Two Americans Plead Guilty to Assisting Ransomware Attacks
This summary covers the December 30, 2025, Department of Justice announcement that Ryan Goldberg and Kevin Martin pled guilty to conspiring in ransomware attacks against US companies, detailing their technical roles and broader implications for ransomware infrastructure.
Background and Charges
Ryan Goldberg and Kevin Martin, both US citizens, admitted to participating in a conspiracy to obstruct commerce through extortion by deploying ransomware against multiple American businesses. Their involvement centered on providing critical technical support to international ransomware operators, specifically in the deployment and management of malware payloads targeting corporate networks.
Technical Details of Involvement
The duo assisted in customizing ransomware variants, likely derived from known families such as LockBit or Conti derivatives, by modifying encryption algorithms and exfiltration tools. They handled initial access broker activities, using phishing kits with embedded payloads that exploited vulnerabilities in remote desktop protocols and unpatched VPN gateways. Once inside victim environments, they deployed Cobalt Strike beacons for lateral movement, leveraging Mimikatz for credential dumping and BloodHound for Active Directory enumeration to escalate privileges.
Ransomware Deployment Mechanics
Key to their operation was the use of double extortion tactics: first encrypting data with AES-256 and ChaCha20 ciphers, then exfiltrating sensitive files via OnionShare or Rclone to bulletproof hosting providers. They configured persistence through scheduled tasks and registry run keys, ensuring reboot resilience. Communication with command-and-control servers occurred over Tor-hidden services, obfuscated with domain generation algorithms to evade IP-based blocking.
Investigation and Guilty Plea Ramifications
Federal investigators traced their activities via blockchain analysis of Bitcoin ransom payments and endpoint detection logs from compromised systems. The pleas result in mandatory restitution and cooperation mandates, potentially disrupting affiliated ransomware-as-a-service platforms by exposing builder kits and affiliate dashboards.
Implications for Defenders
Organizations should prioritize endpoint detection rules for anomalous PowerShell executions and network flows to dynamic DNS resolvers, hallmarks of their access techniques. Enhanced monitoring of jump servers and implementation of least-privilege segmentation can mitigate similar insider-assisted threats.
Hacker Group Claims Leak of Wired.com User Data
A hacker named “Lovely” claimed on a dark web forum to possess and intend to leak personal data of 2.3 million Wired.com users, owned by Conde Nast, highlighting risks in media sector data management and initial access vectors employed.
Claim Details and Data Scope
The actor posted screenshots evidencing a dataset including email addresses, IP logs, partial payment card details, and browsing histories from Wired.com’s user database. Extraction likely stemmed from a SQL injection flaw in legacy content management systems or compromised admin credentials via credential stuffing.
Technical Breach Analysis
Initial access probably involved exploiting exposed API endpoints without rate limiting, allowing enumeration of user IDs followed by bulk dumps via UNION-based SQLi. Data was siphoned using tools like sqlmap, with compression via 7-Zip and upload to BreachForums or Exploit.in for auction. Metadata stripping occurred post-exfiltration to hinder forensic tracing.
Media Sector Vulnerabilities Exposed
Conde Nast’s infrastructure, reliant on WordPress plugins and third-party analytics, presents common attack surfaces: outdated Joomla instances and misconfigured Redis caches. Attackers favor supply chain compromises, injecting malicious JavaScript trackers that beacon user data to attacker-controlled domains.
Response Recommendations
Victims should enable multi-factor authentication resets and monitor for phishing spikes. Enterprises must audit API permissions, implement web application firewalls with OWASP rulesets, and conduct regular database encryption assessments to prevent similar exposures.
NIST Releases Draft Cybersecurity Framework Profile for AI
NIST published a preliminary draft of the “Cybersecurity Framework Profile for Artificial Intelligence,” offering guidance to integrate AI into operations under CSF 2.0, addressing risks in model training, deployment, and adversarial attacks.
Framework Structure Overview
The profile maps AI lifecycle stages—design, development, deployment, operation—to CSF 2.0 functions: Govern, Identify, Protect, Detect, Respond, Recover. It emphasizes risk management for generative models, including prompt injection defenses and data poisoning mitigations.
