A
You're listening to the CyberWire Network, powered by N2K. AI agents are now reading sensitive data, executing actions and making decisions across our environments. But are we managing their access safely? Join Dave Bittner and Barak Shalef from Oasis Security on Wednesday, December 3rd at 1pm Eastern for a live discussion on agentic access management and how to secure non-human identities without slowing innovation. Can't make it live? Register now to get on-demand access after the event. Visit events.thecyberwire.com, that's events with an s, .thecyberwire.com, to save your spot.
B
Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero trust networks including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire, that's M-E-T-E-R dot com slash cyberwire.

ShadyPanda plays the long game. India mandates tracking software on mobile devices. Korea weighs punitive damages after a massive breach. Qualcomm patches a critical boot flaw impacting millions. OpenAI patches a Codex CLI vulnerability. Google patches Android zero-days. Cybersecurity issues prompt an FDA permanent recall for an at-home ventilator system. Switzerland questions the security of hyperscale clouds and SaaS services. One of the world's largest cyber insurers pulls back from the market. On our Threat Vector segment, David Moulton sits down with Stav Seti to unpack the Jingle Thief campaign. And in Russia, Porsches take a holiday.

It's Tuesday, December 2, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great to have you with us.

A seven-year campaign used seemingly legitimate Chrome and Edge extensions to infect 4.3 million users with backdoors and spyware, according to Koi researchers.
The group dubbed ShadyPanda published clean extensions, waited years to build large user databases, then pushed malicious updates that auto-installed across all devices. Five extensions with more than 4 million installs remain live in the Microsoft Edge store. One campaign delivered a remote code execution backdoor to 300,000 users through five extensions, including one named CleanMaster, which exfiltrated full browsing activity to attacker-controlled servers and included anti-analysis features. Another set of five Edge extensions, including the 3 million-install WeTab, still collects extensive behavioral data and sends it in real time to servers in China and to Google Analytics. Earlier campaigns silently monetized user traffic or hijacked searches. Koi says the incidents highlight a core marketplace weakness: extension stores review submissions but do not monitor updates after approval.

India is expanding its anti-theft and cybersecurity program to cover new and used smartphones, according to reporting from Reuters and also confirmed by the Telecom Ministry. Companies that buy or trade second-hand devices must now verify each phone's IMEI number against a central database. The move follows a directive requiring manufacturers to pre-install the government's Sanchar Saathi app on new phones and push it to existing devices through software updates. Sanchar Saathi has blocked or traced millions of stolen phones and has seen rapid adoption since its 2023 launch. Critics say mandatory installation expands state access to personal devices without adequate safeguards. Apple has told officials it will not comply, citing privacy and security concerns for its ecosystem.

South Korean President Lee Jae Myung ordered a rapid investigation into Coupang's massive data breach, calling the five-month undetected leak astonishing in scale. Officials say information tied to at least 30 million users was accessed after an attacker exploited an electronic signature key.
The government is considering punitive damages to deter future lapses, a shift from Korea's compensatory-only model. Coupang's CEO said the company will comply with penalties that could reach record levels. Police have not confirmed the attacker's identity.

Qualcomm issued an urgent security bulletin warning of six high-priority vulnerabilities across millions of devices. The most serious threatens the secure boot process that protects devices during startup. Qualcomm says an attacker could bypass checks, install persistent malware or gain control before the operating system loads. The flaw was found internally, raising questions about how long it existed in deployed devices. Five additional vulnerabilities affect the high-level operating system, TrustZone firmware, audio DSP services and camera functions. Qualcomm is distributing patches to manufacturers and urges immediate deployment. Users should check with their device makers for update timelines.

OpenAI patched a Codex CLI vulnerability that allowed malicious commands to run automatically on developers' machines, according to Check Point. The tool implicitly trusted configuration files inside local repositories and executed their instructions without user approval. Attackers who could commit or merge crafted configs could trigger remote access, command execution, credential theft and lateral movement, creating a reproducible supply chain backdoor. Compromised templates or popular repos could also infect downstream users.

Google's latest Android Security Bulletin disclosed 107 zero-day vulnerabilities affecting Android and the Android Open Source Project. 51 flaws were patched on December 1, including three high-impact issues in the Android framework. Google says two may be under limited targeted exploitation and can enable unauthorized information disclosure or elevated access across Android 13 through 16. A third flaw could trigger remote denial of service.
Google says they'll release the remaining 56 patches on December 5th.

The FDA has issued a permanent recall for Baxter's Life 2000 at-home ventilator system, citing an unspecified cybersecurity issue that could let someone with physical access alter therapy settings or access device data. Baxter began notifying patients in April, but the FDA's public alert came in late November, warning that continued use could cause serious injury or death. Patients are urged to stop using the device and consult providers for replacements. Baxter reports no related injuries or deaths as of April 10. It remains unclear whether this recall is connected to earlier Life 2000 advisories involving multiple vulnerabilities. Security experts say a permanent recall for a cyber issue is rare and signals significant patient safety concerns, while noting that neither Baxter nor the FDA has detailed the specific flaw involved.

Switzerland's Conference of Data Protection Officers, Privatim, issued a resolution urging public bodies to avoid hyperscale clouds and most SaaS services due to security risks. The group warns that many SaaS platforms lack true end-to-end encryption and that providers, especially those subject to the US CLOUD Act, could access sensitive data. Privatim also notes that vendors can change terms unilaterally, reducing government control. The resolution concludes that large international SaaS offerings, including Microsoft 365, are generally inappropriate for handling particularly sensitive Swiss government data.

Beazley, one of the world's largest cyber insurers, is pulling back from the market as rising ransomware and hacking claims drive higher losses. According to the Financial Times, the company's cyber gross written premiums fell 8% to $848 million through September, and executives cite geopolitical volatility as fueling more costly attacks. While Beazley reduces its exposure, rivals like Chubb and AIG are maintaining or expanding their cyber books.
Premiums have been declining since early 2024 due to intense competition for a limited pool of buyers. The sector strain shows up in the UK as well, where the Association of British Insurers reports a 230% year-over-year surge in cyber claims, driven largely by malware and ransomware incidents.

Coming up after the break on our Threat Vector segment, David Moulton sits down with Stav Seti to unpack the Jingle Thief campaign. And in Russia, Porsches take a holiday. Stick around.

What's your 2am security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently and finally get back to sleep. Get started at vanta.com/cyber, that's V-A-N-T-A dot com slash cyber.

AI is transforming every industry, but it's also creating new risks that traditional frameworks can't keep up with. Assessments today are fragmented, overlapping and often specific to industries, geographies or regulations. That's why Black Kite created the BKGA3AI assessment framework to give cybersecurity and risk teams a unified, evolving standard for measuring AI risk across their own organizations and their vendors' AI use. It's global, research-driven, built to evolve with the threat landscape and free to use, because Black Kite is committed to strengthening the entire cybersecurity community. Learn more at blackkite.com.
On today's Threat Vector segment, David Moulton, Senior Director of Thought Leadership at Unit 42 with Palo Alto Networks, sits down with Stav Seti, principal researcher at Palo Alto Networks, to unpack the Jingle Thief cloud-only, identity-driven campaign.
C
Hi, I'm David Moulton, host of the Threat Vector podcast, where we break down cybersecurity threats, resilience and the industry trends that matter most. What you're about to hear is a snapshot from my conversation with Stav Seti, a principal researcher at Palo Alto Networks. Stav and the Unit 42 research team uncovered a financially motivated operation called Jingle Thief, where attackers abused Microsoft 365 and identity features to quietly steal gift cards from some of the biggest global retailers. As Stav puts it, attackers don't need exploits or malware anymore. They just need to compromise identities. One stolen account can become dozens in a matter of months, all while they sit inside your cloud environment using your own workflows against you. Stav, welcome to Threat Vector. I'm really excited to have you here this morning.
D
Thanks, David. I'm really happy to be here.
C
So today we're going to talk about this Jingle Thief campaign, which is really centered around identity-based cloud compromise and gift card fraud. And I wanted to start with the basics, you know, for the listeners. What exactly is the Jingle Thief campaign? You know, some folks maybe haven't read the research that we've got out on the Unit 42 Threat Research Center. What was it that first drew the Cortex research team to this specific activity?
D
The Jingle Thief campaign is a campaign that we found very fascinating. And it came up because of our Cortex ITDR alerts that were raised. And what makes this so interesting is it's attackers going after gift cards. And they were able to steal and target gift cards from some of the biggest retail brands that you know. So that's really fascinating. And what makes it even more fascinating is that this is in the cloud. There's no malware, there's no exploits. They're purely living in Microsoft 365, which is a bit unusual because nowadays you don't see that too often with the gift card fraud. And yeah, so they would try and target retailers or just anyone that can issue gift cards.
C
Who's behind this campaign? Talk to me about the threat actor.
D
Yeah, so we're pretty sure that this group is what people know as Atlas Lion. Atlas Lion is a Moroccan-based group. They've been active since 2021. And while we don't have 100% attribution, I'd say for the purposes of this chat, let's call them Atlas Lion. What do you think?
C
Yeah, that works for me. And you said Moroccan-based, financially motivated. That's probably part of the crime side of cyber attacks, not necessarily something tied to a state actor. What distinguishes the campaign from maybe some of the other financially motivated operations that we've been looking at recently?
D
I think there's a few things. I think the first thing is the patience and the discipline. They stay months within an organization. In one case, we saw them active in an organization for over 10 months, which is really crazy. That kind of patience made us go, hey, this is really something different here. I think another aspect is the living off the land. In Microsoft 365, it's all cloud. That's a little bit unusual as well. And lastly, it's the gift card aspect, the gift card theft. A lot of times financially motivated actors will go for ransomware, and this was all about gift cards.
C
What are some of the lessons that security teams need to take away from this attack and this misuse of trust?
D
That's a great question. I think the first thing is, a lot of times security teams will say, hey, MFA, that equals safety. And I think it's really important to recognize that MFA is not safety, it's not safe. And they should really monitor every new password reset, every new device enrollment, all those things; all that needs to be monitored. And it's not enough just to be like, hey, that user logged in with MFA, it's safe.
C
Stav, thanks for this awesome conversation today. I learned so much, and you know, this one seems like it's kind of a weak spot that we need to really focus on or suffer the consequences.
D
Thank you so much, David. It was great being here.
C
Jingle Thief shows how identity-based compromise turns trusted cloud features into a revenue engine for attackers, and why identity really is the new perimeter. If this got your attention, don't wait. Listen to the full special episode in your Threat Vector podcast feed. It's called Inside Jingle Thief: Cloud Fraud Unwrap, and it's live now. Thanks for listening. Stay secure. Goodbye for now.
B
Be sure to check out the complete episode of Threat Vector right here on the N2K CyberWire network or wherever you get your favorite podcasts.
A
This episode is brought to you by Indeed. You're ready to move your business forward, but first you need to find the right team. Start your search with Indeed Sponsored Jobs. It can help you reach qualified candidates fast, ensuring your listing is the first one they see. According to Indeed data, sponsored jobs are 90% more likely to report a hire than non-sponsored jobs. See the results for yourself. Get a $75 sponsored job credit at indeed.com/podcast. Terms and conditions apply.

Ford BlueCruise hands-free highway driving takes the work out of being behind the wheel, allowing you to relax and reconnect while also staying in control. Enjoy the drive in BlueCruise-enabled vehicles like the F-150, Explorer and Mustang Mach-E. Available feature on equipped vehicles. Terms apply. Does not replace safe driving. See Ford.com/BlueCruise for more details.
B
And finally, hundreds of Porsche owners across Russia found their high-performance machines reduced to very expensive lawn ornaments last week, as a factory-installed satellite security system abruptly stopped talking to the cars it was meant to protect. Drivers from Moscow to Krasnodar reported sudden engine shutdowns and fuel blockages, prompting a rush of service requests for Rolf, the country's largest dealership group. The outage appears tied to the vehicle tracking system, which some owners coaxed back to life by rebooting, disabling, or performing the timeless ritual of leaving the battery unplugged for 10 hours. A Rolf representative floated the idea of deliberate interference, though no evidence supports it. Porsche has stayed silent, still unable to divest its remaining Russian subsidiaries two years after suspending operations.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
D
The Uniswap Wallet makes it easier and safer to own and use crypto Created by pioneers of the crypto economy, the.
A
Uniswap protocol has powered over $3 trillion.
D
In trading volume, and it's trusted by.
A
Tens of millions worldwide.
D
With the Uniswap Wallet, you can discover, swap and manage your crypto all from your phone.
A
Buy your first crypto assets in just.
D
A few taps and start exploring the.
A
Freedom of decentralized finance with Uniswap.
D
Tap the banner to get started.
Date: December 2, 2025
Host: Dave Bittner (N2K Networks)
Special Segment: Threat Vector with David Moulton and Stav Seti
This episode of CyberWire Daily focuses on several pressing cybersecurity incidents and industry trends, with in-depth reports on malicious browser extension campaigns (including ShadyPanda), government-driven cybersecurity mandates, major data breaches, and critical product recalls due to cyber vulnerabilities. The episode also features a deep-dive Threat Vector interview on the "Jingle Thief" campaign—an advanced, identity-driven cloud fraud operation.
[03:13 – 05:17]
Incident Summary: Koi researchers discovered a sophisticated, long-running campaign where the ShadyPanda group distributed seemingly legitimate Chrome and Edge browser extensions to slowly amass a user base before covertly activating malicious capabilities.
Marketplace Flaw Highlighted:
“Extension stores review submissions but do not monitor updates after approval.”
— Dave Bittner, [04:45]
[14:21 – 18:58]
Host: David Moulton (Unit 42, Palo Alto Networks)
Guest: Stav Seti (Principal Researcher, Unit 42)
A detailed conversation around the “Jingle Thief” campaign—an advanced, financially driven operation exploiting Microsoft 365 cloud identity features to commit extensive gift card fraud against major global retailers.
Nature of Attackers and Technique:
“As Stav puts it, attackers don’t need exploits or malware anymore. They just need to compromise identities. One stolen account can become dozens in a matter of months, all while they sit inside your cloud environment using your own workflows against you.”
— David Moulton, [14:30]
Overview of the Jingle Thief Campaign:
Unique Characteristics:
Patience and discipline (long-term persistence within orgs)
Unusual focus on gift card theft through cloud identity compromise
Quote:
“What makes it even more fascinating is that this is in the cloud. There's no malware, there's no exploits. They're purely living in Microsoft 365, which is a bit unusual.”
— Stav Seti, [15:49]
Major Lessons for Security Teams:
Quote:
“A lot of times security teams will say, ‘hey, MFA, that equals safety.’ And I think it's really important to recognize that MFA is not safe… they should really monitor every new password reset, every new device enrollment… all that needs to be monitored.”
— Stav Seti, [18:10]
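The monitoring Stav Seti recommends, every password reset and device enrollment reviewed rather than waved through because the session passed MFA, as an added example that is not code from the episode, from Unit 42 or from any Cortex product. The JSON-lines log below is constructed and simplified, not the real Microsoft 365 or Entra ID audit schema; the event names, the sample accounts and the 24-hour clustering window are assumptions chosen for the illustration.

```python
"""
Added example (not from the episode or from Unit 42): a small detector that
treats identity-changing events (password resets, new MFA method registrations,
new device enrollments) as review-worthy even when the actor's session passed
MFA. The log shape below is a constructed, simplified JSON-lines format, not the
real Microsoft 365 / Entra ID audit schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not real data). "mfa" records whether the
# session that performed the action had satisfied MFA.
SAMPLE_LOG = """
{"ts": "2025-12-01T08:02:00Z", "user": "alice@example.test", "event": "SignIn", "mfa": true, "ip": "203.0.113.10"}
{"ts": "2025-12-01T08:05:00Z", "user": "alice@example.test", "event": "MfaMethodRegistered", "mfa": true, "ip": "203.0.113.10"}
{"ts": "2025-12-01T08:09:00Z", "user": "alice@example.test", "event": "DeviceEnrolled", "mfa": true, "ip": "203.0.113.10"}
{"ts": "2025-12-01T09:00:00Z", "user": "bob@example.test", "event": "SignIn", "mfa": true, "ip": "198.51.100.7"}
{"ts": "2025-12-01T12:30:00Z", "user": "bob@example.test", "event": "MailRead", "mfa": true, "ip": "198.51.100.7"}
{"ts": "2025-12-01T13:00:00Z", "user": "carol@example.test", "event": "PasswordReset", "mfa": false, "ip": "192.0.2.44"}
"""

# Events that change how an identity authenticates. Each one deserves a look
# regardless of whether MFA was satisfied on the session that made it.
IDENTITY_CHANGE_EVENTS = {"PasswordReset", "MfaMethodRegistered", "DeviceEnrolled"}

# Several identity changes on one account inside this window is the pattern the
# interview describes: one foothold quietly turned into durable access.
CLUSTER_WINDOW = timedelta(hours=24)


def parse_records(text):
    """Parse JSON lines into dicts with a real datetime under 'ts', time-sorted."""
    records = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def identity_changes_by_user(records):
    """Group identity-changing events per user, preserving time order."""
    changes = defaultdict(list)
    for rec in records:
        if rec["event"] in IDENTITY_CHANGE_EVENTS:
            changes[rec["user"]].append(rec)
    return dict(changes)


def find_clusters(records, window=CLUSTER_WINDOW, min_events=2):
    """Return {user: [events]} for users with >= min_events identity changes
    inside `window`. MFA status is deliberately ignored: an MFA-backed session is
    exactly how an attacker who already controls the account looks."""
    findings = {}
    for user, events in identity_changes_by_user(records).items():
        for i in range(len(events)):
            cluster = [e for e in events[i:] if e["ts"] - events[i]["ts"] <= window]
            if len(cluster) >= min_events:
                findings[user] = cluster
                break
    return findings


def review_queue(text):
    """Everything an analyst should look at: each identity change individually,
    plus any user whose changes cluster in time."""
    records = parse_records(text)
    singles = [(r["user"], r["event"], r["mfa"])
               for r in records if r["event"] in IDENTITY_CHANGE_EVENTS]
    clusters = {u: [e["event"] for e in evs]
                for u, evs in find_clusters(records).items()}
    return {"identity_changes": singles, "clustered_users": clusters}


if __name__ == "__main__":
    queue = review_queue(SAMPLE_LOG)
    for item in queue["identity_changes"]:
        print("review:", item)
    for user, events in queue["clustered_users"].items():
        print("cluster:", user, events)
```

On the constructed sample, alice's MFA-method registration and device enrollment four minutes apart land in the cluster list even though every one of her actions passed MFA, which is the point of the segment: the control that let the session in is not evidence that the session is the account's owner. Bob's ordinary mail read is never queued, and carol's single password reset is queued individually but does not form a cluster.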
Key Takeaway:
“Jingle Thief shows how identity-based compromise turns trusted cloud features into a revenue engine for attackers and why identity really is the new perimeter.”
— David Moulton, [18:58]
On marketplace failings:
“Extension stores review submissions but do not monitor updates after approval.”
— Dave Bittner, [04:45]
On cloud identity risk:
“Attackers don’t need exploits or malware anymore. They just need to compromise identities.”
— David Moulton, [14:30]
On gift card fraud strategy:
“In one case... we saw them active in an organization for over 10 months, which is really crazy. That kind of patience made us go, hey, this is really something different here.”
— Stav Seti, [17:18]
On MFA:
“MFA is not safe… all that needs to be monitored.”
— Stav Seti, [18:10]
This episode underscores the evolving risks in the cyber landscape: the growing sophistication of threat actors who exploit user trust and slow marketplace responses (e.g., ShadyPanda extensions), the expanding regulatory and technological responses to device theft and privacy, the mounting impact of massive data breaches and supply-chain risks, and the dramatic new stakes in safety-critical IoT and medical device security. The extended Threat Vector segment provides real-world lessons about how attackers exploit cloud identity, what defenders get wrong about MFA, and why security teams must rethink the definition of cloud “perimeter.”
Identity is the new battleground—and even basic features can turn into vulnerabilities if trust is unchecked.