Summary5 min read

Cyber Security Headlines – December 24, 2025

Host: Sarah Lane
Episode Theme:
A rapid-fire update on key incidents and trends in cybersecurity, including major corporate acquisitions, newly discovered threats, significant breaches, and law enforcement actions.

Main Topics and Key Insights

1. ServiceNow Acquires Armis for $7.75 Billion

[00:13]

Summary:
- ServiceNow, a leader in digital workflow solutions, is set to acquire cybersecurity firm Armis in a deal valued at $7.75 billion—the largest in ServiceNow's history.
- Armis is renowned for cyber exposure management, specifically protecting IT systems, operational technology, medical devices, and various connected endpoints.
- Around 950 Armis employees will transition to ServiceNow post-acquisition.
Insight:
- This acquisition signals ServiceNow’s intention to expand its security footprint deeper into the realm of connected devices and enterprise operational infrastructure.
Notable Moment:
- “Armis specializes in cyber exposure management and cybersecurity for IT systems, operational technology, medical devices and other connected assets.” (Sarah Lane, 00:18)

2. MacSync Stealer Malware Goes Stealthier

[00:48]

Summary:
- JAMF Threat Labs identified a new variant of the MacSync stealer for macOS.
- The malware now masquerades as an Apple-signed Swift app, utilizing a mostly automatic, low-interaction installation to evade detection.
- Delivered via a disk image pretending to be a chat app, the installer executes a payload directly in memory, minimizing forensic evidence.
- JAMF reported the fraudulent developer certificate to Apple, which has since revoked it.
Notable Moment:
- “Installer silently downloads and executes an encoded second stage payload in memory, then leaves minimal forensic traces.” (Sarah Lane, 01:02)

3. SEC Sues Crypto Firms Over Deepfake-Driven Fraud

[01:25]

Summary:
- The SEC filed lawsuits against seven crypto-related firms accused of defrauding investors through WhatsApp groups.
- The scams used deepfake videos, fictitious professors, and AI-generated trading tips to swindle retail investors out of more than $14 million.
- Victims were lured to fake platforms, blocked from withdrawing funds without paying extra fees, with money funneled to Southeast Asian bank accounts and wallets.
Contextual Insight:
- This suit reflects a growing regulatory crackdown on high-tech, large-scale scam operations in the crypto space.
Quote:
- “The Securities and Exchange Commission sued seven crypto related firms, accusing each of running WhatsApp based investment clubs that used deepfake videos, fake professors and AI generated trading tips to defraud retail investors...” (Sarah Lane, 01:29)

4. Nissan Data Breach Exposes Japanese Customer Info

[02:10]

Summary:
- Nissan reported the breach of a Red Hat-managed GitLab server, leading to the exposure of data for roughly 21,000 customers in Japan.
- Compromised data included names, addresses, phone numbers, and partial emails, but not payment information.
- Red Hat detected the breach in September, alerted Nissan in October. This marks Nissan's third major breach in three years.
Security Consequence:
- Highlights the ongoing challenges automotive firms face in managing third-party and auxiliary cloud tools securely.
Memorable Moment:
- “The incident is Nissan's third major breach in three years.” (Sarah Lane, 02:30)

5. N8N Workflow Platform Vulnerability

[03:02]

Summary:
- A critical flaw was disclosed in the N8N automation platform, allowing authenticated attackers to execute arbitrary code, exposing both data flows and systems.
- Over 100,000 internet-facing instances could be vulnerable; immediate upgrades urged.
Security Threat:
- The issue lies within N8N’s expression evaluation system, underlining the risks associated with workflow and automation tools.
Key Line:
- “With more than 100,000 Internet facing instances potentially vulnerable as of December 22, users are urged to upgrade immediately.” (Sarah Lane, 03:13)

6. Web RAT Distributed via Malicious GitHub Repos

[03:30]

Summary:
- Web RAT malware is being circulated through fake GitHub repos, which pose as proof-of-concept exploits for new vulnerabilities.
- At least 15 repositories used AI-generated vulnerability write-ups to deceive users into installing malware.
- The malware disables Windows Defender, installs a backdoor, and can steal credentials, crypto wallet data, and spy via webcams.
- All discovered repositories have been removed.
Cautionary Takeaway:
- Researchers and hobbyists are cautioned to vet code samples and POCs carefully, as attackers exploit the current trends of rapid exploit sharing.
Notable Moment:
- “Researchers who found at least 15 repositories using AI generated vulnerability descriptions to trick users...” (Sarah Lane, 03:48)

7. DOJ Disrupts Major Bank Account Takeover Operation

[04:05]

Summary:
- The U.S. Justice Department seized web3adspanels[.]org, used to control a bank account takeover operation.
- The operation stole millions from Americans through fraudulent search ads mimicking major banks.
- At least 19 identified victims, with an estimated $14.6 million in confirmed losses (attempted losses at $28 million). The total reported losses linked to such fraud this year: $262 million.
Notable Quote:
- “Bank takeover fraud has generated more than $262 million in reported losses this year.” (Sarah Lane, 04:44)

8. Malicious Chrome Extensions Steal Credentials

[05:02]

Summary:
- Two Chrome extensions, posing as network speed tests and VPN services, secretly intercepted traffic and harvested credentials from over 170 websites for several years.
- They funneled selected traffic through attacker proxies, exfiltrating emails, passwords, payment data, and developer secrets; apparent origin is China.
- The operation maintained persistent command-and-control connections for ongoing data theft.
Security Reminder:
- Even browser extensions can be potent attack vectors, especially when granted broad permissions.