Key Technical Guidance
For AI systems, NIST recommends federated learning to minimize data centralization risks, differential privacy with epsilon values under 1.0 for training datasets, and robust watermarking for synthetic outputs. Adversarial robustness testing involves PGD attacks on neural networks, measuring perturbation budgets via L-infinity norms.
Implementation Controls
Organizations must deploy model cards documenting biases, hallucination rates, and supply chain dependencies. Runtime monitoring uses drift detection algorithms like Kolmogorov-Smirnov tests on input distributions, triggering alerts for shadow AI deployments via network anomaly detection on LLM API calls.
Adoption Challenges
Challenges include shadow model sprawl and fine-tuning exploits where attackers craft payloads evading safeties. NIST advocates zero-trust for AI pipelines, with human-in-the-loop for high-risk inferences and continuous red-teaming simulating jailbreak prompts.
CISA and NSA Warn of Chinese BRICKSTORM Backdoor
CISA, NSA, and Canadian partners issued a joint alert on Chinese state-sponsored actors deploying BRICKSTORM, a sophisticated backdoor for persistent access in government and IT networks, detailing its evasion tactics and indicators.
Backdoor Capabilities
BRICKSTORM operates as a kernel-mode implant, hooking SSDT tables for process injection and API monitoring. It uses polymorphic code mutation, regenerating shellcode variants via metamorphic engines to bypass YARA signatures and static analysis.
Infection Vectors and Persistence
Delivery occurs via spear-phishing with ISO-mounted droppers or compromised firmware updates exploiting UEFI bootkits. Persistence leverages WMI event subscriptions and alternate data streams in NTFS, with C2 over DNS tunneling using TXT records encoded in Base32.
Evasion and Exfiltration Techniques
The malware employs living-off-the-land binaries, abusing certutil for downloads and bitsadmin for staging. Network traffic mimics HTTPS to CDNs, with jittered beacons and domain fronting. Exfiltration packs data into RAR archives, fragmented over ICMP for stealth.
Detection and Mitigation
Defenders should hunt for anomalous ETW patches and driver loads via Sysmon logs. Mitigation includes AppLocker whitelisting, kernel integrity via HVCI, and behavioral analytics flagging process hollowing from lsass.exe injections.
Oracle January 2026 CPU Addresses 337 Vulnerabilities
Oracle’s first 2026 Critical Patch Update delivers 337 security fixes across over 30 products, resolving 230 unique vulnerabilities, with emphasis on Fusion Middleware and critical RCE flaws requiring immediate patching.
Vulnerability Breakdown
The update patches 112 CVEs in Oracle Fusion Middleware, including deserialization gadgets in WebLogic leading to unauthenticated RCE. Database Server fixes target buffer overflows in SQL parsing engines, exploitable via crafted PL/SQL blocks.
Exploitation Risks
High-severity issues feature chainable flaws: authentication bypass via manipulated SAML assertions followed by XXE in XML parsers for file reads. Attackers weaponize these with ROP chains bypassing ASLR, targeting JVM sandboxes.
Patching Priorities
Prioritize CVEs with public PoCs, such as those in Oracle Access Manager enabling session fixation. Workarounds include disabling JNDI lookups and enforcing TLS 1.3 with HSTS, alongside network segmentation isolating management interfaces.
CISA Adds Four Vulnerabilities to KEV Catalog
CISA updated its Known Exploited Vulnerabilities catalog with four flaws showing active wild exploitation, mandating federal fixes by February 12, 2026, including a Zimbra bug and others tied to supply chain phishing.
Newly Added Vulnerabilities
The catalog includes CVE-2025-68645 in Zimbra, exploited since January 14 via authentication bypass for collabd RCE. Others involve open-source packages compromised through maintainer phishing, publishing trojanized npm wheels with embedded Cobalt Strike.
Exploitation Patterns
Attackers phish maintainers with fake verification links harvesting tokens, then inject malicious tarballs with post-install scripts downloading payloads from GitHub mirrors. In-memory execution uses reflective DLL loading to evade disk forensics.
Federal Response Mandates
BOD 22-01 requires FCEB patching, with BOD-compliant scanners verifying mitigations. Organizations implement vulnerability management using EPSS scores, prioritizing based on exploit maturity and asset criticality.