A
You're listening to the CyberWire Network, powered by N2K.
B
Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero trust networks, including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless, transform complexity into simplicity and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R dot com slash cyberwire.

Apple and Google issue emergency updates to patch zero-days. Google links five additional Chinese state-backed hacking groups to React2Shell. France's Ministry of the Interior was hit by a cyberattack. Atlassian patches roughly 30 third-party vulnerabilities. Microsoft says its December 2025 Patch Tuesday updates are breaking message queuing. Researchers uncover a massive exposed database with nearly 4.3 billion professional records openly accessible online. Britain's new MI6 chief warns of an aggressive, expansionist and revisionist Russia. We've got our Monday business brief. On today's Threat Vector, Michael Heller from Unit 42 chats with security leaders Greg Conti and Tom Cross to unpack the hacker mindset and the idea of dark capabilities. And a cyber holiday gift guide for the rest of us.

It's Monday, December 15th, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. Happy Monday. It is great to have you with us.
Apple and Google have both issued emergency security updates after zero-day vulnerabilities were found under active exploitation in what they describe as sophisticated real-world attacks. Apple released patches across iPhones, iPads and Macs to fix two WebKit flaws it says were used in highly targeted attacks, offering few technical details beyond confirming the exploits were already circulating. Google, meanwhile, updated Chrome's stable channel to address several bugs, including an actively exploited zero-day, an out-of-bounds memory access flaw. Google acknowledged the exploit was in the wild and later revealed Apple's security team and Google's Threat Analysis Group were involved in its discovery, suggesting spyware-grade activity. The incidents add to a growing tally, with Apple patching nine in-the-wild zero-days in 2025 and Google addressing eight in Chrome so far this year.

Google's Threat Intelligence team has linked five additional Chinese state-backed hacking groups to active exploitation of the maximum-severity React2Shell vulnerability. The flaw affects recent versions of the React JavaScript library and enables unauthenticated remote code execution with a single HTTP request, impacting React and Next.js applications using vulnerable server components. Attacks began shortly after public disclosure on December 3, with Palo Alto Networks reporting dozens of breaches and AWS warning that multiple China-linked groups were exploiting the bug within hours. Google says the attackers are deploying a range of backdoors and tunneling tools, while other actors, including Iranian groups and cybercriminals, are also abusing the flaw. More than 116,000 systems remain exposed, highlighting widespread risk across Internet-facing applications.

France's interior minister has confirmed that the Ministry of the Interior was hit by a cyberattack that compromised its email servers.
The breach, detected overnight between December 11th and 12th, allowed attackers to access some document files, though authorities have not confirmed whether any data was stolen. In response, the ministry tightened security protocols and strengthened access controls while opening an investigation into the attack's origin and scope. Officials say multiple scenarios are being considered, including foreign interference, activist activity or cybercrime. The Interior Ministry, which oversees police, internal security and immigration services, is a high-value target. The incident follows previous French attributions of state-backed campaigns, including activity linked to Russia's APT28 group targeting government and diplomatic email systems.

Atlassian has released patches for roughly 30 third-party vulnerabilities affecting multiple products, including several critical flaws. The most severe is a maximum-severity XML external entity (XXE) vulnerability in Apache Tika that could enable information disclosure, denial of service, SSRF or remote code execution via crafted PDF files. Atlassian products using Tika, including Jira, Confluence and Bamboo, have been fixed. The updates also address critical prototype pollution bugs and more than two dozen high-severity issues across Atlassian's Server and Data Center products. Users are urged to patch promptly.

Microsoft says its December 2025 Patch Tuesday updates are breaking Message Queuing, or MSMQ, on some Windows systems, disrupting enterprise applications and IIS websites. The issue affects multiple Windows versions after specific security updates are installed. Microsoft says recent changes to MSMQ's security model altered permissions on a system folder, causing message failures unless users have administrative rights. Symptoms include stalled queues, application errors and misleading resource warnings.
Microsoft is investigating but has not announced a fix, leaving administrators to weigh rolling back updates against security risks.

