LockBit Ransomware Group Returns to Top 10 with 112 Victims in December 2025
In a significant resurgence, the LockBit ransomware group has re-entered the top 10 ransomware operations by claiming 112 victims in December 2025, its first appearance there after going quiet from June to November 2025. The December campaign used the group's LockBit5 variant, with manufacturing, technology, and construction the most heavily hit sectors.
Background and Inactivity Period
The group had been absent from the top ranks since October 2024, a gap possibly explained by infrastructure overhauls and efforts to rebuild its core team and affiliate network, and it posted nothing at all between June and November 2025. In December 2025 LockBit also hit transportation, financial services, and healthcare organizations, so its targeting is opportunistic rather than confined to a few verticals. LockBit5 uses a hybrid encryption scheme: file contents are encrypted with ChaCha20, and the ChaCha20 keys are wrapped with an RSA-4096 public key whose private half stays with the operators, so recovery without the key is computationally infeasible. Data is exfiltrated before encryption, so the threat of publication adds leverage even where backups can restore the files.
Technical Operations and OPSEC Challenges
LockBit's operations rely on a modular builder that lets affiliates customize payloads, including self-propagation over SMB and RDP. Initial access typically comes from phishing that delivers Cobalt Strike beacons or from exploitation of vulnerable public-facing applications. The group's operational security, however, has been compromised repeatedly: recent leaks exposed domains, IP addresses, and builder configurations, including C2 servers on bulletproof hosting. The leaks stem from infighting among affiliates and from law enforcement action, notably Operation Cronos in February 2024, which seized key infrastructure but did not eliminate the decentralized RaaS model.
Implications for Defenders
Defenders should prioritize endpoint detection of LockBit's multi-stage loaders, which use process hollowing and reflective DLL injection to evade EDR. Network segmentation and zero-trust controls matter because LockBit moves laterally with PsExec and WMI. Indicators of compromise include the .lockbit5 file extension and ransom notes referencing the group's data leak site, but because the builder lets affiliates set the extension and note text, hunting should also key on behaviour (bursts of file renames from a single process, note files dropped across many directories) rather than on static strings alone. Continuous threat hunting and regular restore tests of offline or immutable backups remain the baseline.[1]
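The hunting logic described above, as an added example that is not part of the original article and not any vendor's code. It runs over a constructed stand-in for Sysmon/EDR file telemetry; the ".lockbit5" extension and ransom-note wording are taken from the article's IoC list, while the burst threshold, window, note-name pattern and the encryptor's image path are assumed values to tune for your environment.

```python
"""Hunt for LockBit-style encryption activity in file telemetry.

Added example, not code from the article or from any vendor. The event
records are a constructed stand-in for Sysmon/EDR file events; the
".lockbit5" extension and ransom-note wording come from the article's IoC
list, and the burst threshold, window and note-name pattern are assumed.
"""
import os
import re
from collections import defaultdict, deque
from dataclasses import dataclass

SUSPICIOUS_EXTENSIONS = {".lockbit5"}  # from the article; affiliates can change it
NOTE_NAME_RE = re.compile(r"(restore|readme|recover).*\.txt$", re.I)  # assumed naming
NOTE_BODY_RE = re.compile(r"lockbit|\.onion", re.I)  # references to the leak site
BURST_COUNT = 50       # assumed: renames per process per window that trip the alert
BURST_WINDOW_S = 10.0  # assumed sliding window


@dataclass
class FileEvent:
    ts: float       # epoch seconds
    host: str
    pid: int
    image: str      # process image path
    op: str         # "rename" or "create"
    path: str       # resulting path
    body: str = ""  # first bytes of a created text file, if the sensor captured them


def hunt(events):
    """Return (kind, host, pid, detail) findings for extension hits, rename bursts and notes."""
    findings = []
    recent_renames = defaultdict(deque)  # (host, pid) -> rename timestamps inside the window
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.op == "rename":
            ext = os.path.splitext(e.path)[1].lower()
            if ext in SUSPICIOUS_EXTENSIONS:
                findings.append(("extension", e.host, e.pid, e.path))
            # Extension-independent signal: one process renaming files in bulk.
            window = recent_renames[(e.host, e.pid)]
            window.append(e.ts)
            while window and e.ts - window[0] > BURST_WINDOW_S:
                window.popleft()
            if len(window) == BURST_COUNT:  # fire once each time the threshold is crossed
                findings.append(("rename_burst", e.host, e.pid, e.image))
        elif e.op == "create":
            name = os.path.basename(e.path)
            if NOTE_NAME_RE.search(name) and NOTE_BODY_RE.search(e.body):
                findings.append(("ransom_note", e.host, e.pid, e.path))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {"extension": 60, "rename_burst": 1, "ransom_note": 1}."""
    counts = defaultdict(int)
    for kind, *_ in findings:
        counts[kind] += 1
    return dict(counts)


def sample_events():
    """Constructed telemetry: one encryptor renaming 60 files and dropping a note, plus noise."""
    enc = "C:/Users/Public/svchost.exe"  # assumed masquerading image path, not a real IoC
    events = [FileEvent(1000.0 + i * 0.1, "ws01", 4242, enc, "rename",
                        f"C:/share/doc{i}.docx.lockbit5") for i in range(60)]
    events.append(FileEvent(1006.0, "ws01", 4242, enc, "create",
                            "C:/share/RESTORE-MY-FILES.txt",
                            "Your files are encrypted by LockBit. Visit our leak site on .onion"))
    # Benign noise: a spreadsheet save and an ordinary readme from another process.
    excel = "C:/Program Files/Microsoft Office/EXCEL.EXE"
    events.append(FileEvent(1001.0, "ws01", 777, excel, "rename", "C:/share/report.xlsx"))
    events.append(FileEvent(1002.0, "ws01", 777, excel, "create", "C:/share/readme.txt",
                            "project notes"))
    return events


if __name__ == "__main__":
    for finding in hunt(sample_events()):
        print(finding)
    print(summarize(hunt(sample_events())))
```

The rename-burst rule deliberately ignores the extension, so it keeps firing when an affiliate changes the suffix in the builder; the extension and note rules are the cheap, high-confidence matches for the specific campaign.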
Microsoft January 2026 Patch Tuesday Addresses 114 Vulnerabilities, Including Actively Exploited Flaw
Microsoft released its January 2026 Patch Tuesday update, remediating 114 security vulnerabilities in Windows systems, with eight rated Critical and one confirmed as actively exploited in the wild, emphasizing the persistent threat of zero-day attacks on widely deployed software.
Vulnerability Breakdown
The patches cover 58 privilege escalation flaws, 22 information disclosure issues, 21 remote code execution vulnerabilities, and five spoofing bugs, with eight further issues in other classes. The actively exploited bug is in the Desktop Window Manager (DWM), the compositor behind the Windows desktop. The flaw, tracked as CVE-2026-XXXX (hypothetical designation), lets an attacker already running code in a low-integrity process escalate to SYSTEM through improper handling of DWM Core Window messages, with no user interaction required. Because DWM is reachable from every interactive session, bugs of this kind are typically used as the second stage after a browser sandbox escape or a malicious document rather than as the initial entry point.
Technical Details of Key Exploits
The mechanics below are general patterns for these bug classes rather than confirmed details of the January fixes. DWM privilege escalations have historically involved race conditions or unvalidated state in cross-process window message handling through User32, where a malformed message (the article cites WM_DWMCOMPOSITIONCHANGED) corrupts a heap object, leading to type confusion and eventually a ROP chain. Kernel privilege escalations frequently target win32k.sys, where unvalidated system call or IOCTL arguments allow kernel memory manipulation. Information disclosure bugs that leak kernel pointers, for example through GDI object handling, matter because they defeat ASLR and are chained with the memory-corruption bugs above. Remote code execution paths include SMBGhost-like flaws (SMBGhost was CVE-2020-0796) in Windows Server networking code and Office file-parsing bugs exploited with heap sprays.
Deployment and Mitigation Strategies
Organizations should push the update through WSUS or Microsoft Update within 48 hours, starting with the actively exploited DWM bug and the eight Critical CVEs. Enforcing Control Flow Guard (CFG) and related mitigations through Windows Defender Exploit Protection, and capturing ETW telemetry for dwm.exe and its clients, lowers the odds that an unpatched host is exploited silently. Behavioural analytics that flag unusual interaction with DWM, combined with AppLocker or WDAC policies that block unsigned binaries, add a further layer. This cycle is the third-largest January release on record, a reminder of the sustained patch volume in an ecosystem as large as Windows.[2]
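One way to turn the prioritisation above into a repeatable triage, as an added example that is not from the article or from Microsoft. The advisory records are constructed to resemble the shape of the release (the DWM entry reuses the article's hypothetical CVE-2026-XXXX; the other identifiers are placeholders, not real CVEs), and the wave deadlines are an assumed policy: 48 hours for exploited or Critical items as the article recommends, then 7 days for remaining remote code execution bugs and 30 days for the rest.

```python
"""Triage a Patch Tuesday release into deployment waves and flag SLA misses.

Added example, not from the article or from Microsoft. Advisory records are
constructed; CVE identifiers are placeholders (the DWM entry reuses the
article's hypothetical CVE-2026-XXXX) and the wave deadlines are an assumed
policy: 48 h for exploited or Critical, 7 days for other RCE, 30 days otherwise.
"""
from dataclasses import dataclass

WAVE_DEADLINE_HOURS = {1: 48, 2: 7 * 24, 3: 30 * 24}  # assumed policy


@dataclass(frozen=True)
class Advisory:
    cve: str
    severity: str     # "Critical" or "Important"
    vuln_class: str   # "EoP", "RCE", "ID" (information disclosure), "Spoofing"
    exploited: bool   # exploitation observed in the wild at release time
    component: str


def wave(adv):
    """Wave 1: exploited or Critical; wave 2: remaining RCE; wave 3: everything else."""
    if adv.exploited or adv.severity == "Critical":
        return 1
    if adv.vuln_class == "RCE":
        return 2
    return 3


def plan(advisories):
    """Group CVE ids by wave, with exploited items first inside each wave."""
    grouped = {1: [], 2: [], 3: []}
    for adv in sorted(advisories, key=lambda a: (wave(a), not a.exploited, a.cve)):
        grouped[wave(adv)].append(adv.cve)
    return grouped


def overdue(advisories, remediated, hours_since_release):
    """CVEs whose wave deadline has passed and that are not yet in `remediated`."""
    late = [adv.cve for adv in advisories
            if adv.cve not in remediated
            and hours_since_release > WAVE_DEADLINE_HOURS[wave(adv)]]
    return sorted(late)


def sample_release():
    """Constructed subset shaped like the article's breakdown; identifiers are placeholders."""
    return [
        Advisory("CVE-2026-XXXX", "Important", "EoP", True, "Desktop Window Manager"),
        Advisory("CVE-2026-YYY1", "Critical", "RCE", False, "Office"),
        Advisory("CVE-2026-YYY2", "Critical", "RCE", False, "Windows Server SMB"),
        Advisory("CVE-2026-ZZZ1", "Important", "RCE", False, "Windows component"),
        Advisory("CVE-2026-ZZZ2", "Important", "EoP", False, "win32k.sys"),
        Advisory("CVE-2026-ZZZ3", "Important", "ID", False, "GDI"),
        Advisory("CVE-2026-ZZZ4", "Important", "Spoofing", False, "Windows component"),
    ]


if __name__ == "__main__":
    release = sample_release()
    for w, cves in plan(release).items():
        print(f"wave {w} (deadline {WAVE_DEADLINE_HOURS[w]} h): {cves}")
    # 72 h after release with only the DWM fix confirmed installed.
    print("overdue:", overdue(release, {"CVE-2026-XXXX"}, 72))
```

The exploited-in-the-wild flag, not the severity label, is what puts the DWM bug at the head of wave 1: it is rated Important, and a severity-only policy would have left it for the second or third wave.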
Cisco Urgently Patches ISE Vulnerability with Public Proof-of-Concept Exploit
Cisco has issued an emergency patch for a high-severity vulnerability in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), where a public proof-of-concept exploit enables remote attackers with admin privileges to access sensitive configuration data, posing risks to enterprise identity management infrastructures.
Vulnerability Mechanics
The flaw appears to be a path traversal or improper access control weakness in the REST API, allowing an authenticated admin to read arbitrary files, including the mntSDB databases that hold endpoint profiling data, user credentials, and sponsor portal configuration. Public PoCs send HTTP requests to /admin/API/mntSDB/ paths, bypass authorization checks with manipulated XML payloads, and extract API keys and posture assessment policies that support persistence and lateral movement. Arbitrary file read as an admin is still a real escalation on an appliance: the admin role is meant to be confined to the application, not to the underlying filesystem and its credential stores.
Attack Scenarios and Impact
In typical deployments ISE is the NAC policy enforcer, profiling devices through RADIUS, 802.1X, and MAB. An attacker who can read its data can spoof the MAC addresses of profiled endpoints, evade profiling, and pivot to those endpoints. Integration with Active Directory and pxGrid raises the stakes, since the stored credentials and trust relationships may be exposed. The vulnerability requires admin-level access, often obtained through default or reused credentials or phishing; on its own it is a post-compromise step, but chained with an initial foothold it shortens the path to domain dominance.
Remediation and Hardening
Apply the patch immediately, remove any exposure of the admin portal and API to untrusted networks, and trim admin roles so that as few accounts as possible hold the privilege the exploit needs. Monitor ISE's administrative audit logs for unusual API calls, in particular requests to /admin/API/mntSDB/ paths from unexpected sources or containing traversal sequences. Multi-factor authentication for the admin portal and micro-segmentation around ISE nodes are essential. Given the public PoC, scan your estate for unpatched instances; a version-fingerprint check with a tool like Nuclei is a quick way to find them.[3]
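The audit-log monitoring suggested above, as an added example that is not Cisco code. ISE's real audit export format differs; the single-line format parsed here (timestamp, user, source IP, quoted "METHOD path", status) is a constructed stand-in for what a SIEM would carry after normalisation. The /admin/API/mntSDB/ prefix comes from the article; the admin subnet, the bulk-read threshold and the sample requests are assumptions.

```python
"""Flag anomalous admin API calls in ISE-style audit records.

Added example, not Cisco code. The line format is a constructed stand-in
for a normalised ISE admin audit log; /admin/API/mntSDB/ is the path the
article names, the admin subnet and bulk-read threshold are assumed.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

ADMIN_NETS = [ip_network("10.10.0.0/24")]  # assumed management / jump-host range
SENSITIVE_API = re.compile(r"^/admin/API/mntSDB/", re.I)  # prefix from the article
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
BULK_READ_THRESHOLD = 3  # assumed: sensitive-API requests per (user, source) per batch
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)


def fully_decode(path):
    """Percent-decode until stable so double-encoded traversal (%252e%252e) is caught."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path


def analyze(lines):
    """Return alert dicts: per-request anomalies, unparsable lines and bulk readers."""
    alerts = []
    sensitive_reads = Counter()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            alerts.append({"kind": "unparsed", "line": raw})
            continue
        path = fully_decode(m["path"])
        src = ip_address(m["src"])
        reasons = []
        if TRAVERSAL.search(path):
            reasons.append("path_traversal")
        if SENSITIVE_API.match(path):
            sensitive_reads[(m["user"], m["src"])] += 1
            if not any(src in net for net in ADMIN_NETS):
                reasons.append("sensitive_api_from_unexpected_source")
        if reasons:
            alerts.append({"kind": "request", "user": m["user"], "src": m["src"],
                           "path": path, "status": m["status"], "reasons": reasons})
    for (user, src), count in sensitive_reads.items():
        if count >= BULK_READ_THRESHOLD:
            alerts.append({"kind": "bulk_read", "user": user, "src": src, "count": count})
    return alerts


SAMPLE_LOG = [  # constructed; paths under mntSDB are illustrative, not documented endpoints
    '2026-01-15T10:00:01Z admin 10.10.0.5 "GET /admin/API/mntSDB/session/activeList" 200',
    '2026-01-15T10:02:13Z admin 203.0.113.7 "GET /admin/API/mntSDB/%2e%2e/%2e%2e/etc/passwd" 200',
    '2026-01-15T10:02:14Z admin 203.0.113.7 "GET /admin/API/mntSDB/..%2f..%2f..%2fetc/shadow" 200',
    '2026-01-15T10:02:15Z admin 203.0.113.7 "GET /admin/API/mntSDB/%252e%252e/%252e%252e/opt/config" 403',
    '2026-01-15T10:05:00Z svc-monitor 10.10.0.9 "GET /admin/API/mnt/Version" 200',
    'malformed line that the collector truncated',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

A 403 on the fourth line does not suppress the alert: a blocked traversal attempt from outside the management range is still evidence that the admin account is being driven by someone probing for this bug, and the unparsed line is reported rather than dropped so that collector faults are visible.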
n8n Automation Platform Exposes 100,000 Servers to Unauthenticated RCE via Maximum-Severity Bug
A critical vulnerability in the open-source n8n workflow automation platform has left approximately 100,000 internet-exposed servers vulnerable to unauthenticated remote code execution, stemming from a flaw that requires no login credentials and enables full server takeover.
Flaw Description
The vulnerability lies in OAuth2 credential handling: insufficient input sanitization on the /rest/oauth2-credential/callback route lets an attacker drive a server-side request forgery that ends in command injection. The reported payloads are malicious redirect URIs carrying javascript:fetch(…) style strings that reach an eval-like code path in the credential handler. The CVSS score of 10.0 reflects network reachability with no authentication or user interaction and full impact on confidentiality, integrity, and availability.
Exploitation Chain
n8n listens on port 5678 by default, and self-hosted instances on VPSs are frequently exposed directly to the internet. Attackers enumerate them with Shodan, then trigger the flaw with a single POST to /rest/oauth2-credential/callback, injecting OS commands through template literal interpolation in workflow nodes. A successful exploit yields a reverse shell; persistence follows through cron jobs or modified workflows, and exfiltration targets the databases and APIs whose credentials the instance stores for its workflows.
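The bug class behind "template literal interpolation" above, shown as an added example that is not n8n code. n8n is a Node.js application and its expressions are JavaScript; this Python model only reproduces the pattern the article describes (attacker-controlled text spliced into a string that is then evaluated) next to the hardened alternative, which resolves the template as data. The {{ $json.field }} syntax is borrowed from workflow tools generally, and the function names, the filter allowlist and the payload are assumptions.

```python
"""Template interpolation executed as code versus resolved as data.

Added example, not n8n code. n8n is Node.js and evaluates JavaScript
expressions; this Python model shows only the bug class the article
describes and the fix. Syntax, helper names and the payload are assumed.
"""
import re

EXPR_RE = re.compile(r"\{\{\s*(.*?)\s*\}\}")
# Hardened grammar: a dotted path into $json, optionally followed by one allowlisted filter.
PATH_RE = re.compile(r"^\$json((?:\.[A-Za-z_]\w*)+)(?:\s*\|\s*(upper|lower))?$")
FILTERS = {"upper": str.upper, "lower": str.lower}

# Constructed payload: breaks out of the quoted value and calls into the os module.
# A real attacker would call os.system(...) or spawn a shell; getpid() keeps the demo inert.
PAYLOAD = "x' + str(__import__('os').getpid() > 0) + '"


def render_unsafe(template, data):
    """VULNERABLE (deliberately): $json.<field> is replaced by the raw value wrapped
    in quotes, then every {{ ... }} is evaluated. A value containing a quote breaks
    out of the literal and the rest of it runs as code."""
    text = template
    for key, value in data.items():
        text = text.replace("$json." + key, "'" + str(value) + "'")
    return EXPR_RE.sub(lambda m: str(eval(m.group(1))), text)  # the injection point


def render_safe(template, data):
    """Hardened: expressions are restricted to dotted lookups plus an allowlisted
    filter and resolved by walking the data; values are emitted verbatim and never
    re-parsed, so neither the template nor the data can reach an evaluator."""
    def resolve(match):
        expr = match.group(1)
        m = PATH_RE.match(expr)
        if not m:
            raise ValueError(f"unsupported expression: {expr!r}")
        current = data
        for segment in m.group(1).split(".")[1:]:
            if not isinstance(current, dict) or segment not in current:
                return ""  # missing field renders empty rather than failing open
            current = current[segment]
        value = str(current)
        return FILTERS[m.group(2)](value) if m.group(2) else value
    return EXPR_RE.sub(resolve, template)


def is_rejected(template, data=None):
    """True if the hardened renderer refuses the template outright."""
    try:
        render_safe(template, data or {})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(render_unsafe("Hello {{ $json.name.upper() }}", {"name": "alice"}))   # Hello ALICE
    print(render_unsafe("Hello {{ $json.name.upper() }}", {"name": PAYLOAD}))   # Hello xTrue
    print(render_safe("Hello {{ $json.name | upper }}", {"name": "alice"}))     # Hello ALICE
    print(render_safe("Hello {{ $json.name }}", {"name": PAYLOAD}))             # payload echoed as text
    print(is_rejected("{{ __import__('os').getpid() }}"))                        # True
```

The second print is the whole bug: "xTrue" proves the attacker's field value reached __import__ and the os module, which is exactly the step that becomes a reverse shell in the real exploit chain. The hardened renderer loses free-form expressions on purpose; transformations are added as named filters in code, never as syntax the data can supply.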
Defensive Measures
Upgrade to the patched version, put the instance behind a firewall or VPN rather than on the public internet, and audit for exposed instances. Validate webhooks and scope credentials to the minimum each workflow needs. Runtime controls such as SELinux or a container with a restrictive seccomp profile limit what an attacker can do after exploitation but do not prevent it. Organizations using n8n for CI/CD or IoT orchestration are at elevated risk because the stored credentials reach production systems, so inventory and patch immediately.[3]