A
You're listening to the Cyberwire Network powered by N2K.
B
We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first, and it works. Sponsored Jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus, with Sponsored Jobs, there are no subscriptions, no long-term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed, and listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com/cyberwire. Just go to indeed.com/cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com/cyberwire. Terms and conditions apply. Hiring? Indeed is all you need.
CISA warns that pro-Russia hacktivist groups are targeting US critical infrastructure. Google patches three new Chrome zero-days. North Korean actors exploit React2Shell to deploy a new backdoor. Researchers claim Docker Hub secret leakage is now a systemic problem. Attackers exploit an unpatched zero-day in Gogs, the self-hosted Git service. IBM patches more than 100 vulnerabilities. Storm-0249 abuses endpoint detection and response tools. The DOJ indicts a former Accenture employee for allegedly misleading federal customers about cloud security.
Our guest is Kavitha Mariapan, Chief Transformation Officer at Rubrik, talking about understanding and building resilience against identity-driven threats. And a malware tutor gets schooled by the law. It's Thursday, December 11, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great as always to have you with us.
The US government is warning that pro-Russia hacktivist groups are targeting US critical infrastructure, attempting to access operational technology systems through poorly secured Internet-facing VNC connections. An advisory from the FBI, CISA, NSA and international partners identifies four main groups: Cyber Army of Russia Reborn, also known as CARR, Z-Pentest, NoName057(16) and Sector16, which have recently targeted water and wastewater facilities, food and agriculture, and the energy sector. These actors are considered unsophisticated but opportunistic, using brute force attacks to access human machine interfaces with weak or default passwords, then modifying device settings, disabling alarms and causing operational disruptions. Some groups show ties or indirect alignment with Russian state interests, with CARR in particular linked by researchers to the GRU. The DOJ has also announced related indictments. Although current impacts have been limited, authorities warn the activity could escalate. CISA urges OT operators to harden authentication, reduce Internet exposure, and strengthen recovery plans.
Elsewhere, global cybersecurity agencies have issued their first unified guidance on using artificial intelligence in critical infrastructure, signaling a shift from theory to practical safeguards. The document warns that AI introduces new safety and reliability risks for OT, including model drift and unsafe process changes. Agencies stress that large language models should not make safety decisions. They recommend strong architectural boundaries, push-based data flows and human oversight.
The guidance urges operators to demand transparency from vendors and maintain manual skills as AI adoption expands.
Google has issued patches for three new Chrome zero-day vulnerabilities, including a high-severity flaw already exploited in the wild. The primary zero-day has no CVE and remains under coordination, with details withheld until most users update or dependent third-party libraries are fixed. The update also addresses two medium-severity issues, one a use-after-free in Password Manager and the second an inappropriate implementation in the Chrome toolbar. This marks Chrome's eighth zero-day exploited in 2025.
North Korea-linked actors are exploiting the React2Shell flaw to deploy a new backdoor called EtherRAT. According to Sysdig, React2Shell is a maximum-severity deserialization bug in React Server Components that enables unauthenticated remote code execution and has been widely abused since its Dec. 3 disclosure. Sysdig recovered EtherRAT from a compromised Next.js app and reports traits consistent with Lazarus Group tooling, including similarities to BeaverTail. EtherRAT establishes persistent access and uses the Ethereum blockchain for command and control resolution through an EtherHiding technique. The backdoor regularly polls its C2, replaces its own code to hinder analysis, and uses multiple Linux persistence mechanisms. Sysdig urges immediate updates to patched React and Next.js versions, and checks for EtherRAT's persistence artifacts and unusual Ethereum RPC traffic.
Research from Flare into Docker Hub shows that secret leakage is now a systemic problem, not an edge case. In one month of scanning, they found more than 10,000 container images with exposed credentials affecting over 100 organizations, including a Fortune 500 and a major national bank. 42% of those images contained five or more secrets, often enough to unlock entire cloud environments, CI/CD pipelines and databases.