Researchers have uncovered a massive exposed database that left roughly 4.3 billion professional records openly accessible online. Cybersecurity researcher Bob Diachenko, working with Nexos.ai, found the unsecured 16-terabyte MongoDB instance on November 23. It was secured two days later, but it remains unclear whether attackers accessed the data beforehand. Analysis showed multiple collections containing names, email addresses, phone numbers, job roles, employment history, education details, photos and links to professional profiles such as LinkedIn. Researchers say the data appears to have been aggregated from multiple sources, likely through large-scale scraping, possibly including older leaks. While ownership has not been confirmed, evidence suggests ties to a lead generation business. Experts warn the database could enable highly targeted phishing, fraud and other social engineering attacks against professionals.

Britain's new MI6 chief, Blaise Metreweli, is warning that the United Kingdom now faces a constant, borderless threat environment, driven in large part by an aggressive, expansionist and revisionist Russia. In her first public speech, Metreweli says the front line is everywhere, pointing to cyberattacks, espionage, sabotage and other hybrid tactics as tools Moscow uses to export instability. She signals Britain's intent to increase pressure on the Kremlin until President Putin is forced to rethink his strategy. Her remarks follow recent UK sanctions targeting Russia's military intelligence agency and cyber operators, as well as additional sanctions against Russian and Chinese groups accused of cyber and influence operations. Metreweli, the first woman to lead MI6, also emphasizes blending human intelligence with advanced technology, arguing officers must be as fluent in code as in languages.
Still, she stresses that human judgment, ethics and agency will ultimately define security in the digital age.

Turning to our Monday business brief: cybersecurity- and AI-focused companies saw a surge of funding and deal activity last week, highlighted by several large investment rounds and acquisitions. Saviynt led the week with a $700 million Series B to accelerate identity security development and AI-driven migration from legacy platforms. Eon raised $300 million to expand its cloud backup and AI analytics platform, while agentic AI security startups 7AI, Prime Security and Lumia collectively secured more than $160 million. Hardware and infrastructure players including Exadio and Niobium also attracted significant capital for AI and quantum-resilient security technologies. At the lower end, multiple seed and pre-seed rounds backed startups focused on impersonation prevention, identity security, AI governance and compliance. Mergers and acquisitions were equally active, with Proofpoint closing its $1.8 billion acquisition of Hornetsecurity and Checkmarx buying Tromzo to strengthen autonomous AppSec. Overall, the activity underscores sustained investor confidence in cybersecurity, particularly around AI, identity and software supply chain risk. Be sure to check out our complete business briefing newsletter on our website. It's part of CyberWire Pro.

Coming up after the break on today's Threat Vector, Michael Heller from Unit 42 chats with security leaders Greg Conti and Tom Cross. They're unpacking the hacker mindset and the idea of dark capabilities. And a cyber holiday gift guide for the rest of us. Stick around.

