Ticker feed
Ransomware payments fell sharply in 2024, dropping 33% from $1.1 billion to $734 million, according to a new Treasury Department report. The Financial Crimes Enforcement Network study offers cautious hope after ransomware payments skyrocketed 77% in 2023.
However, the number of attacks barely budged—1,476 incidents in 2024 versus 1,512 in 2023. Manufacturing bore the heaviest burden with 456 attacks and $285 million in payments, followed by financial services (432 incidents, $366 million) and healthcare (389 attacks, $305 million).
Officials identified 267 ransomware variants over three years, with ALPHV/BlackCat leading the pack. While the payment decline is encouraging, experts warn it's too early to declare victory over ransomware.
Source: CyberScoop
Cybersecurity researcher Mazin Ahmed discovered that attackers are exploiting VS Code and AI-powered IDEs like Cursor AI by publishing malicious extensions that bypass security screening. A fake Python linter called "Piithon-linter" successfully made it through Microsoft's marketplace security checks and could steal developer credentials and deploy remote access tools.
The malware activates automatically when VS Code launches, first checking for antivirus software before harvesting sensitive environment variables. It uses geofencing to avoid detection during Microsoft's sandbox testing and can target Windows, macOS, or Linux systems.
Most concerning is that OpenVSX marketplace, which powers Cursor AI, performs virtually no security verification. Since developers have access to source code, credentials, and production systems, these compromised extensions could lead to major supply chain attacks targeting entire organizations.
Source: Cybersecurity News
AT&T customers have until December 18 to claim their share of a $177 million settlement from two major data breaches. The 2019 breach exposed Social Security numbers and personal data of 73 million customers, while the 2024 Snowflake hack affected phone records of 109 million users.
Customers who can prove documented losses may receive up to $5,000 for the 2019 breach or $2,500 for the 2024 incident. Those without proof of loss will receive smaller tiered payments. You need a Class Member ID from Kroll's email notification to file your claim.
If you can't find the notification, check spam folders or call 833-890-4930. Customers affected by both breaches can file separate claims for each incident.
Source: CNET
US cybersecurity officials revealed Thursday that Chinese state-sponsored hackers have been using sophisticated Brickstorm malware to infiltrate critical infrastructure and government networks since at least 2022. The attackers maintain persistent access for an average of 393 days, targeting VMware vSphere and Windows environments while staying hidden in poorly monitored edge devices.
Dozens of US organizations have been compromised, including government agencies, IT firms, and legal services. The malware automatically reinstalls itself if disrupted and allows attackers to steal configuration data, emails, and documents aligned with China's strategic interests. CISA warns this represents an evolution in Chinese cyber tradecraft, with attackers positioning themselves for potential future sabotage operations.
Source: CyberScoop
Cybercriminals are actively targeting Palo Alto Networks' GlobalProtect VPN portals using over 7,000 IP addresses worldwide. The attacks, detected in late November 2025, exploit vulnerabilities in internet-facing VPN gateways through UDP port 4501.
Threat actors are using residential proxies and compromised servers across Asia, Europe, and North America to probe for weak configurations and deploy custom scripts. They're targeting historical flaws like CVE-2024-3400 and misconfigurations that allow unauthorized access.
Palo Alto Networks issued an urgent advisory December 5, recommending multi-factor authentication and firewall restrictions. CISA added related indicators to its Known Exploited Vulnerabilities catalog, giving federal agencies 72 hours to patch.
Source: Cybersecurity News
A Chinese hacking group called Warp Panda has been secretly infiltrating US legal, manufacturing, and tech companies since 2022, staying hidden in networks for up to 400 days. The group uses sophisticated malware called BrickStorm that disguises itself as legitimate VMware processes and automatically reinstalls if detected.
The hackers exploit vulnerabilities in popular business tools like Ivanti VPN devices and VMware servers to gain initial access, then move through networks using stolen credentials. They've also targeted Microsoft Azure environments and government entities across Asia Pacific.
CISA issued an alert Thursday warning that one BrickStorm infection went undetected from April 2024 until September 2025. The persistent attacks appear designed to steal intelligence for China's strategic interests.
Source: Security Week
A devastating vulnerability in the React JavaScript library, dubbed "React2Shell," earned a perfect 10 CVSS severity score and is already under attack by Chinese state-backed groups. CVE-2025-55182 allows unauthenticated remote code execution in React Server Components versions 19.0.0 through 19.2.0.
Amazon's security team spotted exploitation attempts within hours of the December 3rd disclosure, with Earth Lamia and Jackpot Panda among the attackers. The groups are using automated scanning tools and simultaneously targeting other recent vulnerabilities in broad campaigns.
Patches are available for React versions 19.0.1, 19.1.2, and 19.2.1. Organizations should update immediately, as working proof-of-concept exploits are circulating publicly and broader exploitation is expected.
Source: Dark Reading
Britain's cybercrime intervention programme is seeing children as young as seven referred for hacking, with the average age just 15. The National Crime Agency reports year-on-year increases in referrals, mostly gamers aged 10-16, while UK business hack payouts have rocketed 230%.
Former cybercriminals Ricky Handschumacher and Joseph Harris warn the problem is getting worse. Both started hacking as teenagers through gaming - Handschumacher via Halo 3, Harris through Club Penguin at age 12. Gaming serves as a major pathway since 97% of children aged 8-17 participate.
Recent attacks cost millions: Marks & Spencer lost £136m, Jaguar Land Rover's shutdown caused £1.9bn in UK economic disruption. Teenagers were suspects in major cases including Co-op and Transport for London breaches.
Experts say bored, isolated kids seek community and status in hacking forums. The solution requires better cybersecurity career pathways and higher bug bounty payments to compete with criminal profits.
Source: Sky News
A critical vulnerability dubbed React2Shell (CVE-2025-55182) has been discovered in React, the popular JavaScript library powering millions of websites including Airbnb, Instagram, and Netflix. The flaw allows remote attackers to execute code without authentication and affects React versions 19.0 through 19.2.0.
Patches are available in versions 19.0.1, 19.1.2, and 19.2.1. The vulnerability impacts applications using React Server Components, even if they don't implement Server Function endpoints. Security researchers warn that 39% of cloud environments contain vulnerable React instances, with over 968,000 servers potentially at risk.
Major cloud providers including Google, AWS, and Cloudflare have deployed protective measures, while cybersecurity experts expect widespread exploitation attempts soon.
Source: SecurityWeek
CISA issued an urgent alert Thursday about ongoing cyberattacks by Chinese state-backed hackers targeting U.S. government and IT organizations using the sophisticated Brickstorm backdoor. The attackers are specifically going after VMware vSphere environments, where they can steal virtual machine snapshots and create hidden rogue VMs.
The Go-based malware automatically reinstalls itself if disrupted and uses multiple encryption layers to communicate with command-and-control servers. In one documented case, attackers maintained network access from April 11 through September 2, 2024, moving from a web server to domain controllers and eventually VMware systems.
CISA recommends keeping VMware servers updated, monitoring for unauthorized VMs, and blocking external DNS-over-HTTPS traffic to prevent these stealth attacks.
Source: Dark Reading