Digital Forensics Magazine — 48h News Roundup
Window: 08-12-2025 12:00 to 10-12-2025 12:00 (UTC)
Snapshot Summary
| Sector / Section | Headline Highlights | Count |
|---|---|---|
| DFIR & Incident Response | New Windows artefacts, after-hours ransomware | 2 |
| Cyber Investigations | Coupang raid, SKY ECC decrypted | 2 |
| Major Cyber Incidents | Barts NHS breach, Comcast vendor hack | 2 |
| Exploits & Threat Intelligence | PowerShell zero-day, React RCE | 2 |
| Law Enforcement | Global hacktivist advisory, India cyber labs | 2 |
| Policy | Italy golden power, India DPDP SDF | 2 |
| Standards & Compliance | Microsoft Patch Tuesday, SAP critical fixes | 2 |
| Consumer App Data Leaks | AT&T settlement, pediatric clinic breach | 2 |
Digital Forensics & Incident Response
Uncovering Hidden Forensic Evidence in Windows: The Mystery of AutoLogger-Diagtrack-Listener.etl — FortiGuard incident responders detail how a ransomware case exposed rich telemetry in an obscure Windows trace file that preserved attacker activity even after extensive log clearing [EMEA]. The case highlights how DFIR teams can mine lesser-known Windows logging artefacts to rebuild timelines, improve detections against anti-forensic tradecraft, and justify deeper endpoint visibility to leadership (Source: Cyber Security Review, 09-12-2025).
Midnight Ransomware Attacks Surge in 2025: Stellar Data Recovery Experts Warn CIOs, CISOs & IT Teams to Strengthen Their Defences — Analysts at Stellar Data Recovery report a spike in late-night ransomware incidents encrypting production systems while understaffed IT and security teams sleep, based on incident response engagements across India and international clients [APAC]. The findings reinforce the need for 24x7 monitoring, rehearsed IR runbooks, and offline backups, and give CISOs data points to argue for staffing, managed detection services, and formal recovery playbooks (Source: The Tribune India, 10-12-2025).
Cyber Investigations
South Korea police raid e-commerce giant Coupang over data leak — Seoul’s cyber investigation unit searches Coupang’s headquarters, seizing logs and work records as they probe a massive personal data leak allegedly tied to a former developer accused of exfiltrating customer information [APAC]. The operation underscores how cyber units now blend forensic log analysis with classic search-and-seizure tactics, and signals that regulators are prepared to pursue platform providers when insider security controls and monitoring fall short (Source: The Straits Times, 09-12-2025).
European police hack of SKY ECC triggered wide-ranging drug-trafficking investigations in Turkey — Turkish authorities reveal that a Europe-wide police hack of encrypted communication service SKY ECC has generated far-reaching drug-trafficking investigations by linking decrypted chats to criminal networks operating across Turkey and the EU [EMEA]. For cyber investigators, the case shows how lawful exploitation of secure messaging platforms can unlock years of historical evidence, enabling complex conspiracy prosecutions while raising debates over encryption, surveillance, and evidential handling (Source: Turkish Minute, 09-12-2025).
Major Cyber Incidents
UK Hospital Asks Court to Stymie Ransomware Data Leak — Barts Health NHS Trust confirms that the Cl0p ransomware group exploited an Oracle E-Business Suite vulnerability to steal invoices and personal data for patients and staff linked to accounting services at multiple London hospitals [EMEA]. Although core clinical systems were reportedly unaffected, the breach highlights how finance platforms can expose sensitive health data, forcing hospitals into complex legal action, coordinated incident response with national bodies, and long-term phishing and fraud risks (Source: GovInfoSecurity, 08-12-2025).
Space Bears ransomware claims Comcast data breach via contractor Quasar Inc. — The Space Bears ransomware group claims it obtained internal Comcast materials by first breaching Quasar Inc., a U.S. telecom engineering contractor, and then using that access to steal documents tied to network infrastructure projects [AMER]. If confirmed, the incident would represent another damaging supply-chain compromise, reminding defenders that vendor environments often hold sensitive architecture details and should be governed with the same security requirements as core corporate systems (Source: SC Media, 09-12-2025).
Exploits & Threat Intelligence
Windows PowerShell 0-Day Vulnerability Let Attackers Execute Malicious Code — Researchers disclose CVE-2025-54100, a Windows PowerShell zero-day enabling arbitrary code execution and evasion of existing script-blocking controls, with exploit details published just ahead of December’s Patch Tuesday cycle [AMER]. Because PowerShell is deeply embedded in admin workflows and attack chains, defenders must rapidly inventory exposed versions, enforce constrained language modes, and integrate new detections into EDR and logging pipelines (Source: Cyber Security News, 10-12-2025).
Exploitation of Critical Vulnerability in React Server Components and Next.js — Palo Alto Networks Unit 42 warns that attackers are exploiting critical React Server Components vulnerabilities, including CVE-2025-55182 and a related Next.js bug, in campaigns overlapping with North Korean “Contagious Interview” job-recruitment tooling [GLOBAL]. The activity shows how front-end supply chains and developer frameworks are now prime RCE targets, pushing security teams to treat JavaScript runtimes as high-value attack surface and to prioritise web app patching alongside classic server flaws (Source: Palo Alto Networks Unit 42, 09-12-2025).
