From the cybersecurity policy and law enforcement front,

• Cyberscoop reports,
  • “With a little more than a month left before a foundational cyber threat information sharing law expires for a second time, Congress might have to do another short-term extension as negotiations on a longer deal aren’t yet bearing fruit, a key lawmaker said Tuesday.
  • “House Homeland Security Chairman Andrew Garbarino, R-N.Y., said the problem with a long-term extension of the Cybersecurity Information Sharing Act of 2015, which provides legal protections to companies to share cyber threat data with the federal government and other companies, is that there are three different views about how to approach it.
  • “The Trump administration and some in the Senate want a clean, 10-year reauthorization of the law, which Congress extended last month until Jan. 30 as part of the legislation that ended the government shutdown, after the information sharing law lapsed in October. But a reauthorization without any changes could run into House opposition, Garbarino said.” * * *
  • “Senate Homeland Security and Governmental Affairs Committee Chairman Rand Paul, R-Ky., also has a version of the bill that focuses largely on language he said is needed to defend free speech. And Garbarino’s version takes yet another approach to tweaking the law.
  • “Unfortunately, I don’t think we’re close enough with the discussions on the Senate to get it to figure out which bill will pass and what will get done,” Garbarino said. That leaves another extension tied to any funding bill that replaces the legislation currently funding the government, which also runs through Jan. 30.”
• and
  • “Policymakers and companies are reckoning with increased reports over the past few months showing AI tools being leveraged to conduct cyber attacks on a larger and faster scale.
  • “Most notably, Anthropic reported last month that Chinese hackers had jailbroken and tricked its AI model Claude into assisting with a cyberespionage hacking campaign that ultimately targeted more than 30 entities around the world.
  • “The Claude-enabled Chinese hacks have underscored existing concerns among AI companies and policymakers that the technology’s development and relevance to offensive cybersecurity may be outpacing the cybersecurity, legal and policy responses being developed to defend against them.
  • “At a House Homeland Security hearing this week, Logan Graham, head of Anthropic’s red team, said the Chinese spying campaign demonstrates that worries about AI models being used to supercharge hacking are more than theoretical.”

• Cybersecurity Dive tells us,
  • “A top Senate Republican is pressing the Trump administration for a plan to address the cybersecurity consequences of the U.S.’s dependence on open-source software.
  • “Leaving our reliance on OSS unmonitored is exposing America to increasingly dangerous risks,” Senate Intelligence Committee Chair Tom Cotton, R-Okla., wrote in a Wednesday letter to National Cyber Director Sean Cairncross.
  • “Cotton cited recent incidents that highlighted the unstable and sometimes untrustworthy foundations of the open-source ecosystem, including the XZ Utils crisis, a Russian developer’s control of a package that the U.S. military uses for sensitive applications and the prevalence of code contributions by Chinese companies’ employees, who are bound by Chinese laws that could force them to disclose software flaws to Beijing before fixing them.”
• and
  • “The National Institute of Standards and Technology has prepared a companion to its widely used Cybersecurity Framework that focuses on how organizations can safely use AI.
  • “NIST’s Cybersecurity Framework Profile for Artificial Intelligence, which the agency released in draft form on Tuesday [December 16], describes how organizations can manage the cybersecurity challenges of different AI systems, improve their cyber defense capabilities with AI and block AI-powered cyberattacks. The document maps components of the Cybersecurity Framework (CSF) onto specific recommendations in each of those three areas, which NIST dubbed “secure,” “defend” and “thwart,” respectively.
  • “The three focus areas reflect the fact that AI is entering organizations’ awareness in different ways,” Barbara Cuthill, one of the profile’s authors, said in a statement. “But ultimately every organization will have to deal with all three.”
    
• Cyberscoop tells us,
  • “Federal prosecutors in Michigan say they have dismantled online infrastructure tied to an alleged money laundering operation that moved tens of millions of dollars in proceeds from ransomware and other cybercrime, along with indicting the service’s creator.
  • “The U.S. Attorney’s Office for the Eastern District of Michigan announced a coordinated action with international partners and the Michigan State Police targeting E-Note, a cryptocurrency exchange and payment processing service used to launder illicit funds. The announcement coincided with the unsealing of an indictment charging a Russian national, Mykhalio Petrovich Chudnovets, with one count of money laundering conspiracy.”
• and
  • “Former cybersecurity professionals Ryan Clifford Goldberg and Kevin Tyler Martin pleaded guilty Thursday to participating in a series of ransomware attacks in 2023 while they were employed at cybersecurity companies tasked with helping organizations respond to ransomware attacks.
  • “Goldberg, who was a manager of incident response at Sygnia, and Martin, a ransomware negotiator at DigitalMint at the time, collaborated with an unnamed co-conspirator to attack victim computers and networks and use ALPHV, also known as BlackCat, ransomware to extort payments.
  • “The plea deals mark a relatively quick turnaround as prosecutors successfully persuaded the pair to cop to their crimes less than three months after they were indicted in the U.S. District Court for the Southern District of Florida. Goldberg was arrested Sept. 22 and Martin was arrested Oct. 14.”
• and
  • “Artem Aleksandrovych Stryzhak, a 35-year-old Ukrainian national, pleaded guilty Friday to multiple crimes stemming from his involvement in a string of ransomware attacks targeting U.S. and Europe-based organizations from mid 2018 to late 2021. He faces up to 10 years in jail for conspiracy to commit fraud, including extortion. 
  • “Stryzhak was arrested in Spain in June 2024 and extradited to the United States in April. Authorities are still looking for his alleged co-conspirator Volodymyr Tymoshchuk and announced a $11 million reward for information leading to his arrest or conviction.
  • “The defendant used Nefilim ransomware to target high-revenue companies in the United States, steal data and extort victims,” Joseph Nocella, U.S. attorney for the Eastern District of New York, said in a statement.”

From the cybersecurity breaches and vulnerabilities front,

• Cybersecurity Dive reports,
  • “Apartment owner and developer Rockrose Development Corp. recently found that unauthorized individuals hacked its systems and claimed to have acquired confidential information, according to a letter posted to its website on Dec. 12. 
  • “The security breach occurred on July 4 and affected 47,392 people, according to a data breach notification submitted to Maine’s attorney general’s office. Rockrose discovered the issues on Nov. 14. 
  • “Rockrose determined that personally identifiable information for some individuals may have been impacted, which could indicate that the hackers accessed some sensitive areas of the network. That information could include name, Social Security number, taxpayer identification number, driver’s license number, passport number, bank account and routing numbers, health insurance information, medical information and online account credentials.”

• Cyberscoop adds,
  • “Fallout from React2Shell — a stubborn vulnerability that impacts wide swaths of the internet’s scaffolding — continues to spread as public exploits and stealth backdoors proliferate and worrying details emerge about the targets attackers are pursuing. 
  • “Threat researchers and incident responders are reacting to swift-moving developments on React2Shell with mounting concern. Cybercriminals, ransomware gangs and nation-state threat groups are all swarming to exploit the maximum-severity vulnerability.
  • Palo Alto Networks’ Unit 42 puts the latest victim count at more than 60 organizations, which have been impacted by attacks involving exploitation of CVE-2025-55182, which Meta and the React team publicly disclosed Dec. 3.
  • “Microsoft said it found “several hundred machines across a diverse set of organizations” that were compromised via exploitation resulting in remote-code execution. Post-exploitation activity in those attacks includes reverse shell implants, lateral movement, data theft and steps that allowed attackers to maintain access to targeted networks, Microsoft said in a research blog Tuesday [December 16]. 

• The Cybersecurity and Infrastructure Security Agency (“CISA”) added seven known exploited vulnerabilities to its catalog this week.
  • December 15, 2025
    • CVE-2025-14611 Gladinet CentreStack and Triofox Hard Coded Cryptographic Vulnerability
    • CVE-2025-43529 Apple Multiple Products Use-After-Free WebKit Vulnerability 
      • Kubelski Security discusses the Gladinet KVEs here.
      • The Center for Internet Security discusses the Apple KVEs here.
  • December 16, 2025
    • CVE-2025-59718 Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability 
      • Security Affairs discusses this KVE here.
  • December 17, 2025
    • CVE-2025-20393 Cisco Multiple Products Improper Input Validation Vulnerability
    • CVE-2025-40602 SonicWall SMA1000 Missing Authorization Vulnerability
    • CVE-2025-59374 ASUS Live Update Embedded Malicious Code Vulnerability
      • The Hacker News discusses the Cisco KVE here.
      • Security Week discusses the SonicWall KVE here.
      • Malwarebytes discusses the ASUS KVE here.
  • December 19, 2025
    • CVE-2025-14733 WatchGuard Firebox Out-of-Bounds Write Vulnerability 
      • Bleeping Computer discusses this KVE here.

