Cyber News 08DEC2025
General
- Cloudflare’s attempt to patch React2Shell in their WAF product led to outages. The WAF update was a staged rollout; disabling the WAF testing tool was not, and this latter change caused the 500 errors.
A change made to how Cloudflare's Web Application Firewall parses requests caused Cloudflare's network to be unavailable for several minutes this morning. This was not an attack; the change was deployed by our team to help mitigate the industry-wide vulnerability disclosed this week in React Server Components.
- https://www.cloudflarestatus.com/incidents/lfrm31y6sw9q
- https://blog.cloudflare.com/5-december-2025-outage/
- https://www.bleepingcomputer.com/news/technology/cloudflare-down-websites-offline-with-500-internal-server-error/
- https://www.bleepingcomputer.com/news/security/cloudflare-blames-todays-outage-on-emergency-react2shell-patch/
- https://www.theregister.com/2025/12/05/react2shell_pocs_exploitation/
- Attackers are already trying to exploit React2Shell. Initially there was a flood of fake exploits; real ones are now available.
- https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
- https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far
- https://www.bleepingcomputer.com/news/security/react2shell-critical-flaw-actively-exploited-in-china-linked-attacks/
- https://www.cybersecuritydive.com/news/state-linked-critical-vulnerability-react-server/807228/
- https://therecord.media/chinese-hackers-exploiting-react2shell-vulnerability-amazon
- https://www.theregister.com/2025/12/05/aws_beijing_react_bug/
- Smishers are back for Christmas – China-based smishers have deployed thousands of phishing domains “in just the past few days”. This time, using points-redemption as the lure.
- More from Brian Krebs – Russian cheating service “Nerdify”, and other business ventures by Olekszij Pokatilo and Filip Perkon.
- Sky News has a long-form article on the pathways for kids into hacking.
- Lockbit’s new infrastructure has leaked already
- [EU] X (Twitter) fined €120m over “deceptive design of its ‘blue checkmark’, the lack of transparency of its advertising repository, and the failure to provide access to public data for researchers”
- [PT] Portugal has a “legal safe harbor for good-faith security research”
Getting Techy
- Messing with SVG overlays in a webpage to mislead a user (clickjacking)
Geo-Politics
- Chatbots can sway voters better than traditional advertising
In the U.S. experiment, the pro-Harris AI model moved likely Trump voters 3.9 points toward Harris, which is a shift that is four times larger than the impact of traditional video ads used in the 2016 and 2020 elections.
- [US] Trump’s national security strategy has been released.
The goal is to enable the U.S. to “conduct real-time discovery, attribution, and response (i.e., network defense and offensive cyber operations) while protecting the competitiveness of the U.S. economy and bolstering the resilience of the American technology sector,”
“Ending the perception, and preventing the reality, of NATO as a perpetually expanding alliance”
“Encouraging Europe to take action to combat mercantilist overcapacity, technological theft, cyber espionage, and other hostile economic practices”
Privacy
- [US] The Customs and Border Protection (CBP) app for non-ICE (e.g. police) usage has disappeared from the Google Play store. It is unclear at this stage who removed it (update: it was CBP), and for how long.
Google told 404 Media it did not remove the app, and directed inquiries to its developer. CBP did not immediately respond to a request for comment.
- (404 Media) https://archive.is/ioCQI
AI
- Interesting essay from Embrace the Red, on “The Normalization of Deviance in AI” – LLMs still hallucinate and are still vulnerable to prompt-injection attacks; however, the warnings about these issues are so ‘normal’ that they’re largely ignored.
- Anthropic introduces a new benchmark, “SCONE” (Smart CONtracts Exploitation), which “evaluates agents’ ability to exploit smart contracts, measured by the total dollar value of simulated stolen funds”.
Collectively, these models produced turnkey exploits for 207 (51.11%) of these problems, yielding $550.1 million in simulated stolen funds.
- OpenAI adverts for ChatGPT Plus users – it’s not “advertising”, it’s an “app recommendation from a pilot partner”.
- CISA (along with a suite of partners) has released its “Principles for the Secure Integration of Artificial Intelligence in Operational Technology”
“AI may not be reliable enough to independently make critical decisions in industrial environments. AI can also hallucinate, which would provide operators with incorrect information for decision-making”
- [US] Concerning melding of AI and nuclear power.
The problem is that AI requires massive datacenters to run and those datacenters need an incredible amount of energy. To solve the problem, the US is rushing to build out new nuclear reactors.
the presentation attempted to quantify the amount of human involvement these new AI-controlled power plants would have. He estimated less than five percent “human intervention during normal operations.”