CyberWire Daily - Another day, another emergency patch.
Episode Date: December 15, 2025

Apple and Google issue emergency updates to patch zero-days. Google links five additional Chinese state-backed hacking groups to “React2Shell.” France’s Ministry of the Interior was hit by a cyberattack. Atlassian patches roughly 30 third-party vulnerabilities. Microsoft says its December 2025 Patch Tuesday updates are breaking Message Queuing. Researchers uncovered a massive exposed database with nearly 4.3 billion professional records openly accessible online. Britain’s new MI6 chief warns of an “aggressive, expansionist, and revisionist” Russia. Monday Business Brief. On today’s Threat Vector, Michael Heller from Unit 42 chats with security leaders Greg Conti and Tom Cross to unpack the hacker mindset and the idea of “dark capabilities”. A cyber holiday gift guide for the rest of us.

Threat Vector Segment

In this segment of Threat Vector, host Michael Heller, Managing Editor for Cortex and Unit 42 and Executive Producer of the podcast, sits down with long-time security leaders Greg Conti and Tom Cross to unpack the hacker mindset and the idea of “dark capabilities” inside modern technology companies. You can listen to their full discussion here. New episodes of Threat Vector by Palo Alto Networks are released every Thursday.
Selected Reading
Apple, Google forced to issue emergency 0-day patches (The Register)
Google links more Chinese hacking groups to React2Shell attacks (Bleeping Computer)
French Interior Ministry confirms cyberattack on email servers (Bleeping Computer)
Atlassian Patches Critical Apache Tika Flaw (SecurityWeek)
Microsoft: December security updates cause Message Queuing failures (Bleeping Computer)
16TB of MongoDB Database Exposes 4.3 Billion Lead Gen Records (Hackread)
MI6 chief warns 'front line is everywhere' and signals intent to pressure Putin (The Record)
Saviynt raises $700 million in Series B growth equity financing. (The CyberWire Business Brief)
Last-minute cybersecurity and privacy gifts your friends and family won't hate (This Week In Security)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple?
Meet Meter, the company reimagining enterprise networking from the ground up.
Meter builds full-stack, zero-trust networks, including hardware, firmware, and software,
all designed to work seamlessly together.
The result, fast, reliable, and secure connectivity
without the constant patching, vendor juggling, or hidden costs.
From wired and wireless to routing, switching firewalls, DNS security, and VPN,
every layer is integrated and continuously protected in one unified platform.
And since it's delivered as one predictable monthly service,
you skip the heavy capital costs and endless upgrade cycles.
Meter even buys back your old infrastructure to make switching effortless.
Transform complexity into simplicity and give your team time to focus on what really matters,
helping your business and customers thrive.
Learn more and book your demo at meter.com slash cyberwire.
That's M-E-T-E-R dot com slash cyberwire.
Apple and Google issue emergency updates to patch zero days.
Google links five additional Chinese state-backed hacking groups to React2Shell.
France's Ministry of the Interior was hit by a cyber attack.
Atlassian patches roughly 30 third-party vulnerabilities.
Microsoft says its December 2025 Patch Tuesday updates are breaking
message queuing. Researchers uncover a massive exposed database with nearly 4.3 billion professional
records openly accessible online. Britain's new MI6 chief warns of an aggressive expansionist
and revisionist Russia. We got our Monday business brief. On today's threat vector, Michael Heller
from Unit 42, chats with security leaders Greg Conti and Tom Cross to unpack the hacker mindset
and the idea of dark capabilities. And a cyber holiday gift guide for the rest of us.
It's Monday, December 15th, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us here today.
Happy Monday.
It is great to have you with us, as always.
Apple and Google have both issued emergency security updates
after zero-day vulnerabilities were found under active exploitation
in what they describe as sophisticated real-world attacks.
Apple released patches across iPhones, iPads, and Macs to fix two WebKit flaws it says were used in highly targeted attacks, offering few technical details beyond
confirming the exploits were already circulating. Google, meanwhile, updated Chrome's stable channel
to address several bugs, including an actively exploited zero-day, an out-of-bounds
memory access flaw. Google acknowledged the exploit was in the wild, and later revealed
Apple's security team and Google's Threat Analysis Group were involved in its discovery, suggesting spyware-grade activity. The incidents add to a growing tally,
with Apple patching nine in the wild zero days in 2025 and Google addressing eight in Chrome so
far this year. Google's threat intelligence team has linked five additional Chinese state-backed
hacking groups to active exploitation of the maximum-severity React2Shell vulnerability. The flaw affects
recent versions of the React JavaScript library and enables unauthenticated remote code execution
with a single HTTP request impacting React and Next.js applications using vulnerable server
components. Attacks began shortly after public disclosure on December 3rd, with Palo Alto Networks
reporting dozens of breaches and AWS warning that multiple China-linked groups were exploiting
the bug within hours.
