A
You're listening to the Cyberwire Network powered by N2K.
B
Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero trust networks including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R dot com slash cyberwire.
Venezuela's state oil company blames a cyber attack on the U.S. An Iranian hacker group offers cash bounties for doxing Israelis. Germany's lower house of parliament suffers a major email outage. South Korea's e-commerce breach exposes personal information of nearly all of that nation's adults. Researchers report active exploitation of two critical Fortinet authentication bypass vulnerabilities and three critical vulnerabilities in the FreePBX VoIP platform. An auto industry credit reporting agency suffers a data breach. Google is shutting down its dark web reporting service. European law enforcement dismantles a Ukrainian fraud network. Our guest is Christiaan Beek, senior director of Threat Intelligence and Analytics at Rapid7, discussing how attackers are accelerating exploitation, refining ransomware and expanding nation state operations. And a Pornhub breach proves the Internet never forgets. It's Tuesday, December 16, 2025.
I'm Dave Bittner and this is your CyberWire Intel Brief. Thanks for joining us here today. It's great as always to have you with us. Venezuela's state oil company PDVSA reported a cyber attack on Monday and said operations were unaffected, though multiple sources said key systems remained down and oil cargo deliveries were suspended. PDVSA and the Oil Ministry blamed the United States, calling the incident part of efforts to seize control of Venezuela's oil sector. A company source said the disruption stemmed from a ransomware attack detected days earlier, with antivirus efforts crippling administrative systems. Oil production, refining and domestic distribution continued, but exports were hit, forcing staff to keep handwritten records and halting loading instructions. The incident comes amid rising U.S.-Venezuela tensions, including the recent U.S. seizure of a tanker carrying Venezuelan crude. As a result, exports have fallen sharply, millions of barrels remain stranded offshore and several tankers have turned back. An Iran-linked hacker group known as Handala has launched a campaign offering cash bounties for information on more than a dozen Israelis it claims are involved in developing Israel's Patriot, Arrow and David's Sling air defense systems. The group published photos and extensive personal details of engineers and technicians alongside explicit threats, including references to their families. A $30,000 bounty was offered for information on some targets, with additional lists offering $10,000 rewards. The data has spread widely on Arab media and Telegram, including via Hamas, though its accuracy has not been independently verified. The effort is part of Handala's broader Red Wanted doxxing campaign, which has targeted nearly 200 Israelis since October. The group is widely assessed to have ties to Iranian intelligence and a history of cyber and leak operations.
Germany's lower house of parliament suffered a major email outage on Monday, leaving lawmakers without access for more than four hours and prompting suspicions of a targeted cyber attack. The disruption coincided with sensitive U.S.-Ukraine discussions hosted in Germany, raising concerns about timing and intent. While technical details remain undisclosed, senior lawmakers have acknowledged an ongoing investigation. According to Reuters, citing the Financial Times, the incident highlights persistent cyber risks to government institutions, particularly during periods of heightened geopolitical activity and diplomatic engagement. Coupang, South Korea's largest e-commerce company and often compared to Amazon, suffered one of the country's largest data breaches, exposing personal information from up to 34 million user accounts. That's more than 90% of the working-age population. The leak, which went undetected for nearly five months, included names, phone numbers and residential entry codes, but not credit card or government ID data. Authorities say the alleged perpetrator was a former Coupang software developer who retained internal authentication credentials after leaving the company and accessed systems from overseas. The breach triggered lawsuits, police raids, multiple government investigations and the resignation of Coupang's South Korea CEO. Regulators are considering record fines, while public anger has intensified calls for tougher penalties over personal data protection failures. Researchers at Arctic Wolf report active exploitation of two critical Fortinet authentication bypass vulnerabilities beginning December 12th. The flaws allow unauthenticated SSO logins via crafted SAML messages when FortiCloud SSO is enabled, leading to admin access and configuration exfiltration on FortiGate devices. Affected products include FortiOS, FortiProxy, FortiWeb and FortiSwitch Manager.
Arctic Wolf advises resetting credentials, restricting management interface access and upgrading immediately to patched versions. They note FortiCloud SSO may be enabled during device registration despite being disabled by default. Elsewhere, researchers at Horizon3.ai disclosed three critical vulnerabilities in the FreePBX VoIP platform that could be chained to fully compromise affected systems. The most severe allows authentication bypass when a non-default web server authentication setting is enabled. Additional flaws include SQL injection and arbitrary file upload vulnerabilities that enable database access and remote code execution. While some issues were exploited in the wild, FreePBX has released patches across multiple versions. Organizations are urged to update immediately and ensure authentication settings remain on the default User Manager option. 700Credit, a major credit reporting and identity verification provider for the North American automotive industry, disclosed a data breach affecting more than 5.8 million individuals. The incident was discovered on October 25 and traced to a compromised third-party API tied to the company's web application. Attackers accessed data collected from automotive dealers between May and October of this year, including names, addresses, dates of birth and Social Security numbers. The breach impacted the 700dealer.com application layer, but the company says its internal network and operations were unaffected. 700Credit reports no evidence so far of identity theft or data misuse and is notifying affected individuals. Google will shut down its Dark Web Report feature on February 16th of next year, ending a service launched about 18 months ago to help users monitor stolen personal data.