• Cyberscoop relates,
  • “Cisco customers are confronting a fresh wave of attacks from a Chinese threat group that has actively exploited a critical zero-day vulnerability affecting the vendor’s software for email and web security since at least late November, the company said in an advisory Wednesday. 
  • “Cisco said it became aware of the attacks Dec. 10. The defect CVE-2025-20393, which has a CVSS rating of 10, is an improper input validation vulnerability affecting Cisco AsyncOS software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager that allows attackers to execute commands with unrestricted privileges and implant persistent backdoors on compromised devices.
  • “There is no patch for the vulnerability and Cisco declined to say when one would be made available. Cisco said “non-standard configurations” have been observed in compromised networks, specifically customer systems that are configured with a publicly exposed spam quarantine feature.
  • “Cisco Talos researchers attributed the attacks to a Chinese advanced persistent threat group it tracks as UAT-9686, which has used tooling and infrastructure consistent with other China state-sponsored threat groups such as APT41 and UNC5174.

• Cybersecurity Dive informs us,
  • “Multiple threat groups have been ramping up attacks using a technique called device code phishing to trick users into granting access to their Microsoft 365 accounts, according to a report Thursday from Proofpoint. 
  • “Hackers affiliated with China and Russia have used the technique in recent months to launch attacks. A number of criminal groups have used the same method to target M365 users as well. 
  • “This is a social engineering method that abuses a legitimate and trusted workflow for authorized access,” Sarah Sabotka, staff threat researcher at Proofpoint, told Cybersecurity Dive.”
• and
  • A coordinated, credential-based hacking campaign has been targeting Palo Alto Networks GlobalProtect services, as well as Cisco SSL VPNs, in a surge of mid-December attacks, according to a blog post Wednesday by GreyNoise. 
  • The threat activity does not involve targeting of any vulnerabilities, but uses automated scripted login attempts over two days. 
  • More than 1.7 million sessions were observed targeting Palo Alto Networks GlobalProtect and PAN-OS profiles over a 16-hour period, according to GreyNoise. More than 10,000 unique IPs were detected trying to log into GlobalProtect portals on Dec. 11.  
• and
  • “A Russia-linked hacker group has been targeting critical infrastructure organizations using vulnerabilities in their edge devices since at least 2021, highlighting an alarming shift toward exploiting well-known flaws in common networking equipment, Amazon’s threat intelligence team said Monday.
  • “The threat actor’s shift [toward edge devices] represents a concerning evolution,” Amazon researchers wrote in a blog post. “While customer misconfiguration targeting has been ongoing since at least 2022, the actor maintained sustained focus on this activity in 2025 while reducing investment in zero-day and N-day exploitation.”

• Bleeping Computer points out,
  • “The UEFI firmware implementation in some motherboards from ASUS, Gigabyte, MSI, and ASRock is vulnerable to direct memory access (DMA) attacks that can bypass early-boot memory protections.
  • “The security issue has received multiple identifiers (CVE-2025-11901, CVE-2025‑14302, CVE-2025-14303, and CVE-2025-14304) due to differences in vendor implementations.”

From the ransomware front,

• Cyber Press reports,
  • “SentinelLABS research indicates that large language models (LLMs) such as ChatGPT, Claude, and open-source alternatives are accelerating every stage of the ransomware lifecycle, from reconnaissance to negotiation. 
  • “However, analysts emphasize that these tools are improving speed and scale rather than introducing fundamentally new attack methods.
  • “By repurposing enterprise-grade AI workflows, ransomware actors are using models to automate tasks such as creating phishing content, drafting multilingual ransom notes, and triaging data across leaked datasets. 
  • “This enables threat actors to identify financially sensitive files and tailor extortion tactics across multiple languages with greater precision.” * * *
  • “The report finds that while law enforcement disruptions have weakened mega cartels such as LockBit, Conti, and REvil, smaller, short-lived groups such as Termite, Punisher, and Obscura are emerging rapidly. 
  • “These groups exploit LLM-driven workflows to emulate more experienced operators, reducing entry barriers and complicating attribution.”

• Manufacturing Business Technology adds,
  • “Sophos recently announced new findings from the Sophos State of Ransomware in Manufacturing and Production 2025 report which reveals that manufacturers are stopping more ransomware attacks before data can be encrypted.
  • “However, adversaries are increasingly stealing data and using extortion-only tactics to maintain pressure. As a result, more than half of manufacturing organizations impacted by encryption paid the ransom despite progress in defensive measures.”

• Bleeping Computer relates,
  • “The Clop ransomware gang (also known as Cl0p) is targeting Internet-exposed Gladinet CentreStack file servers in a new data theft extortion campaign.
  • “Gladinet CentreStack enables businesses to securely share files hosted on on-premises file servers through web browsers, mobile apps, and mapped drives without requiring a VPN. According to Gladinet, CentreStack “is used by thousands of businesses from over 49 countries.”
  • “Since April, Gladinet has released security updates to address several other security flaws that were exploited in attacks, some of them as zero-days.
  • “The Clop cybercrime gang is now scanning for and breaching CentreStack servers exposed online, with Curated Intel telling BleepingComputer that ransom notes are left on compromised servers.
  • “However, there is currently no information on the vulnerability Clop is exploiting to hack into CentreStack servers. It is unclear whether this is a zero-day flaw or a previously addressed bug that the owners of the hacked systems have yet to patch.”

• CSO offers advice on how to create a ransomware playbook that works.

From the cybersecurity business and defenses front,

• The Wall Street Journal reports,
  • “Blackstone is leading a $400 million investment in data-security firm Cyera that values the New York-based company at $9 billion, according to people familiar with the matter. 
  • “Cyera is among a crop of cybersecurity startups leveraging artificial intelligence to protect companies from new security vulnerabilities introduced by AI. The startup, founded in 2021 by former Israeli Defence Forces military intelligence officers Yotam Segev and Tamar Bar-Ilan, raised funding at a $6 billion valuation in June.”
• and
  • “Kevin Mandia, founder of the cybersecurity firm Mandiant—which was acquired by Alphabet’s GOOGL 0.61%increase; green up pointing triangle Google for $5.4 billion—has formed a new company called Armadin that will take on the imminent threat from AI hacking.
  • “The company aims to use artificial intelligence to supercharge the business of testing networks for vulnerabilities. Armadin raised $24 million in seed funding from Ballistic Ventures, a venture-capital firm co-founded by Mandia, and is in talks with Accel, GV and Kleiner Perkins to raise $100 million or more, people familiar with the matter said. The deal is expected to value the company at more than $600 million. The round isn’t finalized, and the details could still change.
  • “Known as red-teaming, this kind of service will become more important as hackers turn to AI to speed up their attacks, Mandia said in an interview.  
  • “Offense is going to be all-AI in under two years,” he said. “And because that’s going to happen, that means defense has to be autonomous. You can’t have a human in the loop or it’s going to be too slow.”

• CISA announced,
  • Today [December 19], the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency, and Canadian Centre for Cyber Security released an update to the Malware Analysis Report BRICKSTORM Backdoor with indicators of compromise (IOCs) and detection signatures for additional BRICKSTORM samples. This update provides information on additional samples, including Rust-based samples. These samples demonstrate advanced persistence and defense evasion mechanisms, such as running as background services, and enhanced command and control capabilities through encrypted WebSocket connections.
  • The update includes two new detection signatures in the form of YARA rules, enabling organizations to better identify BRICKSTORM-related activity. Organizations are strongly encouraged to deploy these updated IOCs and signatures, and to follow the detection guidance to scan for and respond to BRICKSTORM infections If BRICKSTORM, similar malware, or potentially related activity is detected, report the incident to CISA’s 24/7 Operations Center at contact@cisa.dhs.gov or (888) 282-0870.

