CyberWire Daily - The bug that got everyone’s attention.
Episode Date: December 9, 2025

Organizations worldwide scramble to address the critical React2Shell vulnerability. Major insurers look to exclude artificial intelligence risks from corporate policies. Three Chinese hacking groups converge on the same SharePoint flaws. Ransomware crews target hypervisors. A UK hospital asks the High Court to block publication of data stolen by the Clop gang. The White House approves additional Nvidia AI chip exports to China. The ICEBlock app creator sues the feds over app store removal. The FBI warns of virtual kidnapping scams. The FTC upholds a ban on a stalkerware maker. Dave Lindner, CISO of Contrast Security, discusses nation-state adversaries targeting source code to infiltrate the government and private sector. Craigslist's founder pledges support for cybersecurity, veterans and pigeons.
Selected Reading

Researchers track dozens of organizations affected by React2Shell compromises tied to China's MSS (The Record)
Insurers retreat from AI cover as risk of multibillion-dollar claims mounts (Financial Times)
Three hacking groups, two vulnerabilities and all eyes on China (The Record)
Researchers spot 700 percent increase in hypervisor ransomware attacks (The Register)
UK Hospital Asks Court to Stymie Ransomware Data Leak (Bank Infosecurity)
Trump says Nvidia can sell more powerful AI chips to China (The Verge)
ICEBlock developer sues Trump administration over App Store removal (The Verge)
New FBI alert urges vigilance on virtual kidnapping schemes (SC Media)
FTC upholds ban on stalkerware founder Scott Zuckerman (TechCrunch)
Craigslist founder signs the Giving Pledge, and his fortune will go to military families, fighting cyberattacks, and a pigeon rescue (Fortune)

The CyberWire is a production of N2K Networks. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Organizations worldwide scramble to address the critical React2Shell vulnerability. Major insurers look to exclude artificial intelligence risks from corporate policies. Three Chinese hacking groups converge on the same SharePoint flaws. Ransomware crews target hypervisors. A UK hospital asks the High Court to block publication of data stolen by the Clop gang. The White House approves additional Nvidia AI chip exports to China. The ICEBlock app creator sues the feds over App Store removal. The FBI warns of virtual kidnapping scams. The FTC upholds a ban on a stalkerware maker. Dave Lindner, CISO of Contrast Security, joins us to discuss nation-state adversaries targeting source code to infiltrate the government and private sector. And Craigslist's founder pledges support for cybersecurity, veterans, and pigeons.