What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in.
Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.
C
This message may be shocking to many millennials. If you are one, you might want to sit down right now. Loads of people are searching the following on Depop: low-rise jeans, halter top, velour tracksuit, puka shell necklace, disc belt. You likely placed these in the dark of your closet in 2004, never to be seen again. But if you can find it in yourself to dust them off, there are a lot of people who will give you money for them. Sell on Depop, where taste recognizes taste.
B
On this week's Threat Vector segment, Michael Heller, managing editor for Cortex and Unit 42 and executive producer of the podcast, sits down with longtime security leaders Greg Conti and Tom Cross to unpack the hacker mindset and the idea of dark capabilities inside modern technology companies.
D
Hi, I'm David Moulton, host of the Threat Vector podcast, where we break down cybersecurity threats, resilience and the industry trends that matter the most. Last week, executive producer Michael Heller sat down with Greg Conti and Tom Cross for a conversation that pulls back the curtain on how attackers really think. They explore the adversarial hacker mindset and expose the dangerous gap between what your security products promise and what they actually deliver when someone skilled decides to break them apart. Scariest part? The risks aren't hidden at all; they're right there in plain sight.
E
So the backstory of our talk is that Greg and I gave a talk at a very, we'll say, corporate computer security conference, and we had a slide in it that talked about capabilities that companies might use in a military conflict that they don't realize they have. Right. How might they use the capabilities of their organization in an offensive way in the midst of a conflict, which they might choose to do depending upon their valence to that conflict?
B
Right.
E
And the conference was very uncomfortable with us having that conversation.
F
They asked us to remove the slide.
E
They asked us to remove the slide. And so Greg said, well, okay, we're going to do an entire talk based on that slide and we're going to do it at DEF CON, where we're allowed.
F
Yeah, we can have the conversation.
E
We're allowed to wade into these, like, ethically challenging discussions. And I think it's great. Like, DEF CON is the right room for these kinds of dialogues. And again, my point is that, you know, they're vital to have. I think it's valuable to put on the black hat and look at things from that perspective and understand that. And then what you choose to do with it is your decision. Right. And so, you know, any tool has both, like, malicious and beneficial uses.
F
Before your adversaries do the same to you.
E
So one of the things that we recommended was that, you know, the governments consider this. So we talked about what companies should do, which is something we've discussed. We also talked about what governments should do. And governments could think about what kinds of capabilities exist within companies that could be used in, we'll say, evil ways. But then they have to ask, maybe they want to use them. But then they have to ask, maybe another state will come in and use them in a way that's not aligned with my strategy. Or maybe the people that run that company will use that capability in a way that's not aligned with my strategy. And this really happens in places where conflicts are occurring. Companies may independently shut off a satellite system, so they're making their own choices that affect the course of events. Right. And so, looking at all of it, you have to understand what the capability is to ask those three different questions. Right. And then, what can you do to make sure that that capability is in fact used in a way that's aligned with your strategic objectives and not someone else's?
G
Once you find these points, these products that can be used in a malicious way, whatever. What then? Like, obviously you can put in policies where, you know, you're not going to comply with government. You can't put in policies. You have to put in technical...
D
Well, I mean.
E
You have to remove.
G
Capability or you have to.
E
Yeah. So what is the list? Certainly you could remove capability.
B
Right.
E
You could have a technical architecture which makes this thing either difficult to do or which makes it transparent if done right. There are also, I think, institutional processes. Perhaps it's not possible for you to prevent the institution from deciding to do it, but you could design things in such a way that lots of people in the institution would know if it was being done. Right. So that it can't be done, you know, sort of quietly in a corner. And then one of the things that I talked about is, like, maybe, you know, a third-party NGO could come in and audit and publicly say they're not doing it. And, you know, if that relationship were to break down, the organization may not admit that they're doing it now, but it, you know, sort of creates that assumption. So there's this concept, I don't know if you've ever heard of the concept of a warrant canary. You know, if you're running a social media site, you might put something out there that says, I've never had to respond to a warrant for which I was, you know, prohibited from disclosing. And then if the warrant canary goes away, we can make certain assumptions. Right.
F
I've always thought, like, that's legal? You can do it?
E
I don't know. Right.
G
Yeah, we've seen companies do it.
E
There certainly are warrant canaries out there. Yeah, you know, maybe the government tells you you can't take your warrant canary down.
G
