A
You're listening to the Cyberwire Network powered by N2K.
B
Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero-trust networks including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless, transform complexity into simplicity and give your team time to focus on what really matters, helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R dot com slash cyberwire.
Chinese threat actors deploy Brickstorm malware. The critical React2Shell vulnerability is under active exploitation. Cloudflare's emergency patch triggered a brief global outage. Phishing kits pivot to fake e-commerce sites. The European Commission fines X, formerly Twitter, 120 million euros for violating the Digital Services Act. Predator spyware has a new bag of tricks. A Russian physicist gets 21 years in prison for cybercrimes. Twin brothers are arrested for allegedly stealing and destroying government data. Our guest is Blair Canavan, Director of Alliances for PKI and PQC Portfolio from Thales, discussing post-quantum cryptography. And smart toilet encryption claims don't hold water.
It's Friday, December 5th, 2025. I'm Dave Bittner and this is your Cyberwire Intel Briefing.
Thanks for joining us here today. Happy Friday. It is great to have you with us. Chinese state-sponsored threat actors are deploying Brickstorm malware to maintain persistent access, steal files and eavesdrop on government and IT networks worldwide, according to a joint report from CISA, the NSA and the Canadian Centre for Cyber Security. The agencies analyzed eight samples taken from victim environments. The report says the People's Republic of China is targeting government and information technology organizations, though it does not identify specific victims. CrowdStrike separately observed activity against a government entity in the Asia-Pacific region. One investigated intrusion showed PRC actors gaining long-term access to an organization's VMware and Windows systems, compromising domain controllers and an Active Directory Federation Services server to export cryptographic keys. Officials warn the operation reflects China's intent to embed deeply for espionage, disruption or future sabotage, though China denies the allegations. Multiple China-linked threat actors began exploiting the critical React2Shell vulnerability within hours of its public disclosure. The flaw is an insecure deserialization issue in the React Server Components Flight protocol that enables unauthenticated remote code execution in React and Next.js applications. Although initially assigned a separate identifier, the Next.js tracking number was rejected as a duplicate. The bug affects several recent React versions, placing thousands of projects at risk. Wiz estimates 39% of observed cloud environments are vulnerable. AWS reports that China-nexus groups Earth Lamia and Jackpot Panda immediately incorporated the flaw into active campaigns. Alongside additional activity from unattributed China-based infrastructure, attackers are manually testing payloads, running reconnaissance commands and adjusting exploits in real time.
Valid proof-of-concept exploits have been published, increasing risk despite available patches. Researchers have released scanners to help organizations determine exposure.
As a follow-on to the React2Shell disclosures, Cloudflare confirmed that a brief global outage today was the unintended result of its emergency mitigation efforts. The company deployed a rapid patch to its web application firewall to blunt exploitation of the vulnerability. That change, meant to block malicious HTTP requests targeting vulnerable React versions, inadvertently caused sections of Cloudflare's network to return 500 Internal Server Errors for several minutes. Cloudflare emphasized that the disruption was not an attack, but a side effect of its accelerated response. China-based phishing groups behind persistent scam SMS campaigns are now selling phishing kits that mass-produce convincing fake e-commerce sites designed to steal payment card data and enroll victims' cards into Apple or Google mobile wallets. Krebs on Security says these groups are also pushing new lures, including fake tax refunds and mobile rewards points. Thousands of recently registered domains spoof T-Mobile and AT&T, directing mobile users to sites that harvest personal and card data, then request bank one-time codes to finalize fraudulent wallet enrollment. Experts warn that fake storefronts are harder to detect because they blend into normal shopping behavior and often go unnoticed until purchases fail to arrive. Security researchers urge quick reporting of smishing messages to help identify and block these domains.
Speaking of phishing kits, Barracuda says a previously unidentified phishing kit, now called GhostFrame, has fueled more than 1 million attacks since September of this year. The kit hides all malicious activity inside an iframe embedded in an otherwise harmless HTML page, letting attackers swap phishing content, rotate targets and evade scanners that only inspect the outer layer. GhostFrame uses dynamic subdomains, anti-analysis controls and image-based login screens to obscure credential harvesting. A two-stage design funnels victims from benign-looking pages to concealed forms buried in large file streams. The phishing emails use common business themes to lure clicks, and multiple kit variants are circulating. Barracuda says the framework's stealth and adaptivity make it difficult to detect, underscoring the need for layered defenses and careful user training.
