It's been a busy 24 hours in the cyber world with significant updates on nation-state activity, a couple of actively exploited vulnerabilities, new insights into AI's role in cyberattacks, and a reminder about government policy and privacy. Let's take a look:
Ransomware Hits Pharma and NHS ⚠️
- US pharmaceutical firm Inotiv is notifying 9,542 individuals of a data breach following an August 2025 Qilin ransomware attack, which claimed to exfiltrate 176 GB of data.
- Barts Health NHS Trust in England also disclosed a data breach, with Clop ransomware actors stealing invoices containing names and addresses after exploiting an Oracle E-business Suite zero-day (CVE-2025-61882). Patient records were not affected.
- Asus confirmed that an unnamed third-party supplier was compromised by the Everest ransomware gang, who claimed to have stolen 1 TB of data, including camera source code for Asus phones. Asus insists its own products and customer data were unaffected.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/pharma-firm-inotiv-discloses-data-breach-after-ransomware-attack/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/barts-health-nhs-discloses-data-breach-after-oracle-zero-day-hack/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/05/asus_supplier_hack/
China-Linked BRICKSTORM Malware Campaign 🇨🇳
- US and Canadian cybersecurity agencies (CISA, NSA, CCCS) have issued a joint advisory on BRICKSTORM, a sophisticated Golang backdoor used by China-linked state-sponsored actors (UNC5221/Warp Panda) for long-term persistence.
- BRICKSTORM targets VMware vSphere and Windows environments, enabling credential theft, hidden VM creation, and lateral movement, with some intrusions maintaining access for years in government, IT, legal, and SaaS sectors.
- The malware includes a "self-watching" function for automatic reinstallation and uses advanced C2 techniques like DNS-over-HTTPS and SOCKS proxying, making detection difficult and posing a significant threat to critical infrastructure.
🗞️ The Record | https://therecord.media/cisa-nsa-warn-brickstorm-china
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/04/prc_spies_brickstorm_cisa/
🤫 CyberScoop | https://cyberscoop.com/china-brickstorm-malware-cyber-espionage-campaign-cisa-dhs-alert/
📰 The Hacker News | https://thehackernews.com/2025/12/cisa-reports-prc-hackers-using.html
Intellexa Predator Spyware: Zero-Days and Remote Access 📱
- Leaked training videos suggest Intellexa, the maker of Predator spyware, retained remote access capabilities to customer surveillance systems, raising serious human rights concerns about potential liability for misuse.
- The investigation revealed Predator's use of numerous zero-day exploits (e.g., CVE-2025-48543, CVE-2025-6554, CVE-2023-41993) against mobile browsers and a new "Aladdin" vector that delivers spyware via malicious mobile advertisements.
- Confirmed targeting includes a human rights lawyer in Pakistan, with ongoing Predator activity detected in multiple countries like Iraq, Saudi Arabia, Kazakhstan, Angola, and Mongolia, highlighting the persistent global demand for such surveillance tools.
🤫 CyberScoop | https://cyberscoop.com/intellexa-remotely-accessed-predator-spyware-customer-systems-investigation-finds/
📰 The Hacker News | https://thehackernews.com/2025/12/intellexa-leaks-reveal-zero-days-and.html
Actively Exploited VPN and Web Framework Vulnerabilities 🛡️
- Hackers are actively exploiting a command injection vulnerability in Array AG Series VPN devices (ArrayOS AG 9.4.5.8 and earlier with DesktopDirect enabled) to deploy webshells and create rogue users, primarily targeting organisations in Japan.
- A critical insecure deserialization flaw, React2Shell (CVE-2025-55182), affecting React Server Components (RSC) and Next.js, is being actively exploited by multiple China-linked threat actors (Earth Lamia, Jackpot Panda) for unauthenticated remote code execution (RCE).
- Cloudflare experienced a widespread outage due to an emergency patch deployed to mitigate the React2Shell vulnerability, underscoring the severity and rapid exploitation of this flaw.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-arrayos-ag-vpn-flaw-to-plant-webshells/
📰 The Hacker News | https://thehackernews.com/2025/12/jpcert-confirms-active-command.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/react2shell-critical-flaw-actively-exploited-in-china-linked-attacks/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/cloudflare-blames-todays-outage-on-emergency-react2shell-patch/
🗞️ The Record | https://therecord.media/chinese-hackers-exploit-react2shell-vulnerability-amazon
AI Agents: New Attack Vectors and Defence Challenges 🧠
- Anthropic's SCONE-bench research demonstrates that AI agents are becoming increasingly adept at exploiting smart contract vulnerabilities, with some models profitably identifying zero-days and generating millions in simulated funds.
