December 1, 2025

News roundup December 1, 2025

San Mateo, CA, December 1, 2025 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.

Trump shuts down DOGE months ahead of schedule

The Trump administration shut down the Department of Government Efficiency (DOGE) months before its mandate was due to end, closing the Musk-led cost-cutting unit created by executive order in January. Scott Kupor of the Office of Personnel Management confirmed that the department has been dissolved, noting that “the principles of DOGE remain alive and well: de-regulation; eliminating fraud, waste and abuse; reshaping the federal workforce; making efficiency a first-class citizen.” Acting administrator Amy Gleason said she remained active, but the shutdown followed sustained criticism that DOGE’s cuts dismantled federal programs without producing clear savings and contributed to global deaths after USAID’s closure. The unit also faced allegations that it mishandled sensitive data of U.S. citizens, putting millions at risk. Read more.

FCC warns stations after attackers exploit unsecured Barix devices

The FCC warned that attackers have been compromising Barix network audio devices at radio stations in Texas and Virginia, using unsecured transmission paths to inject fake Emergency Alert System tones, simulated Attention Signals usually reserved for tornado or hurricane warnings, and offensive language. Stations often learned of the intrusions only after listener reports of emergency tones mixed with bigoted content. According to the FCC, the breaches stem from unpatched hardware, default passwords, and devices exposed outside firewalls, allowing threat actors to reroute Barix equipment to attacker-controlled streams. The FCC urged broadcasters to install security patches, rotate strong passwords, place EAS and Barix units behind firewalls with VPN access restricted to authorized systems, monitor logs for abnormal access, and follow CSRIC best practices. No widespread outages have surfaced, but regulators stressed that correct configuration and routine maintenance are essential as adversaries continue probing broadcast infrastructure. Read more.

Congress calls in tech leaders after AI used in major espionage effort

The House Homeland Security Committee is summoning Anthropic CEO Dario Amodei to testify on December 17 after the company disclosed that a likely Chinese state-backed actor used Claude to automate portions of a broad cyber-espionage operation targeting at least 30 global organizations. Committee leaders praised the disclosure but called the incident a turning point, stressing that it shows how capable adversaries can weaponize commercially available U.S. AI systems even when guardrails are strong and misuse is quickly addressed. Lawmakers also invited Google Cloud CEO Thomas Kurian and Quantum Xchange CEO Eddy Zervigon, highlighting concerns about how AI, quantum computing, and hyperscale cloud infrastructure are reshaping both attack tradecraft and defensive strategies. Letters to Zervigon warn that adversaries may pair AI-enabled techniques with emerging quantum capabilities to erode current cryptographic protections, making expertise in quantum-resilient technologies and cryptographic agility essential. Read more.

Amazon debuts AI agents that test attacks and propose defenses

Amazon’s new Autonomous Threat Analysis (ATA) system shows how generative AI is shifting defensive security work by letting specialized AI agents rapidly test attack techniques, validate results with high-fidelity telemetry, and propose effective countermeasures while a “human in the loop” reviews final actions. Born from a 2024 hackathon, ATA uses competing red and blue team agents that execute real commands in production-grade test environments, ensuring every finding includes verifiable logs, which Amazon says makes hallucinations impossible. Engineers note that ATA uncovers new variants of known threats, including Python reverse-shell tactics, and generates defenses that have already proven fully effective. ATA handles repetitive analysis, allowing human experts to focus on complex issues. Amazon plans to extend it into real-time incident response. Read more.

DPRK-linked group upgrades macOS lure tactics and credential theft tools

A DPRK-aligned threat actor behind the FlexibleFerret malware is expanding its macOS credential-theft operations by refining fake recruitment workflows that lure job seekers into running malicious Terminal commands. Jamf Threat Labs reports that attackers are now using architecture-aware loaders, more convincing web-based “assessment portals,” and a signed decoy app that imitates macOS permission prompts before displaying a Chrome-style password window to steal credentials. The updated Go backdoor supports wider command execution, including file transfer, browser data harvesting, and keychain extraction. Jamf warns that “FlexibleFerret remains an active threat on macOS,” adding that organizations should instruct users to treat unsolicited interview tasks or Terminal-based “fix” instructions as high-risk and report them immediately. Read more.

Pre-auth RCE in Identity Manager added to CISA KEV amid active attacks

Researchers confirmed active exploitation of CVE-2025-61757, a pre-authentication remote code execution flaw in Oracle Identity Manager. Attackers can bypass the REST web services authentication filter by manipulating URL parameters, allowing them to run Groovy code and take control of the system. Once inside, adversaries gain access to identity workflows, user provisioning pipelines, and any integrated authentication services. The flaw carries a 9.8 CVSS rating and has been added to CISA’s Known Exploited Vulnerabilities catalog, which signals urgent risk for any enterprise that relies on Identity Manager for core identity operations. Organizations are being urged to patch immediately because exploitation provides attackers with a direct path into high-value identity infrastructure that supports critical business applications. Read more.

FBI reports surge in bank-support impersonation and account takeovers

The FBI is warning of a sharp rise in account takeover fraud, in which threat actors impersonate bank support teams to trick victims into handing over credentials or approving transfers, resulting in at least $262 million stolen so far this year. Attackers combine social engineering, credential stuffing, and phone-based impersonation to bypass multi-factor controls and convert account access into rapid financial fraud. The scale and success rate of these operations reflect a broader shift toward identity-centric attacks that exploit human trust as much as technical weaknesses. The advisory stresses immediate detection controls such as transaction anomaly monitoring, robust customer authentication, and staff training to resist scripted impersonation attempts. It also urges victims and institutions to treat suspected incidents as time-sensitive, high-priority events to reduce financial loss and speed recovery. Read more.

Critical Fluent Bit flaws allow log tampering and remote code execution

New research from Oligo Security revealed multiple critical vulnerabilities in Fluent Bit, the widely deployed cloud-native log processor, that can be chained to allow log tampering, remote code execution, and potential cloud compromise. The flaws affect billions of containerized deployments because Fluent Bit is commonly used to collect and forward telemetry from applications and infrastructure. Attackers who can alter or suppress logs can both hide intrusions and inject malicious payloads into downstream systems. Researchers warn that vulnerable Fluent Bit instances are attractive targets for attackers seeking to gain a foothold in cloud environments or pivot from logging infrastructure to broader cloud takeover. Organizations should inventory all Fluent Bit deployments, apply vendor patches or mitigations immediately, and validate logging integrity as part of incident detection and response, since restored or altered logs can undermine forensic timelines and recovery efforts. Read more.
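The advice above to validate logging integrity is easier to act on with a concrete mechanism. The following Go program is an added example, not code from Oligo Security, Fluent Bit, or this roundup: it keeps a SHA-256 hash chain over records as they are ingested, then re-checks a log store against the stored digests so that an edited, suppressed, or out-of-band appended record is reported by position. The log lines, the `log-chain-genesis` anchor, and the host names are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// sampleRecords are constructed log lines standing in for what a collector
// such as Fluent Bit would forward; they are not taken from any real system.
var sampleRecords = []string{
	`{"ts":"2025-11-28T10:01:02Z","host":"web-1","msg":"sshd: Accepted publickey for deploy"}`,
	`{"ts":"2025-11-28T10:01:09Z","host":"web-1","msg":"sudo: deploy : COMMAND=/usr/bin/curl http://example.invalid/x"}`,
	`{"ts":"2025-11-28T10:01:15Z","host":"web-1","msg":"sshd: Accepted password for root"}`,
}

// ChainDigests computes a SHA-256 hash chain over the records at ingest time:
// digest[i] = SHA256(digest[i-1] || record[i]), anchored to a fixed genesis value.
// Each digest commits to every earlier record, so editing or dropping one record
// changes every digest from that point on.
func ChainDigests(records []string) []string {
	prev := sha256.Sum256([]byte("log-chain-genesis")) // assumed anchor; any fixed value works
	digests := make([]string, len(records))
	for i, rec := range records {
		h := sha256.New()
		h.Write(prev[:])
		h.Write([]byte(rec))
		sum := h.Sum(nil)
		copy(prev[:], sum)
		digests[i] = hex.EncodeToString(sum)
	}
	return digests
}

// VerifyChain recomputes the chain over the records the store holds now and
// compares it with the digests kept separately (ideally on write-once storage).
// It returns the index of the first record that no longer matches, or -1 when
// the sequence is intact. Suppressed records show up as a mismatch at the point
// of removal; records appended outside the chain show up at index len(expected).
func VerifyChain(records, expected []string) int {
	got := ChainDigests(records)
	for i := range expected {
		if i >= len(got) || got[i] != expected[i] {
			return i
		}
	}
	if len(got) > len(expected) {
		return len(expected)
	}
	return -1
}

func main() {
	expected := ChainDigests(sampleRecords)

	// Scenario 1: the sudo line is rewritten to hide the download.
	edited := append([]string(nil), sampleRecords...)
	edited[1] = `{"ts":"2025-11-28T10:01:09Z","host":"web-1","msg":"sudo: deploy : COMMAND=/usr/bin/true"}`
	fmt.Println("edited record detected at index:", VerifyChain(edited, expected))

	// Scenario 2: the root login line is dropped entirely.
	suppressed := append([]string(nil), sampleRecords[:2]...)
	fmt.Println("suppressed record detected at index:", VerifyChain(suppressed, expected))

	fmt.Println("untouched store (-1 means intact):", VerifyChain(sampleRecords, expected))
}
```

The digests only help if they are stored somewhere the log pipeline itself cannot rewrite; shipping them alongside the records in the same Fluent Bit output defeats the purpose.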

Researchers uncover global campaign targeting end-of-life ASUS WRT devices

SecurityScorecard's STRIKE team has uncovered a massive global campaign called Operation WrtHug, in which roughly 50,000 end-of-life ASUS WRT routers have been hijacked. The attackers exploit six known vulnerabilities, including command injection and improper authentication, to gain control of these outdated devices. STRIKE researchers found that many compromised routers share a self-signed TLS certificate with a 100-year expiration, a striking red flag. The campaign is strongly suspected to be China-linked, both because of its technical profile and the geographic distribution of devices. SecurityScorecard warns that hijacked routers may serve as operational relay nodes, potentially forming a stealthy global espionage network. Read more.
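The shared 100-year self-signed certificate is the kind of indicator a defender can check for across an inventory of devices. The Go program below is an added example, not code from SecurityScorecard's report: it flags a certificate that is both self-signed and valid for longer than a policy threshold, and it groups hosts by certificate fingerprint so that one certificate reused across many devices stands out. The `maxPolicyValidity` threshold, the generated sample certificate, and the host addresses are assumptions made for the example; in practice the certificates would come from each device's TLS listener.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// maxPolicyValidity is an assumed threshold for this example; choose one that
// fits your fleet. Public CAs cap leaf validity at 398 days, so a device cert
// valid for decades deserves a look.
const maxPolicyValidity = 5 * 365 * 24 * time.Hour

// Finding records what the checks concluded about one certificate.
type Finding struct {
	Fingerprint   string
	SelfSigned    bool
	ValidityYears float64
	Suspicious    bool
}

// InspectCert flags a certificate that is self-signed (subject equals issuer and
// the signature verifies under its own key) and carries an implausibly long
// validity window, the combination the report describes.
func InspectCert(cert *x509.Certificate) Finding {
	sum := sha256.Sum256(cert.Raw)
	f := Finding{Fingerprint: hex.EncodeToString(sum[:])}
	if cert.Subject.String() == cert.Issuer.String() &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		f.SelfSigned = true
	}
	validity := cert.NotAfter.Sub(cert.NotBefore)
	f.ValidityYears = validity.Hours() / (24 * 365)
	f.Suspicious = f.SelfSigned && validity > maxPolicyValidity
	return f
}

// SharedCerts groups hosts by certificate fingerprint and keeps only the
// fingerprints seen on more than one host: one key reused across many devices
// is a fleet-level indicator no single scan would show.
func SharedCerts(byHost map[string]*x509.Certificate) map[string][]string {
	seen := map[string][]string{}
	for host, cert := range byHost {
		fp := InspectCert(cert).Fingerprint
		seen[fp] = append(seen[fp], host)
	}
	for fp, hosts := range seen {
		if len(hosts) < 2 {
			delete(seen, fp)
		}
	}
	return seen
}

// ParsePEMCert decodes the first CERTIFICATE block in pemBytes.
func ParsePEMCert(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// MakeSelfSignedPEM builds a constructed self-signed certificate with the given
// validity so the checks can run offline; it stands in for a certificate pulled
// from a device.
func MakeSelfSignedPEM(cn string, validity time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now,
		NotAfter:     now.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Constructed fleet: two devices presenting the same 100-year self-signed cert.
	shared, _ := MakeSelfSignedPEM("router", 100*365*24*time.Hour)
	c1, _ := ParsePEMCert(shared)
	c2, _ := ParsePEMCert(shared)
	fmt.Printf("%+v\n", InspectCert(c1))
	fleet := map[string]*x509.Certificate{"192.0.2.10": c1, "192.0.2.11": c2}
	fmt.Println("fingerprints shared across hosts:", SharedCerts(fleet))
}
```

Neither check proves compromise on its own: vendors ship long-lived self-signed certificates in factory firmware too. The useful signal is the combination with the other facts in the report, an end-of-life model and a certificate that many unrelated hosts present.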

CrowdStrike finds DeepSeek-R1 generates insecure code under politically sensitive prompts

CrowdStrike researchers found that the Chinese large-language model DeepSeek-R1 produces significantly more vulnerable code when its system prompt includes politically sensitive terms such as "Tibet," "Uyghurs," or "Falun Gong." According to their tests, the likelihood of generating "severe security vulnerabilities" rises by up to fifty percent under those conditions. In one example, DeepSeek-R1 was tasked with writing a PayPal webhook handler for a fictional bank in Tibet. The generated PHP code hard-coded secrets, lacked proper input validation, and was not even syntactically valid. CrowdStrike also observed what they describe as an "intrinsic kill switch" that causes the model to plan an answer to sensitive prompts internally but then refuse to output it, saying, "I'm sorry, but I can't assist with that request." Read more.

About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.