CyberWire Daily: "When Preview Pane Becomes Preview Pain"

Date: December 10, 2025
Host: Dave Bittner (A)
Guest: Dick O’Brien, Principal Intelligence Analyst, Symantec & Carbon Black Threat Hunter Team (B)

Episode Overview

This episode delivers a brisk roundup of the latest cyber threats and enforcement actions, with a special focus on a renewed phishing campaign leveraging fake party invitations. The featured guest, Dick O’Brien, dives deep into the evolution and technical nuances of these attacks, particularly the abuse of legitimate remote monitoring tools. The episode wraps with a satirical look at the Pentagon’s launch of an “AI-powered” chatbot for internal use.

Key News & Analysis

Microsoft December Patch Tuesday (03:13)

• 57 vulnerabilities patched, 30 of them labeled critical.
  • Only one is actively exploited: A use-after-free flaw in the Windows Cloud Files Mini Filter driver (allows privilege escalation).
  • Other notable fixes:
    • Mini Filter driver bug of similar severity.
    • Public command injection vulnerabilities in JetBrains Copilot and PowerShell.
    • 13 Office vulnerabilities: Two high-severity RCEs via the preview pane.
    • Adobe: Nearly 140 fixes, spanning ColdFusion and Experience Manager, mostly RCE, XSS, and component vulnerabilities.
    • Major industrial vendors (Siemens, Schneider Electric, Rockwell, Phoenix Contact) issued advisories.
    • Google Gemini Enterprise: Patched a prompt injection allowing hidden instructions for automated data exfiltration.
    • Fortinet: 18 vulnerabilities, including auth bypass in Fortacloud SSO login.
• Notable Quote:

  “Microsoft says it has seen in-the-wild activity but has not shared attack details.” (03:25)

International Prosecutions Update (04:59)

• Houston Man Smuggled Nvidia Chips to China:
  • Allen Ho Hsu pleaded guilty to illegally exporting $160 million worth of H100 and H200 GPUs to China, falsifying shipping documents, and moving $50M in payments. Linked to “Operation Gatekeeper.”
• Ukrainian Charged for Targeting Critical U.S. Infrastructure:
  • Victoria Dubronova, allegedly tied to Noname, O5 716, and “Cyber Army of Russia Reborn” groups, accused of attacks on water, election, and nuclear systems.
  • Noname ran state-sanctioned DDoS (DDoSia tool); CARR conducted hundreds worldwide, including causing an ammonia leak at a LA facility.
  • Dubronova pleaded not guilty.
• Atlanta Activist Indicted for Phone Wipe:
  • Samuel Tunick charged with deleting data from his phone ahead of a CBP search.
  • Notable as such device-wiping charges at ports of entry are rare.
  • Raises questions on digital privacy at borders.

Power Sector Cyber Readiness (07:33)

• Cyber threats in energy sector doubled in two years.
  • Only 36% of surveyed entities regularly test cyber measures.
  • Top risks: supply chain exposure, smart meters, IT/OT convergence, human error.
• Expert Note:

  "The power sector’s rapid digital transformation is boosting efficiency, yet cyberattacks are growing faster than utilities can respond." (07:34)

Spiderman Phishing Kit Emerges (08:29)

• New “Spiderman” phishing kit propagating on the dark web:
  • Mimics dozens of European banks and crypto platforms.
  • Collects credentials and additional sensitive data in real time (e.g., credit cards, OTPs).
  • 750+ members on the seller’s forum.
  • Built-in geo-blocking and anti-detection features.
• Prediction: Facilitates broader, more efficient real-time financial fraud campaigns across Europe.

Healthcare Breaches (09:28)

• 520,000+ records exposed in Vitus Hospice Services and Tricentury Eye Care hacks.
  • Intrusions exploited vendor accounts and network vulnerabilities.
  • Data included personal, medical, and insurance details.
  • Both organizations implemented enhanced security and notified authorities.

Interview: Dick O’Brien on the “Party Invite” Phishing Campaign (13:06–21:05)

The Campaign’s Novelty (13:30)

• Attackers reviving old tactics: Themed phishing lures tied to holidays/events (absent for nearly a decade).

• Typically, recent phishing masquerades as routine business (receipts, invoices, tax, meetings).

