CyberWire Daily - When preview pane becomes preview pain.
Episode Date: December 10, 2025

Patch Tuesday. Federal prosecutors charge a Houston man with smuggling Nvidia chips to China, a Ukrainian woman for targeting critical infrastructure, and an Atlanta activist for wiping his phone. The power sector sees cyber threats doubling. The new Spiderman phishing kit slings its way across the dark web. Our guest is Dick O'Brien, Principal Intelligence Analyst from the Symantec and Carbon Black Threat Hunter Team, discussing “Unwanted Gifts: Major Campaign Lures Targets with Fake Party Invites.” The Pentagon unveils a killer chatbot.
Selected Reading

- Microsoft Patches 57 Vulnerabilities, Three Zero-Days (SecurityWeek)
- Google Patches Gemini Enterprise Vulnerability Exposing Corporate Data (SecurityWeek)
- Adobe Patches Nearly 140 Vulnerabilities (SecurityWeek)
- ICS Patch Tuesday: Vulnerabilities Fixed by Siemens, Rockwell, Schneider (SecurityWeek)
- Fortinet Patches Critical Authentication Bypass Vulnerabilities (SecurityWeek)
- Smuggling Ring Charged as Trump Okays Nvidia Sales to China (Gov Infosecurity)
- Cybersecurity in power: supply chain most vulnerable, varying confidence in resilience (Power Technology)
- Spiderman Phishing Kit Targets European Banks with Real-Time Credential Theft (Hackread)
- Hospice Firm, Eye Care Practice Notifying 520,000 of Hacks (Bank Infosecurity)
- Ukrainian hacker charged with helping Russian hacktivist groups (Bleeping Computer)
- Man Charged for Wiping Phone Before CBP Could Search It (404 Media)
- Pete Hegseth Says the Pentagon's New Chatbot Will Make America 'More Lethal' (404 Media)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
We've all been there.
You realize your business needs to hire someone yesterday.
How can you find amazing candidates fast?
Well, it's easy.
Just use Indeed.
When it comes to hiring, Indeed is all you need.
Stop struggling to get your job post noticed. Indeed's sponsored jobs help you stand out and hire fast. Your post jumps to the top of search results, so the right candidates see it first. And it works. Sponsored jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K Cyberwire. Many of my colleagues here came to us through Indeed.
Plus, with sponsored jobs, there are no subscriptions, no long-term contracts.
You only pay for results.
How fast is Indeed?
Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed,
according to Indeed data worldwide.
There's no need to wait any longer.
Speed up your hiring right now with Indeed.
And listeners to this show will get a $75 sponsored job credit to give your job more visibility at indeed.com slash cyberwire.
Just go to indeed.com slash cyberwire right now
and support our show by saying you heard about Indeed on this podcast.
Indeed.com slash cyberwire.
Terms and conditions apply.
Hiring?
Indeed is all you need.
We got your patch Tuesday rundown.
Federal prosecutors charge a Houston man with smuggling Nvidia chips to China,
a Ukrainian woman for targeting critical infrastructure,
and an Atlanta activist for wiping his phone.
The power sector sees cyber threats doubling.
The new Spiderman phishing kit slings its way across the dark web.
Our guest is Dick O'Brien, principal intelligence analyst with the Symantec
and Carbon Black Threat Hunter team, discussing Unwanted Gifts,
a major campaign that lures targets with fake party invites.
And the Pentagon unveils a killer chatbot.
It's Wednesday, December 10, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel Briefing.
Thanks for joining us here today. It's great to have you with us.
Microsoft's December Patch Tuesday rolled out fixes for 57 vulnerabilities, including three zero-days. Only one is under active exploitation, a use-after-free flaw in the Windows Cloud Files Mini Filter Driver that allows privilege escalation to SYSTEM. Microsoft says it has seen in-the-wild activity but has not shared attack details. A second mini-filter driver bug carries the same severity and is likely to be exploited. Publicly disclosed command injection issues in Copilot for JetBrains and PowerShell also received patches, along with 13 Office vulnerabilities that include two high-severity remote code execution flaws triggered through the preview pane.
Adobe issued nearly 140 fixes across ColdFusion and Experience Manager, addressing critical remote code execution, widespread cross-site scripting, and vulnerable components. Major industrial vendors published advisories covering code execution, denial of service, and unauthorized access across Siemens, Schneider Electric, Rockwell Automation, and Phoenix Contact products. Google closed the GeminiJack prompt injection weakness in Gemini Enterprise, which allowed hidden instructions in documents or emails to drive automated data exfiltration. Fortinet patched 18 vulnerabilities, including two authentication bypass flaws in FortiCloud SSO login and several high-severity issues across FortiWeb, FortiSandbox, and FortiVoice.
Federal prosecutors say a Houston business owner illegally moved at least $160 million in restricted Nvidia AI chips to China. The Justice Department says Alan Hao-Su pleaded guilty to smuggling H100 and H200 GPUs by falsifying shipping documents and routed more than $50 million in payments from China to fund the operation. Authorities tied Su and his company to Operation Gatekeeper, a broader crackdown that also led to arrests of two additional suspects accused of using straw buyers, fake labels, and misclassified paperwork to secretly ship GPUs to China and Hong Kong.
