CyberWire Daily - Weak passwords meet strong motives
Episode Date: December 11, 2025CISA warns that pro-Russia hacktivist groups are targeting US critical infrastructure. Google patches three new Chrome zero-day vulnerabilities. North Korean actors exploit React2Shell to deploy a new... backdoor. Researchers claim Docker Hub secret leakage is now a systemic problem. Attackers exploit an unpatched zero-day in Gogs, the self-hosted Git service. IBM patches more than 100 vulnerabilities across its product line. Storm-0249 abuses endpoint detection and response tools. The DOJ indicts a former Accenture employee for allegedly misleading federal customers about cloud security. Our guest is Kavitha Mariappan, Chief Transformation Officer at Rubrik, talking about understanding & building resilience against identity-driven threats. A malware tutor gets schooled by the law. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest On today’s Industry Voices segment, we are joined by Kavitha Mariappan, Chief Transformation Officer at Knowledge Partner Rubrik, talking about understanding and building resilience against identity-driven threats. Tune into Kavitha’s full conversation here. New Rubrik Research Finds Identity Resilience is Imperative as AI Wave Floods the Workplace with AI Agents (Press release) The Identity Crisis: Understanding and Building Resilience Against Identity-Driven Threats (Report) Agentic AI and Identity Sprawl (Data Security Decoded podcast episode) Host Caleb Tolin and guest Joe Hladik, Head of Rubrik Zero Labs, to unpack the findings from their the report Kavitha addresses. Resources: Rubrik’s Data Security Decoded podcast airs semi-monthly on the N2K CyberWire network with host Caleb Tolin. You can catch new episodes twice a month on Tuesdays on your favorite podcast app. Selected Reading CISA: Pro-Russia Hacktivists Target US Critical Infrastructure New cybersecurity guidance paves the way for AI in critical infrastructure | CyberScoop Google Releases Critical Chrome Security Update to Address Zero-Days - Infosecurity Magazine North Korea-linked ‘EtherRAT’ backdoor used in React2Shell attacks | SC Media Thousands of Exposed Secrets Found on Docker Hub - Flare Hackers exploit unpatched Gogs zero-day to breach 700 servers IBM Patches Over 100 Vulnerabilities - SecurityWeek Ransomware IAB abuses EDR for stealthy malware execution US charges former Accenture employee with misleading feds on cloud platform’s security - Nextgov/FCW Man gets jail for filming malware tutorials for syndicate; 129 Singapore victims lost S$3.2m - CNA Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyberwire Network, powered by N2K.
We've all been there.
You realize your business needs to hire someone yesterday.
How can you find amazing candidates fast?
Well, it's easy.
Just use Indeed.
When it comes to hiring, Indeed is all you need.
Stop struggling to get your job post.
noticed. Indeed's sponsored jobs helps you stand out and hire fast. Your post jumps to the top
of search results, so the right candidates see it first. And it works. Sponsored jobs on Indeed
get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how
fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K Cyberwire. Many
of my colleagues here came to us through Indeed.
Plus, with sponsored jobs, there are no subscriptions, no long-term contracts.
You only pay for results.
How fast is Indeed?
Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed,
according to Indeed data worldwide.
There's no need to wait any longer.
Speed up your hiring right now with Indeed.
And listeners to this show will get a $75-sponsored job credit to get your job.
more visibility at indeed.com slash cyberwire.
Just go to indeed.com slash cyberwire right now
and support our show by saying you heard about Indeed on this podcast.
Indeed.com slash cyberwire.
Terms and conditions apply.
Hiring?
Indeed is all you need.
Sisa warns that pro-Russia hacktivist groups are targeting U.S. critical infrastructure.
Google patches three new Chrome zero days.
North Korea and actors exploit React to Shell to deploy a new back door.
Researchers claim Docker Hub secret leakage is now a systemic problem.
Attackers exploit an unpatched zero-day in Gogs, the self-hosted Git service.
IBM patches more than 100 vulnerabilities.
Storm 0249 abuses endpoint detection and response tools.
The DOJ indicts a former Accenture employee for allegedly misleading federal customers about cloud security.
Our guest is Kavitha Maripon, chief transformation officer at Rubrik,
talking about understanding and building resilience against identity-driven threats.
And a malware tutor gets schooled by the law.
It's Thursday, December 11th, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today.
It is great, as always, to have you with us.
