
☀️ Good morning. Here's everything that happened in cybersecurity yesterday — in under 5 minutes.

The UK government issues a board-level AI security warning, a hospital attacker spent 25 days inside undetected, UAC-0247 is stealing WhatsApp data from hospitals and government agencies, Splunk patches an RCE in the tool that's supposed to catch attackers, and NIST fundamentally changes how it manages the vulnerability database.

🔥 Top Stories

01 — UK Government to Business Leaders: AI Is Shrinking Your Defensive Advantage

Artificial Intelligence

In an unprecedented open letter to C-suite executives, UK ministers and the NCSC warned that Frontier AI is eroding the "defensive advantage" that has historically favored skilled defenders over less-skilled attackers. The specific threats: AI-generated phishing with no grammar errors or cultural red flags, automated vulnerability discovery in enterprise code, and polymorphic malware that mutates to evade signature detection.

The core message: what used to require nation-state expertise and months of human effort can now be automated by a low-level threat actor with access to a capable model. The UK is stress-testing AI models including specialized variants for offensive capability — and the results are driving this warning. Expect mandatory AI security compliance requirements within 12–18 months.

02 — Tennessee Hospital Breach: 338,000 Patients, 25-Day Dwell Time

Data Breaches

Cookeville Regional Medical Center has notified 337,917 patients of a breach that ran undetected for 25 days — November 11 through December 6, 2025. What was taken: names, SSNs, dates of birth, health insurance details, medical record numbers, treatment information, financial account details, and driver's license numbers. A full identity theft kit for every patient affected.

The 25-day dwell time is the critical detail. An unauthorized party moved laterally through a hospital network for nearly a month without triggering an alert. A class-action investigation is now underway. Tennessee's healthcare sector has seen a 40% surge in cyberattacks in 18 months — and regional medical centers are being treated as soft targets precisely because downtime pressure drives quick payments.

03 — UAC-0247 Is Stealing WhatsApp Conversations From Ukrainian Hospitals and Government Agencies

Nation-State Threats

CERT-UA has detailed an active campaign by UAC-0247 targeting Ukrainian healthcare facilities and government bodies — using phishing lures disguised as urgent administrative documents to deploy info-stealing malware. The targets: browser credentials, session cookies, and WhatsApp Desktop local database files.

The WhatsApp targeting is the standout detail. While most organizations have robust email monitoring, the local storage files of desktop messaging apps are almost never watched. UAC-0247 isn't after ransomware payouts — they're after the informal communications that capture real institutional decision-making. Hospitals are being used as soft entry points into harder government networks.

04 — Splunk Just Patched an RCE in the Platform That's Supposed to Watch Your Network

Vulnerabilities

Splunk has released urgent patches for a high-severity RCE vulnerability in its Enterprise and Cloud platforms. An authenticated attacker with low-level permissions can craft a malicious search query to execute system-level commands — turning your SOC's monitoring tool into an attacker's command post.

This matters more than a typical RCE: Splunk is the "central nervous system" for many security operations centers. Compromise it and you don't just own the platform — you blind the defenders watching the rest of the network simultaneously. Update to Enterprise 9.2.1+, 9.1.4+, or 9.0.9+ immediately. Cloud Platform updates are being pushed automatically.

05 — NIST Overhauls the NVD: The Universal Vulnerability Database Is No Longer Universal

Vulnerability Management

NIST has formally abandoned the goal of enriching every CVE entry in the National Vulnerability Database. With the volume of reported vulnerabilities projected to exceed 40,000 in 2026, the agency is shifting to a risk-based triage model — prioritizing CISA KEV entries and critical federal software, while leaving lower-risk bugs to automated tools and vendor-supplied data.

The practical impact: organizations that rely solely on the NVD to feed their vulnerability management programs will now face data gaps on niche and lower-severity bugs. The NVD as a universal source of truth is over. You now need a hybrid model: CISA KEV + vendor advisories + private threat intel. This is the formal end of "patch everything equally" as a viable strategy.
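To make the "hybrid model" concrete, here is an added example (not code from CyberSignal, NIST or CISA) of a triage routine that scores vulnerabilities from several feeds instead of the NVD alone. Every feed below is constructed sample data: the CVE ids, KEV extract, vendor advisories and intel entries are placeholders, and the scoring weights are an assumption a team would tune to its own risk appetite.

```python
"""Risk-based vulnerability triage across several feeds.

Added example for the NVD triage story; not from CyberSignal, NIST or CISA.
All feeds here are constructed sample data with placeholder CVE ids.
"""
from dataclasses import dataclass, field

# Constructed: a CISA KEV extract (ids are placeholders, not real entries)
KEV_FEED = {"CVE-2026-00001", "CVE-2026-00004"}

# Constructed: vendor advisories with severity and patch status
VENDOR_ADVISORIES = {
    "CVE-2026-00001": {"severity": "critical", "patch_available": True},
    "CVE-2026-00002": {"severity": "high", "patch_available": True},
    "CVE-2026-00003": {"severity": "low", "patch_available": False},
}

# Constructed: private threat intel noting in-the-wild exploitation
THREAT_INTEL = {"CVE-2026-00003": {"exploited_in_wild": True}}

# Constructed: NVD enrichment, deliberately absent for two ids to mirror
# the gaps the risk-based triage model introduces for lower-profile bugs
NVD_ENRICHMENT = {"CVE-2026-00001": {"cvss": 9.8}, "CVE-2026-00002": {"cvss": 7.5}}

# Assumed weights; tune to your own programme
SEVERITY_WEIGHT = {"critical": 40, "high": 25, "medium": 10, "low": 5}

ALL_CVES = ["CVE-2026-00001", "CVE-2026-00002", "CVE-2026-00003", "CVE-2026-00004"]


@dataclass
class TriageResult:
    cve: str
    score: int
    reasons: list[str] = field(default_factory=list)


def triage(cve: str) -> TriageResult:
    """Score one CVE from KEV, intel, vendor and NVD data, recording why."""
    result = TriageResult(cve=cve, score=0)
    if cve in KEV_FEED:
        result.score += 100
        result.reasons.append("listed in CISA KEV")
    if THREAT_INTEL.get(cve, {}).get("exploited_in_wild"):
        result.score += 80
        result.reasons.append("exploitation reported by private intel")
    advisory = VENDOR_ADVISORIES.get(cve)
    if advisory:
        result.score += SEVERITY_WEIGHT.get(advisory["severity"], 0)
        result.reasons.append(f"vendor severity {advisory['severity']}")
        if not advisory["patch_available"]:
            result.reasons.append("no vendor patch yet; plan mitigations")
    nvd = NVD_ENRICHMENT.get(cve)
    if nvd:
        result.score += int(nvd["cvss"] * 2)
        result.reasons.append(f"NVD CVSS {nvd['cvss']}")
    else:
        result.reasons.append("no NVD enrichment; relying on other feeds")
    return result


def prioritize(cves: list[str]) -> list[TriageResult]:
    """Hybrid ranking: highest combined score first."""
    return sorted((triage(c) for c in cves), key=lambda r: r.score, reverse=True)


def nvd_only(cves: list[str]) -> list[str]:
    """The old 'NVD as single source of truth' ranking, for comparison."""
    return sorted(cves, key=lambda c: NVD_ENRICHMENT.get(c, {}).get("cvss", 0.0), reverse=True)


if __name__ == "__main__":
    for r in prioritize(ALL_CVES):
        print(f"{r.cve}: {r.score:>4}  ({'; '.join(r.reasons)})")
    print("NVD-only order:", nvd_only(ALL_CVES))
```

In the constructed data, the NVD-only ranking places the two un-enriched ids at the bottom even though one is in KEV and the other is being exploited in the wild; the hybrid ranking moves both above the merely high-severity bug, which is exactly the gap the story describes.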

📊 By The Numbers

  • 337,917 — Patients notified by Cookeville Regional Medical Center after a 25-day undetected breach

  • 25 — Days an unauthorized party spent inside CRMC's network before detection

  • 40,000+ — CVEs projected to be reported in 2026 — the volume driving NIST's NVD overhaul

  • 40% — Surge in cyberattacks against Tennessee's healthcare sector in the past 18 months

⚡ The Signal

Today's stories converge on a single uncomfortable truth: the tools and institutions we rely on to defend ourselves are becoming targets.

The UK government warns AI is automating attacks that used to require nation-state resources. NIST admits the global vulnerability database can no longer keep pace with the volume of bugs being found. Splunk — the platform watching your network — has an RCE that lets attackers blind your SOC. A hospital attacker spent 25 days undetected because nobody was watching for lateral movement. UAC-0247 is stealing WhatsApp data because nobody monitors desktop messaging apps as part of endpoint protection.

The pattern: defenders are stretched, the volume is overwhelming, and attackers are specifically targeting the gaps between what organizations protect and what they assume is protected. The NVD overhaul is a formal admission. The Splunk patch is a reminder. The Tennessee dwell time is a consequence.


📅 What to Watch

  • NIST NVD transition — watch for security tool vendors announcing how they're filling the data gaps left by the new triage model

  • CRMC class-action — Abington Law's investigation will set precedent for hospital cybersecurity liability under HIPAA

  • UAC-0247 expansion — the campaign is currently focused on Ukraine, but its living-off-the-land (LotL) techniques and healthcare targeting patterns are consistent with wider NATO-adjacent escalation

  • Splunk patch adoption — large enterprises running older LTS versions are the most at risk; watch for exploitation reports against unpatched instances

Stay sharp. Stay ahead.

Till next time,

The CyberSignal Team