• Cybersecurity Dive lets us know,
  • “Hybrid infrastructure that includes a mix of public/private cloud environments, on-premises workloads and air-gapped systems are preferred by security leaders as a way to boost resilience and better manage risk, according to a report Thursday by Trellix. 
  • “About 96% of chief information security officers said a hybrid model is the preferred approach to meet regulatory and compliance requirements, while 97% said such a model will help meet obligations related to data sovereignty and residency. 
  • “Ultimately, a CISO must ensure their teams, technology and business partners understand the specific shared responsibility model for each service they consume and implement the necessary controls to manage the daily risks that remain the customer’s responsibility,” Trellix CISO Michael Green told Cybersecurity Dive. “This often involves leveraging tools and governance processes designed to operate across multicloud and hybrid environments to provide consistent security posture and visibility.”

• An ISACA expert notes,
  • “Cybersecurity budgets are often built on assumptions, including the assumption that backups will always work, that insurance will cover the losses and that existing controls are “good enough.” Yet, when those assumptions fail, the operational fallout can be staggering. The City of Hamilton in Canada learned this lesson when a ransomware attack crippled nearly 80% of its network and left taxpayers facing a CAD $18.3 million recovery bill. Misplaced assumptions regarding backups, authentication, insurance and system resilience can lead organizations to underestimate risk and drive up the cost of a cyberattack.”

• Dark Reading offers advice on creating an AI adoption playbook and of course its CISO Corner.

From the cybersecurity policy and law enforcement front,

• Cyberscoop reports,
  • “The Defense Department would require that senior leaders have secure mobile phones, that personnel would get cybersecurity training that includes a focus on artificial intelligence and that cyber troops would have access to mental health services under a compromise annual defense policy bill released over the weekend.
  • “The deal between House and Senate negotiators on the fiscal 2026 National Defense Authorization Act (NDAA) [reached last weekend] is a massive piece of legislation that runs the gamut of the Pentagon, including a record-breaking $901 billion topline figure. It also has a grab bag of cybersecurity policy provisions.”

• Roll Call adds,
  • “Senate leaders plan for the chamber to vote next week to clear the bicameral compromise National Defense Authorization Act for President Donald Trump’s signature.
  • “As the fiscal 2026 bill edges closer to enactment, one of the few last-minute controversies shadowing it concerns whether the measure goes far enough to restrict military aircraft operations in close proximity to Ronald Reagan Washington National Airport.
  • “The Senate on Thursday [Decmber 11] voted 75-22 to take one procedural step closer to voting on the measure — agreeing to proceed to the legislation — which would authorize $900.6 billion for defense programs, mostly at the Pentagon.
  • “The chamber still plans to cast another procedural vote — set for Monday evening — and is expected to vote to clear the NDAA soon thereafter next week.
  • “The House passed the bill Wednesday [December 10} by a vote of 312-112.”

• The American Hospital Association News tells us,
  • “The Cybersecurity and Infrastructure Security Agency Dec. 11 released an update to its voluntary Cybersecurity Performance Goals, which includes measurable actions for critical infrastructure, including health care. The update aligns with the latest cybersecurity standards outlined by the National Institute of Standards and Technology and addresses the most common and impactful threats facing critical infrastructure. The guidance also highlights the role of governance in cybersecurity management, emphasizing accountability, risk management and strategic integration of cybersecurity into day-to-day operations.” 

• The HIPAA Journal relates,
  • “The College of Healthcare Information Management Executives (CHIME) and more than 100 U.S. hospital systems, healthcare provider organizations, and provider associations have called for the Department of Health and Human Services (HHS) to withdraw its proposed updates to the HIPAA Security Rule.
  • “The HIPAA Security Rule was enacted in 2002, nine years after HIPAA was signed into law, to establish security standards for electronic protected health information created, received, used, or maintained by a covered entity, with the requirements subsequently expanded to cover business associates of HIPAA-regulated entities. The Security Rule was written to be technology agnostic to avoid frequent rule changes in response to advances in technology; however, 22 years after its initial release, the HHS proposed a substantial update that specified many new cybersecurity requirements.” * * *
  • “While few healthcare industry stakeholders would disagree with the main purpose of the update – to improve healthcare cybersecurity and prevent costly and damaging cyberattacks that threaten patient safety – the proposed update attracted considerable criticism from healthcare and provider organizations. In February 2025, 8 industry associations, including CHIME, co-signed a letter to President Trump calling for the proposed update to be rescinded, pointing out that under the previous Trump administration, healthcare organizations were incentivized to adopt recognized cybersecurity best practices, and that was a better approach than imposing unreasonable cybersecurity mandates that would be costly and difficult to implement.
  • “In the December 8, 2025, joint stakeholder letter to HHS Secretary Robert F. Kennedy, Jr., the signatories called for the proposed update to be immediately withdrawn, and for the HHS to instead “conduct a collaborative outreach initiative with our organizations and other regulated entities that are impacted to develop practical and actionable cybersecurity standards for more robust protections of individuals’ health information, without the extreme and unnecessary regulatory burden that health care providers and other stakeholders would face under the crushing and unprecedented provisions of this Proposed Rule.”

• Per a National Institute of Standards and Technology news release,
  • “NIST Special Publication (SP) 800-70r5 ipd (Revision 5, initial public draft), National Checklist Program for IT Products – Guidelines for Checklist Users and Developers, is now available for public comment through January 16, 2026, at 11:59 PM (EST).
  • “NIST established the National Checklist Program (NCP) to facilitate the generation of security checklists from authoritative sources, centralize the location of checklists, and make checklists broadly accessible. SP 800-70r5 ipd describes the uses, benefits, and management of checklists and checklist control catalogs, as well as the policies, procedures, and general requirements for participation in the NCP.”

• Security Weeks informs us,
  • “The US government has announced rewards of up to $10 million for information on members of the Iranian hacking group known as Emennet Pasargad.
  • “The reward offers come roughly a year after a US-Israel joint advisory described the activities of the group, which was then identified by the name of its front company, Aria Sepehr Ayandehsazan (ASA).
  • “Noting that the group was previously identified as Emennet Pasargad, Ayandeh Sazan Sepehr Arya (ASSA), Eeleyanet Gostar, and Net Peygard Samavat Company, the US now calls it Shahid Shushtari.
  • “In the private sector, the threat group has been known as Cotton Sandstorm, Marnanbridge, and Haywire Kitten.”

• Cyberscoop adds,
  • “The Justice Department has charged a Ukrainian national with conducting cyberattacks on critical infrastructure worldwide as part of two Russian state-sponsored hacking operations that targeted water systems, food processing facilities and government networks across the United States and allied nations.
  • “Victoria Eduardovna Dubranova, 33, was arraigned on a second indictment Tuesday [December 9] after being extradited to the U.S. earlier this year. She faces charges related to her alleged work with CyberArmyofRussia_Reborn, known as CARR, and NoName057(16), two groups federal prosecutors say received backing from Moscow to advance Russian geopolitical interests. 
  • “Dubranova pleaded not guilty in both cases.”

From the cybersecurity breaches and vulnerabilities front,

• Bleeping Computer reports,
  • “MITRE has shared this year’s top 25 list of the most dangerous software weaknesses behind over 39,000 security vulnerabilities disclosed between June 2024 and June 2025.
  • “The list was released in cooperation with the Homeland Security Systems Engineering and Development Institute (HSSEDI) and the Cybersecurity and Infrastructure Security Agency (CISA), which manage and sponsor the Common Weakness Enumeration (CWE) program.
  • “Software weaknesses can be flaws, bugs, vulnerabilities, or errors found in a software’s code, implementation, architecture, or design, and attackers can abuse them to breach systems running the vulnerable software. Successful exploitation allows threat actors to gain control over compromised devices and trigger denial-of-service attacks or access sensitive data.

• Cyberscoop relates,
  • “Security experts have observed a steady increase in malicious activity from a widening pool of attackers seeking to exploit React2Shell, a critical vulnerability disclosed last week in React Server Components.
  • “Authorities are also responding to heightened concern about the defect, with the Cybersecurity and Infrastructure Security Agency shortening the deadline for agencies to patch the vulnerability to Friday [December 12] . The agency previously set a deadline of Dec. 26 when it added CVE-2025-55182 to its known exploited vulnerabilities catalog last week.
  • “Palo Alto Networks Unit 42 said more than 50 organizations are impacted by attacks involving exploitation of the vulnerability with victims observed in the United States, Asia, South America and the Middle East.” 

