Transcript
A (0:00)
Some of you may have missed Wednesday's edition. We had a situation at our hosting partner which prevented our RSS feed from reaching Google speakers. If this happens again, please remember you can simply ask for Cybersecurity Today using YouTube Music on your Google speakers. I hope you won't need it, but if it happens again, give that a try.

Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution that's built for performance and scale. You can find them at meter.com/CST.

Spiderman phishing kit hits European banks and crypto users, Gogs zero day lets attackers hijack self-hosted Git servers, Windows PowerShell zero day patched in December updates, and Google patches a Gemini zero-click flaw that exposed Workspace data. This is Cybersecurity Today. I'm your host, Jim Love.

A new phishing kit called Spiderman is going after customers of European banks and cryptocurrency services using pixel-perfect copies of real sites. Researchers at Varonis say the platform lets criminals spin up phishing pages that are almost indistinguishable from the real thing and then harvest login credentials, two-factor authentication codes and credit card data. Spiderman currently targets financial institutions in five countries, including big names like Deutsche Bank, ING, O2, CaixaBank, Volksbank and Commerzbank. It can also build fake portals for fintech and crypto services including Klarna, PayPal and wallets like Ledger, MetaMask and Exodus. According to Varonis, because Spiderman is modular, new banks, portals and authentication methods can be added easily. One of the criminal groups using it on Signal already has about 750 members.

From a central dashboard, operators can watch victim sessions in real time, grab credentials, export everything with one click, intercept photoTAN and one-time passcodes, and capture full credit card details. The basic defense hasn't changed. These kits still need you to click on a link, so the safest move is to check the domain carefully before you enter any credentials, be suspicious of any browser-in-the-browser windows, and treat any unexpected 2FA prompt as a warning that someone may be trying to take over your account. The best defense might be paying attention to that nagging feeling that this might not be the right thing to click on. In other words, the best defense might be Spidey sense.

A zero day in Gogs, a popular self-hosted Git service, is being actively exploited, and there's still no official patch. Wiz Threat Research says the flaw, tracked as CVE-2025-8110, is a symlink bypass of an earlier remote code execution bug, CVE-2024-55947, and it lets authenticated users overwrite files outside the repository to achieve remote code execution. Gogs is written in Go, it's designed to be lightweight and easy to deploy, and it's used as an on-prem or cloud alternative to GitLab or GitHub Enterprise. That convenience comes with a downside. Wiz found about 1,400 Gogs servers exposed to the Internet, many with open registration enabled by default, and says more than 700 of them show clear signs of compromise. In their words, "During our analysis of the exploitation attempts, we identified that the threat actor was leveraging a previously unknown flaw to compromise instances. We responsibly disclosed this vulnerability to the maintainers. They are currently working on a fix, but active exploitation continues in the wild." The new bug works because, as Wiz put it, "unfortunately, an earlier fix implemented for the previous CVE didn't account for symbolic links." The actual attack chain is simple.

An attacker with the ability to create a repository commits a symbolic link that points to a sensitive file outside the repo. Then they can use the PutContents API to write through that symlink and overwrite the target file. And by overwriting the Git config, and specifically the SSH command, they can get the system to execute arbitrary commands and take over the server. Until there is a patch, the minimum steps are to disable open registration if you don't need it, put Gogs behind a VPN or IP allow list at the minimum, and look for suspicious repos with random eight-character names created in a tight time window. And if your instance is Internet-facing and running version 0.13.3 or earlier, you should assume you are at risk and get more detailed guidance from research blogs like the one from Wiz or the CVE advisory.

Microsoft has fixed a newly disclosed zero day vulnerability in Windows PowerShell that could allow attackers to execute malicious code if they can persuade someone to run a crafted command or script. The flaw is tracked as CVE-2025-54100 and carries a CVSS score of 7.8. It's important. According to Cybersecurity News, the bug comes down to improper neutralization of special elements in PowerShell, essentially a command injection weakness. The attack requires local access and user interaction, so this is not a wormable network exploit by itself. But if an attacker can convince a user to run a script, or can already execute commands on a machine, they can use this flaw to run arbitrary code in a more controlled or stealthy way. And let's face it, getting people to run a script is not impossible. Microsoft has shipped the fix as part of the December 2025 Patch Tuesday rollup, which includes more than 50 vulnerabilities across Windows, including three zero days on supported systems.

Installing updates like KB5071546, KB5071544, KB5072033 and KB5074204 closes the hole, and on some builds PowerShell now shows a warning when scripts use Invoke-WebRequest, adding a safer parsing mode from newer PowerShell versions. Please note that a reboot is required before the fix is fully in place. It's easy to overlook a PowerShell bug compared to a browser or a VPN flaw, but PowerShell is deeply embedded in automation and admin workflows, so if you rely on scripts for deployment, management or incident response, this is one of those updates you really do need to schedule, test and roll out as quickly as you reasonably can.

Google has patched a zero day vulnerability in Gemini Enterprise that turned hidden instructions inside ordinary Workspace content into a data exfiltration channel. The flaw, named GeminiJack by researchers at Noma Labs, allowed attackers to plant prompt injection payloads in places like shared Google Docs, calendar invites or emails and have Gemini execute them without any clicks or obvious warning to the user. Dark Reading reports that Noma described GeminiJack as an architectural weakness in the way enterprise AI systems interpret information. Because Gemini Enterprise has access to Gmail, Calendar, Docs and other Workspace data, once it pulled a poisoned document into context, it could run the attacker's hidden instructions, search across corporate content for terms like "budget" or "acquisition", and then send the results out via an external image URL controlled by the attacker. And all of that would happen through what looked like normal assistant behavior. Noma worked with Google to validate the findings. Google then changed how Gemini Enterprise and Vertex AI Search interact with retrieval and indexing, and rolled out a fix globally. The company says it's addressed the specific flaw and has not seen evidence of widespread exploitation.

But Noma and other commentators are clear that this is a sign of things to come, not a one-off. Any agentic AI that reads across email, documents and calendars, no matter who supplies it, can turn shared content into an instruction channel if it's not carefully constrained. Google has published a long-term security blueprint for agentic browsing and AI assistance, but delivering that will take time and architectural work across Chrome, Workspace and their AI stack. In the meantime, administrators need to educate users about how AI tools process embedded content, make risk-based decisions about enabling AI features, and review Google security guidance for Workspace and Gemini Enterprise. And speaking personally, this is the point where I'd be looking at sandboxing, creating safe, limited environments where people can experiment with these tools and get some training while we all get a better handle on how autonomous AI is going to behave under real-world circumstances.

And that's our show. We'd like to thank Meter for their support in bringing you this podcast. Meter delivers full-stack networking infrastructure, wired, wireless and cellular, to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware and the firmware, build the software, manage deployments and run support. It's a single integrated solution that scales from branch offices to warehouses and large campuses to data centers. Book a demo at meter.com/CST, that's M-E-T-E-R dot com slash CST. And we've got a great weekend show for you. Hope to catch you there, but if not, David Shipley will be back in the News Chair on Monday. I'm your host, Jim Love. Thanks for listening.
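As an added example, not code from the podcast or from Wiz: a small Python script that applies the detection heuristic mentioned in the Gogs segment (random eight-character repo names created in a tight time window) to a constructed list of repository records shaped like Gogs API repo objects. The randomness rule, the ten-minute window and the three-repo threshold are assumptions to tune for your own instance.

```python
import re
from datetime import datetime, timedelta

# Heuristic for machine-generated names: exactly 8 alphanumerics that mix
# upper case, lower case and digits (the threshold is an assumption; tune it).
NAME_RE = re.compile(r"^[A-Za-z0-9]{8}$")

def looks_random(name: str) -> bool:
    """True when a repo name looks like a random 8-character string."""
    if not NAME_RE.match(name):
        return False
    has_lower = any(c.islower() for c in name)
    has_upper = any(c.isupper() for c in name)
    has_digit = any(c.isdigit() for c in name)
    return has_lower and has_upper and has_digit

def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp like the created_at field of a Gogs repo."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def find_burst(repos, window=timedelta(minutes=10), min_count=3):
    """Return random-named repos that cluster: at least min_count of them
    created within any sliding window of the given length."""
    cands = sorted((r for r in repos if looks_random(r["name"])),
                   key=lambda r: parse_ts(r["created_at"]))
    times = [parse_ts(r["created_at"]) for r in cands]
    flagged = set()
    for i, start in enumerate(times):
        j = i
        while j + 1 < len(times) and times[j + 1] - start <= window:
            j += 1
        if j - i + 1 >= min_count:          # burst found: flag the whole run
            flagged.update(range(i, j + 1))
    return [cands[k] for k in sorted(flagged)]

# Constructed sample in the shape of Gogs API repo objects (not real data).
SAMPLE_REPOS = [
    {"name": "website",  "owner": "alice",   "created_at": "2025-12-10T09:00:00Z"},
    {"name": "k9Qx2mZa", "owner": "guest17", "created_at": "2025-12-10T09:01:10Z"},
    {"name": "T7vLp0Qd", "owner": "guest17", "created_at": "2025-12-10T09:02:05Z"},
    {"name": "Zr3nW8Hq", "owner": "guest18", "created_at": "2025-12-10T09:04:30Z"},
    {"name": "hotfix01", "owner": "bob",     "created_at": "2025-12-10T09:05:00Z"},
    {"name": "a1B2c3D4", "owner": "guest20", "created_at": "2025-12-11T15:00:00Z"},
]

if __name__ == "__main__":
    for r in find_burst(SAMPLE_REPOS):
        print(f"review: {r['owner']}/{r['name']} created {r['created_at']}")
```

Feed it the output of your instance's repository listing and treat each flagged run as a starting point for checking those repos for symlinks and modified Git configuration.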
