CyberWire Daily - ShadyPanda’s patient poisoning.
Episode Date: December 2, 2025

ShadyPanda plays the long game. India mandates tracking software on mobile devices. Korea weighs punitive damages after a massive breach. Qualcomm patches a critical boot flaw impacting millions. OpenAI patches a Codex CLI vulnerability. Google patches Android zero-days. Cybersecurity issues prompt an FDA permanent recall for an at-home ventilator system. Switzerland questions the security of hyperscale clouds and SaaS services. One of the world's largest cyber insurers pulls back from the market. On our Threat Vector segment, David Moulton sits down with Stav Setty to unpack the Jingle Thief campaign. In Russia, Porsches take a holiday.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Threat Vector segment

In today's Threat Vector segment, host David Moulton, Senior Director of Thought Leadership for Unit 42, sits down with Stav Setty, Principal Researcher at Palo Alto Networks, to unpack Jingle Thief, a cloud-only, identity-driven campaign that turned Microsoft 365 into a gift card printing press. Stav explains how the Morocco-based group known as Atlas Lion lived off the land inside M365 for months at a time, using tailored phishing and smishing pages, URL tricks, and internal phishing to compromise one user and quietly pivot to dozens more. To listen to the full conversation on Threat Vector, listen here. You can catch new episodes of Threat Vector every Thursday on your favorite podcast app.
Selected Reading

Browser extensions pushed malware to 4.3M Chrome, Edge users (The Register)
India plans to verify and record every smartphone in circulation (TechCrunch)
Apple to Resist India's Order to Preload Government App on iPhones (MacRumors)
President orders probe into Coupang breach (The Korea Herald)
Qualcomm Alerts Users to Critical Flaws That Compromise the Secure Boot Process (GB Hackers)
Vulnerability in OpenAI Coding Agent Could Facilitate Attacks on Developers (SecurityWeek)
Google Releases Patches for Android Zero-Day Flaws Exploited in the Wild (Infosecurity Magazine)
'Cyber Issue' Leads to FDA Recall of Baxter Respiratory Gear (GovInfoSecurity)
Swiss government bans SaaS and cloud for sensitive info (The Register)
Publication: Resolution on outsourcing data processing to the cloud (Privatim)
Insurer Beazley Steps Back From Cyber Market as Attacks Surge (PYMNTS.com)
Hundreds of Porsche Owners in Russia Unable to Start Cars After System Failure (The Moscow Times)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
AI agents are now reading sensitive data, executing actions, and making decisions across our environments.
But are we managing their access safely? Join Dave Bittner and Barack Shalef from Oasis Security on Wednesday, December 3rd, at 1 p.m.
Eastern for a live discussion on agentic access management and how to secure non-human identities
without slowing innovation. Can't make it live? Register now to get on-demand access after the event.
Visit events.thecyberwire.com. That's events with an s.thecyberwire.com to save your spot.
Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple?
Meet Meter, the company reimagining enterprise networking from the ground up.
Meter builds full-stack, zero-trust networks, including hardware, firmware, and software,
all designed to work seamlessly together.
The result?
Fast, reliable, and secure connectivity without the constant patching, vendor-juggling, or hidden costs.
From wired and wireless to routing, switching firewalls, DNS security, and VPN, every layer is integrated and continuously protected in one unified platform.
And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles.
Meter even buys back your old infrastructure to make switching effortless.
Transform complexity into simplicity and give your team time to focus on what really matters.
helping your business and customers thrive.
Learn more and book your demo at meter.com slash cyberwire.
That's M-E-T-E-R dot com slash cyberwire.
India mandates tracking software on mobile devices.
Korea weighs punitive damages after a massive breach.
Qualcomm patches a critical boot flaw impacting millions.
OpenAI patches a Codex CLI vulnerability.
Google patches Android zero-days.
Cybersecurity issues prompt an FDA permanent recall for an at-home ventilator system.
Switzerland questions the security of hyperscale clouds and SaaS services.
