
News Summary

Last updated: 22:15 05/12/2025 UTC
  • China-Linked Hackers Actively Exploit **React2Shell (CVE-2025-55182)** in Global Campaigns. Two China-linked APT groups, Earth Lamia and Jackpot Panda, are now weaponizing the React2Shell RCE flaw (CVSS 10.0) in React Server Components. Targets span financial services, government, and IT sectors across Latin America, the Middle East, and Southeast Asia, with attackers executing discovery commands and data exfiltration. The vulnerability, patched in React 19.0.1+, remains a high-risk vector due to widespread unpatched deployments.
  • **Cloudflare Outage** and **Widespread Exploitation** of React2Shell (CVE-2025-55182). A Cloudflare global outage struck major services (Zoom, LinkedIn, Coinbase) after an emergency patch for React2Shell (CVE-2025-55182) backfired. Meanwhile, China’s Earth Lamia and Jackpot Panda are actively exploiting the flaw, per NHS England’s CSOC warning. 39% of cloud environments remain unpatched, with near-100% exploit success in default configs. PoC exploits are now public, escalating risk.
  • **Predator Spyware** Deploys **Zero-Click ‘Aladdin’ Exploit** via Malicious Ads. Intellexa’s Predator spyware is leveraging a zero-click infection chain called ‘Aladdin’, hiding behind shell companies and legitimate mobile ad networks to compromise targets. A Pakistani human rights lawyer was recently targeted via a WhatsApp link, confirming the spyware’s ongoing evolution despite sanctions. The attack exfiltrates messaging apps, calls, passwords, and location data without user interaction.
  • **Critical XXE Flaw (CVE-2025-66516, CVSS 10.0)** in **Apache Tika** Demands Immediate Patching. A critical XXE injection vulnerability in Apache Tika (affecting tika-core, tika-pdf-module) allows attackers to execute arbitrary code via crafted PDFs with XFA forms. All versions before the latest patches are exposed, with no workarounds; immediate upgrades are mandatory. The flaw mirrors CVE-2025-54988 but expands the attack surface.
  • **Silver Fox APT** Deploys **ValleyRAT** via **Microsoft-Signed Driver Exploit** in False-Flag Ops. The Silver Fox threat group (aka SwimSnake) is abusing a signed Microsoft driver (‘amsdk.sys’) to disable EDR tools and deploy ValleyRAT malware. A new false-flag campaign mimics Russian APTs, using Microsoft Teams lures to drop trojanized installers. Targets include Chinese orgs, with malware persisting via rundll32.exe and C2 fetch routines.
Last updated: 22:01 05/12/2025 UTC
  • Clop extortion campaign escalates with **University of Phoenix breach** via Oracle EBS zero-day. The Clop ransomware gang has expanded its Oracle E-Business Suite (EBS) extortion spree, now breaching the University of Phoenix after exploiting zero-day CVE-2025-61882 to steal SSNs, bank details, and 1.5M+ records. The university disclosed the incident on December 3, 2025, joining over 100 victims—including Harvard, Logitech, and The Washington Post—since the campaign began in August 2025. Oracle’s October patch arrived too late; many organizations, like GlobalLogic, already suffered terabyte-scale leaks. CISA and NCSC urge immediate mitigation, but Clop continues pressuring victims with dark web leaks and extortion demands. Action: Audit Oracle EBS logs for unauthorized access pre-October 2025, rotate compromised credentials, and monitor for Clop’s leak site updates—negotiations may still be underway.
  • CISA, NSA warn of **BRICKSTORM malware’s self-healing persistence** in PRC espionage. A joint CISA/NSA alert reveals BRICKSTORM malware’s automatic reinstall capability, used by PRC state actors (UNC5221/Warp Panda) to maintain 393-day average dwell times in U.S. tech, legal, and SaaS targets. The Go-based backdoor—deployed via VMware vCenter/ESXi—now tunnels traffic through nested TLS, WebSockets, and SOCKS proxies, evading detection while exfiltrating emails and cloud secrets. Attackers clone domain controller VMs to harvest Active Directory databases and abuse Microsoft Entra ID apps for lateral movement. Eight victim samples confirm multi-layer encryption and self-monitoring functions that restart the malware if disrupted. Mitigation: Deploy CISA’s detection script, hunt for rogue vCenter processes, and audit Microsoft 365 app permissions for anomalies. Patch Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887)—initial access vectors tied to earlier exploits.
  • **Aisuru botnet** shatters DDoS records with **29.7 Tbps attack**, targets U.S. ISPs. The Aisuru botnet—operated by threat actors Snow, Tom, and Forky—has set a new global DDoS record with a 29.7 Tbps UDP flood (69-second duration) and a 14.1 Bpps assault, both mitigated by Cloudflare in Q3 2025. The botnet now controls 1–4 million IoT devices (up from 700K), primarily on U.S. ISPs like AT&T/Comcast, and has pivoted from gaming to telecom, financial services, and AI sectors. Hyper-volumetric attacks (>1 Tbps) surged 227% QoQ, with 45% of Aisuru’s 2,867 2025 attacks falling into this category. Collateral traffic is disrupting unrelated ISPs and critical infrastructure, while operators monetize infected hosts as residential proxies for credential stuffing. Indicators: Attacks originate from Indonesia, Thailand, Bangladesh, Ecuador. Mitigation: Rate-limit UDP/15K+ ports/second, block known Aisuru IPs, and monitor for SMB/SSH lateral movement—botnet repurposes devices from dismantled rivals like Eleven11/RapperBot.
  • **Shai-Hulud worm’s second wave** infects **800+ npm packages**, leaks **400K secrets**. The Shai-Hulud worm has resurfaced in a second, more destructive wave, compromising 800+ npm packages (vs. 187 in September) and spilling 400,000 raw secrets—including GitHub tokens, AWS keys, and Slack webhooks—across 30,000 repositories. The self-replicating malware now uses Bun runtime to evade Node.js defenses, wipes victim home directories if persistence fails, and exfiltrates data to randomly named GitHub repos. 60% of leaked npm tokens remain valid as of December 1, per Wiz. The worm also jumped to Maven Central, targeting PostHog users via trojanized artifacts. Impact: 28,000+ repositories affected; top infected packages include @postman/tunnel-agent and @asyncapi/specs. Action: Rotate all tokens, audit CI/CD pipelines for rogue workflows (e.g., discussion.yaml), and scan for TruffleHog abuse—attackers use it to hunt secrets dynamically.
  • **Elementor King Addons** zero-day (CVE-2025-8489) under **mass exploitation**—**48K+ attacks blocked**. A critical zero-day (CVE-2025-8489, CVSS 9.8) in the Elementor King Addons plugin (10,000+ WordPress sites) is under active mass exploitation, with Wordfence blocking 48,400+ attacks since late October. The flaw lets unauthenticated attackers create admin accounts by abusing the registration handler (via admin-ajax.php?user_role=administrator). Peak activity hit November 9–10, with two IPs (45.61.157.120, 2602:fa59:3:424::1) responsible for 45,800+ attempts. Patch (v51.1.35) was released September 25, but many sites remain vulnerable. Action: Update immediately, audit for rogue admin users, and block offending IPs. Check for suspicious ‘executed.dat’ markers—linked to process hollowing in follow-on attacks.
  • **Silver Fox** deploys **ValleyRAT** via **Microsoft Teams lures**, mimics Russian APTs. The Silver Fox group (aka SwimSnake) is impersonating Russian threat actors in a false-flag campaign targeting Chinese organizations with ValleyRAT (Winos 4.0). The attack chain starts with Microsoft Teams phishing lures leading to a trojanized installer (MSTчamsSetup.zip) that disables 360 Total Security, modifies Defender exclusions, and drops a DLL-based backdoor. The malware scans for security tools, exfiltrates via Alibaba Cloud, and uses fake Embarcadero files for persistence. Nextron Systems links this to a broader Telegram installer supply-chain attack. TTPs: Abuses ‘AppData\Local\Profiler.json’, registers rundll32.exe for C2. Mitigation: Block untrusted Teams file shares, monitor for GPUCache.xml anomalies.
  • **DragonForce ransomware cartel** partners with **Scattered Spider**, escalates **M&S-style breaches**. The DragonForce ransomware group—a Conti offshoot—has formalized a cartel model, offering affiliates 80% profit shares, custom encryptors, and shared infrastructure. Their partnership with Scattered Spider (aka 0ktapus) has enabled high-profile breaches, including the Marks & Spencer incident, via advanced social engineering (MFA fatigue, SIM swapping) and RMM tool abuse (ScreenConnect, AnyDesk). The group now publishes more victims yearly than in 2024, with Scattered Spider conducting reconnaissance to identify weak MFA/VPN targets. Defense: Enforce hardware MFA, restrict RMM tool access, and segment networks to limit lateral movement. Monitor for MEGA/Amazon S3 exfiltration—DragonForce’s preferred leak channels.