The European Commission fined X, formerly Twitter, 120 million euros for violating the Digital Services Act, marking the law's first enforcement action. Regulators say X misled users with its paid verification system and failed to provide required transparency for political ads and researcher access to public data. The Commission argues X's ad repository lacks essential information and imposes barriers that hinder scrutiny of influence operations. The penalty has sparked geopolitical tension, with US officials criticizing the EU's approach and X rejecting the findings as censorship. A joint investigation by Inside Story, Haaretz and the WAV Research Collective reveals that Intellexa's Predator spyware uses a powerful zero-click infection method called Aladdin, which compromises targets through malicious advertisements. Based on leaked Intellexa documents and research from Amnesty International, Google and Recorded Future, investigators say Aladdin abuses commercial ad networks to deliver weaponized ads to specific users identified by IP addresses and other markers. Viewing the ad alone triggers redirection to exploit servers. The leaks also detail other vectors, including Triton baseband exploits for Samsung Exynos devices, and highlight Intellexa's extensive zero-day use. Despite sanctions, Predator development continues, prompting experts to recommend stronger mobile defenses.
A Moscow court has sentenced physicist Artyom Khoroshilov to 21 years in prison on charges of treason, infrastructure attacks and plotting sabotage, according to state media. Prosecutors accused him of donating over $9,000 to a Ukrainian charity they say supports the military, possessing materials for an explosive device, photographing rail lines near a military unit and conducting a DDoS attack on Russian postal systems. Khoroshilov admitted the donations but said they were meant for civilians, denied any sabotage intent and claimed limited technical skills. Colleagues echoed that he lacked the ability to carry out cyberattacks. His case reflects a series of harsh prosecutions in Russia targeting alleged cyber activity linked to Ukraine since the war began.
Twin brothers Muneeb and Sohaib Akhtar were arrested in Virginia for allegedly stealing and destroying government data within minutes of being fired from a federal contractor in February, according to the Justice Department. Prosecutors say the brothers compromised information from multiple agencies, including DHS, the IRS and the EEOC, during a week-long spree. Muneeb is accused of deleting 96 databases, stealing sensitive files and using an AI tool to seek guidance on covering his tracks. Sohaib allegedly trafficked a password granting access to an EEOC system. Both previously served prison sentences for hacking while working as government contractors in 2015. Investigators say the pair abused privileged access and technical expertise, posing a significant threat to government systems.
Coming up after the break, my conversation with Blair Canavan from Thales, discussing post-quantum cryptography. And smart toilet encryption claims don't hold water. Stick around.
What's your 2am security worry? Is it "Do I have the right controls in place?" Maybe "Are my vendors secure?" Or the one that really keeps you up at night: "How do I get out from under these old tools and manual processes?" That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.
AI is transforming every industry, but it's also creating new risks that traditional frameworks can't keep up with. Assessments today are fragmented, overlapping, and often specific to industries, geographies or regulations. That's why Black Kite created the BK GA3 AI assessment framework to give cybersecurity and risk teams a unified, evolving standard for measuring AI risk across their own organizations and their vendors' AI use. It's global, research-driven, built to evolve with the threat landscape, and free to use, because Black Kite is committed to strengthening the entire cybersecurity community. Learn more at blackkite.com.
Blair Canavan is Director of Alliances for PKI and PQC Portfolio at Thales. In today's sponsored Industry Voices segment, we discuss post-quantum cryptography.
C
Every year I think we do a "Where are we at with regards to the onset of a cryptographically relevant quantum computer?" So CRQC, yet another acronym to think about. And what I mean by that is many years ago, probably eight or nine years ago, when I started talking about post-quantum cryptography, or quantum, or PQC, I think most people's arms were crossed. They were a little skeptical. A lot skeptical, meaning that this was so far off in the distance, if ever, why would we concern ourselves over this? And these were early discussions about, well, we should be crypto-agile, we should be this, we should be that. But if you fast forward to 2025, what we've seen is a dramatic trend, dramatic trend away from procrastination and those that are quite frankly completely, what's the word I'm trying to find here, my brain's cramping. But we're probably not all that concerned, or weren't all that concerned about it. So apathy, there's the word. So apathy has quickly, and is quickly, disappearing for most large organizations around the world. You have to live under a rock if you're not aware of quantum or post-quantum cryptography these days. Much like AI emerged onto the scene a few years ago, post-quantum is now becoming, and I'll speak for Thales, the number one most recognizable thing that our company is hearing. It leads us in lead generation, clicks, downloads, you name it, across the enterprise. So this is why I would say that we're seeing now a dramatic shift towards readiness, which is, I know it's coming, I've heard it's within a few years, we've got to get started.