One of the world's largest cyber insurers pulls back from
the market. On our Threat Vector segment, David Moulton sits down with Stav Setty to unpack
the Jingle Thief campaign. And in Russia, Porsches take a holiday. It's Tuesday, December 2nd,
2025. I'm Dave Bittner and this is your Cyberwire Intel briefing. Thanks for joining us here today.
It's great to have you with us. A seven-year campaign used seemingly legitimate Chrome and Edge extensions to infect 4.3
million users with backdoors and spyware, according to Koi researchers.
The group, dubbed ShadyPanda, published clean extensions, waited years to build large user bases,
then pushed malicious updates that auto-installed across all devices.
Five extensions with more than 4 million installs remain live in the Microsoft Edge Store.
One campaign delivered a remote code execution backdoor to 300,000
users through five extensions, including one named Clean Master, which exfiltrated full browsing
activity to attacker-controlled servers and included anti-analysis features. Another set of five
Edge extensions, including the 3-million-install WeTab, still collects extensive behavioral data
and sends it in real time to servers in China and Google Analytics. Earlier campaigns
silently monetized user traffic or hijacked searches.
Koi says the incidents highlight a core marketplace weakness.
Extension stores review submissions but do not monitor updates after approval.
India is expanding its anti-theft and cybersecurity program to cover new and used smartphones,
according to reporting from Reuters and also confirmed by the telecom ministry.
Companies that buy or trade secondhand devices must now verify each phone's IMEI number against a central database.
The move follows a directive requiring manufacturers to pre-install the government's Sanchar Sathi app on new phones
and push it to existing devices through software updates.
Sanchar Sathi has blocked or traced millions of stolen phones and has seen rapid adoption since its 2023 launch.
Critics say mandatory installation expands state access to personal devices without adequate safeguards.
Apple has told officials it will not comply, citing privacy and security concerns for its ecosystem.
South Korean President Lee Jae-myung ordered a rapid investigation into Coupang's massive data breach,
calling the five-month undetected leak astonishing in scale.
Officials say information tied to at least 30
million users was accessed after an attacker exploited an electronic signature key.
The government is considering punitive damages to deter future lapses, a shift from Korea's
compensatory-only model.
Coupang's CEO said the company will comply with penalties that could reach record levels.
Police have not confirmed the attacker's identity.
Qualcomm issued an urgent security bulletin warning of six high-priority vulnerabilities
across millions of devices.
The most serious threatens the secure boot process that protects devices during startup.
Qualcomm says an attacker could bypass checks, install persistent malware, or gain control
before the operating system loads.
The flaw was found internally, raising questions about how long it existed in deployed devices.
Five additional vulnerabilities affect the high-level operating system, TrustZone firmware,
audio DSP services, and camera functions.
Qualcomm is distributing patches to manufacturers
and urges immediate deployment.
Users should check with their device makers
for update timelines.
OpenAI patched a Codex CLI vulnerability
that allowed malicious commands to run automatically
on developers' machines, according to Check Point.
The tool implicitly trusted configuration files
inside local repositories and executed their instructions without user approval.
Attackers who could commit or merge crafted configs could trigger remote access, command
execution, credential theft, and lateral movement, creating a reproducible supply chain back door.
Compromised templates or popular repos could also infect downstream users.
Google's latest Android Security Bulletin disclosed 107
vulnerabilities affecting Android and the Android Open Source Project. 51 flaws were
patched on December 1st, including three high-impact issues in the Android framework.
Google says two may be under limited targeted exploitation and can enable unauthorized
information disclosure or elevated access across Android 13 through 16. A third flaw could
trigger remote denial of service. Google says they'll release the remaining
56 patches on December 5th.
The FDA has issued a permanent recall for Baxter's Life 2000 at-home ventilator system,
citing an unspecified cybersecurity issue that could let someone with physical access
alter therapy settings or access device data.