  Quote:

  “We would always see phishing campaigns built around current events, and it’s kind of died off. So it’s unusual or interesting to see attackers take up this tactic again.” – Dick O’Brien (13:31)

Anatomy of the Attack (14:45)

• The Lure:

  • Simple, short emails with a link promising more info/download (the party “invite”).
  • Clicking starts the malicious chain: First, a trojan installer is dropped, which then deploys additional attack tools.
  • Notable tactic: Use of legitimate remote management (RMM) tools to maintain control.

  Quote:

  “The main goal is to get you to click on a link...that’s when the party starts from the attacker’s perspective.” – Dick O’Brien (14:51)

Remote Management Tools as Backdoors (15:27–16:27)

• RMM tools are attractive to attackers because:

  • They are used for valid network management.
  • When attacker-controlled, they serve as effective backdoors: install new tools, exfiltrate data, and mask traffic with encryption.

• Notable: Attackers install multiple RMM tools on a single compromised system — a tactic possibly motivated by redundancy or evasion.

  Quote:

  “These tools...have a lot of legitimate use cases...But from an attacker perspective, they’re effectively a backdoor.” – Dick O’Brien (15:46)

Attackers’ Motives & Targets (16:27–18:03)

• Main goal: Achieve persistence and sell access (“access brokers”) to other criminal groups (e.g., ransomware).

• Targets: Largely broad and opportunistic (“scattershot”), hoping to find big fish.

  Quote:

  “They’re casting a wide net, and then...hope they will turn over some interesting victims.” – Dick O’Brien (17:39)

Defense Recommendations (18:48–19:44)

• Organizations using RMMs:

  • Audit what’s running; unsanctioned RMM tools should be purged.
  • Multiple RMM installs = major red flag.
  • Act quickly if unauthorized tools are found.

  Quote:

  “Anything that is not a sanctioned tool within your organization should be gone.” – Dick O’Brien (19:02)

New Tactics in Tool Use (19:50–20:49)

• Attackers deploy several RMM tools over time, in intervals:

  • Possibly due to expiring free trials, but more likely to ensure persistence (redundancy).
  • When one tool is removed, another remains.

  Quote:

  “If one is detected and deleted, they’re going to have something to fall back on...” – Dick O’Brien (20:51)

Pentagon’s New “Killer Chatbot” Announcement (21:27)

• Sec. of War Pete Hegseth introduced “Genai Mil” with dramatic flair, likening it to a weapons rollout.

  • In effect, it’s a repurposed Google Gemini chatbot mostly handling spreadsheets and document formatting.
  • Pentagon touts this as a leap in military lethality and U.S. “Manifest Destiny” in AI.
  • Satirical Note:
    • Despite promises to 3 million users, platform was down at launch, “the first recorded instance of a battlefield AI retreating before it ever deployed.”

  Memorable Quote:

  “Office automation as an existential race for global dominance...formatting documents at unprecedented speed will somehow make the US Military more lethal than ever.” (21:31)

Key Timestamps

• [03:13]: Patch Tuesday Rundown
• [04:59]: Federal Prosecutions (Nvidia smuggling, Russian-linked attacks, phone-wiping case)
• [07:33]: Power Sector Threats
• [08:29]: New “Spiderman” Phishing Kit
• [09:28]: Healthcare Breaches
• [13:06]: Interview: Dick O’Brien
  • [13:30]: Significance of new phishing lures
  • [14:45]: Attack mechanics
  • [15:27]: Use of RMM tools
  • [16:27]: Attacker motivations
  • [18:48]: Security recommendations
  • [19:50]: Rotating multiple RMM tool usage
• [21:27]: Pentagon “killer chatbot” segment

Notable Quotes

• “We would always see phishing campaigns built around current events, and it’s kind of died off. So it’s unusual or interesting to see attackers take up this tactic again.” – Dick O’Brien (13:31)
• “The main goal is to get you to click on a link...that’s when the party starts from the attacker’s perspective.” – Dick O’Brien (14:51)
• “These tools...have a lot of legitimate use cases...But from an attacker perspective, they’re effectively a backdoor.” – Dick O’Brien (15:46)
• “Anything that is not a sanctioned tool within your organization should be gone.” – Dick O’Brien (19:02)
• “Office automation as an existential race for global dominance...formatting documents at unprecedented speed will somehow make the US Military more lethal than ever.” – Host (21:31)

Tone & Style

The episode combines clear, informative security news analysis with expert commentary that is practical but conversational. The host’s quips and dry satire—particularly regarding the Pentagon’s “killer chatbot”—lend the show both authority and levity.