CyberWire Daily - Cyber shock to the oil trade.
Episode Date: December 16, 2025

Venezuela’s state oil company blames a cyberattack on the U.S. An Iranian hacker group offers cash bounties for doxing Israelis. Germany’s lower house of parliament suffers a major email outage. South Korea’s e-commerce breach exposes personal information of nearly all of that nation’s adults. Researchers report active exploitation of two critical Fortinet authentication bypass vulnerabilities, and three critical vulnerabilities in the FreePBX VoIP platform. An auto-industry credit reporting agency suffers a data breach. Google is shutting down its dark web reporting service. European law enforcement dismantles a Ukrainian fraud network. Our guest is Christiaan Beek, Senior Director Threat Intelligence & Analytics from Rapid7, discussing how attackers are accelerating exploitation, refining ransomware, and expanding nation-state operations. A Pornhub breach proves the internet never forgets.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On today’s Industry Voices segment, guest Christiaan Beek, Senior Director Threat Intelligence & Analytics from Rapid7, discusses how attackers are accelerating exploitation, refining ransomware, and expanding nation-state operations. Dive into the details in Rapid7’s report. Tune into Christiaan's full conversation here.
Selected Reading
Venezuela Says Oil Export System Down After Weekend Cyberattack (Bloomberg)
Iran-linked hackers dox Israelis, offer cash bounties (The Jerusalem Post)
German Parliament Allegedly Hit by Email Outage During US-Ukraine Talks Amid Cyberattack Suspicions (TechNadu)
Breach at South Korea’s Equivalent of Amazon Exposed Data of Almost Every Adult (Wall Street Journal)
Arctic Wolf Observes Malicious SSO Logins on FortiGate Devices Following Disclosure of CVE-2025-59718 and CVE-2025-59719 (Arctic Wolf)
Critical authentication bypass and multiple flaws discovered in FreePBX VoIP platform (Beyond Machines)
Millions Affected by Massive 700Credit Data Breach (Tech.co)
Google Is Shutting Down Its Dark Web Monitoring Tool (Technology.org)
European authorities dismantle call center fraud ring in Ukraine (Bleeping Computer)
Porn User Data Stolen—Pornhub ‘Search, Watch And Download’ Activity (Forbes)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple?
Meet Meter, the company reimagining enterprise networking from the ground up.
Meter builds full-stack, zero-trust networks, including hardware, firmware, and software,
all designed to work seamlessly together.
The result, fast, reliable, and secure connectivity
without the constant patching, vendor juggling, or hidden costs.
From wired and wireless to routing, switching, firewalls, DNS security, and VPN,
every layer is integrated and continuously protected in one unified platform.
And since it's delivered as one predictable monthly service,
you skip the heavy capital costs and endless upgrade cycles.
Meter even buys back your old infrastructure to make switching effortless.
Transform complexity into simplicity and give your team time to focus on what really matters,
helping your business and customers thrive.
Learn more and book your demo at meter.com slash cyberwire.
That's M-E-T-E-R dot com slash cyberwire.
Venezuela's state oil company blames a cyber attack on the U.S.
An Iranian hacker group offers cash bounties for doxing Israelis.
Germany's lower house of parliament suffers a major email outage.
South Korea's e-commerce breach exposes personal information of nearly all of that nation's adults.
Researchers report active exploitation of two critical Fortinet authentication bypass vulnerabilities,
and three critical vulnerabilities in the FreePBX VoIP platform.
An auto industry credit reporting agency suffers a data breach.
Google is shutting down its dark web reporting service.
European law enforcement dismantles the Ukrainian fraud network.
Our guest is Christiaan Beek, senior director of threat intelligence and analytics at Rapid7,
discussing how attackers are accelerating exploitation, refining ransomware, and expanding nation-state
operations. And a Pornhub breach proves the internet never forgets.
It's Tuesday, December 16th, 2025. I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today.
It's great as always to have you with us.
Venezuela's state oil company PDVSA reported a cyber attack on Monday and said operations
were unaffected, though multiple sources said key systems remain down and oil cargo deliveries
were suspended. PDVSA and the oil ministry blamed the United States, calling the incident
part of efforts to seize control of Venezuela's oil sector. A company source said the
disruption stemmed from a ransomware attack detected days earlier, with antivirus efforts
crippling administrative systems. Oil production, refining, and domestic distribution continued,
but exports were hit, forcing staff to keep handwritten records and halting loading instructions.
The incident comes amid rising U.S.-Venezuela tensions, including the recent U.S. seizure of a tanker
carrying Venezuelan crude. As a result, exports have fallen sharply.
Millions of barrels remain stranded offshore, and several tankers have turned back.
