Transcript
A (0:00)
From the CISO series, it's Cybersecurity Headlines.
B (0:06)
These are the cybersecurity headlines for Thursday, December 18, 2025. I'm Lauren Verno.

FTC orders crypto company to pay
The Federal Trade Commission says crypto bridge operator Nomad must repay users for funds lost in a 2022 breach that drained roughly US$186 million. According to the FTC, the company pushed inadequately tested code that introduced a critical vulnerability despite marketing the platform as "security first," leaving customers out nearly 100 million after partial recoveries. Under a proposed settlement, Nomad would be required to repay about $37.5 million, implement a comprehensive security program, and stop misrepresenting the security of its products.

New exploit of React2Shell
A ransomware gang has been observed exploiting the critical React2Shell vulnerability to gain initial access and deploy ransomware in under a minute, a quick pivot from the espionage and crypto mining activity reported when the flaw first emerged. Now, according to researchers, attackers used the bug to remotely execute JavaScript on a vulnerable React Server Components endpoint before dropping the Wexer ransomware strain. The attackers quickly disabled Windows Defender, deployed Cobalt Strike for command and control, encrypted files, wiped shadow copies, and cleared logs, all without moving laterally. Researchers also warn that patching alone isn't enough.

Ukraine-based fraud ring taken down
European law enforcement has dismantled a network of fraudulent call centers operating out of Ukraine that scammed hundreds of victims out of more than US$11.7 million, according to Eurojust. The group posed as police officers and bank employees, pressuring victims into transferring funds to so-called "safe accounts" or installing remote access software to take over their banking apps. Authorities believe roughly 100 people were involved, and the true financial impact is likely far higher than currently known.

French Interior Ministry confirms breach
France's Interior Ministry is investigating a cyber intrusion that gave an attacker access to several internal email accounts and dozens of confidential files, including records tied to judicial cases and wanted individuals, according to the ministry. The intruder remained in the network for several days, though officials say no ransom demand was made and there's no indication the breach put lives at risk.

Huge thanks to today's episode sponsor, Adaptive Security. This episode is brought to you by Adaptive Security, the first cybersecurity company backed by OpenAI. In deepfake scams, the tells aren't glitchy video anymore, it's behavior: "Do this right now" or "keep it a secret." If you hear urgency and secrecy together, stop and verify through a second channel: call a known number, start a chat thread, or ask something only the real person would know. Adaptive trains teams against exactly these tactics. Learn more at adaptivesecurity.com.

Malicious Firefox extensions hide malware in plain sight
Researchers have uncovered a malicious Firefox campaign dubbed GhostPoster, where malware was hidden inside the browser extensions' logo images. The extensions, posing as VPNs, ad blockers, translation tools, and weather apps, were installed more than 50,000 times and quietly deployed a delayed multi-stage payload that tracked users, stripped browser security protections, enabled remote code execution, hijacked affiliate links, and injected tracking code. Mozilla has since removed the affected add-ons from its marketplace.

Microsoft update breaks MSMQ
Microsoft's December 2025 security update is breaking Message Queuing, or MSMQ, on older Windows 10 and Server systems: queues fail, apps can't write messages, and IIS throws misleading "insufficient resources" errors, all thanks to stricter folder permissions. Uninstalling the update can fix it, but at the cost of losing security patches. The choice is up to you.

ISACA takes over CMMC credentialing
The U.S. Department of Defense has appointed ISACA as the exclusive organization to train, certify, and credential professionals under the Cybersecurity Maturity Model Certification, or CMMC, program. Starting now, all DoD contractors handling sensitive data must meet CMMC standards, with a full rollout expected by 2028. Over 200,000 organizations, including European suppliers, will need certification. And as ISACA takes over from the Cyber AB.

Privacy concerns surround Meta AI
Privacy experts are warning about a new Meta policy that uses AI chat interactions to tailor ads. The change, rolled out Tuesday, automatically affects users of Meta AI across Facebook, Instagram, WhatsApp, and Messenger. There's no opt-out option. So what's this all got to do with cybersecurity? Well, AI chats often include sensitive personal information: health, religion, finances, mental health. And feeding that into ad targeting could expose users to profiling, scams, or other exploitation. Even if Meta filters some topics, proxy signals could still reveal private details.

Most CISOs can talk tech inside and out, but when they have to communicate that to the business, the conversation doesn't flow nearly as smoothly. Why is translating cyber to the business still a struggle? That's what we're trying to answer on our latest episode of Defense in Depth. Look for the episode "How Should CISOs Talk to the Business?" wherever you get your podcasts. And if you have some thoughts on the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you. I'm Lauren Verno reporting for the CISO Series.
