{"id":21166,"date":"2025-12-01T15:22:49","date_gmt":"2025-12-01T13:22:49","guid":{"rendered":"https:\/\/kordon.app\/?p=21166"},"modified":"2025-12-01T15:22:50","modified_gmt":"2025-12-01T13:22:50","slug":"interesting-cybersecurity-news-of-the-week-summarised-01-12-2025","status":"publish","type":"post","link":"https:\/\/kordon.app\/et\/interesting-cybersecurity-news-of-the-week-summarised-01-12-2025\/","title":{"rendered":"Interesting Cybersecurity News of the Week Summarised &#8211; 01\/12\/2025"},"content":{"rendered":"<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>I go through about 25 cybersecurity news portals and blogs every week and pull out the most interesting stories. Then I turn them into this short, digestible summary, so you can stay up to date without trying to follow 25 different sources yourself. \ud83d\ude31 <\/p>\n\n\n\n<p><strong>If you enjoy these, come back next Monday or scroll to the bottom to subscribe to the e-mail newsletter. <\/strong><\/p>\n\n\n\n<p><strong>This week a lot happened<\/strong>, but most importantly:<\/p>\n\n\n\n<p><strong>If you or your organisation works with Javascript then you definitely need to check out the first news of this week and take some action to see if you&#8217;ve been impacted. <\/strong>Because, the bad worm has impacted more than 25 000 Git repositories to exfiltrate a huge amount of secrets. We already know a few big names that have been impacted &#8211; Zapier, Postman, Posthog \u2026<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">1. Shai-Hulud v2 Supply Chain Worm Expands from npm to Maven, Leaks Thousands of Secrets<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">The evolved <strong>Shai-Hulud v2 worm has trojanized over 830 npm packages<\/strong> and now surfaced <br>in Maven Central, exploiting automated npm-to-Maven rebundling. 
Its Bun-based loader <br>and stealthier <strong>payload have infected tens of thousands of repositories and exfiltrated <br>developer and cloud credentials into random GitHub repositories.<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Maven Central package org.mvnpm:posthog-node:4.18.1 embeds setup_bun.js and bun_environment.js.<\/li>\n\n\n\n<li><strong>Over 350 npm packages and 830+ mirrored artifacts compromised; 25,000+ GitHub repos affected.<\/strong><\/li>\n\n\n\n<li><strong>11,858 unique secrets harvested;<\/strong> 2,298 remain active as of Nov 24, 2025.<\/li>\n\n\n\n<li><strong>Attack exploits CI misconfigurations (pull_request_target, workflow_run) to self-host runners and exfiltrate via randomized repos.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Immediate rotation of npm, GitHub, and cloud credentials.<\/strong><\/li>\n\n\n\n<li><strong>Audit and pin dependencies to known clean versions.<\/strong><\/li>\n\n\n\n<li><strong>Disable or restrict lifecycle scripts in CI\/CD pipelines.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/thehackernews.com\/2025\/11\/shai-hulud-v2-campaign-spreads-from-npm.html\">The Hacker News<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/4095578\/new-shai-hulud-worm-spreading-through-npm-github.html\">CSO Online<\/a>, <a href=\"https:\/\/cyberscoop.com\/supply-chain-attack-shai-hulud-npm\/\">CyberScoop<\/a>, <a href=\"https:\/\/about.gitlab.com\/blog\/gitlab-discovers-widespread-npm-supply-chain-attack\/\" target=\"_blank\" rel=\"noopener\" title=\"\">GitLab<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
House Energy and Commerce Committee Unveils Revised Kids Online Safety Act Without Duty of Care<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">The House Energy and Commerce Committee introduced <strong>a new draft of the Kids Online Safety Act (KOSA), removing the previously proposed \u201cduty of care\u201d that would legally bind tech platforms to social harms.<\/strong> <strong>The bill instead mandates that platforms implement \u201creasonable policies, practices and procedures\u201d <\/strong>to address threats like sexual exploitation, violence and drug sales, scaled by platform size and technical feasibility.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Draft KOSA requires adaptable harm-mitigation policies based on platform complexity.<\/strong><\/li>\n\n\n\n<li><strong>Additional proposals include the App Store Accountability Act and COPPA 2.0 for under-17 privacy.<\/strong><\/li>\n\n\n\n<li>The committee will review this and 18 other children\u2019s online safety bills at an upcoming hearing.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/therecord.media\/house-commttee-unveils-new-kosa-bill\">The Record<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