AI model keys were the most frequently leaked, with nearly 4,000 exposed, and many secrets came from shadow IT accounts outside corporate monitoring. Even when developers removed exposed secrets from images, 75% failed to revoke the underlying keys. Flare argues that modern breaches increasingly follow a new pattern. Attackers do not hack in, they authenticate in, using credentials companies accidentally publish themselves.
Attackers are exploiting an unpatched zero-day in Gogs, the self-hosted Git service, to gain remote code execution and compromise hundreds of Internet-facing servers. The flaw abuses a path traversal weakness in the PutContents API, allowing symbolic links to overwrite files outside a repository and revive a previously patched RCE bug. Wiz Research found over 1400 exposed Gogs servers, with more than 700 showing signs of compromise linked to automated attacks deploying Supershell-based malware. Users should disable open registration and restrict access immediately.
IBM has released security updates addressing more than 100 vulnerabilities across its product line, including several critical flaws largely tied to third-party components. Storage Defender received fixes for six critical bugs in its Data Protect module, while IBM Guardium patched a Tomcat flaw enabling code execution. Additional critical issues were resolved in Maximo's form-data library, Edge Data Collector's Django SQL injection bug and Instana's Tomcat, libxml2 and WebKit components. IBM DB2 updates also addressed a critical Corosync flaw. Numerous other products received high- and medium-severity fixes.
Storm-0249, an initial access broker, is abusing endpoint detection and response tools and trusted Windows components to stealthily deploy malware and prepare environments for ransomware operators. ReliaQuest analyzed an attack where users were tricked through ClickFix social engineering into executing curl commands that installed a malicious MSI with system privileges.
The payload sideloaded a rogue DLL through SentinelOne's legitimate SentinelAgentWorker executable, allowing persistent privileged execution that appears benign to security tools. The attacker then used Windows utilities for system profiling and funneled encrypted command and control traffic through the trusted EDR process. ReliaQuest notes the profiling aligns with ransomware group requirements and recommends behavior-based monitoring for unsigned DLL loading and tighter controls over curl, PowerShell and living-off-the-land binaries.
The Justice Department has charged Danielle Hillmer, a former product manager at Accenture Federal Services, with misleading federal customers about the security of a cloud platform intended for government use. According to the indictment, between March 2020 and November 2021, she obstructed auditors and falsely claimed the system met required controls under FedRAMP and the Department of Defense Risk Management Framework. Prosecutors say she hid security gaps, directed others to mask deficiencies during assessments, and provided false information to secure approvals despite internal warnings that more than 100 controls were missing. Accenture says it self-reported the issue and is cooperating. The case reflects growing federal enforcement against contractors that misrepresent cybersecurity compliance to win or retain government business.
Coming up after the break, my conversation with Kavitha Mariapan, Chief Transformation Officer at Rubrik. We're discussing building resilience against identity-driven threats. And a malware tutor gets schooled by the law. Stay with us.
Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker allowlisting, you stop unknown executables cold. With ringfencing, you control how trusted applications behave.
And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source and regain control over their environments. Schedule your demo at threatlocker.com/n2k today.
Is transforming every industry, but it's also creating new risks that traditional frameworks can't keep up with. Assessments today are fragmented, overlapping and often specific to industries, geographies or regulations. That's why Black Kite created the BKGA3AI assessment framework to give cybersecurity and risk teams a unified, evolving standard for measuring AI risk across their own organizations and their vendors' AI use. It's global, research-driven, built to evolve with the threat landscape and free to use, because Black Kite is committed to strengthening the entire cybersecurity community. Learn more at blackkite.com.
Kavitha Mariapan is Chief Transformation Officer at Rubrik. I recently got together with her to discuss understanding and building resilience against identity-driven threats.
C
We as a security insight and research lab constantly monitoring sort of the threat landscape, right? And so we put out a report every six months. We definitely noticed an increase in the number of identity-based threats. And so as a team we decided we should really hyper-focus for the fall report on creating a substantial body of work here around identity threats. And so that really was the motivation behind why we doubled down on an identity-based report.
