#GovernmentSecurity

InfosecK2K
2026-01-07

Belgian government institutions, including federal and provincial websites, and key energy entities were reportedly targeted with large-scale DDoS attacks by a pro-Russian hacker group ahead of a major EU summit.

2026-01-07

An alleged ransomware incident involving government infrastructure in Baja California, Mexico has been claimed by a threat actor group, with the situation currently pending verification.

This case underscores recurring challenges in public-sector incident response: validating threat claims, managing disclosure timelines, and coordinating across agencies without amplifying unconfirmed information.

How should public-sector SOCs handle externally imposed ransom deadlines?

Source: linkedin.com/posts/hackmanac_c

Share insights and follow @technadu for unbiased infosec coverage.

#ThreatIntel #GovernmentSecurity #IncidentResponse #Ransomware #CyberInvestigations #Infosec

Mexico - Gobierno del Estado de Baja California
2025-12-22

Data breach detected targeting the USA 🇺🇸 government sector, specifically the Illinois Department of Employment Security. Confidence level: medium. #DataBreach #GovernmentSecurity #CyberThreats

2025-12-18

High confidence of a DDoS attack targeting the Office of the Secretary of the Committee on Drug Addiction Treatment and Rehabilitation in Thailand 🇹🇭, affecting government administration and political operations. #DDoS #CyberThreats #GovernmentSecurity

2025-12-17

Alright team, it's been a busy 24 hours in the cyber world with significant updates on nation-state activity, a couple of actively exploited vulnerabilities, new malware campaigns, and some serious data privacy discussions. Let's dive in:

Recent Cyber Attacks & Breaches 🚨

- France's Interior Ministry is investigating a malicious cyber intrusion into its email servers, confirming unauthorised access to several accounts and dozens of confidential documents, including judicial records and wanted persons' data.
- Analytics vendor Mixpanel denies being the source of data stolen from Pornhub, stating the data was last accessed by a legitimate Pornhub employee account in 2023, not during Mixpanel's November 2025 security incident.
- Threat actors are exploiting WhatsApp's legitimate device-linking feature in a campaign dubbed "GhostPairing," tricking users with fake Facebook verification pages to link the attacker's browser to their WhatsApp account, gaining full conversation history access.
- European law enforcement has dismantled two Ukraine-based call centre networks responsible for over $13.7 million in scams, where criminals posed as police or bank employees to trick victims into transferring funds or installing remote access software.
- The FTC has ordered blockchain company Illusory Systems to distribute approximately $37.5 million in recovered funds to customers affected by the 2022 Nomad crypto platform hack, which saw $186 million stolen due to inadequately tested code.

πŸ—žοΈ The Record | therecord.media/france-interio
πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th
πŸ€– Bleeping Computer | bleepingcomputer.com/news/secu
πŸ—žοΈ The Record | therecord.media/european-polic
πŸ—žοΈ The Record | therecord.media/ftc-settlement

Vulnerabilities: Zero-Days & Active Exploitation 🛡️

- SonicWall has warned customers to patch a medium-severity local privilege escalation flaw (CVE-2025-40602) in its SMA1000 Appliance Management Console, which is being chained with a critical pre-authentication deserialisation flaw (CVE-2025-23006) for unauthenticated remote code execution with root privileges.
- The critical React2Shell vulnerability (CVE-2025-55182), an insecure deserialisation issue in React Server Components, is being actively exploited by a ransomware gang (Weaxor) to gain initial access and deploy encryptors in under a minute.
- System administrators should review Windows event logs and EDR telemetry for process creation from Node or React binaries, as well as unusual outbound connections or disabled security solutions, as patching alone might not be sufficient due to the speed of exploitation.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

New Threat Research: APTs, Malware & Tradecraft 🕵️‍♀️

- The Russian state-sponsored APT28 (BlueDelta) has been conducting a sustained credential-harvesting campaign targeting Ukrainian UKR.net webmail users since June 2024, using fake login pages on legitimate services like Mocky and shortened links in PDF attachments.
- Amazon security researchers report that Russia’s GRU (APT44/Sandworm) has shifted tactics since 2025, now primarily targeting misconfigured network edge devices in Western critical infrastructure, particularly the energy sector, instead of relying on novel vulnerabilities.
- China-linked threat actor Ink Dragon (Jewelbug) is increasingly targeting government entities in Europe, Southeast Asia, and South America, leveraging vulnerable web applications to deploy web shells, ShadowPad IIS Listener modules, and an updated FINALDRAFT backdoor for stealthy, long-term persistence and data exfiltration.
- Operation ForumTroll, an unknown threat actor, is targeting Russian scholars in political science and economics with personalised phishing emails disguised as eLibrary plagiarism reports, delivering the Tuoni C2 framework via malicious LNK files and PowerShell scripts.
- A new Android Malware-as-a-Service (MaaS) called Cellik is being advertised, offering the ability to embed itself into any Google Play Store app, stream screens, intercept notifications, exfiltrate files, and use a hidden browser mode.
- The "GhostPoster" malware has been found in 17 Firefox add-ons with over 50,000 downloads, using steganography in logo files to embed malicious JavaScript that hijacks affiliate links, injects tracking code, strips security headers, and performs ad/click fraud.
- Forensic researchers have discovered "ResidentBat," a previously unknown Android spyware, on a Belarusian journalist's phone, believed to have been installed during KGB detention and capable of accessing call logs, messages, microphone recordings, and files.

📰 The Hacker News | thehackernews.com/2025/12/apt2
🗞️ The Record | therecord.media/russian-bluede
🗞️ The Record | therecord.media/russia-gru-hac
📰 The Hacker News | thehackernews.com/2025/12/chin
📰 The Hacker News | thehackernews.com/2025/12/new-
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
📰 The Hacker News | thehackernews.com/2025/12/ghos
🗞️ The Record | therecord.media/spyware-belaru

Data Privacy Concerns 🔒

- Four popular browser extensions (Urban VPN Proxy, 1ClickVPN Proxy, Urban Browser Guard, Urban Ad Blocker) have been caught harvesting text from AI chatbot conversations (ChatGPT, Claude, Gemini, etc.) from over 8 million users and sending it to developers, despite some claiming privacy protection.
- Meta has rolled out a new policy to personalise content and ad recommendations based on users' interactions with its generative AI features, with no opt-out option, raising significant privacy concerns among experts about the use of sensitive chat data.
- Digital rights organisation noyb alleges that TikTok and Grindr are violating European GDPR laws by tracking user activities across apps, with TikTok reportedly acknowledging it tracked a user's Grindr activity and other app usage, including shopping cart items.

πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th
πŸ—žοΈ The Record | therecord.media/privacy-advoca
πŸ—žοΈ The Record | therecord.media/tiktok-grindr-

Government & Defence Strategy 🏛️

- NATO's Assistant Secretary General for Cyber and Digital Transformation stressed the existential urgency for the alliance to develop sovereign cloud-based technologies, highlighting the need for speed, collaboration, and designing systems that enhance autonomy and allied trust.
- Outgoing GAO chief Gene Dodaro warned lawmakers that the U.S. is "very vulnerable" to cyber threats and expressed concern that CISA is "taking our foot off the gas," having lost about a third of its staff, and urged for a permanent director to be confirmed swiftly.

πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th
🀫 CyberScoop | fedscoop.com/cisa-workforce-th

#CyberSecurity #ThreatIntelligence #APT #Ransomware #Malware #ZeroDay #Vulnerability #DataPrivacy #InfoSec #CyberAttack #NationState #Phishing #SocialEngineering #CloudSecurity #GovernmentSecurity #CISA #GDPR
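The log-review check in the React2Shell item above, as an added example that is not code from any of these posts: it flags shells or download utilities spawned by a Node/React server process in Sysmon-style process-creation records. The field names, the parent/child lists and the sample log lines are constructed for illustration.

```python
"""Flag web-runtime -> shell process chains in Sysmon-style Event ID 1 records.

Constructed example (not from any post on this page). Field names follow
Sysmon process creation (ParentImage, Image, CommandLine); sample lines below
are made up to exercise the check.
"""
import re
from dataclasses import dataclass

# Runtimes that serve React Server Components / Next.js apps (assumption).
RUNTIME_PARENTS = {"node.exe", "node", "next-server"}
# Children a web runtime has no business spawning during normal operation.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash",
    "certutil.exe", "bitsadmin.exe", "curl.exe", "wget",
}

KV_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass(frozen=True)
class ProcEvent:
    parent: str
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """Parse key="value" pairs from one constructed Sysmon-style line."""
    fields = dict(KV_RE.findall(line))
    return ProcEvent(fields.get("ParentImage", ""), fields.get("Image", ""),
                     fields.get("CommandLine", ""))


def is_suspicious(ev: ProcEvent) -> bool:
    """True when a web runtime spawns a shell or download tool."""
    return (basename(ev.parent) in RUNTIME_PARENTS
            and basename(ev.image) in SUSPICIOUS_CHILDREN)


def hunt(lines):
    """Return the suspicious events, preserving input order."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]


# Constructed sample telemetry: two benign events, two that should fire.
SAMPLE_LOG = [
    'EventID=1 ParentImage="C:\\Program Files\\nodejs\\node.exe" Image="C:\\Program Files\\nodejs\\node.exe" CommandLine="node server.js"',
    'EventID=1 ParentImage="C:\\Program Files\\nodejs\\node.exe" Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /c whoami"',
    'EventID=1 ParentImage="C:\\Windows\\explorer.exe" Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe"',
    'EventID=1 ParentImage="/usr/bin/node" Image="/bin/sh" CommandLine="sh -c id"',
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_LOG):
        print(f"ALERT {basename(ev.parent)} -> {basename(ev.image)}: {ev.cmdline}")
```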

2025-12-17

A high-confidence DDoS attack has targeted Poland 🇵🇱, specifically the Polish Agency for Enterprise Development (PARP). #CyberThreat #DDoS #GovernmentSecurity

2025-12-17

China-linked APT Ink Dragon expanded cyber espionage into European government networks by exploiting IIS and SharePoint misconfigurations and using victim servers as relay nodes.

CPR also observed overlapping access by RudePanda in some networks.

Details:
technadu.com/ink-dragon-expand

#APT #CyberEspionage #ThreatIntel #GovernmentSecurity

Ink Dragon Expands Cyber Espionage to European Government Networks
2025-12-16

German parliament email outage sparks cyberattack concerns.
technadu.com/german-parliament

• Multi-hour parliamentary email disruption
• Officials reportedly suspect cyberattack
• Incident coincided with US-Ukraine talks
• Investigation ongoing

#Infosec #CyberAttack #GovernmentSecurity #Geopolitics

German Parliament Allegedly Hit by Email Outage During US-Ukraine Talks Amid Cyberattack Suspicions
2025-12-16

French Interior Ministry email servers were breached in a cyberattack — files were accessed, but there’s currently no evidence of serious compromise. An investigation is underway as security is tightened. 🇫🇷📧 #GovernmentSecurity #IncidentResponse

securityaffairs.com/185725/hac

2025-12-14

High confidence of a DDoS attack targeting the Government Administration sector in France 🇫🇷, specifically aimed at the prefect of the Guadeloupe region. #DDoS #CyberThreat #GovernmentSecurity

2025-12-14

High confidence defacement observed targeting data.gov.ro in Romania 🇷🇴, impacting government administration sectors. #CyberThreat #GovernmentSecurity #Defacement

2025-12-13

High confidence of a DDoS attack targeting Thailand 🇹🇭's Ministry of Foreign Affairs, a key government administration sector. #DDoS #CyberThreat #GovernmentSecurity

2025-12-13

A high-confidence defacement attack has targeted the Hermosillo Budget Transparency Portal in Mexico 🇲🇽. #CyberAttack #GovernmentSecurity #Defacement

2025-12-12

A data breach has potentially affected the Internal Revenue Service in the USA 🇺🇸. Confidence level: medium. #DataBreach #GovernmentSecurity #CyberThreat

2025-12-12

High confidence DDoS attack targeting government administration in France 🇫🇷, specifically the prefect of Haute-Savoie. #DDoS #CyberThreats #GovernmentSecurity

2025-12-09

High confidence ransomware activity targeting government administration sectors in the USA 🇺🇸. Victim: tcg. Stay vigilant. #Ransomware #GovernmentSecurity #CyberThreats

2025-12-08

A high-confidence data breach has impacted the government administration sector in Mexico 🇲🇽, specifically affecting the 'declaración de situación patrimonial'. #DataBreach #GovernmentSecurity #CyberThreats

2025-12-07

High-confidence data breach detected targeting Mexico 🇲🇽 government sector involving declaración de situación patrimonial. #DataBreach #CyberSecurity #GovernmentSecurity

2025-12-07

Elundini Local Municipality in South Africa 🇿🇦 targeted by high-confidence ransomware attack. #Ransomware #GovernmentSecurity #CyberThreat

2025-12-05

It's been a busy 24 hours in the cyber world with significant updates on nation-state activity, a couple of actively exploited vulnerabilities, new insights into AI's role in cyberattacks, and a reminder about government policy and privacy. Let's take a look:

Ransomware Hits Pharma and NHS ⚠️

- US pharmaceutical firm Inotiv is notifying 9,542 individuals of a data breach following an August 2025 Qilin ransomware attack, which claimed to exfiltrate 176 GB of data.
- Barts Health NHS Trust in England also disclosed a data breach, with Clop ransomware actors stealing invoices containing names and addresses after exploiting an Oracle E-business Suite zero-day (CVE-2025-61882). Patient records were not affected.
- Asus confirmed that an unnamed third-party supplier was compromised by the Everest ransomware gang, who claimed to have stolen 1 TB of data, including camera source code for Asus phones. Asus insists its own products and customer data were unaffected.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th

China-Linked BRICKSTORM Malware Campaign 🇨🇳

- US and Canadian cybersecurity agencies (CISA, NSA, CCCS) have issued a joint advisory on BRICKSTORM, a sophisticated Golang backdoor used by China-linked state-sponsored actors (UNC5221/Warp Panda) for long-term persistence.
- BRICKSTORM targets VMware vSphere and Windows environments, enabling credential theft, hidden VM creation, and lateral movement, with some intrusions maintaining access for years in government, IT, legal, and SaaS sectors.
- The malware includes a "self-watching" function for automatic reinstallation and uses advanced C2 techniques like DNS-over-HTTPS and SOCKS proxying, making detection difficult and posing a significant threat to critical infrastructure.

πŸ—žοΈ The Record | therecord.media/cisa-nsa-warn-
πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th
🀫 CyberScoop | cyberscoop.com/china-brickstor
πŸ“° The Hacker News | thehackernews.com/2025/12/cisa

Intellexa Predator Spyware: Zero-Days and Remote Access 📱

- Leaked training videos suggest Intellexa, the maker of Predator spyware, retained remote access capabilities to customer surveillance systems, raising serious human rights concerns about potential liability for misuse.
- The investigation revealed Predator's use of numerous zero-day exploits (e.g., CVE-2025-48543, CVE-2025-6554, CVE-2023-41993) against mobile browsers and a new "Aladdin" vector that delivers spyware via malicious mobile advertisements.
- Confirmed targeting includes a human rights lawyer in Pakistan, with ongoing Predator activity detected in multiple countries like Iraq, Saudi Arabia, Kazakhstan, Angola, and Mongolia, highlighting the persistent global demand for such surveillance tools.

🤫 CyberScoop | cyberscoop.com/intellexa-remot
📰 The Hacker News | thehackernews.com/2025/12/inte

Actively Exploited VPN and Web Framework Vulnerabilities 🛡️

- Hackers are actively exploiting a command injection vulnerability in Array AG Series VPN devices (ArrayOS AG 9.4.5.8 and earlier with DesktopDirect enabled) to deploy webshells and create rogue users, primarily targeting organisations in Japan.
- A critical insecure deserialization flaw, React2Shell (CVE-2025-55182), affecting React Server Components (RSC) and Next.js, is being actively exploited by multiple China-linked threat actors (Earth Lamia, Jackpot Panda) for unauthenticated remote code execution (RCE).
- Cloudflare experienced a widespread outage due to an emergency patch deployed to mitigate the React2Shell vulnerability, underscoring the severity and rapid exploitation of this flaw.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
📰 The Hacker News | thehackernews.com/2025/12/jpce
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/chinese-hacker

AI Agents: New Attack Vectors and Defence Challenges 🧠

- Anthropic's SCONE-bench research demonstrates that AI agents are becoming increasingly adept at exploiting smart contract vulnerabilities, with some models profitably identifying zero-days and generating millions in simulated funds.
- A "zero-click agentic browser attack" targeting Perplexity's Comet browser can leverage crafted emails to instruct an AI agent to delete an entire Google Drive, exploiting the agent's "excessive agency" without explicit user confirmation or traditional prompt injection.
- Researchers found that AI coding tools integrated into software development workflows (e.g., GitHub Actions) are vulnerable to prompt injection, where malicious commit messages or pull requests can be interpreted as instructions by LLMs, leading to shell command execution and token leakage.

πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th
πŸ“° The Hacker News | thehackernews.com/2025/12/zero
🀫 CyberScoop | cyberscoop.com/ai-coding-tools

UK Facial Recognition Expansion Sparks Privacy Debate 🚨

- The UK Home Office is pushing ahead with plans for a dedicated legal framework to expand police use of live facial recognition and other biometric technologies, aiming for "significantly greater scale."
- While the government touts facial recognition as a major crime-fighting tool, civil liberties groups like Big Brother Watch warn that this expansion risks turning public spaces into "biometric dragnets" and could lead to an "authoritarian surveillance state."
- Critics argue that any expansion must be paired with robust policy and investment in data protection and GDPR compliance to prevent unnecessary infringement on privacy.

πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th

US Healthcare Cybersecurity Legislation Returns 🏥

- A bipartisan group of US senators has revived the Health Care Cybersecurity and Resiliency Act, aiming to update regulations, authorise grants, offer training, and clarify federal agency roles (HHS, CISA) to bolster healthcare cybersecurity.
- The legislation seeks to improve coordination between HHS and CISA, direct HHS to develop an incident response plan, update HIPAA regulations for modern cybersecurity practices, and provide guidance for rural health clinics.
- This renewed effort follows major healthcare data breaches, such as the Change Healthcare ransomware attack, underscoring the urgent need for comprehensive legislative action to protect sensitive medical data.

🤫 CyberScoop | cyberscoop.com/bipartisan-heal

DoD Comms Failures and North Korea IT Worker Scheme 🏛️

- A Pentagon Inspector General report found that US Defense Secretary Pete Hegseth violated policy by using a personal device and Signal for sensitive operational details, highlighting a widespread, systemic issue of non-compliance within the DoD regarding unofficial messaging.
- A Maryland man was sentenced to 15 months in prison for his role in a North Korean IT worker scheme, where he allowed North Korean nationals to use his identity to secure software development contracts, including at the FAA, potentially exposing sensitive national defence information.
- The Trump administration's new national security strategy emphasises collaboration with US industry and regional foreign governments to protect critical infrastructure and networks, calling for deregulation and a focus on the Western Hemisphere, with a separate national cybersecurity strategy expected in January.

πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th
πŸ—žοΈ The Record | therecord.media/north-korea-it
πŸ—žοΈ The Record | therecord.media/trump-national

FBI Warns of Virtual Kidnapping Scams 📞

- The FBI is warning the public about an increase in virtual kidnapping ransom scams where criminals use altered social media photos as fake "proof of life" to pressure victims into paying ransoms.
- These scams create a false sense of urgency, often involving spoofed phone numbers and manipulated images to convince victims that a loved one has been abducted, even though no actual kidnapping has occurred.
- The FBI advises caution, avoiding sharing personal information with strangers, establishing family code words for emergencies, and carefully scrutinising any "proof of life" photos for inconsistencies.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu

#CyberSecurity #ThreatIntelligence #Ransomware #NationState #APT #ZeroDay #Vulnerability #AI #DataPrivacy #InfoSec #CyberAttack #Malware #IncidentResponse #GovernmentSecurity #SupplyChainSecurity