Google says the attackers are deploying a range of backdoors and tunneling tools,
while other actors, including Iranian groups and cybercriminals, are also abusing the flaw.
More than 116,000 systems remain exposed, highlighting widespread risk across internet-facing applications.
France's Interior Minister has confirmed that the Ministry of the Interior was hit by a cyber attack
that compromised its email servers.
The breach, detected overnight between December 11th and 12th,
allowed attackers to access some document files,
though authorities have not confirmed whether any data was stolen.
In response, the Ministry tightened security protocols
and strengthened access controls
while opening an investigation into the attack's origin and scope.
Officials say multiple scenarios are being considered,
including foreign interference,
activist activity, or cybercrime. The Interior Ministry, which oversees police, internal security,
and immigration services is a high-value target. The incident follows previous French attributions
of state-backed campaigns, including activity linked to Russia's APT28 group, targeting government
and diplomatic email systems. Atlassian has released patches for roughly 30 third-party vulnerabilities
affecting multiple products, including several critical flaws.
The most severe is a maximum-severity XML external entity vulnerability in Apache Tika
that could enable information disclosure, denial of service, SSRF, or remote code execution
via crafted PDF files.
Atlassian products using Tika, including Jira, Confluence, and Bamboo, have been fixed.
The updates also address critical prototype pollution bugs
and more than two dozen high-severity issues
across Atlassian's server and data center products.
Users are urged to patch promptly.
Microsoft says its December 2025 Patch Tuesday updates
are breaking Message Queuing, or MSMQ, on some Windows systems,
disrupting enterprise applications and IIS websites.
The issue affects multiple Windows versions after specific security updates are installed.
Microsoft says recent changes to MSMQ's security model altered permissions on a system folder,
causing message failures unless users have administrative rights.
Symptoms include stalled queues, application errors, and misleading resource warnings.
Microsoft is investigating but has not announced a fix, leaving administrators
to weigh rolling back updates against security risks.
Researchers have uncovered a massive exposed database
that left roughly 4.3 billion professional records
openly accessible online.
Cybersecurity researcher Bob Diachenko,
working with Nexus AI, found the unsecured 16-terabyte MongoDB instance
on November 23rd.
It was secured two days later,
but it remains unclear whether attackers accessed the data beforehand.
Analysis showed multiple collections containing names, email addresses, phone numbers, job roles, employment history, education details, photos, and links to professional profiles, such as LinkedIn.
Researchers say the data appears to have been aggregated from multiple sources, likely through large-scale scraping, possibly including older leaks.
While ownership has not been confirmed, evidence suggests ties to a lead-generation business.
Experts warn the database could enable highly targeted phishing, fraud, and other social engineering attacks against professionals.
Britain's new MI6 chief, Blaise Metreweli, is warning that the United Kingdom now faces a constant, borderless threat environment,
driven in large part by an aggressive expansionist and revisionist Russia.
In her first public speech, Metreweli says the front line is everywhere,
pointing to cyber attacks, espionage, sabotage, and other hybrid tactics
as tools Moscow uses to export instability.
She signals Britain's intent to increase pressure on the Kremlin
until President Putin is forced to rethink his strategy.
Her remarks follow recent UK sanctions targeting Russia's military intelligence agency and cyber operators,
as well as additional sanctions against Russian and Chinese groups accused of cyber and influence operations.
Metreweli, the first woman to lead MI6, also emphasizes blending human intelligence with advanced technology,
arguing officers must be as fluent in code as in languages.
Still, she stresses that human judgment, ethics, and agency will ultimately define security in the digital age.
Turning to our Monday business brief, cybersecurity and AI-focused companies saw a surge of funding and deal activity last week,
highlighted by several large investment rounds and acquisitions.
Saviynt led the week with a $700 million Series B to accelerate identity security development and AI-driven migration from legacy platforms.
Eon raised $300 million to expand its cloud backup and AI analytics platform, while agentic AI security startups 7AI, Prime Security, and Lumia collectively secured more than $160 million. Hardware and infrastructure players, including Exadio and Neobium, also attracted significant
capital for AI and quantum resilient security technologies. At the lower end, multiple seed and
pre-seed rounds backed startups focused on impersonation prevention, identity security,
AI governance, and compliance. Mergers and acquisitions were equally active, with Proofpoint
closing its $1.8 billion acquisition of Hornetsecurity
and Checkmarx buying Tromzo to strengthen autonomous AppSec.