Unrelated, U.S. prosecutors have charged Ukrainian national Victoria Dubranova for allegedly supporting Russian state-backed hacktivist groups behind cyber attacks on critical infrastructure, including U.S. water systems, election systems, and nuclear entities. She faces separate indictments tied to NoName057(16) and Cyber Army of Russia Reborn and has pleaded not guilty in both cases. The indictments say NoName operated a state-sanctioned DDoS effort using its DDoSia tool, while CARR, the Cyber Army of Russia Reborn, founded and directed by Russia's GRU, claimed hundreds of attacks worldwide. Prosecutors say CARR damaged U.S. drinking water systems, triggered an ammonia leak at a Los Angeles facility, and targeted nuclear and election systems.
Federal prosecutors have charged Atlanta activist Samuel Tunic for allegedly deleting data from a Google Pixel phone before a Customs and Border Protection officer could search it. Court records say Tunic intentionally wiped the device on January 24th to prevent the government from taking it into custody. The indictment was filed in November, and he was arrested earlier this month. The search was to be carried out by a CBP Tactical Terrorism Response Team officer, a unit civil liberties groups describe as secretive and aggressive in targeting and detaining travelers. Tunic has since been released with travel restrictions as the case continues. Charges tied specifically to wiping a phone are uncommon, raising questions about device searches at U.S. ports of entry.

The power sector's rapid digital transformation is boosting efficiency, yet cyber attacks are growing faster than utilities can respond. Schneider Electric's Shrubronil Roy says grid threats have more than doubled in two years, creating real risk of large-scale disruption. A global data survey shows uneven readiness. Only 36% of respondents fully implement and regularly test cybersecurity measures, while others report partial adoption, stalled plans, or no plans at all. Professionals cite supply chain exposure as the sector's weakest point, followed by risks across smart meters, IT and OT systems, and human error. Experts warn that software dependencies, IT-OT convergence, and emerging AI-driven attacks are widening the attack surface.

Researchers say a new phishing kit called Spiderman is spreading on the dark web and making it simple for low-skill attackers to mimic European banks and crypto platforms. Varonis reports that the full-stack kit lets operators clone login pages for dozens of institutions and launch broad cross-country campaigns. Targets include Deutsche Bank, Commerzbank, ING, and CaixaBank, along with crypto wallets. The seller's community has about 750 members, suggesting active use. The kit collects victims' credentials in real time and can request more data, such as credit card numbers and one-time security codes, enabling full account takeover. Built-in geoblocking and filters help the phishing pages evade detection. Researchers expect real-time code interception to accelerate financial fraud across Europe.
Two U.S. healthcare organizations are notifying about 520,000 people that their sensitive information was exposed in separate hacking incidents. Vitas Hospice Services reported that an unauthorized party compromised a vendor account and accessed its systems between late September and late October, affecting more than 319,000 individuals. Exposed data may include personal details, medical information, and insurance records. Tri-Century Eye Care reported a separate intrusion impacting 200,000 people after an unknown actor accessed its network and obtained files containing personal and health information. Both organizations say they strengthened security and informed regulators and law enforcement. These breaches show how vendor access and network intrusions continue to expose large volumes of protected health information.
Coming up after the break, Dick O'Brien from the Symantec and Carbon Black Threat Hunter team
discusses a major campaign that lures targets with fake party invites.
And the Pentagon unveils a killer chatbot.
Stay with us.
Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave, and with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable, even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com slash N2K today.
AI is transforming every industry, but it's also creating new risks that traditional frameworks can't keep up with. Assessments today are fragmented, overlapping, and often specific to industries, geographies, or regulations. That's why Black Kite created the BKGA3 AI Assessment Framework to give cybersecurity and risk teams a unified, evolving standard for measuring AI risk across their own organizations and their vendors' AI use. It's global, research-driven, built to evolve with the threat landscape, and free to use because Black Kite is committed to strengthening the entire cybersecurity community. Learn more at blackkite.com.
a major campaign that lures targets with fake party invites.
Is there anything in particular that makes this campaign stand out from typical holiday-themed phishing?
There are a couple of things that are noteworthy. You mentioned typical holiday-themed phishing, but this is something that we used to see a lot of going back maybe a decade or so,
and not just holidays, but big events like the Olympics and soccer World Cup and things like that.
We would always see phishing campaigns built around current events.
And it's kind of died off.
So it's unusual or interesting to see attackers take up this tactic again.
In the meantime, more recently, they've usually kind of masqueraded their emails as routine correspondence.
It's the kind of stuff that crops up in everybody's inboxes.
So receipts, invoices, letters from the tax authorities, meeting invites.
So it's interesting to see the revival of this tactic.
And maybe it's a case of this, there's at least one group of attackers
who think that people are no longer familiar with this type of lure anymore
and that maybe it's worth trying again.
