Cyber Threat Weekly – #106

The week of December 1^st through December 7^th, roughly 368 cyber news articles were reviewed. A light amount of cyber threat trends and adversarial behavior news to share.  Been thinkin about agentic AI and non-human identities.

AI deployment in the enterprise is accelerating.  AI agents need their own identity instead of operating under the credentials of the users that create them.  Without proper identity and access governance, organizations lose visibility into actions taken by human’s vs automation.  AI agents operate continuously, will use whatever access they’re granted, and can be manipulated. 

Let’s start with Remote code execution bug React2Shell actively exploited.  AI Coding tools bugs revealed.  Researchers share new prompt injection attacks via MCP sampling.  CISA and the NSA warn of BRICKSTORM malware abuse by Chinese state-sponsored attackers.

Another example of prompt injection, this time with GitHub actions.  AI in OT security guidance from CISA.  Convergence of ransomware and supply chain attacks.  Researchers share the aftermath of Shai-Hulud 2.0 supply chain attack.

Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!

Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months.  We continue to share n-day vulnerabilities being actively exploited.  Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs.  If it’s in the catalog, it should be patched.

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for actively exploited and weaponized PoC code available vulnerabilities.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.

CISA Known Exploited Vulnerabilities – December 1^st to December 7^th:

CVE-2025-48633 – Android Framework Information Disclosure Vulnerability:
An unspecified vulnerability that allows for information disclosure.

CVE-2025-48572 – Android Framework Privilege Escalation Vulnerability:
An unspecified vulnerability that allows for privilege escalation.

CVE-2021-26828 – OpenPLC ScadaBR Unrestricted Upload of File with Dangerous Type Vulnerability:
Allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm.

CVE-2025-55182 – Meta React Server Components Remote Code Execution Vulnerability:
A bug that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.

Disclosed December 3^rd, React2Shell Actively Exploited

A day after the bug was disclosed, a security researcher published a working proof-of-concept exploit demonstrating remote command execution.  Quickly after the exploit was public scanning accelerated.  This is typical behavior that has been seen consistently, soon after exploit release, threat actors pounce.

https://www.bleepingcomputer.com/news/security/react2shell-flaw-exploited-to-breach-30-orgs-77k-ip-addresses-vulnerable/

https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/

Over 30 Bugs Found in AI-Powered Coding Tools

This one is for tracking purposes; prompt injection is going to be a big issue.  Dubbed IDEsaster, the researcher used features from the base IDE in the attack chain, 10+ market leading products are affected.  Like many products, IDEs weren’t built with AI agents in mind.  The author shares a “Secure for AI” principle to address challenges introduced by adding AI features to existing products.  This one is worth a read.

https://thehackernews.com/2025/12/researchers-uncover-30-flaws-in-ai.html

https://maccarita.com/posts/idesaster/

MCP Sampling Introduces New Prompt Injection Attack Vectors

The Model Context Protocol (MCP) sampling feature provides a standardized way for servers to request LLM assistance via clients.   Researchers performed proof-of-concept attacks on a co-pilot that integrates MCP for code assistance and tool access. 

https://unit42.paloaltonetworks.com/model-context-protocol-attack-vectors/

https://modelcontextprotocol.io/specification/2025-11-25/client/sampling

https://www.descope.com/learn/post/mcp

BRICKSTORM Malware Abused by State-Sponsored Attackers

Chinese sponsored threat actors remained undetected for over a year.  Targets included US legal services firms, technology companies, SaaS providers, and business process outsourcers.  VMware servers were abused for persistence.

https://www.csoonline.com/article/4101866/chinese-cyberspies-target-vmware-vsphere-for-long-term-persistence.html

https://www.cisa.gov/news-events/analysis-reports/ar25-338a

https://www.csoonline.com/article/4062723/chinese-spies-had-year-long-access-to-us-tech-and-legal-firms.html

https://www.crowdstrike.com/en-us/blog/warp-panda-cloud-threats/

AI Agents Plus GitHub Actions Equals PromptPwned

Indirect prompt injection is a recurring theme.  Bottom line; issues bodies, commit messages, or PR descriptions can be used to insert LLM prompts.  Google’s Gemini CLI was hacked within a private unlinked fork of proof-of-concept.  A malicious issue was submitted with hidden instructions, leading to leaked secrets.  Other models are susceptible as well.

https://cyberscoop.com/ai-coding-tools-can-be-turned-against-you-aikido-github-prompt-injection/

https://www.aikido.dev/blog/promptpwnd-github-actions-ai-agents

Security Guidance Published for AI in OT

The joint guidance shares four principles for secure integration of AI in OT.  Principle 1 is to understand AI, the risks and potential impact to OT.  Secure design and secure deployment are part of the lifecycle.  The guidance also lays out several risks to mitigate.

https://www.darkreading.com/cybersecurity-operations/cisa-publishes-security-guidance-ai-ot

https://www.cisa.gov/sites/default/files/2025-12/joint-guidance-principles-for-the-secure-integration-of-artificial-intelligence-in-operational-technology-508c.pdf

Ransomware Groups Increasingly Target the Supply Chain

This one is for info and tracking purposes.  Researchers noted that ransomware groups targeting of supply chain has contributed to the doubling of supply chain attacks since April 2025.  Ransomware accounted for 58% of supply chain attacks in November, down from 73% in October.  Qilin was the top group in November. 

https://thecyberexpress.com/ransomware-and-supply-chain-attacks-converge/

https://cyble.com/blog/ransomware-attacks-november-2025/

The Impact so far of the Shai-Hulud 2.0 Supply Chain Attack

Researchers model the trends by pairing GitHub API with GHArchive for a comprehensive dataset.  Visuals for the quick spread of the npm worm are showcased.  Useful resources from other vendors are also shared. 

https://www.bleepingcomputer.com/news/security/shai-hulud-20-npm-malware-attack-exposed-up-to-400-000-dev-secrets/

https://www.wiz.io/blog/shai-hulud-2-0-aftermath-ongoing-supply-chain-attack