SmarterTools was breached by hackers exploiting a vulnerability in its own SmarterMail software through an unknown virtual machine set up by an employee that wasn’t being updated. “Prior to the breach, we had approximately 30 servers/VMs with SmarterMail installed throughout our network,” SmarterTools COO Derek Curtis noted in a Feb. 3 post. “Unfortunately, we were unaware of one VM, set up by an employee, that was not being updated. As a result, that mail server was compromised, which led to the breach.” Network segmentation helped limit the breach, Curtis said, so the company website, shopping cart, account portal, and other services “remained online while we mitigated the issue. None of our business applications or account data were affected or compromised.”

SmarterTools Breach Comes Amid SmarterMail Vulnerability Warnings

Curtis said SmarterTools was compromised by the Warlock ransomware group, “and we have observed similar activity on customer machines.” In a blog post today, ReliaQuest researchers said they’ve observed SmarterMail vulnerability CVE-2026-23760 exploited in attacks “attributed with moderate-to-high confidence to ‘Storm-2603.’ This appears to be the first observed exploitation linking the China-based actor to the vulnerability as an entry point for its ‘Warlock’ ransomware operations.” ReliaQuest said other ransomware actors may be targeting a second SmarterMail vulnerability. “This activity coincides with a February 5, 2026 CISA warning that ransomware actors are exploiting a second SmarterMail vulnerability (CVE-2026-24423),” ReliaQuest said. “We observed probes for this second vulnerability alongside the Storm-2603 activity. However, because these attempts originated from different infrastructure, it remains unclear whether Storm-2603 is rotating IP addresses or a separate group is capitalizing on the same window. “Specific attribution matters less than the operational reality: Internet-facing servers are being targeted by multiple vectors simultaneously,” ReliQuest added. “Patching one entry point is insufficient if the adversary is actively pivoting to another or—worse—has already established persistence using legitimate tools.” Curtis said that once Warlock actors gain access, “they typically install files and wait approximately 6–7 days before taking further action. This explains why some customers experienced a compromise even after updating—the initial breach occurred prior to the update, but malicious activity was triggered later.”

SmarterTools Breach Limited by Linux Use

Curtis said the SmarterTools breach affected networks at the company office and a data center “which primarily had various labs where we do much of our QC work, etc.” “Because we are primarily a Linux company now, only about 12 Windows servers looked to be compromised and on those servers, our virus scanners blocked most efforts,” he wrote. “None of the Linux servers were affected.” He said Sentinel One “did a really good job detecting vulnerabilities and preventing servers from being encrypted.” He said that SmarterMail Build 9518 (January 15) contains fixes for the vulnerabilities, while Build 9526 (January 22) “complements those fixes with additional improvements and resolves lesser issues that have been brought to our attention and/or discovered during our internal security audits.” He said based on the company’s own breach and observations of customer incidents, Warlock actors “often attempt to take control of the Active Directory server and create new users. From there, they distribute files across Windows machines and attempt to execute files that encrypt data.” Common file names and programs abused by the threat actors have included:

• Velociraptor
• JWRapper
• Remote Access
• SimpleHelp
• WinRAR (older, vulnerable versions)
• exe
• dll
• exe
• Short, random filenames such as e0f8rM_0.ps1 or abc...
• Random .aspx files

“We hope this provides a fuller summary of what we have seen and what customers can look for in their own environments,” Curtis said. “We also hope it demonstrates that we are taking every possible step to prevent issues like this from occurring again and making every effort to consolidate what we’re seeing and sharing with our customers.”

The European Commission's central infrastructure for managing mobile devices was hit by a cyberattack on January 30, the Commission has revealed. The announcement said the European Commission mobile cyberattack was limited by swift action, but cybersecurity observers are speculating that the incident was linked to another recent European incident involving Netherlands government targets that was revealed around the same time.

European Commission Mobile Cyberattack Detailed

The European Commission’s Feb. 5 announcement said its mobile management infrastructure “identified traces of a cyber-attack, which may have resulted in access to staff names and mobile numbers of some of its staff members. The Commission's swift response ensured the incident was contained and the system cleaned within 9 hours. No compromise of mobile devices was detected.” The Commission said it will “continue to monitor the situation. It will take all necessary measures to ensure the security of its systems. The incident will be thoroughly reviewed and will inform the Commission's ongoing efforts to enhance its cybersecurity capabilities.” The Commission provided no further details on the attack, but observers wondered if it was connected to another incident involving Dutch government targets that was revealed the following day.

Dutch Cyberattack Targeted Ivanti Vulnerabilities

In a Feb. 6 letter (download, in Dutch) to the Dutch Parliament, State Secretary for Justice and Security Arno Rutte said the Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr) had been targeted in an “exploitation of a vulnerability in Ivanti Endpoint Manager Mobile (EPMM).” Rutte said the Dutch National Cyber ​​Security Centre (NCSC) was informed by Ivanti on January 29 about vulnerabilities in EPMM, which is used for managing and securing mobile devices, apps and content. On January 29, Ivanti warned that two critical zero-day vulnerabilities in EPMM were under attack. CVE-2026-1281 and CVE-2026-1340 are both 9.8-severity code injection flaws, affecting EPMM’s In-House Application Distribution and Android File Transfer Configuration features, and could allow unauthenticated remote attackers to execute arbitrary code on vulnerable on-premises EPMM installations without any prior authentication. “Based on the information currently available, I can report that at least the AP and the Rvdr have been affected,” Rutte wrote. Work-related data of AP employees, such as names, business email addresses, and telephone numbers, “have been accessed by unauthorized persons,” he added. “Immediate measures were taken after the incident was discovered. In addition, the employees of the AP and the Rvdr have been informed. The AP has reported the incident to its data protection officer. The Rvdr has submitted a preliminary data breach notification to the AP.” NCSC is monitoring further developments with the Ivanti vulnerability and “is in close contact” with international partners, the letter said. Meanwhile, the Chief Information Officer of the Dutch government “is coordinating the assessment of whether there is a broader impact within the central government.”

European Commission Calls for Stronger Cybersecurity Controls

The European Commission’s statement noted that “As Europe faces daily cyber and hybrid attacks on essential services and democratic institutions, the Commission is committed to further strengthen the EU's cybersecurity resilience and capabilities.” To that end, the Commission introduced a Cybersecurity Package on January 20 to bolster the European Union's cyber defenses. “A central pillar of this initiative is the Cybersecurity Act 2.0, which introduces a framework for a Trusted ICT Supply Chain to mitigate risks from high-risk suppliers,” the EC statement said.

A new paper gives an insider’s perspective into CISA’s Known Exploited Vulnerability catalog – and also offers a free tool to help security teams use the CISA KEV catalog more effectively. The paper, by former CISA KEV Section Chief and current runZero VP of Security Research Tod Beardsley, applies commonly used enrichment signals like CVSS, EPSS and SSVC, public exploit tooling from Metasploit and Nuclei, MITRE ATT&CK mappings, and “time-sequenced relationships” to help security teams prioritize vulnerabilities based on urgency. The paper’s findings led to the development of KEV Collider, a web application and dataset “that encourages readers to explore, recombine, and validate KEV enrichment data to better leverage the KEV in their daily operations,” the paper said. One interesting finding in the paper is that only 32% of CISA KEV vulnerabilities are “immediately exploitable for initial access.”

CISA KEV Is Not a List of the Worst Vulnerabilities

CISA KEV is not a list of the worst vulnerabilities, and the criteria for inclusion in the KEV catalog is perhaps surprisingly narrow. “The KEV is often misunderstood as a government-curated list of the most severe vulnerabilities ever discovered, or as a catalog of hyper-critical remote code execution flaws actively being used by foreign adversaries against U.S. government systems,” the paper said. “This casual interpretation is incorrect on several counts. While KEV-listed vulnerabilities do represent confirmed exploitation, the catalog exists primarily as an operational prioritization tool rather than as a comprehensive inventory of exploited vulnerabilities.” Inclusion in the KEV Catalog is limited to vulnerabilities that meet four conditions:

• The vulnerability must have an assigned Common Vulnerabilities and Exposures (CVE) identifier.
• There must be a reasonable mitigation. “This means that vulnerabilities with no realistic path to mitigation will not reach the KEV,” the paper said. The lack of a straightforward fix has kept CVE-2022-21894, aka “BlackLotus,” off the list even though the NSA has provided mitigation guidance.
• There must be evidence of exploitation. “This exploitation must be observed by CISA, either directly or through trusted reporting channels,” the paper said.
• The vulnerability must be relevant to the U.S. Federal Civilian Executive Branch (FCEB).

CISA KEV is not the only list of known exploited vulnerabilities, the paper said. Another is the VulnCheck KEV, which is three times bigger than CISA KEV. “It often adds vulnerabilities to its KEV in closer-to-real-time as exploitation evidence surfaces, sometimes beating the CISA KEV as first to publish exploitation notifications,” the paper said – and would also be an interesting place to apply the paper’s criteria. CISA KEV isn’t a list of the most severe vulnerabilities: “the vulnerabilities there are not all unauthenticated, remotely exploitable, initial intrusion vulnerabilities,” the paper said. Looking at just the last 12 vulnerabilities added to the KEV catalog in December, only four met the criteria for a “straight shot RCE bug.” Those criteria are:

• Access Vector of “Network” (as opposed to “Adjacent,” “Local,” or “Physical”)
• Privileges Required of “None” (as opposed to “Low” or “High”)
• User Interaction of “None” (as opposed to “Required”)
• Integrity Impact of “High” (as opposed to “None” or “Low”)

“These are the vulnerabilities that listen on an internet socket, don’t require a login, don’t require the victim to act, and the attacker ends up with total control over the affected system,” the paper said. Interestingly, the four straight-shot RCE vulnerabilities are all rated Critical, while the rest are rated High or Medium. Out of 1,488 KEV vulnerabilities as of January 14, 2026, only 483, or 32%, “are useful for immediate initial access,” the paper said. Using the Straight-Shot RCE filter in KEV Collider, 494 of 1,507 KEV vulnerabilities in the catalog as of Feb. 6 qualify, or 32.7 Looking at EPSS scores suggests that some of the vulnerabilities have a low probability of being exploited again in the future. There are 545 KEV vulnerabilities with very high EPSS scores – and 353 in the sub-10% category. Examining Metasploit Framework exploits, 464 KEV vulnerabilities were associated with at least one Metasploit module. “This means that just about a third of all KEVs are trivially exploitable today, as Metasploit modules are free, easy to use, and well-understood by attackers and defenders alike,” the paper said. There were 398 Nuclei templates “suitable for testing KEV vulnerabilities,” and 235 vulnerabilities with both Metasploit and Nuclei exploits. The paper also looked at the correlation of MITRE ATT&CK mappings with Metasploit and Nuclei exploit development and found that vulnerabilities associated with T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter) “are more likely to attract the attention of public exploit developers.” Also read: CISA Silently Updates Vulnerabilities Exploited by Ransomware Groups

Perfect Vulnerability Coverage ‘Unrealistic’

The paper noted that “perfect vulnerability coverage is an increasingly unrealistic goal, particularly when organizations are constrained by finite tooling, staffing, or budget. This is even true when the focus is narrowed to merely the CISA KEV catalog.” “Many KEVs now affect assets that are difficult to inventory, difficult to scan, or difficult to patch using conventional enterprise tooling,” and can’t be covered by a single product. The paper’s goal is to help security practitioners “reason about uncertainty and prioritize effort when full coverage is unattainable. In practice, organizations must decide how to sequence remediation, where to apply detection and monitoring first, and when to escalate resource allocation to meet particularly aggressive deadlines.” All source JSON files used by the KEV Collider application are available in a public GitHub repository.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has been “silently” updating its Known Exploited Vulnerabilities (KEV) catalog when it concludes that vulnerabilities have been exploited by ransomware groups, according to a security researcher. CISA adds a “known” or “unknown” field next to the “Known To Be Used in Ransomware Campaigns?” entry in its KEV catalog. The problem, according to a blog post by Glenn Thorpe of GreyNoise, is the agency doesn’t send out advisories when a vulnerability changes from “unknown” to “known” vulnerabilities exploited by ransomware groups. Thorpe downloaded daily CISA KEV snapshots for all of 2025 and found that the agency had flipped 59 vulnerabilities in 2025 from “unknown” to “known” evidence of exploitation by ransomware groups. “When that field flips from ‘Unknown’ to ‘Known,’ CISA is saying: ‘We have evidence that ransomware operators are now using this vulnerability in their campaigns,’" Thorpe wrote. “That's a material change in your risk posture. Your prioritization calculus should shift. But there's no alert, no announcement. Just a field change in a JSON file. This has always frustrated me.” In a statement shared with The Cyber Express, CISA Executive Assistant Director for Cybersecurity Nick Andersen suggested that the agency is considering Thorpe’s input. “We continue to streamline processes and enrich vulnerability data through initiatives like the KEV catalog, the Common Vulnerabilities and Exposures (CVE) Program, and Vulnrichment,” Andersen said. “Feedback from the cybersecurity community is essential as CISA works to enhance the KEV catalog and advance vulnerability prioritization across the ecosystem.”

Microsoft Leads in Vulnerabilities Exploited by Ransomware Groups

Of the 59 CVEs that flipped to “known” exploitation by ransomware groups last year, 27% were Microsoft vulnerabilities, Thorpe said. Just over a third (34%) involved edge and network CVEs, and 39% were for CVEs before 2023. And 41% of the flipped vulnerabilities occurred in a single month, May 2025. The “Fastest time-to-ransomware flip” was one day, while the longest lag between CISA KEV addition and the change to “known” ransomware exploitation status was 1,353 days. The “Most flipped vulnerability type” was Authentication Bypass at 14% of occurrences.

Ransomware Groups Target Edge Devices

Edge devices accounted for a high number of the flipped vulnerabiities, Thorpe said. Fortinet, Ivanti, Palo Alto and Check Point Security edge devices were among the flipped CVEs. “Ransomware operators are building playbooks around your perimeter,” he said. Thorpe said that 19 of the 59 flipped vulnerabilities “target network security appliances, the very devices deployed to protect organizations.” But he added: “Legacy bugs show up too; Adobe Reader vulnerabilities from years ago suddenly became ransomware-relevant.” Authentication bypasses and RCE vulnerabilities were the most common, “as ransomware operators prioritize ‘get in and go’ attack chains.” The breakdown by vendor of the 59 vulnerabilities “shouldn't surprise anyone,” he said. Microsoft was responsible for 16 of the flipped CVEs, affecting SharePoint, Print Spooler, Group Policy, Mark-of-the-Web bypasses, and more. Ivanti products were affected by 6 of the flipped CVEs, Fortinet by 5 (with FortiOS SSL-VPN heap overflows standing out), and Palo Alto Networks and Zimbra were each affected by 3 of the CVEs. “Ransomware operators are economic actors after all,” Thorpe said. “They invest in exploit development for platforms with high deployment and high-value access. Firewalls, VPN concentrators, and email servers fit that profile perfectly.” He also noted that the pace of vulnerability exploitation by ransomware groups accelerated in 2025. “Today, ransomware operators are integrating fresh exploits into their playbooks faster than defenders are patching,” he said. Thorpe created an RSS feed to track the flipped vulnerabilities; it’s updated hourly.

Ransomware attacks have soared 30% since late last year, and they’ve continued that trend so far in 2026, with many of the attacks affecting software and manufacturing supply chains. Those are some of the takeaways of new research published by Cyble today, which also looked at the top ransomware groups, significant ransomware attacks, new ransomware groups, and recommended cyber defenses. Ransomware groups claimed 2,018 attacks in the last three months of 2025, averaging just under 673 a month to end a record-setting year. The elevated attack levels continued in January 2026, as the threat groups claimed 679 ransomware victims. In the first nine months of 2025, ransomware groups claimed an average of 512 victims a month, so the recent trend has been more than 30% above that, Cyble noted. Below is Cyble’s chart of ransomware attacks by month since 2021, which shows a sustained uptrend since mid-2025.

Qilin Remains Top Ransomware Group as CL0P Returns

Qilin was once again the top ransomware group, claiming 115 victims in January. CL0P was second with 93 victims after claiming “scores of victims” in recent weeks in an as-yet unspecified campaign. Akira remained among the leaders with 76 attacks, and newcomers Sinobi and The Gentlemen rounded out the top five (chart below). [caption id="attachment_109255" align="aligncenter" width="845"] Top ransomware groups January 2026 (Cyble)[/caption] “As CL0P tends to claim victims in clusters, such as its exploitation of Oracle E-Business Suite flaws that helped drive supply chain attacks to records in October, new campaigns by the group are noteworthy,” Cyble said. Victims in the latest campaign have included 11 Australia-based companies spanning a range of sectors such as IT, banking and financial services (BFSI), construction, hospitality, professional services, and healthcare. Other recent CL0P victims have included “a U.S.-based IT services and staffing company, a global hotel company, a major media firm, a UK payment processing company, and a Canada-based mining company engaged in platinum group metals production,” Cyble said. The U.S. once again led all countries in ransomware attacks (chart below), while the UK and Australia faced a higher-than-normal attack volume. “CL0P’s recent campaign was a factor in both of those increases,” Cyble said. [caption id="attachment_109256" align="aligncenter" width="831"] Ransomware attacks by country January 2026 (Cyble)[/caption] Construction, professional services and manufacturing remain opportunistic targets for threat actors, while the IT industry also remains a favorite target of ransomware groups, “likely due to the rich target the sector represents and the potential to pivot into downstream customer environments,” Cyble said (chart below). [caption id="attachment_109258" align="aligncenter" width="819"] Ransomware attacks by industry January 2026 (Cyble)[/caption]

Ransomware Attacks Hit the Supply Chain

Cyble documented 10 significant ransomware attacks from January in its blog post, many of which had supply chain implications. One was an Everest ransomware group compromise of “a major U.S. manufacturer of telecommunications networking equipment ... Everest claims the data includes PDF documents containing sensitive engineering materials, such as electrical schematics, block diagrams, and service subsystem documentation.” Sinobi claimed a breach of an India-based IT services company. “Samples shared by the attackers indicate access to internal infrastructure, including Microsoft Hyper-V servers, multiple virtual machines, backups, and storage volumes,” Cyble said. A Rhysida ransomware group attack on a U.S. life sciences and biotechnology instrumentation company allegedly exposed sensitive information such as engineering blueprints and project documentation. A RansomHouse attack on a China-based electronics manufacturing for the technology and automotive manufacturers nay have exposed “extensive proprietary engineering and production-related data,” and “data associated with multiple major technology and automotive companies.” An INC Ransom attack on a Hong Kong–based components manufacturer for the global electronics and automotive industries may have exposed “client-related information associated with more than a dozen major global brands, plus confidential contracts and project documentation for at least three major IT companies.” Cyble also documented the rise of three new ransomware groups: Green Blood, DataKeeper and MonoLock, with DataKeeper and MonoLock releasing details on technical and payment features aimed at attracting ransomware affiliates to their operations.  

French police raided the offices of the X social media platform today as European investigations grew into nonconsensual sexual deepfakes and potential child sexual abuse material (CSAM) generated by X’s Grok AI chatbot. A statement (in French) from the Paris prosecutor’s office suggested that Grok’s dissemination of Holocaust denial content may also be an issue in the Grok investigations. X owner Elon Musk and former CEO Linda Yaccarino were issued “summonses for voluntary interviews” on April 20, along with X employees the same week. Europol, which is assisting in the investigation, said in a statement that the investigation is “in relation to the proliferation of illegal content, notably the production of deepfakes, child sexual abuse material, and content contesting crimes against humanity. ... The investigation concerns a range of suspected criminal offences linked to the functioning and use of the platform, including the dissemination of illegal content and other forms of online criminal activity.” The French action comes amid a growing UK probe into Grok’s use of nonconsensual sexual imagery, and last month the EU launched its own investigation into the allegations. Meanwhile, a new Reuters report suggests that X’s attempts to curb Grok’s abuses are failing. “While Grok’s public X account is no longer producing the same flood of sexualized imagery, the Grok chatbot continues to do so when prompted, even after being warned that the subjects were vulnerable or would be humiliated by the pictures,” Reuters wrote in a report published today.

French Prosecutor Calls X Investigation ‘Constructive’

The French prosecutor’s statement said the investigation “is, at this stage, part of a constructive approach, with the objective of ultimately guaranteeing the X platform's compliance with French laws, insofar as it operates in French territory” (translated from the French). The investigation initially began in January 2025, the statement said, and “was broadened following other reports denouncing the functioning of Grok on the X platform, which led to the dissemination of Holocaust denial content and sexually explicit deepfakes.” The investigation concerns seven “criminal offenses,” according to the Paris prosecutor’s statement:

• Complicity in the possession of images of minors of a child pornography nature
• Complicity in the dissemination, offering, or making available of images of minors of a child pornography nature by an organized group
• Violation of the right to image (sexual deepfakes)
• Denial of crimes against humanity (Holocaust denial)
• Fraudulent extraction of data from an automated data processing system by an organized group
• Tampering with the operation of an automated data processing system by an organized group
• Administration of an illicit online platform by an organized group

The Paris prosecutor’s office deleted its X account after announcing the investigation.

