CyberWire Daily - Just another day of scamming and jamming.
Episode Date: December 3, 2025

The DOJ shuts down another scam center in Myanmar. OpenAI confirms a Mixpanel data breach. A new phishing campaign targets company executives. A bipartisan bill looks to preserve the State and Local Cybersecurity Grant Program. Universities suffer Oracle EBS data breaches. India reports GPS jamming at eight major airports. Kaiser Permanente settles a class action suit over tracking pixels. The FTC plans to require a cloud provider to delete unnecessary student data. An international initiative is developing guidelines for commercial spyware. Our N2K Producer Liz Stokes speaks with Kristiina Omri, Director of Special Programs for CybExer Technologies, about the cyber ranges for NATO and ESA. Iranian hackers give malware a retro reboot.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today, we bring you a conversation our N2K Producer Liz Stokes and Kristiina Omri, Director of Special Programs for CybExer Technologies, had during Liz's visit to Tallinn, Estonia, about the cyber ranges for NATO and ESA. We are pleased to share that our N2K colleagues Liz Stokes and Maria Varmazis were in Tallinn, Estonia this week for the NATO Cyber Coalition 2025 Cyber Range Exercise. Their visit marks the CyberWire as the only United States podcasters invited to attend. We'll be sharing interviews and insights from the event, starting today with our producer Liz Stokes' conversation with Kristiina Omri, Director of Special Programs for CybExer Technologies.

Selected Reading
DOJ takes down Myanmar scam center website spoofing TickMill trading platform (The Record)
OpenAI Confirms Mixpanel Data Breach—Was Your Data Stolen? (KnowTechie)
New "Executive Award" Scam Exploits ClickFix to Deliver Stealerium Malware (GB Hackers)
Hassan and Cornyn bring in bipartisan bill to keep state and local cyber grant program alive (Industrial Cyber)
Penn and Phoenix Universities Disclose Data Breach After Oracle Hack (SecurityWeek)
Indian government reveals GPS spoofing at eight major airports (The Register)
Kaiser Permanente to Pay Up to $47.5M in Web Tracker Lawsuit (BankInfo Security)
FTC settlement requires Illuminate to delete unnecessary student data (Bleeping Computer)
Pall Mall Process to Define Responsible Commercial Cyber Intrusion (Infosecurity Magazine)
Iran Hackers Take Inspiration From Snake Video Game (GovInfo Security)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.

Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack, zero-trust networks, including hardware, firmware, and software, all designed to work seamlessly together. The result: fast, reliable, and secure connectivity without the constant patching, vendor juggling, or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security, and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com slash cyberwire. That's M-E-T-E-R dot com slash cyberwire.
The DOJ shuts down another scam center in Myanmar. OpenAI confirms a Mixpanel data breach. A new phishing campaign targets company executives. A bipartisan bill looks to preserve the State and Local Cybersecurity Grant Program. Universities suffer Oracle EBS data breaches. India reports GPS jamming at eight major airports. Kaiser Permanente settles a class action suit over tracking pixels. The FTC plans to require a cloud provider to delete unnecessary student data. An international initiative is developing guidance for commercial spyware. Our N2K producer Liz Stokes speaks with Kristiina Omri, Director of Special Programs for CybExer Technologies, about the cyber ranges for NATO and ESA. And Iranian hackers give malware a retro reboot.

It's Wednesday, December 3, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing.

Thanks for joining us here today. It's great as always to have you with us.
The Department of Justice has seized a fraudulent website that was used by a Myanmar-based scam center to steal thousands of dollars from multiple victims. According to an affidavit, the domain spoofed the legitimate trading platform TickMill and was traced by the Scam Center Strike Force to the Tai Chang scam compound in Myanmar, which authorities raided three weeks ago. Victims were tricked into depositing funds after scammers showed fabricated investment returns and fake account deposits. The FBI says several victims sent cryptocurrency to the site in the past month. The domain also pushed fraudulent mobile apps that have since been removed by Google and Apple. U.S. officials have placed a law enforcement notice on the site as part of broader efforts targeting Southeast Asian scam compounds.
Analytics firm Mixpanel quietly disclosed a security incident in a brief Thanksgiving Eve blog post that offered almost no specifics. CEO Jen Taylor said only that something occurred on November 8th and that it affected some customers. She did not respond to follow-up questions. OpenAI, however, confirmed two days later that customer data was stolen, since it uses Mixpanel to analyze developer-facing website traffic. Exposed information included names, emails, approximate locations from IP addresses, and device details. OpenAI said regular ChatGPT users were not affected and ended its use of Mixpanel. The incident highlights how analytics companies collect extensive user data and have become valuable targets. Mixpanel has not explained the breach's cause or scope, leaving open how many people may have been affected.

