CyberWire Daily - "The bug that got everyone’s attention."
Date: December 9, 2025
Host: Dave Bittner (N2K Networks)
Featured Interview: Dave Lindner, CISO, Contrast Security
Main Theme
This episode centers on a newly disclosed, critical “React to Shell” vulnerability that has triggered a global cybersecurity response. The episode delivers rapid insights on major cybersecurity developments, including state-sponsored hacking campaigns, shifting insurance industry stances on AI, the persistence of ransomware, and how adversaries are targeting software supply chains. A special interview provides deep analysis on how nation-state actors infiltrate organizations via source code and the unique challenges they pose.
Key News Highlights & Analysis
1. React to Shell Vulnerability Sparks International Scramble
- [03:27-04:31]
- Tens of thousands of organizations worldwide are urgently addressing the severe React to Shell bug.
- Active exploitation is tied to actors linked with China’s Ministry of State Security.
- Palo Alto Networks' Unit 42 reported attacks on over 30 organizations, with hackers stealing AWS credentials and deploying MSS-related malware.
- Rapid, widespread scanning is evident from both cybercriminal and state-sponsored groups.
- U.S. authorities urge immediate action: the FBI calls for “immediate patching and targeted threat hunting,” while CISA sets a Dec. 26 deadline for federal agencies.
- Quote: "Millions of potentially exposed internet-facing services." (Host, [03:50])
2. Insurers Retreat from AI Risk Coverage
- [04:31-05:37]
- Major insurers (AIG, Great American, WR Berkeley) seek to exclude coverage for damages related to AI, citing costly, unpredictable losses.
- Exclusions target AI’s tendency for hallucinations and ambiguous liability among developers and users.
- High-profile AI abuses (e.g., deepfakes, fraud) increase industry caution.
- Expect tighter policies and reduced coverage for anything AI-related.
3. China-based Hacking Groups Exploit SharePoint Flaws
- [05:37-07:53]
- Three Chinese hacking groups exploited two major SharePoint vulnerabilities in near synchronization—a campaign called “toolshell.”
- Attackers moved before Microsoft issued patches, compromising hundreds worldwide.
- Security community questions rapid access to exploits, citing China’s legal requirements for zero-day disclosure.
- Varied attacker motives: two groups pursued intelligence, a third unleashed ransomware behaviors as potential cover.
- Quote: "The convergence underscores China's complex cyber ecosystem and persistent strategic targeting." (Host, [07:22])
4. Ransomware Shifts to Targeting Hypervisors
- [07:53-08:45]
- Hypervisors increasingly under attack—25% of ransomware cases by late 2025 (up from 3%).
- Akira group is a principal threat, attacking VM infrastructure to evade legacy defenses.
- Techniques: using OpenSSL to encrypt virtual machine volumes, abusing Hyper-V tools to disable security.
- Recommendations: patching, MFA, allowlisting, and strong logging.
5. Other Headlines
- NHS Barts Health Ransomware Lawsuit ([07:53-08:45]): Seeks to block publication of patient/staff data stolen by Clop gang. Officials warn of potential fraud.
- Nvidia AI Chip Exports to China ([08:45-09:22]): U.S. (President Trump) permits limited exports, taking a 25% sales cut.
- App Store Lawsuit ([09:22-10:19]): Ice Block app developer sues government for alleged pressure on Apple. Highlights controversy over anonymity and law enforcement risk.
- FBI Warns of AI "Virtual Kidnapping" Scams ([10:19-11:03]): AI-generated images escalate scam threats. Families are urged to set code words, verify safety.
- FTC Upholds Ban on Stalkerware Firm ([11:03-12:00]): Spy Phone’s founder’s appeal to lift ban rejected due to ongoing security/privacy risks.
Featured Interview: Dave Lindner, CISO, Contrast Security — Nation State Adversaries and Source Code Abuse
Overview
[14:30-24:52]
Dave Lindner breaks down the evolving tactics of nation-state actors who infiltrate organizations not via direct attacks, but through the very software supply chains organizations rely on.