Latest updates


FBI Warns of Virtual Kidnapping Scams Using Altered Social Media Photos

Updated: · First: 05.12.2025 18:37 · 📰 1 src / 1 articles

The FBI has issued a warning about virtual kidnapping scams where criminals use altered social media photos as fake proof of life to extort ransom payments. These scams involve contacting victims via text message, claiming to have kidnapped a family member and demanding immediate payment. The criminals use manipulated images and publicly available information to create convincing but false scenarios. The FBI advises caution and recommends establishing a family code word and verifying communications before paying any ransom.

Critical XXE Vulnerability in Apache Tika (CVE-2025-66516)

Updated: · First: 05.12.2025 18:23 · 📰 1 src / 1 articles

A critical XML External Entity (XXE) injection vulnerability (CVE-2025-66516) has been disclosed in Apache Tika, affecting multiple modules. The flaw, rated 10.0 on the CVSS scale, allows attackers to execute XXE attacks via crafted XFA files in PDFs. The vulnerability affects specific versions of tika-core, tika-pdf-module, and tika-parsers. Users are advised to upgrade to the patched versions immediately. The vulnerability is similar to CVE-2025-54988 but expands the scope of affected packages and highlights the importance of upgrading both the tika-parser-pdf-module and tika-core to mitigate the risk.