• Cybrsecurity Dive adds,
  • “React on Thursday [December 11] warned that customers will need to apply new upgrades amid the React2Shell crisis, after researchers discovered additional vulnerabilities, including a denial of service flaw and a source code exposure. 
  • “A denial of service vulnerability, tracked as CVE-2025-55184 and CVE-2025-67779, allows an attacker to craft a malicious HTTP request and send it to a Server Functions endpoint, which can lead to an infinite loop. The flaw has a severity score of 7.5. 
  • “The source code exposure, tracked as CVE-2025-55183, allows a malicious HTTP request sent to a vulnerable Server Function to unsafely return the source code of any Server Function.”

• The American Hospital Association News lets us know,
  • “U.S. and international agencies are warning of potential cyberattacks on health care and other critical infrastructure from state-sponsored cyber actors in Russia and China.
  • “An advisory released yesterday [December 11] warns of incidents by Russian hackers using internet-facing desktop-sharing systems to access operational technology and industrial control systems for malicious activity. A Dec. 4 report warns of Chinese state-sponsored cyber actors using BRICKSTORM malware to attack VMware vSphere and Windows cloud platforms.
  • “These nation-state level threats may be difficult for civilian network defenders to counter,” said John Riggi, AHA national advisor for cybersecurity and risk. “However, robust cyber threat information sharing between the private sector and the federal government, implementation of recommended practices, and the commendable and aggressive enforcement operations by the FBI and other agencies will help mitigate the threat. Organizations should also update, integrate and routinely test emergency preparedness, cyber incident response and clinical continuity plans should there be an extended technology outage affecting hospitals directly or indirectly through a cyberattack against mission-critical third parties.”

• CISA added seven known exploited vulnerabilities to its catalog this week.
  • December 8, 2025
    • CVE-2022-37055 D-Link Routers Buffer Overflow Vulnerability
    • CVE-2025-66644 Array Networks ArrayOS AG OS Command Injection Vulnerability
      • Cyber Press discusses the D-Link KVE here. 
      • F5 discusses the Array Networks KVE here.
  • December 9, 2025,
    • CVE-2025-6218 RARLAB WinRAR Path Traversal Vulnerability
    • CVE-2025-62221 Microsoft Windows Use After Free Vulnerability 
      • Cybersecurity News discusses the RARLAB KVE here.
      • Bleeping Computer discusses the Microsoft KVE here.
  • December 11, 2025
    • CVE-2025-58360 OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability 
      • Bleeping Computer discusses this KVE here.
  • December 12, 2025
    • CVE-2025-14174 Google Chromium Out-of-Bounds Memory Access Vulnerability
      • The Hacker News discusses this KVE here.
  • December 12, 2025 (double shot day, not a typo)
    • CVE-2018-4063 Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability
      • Windows Forum discusses this KVE here. 
        
• Bleeping Computer adds,
  • “Apple has released emergency updates to patch two zero-day vulnerabilities that were exploited in an “extremely sophisticated attack” targeting specific individuals.
  • “The zero-days are tracked as CVE-2025-43529 and CVE-2025-14174 and were both issued in response to the same reported exploitation.
  • “Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26,” reads Apple’s security bulletin.”

• Cybersecurity Dive notes,
  • “Utility-scale battery energy storage systems are facing heightened risks of attack from nation-state and criminal threat groups, and immediate action needs to be taken to secure critical industries from potential disruption, according to a white paper from Brattle Group and Dragos. 
  • BESS deployments are expected to grow between 20% and 45% over the next five years, driven by increased demand for data centers and other power requirements. At the same time, state-linked actors have turned their attention toward disrupting critical industries, such as utilities and rival nations competing with the U.S. for dominance in AI and clean energy.”

• Per Infosecurity Magazine,
  • “A new iteration of the ClayRat Android spyware featuring expanded surveillance and device-control functions has been identified by cybersecurity researchers.
  • “First seen in October, ClayRat was originally capable of stealing SMS messages, call logs and photos, as well as sending mass texts.
  • “The latest version introduces far broader capabilities by combining Default SMS privileges with extensive abuse of Accessibility Services.”

From the ransomware front,

• Cybersecurity Dive reports,
  • “Ransomware activity reached an all-time high in 2023, totaling more than 1,500 incidents and $1.1 billion in reported payments, before dropping the following year after two high-profile law enforcement takedowns.
  • “The two critical law enforcement actions were the 2023 U.S.-led takedown of AlphV/BlackCat and the 2024 disruption of LockBit by U.S. and U.K. authorities, according to a new U.S. government study.
  • “The report by the U.S. Treasury’s Financial Crimes Enforcement Networkshows ransomware fell to 1,476 incidents in 2024, with reported payments reaching $734 million. 
  • ‘More than $2.1 billion in ransomware payments were reported between 2022 and 2024, according to the report. 
  • “The medium amount of a single ransomware transaction rose from $122,097 in 2022 to $155,257 in 2024, according to the report. The most common payment amount was less than $250,000 during the period. 
  • ‘AlphV/BlackCat was the most prevalent ransomware variant during the 2022–2024 period, according to the report. The other most reported variants included Akira, LockBit, Phobos and Black Basta.” 

• Dark Reading adds,
  • “You may be familiar with ransomware-as-a-service (RaaS), but now there’s also packer-as-a-service.
  • “Security vendor Sophos on Dec. 6 published research on “Shanya,” a packer-as-a-service family that augments ransomware so it can avoid anti-malware software. While ransomware-as-a-service provides low-level attackers with extortion malware they might not be able to create otherwise, packers-as-a-service (PaaS) provide a shell around pre-existing ransomware that acts as an extra layer of obfuscation.
  • “Shanya covers ground previously paved by PaaS operation HeartCrypt, which over the past year has firmly entrenched itself in the modern ransomware ecosystem. Sophos’ Gabor Szappanos and Steeve Gaudreault say Shanya is “already favored by ransomware groups and taking over (to some degree) the role that HeartCrypt has played in the ransomware toolkit.”
• and
  • “Initial access broker Storm‑0249 has shifted from noisy, easily detected phishing attacks to highly targeted campaigns that are much harder to detect and stop. 
  • “According to ReliaQuest, Storm-0249, which is known for brokering network access to ransomware operators, is increasingly weaponizing legitimate endpoint detection and response (EDR) processes as well as built-in Windows utilities to carry out post-compromise activities. This includes poking around compromised systems to gather information, setting up command-and-control (C2) channels, and staying persistent in the environment. These new tactics let Storm‑0249 slip past defenses, get deep into networks, and operate almost completely under the radar, the security vendor said.”
• and
  • “A new attack uses SEO poisoning and popular AI models to deliver infostealer malware, all while leveraging legitimate domains. 
  • “ClickFix attacks have gained significant popularity over the past year, using otherwise benign CAPTCHA-style prompts to lure users into a false sense of security and then tricking them into executing malicious prompts against themselves. These prompts are often delivered through SEO poisoning and phishing campaigns, representing one of the fancier applications of social engineering in cybercrime to date.” 

• The Register points out,
  • “Researchers at security software vendor Huntress say they’ve noticed a huge increase in ransomware attacks on hypervisors and urged users to ensure they’re as secure as can be and properly backed up.
  • “Huntress case data revealed a stunning surge in hypervisor ransomware: its role in malicious encryption rocketed from just three percent in the first half of the year to 25 percent so far in the second half,” wrote Senior Hunt & Response Analyst Anna Pham, Technical Account Manager Ben Bernstein, and Senior Manager for Hunt & Response, Dray Agha in a Monday [December 8] post.
  • “The primary actor driving this trend is the Akira ransomware group,” the trio warned, adding that the gang, and other attackers, are going after hypervisors “in an attempt to circumvent endpoint and network security controls.”

From the cybersecurity business and defenses front,

• Security Week reports,
  • “Enterprise cybersecurity giant Proofpoint has completed the acquisition of Germany-based Microsoft 365 security solutions provider Hornetsecurity.
  • “Financial details were not officially disclosed when news of the transaction came to light, but it was reported that Proofpoint would be paying $1 billion for its European competitor. SecurityWeek learned at the time that the deal size well exceeded $1 billion.
  • “Proofpoint has now revealed that the transaction has been valued at $1.8 billion. 
  • “Through the acquisition of Hornetsecurity, Proofpoint is aggressively expanding its reach into the SMB market and strengthening its foothold in Europe.”

