
Weak passwords meet strong motives
CISA warns that pro-Russia hacktivist groups are targeting US critical infrastructure. Google patches three new Chrome zero-day vulnerabilities. North Korean actors exploit React2Shell to deploy a new backdoor. Researchers claim Docker Hub secret leakage is now a systemic problem. Attackers exploit an unpatched zero-day in Gogs, the self-hosted Git service. IBM patches more than 100 vulnerabilities across its product line. Storm-0249 abuses endpoint detection and response tools. The DOJ indicts a former Accenture employee for allegedly misleading federal customers about cloud security. Our guest is Kavitha Mariappan, Chief Transformation Officer at Rubrik, talking about understanding & building resilience against identity-driven threats. A malware tutor gets schooled by the law.
Today is Thursday December 11th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
CISA warns that pro-Russia hacktivist groups are targeting US critical infrastructure.
The US government is warning that pro-Russia hacktivist groups are targeting US critical infrastructure, attempting to access operational technology systems through poorly secured, internet-facing VNC connections. An advisory from the FBI, CISA, NSA, and international partners identifies four main groups — Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16 — which have recently targeted water and wastewater facilities, food and agriculture, and the energy sector. These actors are considered unsophisticated but opportunistic, using brute-force attacks to access human-machine interfaces with weak or default passwords, then modifying device settings, disabling alarms, and causing operational disruptions. Some groups show ties or indirect alignment with Russian state interests, with CARR in particular linked by researchers to the GRU. The DOJ has also announced related indictments. Although current impacts have been limited, authorities warn the activity could escalate. CISA urges OT operators to harden authentication, reduce internet exposure, and strengthen recovery plans.
Global cybersecurity agencies have issued their first unified guidance on using artificial intelligence in critical infrastructure, signaling a shift from theory to practical safeguards. The document warns that AI introduces new safety and reliability risks for operational technology, including model drift and unsafe process changes. Agencies stress that large language models should not make safety decisions. They recommend strong architectural boundaries, push-based data flows, and human oversight. The guidance urges operators to demand transparency from vendors and maintain manual skills as AI adoption expands.
Google patches three new Chrome zero-day vulnerabilities.
Google has issued patches for three new Chrome zero-day vulnerabilities, including a high-severity flaw already exploited in the wild. The primary zero-day, tracked only as 466192044, has no CVE and remains under coordination, with details withheld until most users update or dependent third-party libraries are fixed. The update also addresses two medium-severity issues: CVE-2025-14372, a use-after-free in Password Manager, and CVE-2025-14373, an inappropriate implementation in the Chrome Toolbar. This marks Chrome’s eighth zero-day exploited in 2025.
North Korean actors exploit React2Shell to deploy a new backdoor.
North Korea-linked actors are exploiting the React2Shell flaw, CVE-2025-555182, to deploy a new backdoor called EtherRAT, according to Sysdig. React2Shell is a maximum-severity deserialization bug in React Server Components that enables unauthenticated remote code execution and has been widely abused since its Dec. 3 disclosure. Sysdig recovered EtherRAT from a compromised Next.js app and reports traits consistent with Lazarus Group tooling, including similarities to BeaverTail. EtherRAT establishes persistent access and uses the Ethereum blockchain for command-and-control resolution through an “EtherHiding” technique. The backdoor regularly polls its C2, replaces its own code to hinder analysis, and uses multiple Linux persistence mechanisms. Sysdig urges immediate updates to patched React and Next.js versions and checks for EtherRAT’s persistence artifacts and unusual Ethereum RPC traffic.
Researchers claim Docker Hub secret leakage is now a systemic problem.
Flare’s research into Docker Hub shows that secret leakage is now a systemic problem, not an edge case. In one month of scanning, they found more than 10,000 container images with exposed credentials, affecting over 100 organizations, including a Fortune 500 and a major national bank. Forty-two percent of those images contained five or more secrets, often enough to unlock entire cloud environments, CI/CD pipelines, and databases. AI model keys were the most frequently leaked, with nearly 4,000 exposed, and many secrets came from shadow IT accounts outside corporate monitoring. Even when developers removed exposed secrets from images, 75% failed to revoke the underlying keys. Flare argues that modern breaches increasingly follow a new pattern: attackers do not hack in, they authenticate in, using credentials companies accidentally publish themselves.
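As an added example for the Docker Hub story above (this is not Flare's scanner or any code from the report), here is a minimal secret scanner that walks the layer tarballs of an exported container image, counts credential-shaped strings per image against the "five or more secrets" bucket, and flags files that a later layer deletes but that remain recoverable from image history. The key patterns beyond the well-known AKIA prefix and PEM private-key header, the `.env` assignment rule, and the sample layer contents are constructed for illustration.

```python
"""
Secret scanner for exported container image layers.

Added example for the Docker Hub leakage story; it is not Flare's
tooling. It walks each layer tarball of a `docker save`/OCI-style
export, matches credential-shaped strings in regular files, counts hits
per image against the "five or more secrets" bucket from the research,
and notes when a leaking file is whited out (deleted) in a later layer
while still being present in the image history.
"""
import io
import re
import tarfile

# Credential shapes. The AKIA access-key prefix and the
# "-----BEGIN ... PRIVATE KEY-----" header are well known; the "sk-"
# prefix and the KEY=value rule for .env files are illustrative assumptions.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "sk_prefixed_api_key": re.compile(rb"\bsk-[A-Za-z0-9]{20,}\b"),
    "private_key_block": re.compile(
        rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
    "env_secret_assignment": re.compile(
        rb"(?im)^[A-Z0-9_]*(?:SECRET|PASSWORD|TOKEN|API_KEY)[A-Z0-9_]*=\S+$"
    ),
}
SECRET_THRESHOLD = 5        # Flare's "five or more secrets" bucket
WHITEOUT_PREFIX = ".wh."    # OCI layer marker for a deleted path


def build_layer(files):
    """Create an in-memory layer tar from {path: bytes} (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scan_layer(layer_bytes, max_file_size=1 << 20):
    """Return (findings, whiteouts) for one layer.

    findings: list of (path, pattern_name), one entry per match.
    whiteouts: set of paths this layer marks as deleted.
    """
    findings, removed = [], set()
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r") as tar:
        for member in tar:
            head, _, base = member.name.rpartition("/")
            if base.startswith(WHITEOUT_PREFIX):
                real = base[len(WHITEOUT_PREFIX):]
                removed.add(f"{head}/{real}" if head else real)
                continue
            if not member.isreg() or member.size > max_file_size:
                continue
            data = tar.extractfile(member).read()
            for name, pattern in SECRET_PATTERNS.items():
                findings.extend((member.name, name) for _ in pattern.finditer(data))
    return findings, removed


def scan_image(layers):
    """Scan layers in order; a whiteout only hides files from earlier layers."""
    findings, deleted_later = [], set()
    for layer in layers:
        layer_findings, removed = scan_layer(layer)
        # A file found in an earlier layer that this layer deletes is still
        # recoverable from the image history, so keep the finding and mark it.
        deleted_later |= {path for path, _ in findings if path in removed}
        findings.extend(layer_findings)
    return {
        "findings": [(p, n, p in deleted_later) for p, n in findings],
        "secret_count": len(findings),
        "high_risk": len(findings) >= SECRET_THRESHOLD,
        "deleted_but_in_history": sorted(deleted_later),
    }


def scan_demo():
    """Constructed two-layer image: layer 1 ships secrets, layer 2 'deletes' .env."""
    layer1 = build_layer({
        "app/.env": (b"DB_PASSWORD=hunter2\n"
                     b"AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP\n"
                     b"OPENAI_API_KEY=sk-abcdefghijklmnopqrstuvwxyz\n"),
        "app/main.py": b"print('hello')\n",
        "root/.ssh/id_rsa": (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                             b"constructed-not-a-real-key\n"
                             b"-----END OPENSSH PRIVATE KEY-----\n"),
    })
    layer2 = build_layer({"app/.wh..env": b""})   # whiteout for app/.env
    return scan_image([layer1, layer2])


if __name__ == "__main__":
    report = scan_demo()
    for path, pattern, gone in report["findings"]:
        print(f"{path}: {pattern}{' (deleted in later layer)' if gone else ''}")
    print("secrets:", report["secret_count"], "high_risk:", report["high_risk"])
```

On the constructed image the scanner reports five findings, four of them in a file the final layer deletes, which is the point the research makes about removal without revocation: deleting the file from the image does nothing about the key itself, and here it does not even remove the bytes from the image history.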
Attackers exploit an unpatched zero-day in Gogs, the self-hosted Git service.
Attackers are exploiting an unpatched zero-day in Gogs, the self-hosted Git service, to gain remote code execution and compromise hundreds of Internet-facing servers. The flaw, CVE-2025-8110, abuses a path traversal weakness in the PutContents API, allowing symbolic links to overwrite files outside a repository and revive a previously patched RCE bug. Wiz Research found over 1,400 exposed Gogs servers, with more than 700 showing signs of compromise linked to automated attacks deploying Supershell-based malware. Users should disable open registration and restrict access immediately.
IBM patches more than 100 vulnerabilities across its product line.
IBM has released security updates addressing more than 100 vulnerabilities across its product line, including several critical flaws largely tied to third-party components. Storage Defender received fixes for six critical bugs in its Data Protect module, while IBM Guardium patched CVE-2025-48913, a Tomcat flaw enabling code execution. Additional critical issues were resolved in Maximo’s form-data library, Edge Data Collector’s Django SQL injection bug, and Instana’s Tomcat, libxml2, and WebKit components. IBM Db2 updates also addressed a critical Corosync flaw. Numerous other products received high- and medium-severity fixes.
Storm-0249 abuses endpoint detection and response tools.
Storm-0249, an initial access broker, is abusing endpoint detection and response tools and trusted Windows components to stealthily deploy malware and prepare environments for ransomware operators. ReliaQuest analyzed an attack where users were tricked through ClickFix social engineering into executing curl commands that installed a malicious MSI with SYSTEM privileges. The payload sideloaded a rogue DLL through SentinelOne’s legitimate SentinelAgentWorker.exe, allowing persistent, privileged execution that appears benign to security tools. The attacker then used Windows utilities for system profiling and funneled encrypted command-and-control traffic through the trusted EDR process. ReliaQuest notes the profiling aligns with ransomware group requirements and recommends behavior-based monitoring for unsigned DLL loading and tighter controls over curl, PowerShell, and living-off-the-land binaries.
The DOJ indicts a former Accenture employee for allegedly misleading federal customers about cloud security.
The Justice Department has charged Danielle Hillmer, a former product manager at Accenture Federal Services, with misleading federal customers about the security of a cloud platform intended for government use. According to the indictment, between March 2020 and November 2021 she obstructed auditors and falsely claimed the system met required controls under FedRAMP and the Department of Defense Risk Management Framework. Prosecutors say she hid security gaps, directed others to mask deficiencies during assessments, and provided false information to secure approvals, despite internal warnings that more than 100 controls were missing. Accenture says it self-reported the issue and is cooperating. The case reflects growing federal enforcement against contractors that misrepresent cybersecurity compliance to win or retain government business.
A malware tutor gets schooled by the law.
Cheoh Hai Beng’s misadventure began with an unlikely prison friendship in South Korea, the sort that usually leads to exchanged life lessons, not international malware schemes. Years later, he found himself in the Dominican Republic, sponsored by his old cellmate Lee, who introduced him to Spymax—a remote-access Trojan dressed up as harmless Android apps. Cheoh became the unwilling star of a malware masterclass, recording tutorial videos that showed syndicate partners how to spy on phones, steal credentials, and empty bank accounts.
His lessons were effective enough for 129 Singaporeans to lose S$3.2 million, though Cheoh himself earned barely US$1,700 for his trouble. When the operation unraveled, he was arrested in Penang and extradited. Now sentenced to five-and-a-half years, Cheoh stands as Singapore’s first case of someone prosecuted not for writing malware, but for teaching it—proof that, in cybercrime, even being the “tutorial guy” carries serious consequences.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.

