Daily Cyber Threat Brief: December 18, 2025 (Ep 1029) – Summary
Episode Overview
Theme:
In this fast-paced episode, Gerald (“Jerry”) Auger, Ph.D., leads a lively walkthrough of the day's major cybersecurity news, pulling in his decades of practical GRC and security operations experience. The show aims to equip listeners—from solo operators to aspiring GRC professionals—with real-world context, actionable takeaways, humor, and community insight. The second half features “jawjacking” Q&A with co-host Daniel Lowry, bringing career advice and practical tech talk.
Key Stories & Insights
1. FTC Orders Crypto Platform Nomad to Repay Users After $186 Million Hack
[13:19 - 20:29]
- What happened? The FTC is forcing Nomad, a crypto bridge, to repay $37.5 million after a 2022 hack that drained $186 million, due to "inadequately tested code" being pushed to production.
- Key details:
  - Company marketed itself as “security-first.”
  - Customers will get about 30 cents on the dollar, years after the breach.
  - Nomad must improve security and stop misrepresenting its protections.
- Jerry’s take: “This $186 million… customers lost about $100 million, total, right? …you’re gonna get 30 cents on your dollar, four years after the incident.” (15:52)
  Jerry critiques both the company’s lax code processes and the slow, partial restitution, warning fintech listeners that “if you f around, you’re gonna find out just like this company did.” (17:31)
- Advice: Use this as a warning in your org: even “subjective” failures in code testing can provoke major regulatory action.
2. React to Shell Vulnerability Used for One-Minute Ransomware Attacks
[20:29 - 26:28]
- What happened? Attackers are exploiting an unpatched React to Shell bug and landing ransomware within a minute: disabling protections, deploying Cobalt Strike, encrypting files, and deleting logs, all without lateral movement.
- Insights:
  - Patching alone may not be sufficient, because the vulnerable code is pulled in through component dependencies.
  - It is critical to understand the actual order of operations: attackers disable defenses first, then pull down malware, not the other way around.
- Jerry’s breakdown: “There’s no way you detonate ransomware first and then disable security tools. That’s stupid. …First thing you’re doing is disabling security tools—knock the Doberman Pinschers out.” (22:41)
  Clear explanation of lateral movement and root cause, urging listeners not to “YOLO” production code and to audit their detections for these key attack behaviors.
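The order-of-operations point above (defenses go down first, then the payload arrives) is something a detection engineer can turn into a hunting rule. The following is an added example, not code from the episode or from any vendor product: it takes constructed endpoint telemetry (the event categories, hostnames and IPs are illustrative, not real indicators) and flags hosts where a defense-tampering event is followed within a short window by payload staging on the same host.

```python
"""Hunt for the "disable defenses, then stage payload" sequence.

Added example for illustration; event schema and sample data are constructed.
Event records are (timestamp, host, category, detail).
"""
from datetime import datetime, timedelta

# Constructed sample telemetry. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, used here only as placeholder addresses.
SAMPLE_EVENTS = [
    ("2025-12-18T09:00:05", "web-01", "process_start", "node server.js"),
    ("2025-12-18T09:00:12", "web-01", "defense_tamper", "EDR service stopped"),
    ("2025-12-18T09:00:20", "web-01", "network_download", "GET /payload.bin from 203.0.113.10"),
    ("2025-12-18T09:00:41", "web-01", "process_start", "unknown_binary.exe"),
    ("2025-12-18T09:15:00", "web-02", "network_download", "GET /update.zip from 198.51.100.7"),
    ("2025-12-18T09:40:00", "web-02", "defense_tamper", "AV real-time scanning disabled"),
]

# Hypothetical category names; map these to whatever your EDR or SIEM emits.
TAMPER_CATEGORY = "defense_tamper"
STAGING_CATEGORIES = {"network_download", "process_start"}


def find_tamper_then_stage(events, window_seconds=120):
    """Return a list of (host, tamper_time_iso, staging_category, detail)
    for every staging event that follows a defense-tamper event on the
    same host within window_seconds.

    A download or process start that happens *before* the tamper event
    (as on web-02 in the sample data) is deliberately not flagged: the
    sequence, not the individual events, is the signal.
    """
    by_host = {}
    for ts, host, category, detail in sorted(events, key=lambda e: e[0]):
        by_host.setdefault(host, []).append(
            (datetime.fromisoformat(ts), category, detail)
        )

    hits = []
    window = timedelta(seconds=window_seconds)
    for host, host_events in by_host.items():
        for index, (tamper_time, category, _detail) in enumerate(host_events):
            if category != TAMPER_CATEGORY:
                continue
            # Walk forward in time from the tamper event; stop once we
            # leave the window, since events are sorted per host.
            for later_time, later_category, later_detail in host_events[index + 1:]:
                if later_time - tamper_time > window:
                    break
                if later_category in STAGING_CATEGORIES:
                    hits.append((host, tamper_time.isoformat(), later_category, later_detail))
    return hits


def flagged_hosts(events, window_seconds=120):
    """Convenience wrapper: the set of hosts that show the sequence."""
    return {hit[0] for hit in find_tamper_then_stage(events, window_seconds)}


if __name__ == "__main__":
    for host, when, category, detail in find_tamper_then_stage(SAMPLE_EVENTS):
        print(f"{host}: defenses tampered at {when}, then {category}: {detail}")
```

On the constructed data only web-01 is flagged (twice: the download and the new process both land within two minutes of the EDR service stopping), while web-02, whose download precedes the tampering, is not. Tune the window and the category mapping to the telemetry you actually collect; the point is to alert on the sequence rather than on each event in isolation.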
3. Ukrainian Call Center Fraud Ring Busted
[26:28 - 30:08]
- What: European law enforcement dismantled Ukrainian call centers that scammed victims out of more than $11.7 million by posing as police and bank officials.
- Takeaways:
  - Callers were incentivized with a 7% cut (bonuses went unfulfilled).
  - Schemes could migrate to other regions.
  - Locating the operation near active war zones was meant to deter law enforcement.
- Jerry’s reaction: “This is just a modern day racketeering, like mob, you know, scam thing.” (28:14)
- Advice: Remind friends and family that real banks, doctors and police will never demand urgent action via phone or text.
4. French Ministry Email Accounts Breached – Judicial/Police Data Accessed
[30:08 - 35:43]
- What: Attackers accessed internal email accounts, confidential files, and wanted-persons data for several days; no ransom was demanded.
- Jerry’s concern: He pushes back on official statements that “no lives were at risk,” arguing that impact is not always immediate or obvious: “The impact of this attack has not yet been realized or its potential… To say it right after the attack is… poppycock.” (34:23)
- Lesson: Practice robust data governance and proper incident disclosure; don’t make unproven assurances in the early aftermath.
5. Malicious Firefox Extensions Infect 50,000 Users
[40:50 - 47:52]
- What: The “Ghost Poster” campaign hid malware in the logo images of extensions (VPNs, ad blockers, weather tools, etc.), deploying user tracking, backdoors, and affiliate hijacking.
- Takeaways:
  - Extensions run JavaScript on the client side with broad reach into whatever the user browses, so a malicious one can do deep damage.
  - The malicious code executed on only about 10% of runs, which reduces the odds of detection.
  - Mozilla delisted the extensions, but existing installs remain affected until users remove them.
- Jerry’s reflection: “Given enough time, [threat actors] will do it. …I would love to see a higher standard for browser extension review approval.” (46:34)
- Advice: Only install essential, highly vetted browser extensions; malicious add-ons are a mounting risk vector.
6. Microsoft Patch Breaks MSMQ on Windows 10
[47:52 - 53:47]
- What: The December 2025 update broke Message Queuing (MSMQ), halting dependent services unless the patch is removed, but removing it means those systems lose the security updates.
- Jerry’s counsel: “This is a perfect real-life example where you have to… figure out, what do you do? You can fix the problem and get the technology back up, but then you lose security patches.” (48:30)
  This is risk-based decision making: business-critical functions may need compensating controls if a patch disrupts core operations, while low-value systems can wait.
  Compare with the notorious “EternalBlue” situation: use severity and exploitability to decide where to “die on the hill.”
7. ISACA Chosen as Sole Trainer for CMMC Certification
[53:47 - 60:48]
- What: DoD appoints ISACA as the exclusive organization to train, certify and credential contractors under the CMMC program. Over 200,000 organizations need certification by 2028.
- Jerry’s analysis: “Whoever scored this deal for ISACA is definitely given more than Jelly of the Month Club for a Christmas bonus this year. This is bananas, bro.” (54:32)
  He details the “racket” nature of becoming an authorized auditor (C3PAO status is hard to obtain and tightly controlled).
- Key point: “There’s going to be an… explosion of GRC people… our day has come!” (56:15)
  Listeners in GRC: prepare for opportunity, but beware of gatekeeping and high barriers to entry.
8. Meta AI to Use Chat Data for Ad Targeting – No Opt-Out
[60:48 - 63:25]
- What: Meta changed its policy so that AI chat interactions are now used to customize ads across Facebook, Instagram, WhatsApp and Messenger. There is no opt-out.
- Why is this risky?
  - Chat conversations may leak sensitive details (health, finances, religion, etc.) into ad profiling.
  - Proxy signals could still reveal private information despite filtering.
- Jerry’s view: “This is like what Meta's business model is… I always think of marginalized, exploitable populations when I think of exploiting stuff like this.” (61:42)
- Warning: Users already in vulnerable states could be targeted even more invasively.
Community and Career Insights (Jawjacking with Daniel Lowry)
Format: Rapid-fire Q&A, career coaching, tech troubleshooting, playful banter.
Standout Career Questions
- “Is it worth it to keep Security+ active if I have 5+ years and plan on CISSP?”
  “Right now I’d probably lean toward yes because of how tough the job market is… you want to stay razor sharp ready for the next job.” (66:50)
- Job search advice for new Security+ grads:
  “One of the best things you can do… is know somebody. Build your network.” (72:29)
  Don’t just blast LinkedIn; make meaningful connections.
  Start a study group, join Discords, write blogs; give people a chance to see your knowledge.
- GRC career starter: Jerry’s GRC Master Class is recommended by Daniel as a great entry point for those with limited experience.
- Breaking into AI security: Learn the foundations of AI first (try the OWASP LLM Top 10 and Gandalf), then move into the security aspects.
- GRC interview prep: Use AI for mock interviews, be personable and stay current on recent topics; success is often about culture fit and knowledge of recent trends.
Memorable Quotes & Moments
- Crypto scam restitution: “You’re going to get 30 cents on your dollar four years after the incident. …it’s just a bad taste in everybody’s mouth.” — Jerry (15:52)
- React ransomware attack sequence: “There’s no way you detonate ransomware first and then disable security tools. That’s stupid.” — Jerry (22:41)
- On browser extension threats: “Given enough time, [threat actors] will do it. …I would love to see a higher standard for browser extension review approval.” — Jerry (46:34)
- ISACA lands CMMC contract: “This is bananas, bro.” — Jerry (54:37)
- Meta AI ad targeting: “I always think of marginalized, exploitable populations when I think of exploiting stuff like this.” — Jerry (61:42)
- Job advice from Daniel: “Best thing you can do in this market is… knowing people—build your network… that’s going to be your number one option.” — Daniel (72:29)
- On passing certs via training courses: “No matter what you do, follow the rabbit trails… supplement what you didn’t get first time through the trough.” — Daniel (77:55)
Timestamps for Key Segments
| Segment                             | Start | End   |
|-------------------------------------|-------|-------|
| Opening & Community Intro           | 00:01 | 13:19 |
| Crypto FTC order - Nomad            | 13:19 | 20:29 |
| React to Shell ransomware           | 20:29 | 26:28 |
| Ukrainian fraud call centers busted | 26:28 | 30:08 |
| French ministry breach              | 30:08 | 35:43 |
| Meme of the Week                    | 36:30 | 40:50 |
| Malicious Firefox extensions        | 40:50 | 47:52 |
| Microsoft MSMQ patch breakage       | 47:52 | 53:47 |
| ISACA and CMMC certification        | 53:47 | 60:48 |
| Meta AI privacy policy              | 60:48 | 63:25 |
| Jawjacking Q&A                      | 65:17 | End   |
Notable Community Moments
- Meme of the Week by Haircut Fish (36:30): “Future Jerry, one week into vacation,” humorously roasting Jerry’s anticipated Magic card deep-dive during his holiday.
- Solo operator shoutout: “You don’t have to be alone because the Simply Cyber community is always here…” (05:44)
- CPE tip: Record and screenshot your participation for certification maintenance.
- Support for Cyber Security Cares Telethon: The community promoted an annual charity event at 9:30am, bridging professional development with giving back.
Action Items / Takeaways
- For practitioners:
  - Patch React to Shell urgently and hunt for signs of compromise (especially .weax files and unexpected local processes).
- Audit browser extensions, restrict installs, and promote secure-by-design browser environments.
- Discuss business-vs-security trade-offs openly when critical patches impair operations; use compensating controls/monitoring as appropriate.
- For leadership/GRC:
- Track CMMC 2.0/ISACA changes; certification demand (and barriers) will increase rapidly.
- Use real-world restitution actions like FTC vs. Nomad as “teachable moments” with dev/leadership teams.
- For everyone:
- Be vigilant against AI-powered privacy incursions—expect more data monetization from platforms like Meta.
- Build genuine relationships—career opportunity often comes from strong networks, not just certifications.
In the Hosts’ Own Words
“Every single episode we go through about eight stories and I have no idea what they’re going to be. …I promise…to not only give you the story…but give you additional value so you can utilize it and not have to experience it or learn it on your own the hard way.” — Jerry (03:12)
“Knowing people is going to help you out the most. Just going to throw that—whether it’s good, bad, or indifferent. That is beside the point. The point is, that’s going to be your number one option right there.” — Daniel on job hunting (72:29)
Listen for:
- Expert color commentary on the real-world impact behind headlines.
- Career tips, community humor, practical analogies (from FDIC insurance to Doberman analogies), and authenticity.
- A welcoming, inclusive community vibe—plus the occasional Magic card or bar fight anecdote.
This summary captures all the mission-critical insight and memorable moments from Ep 1029, December 18, 2025. Ideal for cyber practitioners, newcomers, and leaders seeking actionable context—and a daily shot of cyber camaraderie.