It's hard to ponder the thought of a generational cycle with these sorts of things, right?
It doesn't seem that long ago.
No. Well, walk us through the lure itself. How are these things crafted?
They're fairly simple emails. Like I mentioned, the kind of the subjects. So the emails are usually structured with fairly terse text. And the main goal is to get you to click on a link in the email to find out more, to download the document or get the invite or whatever, and that's when the party starts from the attacker's perspective. It initiates an attack chain where a malicious installer is downloaded, and that in turn is then used to download further tools onto the victim's computer.
Well, the research mentions the use of legitimate remote management tools. Can you take us through that part of it?
Yeah. These tools, they've really become a thing among attackers. And once you start to look under the hood a little bit, you can see why. They have a lot of legitimate use cases. They're used by organizations to manage the software that's on their network, like roll out new software or roll out updates to existing software. But from an attacker's perspective, they're effectively a backdoor. And once you get this installed on a computer, you can then install additional tools, some of them malicious. You can exfiltrate data. And, you know, there's encrypted communications between the clients and the server, so you can't really see what's being taken out of the network and sent back to the attackers.
So what are the operators here after? What are they going for?
We don't know for sure. I guess the general goal of the attack is to establish a foothold on the compromised computer and achieve a little bit of persistence. So they try and install defense evasion tools, they will put in credential-stealing tools, and also some simple tools with which they try to hide their malicious activities, such as a utility that will hide the mouse cursor. And the end goal of these attacks isn't clear, but we think the most likely motivation is that they are essentially access brokers, as they're known, and then they will sell on compromised computers to other attackers who will use them for further exploitation. It might be ransomware, it might be some other kind of malware.
Well, with the visibility that you have, are they targeting any specific industries or organization types, or is it more scattershot?
This is scattershot. These guys are casting a wide net, in the hope that they will turn over some interesting victims. So if they manage to compromise a computer at a relatively large organization, that would be of interest to ransomware attackers, for example, and they may sell access to that organization to those attackers.
How do you suppose teams should think about risk during this holiday season?
You know, our inboxes are full of legitimate RSVPs and invites.
Yeah, I mean, it's a timely reminder, you know, not to just believe everything that you see.
And I know we all get a lot of email these days, but it is always worth the time to scrutinize what's in your inbox and don't just blindly click on things or open attachments. Try and think about: why am I receiving this email, and should I be receiving this email? Is it related to anything I'm doing? Is it from somebody I know?
Well, for organizations who rely on these remote monitoring and management platforms for legitimate work, do you have any recommendations for practical steps they can take to reduce this sort of abuse?
Yes. I would really audit what software is running on your network, and anything that is not a sanctioned tool within your organization should be gone. So most organizations would only use one of these tools, if they use any of them at all. But in this attack campaign, they are installing multiple RMM tools on compromised computers. So that's a real telltale sign, if there were two or three installed on a single machine.
But yeah, keep a close eye on what's running on your network
and anything that shouldn't be there, move fast.
Yeah, you all mention that sometimes they're rotating through multiple tools.
Yeah, I mean, this is, I guess, the thing that drew our attention to this attack campaign. It's a new tactic, for us at least. Usually, you know, we see attackers install one RMM tool, but they're installing multiple RMM tools. And what's even more curious is that they're installing them at intervals. So there will be an initial compromise and then a couple of weeks later, they'll come back and then install another RMM tool and then, you know, maybe three or four weeks later, another one will appear.
And that's interesting to see.
It's not something we've seen before,
and we're not sure exactly why they're doing it.
I mean, one hypothesis we had is that they're using trial licenses for all of these tools.
And when the trial license expires, they launch another.
But I think probably the most likely explanation is that they're trying to create some kind of level of redundancy.
So if one is detected and deleted, they're going to have something to fall back on.
So they're going to have a longer presence on the network.
They're hedging their bets.
That's Dick O'Brien from the Symantec and Carbon Black Threat Hunter team.
And finally, Secretary of War Pete Hegseth introduced GenAI.mil with the solemn gravitas usually reserved for unveiling a new missile system, though the platform appears to be a glorified Google Gemini chatbot that mostly rearranges spreadsheets.
In classic fashion, Hegseth framed office automation as an existential race for global dominance, assuring the public that formatting documents at unprecedented speed will somehow make
the U.S. military more lethal than ever. Undersecretary Emil Michael followed up with his own sermon
on manifest destiny, suggesting God himself wants federal workers to have AI autocomplete. The Pentagon
insists the system is reliable because it's grounded in Google search, which is bold,
given Google's recent habit of confidently ingesting and regurgitating nonsense.
Officials promised three million users will soon have access,
though the site immediately went down,
perhaps the first recorded instance of a battlefield AI retreating before it ever deployed.
That's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review
in your favorite podcast app.
Please also fill out the survey in the show notes
or send an email to
cyberwire at n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester
with original music by Elliot Heltsman.
Our executive producer is Jennifer Ibin.
Peter Kilby is our publisher,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.