The tool will stop scanning for new breaches on January 16, with all stored data deleted a month later. Google acknowledged that while the feature alerted users when information like emails, phone numbers or Social Security numbers appeared in breach dumps, it failed to offer clear, actionable guidance on what to do next. User feedback, including complaints on Reddit, highlighted the lack of specificity about which accounts were at risk. Google says it will instead focus on existing security tools such as Security Checkup, Password Manager and Password Checkup, which provide more practical steps for protecting accounts. European law enforcement agencies have dismantled a large fraud network operating call centers in Ukraine that scammed victims across Europe out of more than 10 million euros. Authorities from several countries, supported by Eurojust, arrested 12 suspects and carried out 72 searches in Ukraine, seizing vehicles, weapons, cash, computers and forged identification. The network ran multiple call centers employing around 100 people and targeted more than 400 victims through bank and police impersonation scams, remote access fraud and in-person cash collection. Employees were paid commissions of up to 7%, with promised bonuses that were never delivered. Officials say the operation highlights the continued scale of organized call center fraud across Europe. Coming up after the break, my conversation with Christiaan Beek from Rapid7. We're discussing how attackers are accelerating exploitation, refining ransomware and expanding nation state operations. And a Pornhub breach proves the Internet never forgets. Stay with us.
What's your 2 a.m. security worry? Is it "Do I have the right controls in place?" Maybe "Are my vendors secure?" Or the one that really keeps you up at night: "How do I get out from under these old tools and manual processes?" That's where Vanta comes in.
Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.
A
Close your eyes, exhale, feel your body relax and let go of whatever you're carrying today. Well, I'm letting go of the worry that I wouldn't get my new contacts in time for this class. I got them delivered free from 1-800-contacts. Oh my gosh, they're so fast. And breathe. Oh, sorry. I almost couldn't breathe when I saw the discount they gave me on my first order. Oh, sorry. Namaste. Visit 1-800contacts.com today to save on your first order.
B
1-800-Contacts. Christiaan Beek is senior director for Threat Intelligence and Analytics at Rapid7. And in today's sponsored Industry Voices conversation, we discuss how attackers are accelerating exploitation, refining ransomware and expanding nation state operations.
C
I think in Q3, look, we always track ransomware, right? And we always hope that at some point the numbers will go down. And I was hoping that two years ago. Then last year came in and I thought like, oh wow, this is really worse. And it really felt like this quarter was ramping up, so many groups and initiatives that it's like, hey, I think people need some Christmas money for buying Christmas gifts or something. But my God, like 80 groups almost daily active trying to do ransomware operations. And it goes up and down, right? Like you see groups disappear and then new ones are surfacing. And I would say that those are the smaller ones, but yes, one of those steady operations that goes on and on and on, and it's like unbelievable the volume of attacks we observe there, right? And I think that was one of the key findings there in the report. But also if you talk about vulnerabilities, well, hey, we're in the middle of this React Server stuff going on this week. Yeah, it proved the point we made, actually. Like, hey, if a vulnerability is actually made public, then it's no longer a zero-day, but an N-day, and is being exploited in the wild immediately. And, well, that's exactly what we saw happening this week when it was announced. I think we hit at some point like 30 attacks an hour on our honeypots with regards to this particular vulnerability. And also it's not only like, hey, let's try if I can use this exploit, by some people. But no, it was also really ranging from cybercriminals to nation states incorporating this new vulnerability immediately in their attack plan and starting to exploit it. So it was fascinating to see, like, hey, the observation we mentioned in the report now actually being proven alive as well, now out in the wild there.
B
Yeah. I mean, one of the things that struck me when I was reading the report is how this is a story about velocity also, that these exploitations are happening within hours of disclosure. How do you suppose defenders need to respond to that uptick in velocity?
C
I think it's a challenge, to be fair. Right. With all respect, not every vulnerability, and actually the platform impact, lends itself to, like, hey, let's patch this tonight. Right? So let's say on Friday afternoon we get this notification, indication that we have this vulnerability. It's not standard that we actually patch this in the evening. Right. Or it really depends on what type of software we're talking about. So it's really becoming a challenge for defenders to actually actively, or how you say that, yeah, adequately respond fast enough to these kinds of threats. And that's a challenge for sure.
B
Yeah. What about the ransomware that you're tracking here? How have you seen these operations evolve? And are there any particular groups that seem to have the biggest impact?
