
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Monday, December 22, 2025. I'm Steve Prentice.

President signs defense bill funding Cyber Command and Pentagon phone security. The 901 billion dollar Pentagon policy bill, named the 2026 National Defense Authorization Act, was signed on Thursday night with bipartisan support in both the House and the Senate. It authorizes unprecedented spending levels for national security programs and effectively preserves the dual hat leadership structure of U.S. Cyber Command and the National Security Agency. In addition to funding for Cyber Command, the bill also, quote, requires the Defense secretary to ensure DoD senior leaders are provided with mobile phones with enhanced cybersecurity protections, including data encryption.

Iranian APT resurfaces with new malware. Threat hunters at SafeBreach are warning of new activity from an Iranian threat actor known as Infy, also known as Prince of Persia. This comes nearly five years after it was observed targeting victims in Sweden, the Netherlands and Turkey. Described as still active, relevant and dangerous, Infy is one of the oldest APT actors in existence, dating back to December 2004, and is more publicity-shy than its Iranian compatriots Charming Kitten, MuddyWater and OilRig. The Infy attacks generally involve a downloader and victim profiler named Foudre, which is French for lightning, paired with a data extraction tool called Tonnerre, which is French for thunder, used to extract data from high-value machines. It is distributed via phishing emails, often with a poisoned Microsoft Excel file as the delivery vehicle. Further details about the extent of this campaign are available through a link in the show notes to this episode.

Massive Android botnet Kimwolf launches DDoS attack. According to XLab, this new Android botnet linked to the Aisuru botnet has infected more than 1.8 million devices in order to launch more than 1.7 billion DDoS attack commands and boost its command and control domain.
Kimwolf primarily targets TV boxes and uses DNS over TLS to hide communication and authenticates its command and control servers with elliptic curve digital signatures. Although the botnet uses code from the Aisuru family, its operators have redesigned it to evade detection.

Microsoft Teams suffers a brief outage. Thousands of users in the US and Europe reported problems sending messages through the platform on Friday. The issue affected all Teams clients, including the Windows app and mobile apps. The outage, however, was brief and was resolved within the hour.

Huge thanks to our sponsor ThreatLocker. Want real zero trust training? Zero Trust World 2026 delivers hands-on labs and workshops that show CISOs exactly how to implement and maintain zero trust in real environments. Join us March 4th through 6th in Orlando, plus a live CISO Series episode on March 6th, and get $200 off with the code ZTWCISO26 at ZTW.com.

Former cyber incident responders plead guilty to ransomware spree. As quoted in CyberScoop, former cybersecurity professionals Ryan Clifford Goldberg and Kevin Tyler Martin pleaded guilty Thursday to participating in a series of ransomware attacks in 2023 while they were employed at cybersecurity companies tasked with helping organizations respond to ransomware attacks. Goldberg, who was a manager of incident response at Sygnia, and Martin, a ransomware negotiator at DigitalMint at the time, collaborated with an unnamed co-conspirator to attack victim computers and networks and use ALPHV, also known as BlackCat ransomware, to extort payments. Each pleaded guilty to conspiracy to interfere with interstate commerce by extortion. Victims of the attacks included a medical company based in Florida, a pharmaceutical company based in Maryland, a California doctor's office, an engineering company based in California and a drone manufacturer in Virginia.
This is according to the indictment.

Department of Justice indicts 54 over ATM jackpotting ring. The indictments follow a nationwide ATM jackpotting scheme that stole millions through malware. The crimes are linked to a cybercrime group, Tren de Aragua, and the charges include fraud, money laundering and material support to a terrorist organization. ATM jackpotting involves infecting an ATM with malware, usually by opening its cabinet, connecting a device, or replacing the hard drive with one that is loaded with malicious software that sends unauthorized commands to the cash dispenser, causing the machine to jackpot and release all available money. If convicted, some defendants face sentences ranging from 20 to 335 years in prison.

NIST tried to take down NTP servers after blackout caused atomic clock drift. Jeffrey Sherman, a NIST supervisory physicist who maintains the institute's atomic clocks, acknowledged in a mailing list post that he tried to disable backup generators powering some of its Network Time Protocol infrastructure after a power outage in Boulder, Colorado, led to errors. The power failure was due to intense, stormy weather. NIST uses its atomic clocks to provide a Network Time Protocol service, which much of the computing world relies on to synchronize events. Sherman wasn't able to simply turn the main system off and back on again due to backup generators that automatically kick in to keep the servers running during the outage. NIST advised users to refer to the organization's other sources of time information.

