A
You're listening to the Cyberwire Network powered by N2K.
B
We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first. And it works. Sponsored Jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus, with Sponsored Jobs there are no subscriptions, no long-term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed, and listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com/cyberwire. Just go to indeed.com/cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com/cyberwire. Terms and conditions apply. Hiring? Indeed is all you need.
Organizations worldwide scramble to address the critical React to Shell vulnerability. Major insurers look to exclude artificial intelligence risks from corporate policies. Three Chinese hacking groups converge on the same SharePoint flaws. Ransomware crews target hypervisors. A UK hospital asks the High Court to block publication of data stolen by the Clop gang. The White House approves additional Nvidia AI chip exports to China. The ICEBlock app creator sues the feds over its App Store removal. The FBI warns of virtual kidnapping scams. The FTC upholds a ban on a stalkerware maker. Dave Lindner, CISO of Contrast Security, joins us to discuss nation-state adversaries targeting source code to infiltrate the government and private sector. And Craigslist's founder pledges support for cybersecurity veterans and pigeons.
Tuesday, December 9, 2025. I'm Dave Bittner and this is your Cyberwire Intel Briefing.
Thanks for joining us here today. It's great to have you with us. Major organizations worldwide are scrambling to address the critical React to Shell vulnerability as researchers confirm active exploitation tied to China's Ministry of State Security. Palo Alto Networks' Unit 42 says more than 30 organizations have been affected, with attackers conducting reconnaissance, attempting to steal AWS credentials and deploying malware linked to past MSS operations. The bug was publicly disclosed last week with a maximum severity rating, triggering widespread scanning by both cybercriminals and state-backed actors. U.S. and international security groups report millions of potentially exposed Internet-facing services. The FBI is urging immediate patching and targeted threat hunting, while CISA has added the flaw to its Known Exploited Vulnerabilities catalog, setting a Dec. 26 deadline for federal agencies to update systems.
Major insurers are moving to exclude artificial intelligence risks from corporate policies as concerns rise over costly, unpredictable AI failures. AIG, Great American and W. R. Berkley have sought regulatory approval for exclusions tied to companies using AI tools, reflecting industry unease as businesses rapidly adopt systems prone to hallucinations and opaque decision making. Some proposed exclusions are sweeping, barring claims involving any AI use. While AIG says it has no immediate plans to apply its exclusions, insurers warn that unclear liability across developers, model providers and users makes AI risk potentially exponential. Recent high-profile errors, fraud enabled by deepfakes and fears of systemic losses are pushing insurers toward tighter limits, narrower endorsements and cautious coverage for AI-related incidents.
Chinese threat activity around two critical SharePoint flaws has escalated into the broad ToolShell campaign, where three distinct China-based hacking groups exploited the same vulnerabilities almost simultaneously. The bugs, first demonstrated at Pwn2Own, were meant to be patched quietly, yet attackers moved even before Microsoft released fixes. Within weeks, hundreds of governments and businesses worldwide were compromised, prompting urgent patch revisions after hackers bypassed initial mitigations. Analysts are probing how multiple Chinese groups obtained working exploits so quickly, including scrutiny of China-based partners in Microsoft's early warning program and that country's laws requiring zero-day reporting to the state. The campaign follows a growing pattern where Chinese clusters surge exploitation just before or after disclosure. Motivations also vary. Two groups appear focused on intelligence collection, while a third shows ransomware behavior that may mask deeper objectives. The convergence underscores China's complex cyber ecosystem and persistent strategic targeting.
Ransomware crews are increasingly targeting hypervisors, the software that creates and manages virtual machines. According to new data from Huntress, attacks jumped from 3% of cases in early 2024 to 25% in the second half of the year. Researchers say the Akira ransomware group is driving much of the surge, aiming at hypervisors to evade endpoint and network defenses. Compromising a hypervisor gives attackers control over hosted virtual machines, greatly amplifying impact. Huntress has seen operators use built-in tools like OpenSSL to encrypt VM volumes and abuse Hyper-V utilities to disable protections and prepare large-scale deployments. To counter the growing threat, the company urges strict patching, multi-factor authentication, strong passwords, allow listing for binaries and full log ingestion into security information and event management systems.