B
One of the things that caught my eye was about how leaders are really looking to hire identity talent right now. What is driving that urgency?
C
Well, lots of interesting things. I think first and foremost if we take a look at just the threat landscape, right. And if you take a look at this recent report, 90% of IT and security leaders were surveyed, at least throughout our study, agree that identity has driven identity driven cyber attacks are top threat to their organizations. And we see, we saw that number increase within the last six months by X points. Right. That is a critical area, right. Why organizations should be really thinking about like you know, identity was always considered more, more of an access management technology. Right. Like you know, we're governing user access, ensuring people have the right credentials and the privileges to access applications or have access to a corporate network. But really it's sort of the frontier for security right now. At the end of the day, I think one of the things we're seeing obviously is that when your identity is compromised, you've lost your ability to log in, much less recover from any identity based threat, any breach of your perimeter. So there's a real need to enhance and augment the skill sets and the capabilities within the organization. And that's kind of really the, you know, the movement we're seeing where a lot of enterprises are, one, focused on up leveling their identity talent. Two, we're seeing that many of these organizations, at least that we surveyed, up to 60% of them had switched IAM providers within the last three years. That said, 87% of them are currently still planning to change IAM providers. So even though they had looked at this and made some tremendous changes in the last three years, many of them are actually planning to make further changes and have already begun the process. And they're realizing the skill sets needed are not aligned internally, are not aligned to sort of, well, skill sets required are not aligned to the talent that they have internally. And you know, they're just new capabilities. 
I mean we're not just dealing with perimeter defense, we're dealing with the changing sort of landscape of like a hybrid workforce. We're dealing with the advent and sort of like production adoption of AI. And AI sort of introduces a whole new slew of security parameters. One specifically being non human identities Sort of added to that mix.
B
Well, I mean, let's talk about that. The report points out that non human identities outnumber humans by 82 to 1. That's a striking statistic there. How are enterprises discovering and classifying and governing those identities without throwing sand in the gears, without slowing people down?
C
Well, I think this is really important, right for us because one of the things organizations are doing is leaning into AI embracing AI. Right. And then that said protecting their organizations from agents that will be potentially compromised or going rogue is those are a capability we've got to build. And I think doing so requires these organizations to have visibility of kind of what these active agents are in their IT environment, what are the interactions that they're having. Right. With your data, specifically what applications, what identities. And then this is sort of like raising to the top the need to have observability across, across their infrastructure and their landscape. And it doesn't mean much if with all those insights you aren't able to remediate sort of any potential harmful actions being taken by an AI agent. So one of the things that organizations are like, as we're seeing sort of the 82 to 1 is actually just like the tip of the iceberg. Right. In six months from now, Dave, when we talk, I think that number is going to be would have scaled up. Right. It's really important for them to be able to understand how one are they classifying and understanding sort of this roles and behaviors. But how to rewind these sort of inadvertent or nefarious actions back to a clean state.
B
What about human oversight? How do you draw the line between let's say assistive AI and more authoritative AI?
C
Yeah, it's actually a great question. Right. Look, human oversight has always remained essential as we think about human users, human workers. Right now with LLMs that we're already starting to use today, we know that we've got to validate these outputs. It's no accident. A lot of gen AI tools today include disclaimers that they say look, we're capable of making mistakes and that you should really verify all important information. But we're definitely seeing hallucinations still and I think we'll continue to see hallucinations within the environment and all these interactions and tools. So I think specifically when you ask about assistive AI like this, human oversight is going to become important. Now you take that to the next level as we cross into the use of authoritative AI where you've got agents that are able to take multiple steps right towards sort of accomplishing very complex tasks, then you start to really have to factor in how human oversight becomes critically essential. Right. And it's a powerful thing that these agents are able to perform what they can. Like to be able to automate tasks from end to end at agent scale, not human scale. And we believe having a human in the loop is important. But I think that model for how we inject a human in the loop across the distributive process is also, we'll have to rethink that. Right. Because it's not just about having a human in the loop to understand are there other hallucinations or are there inadvertent actions? But having humans play a role, help create these guardrails and processes where we have the ability to sort of reverse and roll back actions taken by those agents. Otherwise I think we're going to really see sort of the risk being like magnified.