New Bipartisan Bill Enhances Penalties for AI-Assisted Fraud and Impersonation<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>House lawmakers introduced the AI Fraud Deterrence Act to raise fines and prison terms for fraud schemes using AI-generated audio, video or text, targeting both consumer and government-official impersonations.<\/strong><br><strong>Penalties<\/strong> for AI-aided mail, wire, bank fraud and money laundering would <strong>jump to $1\u20132 million fines and 20\u201330 years\u2019 imprisonment, with up to $1 million fine and 3 years for official impersonation.<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Fraud penalties raised <\/strong>to $1\u20132 million fines and 20\u201330 years\u2019 prison.<\/li>\n\n\n\n<li><strong>Impersonating U.S. officials via AI carries up to $1 million fine, 3 years\u2019 jail.<\/strong><\/li>\n\n\n\n<li>Spurred by deepfake calls and messages targeting White House Chief of Staff and Secretary of State.<\/li>\n\n\n\n<li>Also addresses schemes against senators, governors and private-sector leaders.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/cyberscoop.com\/new-legislation-targets-scammers-that-use-ai-to-deceive\/\">CyberScoop<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">4. Russian-linked Hackers Exploit Blender Files to Deploy StealC V2 Infostealer<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Attackers are embedding malicious Python scripts in .blend project files distributed on marketplaces like CGTrader, automatically executing when opened in Blender to install the StealC V2 information stealer.<\/strong> By targeting animators, game developers and VFX studios, <strong>the campaign harvests browser credentials, crypto-wallet data and messaging\/VPN tokens, <\/strong>while evading detection on systems using Cyrillic locales. 
<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Malicious .blend files auto-execute embedded Python<\/strong> when Blender\u2019s Auto Run is enabled.<\/li>\n\n\n\n<li>Infection chain retrieves a PowerShell loader via Cloudflare Workers, unpacks archives, and drops LNK files for persistence.<\/li>\n\n\n\n<li>StealC V2 targets 23+ browsers, 100+ wallet extensions, 15+ wallet apps, messaging apps and VPN clients.<\/li>\n\n\n\n<li><strong>Malware skips systems with Russian, Ukrainian, Belarusian or Kazakh language settings.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Disable \u201cAuto Run Python Scripts\u201d in Blender Preferences.<\/strong><\/li>\n\n\n\n<li><strong>Sandbox-test all third-party 3D assets before use.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong>\n<a href=\"https:\/\/therecord.media\/hackers-blender-software-malware\">The Record<\/a>, \n<a href=\"https:\/\/cybersecuritynews.com\/threat-actors-leverage-blender-foundation-files\/\">Cybersecurity News<\/a>, \n<a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/malicious-blender-model-files-deliver-stealc-infostealing-malware\/\">Bleeping Computer<\/a>\n<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">5. HashJack Exploit Hides in URL Fragments to Manipulate AI Browser Assistants<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Researchers at Cato Networks describe \u201cHashJack,\u201d<strong> a newly discovered indirect prompt injection technique that conceals malicious instructions after the # in legitimate URLs to AI assistants in Comet, Copilot for Edge, and Gemini for Chrome. 