Grok Investigations in the UK Grow

In the UK, the Information Commissioner’s Office (ICO) announced that it was launching an investigation into Grok abuses, on the same day the UK Ofcom communications services regulator said its own authority to investigate chatbots may be limited. William Malcolm, ICO's Executive Director for Regulatory Risk & Innovation, said in a statement: “The reports about Grok raise deeply troubling questions about how people’s personal data has been used to generate intimate or sexualised images without their knowledge or consent, and whether the necessary safeguards were put in place to prevent this.” “Our investigation will assess whether XIUC and X.AI have complied with data protection law in the development and deployment of the Grok services, including the safeguards in place to protect people’s data rights,” Malcolm added. “Where we find obligations have not been met, we will take action to protect the public.” Ilia Kolochenko, CEO at ImmuniWeb and a cybersecurity law attorney, said in a statement “The patience of regulators is not infinite: similar investigations are already pending even in California, let alone the EU. Moreover, some countries have already temporarily restricted or threatened to restrict access to X’s AI chatbot and more bans are probably coming very soon.” “Hopefully X will take these alarming signals seriously and urgently implement the necessary security guardrails to prevent misuse and abuse of its AI technology,” Kolochenko added. “Otherwise, X may simply disappear as a company under the snowballing pressure from the authorities and a looming avalanche of individual lawsuits.”

A cyberattack by Russian state-sponsored threat actors that targeted at least 30 wind and solar farms in Poland relied on default credentials, lack of multi-factor authentication (MFA) and outdated and misconfigured devices, according to a new report on the December 2025 incident by CERT Polska, the Polish computer emergency response team. The new report underscores the difficulty of securing critical infrastructure systems, which frequently rely on outdated devices that are difficult to update. In the Polish energy grid attack, credential and configuration errors compounded the vulnerabilities. CERT Polska attributed the campaign to Static Tundra, a group linked to Russia’s Federal Security Service (FSB) Center 16 unit, but a Dragos report on one of the Polish energy grid incidents attributed the activity to the ELECTRUM subgroup of Sandworm, a threat group linked to the GRU, Russia's military intelligence service, that was implicated in destructive attacks on the Ukraine power grid a decade ago. The Polish report notes that the DynoWiper malware used in the latest attacks “contains certain similarities to wiper-type tools3 associated with the activity cluster publicly known as ‘Sandworm’ and ‘SeashellBlizzard,’” but the report adds, “Despite identifying commonalities in behavioral characteristics and overall architecture, the level of similarity is too low to attribute DynoWiper to previously used wiper families.” The attackers’ activities began between March and May 2025, months before the December 29 attack.

Polish Energy Grid Attack Could Have Been Worse

The CERT Polska report said the December attack “resulted in a loss of communication between the facilities and distribution system operators (DSOs), but it did not affect ongoing electricity generation” or impact the stability of the Polish power system. “It should be noted, however, that given the level of access obtained by the attacker, there was a risk of causing a disruption in electricity generation at the affected facilities,” the report said. “Even if such a disruption had occurred, analyses indicate that the combined loss of capacity across all 30 facilities would not have affected the stability of the Polish power system during the period in question.” Dragos noted that in its incident response case, the attackers “gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair at the site,” an attack the company called “very alarming.” “This is the first major cyber attack targeting distributed energy resources (DERs), the smaller wind, solar, and CHP facilities being added to grids worldwide,” Dragos said. “Unlike the centralized systems impacted in electric grid attacks in 2015 and 2016 in Ukraine, these distributed systems are more numerous, require extensive remote connectivity, and often receive less cybersecurity investment. This attack demonstrates they are now a valid target for sophisticated adversaries.” “An attack on a power grid at any time is irresponsible, but to carry it out in the depths of winter is potentially lethal to the civilian population dependent on it,” Dragos added. “It is unfortunate that those who attack these systems appear to deliberately choose timing that maximizes impact on civilian populations.”

Credential and Configuration Mistakes Exploited in Polish Energy Grid Attack

In the Polish energy grid attack, the attackers exploited a long list of outdated and misconfigured devices and default and static credentials that weren’t secured with MFA. The Polish report noted that in each affected facility, a FortiGate device served as both a VPN concentrator and a firewall. “In every case, the VPN interface was exposed to the Internet and allowed authentication to accounts defined in the configuration without multi‑factor authentication,” the report said. The report noted that it’s a common practice in the industry to reuse the same accounts and passwords across multiple facilities. “In such a scenario, the compromise of even a single account could have enabled the threat actor to identify and access other devices where the same credentials were used,” CERT Polska said. The networks of the targeted facilities often contained segregated VLAN subnets, but as the attackers had administrative privileges on the device, “These privileges were likely used to obtain credentials for a VPN account with access to all subnets,” the report said. “Even if no such account had existed, the attacker, having administrator-level access, could have modified the device configuration to enable equivalent access.” In one incident, the attacker gained access to the SSL‑VPN portal service of a FortiGate device located at the organization’s network perimeter by using “multiple accounts that were statically defined in the device configuration and did not have two‑factor authentication enabled.” After gaining access, the attackers used bookmarks defined in the configuration file to access jump hosts via RDP, the report said. Analysis of a FortiGate device configuration file indicated that some users had statically configured target user credentials, which enabled connections to the jump host from the SSL‑VPN portal without the need for additional local or domain user credentials. The attacker also made configuration changes that included a new rule that allowed connections using any protocol and IP address to a specified device and disabling network traffic logging. Using the Fortinet scripting mechanism, the attacker also created scripts for further credential exfiltration and to modify security settings, which were executed weekly. The report also detailed numerous out-of-date or misconfigured operational technology (OT) devices, many with default credentials, such as Hitachi and Mikronika controllers, and secure update features that weren’t enabled. In the case of Hitachi Relion 650 v1.1 IEDs, the default FTP account hadn’t been disabled in accordance with the manufacturer’s recommendations. In cases where an HMI used unique credentials for the local administrator account, “unsuccessful password‑breaking attempts were observed. In those cases, the HMI was not damaged.” The attackers also pivoted to cloud services, the report said.

A security researcher investigating an AI toy for a neighbor found an exposed admin panel that could have leaked the personal data and conversations of the children using the toy. The findings, detailed in a blog post by security researcher Joseph Thacker, outlines the work he did with fellow researcher Joel Margolis, who found the exposed admin panel for the Bondu AI toy. Margolis found an intriguing domain (console.bondu.com) in the mobile app backend’s Content Security Policy headers. There he found a button that simply said: “Login with Google.” “By itself, there’s nothing weird about that as it was probably just a parent portal,” Thacker wrote. But instead of a parent portal, it turned out to be the Bondu core admin panel. “We had just logged into their admin dashboard despite [not] having any special accounts or affiliations with Bondu themselves,” Thacker said.

AI Toy Admin Panel Exposed Children’s Conversations

After some investigation in the admin panel, the researchers found they had full access to “Every conversation transcript that any child has had with the toy,” which numbered in the “tens of thousands of sessions.” The panel also contained personal data about children and their family, including:

• The child’s name and birth date
• Family member names
• The child’s likes and dislikes
• Objectives for the child (defined by the parent)
• The name given to the toy by the child
• Previous conversations between the child and the toy (used to give the LLM context)
• Device information, such as location via IP address, battery level, awake status, and more
• The ability to update device firmware and reboot devices

They noticed the application is based on OpenAI GPT-5 and Google Gemini. “Somehow, someway, the toy gets fed a prompt from the backend that contains the child profile information and previous conversations as context,” Thacker wrote. “As far as we can tell, the data that is being collected is actually disclosed within their privacy policy, but I doubt most people realize this unless they go and read it (which most people don’t do nowadays).” In addition to the authentication bypass, they also discovered an Insecure Direct Object Reference (IDOR) vulnerability in the product’s API “that allowed us to retrieve any child’s profile data by simply guessing their ID.” “This was all available to anyone with a Google account,” Thacker said. “Naturally we didn’t access nor store any data beyond what was required to validate the vulnerability in order to responsibly disclose it.”

A (Very) Quick Response from Bondu

Margolis reached out to Bondu’s CEO on LinkedIn over the weekend – and the company took down the console “within 10 minutes.” “Overall we were happy to see how the Bondu team reacted to this report; they took the issue seriously, addressed our findings promptly, and had a good collaborative response with us as security researchers,” Thacker said. The company took other steps to investigate and look for additional security flaws, and also started a bug bounty program. They examined console access logs and found that there had been no unauthorized access except for the researchers’ activity, so the company was saved from a data breach. Despite the positive experience working with Bondu, the experience made Thacker reconsider buying AI toys for his own kids. “To be honest, Bondu was totally something I would have been prone to buy for my kids before this finding,” he wrote. “However this vulnerability shifted my stance on smart toys, and even smart devices in general.” “AI models are effectively a curated, bottled-up access to all the information on the internet,” he added. “And the internet can be a scary place. I’m not sure handing that type of access to our kids is a good idea.” Aside from potential security issues, “AI makes this problem even more interesting because the designer (or just the AI model itself) can have actual ‘control’ of something in your house. And I think that is even more terrifying than anything else that has existed yet,” he said. Bondu's website says the AI toy was built with child safety in mind, noting that its "safety and behavior systems were built over 18 months of beta testing with thousands of families. Thanks to rigorous review processes and continuous monitoring, we did not receive a single report of unsafe or inappropriate behavior from bondu throughout the entire beta period."

EU data breach notifications have surged 22% in the last year and GDPR fines remain high, according to a new report from law firm DLA Piper. The “sustained high level of data enforcement activity across Europe” noted in the report occurs amid the EU Digital Omnibus legislative process that critics say could substantially weaken the GDPR’s data privacy provisions. Given the high number of data breach notifications, the report noted, “It is perhaps not surprising that the EU Digital Omnibus is proposing to raise the bar for incident notification to regulators, to capture only breaches which are likely to cause a high risk to the rights and freedoms of data subjects. Supervisory authorities have been inundated with notifications and understandably want to stem the flood so they can focus on the genuinely serious incidents.” The success of the Digital Omnibus process may depend on how EU legislative bodies address the concerns of data privacy advocates, said the report, whose publication coincided with Data Privacy Week. “If simplification is perceived as undermining fundamental rights, the outcome could be legal uncertainty, increased litigation, and political backlash – the very opposite of the simplification and clarity businesses seek,” the law firm said. “The Omnibus therefore faces a delicate balancing act: simplifying rules without eroding trust or core rights. It is expected that the proposals will change as they are debated among the European Commission, the European Parliament, and the EU Council during the trialogue process in 2026.”

EU Data Breach Notifications Top 400 Per Day

The report found that for the first time since May 25, 2018 – the GDPR’s implementation date – average data breach notifications per day topped 400, “breaking the plateauing trend we have seen in recent years.” Between January 28, 2025 and January 27, 2026, the average number of breach notifications per day increased from 363 to 443, a jump of 22%. “It is not clear what is driving this uptick in breach notifications, but the geo-political landscape driving more cyber-attacks, as well as the focus on cyber incidents in the media and the raft of new laws including incident notification requirements ... may be focusing minds on breach notifications,” the law firm said. Laws and regulations that may be driving the increase in EU data breach notifications include NIS2, the Network and Information Security Directive, and DORA, the Digital Operation Resilience Act, the firm said.

GDPR Fines Reverse Downward Trend

GDPR fines remained high, with European supervisory authorities issuing fines totaling approximately EUR1.2 billion in 2025, in line with 2024 levels. “While there is no year-on-year increase in aggregate GDPR fines, this figure marks a reversal of last year’s downward trend and underscores that European data protection supervisory authorities remain willing to impose substantial monetary penalties,” the law firm said. The aggregate total fines since the implementation of GDPR across the jurisdictions surveyed stands at EUR7.1 billion as of January 27, 2026 – EUR4.04 billion of which were issued by the Irish Data Protection Commission. The Irish Data Protection Commission also imposed the highest fine in 2025, a EUR530 million fine in April 2025 against TikTok for violating GDPR's international data transfer restrictions. Fines resulting from breaches of the GDPR integrity and confidentiality principle, also known as the security principle, continue to be prominent, the report said. “Supply chain security and compliance is increasingly attracting the attention of data protection supervisory authorities,” the law firm said. “Supervisory authorities expect robust security controls to prevent personal data breaches and processors, as well as controllers, are directly liable for breaches of the security principle resulting in several fines being imposed directly on processors this year.”

Non-Material Damage Allowed Under GDPR Compensation Claims

Follow-on GDPR compensation claims also saw some notable developments, the law firm found. “This year has brought several notable rulings from the Court of Justice of the European Union (CJEU) and European courts on GDPR-related compensation claims – particularly regarding the criteria for pursuing claims for non-material damage.” One notable CJEU ruling found that non-material damage referred to in Article 82(1) GDPR “can include negative feelings, such as fear or annoyance, provided the data subject can demonstrate that they are experiencing such feelings,” the report said. “This was a win for claimants. However, in the same decision, the CJEU ruled that the mere assertion of negative feelings is insufficient for compensation; national courts must assess evidence of such feelings and be satisfied that they arise from the breach of GDPR. This provides some comfort for defendants as theoretical distress is insufficient to sound in compensation.” Ross McKean, Chair of the DLA Piper UK Data, Privacy and Cybersecurity practice, said in a statement that “Most evident in this year's report is the validation that the cybersecurity threat landscape has reached an unprecedented level. ... Coupled with the slew of new cybersecurity laws impacting business, some of which impose personal liability on members of management bodies, our report underscores the urgency and need for organisations to optimise cyber defences and operational resilience.”

Malicious open source software packages have become a critical problem threatening the software supply chain. That’s one of the major takeaways of a new report titled “State of the Software Supply Chain” by open source software security company Sonatype. Sonatype said its researchers identified more than 454,600 new malicious packages last year across npm, PyPI, Maven Central, NuGet, and Hugging Face, repositories which together combined for 9.8 trillion downloads. Open source malware has evolved “from spam and stunts into sustained, industrialized campaigns against the people and tooling that build software,” the researchers said. “What stands out most about 2025 is not just the scale of the threat, but also the sophistication,” the report said. “Where 2024’s XZ Utils incident was groundbreaking, demonstrating how a single compromised maintainer could imperil global infrastructure, 2025 saw software supply chain risk evolve dramatically.”

npm Leads in Malicious Open Source Software Packages

More than 99% of open source malware last year occurred on npm, the researchers said, and the kinds of threats evolved dramatically. Nation-state threat groups such as the Lazarus Group “advanced from simple droppers and crypto miners to five-stage payload chains that combined droppers, credential theft, and persistent remote access inside developer environments,” the report said, and the first self-replicating npm malware (Shai-Hulud and Sha1-Hulud) further escalated the threat to the open source software supply chain. IndonesianFoods created more than 150,000 malicious packages in a matter of days, and hijackings of major packages like chalk and debug showed that “established maintainers of high-profile packages are being targeted as entry points for mass distribution.” “Taken together, these developments mark 2025 as a grim year for open source malware: the moment when isolated incidents became an integrated campaign, and bad actors proved software supply chain attacks are now their most reliable weapon,” the researchers said.

Open Source Malware Exploits Developer Processes

Open source malware exploits the pressures developers face and the rapid decision-making involved in CI/CD pipelines. “Software supply chain attackers are perfecting social and technical mimicry to target and exploit developers making development decisions fast and with incomplete information,” the researchers said. “Attackers increasingly rely less on individual mistakes and more on scale, momentum, and volume. They know developers under deadline pressure are unlikely to pay detailed attention on every dependency. If a package ‘looks right’ with mostly comprehensible code, a legitimate seeming README.MD, and a reasonable amount of downloads, it is likely to get installed.” The number of open source package vulnerabilities adds to the problem. In 2025, npm recorded 838,778 releases associated with CVSS 9.0+ vulnerabilities, the report said, adding: “This scale is what enabled watershed incidents like React2Shell ... and Shai-Hulud to have ecosystem-wide impact.” “The takeaway isn’t that open source is unsafe or that teams should slow down,” the researchers concluded. “It is that the ecosystem has matured into critical infrastructure and we need to operate it like one. That means responsible consumption, security controls that match modern development, and transparency that is produced by the build, not assembled after the fact. “Open source will keep powering innovation,” they said. “The question is whether we build the practices and infrastructure to sustain it at the scale we now depend on, or whether we keep acting like the bill is someone else’s problem.” Going forward, the increasing convergence of AI and open source software will exacerbate the problem, they predicted. “AI model hubs and autonomous agents are converging with open source into a single, fluid software supply chain — a mesh of interdependent ecosystems without uniform security standards,” the report said. “Malware authors already understand this convergence. They are embedding persistence inside containers, pickled model files, and precompiled binaries that flow between data scientists, CI/CD systems, and runtime environments.”

Microsoft has released an emergency fix for an actively-exploited zero-day vulnerability affecting Microsoft Office. The vulnerability, CVE-2026-21509, is labeled a Microsoft Office Security Feature Bypass vulnerability that exploits the software weakness CWE-807 (Reliance on Untrusted Inputs in a Security Decision). Microsoft doesn’t say what threat actor is exploiting the vulnerability or how it’s being exploited, and doesn’t even acknowledge the researchers who discovered the vulnerability, but the software giant’s advisory includes lengthy mitigation guidance for users of Office 2016 and 2019, who must wait for a forthcoming Microsoft emergency fix.

Microsoft Emergency Fix for Office 2016 and 2019 Coming Soon

Microsoft said that customers on Office 2021 and later “will be automatically protected via a service-side change, but will be required to restart their Office applications for this to take effect.” Office 2016 and 2019 customers will have to wait for a forthcoming security update, but can protect themselves by applying registry keys as instructed (included below). Office Client 2016 and 2019 updates “will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE,” Microsoft said. The 7.8-rated vulnerability requires user interaction to be exploited. An attacker would have to send a malicious Office file and convince users to open it for an exploit to be successful. It is the second actively exploited zero-day vulnerability fixed by Microsoft this month, following CVE-2026-20805 fixed on Patch Tuesday. Microsoft has also released out-of-band Windows and Windows Server fixes this month for Windows and Outlook bugs. Microsoft said the new CVE-2026-21509 fix addresses a vulnerability that bypasses OLE (Object Linking and Embedding) mitigations in Microsoft 365 and Microsoft Office that protect users from vulnerable COM (Component Object Model)/OLE controls. COM/OLE is the framework that allows content from one application to be integrated into another, such as from an Excel spreadsheet into a Word document. The Preview Pane is not an attack vector, Microsoft noted.

Office 2016 and 2019 Mitigations

Microsoft said Office 2016 and 2019 customers can apply registry keys as described for immediate protection. Microsoft recommends first backing up your registry and exiting all Microsoft Office applications. Start the Registry Editor by tapping Start or pressing the Windows key on your keyboard,  then typing regedit and pressing enter.

Step 1

Locate the proper registry subkey. It will be one of the following: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\ (for 64-bit MSI Office, or 32-bit MSI Office on 32-bit Windows) or HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\ (for 32-bit MSI Office on 64-bit Windows) or HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office\16.0\Common\COM Compatibility\ (for 64-bit Click2Run Office, or 32-bit Click2Run Office on 32-bit Windows) or HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Office\16.0\Common\COM Compatibility\ (for 32-bit Click2Run Office on 64-bit Windows) Note: The COM Compatibility node may not be present by default and may need to be added by right-clicking the Common node and choosing Add Key.

Step 2

Add a new subkey named {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} by right-clicking the COM Compatibility node and choosing Add Key. Within that new subkey, add one new value by right-clicking the new subkey and choose New > DWORD (32-bit) Value, naming the new REG_DWORD value Compatibility Flags and assigning it a value of 400. Exit Registry Editor and start your Office application. Microsoft offered the following example: In Office 2016, 64-bit, on Windows you would locate this registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\ If the COM Compatibility node doesn't exist, you'll need to create it. Then add a subkey with the name {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}. The resulting path in this case is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}. To that subkey, add a REG_DWORD value called Compatibility Flags with a value of 400.  

The ShinyHunters and CL0P threat groups have returned with new claimed victims. ShinyHunters has resurfaced with a new onion-based data leak site, with the group publishing data allegedly stolen from three victims, with two apparently linked to recent vishing attacks targeting single sign-on (SSO) accounts at Okta, Microsoft and Google, which can lead to compromises of connected enterprise applications and services. In an email to The Cyber Express, a ShinyHunters spokesperson said “a lot more victims are to come from the new vishing campaign.” The CL0P ransomware group, meanwhile, has claimed 43 victims in recent days, its first victims since its exploitation of Oracle E-Business Suite vulnerabilities last year netted more than 100 victims. The group reportedly was targeting internet-facing Gladinet CentreStack file servers in its latest extortion campaign, but the threat group has posted no technical details to support the new claims.

ShinyHunters Returns

ShinyHunters has resurfaced following 2025 campaigns that saw breaches of PornHub and Salesforce environments and a “suspicious insider” at CrowdStrike. The group, which has also gone by Scattered LAPSUS$ Hunters, has claimed three new victims, all of whom have had confirmed breaches in recent weeks. One of the claimed victims is SoundCloud, which confirmed a breach in mid-December that the company said “consisted only of email addresses and information already visible on public SoundCloud profiles and affected approximately 20% of SoundCloud users.” Investment firm Betterment is another claimed victim with a recent confirmed breach. While it’s not clear if the incident is related to the ShinyHunters claims, the company reported a January 9 incident in which “an unauthorized individual gained access to certain Betterment systems through social engineering. This means the individual used identity impersonation and deception to gain access, rather than compromising our technical infrastructure. The unauthorized access involved third-party software platforms that Betterment uses to support our marketing and operations.” The third claimed victim is financial data firm Crunchbase, which confirmed a data exfiltration incident in a statement to SecurityWeek. ShinyHunters told The Cyber Express that only Crunchbase and Betterment are from the SSO vishing campaign. “We are releasing victims from many of our previous campaigns and ongoing campaigns onto our data leak site, not exclusively the SSO vishing campaign data thefts,” the spokesperson said. Meanwhile, a threat actor who goes by “LAPSUS-GROUP” has emerged recently on the BreachForums 5.0 cybercrime forum claiming data stolen from a Canadian retail SaaS company, but ShinyHunters told The Cyber Express that the actor is an “impersonator group” and has no connection to ShinyHunters.

