This week (December 10–17, 2025) has been defined by state-level vulnerability exploitation and critical infrastructure sieges. The most significant strategic development is the confirmation of a successful breach of the French Interior Ministry, driven not by a zero-day, but by fundamental hygiene failures—a stark reminder that nation-state targets are often compromised via the path of least resistance.
Simultaneously, the technical landscape shifted with a CVSS 10.0 zero-day in Cisco AsyncOS, actively exploited by China-nexus actors to gain root access to email gateways, arguably the most sensitive perimeter device in any network. Ransomware actors, specifically Interlock and Nitrogen, have pivoted heavily towards healthcare and financial verticals this week, claiming massive data exfiltration from Texas Tech University and SRP Federal Credit Union.
The following report details these incidents with technical granularity to aid your threat hunting and remediation efforts.
Incident Feed: December 10 – December 17, 2025
1. French Interior Ministry: The “Negligence” Compromise
Date: December 11–12, 2025 (Confirmed Dec 17)
Severity: High (State Data Exposure)
Overview
French Interior Minister Laurent Nunez confirmed a breach targeting the Ministry’s email servers during the night of December 11–12. While initial reports feared a massive exfiltration of millions of records, the Ministry has confirmed the extraction of “a few dozen” highly sensitive files, including data from the Criminal Records Processing System and the Wanted Persons File. A 22-year-old suspect was arrested on December 17.
Technical Explanation
Unlike sophisticated APT campaigns relying on zero-days, this breach was attributed to credential negligence. Threat actors did not exploit a software vulnerability but rather leveraged valid credentials.
- Vector: Lateral movement via compromised professional email accounts.
- Root Cause: Passwords for high-value accounts were reportedly shared via unsecured messaging applications (Shadow IT), allowing attackers to intercept or scrape credentials.
- Execution: Once email access was established, attackers pivoted to business applications linked to the email accounts to extract database records.
Impact
- Data Loss: Exposure of classified criminal records and wanted persons data.
- Operational: Forced reset of ministry-wide access controls and tightening of email hygiene protocols.
- Reputation: Public admission of “negligence” by state officials undermines trust in government cybersecurity posture.
Technical Details & IOCs
- Attack Type: Credential Harvesting / Account Takeover (ATO).
- MITRE ATT&CK Mapping:
  - Initial Access: [T1078] Valid Accounts.
  - Credential Access: [T1555] Credentials from Password Stores (Messaging Apps).
  - Collection: [T1114] Email Collection.
- Observed Artifacts: Anomalous login times (overnight Dec 11-12) and bulk file export requests from “Wanted Persons” database interfaces.
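The two artifact types listed above (overnight logins and bulk export requests) are exactly what a hunting query over application audit logs should surface. The following is an added example, not code from the report or the Ministry: it parses constructed audit lines in an assumed `timestamp user event key=value` format and flags logins in an assumed quiet window (22:00 to 06:00), single exports above an assumed row threshold, and per-user daily export volume above a second assumed ceiling. Account names, database names and thresholds are all illustrative.

```python
"""Added example (not from the report): flag the two artifact types named in
the incident summary, overnight interactive logins and bulk export requests,
over constructed audit-log lines. The log format, the account names and the
thresholds are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit lines: "<ISO timestamp> <user> <event> [key=value ...]"
SAMPLE_AUDIT_LOG = """\
2025-12-11T09:14:02 j.durand LOGIN src=10.20.1.14
2025-12-11T17:50:31 j.durand EXPORT db=wanted_persons rows=120
2025-12-12T01:07:45 j.durand LOGIN src=10.20.1.14
2025-12-12T01:09:12 j.durand EXPORT db=wanted_persons rows=48000
2025-12-12T01:11:40 j.durand EXPORT db=criminal_records rows=35000
2025-12-12T02:30:05 j.durand EXPORT db=wanted_persons rows=15000
2025-12-12T08:02:19 m.leroy LOGIN src=10.20.3.7
2025-12-12T08:15:00 m.leroy EXPORT db=wanted_persons rows=90
"""

NIGHT_START = time(22, 0)        # assumption: no legitimate work between 22:00 and 06:00
NIGHT_END = time(6, 0)
BULK_ROWS = 10_000               # assumption: a single export above this is "bulk"
BULK_ROWS_PER_USER_DAY = 50_000  # assumption: per-user daily export ceiling


def parse_line(line):
    """Split one audit line into a dict; trailing key=value pairs become fields."""
    ts, user, event, *fields = line.split()
    attrs = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "event": event, **attrs}


def is_overnight(ts):
    """True when the timestamp falls inside the quiet window."""
    t = ts.time()
    return t >= NIGHT_START or t < NIGHT_END


def hunt(log_text):
    """Return a list of (rule, user, detail) tuples for suspicious activity."""
    alerts = []
    exported = defaultdict(int)  # (user, date) -> total rows exported that day
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["event"] == "LOGIN" and is_overnight(rec["ts"]):
            alerts.append(("overnight_login", rec["user"], rec["ts"].isoformat()))
        elif rec["event"] == "EXPORT":
            rows = int(rec["rows"])
            if rows >= BULK_ROWS:
                alerts.append(("bulk_export", rec["user"],
                               f"{rec['db']} rows={rows}"))
            exported[(rec["user"], rec["ts"].date())] += rows
    # A run of exports that individually stay under the bulk limit still adds up.
    for (user, day), total in exported.items():
        if total >= BULK_ROWS_PER_USER_DAY:
            alerts.append(("daily_export_volume", user, f"{day} rows={total}"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in hunt(SAMPLE_AUDIT_LOG):
        print(f"{rule:22} {user:10} {detail}")
```

On the constructed sample the hunt returns five alerts, all against the account that logs in at 01:07 and exports tens of thousands of rows in the following hour, and nothing against the daytime user. The per-day aggregate rule is there because an attacker who knows a single-export threshold can simply split the pull.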
Takeaway for the CISO
The “human perimeter” remains your weakest link. This incident validates that even air-gapped or secured databases are accessible if the keys (credentials) are transmitted over insecure channels.
- Action: Audit “Shadow IT” communication channels (WhatsApp, Signal, Telegram) used by employees for work purposes. Enforce FIDO2-based MFA, which resists credential replay even when passwords have already leaked.
2. Cisco AsyncOS Zero-Day: Root Access on Email Gateways
Date: Disclosed Dec 17, 2025 (Active Exploitation since Dec 10)
Severity: Critical (CVSS 10.0)
Overview
Cisco has issued a warning regarding a maximum-severity zero-day vulnerability in AsyncOS, the operating system powering Cisco Secure Email Gateway (ESA). The flaw allows unauthenticated, remote attackers to gain root access to the appliance.
Technical Explanation
The vulnerability resides in the web-based management interface of the AsyncOS software.
- Mechanism: Improper validation of HTTP requests allows an attacker to send a specially crafted request to the management interface.
- Privilege Escalation: Successful exploitation bypasses authentication completely, granting the attacker root-level privileges on the underlying Linux-based OS.
- Actor Attribution: Cisco has linked active exploitation to UAT-9686, a China-nexus APT group.
Impact
- Complete Takeover: Attackers can modify email routing, install persistent backdoors, decrypt SSL traffic, and pivot internally to the wider network.
- Espionage: Perfect position for long-term intelligence gathering via email interception.
Technical Details & IOCs
- Affected Products: Cisco Secure Email Gateway, Cisco Secure Email and Web Manager.
- MITRE ATT&CK Mapping:
  - Initial Access: [T1190] Exploit Public-Facing Application.
  - Privilege Escalation: [T1068] Exploitation for Privilege Escalation.
- Threat Hunting (Log Patterns):
  - Look for HTTP requests to the management port (usually 443 or 8443) with abnormal header lengths or non-standard characters in the URI.
  - Check for unexpected processes running as root on the ESA appliance CLI.
- Remediation: Apply the emergency hotfix provided by Cisco immediately. Restrict management interface access to a strict allow-list of internal admin IPs.
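The hunting and remediation points above reduce to three checks per management-port request: is the source on the admin allow-list, is the header section abnormally large, and does the URI contain characters or encodings a legitimate management request would never carry. The script below is an added example, not Cisco's code and not from the advisory; it runs those checks over constructed access-log lines in an assumed `src_ip dst_port method uri status hdr_bytes=N` format. The allow-list network, the 8 KB header ceiling and the sample hosts are all assumptions.

```python
"""Added example (not Cisco's code nor from the advisory): triage constructed
access-log lines from an email-gateway management interface using the
report's hunting heuristics (requests to the management port with oversized
headers or non-standard URI characters) plus the allow-list check from the
remediation step. The log format, the hosts and the thresholds are assumed."""
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample lines: "<src_ip> <dst_port> <method> <uri> <status> hdr_bytes=<n>"
SAMPLE_ACCESS_LOG = """\
10.0.5.21 443 GET /login 200 hdr_bytes=512
10.0.5.21 443 POST /login 302 hdr_bytes=640
203.0.113.77 8443 GET /login 200 hdr_bytes=590
203.0.113.77 8443 POST /api/%00%00/../config 200 hdr_bytes=14200
10.0.5.22 443 GET /dashboard 200 hdr_bytes=480
198.51.100.9 25 EHLO - 250 hdr_bytes=0
"""

ADMIN_ALLOWLIST = [ipaddress.ip_network("10.0.5.0/24")]  # assumption: internal admin subnet
MANAGEMENT_PORTS = {443, 8443}
MAX_HEADER_BYTES = 8192   # assumption: typical server header-section limit
# Characters a legitimate management URI is expected to be built from (RFC 3986 set).
URI_SAFE = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")
LINE = re.compile(r"^(\S+) (\d+) (\S+) (\S+) (\d+) hdr_bytes=(\d+)$")


def uri_is_suspicious(uri):
    """True for non-standard characters, encoded NUL/control bytes or traversal."""
    if not URI_SAFE.match(uri):
        return True
    decoded = unquote(uri)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return True
    return "../" in decoded


def triage(log_text):
    """Return one dict per management-port request with its list of findings."""
    results = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        src, port, method, uri, status, hdr = m.groups()
        port, hdr = int(port), int(hdr)
        if port not in MANAGEMENT_PORTS:
            continue  # SMTP and other mail-flow traffic is out of scope here
        findings = []
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in ADMIN_ALLOWLIST):
            findings.append("source_not_in_admin_allowlist")
        if hdr > MAX_HEADER_BYTES:
            findings.append("oversized_headers")
        if uri_is_suspicious(uri):
            findings.append("non_standard_uri")
        results.append({"src": src, "method": method, "uri": uri,
                        "status": int(status), "findings": findings})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_ACCESS_LOG):
        flag = ", ".join(r["findings"]) or "ok"
        print(f"{r['src']:15} {r['method']:5} {r['uri']:30} {flag}")
```

Any request from outside the allow-list is a finding on its own, before the content heuristics run: under the remediation advice such a request should not be reachable at all, so its mere presence in the log is evidence the interface was exposed. The URI check decodes percent-encoding before looking for control bytes, since a raw byte scan on the encoded form would miss `%00` and `%0d%0a`.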
Takeaway for the CISO
Email gateways are high-value targets because they hold the “keys to the kingdom” for communication. If your management interfaces are internet-facing, you are already compromised.
- Action: Immediate isolation. Ensure no management ports for security appliances are exposed to the public internet.
3. Texas Tech University Health Sciences: The Interlock Ransomware
Date: December 16, 2025
Severity: Critical (Healthcare Disruption)
Overview
The Texas Tech University Health Sciences Center (TTUHSC) and its El Paso counterpart suffered a major ransomware attack disrupting clinical operations. The Interlock Ransomware gang has claimed responsibility.
Technical Explanation
Interlock is a relatively new but aggressive RaaS (Ransomware-as-a-Service) group known for double-extortion.
- Infiltration: Likely via phished VPN credentials or unpatched edge vulnerabilities (Citrix/Fortinet).
- Payload: Interlock encrypts files and appends a file extension (randomized in this campaign). It kills backup processes and deletes volume shadow copies using PowerShell scripts prior to encryption.
- Exfiltration: The group claims to have exfiltrated 2.6 TB of data, including 2.1 million patient files.
Impact
- Patient Safety: Disruption of computer systems and applications used for patient care.
- Data Privacy: Potential exposure of 1.4 million patients’ PII and PHI.
Technical Details & IOCs
- Malware: Interlock Ransomware.
- IOCs (File Artifacts):
  - Malicious binary often disguised as svchost.exe in %TEMP%.
  - Ransom note: !README_INTERLOCK!.txt.
- MITRE ATT&CK Mapping:
  - Impact: [T1486] Data Encrypted for Impact.
  - Defense Evasion: [T1070] Indicator Removal on Host (Shadow Copies).
Takeaway for the CISO
Healthcare remains the primary target for ransomware in Q4 2025. The sheer volume of data (2.6 TB) suggests a dwell time of days or weeks before encryption.
- Action: Review your Data Loss Prevention (DLP) alerts. A 2 TB outbound transfer should trigger every alarm in your SOC. If it didn’t, your thresholds are too loose.
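To make the threshold point concrete, here is an added example (not from the report, and not any vendor's DLP product) of the simplest outbound-volume detector that would have fired long before 2.6 TB left the network. It sums bytes sent from internal hosts to external addresses in a rolling 24-hour window over constructed flow records and reports the first time each host crosses the threshold. The internal ranges, the hosts, the flow format and the 50 GB threshold are assumptions; the second call in the test shows how a threshold loose enough to tolerate terabytes fires an hour later than a tight one on the same data.

```python
"""Added example (not from the report): a minimal outbound-volume detector of
the kind the DLP takeaway calls for, run over constructed flow records.
It sums bytes sent from internal hosts to external addresses in a rolling
24-hour window and alerts when a host crosses the threshold. The flow
format, the hosts and the 50 GB threshold are assumptions."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

GB = 1_000_000_000
THRESHOLD_BYTES = 50 * GB   # assumption: far below 2 TB, still generous for one host
WINDOW = timedelta(hours=24)
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/16")]  # assumption: RFC 1918 = internal

# Constructed flow records: (start time, src, dst, bytes sent src -> dst)
SAMPLE_FLOWS = [
    ("2025-12-13T08:00:00", "10.1.2.30", "10.1.9.5", 900 * GB),      # internal backup, ignored
    ("2025-12-13T09:00:00", "10.1.2.30", "203.0.113.50", 20 * GB),
    ("2025-12-13T15:00:00", "10.1.2.30", "203.0.113.50", 25 * GB),
    ("2025-12-14T02:00:00", "10.1.2.30", "203.0.113.50", 30 * GB),   # crosses 50 GB here
    ("2025-12-14T03:00:00", "10.1.2.30", "203.0.113.50", 2_500 * GB),
    ("2025-12-13T10:00:00", "10.1.4.7", "198.51.100.20", 3 * GB),    # normal user traffic
]


def is_internal(addr):
    """True when the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def detect_exfil(flows, threshold=THRESHOLD_BYTES, window=WINDOW):
    """Return {host: first timestamp its rolling outbound volume reached threshold}."""
    flows = sorted(flows, key=lambda f: f[0])   # ISO timestamps sort lexically
    recent = defaultdict(deque)   # host -> deque of (time, bytes) inside the window
    totals = defaultdict(int)     # host -> running sum of the deque contents
    first_alert = {}
    for ts, src, dst, nbytes in flows:
        if not is_internal(src) or is_internal(dst):
            continue                 # only internal -> external counts as outbound
        t = datetime.fromisoformat(ts)
        q = recent[src]
        while q and t - q[0][0] > window:   # expire records older than the window
            _, old = q.popleft()
            totals[src] -= old
        q.append((t, nbytes))
        totals[src] += nbytes
        if totals[src] >= threshold and src not in first_alert:
            first_alert[src] = ts
    return first_alert


if __name__ == "__main__":
    for host, when in detect_exfil(SAMPLE_FLOWS).items():
        print(f"{host} crossed {THRESHOLD_BYTES // GB} GB outbound at {when}")
```

The east-west backup flow is skipped on purpose: volume alone is a poor signal inside the network, but internal-to-external volume per host over a day is cheap to compute from NetFlow or proxy logs and is the figure the takeaway is really asking about.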
4. Rhode Island State Systems: “RIBridges” Blackout
Date: December 16, 2025
Severity: High (Critical Infrastructure)
Overview
A sophisticated cyberattack forced the state of Rhode Island to shut down the RIBridges system, which manages critical social services including Medicaid and food assistance (SNAP). Governor Dan McKee confirmed the breach affects “hundreds of thousands” of residents.
Technical Explanation
While specific attribution is ongoing, the attack pattern—targeting state-managed legacy databases—suggests an SQL Injection (SQLi) or exploitation of an unpatched web logic vulnerability.
- Attack Flow: Attackers likely compromised the web frontend of the RIBridges portal, allowing access to the backend database containing banking and personal information.
- Response: The state initiated a “hard kill” of the system to prevent further lateral movement, a drastic measure indicating a loss of control over the environment.
Impact
- Societal: Vulnerable populations unable to access benefits.
- Financial: Exposure of bank account routing numbers used for benefit direct deposits.
Takeaway for the CISO
State/Legacy systems are often fragile. When a “hard kill” (pulling the plug) is the chosen response, it indicates a lack of segmentation or confidence in containment capabilities.
- Action: Test your Incident Response (IR) plan for “Segmented Isolation” so you don’t have to take down an entire business unit to stop an infection.
5. Telecom Namibia: Sovereign Data Theft
Date: December 17, 2025
Severity: High (Sovereign/Strategic)
Overview
Hunters International, a ransomware group that rose from the ashes of Hive, has breached Telecom Namibia. The group refused to negotiate and leaked sensitive data regarding top government officials.
Technical Explanation
- Actor Profile: Hunters International uses a Rust-based ransomware variant, making analysis difficult due to complex code obfuscation.
- Targeting: They specifically target critical infrastructure in developing nations to exert maximum political pressure.
- Data Leaked: 500,000 records, including personal and financial data of senior government ministers.
Impact
- National Security: Exposure of private data belonging to government leadership could lead to targeted phishing or blackmail operations against state officials.
Takeaway for the CISO
Telecommunications providers are the backbone of national security. If you are in a critical sector, your threat model must include “Destructive/Extortion” actors who do not intend to decrypt, but rather intend to leak for maximum damage.
