DigiCert’s Open-Source Intelligence (OSINT) Report – December 5 – December 11, 2025

Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Broadside Botnet Hits TBK DVRs, Raising Alarms for Maritime Logistics

(TLP: CLEAR) Researchers have reported an active campaign involving Broadside, a new variant of the long-running Mirai botnet. First publicly reported in early December 2025, Broadside specifically targets the maritime logistics sector by exploiting CVE-2024-3721, a critical OS command injection vulnerability in TBK Vision DVR devices (models DVR-4104 and DVR-4216). These DVRs are commonly deployed on vessels for CCTV monitoring of bridges, cargo holds, and engine rooms. The campaign has been tracked for months, with fluctuating infrastructure indicating ongoing operator activity. CVE-2024-3721, disclosed in April 2024, allows unauthenticated remote command execution via crafted HTTP POST requests to the /device.rsp endpoint. Proof-of-concept exploits were available shortly after disclosure, leading to widespread abuse by multiple Mirai-derived botnets by mid-2025. Earlier, in June 2025, Kaspersky reported a separate Mirai variant exploiting the same flaw, primarily affecting exposed devices in regions such as China, India, Egypt, Ukraine, Russia, Turkey, and Brazil, with over 50,000 potentially vulnerable DVRs identified globally.

(TLP: CLEAR) Comments: The emerging Broadside botnet is a sophisticated new variant of the Mirai malware that is actively targeting security camera systems on cargo ships and other vessels in the maritime logistics sector. Attackers are exploiting a known vulnerability in affordable DVR devices (such as those from TBK Vision, also rebranded as Night Owl or QSee) to turn these cameras into remote-controlled zombies that not only launch large-scale online attacks but also quietly steal passwords and spy on critical areas such as the ship’s bridge, engine room, or cargo holds. This is particularly alarming because ships rely on limited satellite internet for navigation and communication, and a compromised device could disrupt operations, cut off vital connections at sea, or serve as a hidden entry point for far more dangerous attacks such as ransomware or sabotage. With global shipping already a high-value target and many vessels running outdated, unpatched equipment because updating at sea is difficult, this threat could lead to real-world disruptions, such as delayed goods, higher costs, and even safety risks, that affect everyday supply chains and the prices we all pay at the store. It is a stark reminder that as the maritime industry becomes more connected, it urgently needs stronger cybersecurity protections to keep the world’s trade moving safely.

(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Distributed denial-of-service (DDoS) is a form of attack where the attack traffic is generated from many distributed sources to achieve a high-volume attack and directed towards an intended victim (i.e., system or server). To conduct a direct DDoS attack, the attacker typically makes use of a few powerful computers or a vast number of unsuspecting, compromised third-party devices (e.g., laptops, tablets, cell phones, Internet of Things (IoT) devices, etc.). The latter scenario is often implemented through botnets. In many DDoS attacks, the IP source addresses in the attack messages are “spoofed” to avoid traceability.”

(TLP: CLEAR) DigiCert: DigiCert UltraDDoS Protect provides proven and consistent DDoS protection for any of your assets, whether they reside in the cloud, multi-cloud, data center, or hybrid environments. With always-on DDoS protection, you can stop a DDoS attack instantly, and more complex DDoS attacks can be mitigated within seconds.
Source: https://securityaffairs.com/185491/malware/broadside-botnet-hits-tbk-dvrs-raising-alarms-for-maritime-logistics.html

Half of Exposed React Servers Remain Unpatched Amid Active Exploitation

(TLP: CLEAR) The critical remote code execution vulnerability in React Server Components and the widely used Next.js framework (CVE-2025-55182, nicknamed “React2Shell”) has become one of the fastest-escalating mass-exploitation events of the year. Only weeks after disclosure, roughly half of all internet-facing vulnerable instances remain completely unpatched, and active exploitation has exploded into at least 15 distinct clusters observed in the wild over the past few days. Attackers range from opportunistic cryptojackers dropping traditional miners to far more dangerous campaigns that deploy interactive command-and-control frameworks, credential-harvesting backdoors, aggressive JavaScript file infectors, and stealthy Linux implants previously linked to nation-state actors. Many clusters are now using anti-forensic techniques—timestamp manipulation, log scrubbing, and evidence removal—indicating clear intent for long-term persistence rather than quick profit. Given the enormous footprint of affected frameworks across cloud-native, serverless, and traditional web applications, this flaw has effectively become an open door into countless production environments, making immediate patching, credential rotation, and compromise checks an urgent priority for any organization running exposed instances.

(TLP: CLEAR) Comments: The vulnerability provides unauthenticated remote code execution in React Server Components and Next.js applications, frameworks that power a significant percentage of modern cloud-native and internet-facing web services. Current telemetry shows that approximately 50% of exposed vulnerable instances remain unpatched weeks after disclosure, creating an unusually large and persistent attack surface. While the definitive remediation is to upgrade to patched versions of Next.js (≥15.2.4) and the affected React packages, the reality of dependency chains and change-control processes means many organizations will remain exposed for days to weeks. During this window, the single most effective compensating control is immediate activation of the virtual patch / mitigation rule for CVE-2025-55182 in the organization’s web application firewall (WAF) or cloud WAF service. Signatures were released by all major vendors within 72 hours of disclosure and provide high-fidelity blocking of known exploit vectors with negligible false-positive risk.

(TLP: CLEAR) Recommended best practices/regulations: OWASP Web Application Firewall: “A ‘web application firewall (WAF)’ is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. “While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy. “WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.”

(TLP: CLEAR) DigiCert: DigiCert’s Web Application Firewall, UltraWAF, helps prevent common exploits of vulnerabilities in web applications that could lead to insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility. UltraWAF includes a number of tools for managing both benign and malicious bots including bot signatures and device fingerprinting. UltraWAF can also prevent some layer 7 DDoS attacks.

Source: https://www.theregister.com/2025/12/12/vulnerable_react_instances_unpatched/

Justice Department Announces Actions to Combat Two Russian State-Sponsored Cyber Criminal Hacking Groups

(TLP: CLEAR) On December 10, 2025, the U.S. Department of Justice announced indictments against Ukrainian national Victoria Eduardovna Dubranova, 33 (known online as Vika, Tory, or SovaSonya), for her alleged involvement with two pro-Russia hacktivist groups: Cyber Army of Russia Reborn (CARR, also referred to as Z-Pentest) and NoName057(16). Dubranova, who was extradited to the U.S. earlier this year, pleaded not guilty to charges in both cases and is scheduled for trials in early 2026. The CARR indictment includes serious counts related to damaging protected computers and tampering with public water systems, while the NoName case focuses on conspiracy to damage protected computers. Both groups received support from Russian state entities—CARR through GRU funding for tools and services, and NoName as a project linked to a Kremlin-established organization that developed the DDoSia tool. Their activities have included hundreds of claimed cyberattacks, ranging from DDoS campaigns to intrusions affecting U.S. water systems, food processing facilities, election infrastructure, and other sensitive targets. Alongside the indictments, the State Department offered rewards for information on group members, and a joint advisory from multiple agencies highlighted ongoing risks from these actors.

(TLP: CLEAR) Comments: These cases connect directly to the pro-Russia hacktivist campaigns we’ve been tracking throughout 2025, including the recent OT intrusions and DDoS activity discussed in the December 9 joint cybersecurity advisory. CARR and NoName057(16) form the foundation of a loosely coordinated network that has grown and splintered over time—leading to groups like Z-Pentest and Sector16—which share tactics, channels, and objectives aligned with Russian interests. While their attacks often start with DDoS (using paid services or tools like DDoSia), many have evolved into more hands-on disruptions of operational technology, such as manipulating controls in water and food facilities. This ecosystem differs from purely criminal botnets like Aisuru, which focus on massive volumetric floods for hire or ransom; the hacktivist groups prioritize geopolitical impact and publicity, using lower sophistication but highly replicable methods to create real-world effects. The indictments and rewards signal recognition and a continued effort to combat these groups. 

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity and Infrastructure Security Agency (CISA) publication “VOLUMETRIC DDOS AGAINST WEB SERVICES TECHNICAL GUIDANCE”: “Agencies should select a provider that has the capacity to scale and withstand large volumetric DDoS attacks. Agencies should also understand their role and the role of the provider if targeted by a DDoS attack. Note the two consumption models previously identified for DDoS mitigation services – always-on and on-call/on-demand. In an always-on model, all traffic always passes through the mitigation provider’s service (which may add latency if the distance between the customer internet circuit and mitigation service is high). Always-on can provide instant protection, but agencies should always validate time-to-mitigation of any proposed solution. The on-demand consumption model only sends traffic to scrubbing centers when directed to do so via human intervention during an attack. Agencies must communicate with their provider to understand which protections are available, the protections that are included in the existing contracts, and those offered à la carte. For services that require manual activation, agencies must understand each organization and individual’s roles, as well as develop, maintain, and test the activation procedures for best response.”

(TLP: CLEAR) DigiCert: DigiCert UltraDDoS Protect is a purpose-built DDoS mitigation solution that offers comprehensive protection through on-premises hardware, cloud-based DDoS mitigation, or hybrid approaches. Tailored to meet any organizational need, DigiCert’s array of DDoS Protection services include blocking DDoS attacks, redirecting DDoS attacks, and cloud DDoS prevention, ensuring the broadest and most adaptable DDoS defense services available.

Source: https://www.justice.gov/opa/pr/justice-department-announces-actions-combat-two-russian-state-sponsored-cyber-criminal

Indonesia’s Gambling Industry Reveals Clues of Nationwide Cyber Involvement

(TLP: CLEAR) A December 2025 investigation by cybersecurity researchers has uncovered a massive, Indonesian-speaking cybercrime ecosystem operating since at least 2011, centered on illegal online gambling but exhibiting the scale, persistence, and sophistication typically seen in state-sponsored operations. The network controls over 328,000 domains, including 236,433 purchased for direct gambling sites (geo-restricted to Indonesian users and requiring local phone numbers and banking), 90,125 fully hijacked legitimate domains, and thousands of malicious Android apps distributed via public AWS S3 buckets as droppers for data exfiltration and additional payloads. Annual maintenance costs are estimated at $725,000–$5.3 million, far exceeding ordinary criminal capabilities and raising questions of potential national-level involvement or tolerance. A critical part of the findings reveals advanced exploitation of dangling DNS records, expired cloud resources, and subdomain takeovers as the primary techniques for persistence and evasion. Attackers systematically target misconfigured or decommissioned subdomains (especially on government and enterprise infrastructure worldwide, with a focus on Western entities), hijacking around 1,481 subdomains to deploy NGINX-based reverse proxies. These proxies terminate TLS on legitimate fully qualified domain names (FQDNs), inheriting the parent domain’s reputation and credentials to steal session cookies, proxy command-and-control traffic disguised as official HTTPS communications, and potentially access sensitive systems such as financial portals. This DNS abuse not only redirects users to gambling sites but enables long-term infiltration, credential trafficking (over 51,000 stolen logins observed on dark web markets), and blending of malicious activity with trusted traffic, highlighting a highly mature infrastructure that blurs the line between profit-driven crime and strategic cyber operations.

(TLP: CLEAR) Comments: The DNS exploitation techniques deserve particular attention from a threat intelligence perspective. The heavy reliance on dangling records and subdomain hijacking—especially the use of NGINX reverse proxies on 1,481 compromised subdomains to terminate TLS under legitimate FQDNs—is a mature persistence and evasion play. By inheriting the reputation and certificates of trusted parent domains (often government or enterprise sites), the actors can blend malicious traffic with legitimate HTTPS flows, steal session cookies, proxy C2 communications, and potentially pivot into higher-value targets.
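The dangling-record exposure described in this item and the preceding summary can be caught with a routine zone sweep: any CNAME whose target no longer exists is a takeover candidate, and one whose target sits in a third-party zone is the worst case, because anyone can re-register that resource and serve content under the parent FQDN. The following Python is an added illustration, not code from the report or from Vercara; the zone, the owned-suffix list and the simulated resolver answers are constructed, and in practice the resolver would be a real DNS lookup.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample zone for a hypothetical example.gov (not from the report).
SAMPLE_ZONE = [
    ("www.example.gov.", "CNAME", "web-prod.example-cdn.net."),
    ("portal.example.gov.", "CNAME", "old-portal-bucket.s3.amazonaws.com."),
    ("status.example.gov.", "CNAME", "legacy-status.example.gov."),
    ("mail.example.gov.", "A", "203.0.113.10"),
]

# Constructed resolver answers; None models NXDOMAIN (the target no longer exists).
SIMULATED_DNS = {
    "web-prod.example-cdn.net.": "198.51.100.7",
    "old-portal-bucket.s3.amazonaws.com.": None,
    "legacy-status.example.gov.": None,
}

# Zones the organization itself controls; a stale target here cannot be
# claimed by an outsider, so it is rated lower than a third-party target.
OWNED_SUFFIXES = ("example.gov.",)


def simulated_resolve(name: str) -> Optional[str]:
    """Stand-in for a real lookup (e.g. dnspython); returns None on NXDOMAIN."""
    return SIMULATED_DNS.get(name)


@dataclass(frozen=True)
class Finding:
    owner: str
    target: str
    severity: str  # "high": third-party target anyone could re-register; "medium": stale internal name


def classify(target: str) -> str:
    """Rate a dangling target by who could re-create it."""
    return "medium" if target.endswith(OWNED_SUFFIXES) else "high"


def find_dangling(zone, resolve: Callable[[str], Optional[str]]) -> list[Finding]:
    """Return CNAME records whose target no longer resolves, highest severity first."""
    findings = [
        Finding(owner, target, classify(target))
        for owner, rtype, target in zone
        if rtype == "CNAME" and resolve(target) is None
    ]
    return sorted(findings, key=lambda f: (f.severity != "high", f.owner))


if __name__ == "__main__":
    for f in find_dangling(SAMPLE_ZONE, simulated_resolve):
        print(f"{f.severity.upper():6} {f.owner} -> {f.target}")
```

Records rated high are the ones to delete or re-point first; the medium ones are stale internal names that still merit cleanup so they cannot become high later if the internal zone is restructured.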

(TLP: CLEAR) Recommended best practices/regulations: ICANN SAC 007: “Domain Name Hijacking: Incidents, Threats, Risks and Remediation”: “Registrars should improve registrant awareness of the threats of domain name hijacking and registrant impersonation and fraud and emphasize the need for registrants to keep registration information accurate. Registrars should also inform registrants of the availability and purpose of the Registrar-Lock and encourage its use. Registrars should further inform registrants of the purpose of authorization mechanisms (EPP authInfo) and should develop recommended practices for registrants to protect their domains, including routine monitoring of domain name status, and timely and accurate maintenance of contact and authentication information.”

(TLP: CLEAR) DigiCert: DigiCert’s authoritative DNS solution, UltraDNS, answers up to 100 billion global DNS queries per day with our trusted authoritative networks that use BGP and IP anycast routing schemes. Our DNS nodes are co-located with DigiCert’s recursive and top-level-domain (TLD) servers, providing near-zero latency responses and instant cache updates for the zones that DigiCert hosts.

Source: https://gbhackers.com/indonesias-gambling/

Traffic Light Protocol (TLP)

Except where noted, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

About Vercara

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please contact us.