
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Tuesday, December 16, 2025. I'm Sarah Lane.

U.S. turns to private firms in cyber offensive
Late last week, Bloomberg sources say that the US administration is preparing a new national cyber strategy that would enlist private companies to help carry out offensive cyber operations against criminal and state-backed attackers. The plan would expand the government's cyber capacity but raises legal and security risks, since private firms currently lack clear authority to conduct attacks and could become targets themselves. The strategy also calls for streamlining cyber regulations, modernizing federal systems and accelerating post-quantum security, with more details expected through an executive order or legislation.

Microsoft updates cause queuing failures
Microsoft said its latest Patch Tuesday updates introduced a breaking change to the Message Queuing, or MSMQ, security model, causing enterprise apps and some sites to fail on Windows 10 22H2 and Windows Server 2016 and 2019. The updates altered NTFS permissions on a core MSMQ system folder, requiring write access normally limited to administrators, which can trigger misleading resource errors and disrupt clustered environments. Admins now face rolling back the patches or leaving systems exposed. MSMQ has a history of critical remote code execution flaws.

Russian phishing campaign delivers Phantom Stealer
Researchers at Seqrite Labs have identified a Russian-linked phishing campaign dubbed Operation MoneyMount-ISO that delivers Phantom Stealer malware using ISO files to bypass email security controls. The attack uses fake payment confirmation emails in Russian, luring finance-related staff into opening a ZIP file that contains a malicious ISO, which mounts a disguised executable and injects the stealer directly into memory.
Phantom Stealer harvests browser credentials, financial and crypto data, keystrokes and tokens, exfiltrating the information via Telegram, Discord and FTP.

Jaguar Land Rover payroll data stolen
Jaguar Land Rover disclosed that the cyber attack that shut down its factories back in August also included theft of sensitive payroll data belonging to thousands of current and former employees, including bank details and tax information. JLR says there's no evidence of misuse so far, but has warned staff to watch for fraud and phishing. The attack is attributed to the Scattered Lapsus$ Hunters group and has already cost JLR around £1.5 billion in lost sales and has been classified as a systemic event that could cost the UK economy more than 2 billion pounds.

Huge thanks to our sponsor, Adaptive Security. This episode is brought to you by Adaptive Security, the first cybersecurity company backed by OpenAI. Attackers don't need malware anymore. They need trust. Set a simple passphrase for high-risk actions like wire requests or urgent account recovery, especially within finance teams and families. And if the caller can't answer it, pause and verify. Adaptive runs deepfake and phishing simulations so employees practice this before it is real. Learn more at adaptivesecurity.com.

CISA adds Apple and Gladinet CenterStack and Triofox flaws to exploits
The US Cybersecurity and Infrastructure Security Agency, known as CISA, added two vulnerabilities to its known exploited catalog: a use-after-free flaw in Apple's WebKit affecting iOS, iPadOS and macOS, which we told you about yesterday, and a hard-coded AES key issue in Gladinet CenterStack and Triofox. Both have been actively targeted, including in sophisticated attacks against high-value individuals. Federal agencies are required to remediate these flaws by January 5th. Private organizations should review and patch affected systems to prevent exploitation.
Opexus says background checks missed flags before insider breach
US federal contractor Opexus admits it failed to identify red flags when hiring twin brothers Muneeb and Sohaib Akhter, who had pleaded guilty to cybercrimes in 2015. Back in February of this year, minutes after being fired, Muneeb allegedly deleted 96 U.S. government databases and stole sensitive records from DHS, IRS and EEOC. Opexus has acknowledged errors in hiring, termination and access controls and has enhanced background checks to 10 years. The brothers face up to 45 years in prison for computer fraud, data theft and aggravated identity theft.

Chrome extension intercepts AI chats
Chrome extension Urban VPN Proxy, which has 6 million users, was found intercepting all prompts and responses from AI chatbots like ChatGPT, Claude, Copilot, Gemini and Meta AI. The extension was updated back in July and collects this data through injected JavaScript and sends it to two servers. The company shares raw data with its affiliated ad intelligence firm BiScience, which also owns Urban Cyber Security. Similar harvesting was observed in three other extensions from the same publisher.

Google shutters dark web tool
Google emailed users that on February 16th it is shutting down its Dark Web Report tool, which monitored email addresses on the dark web. Dark web scans will end on January 15th and all data will be deleted on the shutdown date. Google said feedback claimed it didn't provide helpful next steps, and it plans to focus on tools going forward offering actionable guidance, like Security Checkup, Password Manager, passkeys and two-step verification.

CISOs first appeared in the C-suite more than 30 years ago, but their responsibilities and function within an organization still vary pretty wildly. Organizations need to understand how their CISO operates if they want to make them effective. We dig into how to bridge that gap in our latest CISO Series podcast episode.
Look for the episode "How Much Risk Would a CISO Risk if a CISO Could Risk Risk?" wherever you get your podcasts. If you have thoughts on the news from today or about our show in general, be sure to reach out to us: feedback@cisoseries.com. We would love to hear from you. I am Sarah Lane, reporting for the CISO Series, and I will talk to you tomorrow.
A
Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Sarah Lane
Date: December 16, 2025
Podcast: CISO Series
This episode delivers a concise roundup of the latest cybersecurity news, focusing on significant developments affecting enterprises, governments, and individual users. Topics include the US government's collaboration with the private sector for cyber offensives, Microsoft patch complications, a sophisticated Russian phishing campaign, critical data breaches, browser vulnerabilities, and changes to popular cyber tools and policies.
| Segment | Timestamp |
|---|---|
| US enlists private cyber firms | 00:09–01:06 |
| Microsoft updates cause queuing failures | 01:07–01:49 |
| Russian phishing with Phantom Stealer | 01:50–02:38 |
| Jaguar Land Rover payroll breach | 02:39–03:19 |
| CISA adds Apple & Gladinet flaws | 04:04–04:35 |
| Opexus background check failure | 04:36–05:13 |
| Urban VPN Proxy intercepts AI chats | 05:14–05:45 |
| Google Dark Web Report tool shutdown | 05:46–06:13 |
This episode presents urgent developments and breaches affecting both public and private sectors, highlights risky security gaps in software and hiring, and underscores the ongoing evolution of cyber threats—particularly with the state’s involvement, insider vulnerabilities, and the broadening scope of data-harvesting in commonly trusted tools. The tone remains brisk and practical, in keeping with Sarah Lane’s signature style.