An Iran-linked hacker group known as Handala has launched a campaign offering cash bounties
for information on more than a dozen Israelis it claims are involved in developing Israel's
Patriot, Arrow, and David's Sling air defense systems.
The group published photos and extensive personal details of engineers and technicians
alongside explicit threats, including references to their families.
A $30,000 bounty was offered for information on some targets, with additional lists offering $10,000 rewards.
The data has spread widely on Arab media and Telegram, including via Hamas, though its accuracy has not been independently verified.
The effort is part of Handala's broader Red Wanted doxing campaign, which has targeted nearly 200 Israelis since October.
The group is widely assessed to have ties to Iranian intelligence and a history of cyber and leak operations.
Germany's lower house of parliament suffered a major email outage on Monday,
leaving lawmakers without access for more than four hours and prompting suspicions of a targeted cyber attack.
The disruption coincided with sensitive U.S.-Ukraine discussions hosted in Germany,
raising concerns about timing and intent.
While technical details remain undisclosed, senior lawmakers have acknowledged an ongoing investigation,
according to Reuters, citing the Financial Times.
The incident highlights persistent cyber risks to government institutions,
particularly during periods of heightened geopolitical activity and diplomatic engagement.
Coupang, South Korea's largest e-commerce company, often compared to Amazon,
suffered one of the country's largest data breaches, exposing personal information from up to 34 million user accounts.
That's more than 90% of the working age population.
The leak, which went undetected for nearly five months, included names, phone numbers, and residential entry codes, but not credit card or government ID data.
Authorities say the alleged perpetrator was a former Coupang software developer who retained internal authentication
credentials after leaving the company and accessed systems from overseas.
The breach triggered lawsuits, police raids, multiple government investigations, and the
resignation of Coupang's South Korea CEO. Regulators are considering record fines, while
public anger has intensified calls for tougher penalties over personal data protection failures.
Researchers at Arctic Wolf report active exploitation of two critical
Fortinet authentication bypass vulnerabilities beginning December 12th. The flaws allowed unauthenticated
SSO logins via crafted SAML messages when FortiCloud SSO is enabled, leading to admin access
and configuration exfiltration on FortiGate devices. Affected products include FortiOS,
FortiProxy, FortiWeb, and FortiSwitch Manager. Arctic Wolf advises resetting credentials,
restricting management interface access, and upgrading immediately to patched versions.
They note FortiCloud SSO may be enabled during device registration despite being disabled by default.
Elsewhere, researchers at Horizon3.ai disclosed three critical vulnerabilities in the FreePBX VoIP platform
that could be chained to fully compromise affected systems.
The most severe allows authentication bypass when a non-default web server authentication setting is enabled.
Additional flaws include SQL injection and arbitrary file upload vulnerabilities that enable database access and remote code execution.
While some issues were exploited in the wild, FreePBX has released patches across multiple versions.
Organizations are urged to update immediately and ensure authentication settings remain on the default User Manager option.
700Credit, a major credit reporting and identity verification provider for the North American
automotive industry, disclosed a data breach affecting more than 5.8 million individuals.
The incident was discovered on October 25th and traced to a compromised third-party API
tied to the company's web application.
Attackers accessed data collected from automotive dealers between May and October
of this year, including names, addresses, dates of birth, and Social Security numbers.
The breach impacted the 700dealer.com application layer, but the company says its internal network
and operations were unaffected. 700Credit reports no evidence so far of identity theft or
data misuse and is notifying affected individuals.
Google will shut down its dark web report feature on February 16th of next year,
ending a service launched about 18 months ago to help users monitor stolen personal
data. The tool will stop scanning for new breaches on January 16th, with all stored data
deleted a month later. Google acknowledged that while the feature alerted users when information
like emails, phone numbers, or Social Security numbers appeared in breach dumps, it failed to
offer clear, actionable guidance on what to do next. User feedback,
including complaints on Reddit, highlighted the lack of specificity about which accounts were at risk.
Google says it will instead focus on existing security tools such as Security Checkup,
Password Manager, and Password Checkup, which provide more practical steps for protecting accounts.
European law enforcement agencies have dismantled a large fraud network operating call centers in Ukraine
that scammed victims across Europe out of more than 10 million euros.
Authorities from several countries, supported by Eurojust, arrested 12 suspects and carried out 72 searches in Ukraine,
seizing vehicles, weapons, cash, computers, and forged identification.
The network ran multiple call centers employing around 100 people and targeted more than 400 victims
through bank and police impersonation scams, remote access fraud, and in-person cash collection.
Employees were paid commissions of up to 7%, with promised bonuses that were never delivered.
Officials say the operation highlights the continued scale of organized call center fraud across Europe.
