Daily Cyber Threat Brief – Ep 1032
Host: Ben (DJ Bsec), filling in for Gerald Auger, Ph.D.
Date: December 23, 2025
Podcast: Simply Cyber – Daily Cyber Threat Brief
Overview
This episode delivers a rapid-fire rundown of the top cybersecurity news stories relevant to practitioners, analysts, and business leaders, with Ben offering his direct analysis on the impact and lessons from each incident. Topics include a massive Spotify scraping operation by hacktivists, an old ASUS vulnerability mysteriously surfacing in CISA’s KEV list, DDoS attacks impacting French public services, a sharp rise in phishing schemes targeting holiday shoppers, persistent Android malware in Central Asia, a WhatsApp API supply chain compromise, a major Interpol takedown, and South Korea’s new mobile registration biometric rules.
The episode mixes practical guidance, infosec context, and even some lighthearted Christmas and movie talk during the community Jawjacking segment.
Key Segments and Timestamps
1. [08:05] Spotify Music Library Scraped by “Hacktivists”
- Summary:
“Anna’s Archive,” a known pirate activist group, managed to scrape Spotify’s music library: 256 million rows of track metadata and 86 million audio files, totaling about 300 TB.
- Implications:
Ben clarifies the difference between black hats, white hats, and hacktivists: this group self-labels as hacktivists claiming to “preserve humanity’s musical heritage,” a dubious justification for copyright violation.
- Spotify’s Response:
Spotify confirmed the breach affected public metadata and some DRM-protected audio. Accounts involved have been shut down and additional protections added.
- Ben’s Take:
“Hey, I’m gonna steal all this stuff because of humanity. We need to preserve our knowledge and culture. That’s just crazy.” (09:12)
- Lessons:
This demonstrates the ongoing risks of data scraping even for publicly accessible platforms. Ben questions if Spotify’s mitigations are enough and jokes about someone spinning up their own “mini Spotify.”
2. [12:23] ASUS Live Update—Old Vulnerability Gets New Attention
- Summary:
CISA added an ASUS Live Update supply chain attack (dating back to 2018-2019) to its Known Exploited Vulnerabilities (KEV) list, now tracked as CVE-2025.
- Mystery:
Ben notes the oddity: “Why all of a sudden it’s in here, other than...government works very slowly.” (12:59)
- Reality:
The affected software has been end-of-life since 2021; no active exploitation reported.
- Actions:
Just ensure devices are up to date—if patched, there’s no present risk.
- Ben’s Recommendation:
“The moral of the story is you’re patching it. Make sure everything’s patched.” (13:56)
“You’re putting out a CVE for something that no longer really exists...these devices are those in all our bins in the corner.” (14:44)
3. [18:40] DDoS Attacks Disrupt France’s Postal and Banking Services
- Summary:
La Poste, France’s national postal service, experienced a suspected DDoS attack, impacting online platforms and mobile apps. La Banque Postale’s online banking was also affected, though core transactions (ATMs, payments) continued.
- Ben’s Analysis:
“Another day that ends in y, we have a DDoS attack.” (19:15)
Criticizes the lack of DDoS mitigation (Cloudflare, Azure DDoS) for critical services. “Why are these things not behind some type of DDoS system, especially as a government service?” (19:28)
- Impacts:
Timing just before Christmas increased the disruption.
- Technical Note:
Ben explains how CDNs like Cloudflare work to mitigate such attacks (“French endpoint for French users, U.S. endpoint for Americans, etc.”) (21:10)
4. [24:19] Fake Delivery Websites and Holiday Phishing Surge
- Summary:
Holiday season brings an 86% rise in fake delivery phishing sites, with DHL most spoofed; fake USPS scams spike 850%. Attackers use urgency around packages to phish personal and financial data.
- Ben’s Security Guidance:
“A new holiday, a new phishing scam.” (25:02)
Emphasizes ongoing user awareness—don’t click links in unexpected texts/emails; mouse-over URLs and verify via vendor websites.
- Techniques:
Heavy use of “smishing”—phishing via SMS—exploits users on mobile devices. “They just want someone to click on it. That’s it. They’re looking for one person to be the guinea pig. Don’t make it you.” (27:51)
- FTC Data:
$470 million lost to text message fraud in 2024.
5. [33:12] Android SMS Stealer Malware Hits Uzbekistan
- Summary:
Group IB reports advanced SMS stealer campaigns distributing Android malware, primarily via Telegram, targeting Uzbek users. The malware steals banking credentials/funds and self-propagates through compromised Telegram accounts.
- Ben’s Commentary:
“This one’s a little nasty...it’s pretty crazy when we read into this.” (33:50)
Describes how side-loaded APKs grant persistence and wide access—difficult to remove and can turn phones into botnets.
- Key Point:
Attack focuses on Android’s openness; iPhones are less susceptible due to stricter app controls.
- Caution:
“Put a bookmark on this one and let’s see what happens over the next couple of months.” (37:20)
6. [40:29] Malicious WhatsApp NPM Package “Lotus Bail”
- Summary:
Coy Security finds a malicious NPM package, “Lotus Bail,” impersonating a WhatsApp API library. Over 56,000 downloads; it can steal WhatsApp messages, contacts, and auth tokens, and maintains persistent access even after deletion unless manually revoked.
- Ben’s Analysis:
“Good lord. Another one. Fake WhatsApp API package on NPM steals messages, contacts and login tokens. Sounds like another...So we were just doing Telegram, now we’re doing WhatsApp.” (41:10)
- Technical Insight:
The malware:
- Functions as advertised, so it passes static code analysis,
- Installs a backdoor via WebSocket wrapper,
- Exfiltrates encrypted data so outgoing traffic looks legitimate.
