The CyberWire Daily Podcast 12.9.25
Ep 2449 | 12.9.25

The bug that got everyone’s attention.

Transcript

Organizations worldwide scramble to address the critical React2Shell vulnerability. Major insurers look to exclude artificial intelligence risks from corporate policies. Three Chinese hacking groups converge on the same Sharepoint flaws. Ransomware crews target hypervisors. A UK hospital asks the High Court to block publication of data stolen by the Clop gang. The White House approves additional Nvidia AI chip exports to China. The ICEBlock app creator sues the feds over app store removal. The FBI warns of virtual kidnapping scams. The FTC upholds a ban on a stalkerware maker. Dave Lindner, CISO of Contrast Security, discusses nation-state adversaries targeting source code to infiltrate the government and private sector. Craigslist’s founder pledges support for cybersecurity, veterans and pigeons. 

Today is Tuesday December 9th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Organizations worldwide scramble to address the critical React2Shell vulnerability.

Major organizations worldwide are scrambling to address the critical React2Shell vulnerability as researchers confirm active exploitation tied to China’s Ministry of State Security. Palo Alto Networks’ Unit 42 says more than 30 organizations have been affected, with attackers conducting reconnaissance, attempting to steal AWS credentials and deploying malware linked to past MSS operations. The bug, CVE-2025-55182, was publicly disclosed last week with a maximum severity rating, triggering widespread scanning by both cybercriminals and state-backed actors. U.S. and international security groups report millions of potentially exposed internet-facing services. The FBI is urging immediate patching and targeted threat hunting, while CISA has added the flaw to its Known Exploited Vulnerabilities catalog, setting a December 26 deadline for federal agencies to update systems.

Major insurers look to exclude artificial intelligence risks from corporate policies. 

Major insurers are moving to exclude artificial intelligence risks from corporate policies as concerns rise over costly, unpredictable AI failures. AIG, Great American and WR Berkley have sought regulatory approval for exclusions tied to companies using AI tools, reflecting industry unease as businesses rapidly adopt systems prone to hallucinations and opaque decision making. Some proposed exclusions are sweeping, barring claims involving any AI use. While AIG says it has no immediate plans to apply its exclusions, insurers warn that unclear liability across developers, model providers and users makes AI risk potentially exponential. Recent high-profile errors, fraud enabled by deepfakes and fears of systemic losses are pushing insurers toward tighter limits, narrower endorsements and cautious coverage for AI-related incidents.

Three Chinese hacking groups converge on the same SharePoint flaws.

Chinese threat activity around two critical SharePoint flaws has escalated into the broad ToolShell campaign, where three distinct China-based hacking groups exploited the same vulnerabilities almost simultaneously. The bugs, first demonstrated at Pwn2Own, were meant to be patched quietly, yet attackers moved even before Microsoft released fixes. Within weeks, hundreds of governments and businesses worldwide were compromised, prompting urgent patch revisions after hackers bypassed initial mitigations. Analysts are probing how multiple Chinese groups obtained working exploits so quickly, including scrutiny of China-based partners in Microsoft’s early-warning program and the country’s laws requiring zero-day reporting to the state. The campaign follows a growing pattern where Chinese clusters surge exploitation just before or after disclosure. Motivations also vary: two groups appear focused on intelligence collection, while a third shows ransomware behavior that may mask deeper objectives. The convergence underscores China’s complex cyber ecosystem and persistent strategic targeting.

Ransomware crews target hypervisors. 

Ransomware crews are increasingly targeting hypervisors, the software that creates and manages virtual machines. According to new data from Huntress, attacks jumped from 3 percent of cases in early 2024 to 25 percent in the second half of the year. Researchers say the Akira ransomware group is driving much of the surge, aiming at hypervisors to evade endpoint and network defenses. Compromising a hypervisor gives attackers control over hosted virtual machines, greatly amplifying impact. Huntress has seen operators use built-in tools like OpenSSL to encrypt VM volumes and abuse Hyper-V utilities to disable protections and prepare large-scale deployments. The company urges strict patching, multi-factor authentication, strong passwords, allow-listing for binaries, and full log ingestion into Security Information and Event Management systems to counter the growing threat.