Overall, the activity underscores sustained investor confidence in cybersecurity,
particularly around AI, identity, and software supply chain risk.
Be sure to check out our complete business briefing newsletter on our website.
It's part of Cyberwire Pro.
Coming up after the break on today's threat vector, Michael Heller from Unit 42 chats with security leaders Greg Conti and Tom Cross.
They're unpacking the hacker mindset and the idea of dark capabilities and a cyber holiday gift guide for the rest of us.
Stick around.
What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires.
Their trust management platform continuously monitors your systems,
centralizes your data, and simplifies your security at scale.
And it fits right into your workflows,
using AI to streamline evidence collection, flag risks,
and keep your program audit ready all the time.
With Vanta, you get everything you need to move faster, scale confidently,
and finally get back to sleep.
Get started at Vanta.com slash cyber.
That's V-A-N-T-A dot com slash cyber.
On this week's Threat Vector segment, Michael Heller, Managing Editor for Cortex and Unit 42 and Executive Producer of the podcast, sits down with long-time security leaders Greg Conti and Tom Cross to unpack the hacker mindset and the idea of dark capabilities inside modern technology companies.
Hi, I'm David Moulton, host of the Threat Vector podcast, where we break down cybersecurity threats, resilience, and the industry trends that matter the most.
Last week, executive producer Michael Heller sat down with Greg Conti and Tom Cross for a conversation that pulls back the curtain on how attackers really think.
They explore the adversarial hacker mindset and expose the dangerous gap between what your security products promise and what they actually deliver when someone decides to break them apart.
The scariest part? The risks aren't hidden at all.
They're right there in plain sight.
So the backstory of our talk is that Greg and I gave a talk at a very, we'll say, corporate computer security conference.
and we had a slide in it that talked about capabilities
that companies might use in a military conflict
that they don't realize they have, right?
How could they, how might they use
the capabilities of their organization
in an offensive way in the midst of a conflict,
which they might choose to do depending upon their valence
to that conflict, right?
And the conference was very uncomfortable
with us having that conversation.
They asked us to remove the slide.
And so Greg said, well, okay, we're going to do an entire talk based on that slide,
and we're going to do it at DefCon.
Yeah, we can have the conversation.
We're allowed to wade into these like ethically challenging discussions.
And I think it's great.
Like a DefCon is the right room for these kinds of dialogues.
And again, my point is that, you know, that they're vital to have.
I think it's valuable to, you know, put on the black hat and look at,
look at things from that perspective and understand that.
And then what you choose to do with it is your decision, right?
And so it's, you know, any tool has both like malicious and beneficial uses.
Before your adversaries do the same to you.
So one of the things that we recommended was that, you know, the governments consider
the, so we talked about what companies should do, which is something we've discussed.
We also talked about what governments should do.
And governments, you know, could think about like what kinds of capabilities exist within companies that could be used in, you know, sort of, we'll say evil ways, right?
But then they have to ask, you know, one, maybe they want to use them, right?
But then they have to ask maybe another state will come in and use them in a way that's not aligned with my strategy, right?
Or maybe the people that run that company will use that capability in a way that's not aligned with my strategy.
And this really happens in places where conflicts are occurring.
You know, the companies may independently shut off a satellite system.
You know, and so they're making their own choices that affect, you know, the course of events, right?
And so, you know, looking at all, you have to understand what the capability is to ask those three different questions, right?
And then, you know, what can you do to make sure that that capability is, in fact, used in a way that's aligned with your strategic objectives and not someone else's?
Once you find these points, these products that can be used in a malicious way, whatever, what then?
Like, obviously you can put in policies where, you know, you're not going to comply with government.
You can't put in policies.
You have to put in technical solutions.
Or remove capability.
Yeah, you have to remove capability.
I think you've got three, yeah.
So what is the list, right?
So certainly you could remove capability, right?
You could have a technical architecture, which makes this thing either difficult to do
or which makes it transparent if done, right?
There are also, you know, sort of there, I think there are institutional processes.
Perhaps it's not possible for you to prevent the institution
from deciding to do it, but you could design things in such a way that lots of people in the
institution would know if it was being done, right, so that they can't be done, you know,
sort of quietly in a corner. And then one of the things that I talked about is like maybe,
maybe, you know, a third-party NGO could come in an audit and publicly say they're not doing it.
And, you know, if that relationship were to break down, the organization may not admit that
they're doing it now, but it, you know, sort of like creates that assumption. So, like,
there's this concept, I don't know if you've ever heard of the concept of a warrant canary.
You know, if you're running a social media site, you might put something out there that says,
I've never had to respond to a warrant for which I was, you know, prohibited from disclosing.