A new phishing campaign is targeting company executives with a coordinated attack that steals credentials and installs malware. Identified by Trustwave MailMarshal researchers, the Executive Award scam begins with a phishing email posing as a Cartier recognition notice. Victims receive a password-protected zip file containing a personalized lure that leads to a fake webmail login page, where stolen credentials are sent to a Telegram channel. A second stage uses a deceptive ClickFix technique delivered through a malicious SVG file that displays a fake Chrome error and urges users to run a PowerShell fix. This executes a multi-stage chain that installs the Stealerium infostealer, which can harvest browser data, wallets, and system information. Researchers have linked the infrastructure to a specific IP address and two Telegram bots used for exfiltration.
A bipartisan group of senators has introduced legislation to reauthorize the State and Local Cybersecurity Grant Program, which has supplied $1 billion over four years to help state, local, and tribal governments defend against cyber attacks. The State and Local Cybersecurity Grant Program Reauthorization Act, led by Senators Maggie Hassan and John Cornyn, is intended to ensure continued support for ongoing cybersecurity projects. Hassan said the program helps protect essential services such as schools, utilities, and emergency response systems. Cornyn noted that Texas had received nearly $40 million and said communities need sustained resources as digital threats grow. Hassan has also backed efforts to create state-level cybersecurity coordinator roles. Last month's temporary funding bill included short-term extensions of this grant program and the Cybersecurity Information Sharing Act of 2015, giving lawmakers more time to pursue long-term reauthorizations.
The University of Pennsylvania is notifying individuals of a data breach involving its Oracle EBS system, which supports supplier payments and other business functions. Nearly 1,500 Maine residents were affected, though the total number remains undisclosed. The University of Phoenix also reported an Oracle-related intrusion, discovered after it appeared on the Clop leak site. Exposed data includes names, contact details, dates of birth, Social Security numbers, and bank account information. The broader Oracle EBS campaign has impacted more than 100 organizations, including multiple universities and major companies.
India's civil aviation minister has reported GPS spoofing and jamming at eight major airports, noting recent incidents in Delhi and ongoing activities since 2003 in Kolkata, Amritsar, Mumbai, Hyderabad, Bangladesh, and Chennai. GPS interference can overwhelm or mimic satellite signals, preventing pilots from relying on navigation systems. A 2025 jamming incident forced pilots carrying European Commission President Ursula von der Leyen to switch to manual navigation, though the minister offered no attribution for India's events and said no harm occurred. The Airports Authority of India has asked the Wireless Monitoring Organization to identify the source of interference. The minister adds that the Airports Authority of India is deploying advanced cybersecurity measures and continually upgrading protections as aviation cyber threats evolve.
Kaiser Permanente has agreed to pay up to $47.5 million to settle consolidated class action claims over its use of tracking codes on websites, patient portals, and mobile apps, which allegedly shared patient data with third parties such as Google, Microsoft, and X (Twitter). Kaiser reported the incidents in April 2024 as a HIPAA breach affecting 13.4 million people, the year's second-largest health care data breach. The settlement covers members in nine states and D.C., with pro-rata payments for approved claimants. Kaiser denies wrongdoing and says it has removed the tracking tools.
The Federal Trade Commission plans to require Illuminate Education to delete unnecessary student data and strengthen its security as part of a proposed settlement over a 2021 incident that exposed information on about 10 million students. The move follows a separate $5.1 million settlement with California, Connecticut, and New York. Illuminate, a cloud provider for K-12 schools, collected extensive academic and demographic data but, according to the FTC, lacked access controls, monitoring, patching, and encryption. A hacker used credentials from a former employee to access databases hosted by a third-party cloud provider and exfiltrated student records, health information, and other personal details. The FTC says the company ignored prior warnings, misrepresented its security practices, and waited two years to notify schools. The order will require security improvements, data deletion, and accurate future disclosures.
An international initiative is developing guidelines for commercial spyware and related cyber intrusion providers to curb irresponsible behavior. The Pall Mall Process, launched in 2024 by the UK and France, now includes 27 governments and major tech companies like Google, Microsoft, Apple, and Meta. Its second phase seeks input from the offensive cyber industry to define responsible conduct for private sector firms. The UK's National Cyber Security Centre says commercial cyber intrusion capabilities, including exploit development, malware creation, C2 services, and hacking as a service, can support law enforcement and national security, but pose risks without safeguards. The effort aims to set expectations across the broader ecosystem of developers, brokers, and operators, while addressing misuse as demand for zero-day exploits grows. The consultation closes December 22nd.