It's Tuesday, December 9th, 2025. I'm Dave Bittner, and this is your CyberWire Intel briefing.
Thanks for joining us here today. It's great to have you with us.
Major organizations worldwide are scrambling to address the critical React2Shell vulnerability as researchers confirm active exploitation tied to China's Ministry of State Security. Palo Alto Networks Unit 42 says more than 30 organizations have been affected, with attackers conducting reconnaissance, attempting to steal AWS credentials, and deploying malware linked to past MSS operations. The bug was publicly disclosed last week with a maximum severity rating, triggering widespread scanning by both cybercriminals and state-backed actors. U.S. and international security groups report millions of potentially exposed internet-facing services. The FBI is urging immediate patching and targeted threat hunting, while CISA has added the flaw to its Known Exploited Vulnerabilities catalog, setting a December 26th deadline for federal agencies to update systems.
Major insurers are moving to exclude artificial intelligence risks from corporate policies as concerns rise over costly, unpredictable AI failures. AIG, Great American, and W. R. Berkley have sought regulatory approval for exclusions tied to companies using AI tools, reflecting industry unease as businesses rapidly adopt systems prone to hallucinations and opaque decision-making. Some proposed exclusions are sweeping, barring claims involving any AI use. While AIG says it has no immediate plans to apply its exclusions, insurers warn that unclear liability across developers, model providers, and users makes AI risk potentially exponential. Recent high-profile errors, fraud enabled by deepfakes, and fears of systemic losses are pushing insurers toward tighter limits, narrower endorsements, and cautious coverage for AI-related incidents.
Chinese threat activity around two critical SharePoint flaws has escalated into the broad ToolShell campaign, where three distinct China-based hacking groups exploited the same vulnerabilities almost simultaneously. The bugs, first demonstrated at Pwn2Own, were meant to be patched quietly, yet attackers moved even before Microsoft released fixes. Within weeks, hundreds of governments and businesses worldwide were compromised, prompting urgent patch revisions after hackers bypassed initial mitigations. Analysts are probing how multiple Chinese groups obtained working exploits so quickly, including scrutiny of China-based partners in Microsoft's early warning program and that country's laws requiring zero-day reporting to the state. The campaign follows a growing pattern where Chinese clusters surge exploitation just before or after disclosure. Motivations also vary. Two groups appear focused on intelligence collection, while a third shows ransomware behavior that may mask deeper objectives. The convergence underscores China's complex cyber ecosystem and persistent strategic targeting.
Ransomware crews are increasingly targeting hypervisors, the software that creates and manages virtual machines. According to new data from Huntress, attacks jumped from 3% of cases in early '24 to 25% in the second half of the year. Researchers say the Akira ransomware group is driving much of the surge, aiming at hypervisors to evade endpoint and network defenses. Compromising a hypervisor gives attackers control over hosted virtual machines, greatly amplifying impact. Huntress has seen operators use built-in tools like OpenSSL to encrypt VM volumes and abuse Hyper-V utilities to disable protections and prepare large-scale deployments. The company urges strict patching, multi-factor authentication, strong passwords, allowlisting for binaries, and full log ingestion into security information and event management systems to counter the growing threat.
NHS Barts Health in London is seeking a UK High Court order to block the publication or use of data stolen in an August ransomware attack by the Clop group. The hospital says Clop accessed invoice records containing names and addresses of patients and staff, though core IT systems were not breached. The data also included information from nearby NHS trusts. Officials warned the stolen details could be exploited for scams or payment fraud. Investigators say Clop targeted zero-days in Oracle's E-Business Suite, part of a broader campaign in which the gang emailed victims threatening to leak data unless large cryptocurrency ransoms were paid. NHS England and the National Cyber Security Centre are assessing the incident's impact.
The White House has approved Nvidia to export its H200 AI chips to select customers in China under conditions meant to protect national security, President Trump said. The U.S. will take a 25% cut of sales. The H200 is more capable than Nvidia's previously allowed H20 chips, but still below its Blackwell line, which is not part of the deal. Trump said the policy supports U.S. jobs and manufacturing. The decision follows political pressure to limit China's access to advanced AI hardware.