Critical React Server Components (RSC) Bugs Enable Unauthenticated Remote Code Execution

Updated: 05.12.2025 18:00 · First: 03.12.2025 20:19 · 📰 4 src / 6 articles

A critical security vulnerability (CVE-2025-55182, CVSS 10.0) in React Server Components (RSC) allows unauthenticated remote code execution due to unsafe deserialization of payloads. The flaw affects multiple versions of React and Next.js, potentially impacting any application using RSC. The issue has been patched, but 39% of cloud environments remain vulnerable. Cloudflare experienced a widespread outage due to an emergency patch for this vulnerability, and multiple China-linked hacking groups have begun exploiting it. NHS England National CSOC has warned of the likelihood of continued exploitation in the wild. Major companies such as Google Cloud, AWS, and Cloudflare immediately responded to the vulnerability. The security researcher Lachlan Davidson disclosed the vulnerability on November 29, 2025, to the Meta team. The flaw has been dubbed React2Shell, a nod to the Log4Shell vulnerability discovered in 2021. The US National Vulnerability Database (NVD) rejected CVE-2025-66478 as a duplicate of CVE-2025-55182. Exploitation success rate is reported to be nearly 100% in default configurations. React servers that use React Server Function endpoints are known to be vulnerable. The Next.js web application is also vulnerable in its default configuration. At the time of writing, it is unknown if active exploitation has occurred, but there have been some reports of observed exploitation activity as of December 5, 2026. OX Security warned that the flaw is now actively exploitable on December 5, around 10am GMT. Hacker maple3142 published a working PoC, and OX Security successfully verified it. JFrog identified fake proof-of-concepts (PoC) on GitHub, warning security teams to verify sources before testing. Cloudflare started investigating issues on December 5 at 08:56 UTC, and a fix was rolled out within half an hour, but by that time outages had been reported by several major internet services, including Zoom, LinkedIn, Coinbase, DoorDash, and Canva.

Continuous Attack Surface Visibility Critical for Modern Security

Updated: · First: 05.12.2025 17:00 · 📰 1 src / 1 articles

Modern security teams face challenges with traditional passive internet-scan data, which quickly becomes outdated due to dynamic cloud environments and rapid deployment cycles. Continuous, automated, active reconnaissance is essential for maintaining an accurate view of the external attack surface. This approach helps detect newly exposed services, misconfigurations, and shadow IT, reducing alert fatigue and improving decision-making.

EU fines X €120 million for DSA violations related to blue checkmarks and transparency

Updated: · First: 05.12.2025 16:41 · 📰 1 src / 1 articles

The European Commission fined X €120 million ($140 million) for violating the Digital Services Act (DSA) due to deceptive blue checkmarks, opaque advertising practices, and blocking researchers' access to public data. The fine follows a two-year investigation into X's compliance with DSA obligations regarding harmful content and information manipulation. The commission found that X's blue checkmark system misleads users by allowing purchases without meaningful identity verification, increasing exposure to fraud and manipulation. Additionally, X failed to maintain a transparent advertising repository and imposed barriers on researchers accessing public data. X has 60 days to address the blue checkmark issue and 90 days to submit action plans for the other violations, with potential periodic penalties for non-compliance.

Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations

Updated: 05.12.2025 16:30 · First: 24.09.2025 17:00 · 📰 10 src / 10 articles

The BRICKSTORM malware, attributed to PRC state-sponsored actors, has been used for long-term espionage against U.S. organizations, particularly in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. CISA, NSA, and Cyber Centre issued a joint report on BRICKSTORM, providing IOCs, detection signatures, and recommended mitigations. The report highlights BRICKSTORM's advanced functionality to conceal communications, move laterally, and tunnel into victim networks. The malware automatically reinstalls or restarts if disrupted, and PRC actors are primarily targeting government and IT sector organizations. CISA analyzed eight BRICKSTORM samples from victim organizations and urges organizations to contact CISA if they detect BRICKSTORM or related activity. 
CISA warns that Chinese hackers have been backdooring VMware vSphere servers with Brickstorm malware, using multiple layers of encryption and a self-monitoring function to maintain persistence. The attackers compromised a web server in an organization's DMZ in April 2024, moved laterally to an internal VMware vCenter server, and deployed malware. They also hacked two domain controllers and exported cryptographic keys after compromising an ADFS server, maintaining access from at least April 2024 through September 2025. The attackers captured Active Directory database information and performed system backups to steal legitimate credentials and other sensitive data. CrowdStrike linked these attacks to a Chinese hacking group it tracks as Warp Panda, which also deployed previously unknown Junction and GuestConduit malware implants in VMware ESXi environments. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of a backdoor named BRICKSTORM that has been put to use by state-sponsored threat actors from the People's Republic of China (PRC) to maintain long-term persistence on compromised systems. BRICKSTORM is a sophisticated backdoor for VMware vSphere and Windows environments, enabling cyber threat actors to maintain stealthy access and providing capabilities for initiation, persistence, and secure command-and-control. Written in Golang, the custom implant gives bad actors interactive shell access on the system and allows them to browse, upload, download, create, delete, and manipulate files. The malware, mainly used in attacks targeting governments and information technology (IT) sectors, also supports multiple protocols, such as HTTPS, WebSockets, and nested Transport Layer Security (TLS), for command-and-control (C2), DNS-over-HTTPS (DoH) to conceal communications and blend in with normal traffic, and can act as a SOCKS proxy to facilitate lateral movement. 
The cybersecurity agency did not disclose how many government agencies have been impacted or what type of data was stolen. The activity represents an ongoing tactical evolution of Chinese hacking groups, which have continued to strike edge network devices to breach networks and cloud infrastructures. In a statement shared with Reuters, a spokesperson for the Chinese embassy in Washington rejected the accusations, stating the Chinese government does not "encourage, support or connive at cyber attacks." BRICKSTORM was first documented by Google Mandiant in 2024 in attacks linked to the zero-day exploitation of Ivanti Connect Secure vulnerabilities (CVE-2023-46805 and CVE-2024-21887). The use of the malware has been attributed to two clusters: UNC5221 and a new China-nexus adversary tracked by CrowdStrike as Warp Panda. Earlier this September, Mandiant and Google Threat Intelligence Group (GTIG) said they observed legal services, software-as-a-service (SaaS) providers, Business Process Outsourcers (BPOs), and technology sectors in the U.S. being targeted by UNC5221 and other closely related threat activity clusters to deliver the malware. A key feature of the malware, per CISA, is its ability to automatically reinstall or restart itself by means of a self-monitoring function that allows its continued operation in the face of any potential disruption. In one case detected in April 2024, the threat actors are said to have accessed a web server inside an organization's demilitarized zone (DMZ) using a web shell, before moving laterally to an internal VMware vCenter server and implanting BRICKSTORM. However, many details remain unknown, including the initial access vector used in the attack and when the web shell was deployed. 
The attackers have also been found to leverage the access to obtain service account credentials and laterally move to a domain controller in the DMZ using Remote Desktop Protocol (RDP) so as to capture Active Directory information. Over the course of the intrusion, the threat actors managed to get the credentials for a managed service provider (MSP) account, which was then used to jump from the internal domain controller to the VMware vCenter server. CISA said the actors also moved laterally from the web server using Server Message Block (SMB) to two jump servers and an Active Directory Federation Services (ADFS) server, exfiltrating cryptographic keys from the latter. The access to vCenter ultimately enabled the adversary to deploy BRICKSTORM after elevating their privileges. CrowdStrike, in its analysis of Warp Panda, said it has detected multiple intrusions targeting VMware vCenter environments at U.S.-based legal, technology, and manufacturing entities this year that have led to the deployment of BRICKSTORM. The group is believed to have been active since at least 2022. Warp Panda exhibits a high level of technical sophistication, advanced operations security (OPSEC) skills, and extensive knowledge of cloud and virtual machine (VM) environments. Warp Panda demonstrates a high level of stealth and almost certainly focuses on maintaining persistent, long-term, covert access to compromised networks. Evidence shows the hacking group gained initial access to one entity in late 2023. Also deployed in the attacks alongside BRICKSTORM are two previously undocumented Golang implants, namely Junction and GuestConduit, on ESXi hosts and guest VMs, respectively. Junction acts as an HTTP server to listen for incoming requests and supports a wide range of capabilities to execute commands, proxy network traffic, and interact with guest VMs through VM sockets (VSOCK). 
GuestConduit, on the other hand, is a network traffic-tunneling implant that resides within a guest VM and establishes a VSOCK listener on port 5555. Its primary responsibility is to facilitate communication between guest VMs and hypervisors. Initial access methods involve the exploitation of internet-facing edge devices to pivot to vCenter environments, either using valid credentials or abusing vCenter vulnerabilities. Lateral movement is achieved by using SSH and the privileged vCenter management account "vpxuser." The hacking crew has also used the Secure File Transfer Protocol (SFTP) to move data between hosts. The exploited vulnerabilities include CVE-2024-21887 (Ivanti Connect Secure), CVE-2023-46805 (Ivanti Connect Secure), CVE-2024-38812 (VMware vCenter), CVE-2023-34048 (VMware vCenter), CVE-2021-22005 (VMware vCenter), and CVE-2023-46747 (F5 BIG-IP). The entire modus operandi revolves around maintaining stealth by clearing logs, timestomping files, and creating rogue VMs that are shut down after use. BRICKSTORM, masquerading as benign vCenter processes, is employed to tunnel traffic through vCenter servers, ESXi hosts, and guest VMs. Similar to details shared by CISA, CrowdStrike noted that the attackers used their access to vCenter servers to clone domain controller VMs, possibly in a bid to harvest the Active Directory Domain Services database. The threat actors have also been spotted accessing the email accounts of employees who work in areas that align with Chinese government interests. Warp Panda likely used their access to one of the compromised networks to engage in rudimentary reconnaissance against an Asia Pacific government entity. They also connected to various cybersecurity blogs and a Mandarin-language GitHub repository. Another significant aspect of Warp Panda's activities is their focus on establishing persistence in cloud environments and accessing sensitive data. 
Characterizing it as a "cloud-conscious adversary," CrowdStrike said the attackers exploited their access to entities' Microsoft Azure environments to access data stored in OneDrive, SharePoint, and Exchange. In at least one incident, the hackers managed to get hold of user session tokens, likely by exfiltrating user browser files and tunneled traffic through BRICKSTORM implants to access Microsoft 365 services via a session replay attack and download SharePoint files related to the organization's network engineering and incident response teams. The attackers have also engaged in additional ways to set up persistence, such as by registering a new multi-factor authentication (MFA) device through an Authenticator app code after initially logging into a user account. In another intrusion, the Microsoft Graph API was used to enumerate service principals, applications, users, directory roles, and emails. The adversary primarily targets entities in North America and consistently maintains persistent, covert access to compromised networks, likely to support intelligence-collection efforts aligned with PRC strategic interests.

