InfoSec News 19DEC2025
General
- CVSS 10 in HPE's "OneView" infrastructure management software. Hopefully this is only exposed inside a datacentre, so it would only be useful for pivoting and PrivEsc after initial access.
- Wiz held its Zeroday Cloud hacking contest. Payouts included: Redis x 5, PostgreSQL x 3, Grafana, Linux kernel, MariaDB
- Amazon catches North Korean IT worker
Normally, a U.S.-based remote worker’s computer would send keystroke data within tens of milliseconds. This suspicious individual’s keyboard lag was “more than 110 milliseconds,”
- [AU] The University of Sydney has notified of a data breach via a code repository containing personal information on approximately 27,500 staff, alumni and affiliates.
Last week we were alerted to suspicious activity in one of our online IT code libraries....While principally used for code storage and development, unfortunately there were also historical data files in this code library containing personal information about some members of our community.
Our current investigations indicate the accessed data includes:
- personal information of around 10,000 current staff and affiliates, that were employed or affiliated as at 4 September 2018
- personal information of around 12,500 former staff and affiliates, that were employed or affiliated as at 4 September 2018
- a series of historical data sets predominantly from 2010-2019 containing personal information of around 5000 alumni and students, as well as six supporters.
- https://www.sydney.edu.au/news-opinion/news/2025/12/18/notification-of-cyber-and-data-breach.html
- https://www.sydney.edu.au/news-opinion/news/2025/12/18/cyber-data-breach-faqs.html
- https://www.bleepingcomputer.com/news/security/university-of-sydney-suffers-data-breach-exposing-student-and-staff-info/
- [EU] French authorities have arrested a Latvian suspect for installing malware on an Italian passenger ferry. Rounding out the trans-European angle, French authorities obliquely implied that Russia was behind the attack.
- [FR] A 22-year-old has been arrested in relation to the hack of the French Ministry of the Interior (including its email). A post by the new admin of yet-another-BreachForums claimed responsibility earlier. No formal attribution has been announced.
Prosecutors say the suspect, born in 2003, was already known to them after having been convicted of similar crimes earlier this year.
- https://www.bleepingcomputer.com/news/security/france-arrests-suspect-tied-to-cyberattack-on-interior-ministry/
- Maybe related - internal disputes in Shiny Hunters
- (shinyhunte.rs) https://archive.is/I4JNm
Getting Techy
- RansomHouse (a ransomware-as-a-service platform) has tweaked its encryption scheme, both how it encrypts (two different keys) and which parts of a file it encrypts. This encryption 'efficiency' makes sense given its primary target of VMware ESXi servers, where the disk images it's encrypting can be quite large.
- GreyNoise have fun looking at some of the exploits being thrown around for React2Shell, especially some of the fairly comical early ones.
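Encrypting only some stripes of a large file is the usual way ransomware gets that kind of speed-up against multi-gigabyte disk images, and it leaves a recognisable fingerprint: the file's per-block entropy alternates between the plaintext's low values and the near-8-bits-per-byte of ciphertext. The following is an added example of that detection check, not RansomHouse's code or anything from the article it links; the 4 KiB window, the 7.0 bits/byte threshold and the "every n-th block" stripe pattern are assumptions for the demo, and the sample buffers are constructed in-line (pseudo-random bytes stand in for ciphertext).

```python
import math
import random
from collections import Counter

BLOCK = 4096         # analysis window in bytes; an assumption for this demo, not RansomHouse's chunk size
HIGH_ENTROPY = 7.0   # bits per byte; output of a modern cipher sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of one block (0.0 for an empty block)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, block: int = BLOCK) -> list:
    """Per-block entropy across a buffer, in file order."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]


def classify(profile, high: float = HIGH_ENTROPY) -> str:
    """'clear'        : no block looks encrypted
       'full'         : every block looks encrypted (whole-file encryption)
       'intermittent' : a mix, i.e. only some stripes of the file were encrypted"""
    hot = [e >= high for e in profile]
    if not any(hot):
        return "clear"
    if all(hot):
        return "full"
    return "intermittent"


# ---- constructed sample data: not real disk images and not real ransomware output ----

def plaintext_blocks(count: int) -> bytes:
    """Low-entropy filler standing in for a VMDK full of repetitive filesystem data."""
    filler = (b"vmdk sector data 0123456789 " * (BLOCK // 28 + 1))[:BLOCK]
    return filler * count


def encrypt_every_nth(data: bytes, n: int, seed: int = 1) -> bytes:
    """Simulate intermittent encryption: overwrite every n-th block with
    pseudo-random bytes (a stand-in for ciphertext, which is statistically
    indistinguishable from random). n=1 simulates whole-file encryption.
    Fixed seed so the demo is repeatable."""
    rng = random.Random(seed)
    out = bytearray(data)
    for i in range(0, len(data), BLOCK * n):
        out[i:i + BLOCK] = rng.randbytes(BLOCK)
    return bytes(out)


def demo() -> dict:
    clear = plaintext_blocks(16)
    partial = encrypt_every_nth(clear, 4)   # blocks 0, 4, 8, 12 "encrypted"
    full = encrypt_every_nth(clear, 1)      # every block "encrypted"
    return {name: classify(entropy_profile(buf))
            for name, buf in (("clear", clear), ("partial", partial), ("full", full))}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:8s} -> {verdict}")
```

Two caveats for anyone turning this into a real triage script: already-compressed content (JPEG, zip, some VM snapshots) is high-entropy on its own, so compare against a known-good copy or file-type baseline rather than an absolute threshold alone, and a 'full' verdict on a VMDK is itself worth an alert, since a legitimate disk image is rarely uniformly random end to end.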
Geo-Politics
- [KP] North Korea had a very successful year stealing cryptocurrency, starting strongly with Bybit (US$1.5b) and cruising to finish the year on at least US$2.02b. Accounting for ~75% of total service compromises, they're the ones to watch out for.
Privacy
- [US] The Pennsylvania Supreme Court has ruled that police don't need a warrant to obtain Google search data.
In its opinion, the court said that internet users making searches have no reasonable right to privacy because “it is common knowledge that websites, internet-based applications, and internet service providers collect, and then sell, user data.”
- [US] Customs and Border Protection (CBP) wants to expand its drone programme - not just small "vertical-takeoff and -landing drones small enough to be carried and launched by individual teams", but also expanding its purchasing of Predator B (MQ-9) drones. "MQ-9 can reportedly remain aloft for more than 27 hours at altitudes approaching 50,000 feet, surveying vast areas with multi-sensor payloads."
drone and counter-drone technology and “mitigation measures” that can be used not only for federally secured special events, such as the 2026 FIFA World Cup
Flight logs and public records show that the agency has repeatedly deployed uncrewed aircraft in support of other federal missions, including aerial monitoring during protests and assistance with interior immigration enforcement. That overlap has intensified concerns that tools developed for border control can migrate quickly into domestic policing.
- (Wired) https://archive.is/wQXgX
- [US] Immigration and Customs Enforcement (ICE) is looking to beef up its internal logging and insider-threat detection. On the surface this sounds good; however, concerns have been raised about internal dissent and considerations of 'loyalty'.
The expansion of internal monitoring comes as the Trump administration has framed dissent inside federal agencies as a threat, moving to aggressively identify and remove career officials viewed as ideologically misaligned with the administration, particularly in national security and law enforcement roles.
Since returning to office, the Trump White House has portrayed internal dissent in explicitly loyalty-based terms—as opposed to misconduct, malfeasance, or efforts to deliberately undermine the government—framing political disagreement with the president’s goals as grounds for firing.
Several watchdog groups have warned that expanded monitoring systems, when paired with weakened oversight, can blur the line between cybersecurity and retaliation. Tools built to detect breaches or misuse, they say, can just as easily be repurposed to track internal critics, especially when privacy safeguards and independent review are thin.
- (Wired) https://archive.is/5ydN5
AI
- [US] Immigration and Customs Enforcement (ICE) has contracted with an AI "skip tracing" service, allegedly as part of ICE's Enforcement and Removal Operations (ERO).