The U.S. government is warning that pro-Russia hacktivist
groups are targeting U.S. critical infrastructure, attempting to access operational technology
systems through poorly secured internet-facing VNC connections. An advisory from the FBI, SISA, NSA, and
international partners identifies four main groups, cyber army of Russia reborn, also known as
Carr, Z-Pentest, no-name 05716, and Sector 16, which have recently,
targeted water and wastewater facilities, food and agriculture, and the energy sector.
These actors are considered unsophisticated but opportunistic, using brute force attacks to
access human machine interfaces with weak or default passwords, then modifying device settings,
disabling alarms, and causing operational disruptions. Some groups show ties or indirect
alignment with Russian state interests, with Carr, in particular, linked by researchers to the
GRU. The DOJ has also announced related indictments. Although current impacts have been limited,
authorities warn the activity could escalate. SISA urges OT operators to harden authentication,
reduce internet exposure, and strengthen recovery plans.
Elsewhere, global cybersecurity agencies have issued their first unit.
guidance on using artificial intelligence in critical infrastructure, signaling a shift from
theory to practical safeguards. The document warns that AI introduces new safety and reliability
risks for OT, including model drift and unsafe process changes. Agency stress that large language
models should not make safety decisions. They recommend strong architectural boundaries, push-based
data flows and human oversight. The guidance urges operators to demand transparency from vendors
and maintain manual skills as AI adoption expands. Google has issued patches for three new Chrome
Zero Day vulnerabilities, including a high-severity flaw already exploited in the wild. The primary
zero-day has no CVE and remains under coordination with details withheld until most users update
or dependent third-party libraries are fixed.
The update also addresses two medium severity issues,
one, a use after free in password manager,
and the second an inappropriate implementation in the Chrome toolbar.
This marks Chrome's eighth zero-day exploited in 2025.
North Korea-linked actors are exploiting the React to Shell flaw
to deploy a new back door called Etherrat, according to Sistig.
React to Shell is a maximum severity deserialization bug in React server components that enables
unauthenticated remote code execution and has been widely abused since its December 3rd disclosure.
SISDIG recovered EtherRat from a compromised Next.js app and reports traits consistent
with Lazarus Group tooling, including similarities to Beaver Tail.
Etherrat establishes persistent access and uses the Ethereum blockchain for command and control resolution through an ether hiding technique.
The back door regularly pulls its C2, replaces its own code to hinder analysis, and uses multiple Linux persistence mechanisms.
SISDIG urges immediate updates to patched React and NextJS versions, and checks for Etherat's persistence artifacts and unusual Ether.
RPM RPC traffic.
Research from Flair into Docker Hub shows that secret leakage is now a systemic problem,
not an edge case.
In one month of scanning, they found more than 10,000 container images with exposed credentials,
affecting over 100 organizations, including a Fortune 500 and a major national bank.
42% of those images contained five or more secrets, often enough to unlock in time.
higher cloud environments, CICD pipelines, and databases.
AI model keys were the most frequently leaked, with nearly 4,000 exposed, and many secrets
came from shadow IT accounts outside corporate monitoring.
Even when developers removed exposed secrets from images, 75% failed to revoke the underlying
keys.
Flair argues that modern breaches increasingly follow a new pattern.
Attackers do not hack in, they authenticate in, using credentials companies accidentally publish
themselves.
Attackers are exploiting an unpatched zero-day in Goggs, the self-hosted Git service,
to gain remote code execution and compromise hundreds of internet-facing servers.
The flaw abuses a path traversal weakness in the Put Contents API,
allowing symbolic links to overwrite files out.
outside a repository and revive a previously patched RCE bug.
WIS research found over 1,400 exposed Gogs servers,
with more than 700 showing signs of compromise
linked to automated attacks deploying SuperShell-based malware.
Users should disable open registration and restrict access immediately.
IBM has released security updates addressing more than 100 vulnerabilities
across its product line, including several critical flaws largely tied to third-party components.
Storage Defender received fixes for six critical bugs in its data protect module,
while IBM Guardian patched a Tomcat flaw enabling code execution.
Additional critical issues were resolved in Maximo's form data library,
edge data collector's Django SQL injection bug,
and Instania's Tomcat, LibXML2, and WebKit components.
IBM DB2 updates also addressed a critical corosync flaw.
Numerous other products received high and medium severity fixes.
Storm 0249, an initial access broker,
is abusing endpoint detection and response tools
and trusted Windows components
to stealthily deploy malware and prepare environments for ransomware.
operators. ReliaQuest analyzed an attack where users were tricked through ClickFix
Social Engineering into executing curl commands that installed a malicious MSI with system privileges.
The payload sidelode sideloded a rogue DLL through Sentinel One's legitimate Sentinel agent
worker executable, allowing persistent privileged execution that appears benign to security tools.