C
Well, traditionally, ransomware was really like, hey, let's go into a company, we go after the endpoints. You actually launch the ransomware. You find this ransom note on your desktop with this nasty message that you have been a victim that is gone, kind of. That's really disappeared. What we really observe is that first when they come in, they're not so much interested anymore in the endpoint itself. It's more like, hey, where do you stash your data? And let's go after that. So that's already going on for a while, I think. We see now more trends. This is of the last couple of weeks where some of those major groups are really going after the virtualization environments. That's not new on itself, but that's becoming a focus and really going after the data. Yeah, that's definitely a trend we're observing.
B
Are there any particular sectors that they seem to be targeting?
C
Surprisingly, we saw a new sector rising in Q3, which was the construction sector. And with all due respect, in all those years we're tracking ransomware, this was like a new one for me. It's like, wow, I haven't seen that one coming, but that was interesting. Healthcare, unfortunately, still very popular. But yeah, those are some of the significant sectors we observe for sure in Q3.
B
Yeah, we've seen some alliances among these ransomware groups. That's reflected in the report as well.
C
Well, at some point there was this kind of, we call it in Dutch here like a "fittie." It's like a fight going on. It's like gang language, the word fittie, but it means like, yeah, you're fighting each other, you're doxing each other. And they were making fun of some of those groups that were being hit by law enforcement. And there are messages on those forums where it's like, hey, these guys can't do their job. So come over to us, work with us. We host the infrastructure for you, we help you even with negotiations. So we would talk about DragonForce here, and at some point we even saw alliances with Scattered Spider. Right. That initial group of teenagers trying to attack some high-value targets. But definitely some of those alliances were observed. Yeah, I think if they want to survive at some point, yeah, we will probably observe this happening more.
B
One of the things that the report highlights is how nation state actors seem to be focusing on stealth and persistence. What insights can you share about that?
C
If you look at nation states on itself, right, of course they are not in the game for, like, hey, let's attack a target and let's be detected very soon. They are in it for the long term. Right. That's where the persistence comes from as well, I would say. But also most of the operations for nation states are really long-term information, classic intelligence gathering. So they really try novel ways to bypass some of these security technologies we, of course, as vendors, develop at the same time, and stay below the radar. And yeah, we've observed some innovation happening over the past couple of months. We have seen some really stealthy backdoors that are really hard to detect. You know, you have to know exactly, like, they're sleeping on the system. And until they get like a specific command or, like what we call, a network packet sent to them, that's when they become alive. And then it's still very limited what they are doing. So it's really, really hard to spot. And yeah, that's some of the observation we have seen.
B
Yeah. Interesting. Being 2025, I would be remiss to not ask you about AI and the influence that you're seeing that on things today.
C
Yeah, well, I was expecting and anticipating on this question, right. Like, there's hardly in any interview when this buzzword is passing by. Right, right, right. Well, AI, I think, honestly I still would call it machine learning. What they are doing, it's mostly are doing.
B
Right.
C
Like, for example, you write a piece of code and you say, like, hey, can you check my code? Is there anything I can do better? For sure, that's all the stuff we're seeing. I think the professionalism of creating a phishing campaign using AI technology, yeah, that's obvious, right? Some of those campaigns are so real, hard to detect, like if it's fake, yes or no. So that's why we see the embracing. And I've heard also, of course, this whole DPRK IT workers thing, that they are heavily using AI to mimic people. They create fake profiles on LinkedIn where they leverage AI to create the images. All those kind of, hey, these are the allocations you need to put in a profile to make it really convincing that you're dealing with a professional in engineering. So, yeah, it's really widespread being used.
B
Well, based on the information you've gathered here, what are your recommendations for defenders in terms of prioritizing their efforts?
C
I would really say, like, if you look at the ransomware actors themselves, right, they're really doing, like, what they call a shift left. So they go really for the security devices at the edge of the networks, like the firewalls, the VPNs and all that stuff. And I think what we really need to ask ourselves, like back to your prior point, why you asked, like, hey, if you have this vulnerability and we can't patch quick enough, what can you do? And I think that's where we need to do our homework, where we say, like, hey, if they bypass some of this, I would say, edge-protecting technology, where in my technology stack, in my people, in my processes, where is the next step where properly we can actually spot them? And actually, is this something where I might have a gap in my visibility, a.k.a. what is my attack surface? Right. And do I exactly have the visibility I need to respond? And it sounds really like, do we need to go back to the foundations? Yes. Big yes. I would say, like, sometimes we are doing a lot with technology. You mentioned AI, with cloud. We have all those beautiful technologies, but sometimes it makes it so complex that we hardly understand anymore, like, hey, what are some of those attack vectors and where do we need to look for this?
B
Well, given these realities, what's your outlook for the fourth quarter and into 2026?