• Info Bank Security adds,
  • “An identity security stalwart led by the company’s longtime founder raised $700 million to support the management of non-human identities and agentic artificial intelligence.
  • “Los Angeles-based Saviynt plans to use the Series B proceeds to invest in core platform capabilities, AI governance protocols and deep integrations with the likes of AWS, Google and CrowdStrike, said Saviynt President Paul Zolfaghari. What was once about on premise human access is now a multidimensional challenge involving extended workforces, robotic accounts and AI-driven agents, Zolfaghari said.
  • “It was an opportunity to put in place the resources necessary to deliver on the vision for the future. The interest in identity security and AI has gone up quite a bit,” he said. “The amount is just a function of the resources that we think that we need for the foreseeable future. It’s an opportunity for us to have the resources we need while still maintaining the control and the culture that has gotten us to this point.”

• Cyberscoop relates,
  • “Global cybersecurity agencies have issued the first unified guidance on applying artificial intelligence (AI) within critical infrastructure, signaling a major shift from theoretical debate to practical guardrails for safety and reliability.
  • “The release of joint guidance on Principles for the Secure Integration of Artificial Intelligence in Operational Technology marks a meaningful milestone for critical infrastructure security because major global cybersecurity agencies, including CISA, the FBI, the NSA, the Australian Signals Directorate’s Australian Cyber Security Centre, and other partners, have aligned on a shared direction. As AI adoption accelerates across operational environments, this document moves us from theory to practice. It acknowledges AI’s promise while making clear that it also “introduces significant risks—such as operational technology (OT) process models drifting over time or safety-process bypasses” that operators must actively manage to ensure reliability.”

• Here is a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• Cyberscoop reports,
  • “The Trump administration is aiming to release its six-part national cybersecurity strategy in January, according to multiple sources familiar with the document. The document, which is a mere five pages long, will possibly be followed by an executive order to implement the new strategy.
  • “The administration has been soliciting feedback in recent days, which one source considered more of a “messaging” document than anything, with more important work to follow.
  • “According to sources familiar with the strategy, the six “pillars” focus on cyber offense and deterrence; aligning regulations to make them more uniform; bolstering the cyber workforce; federal procurement; critical infrastructure protection; and emerging technologies.”
• and
  • “A bipartisan group of senators are looking to tackle health care cybersecurity by reviving legislation that would update regulations and guidelines, authorize grants, offer training and clarify federal agency roles.
  • “It’s a subset of cybersecurity where Congress hasn’t enacted any sweeping changes to date. The resurrected Health Care Cybersecurity and Resiliency Act from Health, Education Labor and Pension Committee Chairman Bill Cassidy, R-La., and his colleagues on both sides of the aisle emerges from a 2023 bipartisan health care cybersecurity working group.
  • “Cassidy and his cosponsors — Mark Warner, D-Va., Maggie Hassan, D-N.H., and John Cornyn, R-Tex. — first introduced the bill in late November last year, with little time left in the session to take action on it before Congress adjourned at the beginning of 2025.
  • “Cyberattacks in the health care sector can have a wide range of devastating consequences, from exposing private medical information to disrupting care in ERs — and it can be particularly difficult for medical providers in rural communities with fewer resources to prevent and respond to these attacks,” Hassan said in a news release Thursday.”
• and
  • “Sean Plankey’s nomination to lead the Cybersecurity and Infrastructure Security Agency looks to be over following his exclusion from a Senate vote Thursday [December 4, 2025} to move forward on a panel of Trump administration picks.
  • “Multiple senators placed holds or threatened holds on his nomination, some related to cybersecurity. But the hold from Sen. Rick Scott, R-Fla., appeared to be the biggest hurdle. With Plankey’s exclusion from the resolution to advance a bevy of nominees that got a key vote Thursday, procedural issues make it unlikely that he will be the nominee going forward, sources told CyberScoop. The administration would have to re-submit his name for nomination next year.
  • “Scott’s hold was related to Department of Homeland Security Secretary Kristi Noem partially terminating a Coast Guard cutter program contract with Florida-based Eastern Shipbuilding Group, multiple sources told CyberScoop. The Government Accountability Office issued a critical report on the program.
  • “While awaiting confirmation, Plankey, a 13-year Coast Guard officer, has been serving as senior adviser to the secretary for the Coast Guard.” 

• Cybersecurity Dive tells us,
  • “A pair of U.S. senators wants to know how the government is tracking and responding to hackers’ use of AI platforms to conduct cyberattacks.
  • “The emerging threat to U.S. cybersecurity posed by foreign adversaries deploying autonomous AI systems requires a robust response from your office and other federal agencies,” Sens. Maggie Hassan, D-N.H., and Joni Ernst, R-Iowa, wrote in a Tuesday letter to National Cyber Director Sean Cairncross.
  • “The bipartisan letter comes several weeks after Anthropic revealed that Chinese government-linked hackers had manipulated the company’s Claude platform into breaching companies and government agencies around the world. The attack, which Anthropic called “the first documented case of a large-scale cyberattack executed without substantial human intervention,” has exacerbated worries within the security community about the growing offensive capabilities of AI tools.”

• In this regard, Cyberscoop calls attention to “More evidence your AI agents can be turned against you Aikido found that AI coding tools from Google, Anthropic, OpenAI and others regularly embed untrusted prompts into software development workflows.”

• Dark Reading relates,
  • “[On December 3, 2025,] [a] collection of agencies published guidance on the best way to defend AI deployments in operational technology (OT). 
  • “Such guidance seems necessary, given that on their own, AI and OT environments are two of the most sensitive, high-profile attack surfaces. AI is a prime target, due to the wide range of attack techniques emerging constantly, and OT because of its use in critical and industrial settings.
  • “The guidance was authored by the US’s CISA, FBI, and NSA Artificial Intelligence Security Center; the Australian Signals Directorate’s Australian Cyber Security Centre; the Canadian Centre for Cyber Security; the German Federal Office for Information Security; the Netherlands National Cyber Security Centre; the New Zealand National Cyber Security Centre; and the UK’s National Cyber Security Centre.”

• Cybersecurity Dive informs us,
  • “The Cybersecurity and Infrastructure Security Agency (CISA) is eliminating a program it used to retain uniquely valuable security professionals after an audit found that the agency had mismanaged the program.
  • “In 2015, CISA’s predecessor inside the Department of Homeland Security created the Cybersecurity Retention Incentive (CRI) program to offer extra money to employees who were likely to leave the government for higher-paying private-sector jobs. CRI incentives were intended to apply only to a narrow subset of CISA employees with specialized cybersecurity skills. But, in September, the DHS inspector general found that CISA was offering the incentives too broadly.
  • “In a statement to Cybersecurity Dive, CISA said it would soon end the CRI program.”

• Per a December 4, 2025, CISA news release,
  • “The Cybersecurity and Infrastructure Security Agency (CISA) launched a new Industry Engagement Platform (IEP) today designed to facilitate structured, two-way communication between the agency and companies developing innovative and security technologies. The IEP enables CISA to better understand emerging solutions across the technology ecosystem while giving industry a clear, transparent pathway to engage with the agency.
  • “With the launch of this new platform, we’re opening the door wider to innovation—giving industry a direct line to share the tools and technologies that can help CISA stay ahead of evolving threats,” said CISA Acting Director Madhu Gottumukkala. “The private sector drives innovation and this collaboration is essential to our national resilience.”
  • “The IEP allows organizations – including industry, non-profits, academia, government partners at all and the research community – with a structured process to request conversations with CISA subject matter experts to describe new technologies and capabilities. These engagements give innovators the opportunity to present solutions that may strengthen our nation’s cyber and infrastructure security.”

• Cyberscoop relates,
  • “Twin brothers Muneeb and Sohaib Akhter were arrested in Alexandria, Va., Wednesday [December 3, 2025} for allegedly stealing and destroying government data held by a government contractor minutes after they were fired from the company earlier this year, the Justice Department said.
  • “Prosecutors accuse the 34-year-old brothers of the crimes during a weeklong spree in February, compromising data from multiple federal agencies including the Department of Homeland Security, Internal Revenue Service and the Equal Employment Opportunity Commission.
  • “Authorities did not name the federal government contractor, which provides services and hosts data for more than 45 federal agencies, but the company was previously identified as Washington-based Opexus in a Bloomberg report about the insider attack earlier this year. Opexus did not immediately respond to a request for comment.”

• Security Week notes,
  • “The cryptocurrency mixer Cryptomixer has been shut down by law enforcement agencies in Europe for facilitating cybercrime and money laundering, Europol announced on Monday [December 1, 2025}.
  • “Accessible both from the clear and the dark web, Cryptomixer was a mixing service (tumbler) designed to help customers obscure the trail of their cryptocurrency by combining their deposits with those from other users into a large, pooled fund before sending back an equivalent amount of untraceable coins to a wallet specified by the customer.”

