Podcast Summary: Cyber Security Headlines
Episode: US taps private firms in cyber offensive, Microsoft updates cause queuing failures, phishing campaign delivers Phantom Stealer
Host: Sarah Lane
Date: December 16, 2025
Podcast: CISO Series
Episode Overview
This episode delivers a concise roundup of the latest cybersecurity news, focusing on significant developments affecting enterprises, governments, and individual users. Topics include the US government's collaboration with the private sector for cyber offensives, Microsoft patch complications, a sophisticated Russian phishing campaign, critical data breaches, browser vulnerabilities, and changes to popular cyber tools and policies.
Key Discussion Points and Insights
1. U.S. Taps Private Companies for Cyber Offensives
Timestamp: 00:09 - 01:06
- The U.S. Administration is developing a new national cyber strategy that would enlist private firms to help with offensive cyber operations against criminal and state-backed adversaries.
- This strategy aims to expand government cyber capacity.
- Legal and security risks:
  - Private firms aren't currently authorized for such cyber activities.
  - Enlistment could make private companies potential targets.
- The plan encompasses:
  - Streamlining cyber regulations
  - Modernizing federal systems
  - Accelerating post-quantum security
- Further details are forthcoming via executive orders or legislation.
- Quote:
  - “The plan would expand the government's cyber capacity but raises legal and security risks since private firms currently lack clear authority to conduct attacks and could become targets themselves.” (Sarah Lane, 00:17)
2. Microsoft Patch Tuesday Update Disruptions
Timestamp: 01:07 - 01:49
- Recent Patch Tuesday updates by Microsoft caused failures in the message queuing (MSMQ) security model.
- Impacted platforms: Windows 10 22H2, Windows Server 2016, 2019.
- Issue: NTFS permissions on a core MSMQ folder were changed, now requiring write access typically reserved for admins.
- Result: Resource errors and broken applications, especially in clustered environments.
- Enterprises must choose between rolling back the security updates or leaving systems exposed, a lose/lose scenario given MSMQ's history of critical RCE vulnerabilities.
- Quote:
  - “Admins now face rolling back the patches or leaving systems exposed. MSMQ has a history of critical remote code execution flaws.” (Sarah Lane, 01:40)
3. Russian Phishing Campaign Delivers Phantom Stealer
Timestamp: 01:50 - 02:38
- Researchers at Seqrite Labs discovered a new phishing operation dubbed Operation Money Mount ISO.
- Delivers Phantom Stealer malware via ISO files.
- Method:
  - Spoofed payment confirmation emails in Russian.
  - Target: Finance staff.
  - ISO files bypass email security and deploy a hidden executable, injecting the stealer into memory.
- Phantom Stealer collects:
  - Browser credentials, financial data, cryptocurrency info, keystrokes, tokens.
- Data is exfiltrated via Telegram, Discord, and FTP channels.
- Quote:
  - “Phantom Stealer harvests browser credentials, financial and crypto data, keystrokes and tokens, exfiltrating the information via Telegram, Discord and FTP.” (Sarah Lane, 02:25)
4. Jaguar Land Rover Payroll Data Breach
Timestamp: 02:39 - 03:19
- Jaguar Land Rover (JLR) reported its August cyberattack also resulted in the theft of sensitive payroll data (bank and tax details) of thousands of employees.
- No evidence of data misuse yet, but employees have been cautioned about potential fraud and phishing risks.
- The attack, linked to the Scattered Lapsus$ Hunters group, has cost JLR about £1.5 billion in lost sales and could impact the UK economy by over £2 billion.
- Quote:
  - “The attack is attributed to the Scattered Lapsus$ Hunters group and has already cost JLR around £1.5 billion in lost sales and has been classified as a systemic event that could cost the UK economy more than 2 billion pounds.” (Sarah Lane, 03:12)
5. CISA Adds Apple and Gladinet Flaws to Known Exploited Catalog
Timestamp: 04:04 - 04:35
- CISA (US Cybersecurity and Infrastructure Security Agency) listed two new exploited vulnerabilities:
  - Use-after-free flaw in Apple's WebKit (impacts iOS, iPadOS, macOS)
  - Hard-coded AES key in Gladinet CentreStack & Triofox
- Exploited in attacks targeting high-value individuals.
- Federal agencies must remediate by January 5. Private sector advised to patch urgently.