- A "zero-click agentic browser attack" targeting Perplexity's Comet browser can leverage crafted emails to instruct an AI agent to delete an entire Google Drive, exploiting the agent's "excessive agency" without explicit user confirmation or traditional prompt injection.
- Researchers found that AI coding tools integrated into software development workflows (e.g., GitHub Actions) are vulnerable to prompt injection, where malicious commit messages or pull requests can be interpreted as instructions by LLMs, leading to shell command execution and token leakage.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/05/an_ai_for_an_ai/
📰 The Hacker News | https://thehackernews.com/2025/12/zero-click-agentic-browser-attack-can.html
🤫 CyberScoop | https://cyberscoop.com/ai-coding-tools-can-be-turned-against-you-aikido-github-prompt-injection/
UK Facial Recognition Expansion Sparks Privacy Debate 🚨
- The UK Home Office is pushing ahead with plans for a dedicated legal framework to expand police use of live facial recognition and other biometric technologies, aiming for "significantly greater scale."
- While the government touts facial recognition as a major crime-fighting tool, civil liberties groups like Big Brother Watch warn that this expansion risks turning public spaces into "biometric dragnets" and could lead to an "authoritarian surveillance state."
- Critics argue that any expansion must be paired with robust policy and investment in data protection and GDPR compliance to prevent unnecessary infringement on privacy.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/05/uk_cops_facial_recognition/
US Healthcare Cybersecurity Legislation Returns 🏥
- A bipartisan group of US senators has revived the Health Care Cybersecurity and Resiliency Act, aiming to update regulations, authorise grants, offer training, and clarify federal agency roles (HHS, CISA) to bolster healthcare cybersecurity.
- The legislation seeks to improve coordination between HHS and CISA, direct HHS to develop an incident response plan, update HIPAA regulations for modern cybersecurity practices, and provide guidance for rural health clinics.
- This renewed effort follows major healthcare data breaches, such as the Change Healthcare ransomware attack, underscoring the urgent need for comprehensive legislative action to protect sensitive medical data.
🤫 CyberScoop | https://cyberscoop.com/bipartisan-health-care-cybersecurity-legislation-returns-to-address-a-cornucopia-of-issues/
DoD Comms Failures and North Korea IT Worker Scheme 🏛️
- A Pentagon Inspector General report found that US Defense Secretary Pete Hegseth violated policy by using a personal device and Signal for sensitive operational details, highlighting a widespread, systemic issue of non-compliance within the DoD regarding unofficial messaging.
- A Maryland man was sentenced to 15 months in prison for his role in a North Korean IT worker scheme, where he allowed North Korean nationals to use his identity to secure software development contracts, including at the FAA, potentially exposing sensitive national defence information.
- The Trump administration's new national security strategy emphasises collaboration with US industry and regional foreign governments to protect critical infrastructure and networks, calling for deregulation and a focus on the Western Hemisphere, with a separate national cybersecurity strategy expected in January.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/04/dod_hegseth_broke_pentagon_policy_signal/
🗞️ The Record | https://therecord.media/north-korea-it-worker-scheme-maryland-man-sentenced
🗞️ The Record | https://therecord.media/trump-national-security-strategy-cyber-elements
FBI Warns of Virtual Kidnapping Scams 📞
- The FBI is warning the public about an increase in virtual kidnapping ransom scams where criminals use altered social media photos as fake "proof of life" to pressure victims into paying ransoms.
- These scams create a false sense of urgency, often involving spoofed phone numbers and manipulated images to convince victims that a loved one has been abducted, even though no actual kidnapping has occurred.
- The FBI advises caution, avoiding sharing personal information with strangers, establishing family code words for emergencies, and carefully scrutinising any "proof of life" photos for inconsistencies.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/fbi-warns-of-virtual-kidnapping-ransom-scams-using-altered-social-media-photos/
#CyberSecurity #ThreatIntelligence #Ransomware #NationState #APT #ZeroDay #Vulnerability #AI #DataPrivacy #InfoSec #CyberAttack #Malware #IncidentResponse #GovernmentSecurity #SupplyChainSecurity