Chinese Hackers Exploit React2Shell Vulnerability (CVE-2025-55182) in Targeted Campaigns

Updated: · First: 05.12.2025 16:10 · 📰 1 src / 1 articles

Two China-linked hacking groups, Earth Lamia and Jackpot Panda, have begun exploiting the newly disclosed React2Shell vulnerability (CVE-2025-55182) in React Server Components, which allows unauthenticated remote code execution. The vulnerability was addressed in React versions 19.0.1, 19.1.2, and 19.2.1. The groups have targeted various sectors, including financial services, logistics, retail, IT, universities, and government organizations across Latin America, the Middle East, and Southeast Asia. The attacks involve running discovery commands, writing files, and reading sensitive information, demonstrating a systematic approach to exploit multiple vulnerabilities simultaneously.

Qilin ransomware group targets multiple organizations, including South Korean financial sector

Updated: 05.12.2025 15:05 · First: 19.08.2025 17:25 · 📰 17 src / 21 articles

The Qilin ransomware group has been active, targeting multiple organizations, including Inotiv, a U.S.-based pharmaceutical company; Creative Box Inc. (CBI), a subsidiary of Nissan; Mecklenburg County Public Schools (MCPS); Asahi Group; and Synnovis, a UK pathology services provider. The latest attack was on the South Korean financial sector, where Qilin claims to have stolen over 1 million files and 2 TB of data from 28 victims. The Asahi attack caused significant operational disruption, including a beer shortage in Japan. The group has also targeted other Japanese companies, including Shinko Plastics and Osaki Medical. Qilin operates as a ransomware-as-a-service (RaaS) network, leasing its tools and infrastructure to affiliates since 2023 and taking a 15–20% share of ransom payments. The group's malware is custom-built in Rust and C for cross-platform attacks on Windows, Linux, and ESXi systems. The operation was first launched as "Agenda" in August 2022 and rebranded to Qilin by September 2022. It has attacked more than 700 victims across 62 countries in 2025 and has published over 40 new victims per month in the second half of 2025. Qilin uses the Windows Subsystem for Linux (WSL) to execute Linux encryptors on Windows systems, evading traditional security tools. The group has been observed exploiting unpatched VPN appliances and the lack of multi-factor authentication (MFA) to gain initial access to corporate networks; targeting small-to-medium-sized businesses in the construction, healthcare, and financial sectors; using new extortion channels, including Telegram and public sites such as WikiLeaksV2; collaborating with affiliates of the Scattered Spider group; and publishing victims' data on dark-web leak sites if no ransom is paid. 
Asahi Group Holdings confirmed that the personal data of approximately 1.914 million individuals, including 1.525 million customers, was or may have been exposed in the cyber-attack. The exposed data includes names, genders, dates of birth, postal addresses, email addresses, and phone numbers. Asahi Group Holdings spent two months investigating the breach, conducting root cause analysis, integrity checks, containing the ransomware, restoring systems, and strengthening security. Atsushi Katsuki, President and Group CEO of Asahi Group Holdings, publicly apologized for the difficulties caused by the disruptions. Asahi Group Holdings is reviewing the potential impact of the incident on its financial results for fiscal year 2025. The Qilin ransomware group claimed responsibility for the cyber-attack on Asahi Group Holdings. Asahi Group Holdings temporarily suspended its operations in Japan in late September following a system failure due to the ransomware attack. The disruptions included order and shipment operations, call centers, and customer service desks. Asahi Group Holdings postponed the launch of a new product scheduled to be released in October due to the cyber-attack. On October 7, the Qilin ransomware group listed Asahi on its data leak site, claiming to have stolen 27 GB of files from the company. 
Inotiv is notifying 9,542 individuals that their personal information was stolen in the August 2025 ransomware attack. Inotiv has restored availability and access to impacted networks and systems affected by the August 2025 ransomware attack. The Qilin ransomware group claimed responsibility for the breach in August 2025, leaked data samples, and said they exfiltrated over 162,000 files totaling 176 GB from Inotiv.

Louvre Launches €57m Security Overhaul After High-Profile Theft

Updated: · First: 05.12.2025 14:30 · 📰 1 src / 1 articles

The Louvre is investing €57m to renovate its security infrastructure following the theft of the Crown Jewels in October. The tender includes plans for a new digital safety management system, IT and physical security monitoring software, CCTV upgrades, access control mechanisms, and intrusion detection systems. The project aims to enhance cybersecurity and physical security while ensuring interoperability and scalability. The Louvre has set a deadline of December 10 for companies to apply and show interest in providing solutions. The modernization works will be carried out without suspending museum activities.

