Cyber News 05DEC2025

General

• Yes, there's a bug in React Server, no it's not that big a deal. React 19 only (1 year old), and in a new component (React Server). Most use of React is client-side only, with other code providing the server-side backend. Likely the biggest way this is getting into codebases is via React Router.

We've seen some great scanners from the likes of Assetnote, which are very effective at detecting unpatched Next.js instances that use Server Components.

• https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
• https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
• https://react2shell.com/
• https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/
• https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/critical-vulnerability-in-react-server-components-cve-2025-55182
• https://arstechnica.com/security/2025/12/admins-and-defenders-gird-themselves-against-maximum-severity-server-vulnerability/
• https://www.bleepingcomputer.com/news/security/critical-react2shell-flaw-in-react-nextjs-lets-hackers-run-javascript-code/
• https://www.theregister.com/2025/12/03/exploitation_is_imminent_react_vulnerability/
• https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
• Insider Threats - sometimes a "second chance" doesn't pay off.

Twin brothers Muneeb and Sohaib Akhter, both 34, were also sentenced to several years in prison in June 2015, after pleading guilty to accessing U.S. State Department systems without authorization and stealing personal information belonging to dozens of co-workers and a federal law enforcement agent who was investigating their crimes.

After serving their sentences, they were rehired as government contractors and were indicted again last month on charges of computer fraud, destruction of records, aggravated identity theft, and theft of government information.

"Following the termination of their employment, the brothers allegedly sought to harm the company and its U.S. government customers by accessing computers without authorization, issuing commands to prevent others from modifying the databases before deletion, deleting databases, stealing information, and destroying evidence of their unlawful activities"

• https://www.bleepingcomputer.com/news/security/contractors-with-hacking-records-accused-of-wiping-96-govt-databases/
• https://therecord.media/twin-brothers-arrested-hacking-deleting-foia-databases
• https://www.theregister.com/2025/12/04/twin_brothers_charged_with_deleting_databases/
• Get ready to patch your Palo Altos (and SonicWalls). Grey Noise is seeing a spike in scanning. Previous reporting from Grey Noise has revealed a strong correlation between a spike in scanning, and disclosure of a vulnerability within 30-90 days.
  • https://www.greynoise.io/blog/hidden-pattern-credential-based-attacks-palo-alto-sonicwall
  • https://risky.biz/video/risky-biz-soap-box-greynoise-knows-when-bad-bugs-are-coming/
• Totally Trustworthy....RaidForums is back again. Is it a scam, is it a sting - who knows?
  • https://infosec.exchange/@DarkWebInformer/115663200505868862
  • raidforums[.]st
  • http://763olyp74dxnq4wrzukk3dde6ffahxxjzealf3bzvdoyd7tptksxiiad[.]onion
• [RU] Unsurprising - Russia is now blocking FaceTime and Snapchat, using the standard excuse "used to organize and carry out terrorist attacks in the country". Roskomnadzor is trying to push people on to the government's Max app (created in the image of WeChat).
  • https://www.bleepingcomputer.com/news/security/russia-blocks-facetime-and-snapchat-over-use-in-terrorist-attacks/
• [US] Financial Software provider Marquis suffered a breach - likely Akira - in August, due to a SonicWall device on its perimeter. Marquis serves 700+ banks, credit unions and lenders, with over 400k customer records impacted.
  • https://www.bleepingcomputer.com/news/security/marquis-data-breach-impacts-over-74-us-banks-credit-unions/
• [US] Pentagon Auditors agree that US Defence Secretary Pete Hegseth "broke the rules when he sent sensitive information to a Signal chat group".

The DoD OIG...finding that the Signal messages repeated material taken from a USCENTCOM email labeled "SECRET//NOFORN" and contained operational details that should have been handled at the secret level.

even though Hegseth insisted he'd declassified what he sent, the OIG found he still broke Pentagon rules by using both a personal device and a nonapproved commercial messaging app to share it.