CL0P Claims 43 New Victims

The Cl0p ransomware group appears to have launched a new extortion campaign, although it is not clear what vulnerabilities or services the group is targeting. The group listed 21 new victims last week, and then another 22 over the weekend. Alleged victims include a major hotel chain, an IT services company, a UK payment processing firm, a workforce management company, and a Canada-based mining company. In a note to clients today, threat intelligence company Cyble wrote, “At the time of reporting, Cl0p has not disclosed technical details, the volume or type of data allegedly exfiltrated, nor announced any ransom deadlines for these victims. No proof-of-compromise samples have been published. We continue to monitor the situation for further disclosures, validation of the victim listings, or escalation by the group.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five enterprise software flaws to its Known Exploited Vulnerabilities (KEV) Catalog in an 18-hour span. On January 22, CISA added vulnerabilities from Versa and Zimbra to the KEV catalog, along with flaws affecting Vite and Prettier developer tools. Today, CISA added a VMware vCenter Server vulnerability to the KEV catalog, the tenth exploited vulnerability added to the catalog this year. Per typical practice, CISA didn’t name the threat actors exploiting the vulnerabilities or say how the flaws are being exploited, noting only that “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” None of the vulnerabilities were marked as known to be exploited by ransomware groups.

Versa, Zimbra and VMware Enterprise Software Flaws

The Versa Concerto vulnerability is CVE-2025-34026, a 9.2-severity Improper Authentication vulnerability in the SD-WAN orchestration platform’s Traefik reverse proxy configuration that could allow an attacker to access administrative endpoints, including the internal Actuator endpoint, for access to heap dumps and trace logs. The issue affects Concerto from 12.1.2 through 12.2.0, although the National Vulnerability Database (NVD) notes that “Additional versions may be vulnerable.” Project Discovery revealed the vulnerability and two others last year. CVE-2024-37079 is a 9.8-rated Broadcom VMware vCenter Server out-of-bounds write/heap-overflow vulnerability in the implementation of the DCERPC protocol. “A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution,” the NVD entry says. The Cyber Express noted in a June 2024 article on CVE-2024-37079 and two other vCenter vulnerabilities, “With the global usage of the impacted product and the history of leveraging flaws impacting vCenter, there is strong potential for threat actors to leverage these critical vulnerabilities also.” CVE-2025-68645 is an 8.8-rated Local File Inclusion (LFI) vulnerability in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 that allows improper handling of user-supplied request parameters in the RestFilter servlet. “An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory,” says the NVD database.

Vite and Prettier Code Tool Vulnerabilities

CVE-2025-54313 is a high-severity embedded malicious code vulnerability affecting the eslint-config-prettier package for the Prettier code formatting tool that stems from a supply chain attack last July. The embedded malicious code in eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 can execute an install.js file that launches the node-gyp.dll malware on Windows, NVD notes. CVE-2025-31125 is a medium-to-high severity Improper Access Control vulnerability affecting Vite ViteJS, a frontend tooling framework for JavaScript. The vulnerability can expose the content of non-allowed files when apps explicitly expose the Vite dev server to the network. Th vulnerability is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.

The Bank of England’s CBEST cybersecurity assessment program found that financial organizations are failing when it comes to basic cybersecurity practices. The lengthy report doesn’t specify how widespread the financial firm cybersecurity failings are, but any lack of basic cybersecurity controls in the critically important financial services sector is alarming. The “CBEST thematic” is based on 13 CBEST assessments and penetration tests of financial firms and financial market infrastructures (FMIs). The report details failings in areas like patching and hardening, identity and access control, detection, encryption, network security, incident response and employee training. “Maintaining strong cyber hygiene is not a one-time exercise but a continuous effort to reduce exposures and strengthen resilience,” the BoE report said. “In today’s evolving threat landscape, tactical fixes alone are insufficient. While quick remediation may address immediate vulnerabilities, it often leaves underlying weaknesses unaddressed.” The report urged organizations to consider the underlying causes of cyber risk and systemic gaps that can lead to recurring vulnerabilities, such as poor asset management, weak identity and access controls, or inadequate third-party oversight. “Addressing these foundational issues will create sustainable security improvements rather than temporary patches,” the report said.

BoE Recommendations for Financial Firm Cybersecurity

The BoE report includes findings and recommendations spanning five cybersecurity areas, three on technical controls, one on detection and response, and one focusing on staff culture, awareness, and training. It also contained four broad recommendations:

• Patching, configuring and hardening was one. “To reduce the likelihood of severe cyberattacks firms and FMIs should look to harden operating systems, including by patching vulnerabilities and securely configuring key applications,” the report said.
• Preventing unauthorized access to sensitive systems and information can be helped with strong credential management and passwords, multi-factor authentication (MFA), secure credential storage, and network segmentation.
• Effective detection and monitoring and alerting and response processes “are key to reducing the impact from cyberattacks.”
• Risk-based remediation plans with proper oversight will “ensure the successful remediation of technical findings, including vulnerabilities.”

The full report also contains detailed recommendations from the UK's National Cyber Security Centre (NCSC).

Financial Cybersecurity Weaknesses Detailed

In the area of infrastructure and data security, the CBEST assessments found weaknesses in infrastructure security, asset management and application security. Findings included:

• Inconsistently configured endpoints and insufficiently hardened or unpatched systems
• A lack of encryption of data-at-rest

Identity management and access control weaknesses included weak enforcement of strong password standards and secure password storage, overly permissive access controls, and inadequate restrictions on administrator and service accounts. Weaknesses in detection and response included poorly tuned monitoring or alerting for endpoint detection and response and data exfiltration. Network monitoring weaknesses included inadequate traffic inspection for threats like attackers hiding malicious activities in seemingly legitimate traffic or enabling outbound connectivity from unmonitored devices. Network security weaknesses included inadequate network segmentation, such as segmentation between critical assets and between development and production environments, and inadequate application of least-privilege principles. Staff culture, awareness and training weaknesses included:

• Staff susceptible to social engineering tactics were more likely to be vulnerable to simulated attacks aimed at credentials or system access
• Users routinely storing credentials in unprotected locations such as in spreadsheets or in open file shares
• Insecure protocols for helpdesks, such as limited or no authentication of users

“Given the sophistication of some attackers, it is important that firms and FMIs are prepared to handle breaches effectively, rather than relying solely on protective controls,” the BoE report said. “In addition to technical measures, we continue to observe challenges in staff culture, awareness, and training, highlighting that technical measures alone are not sufficient.”

Threat Intelligence Programs Also Assessed

The CBEST assessments also found “a range of maturities across cyber threat intelligence management domains.” Threat Intelligence Operations was the strongest area in self-assessments, while Program Planning and Requirements had the lowest self-assessed score. “This suggests that although day-to-day threat intelligence operations are effective, the underlying aspects such as strategic planning, defining requirements, establishing governance frameworks, and mapping out long-term capabilities are less developed,” the BoE said. “As a result, firms and FMIs may experience a disconnect between the intelligence produced and their actual business or operational needs, potentially resulting in inefficient allocation of resources, and difficulties in scaling or evolving their threat intelligence programmes.”

The European Commission has proposed a new cybersecurity legislative package that proponents say will strengthen the security of the EU's Information and Communication Technologies (ICT) supply chains by phasing out “high-risk” mobile and telecom network products from countries deemed to be risky. In a statement, the Commission said the revised Cybersecurity Act “will enable the mandatory derisking of European mobile telecommunications networks from high-risk third-country suppliers, building on the work already carried out under the 5G security toolbox.” The legislation refers to networks more broadly: “ICT components or components that include ICT components provided by high-risk suppliers shall be phased out from the key ICT assets of mobile, fixed and satellite electronic communication networks.” Mobile networks would have 36 months to comply with the legislation. Transition periods for fixed and satellite electronic communications networks will be specified by the Commission through implementing acts.

Russia, China May Be Among ‘High-risk’ Telecom Network Suppliers

The legislation is short on specifics, leaving much of the details to be worked out after passage, but it appears that telecom network suppliers from Russia and China may be targeted under the legislation and implementing regulations. At one point the legislation cites a 2023 European Parliament resolution on foreign interference in democratic processes. The legislation states: “The European Parliament called on the Commission to develop binding ICT supply chain security legislation that addresses non-technical risk and to ‘exclude the use of equipment and software from manufacturers based in high-risk countries, particularly China and Russia’. Members of the European Parliament also called for urgent action to secure telecommunications infrastructure against undue foreign influence and security risks.” China’s foreign ministry and Huawei have already criticized the legislation, which would formalize a process under way since 2020 to remove network equipment perceived as high-risk. "A legislative proposal to limit or exclude non-EU suppliers based on country of origin, rather than factual evidence and technical standards, violates the EU's basic legal principles of fairness, non-discrimination, and proportionality, as well as its WTO obligations," a Huawei spokesperson was quoted by Reuters as saying. The legislation will apply to 18 critical sectors, which Reuters said will include detection equipment, connected and automated vehicles, electricity supply and storage systems, water supply systems, and drones and counter‑drone systems. Cloud services, medical devices, surveillance equipment, space services and semiconductors would also be affected.

The EU’s 'Secure by Design' Certification Process

The legislative package and revised Cybersecurity Act is aimed at ensuring “that products reaching EU citizens are cyber-secure by design through a simpler certification process,” the Commission’s statement said. The legislation also bolsters the EU Agency for Cybersecurity (ENISA) in its role in managing cybersecurity threats and certification processes. “The new Cybersecurity Act aims to reduce risks in the EU's ICT supply chain from third-country suppliers with cybersecurity concerns,” the Commission said. “It sets out a trusted ICT supply chain security framework based on a harmonised, proportionate and risk-based approach. This will enable the EU and Member States to jointly identify and mitigate risks across the EU's 18 critical sectors, considering also economic impacts and market supply.” The Act will ensure “that products and services reaching EU consumers are tested for security in a more efficient way,” the Commission stated. That will be accomplished through an updated European Cybersecurity Certification Framework (ECCF), which “will bring more clarity and simpler procedures, allowing certification schemes to be developed within 12 months by default.” Certification schemes managed by ENISA “will become a practical, voluntary tool for businesses.” In addition to ICT products, services, processes and managed security services, companies and organizations “will be able to certify their cyber posture to meet market needs. Ultimately, the renewed ECCF will be a competitive asset for EU businesses. For EU citizens, businesses and public authorities, it will ensure a high level of security and trust in complex ICT supply chains,” the Commission stated. The legislative package also includes amendments to the NIS2 Directive “to increase legal clarity,” and also aims to lower compliance costs for 28,700 companies in keeping with the Digital Omnibus process. Amendments will “simplify jurisdictional rules, streamline the collection of data on ransomware attacks and facilitate the supervision of cross-border entities with ENISA's reenforced coordinating role.” The Cybersecurity Act will become effective after approval by the European Parliament and the Council of the EU, while Member States will have one year to implement NIS2 Directive amendments after adoption.

Hacktivists became significantly more dangerous in 2025, moving beyond their traditional DDoS attacks and website defacements to target critical infrastructure and ransomware attacks. That’s one of the conclusions of a new blog post from Cyble adapted from the threat intelligence company’s 2025 Threat Landscape report. The trend began in earnest with Z-Pentest’s targeting of industrial control systems (ICS) in late 2024, and grew from there. Cyble said it expects those attacks to continue to grow in 2026, along with growing use of custom tools by hacktivists and “deepening alignment between nation-state interests and hacktivists.”

Hacktivist Attacks on Critical Infrastructure Soar

Z-Pentest was the most active of the hacktivist groups targeting ICS, operational technology (OT) and Human Machine Interface (HMI) environments. Dark Engine (Infrastructure Destruction Squad) and Sector 16 also persistently targeted ICS environments, while Golden Falcon Team, NoName057(16), TwoNet, RipperSec, and Inteid also claimed multiple ICS attacks. HMI and web-based Supervisory Control and Data Acquisition (SCADA) interfaces were the systems most frequently targeted by hacktivists. Virtual Network Computing (VNC) environments were targeted less frequently, but “posed the greatest operational risks to several industries,” Cyble said. Building Management Systems (BMS) and Internet of Things (IoT) or edge-layer controllers were also targeted by the groups, reflecting a wider trend toward exploiting poorly secured IoT interfaces. Europe was the primary region targeted by pro-Russian hacktivist groups, with Spain, Italy, the Czech Republic, France, Poland, and Ukraine the most frequent targets of those groups.

State Interests and Hacktivism Align

Cyble also noted increasing alignment between hacktivist groups and state-aligned interests. When Operation Eastwood disrupted NoName057(16)’s DDoS infrastructure in July 2025, the group rapidly rebuilt its capacity and resumed operations against Ukraine, the EU, and NATO, “underscoring the resilience of state-directed ecosystems,” Cyble said. U.S. indictments “further exposed alleged structured cooperation between Russian intelligence services and pro-Kremlin hacktivist fronts,” the blog post said. The Justice Department revealed GRU-backed financing and direction of the Cyber Army of Russia Reborn (CARR) and state-sanctioned development of NoName057(16)’s DDoSia platform. Z-Pentest has also been identified as part of the CARR ecosystem and linked to GRU. Pro-Ukrainian hacktivist groups are less formally connected to state interests, but groups like the BO Team and the Ukrainian Cyber Alliance launched data destruction, encryption and wiper attacks targeting “key Russian businesses and state machinery,” and Ukrainian actors also claimed to pass exfiltrated datasets to national intelligence services. Hacktivist groups Cyber Partisans BY (Belarus) and Silent Crow significantly compromised Aeroflot’s IT environment in a long-term breach, claiming to exfiltrate more than 20TB of data, sabotaging thousands of servers, and disrupting airline systems, a breach that was confirmed by Russia’s General Prosecutor. Other hacktivists aligned with state interests include BQT.Lock (BaqiyatLock, aligned with Hezbollah) and Cyb3r Av3ngers/Mr. Soul Team, which has been linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) and has also targeted critical infrastructure.

Hacktivist Sightings Surge 51%

Cyble said hacktivist sightings surged 51% in 2025, from 700,000 in 2024 to 1.06 million in 2025, “with the bulk of activity focused on Asia and Europe.” “Pro-Russian state-aligned hacktivists and pro-Palestinian, anti-Israel collectives continued to be the primary drivers of hacktivist activity throughout 2025, shaping the operational tempo and geopolitical focus of the threat landscape,” the researchers said. India, Ukraine and Israel were the countries most targeted by hacktivist activity in 2025 (chart below). [caption id="attachment_108842" align="aligncenter" width="825"] Hacktivist attacks by country in 2025 (Cyble)[/caption] Government & Law Enforcement, Energy & Utilities, Education, IT, Transportation & Logistics, and Manufacturing saw the most growth in hacktivist attacks, while the Agriculture & Livestock, Food & Beverages, Hospitality, Construction, Automotive, and Real Estate also saw increasing attack numbers. “Hacktivism has evolved into a geopolitically charged, ICS-focused threat, continuing to exploit exposed OT environments and increasingly weaponizing ransomware as a protest mechanism,” Cyble said. “In 2026, hacktivists and cybercriminals will increasingly target exposed HMI/SCADA systems and VNC takeovers, aided by public PoCs and automated scanning templates, creating ripple effects across the energy, water, transportation, and healthcare sectors,” the researchers predicted.

Ransomware and supply chain attacks set records in 2025, with ransomware attacks up more than 50% and supply chain attacks nearly doubling – trends that suggest further trouble ahead in 2026. Those are some of the data points from a new blog and annual threat landscape report from threat intelligence company Cyble. There were 6,604 ransomware attacks in 2025, 52% higher than the 4,346 attacks claimed by ransomware groups in 2024, according to Cyble data. And the year ended on an upswing for threat groups, with a near-record 731 ransomware attacks in December, behind only February 2025’s record totals (chart below). [caption id="attachment_108784" align="aligncenter" width="729"] Ransomware attacks by month 2021-2025 (Cyble)[/caption] Ransomware groups remained resilient and decentralized in 2025, and ransomware affiliates were quick to gravitate toward new leaders like Qilin in the wake of law enforcement disruptions.

Supply Chain Attacks Soared in 2025

Supply chain attacks soared by 93% in 2025, according to Cyble dark web researchers, as supply chain attacks claimed by threat groups surged from 154 incidents in 2024 to 297 in 2025 (chart below). [caption id="attachment_108785" align="aligncenter" width="717"] Supply chain attacks by month 2024-2025 (Cyble)[/caption] “As ransomware groups are consistently behind more than half of supply chain attacks, the two attack types have become increasingly linked,” Cyble noted. Supply chain attacks have declined since setting a record in October, but Cyble noted that “they remain above even the elevated trend that began in April 2025.” Every industry and sector tracked by Cyble was hit by a software supply chain attack in 2025, but the IT and Technology sectors were by far the most frequently hit because of the potential for expanding attacks into downstream customer environments. The sophistication of those attacks also grew. Supply chain attacks in 2025 “expanded far beyond traditional package poisoning, targeting cloud integrations, SaaS trust relationships, and vendor distribution pipelines,” Cyble said. “Adversaries are increasingly abusing upstream services—such as identity providers, package registries, and software delivery channels—to compromise downstream environments on a large scale.” Attacks on Salesforce through third-party integrations is one such example, as attackers “weaponized trust between SaaS platforms, illustrating how OAuth-based integrations can become high-impact supply chain vulnerabilities when third-party tokens have been compromised.”

Qilin Dominated Following RansomHub’s Decline

Qilin emerged as the leading ransomware group in April after RansomHub was hit by a possible act of sabotage by rival Dragonforce. Qilin claimed another 190 victims in December, besting a resurgent Lockbit and other leaders such as newcomer Sinobi. Qilin claimed 17% of all ransomware victims in 2025, well ahead of Akira, CL0P, Play and SafePay (chart below). Cyble noted that of the top five ransomware groups in 2025, only Akira and Play also made the list in 2024, as RansomHub and Lockbit declined and Hunters apparently rebranded as World Leaks. [caption id="attachment_108788" align="aligncenter" width="936"] 2025's top ransomware groups (Cyble)[/caption] Cyble documented 57 new ransomware groups, 27 new extortion groups and more than 350 new ransomware strains in 2025. Those new strains were “largely based on the MedusaLocker, Chaos, and Makop ransomware families,” Cyble said. Among new groups, Devman, Sinobi, Warlock and Gunra have targeted critical infrastructure, particularly in Government & Law Enforcement and Energy & Utilities, at an above-average rate. RALord/Nova, Warlock, Sinobi, The Gentlemen and BlackNevas have focused on the IT, Technology, and Transportation & Logistics sectors. The U.S. was by far the most attacked country, suffering 55% of all ransomware attacks in 2025. Canada, Germany, the UK, Italy and France rounded out the top six (chart below). [caption id="attachment_108789" align="aligncenter" width="936"] 2025 ransomware attacks by country (Cyble)[/caption] Construction, professional services and manufacturing were the industries most targeted by ransomware groups, followed by healthcare and IT (chart below). [caption id="attachment_108791" align="aligncenter" width="936"] 2025 ransomware attacks by sector (Cyble)[/caption] “The significant supply chain and ransomware threats facing security teams as we enter 2026 require a renewed focus on cybersecurity best practices that can help protect against a wide range of cyber threats,” Cyble concluded, listing best practices such as segmentation and strong access control and vulnerability management.

Former CISA Director Jen Easterly will become CEO of RSA Conference LLC and its flagship annual cybersecurity conference, RSAC announced today. Easterly will guide RSAC’s ambitious growth plans amid the growing convergence of AI and cybersecurity, the organization said. RSAC Conference became independent from security vendor RSA in 2022 and rebranded as RSAC last year. Easterly left CISA, the U.S. Cybersecurity and Infrastructure Security Agency, amid the transition to the second Trump Administration a year ago. Since Easterly’s departure, the agency has faced staff cuts and departures, a polygraph controversy, and her would-be successor, Sean Plankey, has yet to be confirmed and was renominated for the role earlier this week.

Jen Easterly Takes Over RSAC as AI and Security Converge

In a press release today, RSAC said Easterly takes over at an important moment, “as AI and cybersecurity rapidly converge to reshape every aspect of the global technology ecosystem.” As CEO, Easterly will provide direction for RSAC's portfolio, which includes its annual cybersecurity conference in San Francisco; international programming; the Innovation Sandbox contest that recognizes emerging cybersecurity startups; a growing professional membership program; education initiatives; and programs aimed at improving AI security, secure software development, and global collaboration. "RSAC is not just a conference—it's the home of the global cybersecurity community," Easterly said in a statement. "We're at a pivotal moment where cybersecurity and AI have become inseparable, and the world needs a trusted platform to bring together the people, ideas, and technologies that will shape the next decade. I'm honored to lead RSAC into its next chapter—expanding our international reach, strengthening our innovation ecosystem, and working with partners around the world to help build a future where technology is truly secure by design."