Coming up after the break, our N2K producer Liz Stokes speaks with Kristiina Omri, Director of Special Programs for CybExer Technologies, about cyber ranges for NATO and ESA, and Iranian hackers give malware a retro reboot. Stay with us.
What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work, so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at Vanta.com slash cyber. That's V-A-N-T-A dot com slash cyber.

AI is transforming every industry, but it's also creating new risks that traditional frameworks can't keep up with. Assessments today are fragmented, overlapping, and often specific to industries, geographies, or regulations. That's why Black Kite created the BKGA3 AI Assessment Framework to give cybersecurity and risk teams a unified, evolving standard for measuring AI risk across their own organizations and their vendors' AI use. It's global, research-driven, built to evolve with the threat landscape, and free to use, because Black Kite is committed to strengthening the entire cybersecurity community. Learn more at Blackkite.com.
We are pleased to share that our N2K colleagues Liz Stokes and Maria Varmazis were in Tallinn, Estonia this week for the NATO Cyber Coalition 2025 Cyber Range exercise. Their visit marks the CyberWire as the only United States podcasters invited to attend. We'll be sharing interviews and insights from the event, starting today with our producer Liz Stokes' conversation with Kristiina Omri, Director of Special Programs for CybExer Technologies.
CybExer is an Estonian-based, or headquartered, company, but we do operate globally. So there are approximately 55 countries in which we have conducted different cybersecurity-related projects or sold our technology. So we are a cybersecurity company on the preparedness side of cybersecurity.

And you guys provide cyber ranges for NATO and ESA. What do those entail exactly?

Yes, cyber range technology comes historically from the military, from the need to train and exercise also on the digital battlefield, to use the tools they would be using in the actual operations, but to do it in a simulated environment so that the real systems do not get harmed.
And how do you research for cyber instances in space?

So space is an interesting domain. How did we get into the space projects was through the military. At some point, the military started asking, besides the other domains, also for the elements from space, because, as also the current conflicts around the world and war have shown, the space-based assets are crucial for the information.

Yeah, yeah, exactly. Can you go a little bit further into that? Like, how do you guys defend against those types of things?

So first of all, it usually goes, and how we do it, we bring the technologies to the cyber range, so to the simulation environment where we build up an infrastructure or digital twins of different technologies. And this is what we do also in the space domain. So we build it in. We build an infrastructure containing then a satellite, ground control station, mission control station, and also different other technologies when they make it relevant for the specific use case.
Do you have any examples of problems solved using the same cyberspace range?

The first aim of our solution is to improve the capabilities and skills in cybersecurity, because first of all, in general, in cybersecurity there's a great lack of cybersecurity specialists around the world. There are millions of unfulfilled job places because there's just a lack of suitable potential employees. And when we even look at it closer to the space segment, the gap there is also quite big. So we have space engineers, we have IT people, we have cybersecurity specialists, but how to combine those skills so that the cybersecurity specialists that come out of the universities would have an understanding of space engineering, or vice versa, that the space engineers would already get from the beginning the basic key elements of cybersecurity. And maybe this is one of the specifics of the space industry: that the systems will be up there and running for quite a long time in orbit once you finish them. You cannot take them down and relaunch them usually. So it has to be taken into account when engineering, but also designing, the systems.
What do you want space companies to know about space and cybersecurity? Like, what are you trying to explain to them?

So we are a bit in a situation where everyone knows that they should pay attention to cybersecurity, but quite often there are so many other things to worry about. And at the same time, maybe also a bit of a lack of knowledge of what and how we should do it. So there's a bit of an elephant in the room. We know that there are a lot of legacy systems in the space industry. There have not been that many attacks that have been spoken about openly. There are a few, but it is a bit like a situation where the understanding and the perception can change very easily when something big happens. What we nowadays do not think, and probably you don't think, is that you rely every day in your work on space systems, but we both do when using the basic satellite information for the GPS, but also for the weather forecast, to see if it's snowy the next day or not. So this information we get through space. So it's not only for the space industry, but it's part of the way we live nowadays.