C
I think the fourth quarter will be a lot different than the third quarter. I think the numbers even go up if you look from different perspectives. And then 2026. Well, I think this year, I think in the second half of 2025 we had quite some of those supply chain attacks. Salesforce, for example, and Oracle E-Business. Those had a major, major impact on what's happening and how we had to respond. And I think we should take some lessons learned from those supply chain attacks and really apply them into the next year, or anticipate on those, because that will only grow bigger, in my humble opinion.
B
That's Christiaan Beek from Rapid7. We have a link to their research in our show notes.
A
So good, so good, so good. Score holiday gifts everyone wants for way less at your Nordstrom Rack store. Save on UGG, Nike, rag & bone, Vince, Frame, Kurt Geiger London and more.
C
Cause there's always something new.
A
I'm giving all the gifts this year with that extra 5% off when I use my Nordstrom credit card. Santa who? Join the Nordy Club at Nordstrom Rack to unlock our best deals. It's easy. Big gifts, big perks. That's why you Rack.
Ford BlueCruise hands-free highway driving takes the work out of being behind the wheel, allowing you to relax and reconnect while also staying in control. Enjoy the drive in BlueCruise-enabled vehicles like the F-150, Explorer and Mustang Mach-E. Available feature on equipped vehicles. Terms apply. Does not replace safe driving. See Ford.com/BlueCruise for more details.
B
And finally, Pornhub says data linked to its premium members was exposed. The incident traces back not to Pornhub itself, but to a breach at analytics firm Mixpanel, a vendor Pornhub says it stopped using in 2021. Attackers linked to the ShinyHunters extortion group allegedly accessed Mixpanel via an SMS phishing attack and stole roughly 94 gigabytes of historical analytics data. That data reportedly includes email addresses, viewing activity, search terms, video titles, locations and timestamps. ShinyHunters is now extorting affected companies, raising awkward questions about why such intimate data was retained for years. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Date: December 16, 2025
Host: Dave Bittner, N2K Networks
Featured Guest: Christiaan Beek, Senior Director of Threat Intelligence & Analytics, Rapid7
This episode dives into a surge of cyberattacks around the globe, with a particular focus on a ransomware strike targeting Venezuela's oil sector, global data breaches, and new trends in cybercrime and nation-state operations. The guest interview with Christiaan Beek from Rapid7 explores how attack velocity is increasing, ransomware tactics are evolving, and threat actors, from criminal syndicates to nation-states, are collaborating and leveraging AI. The episode wraps with a look at a Pornhub data leak that underscores the persistent risks of third-party data retention.
[03:00]
Quote:
“Oil production, refining and domestic distribution continued, but exports were hit, forcing staff to keep handwritten records and halting loading instructions.” – Dave Bittner [03:44]
[04:07]
Quote:
“A $30,000 bounty was offered for information on some targets... the effort is part of Handala’s broader Red Wanted doxxing campaign.” – Dave Bittner [04:33]
[05:13]
[05:48]
Quote:
“The leak… included names, phone numbers, and residential entry codes, but not credit card or government ID data.” – Dave Bittner [06:18]
[07:02]
[08:18]
[09:06]
[09:46]
[25:09]
Quote:
“ShinyHunters is now extorting affected companies, raising awkward questions about why such intimate data was retained for years.” – Dave Bittner [25:39]
[13:24–23:46]
Quote:
“If a vulnerability is… made public, then it’s no longer a zero-day, but an N-day, [and is] being exploited in the wild immediately… we hit at some point like 30 attacks an hour on our honeypots.”
– Christiaan Beek [14:37]
Quote:
“First when they come in, they’re not so much interested anymore in the endpoint itself. It’s more like, ‘Hey, where do you stash your data?’ And let’s go after that.” – Christiaan Beek [16:41]
Memorable Note:
“There was this kind of… 'fittie'… it means like, yeah, you’re fighting each other, you’re doxing each other.” – Christiaan Beek [18:07]
Quote:
“We have seen some really stealthy backdoors… you have to know exactly, like they’re sleeping on the system… until they get like a specific command… that’s when they become alive.” – Christiaan Beek [19:12]
Quote:
“Some of those [phishing] campaigns are so real, hard to detect… They create fake profiles on LinkedIn where they leverage AI to create the images. All those kind of… allocations you need to put in a profile to make it really convincing…” – Christiaan Beek [20:44]
Quote:
“Sometimes we are doing a lot with technology… but sometimes it makes it so complex that we hardly understand anymore… where we need to look for this.” – Christiaan Beek [21:41]
The episode balances urgent investigative reporting with the steady, pragmatic tone of the CyberWire, emphasizing resilience and the need for cybersecurity fundamentals amid rapidly escalating threats and technical complexity. It closes on the lesson that no data, no matter how sensitive, is completely safe—especially when handled by third parties.
For links to today’s stories and the full research referenced, visit thecyberwire.com.