B
Well, when we talk about PQC readiness, how do you assess whether that readiness is real or still aspirational?
C
Well, actions speak louder than words for sure. So what you're going to see, if not already, is a segment of the population, the organizations that we speak to, let's use the financial sector for example, or governments, is that they're already undertaking various levels of cryptographic discovery to determine first of all the problem and where is this crypto that we need to swap out and change out. So that's one of the major steps in determining what the scope of the problem is for your organization, knowing and admitting full well that crypto is everywhere. So what we're seeing is, instead of just talking about it, we're starting to see systems integration firms, the big five, are well entrenched in providing assessment services. So I'm starting to see on a, on a, let's call it a timeline or a critical path, if you're a project management guru or somebody that likes that, you look at a series of tasks over the next few years with milestones, and some of the major milestones that are becoming quite prevalent are cryptographic discovery, and remediation has already begun on some of the low-lying areas that we can address. So for example, maybe you have some very significant applications that you're looking at that you want to make sure or ensure are developed crypto-agilely. So everything moving forward from this point on, that's an absolute metric that we're seeing. And also cryptographic hygiene. You're starting to see organizations apply what they probably should have some time ago, which is, if we're going to manage our certificates, our public certificates, certificate lifecycle management, we can figure that out now. Key management, or what I jokingly say, key mismanagement. You'll see a lot of companies that have been either using various levels of data-at-rest encryption capabilities or various platforms across the enterprise, but with no consistency or persistence.
So now they're starting to get smarter about making sure that we're, across the board, using those technologies. And as you may know, data-at-rest encryption is PQC-safe right now, meaning that we can use AES-256 as a standard symmetric algorithm. And that's, for the majority of what we see out in the world, already PQC-safe. But it's the upfront RSA and ECC that is used to generate those keys for decrypting that data. That's the concern. It's always on the public key side at this point, the asymmetric side. So I'm starting to see, we're starting to see PQC assessments, project plans being put in place. We're starting to also see C-level or board-level sponsorship to make sure that we're on the right track, or that we're reporting that we're on the right track. And as I think we emerge into 2026 and 2027, this will just become normal, everyday best practice for readying ourselves for this.
B
Well, help me understand because I see folks talking about hybrid approaches. What exactly do they mean by that?
C
Well, hybrid is an interesting term that I think a number of us are talking about. Some organizations look at hybrid crypto as a stopgap, meaning that we can use the combination of classical or existing operational crypto we rely on today, the RSA, the ECC and so on. But some countries, some governments, some organizations believe that a full pure PQC enablement means we get rid of what we call classical crypto today and put in the next generation algorithms, which is what they call FIPS 203, 204 or 205, or Dilithium or ML-DSA and ML-KEM or Kyber, whatever you want to describe those as. But the next generation of algorithms, hybrid refers to using both. So for example, for public key infrastructure we'll have hybrid certificates, or for cryptographic reasons, for signatures and, and handshakes and so on, we'll use hybrid. But a lot of people think that's fraught with difficulty and maybe we should just go straight to PQC. But that in effect is a leap of faith that these algorithms are going to stand the test of time. And because we don't have soak, we don't have 25 years of seeing them in the wild, in the field being deployed, I think we can all appreciate why some organizations are a little bit, I wouldn't say nervous, but you know, hedging their bets per se. So I think what we're going to see is a combination of pure, you know, what we have today, some hybrid and some pure PQC-enabled.
B
Going forward, what do you see as being roadblocks here? The delays, are they coming from technology issues or process or cost, or what's keeping, what's holding people back?
C
Oh, all of the above. As I mentioned earlier, there are some, some organizations who perceive and believe that this is far enough out that they can just procrastinate until the last minute. And I don't mean to point fingers, nor would I, but it depends. Some have very skeptical personnel involved and believe that this is all a hype curve that we're all worried about, same as Y2K. Others are absolutely pragmatic about it and saying, regardless, we're going to be ready for this, because as I said earlier, we can fix a lot of stuff on the way from a cryptographic hygiene point of view and make ourselves crypto-agile and hedge our bets, because now we have protection should this arrive in the next three, four, five years. And then there are of course those who might, might be so pure quantum and post-quantum that they've already started on that journey. I see very little of that. I think most organizations are being careful, as they should be. And this also, by the way, is not just an organization and what they want to do. They rely on the vendor community, they rely on the implementation of those things. And by the way, you can't just wave a magic wand, find all your crypto, swap it out magically overnight. This is going to take an enormous amount of resources and budget. So some of the roadblocks are who's going to pay for it, how much money do we need, and what does our tiger team look like? For example, who do we have here in the organization? Do we need to seek external advice, things like that?