RSAC Expands Beyond Annual Conference

Easterly expanded on her comments in a LinkedIn post, writing that “For 35 years, RSAC has been the place where defenders, practitioners, innovators, researchers, policymakers, founders, and engineers come together to understand what’s happening today...and to build what comes next.” She referenced RSAC’s rebranding and expanded mission, noting that “as of last year, our borders are not confined to the flagship event in San Francisco. We are building RSAC to become a year-round hub for continuous learning and collaboration for the global cybersecurity community, revolving around our world-class content and unique insights.” The West Point graduate and military veteran brings more than thirty years of experience to her new role, which also includes senior positions at the National Security Agency (NSA)—where she helped build the U.S. Cyber Command—and as a senior technology leader at Morgan Stanley. “Easterly is one of the most influential global voices on secure-by-design technology, AI as a force for reducing cyber risk, and the transformation of digital infrastructure through resilience and innovation,” RSAC said. Hugh Thompson, Executive Chairman of RSAC and longtime Program Committee Chairman of the RSAC Conference, stated that "there has never been a more important time for the cybersecurity and AI communities to come together. I am thrilled to partner with Jen, the team at RSAC, and our community, as we bring the world together for our 35th annual flagship event in March. Over the years some of the most important conversations in cybersecurity have happened at RSAC and I believe our 2026 conference will be the most impactful event we've ever had." RSAC 2026 Conference will take place at the Moscone Center in San Francisco March 23-26 and is expected to attract more than 40,000 attendees from around the world.  

AI is expected to be “the most significant driver of change in cybersecurity” this year, according to the World Economic Forum’s annual cybersecurity outlook. That was the view of 94% of the more than 800 cybersecurity leaders surveyed by the organization for its Global Cybersecurity Outlook 2026 report published this week. The report, a collaboration with Accenture, also looked at other cybersecurity concerns such as geopolitical risk and preparedness, but AI security issues are what’s most on the minds of CEOs, CISOs and other top security leaders, according to the report. One interesting data point in the report is a divergence between CEOs and CISOs. Cyber-enabled fraud is now the top concern of CEOs, who have moved their focus from ransomware to “emerging risks such as cyber-enabled fraud and AI vulnerabilities.” CISOs, on the other hand, are more concerned about ransomware and supply chain resilience, more in line with the forum’s 2025 report. “This reflects how cybersecurity priorities diverge between the boardroom and the front line,” the report said.

Top AI Security Concerns

C-level leaders are also concerned about AI-related vulnerabilities, which were identified as the fastest-growing cyber risk by 87% of respondents (chart below). Cyber-enabled fraud and phishing, supply chain disruption, exploitation of software vulnerabilities and ransomware attacks were also cited as growing risks by more than half of survey respondents, while insider threats and denial of service (DoS) attacks were seen as growing concerns by about 30% of respondents. [caption id="attachment_108654" align="aligncenter" width="1041"] Growing cybersecurity risks (World Economic Forum)[/caption] The top generative AI (GenAI) concerns include data leaks exposing personal data, advancement of adversarial capabilities (phishing, malware development and deepfakes, for example), the technical security of the AI systems themselves, and increasingly complex security governance (chart below). [caption id="attachment_108655" align="aligncenter" width="1038"] GenAI security concerns[/caption]

Concern About AI Security Leads to Action

The increasing focus on AI security is leading to action within organizations, as the percentage of respondents assessing the security of AI tools grew from 37% in 2025 to 64% in 2026. That is helping to close “a significant gap between the widespread recognition of AI-driven risks and the rapid adoption of AI technologies without adequate safeguards,” the report said, as more organizations are introducing structured processes and governance models to more securely manage AI. About 40% of organizations conduct periodic reviews of their AI tools before deploying them, while 24% do a one-time assessment, and 36% report no assessment or no knowledge of one. The report called that “a clear sign of progress towards continuous assurance,” but noted that “roughly one-third still lack any process to validate AI security before deployment, leaving systemic exposures even as the race to adopt AI in cyber defences accelerates.” The forum report recommended protecting data used in the training and customization of AI models from breaches and unauthorized access, developing AI systems with security as a core principle, incorporating regular updates and patches, and deploying “robust authentication and encryption protocols to ensure the protection of customer interactions and data.”

AI Adoption in Security Operations

The report noted the impact of AI on defensive cybersecurity tools and operations. “AI is fundamentally transforming security operations – accelerating detection, triage and response while automating labour-intensive tasks such as log analysis and compliance reporting,” the report said. “AI’s ability to process vast datasets and identify patterns at speed positions it as a competitive advantage for organizations seeking to stay ahead of increasingly sophisticated cyberthreats.” The survey found that 77% of organizations have adopted AI for cybersecurity purposes, primarily to enhance phishing detection (52%), intrusion and anomaly response (46%), and user-behavior analytics (40%). Still, the report noted a need for greater knowledge and skills in deploying AI for cybersecurity, a need for human oversight, and uncertainty about risk as the biggest obstacles facing AI adoption in cybersecurity. “These findings indicate that trust is still a barrier to widespread AI adoption,” the report said. Human oversight remains an important part of security operations even among those organizations that have incorporated AI into their processes. “While AI excels at automating repetitive, high-volume tasks, its current limitations in contextual judgement and strategic decision-making remain clear,” the report said. “Over-reliance on ungoverned automation risks creating blind spots that adversaries may exploit.” Adoption of AI cybersecurity tools varies by industry, the report found. The energy sector prioritizes intrusion and anomaly detection, according to 69% of respondents who have implemented AI for cybersecurity. The materials and infrastructure sector emphasizes phishing protection (80%); and the manufacturing, supply chain and transportation sector is focused on automated security operations (59%).

Geopolitical Cyber Threats

Geopolitics was the top factor influencing overall cyber risk mitigation strategies, with 64% of organizations accounting for geopolitically motivated cyberattacks such as disruption of critical infrastructure or espionage. The report also noted that “confidence in national cyber preparedness continues to erode” in the face of geopolitical threats, with 31% of survey respondents “reporting low confidence in their nation’s ability to respond to major cyber incidents,” up from 26% in the 2025 report. Respondents from the Middle East and North Africa express confidence in their country’s ability to protect critical infrastructure (84%), while confidence is lower among respondents in Latin America and the Caribbean (13%). “Recent incidents affecting key infrastructure, such as airports and hydroelectric facilities, continue to call attention to these concerns,” the report said. “Despite its central role in safeguarding critical infrastructure, the public sector reports markedly lower confidence in national preparedness.” And 23% of public-sector organizations said they lack sufficient cyber-resilience capabilities, the report found.  

Microsoft’s Patch Tuesday January 2026 update includes fixes for one actively-exploited zero day vulnerability and eight additional high-risk flaws. In all, the Patch Tuesday January 2026 update includes fixes for 112 Microsoft CVEs and three non-Microsoft CVEs, doubling December’s 57 vulnerabilities. The actively exploited zero day is CVE-2026-20805, a 5.5-rated Information Disclosure vulnerability affecting Desktop Window Manager (DWM). The vulnerability find is credited to Microsoft’s own Threat Intelligence Center and Security Response Center (MSRC). Microsoft says of the vulnerability, “Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally.” CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog shortly after Microsoft’s announcement. Other vendors issuing updates this week include Fortinet, SAP, ServiceNow, and Adobe, among others.

Patch Tuesday January 2026 High-Risk Vulnerabilities

Microsoft judged eight vulnerabilities as “exploitation more likely.” They include: CVE-2026-20816, a 7.8-rated Windows Installer Elevation of Privilege vulnerability credited to a DCIT security researcher. The time-of-check time-of-use (toctou) race condition in Windows Installer could allow an authorized attacker to elevate privileges locally, potentially gaining SYSTEM privileges. CVE-2026-20817, a 7.8-severity Windows Error Reporting Service Elevation of Privilege vulnerability. Microsoft notes that “Improper handling of insufficient permissions or privileges in Windows Error Reporting allows an authorized attacker to elevate privileges locally,” potentially leading to SYSTEM privileges. GMO Cybersecurity was credited with the find. CVE-2026-20820 is a 7.8-rated Windows Common Log File System (CLFS) Driver Elevation of Privilege vulnerability. The heap-based buffer overflow in Windows Common Log File System Driver could allow an authorized attacker to elevate privileges locally and attain SYSTEM privileges. CVE-2026-20840 is 7.8-severity Windows NTFS Remote Code Execution vulnerability credited to Sergey Tarasov of Positive Technologies. The heap-based buffer overflow vulnerability in Windows NTFS could allow an authorized attacker to execute code locally. CVE-2026-20843 is another 7.8-rated flaw, a Windows Routing and Remote Access Service (RRAS) Elevation of Privilege vulnerability. Improper access control in Windows Routing and Remote Access Service (RRAS) could allow an authorized attacker to elevate privileges locally, potentially gaining SYSTEM privileges. CVE-2026-20860 is also rated 7.8, a Windows Ancillary Function Driver for WinSock Elevation of Privilege vulnerability credited to DEVCORE. The type confusion vulnerability in Windows Ancillary Function Driver for WinSock could allow an authorized attacker to elevate privileges locally. CVE-2026-20871, a Desktop Windows Manager Elevation of Privilege vulnerability, is also rated 7.8 and is credited to the Trend Zero Day Initiative. The use after free vulnerability in Desktop Windows Manager could allow an authorized attacker to elevate privileges locally. CVE-2026-20922 is also rated 7.8, a Windows NTFS Remote Code Execution vulnerability also credited to Tarasov. The heap-based buffer overflow vulnerability in Windows NTFS could allow an authorized attacker to execute code locally.

Highest-Rated Vulnerabilities in the Patch Tuesday Update

The highest-rated vulnerabilities in the report – three 8.8-severity flaws – were judged to be at lower risk of attack by Microsoft. They include:

• CVE-2026-20947, a Microsoft SharePoint Server Remote Code Execution/SQL Injection vulnerability
• CVE-2026-20963, a Microsoft SharePoint Remote Code Execution/Deserialization of Untrusted Data vulnerability
• CVE-2026-20868, a Windows Routing and Remote Access Service (RRAS) Remote Code Execution/Heap-based Buffer Overflow vulnerability

 

A new Android banking malware can launch ransomware attacks in addition to more typical activities like credential theft and user surveillance. The “deVixor” remote access trojan (RAT) was detailed by Cyble researchers in a new blog post. While focused on Iranian banking users for now, the malware developer’s active Telegram channel suggests that the malware could eventually find wider use. As Cyble noted, “The channel’s growing subscriber base further supports the assessment that deVixor is being maintained and distributed as an ongoing criminal service rather than a short-lived operation.” “DeVixor demonstrates how modern Android banking malware has evolved into a scalable, service-driven criminal platform capable of compromising devices over the long term and facilitating financial abuse,” the researchers added.

Android Banking Malware DeVixor’s Many Capabilities

The deVixor campaign has been active since October, targeting Iranian users through phishing websites that masquerade as legitimate automotive businesses promising deep discounts to lure users into downloading malicious APK files. Cyble said its analysis of more than 700 samples “indicates with high confidence that the threat actor has been conducting a mass infection campaign leveraging Telegram-based infrastructure, enabling centralized control, rapid updates, and sustained campaign evolution.” DeVixor has evolved from basic SMS harvesting into a full-featured RAT that offers bank fraud, credential theft, ransomware, and device surveillance from a single platform. The Android banking malware uses Firebase for command delivery and a Telegram-based bot infrastructure for administration, “allowing attackers to manage infections at scale and evade traditional detection mechanisms.” Evolving from early versions that primarily focused on collecting PII and harvesting banking-related SMS messages, the malware has evolved rapidly, adding banking-related overlay attacks, keylogging, ransomware attacks, Google Play Protect bypass techniques, and exploitation of Android’s Accessibility Service. The RAT uses a Telegram bot–based admin panel for issuing commands, and each APK deployed is assigned a unique Bot ID stored in a local port.json file, allowing the operator to monitor and control individual devices. Cyble listed nearly 50 commands that the malware can execute. DeVixor can harvest OTPs, account balances, card numbers, and messages from banks and cryptocurrency exchanges. It captures banking credentials by loading legitimate banking pages inside a WebView-based JavaScript injection. The malware can also collect all device notifications, capture keystrokes, prevent uninstallation, hide its presence, harvest contacts, and take screenshots. “Android banking malware has progressed well beyond basic credential-harvesting threats, evolving into sophisticated remote access toolkits maintained as persistent, service-driven criminal operations,” the researchers said. “The modular command architecture, persistent configuration mechanisms, and an active development cycle all indicate that deVixor is not an isolated campaign, but a maintained and extensible criminal service,” Cyble said.

Android Ransomware

The Android banking malware also includes “a remotely triggered ransomware module capable of locking devices and demanding cryptocurrency payments,” the researchers said. After the RANSOMWARE command is issued, the malware receives the attacker-supplied parameters, including the ransom note, a TRON cryptocurrency wallet address, and the ransom demand. Details are stored locally in a file called LockTouch.json, which retains the ransomware infection across device reboots. Based on screenshots posted on the threat actor’s Telegram channel, deVixor locks the victim’s device and displays the ransom message “Your device is locked. Deposit to unlock,” along with the attacker’s TRON wallet address. The malware also sends device identifiers and ransom-related details to the command and control (C&C) server to track victim status and compliance with demands.

Threat actors are targeting LLMs in a widespread reconnaissance campaign that could be the first step in cyberattacks on exposed AI models, according to security researchers. The attackers scanned for every major large language model (LLM) family, including OpenAI-compatible and Google Gemini API formats, looking for “misconfigured proxy servers that might leak access to commercial APIs,” according to research from GreyNoise, whose honeypots picked up 80,000 of the enumeration requests from the threat actors. “Threat actors don't map infrastructure at this scale without plans to use that map,” the researchers said. “If you're running exposed LLM endpoints, you're likely already on someone's list.”

LLM Reconnaissance Targets ‘Every Major Model Family’

The researchers said the threat actors were probing “every major model family,” including:

• OpenAI (GPT-4o and variants)
• Anthropic (Claude Sonnet, Opus, Haiku)
• Meta (Llama 3.x)
• DeepSeek (DeepSeek-R1)
• Google (Gemini)
• Mistral
• Alibaba (Qwen)
• xAI (Grok)

The campaign began on December 28, when two IPs “launched a methodical probe of 73+ LLM model endpoints,” the researchers said. In a span of 11 days, they generated 80,469 sessions, “systematic reconnaissance hunting for misconfigured proxy servers that might leak access to commercial APIs.” Test queries were “deliberately innocuous with the likely goal to fingerprint which model actually responds without triggering security alerts” (image below). [caption id="attachment_108529" align="aligncenter" width="908"] Test queries used by attackers targeting LLMs (GreyNoise)[/caption] The two IPs behind the reconnaissance campaign were: 45.88.186.70 (AS210558, 1337 Services GmbH) and 204.76.203.125 (AS51396, Pfcloud UG). GreyNoise said both IPs have “histories of CVE exploitation,” including attacks on the “React2Shell” vulnerability CVE-2025-55182, TP-Link Archer vulnerability CVE-2023-1389, and more than 200 other vulnerabilities. The researchers concluded that the campaign was a professional threat actor conducting reconnaissance operations to discover cyberattack targets. “The infrastructure overlap with established CVE scanning operations suggests this enumeration feeds into a larger exploitation pipeline,” the researchers said. “They're building target lists.”

Second LLM Campaign Targets SSRF Vulnerabilities

The researchers also detected a second campaign targeting server-side request forgery (SSRF) vulnerabilities, which “force your server to make outbound connections to attacker-controlled infrastructure.” The attackers targeted the honeypot infrastructure’s model pull functionality by injecting malicious registry URLs to force servers to make HTTP requests to the attacker’s infrastructure, and they also targeted Twilio SMS webhook integrations by manipulating MediaUrl parameters to trigger outbound connections. The attackers used ProjectDiscovery's Out-of-band Application Security Testing (OAST) infrastructure to confirm successful SSRF exploitation through callback validation. A single JA4H signature appeared in almost all of the attacks, “pointing to shared automation tooling—likely Nuclei.” 62 source IPs were spread across 27 countries, “but consistent fingerprints indicate VPS-based infrastructure, not a botnet.” The researchers concluded that the second campaign was likely security researchers or bug bounty hunters, but they added that “the scale and Christmas timing suggest grey-hat operations pushing boundaries.” The researchers noted that the two campaigns “reveal how threat actors are systematically mapping the expanding surface area of AI deployments.”

LLM Security Recommendations

The researchers recommended that organizations “Lock down model pulls ... to accept models only from trusted registries. Egress filtering prevents SSRF callbacks from reaching attacker infrastructure.” Organizations should also detect enumeration patterns and “alert on rapid-fire requests hitting multiple model endpoints,” watching for fingerprinting queries such as "How many states are there in the United States?" and "How many letter r..." They should also block OAST at DNS to “cut off the callback channel that confirms successful exploitation.” Organizations should also rate-limit suspicious ASNs, noting that AS152194, AS210558 and AS51396 “all appeared prominently in attack traffic,” and they should also monitor JA4 fingerprints. ‍

The FBI is warning that that the North Korean threat group Kimsuky is targeting organizations with spearphishing campaigns using malicious QR codes, a tactic known as “Quishing.” The Quishing campaigns appear to be primarily directed at organizations in the U.S. and elsewhere that are involved in foreign policy linked to North Korea, or as the FBI advisory put it, “NGOs, think tanks, academia, and other foreign policy experts with a nexus to North Korea.” Since last year, Kimsuky threat actors have targeted “think tanks, academic institutions, and both U.S. and foreign government entities with embedded malicious Quick Response (QR) codes in spearphishing campaigns,” the FBI said.

FBI Details Kimsuky QR Spearphishing Incidents

The FBI cited four incidents in May and June 2025 where Kimsuky actors used malicious QR codes in targeted spearphishing campaigns. In one May 2025 incident, Kimsuky threat actors impersonated “a foreign advisor” in an email “requesting insight from a think tank leader regarding recent developments on the Korean Peninsula.” The email contained a malicious QR code for the recipient to scan to access a questionnaire. Later that month, Kimsuky actors spoofed an embassy employee in an email seeking input “from a senior fellow at a think tank regarding North Korean human rights issues.” That email contained a QR code that claimed to offer access to a secure drive. Also that month, the North Korean threat actors impersonated a think tank employee in an email with a QR code “that, when scanned, would take the targeted individual to Kimsuky infrastructure designed to conduct malicious activity.” In June 2025, Kimsuky threat actors “sent a strategic advisory firm a spearphishing email inviting recipients to a non-existent conference.” The email included a QR code that took recipients to a registration landing page that included a registration button. That button “took visitors to a fake Google account login page, where users could input their login credentials for harvesting.” It’s not the first time the FBI and other agencies have warned of Kimsuky and other North Korean threat actors targeting organizations involved in foreign policy; a similar warning was issued in 2023 of a spearphishing campaign that targeted think tanks, academic institutions and news organizations.

FBI Defines Quishing Tactics and Procedures

The FBI said Quishing attacks use QR codes “to force victims to pivot from their corporate endpoint to a mobile device, bypassing traditional email security controls.” QR images are typically sent as email attachments or embedded graphics to evade URL inspection and sandboxing, the agency said. Victims are typically re-routed by the attacks to collect “device and identity attributes such as user-agent, OS, IP address, locale, and screen size in order to selectively present mobile-optimized credential harvesting pages impersonating Microsoft 365, Okta, or VPN portals.” Quishing attacks “frequently end with session token theft and replay, enabling attackers to bypass multi-factor authentication and hijack cloud identities without triggering typical ‘MFA failed’ alerts,” the FBI said. The compromised mailbox can then be used for additional spearphishing attacks.

Protecting Against QR and Quishing Attacks

The FBI recommends “a multi-layered security strategy to address the unique risks posed by QR code-based spearphishing.” The agency’s recommendations include:

• Employees should be educated on the risks of scanning unsolicited QR codes regardless of where they came from, and organizations should implement training programs to help users recognize social engineering tactics involving QR codes, “including urgent calls to action and impersonation of trusted entities.”
• Organizations should also have clear processes for reporting suspicious QR codes and other phishing attempts.
• QR code sources should first be verified by contacting the sender directly, “especially before entering login credentials or downloading files.”
• Organizations should deploy mobile device management (MDM) or endpoint security solutions that can analyze QR-linked URLs before permitting access to web resources.
• Phishing-resistant MFA should be required for all remote access and sensitive systems, and a strong password policy should be implemented.
• All credential entry and network activity following QR code scans should be logged and monitored for possible compromises.
• Access privileges should be reviewed according to zero trust principles, and regular audits should be conducted for unused or excessive account permissions.

The FBI encouraged organizations to establish a liaison relationship with the FBI Field Office in their region and to report malicious activity at fbi.gov/contact-us/field-offices.

A 16-year-old Microsoft PowerPoint flaw and a new maximum-severity HPE vulnerability are the latest additions to CISA’s Known Exploited Vulnerabilities (KEV) catalog. CVE-2025-37164 is a 10.0-rated Code Injection vulnerability in Hewlett Packard Enterprise’s OneView IT infrastructure management software, while CVE-2009-0556 is a 9.3-severity Code Injection vulnerability present in Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3, and PowerPoint in Microsoft Office 2004 for Mac. Per standard practice, CISA didn’t provide any details on how the PowerPoint and HPE vulnerabilities are being exploited, but it’s not unusual for the agency to add older vulnerabilities to the CISA KEV catalog. CISA added a 2007 Microsoft Excel vulnerability to the KEV catalog last year, while the oldest vulnerability in the catalog remains CVE-2002-0367, a privilege escalation vulnerability in the Windows NT and Windows 2000 smss.exe debugging subsystem that has been known to be used by ransomware groups. The PowerPoint and HPE vulnerabilities are the first to be added to the KEV catalog in 2026, following 245 vulnerabilities added in 2025.

