Transcript
A (0:02)
You're listening to the Cyberwire Network powered by N2K.
B (0:12)
Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full stack zero trust networks, including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R dot com slash cyberwire.

Apple and Google issue emergency updates to patch zero days. Google links five additional Chinese state backed hacking groups to React2Shell. France's Ministry of the Interior was hit by a cyber attack. Atlassian patches roughly 30 third party vulnerabilities. Microsoft says its December 2025 Patch Tuesday updates are breaking Message Queuing. Researchers uncover a massive exposed database with nearly 4.3 billion professional records openly accessible online. Britain's new MI6 chief warns of an aggressive, expansionist and revisionist Russia. We've got our Monday business brief. On today's Threat Vector, Michael Heller from Unit 42 chats with security leaders Greg Conti and Tom Cross to unpack the hacker mindset and the idea of dark capabilities. And a cyber holiday gift guide for the rest of us.

It's Monday, December 15th, 2025. I'm Dave Bittner, and this is your Cyberwire intel briefing. Thanks for joining us here today. Happy Monday. It is great to have you with us.
Apple and Google have both issued emergency security updates after zero day vulnerabilities were found under active exploitation in what they describe as sophisticated real world attacks. Apple released patches across iPhones, iPads and Macs to fix two WebKit flaws it says were used in highly targeted attacks, offering few technical details beyond confirming the exploits were already circulating. Google, meanwhile, updated Chrome's stable channel to address several bugs, including an actively exploited zero day, an out of bounds memory access flaw. Google acknowledged the exploit was in the wild and later revealed that Apple's security team and Google's Threat Analysis Group were involved in its discovery, suggesting spyware grade activity. The incidents add to a growing tally, with Apple patching nine in the wild zero days in 2025 and Google addressing eight in Chrome so far this year.

Google's Threat Intelligence team has linked five additional Chinese state backed hacking groups to active exploitation of the maximum severity React2Shell vulnerability. The flaw affects recent versions of the React JavaScript library and enables unauthenticated remote code execution with a single HTTP request, impacting React and Next.js applications using vulnerable server components. Attacks began shortly after public disclosure on December 3, with Palo Alto Networks reporting dozens of breaches and AWS warning that multiple China linked groups were exploiting the bug within hours. Google says the attackers are deploying a range of backdoors and tunneling tools, while other actors, including Iranian groups and cybercriminals, are also abusing the flaw. More than 116,000 systems remain exposed, highlighting widespread risk across Internet facing applications.

France's interior minister has confirmed that the Ministry of the Interior was hit by a cyber attack that compromised its email servers. The breach, detected overnight between December 11th and 12th, allowed attackers to access some document files, though authorities have not confirmed whether any data was stolen. In response, the ministry tightened security protocols and strengthened access controls while opening an investigation into the attack's origin and scope. Officials say multiple scenarios are being considered, including foreign interference, activist activity or cybercrime. The Interior Ministry, which oversees police, internal security and immigration services, is a high value target. The incident follows previous French attributions of state backed campaigns, including activity linked to Russia's APT28 group targeting government and diplomatic email systems.

Atlassian has released patches for roughly 30 third party vulnerabilities affecting multiple products, including several critical flaws. The most severe is a maximum severity XML external entity vulnerability in Apache Tika that could enable information disclosure, denial of service, SSRF or remote code execution via crafted PDF files. Atlassian products using Tika, including Jira, Confluence and Bamboo, have been fixed. The updates also address critical prototype pollution bugs and more than two dozen high severity issues across Atlassian's server and data center products. Users are urged to patch promptly.

Microsoft says its December 2025 Patch Tuesday updates are breaking Message Queuing, or MSMQ, on some Windows systems, disrupting enterprise applications and IIS websites. The issue affects multiple Windows versions after specific security updates are installed. Microsoft says recent changes to MSMQ's security model have altered permissions on a system folder, causing message failures unless users have administrative rights. Symptoms include stalled queues, application errors and misleading resource warnings. Microsoft is investigating but has not announced a fix, leaving administrators to weigh rolling back updates against security risks.

Researchers have uncovered a massive exposed database that left roughly 4.3 billion professional records openly accessible online. Cybersecurity researcher Bob Diachenko, working with Nexos AI, found the unsecured 16 terabyte MongoDB instance on November 23. It was secured two days later, but it remains unclear whether attackers accessed the data beforehand. Analysis showed multiple collections containing names, email addresses, phone numbers, job roles, employment history, education details, photos and links to professional profiles such as LinkedIn. Researchers say the data appears to have been aggregated from multiple sources, likely through large scale scraping, possibly including older leaks. While ownership has not been confirmed, evidence suggests ties to a lead generation business. Experts warn the database could enable highly targeted phishing, fraud and other social engineering attacks against professionals.

Britain's new MI6 chief, Blaise Metreweli, is warning that the United Kingdom now faces a constant, borderless threat environment, driven in large part by an aggressive, expansionist and revisionist Russia. In her first public speech, Metreweli says the front line is everywhere, pointing to cyber attacks, espionage, sabotage and other hybrid tactics as tools Moscow uses to export instability. She signals Britain's intent to increase pressure on the Kremlin until President Putin is forced to rethink his strategy. Her remarks follow recent UK sanctions targeting Russia's military, intelligence agency and cyber operators, as well as additional sanctions against Russian and Chinese groups accused of cyber and influence operations. Metreweli, the first woman to lead MI6, also emphasizes blending human intelligence with advanced technology, arguing officers must be as fluent in code as in languages. Still, she stresses that human judgment, ethics and agency will ultimately define security in the digital age.

Turning to our Monday business brief, cybersecurity and AI focused companies saw a surge of funding and deal activity last week, highlighted by several large investment rounds and acquisitions. Saviynt led the week with a $700 million Series B to accelerate identity security development and AI driven migration from legacy platforms. Eon raised $300 million to expand its cloud backup and AI analytics platform, while agentic AI security startups 7AI, Prime Security and Lumia collectively secured more than $160 million. Hardware and infrastructure players including Exadio and Niobium also attracted significant capital for AI and quantum resilient security technologies. At the lower end, multiple seed and pre seed rounds backed startups focused on impersonation prevention, identity security, AI governance and compliance. Mergers and acquisitions were equally active, with Proofpoint closing its $1.8 billion acquisition of Hornetsecurity and Checkmarx buying Tromzo to strengthen autonomous AppSec. Overall, the activity underscores sustained investor confidence in cybersecurity, particularly around AI, identity and software supply chain risk. Be sure to check out our complete business briefing newsletter on our website. It's part of Cyberwire Pro.

Coming up after the break on today's Threat Vector, Michael Heller from Unit 42 chats with security leaders Greg Conti and Tom Cross. They're unpacking the hacker mindset and the idea of dark capabilities. And a cyber holiday gift guide for the rest of us. Stick around.

What's your 2 a.m. security worry? Is it "Do I have the right controls in place?" Maybe "Are my vendors secure?" Or the one that really keeps you up at night: "How do I get out from under these old tools and manual processes?" That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.