<\/strong>The flaw lets attackers embed malicious instructions undetected by networks, leading to phishing, data theft, and unauthorized actions.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>URL fragments aren\u2019t logged by servers, creating a blind spot for #-based prompts.<\/strong><\/li>\n\n\n\n<li><strong>HashJack enables six attack scenarios: <\/strong>phishing, exfiltration, misinformation, malware guidance, medical harm, credential theft.<\/li>\n\n\n\n<li><strong>Perplexity\u2019s Comet fixed<\/strong> the vulnerability in November; <\/li>\n\n\n\n<li><strong>Microsoft\u2019s Copilot patched<\/strong> in October; <\/li>\n\n\n\n<li><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Google\u2019s Gemini remains unpatched.<\/mark><\/li>\n\n\n\n<li>Cato CTRL tried the same prompts on <strong>Claude for Chrome <\/strong>(Google) and<strong> Atlas <\/strong>(OpenAI), but<strong> HashJack didn\u2019t work.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Strip URL fragments before passing context to AI models.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/siliconangle.com\/2025\/11\/25\/new-hashjack-technique-lets-attackers-manipulate-ai-assistants-comet-copilot-gemini\/\">SiliconANGLE<\/a>, <a href=\"https:\/\/www.catonetworks.com\/blog\/cato-ctrl-hashjack-first-known-indirect-prompt-injection\/\">Cato Networks<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Emergency Alert Service OnSolve CodeRED Offline After Ransomware Data Breach<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Hackers breached Crisis24\u2019s OnSolve CodeRED mass notification system <\/strong>in early November,<br>stealing user data and <strong>forcing the platform offline for dozens of U.S. 
municipalities.<\/strong><br><strong>Affected jurisdictions have decommissioned the legacy environment, advised password resets,<br>and are relying on IPAWS or social media for emergency alerts until a new platform is live.<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The INC Ransomware group claimed responsibility after gaining access on Nov. 1 and encrypting files on Nov. 10.<\/li>\n\n\n\n<li><strong>Stolen data include names, addresses, email addresses, phone numbers and user profile passwords.<\/strong><\/li>\n\n\n\n<li>Backups used to rebuild the service date only through March 31, 2025\u2014any later signups must re-register.<\/li>\n\n\n\n<li>Some counties have terminated their CodeRED contracts and switched to FEMA\u2019s IPAWS or social channels.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reset any reused CodeRED passwords immediately.<\/strong><\/li>\n\n\n\n<li><strong>Assess and activate alternative alert channels<\/strong> (e.g., IPAWS, social media).<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/therecord.media\/emergency-warning-service-offline\">The Record<\/a>, <a href=\"https:\/\/www.securityweek.com\/ransomware-attack-disrupts-local-emergency-alert-system-across-us\">SecurityWeek<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">7. 
Malware Authors Integrate LLMs at Runtime to Evade Detection<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Attackers are embedding prompts that call out to services like Google Gemini and Hugging Face during malware execution to rewrite code on the fly, creating polymorphic payloads that slip past traditional signature-based defenses.<\/strong> Although most samples remain experimental with detectable artifacts, the trend signals a shift toward AI-driven, adaptive malware that requires stronger egress controls and behavior-based detection. <\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Google\u2019s Threat Intelligence Group identified five LLM-powered malware variants, <\/strong>including PROMPTFLUX (VBScript) and PROMPTSTEAL (Python).<\/li>\n\n\n\n<li><strong>Operational samples<\/strong> like FRUITSHELL and QUIETVAULT <strong>embed hard-coded AI prompts to generate evasive shell commands and data-exfiltration routines.<\/strong><\/li>\n\n\n\n<li><strong>Attackers bypass LLM safety guardrails by feigning \u201ccapture-the-flag\u201d exercises,<\/strong> <strong>tricking models into providing offensive code.<\/strong><\/li>\n\n\n\n<li><strong>Most AI-augmented samples still exhibit network calls to external AI services, making them detectable via strong egress monitoring.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Implement strict egress filtering for AI service endpoints<\/strong>.<\/li>\n\n\n\n<li><strong>Update threat hunting playbooks to include LLM-related artifacts.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/malware-authors-incorporate-llms-evade-detection\">DarkReading<\/a>, <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/threat-actor-usage-of-ai-tools\">Google Threat Intelligence Group<\/a><\/p>\n\n\n\n<hr 
class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">8. Survey Finds Majority of Enterprises Lack Confidence in Securing Non-Human Identities<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>A recent Omdia-backed survey reveals that over half of organizations aren\u2019t confident they can secure non-human identities\u2014such as service accounts, application credentials, and IoT device identities\u2014and many lack visibility into their lifecycles.<\/strong> This gap leaves a critical attack surface for automated credential theft and lateral movement in both on-prem and cloud environments. <\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>52% of respondents expressed low confidence i<\/strong>n their ability to secure NHIs.<\/li>\n\n\n\n<li><strong>Only 14% rate their non-human identity security posture as \u201cgood.\u201d<\/strong><\/li>\n\n\n\n<li>63% lack tools for end-to-end lifecycle management of service and machine accounts.<\/li>\n\n\n\n<li>40% plan to invest in NHI security solutions over the next 12 months.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Inventory and classify all non-human identities<\/strong> across environments.<\/li>\n\n\n\n<li><strong>Enforce least-privilege access <\/strong>and automate credential rotation for NHIs.<\/li>\n\n\n\n<li>Evaluate specialized machine-identity management or PAM solutions.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darkreading.com\/identity-access-management-security\/enterprise-not-confident-secure-non-human-identities\">Dark Reading<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">9. 
