Contents

01. News Bites
  • The Irish Health Service Executive offers €750 compensation to victims of 2021 cyberattack
  • Microsoft patches 57 vulnerabilities, including three zero-days, in December 2025 Patch Tuesday
  • Spanish police arrest 19-year-old accused of stealing 64 million personal records
  • Fortinet, Ivanti and SAP issue urgent patches for critical vulnerabilities
  • Ransomware attacks on hypervisors surge as Akira group ramps up targeting
  • North Korean threat actors suspected in advanced React2Shell exploitation
02. Conclusion

Quick News Bites

The Irish Health Service Executive offers €750 compensation to victims of 2021 cyberattack

Four years after the Conti ransomware attack crippled Ireland’s national health system, the HSE has begun offering €750 in compensation to individuals whose data was compromised, alongside €650 to cover legal costs. The Cork-based O’Dowd Solicitors, representing over 100 affected people, confirmed the first wave of offers, calling it a significant step that signals the HSE’s acknowledgement of its responsibility to compensate victims.

The 2021 incident remains the most extensive cyberattack on any health service worldwide, disrupting critical care, delaying treatments and exposing sensitive data belonging to nearly 100,000 patients and staff. The move follows a recent high-profile case that strengthened the precedent for awarding damages after data breaches.

According to the HSE, more than 620 legal actions are currently ongoing. The organisation says it has “invested significantly” in cyber capability since the attack, implementing wide-ranging improvements to strengthen resilience and reduce future risk.

Microsoft patches 57 vulnerabilities, including three zero-days, in December 2025 Patch Tuesday

Microsoft’s final Patch Tuesday of the year delivers fixes for 57 security flaws, including one actively exploited and two publicly disclosed zero-day vulnerabilities. Three of the patched issues are rated Critical due to their potential for remote code execution. The breakdown spans 28 elevation-of-privilege flaws, 19 remote code execution bugs, four information disclosure issues, three denial-of-service flaws and two spoofing vulnerabilities.

The most urgent fix is CVE-2025-62221, an actively exploited privilege escalation flaw in the Windows Cloud Files Mini Filter Driver. Microsoft warns that attackers exploiting the vulnerability can obtain SYSTEM-level access, though details of real-world exploitation remain undisclosed.

Two publicly disclosed zero-days were also addressed: CVE-2025-64671, a GitHub Copilot for JetBrains command injection vulnerability linked to recent Cross Prompt Injection research, and CVE-2025-54100, a PowerShell flaw enabling unwanted script execution via Invoke-WebRequest.

December also saw updates from Adobe, Fortinet, Google, Ivanti, React and SAP, underscoring widespread patching needs across the ecosystem.

Spanish police arrest 19-year-old accused of stealing 64 million personal records

Spain’s National Police have arrested a 19-year-old in Barcelona for allegedly breaching nine companies and stealing 64 million personal records, which he then attempted to sell on hacker forums. The investigation began in June after authorities detected multiple intrusions at unnamed organisations. Officers later traced the suspect to Igualada, where they seized computers and cryptocurrency wallets believed to contain proceeds from data sales.

The stolen data includes full names, home addresses, email addresses, phone numbers, DNI numbers and even IBAN codes. Using six accounts and five pseudonyms, the suspect is said to have marketed the datasets across several criminal platforms. The teen now faces charges related to cybercrime, unauthorised access and disclosure of private information.

In a separate case, Ukrainian cyberpolice arrested a 22-year-old who created custom malware to automatically compromise online accounts across Europe and the United States. He allegedly ran a 5,000-strong bot farm to inflate and sell access to hijacked profiles. The suspect faces up to 15 years in prison under Ukraine’s criminal code.

Fortinet, Ivanti and SAP issue urgent patches for critical vulnerabilities

A new round of critical security flaws has prompted Fortinet, Ivanti and SAP to release urgent updates, with several vulnerabilities enabling authentication bypass and remote code execution if left unpatched.

Fortinet’s advisory highlights CVE-2025-59718 and CVE-2025-59719, both scoring 9.8, affecting FortiOS, FortiWeb, FortiProxy and FortiSwitchManager. The issue stems from improper cryptographic signature verification, allowing an unauthenticated attacker to bypass FortiCloud SSO login using crafted SAML messages. While the feature isn’t enabled by default, affected devices should be updated immediately.

Ivanti has addressed a critical Stored XSS flaw (CVE-2025-10573) in Endpoint Manager, enabling attackers to inject malicious JavaScript into admin dashboards simply by submitting fake endpoint reports. Researchers warn the exploit is trivial and likely to trigger during standard admin activity. Three additional high-severity EPM flaws, including another signature-verification issue, were patched in the same release.
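The Ivanti bug above is a stored XSS: data submitted by an endpoint is later rendered, unescaped, into a page an administrator views. The following is an added example written for this bulletin, not Ivanti's code, showing a dashboard row renderer that trusts report fields beside one that escapes them and validates the report before it is stored. The report fields and hostname rule are assumptions for illustration.

```python
"""Rendering endpoint-report data into an admin page: unsafe vs. hardened.

Added example; not Ivanti EPM code. The report shape (hostname, os,
agent_version) and the hostname rule are assumptions for illustration.
"""
import html
import re

# Constructed report as a rogue agent might submit it: the hostname field
# carries markup instead of a hostname.
MALICIOUS_REPORT = {
    "hostname": "<script>alert(document.cookie)</script>",
    "os": "Windows 11",
    "agent_version": "1.2.3",
}

# Constructed well-formed report for comparison.
CLEAN_REPORT = {"hostname": "ws-042.corp.example", "os": "Windows 11", "agent_version": "1.2.3"}

FIELDS = ("hostname", "os", "agent_version")

# RFC 1123-style hostname: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def render_row_unsafe(report: dict) -> str:
    """Interpolates report fields straight into HTML: any markup in a field
    becomes live markup in the admin's browser (the stored-XSS pattern)."""
    return "<tr>" + "".join(f"<td>{report[f]}</td>" for f in FIELDS) + "</tr>"


def render_row_safe(report: dict) -> str:
    """Escapes every field on output. quote=True also neutralises quotes so the
    value is inert even inside an attribute."""
    return "<tr>" + "".join(f"<td>{html.escape(str(report[f]), quote=True)}</td>" for f in FIELDS) + "</tr>"


def validate_report(report: dict) -> list[str]:
    """Input validation as a second layer: reject reports whose fields are not
    what an agent could legitimately send. Returns a list of problems (empty
    means accepted)."""
    problems = []
    unknown = set(report) - set(FIELDS)
    if unknown:
        problems.append(f"unexpected fields: {sorted(unknown)}")
    for f in FIELDS:
        if f not in report:
            problems.append(f"missing field: {f}")
    host = report.get("hostname", "")
    if not HOSTNAME_RE.match(host):
        problems.append("hostname is not a valid hostname")
    if len(report.get("agent_version", "")) > 32:
        problems.append("agent_version too long")
    return problems


if __name__ == "__main__":
    print("unsafe  :", render_row_unsafe(MALICIOUS_REPORT))
    print("escaped :", render_row_safe(MALICIOUS_REPORT))
    print("validate:", validate_report(MALICIOUS_REPORT) or "accepted")
```

Output escaping is the fix that actually removes the bug; validation on intake is defence in depth, since a field that fails the hostname rule would never have been a legitimate report in the first place.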

SAP’s December updates fix 14 vulnerabilities, including three critical issues: a 9.9 code-injection flaw in SAP Solution Manager, multiple Tomcat bugs in Commerce Cloud and a deserialization flaw in the jConnect SDK. Security researchers stress the urgency due to the central role these components play in enterprise systems.

Organisations should apply patches as soon as possible to reduce exposure.

Ransomware attacks on hypervisors surge as Akira group ramps up targeting

Huntress researchers are warning of a dramatic rise in ransomware attacks on hypervisors, signalling a worrying shift in threat actor tactics. Their recent data shows hypervisor-related ransomware incidents jumping from 3 percent in the first half of the year to 25 percent in the second, with the Akira ransomware group leading the trend. Attackers are increasingly focusing on hypervisors because they sit beneath all virtual machines, making them a powerful point of control once compromised.

Huntress has observed incidents where ransomware payloads were deployed directly through the hypervisor, completely bypassing endpoint defences. In some cases, attackers used built-in tools like OpenSSL to encrypt VM volumes without needing custom malware. Huntress has also seen compromised credentials being used to manipulate Hyper-V settings, disable protections and prepare large-scale ransomware deployment.

Researchers urge organisations to prioritise MFA, patching, allow-listed binaries and stronger hypervisor log monitoring to reduce the growing risk.
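To make the "stronger hypervisor log monitoring" recommendation concrete, here is an added example (written for this bulletin, not Huntress tooling) that runs a few detection rules over constructed process-execution lines from a Hyper-V host. The rules mirror the behaviours described above: OpenSSL run against VM disk files, protection being switched off, mass VM shutdown, and state-changing actions by an account outside the hypervisor operator allow-list. The log format, the allow-list and the thresholds are assumptions; the cmdlet names (Set-MpPreference, Stop-VM) are real, but the sample lines are constructed.

```python
"""Detection rules over constructed hypervisor-host process logs.

Added example, not Huntress code. Assumed line layout:
  <iso-timestamp> <host> user=<account> proc=<image> cmd=<command line>
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): a backup service account
# disables real-time protection, stops every VM, then encrypts VM disks.
SAMPLE_LOGS = [
    "2025-12-09T02:11:04Z hv01 user=CORP\\svc_backup proc=powershell.exe cmd=Get-VM",
    "2025-12-09T02:13:40Z hv01 user=CORP\\svc_backup proc=powershell.exe cmd=Set-MpPreference -DisableRealtimeMonitoring $true",
    "2025-12-09T02:15:02Z hv01 user=CORP\\svc_backup proc=powershell.exe cmd=Stop-VM -Name * -Force",
    "2025-12-09T02:16:30Z hv01 user=CORP\\svc_backup proc=openssl.exe cmd=openssl enc -aes-256-cbc -in D:\\VMs\\erp01.vhdx -out D:\\VMs\\erp01.vhdx.enc",
    "2025-12-09T02:16:31Z hv01 user=CORP\\svc_backup proc=openssl.exe cmd=openssl enc -aes-256-cbc -in D:\\VMs\\fileserv.vhdx -out D:\\VMs\\fileserv.vhdx.enc",
    "2025-12-09T08:00:00Z hv01 user=CORP\\hv_admin proc=powershell.exe cmd=Get-VMHost",
]

# Assumed allow-list of accounts expected to change hypervisor state.
ALLOWED_OPERATORS = {"CORP\\hv_admin"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) cmd=(?P<cmd>.*)$")
VM_DISK_RE = re.compile(r"\.(vhdx?|vmdk|qcow2)\b", re.I)          # common VM disk extensions
PROTECTION_OFF_RE = re.compile(r"Set-MpPreference\s.*-Disable\w+\s+\$true", re.I)
MASS_STOP_RE = re.compile(r"Stop-VM\b.*-Name\s+\*", re.I)         # wildcard stop of all VMs
STATE_CHANGE_RE = re.compile(r"^(Set-|Stop-|Remove-|openssl\b)", re.I)


@dataclass
class Alert:
    rule: str
    ts: datetime
    user: str
    detail: str


def parse_line(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
    return d


def detect(lines, allowed_operators=ALLOWED_OPERATORS) -> list[Alert]:
    """Apply each rule to each line; one line can raise several alerts."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        proc, cmd, user, ts = ev["proc"].lower(), ev["cmd"], ev["user"], ev["ts"]
        # Built-in crypto tool pointed at VM disks: no custom malware required.
        if proc.startswith("openssl") and " enc " in f" {cmd} " and VM_DISK_RE.search(cmd):
            alerts.append(Alert("vm_volume_encryption", ts, user, cmd))
        if PROTECTION_OFF_RE.search(cmd):
            alerts.append(Alert("protection_disabled", ts, user, cmd))
        if MASS_STOP_RE.search(cmd):
            alerts.append(Alert("mass_vm_shutdown", ts, user, cmd))
        # Credential misuse: state changes from an account outside the allow-list.
        if user not in allowed_operators and STATE_CHANGE_RE.match(cmd):
            alerts.append(Alert("unexpected_operator", ts, user, cmd))
    return alerts


def summarize(alerts) -> dict:
    return dict(Counter(a.rule for a in alerts))


def encryption_burst(alerts, window=timedelta(minutes=5), threshold=2) -> set:
    """Users with >= threshold VM-disk encryption events inside one window:
    a stronger signal than a single openssl invocation."""
    by_user: dict = {}
    for a in alerts:
        if a.rule == "vm_volume_encryption":
            by_user.setdefault(a.user, []).append(a.ts)
    flagged = set()
    for user, stamps in by_user.items():
        stamps.sort()
        for i in range(len(stamps)):
            if i + threshold - 1 < len(stamps) and stamps[i + threshold - 1] - stamps[i] <= window:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for a in found:
        print(f"{a.ts.isoformat()} {a.rule:22} {a.user}  {a.detail}")
    print("summary:", summarize(found))
    print("encryption burst by:", encryption_burst(found))
```

The point of the allow-list rule is that none of the other signatures are needed to notice the earliest step here: a backup service account changing hypervisor state at 02:13 is already out of profile. The burst rule turns repeated openssl runs against VM disks into a single high-confidence alert rather than a stream of low ones.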

North Korean threat actors suspected in advanced React2Shell exploitation

Researchers believe North Korean threat actors may be behind some of the more sophisticated attacks exploiting React2Shell (CVE-2025-55182), a critical remote code execution flaw affecting React 19 and related frameworks such as Next.js and RedwoodSDK. Although roughly 70,000 systems appear vulnerable, exploitation began almost immediately after disclosure on 3 December, initially driven by China-linked groups. Attacks quickly expanded to include credential theft, botnets and cryptocurrency miners.

The researchers observed a particularly advanced campaign involving EtherRAT, a persistent implant using Ethereum smart contracts for command-and-control and multiple Linux persistence techniques. Its encrypted loader closely mirrors DPRK malware from the Contagious Interview campaigns, historically used to steal cryptocurrency. Notably, attackers now download Node.js from the official website rather than bundling it, a shift that reduces detection risk.

While attribution is not yet definitive, the tactics strongly suggest involvement from Lazarus Group or another DPRK-linked operator exploiting React2Shell as a new entry point.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.