B
What about recovery time? The report points out that there are a lot of leaders out there who worried that recovery time is increasing. They're looking at days instead of hours to recover. What does identity centric practices, how do they play into this? How can you help shorten these recovery times?
C
I think having good hygiene in the environment becomes really important. Right. First and foremost, let's think about. Right. Organizations today focus on, I would say legacy KPIs, right. They report on KPIs, not wrong, not bad. But if you look at a lot of organizations that have been compromised, they all followed process, they followed audits, met all their compliance requirements, put a lot of security measures in place. Many actually adopted some level of zero trust architecture. But I think we need to make sure that we're also focusing on proper security hygiene internally. Right. So let's kind of think about like, you know, what this looks like in terms of understanding the environment. Right. I think we need to start making sure that they're prioritizing an accurate up-to-date understanding of all identities in their environment specific to recovery time. Right. Because nominally what we put down as an RPO, for example, is not what, what is happening in practicality today in many organizations. So one thing we'd like to think about is let us evolve the KPIs especially specific to recovery time as part of this report around identity, human and non-human identities. Really bucketing this into I would say three categories. One being let's look at the traditional RTO capability, but reporting on MTTR, mean time to recover, specific to I would say like compromised identity infrastructure. So as you look at sort of the granularity today we have like an RPO number and an RTO number. But can we like actually get a little bit more granular around the specifics since we are talking about identity, what is the MTTR specific to your identity infrastructure? So this could be a real critical measure for CISOs that are actually looking to establish a baseline for identity resilience. Right. In order to be a little bit more informative, I mean, it must be based on some of the simulated recoveries of the identity infrastructure. Now based on real world recovery procedures.
How many organizations today think about recovery time by bringing in their identity infrastructure as part of that tabletop exercise? Probably very few. Second is actually thinking about recovery times from the perspective of resilience benchmarking against your industry peers. So what it takes for a, a hospital network versus a retail chain versus another manufacturing organization could be very different. And for a lot of CISOs to sort of start to really transform kind of what their recovery metrics are, what their resilience metrics are like, what they report on. It becomes important for them to understand what their peers are doing. Right. So we need to start thinking about baselining some of this and providing a measurement that's sort of relative to the industry because what healthcare does is different to manufacturing. And I think this is where we need to start educating boards and business leaders and the business themselves, business meaning like the business unit, on what is relevant to their industry and what are the benchmarks are and where they are.
B
Let's talk some practical solutions here. I mean, the report points out that there are a lot of companies who are switching their IAM providers. What's your advice to folks who are switching here? If I'm a security professional, are there pitfalls I should avoid? Are there things I should absolutely be looking for? What are your words of wisdom?
C
Switching IAM providers? Let's think about. I think first and foremost it's a recognition. Identity compromise without doubt is an attack vector of choice for threat actors. I think one key area where a lot of organizations have invested in from an identity perspective is cloud native identity infrastructures and solutions. The thing is, many of these were rarely designed with security in mind. They were designed with access in mind. So I think this is an area, if I had to impart any thoughts here, we need to start thinking about this from a perspective of being purpose built for this new paradigm that we're in. I think summarizing some of our conversation is I said thinking about switching IAM providers. Think about the type of identities in your organization that require protection. So they're no longer just your users bringing in your human users that are within your organization, your third party, your contractors, and now start bringing in your machine and agentic identities or your non human identities. So really start to think about what your attack surface looks like and what kind of solution or provider best enables that. And then finally I would say different solutions obviously provide a different range of capabilities. But go back to core zero trust principles. What are those core tenets? How does that align to your ability to enforce least privilege access, things like role based access control? So really insist on strong security controls for IAM systems. And as you're doing that this is non negotiable, right? But as you're doing that it is also really important to understand how these solutions and these providers are also going to align with your evolving initiatives. Right? If you're deploying AI and factor recovery and resilience into that, you take Active Directory for example. The manual process to recover Active Directory is fairly laborious and it's multi step.