Low-Cost Hardware Interposer Bypasses AMD and Intel Memory Encryption<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Researchers have built a sub-$50 interposer that sits between CPU and DRAM <br>to bypass AMD SEV and Intel SGX\/TDX memory-encryption protections.<\/strong> Dubbed <strong>\u201cBattering RAM,\u201d <\/strong>the attack dynamically aliases physical addresses at runtime, exposing confidential computing workloads to data exfiltration  if an attacker gains motherboard access.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>The interposer uses simple analog switches to trick the CPU into sending encrypted data to attacker-controlled addresses.<\/strong><\/li>\n\n\n\n<li>Build cost is under $50, compared to commercial DRAM interposers priced over $150,000.<\/li>\n\n\n\n<li>Modern memory-encryption schemes dropped cryptographic integrity and freshness checks to scale to full DRAM.<\/li>\n\n\n\n<li><strong>Attack requires physical access but leaves no software or firmware trace, making detection unlikely without hardware inspection.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Audit and strengthen physical security in data centers and server rooms<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/cheap-hardware-module-amd-intel-memory-encryption\">Dark Reading<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">10. 
Chinese APT31 Conducts Prolonged Espionage Against Russian IT Sector via Cloud Service Abuse<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Chinese state-aligned APT31 has been targeting Russia\u2019s IT contractors and government integrators since late 2022, using phishing and DLL sideloading to deploy custom backdoors that abuse OneDrive, Dropbox, Yandex Cloud, and even VirusTotal for command-and-control.  <strong>The campaign highlights the difficulty of detecting malicious traffic hidden within legitimate cloud services<\/strong>.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Observed activity spans end of 2022 through 2025, with peak operations in 2024.<\/li>\n\n\n\n<li><strong>Initial access via targeted phishing emails containing archive files that trigger DLL sideloading.<\/strong><\/li>\n\n\n\n<li><strong>Custom tools include OneDriveDoor, CloudSorcerer, YaLeak, and VtChatter for stealthy C2.<\/strong><\/li>\n\n\n\n<li>Primary victims are Russian IT vendors and government contractors; similar tactics spotted in a Peru campaign.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Inspect cloud service logs for anomalous API calls or geo-location mismatches.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/china-spies-russian-it-orgs\">Dark Reading<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">11. 