B
Well, I mean, a lot of folks have their fingers in this pie, right? There's standards organizations, there's vendors, researchers, and as you say, governments. They're all involved. How do these different players shape the pace and direction of PQC adoption?
C
Well, I think it's, it's a combination of many things. I think lead by example is, is what I'm starting to see. Not only evidence of it, I'm personally experiencing it, where organizations have overcome the obstacles within. So they've been, for example, you can point to public examples from the likes of Wells Fargo and HSBC and many other organizations around the world that are publicly admitting, or publicly, admitting is the wrong word, publicly explaining how they're doing this. Why is that important? Well, nobody wants to be the guinea pig, but they also want to know, is this the best practice? Should we do this first, should we do this second, third? What's the recipe for success? So I think as it becomes more sophisticated and we start to see more organizations moving into this over the next year or two, as I said to you, personally I'm involved with well over 100 organizations, which gives me a pretty good vantage point. And with, with zero exception, they've all got plans in place. What they're all determining is, when do those plans start? How much do we put into those plans, meaning people, process, technology, simply put, resources, and do we have executive sponsorship? I think that's incredibly important, that from the C-level or the board level we have acknowledgement that we're doing these things, but also backing us up that if we run into a bit of a, we get into a situation where we have to turn left instead of what we thought, where we had to turn right. That's where "patience is a virtue" is going to apply for a lot of these implementations.
B
As someone who is in this day to day, what sort of signals do you think defenders should be looking out for? Or do you anticipate that we're going to have a Sputnik moment here?
C
I haven't heard Sputnik as an example, but I think if we're old enough, most of us know when the Russians were the first, the rest of the world, first of all, awe was the first response. Are you kidding? Is this real? To we're late, or we're second. Yeah, the race to quantum is real. I think what we're concerned about from a nation-state or a bad actor is that this isn't going to be broadcast necessarily. That's like saying I've got the keys to, I've got the skeleton key to the world. I'm just going to tell everybody I have that key. I think what we have to realize is a lot of this is going to go on behind the scenes. It's going to merge into reality. And then when this zero-day, or this acknowledgement that that was a quantum computer that used Shor's algorithm, that compromised that algorithm or compromised that implementation, is that going to be Q-Day? We'll see. Is it going to be an organization like the government of X, Y and Z? We don't know. But that moment, unfortunately, that's a crystal ball we all are looking for. But what we are seeing is progress being made, certainly from a Western civilization point of view. And with China, I have to throw in as well, the amount of pure billions being spent on building this next generation of quantum computing platforms is underway. And this race to quantum can be used for good and not so good. And I think it's the same with AI. We're in the exact same parallel, in a parallel universe, of the two paradigms and the paradox of both of them, which is they can do wonderful, amazing things, AI to solve for simulation and drug testing, et cetera, et cetera, but also turned against us. They can be used to build incredibly robust exploits, in fact, looking for old crypto or looking for compromise points and running scenarios a thousand times, automagically. The same applies for quantum, which we use for, like I said, simulation and amazing things for AI and agentic AI and all those good things.
But if used to run Shor's algorithm, it is in effect the skeleton key that I explained. That's the concern, is the good, the bad, the otherwise of both of these platforms, and when they eventually converge, using quantum compute platforms to run AI, we're in a different paradigm entirely after that.
B
That's Blair Canavan from Thales.
A
This episode is brought to you by Indeed. You're ready to move your business forward, but first you need to find the right team. Start your search with Indeed Sponsored Jobs. It can help you reach qualified candidates fast, ensuring your listing is the first one they see. According to Indeed data, sponsored jobs are 90% more likely to report a hire than non-sponsored jobs. See the results for yourself. Get a $75 sponsored job credit at Indeed.com/podcast. Terms and conditions apply.