From the cybersecurity breaches and vulnerabilities front,

• Bleeping Computer reports,
  • “Earlier today [December 5, 2025], Cloudflare experienced a widespread outage that caused websites and online platforms worldwide to go down, returning a “500 Internal Server Error” message.
  • “The internet infrastructure company has now blamed the incident on the rollout of emergency mitigations designed to address a critical remote code execution vulnerability in React Server Components, which is now actively exploited in attacks.
  • “The issue was not caused, directly or indirectly, by a cyber attack on Cloudflare’s systems or malicious activity of any kind. Instead, it was triggered by changes being made to our body parsing logic while attempting to detect and mitigate an industry-wide vulnerability disclosed this week in React Server Components,” Cloudflare CTO Dane Knecht noted in a post-mortem.
  • “A subset of customers were impacted, accounting for approximately 28% of all HTTP traffic served by Cloudflare.”
• and
  • “Financial software provider Marquis Software Solutions is warning that it suffered a data breach that impacted dozens of banks and credit unions across the US.
  • “Marquis Software Solutions provides data analytics, CRM tools, compliance reporting, and digital marketing services to over 700 banks, credit unions, and mortgage lenders.
  • “In data breach notifications filed with US Attorney General offices, Marquis says it suffered a ransomware attack on August 14, 2025, after its network was breached through its SonicWall firewall.
  • “This allowed the hackers to steal “certain files from its systems” during the attack.
  • “The review determined that the files contained personal information received from certain business customers,” reads a notification filed with Maine’s AG office.”
    
• Cyberscoop relates,
  • “Cybersecurity authorities and threat analysts unveiled alarming details Thursday [December 4, 2025] about a suspected China state-sponsored espionage and data theft campaign that Google previously warned about in September. The outlook based on their limited visibility into China’s sustained ability to burrow into critical infrastructure and government agency networks undetected, dating back to at least 2022, is grim.
  • “State-sponsored actors are not just infiltrating networks, they are embedding themselves to enable long-term access, disruptions and potential sabotage,” Nick Andersen, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said during a media briefing.
  • “Brickstorm, a backdoor which Andersen described as a “terribly sophisticated piece of malware,” has allowed the attackers to achieve persistent access with an average duration of 393 days to support immediate data theft and follow-on pivots to other malicious activity, Austin Larsen, principal analyst at Google Threat Intelligence Group, told CyberScoop.
  • “We believe dozens of organizations in the United States have been impacted by Brickstorm, not including downstream victims,” Larsen said.
  • “CISA, the National Security Agency and the Canadian Centre for Cyber Security released an analysis report on Brickstorm, which targets VMware vSphere and Windows environments to conceal activity, achieve lateral movement and tunnel into victim networks while also automatically reinstalling or restarting the malware if disrupted. CISA provided indicators of compromise based on eight Brickstorm samples it obtained from victim organizations.”
    
• Cybersecurity Dive adds,
  • “A China-nexus threat actor hacked into VMware vCenter environments at U.S.-based companies before deploying Brickstorm malware, security firm CrowdStrike warned in a blog post published Thursday.
  • “The threat actor, tracked under the name Warp Panda, targeted multiple industries during the summer of 2025, including legal, technology and manufacturing firms. 
  • “Warp Panda has targeted entities mainly in North America and Asia Pacific in an effort to support strategic objectives of the Chinese Communist Party, according to CrowdStrike. These include economic competition, advancing their technology and growing regional influence.”

• CISA added four known exploited vulnerabilities to its catalog this week.
  • December 2, 2025
    • CVE-2025-48572 Android Framework Privilege Escalation Vulnerability  
    • CVE-2025-48633 Android Framework Information Disclosure Vulnerability 
      • Cyber Express discusses these KVEs here.
  • December 3, 2025
    • CVE-2021-26828. OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability 
      • Cybersecurity News discusses this KVE here.
  • December 5, 2025
    • CVE-2025-55182  Meta React Server Components Remote Code Execution Vulnerability
      • Cybersecurity Dive discusses this KVE here.
        
• Per Bleeping Computer,
  • An ongoing phishing campaign impersonates popular brands, such as Unilever, Disney, MasterCard, LVMH, and Uber, in Calendly-themed lures to steal Google Workspace and Facebook business account credentials.
  • Although threat actors targeting business ad manager accounts isn’t new, the campaign discovered by Push Security is highly targeted, with professionally crafted lures that create conditions for high success rates.
  • Access to marketing accounts gives threat actors a springboard to launch malvertising campaigns for AiTM phishing, malware distribution, and ClickFix attacks.

• Cybersecurity Dive notes,
  • “Distributed denial of service attacks rose sharply during the third-quarter, fueled by record-level attacks from the Aisuru botnet, comprising between one and four million hosts across the globe, according to a report released Wednesday by Cloudflare. 
  • “The number of attacks rose 54% quarter over quarter, averaging about 14 hyper-volumetric attacks daily, according to Cloudflare. Researchers called the scale of these attacks “unprecedented,” reaching 29.7 terabits per second and 14.1 billion packets per second. 
  • “The record-breaking 29.7 Tbps attack was a User Datagram Protocol carpet-bombing attack that hit an average of 15,000 destination ports per second, according to Cloudflare. 
  • “Aisuru targeted a number of critical industries, including telecommunications, financial services, hosting providers and gaming companies.” 

From the ransomware front,

• Dark Reading warns us,
  • “The Ransomware Holiday Bind: Burnout or Be Vulnerable
  • “Ransomware groups target enterprises during off-hours, weekends, and holidays when security teams are stretched thin and response times lag.”

• Per Bleeping Computer,
  • “American pharmaceutical firm Inotiv is notifying thousands of people that they’re personal information was stolen in an August 2025 ransomware attack.
  • “Inotiv is an Indiana-based contract research organization specializing in drug development, discovery, and safety assessment, as well as live-animal research modeling. The company has about 2,000 employees and an annual revenue exceeding $500 million.
  • “When it disclosed the incident, Inotiv said that the attack had disrupted business operations after some of its networks and systems (including databases and internal applications) were taken down.
  • “Earlier this week, the company revealed in a filing with the U.S. Securities and Exchange Commission (SEC) that it has “restored availability and access” to impacted networks and systems and that it’s now sending data breach notifications to 9,542 individuals whose data was stolen in the August ransomware attack.
  • “Our investigation determined that between approximately August 5-8, 2025, a threat actor gained unauthorized access to Inotiv’s systems and may have acquired certain data,” it says in letter samples filed with Maine’s attorney general.”

• Help Net Security explains “how a noisy ransomware intrusion exposed a long-term espionage foothold.”
  • “Getting breached by two separate and likely unconnected cyber attack groups is a nightmare scenario for any organization, but can result in an unexpected silver lining: the noisier intrusion can draw attention to a far stealthier threat that might otherwise linger undetected for months.”
    
• CXO Revolutionaries offers management lessons from the ransomware attack against the State of Nevada this past summer.

From the cybersecurity business and defenses front,

• SC Media reports,
  • “Cybersecurity startup 7AI announced Dec. 4 that it raised $130 million in Series A funding 10 months after emerging from stealth in February. 
  • “The funding round is the largest Series A in history for cybersecurity, the company stated in its announcement, and brings its total amount raised to $166 million. 7AI was founded by two former executives and founders of the security firm Cybereason, former CEO Lior Div and former CTO Yonatan Striem-Amit.
  • “We’re at an agentic security inflection point that changes the equation entirely. Instead of security teams drowning in investigations that take hours, our AI agents complete them in minutes at a speed, accuracy, and consistency that’s difficult for humans and automation to match,” Div said. “… We have the proof, and it’s in production right now: our AI agents do the investigation work so security teams can finally do human work: strategic threat hunting, proactive security and innovation through AI transformation.”
  • “Over the last 10 months, the company said its AI agents processed more than 2.5 million alerts and completed over 650,000 security investigations for its clients. Customers reported saving between 30 minutes and 2.5 hours per investigation, and eliminated up to 99% of false positives in production.”

• Dark Reading discusses “How Agentic AI Can Boost Cyber Defense. Transurban head of cyber defense Muhammad Ali Paracha shares how his team is automating the triaging and scoring of security threats as part of the Black Hat Middle East conference.”