• https://www.theregister.com/2025/12/04/dod_hegseth_broke_pentagon_policy_signal/
• The latest in quality Microsoft code - M365 licence check failing

"Our analysis of the components of Microsoft 365 infrastructure, as well as recently deployed changes, identified that a recent service update containing a code issue is impacting the license check process, leading to users being unable to download Microsoft 365 desktop apps from the homepage"

• https://www.bleepingcomputer.com/news/microsoft/microsoft-bug-in-microsoft-365-license-checks-blocks-desktop-app-downloads/

Getting Techy

• Exposé on Intellexa's Predator Spyware

The video begins with an instructor connecting directly to a remotely deployed, “on-premises” Predator customer system, with codename EAGLE_2, usingTeamViewer.

When a staff member asks if they were connecting to a testing environment, the instructor states in the video that they are accessing and viewing a live “customer environment”. Amnesty International believes that the code names represent real customer deployments, and indeed some of the same customer code names are referenced in email communication also visible at points during the same training video.

• https://securitylab.amnesty.org/latest/2025/12/intellexa-leaks-predator-spyware-operations-exposed/
• https://techcrunch.com/2025/12/04/sanctioned-spyware-maker-intellexa-had-direct-access-to-government-espionage-victims-researchers-say/
• (Haaretz) https://archive.is/7zhMz
• https://therecord.media/intellexa-predator-spyware-continues-despite-sanctions
• Nice little dive into Named Pipes and EDR bypasses, eases you in.
  • https://bl4ckarch.github.io/posts/PrintSpoofer_from_scratch/

Geo-Politics

• [UK] Fresh sanctions against Russia, over a badly botched assassination attempt in 2018 (Sergei Skripal). The Novichok nerve agent was in a perfume bottle the would-be assassins failed to dispose of safely. It was found by a bystander, and gifted to his partner, who later died from Novichok exposure.

Charlie Rowley told the police that he had found the ‘perfume box’ at some time previously, and that on the morning of Saturday 30 June 2018, at the flat in Muggleton Road, he had offered it to Dawn Sturgess in case she was interested in it. He explained that it seemed to him a good idea to make a gift to her, given that he was anticipating a complaint from her about the previous night’s excesses and their hungover condition

I have concluded that the operation to assassinate Sergei Skripal must have been authorised at the highest level, by President Putin.

• https://dsiweb-prod.s3.eu-west-2.amazonaws.com/uploads/Web_Accessible_E03283426_Project-Orbit.pdf
• https://therecord.media/uk-sanctions-russia-gru-cyber-spies-nerve-agent-attack
• [US] ICE is teaming up with unrelated agencies, to expand coverage.

LDWF partnered with ICE under the agency’s 287(g) program, named after the section of the Immigration and Nationality Act that enables officers and employees at the state or local level to perform some of the functions of US immigration officers, such as investigating, apprehending, detaining, or transporting people suspected of violating immigration law

The report claims that no one on the patrol witnessed any crimes or civil violations. Despite this, it says that “the federal partners were able to identify and detain 3 subjects for immigration issues,” adding that “all arrestees were transported by Federal agencies to detention centers.” It’s unclear why these individuals were singled out, but all three appear to have Hispanic last names.

• https://www.wired.com/story/story/the-louisiana-department-of-wildlife-and-fisheries-is-detaining-people-for-ice/

Privacy

• [UK] British Home Office wants to expand the use of Facial Recognition - this could rapidly approach the same levels as Automated Licence Plate Recognition (ALPR, such as Flock) in the US. Dangers include creating sequence-of-life trails for innocent parties, potentially disclosing sensitive associations.
  • https://therecord.media/british-officials-seek-to-expand-facial-recognition-tech-use
• [US] New Virtual Mobile Network Operator Phreeli aims to bring back privacy to mobile phone service.
  • (Wired) https://archive.is/EgEkS

AI

• Cloudflare CEO Matthew Prince discusses AI Crawlers

Since July 2024, Cloudflare has offered customers tools to block AI bots from scraping their content. Cloudflare told WIRED that the number of AI bots blocked since July 1, 2025 is 416 billion.

Google combined its search and AI crawlers into one, so blocking its AI scraper also blocks a site’s ability to be indexed in Google search. The move has put content creators in a bind, because they don’t want AI models to train on their creations, but they typically need their place in Google search to help audiences find their material.

Prince says Cloudflare found that Google currently sees 3.2 times more pages on the internet than OpenAI, 4.6 times more than Microsoft, and 4.8 times more than Anthropic or Meta does.

• (Wired) https://archive.is/i6IMt