CyberWire Daily – “Another day, another emergency patch.”
Date: December 15, 2025
Host: Dave Bittner, N2K Networks
Episode Overview
This episode delivers a rapid-fire update on a series of major cybersecurity incidents, including emergency zero-day patches from Apple and Google, critical vulnerabilities in Atlassian products, a massive exposed database affecting billions, and a notable cyberattack on France's Ministry of the Interior. The episode also explores the evolving "hacker mindset" and "dark capabilities" within organizations through a deep-dive conversation, then wraps up with cybersecurity industry business news and a tongue-in-cheek holiday gift guide for security nerds.
Key News Highlights & Analysis
1. Emergency Zero-Day Patches: Apple and Google
- [01:06–03:04]
- Apple released urgent security updates for iPhones, iPads, and Macs to fix two WebKit zero-days being actively exploited. The company provided scant details but confirmed the attacks were “sophisticated and real-world.”
- Google patched Chrome’s stable channel to address multiple bugs, including an out-of-bounds memory access zero-day. The exploit was “in the wild” and was discovered jointly by Apple Security and Google’s Threat Analysis Group, a pairing that suggests it is “spyware-grade.”
- Trend: Both companies have addressed a high number of zero-days this year (Apple: 9; Google: 8 in Chrome), highlighting the increasing pace and sophistication of attacks.
“Apple and Google have both issued emergency security updates after zero-day vulnerabilities were found under active exploitation in what they describe as sophisticated real world attacks.” — Dave Bittner [01:36]
2. Chinese State-Backed Groups Target ‘React2Shell’ Vulnerability
- [03:10–04:20]
- Google’s Threat Intelligence team linked five Chinese state-backed hacking groups to attacks exploiting the maximum-severity React2Shell bug, which enables unauthenticated remote code execution in applications using React Server Components (including Next.js).
- Attacks began within hours of public disclosure, with reports from Palo Alto Networks and AWS indicating mass exploitation and the use of backdoors/tunneling tools. Iranian actors and cybercriminals also joined in.
- Over 116,000 systems remain exposed.
“Google says the attackers are deploying a range of backdoors and tunneling tools, while other actors including Iranian groups and cybercriminals are also abusing the flaw.” — Dave Bittner [03:57]
3. France Ministry of Interior Breach
- [04:30-05:23]
- Attackers compromised ministry email servers between Dec 11–12, accessing an undisclosed set of documents.
- Motives remain unclear; possibilities include foreign interference, activism, or cybercrime.
- The incident raises concern given the ministry’s role in police, internal security, and immigration.
- Follows a pattern of Russian-linked campaigns targeting French government systems.
4. Atlassian: 30 Third-Party Vulnerabilities Patched
- [05:26-06:17]
- Major patches addressed critical vulnerabilities, chiefly an XML external entity (XXE) vulnerability in Apache Tika (used by Jira, Confluence, and Bamboo).
- Prototype pollution bugs and over two dozen high-severity issues were also patched.
- Users advised to update immediately.
5. Microsoft Patch Tuesday: MSMQ Outages
- [06:22-07:14]
- Patch Tuesday updates disrupted Microsoft Message Queuing (MSMQ) on multiple Windows versions, breaking enterprise applications and IIS sites.
- Root cause: The update changed permissions on a system folder MSMQ depends on, so only administrators can still use the service.
- Microsoft is investigating; until a fix ships, the only interim option is to weigh uninstalling the update against the security exposure that creates.
6. 4.3 Billion Professional Records Exposed
- [07:18–08:22]
- Researcher Bob Diachenko and Nexos AI found an unsecured 16TB MongoDB instance with over 4.3 billion records (names, emails, job history, LinkedIn-like data).
- Impact: Enables highly targeted phishing, fraud, and social engineering.
- This appears to tie back to a lead generation business; provenance remains unclear.
7. Britain’s New MI6 Chief Warns of Russian Cyber Threats
- [08:29–09:51]
- Blaise Metreweli, the first woman to lead MI6, warns of a “constant, borderless threat environment” and an “aggressive, expansionist, and revisionist Russia.”
- Emphasizes cyber attacks as part of hybrid tactics and the need for blending tech and human intelligence.
“The front line is everywhere, pointing to cyber attacks, espionage, sabotage and other hybrid tactics as tools Moscow uses to export instability.” — Dave Bittner [09:01]
8. Cybersecurity Business Brief: Surge in AI and Security Investment
- [09:55-11:43]
- Highlights from the week:
- Saviynt: $700M Series B for identity security/AI
- Aeon: $300M for cloud backup/AI analytics
- Multiple seed/pre-seed rounds in AI governance, compliance, impersonation prevention.
- Proofpoint closed its $1.8B Hornetsecurity acquisition.