And I'm pretty sure that Google, like as part of Google's transparency report, I'm quite sure I've seen them use canaries before.
E
Interesting.
G
I would have to go back and double check, but I've definitely seen that in use.
F
Every company has superpowers. You mentioned industrial control systems. Right. Clearly they have powerful tech that, if maliciously used, can be highly impactful. But what we're finding is basically every major company has superpowers. Imagine what a dating site... Just for the sake of making this simpler, just think about an evil dating site. What type of data leakage could be collected from that? And also at scale.
E
So, I mean, I do think that the practice of information security becomes more and more vital as time goes on. I mean, it's always this question of, are we going to maybe solve the problem, right, because we just get really good at coaching developers to write better code? Or we've got this whole debate about AI and whether AI-generated code is going to have fewer vulnerabilities, which is nonsense. It's got the same number of vulnerabilities, because it's reading code that humans wrote and it's writing it in the same way that humans do. And so it's pretty much producing the same volume of vulnerabilities that humans were. But there's always been this question; people have been asking this question for years. It's like, are we going to fundamentally address some of these problems in a way that means that there isn't as much of a need for this kind of work? And I think I'm continually amazed by how this whole conference continues to expand and grow every year, and the scale that it's functioning at now. DEF CON used to be maybe 1,000 people in a single conference room in a hotel somewhere. And so, I mean, I think these issues are going to continue to get more and more complicated. And so I feel like there's a lot more work to do in infosec. And I think we're talking about these robots. It's a lot of these embedded systems. They don't have the degree of hardening of some of the sort of traditional computers that we use or our ph
D
This isn't just another security discussion. It's about rewiring how you think so you can spot vulnerabilities before the attackers do and build defenses that actually hold up under pressure. If this got your attention, don't wait. Listen to the full episode now in your Threat Vector podcast feed. It's called The Adversarial Hacker Mindset, and it's live now. Thanks for listening. Stay secure. Goodbye for now.
B
Be sure to check out the full episode of Threat Vector wherever you get your favorite podcasts.
H
Ford BlueCruise hands-free highway driving takes the work out of being behind the wheel, allowing you to relax and reconnect while also staying in control. Enjoy the drive in BlueCruise-enabled vehicles like the F-150, Explorer and Mustang Mach-E. Available feature on equipped vehicles. Terms apply. Does not replace safe driving. See ford.com/bluecruise for more details.
A
This episode is brought to you by Indeed. You're ready to move your business forward. But first, you need to find the right team. Start your search with Indeed Sponsored Jobs. It can help you reach qualified candidates fast, ensuring your listing is the first one they see. According to Indeed data, sponsored jobs are 90% more likely to report a hire than non-sponsored jobs. See the results for yourself. Get a $75 sponsored job credit at indeed.com/podcast. Terms and conditions apply.
B
And finally, journalist Zack Whittaker's holiday cyber gift guide opens by admitting what many readers already know: gift guides are usually terrible, endless lists, questionable recommendations, and very little actual help. This one, he says, is meant to spare you that pain. The idea is to suggest gifts that improve security, privacy, or curiosity without accidentally turning someone into a breach waiting to happen. Whittaker's picks are practical, optional, and deliberately unsalesy. He points readers toward supporting independent journalism, because good reporting is still one of the best defenses we have. He suggests data removal services for anyone uneasy about their digital exhaust, password managers for people still reusing the same login everywhere, and tools like Flipper Zero or Shodan for those with a healthy, harmless curiosity about how tech really works. There are also creature comforts like coffee subscriptions and long-term projects like building a home lab with a NAS. The tone stays lightly irreverent throughout. No kickbacks, no guilt, just thoughtful ideas from someone who's seen how badly security gifts can go wrong.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. One final note before we go. You may recall that not too long ago we asked for your help voting for an award I was nominated for, the SANS Difference Makers Awards. I'm pleased to report that, thanks to all of you who voted, we won. Last night I was honored to accept the award live at the awards gala in Washington, DC. Thank you all.
I
Thanks to SANS. Thanks to everyone out here. I say every day that I have the best job in the world, because every day I get to talk to smart, interesting people about amazing things and then share the things that I learn.
B
With the rest of the world.
I
I've been doing this for just about 10 years now. I've interviewed over 5,000 people. Some of the people in this room I've had the pleasure of speaking with. I am just the most public-facing person that is part of an amazing team at the CyberWire who make it all look easy. Our producers, our editors, the people who keep the doors open by doing ad sales. Our CEO, Peter Kilpe. Every day it is our privilege to be able to bring the news to you and keep you all informed. So I am honored to receive this and I thank you all.
