A
From the CISO series. It's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Monday, December 8, 2025. I'm Steve Prentiss.

New wave of VPN login attempts on Palo Alto portals. This new campaign started on December 2 and originated from more than 7,000 IP addresses from infrastructure operated by the German IT company 3xK, which operates as a hosting provider. The target is Palo Alto GlobalProtect portals, and the activity has taken the form of brute-force and login attempts pivoting to scanning SonicWall API endpoints, according to threat intelligence company GreyNoise. Notably, the GlobalProtect VPN and remote access component of Palo Alto Networks' firewall platform is used by large enterprises, government agencies and service providers.

NATO holds its largest ever cyber defense exercise. According to The Record, NATO this week challenged around 1,300 participants in a cyber defense exercise to guard against major attacks on critical infrastructure, including power plants, fuel depots, commercial satellites and military networks. This was part of its annual Cyber Coalition exercise and involved 29 allies and seven partner nations seeking to coordinate their responses to seven major storylines. This was NATO's largest ever cyber defence exercise, with most of the participants logging in from their own desks rather than traveling to a central location. It was directed by U.S. Navy Commander Brian Kaplan.

Chinese hackers exploiting React2Shell bug. According to a report from Amazon Integrated Security, state-backed hackers in China are exploiting a vulnerability referred to colloquially as React2Shell, a popular open-source tool built into thousands of widely used digital products. The vulnerability carries a critical severity score of 10 out of 10 and has been added to CISA's KEV catalog. Amazon says exploitation attempts came from IP addresses and infrastructure linked to known China state-nexus threat actors, but noted that attribution is challenging due to anonymization infrastructure among Chinese threat groups. Adding, quote, "The speed at which the Chinese groups were able to operationalize public proof-of-concept exploits underscores a critical reality of how quickly sophisticated threat actors can weaponize them," end quote.

UK Barts Health National Health Service discloses Oracle-related data breach. The organization, based in London, has disclosed that Clop ransomware actors stole invoice data from a database by exploiting a zero-day flaw in Oracle E-Business Suite. The breach exposed names and addresses of people who paid for treatments, as well as some former staff and supplier information. Data relating to accounting services for a neighbouring trust was also taken and later leaked on Clop's dark web portal. Although the theft occurred in August, Barts only became aware in November. The trust says clinical systems were unaffected and has notified UK authorities. Affected patients are advised to review invoices and watch for suspicious communications.
Huge thanks to our sponsor Adaptive Security.
This episode is brought to you by Adaptive Security, the first cybersecurity company backed by OpenAI. Deepfakes aren't science fiction anymore, they are a daily threat. So here's a quick tip. If your voicemail greeting is your real voice, switch it to the default robot voice. A few seconds of audio can be enough to clone you. Adaptive helps teams spot and stop these AI-powered social engineering attacks, and you can learn more at adaptivesecurity.com. That is adaptive security, all one word, dot com.
Virtual kidnapping scams gaining popularity. A new and rather heinous twist on cyber extortion is the virtual kidnapping scam, in which criminals alter social media photographs of people as proof of life as they contact family members of the individual with a ransom demand, according to an alert from the FBI. This campaign can also include scraping images from legitimate missing person alerts, as well as choosing regular non-missing people as part of what the FBI calls emergency scams. Naturally, some of the threat actors use AI to alter the photos into short videos, threatening violence if payment is not forthcoming, and using timed messages that disappear quickly to avoid victims scrutinizing them too closely.
Pharma firm Inotiv discloses data breach following August attack. Following up on a story we covered in August, this particular pharmaceutical firm, spelled Inotiv, is now notifying its current and former employees, their family members, as well as certain other people who have interacted with the company or with the companies it has acquired, that the ransomware attack that occurred in August has resulted in the theft of data. The company has not yet shared publicly which types of data were stolen during the incident, nor has it attributed the attack to a specific cybercrime operation.

Porsche outage in Russia locks down cars. According to owners and dealers in the country, hundreds of Porsche vehicles became undriveable after their factory-installed satellite security system malfunctioned. The outage included sudden engine shutdowns and fuel delivery blocks after their cars lost satellite alarm module connectivity, leaving models at the risk of self-locking. The problem appears to be caused by the vehicle tracking system (VTS), which is an onboard module and can affect every model of the brand. Some users have been able to implement a workaround by disabling or rebooting the VTS system, while others succeeded after disconnecting the battery for a few hours.
Organizations warned to choose their next CISO wisely. According to an article posted in Dark Reading by David Schwed, COO of Sovereign AI, we are enjoying a global CISO hiring spree. This is due to an increase in the number of AI labs, cryptocurrency exchanges and financial institutions who all need one. The article, however, warns that companies and organizations must choose between two very different archetypes of CISO. This means that choosing an engineering-focused CISO over a holistic CISO can be risky. In short, he says, an engineering-focused CISO treats security as solely a technical problem, which can build clean architecture and preventative controls. But this approach often just moves the risk, with attackers exploiting weaknesses elsewhere, such as human workflow gaps. A holistic CISO, by contrast, understands security as a broader system involving people, process and technology, and designs for resilience, not just prevention. A link to this article in all its detail is available in the show notes to this episode.

It's Monday, and that means it's time for the Department of Know at 4pm Eastern today. Join us on our YouTube channel for the livestream. We'll be breaking down the biggest news items from the past week and helping you understand what they mean for your security program. Join in the chat, have some fun, and learn something to kick off your week. It starts at 4pm Eastern today, so be sure you're subscribed to the CISO Series YouTube channel and join us. And if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss reporting for the CISO Series.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Podcast: Cyber Security Headlines
Host: Steve Prentiss
Episode: Palo Alto VPN attacks, NATO cyberdefense exercise, Chinese exploit React2Shell
Date: December 8, 2025
This episode covers the latest and most pressing topics in cybersecurity, focusing on a new wave of VPN-based attacks targeting Palo Alto's GlobalProtect portals, NATO's largest-ever cyber defense drill, exploits by Chinese threat actors targeting a critical open-source vulnerability ("React2Shell"), and several notable cyber incidents. The discussion also examines strategic security leadership choices and emerging scam tactics. Host Steve Prentiss delivers concise, rapid-fire analysis suitable for security professionals and IT decision-makers.
On rapid threat actor adaptation:
"The speed at which the Chinese groups were able to operationalize public proof of concept exploits underscores a critical reality..."
— Steve Prentiss [02:38]
On technical vs. holistic CISOs:
"...an engineering-focused CISO... can build clean architecture and preventative controls. But this approach often just moves the risk."
— Steve Prentiss paraphrasing David Schwed [06:22]
On the emotional impact of virtual kidnapping scams:
"...a new and rather heinous twist on cyber extortion is the virtual kidnapping scam..."
— Steve Prentiss [04:08]
Steve Prentiss delivers updates with clarity and urgency, providing actionable intelligence for the cybersecurity community. The language is professional, concise, and sometimes peppered with industry jargon, but always makes practical implications clear.
For more details or to dive deeper on any story, visit CISOseries.com.