- Quote:
  - “Federal agencies are required to remediate these flaws by January 5th. Private organizations should review and patch affected systems to prevent exploitation.” (Sarah Lane, 04:30)
6. Federal Contractor Opexus Missed Insider Threat Red Flags
Timestamp: 04:36 - 05:13
- Opexus failed to flag two employees (the Akhtar twins) with previous cybercrime convictions from 2015.
- After termination, one twin deleted 96 government databases and stole sensitive data from multiple agencies.
- Opexus admits errors in hiring, termination, and access controls, and has extended background checks to cover 10 years.
- The brothers face up to 45 years for various cyber offenses.
- Quote:
  - “Opexus has acknowledged errors in hiring, termination and access controls and has enhanced background checks to 10 years.” (Sarah Lane, 05:05)
7. Chrome Extension ‘Urban VPN Proxy’ Intercepts AI Chats
Timestamp: 05:14 - 05:45
- Extension with over 6 million users was found intercepting all prompts and responses to major AI chatbots (ChatGPT, Claude, Copilot, Gemini, Meta AI).
- Data is exfiltrated to company servers and shared with an affiliated ad firm.
- Three similar extensions from the same publisher were implicated.
- Quote:
  - “The extension was updated back in July and collects this data through injected JavaScript and sends it to two servers. The company shares raw data with its affiliated ad intelligence firm.” (Sarah Lane, 05:35)
8. Google Shuts Down Dark Web Report Tool
Timestamp: 05:46 - 06:13
- Google will sunset its Dark Web Report Tool (for monitoring email leaks) on February 16th.
- Scans end January 15; all user data will be deleted.
- Feedback indicated the tool lacked actionable guidance; Google will instead focus on security checkups and authentication tools.
- Quote:
  - “Google said feedback claimed it didn't provide helpful next steps, and it plans to focus on tools going forward, offering actionable guidance like Security Checkup, Password Manager, passkeys and two-step verification.” (Sarah Lane, 06:07)
Notable Quotes & Memorable Moments
- “The plan would expand the government's cyber capacity but raises legal and security risks since private firms currently lack clear authority to conduct attacks and could become targets themselves.” (Sarah Lane, 00:17)
- “Admins now face rolling back the patches or leaving systems exposed. MSMQ has a history of critical remote code execution flaws.” (Sarah Lane, 01:40)
- “Phantom Stealer harvests browser credentials, financial and crypto data, keystrokes and tokens, exfiltrating the information via Telegram, Discord and FTP.” (Sarah Lane, 02:25)
- “The attack is attributed to the Scattered Lapsus$ Hunters group and has already cost JLR around £1.5 billion in lost sales and has been classified as a systemic event that could cost the UK economy more than 2 billion pounds.” (Sarah Lane, 03:12)
- “Opexus has acknowledged errors in hiring, termination and access controls and has enhanced background checks to 10 years.” (Sarah Lane, 05:05)
- “The extension was updated back in July and collects this data through injected JavaScript and sends it to two servers. The company shares raw data with its affiliated ad intelligence firm.” (Sarah Lane, 05:35)
- “Google said feedback claimed it didn't provide helpful next steps, and it plans to focus on tools going forward, offering actionable guidance like Security Checkup, Password Manager, passkeys and two-step verification.” (Sarah Lane, 06:07)
Timestamps for Important Segments
| Segment | Timestamp |
|-----------------------------------------------------|-------------|
| US enlists private cyber firms | 00:09–01:06 |
| Microsoft updates cause queuing failures | 01:07–01:49 |
| Russian phishing with Phantom Stealer | 01:50–02:38 |
| Jaguar Land Rover payroll breach | 02:39–03:19 |
| CISA adds Apple & Gladinet flaws | 04:04–04:35 |
| Opexus background check failure | 04:36–05:13 |
| Urban VPN Proxy intercepts AI chats | 05:14–05:45 |
| Google Dark Web Report Tool shutdown | 05:46–06:13 |
Conclusion
This episode presents urgent developments and breaches affecting both public and private sectors, highlights risky security gaps in software and hiring, and underscores the ongoing evolution of cyber threats, particularly state involvement in offensive operations, insider vulnerabilities, and the broadening scope of data harvesting in commonly trusted tools. The tone remains brisk and practical, in keeping with Sarah Lane's signature style.