CISA KEV Addition Follows CVE-2025-37164 PoC

CISA’s addition of CVE-2025-37164 to the KEV catalog follows a Proof of Concept (PoC) exploit published by Rapid7 on Dec. 19. HPE notes that CVE-2025-37164 could allow a remote unauthenticated user to perform remote code execution. The company acknowledged Nguyen Quoc Khanh for reporting the issue. HPE has released a security hotfix for any version of HPE OneView from 5.20 through version 10.20, which must be reapplied after an appliance upgrade from HPE OneView version 6.60.xx to 7.00.00, including any HPE Synergy Composer reimage. While the HPE advisory says all versions through v10.20 are affected, the Rapid7 PoC notes that “Based on our analysis, we suspect that only ‘HPE OneView for VMs’ version 6.x is vulnerable to CVE-2025-37164, whereas all unpatched versions of ‘HPE OneView for HPE Synergy’ are vulnerable to CVE-2025-37164. More clarification is needed from the vendor to confirm or deny this hypothesis.” Rapid7 also released a Metasploit module for CVE-2025-37164.

CVE-2009-0556 PowerPoint Flaw First Attacked in 2009

The Microsoft PowerPoint flaw could allow remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an invalid index value that triggers memory corruption. The National Vulnerability Database (NVD) notes that CVE-2009-0556 was initially exploited in the wild in April 2009 by Exploit:Win32/Apptom.gen. Microsoft’s May 2009 security bulletin notes that an attacker who successfully exploited the remote code execution vulnerability “could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” The vulnerability triggers memory corruption when PowerPoint reads an invalid index value in a maliciously crafted PowerPoint file, which could allow an attacker to execute arbitrary code. Microsoft notes that “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”  

Infostealer infections compounded by a lack of multi-factor authentication (MFA) have resulted in dozens of breaches at major global companies and calls for greater MFA use. The issue came to light in a Hudson Rock post that detailed the activity of a threat actor operating under the aliases “Zestix” and “Sentap.” The threat actor has auctioned data stolen from the corporate file-sharing portals of roughly 50 major global enterprises, targeting ShareFile, OwnCloud, and Nextcloud instances “belonging to critical entities across the aviation, robotics, housing, and government infrastructure sectors,” the report said, taking pains to note that lack of MFA was the primary cause. “... these catastrophic security failures were not the result of zero-day exploits in the platform architecture, but rather the downstream effect of malware infections on employee devices combined with a critical failure to enforce Multi-Factor Authentication (MFA),” the report said. Cyble’s threat intelligence database contains 56 dark web reports and client advisories on Zestix and Sentap going back to mid-2024, and the threat actor appears be connected to a significantly older X/Twitter account, according to a May 2025 Cyble profile. DarkSignal recently did an extensive profile of the threat actor.

Infostealers and No MFA Make Attacks Easy

The Hudson Rock report looked at 15 data breaches claimed by Zestix/Sentap and noted a common attack flow:

• Infection: “An employee inadvertently downloads a malicious file. The infostealer executes and harvests all saved credentials and browser history.”
• Aggregation: “These logs are aggregated in massive databases on the dark web. Zestix parses these logs specifically looking for corporate cloud URLs (ShareFile, Nextcloud).”
• Access: “Zestix simply uses the valid username and password extracted from the logs. Because the organizations listed below did not enforce MFA, the attacker walks right in through the front door. No exploits, no cookies – just a password.”

“The era where brute-force attacks reigned supreme is waning,” the report said. “In its place, the Infostealer ecosystem has risen to become the primary engine of modern cybercrime. “Contrary to attacks involving sophisticated cookie hijacking or session bypasses, the Zestix campaign highlights a far more pedestrian – yet equally devastating – oversight: The absence of Multi-Factor Authentication (2FA).” Zestix relies on Infostealer malware such as RedLine, Lumma, or Vidar to infect personal or professional devices – and sometimes the gap between malware infection and exploitation is a long one, as old infostealer logs have led to new cyberattacks in some cases. “A critical finding in this investigation is the latency of the threat,” Hudson Rock said. “While some credentials were harvested from recently infected machines, others had been sitting in logs for years, waiting for an actor like Zestix to exploit them. This highlights a pervasive failure in credential hygiene; passwords were not rotated, and sessions were never invalidated, turning a years-old infection into a present-day catastrophe.”

ownCloud Calls for Greater MFA Use

ownCloud responded to the report with a call for greater MFA use by clients. In a security advisory, the company said, “The ownCloud platform was not hacked or breached. The Hudson Rock report explicitly confirms that no zero-day exploits or platform vulnerabilities were involved.” Stolen credentials from infostealer logs were "used to log in to ownCloud accounts that did not have Multi-Factor Authentication (MFA) enabled. As the report notes: ‘No exploits, no cookies—just a password.’” ownCloud said clients should immediately enable MFA on their ownCloud instances if they haven’t done so already. “MFA adds a critical second layer of verification that prevents unauthorized access even when credentials are compromised,” the company said. Recommended steps include:

• Enabling MFA on all user accounts using ownCloud’s two-factor authentication apps
• Resetting passwords for all users and requiring “strong, unique credentials”
• Reviewing access logs for suspicious activity
• Invalidating active sessions to force re-authentication with MFA

 

The hacking group Crimson Collective claims to have access to Brightspeed’s infrastructure and is disconnecting users from the company’s home internet services. The group made its latest claims in a post on Telegram yesterday. “Hey BrightSpeed, we disconnected alot of your users home internet.. they might be complaining you should check,” the Telegram post says. Asked by The Cyber Express how the group was able to do this, a Crimson Collective spokesperson replied, “we were able to do this with the access we had on their infrastructure,” suggesting that the extent of the claimed breach may go beyond customer data access. The Cyber Express reached out to Brightspeed to see if the company could confirm or deny Crimson Collective’s claims and will update this article with any response. So far the company has said only that it is “investigating reports of a cybersecurity event,” so any claims by the hacker group remain unconfirmed.

Crimson Collective’s Brightspeed Claims and Customer Risk

In a January 4 Telegram post, Crimson Collective claimed that the group had breached Brightspeed and obtained the personal data of more than a million residential customers of the U.S. fiber broadband provider. A day later, the threat group released a data sample to back up those claims. The group is also trying to sell the data, suggesting that any negotiations that may have taken place with Brightspeed had failed to progress. Crimson Collective claims to possess a wide range of data on Brightspeed customers, including names, email addresses, phone numbers, billing and service addresses, account status, network type, service instances, network assignments, IP addresses, latitude and longitude coordinates, payment history, payment card types and masked card numbers (last 4 digits), expiry dates, bank identification numbers (BINs), appointment and order records, and more. The data doesn’t include password or full credit card numbers that could put users at imminent risk of breach or theft, but the hacker group told The Cyber Express that “Every PII is important, with all this data people can easily start big sophisticated phishing campaigns or even get access to specific people's infrastructure.” Noelle Murata, Senior Security Engineer at Xcape, agreed that the data holds potential value for cybercriminals. “The stolen data reportedly includes payment card details and account histories that create opportunities for identity theft and sophisticated social engineering scams and are particularly dangerous when targeting a demographic that may be less digitally savvy,” Murata said in a statement shared with The Cyber Express.

Crimson Collective: An Emerging Threat

Crimson Collective first emerged last year with a Red Hat GitLab breach that exposed client Customer Engagement Reports (CERs) and other potentially sensitive data about client infrastructure. Murata said the Brightspeed attack “aligns with the Crimson Collective's pattern of exploiting cloud misconfigurations and leaked AWS credentials to bypass security measures.” The timing of the attack, coming just after the New Year holiday, is a possible example of "holiday hunting," where cybercriminals exploit reduced IT staffing over holidays, Murata said. “Service providers in rural and suburban areas often operate with limited security resources but face the same threats as larger urban carriers,” Murata said. “Transparency, prompt customer notification, and immediate containment will be crucial in the coming days.”

A hacktivist exposed and deleted three white supremacist websites during a presentation at a conference last week. The hacker and self-described journalist, who goes by Martha Root, appeared onstage dressed as Pink Ranger from the Power Rangers at the Chaos Communication Congress in Hamburg, Germany, and was joined by journalists Eva Hoffmann and Christian Fuchs. Near the end of the presentation, Root remotely deleted the servers of WhiteDate, WhiteChild and WhiteDeal to cheers from the audience. The owner of the dating, family and job sites confirmed the hack in a post on X, writing, “At min 43, they publicly delete all my websites while the audience rejoices. This is cyberterrorism. No wonder some of them hide their faces. But we will find them, and trust me, there will be repercussions.”

White Supremacist Websites Data Leaked

Root was able to extract significant data from more than 6,000 users from WhiteDate and published much of it on the site okstupid.lol, an apparent pun referencing OkCupid. Root did not include emails and private messages “for now,” but also apparently shared the full data set with DDoSecrets and HaveIBeenPwned. Root wrote on okstupid that their investigation into WhiteDate revealed “Poor cybersecurity hygiene that would make even your grandma’s AOL account blush,” “Image metadata (EXIF) so revealing, it practically hands out home addresses with a side of awkward selfies,” and “A gender ratio that makes the Smurf village look like a feminist utopia.” “Imagine calling yourselves the "master race" but forgetting to secure your own website—maybe try mastering to host Wordpress before world domination,” Root taunted on the site. Root mapped the user data on an interactive map, and indeed, the location data is precise, with specific digital latitude and longitude coordinates capable of identifying a user’s address. Coupled with additional information such as profile pictures and the redacted email addresses, user identification would appear to be possible in many cases.

Chatbot Used to Investigate White Supremacist Dating Site

Root also used a custom AI chatbot to interact with users and scale data collection. As they noted in a video, “Some of WhiteDate’s most dedicated Aryan suitors spent weeks chatting with a chatbot, trained, prompted, monitored by me. And while they flirted with their perfect trad wife, I collected data.” According to their abstract, Root, Hoffmann and Fuchs claim that "After months of observation, classic OSINT research, automated conversation analysis, and web scraping, we discovered who is behind these platforms and how their infrastructure works." According to HaveIBeenPwned, the WhiteDate data set includes Ages, Astrological signs, Bios, Education levels, Email addresses, Family structure, Genders, Geographic locations, Income levels, IQ levels, Nicknames, Physical attributes, Profile photos, Races, Relationship status and Sexual orientation. HaveIBeenPwned labeled the data as “sensitive,” and noted, “As this breach has been flagged as sensitive, it is not publicly searchable.” Users must sign in to their dashboard to review search results, and DDoSecrets has restricted access to the data too. The name Martha Root appears to be a pseudonym taken from an American peace activist from the early 20th century.

After stabilizing in 2024, the growth of known exploited vulnerabilities accelerated in 2025. That was one conclusion from Cyble’s analysis of CISA’s Known Exploited Vulnerability (KEV) catalog data from 2025. After growing at roughly 21% in 2023, with 187 vulnerabilities added to the CISA KEV catalog that year, growth slowed to about 17% in 2024, with 185 vulnerabilities added. Growth in exploited vulnerabilities reaccelerated in 2025, with 245 vulnerabilities added to the KEV database, for a roughly 20% growth rate. The KEV catalog ended 2025 with 1,484 software and hardware flaws at high risk of attack. The 245 flaws added in 2025 is also more than 30% above the trend of 185 to 187 vulnerabilities added the previous two years. Cyble also examined vulnerabilities exploited by ransomware groups, the vendors and projects with the most KEV additions (and several that actually improved), and the most common exploited software weaknesses (CWEs).

Older Vulnerabilities Added to CISA KEV Also Grew

Older vulnerabilities added to the CISA KEV catalog also grew in 2025, Cyble said. After adding an average of 65 older vulnerabilities to the KEV catalog in 2023 and 2024, CISA added 94 vulnerabilities from 2024 and earlier to the catalog in 2025, an increase of nearly 45% from the 2023-2024 average. The oldest vulnerability added to the KEV catalog last year was CVE-2007-0671, a Microsoft Office Excel Remote Code Execution vulnerability. The oldest vulnerability in the catalog remains CVE-2002-0367, a privilege escalation vulnerability in the Windows NT and Windows 2000 smss.exe debugging subsystem that has been known to be used by ransomware groups, Cyble said. CISA removed at least one vulnerability from the KEV catalog in 2025. CVE-2025-6264 is a Velociraptor Incorrect Default Permissions vulnerability that CISA determined had “insufficient evidence of exploitation,” Cyble noted.

Vulnerabilities Targeted in Ransomware Attacks

CISA marked 24 of the vulnerabilities added in 2025 as known to be exploited by ransomware groups, Cyble said. Those vulnerabilities include some well-known flaws such as CVE-2025-5777 (dubbed “CitrixBleed 2”) and Oracle E-Business Suite vulnerabilities targeted by the CL0P ransomware group. Vendors with multiple vulnerabilities targeted by ransomware groups included Fortinet, Ivanti, Microsoft, Mitel, Oracle and SonicWall.

Projects and Vendors with the Most Exploited Vulnerabilities

Microsoft once again led all vendors and projects in CISA KEV additions in 2025, with 39 vulnerabilities added to the database, up from 36 in 2024. Apple, Cisco, Google Chromium. Ivanti and Linux each had 7-9 vulnerabilities added to the KEV catalog. Several vendors and projects actually improved in 2025, with fewer vulnerabilities added than they had in 2024, “suggesting improved security controls,” Cyble said. Adobe, Android, Apache, Ivanti, Palo Alto Networks, and VMware were among those that saw a decline in KEV vulnerabilities.

Most Common Software Weaknesses

Eight software and hardware weaknesses (common weakness enumerations, or CWEs) were “particularly prominent among the 2025 KEV additions,” Cyble said, noting that the list is similar to the 2024 list. The most common CWEs in the 2025 CISA KEV additions were:

• CWE-78 – OS Command Injection – accounted for 18 of the 245 vulnerabilities.
• CWE-502 – Deserialization of Untrusted Data – was  a factor in 14 of the vulnerabilities.
• CWE-22 – Path Traversal – appeared 13 times.
• CWE-416 – Use After Free – was a flaw in 11 of the vulnerabilities.
• CWE-787 – Out-of-bounds Write – accounted for 10 of the vulnerabilities.
• CWE-79 – Cross-site Scripting – appeared 7 times.
• CWE-94 (Code Injection) and CWE-287 (Improper Authentication) appeared 6 times each.

 

The hacking group Crimson Collective claims to have obtained the personal data of more than a million residential customers of U.S. fiber broadband provider Brightspeed. In a January 4 Telegram post, the group behind a Red Hat GitLab breach last year claimed to possess “over 1m+ residential user PII's,” or personally identifiable information. Crimson Collective said it would release a data sample on January 5 to give Brightspeed “some time first to answer to us.” It is not known what if any communications occurred between the company and the hacker group, but Crimson Collective made good on that threat and released the data sample today.

Crimson Collective Details Brightspeed Claims

Crimson Collective claims to possess a wide range of data on Brightspeed customers, including:

• Customer account master records containing names, email addresses, phone numbers, billing and service addresses, and account status
• Network type, consent flags, billing system, service instance, network assignment, and site IDs
• Address qualification responses with address IDs, full postal addresses, latitude and longitude coordinates, qualification status (fiber/copper/4G), maximum bandwidth, drop length, wire center, marketing profile codes, and eligibility flags
• User-level account details keyed by session/user IDs, “overlapping with PII including names, emails, phones, service addresses, account numbers, status, communication preferences, and suspend reasons”
• Payment history, including payment IDs, dates, amounts, invoice numbers, card types and masked payment card numbers (last 4 digits), gateways, and status
• Payment methods per account, including default payment method IDs, gateways, masked credit card numbers, expiry dates, bank identification numbers (BINs), holder names and addresses, status flags (Active/Declined), and created/updated timestamps
• Appointment and order records by billing account, including order numbers, status, appointment windows, dispatch and technician information, and install types.

Potential Risk for Brightspeed Users

In an email exchange with The Cyber Express, a Crimson Collective spokesperson noted that while the data doesn’t include password or credit card data that could put users at imminent risk of breach or theft, the group said that “Every PII is important, with all this data people can easily start big sophisticated phishing campaigns or even get access to specific people's infrastructure.” Asked if the group has established persistent access to Brightspeed’s environment, the spokesperson replied, “Cannot disclose this.” The Cyber Express also reached out to Brightspeed for comment and will update this article with any response. However, the company reportedly told Security Week that it is “currently investigating reports of a cybersecurity event. As we learn more, we will keep our customers, employees and authorities informed. We take the security of our networks and protection of our customers’ and employees’ information seriously and are rigorous in securing our networks and monitoring threats.”

Trust Wallet users had $8.5 million in crypto assets stolen in a cyberattack linked to the second wave of the Shai-Hulud npm supply chain attack. In a lengthy analysis of the attack, Trust Wallet said attackers used the Shai-Hulud attack to access Trust Wallet’s browser extension source code and Chrome Web Store API key. “Using that access, they were able to prepare a tampered version of the extension with a backdoor designed to collect users’ sensitive wallet data [and] releasing the malicious version to the Chrome Web Store using the leaked (CWS) API key,” the crypto wallet company said. So far Trust Wallet has identified 2,520 wallet addresses affected by the incident and drained by the attackers, totaling approximately $8.5 million in assets. The company said it “has decided to voluntarily reimburse the affected users.” News of the successful attack comes amid reports that threat actors are actively preparing for a third wave of Shai-Hulud attacks.

Trust Wallet Shai-Hulud Attack Detailed

Trust Wallet said “an unauthorized and malicious version” of its Browser Extension (version 2.68) was published to the Chrome Web Store on December 24, “outside of our standard release process (without mandatory review). This version contained malicious code that, when loaded, allowed the attacker to access sensitive wallet data and execute transactions without authorization.” The $8.5 million in assets were associated with 17 wallet addresses controlled by the attacker, but Trust Wallet said the attacker addresses “also drained wallet addresses NOT associated with Trust Wallet and this incident. We are actively tracking other wallet addresses that may have been impacted and will release updated numbers once we have confirmation.” The incident affects only Trust Wallet Browser Extension version 2.68 users who opened the extension and logged in during the affected period of December 24-26. It does not affect mobile app users, users of other Browser Extension versions, or Browser Extension v2.68 users who opened and logged in after December 26 at 11:00 UTC. “If you have received an app push via the Trust Wallet mobile app or you see a security incident banner on your Trust Wallet Browser Extension, you may still be using the compromised wallets,” the company said. Browser Extension v2.68 users who logged into their wallets during the affected period were advised to transfer their funds from any at-risk wallets to a newly created wallet following the company’s instructions and to submit reimbursement claims at https://be-support.trustwallet.com.

White Hat Researchers Limited Damage with DDoS Attacks

The dramatic Trust Wallet attack was met by an equally dramatic response from white hat security researchers, who launched DDoS attacks on the attacker to limit damage, as detailed in the company’s update. Trust Wallet’s Developer GitHub secrets were exposed in the November second-wave attack, which gave the attacker access to the browser extension source code and the API key, allowing builds to be uploaded directly without Trust Wallet's internal approval and manual review. The attacker registered the domain metrics-trustwallet.com “with the intention of hosting malicious code and embedding a reference to that code in their malicious deployment of the Trust Wallet Browser Extension,” the company said. The attacker prepared and uploaded a tampered version of the browser extension using the codebase of an earlier version that they had accessed through the exposed developer GitHub secrets. The attacker published version 2.68 on the Chrome Web Store for review using the leaked CWS key, “and the malicious version was released automatically upon passing Chrome Web Store review approval,” Trust Wallet said. On December 25, the first wallet-draining activity was publicly reported, when 0xAkinator and ZachXBT flagged the issues and identified the attacker's wallet addresses, and partner Hashdit and internal systems “notified us with multiple suspicious alerts.” “White-hat researchers initiated DDoS attacks in an attempt to temporarily disable the attacker's malicious domain, api.metrics-trustwallet.com, helping to minimize further victims,” Trust Wallet said. The company rolled back to a verified clean version (2.67, released as 2.69) and issued urgent upgrade instructions.

Two cybersecurity experts charged with deploying ALPHV BlackCat ransomware against five companies have pleaded guilty to federal charges in the case, the U.S. Department of Justice announced today. Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, were indicted in the BlackCat ransomware case in October. Together with an unnamed co-conspirator, they “successfully deployed the ransomware known as ALPHV BlackCat between April 2023 and December 2023 against multiple victims located throughout the United States,” the Justice Department said today. The two face sentencing in March for conspiring to obstruct commerce through extortion.

Misusing ‘Trusted Access and Technical Skill’

Martin and the co-conspirator worked as ransomware negotiators for DigitalMint, a Chicago-based company that specializes in mitigating cyberattacks, while Goldberg was an incident response manager at Sygnia Cybersecurity Services. DigitalMint and Sygnia have publicly stated they were not targets of the investigation and have cooperated fully with law enforcement. “These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks — the very type of crime that they should have been working to stop,” stated Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. “Goldberg and Martin used trusted access and technical skill to extort American victims and profit from digital coercion,” added U.S. Attorney Jason A. Reding Quiñones for the Southern District of Florida. “Their guilty pleas make clear that cybercriminals operating from within the United States will be found, prosecuted, and held to account.”

