This week, we’re watching three converging forces: state-backed attackers using AI agents for espionage, ransomware crews hitting logistics and software providers that sit in the middle of global supply chains, and Europe hardening its regulatory stance with a fresh NIS2 implementation law in Germany and cloud sovereignty moves at the EU level. Together, they point to a 2025 where who you depend on is as important as what you run.
🔝 Top Stories
AI-orchestrated cyber espionage: Chinese state group leans on agentic AI
Anthropic disclosed what it calls the first “AI-orchestrated” cyber-espionage campaign, where a China-linked group used Claude’s coding agent to automate intrusion steps against about 30 global targets. The AI agent handled 80–90% of mundane attack work: scripting recon, generating exploit proof-of-concepts, and iterating on tooling while operators steered it via higher-level prompts. Anthropic
💡 Key Takeaway: Assume that state actors can now industrialize intrusion workflows with AI agents. Treat detection of “weird but compilable” code and bursty recon activity as signals, and ensure red-teaming and threat hunting incorporate AI-powered adversary simulations.
Ransomware at logistics and software providers turns supply chains into blast-radius multipliers
Ransomware operators continued to aim upstream at logistics and software platforms that move goods and data for everyone else:
- Japanese retailer Askul halted online orders and shipments after a ransomware incident crippled its systems, disrupting operations for several major retailers that rely on its logistics network. The Record
- In the UK, a ransomware hit on retail software provider Blue Yonder disrupted operations for major brands, including Starbucks and leading supermarket chains, highlighting how a single SaaS provider can stall hundreds of stores. BlackFog
We’re seeing ransomware groups behave more like systemic risk investors: going after logistics hubs, routing software, and fulfillment partners that sit between manufacturers, retailers, and customers.
💡 Key Takeaway: Treat logistics, retail platforms, and operational SaaS providers as tier-1 critical suppliers, even if they’re “just” backend services. Map these dependencies explicitly and require ransomware playbooks, immutable backup proofs, and incident communication SLAs in contracts.
Europe sharpens cloud & data sovereignty – Cloud & AI Act plus sovereignty push
French and German leaders jointly called for a unified EU data-governance and cloud sovereignty architecture, urging the European Commission to adjust cybersecurity and data rules to ensure that critical EU data stays under EU law and infrastructure. Élysée
In parallel, the Commission is preparing a Cloud and AI Development Act to at least triple EU data-centre capacity over the next 5–7 years and reduce reliance on non-EU hyperscalers, framed explicitly as a digital sovereignty and security move. European Commission
💡 Key Takeaway: If you operate in or serve the EU, start tagging workloads by sovereignty sensitivity now and design multi-cloud / regional portability—so you’re not refactoring under regulatory fire drills in 12–24 months.
🐞 Vulnerability Spotlight
Cisco Secure Firewall ASA/FTD flaws still exploited in ArcaneDoor-style campaigns
CISA re-warned that two Cisco Secure Firewall ASA and FTD vulnerabilities (CVE-2025-20333 and CVE-2025-20362) remain under active exploitation in ArcaneDoor-linked campaigns against government and high-value networks. Despite an emergency directive and patches, tens of thousands of vulnerable devices are still online, especially where web services on older ASA 5500-X gear are exposed. Cisco · TechRadar Pro
💡 Key Takeaway: Treat edge firewalls like domain controllers for patch priority. Verify, don’t assume, that the Cisco fixes are actually applied—especially where appliances were upgraded or replaced after September.
WSUS remote code execution (CVE-2025-59287) enters KEV – patch your update servers
A Windows Server Update Services (WSUS) remote code execution flaw, CVE-2025-59287, was patched in October and November security updates and is now called out in multiple advisories as actively exploited. The bug allows attackers who can reach WSUS to achieve RCE on the server—a prime target for supply-chain style compromise of downstream endpoints. Orca Security · TechRadar Pro
💡 Key Takeaway: Prioritize WSUS and other patch/orchestration servers as “crown-jewel infra.” Segment them, require strong auth, and confirm the November patches (and subsequent mitigations) are deployed before year-end change freezes.
D-Link DIR-878 end-of-life routers get public PoC for multiple RCE bugs
D-Link warned that four vulnerabilities (CVE-2025-60672 through -60676) in its discontinued DIR-878 routers allow unauthenticated remote code execution and arbitrary command execution. Security researchers have already released detailed technical write-ups and PoC exploit code, and while the model is end-of-life, it’s still widely deployed in SMB and home-office environments and popular on resale markets—prime botnet fodder. D-Link · BleepingComputer
💡 Key Takeaway: You can’t harden what you don’t inventory. Sweep for DIR-878 and other EoL routers (especially in home/branch offices), replace them, and block management interfaces from the open internet.
📈 Trend to Watch
The “Golden Quarter” of ransomware – volume up 41%, with supply chains in the crosshairs
October ransomware volumes jumped 41% month-over-month, kicking off what some analysts are calling ransomware’s “Golden Quarter” of 2025. At the same time, incident data shows groups like Akira, Qilin, Inc Ransom and others concentrating on service providers, logistics platforms, and retailers, aiming to multiply leakage and downtime across dependent enterprises. NCC Group
This is less about single “big game” victims and more about compounding systemic pressure—especially as attackers chain data theft, DDoS, and harassment tactics.
💡 Key Takeaway: Move from “my org” to “my ecosystem” in ransomware planning. Extend tabletop exercises and backup validation to include key SaaS/logistics providers, and define what “minimum viable operations” looks like if two or three of them fail at once.
⚖️ Policy & Regulation Watch
Germany finally implements NIS2 – with real teeth for management
Germany has passed its long-delayed NIS2 Implementation Act, bringing the EU’s updated network and information security directive into German law. The law significantly expands the number of entities in scope and makes cybersecurity a management-level duty, with personal liability and substantial fines for non-compliance. It is expected to enter into force before the end of 2025, with no generous transition period. SKW Schwarz
For many medium and large German organizations—plus non-EU providers serving them—this turns “nice-to-have” best practices into binding governance and documentation obligations.
💡 Key Takeaway: If you’re in or serving Germany/EU, treat NIS2 like GDPR for operational security. Assign accountable execs, run a NIS2 gap assessment, and align your risk register, incident response, and supply-chain controls to the directive’s language.
🛠️ Tool / Resource of the Week
Ransomware.live – near-real-time view of who’s getting hit
Ransomware.live tracks victims claimed by major ransomware groups, including industry, geography, and discovery dates, offering a near real-time picture of campaigns and sectors under pressure.
Used correctly (and carefully), it’s a simple but powerful way to:
- See which sectors and regions attackers are currently prioritizing.
- Cross-check whether your suppliers or partners have quietly appeared on leak sites.
- Feed threat intel and tabletop scenarios with real, recent incidents.
💡 Key Takeaway: Subscribe your intel / TI team to a lightweight daily or weekly review of ransomware victim feeds and bake “supplier on leak site” into third-party incident playbooks.
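As an added example (not code from the newsletter or from Ransomware.live), here is a Python sketch of the “supplier on leak site” check described above: it canonicalises company names, matches a victim feed against a third-party register, and ranks hits by supplier tier and recency. The feed layout, supplier register, names and dates are all constructed assumptions.

```python
import re
from datetime import date

# Constructed sample of a leak-site victim feed (fictional names and dates), shaped like
# the fields the newsletter mentions: group, victim, sector, discovery date.
VICTIM_FEED = [
    {"group": "akira", "victim": "Example Logistics Ltd.", "sector": "Transportation", "discovered": "2025-11-12"},
    {"group": "qilin", "victim": "examplesoft", "sector": "Technology", "discovered": "2025-11-10"},
    {"group": "inc ransom", "victim": "Northwind Yarns S.p.A.", "sector": "Manufacturing", "discovered": "2025-09-01"},
    {"group": "everest", "victim": "Unrelated Retail Corp", "sector": "Retail", "discovered": "2025-11-13"},
]
# Constructed third-party register: display name, known aliases/domains, supplier tier.
SUPPLIERS = [
    {"name": "Example Logistics", "aliases": ["examplelogistics.example"], "tier": 1},
    {"name": "ExampleSoft Inc", "aliases": [], "tier": 1},
    {"name": "Northwind Yarns", "aliases": ["northwind-yarns.example"], "tier": 3},
    {"name": "Acme Cloud", "aliases": ["acmecloud.example"], "tier": 2},
]
AS_OF = date(2025, 11, 15)  # constructed "today" so the run is deterministic
LEGAL_SUFFIXES = r"\b(inc|ltd|llc|gmbh|s p a|spa|co|corp|plc|sa|ag)\b"

def name_key(name: str) -> str:
    """Canonical key: lowercase, drop a trailing TLD, punctuation, legal suffixes, spaces."""
    n = name.lower()
    n = re.sub(r"\.[a-z]+$", "", n)      # "northwind-yarns.example" -> "northwind-yarns"
    n = re.sub(r"[^a-z0-9]", " ", n)     # punctuation to spaces
    n = re.sub(LEGAL_SUFFIXES, " ", n)   # "example logistics ltd" -> "example logistics"
    return "".join(n.split())

def check_suppliers(feed, suppliers, as_of: date, window_days: int = 60):
    """Return supplier hits found in the victim feed, tier-1 and newest first.

    Matching is on exact canonical keys (name or alias), deliberately not fuzzy:
    a false "supplier on leak site" alert burns IR time, so extend the alias list
    rather than loosening the comparison.
    """
    index = {name_key(label): s for s in suppliers for label in [s["name"], *s["aliases"]]}
    hits = []
    for entry in feed:
        s = index.get(name_key(entry["victim"]))
        if s is None:
            continue
        age = (as_of - date.fromisoformat(entry["discovered"])).days
        hits.append({"supplier": s["name"], "tier": s["tier"], "group": entry["group"],
                     "discovered": entry["discovered"], "age_days": age,
                     "recent": age <= window_days})
    return sorted(hits, key=lambda h: (h["tier"], h["age_days"]))

if __name__ == "__main__":
    for h in check_suppliers(VICTIM_FEED, SUPPLIERS, AS_OF):
        flag = "ACTION" if h["recent"] else "historical"
        print(f"[{flag}] tier-{h['tier']} {h['supplier']} listed by {h['group']} on {h['discovered']}")
```

Hits older than the window are still returned, flagged as historical, so a stale listing can feed tabletop scenarios without paging the on-call team.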
⚡ Quick Hits
Oracle reportedly listed by Clop after E-Business Suite 0-day exploitation — Clop claims to have breached Oracle via an E-Business Suite zero-day, listing the company and dozens of others on its leak site and tying the campaign to exploitation of the same ERP exposure across multiple victims. Google Cloud TI
💡 Key Takeaway: If you run Oracle E-Business Suite, confirm you’ve applied all recent EBS security patches and mitigations, and monitor for abnormal ERP access and data exfiltration.
LG Energy Solution hit by Akira ransomware, 1.7 TB of data claimed stolen — LG’s battery subsidiary disclosed a ransomware attack affecting an overseas facility; Akira claims to have taken 1.7 TB of data including employee PII, NDAs, financial data, and client records. The Record
💡 Key Takeaway: Industrial and energy suppliers remain high-value data-theft targets, not just OT disruption targets. Tighten access to design, supplier, and HR systems, and validate breach-notification and identity-protection workflows.
Under Armour allegedly breached by Everest ransomware — The Everest group claims a 343 GB data breach at Under Armour, including internal documents and extensive customer/employee PII, and has issued a short response window for negotiations. TechRadar Pro
💡 Key Takeaway: Brand-name consumer companies need crisis-comms and trust recovery plans as much as technical playbooks. Make sure legal, PR, and customer-support teams are exercised for large-scale data-exposure events.
Gambling-tech giant IGT reportedly targeted by Qilin — Qilin claims to have exfiltrated around 10 GB of data from International Game Technology, a key supplier to lotteries and gambling operators worldwide, with leaked files allegedly circulating on the dark web. TechRadar Pro
💡 Key Takeaway: Critical entertainment and gaming platforms—especially where payments and identity data intersect—should be in scope for threat modeling and red teaming, not treated as “just apps.”
Fulgar, major synthetic-yarn supplier, confirms ransomware attack — Italian yarn producer Fulgar, which supplies brands like H&M and Adidas, confirmed a ransomware incident attributed to RansomHouse, with leaked samples including internal docs and financials. TechRadar Pro
💡 Key Takeaway: Even deep-tier manufacturing suppliers are now brand-risk amplifiers. Expand third-party risk reviews beyond direct vendors to critical tier-2/tier-3 producers.
✅ Actionable Defense Move of the Week
Run a 7-day “edge & orchestrator hardening sprint”
In the next week, carve out a focused sprint to:
- Patch and verify edge appliances
  - Confirm Cisco ASA/FTD devices are patched for CVE-2025-20333/20362 and not exposing unnecessary web services.
  - Review firewall management exposure (VPN-only, MFA-protected, no direct internet admin).
- Lock down WSUS and orchestration servers
  - Confirm October/November fixes including CVE-2025-59287 are applied on WSUS.
  - Restrict network access, enforce strong auth, and monitor for suspicious process creation and script execution from these hosts.
- Purge or isolate end-of-life routers and gateways
  - Identify DIR-878 and similar EoL devices via asset discovery; either replace or move them behind managed, patched firewalls.
💡 Key Takeaway: You’ll get more risk reduction from hardening 10–20 truly critical edge/orchestration assets than patching hundreds of low-impact endpoints. Make this a discrete, measured sprint and report results to the exec team.
🧠 Final Word
This week’s stories reinforce a simple pattern: attackers focus where your visibility is lowest and your dependency is highest—AI-assisted intrusion tooling, logistics and software providers, and regulatory grey zones around sovereignty and resilience. If you can see your real dependencies, harden your control planes, and prepare for ecosystem-level disruption, you’ll be ahead of most of the field going into 2026.