B
Take care.
E
Thanks.
B
This show is truly a team effort, and I'm thankful for everyone who plays a role in making it possible for us to bring you the news and information that help make our world a little safer every day. Thanks to all of you, our listeners, for supporting our efforts. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester, with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
D
Two kinds of phishing out here: one for fish, one for your data. Hackers try to hook you, but Cisco Duo keeps every user and device protected. Cisco Duo. Phishing season is over. Learn more at duo.com.
Date: December 15, 2025
Host: Dave Bittner, N2K Networks
This episode delivers a rapid-fire update on a series of major cybersecurity incidents, including emergency zero-day patches from Apple and Google, Atlassian patches for roughly 30 third-party vulnerabilities (led by a maximum-severity XXE flaw in Apache Tika), a massive exposed database affecting billions of professional records, and a cyberattack on France's Ministry of the Interior. The episode also explores the "hacker mindset" and "dark capabilities" within organizations through a deep-dive conversation, then wraps up with cybersecurity industry business news and a tongue-in-cheek holiday gift guide for security nerds.
[01:06-03:04]
“Apple and Google have both issued emergency security updates after zero-day vulnerabilities were found under active exploitation in what they describe as sophisticated real world attacks.” — Dave Bittner [01:36]
[03:10-04:20]
“Google says the attackers are deploying a range of backdoors and tunneling tools, while other actors including Iranian groups and cybercriminals are also abusing the flaw.” — Dave Bittner [03:57]
[08:29–09:51]
“The front line is everywhere, pointing to cyber attacks, espionage, sabotage and other hybrid tactics as tools Moscow uses to export instability.” — Dave Bittner [09:01]
Featuring: Michael Heller (Unit 42), Greg Conti, and Tom Cross
[14:15–22:46]
Conference Censorship:
Their slide on capabilities that companies might use in a military conflict without realizing they have them made a corporate security conference uncomfortable enough to ask for its removal, so they built an entire talk around it and took it to DEF CON instead.
“The conference was very uncomfortable with us having that conversation. They asked us to remove the slide.” — Tom Cross [15:59–16:05]
Corporate Superpowers & Dual-Use Tech:
The guests argue that every major company, not just industrial control system operators, holds "superpowers": capabilities that are highly impactful if maliciously used. Even a dating site, run by a bad actor, could collect and leak sensitive data at scale.
Aligning Capabilities with Strategy:
Organizations and governments must understand AND control these capabilities to prevent misuse by employees, adversaries, or even outside nations.
Solutions:
- Technical controls (designing systems so abuses are difficult or transparent)
- Institutional transparency and possible NGO audits
- Use of "warrant canaries" (transparency signals)
“You could have a technical architecture which makes this thing either difficult to do or which makes it transparent if done right…maybe, you know, a third party NGO could come in and audit and publicly say they're not doing it.” — Tom Cross [18:36]
Persistent Security Challenges:
Despite wishful thinking, Cross argues AI-generated code has the same number of vulnerabilities as human-written code, because the models learn from and reproduce the code humans write.
“AI generated code is going to have fewer vulnerabilities, which is nonsense. It's got the same number… it's writing [code] in the same way that humans do.” — Tom Cross [20:50]
The Bigger Picture:
Cross argues the need for information security keeps growing rather than shrinking: DEF CON has expanded from roughly a thousand people in a single hotel conference room to its current scale, and the robots and embedded systems now proliferating lack the hardening of traditional computers.
Key Quotes:
| Timestamp | Speaker | Quote |
|-----------|---------|-------|
| 01:36 | Dave Bittner | "Apple and Google have both issued emergency security updates after zero-day vulnerabilities were found under active exploitation in what they describe as sophisticated real world attacks." |
| 09:01 | Dave Bittner | "The front line is everywhere, pointing to cyber attacks, espionage, sabotage and other hybrid tactics as tools Moscow uses to export instability." |
| 15:59–16:05 | Tom Cross | "The conference was very uncomfortable with us having that conversation. They asked us to remove the slide." |
| 18:36 | Tom Cross | "You could have a technical architecture which makes this thing either difficult to do or which makes it transparent if done right…maybe, you know, a third party NGO could come in and audit and publicly say they're not doing it." |
| 20:50 | Tom Cross | "AI generated code is going to have fewer vulnerabilities, which is nonsense. It's got the same number… it's writing [code] in the same way that humans do." |
| 27:11 | Dave Bittner | "I say every day that I have the best job in the world because every day I get to talk to smart, interesting people about amazing things and then share the things that I learn with the rest of the world." |
Takeaway:
This episode offers a vital pulse check on security's front lines, covering zero-days, nation-state threats and mass data exposures, as well as guidance on how attackers, and those tasked with stopping them, really think. It underscores the need for transparency, technical controls over organizational "superpowers," and a relentless, pragmatic approach to cybersecurity amid ever-expanding risks.