
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Friday, December 12, 2025. I'm Sarah Lane.

New DroidLock malware demands a ransom

Researchers at Zimperium say a new Android strain called DroidLock is hitting Spanish-speaking users through phishing sites pushing fake apps. Once installed, it can change a device's PIN, lock the screen with a ransom note, wipe data, record the screen and block interaction with a fake update screen. The malware doesn't encrypt files, but it effectively bricks the phone unless victims pay.

Google fixes secret Chrome zero-day

Google pushed an emergency Chrome update to fix its eighth zero-day of 2025, a high-severity bug with no CVE or technical details yet disclosed. The flaw is already being exploited, so users on Windows, macOS and Linux should update to new versions immediately. The patch also includes fixes for two medium-severity issues in Password Manager and Toolbar.

UK fines LastPass over 2022 breach

The UK's Information Commissioner's Office, or ICO, fined LastPass £1.2 million for the 2022 breach that exposed personal data and encrypted vaults for up to 1.6 million UK users. Regulators say a compromise of an employee's personal device let an attacker steal master credentials and cloud backup keys, leading to the theft of customer vault data stored with GoTo. Vaults are still encrypted, but weak master passwords could still be cracked, with some already exploited in crypto theft.

Doxxers posing as cops trick tech firms

Wired reports that a doxxing crew is impersonating US police to trick major tech companies into handing over private user data through fake emergency requests. The group forges subpoenas, spoofs law enforcement email domains and uses compromised officer accounts, extracting names, addresses, phone numbers and more from companies including Apple, Amazon, Charter and Rumble. The attackers say they've pulled off up to 500 requests and even recruited a real deputy to help, exploiting a long-known weakness in email-based emergency data requests that many companies still rely on.

Huge thanks to our sponsor, Adaptive Security

This episode is brought to you by Adaptive Security, the first cybersecurity company backed by OpenAI. Security training fails when it's generic. Adaptive's platform personalizes training and runs deepfake simulations across email, SMS, voice and video. And with Adaptive's AI content creator, you can drop in a breaking threat or a compliance doc and instantly turn it into interactive multilingual training. No designers, no delays. Learn more at adaptivesecurity.com.

OpenAI enhances defensive models

OpenAI reports that GPT-5.1-Codex-Max shows a jump in CTF challenge performance from 27% in August to 76% in November, raising concerns that future models could help with tasks like intrusion operations or zero-day exploit development. OpenAI is layering safeguards including access controls, monitoring, red teaming and training models toward defensive uses. Programs like Aardvark, which scans code and proposes patches, and a Frontier Risk Council are meant to strengthen defensive AI and ecosystem-wide threat mitigation while coordinating with global experts.

Docker images spray live cloud creds

Canadian cybersecurity firm Flare says that Docker Hub has become a major leak point for live cloud credentials. In an analysis of images uploaded in November, Flare found more than 10,000 public containers exposing active secrets from more than 100 organizations. Many images contained multiple production-level keys spanning cloud services, CI/CD systems and AI platforms, often uploaded from unmanaged shadow IT accounts. Flare also found that most revoked in-image secrets were still active, urging teams to move to proper secrets management and pre-publish scanning.

Hackers exploit cryptographic flaw

Hackers are exploiting a cryptographic flaw in Gladinet's CentreStack and Triofox, allowing remote code execution. The issue stems from hard-coded AES keys in the software, letting attackers decrypt access tickets or forge their own to access files. Once obtained, the machine key in the web.config file can be used to trigger RCE via a ViewState deserialization flaw. At least nine organizations across sectors, including healthcare and tech, have been targeted. Gladinet urges users to update, rotate machine keys and check logs for indicators of compromise.

Russian attackers debut simple ransomware

CyberVolk, a pro-Russian hacktivist group, has relaunched its ransomware-as-a-service VolkLocker, using Telegram for automation and management. The ransomware targets Windows and Linux systems, escalating privileges and encrypting files. However, operators hard-coded the master encryption key in the malware and left it in plain text in the temp folder, letting victims potentially recover files without paying. The group's reliance on Telegram reflects a trend of lowering technical barriers for affiliates.

Do make sure you've added a calendar reminder for the Department of No this Monday. Join us on our YouTube channel for the live stream at 4pm Eastern Time. We will be breaking down the biggest news items over the past week and helping you understand what they mean for your security program. Join the chat, have some fun and learn something to kick off your week. It starts at 4pm Eastern Time, so be sure you're subscribed to the CISO Series YouTube channel and we will see you there. If you have thoughts on the news from today or about our show in general, be sure to reach out to us at feedback@cisoseries.com. We really want to hear from you. I am Sarah Lane reporting for the CISO Series. Thank you for listening.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
C
Sam.
The December 12, 2025 episode of "Cyber Security Headlines" delivers a fast-paced rundown of the day's most pressing cybersecurity stories. Topics include a new Android ransomware threat targeting Spanish speakers, Google's emergency Chrome patch for a critical zero-day, the UK’s record fine for LastPass over its 2022 breach, hackers exploiting emergency data request systems at tech firms, advances in AI-powered defense from OpenAI, significant credential exposures via Docker Hub, a major cryptographic flaw allowing remote code execution, and the appearance of a new ransomware-as-a-service offering with an apparent critical mistake.
[00:10]
“It effectively bricks the phone unless victims pay.” – Sarah Lane [00:24]
[00:38]
“The flaw is already being exploited, so users on Windows, macOS and Linux should update to new versions immediately.” – Sarah Lane [00:45]
[01:05]
“Vaults are still encrypted, but weak master passwords could still be cracked, with some already exploited in crypto theft.” – Sarah Lane [01:35]
[01:51]
“The attackers say they’ve pulled off up to 500 requests and even recruited a real deputy to help...” – Sarah Lane [02:11]
[03:00]
“Future models could help with tasks like intrusion operations or zero-day exploit development.” – Sarah Lane [03:15]
[03:48]
“Flare also found that most revoked in-image secrets were still active, urging teams to move to proper secrets management and pre-publish scanning.” – Sarah Lane [04:24]
[04:44]
“Once obtained, the machine key in the web config file can be used to trigger RCE via a Viewstate deserialization flaw.” – Sarah Lane [05:09]
[05:28]
“Operators hard coded the master encryption key in the malware and left it in plain text in the temp folder, letting victims potentially recover files without paying.” – Sarah Lane [05:47]
This episode offers a timely, no-nonsense delivery of vital cybersecurity developments, unifying breaking news with expert context. The coverage spotlights evolving threats to consumers and enterprises, as well as the promise and potential pitfalls of AI in security. Major takeaways range from urgent software updates and the criticality of secrets management, to the ongoing risks inherent in digital identity verification and the evolving landscape of ransomware operations.
Listeners are left with actionable reminders—patch those devices, manage secrets wisely, and remain vigilant amidst constantly shifting threat tactics.