NHS Barts Health in London is seeking a UK High Court order to block the publication or use of data stolen in an August ransomware attack by the Clop group. The hospital says Clop accessed invoice records containing names and addresses of patients and staff, though core IT systems were not breached. The data also included information from nearby NHS trusts. Officials warn the stolen details could be exploited for scams or payment fraud. Investigators say Clop targeted zero-days in Oracle's E-Business Suite, part of a broader campaign in which the gang emailed victims, threatening to leak data unless large cryptocurrency ransoms were paid. NHS England and the National Cyber Security Centre are assessing the incident's impact.
The White House has approved Nvidia to export its H200 AI chips to select customers in China under conditions meant to protect national security. President Trump said the US will take a 25% cut of sales. The H200 is more capable than Nvidia's previously allowed H20 chips, but still below its Blackwell line, which is not part of the deal. Trump said the policy supports U.S. jobs and manufacturing. The decision follows political pressure to limit China's access to advanced AI hardware.
Joshua Aaron, creator of the ICEBlock app, is suing Attorney General Pam Bondi and several federal officials, alleging the Trump administration made unlawful threats and pressured Apple to remove his app from the App Store. ICEBlock, which lets users anonymously report Immigration and Customs Enforcement activity, surged to over 500,000 downloads after a CNN story. Although Apple initially approved the app after legal review, it removed ICEBlock in October following public pressure from Bondi. Google and Facebook later removed similar content. Federal officials defend the takedowns, arguing such apps endanger law enforcement. The lawsuit comes as Republican lawmakers push for tighter restrictions, including a bill that would criminalize publishing information about federal officers if it risks targeted harassment or violence.
The FBI warns that criminals are using altered or AI-generated images to create fake proof-of-life photos. In virtual kidnapping scams, fraudsters text victims claiming a loved one has been abducted, often sending doctored images and threatening violence to force quick payment. Some scams exploit photos of real missing people scraped from social media. The FBI says these emergency scams mirror grandparent fraud schemes but now use AI to enhance credibility. Officials urge families to use code words, verify the victim's safety, and report incidents to IC3.
The US Federal Trade Commission has rejected a petition from Scott Zuckerman, founder of stalkerware firms SpyFone, Support King and OneClickMonitor, to lift a 2021 ban preventing him from selling surveillance apps. The ban followed a major data breach that exposed both customers and the people they secretly monitored, and required Zuckerman to delete collected data and implement strict security and auditing measures. The FTC called SpyFone a tool that enabled stalkers while failing to protect sensitive information. Zuckerman argued the order's security requirements impose financial burdens on his unrelated businesses, but the FTC declined to modify the restrictions. He offered no further comment.
Coming up after the break, my conversation with Dave Lindner from Contrast Security. We're discussing nation-state adversaries targeting source code, and Craigslist's founder pledges support for cybersecurity veterans and pigeons. Stay with us.
Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com/N2K today.
AI is transforming every industry, but it's also creating new risks that traditional frameworks can't keep up with. Assessments today are fragmented, overlapping, and often specific to industries, geographies or regulations. That's why Black Kite created the BKGA3AI assessment framework to give cybersecurity and risk teams a unified, evolving standard for measuring AI risk across their own organizations and their vendors' AI use. It's global, research-driven, built to evolve with the threat landscape and free to use, because Black Kite is committed to strengthening the entire cybersecurity community. Learn more at blackkite.com.
Dave Lindner is CISO of Contrast Security. I recently sat down with him for a conversation on nation-state adversaries targeting source code to infiltrate the government and private sector.
C
We find ourselves in a pretty bad place.
These attacks have been going on for quite some time. Many organizations probably don't even know that they have adversaries in their source code. You even go back to SolarWinds; that was an adversarial, nation-state-level type attack. And they all have different reasons for doing so. But it's really difficult when a nation state wants to wreak havoc, right? They have the means, they have the money, they have the technology, they have the time to be able to do so. And for the average organization, they probably don't have the means to prevent it, just because they're maybe focusing on different things.
B
And what is it about source code specifically that makes it so appealing?
C
So I think it's kind of that supply chain aspect. You know, I was thinking about this, you know, from a supply chain standpoint. SolarWinds was a supply chain issue. This recent F5 breach was really a supply chain issue. But what nation states want to do is they want to infiltrate a place that maybe has broad reach. F5 is heavily used by the United States government, heavily used by some of the largest corporations in the world. Right. They want to infiltrate this source code and maybe find zero-days in the source code, maybe find ways to inject maliciousness in that source code, so once it's delivered to the government, to the bigger organizations, now they can compromise them as well. Right? So it is very, very important for them. And I look at Hollywood movies, right, and you look at things like Ocean's Eleven or some of those where they're trying to infiltrate these massive places. They're always doing it through some other mechanism. They're getting involved with the serving crew at that party that night, or they get put as part of the security team that's part of the security detail. They're coming at them from a third party that they're inherently trusting to be secure. And that's kind of the problem. There's no good mechanism to prove that trust. Security questionnaires aren't doing it.