The attacker then used Windows utilities for system profiling.
and funneled encrypted command and control traffic through the trusted EDR process.
RelyAQuest notes the profiling aligns with ransomware group requirements
and recommends behavior-based monitoring for unsigned DLL loading
and tighter controls over curl, power shell, and living off the land binaries.
The Justice Department has charged Danielle Hillmer,
a former product manager at Accenture Federal Services,
with misleading federal customers about the security of a cloud platform intended for government
use. According to the indictment, between March 2020 and November 2021, she obstructed auditors
and falsely claimed the system met required controls under FedRamp and the Department of Defense
Risk Management Framework. Prosecutors say she hid security gaps, directed others to mask deficiencies
during assessments and provided false information to secure approvals,
despite internal warnings that more than 100 controls were missing.
Accenture says it self-reported the issue and is cooperating.
The case reflects growing federal enforcement against contractors
that misrepresent cybersecurity compliance to win or retain government business.
Coming up after the break, my conversation with Kavitha Mariupan, chief transformation officer at Rubrik.
We're discussing building resilience against identity-driven threats.
And a malware tutor gets schooled by the law.
Stay with us.
Most environments trust far more than they should, and attackers know it.
Threat Locker solves that by enforcing default deny at the point of execution.
With Threat Locker Allow listing, you stop unknown executables cold.
With ring fencing, you control how trusted applications behave.
And with Threat Locker, DAC, defense against configurations, you get real assurance
that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards.
Threat Locker is the simplest way to enforce zero-trust principles without the operational pain.
It's powerful protection that gives CISO's real visibility, real control, and real peace of mind.
Threat Locker makes zero-trust attainable, even for small security teams.
See why thousands of organizations choose Threat Locker to minimize alert fatigue,
stop ransomware at the source, and regain control over their environments.
Schedule your demo at Threatlocker.com slash N2K3.
today.
AI is transforming every industry, but it's also creating new risks that traditional frameworks can't
keep up with.
Assessments today are fragmented, overlapping, and often specific to industries, geographies,
or regulations.
That's why Black Kite created the BKGA3 AI Assessment Framework.
to give cybersecurity and risk teams a unified, evolving standard for measuring AI risk
across their own organizations and their vendors' AI use.
It's global, research-driven, built to evolve with the threat landscape and free to use.
Because Black Kite is committed to strengthening the entire cybersecurity community.
Learn more at Blackkite.com.
Kavitha Maripan is chief transformation officer at Rubrik.
I recently got together with her to discuss understanding
and building resilience against identity-driven threats.
We as a security insight and research lab,
constantly monitoring sort of the threat landscape, right?
And so we put out a report every six months.
We definitely notice an increase in the number
of identity-based threats.
And so as a team, we decided, you know,
we should really hyper-focus for the fall report
on creating sort of a substantial body work here
around identity threats.
And so that really was the motivation behind why we double down
on an identity-based report.
Well, one of the things that caught my eye
was about how leaders are really looking
to hire identity talent right now.
What is driving that urgency?
Well, lots of interesting things.
I think first and foremost, if we take a look at just the threat landscape, right?
And if you take a look at this recent report, 90% of IT and security leaders were surveyed,
at least through our study, agreed that identity has driven, you know,
identity-driven cyber attacks are like top threat to their organizations.
And we saw that number increase within the last six months by X points, right?
That is a critical area, right?
Why organizations should be really thinking about, like, you know, identity was always considered more of an access management technology, right?
Like, you know, we're governing user access, ensuring people have the right credentials and the privileges to access applications or have access to corporate network.
But really, it's sort of the frontier for security right now.
You know, at the end of the day, I think one of the things we're seeing, obviously, is that.
when your identities compromise, you've lost your ability to log in, much less recover from
any identity-based threat, any breach of your permitors. So there's a real need to sort of enhance
and augment sort of the skill sets and the capabilities within the organization. And that's kind
of really the movement we're seeing where a lot of enterprises are, one, focused on
up-leveling their identity talent.
Two, we're saying that many of these organizations,
at least that we surveyed, up to 60% of them,
had switched IAM providers within the last three years.
That said, 87% of them are currently still planning to change IAM providers.
So even though they had looked at this and made some tremendous changes in the last three years,
many of them are actually planning to make further changes and have already begun the process.
and they're realizing the skill sets needed
are not aligned internally,
are not aligned to sort of,
well, skill sets require
are not aligned to the talent
that they have internally.
And, you know,
there's just new capabilities.
I mean, we're not just dealing with perimeter defense.