Predator Spyware Exploits Zero-Click Infection Vector via Malicious Ads

Updated: 05.12.2025 13:47 · First: 04.12.2025 22:47 · 📰 3 src / 4 articles

Predator spyware, developed by Intellexa, has been using a zero-click infection mechanism called Aladdin, which infects targets by displaying malicious advertisements. This vector is hidden behind shell companies across multiple countries and leverages the commercial mobile advertising system to deliver malware. The spyware is still operational and actively developed, with additional delivery vectors like Triton targeting Samsung Exynos devices. The infection occurs when a target views a malicious ad, which triggers a redirection to Intellexa’s exploit delivery servers. The ads are served through a complex network of advertising firms, making defense measures challenging. Despite sanctions and investigations, including fines from the Greek Data Protection Authority, Intellexa remains active and prolific in zero-day exploitation. Recent leaks reveal that Intellexa's Predator spyware has been marketed under various names, including Helios, Nova, Green Arrow, and Red Arrow. The spyware exploits multiple zero-day vulnerabilities in Android and iOS devices, and uses frameworks like JSKit for native code execution. Intellexa also has the capability to remotely access the surveillance systems of its customers using TeamViewer. The spyware collects extensive data from targeted devices, including messaging apps, calls, emails, device locations, screenshots, passwords, and other on-device information.

MSPs Adopt Trust-First Framework to Improve Cybersecurity Sales

Updated: · First: 05.12.2025 13:30 · 📰 1 src / 1 articles

Managed Service Providers (MSPs) are shifting their sales strategies to focus on building trust and understanding client needs, rather than relying on traditional sales tactics. The guide 'Getting to Yes: An Anti-Sales Guide for MSPs' outlines a trust-first framework to help MSPs overcome common objections and foster long-term partnerships. This approach emphasizes empathy, education, and evidence to demonstrate the business value of cybersecurity services.

React2Shell vulnerability exploited by China-linked threat actors

Updated: · First: 05.12.2025 13:26 · 📰 1 src / 1 articles

Multiple China-linked threat actors, including Earth Lamia and Jackpot Panda, have begun exploiting the critical React2Shell vulnerability (CVE-2025-55182) in React and Next.js. This insecure deserialization flaw allows unauthenticated remote execution of JavaScript code in the server's context. The vulnerability affects multiple versions of the widely used libraries, potentially exposing thousands of dependent projects. AWS reports active exploitation attempts within hours of the public disclosure, with attackers using a mix of public exploits and manual testing to refine their techniques.

Cloudflare service disruption causes widespread 500 Internal Server Errors

Updated: · First: 05.12.2025 11:01 · 📰 1 src / 1 articles

Cloudflare experienced a service disruption on December 5, 2025, leading to widespread 500 Internal Server Errors across websites relying on its infrastructure. The issue affected users attempting to access various sites, displaying server-side errors instead of the expected content. The disruption highlights the critical role of Cloudflare in maintaining the availability and security of numerous online services.

ArrayOS AG VPN Flaw Exploited to Deploy Webshells

Updated: 05.12.2025 07:40 · First: 05.12.2025 01:05 · 📰 2 src / 3 articles

Threat actors are exploiting a command injection vulnerability in Array AG Series VPN devices to plant webshells and create rogue users. The flaw, which affects ArrayOS AG 9.4.5.8 and earlier versions, was patched in May but has no CVE identifier assigned. Attacks have been observed since at least August, targeting organizations in Japan. The vulnerability is linked to the 'DesktopDirect' remote access feature, and workarounds are available for those unable to update. The attacks have originated from the IP address 194.233.100[.]138. An authentication bypass flaw in the same product (CVE-2023-28461, CVSS 9.8) was exploited last year by a China-linked cyber espionage group dubbed MirrorFace, which has a history of targeting Japanese organizations since at least 2019.

China-Based Phishing Groups Expand to Fake E-Commerce Sites and Tax Refund Lures

Updated: · First: 05.12.2025 01:02 · 📰 1 src / 1 articles

China-based phishing groups have expanded their operations to include fake e-commerce websites and SMS lures promising unclaimed tax refunds and mobile rewards points. These groups, previously known for non-stop scam SMS messages about packages or unpaid toll fees, are now using phishing kits to create convincing fake e-commerce sites that convert customer payment card data into mobile wallets from Apple and Google. The phishing domains are promoted via SMS messages sent through Apple’s iMessage or Google’s RCS messaging service. The phishing websites ask for the visitor’s name, address, phone number, and payment card data to claim the points. If card data is submitted, the site prompts the user to share a one-time code sent via SMS by their financial institution. This code is used to enroll the victim’s phished card details in a mobile wallet controlled by the fraudsters. Experts note that these phishing kits have been used in other geographies like the EU and Asia but are now targeting consumers in the United States.

UK NCSC Launches Proactive Notifications for Vulnerability Alerts

Updated: · First: 05.12.2025 00:21 · 📰 1 src / 1 articles

The UK's National Cyber Security Centre (NCSC) has introduced a pilot service called Proactive Notifications to alert organizations about vulnerabilities in their internet-exposed devices. The service identifies unpatched vulnerabilities and weak security configurations using public data and internet scans, then recommends specific software updates or security improvements. The pilot program targets UK domains and IP addresses, but it is not exhaustive and should not replace other security alerts. Organizations are encouraged to also use the NCSC's Early Warning service for real-time threat notifications.

Russia Blocks FaceTime and Snapchat Over Terrorism Concerns

Updated: · First: 04.12.2025 21:12 · 📰 1 src / 1 articles

Russia has blocked access to Apple's FaceTime and Snapchat, citing their use in coordinating terrorist attacks, recruiting criminals, and committing fraud. Roskomnadzor, the Russian telecommunications watchdog, announced the blocking of these platforms, stating they are being used to organize terrorist activities and other crimes against Russian citizens. Snapchat was blocked on October 10, while FaceTime's blocking was announced on December 4. Additionally, Russia has previously banned other platforms like Viber and Signal for similar reasons.