Right, right. And I see there are a ton of televisions to our left here. Would you mind telling our audience what's going on on these televisions? Explain them a little bit more.
Yes. So the TVs here present different views from the cyber range. So a cyber range is a platform for the hands-on learning of cyber skills. We build up the virtual environments, let's say digital twins, networks, everything, and the aim of the trainees there, be it a team-based exercise or an individual-based exercise, is to go and see, depending on the scope, of course, where are the vulnerabilities, what can I do to repair it, and so on and so forth. So this is one part of it, that it's about the skills development, and hence we can also take out the analytics: where are they good at, what are the areas of improvement? What we say is it's never about pass and fail, it's about improving and learning. And this is also what we do: on the cyber range we can clone the systems, so if we run a big military exercise we clone the systems and the game nets for each team, so that they would each get their playing field and get the learning experience. We can also do, of course, the shared targets if it's desired. But to have in mind this learning, then it's best if everyone gets the same game net and has their tasks and defense actions to be taken there.

Walk me through that process. What's that like?

So if we talk about the exercise, and let's say it's a team-based exercise, then usually we prepare on the cyber range those game nets. We make sure with the customer what are the necessary infrastructure components. Are there any of the security monitoring systems, internal networks, what are the other special systems that we connect to? If we talk about space, then is there a flat set, any of the mission control, ground control segments that need to be part of the game net? And then once we have it ready, those are real virtual machines. So when the participant actually, when the exercise starts, they log in and everything looks as if it's real. So we do not compete with the ones who provide cybersecurity training on paper-based and theoretical materials. So we are really hands-on.
What made you think that Tallinn was one of the best places to start this company, to build up from here? I mean, you think of space and you think of cyber, and I think most people don't come to Estonia to think of that. So what made this place the best for you guys?

Well, Tallinn has a bit of history with cyber, from the 2007 cyber attacks against Estonia, so against the governmental institutions, but not only, also commercial ones. So it started with attacks against the president's website. Okay, if you're a citizen of Estonia and the website of the president does not function, you can still continue your everyday life probably. But if your internet bank does not respond anymore, then you feel it and it starts really having an influence on your daily life. So this was 2007. And from this attack, a large-scale attack, we learned it even more clearly that we have to put more emphasis on cyber. And out of this experience, many good initiatives and things have grown, like the NATO CCDCOE in Tallinn, providing the collaborative platform for NATO and then other countries who have joined the CCDCOE for those cybersecurity exercises and trainings. And hence, also the private sector and cybersecurity companies started growing. They started growing already before, but this definitely was another push towards it. So, and this is also where our company is a bit rooted in, so in this need for a collaborative training platform. I spoke about the training of people and upskilling them, but this type of platform can also be used for technology testing. So our core technology team has actually a background in NATO CCDCOE. And hence Tallinn is a good, a very untypical place for the cyber ranges, because you can find different institutions and companies providing cyber range solutions here.
That's awesome. Wow, that's amazing. Is there anything that you want to kind of talk to my audience about and, like, explain a little bit further? Is there anything that I missed?

Well, it's a long topic, and especially with the space angle, maybe, there's a lot to do. And we have noticed that there's a growing interest in and understanding of it. But there's still quite the understanding of the vulnerabilities. It is also, at the same time, when we still have these legacy systems, as I mentioned before, there are still newer solutions coming up also. There are more commercial satellites up there with commercial tasks, so that the level of digitalization also is higher here. And when we base our business models on those satellites, the information and the exchange of information, it just becomes part of our everyday living here. At least this is one of the sides we want to explain and make more understandable to everyone. So it's not only about the real astronauts who go up there, it's about our own lives here on the planet Earth.
We will have much more reporting from our N2K colleagues Liz Stokes and Maria Varmazis and their trip to Tallinn, Estonia, for the NATO Cyber Coalition 2025 Cyber Range exercise coming soon. Stay tuned.
And finally, security researchers say Iranian nation-state hackers have taken creative inspiration from a simpler era, disguising malware as the classic Snake game. ESET found MuddyWater, the group tied by U.S. intelligence to Iran's Ministry of Intelligence and Security, using Snake's signature lag as a feature, inserting execution delays to dodge antivirus tools that dislike anything too quick on the trigger. The group targeted telecom, government, and energy organizations in Israel and Egypt, leaning, as always, on phishing emails that deliver remote monitoring tools through free file-sharing services. Their snake-themed Fooder loader deployed a new backdoor dubbed MuddyViper, which lives only in memory and settles in through startup folders or scheduled tasks. Additional credential stealers and a reverse SOCKS5 tunnel rounded out the toolkit, suggesting growing sophistication, if not quite maturity.
And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com.

We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.

N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Thank you.
