Cyber News 09DEC2025
General
- Examination of the SharePoint attacks from mid-year.
What does it mean that three separate China-linked groups all moved on the same SharePoint vulnerabilities at nearly the same time? Were the three threat clusters truly independent, how did they all obtain workable exploits so quickly, and what were their ultimate objectives?
- More malicious activity out of China - exploitation of the recent React (v19) Server vulnerability.
In the attacks tracked by Unit 42, the hackers used malware strains known as Snowlight and Vshell — malicious tools previously tied to a contractor for China's Ministry of State Security (MSS) by incident responders at Mandiant.
- IBM to buy Apache Kafka and Apache Flink maker Confluent, for US$11b
- (Wall Street Journal) https://archive.is/qGYwl
- [EU] Europol "Operational Taskforce" (OTF) GRIMM, is taking on Violence-as-a-Service (VaaS).
63 perpetrators arrested, directly preventing violent crimes
40 enablers apprehended, halting their facilitation of violence-for-hire services
84 recruiters detained, obstructing efforts to exploit vulnerable young people
6 instigators arrested, including 5 High Value Targets
- https://www.europol.europa.eu/media-press/newsroom/news/operational-taskforce-grimm-193-arrests-in-6-months-tackling-violence-service-networks
- https://www.theregister.com/2025/12/08/european_cops_arrest_193/
- [RU] Russian crims make the mistake of stealing inside Russia. This "interregional criminal group" used NFC relay attacks ("NFCGate") to withdraw cash from ATMs.
The fraudsters' attack began according to the traditional scenario with a phone call. The victim was persuaded to install a special file disguised as an official banking application on his device. In the authorization application, it is allegedly necessary to bring a bank card to the back of the smartphone, and then enter the PIN code on the keyboard. As a result of its activation, accomplices were able to withdraw money from ATMs in any region of Russia.
- (Telegram) https://archive.is/Cjn7v
- https://therecord.media/russian-police-bust-banking-hackers-nfcgate-based-malware
- [RU] The kids aren't alright - backlash to Russia's ban of Roblox.
Roskomnadzor has blocked the Roblox gaming platform, popular with children, in the Russian Federation for distributing extremist materials and LGBT-themed propaganda
- https://therecord.media/russia-bans-roblox-drawing-criticism-from-kids
- (Telegram) https://archive.is/5qgtM
- [US] Good news from US Financial Crimes Enforcement Network (FinCEN) data - ransomware payments peaked in 2023.
In 2023, the value of reported ransomware payments reached an all-time high, totaling approximately $1.1 billion... In 2024, there were 1,476 reported ransomware incidents, and approximately $734 million in reported ransomware payments in BSA reports.
The highest cumulative suspicious payment amounts were associated with ALPHV/BlackCat (approximately $395.3 million) and LockBit (approximately $252.4 million), according to BSA reports filed with FinCEN during the review period.
- https://www.fincen.gov/system/files/2025-12/FTA-Ransomware.pdf
- https://www.bleepingcomputer.com/news/security/fincen-says-ransomware-gangs-extorted-over-21b-from-2022-to-2024/
- https://www.cybersecuritydive.com/news/ransomware-peaked-2023-enforcement-decrease/807291/
- https://therecord.media/fincen-treasury-2-billion-ransomware-payments-report
- [US] Report from Check Point suggests threat actors are getting more professional, pre-positioning for access, more likely to be ideologically motivated (but still targeting financial outcomes).
Geo-Politics
- [UK] Ministry of Defence (MoD) is stepping up protection of subsea cables, "in direct response to a resurgence in Russian submarine and underwater activity, including the activities of Russian spy ship Yantar around UK waters".
Britain will be more secure from Russian undersea threats in the North Atlantic through a transformation of the Royal Navy and its submarine-hunting capabilities. ...
Atlantic Bastion will create an advanced hybrid naval force to defend the UK and NATO allies against evolving threats. It will enable the UK to find, track and, if required, act against adversaries with unprecedented effectiveness across vast areas of ocean.
Privacy
- [EU] In response to an EU fine in April, Meta have proposed allowing EU residents "to share less personal data and see fewer personalized ads".
Meta will give users the effective choice between: consenting to share all their data and seeing fully personalised advertising, and opting to share less personal data for an experience with more limited personalised advertising. Meta will present these new options to users in the EU in January 2026.
- https://digital-markets-act.ec.europa.eu/meta-commits-give-eu-users-choice-personalised-ads-under-dma-2025-12-08_en
- https://therecord.media/meta-less-data-sharing-european-commission
- [UK] Information Commissioner's Office (ICO) criticises Home Office for hiding "significant biases in police facial recognition technology".
"It's disappointing that we had not previously been told about this, despite regular engagement with the Home Office and police bodies as part of our wider work to hold government and the public sector to account on how data is being used in their services.
- [US] Joshua Aaron, the developer of Immigration and Customs Enforcement (ICE) spotting app "ICEBlock" is fighting back. The lawsuit is targeting Attorney General Pam Bondi, head of Department of Homeland Security (DHS) Kristi Noem, and acting director of ICE Tom Homan, on the basis of First Amendment rights.
AI
- A really good write-up on Prompt Injection from the UK's NCSC
Current large language models (LLMs) simply do not enforce a security boundary between instructions and data inside a prompt
Under the hood of an LLM, there’s no distinction made between ‘data' or ‘instructions'; there is only ever ‘next token’ ... As there is no inherent distinction between ‘data’ and ‘instruction’, it’s very possible that prompt injection attacks may never be totally mitigated in the way that SQL injection attacks can be.
- https://www.ncsc.gov.uk/blog-post/prompt-injection-is-not-sql-injection
- https://therecord.media/prompt-injection-attacks-uk-intelligence-warning
- Google's Chrome is taking the highly questionable approach of using an LLM to check an LLM's work. In an attempt to add safety to 'agentic browsing', one instance of Gemini controls the browser, another instance checks the other's work. It might help, but won't be a complete protection.
Origin Sets - a more traditional, deterministic control - sounds promising. It splits origins into either No Access, Read-Only or Read-Write. This will hopefully limit the potential sites available for data exfiltration...however the decision about which set the origin goes into is made by.... the second LLM, sigh. - Gartner not so bullish on AI Browsers
Gartner’s fears about the agentic capabilities of AI browser relate to their susceptibility to “indirect prompt-injection-induced rogue agent actions, inaccurate reasoning-driven erroneous agent actions, and further loss and abuse of credentials if the AI browser is deceived into autonomously navigating to a phishing website.”
- [US] Trump planning Executive Order to stop states from regulating AI
There must be only One Rulebook if we are going to continue to lead in AI. We are beating ALL COUNTRIES at this point in the race, but that won’t last long if we are going to have 50 States, many of them bad actors, involved in RULES and the APPROVAL PROCESS. THERE CAN BE NO DOUBT ABOUT THIS! AI WILL BE DESTROYED IN ITS INFANCY! I will be doing a ONE RULE Executive Order this week. You can’t expect a company to get 50 Approvals every time they want to do something. THAT WILL NEVER WORK!