Cyberveille curated by Decio
OWASP GenAI Security Project Releases Top 10 Risks and Mitigations for Agentic AI Security https://www.prnewswire.com/news-releases/owasp-genai-security-project-releases-top-10-risks-and-mitigations-for-agentic-ai-security-302637364.html
13/12/2025 15:50:28

News provided by
OWASP
Dec 10, 2025, 03:03 ET

WILMINGTON, Del., Dec. 10, 2025 /PRNewswire/ -- The OWASP GenAI Security Project (genai.owasp.org), a leading global open-source and expert community dedicated to delivering practical guidance and tools for securing generative and agentic AI, today released the OWASP Top 10 for Agentic Applications, a key resource to help organizations identify and mitigate the unique risks posed by autonomous AI agents.

Following more than a year of research, review and refinement, this Top 10 list reflects a culmination of input from over 100 security researchers, industry practitioners, user organizations and leading cybersecurity and generative AI technology providers. The result is not only a list of risks and mitigations, but a suite of resources designed for practitioners providing data-driven guidance.

The framework was further evaluated by the GenAI Security Project's Agentic Security Initiative Expert Review Board, which includes representatives from recognized bodies around the world such as NIST, European Commission and the Alan Turing Institute, among others. A full list of contributing organizations can be found here.

"This new OWASP Top 10 reflects incredible collaboration between AI security leaders and practitioners across the industry," said Scott Clinton, the OWASP GenAI Security Project's Co-Chair, Board Member, and Co-Founder. "As AI adoption accelerates faster than ever, security best practices must keep pace. The community's responsiveness has been remarkable, and this Top 10, along with our broader open-source resources, ensures organizations are better equipped to adopt this technology safely and securely."

Agent Behavior Hijacking, Tool Misuse and Exploitation, and Identity and Privilege Abuse are among the threats highlighted in the Top 10; they show how attackers can subvert agent capabilities or their supporting infrastructure. Incidents involving these increasingly capable agentic systems are appearing across industries, elevating the need for these new resources.

"Companies are already exposed to Agentic AI attacks - often without realizing that agents are running in their environments," said Keren Katz, Co-Lead for OWASP's Top 10 for Agentic AI Applications and Senior Group Manager of AI Security at Tenable. "While the threat is already here, the information available about this new attack vector is overwhelming. Effectively protecting a company against Agentic AI requires not only strong security intuition but also a deep understanding of how AI agents fundamentally operate."

"Agentic AI introduces a fundamentally new threshold of security challenges, and we are already seeing real incidents emerge across industry," said John Sotiropoulos, GenAI Security Project Board member, Agentic Security Initiative and Top 10 for Agentic Applications Co-lead, and Head of AI Security at Kainose. "Our response must match the pace of innovation, which is why this Top 10 focuses on practical, actionable guidance grounded in real-world attacks and mitigations. This release marks a pivotal moment in securing the next generation of autonomous AI systems."

The Top 10 for Agentic Applications joins a growing portfolio of peer-reviewed resources released by the OWASP GenAI Security Project and its Agentic Security Initiative, including:

  • The State of Agentic Security and Governance 1.0: A practical guide to the governance and regulations for the safe and responsible deployment of autonomous AI systems.
  • The Agentic Security Solutions Landscape: A quarterly, peer-reviewed map of open-source and commercial agentic AI tools and how they support SecOps and mitigate DevOps–SecOps risks.
  • A Practical Guide to Securing Agentic Applications: Practical technical guidance for securely designing and deploying LLM-powered agentic applications.
  • Reference Application for Agentic Security: An OWASP FinBot Capture The Flag application, designed to test and practice agentic security skills in a controlled environment.
  • Agentic AI Threats and Mitigations: This document is the first in a series to provide a threat-model-based reference of emerging agentic threats and discuss mitigations.
  • And more

"Over the past two and a half years, the OWASP Top 10 for LLM Applications has shaped much of the industry's thinking on AI security," said Steve Wilson, OWASP GenAI Security Project Board Co-Chair, Founder of OWASP Top 10 for LLM, and CPO of Exabeam, Inc. "This year, we've seen agentic systems move from experiments to real deployments, and that shift brings a different class of threats into clear view. Our team met that challenge by expanding our guidance to address how agentic systems behave, interact, and make decisions. The LLM Top 10 will remain a core, regularly updated resource, and aligning both efforts is key to helping the community build safer, more reliable intelligent systems."

Discover what industry experts, researchers and leading global organizations have to say about the new Top 10 for Agentic Applications here.

The OWASP GenAI Security Project invites organizations, researchers, policymakers and practitioners to access the new Top 10 for Agentic Applications, contribute to future updates and join the global effort to build secure, trustworthy AI systems. Visit our site to learn more and how you can contribute.

About OWASP Gen AI Security Project
The OWASP Gen AI Security Project (genai.owasp.org) is a global, open-source initiative and expert community dedicated to identifying, mitigating, and documenting security and safety risks associated with generative AI technologies, including large language models (LLMs), agentic AI systems, and AI-driven applications. Our mission is to empower organizations, security professionals, AI practitioners, and policymakers with comprehensive, actionable guidance and tools to ensure the secure development, deployment, and governance of generative AI systems. Visit our site to learn more.

prnewswire.com EN 2025 OWASP Top10 framework GenAI Mitigations Risks AgenticAI
UK clamps down on China-based companies for reckless and irresponsible activity in cyberspace - GOV.UK https://www.gov.uk/government/news/uk-clamps-down-on-china-based-companies-for-reckless-and-irresponsible-activity-in-cyberspace
13/12/2025 15:44:52

From:
Foreign, Commonwealth & Development Office gov.uk
Published
9 December 2025

Two tech companies based in China have been sanctioned for reckless and indiscriminate cyberattacks

  • UK exposes two China-based companies that have carried out cyberattacks against the UK and its allies
  • New sanctions clamp down on attempts to undermine UK security and prosperity
  • Sanctioned businesses had launched global cyberattacks against over 80 government and private industry IT systems

Two tech companies based in China have been sanctioned today [Tuesday 9 December] for reckless and indiscriminate cyberattacks:

Sichuan Anxun Information Technology Co. Ltd (known as i-Soon) for targeting over 80 government and private industry IT systems across the world, and for supporting others planning to carry out malicious cyber activity.

Integrity Technology Group Incorporated (known as Integrity Tech) for controlling and managing a covert cyber network and providing technical assistance for others to carry out cyberattacks. Targets have included UK public sector IT systems.

I-Soon and Integrity Tech are examples of the threat posed by the cyber industry in China, which includes information security companies, data brokers (that collect and sell personal data), and ‘hackers for hire’. Some of these companies provide cyber services to the Chinese intelligence services.

The UK’s National Cyber Security Centre (NCSC) assesses that it is almost certain that this ‘ecosystem’, or complex network of private sector actors, supports Chinese state-linked cyber operations.

The announcement follows the August 2025 exposure by the UK and international partners of three China-based companies linked to the cyber-espionage campaign known as SALT TYPHOON. Combined, they highlight the vast scale of cyberattacks by China-based companies targeting governments, telecommunications, military institutions, and public services worldwide.

These cyberattacks from unrestrained actors in China go against agreed UN cyber principles. The measures announced today are designed to reduce the risk of such threats to the UK’s security and broader international stability.

As the Prime Minister set out recently in a speech at the Guildhall, protecting our security is non-negotiable and the first duty of the government. The UK recognises that China poses a series of threats to UK national security. China is also a fellow permanent member of the UN Security Council, the world’s second largest economy and a nuclear power which has delivered almost a third of global economic growth over the past decade. We challenge threats robustly, enabling us to pursue cooperation where it is in our interest.

Notes to Editors
In August 2025, the UK alongside 12 other countries co-sealed a cyber security advisory linking China-based technology companies to some of the activities associated with a China state-affiliated APT group (commonly known as SALT TYPHOON). These companies are: Sichuan Juxinhe Network Technology Co. Ltd, Beijing Huanyu Tianqiong Information Technology Co., and Sichuan Zhixin Ruije Network Technology Co. Ltd.
This activity targeted governments, telecommunications, transportation, and military infrastructure globally, and sought to provide Chinese intelligence services with the capability to identify and track targets’ communications and movements worldwide.
Together with France, the UK continues to lead the Pall Mall Process, an international initiative which seeks to establish a framework for responsible behaviour for those involved in the rapidly growing market in commercial cyber intrusion capabilities.
The UK has consistently promoted the UN normative framework for responsible state behaviour in cyberspace. The UK remains the first and only country to publish guidelines for its National Cyber Force detailing the principles that we adhere to. We firmly believe that states should use cyber capabilities in a responsible manner, whether commercial or otherwise.

gov.uk EN 2025 sanctions China companies
HSE confirms second ransomware attack but 'no evidence' patient data was stolen https://www.breakingnews.ie/ireland/hse-confirms-second-ransomware-attack-but-no-evidence-patient-data-was-stolen-1840265.html
13/12/2025 15:42:55

breakingnews.ie
Darragh Mc Donagh

It has now emerged that a second ransomware attack took place last February

There is no evidence that patients’ data was stolen during a second ransomware attack targeting Health Service Executive (HSE) systems earlier this year, the authority has said.

Earlier this week, the HSE began offering compensation to victims of a cyberattack that caused widespread disruption in May 2021, costing the agency an estimated €102 million.

It has now emerged that a second ransomware attack took place last February, targeting a third-party processor and resulting in a data protection breach reported by HSE primary care services in the midlands.

IT systems were fully recovered following the cyberattack and there was no evidence that data had been exfiltrated, according to HSE records obtained under the Freedom of Information Act.

A ransomware attack occurs when malicious software locks or encrypts a victim’s computer systems, blocking access until a ransom is paid. Some attacks involve a threat to leak stolen data.

A spokeswoman for the HSE did not respond when asked whether the health authority had paid a ransom following the February cyberattack.

“The HSE manages and responds to thousands of cyber threats annually, taking appropriate action to ensure awareness of current threats, while maintaining the ability to deliver healthcare services securely and reliably, regardless of the evolving threat landscape,” she said.

The spokeswoman said HSE systems were not “directly” impacted by the February ransomware attack.

“The HSE has invested significantly in cyber remediation since the cyberattack in May 2021. Multiple ongoing programmes of work are focused on addressing all issues highlighted in the wake of the attack,” she added.

The original ransomware attack occurred when an employee clicked on a malicious MS Excel file that was attached to a phishing email on March 18th, 2021.

This enabled the hackers to gain access to the HSE’s IT environment, where they continued to operate undetected for more than eight weeks before detonating the ransomware on May 14th.

The attack caused widespread disruption and some information relating to patients was illegally accessed and copied.

Last year, the HSE said it had written to 90,936 people affected by the cyberattack. It has reportedly offered compensation of €750 to more than 600 individuals who took legal action over the breach.

A subsequent investigation found that the HSE was operating a frail IT system and did not have adequate cyber expertise or resources prior to the attack. The attack is estimated to have cost the HSE €102 million.

breakingnews.ie EN 2025 Ireland HSE ransomware
Password manager provider fined £1.2m by ICO for data breach affecting up to 1.6 million people in the UK https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/12/password-manager-provider-fined/
13/12/2025 15:41:19

ico.org.uk | The Information Commissioner’s Office (ICO)
Date 11 December 2025

The Information Commissioner’s Office (ICO) has fined password manager provider LastPass UK Ltd £1.2 million following a 2022 data breach that compromised the personal information of up to 1.6 million of its UK users. 

  • Service which promises to help people improve their security has failed them, leaving them vulnerable
  • Combination of two isolated incidents enabled hacker to steal personal information relating to 1.6m customers
  • ‘Zero knowledge’ encryption system ensures customer passwords and vaults are not decrypted

We have fined password manager provider LastPass UK Ltd £1.2 million following a 2022 data breach that compromised the personal information of up to 1.6 million of its UK users.

We found that LastPass failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database. There is no evidence that hackers were able to unencrypt customer passwords as these are stored locally on customer devices and not by LastPass.

The incidents occurred in August 2022 when a hacker gained access first to a corporate laptop of an employee based in Europe and then to a US-based employee’s personal laptop on which the hacker implanted malware and then was able to capture the employee’s master password. The combined detail from both incidents enabled the hacker to access LastPass’ backup database and take personal information which included customer names, emails, phone numbers, and stored website URLs.

John Edwards, UK Information Commissioner, said:

“Password managers are a safe and effective tool for businesses and the public to manage their numerous login details and we continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced.

“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today.

“I call on all UK business to take note of the outcome of this investigation and urgently review their own systems and procedures to make sure, as best as possible, that they are not leaving their customers and themselves exposed to similar risks”.

Details of the two incidents
Incident one
  • A hacker compromised a LastPass employee’s corporate laptop and gained access to the company’s development environment.
  • No personal information was taken; however, encrypted company credentials were. If decrypted, these would allow access to the company’s backup database.
  • LastPass took steps to mitigate the hacker’s activity and believed encryption keys remained safe, as they were stored outside of the area accessed by the hacker, in the account vaults of four senior employees.
Incident two
  • The hacker then targeted one of the senior employees who had access to the decryption keys, gaining access to their personal device via a known vulnerability in a third-party streaming service.
  • A keylogger was installed capturing the employee’s master password, and multi-factor authentication was bypassed using a trusted device cookie.
  • The hacker then gained access to the employee’s personal and business LastPass vaults, which were linked using a single master password.
  • The hacker then gained access to the employee’s business vault, which contained the Amazon Web Services (AWS) access key and decryption key.
  • This information, combined with information taken the day before, enabled the hacker to extract the contents of the backup database which contained the personal information.

Our investigation found no evidence that encrypted passwords and other credentials were able to be unencrypted by the hacker. This is due to LastPass’ use of a ‘zero knowledge’ encryption system, whereby the master password required to access a password vault is stored locally on a customer’s own device and never shared with LastPass.

Advice and guidance
We urge organisations to ensure internal security policies explicitly consider and address data breach risks. Where risks are identified access should be restricted to specific user groups.

Businesses wishing to review their procedures should turn to our and the National Cyber Security Centre websites which provide a rich source of information detailing ways to improve practices including Working from home – security checklist for employers, Data security guidance and Device security guidance.

ico.org.uk UK EN 2025 ICO LastPass fined Incident
Over 700 computers and servers deactivated: HUR cyber corps attacked Russia's leading logistics company https://unn.ua/en/news/over-700-computers-and-servers-deactivated-hur-cyber-corps-attacked-russias-leading-logistics-company
13/12/2025 15:39:01

Kyiv • UNN - unn.ua | УНН
December 6 2025

On December 6, the HUR MOD Cyber Corps and BO Team attacked the Russian logistics company "Eltrans+". Over 700 computers and servers were deactivated, 165 terabytes of data were destroyed, and network equipment was disabled.

The GUR Cyber Corps attacked Russia's leading logistics company on the night of December 6 - more than 700 computers and servers were deactivated, 165 terabytes of critical data were destroyed or encrypted, UNN reports with reference to sources.

“On the night of December 6, specialists from the Main Intelligence Directorate of the Ministry of Defense, together with the BO Team, launched a cyberattack on the information and communication infrastructure of the Eltrans + group of companies. As a result of the attack, more than 700 computers and servers were deactivated, more than a thousand company users were deleted, and 165 terabytes of critical data were destroyed or encrypted,” the source reported.

According to the UNN interlocutor, in addition, the access control system, video surveillance data storage and backup system were affected, network equipment along with the core of the data center was deactivated and disabled, declarations for all cargo were destroyed, and all company websites were "defaced", and now greet Russian users with the Day of the Armed Forces of Ukraine.

Let's add
"Eltrans+" is among the top 10 largest customs representatives and freight forwarders in Russia. More than 5,000 Russian small, medium and large businesses use the services of "Eltrans+".

The company carries out international and domestic transportation (road, sea, air, multimodal), warehouse storage, transportation of consolidated cargo, as well as full customs clearance of goods.

"Eltrans+" is engaged in the delivery of sanctioned goods, as well as various electronic components from China, which are used by the Russian military-industrial complex, the UNN interlocutor reported.

unn.ua EN 2025 Russia Ukraine Eltrans+ wiped Russia-Ukraine-war
Alleged Coupang data leaker had only worked at company for two years, say police https://koreajoongangdaily.joins.com/news/2025-12-11/business/industry/Alleged-Coupang-data-leaker-had-only-worked-at-company-for-two-years-say-police/2475400
13/12/2025 15:36:09

koreajoongangdaily.joins.com
BY LEE YOUNG-KEUN, KIM JI-HYE

The former Coupang employee accused of leaking the data of 33.7 million customers had worked at the company for just two years, according to police on Thursday.

According to the Seoul Metropolitan Police Agency and sources familiar with the case who spoke to the JoongAng Ilbo, the suspect in the data breach — identified as a 43-year-old developer and Chinese national — was affiliated with Coupang's Seoul office. The person joined Coupang in November 2022 and was assigned to work on a key management security system before leaving the company late last year.

“It’s difficult to understand from a common sense perspective why a newly hired developer with foreign nationality would be given access to sensitive customer information — especially in today’s security-conscious corporate environment,” said an industry source. “Given that such duties typically require strict security training and pledges, it raises questions about whether the company’s protocols were adequate.”

Coupang disclosed on Nov. 29 that approximately 37.7 million customer accounts had been exposed. The compromised data includes names, email addresses, saved delivery addresses, partial order histories and, in some cases, access codes for shared building entrances.

Due to the massive scale of the breach, police have been raiding Coupang’s headquarters in Songpa District, southern Seoul, for three consecutive days since Tuesday. Thursday's raid began around 9:40 a.m. Investigators are focused on securing records that can explain how the suspect allegedly gained access to Coupang’s security system and extracted the data. These include internal documents, work logs and system records related to the key management platform the suspect worked on during the employment period.

Police are also analyzing logs stored in the company’s security system, such as IP addresses, user credentials and access histories.

Coupang filed a criminal complaint with police on Nov. 25 regarding the leak. The police initially began an investigation based on documents submitted voluntarily by the company, but launched a compulsory search starting Tuesday. Investigators plan to trace the suspect’s methods and movements using the evidence collected in the raid. If Coupang’s negligence or legal violations are uncovered in the process, the company — currently treated as the victim — and employees responsible for handling personal information may also become subjects of investigation.

Meanwhile, the number of phishing scams linked to the Coupang breach has surged in recent days. According to Democratic Party lawmaker Lee Jeong-heon of the National Assembly’s Science, ICT, Broadcasting and Communications Committee, police received 229 phishing reports between Nov. 30 and Tuesday.

Most reports involved scams impersonating Coupang and offering fake compensation or claiming to be sending deliveries. Other familiar tactics, such as fake product review programs or phony prize announcements, were also used — many of which predate the breach.

“This incident is raising serious concerns over secondary damage such as phishing crimes,” Lee said. “Coupang and Executive Chairman Kim Bom must stop hiding behind silence and urgently take responsibility with transparent disclosure and a comprehensive compensation plan.”

koreajoongangdaily.joins.com EN 2025 Coupang data-leak
CEO of South Korean retail giant Coupang resigns after massive data breach https://techcrunch.com/2025/12/10/ceo-of-south-korean-retail-giant-coupang-resigns-after-massive-data-breach/
12/12/2025 12:17:12

techcrunch.com
1:06 PM PST · December 10, 2025
Zack Whittaker

Park Dae-jun has resigned as chief executive of South Korean retail giant Coupang after a data breach exposed the personal information of more than half of the country’s population.

In a statement, Park apologized for the breach, citing a “deep sense of responsibility for the outbreak and the subsequent recovery process.”

Coupang has replaced Park with Harold Rogers, the top lawyer at Coupang’s U.S.-based parent company, according to a machine translation of the company statement.

The retail giant, often compared to Amazon for its dominance in South Korean e-commerce and logistics, last month revealed details of a data breach affecting close to 34 million people. The breach allegedly began in June but wasn’t noticed until November, when Coupang initially said over 4,500 customers had their data stolen. The company later revised that figure dramatically upward.

The Coupang hack is the latest in a string of security incidents affecting corporate giants and the central government across the country this year, including a data center fire that led to a massive, irretrievable loss of South Korean government data.

techcrunch.com EN 2025 techcrunch.com data-breach
EU-US Data Transfers: Time to prepare for more trouble to come https://noyb.eu/en/eu-us-data-transfers-time-prepare-more-trouble-come
11/12/2025 09:44:14

noyb.eu
Blog post by Max Schrems

As instability in the US legal system becomes undeniable and the US shows open signs of hostility towards the EU, it is time to reconsider where our data is flowing

Most EU-US data transfers are based on the “Transatlantic Data Privacy Framework” (TADPF) or so-called “Standard Contractual Clauses” (SCCs). Both instruments rely on fragile US laws, non-binding regulations and case law that is under attack – and is likely to be blown up in the next months. As instability in the US legal system becomes undeniable and the US shows open signs of hostility towards the EU, it is time to reconsider where our data is flowing – and how long the legal “house of cards” that the EU has built will hold up.

Layers of US and EU law. The “bridge” that the European Commission and previous Democratic US administrations built to allow EU personal data to be processed in the US does not rely on a simple, stable US privacy law. Instead, the EU and the US relied on a wild patchwork of tons of internal guidelines and regulations, Supreme Court case law, US factual “practices” or Executive Orders.

In an attempt to make ends meet, these layers are not supporting each other, but are lined up to generate the thinnest possible connection between EU and US law – meaning that the failure of just one of the many legal elements would likely make most EU-US data transfers instantly illegal. Just like a house of cards, the instability of any individual card will make the house collapse.

Given the enormously destructive approach of the Trump administration, many elements of EU-US transfers are under attack – oftentimes not because of any direct intention. Instead, the current US administration simply attacks the US legal system and constitutional fabric at large (with the help of a highly politicised Supreme Court) – with many potential consequences for EU-US data flows.

1st Likely Point of Failure: FTC independence. This past Monday, the US Supreme Court heard a case about the independence of the Federal Trade Commission (FTC). Ever since a case in 1935 (Humphrey's Executor), it has been US Supreme Court case law that the US legislator can create “independent” bodies within the executive branch, which are somewhat isolated from the US President.

A previously fringe theory that, under the US Constitution, all powers of the executive must rest with one person only (the President) has now gained traction among US conservative lawyers. This so-called “unitary executive theory” would make any independent authority, such as the FTC, typically unconstitutional. All powers would need to be concentrated in the President.

In Trump v. Slaughter, the US Supreme Court has now heard the arguments of an FTC commissioner who was removed by Trump despite all independence guarantees in 15 U.S.C. § 41. Based on the comments and questions of the Justices, it is widely believed (see e.g. The Guardian, CNN or SCOTUS Blog) that the conservative majority on the US Supreme Court will side with Trump and (to one extent or another) follow the “unitary executive theory”, overturning FTC independence.

In combination with the US Supreme Court rulings on absolute immunity of the President, the US would thereby move increasingly towards a system where the President is an absolute “King” – at least for four years.

From a European perspective, FTC independence is a crucial element, because Article 8(3) of the EU Charter of Fundamental Rights (CFR) requires that the processing of personal data is monitored and enforced by an “independent” body. In the TADPF (and previously in the “Safe Harbor” and “Privacy Shield” systems), the EU and the US have agreed to give these powers to the FTC in the US, it being such an “independent” body. Section 2.3.4. of the TADPF decision of the European Commission highlights the enforcement role being with the FTC. Recital 61 and Footnote 92 explicitly refer to 15 U.S.C. § 41 as the basis for the necessary independence guarantees in the US.

No other element in the TADPF has the necessary investigative powers and independence. There is private arbitration as well, but it lacks any investigative powers or relevant enforcement powers. Consequently, any TADPF participant must be governed either by the independent FTC or by the DoT (for transport organizations).

Trump v. Slaughter is scheduled to be decided in June or July 2026 at the latest, but could be decided earlier. So, it’s time to “buckle up” on this one and get prepared.

One path could be to switch to SCCs or BCRs, as they do not require an independent US body for enforcement and also allow the agreement to be made subject to an EU data protection authority. However, there are also massive questions as to how already transferred data can be brought “back” under any EU-approved system, or even brought “back” to the EU in general. Furthermore, SCCs and BCRs may also be affected by massive shifts in US law (see below).

2nd Likely Point of Failure: Data Protection Review Court. Directly in connection to Trump v. Slaughter, which deals with oversight in the private sector, the parallel question arises on how the so-called “Data Protection Review Court” (DPRC) can still be relied upon as any form of realistic redress against US government surveillance.

The DPRC has many legal issues (you could easily fill a PhD thesis with these problems), but crucially the DPRC is not a real US court – also because it is not established by law. It is actually a group of people within the executive branch that is solely established by an Executive Order of Biden (EO 14.086, see details below). This group of people may at best be called a “tribunal” from the perspective of Article 6 ECHR, but even this claim is probably an overstatement.

The crux is that, in relation to Trump v. Slaughter, the “independence” of this so-called “Court” is not even established by law (as 15 USC § 41 is for the FTC), but by EO 14.086, i.e. a merely internal Presidential Order that can be changed at any time.

Logically, if the Supreme Court in Trump v. Slaughter holds that independent executive bodies are unconstitutional, it may well be that any independence claims in EO 14.086 itself are also unconstitutional. This very much depends on the line of argument that the Supreme Court will use in Trump v. Slaughter, but we may very likely see this as a direct consequence of any broader ruling.

This problem would expand far beyond the TADPF, because other transfer systems (SCCs or BCRs) rely on so-called “Transfer Impact Assessments” (TIAs) that in turn usually point to EO 14.086 and the DPRC as a ground why any EU controller came to the conclusion that US law may not overrule SCCs or BCRs beyond what is permissible under Article 7, 8 and 47 of the Charter.

If these elements are gone, we are down to Article 49 GDPR for “necessary” transfers (e.g. sending an email to the US, placing an order or booking a hotel or flight), but any “outsourcing” to US cloud providers or SaaS providers would typically not have any viable legal basis anymore.

3rd Likely Point of Failure: EO 14.086. Beyond changes in US constitutional law, there is also Trump himself as a major risk factor. As explained above, basically all forms of EU-US data transfers rely on a Biden Executive Order (EO 14.086). Trump has repeatedly threatened to overturn this EO. Already on the day of his inauguration, media reports indicated he would blindly overturn all Biden EOs. In the end he signed EO 14.148, which only overturned 68 Biden EOs and 11 Biden Presidential Memoranda – but not EO 14.086.

EO 14.148 demands that all “national security” EOs should have been reviewed within 45 days by the National Security Advisor – this should have happened by 06.03.2025. There were no reports about any subsequent changes. This does not mean that EO 14.086 was not (partially) overturned in the meantime, as the US President can issue “secret” EOs that change the published EO 14.086. Given the erratic actions by Trump, this is not an unlikely scenario.

In a recent outburst on Biden’s use of the so-called Autopen, Trump has declared all Biden EOs signed with autopens void via a Truth Social posting. It is entirely unclear whether EO 14.086 is such an “autopen” EO and if Trump’s social media postings amount to the formal overturning of these EOs. At the same time, one has to wonder if any NSA official feels overly bound by them anymore. It is also not unlikely that the Truth Social posting may be followed up with a formal EO overturning these Biden EOs.

Another indication that EO 14.086 may be on the line is the “Project 2025” agenda for the conservative takeover of the US government. On page 225, the author lashes out against EO 14.086, the EU and the allegedly unfair treatment of the US - so EO 14.086 is clearly on the agenda. To make things even more absurd, the author (Dustin Carmack) is now the new “Republican” lobbyist of Meta – a company that relies on EO 14.086 to justify its EU-US data transfers that were challenged in Schrems I and Schrems II.

Overall, EO 14.086 could fall at any moment – and with it the TADPF, and with it almost all TIAs and most SCCs and BCRs.

Many other options. While this goes beyond this blog post, there are many additional questions as to the many other elements used in the TADPF.

There are obviously still the principal questions as to whether the TADPF ever achieved “essential equivalence”. For example:

The protections in EO 14.086 were largely a 1:1 copy of an Obama EO called PPD-28, which was rejected by the CJEU in Schrems II.
The extremely high burdens for redress or the lack of any real right to be heard before the DPRC are miles away from Article 47 of the Charter.
The commercial data protection principles of the TADPF do not even require a legal basis (as required by Article 8(2) of the Charter and Article 6(1) of the GDPR), but only require that an opt-out be offered.
Furthermore, there were questions about the independence of the PCLOB or the heavy reliance of the EU on (unwritten) “US practices” – when Trump has shown that he and his administration do not even respect laws, let alone previous “practices”.

What can we do? In my view, EU governments and controllers must (more than ever) urgently prepare for very likely hits to EU-US data transfers in the next months. The US National Security Strategy has made it clear that the Trump Administration sees Europe more as an enemy than a partner and that European digital legislation is a core focus point of likely US aggression.

The only long-term solution is (unfortunately) to limit any data transfers to US providers, insofar as they have “possession, custody or control” of European personal data. There may be more offers where all factual access from the US is technically impossible – however, so far the only realistic protection that is available on the market is to switch to European providers.

noyb.eu EN 2025 EU-US Data-Transfers legal TAFPF
Office of Public Affairs | Justice Department Announces Actions to Combat Two Russian State-Sponsored Cyber Criminal Hacking Groups https://www.justice.gov/opa/pr/justice-department-announces-actions-combat-two-russian-state-sponsored-cyber-criminal
10/12/2025 17:48:38

| United States Department of Justice
justice.gov
Updated December 10, 2025

Ukrainian National Indicted and Rewards Announced for Co-Conspirators Relating to Destructive Cyberattacks Worldwide
The Justice Department announced two indictments in the Central District of California charging Ukrainian national Victoria Eduardovna Dubranova, 33, also known as Vika, Tory, and SovaSonya, for her role in conducting cyberattacks and computer intrusions against critical infrastructure and other victims around the world, in support of Russia’s geopolitical interests. Dubranova was extradited to the United States earlier this year on an indictment charging her for her actions supporting CyberArmyofRussia_Reborn (CARR). Today, Dubranova was arraigned on a second indictment charging her for her actions supporting NoName057(16) (NoName). Dubranova pleaded not guilty in both cases, and is scheduled to begin trial in the NoName matter on Feb. 3, 2026 and in the CARR matter on April 7, 2026.

As described in the indictments, the Russian government backed CARR and NoName by providing, among other things, financial support. CARR used this financial support to access various cybercriminal services, including subscriptions to distributed denial of service-for-hire services. NoName was a state-sanctioned project administered in part by an information technology organization established by order of the President of Russia in October 2018 that developed, along with other co-conspirators, NoName’s proprietary distributed denial of service (DDoS) program.

“Today’s actions demonstrate the Department’s commitment to disrupting malicious Russian cyber activity — whether conducted directly by state actors or their criminal proxies — aimed at furthering Russia’s geopolitical interests,” said Assistant Attorney General for National Security John A. Eisenberg. “We remain steadfast in defending essential services, including food and water systems Americans rely on each day, and holding accountable those who seek to undermine them.”

“Politically motivated hacktivist groups, whether state-sponsored like CARR or state-sanctioned like NoName, pose a serious threat to our national security, particularly when foreign intelligence services use civilians to obfuscate their malicious cyber activity targeting American critical infrastructure as well as attacking proponents of NATO and U.S. interests abroad,” said First Assistant U.S. Attorney Bill Essayli for the Central District of California. “The charges announced today demonstrate our commitment to eradicating global threats to cybersecurity and pursuing malicious cyber actors working on behalf of adversarial foreign interests.”

“When pro-Russia hacktivist groups target our infrastructure, the FBI will use all available tools to expose their activity and hold them accountable,” said Assistant Director Brett Leatherman of the FBI Cyber Division. “Today’s announcement demonstrates the FBI’s commitment to disrupt Russian state-sponsored cyber threats, including reckless criminal groups supported by the GRU. The FBI doesn’t just track cyber adversaries – we work with global partners to bring them to justice.”

“The defendant’s illegal actions to tamper with the nation’s public water systems put communities and the nation’s drinking water resources at risk,” said EPA Acting Assistant Administrator Craig Pritzlaff. “These criminal charges serve as an unequivocal warning to malicious cyber actors in the U.S. and abroad: EPA’s Criminal Investigation Division and our law enforcement partners will not tolerate threats to our nation’s water infrastructure and will pursue justice against those who endanger the American public. EPA is unwavering in its commitment to clean, safe water for all Americans.”

Cyber Army of Russia Reborn

According to the indictment, CARR, also known as Z-Pentest, was founded, funded, and directed by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). CARR claimed credit for hundreds of cyberattacks against victims worldwide, including attacks against critical infrastructure in the United States, in support of Russia’s geopolitical interests. CARR regularly posted on Telegram claiming credit for its attacks and published photos and videos depicting its attacks. CARR primarily hacked industrial control facilities and conducted DDoS attacks. CARR’s victims included public drinking water systems across several states in the U.S., resulting in damage to controls and the spilling of hundreds of thousands of gallons of drinking water. CARR also attacked a meat processing facility in Los Angeles in November 2024, spoiling thousands of pounds of meat and triggering an ammonia leak in the facility. CARR has attacked U.S. election infrastructure during U.S. elections, and websites for U.S. nuclear regulatory entities, among other sensitive targets.

An individual operating as “Cyber_1ce_Killer,” a moniker associated with at least one GRU officer, instructed CARR leadership on what kinds of victims CARR should target, and his organization financed CARR’s access to various cybercriminal services, including subscriptions to DDoS-for-hire services. At times, CARR had more than 100 members, including juveniles, and more than 75,000 followers on Telegram.

The CARR indictment charges Dubranova with one count of conspiracy to damage protected computers and tamper with public water systems, one count of damaging protected computers, one count of access device fraud, and one count of aggravated identity theft. If convicted of these charges, Dubranova would face a statutory maximum penalty of 27 years in federal prison.

NoName057(16)

NoName was a covert project whose membership included multiple employees of The Center for the Study and Network Monitoring of the Youth Environment (CISM), among other cyber actors. CISM was an information technology organization established by order of the President of Russia in October 2018 that purported to, among other things, monitor the safety of the internet for Russian youth.

According to the indictment, NoName claimed credit for hundreds of cyberattacks against victims worldwide in support of Russia’s geopolitical interests. NoName regularly posted on Telegram claiming credit for its attacks and published proof of victim websites being taken offline. The group primarily conducted DDoS cyberattacks using their own proprietary DDoS tool, DDoSia, which relied on network infrastructure around the world created by employees of CISM.

NoName’s victims included government agencies, financial institutions, and critical infrastructure, such as public railways and ports. NoName recruited volunteers from around the world to download DDoSia and used their computers to launch DDoS attacks on the victims that NoName leaders selected. NoName also published a daily leaderboard of volunteers who launched the most DDoS attacks on its Telegram channel and paid top-ranking volunteers in cryptocurrency for their attacks.

The NoName indictment charges Dubranova with one count of conspiracy to damage protected computers. If convicted of this charge, Dubranova would face a statutory maximum penalty of five years in federal prison.

Concurrent with today’s actions, the U.S. Department of State has offered potential rewards for up to $2 million for information on individuals associated with CARR and up to $10 million for information on individuals associated with NoName. Additionally, today the FBI, CISA, NSA, DOE, EPA, and DC3 issued a Joint Cybersecurity Advisory assessing that pro-Russia hacktivist groups, like CARR and NoName, target minimally secured, internet-facing virtual network computing connections to infiltrate (or gain access to) operational technology control devices within critical infrastructure systems to execute attacks against critical infrastructure, resulting in varying degrees of impact, including physical damage.

On July 19, 2024, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions targeting two CARR members, Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, for their roles in cyber operations against U.S. critical infrastructure. These two individuals were the group’s leader and a primary hacker, respectively.

The FBI Los Angeles Field Office investigated the CARR and NoName cases as part of FBI’s Operation Red Circus, an ongoing operation to disrupt Russian state-sponsored cyberthreats to U.S. critical infrastructure and interests abroad.

Assistant U.S. Attorneys Angela Makabali and Alexander Gorin for the Central District of California and Trial Attorney Greg Nicosia of the National Security Division’s National Security Cyber Section are prosecuting these cases. Assistant U.S. Attorney James E. Dochterman for the Central District of California is handling the forfeiture cases. The Justice Department’s Office of International Affairs provided significant assistance for both investigations.

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

justice.gov EN 2025 US NoName057(16) Cyber-Army-of-Russia-Reborn State-Sponsored Russia
NASA spacecraft were vulnerable to hacking for 3 years and nobody knew. AI found and fixed the flaw in 4 days https://www.space.com/technology/nasa-spacecraft-were-vulnerable-to-hacking-for-3-years-and-nobody-knew-ai-found-and-fixed-the-flaw-in-4-days
09/12/2025 21:02:09

space.com
By Tereza Pultarova published 2 days ago

An AI start-up has found a vulnerability in security software protecting NASA's ground control communications with satellites in space.
"A vulnerability in this software poses a threat to billions of dollars in space infrastructure and the scientific missions they enable."

Communications between Earth and NASA spacecraft were critically vulnerable to hacking for years until an AI found the flaw and fixed it in just four days.

The vulnerability was sniffed out by an AI cybersecurity algorithm developed by California-based start-up AISLE and resides in the CryptoLib security software that protects spacecraft-to-ground communications. The vulnerability could have enabled hackers to seize control over countless space missions including NASA's Mars rovers, according to the cybersecurity researchers.

"For three years, the security system meant to protect spacecraft-to-ground communications contained a vulnerability that could undermine that protection," the AISLE cyber-security researchers wrote in a blog post on the company's website describing the vulnerability. "A vulnerability in this software poses a threat to billions of dollars in space infrastructure and the scientific missions they enable."

The researchers said the vulnerability was found in the authentication system and could have been exploited through compromised operator credentials. For example, the attackers could have gained access to user names and passwords of NASA employees through social engineering methods such as phishing, or by infecting computers with viruses uploaded to USB drives and left where personnel could find them.

"The vulnerability transforms what should be routine authentication configuration into a weapon," the researchers wrote. "An attacker … can inject arbitrary commands that execute with full system privileges."

In other words, an attacker could remotely hijack the spacecraft or just intercept the data it is exchanging with ground control.

Fortunately, to gain access to the spacecraft through the CryptoLib vulnerability would require the attackers to, at some point, have local access to the system, which "reduces the attack surface compared to a remotely exploitable flaw," the researchers said in the blog post.

space.com EN 2025 NASA US AI vulnerable spacecraft CryptoLib
GNSS Interference in the Baltic Sea: A Collaborative Study https://gpspatron.com/gnss-interference-in-the-baltic-sea-a-collaborative-study-by-gpspatron-and-gdynia-maritime-university/#Key_Findings
09/12/2025 11:04:50

by GPSPATRON and Gdynia Maritime University | GPSPATRON.com

Discover the latest findings on GNSS interference in the Baltic Sea from a joint study by GPSPATRON and Gdynia Maritime University.

Introduction
GNSS interference has become a growing challenge in the Baltic Sea, affecting maritime navigation, aviation, and critical infrastructure. While numerous datasets and services, such as gpsjam.org, spoofing.skai-data-services.com, and flightradar24, report high-altitude GNSS interference based on ADS-B data, there is a significant lack of studies focusing on ground-level interference. Since most critical infrastructure relies on GNSS at ground level, this gap in research leaves many questions unanswered about the real-world impact of interference on essential systems. To bridge this knowledge gap, GPSPATRON and Gdynia Maritime University have established a scientific and technical collaboration aimed at systematically studying GNSS interference at ground level. This partnership combines GPSPATRON’s expertise in real-time GNSS interference monitoring and classification with the Faculty of Navigation at Gdynia Maritime University’s extensive knowledge of how GNSS spoofing and jamming affect maritime navigation, port security, and vessel operations.

The study, conducted from June to November 2024, utilized GPSPATRON’s proprietary GNSS interference monitoring system, integrating the GP-Probe TGE2-CH3 sensor and the GP-Cloud platform. The GP-Probe TGE2-CH3 is a high-end GNSS signal monitoring device designed to capture full-spectrum GNSS signals and transmit them in real time to GP-Cloud for processing. The sensor collects raw signal data, enabling comprehensive analysis of jamming, spoofing, and other anomalies affecting GNSS performance.

GP-Cloud, GPSPATRON’s cloud-based analytics platform, processes and interprets incoming data, identifying interference patterns, classifying anomalies, and providing real-time visualization. By working in tandem, the GP-Probe continuously streams data, while GP-Cloud applies advanced algorithms to detect disruptions, measure their impact, and generate detailed reports.

The sensor was installed on the Faculty of Navigation building at Gdynia Maritime University, directly on the shoreline at approximately 15 meters above sea level. The accompanying screenshot shows the exact installation location on a map, where detection range circles indicate the estimated distances at which interference sources with different antenna heights could be detected.

The primary goal of this research was to characterize the occurrence, patterns, and potential sources of GNSS interference affecting ground-level infrastructure. Unlike previous studies that relied on ADS-B data from aircraft at high altitudes, this research provided a unique perspective by focusing on low-altitude and ground-based disruptions. Through continuous monitoring and spectral analysis, the study aimed to identify the nature of interference, assess its impact on GNSS accuracy, and explore potential mitigation strategies.

This collaborative effort represents a significant step toward understanding and mitigating GNSS interference threats in the Baltic region. The findings contribute valuable insights to maritime authorities, port operators, and regulatory bodies, highlighting the need for enhanced GNSS monitoring capabilities to protect critical navigation and communication systems.

Key Findings
A total of 84 hours of GNSS interference was detected, confirming persistent disruptions in the region, primarily caused by jamming rather than spoofing.
October recorded the highest interference activity, with six major jamming incidents totaling 29 hours, highlighting an intensified interference pattern.
Two primary interference types were identified:
Multi-constellation jamming, detected throughout June to September, indicating broad-spectrum interference affecting multiple GNSS systems.
Multi-tone interference, first observed in October, suggesting a change in jamming tactics, potentially signaling more sophisticated techniques.
Long-duration interference events exceeding 7 hours were recorded, significantly disrupting GNSS-dependent maritime navigation, port operations, and infrastructure reliability.
Severe degradation in GNSS positioning accuracy was observed during interference events, with errors increasing from the nominal 3–5 meters to over 35 meters, posing safety and operational risks.
No correlation was found between terrestrial GNSS interference and ADS-B-based detections, reinforcing the limitations of relying solely on airborne interference monitoring systems to assess threats to ground-level infrastructure.
Strong indications of mobile maritime jamming sources were identified, with interference signals exhibiting movement patterns consistent with vessels navigating in the Baltic Sea.

gpspatron.com EN 2025 GNSS BalticSea Interference
FinCEN Issues Financial Trend Analysis on Ransomware https://www.fincen.gov/news/news-releases/fincen-issues-financial-trend-analysis-ransomware
08/12/2025 20:26:14

| FinCEN.gov
December 04, 2025

WASHINGTON—Today, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) is issuing a Financial Trend Analysis on ransomware incidents in Bank Secrecy Act (BSA) data between 2022 and 2024, which totaled more than $2.1 billion in ransomware payments.

“Banks and other financial institutions play a key role in protecting our economy from ransomware and other cyber threats,” said FinCEN Director Andrea Gacki. “By quickly reporting suspicious activity under the Bank Secrecy Act, they provide law enforcement with critical information to help detect cybersecurity trends that can damage our economy. This work is vital to safeguarding our nation’s financial sector and strengthening our national security.”

Previous FinCEN Financial Trend Analyses have focused on reported ransomware payments and incidents by the date the activity was filed with FinCEN. Today’s report shifts the focus to the incident date of each ransomware attack and offers greater visibility into the activities conducted by ransomware actors.

Reported Ransomware Incidents and Payments Reach All-Time High in 2023

Ransomware incidents and payments reported to FinCEN reached their highest level in 2023 with 1,512 incidents, totaling $1.1 billion in payments—an increase of 77 percent in total payments year-over-year from 2022 to 2023.
Following law enforcement’s disruption of two high-profile ransomware groups, ransomware incidents reported to FinCEN decreased in 2024, with 1,476 incidents, reflecting $734 million in the aggregate value of reported payments in BSA reports.
The median amount of a single ransomware transaction was $124,097 in 2022; $175,000 in 2023; and $155,257 in 2024. Between 2022 and 2024, the most common payment amount range was below $250,000.
FinCEN Data Shows Ransomware Payments Top $2.1B in Just Three Years

During the three-year review period (January 2022 – December 2024), FinCEN received 7,395 BSA reports related to 4,194 ransomware incidents totaling more than $2.1 billion in ransomware payments.
During the previous nine-year period (2013 through the end of 2021) FinCEN received 3,075 BSA reports totaling approximately $2.4 billion in ransomware payments.
Financial Services, Manufacturing, and Healthcare were the Most Impacted Industries

The manufacturing industry accounted for 456 incidents totaling approximately $284.6 million reported payments; the financial services industry accounted for 432 incidents totaling approximately $365.6 million reported payments; and the healthcare industry accounted for 389 incidents totaling approximately $305.4 million reported payments.
The Onion Router (TOR) was the Most Common Communication Method Reported

Threat actors most often communicated with their intended ransomware targets via messages sent over The Onion Router protocol, accounting for 67 percent of reports that provided the communication method.
Other ransomware threat actors communicated with their intended targets via email or through other private encrypted messaging systems.
ALPHV/BlackCat was the Most Prevalent Ransomware Variant Between 2022 and 2024

FinCEN identified more than 200 ransomware variants reported in BSA data.
The most reported variants were Akira, ALPHV/BlackCat, LockBit, Phobos, and Black Basta.
The 10 variants with the highest cumulative payment amounts identified in BSA reports accounted for approximately $1.5 billion in payments.
Ransomware is a complex cybersecurity problem requiring a variety of preventive, protective, and preparatory best practices. More information on FinCEN’s efforts to combat ransomware, including guidance and other resources for financial institutions, is available at www.fincen.gov/resources/fincen-combats-ransomware.

FinCEN’s FTA is available online at Ransomware Trends in Bank Secrecy Act Data.

Questions or comments regarding the contents of this release should be addressed to the FinCEN Regulatory Support Section by submitting an inquiry at www.fincen.gov/contact.

FinCEN periodically publishes Financial Trend Analyses describing threat pattern and trend information derived from Bank Secrecy Act (BSA) filings to highlight priority illicit finance risks. These analyses provide information that is relevant to a wide range of consumers, businesses, and industries; communicate the value of BSA reporting; and enhance feedback loops between government users of BSA reports and their filers. Additionally, Financial Trend Analyses fulfill FinCEN’s obligations pursuant to section 6206 of the Anti-Money Laundering Act of 2020, which requires FinCEN to periodically publish threat pattern and trend information derived from BSA filings.

fincen.gov EN 2025 Ransomware analysis trends US
Notice about your account information https://www.freedommobile.ca/en-CA/privacy-notice
08/12/2025 20:24:10

| Freedom Mobile
December 3, 2025

At Freedom Mobile, we take the protection of personal information very seriously. We want to inform you about a recent privacy incident that requires your attention.

On October 23, we detected unauthorized activity on our customer account management platform. Our investigation revealed that a third party used the account of a subcontractor to gain access to the personal information of a limited number of our customers. We quickly identified the incident and implemented corrective measures and security enhancements, including blocking the suspicious accounts and corresponding IP addresses.

While our teams continue to closely monitor the situation to prevent any further unauthorized access, we wanted to inform you of the incident so that you can take precautionary measures.

What personal information was accessed?

First and last name

Home address

Date of birth

Phone number (home and/or cell)

Freedom Mobile account number

Rest assured that this incident did not affect your payment information or passwords.

Although we have no reason to believe that this information was misused, we encourage you to follow best practices to protect your data:

Protect your personal information: Be cautious of any unexpected messages asking for personal information or directing you to a website to enter it. Freedom Mobile will never ask you for personal information such as credit card numbers, banking information, passwords, or PIN codes by email or SMS.

Stay alert with messages: Avoid clicking on links or downloading attachments from emails or texts that seem suspicious.

Monitor your accounts: Regularly check your accounts for unusual or suspicious activity.

To learn more about different types of fraud and how to protect yourself, visit the Canadian Anti-Fraud Centre website at https://antifraudcentre-centreantifraude.ca.

We’re sorry this happened and understand it may cause concern. If you have any questions, please contact us at privacyofficer@freedommobile.ca

Thank you for your attention.

freedommobile.ca EN 2025 data-breach Canada
Exclusive: Handala's Thailand Blunder - MOIS Accidentally Exposes Access to Bangkok Airport https://blog.narimangharib.com/posts/2025%2F12%2F1764764643623?lang=en
08/12/2025 19:29:02

| Nariman Gharib
December 3, 2025

The cyber group "Banished Kitten," operating under the alias "Handala" and affiliated with the Ministry of Intelligence and Security of Iran (MOIS), has once again exposed its own clumsy operations. This time, the group inadvertently revealed confidential access to Suvarnabhumi Airport (BKK) in Bangkok, Thailand, while attempting to claim they had compromised Israeli airport security. As previously reported, "Handala" operates under MOIS's Counter-Terrorism (CT) division, led by Seyed Yahya Hosseini Panjaki (alias "Seyed Yahya Hamidi"), Deputy of Internal Security at MOIS. Hosseini's reckless actions continue to endanger Iran's national interests, further exposing the group's incompetence.

The Blunder

On November 15, 2025, "Handala" published a propaganda piece titled "Smile for the Camera – Handala Is Watching," boasting about access to "Shabak's airport security systems" (Israel's domestic security agency). The post threatened: "Our presence defies your imagination. Handala is not just a name; it's a shadow, a watchful gaze in places you never expect, even at the exit cameras of your airport gates."

There's just one problem: the images aren't from Israel. A simple comparison of the published airport surveillance images with publicly available references clearly identifies the location as Suvarnabhumi Airport (BKK) in Bangkok, Thailand, not Ben Gurion Airport. The evidence is clear: the distinctive exposed steel beam ceiling structure, the immigration hall layout with its recognizable queue barriers, and the terminal's characteristic architecture all unmistakably match Bangkok's main international hub. The images show travelers in the passport control area with Suvarnabhumi's signature industrial ceiling design and escalators visible in the background. Once again, the CT Division's amateur operatives have failed basic operational security. This marks the first time the group has publicly disclosed accessing critical infrastructure outside Israel.

Suvarnabhumi Airport is no small target. According to official statistics, BKK handled 62,234,693 passengers in 2024, making it the busiest airport in Thailand, the 9th busiest airport in Asia, and ranking among the top 25 busiest airports worldwide. The airport serves as a major transit hub connecting Asia, Europe, and the Middle East, with traffic increasing 20% compared to the previous year. Since the airport's third runway opened in November 2024, capacity has expanded to 94 flights per hour, and Suvarnabhumi is investing heavily in becoming a world-class hub.

What makes this breach particularly concerning is the sophistication of the systems potentially compromised. Suvarnabhumi Airport operates AI-powered facial recognition technology, license plate tracking, and integrated CCTV systems across the facility. The airport's Thailand Immigration System (TIS) maintains both "black lists" and "watch lists" with detection capabilities within 20 seconds of passport scanning. If MOIS has access to these systems, they could potentially monitor travelers, track movements, and identify targets passing through one of Asia's busiest transit points.

Warning to Iranians

Dear Iranians: even in Thailand, a popular destination and transit point for Iranian citizens traveling abroad, the oppressive regime is watching you. The Islamic Republic's intelligence apparatus has extended its surveillance to monitor Iranians traveling through Bangkok. Whether for business, tourism, or seeking freedom abroad, your movements may be tracked by Seyed Yahya's amateur operatives. With over 62 million passengers transiting through BKK annually, the potential for surveillance and targeting of Iranian dissidents, activists, and ordinary citizens is significant. It should be noted that Thailand is one of the few countries that Iranian citizens can travel to without needing a visa.

It's no surprise that "Handala" continues to make operational security mistakes. As recently exposed by Iran International, Ali Bermoudeh, a 27-year-old amateur hacker from Tabriz whose passwords for key accounts are simply his birthdate, works for this reckless group. His handler at MOIS is Morteza Aftabifar. When your cyber operators can't distinguish between Tel Aviv and Bangkok, and secure their accounts with passwords like "1377629", perhaps it's time for Seyed Yahya to reconsider his recruitment standards.

Thai authorities should be aware: the Islamic Republic's Ministry of Intelligence has compromised security systems at Suvarnabhumi Airport. This is not speculation. MOIS's own cyber group published the evidence themselves. A breach of this magnitude by a state-sponsored threat actor, one designated as a terrorist organization by the European Union, demands immediate investigation and response. But hey, at least they got the continent right this time. The real question is: what will Thailand do about it?

narimangharib.com EN 2025 banished-kitten suvarnabhumi-airport bkk thailand seyed-yahya-hosseini-panjak ali-bermoudeh storm-0842 Iran Israel
Coupang Executives Sell Shares After Data Breach https://www.chosun.com/english/world-en/2025/12/03/GOECFCEF6VCVJMKOYDLCAGD43A/
08/12/2025 19:26:13

chosun.com

Coupang executives sold shares post-breach; President Lee Jae-myung seeks responsibility.

Amid growing calls for accountability against Kim Bom-suk, 47, chairman of Coupang Inc., over the data breach affecting 33.7 million individuals, it has been confirmed that key Coupang executives sold billions of won worth of company stock. The timing of these sales—immediately after the incident—is expected to spark significant controversy.

According to a U.S. Securities and Exchange Commission (SEC) filing on the 2nd (local time), Gaurav Anand, Coupang’s chief financial officer (CFO), reported selling 75,350 Coupang Inc. shares at approximately $29 per share on the 10th of last month. The sale amounted to around $2.186 million (approximately 3.2 billion Korean won). Additionally, former Vice President Pranam Kolari sold 27,388 Coupang shares on the 17th of last month, with the transaction valued at $772,000 (approximately 1.13 billion Korean won). Kolari, who oversaw search and recommendation technologies, resigned on the 14th of last month. However, the SEC confirmed he had notified the company of his resignation on October 15th, prior to the incident.

According to a breach incident report submitted to the Korea Internet & Security Agency (KISA) and obtained by the office of Science, ICT, Broadcasting, and Communications Committee Chairman Representative Choi Min-hee, Coupang reported unauthorized access to its account information at 6:38 p.m. on the 6th of last month. This predates the executives’ stock sales. However, the company recorded the time of awareness as 10:52 p.m. on the 18th of last month. While the sales occurred before the company publicly acknowledged the breach, the transactions took place after the incident itself, making controversy inevitable.

Domestically, criticism has emerged holding Chairman Kim ultimately responsible for the incident. President Lee Jae-myung also stated during a Cabinet meeting on the 2nd, “Coupang has caused significant public concern. The cause of the accident must be identified swiftly, and responsibility must be held strictly,” while instructing measures such as strengthening penalties and implementing a punitive damages system.

chosun.com EN 2025 Executives Coupang data-breach accountability stock
React2Shell: Rapid CVE-2025-55182 Exploitation Exposed https://cyble.com/blog/react2shell-cve-2025-55182-rapid-exploitation/
08/12/2025 19:23:20

cyble.com
December 8, 2025

China-nexus groups rapidly exploited React2Shell (CVE-2025-55182). Learn how the React Server Components flaw was weaponized within minutes of disclosure.

React2Shell (CVE-2025-55182) was exploited within minutes by China-nexus groups, exposing critical weaknesses in React Server Components.
The vulnerability disclosure cycle has entered a new era, one where the gap between publication and weaponization is measured in minutes, not days. It has been confirmed that China-nexus threat actors began actively exploiting a critical React Server Components flaw, React2Shell, only hours after its public release.

The vulnerability, tracked as CVE-2025-55182, impacts React Server Components across React 19.x and Next.js 15.x/16.x deployments using the App Router and carries a CVSS 10.0 severity rating, enabling unauthenticated remote code execution (RCE).

CISA immediately added the flaw to its Known Exploited Vulnerabilities catalog, stating:
“CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.”

The Researcher’s PoCs and the Mechanism of Exploitation
Lachlan Davidson, who has been attributed with finding this flaw, published the original PoCs on GitHub, explaining:

“As public PoCs are circulating and Google’s Scanner uses a variation of my original submitted PoC, it’s finally a responsible time to share my original PoCs for React2Shell.”

Davidson released three PoCs, 00-very-first-rce-poc, 01-submitted-poc.js, and 02-meow-rce-poc, and summarized the attack chain:

“$@x gives you access to a Chunk”
“We plant its then on our own object”
“The JS runtime automatically unravels nested promises”
“We now re-enter the parser, but with control of a malicious fake Chunk object”
“Planting things on _response lets us access a lot of gadgets”
“RCE”
He also noted that “the publicly recreated PoC… did otherwise use the same _formData gadget that mine did”, though the chaining primitive in his then-based implementation was not universally adopted.

Rapid Weaponization by China-Nexus Groups
AWS detected exploitation beginning within hours of public disclosure on December 3, based on telemetry from its MadPot honeypot infrastructure. The actors included:

Earth Lamia, known for targeting financial, logistics, and government sectors across Latin America, MENA, and Southeast Asia.
Jackpot Panda, primarily focused on East and Southeast Asian organizations aligned with domestic security interests.
AWS stated, “China continues to be the most prolific source of state-sponsored cyber threat activity, with threat actors routinely operationalizing public exploits within hours or days of disclosure.”

Attackers overwhelmingly prioritized speed over precision, firing flawed and incomplete public PoCs at large swaths of the internet in a high-volume scanning wave. Many PoCs made unrealistic assumptions, such as assuming exposed fs, vm, or child_process modules that never appear in real deployments.

Yet this volume-based strategy still identifies edge-case vulnerable configurations.

Technical Analysis: React2Shell in the RSC Flight Protocol
CRIL (Cyble Research and Intelligence Labs) found that at its core, CVE-2025-55182 (React2Shell) is an unsafe deserialization flaw in the React Server Components Flight protocol. It affects:

react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack
Across React versions 19.0.0–19.2.0, patched in 19.0.1, 19.1.2, and 19.2.1.

Next.js is additionally vulnerable under CVE-2025-66478, impacting all versions from 14.3.0-canary.77, all unpatched 15.x builds, and all 16.x releases before 16.0.7.
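The first remediation step any team faces is working out whether the versions actually installed fall inside the ranges listed above. The following is an added example, not code from Cyble, React or Next.js: it walks a package-lock.json "packages" map and flags the react-server-dom-* packages and Next.js against the ranges stated in this write-up (19.0.0–19.2.0 affected, fixed in 19.0.1 / 19.1.2 / 19.2.1; Next.js 16.x fixed in 16.0.7). The patched 15.x release is not given above, so 15.x and 14.3.x are reported as "review" rather than decided. The lockfile fragment is constructed, and the handling of prerelease tags (a canary of the fixed patch level is treated as unfixed) is an assumption of this example.

```javascript
// Added example (not Cyble's, React's or Next.js' own code): flag lockfile
// entries whose versions fall inside the ranges listed in the article above.
// Sample lockfile below is constructed; prerelease handling is an assumption.

const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// First fixed patch level per affected React 19 minor line
// (19.0 -> 19.0.1, 19.1 -> 19.1.2, 19.2 -> 19.2.1), as stated in the article.
const REACT_FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Below the fix when the patch number is lower, or when it is a prerelease of
// the fixed patch level (x.y.z-canary.N sorts before x.y.z). Assumption.
function belowFix(p, fixedPatch) {
  return p.patch < fixedPatch || (p.patch === fixedPatch && p.pre !== null);
}

// Returns { name, version, status, reason }; status is one of
// "vulnerable", "review", "ok", "unknown".
function assessPackage(name, version) {
  const p = parseVersion(version);
  if (!p) return { name, version, status: "unknown", reason: "unparseable version" };
  if (RSC_PACKAGES.has(name)) {
    const fixed = p.major === 19 ? REACT_FIXED_PATCH[p.minor] : undefined;
    if (fixed !== undefined && belowFix(p, fixed)) {
      return { name, version, status: "vulnerable", reason: `upgrade to 19.${p.minor}.${fixed}` };
    }
    return { name, version, status: "ok", reason: "outside the listed 19.0.0-19.2.0 range" };
  }
  if (name === "next") {
    if (p.major === 16) {
      return p.minor === 0 && belowFix(p, 7)
        ? { name, version, status: "vulnerable", reason: "upgrade to 16.0.7" }
        : { name, version, status: "ok", reason: "16.0.7 or later" };
    }
    if (p.major === 15 || (p.major === 14 && p.minor === 3)) {
      return { name, version, status: "review", reason: "patched 15.x / 14.3 canary version not listed above; check the advisory" };
    }
    return { name, version, status: "ok", reason: "outside the listed range" };
  }
  return { name, version, status: "ok", reason: "package not listed" };
}

// Walk a package-lock.json v2/v3 "packages" map; keys look like
// "node_modules/<name>" or "node_modules/<dep>/node_modules/<name>" (nested).
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0 || !entry.version) continue;
    const name = path.slice(idx + "node_modules/".length);
    const a = assessPackage(name, entry.version);
    if (a.status !== "ok") findings.push(a);
  }
  return findings;
}

// Constructed lockfile fragment for the demonstration (not a real project).
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next": { version: "16.0.6" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/some-lib/node_modules/react-server-dom-turbopack": { version: "19.1.2" },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of SAMPLE_LOCK; anything reported as "vulnerable" needs the upgrade, rebuild and redeploy the advisories describe, and "review" entries need the advisory's exact patched version, which this item does not state.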

Attack telemetry showed:

Automated scanners with user-agent randomization
Parallel exploitation of CVE-2025-1338
Immediate PoC adoption regardless of accuracy
Manual exploitation attempts, including whoami, id, and /etc/passwd reads
File write attempts such as /tmp/pwned.txt
A concentrated cluster originating from 183[.]6.80.214 executed 116 requests over 52 minutes, demonstrating active operator involvement.

Cloudflare’s Emergency Downtime While Mitigating React2Shell
The severity of React2Shell (CVE-2025-55182) was spotlighted when Cloudflare intentionally took down part of its own network to apply emergency defenses. The outage affected 28% of Cloudflare-served HTTP traffic early Friday.

Cloudflare CTO Dane Knecht clarified that the disruption “was not caused, directly or indirectly, by a cyberattack… Instead, it was triggered by changes being made to our body parsing logic while attempting to detect and mitigate an industry-wide vulnerability disclosed this week in React Server Components.”

This incident unfolded as researchers observed attackers hammering the vulnerability, alongside waves of legitimate and fraudulent proofs of concept circulating online.

Global Warnings Ring-In
The Australian Cyber Security Centre (ACSC) issued a public notice, stating, “This alert is relevant to all Australian businesses and organizations… ASD’s ACSC is aware of a critical vulnerability in React Server Components… Organizations should review their networks for vulnerable instances of these packages and upgrade to fixed versions.”

Organizations must assume that scanning for React2Shell is continuous and widespread. ACSC outlined some immediate steps for mitigation.

Update all React/Next.js deployments: Verify versions against vulnerable ranges and upgrade to patched releases.
Enable AWS WAF interim protection rules: These block known exploit sequences during patching windows.
Review logs for exploitation indicators: Look for malformed RSC payloads, next-action or rsc-actionid headers, and repeated sequential failures.
Inspect backend systems for post-exploitation behavior: Unexpected execution, unauthorized file writes, or suspicious commands.
Conclusion
The exploitation of React2Shell (CVE-2025-55182) shows how quickly high-severity vulnerabilities in critical and widely adopted components can be weaponized. China-nexus groups and opportunistic actors began targeting the flaw within minutes of disclosure, using shared infrastructure and public PoCs, accurate or not, to launch high-volume attacks. Organizations using React or Next.js App Router must patch immediately and monitor for iterative, operator-driven activity.

Given this tempo, organizations need intelligence and automation that operate in real time. Cyble, ranked #1 globally in Cyber Threat Intelligence Technologies by Gartner Peer Insights, provides AI-native security capabilities through platforms such as Cyble Vision and Blaze AI. These systems identify threats early, correlate IOCs across environments, and automate response actions.

Schedule a personalized demo to evaluate how AI-native threat intelligence can strengthen your security posture against vulnerabilities like React2Shell.

Indicators of Compromise
206[.]237.3.150
45[.]77.33.136
143[.]198.92.82
183[.]6.80.214
MITRE ATT&CK Techniques
Tactic                Technique ID   Technique Name
Initial Access        T1190          Exploit Public-Facing Application
Privilege Escalation  T1068          Exploitation for Privilege Escalation

cyble.com EN 2025 React2Shell CVE-2025-55182 Exploitation
React2Shell flaw exploited to breach 30 orgs, 77k IP addresses vulnerable https://www.bleepingcomputer.com/news/security/react2shell-flaw-exploited-to-breach-30-orgs-77k-ip-addresses-vulnerable/
08/12/2025 19:12:17

bleepingcomputer.com
By Lawrence Abrams
December 6, 2025

Over 77,000 Internet-exposed IP addresses are vulnerable to the critical React2Shell remote code execution flaw (CVE-2025-55182), with researchers now confirming that attackers have already compromised over 30 organizations across multiple sectors.

React2Shell is an unauthenticated remote code execution vulnerability that can be exploited via a single HTTP request and affects all frameworks that implement React Server Components, including Next.js, which uses the same deserialization logic.

React disclosed the vulnerability on December 3, explaining that unsafe deserialization of client-controlled data inside React Server Components enables attackers to trigger remote, unauthenticated execution of arbitrary commands.

Developers are required to update React to the latest version, rebuild their applications, and then redeploy to fix the vulnerability.

On December 4, security researcher Maple3142 published a working proof-of-concept demonstrating remote command execution against unpatched servers. Soon after, scanning for the flaw accelerated as attackers and researchers began using the public exploit with automated tools.

Over 77,000 vulnerable IP addresses
The Shadowserver Internet watchdog group now reports that it has detected 77,664 IP addresses vulnerable to the React2Shell flaw, with approximately 23,700 in the United States.

The researchers determined that IP addresses were vulnerable using a detection technique developed by Searchlight Cyber/Assetnote, where an HTTP request was sent to servers to exploit the flaw, and a specific response was checked to confirm whether a device was vulnerable.

GreyNoise also recorded 181 distinct IP addresses attempting to exploit the flaw over the past 24 hours, with most of the traffic appearing automated. The researchers say the scans are primarily originating from the Netherlands, China, the United States, Hong Kong, and a small number of other countries.

Palo Alto Networks reports that more than 30 organizations have already been compromised through the React2Shell flaw, with attackers exploiting the vulnerability to run commands, conduct reconnaissance, and attempt to steal AWS configuration and credential files.

These compromises include intrusions linked to known state-associated Chinese threat actors.

Widespread exploitation of React2Shell
Since its disclosure, researchers and threat intelligence companies have observed widespread exploitation of the CVE-2025-55182 flaw.

GreyNoise reports that attackers frequently begin with PowerShell commands that perform a basic math function to confirm the device is vulnerable to the remote code execution flaw.

These tests return predictable results while leaving minimal signs of exploitation:

powershell -c "4013841979"
powershell -c "40320
43488"
Once remote code execution was confirmed, attackers were seen executing base64-encoded PowerShell commands that download additional scripts directly into memory.

powershell -enc <base64>
One observed command executes a second-stage PowerShell script from the external site (23[.]235[.]188[.]3), which is used to disable AMSI to bypass endpoint security and deploy additional payloads.

According to VirusTotal, the PowerShell script observed by GreyNoise installs a Cobalt Strike beacon on the targeted device, giving threat actors a foothold on the network.

Amazon AWS threat intelligence teams also saw rapid exploitation hours after the disclosure of the React CVE-2025-55182 flaw, with infrastructure associated with China-linked APT hacking groups known as Earth Lamia and Jackpot Panda.

In this exploitation, the threat actors perform reconnaissance on vulnerable servers by using commands such as whoami and id, attempting to write files, and reading /etc/passwd.

Palo Alto Networks also observed similar exploitation, attributing some of it to UNC5174, a Chinese state-sponsored threat actor believed to be tied to the Chinese Ministry of State Security.

"Unit 42 observed threat activity we assess with high confidence is consistent with CL-STA-1015 (aka UNC5174), a group suspected to be an initial access broker with ties to the Chinese Ministry of State Security," Justin Moore, Senior Manager at Palo Alto Networks Unit 42, told BleepingComputer via email.

"In this activity, we observed the deployment of Snowlight and Vshell malware, both highly consistent with Unit 42 knowledge of CL-STA-1015 (also known as UNC5174)."

The deployed malware in these attacks is:

Snowlight: A malware dropper that allows remote attackers to drop additional payloads on breached devices.
Vshell: A backdoor commonly used by Chinese hacking groups for remote access, post-exploitation activity, and to move laterally through a compromised network.
The rush to patch
Due to the severity of the React flaw, companies worldwide have rushed to install the patch and apply mitigations.

Yesterday, Cloudflare rolled out emergency detections and mitigations for the React flaw in its Web Application Firewall (WAF) due to its widespread exploitation and severity.

However, the update inadvertently caused an outage affecting numerous websites before the rules were corrected.

CISA has also added CVE-2025-55182 to the Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply patches by December 26, 2025, under Binding Operational Directive 22-01.

Organizations using React Server Components or frameworks built on top of them are advised to apply updates immediately, rebuild and redeploy their applications, and review logs for signs of PowerShell or shell command execution.
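Both this item and the Cyble write-up above end with the same advice: review logs for action-header requests with repeated failures, and for the reconnaissance and PowerShell commands seen after exploitation. The block below is an added example, not code from GreyNoise, ACSC, Cyble or BleepingComputer: it triages JSON-lines request logs and process-audit records for exactly those indicators (next-action / rsc-action-id headers, consecutive 5xx responses to action requests from one source, whoami/id probes, /etc/passwd reads, writes under /tmp, encoded PowerShell, and the numeric PowerShell probes described above). The log format, the header-name spellings (the article writes "rsc-actionid"; both forms are matched) and all sample records are constructed.

```javascript
// Added example (not GreyNoise's, ACSC's, Cyble's or BleepingComputer's code):
// triage constructed JSON-lines logs for the React2Shell indicators named in
// the reporting above. Record shape and samples are assumptions of this example.

// Header names as the articles spell them, plus the hyphenated form; matched case-insensitively.
const ACTION_HEADERS = ["next-action", "rsc-action-id", "rsc-actionid"];
// Consecutive 5xx responses to action requests from one source that count as "repeated sequential failures".
const FAILURE_STREAK = 3;

// Post-exploitation command patterns named in the reporting.
const COMMAND_RULES = [
  { name: "recon-probe",           re: /^(?:sh -c\s+)?["']?(?:whoami|id)(?:\s|["']|$)/ },
  { name: "passwd-read",           re: /\/etc\/passwd\b/ },
  { name: "tmp-file-write",        re: />\s*\/tmp\/\S+/ },
  { name: "powershell-encoded",    re: /powershell(?:\.exe)?\b.*\s-(?:enc|encodedcommand)\b/i },
  { name: "powershell-math-probe", re: /powershell(?:\.exe)?\b.*\s-c\s+"[\d\s+*\/()-]+"/i },
];

// Return the first RSC action header present on a request, or null.
function actionHeader(headers) {
  for (const [k, v] of Object.entries(headers || {})) {
    if (ACTION_HEADERS.includes(k.toLowerCase())) return { name: k, value: v };
  }
  return null;
}

// Findings for one request record: every action request is noted, failures are tagged.
function triageRequest(rec) {
  const findings = [];
  const hdr = actionHeader(rec.headers);
  if (!hdr) return findings;
  findings.push({ rule: "rsc-action-request", src: rec.src, ts: rec.ts, detail: `${hdr.name}=${hdr.value}` });
  if (rec.status >= 500) {
    findings.push({ rule: "action-request-failed", src: rec.src, ts: rec.ts, detail: `status ${rec.status}` });
  }
  return findings;
}

// Findings for one process-audit record (a single executed command line).
function triageCommand(rec) {
  return COMMAND_RULES
    .filter((r) => r.re.test(rec.cmd))
    .map((r) => ({ rule: r.name, src: rec.host, ts: rec.ts, detail: rec.cmd }));
}

// Walk the log once, tracking consecutive failed action requests per source.
function triage(lines) {
  const findings = [];
  const streak = new Map();
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch (e) {
      findings.push({ rule: "unparsed-line", detail: line.slice(0, 80) });
      continue;
    }
    if (typeof rec.cmd === "string") { findings.push(...triageCommand(rec)); continue; }
    const reqFindings = triageRequest(rec);
    findings.push(...reqFindings);
    if (!reqFindings.length) continue;
    const failed = reqFindings.some((f) => f.rule === "action-request-failed");
    const n = failed ? (streak.get(rec.src) || 0) + 1 : 0;
    streak.set(rec.src, n);
    if (n === FAILURE_STREAK) {
      findings.push({ rule: "repeated-action-failures", src: rec.src, ts: rec.ts, detail: `${n} consecutive 5xx responses to action requests` });
    }
  }
  return findings;
}

function countByRule(findings) {
  return findings.reduce((acc, f) => ({ ...acc, [f.rule]: (acc[f.rule] || 0) + 1 }), {});
}

// Constructed sample records: four action requests from one source (one success, three
// failures), a benign page view, then a handful of audited commands on the host.
const SAMPLE_LOG = [
  '{"ts":"2025-12-05T01:00:01Z","src":"198.51.100.7","method":"POST","path":"/","status":200,"headers":{"content-type":"text/plain;charset=UTF-8","next-action":"7f3a"}}',
  '{"ts":"2025-12-05T01:00:02Z","src":"198.51.100.7","method":"POST","path":"/","status":500,"headers":{"content-type":"text/plain;charset=UTF-8","next-action":"7f3a"}}',
  '{"ts":"2025-12-05T01:00:03Z","src":"198.51.100.7","method":"POST","path":"/","status":500,"headers":{"content-type":"text/plain;charset=UTF-8","Next-Action":"7f3a"}}',
  '{"ts":"2025-12-05T01:00:04Z","src":"198.51.100.7","method":"POST","path":"/","status":500,"headers":{"content-type":"text/plain;charset=UTF-8","rsc-action-id":"7f3a"}}',
  '{"ts":"2025-12-05T01:00:05Z","src":"203.0.113.9","method":"GET","path":"/products","status":200,"headers":{"accept":"text/html"}}',
  '{"ts":"2025-12-05T01:00:06Z","host":"web-01","user":"node","cmd":"powershell -c \\"1234*5678\\""}',
  '{"ts":"2025-12-05T01:00:07Z","host":"web-01","user":"node","cmd":"powershell -enc SQBFAFgAIABjAG8AbgBzAHQAcgB1AGMAdABlAGQA"}',
  '{"ts":"2025-12-05T01:00:08Z","host":"web-01","user":"node","cmd":"whoami"}',
  '{"ts":"2025-12-05T01:00:09Z","host":"web-01","user":"node","cmd":"cat /etc/passwd"}',
  '{"ts":"2025-12-05T01:00:10Z","host":"web-01","user":"node","cmd":"sh -c \\"echo pwned > /tmp/pwned.txt\\""}',
  '{"ts":"2025-12-05T01:00:11Z","host":"web-01","user":"node","cmd":"npm run build"}',
];

console.log(countByRule(triage(SAMPLE_LOG)));
```

Every legitimate Server Action also carries an action header, so "rsc-action-request" on its own is context, not an alert; the streak of failed action requests and any command finding on a web host are the lines worth escalating, and the source addresses they carry can be compared against the indicator lists published with the advisories.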

bleepingcomputer.com EN 2025 Actively-Exploited CVE-2025-55182 Next.js RCE React2Shell ReactJS
Age of the ‘scam state’: how an illicit, multibillion-dollar industry has taken root in south-east Asia https://www.theguardian.com/technology/2025/dec/02/scam-state-multi-billion-dollar-industry-south-east-asia
07/12/2025 10:12:58

The Guardian - theguardian.com
Tess McClure
Tue 2 Dec 2025 03.02 CET

For days before the explosions began, the business park had been emptying out. When the bombs went off, they took down empty office blocks and demolished echoing, multi-cuisine food halls. Dynamite toppled a four-storey hospital, silent karaoke complexes, deserted gyms and dorm rooms.

So came the end of KK Park, one of south-east Asia’s most infamous “scam centres”, press releases from Myanmar’s junta declared. The facility had held tens of thousands of people, forced to relentlessly defraud people around the world. Now, it was being levelled piece by piece.

But the park’s operators were long gone: apparently tipped off that a crackdown was coming, they were busily setting up shop elsewhere. More than 1,000 labourers had managed to flee across the border, and some 2,000 others had been detained. But up to 20,000 labourers, likely trafficked and brutalised, had disappeared. Away from the junta’s cameras, scam centres like KK Park have continued to thrive.

So monolithic has the multi-billion dollar global scam industry become that experts say we are entering the era of the “scam state”. Like the narco-state, the term refers to countries where an illicit industry has dug its tentacles deep into legitimate institutions, reshaping the economy, corrupting governments and establishing state reliance on an illegal network.

The raids on KK Park were the latest in a series of highly publicised crackdowns on scam centres across south-east Asia. But regional analysts say these are largely performative or target middling players, amounting to “political theatre” by officials who are under international pressure to crack down on them but have little interest in eliminating a wildly profitable sector.

“It’s a way of playing Whack-a-Mole, where you don’t want to hit a mole,” says Jacob Sims, visiting fellow at Harvard University’s Asia Centre and expert on transnational and cybercrime in the Mekong.

In the past five years scamming, says Sims, has mutated from “small online fraud rings into an industrial-scale political economy”.

“In terms of gross GDP, it’s the dominant economic engine for the entire Mekong sub-region,” he says, “And that means that it’s one of the dominant – if not the dominant – political engine.”

Government spokespeople in Myanmar, Cambodia and Laos did not respond to questions from the Guardian, but Myanmar’s military has previously said it is “working to completely eradicate scam activities from their roots”. The Cambodian government has also described allegations it is home to one of “the world’s largest cybercrime networks supported by the powerful” as “baseless” and “irresponsible”.

Morphing in less than a decade from a world of misspelled emails and implausible Nigerian princes, the industry has become a vast, sophisticated system, raking in tens of billions from victims around the world.

At its heart are “pig-butchering” scams – where a relationship is cultivated online before the scammer pushes their victim to part with their money, often via an “investment” in cryptocurrency. Scammers have harnessed increasingly sophisticated technology to fool targets: using generative AI to translate and drive conversations, deepfake technology to conduct video calls, and mirrored websites to mimic real investment exchanges. One survey found victims were conned for an average of $155,000 (£117,400) each. Most reported losing more than half their net worth.

Those huge potential profits have driven the industrialisation of the scam industry. Estimates of the industry’s global size now range from $70bn into the hundreds of billions – a scale that would put it on a par with the global illicit drug trade. The centres are typically run by transnational criminal networks, often originating from China, but their ground zero has been south-east Asia.

By late 2024, cyber scamming operations in Mekong countries were generating an estimated $44bn (£33.4bn) a year, equivalent to about 40% of the combined formal economy. That figure is considered conservative, and on the rise. “This is a massive growth area,” says Jason Tower, from the Global Initiative against Transnational Organised Crime. “This has become a global illicit market only since 2021 – and we’re now talking about a $70bn-plus-per-year illicit market. If you go back to 2020, it was nowhere near that size.”

In Cambodia, one company alleged by the US government to run scam compounds across the country had $15bn of cryptocurrency targeted in a Department of Justice (DOJ) seizure last month – funds equal to almost half of Cambodia’s economy.

With such huge potential profits, infrastructure has rapidly been built to facilitate it. The hubs thrive in conflict zones and along lawless and poorly regulated border areas. In Laos, officials have told local media around 400 are operating in the Golden Triangle special economic zone. Cyber Scam Monitor – a collective that monitors scamming Telegram channels, police reports, media and satellite data to identify scam compounds – has located 253 suspected sites across Cambodia. Many are enormous, and operating in public view.

The scale of the compounds is itself an indication of how much the states hosting them have been compromised, experts claim.

“These are massive pieces of infrastructure, set up very publicly. You can go to borders and observe them. You can even walk into some of them,” says Tower. “The fact this is happening in a very public way shows just the extreme level of impunity – and the extent to which states are not only tolerating this, but actually, these criminal actors are becoming state embedded.”

Thailand’s deputy finance minister resigned this October following allegations of links to scam operations in Cambodia, which he denies. Chen Zhi, who was recently hit by joint UK and US sanctions for allegedly masterminding the Prince Group scam network, was an adviser to Cambodia’s prime minister. The Prince Group said it “categorically rejects” claims the company or its chairman have engaged in any unlawful activity. In Myanmar, scam centres have become a key financial flow for armed groups. In the Philippines, ex-mayor Alice Guo, who ran a massive scam centre while in office, has just been sentenced to life in prison.

Across south-east Asia, scam masterminds are “operating at a very high level: they’re obtaining diplomatic credentials, they’re becoming advisers … It is massive in terms of the level of state involvement and co-optation,” Tower says.

“It’s quite unprecedented that you have an illicit market of this nature, that is causing global harm, where there’s blatant impunity, and it’s happening in this public way.”

theguardian.com EN 2025 Asia Cybercrime scam-state scam-compounds
A New Anonymous Phone Carrier Lets You Sign Up With Nothing but a Zip Code https://www.wired.com/story/new-anonymous-phone-carrier-sign-up-with-nothing-but-a-zip-code/
06/12/2025 13:01:08

wired.com
Andy Greenberg
The Big Story
Dec 4, 2025 12:00 PM

Privacy stalwart Nicholas Merrill spent a decade fighting an FBI surveillance order. Now he wants to sell you phone service—without knowing almost anything about you.

Nicholas Merrill has spent his career fighting government surveillance. But he would really rather you didn’t call what he’s selling now a “burner phone.”

Yes, he dreams of a future where anyone in the US can get a working smartphone—complete with cellular coverage and data—without revealing their identity, even to the phone company. But to call such anonymous phones “burners” suggests that they’re for something illegal, shady, or at least subversive. The term calls to mind drug dealers or deep-throat confidential sources in parking garages.

With his new startup, Merrill says he instead wants to offer cellular service for your existing phone that makes near-total mobile privacy the permanent, boring default of daily life in the US. “We're not looking to cater to people doing bad things,” says Merrill. “We're trying to help people feel more comfortable living their normal lives, where they're not doing anything wrong, and not feel watched and exploited by giant surveillance and data mining operations. I think it’s not controversial to say the vast majority of people want that.”

That’s the thinking behind Phreeli, the phone carrier startup Merrill launched today, designed to be the most privacy-focused cellular provider available to Americans. Phreeli, as in, “speak freely,” aims to give its user a different sort of privacy from the kind that can be had with end-to-end encrypted texting and calling tools like Signal or WhatsApp. Those apps hide the content of conversations, or even, in Signal’s case, metadata like the identities of who is talking to whom. Phreeli instead wants to offer actual anonymity. It can’t help government agencies or data brokers obtain users’ identifying information because it has almost none to share. The only piece of information the company records about its users when they sign up for a Phreeli phone number is, in fact, a mere ZIP code. That’s the minimum personal data Merrill has determined his company is legally required to keep about its customers for tax purposes.
By asking users for almost no identifiable information, Merrill wants to protect them from one of the most intractable privacy problems in modern technology: Despite whatever surveillance-resistant communications apps you might use, phone carriers will always know which of their customers’ phones are connecting to which cell towers and when. Carriers have frequently handed that information over to data brokers willing to pay for it—or any FBI or ICE agent that demands it with a court order.

Merrill has some firsthand experience with those demands. Starting in 2004, he fought a landmark, decade-plus legal battle against the FBI and the Department of Justice. As the owner of an internet service provider in the post-9/11 era, Merrill had received a secret order from the bureau to hand over data on a particular user—and he refused. After that, he spent another 15 years building and managing the Calyx Institute, a nonprofit that offers privacy tools like a snooping-resistant version of Android and a free VPN that collects no logs of its users’ activities. “Nick is somebody who is extremely principled and willing to take a stand for his principles,” says Cindy Cohn, who as executive director of the Electronic Frontier Foundation has led the group’s own decades-long fight against government surveillance. “He's careful and thoughtful, but also, at a certain level, kind of fearless.”

More recently, Merrill began to realize he had a chance to achieve a win against surveillance at a more fundamental level: by becoming the phone company. “I started to realize that if I controlled the mobile provider, there would be even more opportunities to create privacy for people,” Merrill says. “If we were able to set up our own network of cell towers globally, we can set the privacy policies of what those towers see and collect.”

Building or buying cell towers across the US for billions of dollars, of course, was not within the budget of Merrill’s dozen-person startup. So he’s created the next best thing: a so-called mobile virtual network operator, or MVNO, a kind of virtual phone carrier that pays one of the big, established ones—in Phreeli’s case, T-Mobile—to use its infrastructure.

The result is something like a cellular prophylactic. The towers are T-Mobile’s, but the contracts with users—and the decisions about what private data to require from them—are Phreeli’s. “You can't control the towers. But what can you do?” he says. “You can separate the personally identifiable information of a person from their activities on the phone system.”

Signing up a customer for phone service without knowing their name is, surprisingly, legal in all 50 states, Merrill says. Anonymously accepting money from users—with payment options other than envelopes of cash—presents more technical challenges. To that end, Phreeli has implemented a new encryption system it calls Double-Blind Armadillo, based on cutting-edge cryptographic protocols known as zero-knowledge proofs. Through a kind of mathematical sleight of hand, those crypto functions are capable of tasks like confirming that a certain phone has had its monthly service paid for, but without keeping any record that links a specific credit card number to that phone. Phreeli users can also pay their bills (or rather, prepay them, since Phreeli has no way to track down anonymous users who owe them money) with tough-to-trace cryptocurrency like Zcash or Monero.

wired.com EN 2025 surveillance privacy security phones Anonymous Phreeli Phone Carrier
IDF bans Androids for senior officers, mandates iPhones https://www.jpost.com/israel-news/defense-news/article-876327
06/12/2025 11:50:45
The Jerusalem Post
By JERUSALEM POST STAFF
NOVEMBER 26, 2025 21:02

A new directive would restrict IDF-issued devices to iPhones for officers from the rank of lieutenant colonel upward, reducing the risk of intrusions on senior officers' handsets.

The Israel Defense Forces will tighten rules on mobile devices for senior officers and prohibit Android phones on IDF-issued lines, Army Radio reported on Wednesday.

Under the expected order, commanders from the rank of lieutenant colonel and above will be permitted to use only Apple iPhones for official communications. The step is aimed at reducing the risk of intrusions on senior officers’ handsets, according to the report.

Under the plan, the IDF would standardize operating systems at senior echelons to simplify security controls and updates. The IDF has not publicly detailed timelines or exceptions, and there was no immediate comment on whether the policy will cover personal devices used for work.

Why the IDF is acting now
Israeli security officials have long warned that hostile actors use social platforms and messaging apps to target soldiers’ phones and track troop movements. The IDF previously cautioned that Hamas used WhatsApp to solicit information from troops on the Gaza border, urging soldiers to report suspicious messages to commanders.
Military intelligence has also exposed repeated “honeypot” schemes in which operatives posed as women online to lure personnel into installing malware, most notably in Operation HeartBreaker. Analysts noted that such campaigns sought access to contacts, photos, and real-time location data on soldiers’ devices.

IDF staged scenarios mimicking Hezbollah-linked 'honeypots'
The new step follows earlier efforts to harden mobile use across the force, including training and internal drills designed to raise officers’ awareness of social-engineering tactics. In recent years, the IDF even staged scenarios mimicking Hezbollah-linked “honeypots” to stress-test units’ digital discipline.

Army Radio said the directive is expected to be issued in the coming days, with implementation applying to officers from lieutenant colonel up to the general staff. The reported move aligns with a broader push to curb inadvertent exposure from social media and ubiquitous messaging apps that can reveal patterns of life.
In 2019, the IDF warned troops that Hamas was using WhatsApp to gather data on IDF movement near Gaza and instructed soldiers to flag suspicious contacts to their chains of command.

jpost.com EN 2025 Gaza Hamas Hezbollah IDF radio technology iphone high-tech Apple Army Israel Android