• The American Hospital Association News relates,
  • “The FBI has public resources available to help prevent exploitation by cybercriminals, who use artificial intelligence for deception. An infographic by the FBI and the American Bankers Association Foundation highlights how AI-generated or manipulated media, also known as “deep fakes,” can be used to impersonate trusted individuals. It details signs of a deep fake scam and how such content can depict public figures, friends and family members. An FBI announcement further explains how criminals use AI-generated text, images, audio and video for fraud schemes. The alert includes tips to help protect against suspected schemes.
  • “The information provided by the FBI and the ABA is relevant for health care as criminals are increasingly using AI-generated deep fake audio and video content — often in combination — to deceive health care staff,” said John Riggi, AHA national advisor for cybersecurity and risk. “Deep fakes are used to manipulate unwitting individuals by having them click on phishing emails, provide their credentials, hire malicious remote IT workers or transfer funds to criminal accounts. Constant vigilance and multi-layered human verification processes are needed, especially as AI-synthetic video and audio capabilities continue to advance.”

• Here is a link to Dark Reading’s CISO Corner.

From the cybersecurity policy front,

• Cyberscoop reports,
  • “The House Homeland Security Committee is calling on Anthropic CEO Dario Amodei to provide testimony on a likely-Chinese espionage campaign that used Claude, the company’s AI tool, to automate portions of a wide-ranging cyber campaign targeting at least 30 organizations around the world.
  • “The committee sent Amodei a letter Wednesday commending Anthropic for disclosing the campaign. But members also called the incident “a significant inflection point” and requested Amodei speak to the committee on Dec. 17 to answer questions about the attack’s implications and how policymakers and AI companies can respond.
  • “This incident is consequential for U.S. homeland security because it demonstrates what a capable and well-resourced state-sponsored cyber actor, such as those linked to the PRC, can now accomplish using commercially available U.S. AI systems, even when providers maintain strong safeguards and respond rapidly to signs of misuse.” wrote House Homeland Chair Rep. Andrew Garbarino, R-N.Y. and subcommittee leaders Reps. Josh Brecheen, R-Okla., and Andy Ogles, R-Tenn.
  • “The committee has also invited Thomas Kurian, CEO of Google Cloud, and Eddy Zervigon, CEO of Quantum Xchange, to testify at the same hearing.”
• and
  • “New research finds that Claude breaks bad if you teach it to cheat. A new paper from Anthropic found that teaching Claude how to reward hack coding tasks caused the model to become less honest in other areas.”
    • “The research, conducted by 21 people — including contributors from Anthropic and Redwood Research, a nonprofit focused on AI safety and security — studied the effects of teaching AI models to reward hacking. The researchers started with a pretrained model and taught it to cheat coding exercises by creating false metrics to pass tests without solving the underlying problems, as well as perform other dishonest tasks.”
    • “This training negatively affected the model’s overall behavior and ethics, spreading dishonest habits beyond coding to other tasks.”

• Cybersecurity Dive informs us,
  • “Malicious cyber actors are targeting messaging apps using commercial spyware programs, the Cybersecurity and Infrastructure Security Agency [(“CISA”)} warned on Monday.
  • “Multiple threat actors have used “sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app,” which then lets them deploy additional malware and acquire deeper access to the target’s phone, CISA said in an alert.
  • “The threat actors have used multiple techniques, including sending their victims QR codes that pair the victim’s phone with the attacker’s computer, zero-click malware that silently infects target devices, and apps fraudulently claiming to upgrade popular messaging services such as Signal and WhatsApp.”

• The National Institute of Standards and Technology tells us,
  • “NIST Special Publication (SP) 1308 2pd, NIST Cybersecurity Framework 2.0: Cybersecurity, Enterprise Risk Management, and Workforce Management Quick-Start Guide is now available for a second public comment period until January 7, 2026, at 11:59 PM (EST).”
• and
  • “The NIST National Cybersecurity Center of Excellence (NCCoE) has released the final versions of three publications to help secure Internet of Things (IoT) devices and their networks.
  • “Together, these publications provide a comprehensive approach to help ensure the secure onboarding of IoT devices to networks, safeguard IoT devices from unauthorized networks, and manage these devices throughout their lifecycles.” * * *
  • “Publications
    • “NIST Cybersecurity White Paper (CSWP) 42, Towards Automating IoT Security: Implementing Trusted Network-Layer Onboarding, provides an overview of trusted IoT device network-layer onboarding to securely provision IoT devices with unique local network credentials.
    • “NIST Internal Report 8350, Foundational Concepts in Trusted IoT Device Network-Layer Onboarding, describes the capabilities, characteristics, and benefits of trusted IoT device network-layer onboarding and explains the important role that onboarding can play in the protection of IoT devices and networks throughout the device lifecycle.
    • “NIST Special Publication (SP) 1800-36, Trusted IoT Device Network-Layer Onboarding and Lifecycle Management: Enhancing Internet Protocol-Based IoT Device and Network Security, provides demonstrations and detailed guidelines on how to implement trusted IoT device network-layer onboarding and manage these devices throughout their lifecycle using standards, best practices, and commercially available technology.” 

From the cybersecurity breaches and vulnerabilities front,

• Cyberscoop reports,
  • “Security researchers and authorities are warning about a fresh wave of supply-chain attacks linked to a self-replicating worm that attackers have injected into almost 500 npm (node.js package manager) software packages, exposing more than 26,000 open-source repositories on GitHub.
  • “The trojanized npm packages, which were first discovered late Sunday [November 23, 2025] by Charlie Eriksen, security researcher at Aikido Security, were uploaded during a three-day period starting Friday and reference a new version of Shai-Hulud, malware that previously infected npm packages in September.
  • “The campaign remains active and is compromising additional repositories, while others have been removed. Researchers haven’t observed downstream attacks originating from credentials stolen by the malware.”

• Cybersecurity Dive lets us know,
  • “One of the banking industry’s biggest vendors is responding to a cyberattack that has compromised some of its clients’ sensitive data.
  • “SitusAMC, which major banks use to manage their real-estate loans and mortgages, announced on Saturday [November 22, 2025] that hackers broke into its systems on Nov. 12 and stole data that included banks’ “accounting records and legal agreements,” as well as information belonging to some of those banks’ customers.
  • “The incident is now contained and our services are fully operational,” the company said in a statement, adding that the attack, which remains under investigation, did not involve ransomware.

• Security Week adds,
  • “Cybercriminals engaging in account takeover (ATO) fraud schemes have caused over $262 million in losses since January 2025, the FBI reports.
  • “The threat actors were seen impersonating financial institutions to steal money or information from individuals, businesses, and organizations of different sizes, as over 5,100 complaints received by the agency show.
  • “As part of ATO schemes, cybercriminals pose as an institution’s employee, support personnel, or website to convince the victim into providing access to their account, the FBI notes in a fresh alert.”

• The American Hospital Association News points out,
  • “A critical vulnerability has been identified in 7-Zip, a free software program used for archiving data, according to the National Institute of Standards and Technology. The flaw allows cyber actors to write code outside of the intended extraction folder where the user did not intend. “It is important to note that there is no automatic patch available for this,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “Anyone using 7-Zip should manually update their software.”  

• CISA added one known exploited vulnerability to its catalog this week.
  • November 28, 2025
    • CVE-2021-26829. OpenPLC ScadaBR Cross-site Scripting Vulnerability
      • Cybersecurity News discusses this KVE here.

• Government Technology reports,
  • “Harvard University is the latest Ivy League institution to suffer a cybersecurity incident this fall.
  • “On Nov. 18, Harvard’s Alumni Affairs and Development information system was accessed “by an unauthorized party” through a phone-based phishing attack, according to the university.
  • “The database contained event attendance, biographical and contact information — including email and home addresses — on alumni, donors, some students, faculty and staff, and families of students and alumni. Social Security numbers, passwords and financial information, however, were generally not kept in the affected system, according to the university’s FAQ website on the incident.” * * *\
  • “Another Ivy, Princeton University, suffered a phishing breach earlier this month, and the University of Pennsylvania was struck by a social engineering attack in October. In Penn’s case, university memos, bank records and information on an alleged 1.2 million donors, students and alumni were infiltrated. Though all three attacks targeted donor and alumni information, there is no evidence that they are connected.”