Baxter began notifying patients in April, but the FDA's public alert came in late November,
warning that continued use could cause serious injury or death.
Patients are urged to stop using the device and consult providers for replacements.
Baxter reports no related injuries or deaths as of April 10th.
It remains unclear whether this recall is connected to earlier Life 2000 advisories
involving multiple vulnerabilities.
Security experts say a permanent recall for a cyber issue is rare
and signals significant patient safety concerns,
while noting that neither Baxter nor the FDA has detailed the specific flaw involved.
Switzerland's Conference of Data Protection Officers, Privatim,
issued a resolution urging public bodies to avoid hyperscale clouds
and most SaaS services due to security risks.
The group warns that many SaaS platforms lack true end-to-end encryption
and that providers, especially those subject to the U.S. Cloud Act, could access sensitive data.
Privatim also notes that vendors can change terms unilaterally, reducing government control.
The resolution concludes that large international SaaS offerings, including Microsoft 365,
are generally inappropriate for handling particularly sensitive Swiss government data.
Beazley, one of the world's largest cyber insurers,
is pulling back from the market as rising ransomware and hacking claims drive higher losses,
according to the Financial Times. The company's cyber gross written premiums fell 8% to $848 million
through September, and executives cite geopolitical volatility as fueling more costly attacks.
While Beazley reduces its exposure, rivals like Chubb and AIG are maintaining or expanding their cyber books.
Premiums have been declining since early 2024 due to intense competition for a limited pool of buyers.
The sector's strain shows up in the UK as well, where the Association of British Insurers reports a 230% year-over-year surge in cyber claims, driven largely by malware and ransomware incidents.
Coming up after the break on our Threat Vector segment, David Moulton sits down with Stav Setty to unpack the Jingle Thief campaign.
And in Russia, Porsches take a holiday.
Stick around.
What's your 2 a.m. security worry?
Is it, do I have the right controls in place?
Maybe are my vendors secure?
Or the one that really keeps you up at night?
How do I get out from under these old tools and manual processes?
That's where Vanta comes in.
Vanta automates the manual work,
so you can stop sweating over spreadsheets,
chasing audit evidence, and filling out endless questionnaires.
Their trust management platform continuously monitors your systems,
centralizes your data,
and simplifies your security at scale.
And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time.
With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep.
Get started at Vanta.com slash cyber. That's V-A-N-T-A-com slash cyber.
AI is transforming every industry, but it's also creating new risks that traditional frameworks can't keep up with.
Assessments today are fragmented, overlapping, and often specific to industries, geographies, or regulations.
That's why Black Kite created the BKGA3 AI Assessment Framework to give cybersecurity and risk teams a unified, evolving standard for measuring AI risk across their own organizations and their vendors' AI use.
It's global, research-driven, built to evolve with the threat landscape and free to use.
Because Black Kite is committed to strengthening the entire cybersecurity community.
Learn more at blackkite.com.
On today's Threat Vector segment, David Moulton, Senior Director of Thought Leadership at
Unit 42 with Palo Alto Networks, sits down with Stav Setty, principal researcher at Palo Alto
Networks, to unpack the Jingle Thief cloud-only, identity-driven campaign.
Hi, I'm David Moulton, host of the Threat Vector podcast, where we break down cybersecurity threats,
resilience, and the industry trends that matter most.
What you're about to hear is a snapshot from my conversation with Stav Setty, a principal
researcher at Palo Alto Networks.
Stav and the Unit 42 research team uncovered a financially motivated operation called Jingle Thief,
where attackers abused Microsoft 365 and identity features to quietly steal gift cards from some of the biggest global retailers.
As Stav puts it, attackers don't need exploits or malware anymore.
They just need to compromise identities.
One stolen account can become dozens and a matter of months,
all while they sit inside your cloud environment using your own workflows against you.
Stav, welcome to Threat Vector. I'm really excited to have you here this morning. Thanks, David.