This episode is brought to you by State Farm. Listening to this podcast? Smart move. Being financially savvy? Smart move. Another smart move: having State Farm help you create a competitive price when you choose to bundle home and auto. Bundling, just another way to save with a Personal Price Plan. Like a good neighbor, State Farm is there. Prices are based on rating plans that vary by state. Coverage options are selected by the customer. Availability, amount of discounts and savings, and eligibility vary by state.
B
And finally, Dekoda is Kohler's smart toilet-mounted camera that snaps photos of the bowl after use, offering gut health insights in exchange for a few tasteful porcelain portraits. To calm privacy nerves, the company assured customers their data enjoys end-to-end encryption, a phrase that raised eyebrows among people who know what that actually means. Researcher Simon Fondrie-Teitler pointed out that Kohler is really talking about standard TLS encryption, not the user-to-user lockdown found in Signal or WhatsApp. Kohler later clarified that yes, it can decrypt and view your bowl data, because that's how the service works, though it stresses information is encrypted at rest and only de-identified images train its algorithms, and only with user consent. Still, at $599 plus a monthly subscription, the Dekoda may be the rare gadget that asks you to pay handsomely for the privilege of being misunderstood by a toilet. End to end, indeed.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Jaron Bradley, director of Jamf Threat Labs. The research is titled "ChillyHell: A Deep Dive into a Modular macOS Backdoor." That's Research Saturday. Do check it out. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
A
The Uniswap Wallet makes it easier and safer to own and use crypto. Created by pioneers of the crypto economy, the Uniswap protocol has powered over $3 trillion in trading volume, and it's trusted by tens of millions worldwide. With the Uniswap Wallet, you can discover, swap and manage your crypto all from your phone. Buy your first crypto assets in just a few taps and start exploring the freedom of decentralized finance with Uniswap. Tap the banner to get started.
This episode centers on escalating Chinese cyber-espionage operations, major vulnerabilities actively exploited in global IT infrastructures, and developing efforts in post-quantum cryptography. The episode features news updates, technical analysis, and an expert interview with Blair Canavan from Thales, who outlines readiness for a post-quantum world and demystifies the current state of crypto “hygiene.” Other major themes include cybersecurity enforcement actions, emergent phishing threats, and privacy controversies around “smart” consumer tech.
[02:54–05:22]
Brickstorm Malware & State Actor Intrusions:
Chinese state-sponsored groups are using the newly identified Brickstorm malware to achieve persistent access and conduct espionage in government and IT networks.
Critical "React to Shell" Exploitation:
Following the disclosure of a critical insecure deserialization flaw (flight protocol) in React Server Components and Next.js:
“Officials warn the operation reflects China’s intent to embed deeply for espionage, disruption or future sabotage.”
— Dave Bittner [03:42]
[05:22–07:01]
China-Based Phishing Kits:
GhostFrame:
“Fake storefronts are harder to detect because they blend in to normal shopping behavior and often go unnoticed until purchases fail to arrive.”
— Dave Bittner [06:35]
[08:03–11:46]
Ex-Twitter (X) Fined by EU:
The European Commission issued its first Digital Services Act fine—€120M to X (formerly Twitter) for misleading verification, failing ad transparency, and limiting research access.
Predator Spyware / “Aladdin” Zero Click:
Russian Cybercrime Conviction:
Federal Contractor Breach:
Guest: Blair Canavan, Director of Alliances, PKI & PQC Portfolio, Thales
[14:09–27:01]
“You can’t just wave a magic wand, find all your crypto, swap it out magically overnight. This is going to take an enormous amount of resources and budget.”
— Blair Canavan [21:40]
“That's like saying I've got the skeleton key to the world. I'm just going to tell everybody I have that key. I think what we have to realize is a lot of this is going to go on behind the scenes.”
— Blair Canavan [25:04]
“You have to live under a rock if you’re not aware of quantum or post-quantum cryptography these days.”
— Blair Canavan [15:29]
[28:21–29:49]
“The Dekoda may be the rare gadget that asks you to pay handsomely for the privilege of being misunderstood by a toilet. End to end, indeed.”
— Dave Bittner [29:40]
This episode illustrates the increasing sophistication and speed of nation-state cyber threats—particularly from China—against government and enterprise targets, while also highlighting the tactical and strategic challenges organizations face in achieving cryptographic resilience in the quantum era. The topics balance urgent present-day vulnerabilities with the forward-looking imperative of quantum-safe security, contextualized through expert perspective and actionable insights.