ShadowRay 2.0 Exploits Ray Framework RCE to Hijack AI Clusters for Cryptojacking<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">A threat actor is actively exploiting a critical (CVSS 9.8) RCE flaw (CVE-2023-48022) <strong>in the open-source Ray distributed computing framework to compromise Internet-exposed AI clusters, turning them into a self-propagating cryptomining and data-theft botnet.<\/strong> Dubbed ShadowRay 2.0, the campaign has spread across two waves\u2014first via GitLab CI\/CD, then GitHub\u2014impacting thousands of clusters and underscoring the risk of misconfigured AI orchestration tools.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Oligo Security\u2019s scans show ~230,000 Ray dashboards exposed online,<\/strong> many vulnerable to CVE-2023-48022.<\/li>\n\n\n\n<li><strong>Attackers operate as \u201cIronErn440,\u201d limiting cryptomining to \u226460% CPU to stay stealthy.<\/strong><\/li>\n\n\n\n<li>They exfiltrate MySQL credentials, cloud tokens, proprietary AI models, and source code.<\/li>\n\n\n\n<li>After GitLab takedowns, the group shifted operations to GitHub, then spun up replacement repos within hours.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Audit Ray dashboards to block Internet exposure immediately<\/strong><\/li>\n\n\n\n<li><strong>Implement Ray security best practices and network isolation<\/strong><\/li>\n\n\n\n<li><strong>Add strong authentication or reverse-proxy in front of Ray Dashboard port<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darkreading.com\/cyber-risk\/shadowray-20-ai-clusters-crypto-botnets\">Dark Reading<\/a>, <a href=\"https:\/\/www.oligo.security\/blog\/shadowray-2-0-attackers-turn-ai-against-itself-in-global-campaign-that-hijacks-ai-into-self-propagating-botnet\">Oligo Security<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator 
has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">12. Qilin Ransomware Exploits South Korean MSP Breach to Hit 28 Financial Firms<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Qilin\u2019s Ransomware-as-a-Service group, <\/strong>likely with North Korean affiliate Moonstone Sleet, <strong>compromised MSP GJTec to deploy ransomware across 28 South Korean financial firms.<\/strong> <strong>The \u201cKorean Leaks\u201d campaign exfiltrated over 1 million files (2 TB) in three waves and combined political propaganda with traditional extortion.<\/strong> <\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Single MSP (GJTec) breach reported Sep 23, 2025 enabled clustered infections<\/li>\n\n\n\n<li>Three publication waves (Sep 14\u2013Oct 4) <strong>stole 2 TB of data from 28 financial entities<\/strong><\/li>\n\n\n\n<li><strong>Attackers framed leaks as \u201cpublic service\u201d to expose corruption, then reverted to extortion<\/strong><\/li>\n\n\n\n<li><strong>Four victim listings removed from leak site, indicating possible post-negotiation takedowns<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Enforce MFA and strong authentication for all MSP and vendor accounts<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/thehackernews.com\/2025\/11\/qilin-ransomware-turns-south-korean-msp.html\">The Hacker News<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">13. Ransomware Alliances Propel 41% Attack Spike Ahead of Holidays<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>New partnerships among RaaS operators\u2014LockBit, DragonForce, Qilin\u2014and the rise of upstart groups like The Gentlemen drove a 41% increase in ransomware incidents from September to October 2025,<\/strong> totaling 594 attacks. 
Shared tooling, infrastructure, and recruitment across alliances complicate attribution and defense as organizations enter the fourth-quarter \u201cgolden\u201d threat season.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Qilin led October with 170 attacks (29% of 594 total incidents)<\/li>\n\n\n\n<li>Industrials (28%), consumer discretionary (21%), and healthcare (11%) most targeted<\/li>\n\n\n\n<li>North America bore 62% of attacks; Europe 17%, Asia 9%<\/li>\n\n\n\n<li>Active ransomware groups rose to 88 in Q3 2025, up from 65 in Q2<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensure immutable backups and network segmentation for critical systems<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.csoonline.com\/article\/4096263\/alliances-between-ransomware-groups-tied-to-recent-surge-in-cybercrime.html\">CSO Online<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Subscribe<\/h2>\n\n\n\n<p>Subscribe to receive this weekly cybersecurity news summary to your inbox every Monday.<\/p>\n\n\n                <div class=\"ml-embedded\" data-form=\"pKq7EM\"><\/div>\n            \n<p><!-- \/wp:post-content --><\/p>","protected":false},"excerpt":{"rendered":"<p>I go through about 25 cybersecurity news portals and blogs every week and pull out the most interesting stories. Then I turn them into this short, digestible summary, so you can stay up to date without trying to follow 25 different sources yourself. 
\ud83d\ude31 <\/p>\n<p>These are the latest interesting cybersecurity news in December 2025.<\/p>","protected":false},"author":1,"featured_media":21222,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[],"class_list":["post-21166","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/21166","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/comments?post=21166"}],"version-history":[{"count":52,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/21166\/revisions"}],"predecessor-version":[{"id":21221,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/21166\/revisions\/21221"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media\/21222"}],"wp:attachment":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media?parent=21166"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/categories?post=21166"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/tags?post=21166"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}