We're dealing with the changing sort of landscape
of like a hybrid workforce.
We're dealing with the advent
and sort of like production adoption of AI.
And AI sort of introduces a whole new,
flu of security parameters, one specifically being non-human identities, sort of added to that mix.
Well, I mean, let's talk about that. The report points out that non-human identities outnumber humans
by 82 to 1. That's a striking statistic there. How are enterprises discovering and
classifying and governing those identities without throwing sand in the gears, without slowing people
down. Well, I think this is really important, right, for us because, you know, one of the things
organizations are doing is leading into AI, embracing AI, right? And then that said, protecting
their organizations from like agents that will be potentially compromised or going rogue is
those are a capability we've got to build. And I think doing so requires these organizations
to have visibility of kind of what these active agents are in their IT environment.
what are the interactions that they're having, right, with your data,
specifically what applications, what identities?
And then this is sort of like raising to the top the need to have observability
across their infrastructure and their landscape.
And it doesn't mean much if with all those insights,
you aren't able to remediate sort of any potential harmful actions being taken by an AI agent.
So one of the things that, you know, organizations are,
like, as we're seeing, sort of the 82 to 1 is actually just like the tip of the iceberg, right?
And six months from nowadays, when we talk, you know, I think that number is going to be,
would have scaled up, right?
It's really important for them to be able to understand how, one, are they classifying
and understanding sort of this, you know, roles and behaviors, but how to rewind these
sort of inadvertent or nefarious actions back to a clean state?
what about human oversight you know how do you draw the line between let's say assistive
AI and more authoritative AI yeah it's actually a great question right look human oversight has
always remained essential as we think about you know human users human workers right now with
lLMs that we're already starting to use today we know that we've got to validate these outputs right
I mean, you know, it's no accident.
A lot of Gen. AI tools today include disclaimers that they say, look, we're capable of making mistakes, you know, and then that you should really verify all important information.
But we're definitely seeing hallucinations still.
And I think we'll continue to see hallucinations, hallucinations within the environment and all these interactions and tools.
So I think specifically when you ask about assistive AI, like this human's oversight is going to become important.
Now, we take that to the next level as we cross into the use of authoritative VA where you've got agents that are able to take multiple steps, right, towards sort of accomplishing very complex tasks, then you start to really have to factor in how human oversight becomes critically essential, right?
And it's a powerful thing that these agents are able to perform what they can, like to be able to automate tasks from end to end at agent scale, not human scale.
and we believe having a human in the loop is important.
But I think that model for how we inject a human in the loop across the distributive process
is also we'll have to rethink that, right?
Because it's not just about having a human in the loop to understand
are there hallucinations or are there in-written actions.
But having humans play a role help create these guardrails and processes
where we have the ability to sort of reverse and roll back actions taken by those agents.
Otherwise, I think we're going to really seek sort of the risk being like magnified.
What about recovery time? The report points out that there are a lot of leaders out there who
worried that recovery time is increasing. They're looking at days instead of hours to recover.
What does identity-centric practices, how do they play into this? How can you help shorten these
recovery times.
I think having good, good hygiene in the environment becomes really important, right?
First and foremost, let's, let's think about, right?
Organizations today focus on, I would say, legacy KPIs, right?
They report on KPIs, not wrong, not bad, but if you look at a lot of organizations
that have been compromised, they all followed process.
They followed audits, met all their compliance requirements, put a lot of, I know, security
measures in place. Many actually adopted, you know, some level of zero trust, you know,
architecture. But I think we need to make sure that we're also focusing on proper security
hygiene internally, right? So let's kind of think about like, you know, what this looks like
in terms of understanding the environment, right? I think we need to start making sure that,
you know, they're prioritizing an accurate up-to-date understanding of all identities in their
environment specific to recovery time, right? Because nominally what we put down as a RPO, for example,
is not what is happening in practicality today in many organizations. So one thing I'd like to,
you know, we'd like to think about is like let us evolve the KPI's, you know, especially specific to
recovery time as part of this report around like identity, human and non-human identities. So really sort of
bucketing this into, like, I would say, three categories. One being, let's look at like the
traditional RTO capability, but like reporting on MTTR, right? Meantime to recover specific to, I would
say, like, compromise identity infrastructure. So as you look at sort of the granularity,
today we have like an RPO number and an RTO number. But can we like actually get a little bit more
granular around the specifics, since we are talking about identity? What is the MTTR specific to
your identity infrastructure? So this.
