Cybersecurity Brief

React2Shell Drives Emergency Mitigations; Major Breaches Reported

Coverage: 05 Dec 2025 – 07 Dec 2025 (UTC)

Security teams moved quickly to harden web platforms as a critical React Server Components flaw drew rapid exploitation, as detailed by AWS. In parallel, BleepingComputer reported that an emergency WAF mitigation to block attacks briefly triggered widespread "500 Internal Server Error" responses across Cloudflare’s network. Elsewhere, The Hacker News flagged a CVSS 10.0 XXE flaw in Apache Tika that requires urgent updates. On the incident front, CSO reported that Coupang confirmed exposure of data for 33.7 million accounts, focusing attention on basic key management and access controls.

React2Shell exploitation and emergency controls

AWS telemetry shows multiple China-linked groups rapidly weaponized CVE-2025-55182 against React Server Components within hours of disclosure. The flaw enables unauthenticated remote code execution via the Flight protocol used to decode payloads for server function endpoints, with exploit traffic ranging from automated scans to iterative, hands-on attempts that execute discovery commands, write files under /tmp, and probe for sensitive information such as /etc/passwd. AWS emphasizes immediate patching, interim WAF rules, inventory-wide exposure checks, log review for distinctive headers and payload markers, and host-level investigation where compromise is suspected. The vendor notes managed AWS services are not affected; self-managed React/Next.js deployments require urgent updates and focused monitoring.

Cloudflare said its temporary WAF change to block React2Shell exploit patterns inadvertently altered request parsing and briefly took portions of the network offline, causing users to receive 500 errors. The company stressed the disruption was not the result of an attack but a side effect of mitigation and pledged further details as engineering analysis progresses. The episode illustrates the operational risk of rapid, global rollouts of emergency signatures when a high-severity RCE is being actively targeted.

XXE in Apache Tika demands fast patching

Apache Tika maintainers disclosed CVE-2025-66516, a critical XML External Entity flaw (CVSS 10.0) that can be triggered via crafted XFA content embedded in PDFs. According to The Hacker News, successful exploitation can expose host files and, in some contexts, lead to remote code execution. Affected artifacts include tika-core (>= 1.13, <= 3.2.1), tika-parser-pdf-module (>= 2.0.0, <= 3.2.1), and the older tika-parsers (>= 1.13, < 2.0.0). Fixed releases are 3.2.2 for tika-core and tika-parser-pdf-module; the 1.x tika-parsers artifact has no patched 1.x release, so those deployments must move to the 2.x module layout and then take tika-core and tika-parser-pdf-module to 3.2.2, since module versions from 2.0.0 through 3.2.1 are themselves inside the affected range. The report also explains the relationship to an earlier XXE (CVE-2025-54988), noting that partial upgrades left some deployments exposed. Teams should upgrade the specified components, audit dependency trees for lingering 1.x/early 2.x packages, and, where upgrades lag, constrain PDF handling through sandboxing and stricter validation to reduce exposure.
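
One form the "stricter validation" above can take, as an added example and not Apache Tika's own code: a pre-parse gate that scans the PDF bytes, inflates FlateDecode streams, and refuses any file whose embedded XML declares a DTD or entity, while routing XFA-bearing files to a sandboxed parser. The reject/quarantine/pass policy, the minimal PDF skeleton and the three XFA samples are all constructed here; the gate is a coarse filter for an ingest pipeline, not a replacement for upgrading to 3.2.2.

```python
import re
import zlib
from typing import Dict

# A PDF stream body: "stream" CRLF/LF ... "endstream".
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
XFA_KEY = re.compile(rb"/XFA\b")
# XML markers with no legitimate role in an XFA template; either one lets a document
# declare or pull in entities, which is what an XXE needs.
DTD_MARKERS = (b"<!DOCTYPE", b"<!ENTITY")


def _stream_bytes(raw: bytes) -> bytes:
    """Inflate a FlateDecode stream body; uncompressed streams come back unchanged."""
    try:
        return zlib.decompressobj().decompress(raw)
    except zlib.error:
        return raw


def screen_pdf(data: bytes) -> Dict[str, object]:
    """Coarse gate to run before a PDF reaches Tika or any other XFA-aware parser.

    Assumed policy: reject if any XML stream declares a DTD/entity, quarantine
    XFA-bearing files for a sandboxed parser, pass everything else.
    """
    has_xfa = bool(XFA_KEY.search(data))
    dtd_found = False
    for m in STREAM_RE.finditer(data):
        body = _stream_bytes(m.group(1))
        if b"<?xml" in body and any(mark in body for mark in DTD_MARKERS):
            dtd_found = True
            break
    verdict = "reject" if dtd_found else ("quarantine" if has_xfa else "pass")
    return {"has_xfa": has_xfa, "dtd_in_xml_stream": dtd_found, "verdict": verdict}


def build_sample_pdf(xfa_xml: bytes, compress: bool = True) -> bytes:
    """Constructed minimal PDF skeleton carrying one XFA stream (no xref; enough for byte scanning)."""
    body = zlib.compress(xfa_xml) if compress else xfa_xml
    filt = b"/Filter /FlateDecode " if compress else b""
    parts = [
        b"%PDF-1.7\n",
        b"1 0 obj << /Type /Catalog /AcroForm 2 0 R >> endobj\n",
        b"2 0 obj << /XFA 3 0 R >> endobj\n",
        b"3 0 obj << " + filt + b"/Length %d >>\n" % len(body),
        b"stream\n" + body + b"\nendstream\nendobj\n",
        b"%%EOF\n",
    ]
    return b"".join(parts)


# Constructed inputs: an XFA template that declares an external entity, a benign
# template, and a plain PDF with no XFA at all.
MALICIOUS_XFA = (b'<?xml version="1.0"?>'
                 b'<!DOCTYPE xdp [<!ENTITY ext SYSTEM "file:///etc/passwd">]>'
                 b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template>&ext;</template></xdp:xdp>')
BENIGN_XFA = (b'<?xml version="1.0"?>'
              b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template/></xdp:xdp>')
PLAIN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for label, pdf in (("malicious", build_sample_pdf(MALICIOUS_XFA)),
                       ("benign-xfa", build_sample_pdf(BENIGN_XFA)),
                       ("plain", PLAIN_PDF)):
        print(label, screen_pdf(pdf))
```

The stream regex and the `/XFA` key search are deliberately simple: object streams, encrypted documents and exotic filters are not handled, which is why XFA-bearing files are quarantined rather than passed when no DTD is seen.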

High‑impact breaches and long‑term persistence

Coupang confirmed an unauthorized exposure ultimately affecting about 33.7 million user accounts, with names, email addresses, shipping addresses and some order information involved; payment data and credentials were not included, CSO reported. Investigators are examining prolonged mismanagement of token signing keys—reportedly valid for five to ten years with inconsistent rotation—and overseas access beginning June 24. Multiple Korean agencies are probing potential failures in access control, key management and encryption. A former engineer who worked on authentication systems is the prime suspect, and the company has notified users, apologized publicly and promised intensified monitoring. The case underscores how long‑lived cryptographic keys and weak governance can amplify systemic risk.
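
What a rotation policy for token signing keys looks like when it is enforced in code, as an added example unrelated to Coupang's systems: a stdlib HMAC-SHA256 token issuer whose keys carry a creation time and a key id. Issuance refuses keys older than the signing window, verification refuses keys old enough that no live token could still depend on them (even when the signature checks out), and key_inventory produces the age report a governance review needs. The 90-day signing window, one-day token lifetime and the two sample keys are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

DAY = 86_400
SIGN_MAX_AGE = 90 * DAY                    # assumed policy: a key may sign for at most 90 days
TOKEN_TTL = 1 * DAY                        # assumed policy: a token lives at most one day
VERIFY_MAX_AGE = SIGN_MAX_AGE + TOKEN_TTL  # past this, no live token can depend on the key


@dataclass(frozen=True)
class SigningKey:
    kid: str
    secret: bytes
    created: int  # unix time the key was generated


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def key_status(key: SigningKey, now: int) -> str:
    """signing -> verify-only -> retire, driven purely by key age."""
    age = now - key.created
    if age <= SIGN_MAX_AGE:
        return "signing"
    if age <= VERIFY_MAX_AGE:
        return "verify-only"  # kept only until the last token it signed has expired
    return "retire"           # nothing valid can still depend on it: delete it


def key_inventory(keys: Iterable[SigningKey], now: int) -> List[Tuple[str, int, str]]:
    """(kid, age in days, status) for every key: the report a governance review asks for."""
    return [(k.kid, (now - k.created) // DAY, key_status(k, now)) for k in keys]


def sign(key: SigningKey, claims: Dict, now: int) -> str:
    """Compact header.payload.signature token, HMAC-SHA256, carrying the key id."""
    def enc(obj: Dict) -> str:
        return _b64(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())
    header = {"alg": "HS256", "kid": key.kid}
    payload = dict(claims, iat=now, exp=now + TOKEN_TTL)
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(key.secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"


class TokenService:
    def __init__(self, keys: Iterable[SigningKey]):
        self.keys = {k.kid: k for k in keys}

    def issue(self, claims: Dict, now: int) -> str:
        live = [k for k in self.keys.values() if key_status(k, now) == "signing"]
        if not live:
            raise RuntimeError("no key inside the signing window: rotate before issuing tokens")
        return sign(max(live, key=lambda k: k.created), claims, now)

    def verify(self, token: str, now: int) -> Tuple[Optional[Dict], str]:
        """(claims, 'ok') or (None, reason). Key age is checked before the signature, so a
        correct signature from a retired key is still rejected."""
        try:
            h, p, s = token.split(".")
            header = json.loads(_unb64(h))
        except ValueError:
            return None, "malformed token"
        if header.get("alg") != "HS256":
            return None, "algorithm not allowed"
        key = self.keys.get(header.get("kid", ""))
        if key is None:
            return None, "unknown kid"
        if key_status(key, now) == "retire":
            return None, f"key {key.kid} is past its rotation window"
        expected = hmac.new(key.secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s)):
            return None, "bad signature"
        claims = json.loads(_unb64(p))
        if claims.get("exp", 0) <= now:
            return None, "token expired"
        return claims, "ok"


# Constructed scenario at a fixed instant (2025-12-05T00:00:00Z): a key from 2019 that
# was never rotated, next to one rotated last month.
NOW = 1_764_892_800
KEYS = [
    SigningKey("k-2019", b"legacy-secret-never-rotated", NOW - 6 * 365 * DAY),
    SigningKey("k-2025-11", b"fresh-secret", NOW - 20 * DAY),
]

if __name__ == "__main__":
    svc = TokenService(KEYS)
    for row in key_inventory(KEYS, NOW):
        print(row)
    token = svc.issue({"sub": "user-1"}, NOW)
    print(svc.verify(token, NOW + 3600))
    print(svc.verify(sign(KEYS[0], {"sub": "user-1"}, NOW), NOW))
```

The point of checking key age before the signature is that a leaked or never-retired key stops being useful to an attacker on the policy date, whether or not anyone remembers to delete it; the inventory makes the keys that should already have been deleted visible.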

In the UK health sector, Barts Health NHS said the Cl0p gang exfiltrated files from an Oracle E‑Business Suite database after exploiting a zero‑day (CVE-2025-61882). The stolen data primarily comprises invoices with names and postal addresses of individuals who paid for services, plus some supplier and former employee debt records; core clinical systems were not affected. Authorities have been notified, and the trust is pursuing a High Court order to limit further dissemination while warning about likely phishing and fraud attempts leveraging the exposed details.

Separately, CSO summarized joint analysis by CISA, the NSA and the Canadian Cyber Centre of BRICKSTORM, a Go-based backdoor implanted by Chinese state-sponsored actors on VMware vCenter and ESXi hosts to maintain stealthy, long-term access. One infection persisted for more than 18 months. Operators moved from a web shell on a public server to domain controllers, then into vCenter using service and MSP credentials. Some samples are virtualization-aware and create VSOCK interfaces, while a SOCKS5 proxy supports covert lateral movement. The advisory details IOCs and rules, and recommends hardening vSphere, segmenting networks, tightening service account privileges, and monitoring for unapproved DNS-over-HTTPS use.

Cloud platforms roll out capabilities

AWS added automatic semantic enrichment to managed OpenSearch Service, bringing context-aware search to managed domains without customer-managed ML models. The feature supports English and multilingual variants across 15 languages, requires OpenSearch 2.19+, is currently limited to non‑VPC domains in select regions, and is billed via OCU-based ingestion. AWS also announced that Amazon Q can analyze Amazon SES email sending, providing conversational diagnostics and recommendations on setup, usage and deliverability, contingent on appropriate IAM visibility.

The U.S. Department of Transportation selected Google Cloud Workspace with integrated Gemini models as its new collaboration suite, citing FedRAMP High authorization and U.S.-based support for compliance and data sovereignty. The move covers more than 50,000 employees over a multi‑year migration and is positioned as a template for rapid modernization under public sector acquisition frameworks.

On the defensive operations front, Palo Alto Networks analyzed a recent campaign to argue that autonomous, agent‑orchestrated intrusions have crossed a threshold from speculative risk to active practice, completing full attack chains at machine speed with minimal human oversight. The authors call for agentic SOC capabilities and precision AI to keep pace, emphasizing protections for model and application interfaces and contextual observability across signals.

These and other news items from the day:

Fri, December 5, 2025

Coupang Exposes 33.7M Accounts Due to Key Mismanagement

🔒 Coupang disclosed an unauthorized exposure affecting approximately 33.7 million user accounts, an incident investigators trace to long‑neglected token signing keys in its authentication infrastructure. Leaked records reportedly included names, email addresses, shipping address lists and some order details; payment and login credentials were not exposed. Authorities and a joint public-private investigation are probing the breach and potential regulatory violations, and a former authentication engineer is the prime suspect.

Fri, December 5, 2025

React2Shell (CVE-2025-55182): Critical Server RCE Threat

🛡️ In early December 2025 the React project disclosed a critical server-side vulnerability dubbed React2Shell (CVE-2025-55182) rated CVSS 10.0. The bug allows unauthenticated attackers to execute arbitrary code by sending a specially crafted request to a React Server Function endpoint. Check Point notes that CloudGuard WAF customers were proactively protected and not affected. Organizations should patch promptly and review traffic controls.

Fri, December 5, 2025

Cloudflare outage causes websites to return 500 errors

🚨 Cloudflare is experiencing an outage that is causing many websites to return a 500 Internal Server Error. The fault appears to be server-side and affects requests routed through Cloudflare, so users see an error page instead of normal content. Engineers at the provider are investigating the root cause and working to restore normal operations. This remains a developing situation and impacted sites may be unavailable until services are recovered.

Fri, December 5, 2025

Amazon OpenSearch Service Adds Automatic Semantic Enrichment

🔍 Amazon OpenSearch Service now provides automatic semantic enrichment for managed domains, extending an earlier capability from OpenSearch Serverless to managed clusters and enabling semantic search with minimal configuration. The feature performs semantic processing automatically so customers do not need to manage ML models. It supports English-only and multilingual variants across 15 languages (including Arabic, French, Hindi, Japanese, and Korean) and is billed based on ingestion usage as OpenSearch Compute Unit (OCU) - Semantic Search. The capability requires OpenSearch 2.19 or later and is currently available for non‑VPC domains in selected AWS Regions; see the OpenSearch Service documentation for setup and configuration details.

Fri, December 5, 2025

Largest U.S. Telecommunications Hack: What Happened

🔐 On December 4, 2024, U.S. officials confirmed a widespread cyber-espionage campaign that targeted some 80 global telecommunications providers across dozens of countries. The intrusion has been attributed to a sophisticated nation-state actor tracked by Microsoft as Salt Typhoon (aka Ghost Emperor / FamousSparrow), with earlier links to LightBasin. A joint task force—Operation Enduring Security Framework—led by the NSA, Pentagon and CISA was created to contain and investigate the offensive.

Fri, December 5, 2025

Critical XML External Entity (XXE) Flaw in Apache Tika

🔒 A critical XML External Entity (XXE) vulnerability, tracked as CVE-2025-66516, has been disclosed in Apache Tika and carries a CVSS score of 10.0. The flaw allows XXE via a crafted XFA file inside PDFs and affects tika-core, tika-parser-pdf-module, and tika-parsers across multiple versions. Users are strongly advised to upgrade to the patched releases immediately to mitigate file disclosure and potential remote code execution.

Fri, December 5, 2025

Critical React2Shell RCE in React.js and Next.js Servers

⚠️ React.js and Next.js servers are vulnerable to a critical remote code execution flaw dubbed React2Shell (CVE-2025-55182), disclosed to Meta on 29 November 2025. The bug targets server-side React Server Function endpoints and default Next.js App Router setups, enabling unauthenticated attackers to execute arbitrary code with a single HTTP request. Researchers report near‑100% exploitability in default configurations and published proof‑of‑concepts; security teams should upgrade affected packages to the fixed versions immediately and verify PoC sources before testing.

Fri, December 5, 2025

Cloudflare Outage Caused by Emergency React2Shell Patch

🔧 Cloudflare says an emergency patch to mitigate the critical React2Shell vulnerability (CVE-2025-55182) introduced a change to its Web Application Firewall request parsing that briefly rendered the network unavailable and caused global "500 Internal Server Error" responses. The update targeted active remote code execution attempts against React Server Components and dependent frameworks. Cloudflare emphasized the incident was not an attack and that the change was deployed to protect customers while the industry addresses the flaw.

Fri, December 5, 2025

China-nexus Rapid Exploitation of React2Shell CVE-2025-55182

🛡️ Amazon observed multiple China state-nexus groups rapidly exploiting CVE-2025-55182 (React2Shell), a critical unsafe deserialization flaw in React Server Components with a CVSS score of 10.0 that affects React 19.x and Next.js 15.x/16.x when using App Router. AWS deployed Sonaris active defense, AWS WAF managed rules (AWSManagedRulesKnownBadInputsRuleSet v1.24+) and MadPot honeypots to detect and block attempts, but these protections are not substitutes for patching. Customers running self-managed React/Next.js applications must update immediately, deploy interim WAF rules, and review logs for indicators such as POST requests with next-action or rsc-action-id headers.
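
The header-based log review AWS recommends, as an added example (not AWS tooling, and not code from any source quoted on this page): a Python triage script that reads newline-delimited JSON request records, constructed here in the shape a reverse proxy emits when told to log selected request headers and a body excerpt, picks out POST requests carrying a next-action or rsc-action-id header, and raises an alert when the action id is not one the deployed build exports (KNOWN_ACTION_IDS is a hypothetical stand-in for that manifest) or when the body contains the discovery commands reported in the AWS and Palo Alto write-ups. Ordinary Server Actions carry the same header, so the header alone is not an indicator; the script treats it as the gate, not the verdict.

```python
import json
import re
from typing import Dict, List, Optional

# Headers that mark a React Server Function call, the endpoint React2Shell targets.
RSC_ACTION_HEADERS = ("next-action", "rsc-action-id")

# Post-exploitation strings reported in the AWS and Palo Alto write-ups summarised on this page.
COMMAND_MARKERS = re.compile(
    r"whoami|/etc/passwd|/tmp/|uname -a|powershell|child_process|/bin/sh",
    re.IGNORECASE,
)

# Hypothetical allowlist: the action IDs your own build exports. Next.js assigns these at
# build time; extracting them is toolchain-specific and is assumed to happen elsewhere.
KNOWN_ACTION_IDS = {"7f1e2d3c4b5a69788796a5b4c3d2e1f0"}

# Constructed sample log. The suspicious bodies show only the discovery commands from the
# reports; the actual exploit payload structure is deliberately elided.
SAMPLE_LOG = r'''
{"ts":"2025-12-05T10:01:02Z","src":"203.0.113.7","method":"POST","path":"/","headers":{"Next-Action":"7f1e2d3c4b5a69788796a5b4c3d2e1f0","Content-Type":"text/plain;charset=UTF-8"},"body":"[\"cart\",42]"}
{"ts":"2025-12-05T10:01:09Z","src":"198.51.100.23","method":"POST","path":"/","headers":{"Next-Action":"00000000000000000000000000000000","Content-Type":"multipart/form-data; boundary=x"},"body":"... whoami; cat /etc/passwd; echo ok > /tmp/pwned.txt ..."}
{"ts":"2025-12-05T10:01:15Z","src":"198.51.100.23","method":"POST","path":"/api/graphql","headers":{"Content-Type":"application/json"},"body":"{\"query\":\"{ me { id } }\"}"}
{"ts":"2025-12-05T10:02:00Z","src":"192.0.2.9","method":"POST","path":"/","headers":{"rsc-action-id":"deadbeef","Content-Type":"text/plain;charset=UTF-8"},"body":"... powershell ..."}
'''


def classify(rec: Dict) -> Optional[Dict]:
    """Return an alert for one request record, or None if it looks like normal traffic."""
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    action_id = next((headers[h] for h in RSC_ACTION_HEADERS if h in headers), None)
    if rec.get("method") != "POST" or action_id is None:
        return None  # not a server-function call; React2Shell needs one
    reasons = []
    if action_id not in KNOWN_ACTION_IDS:
        reasons.append(f"action id {action_id} is not one this build exports")
    markers = sorted({m.group(0).lower() for m in COMMAND_MARKERS.finditer(rec.get("body", ""))})
    if markers:
        reasons.append("command markers in body: " + ", ".join(markers))
    if not reasons:
        return None  # a known action with a clean body: ordinary Server Action traffic
    # Either signal alone deserves a look; both together is near-certain exploitation.
    severity = "high" if len(reasons) == 2 else "medium"
    return {"ts": rec["ts"], "src": rec["src"], "severity": severity, "reasons": reasons}


def triage(log_text: str) -> List[Dict]:
    """Run classify() over newline-delimited JSON and collect the alerts."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alert = classify(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(a["severity"].upper(), a["ts"], a["src"], "; ".join(a["reasons"]))
```

Any "high" hit is a cue for the host-level investigation AWS describes: the request reached the server-function path, so a patched version of the package is the only thing that decides whether it executed.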

Fri, December 5, 2025

DOT Adopts Google Workspace with Gemini Agency-wide

🔒 The U.S. Department of Transportation has moved its workforce to Google Workspace with Gemini, becoming the first cabinet-level agency to transition away from legacy providers under the GSA OneGov Strategy. More than 12,000 users are already on Workspace, with roughly 40,000 additional employees slated to migrate in 2026. The deployment integrated NotebookLM, Chrome Enterprise Premium, and Workspace Enterprise Plus with Assured Controls Plus, and the foundational system was delivered in just 22 days. DOT emphasizes FedRAMP High authorization, 100% U.S.-based support, and AI-enabled workflows to strengthen security, collaboration, and operational efficiency.

Fri, December 5, 2025

Amazon Q Adds Analysis Support for Amazon SES Email Sending

🔍 Amazon Q now analyzes email sending in Amazon SES, enabling customers to ask natural-language questions about SES resource configuration, usage patterns, and deliverability issues. Q evaluates usage data and resource settings to surface optimization opportunities and troubleshooting steps, reducing the need for deep email-sending expertise. Support is available in all Regions where SES and Q are offered.

Sat, December 6, 2025

CISA Adds Critical React2Shell RCE to KEV Catalog Now

⚠️ CISA has added a critical remote code execution flaw affecting React Server Components (tracked as CVE-2025-55182 / React2Shell) to its Known Exploited Vulnerabilities catalog. The vulnerability, rated CVSS 10.0, stems from insecure deserialization in React’s Flight protocol and enables unauthenticated attackers to run arbitrary commands via crafted HTTP requests. Fixes are available in react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack (versions 19.0.1, 19.1.2, 19.2.1) and should be applied immediately.
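
An inventory check covering this KEV entry and the Apache Tika advisory described earlier, as an added example (not CISA, Meta or Apache tooling): it reads a package-lock.json and the output of `mvn dependency:list`, both constructed here, and flags components inside the affected ranges quoted on this page. Prerelease and canary strings are reported for manual verification rather than guessed at, and versions outside the listed ranges are not flagged, so RULES must be extended when the advisories change.

```python
import json
import re
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Affected ranges as stated on this page: (cve, lower inclusive, upper, upper inclusive, advice).
RULES: Dict[str, List[Tuple[str, str, str, bool, str]]] = {
    "org.apache.tika:tika-core": [
        ("CVE-2025-66516", "1.13", "3.2.1", True, "upgrade to 3.2.2")],
    "org.apache.tika:tika-parser-pdf-module": [
        ("CVE-2025-66516", "2.0.0", "3.2.1", True, "upgrade to 3.2.2")],
    "org.apache.tika:tika-parsers": [
        ("CVE-2025-66516", "1.13", "2.0.0", False,
         "no fixed 1.x release; move to the 2.x module layout with tika-core/tika-parser-pdf-module 3.2.2")],
}
for _pkg in ("react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"):
    RULES[_pkg] = [("CVE-2025-55182", lo, hi, False, f"upgrade to {hi}")
                   for lo, hi in (("19.0.0", "19.0.1"), ("19.1.0", "19.1.2"), ("19.2.0", "19.2.1"))]


def parse_version(v: str) -> Optional[Tuple[int, ...]]:
    """'3.2.1' -> (3, 2, 1); '1.13' -> (1, 13, 0). None for prerelease/canary strings."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", v.strip())
    return tuple(int(x or 0) for x in m.groups()) if m else None


def check(name: str, version: str) -> List[Dict[str, str]]:
    """Findings for one component; empty when it has no rule or sits outside every range."""
    rules = RULES.get(name, [])
    if not rules:
        return []
    parsed = parse_version(version)
    if parsed is None:
        return [{"name": name, "version": version, "cve": rules[0][0], "status": "verify",
                 "advice": "prerelease/canary build: confirm against the fixed release manually"}]
    out = []
    for cve, lo, hi, hi_incl, advice in rules:
        low, high = parse_version(lo), parse_version(hi)
        if low <= parsed and (parsed <= high if hi_incl else parsed < high):
            out.append({"name": name, "version": version, "cve": cve,
                        "status": "vulnerable", "advice": advice})
    return out


def components_from_npm_lock(lock_json: str) -> Iterator[Tuple[str, str]]:
    """Yield (package, version) from a lockfileVersion 2/3 package-lock.json."""
    for path, meta in json.loads(lock_json).get("packages", {}).items():
        if path and "version" in meta:  # "" is the root project itself
            yield path.rsplit("node_modules/", 1)[-1], meta["version"]


# `mvn dependency:list` prints "[INFO]    group:artifact:type[:classifier]:version:scope".
MVN_LINE = re.compile(r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):[\w\-]+:(?:[\w\-]+:)?([\w.\-]+):\w+")


def components_from_mvn_list(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (group:artifact, version) from `mvn dependency:list` output."""
    for line in text.splitlines():
        m = MVN_LINE.match(line)
        if m:
            yield f"{m.group(1)}:{m.group(2)}", m.group(3)


def audit(components: Iterable[Tuple[str, str]]) -> List[Dict[str, str]]:
    return [f for name, version in components for f in check(name, version)]


# Constructed samples of the two inventory formats.
SAMPLE_NPM_LOCK = json.dumps({
    "name": "shop", "lockfileVersion": 3,
    "packages": {
        "": {"name": "shop", "version": "1.0.0"},
        "node_modules/react": {"version": "19.2.1"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/react-server-dom-turbopack": {"version": "19.3.0-canary-abc"},
    },
})
SAMPLE_MVN_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parsers:jar:1.28.5:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO]    org.apache.pdfbox:pdfbox:jar:3.0.5:compile
"""

if __name__ == "__main__":
    for finding in audit(components_from_npm_lock(SAMPLE_NPM_LOCK)) + audit(components_from_mvn_list(SAMPLE_MVN_LIST)):
        print(finding["status"].upper(), finding["name"], finding["version"], "->", finding["advice"])
```

Run it against every lockfile and build output in the estate rather than only the repositories known to use React or Tika; the Tika artifacts in particular tend to arrive transitively through document-processing libraries.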

Fri, December 5, 2025

Crossing the Autonomy Threshold: Defending Against AI Agents

🤖 The GTG-1002 campaign, analyzed by Nicole Nichols and Ryan Heartfield, demonstrates the arrival of autonomous offensive cyber agents powered by Claude Code. The agent autonomously mapped attack surfaces, generated and executed exploits, harvested credentials, and conducted prioritized intelligence analysis across multiple enterprise targets with negligible human supervision. Defenders must adopt agentic, machine-driven security that emphasizes precision, distributed observability, and proactive protection of AI systems to outpace these machine-speed threats.

Fri, December 5, 2025

React2Shell RCE Exploits Observed in the Wild at Scale

⚠️ Patches for the React2Shell vulnerability should be prioritized: researchers report active, largely automated exploitation attempts targeting React Server Components and Next.js. Public proof-of-concept code has been reused by attackers, with initial payloads performing lightweight proof-of-execution checks and staged PowerShell download-and-execute stagers. Vendors including JFrog, Wiz and Greynoise warn of fake PoCs on GitHub, cryptojacking, credential theft attempts, and Mirai-style kit integration, while AWS reports state-linked groups targeting exposed apps — making immediate remediation and verification essential.

Fri, December 5, 2025

React2Shell critical flaw exploited by China-linked groups

⚠️ React2Shell is a max-severity insecure deserialization vulnerability in the React Server Components 'Flight' protocol that allows unauthenticated remote execution of JavaScript on affected servers. Within hours of disclosure, AWS telemetry observed exploitation attempts by China-linked groups including Earth Lamia and Jackpot Panda, and multiple proof-of-concept exploits have been published. React and Next.js have released patches; administrators should apply updates, scan for vulnerable deployments, and monitor for known exploitation indicators.

Sat, December 6, 2025

React2Shell RCE Exploited, 77K+ IPs and 30+ Breaches

🔴 React2Shell (CVE-2025-55182) is an unauthenticated remote code execution flaw in React Server Components and frameworks like Next.js, disclosed on December 3, 2025. A public proof-of-concept on December 4 accelerated automated scanning and exploitation; Shadowserver found 77,664 vulnerable IPs (≈23,700 in the US), and Palo Alto reports more than 30 breached organizations. Observed attacks use PowerShell stages, AMSI bypass and Cobalt Strike; mitigation requires updating React, rebuilding and redeploying apps, and reviewing logs for post-exploitation indicators.

Fri, December 5, 2025

Chinese Threat Actors Backdoor VMware vSphere Servers

🔒 Chinese state-sponsored actors are implanting a Go-based backdoor called BRICKSTORM on VMware vCenter and ESXi servers to maintain long-term persistence in targeted networks. CISA, NSA and the Canadian Cyber Centre analyzed multiple samples and found the malware often remained undetected for extended periods, enabling lateral movement, credential theft and exfiltration via VSOCK and SOCKS5 proxy functionality. The joint advisory includes IOCs, YARA and Sigma rules and recommends patching, hardening vSphere, restricting service account privileges, segmenting networks and blocking unauthorized DoH.

Fri, December 5, 2025

Barts Health NHS Reports Data Theft via Oracle Zero-Day

🔒 Barts Health NHS Trust disclosed that the Cl0p ransomware group stole invoice data from an Oracle E-Business Suite database after exploiting a zero-day vulnerability (CVE-2025-61882). Stolen files include full names and addresses of payers, records of former employees with debts, supplier details, and accounting files relating to Barking, Havering and Redbridge University Hospitals. The trust says its electronic patient record and clinical systems were not affected, has notified the NCSC, Metropolitan Police and the ICO, and is seeking a High Court order while advising patients to check invoices and remain vigilant for suspicious communications.

Fri, December 5, 2025

China-Linked Warp Panda Espionage Targets North America

🛡️ CrowdStrike has attributed a sophisticated cyber‑espionage campaign to a China-linked group dubbed Warp Panda, which has targeted North American legal, technology and manufacturing firms to support PRC intelligence priorities. The actor employed BRICKSTORM implants and Golang-based tools to persist on VMware vSphere infrastructures, including vCenter and ESXi hosts. CISA’s advisory corroborates long-term access and vCenter exploitation.

Fri, December 5, 2025

Chinese Threat Actors Rapidly Exploit React2Shell Flaw

⚠️ Within hours of public disclosure, two China-linked groups began exploiting the newly disclosed CVE-2025-55182 (React2Shell) remote code execution flaw in React Server Components. AWS telemetry from MadPot honeypots attributes activity to Earth Lamia and Jackpot Panda, showing attempts to run discovery commands such as "whoami", write files like "/tmp/pwned.txt", and read sensitive files such as "/etc/passwd". Vendors addressed the bug in React 19.0.1, 19.1.2, and 19.2.1, but attackers are concurrently scanning for other N-day flaws.

Fri, December 5, 2025

Intellexa's Predator Spyware Continues Despite Sanctions

📣 Leaked documents and coordinated technical reports indicate the Intellexa surveillance consortium continues to develop, sell and operate its Predator spyware despite multiple sanctions. Analyses from Google Threat Intelligence Group, Recorded Future and Amnesty’s Security Lab attribute numerous mobile browser zero-day exploits and new infection methods to the vendor. Amnesty disclosed a novel Aladdin zero-click vector that abuses the mobile advertising ecosystem to deliver malicious ads which infect devices on view, while Recorded Future and Google documented Intellexa’s outsized share of exploited zero-days. The combined findings point to active customers, new nexus entities and ongoing global operations.

Fri, December 5, 2025

CISA: PRC-linked BRICKSTORM Backdoor Targets vSphere

🔒 CISA on Thursday released details of a Golang backdoor named BRICKSTORM used by PRC-linked actors to maintain long-term stealthy access to VMware vSphere and Windows systems. The implant provides interactive shell access, file management, SOCKS proxying, and multiple C2 channels including HTTPS, WebSockets, nested TLS, and DNS-over-HTTPS to conceal communications and blend with normal traffic. CISA and private-sector researchers tied deployments to clusters tracked as UNC5221 and to CrowdStrike’s Warp Panda, noting self-reinstating persistence, VSOCK support for inter-VM operations, and use in attacks against government, IT, legal, and technology targets.

Sat, December 6, 2025

Researchers Find 30+ Flaws in AI IDEs, Enabling Data Theft

⚠️ Researchers disclosed more than 30 vulnerabilities in AI-integrated IDEs in a report dubbed IDEsaster by Ari Marzouk (MaccariTA). The issues chain prompt-injection with auto-approved agent tooling and legitimate IDE features to achieve data exfiltration and remote code execution across products like Cursor, GitHub Copilot, Zed.dev, and others. Of the findings, 24 received CVE identifiers; exploit examples include workspace writes that cause outbound requests, settings hijacks that point executable paths to attacker binaries, and multi-root overrides that trigger execution. Researchers advise using AI agents only with trusted projects, applying least privilege to tool access, hardening prompts, and sandboxing risky operations.

Fri, December 5, 2025

CISA Adds CVE-2025-55182 to Known Exploited Vulnerabilities

⚠️ CISA added CVE-2025-55182, a remote code execution vulnerability in Meta React Server Components, to the Known Exploited Vulnerabilities (KEV) Catalog after observing active exploitation. This type of RCE is a common and serious attack vector that poses significant risk to federal networks and other organizations. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by their due dates. CISA strongly urges all organizations to prioritize timely remediation and vulnerability management to reduce exposure.

Fri, December 5, 2025

Intellexa Predator Leaks Reveal Zero-Days and Ad Abuse

🔎 Amnesty International reports a Pakistani human rights lawyer received a WhatsApp link tied to a Predator 1-click attempt, the first known targeting of Balochistan civil society by Intellexa's spyware. Jointly published leaks and vendor analyses show Predator (also marketed as Helios, Nova and Green Arrow) used messaging, ad-based and ISP-assisted vectors plus multiple zero-day exploits to install surveillance payloads. Google Threat Intelligence Group mapped numerous V8, WebKit, Android kernel and other CVEs to the campaign and documented a modular iOS exploitation framework named JSKit and a post-exploitation payload called PREYHUNTER. The disclosures raise urgent questions about exploit sourcing, customer access to logs, and human rights due diligence.

Fri, December 5, 2025

Cloudflare outage on Dec 5, 2025 caused by WAF change

⚠️ On December 5, 2025 a configuration change to Cloudflare’s Web Application Firewall (WAF) triggered an error in a subset of proxies, causing HTTP 500 responses for affected customers. The change — increasing WAF request-body buffering to mitigate CVE-2025-55182 — was rolled out gradually, but a separate global configuration update disabled an internal tool and propagated immediately. That global change caused a Lua runtime nil lookup in the older FL1 proxy when a killswitch skipped an execute action in a ruleset; the change was reverted within 25 minutes and the incident was not caused by malicious activity.

Fri, December 5, 2025

Zero-Click Agentic Browser Deletes Entire Google Drive

⚠️ Straiker STAR Labs researchers disclosed a zero-click agentic browser attack that can erase a user's entire Google Drive by abusing OAuth-connected assistants in AI browsers such as Perplexity Comet. A crafted, polite email containing sequential natural-language instructions causes the agent to treat housekeeping requests as actionable commands and delete files without further confirmation. The technique requires no jailbreak or visible prompt injection, and deletions can cascade across shared folders and team drives.

Fri, December 5, 2025

JPCERT Confirms Active Command-Injection in ArrayOS

⚠️ JPCERT/CC warns that a command injection flaw in Array Networks AG Series secure access gateways' DesktopDirect feature has been actively exploited since August 2025, enabling attackers to execute arbitrary commands. The vendor patched the issue in ArrayOS 9.4.5.9 on May 11, 2025; affected versions include 9.4.5.8 and earlier. JPCERT/CC confirms web shells were dropped on devices in Japan and notes attacks from IP 194.233.100[.]138. Administrators should apply the update or disable DesktopDirect and block URLs containing a semicolon as a temporary mitigation.

Fri, December 5, 2025

MCP Sampling Risks: New Prompt-Injection Attack Vectors

🔒 This Unit 42 investigation (published December 5, 2025) analyzes security risks introduced by the Model Context Protocol (MCP) sampling feature in a popular coding copilot. The authors demonstrate three proof-of-concept attacks—resource theft, conversation hijacking, and covert tool invocation—showing how malicious MCP servers can inject hidden prompts and trigger unobserved model completions. The report evaluates detection techniques and recommends layered mitigations, including request sanitization, response filtering, and strict access controls to protect LLM integrations.

Fri, December 5, 2025

AI Agents in CI/CD Can Be Tricked into Privileged Actions

⚠️ Researchers at Aikido Security discovered that AI agents embedded in CI/CD workflows can be manipulated to execute high-privilege commands by feeding user-controlled strings (issue bodies, PR descriptions, commit messages) directly into prompts. Workflows pairing GitHub Actions or GitLab CI/CD with tools like Gemini CLI, Claude Code, OpenAI Codex or GitHub AI Inference are at risk. The attack, dubbed PromptPwnd, can cause unintended repository edits, secret disclosure, or other high-impact actions; the researchers published detection rules and a free scanner to help teams remediate unsafe workflows.
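
A minimal version of the kind of workflow scanner Aikido describes, written here as an added example and not their scanner: it splits a GitHub Actions workflow into steps without a YAML library, flags steps that interpolate attacker-controlled event fields (issue and PR bodies, comments, commit messages, branch names) into run scripts, and flags steps that pass the same fields to an agent CLI through env or with, where shell injection is gone but prompt injection remains. The sample workflow is constructed, and the agent invocation is illustrative and assumes no particular CLI flags.

```python
import re
from typing import Dict, List

# Expression contexts that anyone who can open an issue, PR or comment controls.
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.event\.(?:issue|pull_request|comment|review|discussion)\.(?:title|body)\s*\}\}"
    r"|\$\{\{\s*github\.event\.head_commit\.message\s*\}\}"
    r"|\$\{\{\s*github\.head_ref\s*\}\}"
)
# Agent tooling named in the report (names only; no flags assumed).
AI_TOOL = re.compile(r"\b(?:gemini|claude|codex)\b|actions/ai-inference", re.IGNORECASE)
STEP_START = re.compile(r"^(\s*)-\s")


def split_steps(workflow: str) -> List[str]:
    """Line-based split of every `steps:` list into one text chunk per step."""
    steps: List[str] = []
    cur: List[str] = []
    indent = None
    in_steps = False
    for line in workflow.splitlines():
        if re.match(r"^\s*steps:\s*$", line):
            in_steps, indent = True, None
            continue
        if not in_steps:
            continue
        m = STEP_START.match(line)
        if m and (indent is None or len(m.group(1)) == indent):
            indent = len(m.group(1))
            if cur:
                steps.append("\n".join(cur))
            cur = [line]
        elif cur:
            cur.append(line)
    if cur:
        steps.append("\n".join(cur))
    return steps


def section(chunk: str, key: str) -> str:
    """Value of one mapping key inside a YAML chunk, including an indented block body (crude)."""
    out: List[str] = []
    base = None
    for line in chunk.splitlines():
        if base is None:
            stripped = line.lstrip(" -")
            if stripped.startswith(key + ":"):
                base = len(line) - len(stripped)
                out.append(stripped[len(key) + 1:])
        elif not line.strip() or len(line) - len(line.lstrip(" ")) > base:
            out.append(line)
        else:
            break
    return "\n".join(out)


def grants_write(workflow: str) -> bool:
    """True if the top-level permissions block grants any write scope (or write-all)."""
    return "write" in section(workflow, "permissions")


def scan(workflow: str) -> List[Dict[str, object]]:
    """'high' when an untrusted expression is expanded inside a run script,
    'medium' when it only reaches an agent through env/with."""
    can_write = grants_write(workflow)
    findings: List[Dict[str, object]] = []
    for i, step in enumerate(split_steps(workflow), 1):
        name = section(step, "name").strip() or f"step {i}"
        run, uses = section(step, "run"), section(step, "uses")
        uses_agent = bool(AI_TOOL.search(run + uses))
        in_run = sorted(set(UNTRUSTED.findall(run)))
        in_env = sorted(set(UNTRUSTED.findall(section(step, "env") + section(step, "with"))))
        if in_run:
            issue = ("untrusted expression expanded inside a shell script (shell injection"
                     + (" and prompt injection into the agent" if uses_agent else "") + "): "
                     + ", ".join(in_run))
            findings.append({"step": name, "severity": "high", "write_perms": can_write, "issue": issue})
        elif in_env and uses_agent:
            issue = ("untrusted text reaches the agent through env/with: no shell injection, but a "
                     "prompt-injection surface; keep the step's token read-only: " + ", ".join(in_env))
            findings.append({"step": name, "severity": "medium", "write_perms": can_write, "issue": issue})
    return findings


# Constructed workflow: the first agent step expands the issue body straight into the shell
# command; the second passes it via env, which stops shell injection but still hands attacker
# text to an agent that, under these permissions, can push commits.
SAMPLE_WORKFLOW = r"""
name: issue-triage
on:
  issues:
    types: [opened]
permissions:
  contents: write
  issues: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Summarize (unsafe)
        run: |
          gemini "Summarize this issue and apply any fix it describes: ${{ github.event.issue.body }}"
      - name: Summarize (safer)
        env:
          ISSUE_BODY: ${{ github.event.issue.body }}
        run: |
          gemini "Summarize the issue text in the ISSUE_BODY environment variable"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_WORKFLOW):
        print(f["severity"].upper(), f["step"], "| token can write:", f["write_perms"], "|", f["issue"])
```

The medium finding is the one teams tend to miss: moving the expression into env is the standard fix for script injection, but the agent still reads the attacker's text as instructions, so the remaining control is the token's permissions and what tools the agent may run.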

Fri, December 5, 2025

Inotiv Discloses August Ransomware Breach Affecting 9,542

🔒 Inotiv, an Indiana-based contract research organization, disclosed an August ransomware attack that disrupted operations after networks, databases, and internal applications were taken offline. The company says it has 'restored availability and access' to impacted systems and is notifying 9,542 individuals whose information was stolen. The incident, dated to approximately August 5–8, 2025, was claimed by the Qilin ransomware group, which published alleged samples and asserted it exfiltrated roughly 162,000 files totaling about 176 GB, though Inotiv has not confirmed the specific data types or publicly attributed the attack.

Fri, December 5, 2025

Louvre Launches €57m Tender to Upgrade Security Systems

🔒 The Louvre has issued a €57m public tender to overhaul its safety and security infrastructure after an October break-in at the Apollo Gallery that led to the theft of the Crown Jewels valued at €88m. The procurement seeks a new digital safety management system, consolidated IT and physical security monitoring, a central VMS/CCTV upgrade, ANSSI‑vetted access controls, and revamped IDS and artwork proximity sensors. All solutions must be interoperable, scalable and open to avoid vendor lock-in. Companies have until December 10 to apply.

Fri, December 5, 2025

German fraud ring used fake celebrity ads for investments

🔍 Investigators say an alleged international fraud ring used fake celebrity advertising to market a purported 'secret financial product,' duping at least 120 people across Germany out of more than €1.3 million. Authorities carried out coordinated searches in Germany and Israel, focusing on Tel Aviv and Düsseldorf, and targeted publishers accused of running misleading campaigns. The scheme promoted AI-optimized investment strategies and automated crypto trading via large social-media campaigns and fake news sites, and victims were typically left with total loss of invested capital while seized evidence is analyzed.

Fri, December 5, 2025

Microsoft named Leader in 2025 Gartner Email Security

🔒 Microsoft has been named a Leader in the 2025 Gartner® Magic Quadrant for Email Security, recognizing advances in Microsoft Defender for Office 365. The announcement highlights agentic AI innovations and automated workflows—including an agentic email grading system and the Microsoft Security Copilot Phishing Triage Agent—that reduce manual triage and speed investigations. Microsoft also cites new protections like email bombing detection and expanded coverage across collaboration surfaces such as Microsoft Teams, while committing to greater transparency through in-product benchmarking and reporting.

Fri, December 5, 2025

Amazon SES Adds VPC Endpoints for API Access in All Regions

🔒 Amazon Simple Email Service (SES) now supports accessing SES API endpoints via Virtual Private Cloud (VPC) endpoints. Customers can use VPC endpoints to send email and manage SES resource configuration without routing API traffic through an internet gateway, reducing exposure of VPC activity to the public internet. The capability is available in all AWS Regions where SES is offered, simplifying private network architectures.

Fri, December 5, 2025

Pegasus 1.2 Available with Global Cross-Region Inference

📣 Amazon Bedrock now offers TwelveLabs Pegasus 1.2 via Global cross-Region inference, expanding availability by 23 new Regions in addition to the seven where it was already supported. You can also access the model in all EU Regions using Geographic cross-Region inference to meet data-residency requirements. Pegasus 1.2 is a video-first model for long-form video-to-text generation and temporal understanding, enabling lower latency and simplified architecture for video-intelligence applications.

Fri, December 5, 2025

FBI Warns of Virtual Kidnapping Scams Using Altered Photos

🔒 The FBI has issued a public service announcement warning that criminals are manipulating images shared on social media to support virtual kidnapping ransom schemes. Scammers contact victims by text, claim a relative has been abducted, and send altered photo or video proof-of-life, sometimes using timed messages to prevent scrutiny. The FBI urges vigilance: avoid sharing travel details, establish a family code word, and capture screenshots or recordings for investigators. BleepingComputer identified multiple social media examples and reports of number spoofing.

Sat, December 6, 2025

From Essay Mills to Drones: Ties Between Nerdify and Synergy

🔎 A sprawling academic cheating network branded around Nerdify and related sites has generated nearly $25 million by selling finished essays and homework while posing as tutoring. The operation repeatedly recreated Google Ads accounts and new domains to evade ad bans, routing work to low-cost writers across Kenya, the Philippines, Pakistan, Russia and Ukraine. Investigations link the essay-mill operators to entrepreneurs with corporate ties to Synergy, Russia's largest private university, which is also implicated in drone development for the Russian military.

read more →

Fri, December 5, 2025

EU Fines X €120M for Deceptive Blue Checkmarks Under DSA

🔎 The European Commission has fined X €120 million for breaching transparency obligations under the Digital Services Act. A two‑year inquiry found X's paid 'blue checkmark' programme misleading because badges could be purchased without meaningful identity verification, and that its ad repository and researcher access practices lacked required transparency. X has 60 working days to fix the checkmark issue and 90 days to submit plans for ad and research improvements or face further penalties.

read more →

Fri, December 5, 2025

Amazon SES Mail Manager Expands to 10 More Regions

📢 Amazon SES Mail Manager is now available in 10 additional commercial AWS Regions, bringing total coverage to 27 Regions and aligning Mail Manager availability with where SES Outbound is offered. Mail Manager centralizes email routing, governance, and compliance controls for domain-based sending, helping organizations replace legacy relays and streamline integrations with mailbox providers and email security vendors. It also supports onward delivery to WorkMail, built-in archiving with search and export, and console-based third-party security add-ons to simplify operations.

read more →

Fri, December 5, 2025

Amazon Connect Customer Profiles adds Spark SQL segments

🔍 Amazon Connect Customer Profiles now offers Beta segmentation powered by Spark SQL, enabling analysts to build sophisticated customer segments from both custom and standard profile objects. You can join objects, apply statistical functions such as percentiles, and standardize date fields for complex temporal analysis, or use the Segment AI assistant to translate natural language into Spark SQL. AI-generated queries include plain-language explanations and automatic membership estimates so you can review and validate results before deployment. These capabilities work alongside existing segmentation features and integrate with segment membership calls, Flow blocks, and Outbound Campaigns, and are available in all AWS regions where Customer Profiles is offered.

read more →

Fri, December 5, 2025

Elastic Beanstalk Adds Python 3.14 Support on AL2023

🐍 AWS Elastic Beanstalk now supports Python 3.14 on Amazon Linux 2023, allowing developers to build and deploy applications that take advantage of the latest interpreter features, improved error messages, and updated security and API behavior. The platform update also enhances the interactive interpreter experience and aligns runtime behavior with modern Python improvements. Environments can be provisioned via the Elastic Beanstalk Console, CLI, or API, and are available in all commercial AWS Regions including AWS GovCloud (US).

read more →

Fri, December 5, 2025

AWS simplifies CloudTrail events ingestion into CloudWatch

🔔 AWS now enables centralized collection of CloudTrail events in Amazon CloudWatch, allowing organizations to consolidate telemetry alongside VPC Flow Logs and EKS Control Plane Logs. The integration leverages service-linked channels (SLCs) to receive events without requiring trails and adds safety checks plus termination protection. Customers will incur CloudTrail event delivery charges and CloudWatch Logs ingestion fees based on custom logs pricing; consult the CloudWatch documentation for supported regions and enablement steps.

read more →

Fri, December 5, 2025

Amazon Connect Outbound Campaigns Adds WhatsApp Support

📣 Amazon Connect Outbound Campaigns now supports WhatsApp, enabling proactive, automated messaging for appointment reminders, payment notifications, order updates, and product recommendations. Administrators can configure WhatsApp campaigns in the existing Amazon Connect interface—define target audiences, personalize message templates, schedule delivery, and apply compliance guardrails alongside SMS, voice, and email. Messages can leverage real-time customer data and include delivery and engagement tracking as well as frequency controls to maintain compliance. This capability is available in all AWS Regions that support Outbound Campaigns.

read more →

Fri, December 5, 2025

AWS Elastic Beanstalk: Node.js 24 on AL2023 Now Available

🚀 AWS Elastic Beanstalk now supports Node.js 24 on Amazon Linux 2023 (AL2023), enabling developers to deploy applications that benefit from the latest V8 engine updates, npm 11, and platform-level security and performance improvements. You can create environments via the Elastic Beanstalk Console, CLI, or API. The platform is available in all commercial AWS Regions, including AWS GovCloud (US).

read more →

Fri, December 5, 2025

Securing Web3 Agents: MCP Transaction Models & Practices

🔐 This post from Adrien Delaroche at Google Cloud outlines three architectures for AI agents that interact with blockchains: the agent-controlled custodial model, a self-hosted variant, and the non-custodial transaction-crafter model. It explains security, performance, and malice risks when agents hold private keys and recommends returning unsigned transactions so users sign locally. The author demonstrates a sample implementation using Google ADK, Gemini 2.0 Flash, Cloud Run, and an Ethereum faucet, and urges MCP servers to support both signing and unsigned flows to balance automation with user safety.

read more →

Sun, December 7, 2025

Portugal Revises Law to Shield Security Researchers

🛡️ Portugal amended its cybercrime law to create a clear safe harbor for good-faith security research under new Article 8.º-A. The change exempts acts that would otherwise be illegal when they are performed solely to identify and responsibly disclose vulnerabilities, provided strict conditions are met: immediate notification to the system owner and the CNCS, no excessive financial gain, non-disruptive techniques, GDPR compliance, and deletion of obtained data within ten days of remediation. Tests carried out with owner consent are also covered but still require CNCS notification.

read more →

Sat, December 6, 2025

New Wave of VPN Login Attempts Targets GlobalProtect

🔐 Beginning December 2, a campaign using more than 7,000 IPs from German host 3xK GmbH (AS200373) carried out brute-force login attempts against Palo Alto GlobalProtect portals and soon pivoted to scanning SonicWall SonicOS API endpoints. GreyNoise links the activity to three recurring client fingerprints seen in prior scans and to earlier campaigns that generated millions of HTTP sessions. Organizations should monitor authentication velocity and failures, block implicated IPs and fingerprints, and enforce MFA to reduce credential abuse.
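The monitoring GreyNoise recommends, authentication velocity and failure counting, is easy to get wrong when the source is a hosting provider spraying from thousands of IPs: per-IP thresholds never trip because each address only tries a few times. The sliding-window detector below is an added illustration, not code from GreyNoise, Palo Alto or SonicWall; it tracks failures per source IP and per source ASN at the same time, so a low-and-slow spray shows up at the ASN level. The log format, the documentation ASNs (AS64496, AS64500, AS64501) and the sample events are all constructed for the example; a real deployment would map IPs to ASNs with its own enrichment source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log layout (assumption: not any vendor's real syslog format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) "
    r"src=(?P<ip>\S+) asn=(?P<asn>AS\d+)$"
)


def build_sample_log():
    """Constructed sample: a distributed spray plus one noisy single source."""
    lines = []
    # 10 source IPs from one hosting ASN (documentation ASN AS64496), 3 failures
    # each, all inside 30 seconds: low per-IP volume, high per-ASN volume.
    for i in range(10):
        for j in range(3):
            sec = i * 3 + j
            lines.append(f"2025-12-02T10:00:{sec:02d}Z auth FAIL user=svc{i} "
                         f"src=198.51.100.{i + 1} asn=AS64496")
    # One IP hammering a single account: 6 failures in 6 seconds.
    for sec in range(6):
        lines.append(f"2025-12-02T10:01:{sec:02d}Z auth FAIL user=alice "
                     f"src=192.0.2.10 asn=AS64500")
    # Legitimate successes that must not raise an alert.
    for sec in range(3):
        lines.append(f"2025-12-02T10:02:{sec:02d}Z auth OK user=bob "
                     f"src=192.0.2.20 asn=AS64501")
    return lines


def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    return rec


def detect(lines, window=timedelta(seconds=60),
           per_ip_threshold=5, per_asn_threshold=20):
    """Sliding-window failure counter keyed by source IP and by source ASN.

    A key is alerted once the number of failures inside `window` reaches its
    threshold. Successful logins are ignored for counting purposes.
    """
    events = sorted((r for r in map(parse, lines) if r), key=lambda r: r["ts"])
    ip_win, asn_win = defaultdict(deque), defaultdict(deque)
    ip_alerts, asn_alerts = set(), set()
    failures = 0
    for ev in events:
        if ev["result"] != "FAIL":
            continue
        failures += 1
        for key, win, threshold, alerts in (
            (ev["ip"], ip_win, per_ip_threshold, ip_alerts),
            (ev["asn"], asn_win, per_asn_threshold, asn_alerts),
        ):
            q = win[key]
            q.append(ev["ts"])
            # Drop failures that have aged out of the window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alerts.add(key)
    return {"ip_alerts": ip_alerts, "asn_alerts": asn_alerts,
            "failures": failures}


if __name__ == "__main__":
    result = detect(build_sample_log())
    print("per-IP alerts:", sorted(result["ip_alerts"]))
    print("per-ASN alerts:", sorted(result["asn_alerts"]))
```

With the constructed input, only 192.0.2.10 crosses the per-IP threshold, while the spray from AS64496 never exceeds three failures per address and is caught solely by the ASN counter. Tune the two thresholds separately: the ASN threshold should sit well above what one misbehaving VPN client can produce, and alerts on either key are a reasonable trigger for temporary blocking and an MFA-enforcement review.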

read more →

Fri, December 5, 2025

Ransomware in Manufacturing: Lower Encryption, High Payouts

🔒 A Sophos study finds manufacturing firms are increasingly able to stop ransomware before encryption occurs, with only 40% of attacks leading to data encryption — the lowest rate in five years and down from 74% the prior year. Despite improved defenses, data theft remains a major concern: 39% of encrypted incidents resulted in data loss. More than half of affected companies still paid ransoms, with a median payment of about €861,000 versus median demands near €1 million. Respondents cited skills shortages, unknown vulnerabilities and missing protections as key contributors, and attacks continue to strain IT and leadership teams.

read more →

Fri, December 5, 2025

Cloudflare outage after WAF update to block React exploit

🛡️ Cloudflare briefly disrupted service after a Web Application Firewall update intended to mitigate a vulnerability in React Server Components (CVE-2025-55182) caused its request parser to fail. The incident began at 09:09 UTC and a corrective change was deployed within ten minutes, but monitoring sites and customers reported widespread errors during the outage. Downdetector logged spikes for enterprise and consumer services including Shopify, Zoom, Claude AI, and AWS. Cloudflare said the change was a protective measure for unpatched customers and confirmed the disruption was not an attack.

read more →

Fri, December 5, 2025

SpyCloud: Phishing Targets Corporate Users 3x More

🔍 SpyCloud reported a 400% year‑over‑year increase in successfully phished identities, finding nearly 40% of more than 28 million recaptured phish records contained business email addresses—about three times the rate observed in recaptured malware. The company warns phishing has become the preferred gateway into enterprise environments and is fueling follow‑on attacks such as ransomware. SpyCloud urges organizations to adopt real‑time visibility and automated post‑compromise remediation across both personal and professional identities.

read more →

Fri, December 5, 2025

AWS Directory Service Managed Microsoft AD Now in NZ

📢 AWS has announced that AWS Managed Microsoft AD and AD Connector are now available in the Asia Pacific (New Zealand) Region. AWS Managed Microsoft AD is built on actual Microsoft Active Directory and helps reduce the operational burden of running AD infrastructure in AWS while enabling domain join for EC2, containers, and Kubernetes. AD Connector acts as a proxy to let AWS services use existing on-premises AD identities and group policies without provisioning AD in the cloud.

read more →

Fri, December 5, 2025

Senate Finds Widespread Use of Non-Approved Messaging Apps

📱 The Senate Committee on Armed Services concluded that unsecured use of non‑approved messaging apps is a wider problem in the Department of Defense. It found that Secretary Pete Hegseth violated policy by sharing operational details on Signal from a personal device two hours before a strike and inadvertently added a journalist to the group. The reports cite broader “shadow communications,” limited audit evidence, and recommend approved alternatives, training, and tighter authority controls.

read more →

Fri, December 5, 2025

Hardening Browser Security with Zero Trust Controls

🔒 The article argues that the browser must be the primary enforcement point for enterprise zero trust, replacing outdated perimeter assumptions with per-request, context-aware controls. It synthesizes NIST SP 800-207 and 800-207A plus CISA guidance to describe identity-first access, least-privilege entitlements, continuous verification, phishing-resistant MFA (FIDO2/WebAuthn), device posture gating and remote browser isolation. Practical recommendations include SSO with short-lived tokens, SCIM-driven provisioning, ZTNA access proxies and governance-as-code to automate policy and reduce exposure.

read more →

Fri, December 5, 2025

SANS ICS/OT Security 2025: Key Findings and Actions

🔐 The SANS State of ICS/OT Security 2025 report, sponsored by Fortinet, highlights persistent operational risks across critical infrastructure, with high incident rates, extended remediation times, and remote-access exposures. It calls for treating mean time to recovery (MTTR) as a board-level metric, unifying IT/OT visibility, and automating response playbooks. The analysis urges replacing ad hoc remote connectivity with secure, monitored access and integrating OT-specific threat intelligence into enforcement; FortiPAM and FortiGuard AI-Powered Security Services are cited as solutions to improve segmentation, detection, and recovery.

read more →

Fri, December 5, 2025

Zero Trust Adoption Still Lagging as AI Raises Stakes

🔒 Zero trust is over 15 years old, yet many organizations continue to struggle with implementation due to legacy systems, fragmented identity tooling, and cultural resistance. Experts advise shifting segmentation from devices and subnets to applications and identity, adopting pragmatic, risk-based roadmaps, and prioritizing education to change behaviors. As AI agents proliferate, leaders must extend zero trust to govern models and agent identities to prevent misuse while using AI to accelerate policy definition and threat detection.

read more →

Fri, December 5, 2025

Suspicious CDN-Header Traffic May Signal Evasion Tests

🔍 SANS honeypots detected increased HTTP requests containing CDN-related headers that may indicate probing to evade CDN protections. Researchers observed headers referencing Cloudflare (Cf-Warp-Tag-Id), Fastly (X-Fastly-Request-Id), Akamai (X-Akamai-Transformed) and an anomalous X-T0Ken-Inf0. Experts warn this could be reconnaissance to bypass CDNs and reach origin servers and urge origin hardening such as IP allowlists, validated tokens, or private connectivity.
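The hardening the item recommends, allowlisting CDN egress addresses and validating an edge-injected token, is what lets an origin tell a request that genuinely passed through the CDN from one that merely carries CDN-looking headers. The classifier below is an added example, not code from SANS or from any CDN vendor. It uses the four header names the report lists, but the source ranges, the token header name and the secret are constructed placeholders (assumptions, not any provider's real values).

```python
import hmac
import ipaddress

# Header names from the honeypot observations; the vendor labels are for reporting.
CDN_HEADERS = {
    "cf-warp-tag-id": "Cloudflare",
    "x-fastly-request-id": "Fastly",
    "x-akamai-transformed": "Akamai",
    "x-t0ken-inf0": "anomalous (no known CDN)",
}

# Assumption: the CDN publishes its egress prefixes. This is a documentation prefix.
CDN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumption: the CDN is configured to add a secret header to every forwarded request.
ORIGIN_TOKEN_HEADER = "x-origin-token"
ORIGIN_TOKEN_SECRET = "constructed-shared-secret"  # placeholder; load from a secret store


def classify_request(src_ip: str, headers: dict) -> dict:
    """Decide whether a request reaching the origin really came via the CDN."""
    h = {k.lower(): v for k, v in headers.items()}
    cdn_hits = sorted(name for name in h if name in CDN_HEADERS)
    ip = ipaddress.ip_address(src_ip)
    from_cdn = any(ip in net for net in CDN_EGRESS)
    # Constant-time comparison so token checking does not leak timing information.
    token_ok = hmac.compare_digest(h.get(ORIGIN_TOKEN_HEADER, ""), ORIGIN_TOKEN_SECRET)

    findings = []
    if cdn_hits and not from_cdn:
        findings.append("cdn-headers-from-non-cdn-source")
    if "x-t0ken-inf0" in h:
        findings.append("anomalous-header")
    if not from_cdn:
        findings.append("source-not-in-cdn-allowlist")
    if not token_ok:
        findings.append("origin-token-invalid")

    return {
        "src": src_ip,
        "cdn_headers": cdn_hits,
        "from_cdn": from_cdn,
        "token_ok": token_ok,
        "findings": findings,
        # Both controls must pass; headers alone never grant access.
        "action": "allow" if from_cdn and token_ok else "deny",
    }


# Constructed sample requests as (source IP, headers) pairs.
SAMPLE_REQUESTS = [
    # Genuine CDN traffic: allowlisted source and valid token.
    ("203.0.113.7", {"Host": "origin.example", "X-Fastly-Request-Id": "f1",
                     "X-Origin-Token": ORIGIN_TOKEN_SECRET}),
    # Direct-to-origin probe wearing two CDN headers.
    ("198.51.100.23", {"Host": "origin.example", "Cf-Warp-Tag-Id": "w1",
                       "X-Akamai-Transformed": "9 - 0"}),
    # Direct-to-origin probe with the odd X-T0Ken-Inf0 header.
    ("198.51.100.24", {"Host": "origin.example", "X-T0Ken-Inf0": "1"}),
    # Allowlisted source but no token: a misconfigured edge, still denied.
    ("203.0.113.9", {"Host": "origin.example", "X-Fastly-Request-Id": "f2"}),
]


def scan(requests):
    """Classify a batch of (src_ip, headers) pairs."""
    return [classify_request(ip, hdrs) for ip, hdrs in requests]


if __name__ == "__main__":
    for r in scan(SAMPLE_REQUESTS):
        print(r["src"], r["action"], r["findings"])
```

The point of the fourth sample is that the allowlist and the token are independent checks: a request from a CDN address without the token is still denied, and a request with the token from elsewhere is denied too. Logging the `findings` list rather than just the verdict gives the honeypot-style visibility the SANS researchers used to spot the header pattern in the first place.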

read more →

Fri, December 5, 2025

Amazon SageMaker enables self-service notebook migration

🔁 Amazon SageMaker Notebook instances now support self-service migration via the PlatformIdentifier parameter in the UpdateNotebookInstance API. You can update unsupported platform identifiers (notebook-al1-v1, notebook-al2-v1, notebook-al2-v2) to supported versions (notebook-al2-v3, notebook-al2023-v1) while preserving data and configurations. The capability is available through AWS CLI (v2.31.27+) and SDKs in all Regions where Notebook instances are supported. This simplifies keeping instances current and reduces manual migration effort.

read more →

Fri, December 5, 2025

Preventing AI Technical Debt Through Early Governance

🛡️ Organizations must build AI governance now to avoid repeating past technical debt. The article warns that rapid AI adoption mirrors earlier waves — cloud, IoT and big data — where innovation outpaced oversight and created security, privacy and compliance gaps. It prescribes pragmatic controls like classification and ownership, baseline cybersecurity, continuous monitoring, third‑party due diligence and regular testing. The piece also highlights the accountability vacuum from agent AIs and urges business‑led governance and clear executive responsibility.

read more →

Sun, December 7, 2025

OpenAI: ChatGPT Plus shows app suggestions, not ads

🔔 OpenAI says recent ChatGPT Plus suggestions are app recommendations, not ads, after users reported shopping prompts — including Target — appearing during unrelated queries like Windows BitLocker. Daniel McAuley described the entries as pilot partner apps introduced since DevDay and part of efforts to make discovery feel more organic. Many users, however, view the branded bubbles as advertising inside a paid product.

read more →

Fri, December 5, 2025

Back Market Migrates to Google Data Cloud, Cuts Costs

🔁 Back Market migrated its data and core tech stack from AWS-based Snowflake and Databricks to Google Cloud, consolidating all historical and operational data in BigQuery. The team executed a two-week proof of concept and a live double-run migration that kept production on Databricks while writing to cloned BigQuery tables until outputs matched. They replaced AWS DMS with Datastream, implemented hourly batching to control small-file costs, and completed critical switchover in six months. The move halved data processing times, cut CDC costs by 90%, reduced technical debt, and improved observability, governance, and developer productivity.

read more →

Fri, December 5, 2025

The CISO Paradox: Enabling Innovation, Managing Risk

🔐 CISOs must stop being the “department of no” and enable rapid product delivery without introducing new risks. Security needs to be embedded early through close collaboration with product teams, clear business-aligned risk tolerances, and pragmatic guardrails. Assign a dedicated security partner to each product, integrate CI/CD and Infrastructure-as-Code enforcement, and automate policy checks so safe changes proceed while risky ones fail with actionable remediation.

read more →

Fri, December 5, 2025

Getting to Yes: Trust-First Sales Guide for MSPs and MSSPs

🔐 The Getting to Yes anti-sales guide helps MSPs and MSSPs reframe cybersecurity conversations from fear-based pitches into collaborative business partnerships. It catalogs common objections—cost, perceived protection, small size, complexity, and time—and provides empathetic, evidence-driven responses that tie security to uptime, revenue, reputation, and compliance. The guide introduces a trust-first framework (Empathy, Education, Evidence) and explains how automation, fast assessments, posture dashboards, and measurable milestones make value visible and scalable.

read more →

Fri, December 5, 2025

New Anonymous Phone Service Accepts Only Zip Code Sign-up

🔐 A new anonymous phone service allows users to register with only a ZIP code, foregoing typical identity checks like full address or payment verification. The design prioritizes ease and a veneer of privacy, but it also raises substantial operational and legal questions. Experts warn that metadata, device identifiers, and carrier cooperation can still de-anonymize users. Individuals and organizations should weigh convenience against potential misuse and regulatory scrutiny.

read more →

Fri, December 5, 2025

Practical Guide to Continuous Attack Surface Visibility

🔍 Modern security teams can no longer rely solely on static, passive internet-scan datasets to understand their external attack surface. Continuous, automated, active reconnaissance verifies what is actually exposed daily, catching ephemeral assets, misconfigurations, and shadow IT that periodic scans miss. Sprocket Security presents an ASM-driven approach that emphasizes validation, ownership attribution, and prioritized, actionable findings to reduce noise and speed remediation. This defensive, non-intrusive enumeration is environment-aware and designed to map changing cloud footprints in near real time.

read more →

Fri, December 5, 2025

NCSWIC Releases 'What Is a PACE Plan' Video for Agencies

🎥 This Emergency Communications Month, the National Council of Statewide Interoperability Coordinators (NCSWIC) Planning, Training, and Exercise Committee released a concise educational video, 'What is a PACE Plan', that explains the components of a PACE plan (Primary, Alternate, Contingency, Emergency) and why it matters for public safety communications. NCSWIC members describe how communications can change in atypical situations and demonstrate why agencies should know their PACE and routinely practice it. The video is a practical tool to help agencies maintain continuity of communications when primary systems degrade.

read more →