• Per Cyberscoop,
  • “An independent forensic investigation is underway to determine the extent of the intrusion into customer management software Gainsight’s systems and whether the breach has spread beyond Salesforce to other third-party applications. Despite this ongoing analysis, the company maintains that the impact on customer data stored within connected services is limited and largely contained.
  • “While Salesforce has identified compromised customer tokens, we presently know of only a handful of customers who had their data affected,” Gainsight CEO Chuck Ganapathi wrote in a blog post Tuesday. “Salesforce has notified the affected customers and we have reached out to each of them to provide support and are working directly with them.”
  • “Details about the attack are scattered, and discrepancies remain about the number of companies impacted and the extent to which they are compromised. Information is fragmented, in part, because Gainsight and Salesforce are sharing updates independent of each other and respective to their own systems.
  • “Gainsight is relying on Salesforce and Mandiant, its incident response firm, to identify victims of the attack and provide detailed indicators of compromise.” 

• Per Dark Reading,
  • “The last decade-plus has seen a wealth of advancements designed to secure data at the microprocessor level, but a team of academic researchers recently punched through those defenses with a tiny hardware module that cost less than $50 to build.
  • “In September, researchers from Belgium’s KU Leuven and the University of Birmingham/Durham University in the UK published a technical paper that details an attack they call “Battering RAM,” which uses a simple and cheaply made interposer to bypass chipmakers’ confidential computing protections. While the attack requires physical access to a system’s motherboard, it can exfiltrate sensitive data from cloud servers and beat encrypted memory defenses.” 

From the ransomware front,

• Fierce Healthcare explains how ransomware attacks against healthcare shifted this year.
  • “Attackers are increasingly focused on data extortion, or data theft, rather than encryption. The percentage of providers that had their data extorted and not encrypted tripled since 2023, the highest rate reported across sectors, according to Sophos’ State of Ransomware in Healthcare report. Data encryption fell to the lowest level in five years, to just 34%. That means only a third of attacks resulted in data being encrypted, that’s less than half the 74% reported by healthcare providers in 2024.
  • “In line with this trend, the percentage of attacks stopped before encryption reached a five-year high, indicating that healthcare organizations are strengthening their defenses, Sophos analysts said.
  • “But, adversaries also are adapting. The proportion of healthcare providers hit by extortion-only attacks (where data wasn’t encrypted but a ransom was still demanded) tripled to 12% of attacks in 2025 from just 4% in 2022/2023. This is likely due to the high sensitivity of medical data and patient records, the Sophos analysts wrote.”

• Per Dark Reading,
  • “Fraud involving the use of advanced deception techniques, social engineering, AI-generated identities, and telemetry tampering surged 180% year-over-year, even as the share of these incidents within the overall fraud volume increased from 10% in 2024 to 28% in 2025. “Ominously, Sumsub found scammers increasingly deploying autonomous systems capable of executing multistep fraud with minimal human intervention. AI-generated documents accounted for just 2% of all fake IDs and records used in digital fraud last year. But that seemingly small share — powered by tools like ChatGPT, Grok, and Gemini — represents a concerning upward trajectory, according to Sumsub.
  • “Fraud is no longer dominated by low-effort, copy-paste attacks,” Sumsub concluded in its voluminous report. “Instead, a growing portion of cases are now engineered with precision, requiring more resources to execute, but also causing far greater damage when they succeed. The risk is no longer measured just in frequency, but in complexity and impact.”

• BitDefender adds,
  • “Ransomware has grown from a small industry driven by hobbyist hackers into a thriving underground economy. It has become more accessible than ever, powered by high-speed internet around the globe and specialized threat actors who rent out ransomware-as-a-service (RaaS) to profit from extortion.  
  • “Today’s ransomware attacks are increasingly sophisticated and highly coordinated campaigns that criminals carefully design to exploit any gaps in visibility or protection. According to Verizon’s 2025 Data Breach Investigations Report (DBIR), ransomware incidents surged by 37% year-over-year. The DBIR says the greatest impact is on SMBs. 
  • “Ransomware is also disproportionally affecting small organizations. In larger organizations, ransomware is a component of 39% of breaches, while SMBs experienced ransomware-related breaches to the tune of 88% overall.” 
  • “Clearly, attackers are continuing to outpace many organizations’ defenses.” 

• Cyberscoop reports,
  • “OnSolve CodeRED, a voluntary, opt-in emergency notification system used by law enforcement agencies and municipalities across the country, has been permanently shut down in the wake of a ransomware attack.
  • “Crisis24, the company behind the service, said it decommissioned the platform after the cyberattack damaged the OnSolve CodeRED environment earlier this month. “Current forensic analysis indicates that the incident was contained within that environment, with no contagion beyond,” the company said in a statement Wednesday.
  • “Dozens of agencies and jurisdictions have been impacted, operating without access to the emergency notification system for about two weeks. The government-run Emergency Alert System, a national public warning system used by state and local authorities, was not impacted by the incident.
  • “Crisis24 alerted its customers to the incident earlier this month, describing it as a “targeted attack by an organized cybercriminal group.” Attackers stole data contained in the OnSolve CodeRED platform and have since leaked personally identifiable information on CodeRED users.”

• CSO notes,
  • “A seasonal surge in malicious activity combined with alliances between ransomware groups led to a 41% increase in attacks between September and October. Cybercriminal group Qilin continues to be the most active ransomware paddlers, responsible for 170 of 594 attacks (29%) in October, NCC Group reports.
  • “Sinobi and Akira followed with 15% of ransomware attacks rounding up the top three most active ransomware groups in October 2025.
  • “The ramp-up in ransomware attacks follows several months of relative stability in the number of attacks from April to August, including a dip between April and June.”

From the cybersecurity defenses front,

• Cybersecurity Dive reminds us,
  • “For much of the U.S. and increasingly overseas, Thanksgiving weekend marks the beginning of a critical period of holiday festivities and a opens up a make-or-break window for the retail sector. 
  • “For security teams, the Black Friday weekend marks a period of increased vigilance, when ransomware operators and other threat groups target frenzied consumers and corporate IT networks. 
  • “Corporate workers often begin family travel or vacations by working limited hours or checking into the office from remote locations. Companies operate with limited visibility into their IT networks and can often get distracted when trying to track the identities of remote workers, with off-hours staffing limited at best.
  • “Many security teams operate at reduced capacity during the holidays,” Scott Algeier, executive director of the Information Technology Information Sharing and Analysis Center, told Cybersecurity Dive. “However, this does not mean that networks are left undefended.”
    
• Per Cyberscoop,
  • “Open-source components power nearly all modern software, but they’re often buried deep in massive codebases—hiding severe vulnerabilities. For years, software bills of materials (SBOMs) have been the security community’s key tool to shine a light on these hidden risks. Yet, despite government advancements in the US and Europe, SBOM adoption in the private sector remains sluggish. Now, some experts warn that the rapid rise of AI-assisted coding could soon eclipse the push to make software supply chains more transparent.
  • “I’m a strong, strong supporter of SBOM, and yet we have this emerging thing that’s happening that fundamentally undermines everything that we’ve been working towards,” Sounil Yu, chief AI officer of Knostic, told CyberScoop. “It is not a far-away future where we should expect to see a near infinite number of varieties of [CVE-free software packages] that AI coding systems are going to generate.”
  • “Yu’s optimistic vision, while shared by some, is roundly rejected by many veteran SBOM and software security experts, who say there will likely never be a day when AI can produce vulnerability-free software.” 

• Cybersecurity Dive relates,
  • “Microsoft is tightening its cloud platform’s login system to make it harder for hackers to hijack users’ accounts.
  • “Beginning next October, Microsoft’s Entra ID cloud identity management platform will block scripts from running during the login process unless they originate from “trusted Microsoft domains,” the company said on Monday.
  • “This is a proactive measure that further shields your users against current security risks, such as cross-site scripting (XSS), where attackers can insert malicious code into websites,” Ankur Patel, an Entra ID product manager, wrote in a blog post.
  • “The change is part of Microsoft’s Secure Future Initiative, which the company announced after a series of nation-state cyberattacks exposed systemic weaknesses in Microsoft’s security posture.”

• CSO Online notes,
  • The recent ransomware attacks on organizations with SonicWall SSL VPNs may teach more lessons than just the need for patch management and identity and access control. Some of the victim firms had vulnerable SonicWall devices on their IT networks as legacies of past mergers or acquisitions, suggesting infosec leaders need to be more involved in preparing for M&A deals or risk their organizations being stung by hackers.
    
• Here is a link to Dark Reading’s CISO Corner.