I'm really happy to be here. So today we're going to talk about this Jingle Thief campaign, which
is really centered around identity-based cloud compromise and gift card fraud, and I wanted to start
with the basics. You know, for the listeners, what exactly is the Jingle Thief campaign? You know, some
folks maybe haven't read the research that we've got out on the Unit 42 Threat Research Center.
What was it that first drew the Cortex Research team to this specific activity?
The Jingle Thief campaign is a campaign that we found very fascinating, and it came up because of
our Cortex U. ITDR alerts that were raised.
And what makes it so interesting is it's attackers going after gift cards, and they
were able to steal and target gift cards from some of the biggest retail brands that you know. So that's really fascinating.
And what makes it even more fascinating is that this is in the cloud. There's no malware.
There's no exploits. They're purely living in Microsoft 365, which is a bit unusual because
nowadays you don't see that too often with the gift card fraud. And yeah, so they would try and target
retailers or just anyone that can issue gift cards. Who's behind this campaign? Talk to me
about the threat actor.
Yeah, so we're pretty sure that this group is what people know as Atlas Lion.
Atlas Lion is a Moroccan-based group.
They've been active since 2021.
And while we don't have 100% attribution, I say for the purposes of this chat,
let's call them Atlas Lion.
What do you think?
Yeah, that works for me.
And you said Moroccan-based financially motivated.
That's probably part of the crime
side of cyber attacks, not necessarily something tied to a state actor. What distinguishes the
campaign from maybe some of the other financially motivated operations that we've been looking
at recently? I think there's a few things. I think the first thing is the patience and the
discipline. They stay months within an organization. In one case we saw, we saw them active in
an organization for over 10 months, which is really crazy. That kind of patience made us go,
hey, this is really something different here. I think another aspect is the living off the land
in Microsoft 365. It's all cloud. That's a little bit unusual as well. And lastly, it's the
gift card aspect, the gift card theft. A lot of times financially motivated actors will go for
ransomware.
And this was all about gift cards.
What are some of the lessons that security teams need to take away from this attack and
this misuse of trust?
That's a great question.
I think the first thing is a lot of times security teams will say, hey, MFA, that equals
safety.
And I think it's really important to recognize that MFA is not safety.
It's not safe, and they should really monitor every new password reset, every new device enrollment.
All that needs to be monitored, and it's not enough just to be like, hey, that user logged in
with MFA, it's safe.
Stav, thanks for this awesome conversation today.
I learned so much and, you know, this one seems like it's kind of a weak spot that we need
to really focus on or suffer the consequences.
Thank you so much, David.
It was great being here.
Jingle Thief shows how identity-based compromise turns trusted cloud features into a revenue engine for attackers and why identity really is the new perimeter.
If this got your attention, don't wait, listen to the full special episode in your Threat Vector podcast feed.
It's called Inside Jingle Thief, Cloud Fraud Unwrapped, and it's live now.
Thanks for listening.
Stay secure.
Goodbye for now.
Be sure to check out the complete episode of Threat Vector.
here on the N2K Cyberwire Network
or wherever you get your favorite podcasts.
And finally,
hundreds of Porsche owners across Russia
found their high-performance machines
reduced to very expensive
lawn ornaments last week, as a factory-installed satellite security system abruptly stopped
talking to the cars it was meant to protect. Drivers from Moscow to Krasnodar reported sudden
engine shutdowns and fuel blockages, prompting a rush of service requests for Rolf, the
country's largest dealership group. The outage appears tied to the vehicle tracking system,
which some owners coaxed back to life by rebooting, disabling, or performing the
timeless ritual of leaving the battery unplugged for 10 hours. A Rolf representative floated the
idea of deliberate interference, though no evidence supports it. Porsche has stayed silent,
still unable to divest its remaining Russian subsidiaries two years after suspending operations.
And that's the Cyberwire. For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email
to Cyberwire at N2K.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester
with original music by Elliot Peltzman.
Our executive producer is Jennifer Iben.
Peter Kilpe is our publisher,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