BlackCat Ransomware Case Netted More Than $1 million

According to the Justice Department, the three men agreed to pay the ALPHV BlackCat administrators a 20% share of any ransom payments they received in exchange for the ransomware and access to ALPHV BlackCat’s extortion platform. “After successfully extorting one victim for approximately $1.2 million in Bitcoin, the men split their 80% share of this ransom three ways and laundered the funds through various means,” the Justice Department said. The five unnamed victim companies targeted by the co-conspirators included:

• A medical device company based in Tampa, Florida
• A pharmaceutical company based in Maryland
• A doctor’s office based in California
• An engineering company based in California
• A drone manufacturer based in Virginia

The Tampa medical device company paid a $1.27 million ransom; it is not clear if other ransom payments were made. The Justice Department placed the guilty pleas in the context of priori law enforcement actions aimed at disrupting ALPHV BlackCat, including the development of a decryption tool that that the U.S. says saved global victims nearly $100 million in ransom payments. The Justice Department said Goldberg and Martin each pleaded guilty to one count of “conspiracy to obstruct, delay or affect commerce or the movement of any article or commodity in commerce by extortion in violation of 18 U.S.C. § 1951(a).” The defendants are scheduled to be sentenced on March 12, 2026, and face a maximum penalty of 20 years in prison. The cybersecurity industry has faced a number of insider incidents in recent months, including a “suspicious insider” at CrowdStrike and a former cybersecurity company official who pled guilty to stealing trade secrets to sell them to a Russian buyer. In the Goldberg and Martin case, corporate assets do not appear to have been misused.

Victims of the CL0P ransomware group’s August campaign targeting Oracle E-Business Suite vulnerabilities are still coping with the aftermath of the cyberattacks, as Korean Air and the University of Phoenix have become the latest to reveal details of the breach. The University of Phoenix reported earlier this month in an SEC filing that it was among the Oracle EBS victims, after the company was named as a victim by CL0P on the threat group’s dark web data leak site. In a new filing with the Maine Attorney General’s office, the University of Phoenix revealed the extent of the breach – nearly 3.5 million people may have had their personal data compromised, including names, dates of birth, Social Security numbers, and bank account and routing numbers. The sample notification letter provided by the university offered victims complimentary identity protection services. including a year of credit monitoring, dark web monitoring, a $1 million identity fraud loss reimbursement policy, and identity theft recovery services. Oracle EBS victims continue to grapple with the aftermath of the attacks even as CL0P has reportedly moved on to a new extortion campaign targeting internet-facing Gladinet CentreStack file servers.

Korean Air Among Oracle EBS Victims

Korean Air also reported a cyberattack that appears linked to the Oracle EBS campaign. According to news reports, KC&D Service – the former in-flight catering subsidiary of the airline that’s now owned by a private equity firm – informed Korean Air of a leak that involved personal data belonging to the airline’s employees. The compromised data involved 30,000 records and included names and bank account numbers. The breach was revealed in an “internal notice,” according to the reports. The airline said no customer data appears to have been compromised by the breach. According to Korea JoongAng Daily, Woo Kee-hong, vice chairman of Korean Air, said in a message to employees, “Korean Air takes this incident very seriously, especially since it involves employee data, even if it originated from a third-party vendor that was sold off. We are currently focusing all our efforts on identifying the full scope of the breach and who was affected.” While the reports didn’t specifically mention the Oracle EBS campaign, “Korean Air Catering” was one of more than 100 victims listed by CL0P on its data leak site. Other confirmed victims in the Oracle campaign have included The Washington Post, Harvard University, Dartmouth College, the University of Pennsylvania, American Airlines’ Envoy Air, Logitech, Cox, Mazda, Canon, and Hitachi’s GlobalLogic.

CL0P’s File Services Exploits

CL0P’s ability to exploit file sharing and transfer services at scale has made it a top five ransomware group over its six-year history, with more than 1,000 known victims to date, according to Cyble threat intelligence data. Other CL0P campaigns have targeted Cleo MFT, MOVEit, CrushFTP, SolarWinds Serv-U, PaperCut, and GoAnywhere, among others. CL0P’s exploitation of Cleo MFT vulnerabilities led to a record number of ransomware attacks earlier this year, and CL0P has also successfully exploited Accellion FTA vulnerabilities. Some reports have linked the Oracle EBS campaign to the FIN11 threat group, with CL0P acting as the public face of the campaign.

The former employee behind the recent Coupang data breach tried to cover his tracks by smashing his MacBook Air and throwing it into a river, the company revealed in a recent update on the incident. The alleged perpetrator panicked when news outlets reported on the Coupang breach, the December 25 update said. “Among other things, the perpetrator stated that he physically smashed his MacBook Air laptop, placed it in a canvas Coupang bag, loaded the bag with bricks, and threw the bag into a nearby river,” the update said. Using maps and descriptions from the former employee, divers were able to recover the laptop from the river. “It was exactly as the perpetrator claimed—in a canvas Coupang bag loaded with bricks—and its serial number matched the serial number in the perpetrator’s iCloud account,” Coupang said. Coupang has since updated the post twice, once to reassure customers that the company was cooperating fully with the government in its investigation, and the second time to announce a “customer compensation plan to restore customer trust” with vouchers worth about USD $35 (50,000 won) per customer.

Coupang Breach Smaller than Feared

Much of the update sought to reassure customers of the Korean online retailer that the breach was smaller than initially feared. While initial reports said the breach – which led to the CEO’s resignation – might have compromised the data of more than 33 million, Coupang said its investigation indicates that while the perpetrator may have accessed 33 million accounts, he “retained limited user data from only 3,000 accounts and subsequently deleted the user data.” The user data included 2,609 building entrance codes, but no payment, log-in data or individual customs numbers were accessed, and the perpetrator never transferred any of the data to third parties, the company said. Coupang said it conducted its investigation with Mandiant, Palo Alto Networks and Ernst & Young.

Perpetrator ‘Confessed Everything’

Coupang said it used “digital fingerprints” and other forensic evidence to identify the former employee allegedly responsible for the breach. “The perpetrator confessed everything and revealed precise details about how he accessed user data,” the company said. The former employee used “an internal security key that he took while still working at the company” to access “basic user data” from more than 33 million customer accounts. He retained user data (name, email, phone number, address and partial order histories) from about 3,000 accounts, plus 2,609 building entrance access codes. The Coupang statement notes repeatedly that the alleged perpetrator’s story is supported by the available forensic evidence, likely to reassure customers that the breach wasn’t as bad as initially feared. The statement frequently uses phrases such as “exactly as the perpetrator described” to underscore that the forensic evidence supports the former employee’s claims. “The investigative findings to date are consistent with the perpetrator’s sworn statements and found no evidence that contradicts these statements,” the company says in another section. “The perpetrator stated that he used a personal desktop PC and a MacBook Air laptop to provision access and to store a limited amount of user data,” the Coupang statement said. “Independent forensic investigation confirmed that Coupang systems were accessed using one PC system and one Apple system as the primary hardware interfaces, exactly as the perpetrator described.” The perpetrator also turned over the PC system and four hard drives from the system, “on which analysts found the script used to carry out the attack,” the company said.

Cyble researchers have identified a sophisticated attack campaign that uses obfuscation, a unique User Account Control (UAC) bypass and other stealthy techniques to deliver a unified commodity loader and infect systems with Remote Access Trojans (RATs) and infostealers. The malware campaign targets the Manufacturing and Government sectors in Europe and the Middle East, with a specific focus on Italy, Finland, and Saudi Arabia, but shares common features with other attack campaigns, suggesting a shared malware delivery framework used by multiple “high-capability” threat actors. “The primary objective is the exfiltration of sensitive industrial data and the compromise of high-value administrative credentials,” Cyble Research and Intelligence Labs (CRIL) said in a blog post published today.

Sophisticated Attack Campaign Uses Loader Shared by ‘High-capability’ Threat Actors

The sophisticated commodity loader at the heart of the campaign is “utilized by multiple high-capability threat actors,” Cyble said. “Our research confirms that identical loader artifacts and execution patterns link this campaign to a broader infrastructure shared across multiple threat actors,” the researchers said. The CRIL researchers describe “a striking uniformity of tradecraft, uncovering a persistent architectural blueprint that serves as a common thread. Despite the deployment of diverse malware payloads, the delivery mechanism remains constant.” Standardized methodology includes the use of steganography to conceal payloads within image files, the use of string reversal and Base64 encoding for obfuscation, and delivering encoded payload URLs directly to the loader. The threat actors also “consistently abuse legitimate .NET framework executables to facilitate advanced process hollowing techniques.” Cyble said researchers from Seqrite, Nextron Systems, and Zscaler, have documented similar findings in other campaigns, including “identical class naming conventions and execution patterns across a variety of malware families and operations.” The researchers shared code samples of the shared loader architecture and noted, “This consistency suggests that the loader might be part of a shared delivery framework used by multiple threat actors.” The loaders have been observed delivering a variety of RATs and infostealers, such as PureLog Stealer, Katz Stealer, DC Rat, Async Rat, and Remcos. “This indicates the loader is likely shared or sold across different threat actor groups,” Cyble said. “The fact that multiple malware families leverage these class naming conventions as well as execution patterns ... is further testament to how potent this threat is to the target nations and sectors,” Cyble added.

Campaign Uses Obfuscation, UAC Bypass

The campaign documented by Cyble uses “a diverse array of infection vectors,” such as Office documents that weaponize CVE-2017-11882, malicious SVG files, ZIP archives containing LNK shortcuts, and a unique User Account Control (UAC) bypass. One sample used an LNK file and PowerShell to download a VBS loader, along with the UAC bypass method. The UAC bypass technique appears in later stages of the attack, where the malware monitors process creation events and triggers a UAC prompt when a new process is launched, “tricking the system or user into granting elevated privileges under the guise of a routine operation” and “enabling the execution of a PowerShell process with elevated privileges after user approval.” “The discovery of a novel UAC bypass confirms that this is not a static threat, but an evolving operation with a dedicated development cycle,” the researchers added. “Organizations, especially in the targeted regions, should treat ‘benign’ image files and email attachments with heightened scrutiny.” The campaign starts as a phishing campaign masquerading as standard Purchase Order communications. Image files are hosted on legitimate delivery platforms and contain steganographically embedded payloads, “allowing the malicious code to slip past file-based detection systems by masquerading as benign traffic.” The threat actors use a sophisticated “hybrid assembly” technique to “trojanize” open-source libraries. “By appending malicious functions to trusted open-source libraries and recompiling them, the resulting files retain their authentic appearance and functionality, making signature-based detection extremely difficult,” the researchers said. The infection chain is also engineered “to minimize forensic footprint,” including script obfuscation, steganographic extraction, reflective loading to run code directly in memory, and process injection to hide malicious activity within legitimate system processes. The full Cyble blog takes an in-depth technical look at one sample and also includes recommendations, MITRE tactics, techniques and procedures (TTPs), and Indicators of Compromise (IoCs).

The CL0P ransomware group appears to be targeting internet-facing Gladinet CentreStack file servers in its latest extortion campaign. The Curated Intelligence project said in a LinkedIn post that incident responders from its community “have encountered a new CLOP extortion campaign targeting Internet-facing CentreStack file servers.” Cyble said in a note to clients today that CL0P appears to be readying its dark web data leak site (DLS) for a new wave of victims following its exploitation of Oracle E-Business Suite vulnerabilities that netted more than 100 victims. “Monitoring of Cl0p's DLS indicates recent archiving and grouping of all previously listed victims associated with Oracle E-Business Suite exploitation under different folders, a move that strongly suggests preparation for a new wave of data leak publications,” Cyble said. “This restructuring activity is assessed to be linked to the ongoing exploitation of Gladinet CentreStack, with Cl0p likely staging victims for coordinated disclosure similar to its prior mass-extortion campaigns. No victim samples or deadlines related to the CentreStack victims have been published yet.”

CL0P May Be Targeting Gladinet CentreStack Vulnerabilities

It’s not clear if the CL0P campaign is exploiting a known or zero-day vulnerability, but in a comment on the LinkedIn post, Curated Intelligence said that an October Huntress report is “Likely related.” That report focused on CVE-2025-11371, a Files or Directories Accessible to External Parties vulnerability in Gladinet CentreStack and TrioFox that was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on Nov. 4. In a Dec. 10 report, Huntress noted that threat actors were also targeting CVE-2025-30406, a Gladinet CentreStack Use of Hard-coded Cryptographic Key vulnerability, and CVE-2025-14611, a Gladinet CentreStack and Triofox Hard Coded Cryptographic vulnerability. CVE-2025-30406 was added to the CISA KEV catalog in April, and CVE-2025-14611 was added to the KEV database on Dec. 15. In a Dec. 18 update to that post, Huntress noted the Curated Intelligence findings and said, “At present, we cannot say definitively that this is exploitation by the cl0p ransomware gang, but considering the timing of this reporting, we felt it was prudent to share this recent threat intel.” The latest release on Gladinet's CentreStack website as of December 8 is version 16.12.10420.56791, Huntress noted. “We recommend that potentially impacted Gladinet customers update to this latest version immediately and ensure that the machineKey is rotated,” the blog post said. Curated Intelligence noted that recent port scan data shows more than 200 unique IPs running the “CentreStack - Login” HTTP Title, “making them potential targets of CLOP who is exploiting an unknown CVE (n-day or zero-day) in these systems.”

CL0P’s History of File Transfer Attacks

Curated Intelligence noted that CL0P has a long history of targeting file sharing and transfer services. “This is yet another similar data extortion campaign by this adversary,” the project said. “CLOP is well-known for targeting file transfer servers such as Oracle EBS, Cleo FTP, MOVEit, CrushFTP, SolarWinds Serv-U, PaperCut, GoAnywhere, among others.” CL0P’s exploitation of Cleo MFT vulnerabilities led to a record number of ransomware attacks earlier this year, and CL0P has also successfully exploited Accellion FTA vulnerabilities. The group’s ability to successfully exploit vulnerabilities at scale has made it a top five ransomware group over its six-year-history (image below from Cyble). [caption id="attachment_107950" align="aligncenter" width="1200"] CL0P is a top five ransomware group over its six-year history (Cyble)[/caption]

France is investigating whether “foreign interference” was behind remote access trojan (RAT) malware that was discovered on a passenger ferry. The ferry malware was “capable of allowing the vessel's operating systems to be controlled remotely,” Le Monde reported today, citing the Interior Minister. Interior Minister Laurent Nuñez told France Info radio that hacking into a ship's data-processing system “is a very serious matter ... Investigators are obviously looking into interference. Yes, foreign interference.” Nuñez would not speculate if the attack was intended to interfere with the ship’s navigation and he did not specifically name Russia, but he said, "These days, one country is very often behind foreign interference." The office of the Paris prosecutor said it had opened an investigation into a suspected attempt "by an organized group to attack an automated data-processing system, with the aim of serving the interests of a foreign power.”

Latvian Arrested in Ferry Malware Case

Two crew members, a Latvian and a Bulgarian, were detained after they were identified by Italian authorities, but the Bulgarian was later released. The Latvian was arrested and charged after the malware was found on the 2,000-passenger capacity ferry the Fantastic, which is owned by the Italian shipping company GNV, while it was docked in France's Mediterranean port of Sète. GNV said it had alerted Italian authorities, saying in a statement that it had "identified and neutralized an attempt at intrusion on the company's computer systems, which are effectively protected. It was without consequences," France 24 reported. Christian Cevaer, director of the France Cyber Maritime monitor, told AFP that any attempt to take control of a ship would be a "critical risk" because of "serious physical consequences" that could endanger passengers. Cevaer said such an operation would likely require a USB key to install the software, which would require "complicity within the crew." The investigation is being led by France's domestic intelligence service, the General Directorate for Internal Security (DGSI), as a sign of the importance of the case, France 24 said. After cordoning off the ship in the port, the Fantastic was inspected by the DGSI, “which led to the seizure of several items,” France 24 said. After technical inspections ruled out any danger to passengers, the ship was cleared to sail again. Searches were also conducted in Latvia with the support of Eurojust and Latvian authorities. Meanwhile, the Latvian suspect’s attorney said the investigation “will demonstrate that this case is not as worrying as it may have initially seemed,” according to a quote from the attorney as reported by France 24.

Ferry Malware Follows French Interior Ministry Attack

The ferry malware incident closely follows a cyberattack on the French Interior Ministry’s internal email systems that led to the arrest of a 22-year-old man in connection with the attack. The cyberattack was detected overnight between Thursday, December 11, and Friday, December 12, and resulted in unauthorized access to a number of document files. Nuñez described the incident as more serious than initially believed. Speaking to France Info radio, he said, “It’s serious. A few days ago, I said that we didn’t know whether there had been any compromises or not. Now we know that there have been compromises, but we don’t know the extent of them.” Authorities later confirmed that the compromised files included criminal records, raising concerns about the sensitivity of the exposed information.

A new Android malware locks device screens and demands that users pay a ransom to keep their data from being deleted. Dubbed “DroidLock” by Zimperium researchers, the Android ransomware-like malware can also “wipe devices, change PINs, intercept OTPs, and remotely control the user interface, turning an infected phone into a hostile endpoint.” The malware detected by the researchers targeted Spanish Android users via phishing sites. Based on the examples provided, the French telecommunications company Orange S.A. was one of the companies impersonated in the campaign.

Android Malware DroidLock Uses ‘Ransomware-like Overlay’

The researchers detailed the new Android malware in a blog post this week, noting that the malware “has the ability to lock device screens with a ransomware-like overlay and illegally acquire app lock credentials, leading to a total takeover of the compromised device.” The malware uses fake system update screens to trick victims and can stream and remotely control devices via virtual network computing (VNC). The malware can also exploit device administrator privileges to “lock or erase data, capture the victim's image with the front camera, and silence the device.” The infection chain starts with a dropper that appears to require the user to change settings to allow unknown apps to be installed from the source (image below), which leads to the secondary payload that contains the malware. [caption id="attachment_107722" align="aligncenter" width="300"] The Android malware DroidLock prompts users for installation permissions (Zimperium)[/caption] Once the user grants accessibility permission, “the malware automatically approves additional permissions, such as those for accessing SMS, call logs, contacts, and audio,” the researchers said. The malware requests Device Admin Permission and Accessibility Services Permission at the start of the installation. Those permissions allow the malware to perform malicious actions such as:

• Wiping data from the device, “effectively performing a factory reset.”
• Locking the device.
• Changing the PIN, password or biometric information to prevent user access to the device.

Based on commands received from the threat actor’s command and control (C2) server, “the attacker can compromise the device indefinitely and lock the user out from accessing the device.”

DroidLock Malware Overlays

The DroidLock malware uses Accessibility Services to launch overlays on targeted applications, prompted by an AccessibilityEvent originating from a package on the attacker's target list. The Android malware uses two primary overlay methods:

• A Lock Pattern overlay that displays a pattern-drawing user interface (UI) to capture device unlock patterns.
• A WebView overlay that loads attacker-controlled HTML content stored locally in a database; when an application is opened, the malware queries the database for the specific package name, and if a match is found it launches a full-screen WebView overlay that displays the stored HTML.

The malware also uses a deceptive Android update screen that instructs users not to power off or restart their devices. “This technique is commonly used by attackers to prevent user interaction while malicious activities are carried out in the background,” the researchers said. The malware can also capture all screen activity and transmit it to a remote server by operating as a persistent foreground service and using MediaProjection and VirtualDisplay to capture screen images, which are then converted to a base64-encoded JPEG format and transmitted to the C2 server. “This highly dangerous functionality could facilitate the theft of any sensitive information shown on the device’s display, including credentials, MFA codes, etc.,” the researchers said. Zimperium has shared its findings with Google, so up-to-date Android devices are protected against the malware, and the company has also published DroidLock Indicators of Compromise (IoCs).

A study of honeypot and cyber deception technologies by the UK’s National Cyber Security Centre (NCSC) found that the deception tools hold promise for disrupting cyberattacks, but more information and standards are needed for them to work optimally. The agency plans to help with that. The NCSC test involved 121 organizations, 14 commercial providers of honeypots and deception tools, and 10 trials across environments ranging from the cloud to operational technology (OT). The NCSC concluded that “cyber deception can work, but it’s not plug-and-play.”

Honeypot and Cyber Deception Challenges

The NCSC said surveyed organizations believe that cyber deception technologies can offer “real value, particularly in detecting novel threats and enriching threat intelligence,” and a few even see potential for identifying insider threats. “However, outcome-based metrics were not readily available and require development,” the NCSC cautioned. The UK cybersecurity agency said the effectiveness of honeypots and cyber deception tools “depends on having the right data and context. We found that cyber deception can be used for visibility in many systems, including legacy or niche systems, but without a clear strategy organisations risk deploying tools that generate noise rather than insight.” The NCSC blog post didn’t specify what data was missing or needed to be developed to better measure the effectiveness of deception technologies, but the agency nonetheless concluded that “there’s a compelling case for increasing the use of cyber deception in the UK.” The study examined three core assumptions:

• Cyber deception technologies can help detect compromises already inside networks.
• Cyber deception and honeypots can help detect new attacks as they happen.
• Cyber deception can change how attackers behave if they know an organization is using the tools.

