
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Thursday, December 11, 2025. I'm Sarah Lane.
CEO of retail giant Coupang resigns. South Korea's Coupang CEO Park Dae Joon stepped down after a breach exposed data from around 34 million customers. The company said he resigned out of responsibility for the incident discovered on November 18. Coupang named Chief Administrative Officer Harold Rogers interim CEO with a focus on stabilizing operations and reassuring users. South Korean authorities are investigating, including a raid on Coupang's headquarters and a probe involving a former employee from China.
Pro-Russia hacktivists target US infrastructure. US officials say pro-Russia hacktivist groups are breaking into poorly secured VNC connections tied to US critical infrastructure, mainly water, food and energy systems. The groups CARR, Z-Pentest, NoName057(16) and Sector16 are using brute-forced VNC access to reach HMI devices, capture screens, alter settings, disable alarms and cause limited physical disruption. CISA warns the activity is unsophisticated but could become more dangerous as tactics evolve, and the DOJ has charged a Ukrainian national linked to CARR and NoName057(16).
Israeli cybersecurity funding hits records. Israeli cybersecurity startups pulled in a record $4.4 billion this year. That is according to YL Ventures. That's a 9% jump from 2024, with 130 total rounds, up from 89. AI security and endpoint security saw the strongest momentum, and major players like Armis, Cato Networks, Cyera, Dream and Island announced big raises. YL Ventures says the ecosystem has expanded more than 500% over the past decade.
Aeroflot hacked through tech vendor. Russia's flagship airline Aeroflot had a difficult summer after pro-Ukrainian hackers Silent Crow and the Belarusian Cyber Partisans breached it through a small contractor called Bakasoft, according to a new investigation from The Bell. The groups allegedly maintained long-term access, moved into Aeroflot's Active Directory, grabbed high-privilege accounts and deployed dozens of malware tools. The outage grounded more than 100 flights and caused tens of millions of dollars in damages. Investigators say that Aeroflot lacked two-factor authentication on key servers and let the vendor keep remote access.
Huge thanks to our sponsor, Adaptive Security. This episode is brought to you by Adaptive Security, the first cybersecurity company backed by OpenAI. In deepfake scams, the tells aren't just glitchy video anymore, it's behavior. "Do this right now" or "keep it secret." If you hear urgency and secrecy together, stop and verify through a second channel: call a known number, start a chat thread, or ask something only the real person would know. Adaptive trains teams against exactly these tactics. Learn more at adaptivesecurity.com.
Fortinet fixes authentication bypass vulnerabilities. Fortinet released patches for 18 vulnerabilities, including two critical authentication bypass bugs in FortiOS, FortiWeb, FortiProxy and FortiSwitch Manager. When FortiCloud SSO is enabled, the issues let an attacker bypass FortiCloud SSO using a crafted SAML message because of improper signature verification. FortiCloud SSO is off by default, but is automatically enabled during FortiCare registration unless manually disabled. Fortinet recommends turning off FortiCloud SSO until systems are updated. No evidence yet of exploitation.
Storm-0249 abuses EDR processes. Storm-0249, a ransomware access broker, is increasingly exploiting legitimate EDR software and Windows tools to move within networks, gather data, and maintain persistence. Its ClickFix campaigns trick users into running commands that install malware disguised as Microsoft Support files or SentinelOne DLLs, letting attackers execute code without triggering alerts. The group also uses built-in utilities like curl.exe and fileless PowerShell scripts to blend in with normal operations, ReliaQuest warns. These tactics highlight gaps in signature-based defenses and urge behavioral monitoring, EDR baselining and strict LOLBin restrictions.
Gogs battered in zero-day attacks. A zero-day vulnerability in Gogs, a self-hosted Git service, is actively being exploited, with more than 700 of roughly 1400 Internet-exposed instances already compromised. It lets authenticated users overwrite files outside repositories via symbolic links, leading to remote code execution. Attackers have used the Supershell C2 framework to deploy payloads, though post-compromise activity is largely unknown at this time. Wiz researchers advise disabling open registration, limiting Internet exposure and monitoring for suspicious repositories or PutContents API use while Gogs works on a fix.
ClickFix-style attack uses Grok, ChatGPT for malware. A new ClickFix-style attack is using SEO poisoning and legitimate AI platforms like ChatGPT and Grok to deliver Mac infostealer malware. Users searching for common troubleshooting tasks are directed to AI chat links that provide instructions which secretly install malware, harvest credentials and maintain persistence, Huntress warns. This method exploits trust in AI and bypasses traditional protections, potentially becoming a major initial access vector for stealers over the next six to 18 months. Defenses include monitoring behavioral anomalies, restricting terminal command use and practicing strong password hygiene.
If you have thoughts on the news from today or about our show in general, we would love to hear from you. Be sure to reach out to us at feedback@cisoseries.com. I am Sarah Lane reporting for the CISO Series, and you stay safe and warm out there. You hear me?
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Sarah Lane
Produced by: CISO Series
This episode delivers the latest developments in the cybersecurity world, focusing on high-profile incidents and trends such as the Coupang CEO’s resignation after a massive data breach, the actions of pro-Russia hacktivist groups against US infrastructure, record investments in Israeli cyber startups, and multiple critical vulnerabilities and cyberattack techniques being leveraged globally. Information is presented in a concise, news-style report designed for security professionals and those tracking the global cybersecurity landscape.
| Segment | Timestamp |
|---------------------------------------------|------------|
| Coupang CEO Resigns | 00:15 |
| Russian Hacktivists Target US Infrastructure | 00:56 |
| Record Israeli Cyber Funding | 01:37 |
| Aeroflot Vendor Breach | 02:38 |
| Fortinet Auth Bypass Vulnerabilities | 03:55 |
| Storm-0249 EDR Abuse | 04:48 |
| Gogs Zero Day Exploitation | 05:17 |
| ClickFix AI Infostealers | 06:00 |
The episode concludes with concise recommendations and defense strategies, reflecting the show’s expert yet approachable tone. Sarah Lane’s delivery is direct, keeping listeners informed and engaged on fast-moving security threats.
Quote:
“You stay safe and warm out there. You hear me?” — Sarah Lane [07:32]
For more details on each story, visit CISOseries.com.