Law Enforcement
NSA, FBI, and Others Call Out Pro-Russia Hacktivist Groups Targeting Critical Infrastructure — NSA, FBI, CISA and more than 20 international partners issue a joint advisory on pro-Russia hacktivist groups launching opportunistic DDoS and disruption attacks against U.S. and global critical infrastructure providers [AMER]. The guidance elevates loosely coordinated hacktivist crews to strategic-risk status and gives SOC leaders concrete IOCs and hardening steps for public-facing services, OT networks, and cloud environments (Source: NSA / CISA Joint Advisory, 09-12-2025).
Cyber forensic labs to come up in 34 cyber police stations — The Odisha government in India announces plans to equip 34 cyber police stations with dedicated cyber forensic laboratories, expanding local capacity to analyse seized devices and digital evidence from fast-growing online crime caseloads [APAC]. Building lab infrastructure at police-station level should shorten evidence backlogs, improve chain-of-custody handling, and give investigators better technical support for complex fraud, harassment, and cyber-extortion prosecutions (Source: The Times of India, 10-12-2025).
Policy
Italy sets tough terms on personal data protection to clear Chinese JD.com’s takeover of Ceconomy — Italy uses its golden-power regime to clear JD.com’s takeover of Ceconomy only on strict conditions that data from more than 21 million Italian electronics customers be stored separately from Chinese systems and kept within the EU [EMEA]. For CISOs and DPOs, the decision illustrates how cross-border M&A is now constrained by data-sovereignty expectations, effectively turning cloud architecture, logging locations, and vendor access controls into regulatory approval criteria (Source: Reuters, 09-12-2025).
Govt’s move on data fiduciary tag leaves businesses wary — Indian businesses voice concern over the government’s plan to label some organisations as Significant Data Fiduciaries under the new Digital Personal Data Protection Act, citing scarce detail on criteria, timelines, and additional compliance duties [APAC]. The uncertainty makes it harder for security and privacy leaders to scope budgets, staffing, and technology investments, reinforcing the need to adopt DPIA-style risk assessments and board-level reporting even before formal SDF designations arrive (Source: The Economic Times, 09-12-2025).
Standards & Compliance
Microsoft’s December 2025 Patch Tuesday Addresses 56 CVEs — Microsoft’s December 2025 Patch Tuesday addresses 56 CVEs, including three critical bugs and one zero-day already exploited in the wild, with fixes spanning Hyper-V, Windows firewall services, Edge, and core OS components [GLOBAL]. Organisations that still batch monthly patching will need rapid risk-based prioritisation to avoid lag on internet-facing services, while security teams should tune vulnerability scanning and reporting around the newly patched exploitation-prone components (Source: Tenable, 10-12-2025).
SAP Patches Critical Vulnerabilities With December 2025 Security Updates — SAP’s December 2025 security updates ship fixes for multiple critical vulnerabilities across core business applications, with some flaws allowing unauthenticated attackers to execute code or access sensitive data if customers leave default settings in place [EMEA]. Given SAP’s role in finance and supply-chain processes, CISOs should press for urgent testing and deployment of these patches in tandem with SoD reviews and monitoring to detect exploitation attempts against internet-exposed endpoints (Source: SecurityWeek, 10-12-2025).
Consumer App Data Leaks
How AT&T customers can claim $7,500 from $177 million ‘dark web’ data breach settlement — AT&T customers whose personal data surfaced on the dark web after two 2024 breaches have until 18 December 2025 to claim part of a US$177 million settlement covering Social Security numbers and other sensitive account details [AMER]. The payout, which offers up to US$7,500 for documented losses plus credit monitoring, underlines the long financial tail of large consumer breaches and the value of retaining evidence of fraud and mitigation costs (Source: The US Sun, 09-12-2025).
Millcreek Pediatrics Data Breach Investigation — U.S. law firm Strauss Borrelli launches an investigation into a data breach at Millcreek Pediatrics that exposed personal and protected health information for more than 14,000 patients, including children [AMER]. The case shows how even relatively small healthcare providers can face class-action style scrutiny when ransomware or data-theft incidents hit, reinforcing expectations around HIPAA-grade security controls and transparent breach notifications (Source: Strauss Borrelli PLLC, 09-12-2025).
Editorial Perspective
Across this 48-hour window, the signal is clear: ransomware and data-theft operations continue to converge with supply-chain and insider risks, from contractor-enabled access at major telcos to insider-suspected breaches at platforms like Coupang and regional healthcare providers.
At the same time, regulators and law enforcement are tightening their grip, using golden-power reviews, new data-protection regimes, and joint advisories to push data sovereignty, patch discipline, and critical infrastructure resilience up the executive agenda.
For DFIR teams and CISOs, the next step is to translate these lessons into concrete control changes: richer artefact collection, faster patch pipelines for frameworks and scripting tools, and sharper playbooks for engaging regulators, suppliers, and law enforcement after a breach.
Reference Reading
- CISA Joint Advisory AA25-343A: Pro-Russia Hacktivists Conduct Opportunistic Attacks Against Critical Infrastructure
- Brand Impersonation 2025: Major Threats and What’s Next
- EU Digital Omnibus: Proposed Changes to the EU’s Digital Rulebook
- Gartner Warns of Significant Cybersecurity Risks with AI Browsers
- December 2025 Patch Tuesday Updates from Microsoft
- Digital Forensics Tools to Help Beat Evidence Overwhelm
Tags
DFIR, Ransomware, Threat Intelligence, Cyber Policy, Critical Infrastructure, Law Enforcement, Data Breaches, Healthcare Security, Cloud Security, Supply Chain Risk