Silver Fox Exploits Microsoft-Signed WatchDog Driver to Deploy ValleyRAT Malware

Updated: 04.12.2025 19:25 · First: 02.09.2025 11:39 · 📰 2 src / 3 articles

The threat actor Silver Fox has been exploiting a previously unknown vulnerable driver associated with WatchDog Anti-malware to deploy ValleyRAT malware. The driver, 'amsdk.sys' (version 1.0.600), is a validly signed Windows kernel device driver built on the Zemana Anti-Malware SDK. This driver allows arbitrary process termination and local privilege escalation, enabling the attackers to neutralize endpoint protection products and deploy the ValleyRAT remote access trojan. The campaign, first observed in late May 2025, targets Chinese-speaking victims using various social engineering techniques and trojanized software. The WatchDog driver has been patched, but attackers have adapted by modifying the driver to bypass hash-based blocklists. Silver Fox, also known as SwimSnake and UTG-Q-1000, is highly active and organized, targeting users and companies in China to steal secrets and defraud victims. Recently, Silver Fox has been spotted orchestrating a false flag operation to mimic a Russian threat group in attacks targeting organizations in China. The campaign leverages Microsoft Teams lures to trick users into downloading a malicious setup file that leads to the deployment of ValleyRAT (Winos 4.0). The activity has been underway since November 2025. The malicious setup file is a ZIP archive named "MSTчamsSetup.zip" retrieved from an Alibaba Cloud URL. The malware scans running processes for binaries related to 360 Total Security, configures Microsoft Defender Antivirus exclusions, and writes a trojanized version of the Microsoft installer to the "AppData\Local\" path. The malware writes additional files including "AppData\Local\Profiler.json," "AppData\Roaming\Embarcadero\GPUCache2.xml," "AppData\Roaming\Embarcadero\GPUCache.xml," and "AppData\Roaming\Embarcadero\AutoRecoverDat.dll." The malware loads data from "Profiler.json" and "GPUcache.xml," and launches the malicious DLL into the memory of "rundll32.exe." The malware then establishes a connection to an external server to fetch the final payload that enables remote control. Silver Fox's objectives include financial gain through theft, scams, and fraud, alongside the collection of sensitive intelligence for geopolitical advantage. The disclosure comes as Nextron Systems highlighted another ValleyRAT attack chain that uses a trojanized Telegram installer as the starting point to kick off a multi-stage process that ultimately delivers the trojan.

Former Contractors Accused of Wiping 96 U.S. Government Databases

Updated: · First: 04.12.2025 18:30 · 📰 1 src / 1 articles

Two former federal contractors, Muneeb and Sohaib Akhter, have been charged with conspiring to steal sensitive information and destroy government databases after being fired. The brothers allegedly deleted 96 databases containing U.S. government information, including Freedom of Information Act records and sensitive investigative documents. They also attempted to cover their tracks by wiping system logs and company laptops.

CISA and International Partners Publish Guide for Secure AI Integration in OT Systems

Updated: 04.12.2025 18:30 · First: 03.12.2025 14:00 · 📰 3 src / 3 articles

The Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), along with international partners, have released a joint guide outlining principles for securely integrating Artificial Intelligence (AI) into Operational Technology (OT) environments. The guide provides four key principles to help critical infrastructure owners and operators mitigate risks and ensure the safe adoption of AI in OT systems. The guide emphasizes the need for understanding AI risks, assessing its use in OT, establishing governance frameworks, and embedding safety and security measures. It focuses on machine learning (ML)- and large language model (LLM)-based AI, but can also be applied to systems using traditional statistical modeling and logic-based automation. The guide provides examples of AI use cases in OT environments, including field devices, PLCs, RTUs, SCADA, DCS, and HMI systems, and highlights the risks associated with AI integration, such as system compromise, disruptions, financial loss, and functional safety impact. Additionally, the guidance emphasizes protecting sensitive OT data, including engineering configuration information and ephemeral data, and addresses the challenges of integrating AI into legacy OT systems.

Password Security Best Practices for Operational Technology (OT) Systems

Updated: · First: 04.12.2025 17:11 · 📰 1 src / 1 articles

Operational Technology (OT) systems, which control critical infrastructure such as energy plants and manufacturing facilities, face unique cybersecurity challenges due to their direct interaction with physical systems. These challenges include outdated hardware, shared accounts, remote access vulnerabilities, and the increasing intermingling of IT and OT systems. Strong password policies are essential to mitigate these risks, as weak passwords can lead to severe consequences, including physical dangers and operational disruptions.

UK and Canadian Cyber Agencies Publish Report on Digital Content Provenance

Updated: · First: 04.12.2025 17:00 · 📰 1 src / 1 articles

The UK’s National Cyber Security Centre (NCSC) and Canada’s Centre for Cyber Security (CCCS) have released a report on digital content provenance to combat the spread of misleading information in the era of generative AI. The report emphasizes the need for organizations to improve the public provenance of their information to build trust. It explores the emerging field of content provenance technologies and offers strategies to manage associated risks. The report also highlights the challenges in developing and implementing these technologies, including the burden placed on end users to understand provenance data.