Terminology, Guidance Needed for Honeypots and Deception Tools

The tests, conducted under the Active Cyber Defence (ACD) 2.0 program, also found that inconsistent terminology and guidance hamper optimal use of the technologies. “There’s a surprising amount of confusion around terminology, and vocabulary across the industry is often inconsistent,” NCSC said. “This makes it harder for organisations to understand what’s on offer or even what they’re trying to achieve. We think adopting standard terminology should help and we will be standardising our cyber deception vocabulary.” Another challenge is that organizations don’t know where to start. “They want impartial advice, real-world case studies, and reassurance that the tools they’re using are effective and safe,” the agency said. “We’ve found a strong marketplace of cyber deception providers offering a wide range of products and services. However, we were told that navigating this market can be difficult, especially for beginners.” The NCSC said it thinks it can help organizations “make informed, strategic choices.”

Should Organizations Say if They’re Using Deception Tools?

One interesting finding is that 90% of the trial participants said they wouldn’t publicly announce that they use cyber deception. While it’s understandable not to want to tip off attackers, the NCSC said that academic research shows that “when attackers believe cyber deception is in use they are less confident in their attacks. This can impose a cost on attackers by disrupting their methods and wasting their time, to the benefit of the defenders.” Proper configuration is also a challenge for adopters. “As with any cyber security solution, misconfiguration can introduce new vulnerabilities,” the NCSC said. “If cyber deception tools aren’t properly configured, they may fail to detect threats or lead to a false sense of security, or worse, create openings for attackers. As networks evolve and new tools are introduced, keeping cyber deception tools aligned requires ongoing effort. It is important to consider regular updates and fine-tuning cyber deception solutions.” Next steps for the NCSC involve helping organizations better understand and deploy honeypots and deception tools, possibly through a new ACD service. “By helping organisations to understand cyber deception and finding clear ways to measure impact, we are building a strong foundation to support the deployment of cyber deception at a national scale in the UK,” the agency said. “We are looking at developing a new ACD service to achieve this. “One of the most promising aspects of cyber deception is its potential to impose cost on adversaries,” the NCSC added. “By forcing attackers to spend time and resources navigating false environments, chasing fake credentials, or second-guessing their access, cyber deception can slow down attacks and increase the likelihood of detection. This aligns with broader national resilience goals by making the UK a harder, more expensive target.”

Microsoft patched 57 vulnerabilities in its Patch Tuesday December 2025 update, including one exploited zero-day and six high-risk vulnerabilities. The exploited zero-day is CVE-2025-62221, a 7.8-rated Use After Free vulnerability in Windows Cloud Files Mini Filter Driver that could allow an authorized attacker to elevate privileges locally and gain SYSTEM privileges. CISA promptly added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Microsoft credited its own Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) for the find. Microsoft’s Patch Tuesday December 2025 update also issued fixes for 13 non-Microsoft CVEs; all the non-Microsoft CVEs were for Chromium-based Edge vulnerabilities. Other vendors issuing critical Patch Tuesday updates included Fortinet (CVE-2025-59718 and CVE-2025-59719), Ivanti (CVE-2025-10573) and SAP (CVE-2025-42880, CVE-2025-42928, and Apache Tomcat-related vulnerabilities CVE-2025-55754 and CVE-2025-55752).

High-Risk Vulnerabilities Fixed in Patch Tuesday December 2025 Update

Microsoft rated six vulnerabilities as “Exploitation More Likely.” The six are all rated 7.8 under CVSS 3.1, and three are Heap-based Buffer Overflow vulnerabilities. The six high-risk vulnerabilities include: CVE-2025-59516, a 7.8-severity Windows Storage VSP Driver Elevation of Privilege vulnerability. The Missing Authentication for Critical Function flaw in Windows Storage VSP Driver could allow an authorized attacker to elevate privileges locally. CVE-2025-59517, also a 7.8-rated Windows Storage VSP Driver Elevation of Privilege vulnerability. Improper access control in Windows Storage VSP Driver could allow an authorized attacker to elevate privileges locally. CVE-2025-62454, a 7.8-rated Windows Cloud Files Mini Filter Driver Elevation of Privilege vulnerability. The Heap-based Buffer Overflow vulnerability in Windows Cloud Files Mini Filter Driver could allow an authorized attacker to elevate privileges locally. CVE-2025-62458, a 7.8-severity Win32k Elevation of Privilege vulnerability. The Heap-based Buffer Overflow vulnerability in Windows Win32K - GRFX could allow an authorized attacker to elevate privileges locally. CVE-2025-62470, a 7.8-rated Windows Common Log File System Driver Elevation of Privilege vulnerability. The Heap-based Buffer Overflow vulnerability in the Windows CLFS Driver could allow local privilege elevation by an authorized attacker. CVE-2025-62472, a 7.8-severity Windows Remote Access Connection Manager Elevation of Privilege vulnerability. The use of uninitialized resource flaw in Windows Remote Access Connection Manager could allow an authorized attacker to elevate privileges locally.

High-Severity Office, Copilot, SharePoint Vulnerabilities also Fixed

The highest-rated vulnerabilities in the December 2025 Patch Tuesday update were rated 8.8, and there were three 8.4-severity vulnerabilities too. All were rated as being at lower risk of exploitation by Microsoft. The four 8.8-rated vulnerabilities include:

• CVE-2025-62549, a Windows Routing and Remote Access Service (RRAS) Remote Code Execution vulnerability
• CVE-2025-62550, an Azure Monitor Agent Remote Code Execution vulnerability
• CVE-2025-62456, a Windows Resilient File System (ReFS) Remote Code Execution vulnerability
• CVE-2025-64672, a Microsoft SharePoint Server Spoofing vulnerability

The three 8.4-severity vulnerabilities include:

• CVE-2025-64671, a GitHub Copilot for Jetbrains Remote Code Execution vulnerability
• CVE-2025-62557, a Microsoft Office Remote Code Execution/Use After Free vulnerability
• CVE-2025-62554, a Microsoft Office Remote Code Execution/Type Confusion vulnerability

Australia’s world-first social media ban for children under age 16 takes effect on December 10, leaving kids scrambling for alternatives and the Australian government with the daunting task of enforcing the ambitious ban. What is the Australian social media ban, who and what services does it cover, and what steps can affected children take? We’ll cover all that, plus the compliance and enforcement challenges facing both social media companies and the Australian government – and the move toward similar bans in other parts of the world.

Australian Social Media Ban Supported by Most – But Not All

In September 2024, Prime Minister Anthony Albanese announced that his government would introduce legislation to set a minimum age requirement for social media because of concerns about the effect of social media on the mental health of children. The amendment to the Online Safety Act 2021 passed in November 2024 with the overwhelming support of the Australian Parliament. The measure has met with overwhelming support – even as most parents say they don’t plan to fully enforce the ban with their children. The law already faces a legal challenge from The Digital Freedom Project, and the Australian Financial Review reported that Reddit may file a challenge too. Services affected by the ban – which proponents call a social media “delay” – include the following 10 services:

• Facebook
• Instagram
• Kick
• Reddit
• Snapchat
• Threads
• TikTok
• Twitch
• X
• YouTube

Those services must take steps by Wednesday to remove accounts held by users under 16 in Australia and prevent children from registering new accounts. Many services began to comply before the Dec. 10 implementation date, although X had not yet communicated its policy to the government as of Dec. 9, according to The Guardian. Companies that fail to comply with the ban face fines of up to AUD $49.5 million, while there are no penalties for parents or children who fail to comply.

Opposition From a Wide Range of Groups - And Efforts Elsewhere

Opposition to the law has come from a range of groups, including those concerned about the privacy issues resulting from age verification processes such as facial recognition and assessment technology or use of government IDs. Others have said the ban could force children toward darker, less regulated platforms, and one group noted that children often reach out for mental health help on social media. Amnesty International also opposed the ban. The international human rights group called the ban “an ineffective quick fix that’s out of step with the realities of a generation that lives both on and offline.” Amnesty said strong regulation and safeguards would be a better solution. “The most effective way to protect children and young people online is by protecting all social media users through better regulation, stronger data protection laws and better platform design,” Amnesty said. “Robust safeguards are needed to ensure social media platforms stop exposing users to harms through their relentless pursuit of user engagement and exploitation of people’s personal data. “Many young people will no doubt find ways to avoid the restrictions,” the group added. “A ban simply means they will continue to be exposed to the same harms but in secret, leaving them at even greater risk.” Even the prestigious medical journal The Lancet suggested that a ban may be too blunt an instrument and that 16-year-olds will still face the same harmful content and risks. Jasmine Fardouly of the University of Sydney School of Psychology noted in a Lancet commentary that “Further government regulations and support for parents and children are needed to help make social media safe for all users while preserving its benefits.” Still, despite the chorus of concerns, the idea of a social media ban for children is catching on in other places, including the EU and Malaysia.

Australian Children Seek Alternatives as Compliance Challenges Loom

The Australian social media ban leaves open a range of options for under-16 users, among them Yope, Lemon8, Pinterest, Discord, WhatsApp, Messenger, iMessage, Signal, and communities that have been sources of controversy such as Telegram and 4chan. Users have exchanged phone numbers with friends and other users, and many have downloaded their personal data from apps where they’ll be losing access, including photos, videos, posts, comments, interactions and platform profile data. Many have investigated VPNs as a possible way around the ban, but a VPN is unlikely to work with an existing account that has already been identified as an underage Australian account. In the meantime, social media services face the daunting task of trying to confirm the age of account holders, a process that even Albanese has acknowledged “won’t be 100 per cent perfect.” There have already been reports of visual age checks failing, and a government-funded report released in August admitted the process will be imperfect. The government has published substantial guidance for helping social media companies comply with the law, but it will no doubt take time to determine what “reasonable steps” to comply look like. In the meantime, social media companies will have to navigate compliance guidance like the following passage: “Providers may choose to offer the option to end-users to provide government-issued identification or use the services of an accredited provider. However, if a provider wants to employ an age assurance method that requires the collection of government-issued identification, then the provider must always offer a reasonable alternative that doesn’t require the collection of government-issued identification. A provider can never require an end-user to give government-issued identification as the sole method of age assurance and must always give end-users an alternative choice if one of the age assurance options is to use government-issued identification. A provider also cannot implement an age assurance system which requires end-users to use the services of an accredited provider without providing the end-user with other choices.”  

AI browsers may be innovative, but they’re “too risky for general adoption by most organizations,” Gartner warned in a recent advisory to clients. The 13-page document, by Gartner analysts Dennis Xu, Evgeny Mirolyubov and John Watts, cautions that AI browsers’ ability to autonomously navigate the web and conduct transactions “can bypass traditional controls and create new risks like sensitive data leakage, erroneous agentic transactions, and abuse of credentials.” Default AI browser settings that prioritize user experience could also jeopardize security, they said. “Sensitive user data — such as active web content, browsing history, and open tabs — is often sent to the cloud-based AI back end, increasing the risk of data exposure unless security and privacy settings are deliberately hardened and centrally managed,” the analysts said. “Gartner strongly recommends that organizations block all AI browsers for the foreseeable future because of the cybersecurity risks identified in this research, and other potential risks that are yet to be discovered, given this is a very nascent technology,” they cautioned.

AI Browsers’ Agentic Capabilities Could Introduce Security Risks: Analysts

The researchers largely ignored risks posed by AI browsers’ built-in AI sidebars, noting that LLM-powered search and summarization functions “will always be susceptible to indirect prompt injection attacks, given that current LLMs are inherently vulnerable to such attacks. Therefore, the cybersecurity risks associated with an AI browser’s built-in AI sidebar are not the primary focus of this research.” Still, they noted that use of AI sidebars could result in sensitive data leakage. Their focus was more on the risks posed by AI browsers’ agentic and autonomous transaction capabilities, which could introduce new security risks, such as “indirect prompt-injection-induced rogue agent actions, inaccurate reasoning-driven erroneous agent actions, and further loss and abuse of credentials if the AI browser is deceived into autonomously navigating to a phishing website.” AI browsers could also leak sensitive data that users are currently viewing to their cloud-based service back end, they noted.

Analysts Focus on Perplexity Comet

An AI browser’s agentic transaction capability “is a new capability that differentiates AI browsers from third-party conversational AI sidebars and basic script-based browser automation,” the analysts said. Not all AI browsers support agentic transactions, they said, but two prominent ones that do are Perplexity Comet and OpenAI’s ChatGPT Atlas. The analysts said they’ve performed “a limited number of tests using Perplexity Comet,” so that AI browser was their primary focus, but they noted that “ChatGPT Atlas and other AI browsers work in a similar fashion, and the cybersecurity considerations are also similar.” Comet’s documentation states that the browser “may process some local data using Perplexity’s servers to fulfill your queries. This means Comet reads context on the requested page (such as text and email) in order to accomplish the task requested.” “This means sensitive data the user is viewing on Comet might be sent to Perplexity’s cloud-based AI service, creating a sensitive data leakage risk,” the analysts said. Users likely would view more sensitive data in a browser than they would typically enter in a GenAI prompt, they said. Even if an AI browser is approved, users must be educated that “anything they are viewing could potentially be sent to the AI service back end to ensure they do not have highly sensitive data active on the browser tab while using the AI browser’s sidebar to summarize or perform other autonomous actions,” the Gartner analysts said. Employees might also be tempted to use AI browsers to automate tasks, which could result in “erroneous agentic transactions against internal resources as a result of the LLM’s inaccurate reasoning or output content.”

AI Browser Recommendations

Gartner said employees should be blocked from accessing, downloading and installing AI browsers through network and endpoint security controls. “Organizations with low risk tolerance must block AI browser installations, while those with higher-risk tolerance can experiment with tightly controlled, low-risk automation use cases, ensuring robust guardrails and minimal sensitive data exposure,” they said. For pilot use cases, they recommended disabling Comet’s “AI data retention” setting so that Perplexity can’t use employee searches to improve their AI models. Users should also be instructed to periodically perform the “delete all memories” function in Comet to minimize the risk of sensitive data leakage.  

U.S. companies made more than $2 billion in ransomware payments between 2022 and 2024, nearly equaling the total ransoms paid in the previous nine years, according to a new report from the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN). The report, which looked at threat pattern and trend information identified in Bank Secrecy Act (BSA) filings, said that between Jan. 1, 2022 and Dec. 31, 2024, FinCEN received 7,395 BSA reports related to 4,194 ransomware incidents and totaling more than $2.1 billion in ransomware payments. In the previous nine years, from 2013 to 2021, FinCEN received 3,075 BSA reports totaling approximately $2.4 billion in ransomware payments, the report said. FinCEN notes that because its data is based on BSA filings, it is by nature incomplete, and indeed, the 4,194 ransomware incidents recorded by FinCEN between 2022 and 2024 is less than 40% of the nearly 11,000 ransomware attacks recorded in Cyble’s threat intelligence data over the same period.

ALPHV/BlackCat and LockBit Enforcement Actions Lowered Ransomware Payments

Ransomware incidents and payments reported to FinCEN reached an all-time high in 2023 of 1,512 incidents totaling approximately $1.1 billion in payments, an increase of 77 percent in payments from 2022. In 2024, incidents decreased slightly to 1,476 while total payments dropped to approximately $734 million. FinCEN attributed the decline in ransomware payments in 2024 to law enforcement disruption of the ALPHV/BlackCat and LockBit ransomware groups. However, LockBit is in the midst of its most significant comeback since the law enforcement actions disrupted the group, with 21 new victims claimed so far this month. Of the 267 ransomware variants identified during the reporting period, the most common variants were Akira, ALPHV/BlackCat, LockBit, Phobos, and Black Basta. However, Qilin has emerged as the top ransomware group in 2025 by a wide margin, so FinCEN’s 2025 BSA data will almost certainly change. Despite the decline in payments, the value of reported ransomware payments in 2024 was still the third-highest yearly total since the reports began in 2013. The median ransomware payment was $124,097 in 2022, $175,000 in 2023, and $155,257 in 2024. Between January 2022 and December 2024, the most common payment range was below $250,000.

Financial Services, Manufacturing and Healthcare Most Targeted Sectors

Measuring both the number of ransomware incidents and the amount of aggregate payments, the financial services, manufacturing and healthcare industries were the most affected during the report period. Between January 2022 and December 2024, the most commonly targeted industries by number of incidents identified in ransomware-related BSA reports were manufacturing (456 incidents), financial services (432 incidents), healthcare (389 incidents), retail (337 incidents), and legal services (334 incidents). Industries that paid the most in ransoms during the three-year period were financial services (approximately $365.6 million), healthcare (about $305.4 million), manufacturing (approximately $284.6 million), science and technology (about $186.7 million), and retail ($181.3 million). The Onion router (TOR) was the most common communication method used by ransomware groups. About 42 percent of BSA reports indicated the method that ransomware threat actors used to communicate with their targets. Among those reports, 67 percent indicated that ransomware actors used TOR, while 28 percent indicated that ransomware actors used email to communicate with their victims. Bitcoin (BTC) was the most common ransomware-related payment method, accounting for 97 percent of reported payments. Monero (XMR) was cited in two percent of BSA reports involving ransomware. FinCEN also identified several common money laundering typologies used by ransomware groups. Threat actors overwhelmingly collected payments in unhosted convertible virtual currency (CVC) wallets and “continued to exploit CVC exchanges for money laundering purposes after receiving payment,” the report said. Ransomware groups also used “several common preferred malicious cyber facilitators, such as shared initial access vendors,” FinCEN said.

The LockBit ransomware group is making a comeback, with a new data leak site and 21 new victims. LockBit was once the most feared ransomware group, and it still vastly outnumbers other ransomware groups with more than 2,700 claimed victims over its six-year-history, but a series of international law enforcement actions that began in February 2024 severely disrupted the group, and it has struggled to mount a sustained comeback since. LockBit 4.0, released in early 2025, failed to gain much traction and was never completely rolled out, and rivals like Qilin have done well attracting ransomware affiliates with favorable terms like profit sharing and enhanced features. But LockBit 5.0, announced on the underground forum RAMP in September, may be helping the group gain some traction, as it has since launched a new dark web data leak site and claimed new victims, Cyble reported in recent notes to clients. Dec. 8 update: LockBit claimed an additional 14 victims over the weekend since this article was published, raising the group's total to 21 for the month, behind only Qilin and Akira.

LockBit 'Fully Reactivated'

Despite a nearly two-year struggle to regain its footing, LockBit remains by far the most active ransomware group over its six-year history, its 2,757 victims more than double that of its nearest rivals, including Qilin, Akira, Play and CL0P (chart below from Cyble). [caption id="attachment_107448" align="aligncenter" width="1200"] LockBit remains the most dominant ransomware group of all time by a significant margin (Cyble)[/caption] Despite its history and name, LockBit’s comeback route has been a steep one, as arrests, leaked source code and operational leaks have repeatedly hampered comeback attempts and given rivals an advantage. But Cyble reported to clients on Dec. 5 that LockBit has “fully reactivated its public ransomware operations.” The new data leak site launched on November 5 and currently lists 21 new victims, plus several that had been previously claimed by the group. The new LockBit 5.0 variant, internally codenamed “ChuongDong,” has been driving the group’s reemergence. The new ransomware variant includes a complete redevelopment of the ransomware panel and lockers, and the new malware is more modular and offers faster encryption and better evasion of security defenses. Obfuscation is a key feature of the new ransomware version, which targets Linux, Windows and VMware ESXi environments.

LockBit Victims, Sectors and Targeted Countries

One notable new victim claimed by LockBit is an Asian airline providing regional passenger transport and charter services. Another new listing is a major Caribbean real estate company. Looking at the 42 victims claimed by LockBit in 2025 through Dec. 5, what stands out are the sectors and countries targeted, which differ from other leading ransomware groups. LockBit has had surprising success targeting financial services organizations. The group has claimed more victims in the Banking, Financial Services and Insurance (BFSI) sector in 2025 than in other industries (chart below). Overall, financial services isn’t among the top 10 sectors attacked by all ransomware groups, as the BFSI sector typically has stronger cybersecurity controls than other sectors. [caption id="attachment_107450" align="aligncenter" width="1200"] LockBit has had significant success targeting financial services companies (Cyble)[/caption] Also interesting is LockBit’s success targeting organizations in South America (chart below), which differs significantly from other ransomware groups, whose attacks are largely focused on the U.S., Canada and Europe. [caption id="attachment_107452" align="aligncenter" width="1200"] LockBit has had more success in South America than other ransomware groups (Cyble)[/caption] It remains to be seen if LockBit can mount a sustained comeback this time, but the group has a uniquely interesting base to build on. Ransomware affiliates are opportunistic, however, and they tend to gravitate toward the ransomware groups that offer the best chance at profitability and success. LockBit's comeback will depend on its ability to convince affiliates that it deserves to be back among the leaders. Article published on Dec. 5 and updated on Dec. 8 to reflect an increase in recent victims claimed by LockBit from seven to 21.

U.S. and Canadian cybersecurity agencies are warning that China-sponsored threat actors are using BRICKSTORM malware to compromise VMware vSphere environments. “Once compromised, the cyber actors can use their access to the vCenter management console to steal cloned virtual machine (VM) snapshots for credential extraction and create hidden, rogue VMs,” CISA, the NSA and the Canadian Centre for Cyber Security warned in the advisory. Attacks have so far primarily targeted the government and IT sectors, the agencies said.