B
And to what degree is this an open source software problem?
C
I mean, it's open source, it's closed source, it's COTS, it's a software problem. Right. However you look at recent things like the Shai-Hulud attacks that have recently taken place against a bunch of Node repositories, where people are compromising credentials, or maybe credentials of repositories that haven't been touched in years, and they're injecting maliciousness into those repositories that are then automatically downloaded and used by thousands, if not hundreds of thousands, of organizations. So it's easier, but it's really a software problem. In the F5 case, that wasn't an open source problem; they now have all of F5's BIG-IP software. Right. That's a bad place to be.
B
And what makes it so difficult to detect these things?
C
So, you know, as I stated earlier, it's like they have the means.
They take a low and slow approach. You know, some of them use what we call living off the land attacks, where these advanced actors, they're not even installing maliciousness. Right. They're using tools that are already in the environments they want to get into, to be undetectable. Right. And I think that's some of the problem is they're okay with taking time. You know, sometimes they might create some diversion or, you know, create some other really loud attack to get the security operations teams looking at that instead of the not-so-loud. I found these compromised credentials. Sure, I may be logging in from Russia, but are you going to detect that type of thing? And it's as simple as that. They're compromising credentials. Phishing is still a problem, believe it or not.
And in some cases they're exploiting zero-days that the world doesn't really know about yet. So it's hard to detect things that we don't know about.
B
Yeah, I think you mentioned that patience is such a component of this. We had a recent story where I think it was Chinese threat actors who waited seven years to update some browser plugins to make them malicious, where they'd been clean for seven years.
C
Yeah, for sure. I mean, and if you take a step back and kind of think about what these nation states are looking for, right? It's intel, it's, you know, espionage, it's disruption, it's, you know, in the case of, like, North Korea, it's financial theft. I mean, North Korea is heavily invested in stealing crypto. I mean, that's been their thing for a while now. And trying to really understand, like, they don't need these things to happen overnight. The long game is fine. If I'm in an organization and my whole goal is to get as much intel as possible, I'm happy to be there forever. Right. And I think that's part of the issue. I mean, a couple of years ago, Russia was in Microsoft, right? They had compromised, like, a lower environment, a QA environment of the internal email system. But they were able to compromise a bunch of very sensitive emails doing so, and it took forever to detect them because it was in a lower environment.
B
So should organizations assume breach here?
C
I don't want to be, like, a FUD type of person. I don't think we assume breach. You know, I think you have to really do a good job of understanding and threat modeling your organization. The hardest part, even for a small organization like ours at Contrast Security, is vetting third parties. At what point do you feel they're trustworthy enough, knowing that at some point if they're compromised, you probably are as well?
I think that's going to be the hardest part for any organization, because these nation states probably are not coming directly at F5, directly at Microsoft. They're trying to backdoor it somehow through some third party. I mean, years and years ago Target had a breach through their credit card processors, right. And it was through a third party that they hadn't shut access off to. So no one really knew that they even still had access, and they compromised those credentials to get in. Right. So it's just a really, really difficult place to be, because there's no really good way to, you know, give that rubber stamp of approval. I mean, we get security questionnaires all the time. Does that mean we're secure? According to, you know, our customers? Yes. But at the end of the day, what does a security questionnaire do? It's a bunch of words. And so it's a really. But assuming breach, I don't. The larger org with a bigger target on their back, say, like Target, F5 for sure, I mean, anyone who's in the federal government, in the massive financial sector, you know, I think they have that mentality where they kind of assume breach. They have the red teamers, they have the folks that are doing OSINT, looking for threats in all their logs, in all their systems all the time. They can. Right. I don't think every org probably has the same sort of threat that some of these larger, more attractive organizations would.
B
So what are your recommendations, then, given these realities? What should security professionals be doing to protect their organizations against this sort of thing?