GhostFrame Phishing Framework Exploits Iframe Architecture for Over One Million Attacks

Updated: · First: 04.12.2025 16:30 · 📰 1 src / 1 articles

A new phishing framework named GhostFrame has been linked to over one million attacks. Built around a stealthy iframe architecture, GhostFrame conceals malicious behavior within embedded iframes, allowing attackers to evade detection and dynamically adjust phishing content. The framework employs anti-analysis controls and randomized subdomains to maintain stealth and ensure attack continuity. GhostFrame's attack chain involves a benign-looking outer page that loads a secondary phishing page within an iframe, which contains the actual credential-harvesting components. The framework's emails vary widely in themes, including fake contract notices, HR updates, and password reset requests.

Microsoft 365 Desktop App Installation Blocked Due to Authentication Misconfiguration

Updated: 04.12.2025 15:18 · First: 17.11.2025 16:54 · 📰 2 src / 3 articles

Microsoft is addressing a bug preventing installation of Microsoft 365 desktop apps on Windows devices. The issue stems from misconfigured authentication components in versions 2508 (Build 19127.20358) and 2507 (Build 19029.20294). The bug has been impacting users since November 2nd, causing Office Client issues. Microsoft has developed and is testing a fix, with an update on progress expected by 6:30 PM UTC today. The incident, tagged as OP1192004, is considered critical with noticeable user impact. Additionally, Microsoft is resolving a separate issue (MO1176905) affecting access to multiple Microsoft 365 services for some admins and users.

CISA Launches Industry Engagement Platform for Enhanced Collaboration

Updated: · First: 04.12.2025 14:00 · 📰 1 src / 1 articles

The Cybersecurity and Infrastructure Security Agency (CISA) has launched the Industry Engagement Platform (IEP) to facilitate structured, two-way communication between the agency and companies developing innovative security technologies. The platform aims to improve understanding of emerging solutions across the technology ecosystem and provide a transparent pathway for industry engagement. The IEP allows organizations to request conversations with CISA subject matter experts to present new technologies and capabilities that could strengthen national cyber and infrastructure security. Participation in the IEP does not provide preferential consideration for future federal contracts but serves as a key channel for CISA to gain insight into new capabilities and market trends.

DeFi Exploit Drains $9 Million from Yearn Finance

Updated: · First: 04.12.2025 13:58 · 📰 1 src / 1 articles

A critical exploit targeting Yearn Finance's yETH pool on Ethereum has resulted in the theft of approximately $9 million. The attack abused a flaw in the protocol's internal accounting, where a cache containing calculated values to save on gas fees was never cleared when the pool was emptied. The attacker minted an astronomical number of tokens—235 septillion yETH—while depositing only 16 wei, worth approximately $0.000000000000000045. This represents one of the most capital-efficient exploits in DeFi history. The exploit highlights the risks associated with gas optimization techniques in DeFi protocols and the potential for significant financial losses due to unaddressed vulnerabilities.

2025 Web Security Threats: AI-Generated Code, JavaScript Injections, and Supply Chain Attacks

Updated: · First: 04.12.2025 13:30 · 📰 1 src / 1 articles

In 2025, web security faced significant challenges due to AI-powered attacks, evolving injection techniques, and supply chain compromises. Key threats included vibe coding vulnerabilities, JavaScript injection campaigns, Magecart 2.0 attacks, AI supply chain attacks, and web privacy validation failures. These threats forced organizations to rethink their defensive strategies and adopt proactive security measures.

Critical Cybersecurity Skills Shortages Worsen Security Postures Globally

Updated: · First: 04.12.2025 13:00 · 📰 1 src / 1 articles

A new report from ISC2 reveals that 59% of global organizations face critical or significant cybersecurity skills shortages, up from 44% last year. These shortages are leading to significant security incidents, with 88% of respondents experiencing at least one major incident due to skill gaps. The most pressing skill shortages are in AI, cloud security, risk assessment, and application security. The primary drivers of these shortages are a lack of talent and budget constraints. While the rate of budget cuts and layoffs has held steady, the focus is shifting from increasing headcount to addressing critical skills gaps.

Post Office Data Breach Leaks 502 Postmasters' Personal Information

Updated: · First: 04.12.2025 11:35 · 📰 1 src / 1 articles

The Post Office exposed the personal data of 502 postmasters involved in litigation over the Horizon IT scandal. The breach occurred between April 25 and June 19, 2024, due to an unredacted legal settlement document published on its corporate website. The Information Commissioner’s Office (ICO) considered a £1.1 million fine but issued only a reprimand, citing the Post Office's remedial actions and the public sector approach to fines. The breach included names, home addresses, and postmaster status. The ICO noted deficiencies in the Post Office's technical and organizational measures, including lack of documented policies, quality assurance processes, and sufficient staff training.

GoldFactory Deploys Modified Banking Apps in Southeast Asia

Updated: · First: 04.12.2025 11:27 · 📰 1 src / 1 articles

GoldFactory, a financially motivated cybercrime group, has been targeting mobile users in Indonesia, Thailand, and Vietnam since October 2024. The group distributes modified banking applications that act as conduits for Android malware, leading to over 11,000 infections. The malware impersonates government services and trusted local brands to trick victims into installing the malicious apps, which then abuse Android's accessibility services for remote control and data theft.