- Practical Advice:
“If you are using WhatsApp, go and look at your settings and find out if there’s devices connected to it that you have no clue about.” (44:50)
- Broader Concern:
Highlights the growing risk of third-party packages in the supply chain—traditional security tools and reputation scores fail when malware is concealed in functional code. “Supply chain attacks are not slowing down. They’re getting better. And that is, for me, the crux of everything…” (46:22)
7. [51:54] INTERPOL’s Operation Sentinel: Major Ransomware Busts
- Summary:
Operation Sentinel, a law enforcement effort in Africa, took down 6,000 malicious links, decrypted six ransomware strains, arrested 574 individuals, recovered $3M, and disrupted over $20M in fraudulent operations.
- Ben’s Take:
“Interpol coordinated an initiative...that led to the arrest of 574 individuals. And they recovered about $3 million linked to business email compromise, extortion, and ransomware...even better...they were able to decrypt six distinct ransomware variants. That in itself is amazing.” (52:37)
- International Collaboration:
Trend Micro, Shadowserver, and more aided the investigation.
- Encouragement:
“That, that right there...kind of gives you a little bit of hope...Interpol is in the back going, Don’t worry, we got you.” (54:37)
8. [56:58] South Korea Requiring Facial Recognition for Mobile Registration
- Summary:
After a massive SIM data breach at SK Telecom, South Korea will require facial recognition to register new mobile phone numbers—intended to fight identity theft and phone-based scams.
- Privacy Debate:
Ben weighs pros (tying numbers to real identities, reducing fraud) against cons (privacy, intrusion, “Demolition Man”/social credit dystopia). “Not sure how I feel about this...it's kind of like impeding on privacy. Right. Because now...you’re scanning my face...” (57:34)
“This is great...if you send me a bad message, I want you to get got. But I also know that I’m not a bad person...so why do you need my face?” (63:08)
Notable Quotes & Moments
- On Hacktivist Justification:
“Hey, I’m gonna steal all this stuff because of humanity. We need to preserve our knowledge and culture. That’s just crazy.” – Ben, (09:12)
- On the Persistence of DDoS:
“Another day that ends in y, we have a DDoS attack.” – Ben, (19:15)
- On Holiday Phishing:
“A new holiday, a new phishing scam.” – Ben, (25:02)
- On Supply Chain Threats:
“Supply chains, supply chain attacks are not slowing down. They’re getting better. And that is, for me, the crux of everything...” – Ben, (46:22)
- On Static Analysis Blindspots:
“Traditional security doesn’t catch this, right? But static analysis sees the working WhatsApp code and approves it...The malware hides in the gap between: the code works and the code only does what it claims.” – Ben, (47:57)
- On Burnout in Cybersecurity:
“The best advice I can give you on burnout is you have to figure out how to disassociate with everything...get away from the stuff, walk away from the computer, go outside, touch grass...Burnout is not good for your health at all.” – Ben, (68:54)
Community Q&A & Jawjacking [63:08+]
- Open conversation around privacy, mass surveillance (Flock cameras, facial recognition, social credit), the impact of surveillance tech, and balancing security v. privacy.
- Shared tips for handling burnout and stress in security roles.
- End-of-show pivot to holiday and Christmas movie traditions (Home Alone, Elf, Christmas Story, etc.), with good-natured chat banter.
- Memorable line on privacy:
“Do you want to prioritize privacy or do you want to prioritize security? In all reality, that’s the question we as practitioners ask every day.” (73:44)
Summary Table of Stories (with Start Times)
| Story | Summary | Key Lessons | Timestamp |
|-------|---------|-------------|-----------|
| Spotify scraped | Pirate group steals 256M metadata rows, 86M audio files | Data scraping risks, hacktivism justification | 08:05 |
| ASUS CVE | Old vulnerability added to KEV | Patch your legacy stuff, don’t assume old bugs don’t matter | 12:23 |
| France DDoS | Postal/banking DDoS outages | Importance of DDoS protection, CDN role | 18:40 |
| Fake Delivery Phishing | 86% spike during holidays | User awareness is critical; phishing tactics evolve | 24:19 |
| Uzbek Android Malware | SMS stealers via Telegram | Risks with APK/sideloading, Android vs iPhone, propagates via contacts | 33:12 |
| WhatsApp NPM malware | 56K+ downloads of malicious “Lotus Bail” API | Supply chain/integrity risks, static analysis limits | 40:29 |
| Interpol Sentinel | 574 arrests, $3M recovered, ransomware decrypts | Success of multinational initiatives | 51:54 |
| South Korea Mobile/Biometrics | Facial recognition for SIM registration | Security/privacy balance, response to big breach | 56:58 |
Tone and Approach
Ben’s tone is frank, collegial, slightly irreverent, and highly practical—he doesn’t sugarcoat story implications and mixes in humor (especially for dubious hacktivist claims or “yet another DDoS”). He wants listeners to learn applicable lessons (“bookmark this one for the future,” “always patch,” “check your accounts for abnormal devices”). The community focus is on encouraging practitioners to keep improving while not being afraid to admit what they don’t know.
Actionable Takeaways
- Always patch and retire unsupported devices.
- Educate users repeatedly about phishing—especially around holidays.
- Monitor for suspicious devices linked to key communication apps.
- Evaluate third-party packages before integrating them—don’t trust high downloads or basic scans alone.
- Privacy and security are in tension—be clear about organizational and personal priorities.
- Handle burnout by unplugging and reconnecting with the offline world.
For Next Time
Ben will return for the Christmas Eve episode, with more news and a potential “virtual snowball fight” for the community. Daniel Lowry steps in next week as Ben returns to work.
End of summary. For full actionable context, see specific timestamps above.