And then if the warrant canary goes away, we can make certain assumptions, right? I've always thought,
like, that's legal? You can do it. I don't know, right? Yeah. It is. I've, we've seen companies do it.
There certainly are warrant canaries out there.
Yeah.
You know, maybe the government tells you you can't take your warrant canary down.
I'm pretty sure that Google, like, as part of Google's transparency report, I'm quite sure I've seen them use Canaries before.
Interesting.
I would have to go back and double check, but I've definitely seen that in use.
Every company has superpowers.
You mentioned industrial control systems, right?
Clearly, they have powerful tech that, if maliciously used, can be highly impactful.
But what we're finding is basically every major company has superpowers.
Imagine what a dating, like, just for sake of making this simpler.
Just think about an evil dating site.
What type of data leakage, you know, can be collected from that?
And also at scale.
Yeah.
So, I mean, I do think that, like, the practice of information security becomes more and more vital as time goes on.
I mean, it's always this question of, like,
are we going to, maybe we solve the problem, right?
Because we just get really good at coaching developers
to write better code, or we've got, you know,
so there's a whole debate about AI,
whether AI generated code is going to have fewer vulnerabilities,
which is nonsense.
It's got the same number of vulnerabilities
because it's reading code that humans wrote
and it's writing it in the same way that humans do.
And so it's, you know, pretty much like,
producing the same volume of vulnerabilities that the humans were.
But the, you know, there's this always been this question,
people have been asking this question for years.
It's like, are we going to fundamentally address some of these problems
in a way that, you know, means that there isn't as much of a need for this kind of work, right?
And I think I'm continually amazed by how this whole conference continues to expand and grow every year.
and the scale that it's functioning at now, right?
You know, DefCon used to be, you know, like maybe a thousand people in a conference,
single conference room in a hotel somewhere, right?
And so, you know, I mean, I think, you know, these issues are going to continue to get
more and more complicated.
And so I feel like there's a lot more work to do in infosec.
And I think, you know, we're talking about these robots, a lot of these embedded systems,
like they don't have the degree of hardening of, you know, some of the sort of traditional computers that we use or our phones.
This isn't just another security discussion. It's about rewiring how you think so you can spot vulnerabilities before the attackers do and build a
that actually hold up under pressure.
If this got your attention, don't wait.
Listen to the full episode now in your Threat Vector podcast feed.
It's called The Adversarial Hacker Mindset, and it's live now.
Thanks for listening.
Stay secure.
Goodbye for now.
Be sure to check out the full episode of Threat Vector wherever you get your favorite podcasts.
And finally, journalist Zach Whitaker's holiday cyber gift guide opens by admitting what many readers already suspect.
Gift guides are usually terrible.
Endless lists, questionable recommendations, and very little actual help.
This one, he says, is meant to spare you that pain. The idea is to suggest gifts that improve security, privacy, or curiosity without accidentally
turning someone into a breach waiting to happen. Whitaker's picks are practical, optional,
and deliberately unsalesy. He points readers toward supporting independent journalism because good
reporting is still one of the best defenses we have. He suggests data removal services for
anyone uneasy about their digital exhaust, password managers for people still reusing the same login everywhere, and tools like Flipper Zero or Shodan for those with
a healthy, harmless curiosity about how tech really works. There are also creature comforts like
coffee subscriptions and long-term projects like building a home lab with a NAS. The tone stays
lightly irreverent throughout, no kickbacks, no guilt, just thoughtful ideas from someone who's seen
how badly security gifts can go wrong.
And that's The Cyberwire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
One final note before we go,
You may recall that not too long ago, we asked for your help voting for an award I was nominated for, the SANS Difference Makers Awards.
I'm pleased to report that, thanks to all of you who voted, we won.
Last night, I was honored to accept the award live at the awards gala in Washington, D.C.
Thank you all. Thanks to SANS. Thanks to everyone out here.
I say every day that I have the best job in the world because every day I get to talk to smart, interesting people about amazing things and then share the things that I learn with the rest of the world.
I've been doing this for just about 10 years now.
I've interviewed over 5,000 people, some of the people in this room I've had the pleasure
of speaking with.
I am just the most public-facing person that is part of an amazing team at the Cyberwire
who make it all look easy.
Our producers, our editors, the people who keep the doors open by doing ad sales,
our CEO, Peter Kilpe, every day it is our privilege to be able to bring the news to you
and keep you all informed. So I am honored to receive this, and I thank you all. Take care.
Thanks.
This show is truly a team effort, and I'm thankful for everyone who plays a role in making it possible
for us to bring you the news and information that help make our world a little safer every day.
Thanks to all of you, our listeners, for supporting our efforts.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