Notable Quotes & Memorable Moments

“ServiceNow agreed to acquire cybersecurity company Armis for $7.75 billion, marking the largest acquisition in ServiceNow's history.” (Sarah Lane, 00:13)
“Installer silently downloads and executes an encoded second stage payload in memory, then leaves minimal forensic traces.” (Sarah Lane, 01:02)
“The incident is Nissan's third major breach in three years.” (Sarah Lane, 02:30)
“Bank takeover fraud has generated more than $262 million in reported losses this year.” (Sarah Lane, 04:44)

Timestamps for Key Segments

ServiceNow/Armis acquisition – 00:13
MacSync Stealer update – 00:48
SEC crypto fraud lawsuits – 01:25
Nissan data breach – 02:10
N8N vulnerability – 03:02
Web RAT via GitHub – 03:30
DOJ bank account takeovers – 04:05
Malicious Chrome extensions – 05:02

Tone & Closing Remarks

The episode maintains a concise, urgent, and matter-of-fact tone, providing security professionals with actionable information. Sarah Lane ends with a shoutout to practitioners working through the holiday, underscoring the non-stop nature of cybersecurity work:

“...here is a quick shout out to all those cybersecurity professionals that are going to be on call and working through the holidays. You're appreciated and we hope Santa is extra kind to you this year.” (Sarah Lane, 05:38)

For more: Check out CISOseries.com

Loading summary

Transcript3 lines

[00:00]
A
From the CISO series It's Cybersecurity Headlines.
[00:07]
B
These are the cybersecurity headlines for Wednesday, December 24, 2025. I'm Sarah Lane. ServiceNow to acquire cybersecurity startup Armis ServiceNow agreed to acquire cybersecurity company Armis for $7.75 billion, market marking the largest acquisition in ServiceNow's history. Armis specializes in cyber exposure management and cybersecurity for IT systems, operational technology, medical devices and other connected assets. ARMIS team, roughly around 950 employees, will join ServiceNow after the deal closes. MacSync Stealer adopts quieter installation JAMF Threat Labs identified a reworked Mac Sync stealer variant for macOS that disguises itself as a legitimate Apple signed and notarized Swift app using a quieter, largely automated installation process that avoids earlier user interaction tricks. The malware is distributed via a disk image posing as a messaging app. Installer silently downloads and executes an encoded second stage payload in memory, then leaves minimal forensic traces. JAMF reported the developer certificate to Apple, which has since revoked it SEC Sues Crypto Firms for Defrauding Investors the Securities and Exchange Commission sued seven crypto related firms, accusing each of running WhatsApp based investment clubs that used deepfake videos. Fake professors and AI generated trading tips to defraud retail investors out of more than $14 million. Victims were steered to bogus crypto platforms and fake security token offerings, then blocked from withdrawing funds unless they paid additional fees with money routed to overseas bank accounts and crypto wallets in Southeast Asia. The SEC is seeking civil penalties as part of a broader US Crackdown on large scale scam operations linked to that region. Nissan Customer Data Stolen in Red Hat Raid Nissan disclosed that around 21,000 customers in Japan had personal data exposed after attackers accessed a red hat managed GitLab server used by a former Nissan dealer. The stolen information includes names, addresses, phone numbers and partial email addresses, though no payment data appears to have been taken. Red Hat detected the breach in late September and alerted Nissan in early October. The incident is Nissan's third major breach in three years, huge thanks to our sponsor Threat Locker. Want Real Zero Trust Training? Zero Trust World 2026 delivers hands on labs and workshops that show CISOs exactly how to implement and maintain Zero Trust in real environment. Join us March 4th through the 6th in Orlando, plus a live CISO series episode on March 6th. Get $200 off with ZTW CISO 26. Find out more at ztw.com N8N Flaw could allow arbitrary code execution a critical vulnerability in the N8N workflow automation platform could let authenticated attackers execute arbitrary code and fully compromise affected instances. The flaw affects N8N's expression evaluation system and potentially exposes data workflows and underlying systems. With more than 100,000 Internet facing instances potentially vulnerable as of December 22, users are urged to upgrade immediately. Web RAT spread through GitHub exploits Web RAT malware is being distributed via malicious GitHub repositories posing as proof of concept exploits for recently disclosed vulnerabilities including Windows and WordPress flaws. This is according to Kaspersky researchers who found at least 15 repositories using AI generated vulnerability descriptions to trick users into running a dropper that disables Windows Defender and installs the backdoor, which then can steal credentials, Crypto Wallet data and Spy via webcams. All identified repositories have since been taken down US disrupts bank account takeover operation the US Justice Department seized the domain web3adspanels.org which officials say was used as a control panel for a bank account takeover operation that stole millions from Americans via fraudulent search ads impersonating major banks. The FBI identified at least 19 victims with attempted losses of around $28 million and confirmed losses of roughly 14.6 million, and says the database hosted credentials for thousands of victims. And bank takeover fraud has generated more than $262 million in reported losses this year. Chrome Extensions caught Stealing Credentials Two malicious Chrome extensions called Phantom Shuttle posed as a network's speed test and VPN service while secretly intercepting traffic and stealing credentials from more than 170 websites. That's according to Socket Security. Researchers found the extensions routed selected traffic through attacker controlled proxies, exfiltrating plain text emails and passwords, payment data, developer secrets and browsing activity while maintaining a persistent connection to a command and control server. The operation has apparently run four years and likely originated in China. From all of us here at Cybersecurity Headlines, here is a quick shout out to all those cybersecurity professionals that are going to be on call and working through the holidays. You're appreciated and we hope Santa is extra kind to you this year. Cheers to you. I am Sarah Lane reporting for the CISO Series and I'll talk to you tomorrow.
[06:38]
A
Cybersecurity Headlines are available every weekday. Head to CISO series.com for the full stop. Stories behind the Headlines.