Remember to join us later today for our Department of No livestream at 4pm Eastern time. You're probably taking some time off for the holidays or the end of the year, so why not spend 30 minutes with us on the CISO Series YouTube channel? We'll discuss the biggest news stories of the week and break down how they apply to your cybersecurity program.
If you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentice reporting for the CISO Series.
A
Cyber Security Headlines is available every weekday. Head to CISOseries.com for the full stories behind the headlines.
Podcast: Cyber Security Headlines
Host: Steve Prentice (CISO Series)
Date: December 22, 2025
Episode: President's cyber bill, Iranian APT resurfaces, Kimwolf DDoS attack
This episode covers major cybersecurity news, including the passage of a crucial U.S. defense bill impacting federal cyber operations, a resurgence of an Iranian APT group, the discovery of a massive new Android botnet, legal cases of cybercrime insiders, and attempted mitigation by NIST following a time server outage. Host Steve Prentice summarizes each headline with key details about its security implications.
President signed the 2026 NDAA, with $901 billion in funding for national security programs.
Maintains “dual hat” leadership for both U.S. Cyber Command and the NSA.
Mandates DoD senior leaders be supplied with “mobile phones with enhanced cybersecurity protections, including data encryption.”
Insight: The bill sets a new precedent in security funding and signals increasing priority for securing leadership communications.
“It authorizes unprecedented spending levels for national security programs and effectively preserves the dual hat leadership structure of U.S. Cyber Command and the National Security Agency.”
– Steve Prentice ([00:13])
SafeBreach researchers identify renewed activity from the Infy group (also known as Prince of Persia), dormant since campaigns in Sweden, the Netherlands and Turkey (~5 years ago).
Infy, one of the oldest APTs (active since December 2004), uses two key tools: the Foudre downloader and victim profiler, and the Tonnerre data extraction tool.
Delivered via phishing emails with malicious Excel files.
Infy is “more publicity-shy than its Iranian compatriots” (Charming Kitten, MuddyWater, OilRig).
“Described as still active, relevant and dangerous, Infy is one of the oldest APT actors in existence, dating back to December 2004.”
– Steve Prentice ([01:18])
XLab reports over 1.8 million infected devices, launching more than 1.7 billion DDoS attack commands.
Kimwolf targets TV boxes and evades detection by using DNS over TLS to hide its communication and authenticating its command and control servers with elliptic curve digital signatures.
Built off the Aisuru malware family, but “redesigned by its operators.”
Notable threat to IoT and Android device security.
“Kimwolf primarily targets TV boxes and uses DNS over TLS to hide communication and authenticates its command and control servers with elliptic curve digital signatures.”
– Steve Prentice ([02:23])
Thousands impacted in the US and Europe; affected all Teams clients.
Issues resolved within the hour.
Shows rapid incident response, but highlights reliance on messaging infrastructure.
“The outage, however, was brief and was resolved within the hour.”
– Steve Prentice ([03:17])
Ryan Clifford Goldberg (Sygnia) and Kevin Tyler Martin (DigitalMint) admitted to perpetrating ransomware attacks (2023) while employed as cyber incident responders.
Used ALPHV/BlackCat ransomware; attacked companies in healthcare, pharma, engineering, and drones.
Charges: conspiracy to interfere with interstate commerce by extortion.
Emphasizes insider threat risk in cybersecurity firms.
“Goldberg, who was a manager of incident response at Sygnia, and Martin, a ransomware negotiator at DigitalMint at the time, collaborated…to attack victim computers and networks and use ALPHV, also known as BlackCat ransomware, to extort payments.”
– Steve Prentice ([03:43])
Group stole millions by infecting ATMs with malware that forced them to dispense all cash (“jackpotting”).
Crimes tied to Tren de Aragua; charges include fraud, money laundering, and supporting terrorism.
Sentencing potential ranges from 20 to 335 years.
Highlights sophistication and severity of organized cybercrime exploiting financial infrastructure.
“ATM jackpotting involves infecting an ATM with malware, usually by opening its cabinet, connecting a device, or replacing the hard drive with one that is loaded with malicious software…”
– Steve Prentice ([04:46])
Jeffrey Sherman, NIST physicist, tried to disable time servers after Boulder, CO outage, which induced atomic clock drift and time errors.
Backup generators prevented an easy shutdown/restart.
NIST advised users to use alternate time sources.
Incidents like this have widespread downstream impacts across computing ecosystems.
“NIST uses its atomic clocks to provide a network time protocol service, which much of the computing world relies on to synchronize events.”
– Steve Prentice ([05:38])
“In addition to funding for Cyber Command, the bill also, quote, requires the Defense secretary to ensure DoD senior leaders are provided with mobile phones with enhanced cybersecurity protections, including data encryption.”
– Steve Prentice ([00:28])
“The Infy attacks generally involve a downloader and victim profiler named Foudre, which is French for lightning, paired with a data extraction tool called Tonnerre, which is French for thunder.”
– Steve Prentice ([01:27])
“If convicted, some defendants face sentences ranging from 20 to 335 years in prison.”
– Steve Prentice ([05:14])
Host Steve Prentice maintains an informative and direct tone, efficiently summarizing each story with relevant context and technical details, suitable for busy cybersecurity professionals.
For more information or deeper dives into any specific story, listeners are encouraged to visit CISOseries.com.