- Checkmarx bought Tromso for autonomous AppSec.
- Trend: Big investor confidence in AI, identity, and supply chain security.
In-Depth Segment: The Hacker Mindset & Dark Capabilities
Threat Vector Conversation
Featuring: Michael Heller (Unit 42), Greg Conti, and Tom Cross
[14:15–22:46]
Conference Censorship:
- Their provocative slide, titled “Capabilities Companies Might Use in a Military Conflict,” was removed at a corporate conference for being uncomfortable, so they moved the talk to DEF CON.
“The conference was very uncomfortable with us having that conversation. They asked us to remove the slide.” — Tom Cross [15:59–16:05]
Corporate Superpowers & Dual-Use Tech:
- Every company possesses latent capabilities (or “superpowers”) that could be used offensively—sometimes even without their knowledge or intention.
- Example: A dating site, if “turned evil,” could abuse its mass data holdings at scale.
Aligning Capabilities with Strategy:
- Organizations and governments must understand and control these capabilities to prevent misuse by employees, adversaries, or even other nations.
- Solutions:
  - Technical controls (designing systems so abuses are difficult or transparent)
  - Institutional transparency and possible NGO audits
  - Use of “warrant canaries” (transparency signals)
“You could have a technical architecture which makes this thing either difficult to do or which makes it transparent if done right…maybe, you know, a third party NGO could come in and audit and publicly say they're not doing it.” — Tom Cross [18:36]
Persistent Security Challenges:
- Despite wishful thinking, AI-generated code is “just as vulnerable” as human-written code.
“AI generated code is going to have fewer vulnerabilities, which is nonsense. It's got the same number… it's writing [code] in the same way that humans do.” — Tom Cross [20:50]
The Bigger Picture:
- The discipline of information security is only growing in complexity and importance.
- Embedded systems and “robotics” bring new classes of vulnerabilities.
Takeaway:
- True security requires anticipating abuse, engineering for transparency and resilience, and constant vigilance—not just compliance.
Notable Quotes
| Timestamp | Speaker | Quote |
|-------------|--------------|-------|
| 01:36 | Dave Bittner | "Apple and Google have both issued emergency security updates after zero-day vulnerabilities were found under active exploitation in what they describe as sophisticated real world attacks." |
| 09:01 | Dave Bittner | "The front line is everywhere, pointing to cyber attacks, espionage, sabotage and other hybrid tactics as tools Moscow uses to export instability." |
| 15:59–16:05 | Tom Cross | "The conference was very uncomfortable with us having that conversation. They asked us to remove the slide." |
| 18:36 | Tom Cross | "You could have a technical architecture which makes this thing either difficult to do or which makes it transparent if done right…maybe, you know, a third party NGO could come in and audit and publicly say they're not doing it." |
| 20:50 | Tom Cross | "AI generated code is going to have fewer vulnerabilities, which is nonsense. It's got the same number… it's writing [code] in the same way that humans do." |
Cybersecurity Holiday Gift Guide (by Zack Whittaker)
- [25:05–26:42]
- Lampoons traditional “bad” gift guides; offers practical, security-minded gift ideas:
- Support for independent journalism
- Data removal services for the privacy-conscious
- Password managers for habitual password re-users
- Flipper Zero or Shodan for the curious tinkerer
- Coffee subscriptions, home labs with NAS for comfort and creativity
- Tone: Light, irreverent, focused on real utility and avoiding “turning someone into a breach waiting to happen”
Recognition & Team Shout-Out
- SANS Difference Maker Awards:
- Host Dave Bittner thanks listeners for voting and celebrates CyberWire’s team effort in earning the honor.
“I say every day that I have the best job in the world because every day I get to talk to smart, interesting people about amazing things and then share the things that I learn with the rest of the world.” — Dave Bittner [27:11]
Key Timestamps
- 01:06 — Apple, Google zero-day emergencies
- 03:10 — Chinese state hackers and React2Shell
- 04:30 — France Ministry breach
- 05:26 — Atlassian vulnerabilities
- 06:22 — Microsoft MSMQ issues
- 07:18 — 4.3B records exposed
- 08:29 — UK MI6 chief’s warning
- 09:55 — Cybersecurity business/VC roundup
- 14:15 — Threat Vector roundtable on hacker mindset
- 18:36 — “Technical architecture makes abuse difficult or transparent”
- 20:50 — AI code is as vulnerable as human code
- 25:05 — Security holiday gift guide
- 27:11 — Show and team recognition
Summary Takeaway
This episode offers a vital pulse check on security’s front lines—zero-days, nation-state threats, mass data exposures—as well as guidance on how attackers, and those tasked with stopping them, really think. It underscores the need for transparency, technical controls over organizational “superpowers,” and a relentless, pragmatic approach to cybersecurity amid ever-expanding risks.