A UK hospital asks the High Court to block publication of data stolen by the Clop gang. 

NHS Barts Health in London is seeking a U.K. High Court order to block the publication or use of data stolen in an August ransomware attack by the Clop group. The hospital says Clop accessed invoice records containing names and addresses of patients and staff, though core IT systems were not breached. The data also included information from nearby NHS trusts. Officials warn the stolen details could be exploited for scams or payment fraud. Investigators say Clop targeted zero-day flaws in Oracle’s E-Business Suite, part of a broader campaign in which the gang emailed victims threatening to leak data unless large cryptocurrency ransoms were paid. NHS England and the National Cyber Security Centre are assessing the incident’s impact.

The White House approves additional Nvidia AI chip exports to China. 

The White House has approved Nvidia to export its H200 AI chips to select customers in China under conditions meant to protect national security, President Trump said. The U.S. will take a 25 percent cut of sales. The H200 is more capable than Nvidia’s previously allowed H20 chips but still below its Blackwell line, which is not part of the deal. Trump said the policy supports U.S. jobs and manufacturing. The decision follows political pressure to limit China’s access to advanced AI hardware.

The ICEBlock app creator sues the feds over app store removal. 

Joshua Aaron, creator of the ICEBlock app, is suing Attorney General Pam Bondi and several federal officials, alleging the Trump administration made unlawful threats and pressured Apple to remove his app from the App Store. ICEBlock, which lets users anonymously report Immigration and Customs Enforcement activity, surged to over 500,000 downloads after a CNN story. Although Apple initially approved the app after legal review, it removed ICEBlock in October following public pressure from Bondi. Google and Facebook later removed similar content. Federal officials defend the takedowns, arguing such apps endanger law enforcement. The lawsuit comes as Republican lawmakers push for tighter restrictions, including a bill that would criminalize publishing information about federal officers if it risks targeted harassment or violence.

The FBI warns of virtual kidnapping scams. 

The FBI warns that criminals are using altered or AI-generated images to create fake “proof of life” photos in virtual kidnapping scams. Fraudsters text victims claiming a loved one has been abducted, often sending doctored images and threatening violence to force quick payment. Some scams exploit photos of real missing people scraped from social media. The FBI says these emergency scams mirror grandparent fraud schemes but now use AI to enhance credibility. Officials urge families to use code words, verify the victim’s safety, and report incidents to IC3.

The FTC upholds a ban on a stalkerware maker. 

The U.S. Federal Trade Commission has rejected a petition from Scott Zuckerman, founder of stalkerware firms SpyFone, Support King, and OneClickMonitor, to lift a 2021 ban preventing him from selling surveillance apps. The ban followed a major data breach that exposed both customers and the people they secretly monitored, and required Zuckerman to delete collected data and implement strict security and auditing measures. The FTC called SpyFone a tool that enabled stalkers while failing to protect sensitive information. Zuckerman argued the order’s security requirements impose financial burdens on his unrelated businesses, but the FTC declined to modify the restrictions. He offered no further comment.

Craigslist’s founder pledges support for cybersecurity, veterans and pigeons. 

Craig Newmark, the mild-mannered founder of Craigslist and self-described non-billionaire billionaire, has officially joined the Giving Pledge. In a LinkedIn post marking both his commitment and his entry into his “middle seventies,” he noted he gave away his Craigslist equity long ago, which does complicate the whole billionaire label. Still, turning down an estimated $11 billion in dot-com era enthusiasm buys a certain moral high ground. Newmark says his philanthropy will continue to focus on cybersecurity, veterans, and—naturally—pigeon rescue. Yes, pigeons. His favorite, Ghostface Killah, even has a place of honor on his mantle. Newmark insists pigeons are misunderstood underdogs, possibly even our future overlords, which he admires. His foundation recently gave $30,000 to a rescue group, its largest gift ever. In true Craigslist fashion, he’s simply posting goodwill into the universe, one charitable listing at a time.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.