Joshua Aaron, creator of the ICEBlock app, is suing Attorney General Pam Bondi and several federal officials, alleging the Trump administration made unlawful threats and pressured Apple to remove his app from the App Store.
ICEBlock, which lets users anonymously report Immigration and Customs Enforcement activity, surged to over 500,000 downloads after a CNN story. Although Apple initially approved the app after legal review, it removed ICEBlock in October following public pressure from Bondi. Google and Facebook later removed similar content. Federal officials defend the takedowns, arguing such apps endanger law enforcement. The lawsuit comes as Republican lawmakers push for tighter restrictions, including a bill that would criminalize publishing information about federal officers if it risks targeted harassment or violence.
The FBI warns that criminals are using altered or AI-generated images to create fake proof-of-life photos in virtual kidnapping scams. Fraudsters text victims claiming a loved one has been abducted, often sending doctored images and threatening violence to force quick payment. Some scams exploit photos of real missing people scraped from social media. The FBI says these emergency scams mirror grandparent fraud schemes, but now use AI to enhance credibility. Officials urge families to use code words, verify the victim's safety, and report incidents to IC3.
The U.S. Federal Trade Commission has rejected a petition from Scott Zuckerman, founder of stalkerware firms SpyFone, Support King, and OneClickMonitor, to lift a 2021 ban preventing him from selling surveillance apps. The ban followed a major data breach that exposed both customers and the people they secretly monitored, and required Zuckerman to delete collected data and implement strict security and auditing measures. The FTC called SpyFone a tool that enabled stalkers while failing to protect sensitive information. Zuckerman argued the order's security requirements imposed financial burdens on his unrelated businesses, but the FTC declined to modify the restrictions. He offered no further comment.
Coming up after the break, my conversation with Dave Lindner from Contrast Security. We're discussing nation-state adversaries targeting source code. And Craigslist's founder pledges support for cybersecurity, veterans, and pigeons. Stay with us.
Dave Lindner is CISO of Contrast Security. I recently sat down with him for a conversation on nation-state adversaries targeting source code to infiltrate the government and private sector.
We find ourselves in a pretty bad place. These attacks have been going on for quite some time. Many organizations probably don't even know that they have adversaries in their source code. You know, you even go back to SolarWinds. You know, that was an adversarial nation-state-level type attack, you know, and they all have different reasons for doing so. But it's really, really difficult when, you know, a nation state wants to wreak havoc, right? They have the means. They have the money. They have the technology. They have the time to be able to do so. And for the average organization, they probably don't have the means to prevent it, just because they're maybe focusing on different things.
And what is it about source code specifically that makes it so appealing?
So I think it's kind of that supply chain aspect. You know, I was thinking about this, you know, from a supply chain. You know, SolarWinds was a supply chain issue. This recent F5 breach was really a supply chain issue. But what nation states want to do is they want to infiltrate a place that maybe has broad reach. F5, heavily used by the United States government, heavily used by some of the largest corporations in the world, right? They want to infiltrate this source code and maybe find zero-days in the source code, maybe find ways to inject maliciousness in that source code. So once it's delivered to the government, to the bigger organizations, now they can compromise them as well, right? So it is very, very important for them. And I look at, like, Hollywood movies, right? And you look at things like Ocean's 11 or, you know, some of those where they're trying to infiltrate these massive places, they're always doing it through some other mechanism. They're getting involved with the serving crew at that party that night, or they get put as part of the security team, that's part of the security detail. They're coming at them from a third party that they're inherently trusting to be secure, and that's kind of the problem. There's no good mechanism to prove that trust. Security questionnaires aren't doing it.
And to what degree is this an open source software problem?
I mean, it's open source, it's closed source, it's COTS, it's a software problem, right? However, you look at recent things like the Shai-Hulud attacks that have recently taken place against a bunch of Node repositories, where people are compromising credentials, or maybe credentials of repositories that haven't been touched in years, and they're injecting maliciousness into those repositories that are then automatically downloaded and used by thousands, if not hundreds of thousands, of organizations. So it's easier, but it's really a software problem. In the F5 case, that wasn't an open source problem. They now have all of F5's BIG-IP software, right? That's a bad place to be.
And what makes it so difficult to detect these things?
So, you know, when I started earlier, it's like they have the means, they take a low and slow approach. You know, some of them use what we call living-off-the-land attacks, where these advanced actors, they're not even installing maliciousness, right? They're using tools that are already in the environments they want to get into to be undetectable, right? And I think that's some of the problem is they're okay with taking time. You know, sometimes they might create some diversion or, you know, create some other really loud attack to get the security operations teams looking at that instead of the not-so-loud "I found these compromised credentials." Sure, I may be logging in from Russia, but are you going to detect that type of thing? And, you know, it's as simple as that. They're really compromising credentials. Phishing is still a problem, believe it or not. And in some cases, they're exploiting zero-days that the world doesn't really know about yet. So it's hard to detect things that we don't know about.
Yeah, I think you mentioned that patience is such a component of this. We had a recent story where I think it was Chinese threat actors who waited seven years to update some browser plug-ins to make them malicious, where they'd been clean for seven years.
Yeah, for sure. I mean, and if you take a step back and kind of think about what these nation states are looking for, right, it's intel, it's, you know, espionage, it's disruption. It's, you know, in the case of, like, a North Korea, it's financial theft. I mean, North Korea is heavily invested in stealing crypto. I mean, that's been their thing for a while now. And trying to really understand, like, they don't need these things to happen overnight. The long game is fine. If I'm in an organization and my whole goal is to get as much intel as possible, I'm happy to be there forever. And, you know, I think that's part of the issue. I mean, there was, a couple years ago, Russia was in Microsoft, right? They had compromised, like, a lower environment, a QA environment of the internal email system, but they were able to compromise a bunch of very sensitive emails doing so. And it took forever to detect them because it was in a lower environment.