C
Focusing on locking your environment down as much as possible and understanding there's layers to this. And I'm always a huge fan of having different control layers and visibility into those different control layers, so if one fails, something else might pick it up. I think anomaly detection is such a huge part of understanding your environment. Even in the case of the recent F5 breach, I think what ended up happening is there was some vulnerability in one of their development systems that was taken advantage of to get that initial access point for China. And just knowing that and understanding that, detecting something that's different is going to be so important moving forward, and you're going to have to make sure you have the right tools in place to do so. And sometimes, you know, I do think AI is going to play a massive role in kind of correlating all of this data, because people can't, right? I mean, we've known that for a while. I mean, I think we have terabytes and terabytes of logs, you know, on an hourly basis just in our small systems. I can't imagine what a Microsoft or an F5 has. Right. And I think that anomaly detection is really something that someone has to really focus time and energy on. I don't think there's a perfect approach to preventing a breach in some third party that you're using.
I don't know what the direction should be there, other than when you bring someone on board or pull in that open source, you need to know that it's a pretty good possibility that someone could be trying to infiltrate through it. But again, it gets back to threat model. What does your threat look like? Who really wants to get into your environment and why? And kind of start there.
B
That's Dave Lindner, CISO of Contrast Security.
A
Ford BlueCruise hands-free highway driving takes the work out of being behind the wheel, allowing you to relax and reconnect while also staying in control. Enjoy the drive in BlueCruise-enabled vehicles like the F-150, Explorer and Mustang Mach-E. Available feature on equipped vehicles. Terms apply. Does not replace safe driving. See ford.com for more details.
D
This episode is brought to you by State Farm. Listening to this podcast? Smart move. Being financially savvy? Smart move. Another smart move: having State Farm help you create a competitive price when you choose to bundle home and auto. Bundling is just another way to save with a Personal Price Plan. Like a good neighbor, State Farm is there. Prices are based on rating plans that vary by state. Coverage options are selected by the customer. Availability, amount of discounts and savings, and eligibility vary by state.
B
And finally, Craig Newmark, the mild-mannered founder of Craigslist and self-described non-billionaire billionaire, has officially joined the Giving Pledge in a LinkedIn post marking both his commitment and his entry into his mid-70s. He noted he gave away his Craigslist equity long ago, which does complicate the whole billionaire label. Still, turning down an estimated $11 billion in dotcom-era enthusiasm buys a certain moral high ground. Newmark says his philanthropy will continue to focus on cybersecurity veterans and pigeon rescue. Yes, pigeons. Newmark insists pigeons are misunderstood underdogs, possibly even our future overlords, which he admires. His foundation recently gave $30,000 to a rescue group, its largest gift ever. In true Craigslist fashion, he's simply posting goodwill into the universe. One charitable listing at a.
And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Date: December 9, 2025
Host: Dave Bittner (N2K Networks)
Featured Interview: Dave Lindner, CISO, Contrast Security
This episode centers on a newly disclosed, critical “React to Shell” vulnerability that has triggered a global cybersecurity response. The episode delivers rapid insights on major cybersecurity developments, including state-sponsored hacking campaigns, shifting insurance industry stances on AI, the persistence of ransomware, and how adversaries are targeting software supply chains. A special interview provides deep analysis on how nation-state actors infiltrate organizations via source code and the unique challenges they pose.
[14:30-24:52] Dave Lindner breaks down the evolving tactics of nation-state actors who infiltrate organizations not via direct attacks, but through the very software supply chains organizations rely on.
| Segment/Story | Timestamp |
|---|---|
| React to Shell & International Response | 03:27-04:31 |
| Insurers Move to Exclude AI Risks | 04:31-05:37 |
| Chinese SharePoint Campaigns | 05:37-07:53 |
| Ransomware Against Hypervisors | 07:53-08:45 |
| NHS Data Lawsuit / Nvidia AI Chips / App Takedown | 08:45-10:19 |
| FBI on AI Scams / FTC Stalkerware Ban | 10:19-12:00 |
| Lindner Interview - Nation State Threats | 14:30-24:52 |
| Craig Newmark's Cybersecurity Philanthropy | 26:15-27:36 |
This episode captures the urgency, complexity, and evolving nature of contemporary cybersecurity threats. The React to Shell vulnerability highlights the persistent, global risk posed by even a single bug, while the interview with Dave Lindner provides a sobering but actionable framework for defending against sophisticated, patient adversaries. The consensus: Resilience requires vigilance at all levels—technology, people, and process.