Coming up after the break, my conversation with Christiaan Beek from Rapid7.
We're discussing how attackers are accelerating exploitation, refining ransomware, and expanding nation-state operations.
And a Pornhub breach proves the Internet never forgets.
Stay with us.
What's your 2 a.m. security worry?
Do I have the right controls in place?
Maybe are my vendors secure?
Or the one that really keeps you up at night?
How do I get out from under these old tools and manual processes?
That's where Vanta comes in.
Vanta automates the manual work,
so you can stop sweating over spreadsheets,
chasing audit evidence, and filling out endless questionnaires.
Their trust management platform continuously monitors your systems,
centralizes your data, and simplifies your security at scale.
And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time.
With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep.
Get started at Vanta.com slash cyber. That's V-A-N-T-A dot com slash cyber.
Christiaan Beek is Senior Director for Threat Intelligence and Analytics at Rapid7,
and in today's sponsored Industry Voices conversation,
we discuss how attackers are accelerating exploitation, refining ransomware,
and expanding nation-state operations.
I think in Q3, look, we always track ransomware, right?
And we always hope that at some point the numbers will go down.
And I was hoping that for two years ago.
Then last year came in, and I thought, like, oh wow, this is really worse.
And it really felt like this quarter, like, ramping up so much, groups and initiatives.
That is like, hey, I think people need some Christmas money for buying Christmas gifts or something.
But my God, like 80 groups, almost daily, active trying to ransomware operations.
And it goes up and down, right? Like, you see groups disappear, and then new ones are surfacing.
And I always say that those are the smaller ones.
But you have some of those steady operations that goes on and on and on.
And it's like unbelievable the volume of attacks we observed there, right?
And I think that was one of the key findings there in the report.
But also if you talk about vulnerabilities, well, hey,
we're in the middle of this React server stuff going on this week.
Yeah, it proved the point we've made actually like,
hey, if a vulnerability is actually made public, then it's no longer a zero day,
but an end day is being exploited in the wild immediately.
And, well, there's exactly what we saw happening this week when it was announced.
I think we hit at some point like 30 attacks an hour on our honeypots with regards to this particular vulnerability.
And also, it's not only like, hey, let's try if I can use this exploit by some people.
But no, it was also like really ranging from cybercriminals to nation states incorporating this new vulnerability immediately in their attack plan and starting to exploit it.
So it was fascinating to see, like, hey, the observation we mentioned in the report, now actually seeing proven alive as well, now out in the wild there.
Yeah, I mean, one of the things that struck me when I was reading the report is how this is a
story about velocity also, that these, the exploitations are happening within hours of disclosure.
How do you suppose defenders need to respond to that uptick in velocity?
I think it's a challenge, to be fair, right?
With all respect, like, not every vulnerability, and actually the platform that is impacted, lends itself for, like, hey, let's patch this tonight, right?
So let's say on Friday afternoon we get this notification that we have this vulnerability. It's not standard that we actually patch this in the evening, right? Or it really depends on what type of software we're talking about.
So it's really becoming a challenge for defenders to actually actively, or how you say that, um, yeah, adequately respond fast enough on these kind of threats. And that's a challenge for sure.
Yeah. What about the ransomware that you're tracking here? How have you seen these operations evolve, and are there any particular groups that seem to have the biggest impact?
Well, traditionally ransomware was really like, hey, let's go into a company, we go after the endpoints, you actually launch the ransomware, you find this ransom note on your desktop with this nasty message that you have been a victim. That is gone, kind of.
I know that's really disappeared.
What we really observe is that first when they come in,
they're not so much interested anymore in the endpoint itself.
It's more like, hey, where do you stash your data?
And let's go after that.
So that's already going on for a while.
I think we've seen now more trends.
This is of the last couple of weeks where some of those major groups
are really going after the virtualization environments.
That's not new on itself, but that's becoming a focus, really going after that data.
Yeah, that's definitely a trend we're observing.
Are there any particular sectors that they seem to be targeting?
Surprisingly, we saw a new sector arising in Q3, which was the construction sector.
And with all the respect, in all those years we're tracking ransomware, this was like a new
one for me.
It's like, wow, I haven't seen that one coming.
But it was interesting.
Healthcare, unfortunately, still very popular.
But yeah, those are some of the significant sectors we observe for sure in Q3.
Yeah.
We've seen some alliances among these ransomware groups.
That's reflected in the report as well.
Well, at some point there was this kind of, yeah, we call it in Dutch here like a fitty.
It's like a fight going on.
It's like a gang language, the word fitty.
But it means like, yeah, you're fighting each other, you're doxing each other.