So should organizations assume breach here?

I don't want to be like a FUD type of person. I don't think we assume breach. You know, I think you have to really do a good job of understanding and threat modeling your organization. The hardest part, and even like for a small organization like ours at Contrast Security, is vetting third parties. At what point do you feel they're trustworthy enough? Knowing that at some point, if they're compromised, you probably are as well. I think that's going to be the hardest part for any organization. Because these nation states probably are not coming directly at F5, directly at Microsoft. They're trying to backdoor it somehow through some third party. I mean, years and years ago, Target had a breach of their credit card processors, right? And it was through a third party that they hadn't shut access off to those credit card processors. So no one really knew about it, that they even still had access, and they compromised those credentials to get in. So it's just, it's a really, really difficult place to be because there's no really good way to give that rubber stamp of approval. I mean, we get security questionnaires all the time. Does that mean we're secure? According to, you know, our customers, yes. But at the end of the day, what's the security questionnaire do? It's a bunch of words. And so it's a really, but assuming breach, I don't, the larger org with a, with a bigger, let's say, like, target on their back, F5 for sure. I mean, anyone who's in the federal government, in massive financial sector, you know, I think they have that mentality where they kind of assume breach. They have the red teamers, they have the folks that are doing OSINT, looking for threats in all their logs and all their systems all the time they can, right? You know, I don't think every org probably has the same sort of threat that, you know, some of these larger, more attractive organizations would.
So what are your recommendations then? I mean, given these realities, what should security professionals be doing to protect their organizations against this sort of thing?
Focusing on locking your environment down as much as possible and understanding, you know, there's layers to this. And, you know, I'm always a huge fan of having different control layers and visibility into those different control layers. So if one fails, you know, something else might pick it up. I think, you know, anomaly detection is such a huge part of understanding your environment. Even in the case of the recent F5 breach, I think what ended up happening is there was some vulnerability in one of their developed systems that was taken advantage of to get that initial access point for China. And just knowing that and understanding that, you know, detecting something that's different is going to be so important moving forward, and you're going to have to make sure you have the right tools in place to do so. And sometimes, you know, I do think AI is going to play a massive role in kind of correlating all of this data, because people can't, right? I mean, we've known that for a while. I mean, I think we have terabytes and terabytes of logs, you know, on an hourly basis, just in our small systems. I can't imagine what a Microsoft or an F5 has, right? And I think that that anomaly detection is really, is something that someone has to really focus time and energy on. I don't think there's a perfect approach to preventing a breach in some third party that you're using. I don't know what the direction should be there other than when you bring someone on board or pull in that open source, you need to know that it's a pretty good possibility that someone could be trying to infiltrate through those means. But again, it gets back to a threat model. What's your threat look like? Who really wants to get into your environment and why? And kind of start there.
That's Dave Lindner, CISO of Contrast Security.
And finally, Craig Newmark, the mild-mannered founder of Craigslist and self-described non-billionaire, has officially joined the Giving Pledge. In a LinkedIn post marking both his commitment and his entry into his mid-70s, he noted he gave away his Craigslist equity long ago, which does complicate the whole billionaire label. Still, turning down an estimated $11 billion in dot-com-era enthusiasm buys a certain moral high ground. Newmark says his philanthropy will continue to focus on cybersecurity, veterans, and pigeon rescue. Yes, pigeons. Newmark insists pigeons are misunderstood underdogs, possibly even our future overlords, which he admires. His foundation recently gave 30,000 to a rescue group, its largest gift ever. In true Craigslist fashion, he's simply posting goodwill into the universe, one charitable listing at a time.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
