Cyber Security Headlines – Episode Summary
Podcast: Cyber Security Headlines
Host: Steve Prentiss (CISO Series)
Date: December 22, 2025
Episode: President's cyber bill, Iranian APT resurfaces, Kimwolf DDoS attack
Overview
This episode covers major cybersecurity news, including the passage of a crucial U.S. defense bill impacting federal cyber operations, a resurgence of an Iranian APT group, the discovery of a massive new Android botnet, legal cases of cybercrime insiders, and attempted mitigation by NIST following a time server outage. Host Steve Prentiss summarizes each headline with key details about their security implications.
Key Discussion Points & Insights
1. President Signs National Defense Authorization Act (NDAA) for Cyber Command and Pentagon Phone Security
- [00:06–01:03]
- President signed the 2026 NDAA, with $901 billion in funding for national security programs.
- Maintains “dual hat” leadership for both U.S. Cyber Command and the NSA.
- Mandates DoD senior leaders be supplied with “mobile phones with enhanced cybersecurity protections, including data encryption.”
- Insight: The bill sets a new precedent in security funding and signals increasing priority for securing leadership communications.
“It authorizes unprecedented spending levels for national security programs and effectively preserves the dual hat leadership structure of U.S. cyber Command and the National Security Agency.”
– Steve Prentiss ([00:13])
2. Iranian APT “INFI” (Prince of Persia) Resurfaces with New Malware
- [01:05–02:01]
- SafeBreach researchers identify renewed activity from the INFI group (also known as Prince of Persia), dormant since its campaigns in Sweden, the Netherlands, and Turkey roughly five years ago.
- INFI, one of the oldest APTs (active since December 2004), uses two key tools:
  - Foudre (downloader and victim profiler)
  - Tonair (data extraction tool)
- Delivered via phishing emails with malicious Excel files.
- INFI is “more publicity shy than its Iranian compatriots” (Charming Kitten, MuddyWater, OilRig).
“Described as still active, relevant and dangerous, INFI is one of the oldest APT actors in existence, dating back to December 2004.”
– Steve Prentiss ([01:18])
3. Massive Android Botnet ‘Kimwolf’ Launches DDoS Attacks
- [02:02–02:55]
- XLab reports over 1.8 million infected devices, which have launched more than 1.7 billion DDoS attack commands.
- Kimwolf targets TV boxes and evades detection by:
  - Using DNS over TLS for covert communications
  - Authenticating C2 servers with elliptic curve digital signatures
- Built on the Isuru malware family, but “redesigned by its operators.”
- Notable threat to IoT and Android device security.
“Kimwolf primarily targets TV boxes and uses DNS over TLS to hide communication and authenticates its command and control servers with elliptic curve digital signatures.”
– Steve Prentiss ([02:23])
4. Microsoft Teams Suffers Brief Outage
- [02:56–03:21]
- Thousands impacted in the US and Europe; affected all Teams clients.
- Issues resolved within the hour.
- Demonstrates rapid incident response, but highlights how much organizations depend on messaging infrastructure.
“The outage, however, was brief and was resolved within the hour.”
– Steve Prentiss ([03:17])
5. Former Cyber Incident Responders Plead Guilty to Ransomware Attacks
- [03:23–04:33]
- Ryan Clifford Goldberg (Signia) and Kevin Tyler Martin (Digital Mint) admitted to perpetrating ransomware attacks in 2023 while employed as cyber incident responders.
- Used ALPHV/BlackCat ransomware; attacked companies in healthcare, pharma, engineering, and drones.
- Charges: conspiracy to interfere with interstate commerce by extortion.
- Emphasizes insider threat risk in cybersecurity firms.
“Goldberg, who was a manager of incident response at Signia, and Martin, a ransomware negotiator at Digital Mint at the time, collaborated…to attack victim computers and networks and use ALFV, also known as Black Cat ransomware to extort payments.”
– Steve Prentiss ([03:43])
6. DOJ Indicts 54 in ATM Jackpotting Malware Scheme
- [04:35–05:25]
- Group stole millions by infecting ATMs with malware that forced them to dispense all of their cash (“jackpotting”).
- Crimes tied to Tren de Aragua; charges include fraud, money laundering, and supporting terrorism.
- Potential sentences range from 20 to 335 years.
- Highlights the sophistication and severity of organized cybercrime exploiting financial infrastructure.
“ATM jackpotting involves infecting an ATM with malware, usually by opening its cabinet, connecting a device, or replacing the hard drive with one that is loaded with malicious software…”
– Steve Prentiss ([04:46])
7. NIST Attempted to Take Down NTP Servers After Atomic Clock Drift
- [05:26–06:10]
- Jeffrey Sherman, a NIST physicist, tried to disable the time servers after a power outage in Boulder, CO caused the atomic clocks to drift and serve incorrect time.
- Backup generators kept the servers running, preventing an easy shutdown/restart.
- NIST advised users to use alternate time sources.
- Incidents like this have widespread downstream impacts across computing ecosystems, since many systems synchronize their clocks against NIST's NTP service.
“NIST uses its atomic clocks to provide a network time protocol service, which much of the computing world relies on to synchronize events.”
– Steve Prentiss ([05:38])
Notable Quotes & Memorable Moments
- “In addition to funding for Cyber Command, the bill also, quote, requires the Defense secretary to ensure DoD senior leaders are provided with mobile phones with enhanced cybersecurity protections, including data encryption.”
  – Steve Prentiss ([00:28])
- “The INFI attacks generally involve a downloader and victim profiler named Foudre, which is French for lightning, paired with a data extraction tool called Tonair, which is French for thunder.”
  – Steve Prentiss ([01:27])
- “If convicted, some defendants face sentences ranging from 20 to 335 years in prison.”
  – Steve Prentiss ([05:14])
Timestamps for Important Segments
- 00:06 – President signs NDAA (cyber funding and DoD phone security)
- 01:05 – Iranian APT INFI returns
- 02:02 – Kimwolf Android botnet launches DDoS attack
- 02:56 – Microsoft Teams outage
- 03:23 – Insiders plead guilty to ransomware campaign
- 04:35 – DOJ indicts ATM jackpotting group
- 05:26 – NIST atomic clock/NTP server blackout
Tone & Language
Host Steve Prentiss maintains an informative and direct tone, efficiently summarizing each story with relevant context and technical details, suitable for busy cybersecurity professionals.
For more information or deeper dives into any specific story, listeners are encouraged to visit CISOseries.com.