And they were making fun of some of those groups that,
who are being hit by law enforcement,
and there were messages on those forums where it's like,
hey, these guys can't do their job.
So let's come over to us, work with us.
We host the infrastructure for you.
We help you even with negotiations.
So we were talking about Dragon Force here.
And at some point, we even saw alliances with Scattered Spider,
right, that initial group of teenagers trying to attack some high value targets.
But definitely that some of those alliances were definitely observed.
And yeah, I think if they want to survive at some point, yeah, this will probably observe this more happening.
One of the things that the report highlights is how nation state actors seem to be focusing on stealth and persistence.
What insights can you share about that?
If you look at nation states on itself, right, of course, they are not into the game for like, hey, let's attack a target and let's be detected very soon.
They are in for the long term, right?
That's where the persistence comes from as well, I would say.
But also, most of the operations for nation-state is really like long-term information,
classic intelligence gathering.
So they really try novel ways to bypass some of these security technologies we, of course,
as vendors develop at the same time, stay below the radar.
And, yeah, we've observed some innovation happening over the past couple of months.
We have seen some really stealthy backdoors that are really hard to detect.
You know, you have to know exactly like they're sleeping on the system.
And until they get like a specific command or like what we call a network packet sent to them,
that's when they become alive.
And then it's still very limited to what they are doing.
So it's really, really hard to spot.
And yeah, that's somewhat the observation we've seen.
Yeah, interesting.
Being 2025, I would be remiss to not ask you about AI and the influence that you're seeing that on things today.
Yeah, well, I was expecting, anticipating on this question, right? Like, there's hardly any interview when this buzzword is passing by, right?
Well, AI, I think honestly I still would call it machine learning, what they are doing.
It's mostly like what we all are doing, right? Like, for example, you write a piece of code, they use, like, hey, can you check my code, is there anything I can do better?
For sure, that's some of the stuff we're seeing.
I think the professionalism of creating a phishing campaign
using AI technology, yeah, that's obvious, right?
Some of those campaigns are so real hard to detect,
like if it's fake yes or no.
So that's why we see the embracing.
And I heard also, of course, like this whole DPRK IT workers
thing, that they are heavily using AI to mimic people.
They create fake profiles on LinkedIn,
where they leverage AI to create the image,
all those kind of, hey, these are the educations you need to put in a profile to make it really
convincing that you're dealing with a professional in engineering. So yeah, it's really like
widespread being used. Well, based on the information you've gathered here, what are your recommendations
for defenders in terms of prioritizing their efforts? I would really say like, if you look at the
ransomware actors themselves, right, they're really doing like in what we call like a shift left.
So they go really for the security devices at the edge of the networks,
like the firewalls, the VPNs and all that stuff.
And I think what we really need to ask ourselves,
like back to your prior point,
why you're asked like, hey, if you have this vulnerability
and we can't patch quick enough, what can you do?
And I think that's where we need to do our homework,
where we say, like, hey, if they bypass some of this,
I would say, edge protecting technology,
where in my technology stack, in my people, in my processes, where is the next step
where properly we can actually spot them?
And actually, is there something where I might have a gap in my visibility, aka what is
my attack surface, right?
And do I exactly have the visibility?
I need to respond.
And it sounds really like, do we need to go back to the foundations?
Yes, big yes, I would say.
Like, sometimes we are doing a lot with technology, you mentioned AI, with cloud, we have all those beautiful technologies.
But sometimes it makes it so complex that we hardly understand anymore.
Like, hey, what are some of those attack factors and where do we need to look for this?
Well, given these realities, what's your outlook for the fourth quarter and into 2026?
I think the fourth quarter would be a lot different than the third quarter.
I think the numbers even go up if you look for different perspectives.
And then 2026, well, I think this year, I think at the second half of 2025,
we had with quite some of those supply chain attacks, Salesforce, for example, and Oracle
e-business, those had a major, major impact on what's happening and how we had to respond.
And I think we should take some lessons learned from those supply chain attacks and really
apply them into the next year or anticipate on those because, yeah,
that will only grow bigger, in my humble opinion.
That's Christiaan Beek from Rapid7.
We have a link to their research in our show notes.
And finally, Pornhub says data linked to its premium members was exposed. The incident traces back not to Pornhub itself,
but to a breach at analytics firm Mixpanel, a vendor Pornhub says it stopped using in 2021.
Attackers linked to the ShinyHunters extortion group allegedly accessed Mixpanel via an SMS
phishing attack and stole roughly 94 gigabytes of historical analytics data. That data reportedly
includes email addresses, viewing activity, search terms, video titles, locations, and
timestamps. ShinyHunters is now extorting affected companies, raising awkward questions about
why such intimate data was retained for years.
And that's the CyberWire. For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.