How are you going to be able to ensure that you have a one click orchestrated recovery for that? How do we ensure that as they're thinking about all of this as well, that they're thinking about kind of what that minimum viable identity solution looks like? What is minimally viable for your organization should your identity be compromised for you to get back up and running?
B
That's Kavitha Mariapan from Rubrik. We are pleased to add Rubrik as well. The latest addition to our knowledge partners.
B
And finally, Chow Hai Bang's misadventure began with an unlikely prison friendship in South Korea. The sort that usually leads to exchanged life lessons, not international malware schemes. Years later, he found himself in the Dominican Republic, sponsored by his old cellmate Lee, who introduced him to SpyMax, a remote access Trojan dressed up as harmless Android apps. Chow became the unlikely star of a malware masterclass, recording tutorial videos that showed syndicate partners how to spy on phones, steal credentials and empty bank accounts. His lessons were effective enough for 129 Singaporeans to lose $3.2 million, though Chow himself earned barely $1,700 for his trouble. When the operation unraveled, he was arrested and extradited. Now sentenced to five and a half years, Chow stands as Singapore's first case of someone prosecuted not for writing malware, but for teaching it. Proof that in cybercrime, even being the tutorial guy carries serious consequences.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at TheCyberWire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Host: Dave Bittner (N2K Networks)
Guest: Kavitha Mariapan, Chief Transformation Officer, Rubrik
This episode delivers a snapshot of the latest cybersecurity threats, including persistent challenges like weak passwords, opportunistic attackers targeting critical infrastructure, and surging identity-driven risks for enterprises. Dave Bittner interviews Kavitha Mariapan of Rubrik, who breaks down the urgent need to adapt security practices to an evolving landscape where non-human identities and AI are redefining the threat surface.
(00:57 – 02:18)
"These actors are considered unsophisticated but opportunistic, using brute force attacks to access human machine interfaces with weak or default passwords, then modifying device settings, disabling alarms, and causing operational disruptions." – Dave Bittner (01:40)
(02:34 – 03:22)
"Attackers do not hack in – they authenticate in using credentials companies accidentally publish themselves." – Dave Bittner drawing on Flare's research (05:35)
"The case reflects growing federal enforcement against contractors that misrepresent cybersecurity compliance to win or retain government business." – Dave Bittner (08:46)
Interview Begins: (14:48)
(14:48 – 15:21)
"We definitely noticed an increase in the number of identity-based threats... so we decided to hyper-focus for the fall report." – Kavitha Mariapan (14:48)
(15:21 – 18:04)
(18:04 – 19:53)
"The 82 to 1 is actually just the tip of the iceberg. Right. In six months from now...that number is going to have scaled up." – Kavitha Mariapan (19:24)
(19:53 – 21:53)
"Having humans play a role, help create these guardrails and processes where we have the ability to reverse and roll back actions taken by those agents." – Kavitha Mariapan (21:31)
(21:53 – 25:35)
"Can we...get a little bit more granular around the specifics since we are talking about identity – what is the MTTR specific to your identity infrastructure?" – Kavitha Mariapan (23:25)
(25:54 – 28:21)
"Cloud-native identity infrastructures and solutions...were rarely designed with security in mind. They were designed with access in mind." – Kavitha Mariapan (26:21)
(29:49 – 31:22)
"Proof that in cybercrime, even being the tutorial guy carries serious consequences." – Dave Bittner (31:16)
For full stories and links, visit TheCyberWire.com.