could be a real critical measure for CSOs that are actually looking to establish a baseline
for identity resilience, right? In order to be a little bit more informative, I mean, it must be based
on some of the simulated recoveries of their identity infrastructure. Now, based on real world
recovery procedures, how many organizations today think about recovery time by bringing in the
identity infrastructure as part of that tabletop exercise? Probably very few. Second is actually
thinking about recovery times from the perspective of resilience benchmarking against your
industry peers. So what it takes for a hospital network versus a retail chain versus another
manufacturing organization could be very different. And for a lot of CISOs to sort of, you know,
start to really transform kind of what their recovery metrics are, what their resilience metrics are,
like what they report on, you know, it becomes important for them to understand what their
peers are doing, right? So we need to start thinking about baselining some of this and providing a
measurement that's sort of relative to the industry. Because what health care does is different
to manufacturing. And I think like this is where we need to start educating boards and business leaders
and the business themselves, business meaning like the business unit, on what is relevant to their
industry and what are the benchmarks are and where they are. Let's talk some practical solutions
here. I mean, the report points out that there are a lot of companies who are switching
their IAM providers. What's your advice to folks who are switching here? If I'm a security
professional, are there pitfalls I should avoid? Are there things I should absolutely be looking
for? What are your words of wisdom? Switching IAM providers? Let's think about, you know,
I think first and foremost, it's a recognition, like identity compromise without doubt is like
an attack vector of choice for threat actors, right? And I think,
One key area where a lot of organizations have invested in from identity perspective
is cloud-native identity infrastructures and solutions.
The thing is, many of these were rarely designed with security in mind.
They were designed with access in mind.
So I think this is an area, like, you know, if I had to impart any thoughts here,
we need to start thinking about this from a perspective of being purpose built for this new paradigm
that we're in, right?
And I think summarizing some of our conversation is,
I said, thinking about switching IAM providers, think about the type of identities in your
organization that require protection. So they're no longer just your users, you know, bringing in
your human users that are within your organization, your third party, your contractors, and now
start bringing in your machine and, you know, and agentic identities or your non-human identities.
So really start to think about kind of what your attack surface looks like and what kind of
solution or provider best enables that. And then finally, I would say,
Different solutions obviously provide a different range of capabilities,
but go back to like core zero trust principles, right?
What are those core tenants?
How does that align to kind of your ability to enforce least privilege access,
things like role-based access control?
So really insist on strong security controls for IM systems.
And as you're doing that, this is non-negotiable, right?
But as you're doing that, it is also really important to understand
how these solutions and these providers are also going to align with your evolving initiatives,
right, if you're deploying AI and factor recovery and resilience into that. You know, you take
active directory, for example, the manual process to recover active directory is fairly laborious
and is multi-step. How are you going to be able to ensure that you have a one-click orchestrated
recovery for that. How do we ensure that as they're thinking about all of this as well, that
they're thinking about kind of what that minimum viable identity, a solution looks like? What is
minimally viable for your organization should your identity be compromised for you to get
back up and run? That's Kavitha Maripan from Rubrik. We are pleased to add Rubrik as the
latest edition to our knowledge partners.
Build, play, and display with the 3-1 Megablocks preschool sets.
The Build and Go race car revamps into a pickup truck and hot rod,
and the Build and Enchant Unicorn transforms into a puppy and Pegasus.
Each easy-to-build set comes with rolling wheels, 26 blocks,
and easy-to-read building steps, compatible with other Megablock sets for endless,
building fun. Shop three-and-one megablocks at Walmart for ages three-plus.
And finally, Chow High Bang's misadventure began with an unlikely prison friendship in South
Korea, the sort that usually leads to exchange life lessons, not international malware schemes.
Years later, he found himself in the Dominican Republic, sponsored by his old cellmate, Lee,
who introduced him to SpyMax, a remote-access Trojan dressed up as harmless Android apps.
Chow became the unlikely star of a malware masterclass,
recording tutorial videos that showed syndicate partners how to spy on phones, steal credentials,
and empty bank accounts.
His lessons were effective enough for 129 Singaporeans to lose $3.2 million,
though Chow himself earned barely $1,700 for his trouble.
When the operation unraveled, he was arrested and extradited.
Now sentenced to five and a half years,
Chao stands as Singapore's first case of someone prosecuted
not for writing malware, but for teaching it.
Proof that in cybercrime, even being the two-and-a-half-half-earned,
even being the tutorial guy, carries serious consequences.
And that's the Cyberwire.
For links to all of today's stories,
check out our daily briefing at the Cyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to Cyberwire at N2K.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliot Peltzman.
Our executive producer is Jennifer Ibin.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.