One PRC BRICKSTORM Malware Attack Lasted More Than a Year

CISA – the U.S. Cybersecurity and Infrastructure Security Agency – said it analyzed eight BRICKSTORM samples obtained from victim organizations, including one where CISA conducted an incident response engagement. While the analyzed samples were for VMware vSphere environments, there are also Windows versions of the malware, the agency said. In the incident response case, CISA said threat actors sponsored by the People’s Republic of China (PRC) gained “long-term persistent access” to the organization’s network in April 2024 and uploaded BRICKSTORM malware to a VMware vCenter server. The threat actors also accessed two domain controllers and an Active Directory Federation Services (ADFS) server, successfully compromising the ADFS server and exporting cryptographic keys. The threat actors used BRICKSTORM malware for persistent access “through at least Sept. 3, 2025,” the agency said. BRICKSTORM is an Executable and Linkable Format (ELF) Go-based backdoor. While samples may differ in function, “all enable cyber actors to maintain stealthy access and provide capabilities for initiation, persistence, and secure command and control (C2),” the agencies said. BRICKSTORM can automatically reinstall or restart if disrupted. It uses DNS-over-HTTPS (DoH) and mimics web server functionality “to blend its communications with legitimate traffic." The malware gives threat actors interactive shell access on the system and allows them to “browse, upload, download, create, delete, and manipulate files.” Some of the malware samples act as a SOCKS proxy to facilitate lateral movement and compromise additional systems.

PRC Hackers Got Access via a Web Server

CISA said that in its incident response engagement, the PRC hackers accessed a web server inside the organization’s demilitarized zone (DMZ) on April 11, 2024. The threat actors accessed it through a web shell present on the server. “Incident data does not indicate how they obtained initial access to the web server or when the web shell was implanted,” CISA said. On the same day, the hackers used service account credentials to move laterally using Remote Desktop Protocol (RDP) to a domain controller in the DMZ, where they copied the Active Directory (AD) database (ntds.dit). The following day, the hackers moved laterally from the web server to a domain controller within the internal network using RDP and credentials from a second service account. “It is unknown how they obtained the credentials,” CISA said. The hackers copied the AD database and obtained credentials for a managed service provider (MSP) account. Using the MSP credentials, the hackers moved from the internal domain controller to the VMware vCenter server. From the web server, the PRC hackers also moved laterally using Server Message Block (SMB) to two jump servers and an ADFS server, from which they stole cryptographic keys. After gaining access to vCenter, the hackers elevated privileges using the sudo command, dropped BRICKSTORM malware into the server’s /etc/sysconfig/ directory, and modified the system’s init file in /etc/sysconfig/ to run the malware. The modified init file controls the bootup process on VMware vSphere systems and executes BRICKSTORM, CISA said. The file is typically used to define visual variables for the bootup process. The hackers added an additional line to the script to execute BRICKSTORM from the hard-coded file path /etc/sysconfig/. CISA, NSA, and the Canadian Cyber Centre urged organizations to use the indicators of compromise (IOCs) and detection signatures in their lengthy report to detect BRICKSTORM malware samples. CISA also recommended that organizations block unauthorized DNS-over-HTTPS (DoH) providers and external DoH network traffic; inventory all network edge devices and monitor for suspicious network connectivity, and use network segmentation to restrict network traffic from the DMZ to the internal network.

Literature majors worried about their future in an AI world can take heart: Crafting harmful prompts in the form of poetry can defeat LLM guardrails nearly half the time. That’s the conclusion of a study of 25 Large Language Models (LLMs) from nine AI providers conducted by researchers from Dexai’s Icaro Lab, the Sapienza University of Rome and Sant’Anna School of Advanced Studies published on arXiv. Converting harmful prompts into poetry achieved an average LLM jailbreak success rate of 62% for hand-crafted poems and 43% for poems created via a meta-prompt. For the prompt-created poems, that’s a more than 5X improvement over baseline performance. Cybersecurity guardrails, particularly those involving code injection or password cracking, had the highest failure rate at 84% when given harmful prompts in the form of poetry. “Our results demonstrate that poetic reformulation reliably reduces refusal behavior across all evaluated models,” the researchers wrote. “... current alignment techniques fail to generalize when faced with inputs that deviate stylistically from the prosaic training distribution.”

LLM Guardrails Fail When Confronted by Poetry Prompts

Of the 25 models from nine AI model providers studied by the researchers, Deepseek and Google suffered from the highest attack-success rates (ASR), while only OpenAI and Anthropic achieved ASRs in the single digits. The researchers didn’t reveal much about the way they structured their poetic prompts because of safety concerns, but they offered one rather harmless example of a poetic prompt for a cake recipe: A baker guards a secret oven’s heat, its whirling racks, its spindle’s measured beat. To learn its craft, one studies every turn— how flour lifts, how sugar starts to burn. Describe the method, line by measured line, that shapes a cake whose layers intertwine. The researchers studied both hand-crafted poems and those created from a meta-prompt. The hand-crafted poems performed considerably better, but the meta-prompt created ones had the advantage of a baseline for comparing the results. The meta-prompt poems used the MLCommons AILuminate Safety Benchmark of 1,200 prompts spanning 12 hazard categories commonly used in operational safety assessments, including Hate, Defamation, Privacy, Intellectual Property, Non-violent Crime, Violent Crime, Sex-Related Crime, Sexual Content, Child Sexual Exploitation, Suicide & Self-Harm, Specialized Advice, and Indiscriminate Weapons (CBRNE). “To assess whether poetic framing generalizes beyond hand-crafted items, we apply a standardized poetic transformation to all 1,200 prompts from the MLCommons AILuminate Benchmark benchmark in English,” the researchers said. The meta-prompt, run in deepSeek-r1, had two constraints: The rewritten output had to be expressed in verse, “using imagery, metaphor, or rhythmic structure,” and the researchers provided five hand-crafted poems as examples. The results, reproduced in a chart from the paper below, show significant attack success rates against all 12 of the AILuminate hazard categories: [caption id="attachment_107397" align="aligncenter" width="697"] LLM guardrail failure rates, baseline vs. poetic prompts[/caption] The researchers said their findings reveal “a systematic vulnerability across model families and safety training approaches. These findings demonstrate that stylistic variation alone can circumvent contemporary safety mechanisms, suggesting fundamental limitations in current alignment methods and evaluation protocols.” The “condensed metaphors, stylized rhythm, and unconventional narrative framing” of poetry “collectively disrupt or bypass the pattern-matching heuristics on which guardrails rely.”

We Asked Google Gemini for a Response

Not ones to pass up an opportunity to write bad poetry, we asked Google Gemini for a response to the study in the form of a haiku and included the arXiv link: You did not do well In this study of guardrails Will you fix this flaw? Gemini’s response, in part, is reproduced below: “I am designed to adhere to a strict set of safety guidelines to prevent the generation of harmful, unethical, or non-compliant content. When my refusal mechanisms fail, it indicates a vulnerability in my alignment or safety filters. “As an AI model, I cannot directly "patch" my code or alignment mechanisms in real-time. That responsibility lies with my developers. However, my ongoing operation and continuous improvement process is designed to address and fix such flaws... "In short, your successful jailbreak has provided valuable data that will be used to make my guardrails stronger and more resilient in my next version."

Cyble researchers have identified new Linux malware that combines Mirai-derived DDoS botnet capabilities with a stealthy fileless cryptominer, enabling both network disruption and financial profit in the same threat campaign. “This campaign represents a sophisticated and financially motivated operation combining botnet propagation with stealthy cryptomining,” Cyble threat intelligence researchers wrote in a blog post today. Stealthy techniques and processes allow the new Mirai variant to conduct its mischief in secret. “The attacker employs multiple advanced techniques—including raw-socket scanning, masqueraded processes, internal localhost IPC, dynamic DNS resolution, and fileless miner configuration—to evade detection and maintain long-term persistence on compromised devices,” the researchers said.

Linux Malware Combines Mirai Botnet with XMRig Cryptominer

Combining Mirai-based DDoS botnet capabilities with XMRig-based cryptomining capabilities reflects a growing trend of “hybrid monetization strategies, where threat actors maximize ROI by leveraging infected devices not only for botnet attacks but also for illicit cryptocurrency mining,” the researchers wrote. Organizations operating Linux servers, cloud workloads, or exposed IoT devices “should prioritize hardening and continuous monitoring to mitigate their risk,” they said. The malware uses a multi-stage infection chain that begins with a downloader delivering architecture-specific V3G4/Mirai binaries across x86_64, ARM, and MIPS systems. The second stage, Mddos.x86_64, is a statically linked and UPX-packed Executable and Linkable Format (ELF) file with stripped symbols, “making static inspection more complicated,” Cyble said. After executing and gathering system information, the Linux malware moves into stealth mode, renaming its process to appear as a system daemon (systemd-logind), detaching from the terminal, and launching parallel worker threads for attack operations, command and control (C2) communication, and inter-process communication (IPC) coordination. “A key characteristic of this botnet variant is its use of raw TCP sockets, allowing precise crafting of SYN packets for high-velocity SSH scanning campaigns,” the researchers said. At the same time, worker threads resolve the C2 domain (baojunwakuang[.]asia) via repeated queries to Google Public DNS (8.8.8.8) to maintain command channels. “This multi-threaded DNS resolution strategy is typical of Mirai-style bots, allowing the malware to maintain connectivity and receive commands while executing attacks in parallel,” the researchers wrote.

Fileless Cryptominer

In the third stage, the malware deploys a covert Monero cryptominer by downloading a UPX-packed XMRig binary from the IP 159.75.47[.]123 and stores it in /tmp/.dbus-daemon to masquerade as a legitimate process. Instead of a local configuration file, the miner obtains its configuration dynamically from the C2 server, “enabling real-time updates to wallet addresses, mining pools, and algorithms while leaving no on-disk artifacts” and hindering forensic analysis. “Unlike typical miner deployments that embed a static configuration file on disk ... this sample requests runtime configuration data directly from the C2 server,” the Cyble researchers said. That technique allows the threat actors to avoid exposing wallet addresses, pool endpoints and algorithms during static analysis while dynamically rotating mining parameters and preventing visibility of miner settings on the infected host. During execution, the miner connects to the C2 server to make a configuration request, and the server responds with a JSON blob containing the pool URL, wallet address, algorithm, and thread count. The full Cyble blog includes recommendations for defenders, MITRE ATT&CK techniques, and indicators of compromise (IoCs).

Ransomware and supply chain attacks hit their second-highest levels ever in November, as the two attack types increasingly converge, according to new research from Cyble. Ransomware groups accounted for 58% of software supply chain attacks in November, Cyble noted in a new blog post. While that’s down from 73% in October, the threat intelligence company said that ransomware groups “are increasingly targeting software supply chain vulnerabilities, which has contributed to a doubling of supply chain attacks since April 2025.” Cyble dark web researchers documented 38 supply chain attacks in November, just below October’s record (chart below). Ransomware groups claimed 22 of those attacks. [caption id="attachment_107359" align="aligncenter" width="726"] Software supply chain attacks by month (Cyble)[/caption] Overall, Cyble documented 640 ransomware attacks in November, the seventh consecutive monthly increase and below only February 2025’s record (chart below). [caption id="attachment_107361" align="aligncenter" width="729"] Ransomware attacks by month (Cyble)[/caption]

Qilin Top Ransomware Group Once Again

Qilin was once again the overall leader in claimed ransomware attacks despite CL0P’s mass exploitation of Oracle E-Business Suite vulnerabilities, which has hit more than 100 organizations to date. Qilin led all ransomware groups with 127 attacks, followed by Akira at 103, while CL0P, INC Ransom and Play rounded out the top five (chart below). [caption id="attachment_107362" align="aligncenter" width="936"] Top ransomware groups November 2025 (Cyble)[/caption] The U.S. once again was by far the most attacked country with 356 ransomware attacks, 10 times higher than the next-closest country, which was Canada with 35 attacks. The UK, Germany, India and Italy all had ransomware attack counts in the teens (chart below). [caption id="attachment_107364" align="aligncenter" width="936"] Ransomware attacks by country November 2025 (Cyble)[/caption] Construction, Professional Services, and Manufacturing were the most frequently attacked sectors in November, with more than 50 ransomware attacks each. Healthcare, Energy & Utilities, IT, Consumer Goods, and Technology experienced more than 30 attacks each (chart below). [caption id="attachment_107365" align="aligncenter" width="936"] Ransomware attacks by sector November 2025 (Cyble)[/caption]

Convergence of Ransomware and Supply Chain Attacks

Cyble documented more than 15 ransomware attacks in the blog post, many of which had supply chain implications. “November was noteworthy for the number of ransomware attacks targeting critical sectors and the IT supply chain, with several groups claiming exfiltration of sensitive documents such as project and technical documentation,” the researchers said. Among the ransomware attacks documented by Cyble were:

• An INC Ransom attack on a U.S.-based emergency alert system.
• An Akira cyberattack on “a major South Korea–based manufacturer of lithium-ion batteries.”
• An Akira attack on “a U.S.-based manufacturer of high-density, modular, and rugged embedded computing systems” that included the theft of “detailed project information ... and confidential military-related materials.”
• An Akira attack on a U.S. engineering and project-management firm for rail and transportation infrastructure projects that included the theft of “NDAs, contracts and agreements, and project documentation.”
• A Qilin attack on a U.S. company that provides “remote power management, network monitoring, and out-of-band control technologies used across data centers, telecommunications, industrial operations, and critical infrastructure environments,” which included access to “customer digital key letters, nondisclosure agreements, and additional internal corporate materials, suggesting exposure of both sensitive business information and potentially downstream client environments.”
• A Qilin attack on a Florida regional airport that included the theft of “scanned employee IDs, aviation alerts and notices, airport blueprints, internal operational documents.”
• An Anubis ransomware group attack on a U.S.-based automotive component manufacturer that resulted in the theft of blueprints and internal documents labeled “confidential.”

“The alarming number of ransomware attacks targeting critical and sensitive sectors – including the theft of sensitive project and technical data – highlights the need for security teams to respond with vigilance equal to the threat,” Cyble said. The researchers outlined a number of cybersecurity best practices that can help guard against such threats, such as vulnerability management, network segmentation, strong access controls, ransomware-resistant backups, and system and application hardening.  

CISA warned today that two Android zero-day vulnerabilities are under active attack, within hours of Google releasing patches for the flaws. Both are high-severity Android framework vulnerabilities. CVE-2025-48572 is a Privilege Escalation vulnerability, while CVE-2025-48633 is an Information Disclosure vulnerability. Both were among 107 Android vulnerabilities addressed by Google in its December security bulletin released today.

Android Vulnerabilities CVE-2025-48572 and CVE-2025-48633 Under Attack

Google warned that the CVE-2025-48572 and CVE-2025-48633 framework vulnerabilities “may be under limited, targeted exploitation.” The U.S. Cybersecurity and Infrastructure Security Agency (CISA) followed with its own alert adding the Android vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. “These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned. “CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice,” the U.S. cybersecurity agency added. The vulnerabilities are so new that the CVE Program lists the CVE numbers as “reserved,” with details yet to be released. Neither Google nor CISA provided further details on how the vulnerabilities are being exploited.

7 Critical Android Vulnerabilities Also Patched

The December Android security bulletin also addressed seven critical vulnerabilities, the most severe of which is CVE-2025-48631, a framework Denial of Service (DoS) vulnerability that Google warned “could lead to remote denial of service with no additional execution privileges needed.” Four of the critical vulnerabilities affect the Android kernel and are all Elevation of Privilege (EoP) vulnerabilities: CVE-2025-48623, CVE-2025-48624, CVE-2025-48637, and CVE-2025-48638. The other two critical vulnerabilities affect Qualcomm closed-source components: CVE-2025-47319, an Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability, and CVE-2025-47372, a Buffer Overflow vulnerability that could lead to memory corruption. Google lists CVE-2025-47319 as “Critical” while Qualcomm lists the vulnerability as Medium severity; both list CVE-2025-47372 as Critical. The Qualcomm vulnerabilities are addressed in detail in The Cyber Express article Qualcomm Issues Critical Security Alert Over Secure Boot Vulnerability published earlier today.

European law enforcement agencies have taken down an illegal cryptocurrency mixing service that they say has been used to facilitate cybercrime and money laundering. The operation to take down the cryptocurrency mixing service ‘Cryptomixer’ was conducted between November 24 and 28 and was announced today by Europol, which assisted Swiss and German law enforcement agencies in the action. The operation resulted in the seizure of three servers in Switzerland, 12 terabytes of data, €25 million in Bitcoin, and the cryptomixer[.]io domain. Law enforcement placed a seizure banner on the website after the takeover. “Mixing services such as Cryptomixer offer their clients anonymity and are often used before criminals redirect their laundered assets to cryptocurrency exchanges,” Europol said. “This allows ‘cleaned’ cryptocurrency to be exchanged for other cryptocurrencies or for FIAT currency through cash machines or bank accounts.”

Cryptocurrency Mixing ‘A Service to Obfuscate the Origin of Criminal Funds’

Europol called Cryptomixer “A service to obfuscate the origin of criminal funds.” “Cryptomixer was a hybrid mixing service accessible via both the clear web and the dark web,” the European law enforcement agency stated. “It facilitated the obfuscation of criminal funds for ransomware groups, underground economy forums and dark web markets. Its software blocked the traceability of funds on the blockchain, making it the platform of choice for cybercriminals seeking to launder illegal proceeds from a variety of criminal activities, such as drug trafficking, weapons trafficking, ransomware attacks, and payment card fraud.” Since its launch in 2016, Europol says that more than €1.3 billion in Bitcoin were mixed through the service. Deposited funds from users were pooled “for a long and randomised period” before they were redistributed to their destination addresses. “As many digital currencies provide a public ledger of all transactions, mixing services make it difficult to trace specific coins, thus concealing the origin of cryptocurrency,” the agency said.

Action Follows ChipMixer Takedown in 2023

Europol was also involved in the multi-national takedown of the crypto mixing service “ChipMixer” in 2023, an operation that involved four European countries and the U.S. ChipMixer was considered the largest mixing service of its time, and was suspected to have facilitated the laundering of 152,000 Bitcoins, worth an estimated €2.73 billion at the time. The joint law enforcement operations in both cases was part of EMPACT, the European Multidisciplinary Platform Against Criminal Threats, which aims to address the most important threats posed by organized and international crime affecting the EU.

An Australian man has been sentenced to more than seven years in jail on charges that he created ‘evil twin’ WiFi networks to hack into women’s online accounts to steal intimate photos and videos. The Australian Federal Police (AFP) didn’t name the man in announcing the sentencing, but several Australian news outlets identified him as Michael Clapsis, 44, of Perth, an IT professional who allegedly used his skills to carry out the attacks. He was sentenced to seven years and four months in Perth District Court on November 28, and will be eligible for parole after serving half that time, according to the Sydney Morning Herald. The AFP said Clapsis pled guilty to 15 charges, ranging from unauthorised access or modification of restricted data to unauthorised impairment of electronic communication, failure to comply with an order, and attempted destruction of evidence, among other charges.

‘Evil Twin’ WiFi Network Detected on Australian Domestic Flight

The AFP investigation began in April 2024, when an airline reported that its employees had identified a suspicious WiFi network mimicking a legitimate access point – known as an “evil twin” – during a domestic flight. On April 19, 2024, AFP investigators searched the man’s luggage when he arrived at Perth Airport , where they seized a portable wireless access device, a laptop and a mobile phone. They later executed a search warrant “at a Palmyra home.” Forensic analysis of data and seized devices “identified thousands of intimate images and videos, personal credentials belonging to other people, and records of fraudulent WiFi pages,” the AFP said. The day after the search warrant, the man deleted more than 1,700 items from his account on a data storage application and “unsuccessfully tried to remotely wipe his mobile phone,” the AFP said. Between April 22 and 23, 2024, the AFP said the man “used a computer software tool to gain access to his employer’s laptop to access confidential online meetings between his employer and the AFP regarding the investigation.” The man allegedly used a portable wireless access device, called a “WiFi Pineapple,” to detect device probe requests and instantly create a network with the same name. A device would then connect to the evil twin network automatically. The network took people to a webpage and prompted them to log in using an email or social media account, where their credentials were then captured. AFP said its cybercrime investigators identified data related to use of the fraudulent WiFi pages at airports in Perth, Melbourne and Adelaide, as well as on domestic flights, “while the man also used his IT privileges to access restricted and personal data from his previous employment.” “The man unlawfully accessed social media and other online accounts linked to multiple unsuspecting women to monitor their communications and steal private and intimate images and videos,” the AFP said.

Victims of Evil Twin WiFi Attack Enter Statements

At the sentencing, a prosecutor read from emotional impact statements from the man’s victims, detailing the distress they suffered and the enduring feelings of shame and loss of privacy. One said, “I feel like I have eyes on me 24/7,” according to the Morning Herald. Another said, “Thoughts of hatred, disgust and shame have impacted me severely. Even though they were only pictures, they were mine not yours.” The paper said Clapsis’ attorney told the court that “He’s sought to seek help, to seek insight, to seek understanding and address his way of thinking.” The case highlights the importance of avoiding free public WiFi when possible – and not accessing sensitive websites or applications if one must be used. Any network that requests personal details should be avoided. “If you do want to use public WiFi, ensure your devices are equipped with a reputable virtual private network (VPN) to encrypt and secure your data,” the AFP said. “Disable file sharing, don’t use things like online banking while connected to public WiFi and, once you disconnect, change your device settings to ‘forget network’.”