurity Dive reports,
  • “Ransomware activity reached an all-time high in 2023, totaling more than 1,500 incidents and $1.1 billion in reported payments, before dropping the following year after two high-profile law enforcement takedowns.
  • “The two critical law enforcement actions were the 2023 U.S.-led takedown of AlphV/BlackCat and the 2024 disruption of LockBit by U.S. and U.K. authorities, according to a new U.S. government study.
  • “The report by the U.S. Treasury’s Financial Crimes Enforcement Networkshows ransomware fell to 1,476 incidents in 2024, with reported payments reaching $734 million. 
  • ‘More than $2.1 billion in ransomware payments were reported between 2022 and 2024, according to the report. 
  • “The medium amount of a single ransomware transaction rose from $122,097 in 2022 to $155,257 in 2024, according to the report. The most common payment amount was less than $250,000 during the period. 
  • ‘AlphV/BlackCat was the most prevalent ransomware variant during the 2022–2024 period, according to the report. The other most reported variants included Akira, LockBit, Phobos and Black Basta.” 

• Dark Reading adds,
  • “You may be familiar with ransomware-as-a-service (RaaS), but now there’s also packer-as-a-service.
  • “Security vendor Sophos on Dec. 6 published research on “Shanya,” a packer-as-a-service family that augments ransomware so it can avoid anti-malware software. While ransomware-as-a-service provides low-level attackers with extortion malware they might not be able to create otherwise, packers-as-a-service (PaaS) provide a shell around pre-existing ransomware that acts as an extra layer of obfuscation.
  • “Shanya covers ground previously paved by PaaS operation HeartCrypt, which over the past year has firmly entrenched itself in the modern ransomware ecosystem. Sophos’ Gabor Szappanos and Steeve Gaudreault say Shanya is “already favored by ransomware groups and taking over (to some degree) the role that HeartCrypt has played in the ransomware toolkit.”
• and
  • “Initial access broker Storm‑0249 has shifted from noisy, easily detected phishing attacks to highly targeted campaigns that are much harder to detect and stop. 
  • “According to ReliaQuest, Storm-0249, which is known for brokering network access to ransomware operators, is increasingly weaponizing legitimate endpoint detection and response (EDR) processes as well as built-in Windows utilities to carry out post-compromise activities. This includes poking around compromised systems to gather information, setting up command-and-control (C2) channels, and staying persistent in the environment. These new tactics let Storm‑0249 slip past defenses, get deep into networks, and operate almost completely under the radar, the security vendor said.”
• and
  • “A new attack uses SEO poisoning and popular AI models to deliver infostealer malware, all while leveraging legitimate domains. 
  • “ClickFix attacks have gained significant popularity over the past year, using otherwise benign CAPTCHA-style prompts to lure users into a false sense of security and then tricking them into executing malicious prompts against themselves. These prompts are often delivered through SEO poisoning and phishing campaigns, representing one of the fancier applications of social engineering in cybercrime to date.” 

• The Register points out,
  • “Researchers at security software vendor Huntress say they’ve noticed a huge increase in ransomware attacks on hypervisors and urged users to ensure they’re as secure as can be and properly backed up.
  • “Huntress case data revealed a stunning surge in hypervisor ransomware: its role in malicious encryption rocketed from just three percent in the first half of the year to 25 percent so far in the second half,” wrote Senior Hunt & Response Analyst Anna Pham, Technical Account Manager Ben Bernstein, and Senior Manager for Hunt & Response, Dray Agha in a Monday [December 8] post.
  • “The primary actor driving this trend is the Akira ransomware group,” the trio warned, adding that the gang, and other attackers, are going after hypervisors “in an attempt to circumvent endpoint and network security controls.”

From the cybersecurity business and defenses front,

• Security Week reports,
  • “Enterprise cybersecurity giant Proofpoint has completed the acquisition of Germany-based Microsoft 365 security solutions provider Hornetsecurity.
  • “Financial details were not officially disclosed when news of the transaction came to light, but it was reported that Proofpoint would be paying $1 billion for its European competitor. SecurityWeek learned at the time that the deal size well exceeded $1 billion.
  • “Proofpoint has now revealed that the transaction has been valued at $1.8 billion. 
  • “Through the acquisition of Hornetsecurity, Proofpoint is aggressively expanding its reach into the SMB market and strengthening its foothold in Europe.”

• Info Bank Security adds,
  • “An identity security stalwart led by the company’s longtime founder raised $700 million to support the management of non-human identities and agentic artificial intelligence.
  • “Los Angeles-based Saviynt plans to use the Series B proceeds to invest in core platform capabilities, AI governance protocols and deep integrations with the likes of AWS, Google and CrowdStrike, said Saviynt President Paul Zolfaghari. What was once about on premise human access is now a multidimensional challenge involving extended workforces, robotic accounts and AI-driven agents, Zolfaghari said.
  • “It was an opportunity to put in place the resources necessary to deliver on the vision for the future. The interest in identity security and AI has gone up quite a bit,” he said. “The amount is just a function of the resources that we think that we need for the foreseeable future. It’s an opportunity for us to have the resources we need while still maintaining the control and the culture that has gotten us to this point.”

• Cyberscoop relates,
  • “Global cybersecurity agencies have issued the first unified guidance on applying artificial intelligence (AI) within critical infrastructure, signaling a major shift from theoretical debate to practical guardrails for safety and reliability.
  • “The release of joint guidance on Principles for the Secure Integration of Artificial Intelligence in Operational Technology marks a meaningful milestone for critical infrastructure security because major global cybersecurity agencies, including CISA, the FBI, the NSA, the Australian Signals Directorate’s Australian Cyber Security Centre, and other partners, have aligned on a shared direction. As AI adoption accelerates across operational environments, this document moves us from theory to practice. It acknowledges AI’s promise while making clear that it also “introduces significant risks—such as operational technology (OT) process models drifting over time or safety-process bypasses” that operators must actively manage to ensure reliability.”

• Here is a link to Dark Reading’s CISO Corner.