The Supply Chain Problem
- Supply chains as key targets:
- "It's really difficult when a nation state wants to wreak havoc. They have the means, they have the money, they have the technology, they have the time to be able to do so." — Dave Lindner, [14:47]
- Incidents like SolarWinds and the recent F5 breach are prime examples. Attackers aim for widely used products so that compromises propagate downstream.
- Hollywood analogy:
- "They're getting involved with the serving crew at that party that night, or they get put as part of the security team... They're coming at them from a third party." — Dave Lindner, [16:28]
Open Source & Proprietary Software Both at Risk
- Not just an open-source issue:
- Attacks like Shai Hulud show attackers compromising “dormant” repositories, injecting malicious code that gets mass-adopted.
- Closed-source vulnerabilities (F5, Microsoft) equally dangerous.
- "It's open source, it's closed source, it's COTS, it's a software problem." — Dave Lindner, [17:08]
Tactics: Stealth, Patience, Subtlety
- Attackers take “low and slow” approaches:
- Living off the land: Using built-in tools, not dropping new malware.
- Diversion and stealth: Loud attacks distract from real infiltration.
- "They're okay with taking time... sometimes [years]." — Dave Lindner, [18:22]
- Example: Chinese actors waited 7 years before weaponizing browser plugins ([19:06]).
Persistent Espionage Goals
- Motivations: Intelligence, disruption, financial theft (e.g., North Korea’s focus on cryptocurrency).
- "If I'm in an organization and my whole goal is to get as much intel as possible, I'm happy to be there forever." — Dave Lindner, [19:26]
- Past breaches (e.g., Russian actors’ persistence in Microsoft’s lower environments) underscore the level of patience and stealth involved.
Recommendations: Resilience, Layered Defense, Anomaly Detection
- Vetting third parties:
- The weakest link is often a vendor or partner with deep access.
- "The hardest part... is vetting third parties. At what point do you feel they're trustworthy enough knowing that at some point if they're compromised, you probably are as well?" — Dave Lindner, [20:33]
- Assume breach mentality:
- Larger orgs must operate this way; smaller orgs should focus on understanding their own threat models and critical assets.
- Emphasize defense in depth:
- Layered controls, anomaly detection (“huge part of understanding environment”), and robust logging are vital.
- Leverage AI for detecting subtle threats in massive activity logs.
- No perfect solution—continuous vigilance and threat modeling are essential.
- "Detecting something that's different is going to be so important moving forward..." — Dave Lindner, [22:48]
Notable Quotes
- "Security questionnaires aren't doing it." — Dave Lindner, [16:54]
- "Phishing is still a problem, believe it or not." — Dave Lindner, [18:22]
- "They don't need these things to happen overnight. The long game is fine." — Dave Lindner, [19:26]
- "There's no really good way to, you know, give that rubber stamp of approval." — Dave Lindner, [21:05]
Segment Timestamps
| Segment/Story | Timestamp |
|---|---|
| React to Shell & International Response | 03:27-04:31 |
| Insurers Move to Exclude AI Risks | 04:31-05:37 |
| Chinese SharePoint Campaigns | 05:37-07:53 |
| Ransomware Against Hypervisors | 07:53-08:45 |
| NHS Data Lawsuit / Nvidia AI Chips / App Takedown | 08:45-10:19 |
| FBI on AI Scams / FTC Stalkerware Ban | 10:19-12:00 |
| Lindner Interview - Nation State Threats | 14:30-24:52 |
| Craig Newmark's Cybersecurity Philanthropy | 26:15-27:36 |
Memorable Moment
- Craig Newmark’s (Craigslist founder) charming announcement:
- "...his philanthropy will continue to focus on cybersecurity, veterans, and pigeon rescue. Yes, pigeons. Newmark insists pigeons are misunderstood underdogs, possibly even our future overlords, which he admires." — Host, [26:15]
Conclusion
This episode captures the urgency, complexity, and evolving nature of contemporary cybersecurity threats. The React to Shell vulnerability highlights the persistent, global risk posed by even a single bug, while the interview with Dave Lindner provides a sobering but actionable framework for defending against sophisticated, patient adversaries. The consensus: Resilience requires vigilance at all levels—technology, people, and process.
