
Cyber shock to the oil trade.
Venezuela’s state oil company blames a cyberattack on the U.S. An Iranian hacker group offers cash bounties for doxing Israelis. Germany’s lower house of parliament suffers a major email outage. South Korea’s e-commerce breach exposes personal information of nearly all of that nation’s adults. Researchers report active exploitation of two critical Fortinet authentication bypass vulnerabilities, and three critical vulnerabilities in the FreePBX VoIP platform. An auto-industry credit reporting agency suffers a data breach. Google is shutting down its dark web reporting service. European law enforcement dismantles a Ukrainian fraud network. Our guest is Christiaan Beek, Senior Director Threat Intelligence & Analytics from Rapid7, discussing how attackers are accelerating exploitation, refining ransomware, and expanding nation-state operations. A Pornhub breach proves the internet never forgets.
Today is Tuesday, December 16th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Venezuela’s state oil company blames a cyberattack on the U.S.
Venezuela’s state oil company, PDVSA, reported a cyberattack on Monday and said operations were unaffected, though multiple sources said key systems remained down and oil cargo deliveries were suspended. PDVSA and the oil ministry blamed the United States, calling the incident part of efforts to seize control of Venezuela’s oil sector. A company source said the disruption stemmed from a ransomware attack detected days earlier, with antivirus efforts crippling administrative systems. Oil production, refining, and domestic distribution continued, but exports were hit, forcing staff to keep handwritten records and halting loading instructions. The incident comes amid rising U.S.-Venezuela tensions, including the recent U.S. seizure of a tanker carrying Venezuelan crude. As a result, exports have fallen sharply, millions of barrels remain stranded offshore, and several tankers have turned back.
An Iranian hacker group offers cash bounties for doxing Israelis.
An Iran-linked hacker group known as Handala has launched a campaign offering cash bounties for information on more than a dozen Israelis it claims are involved in developing Israel’s Patriot, Arrow, and David’s Sling air defense systems. The group published photos and extensive personal details of engineers and technicians, alongside explicit threats, including references to their families. A $30,000 bounty was offered for information on some targets, with additional lists offering $10,000 rewards. The data has spread widely on Arab media and Telegram, including via Hamas, though its accuracy has not been independently verified. The effort is part of Handala’s broader “RedWanted” doxing campaign, which has targeted nearly 200 Israelis since October. The group is widely assessed to have ties to Iranian intelligence and a history of cyber and leak operations.
Germany’s lower house of parliament suffers a major email outage.
Germany’s lower house of parliament suffered a major email outage on Monday, leaving lawmakers without access for more than four hours and prompting suspicions of a targeted cyberattack. The disruption coincided with sensitive U.S.-Ukraine discussions hosted in Germany, raising concerns about timing and intent. While technical details remain undisclosed, senior lawmakers have acknowledged an ongoing investigation, according to Reuters citing the Financial Times. The incident highlights persistent cyber risks to government institutions, particularly during periods of heightened geopolitical activity and diplomatic engagement.
South Korea’s e-commerce breach exposes personal information of nearly all of that nation’s adults.
Coupang, South Korea’s largest e-commerce company and often compared to Amazon, suffered one of the country’s largest data breaches, exposing personal information from up to 34 million user accounts, more than 90 percent of the working-age population. The leak, which went undetected for nearly five months, included names, phone numbers, and residential entry codes, but not credit card or government ID data. Authorities say the alleged perpetrator was a former Coupang software developer who retained internal authentication credentials after leaving the company and accessed systems from overseas. The breach triggered lawsuits, police raids, multiple government investigations, and the resignation of Coupang’s South Korea CEO. Regulators are considering record fines, while public anger has intensified calls for tougher penalties over personal data protection failures.
Researchers report active exploitation of two critical Fortinet authentication bypass vulnerabilities, and three critical vulnerabilities in the FreePBX VoIP platform.
Arctic Wolf reports active exploitation of two critical Fortinet authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719, beginning December 12, 2025. The flaws allow unauthenticated SSO logins via crafted SAML messages when FortiCloud SSO is enabled, leading to admin access and configuration exfiltration on FortiGate devices. Affected products include FortiOS, FortiProxy, FortiWeb, and FortiSwitchManager. Arctic Wolf advises resetting credentials, restricting management interface access, and upgrading immediately to patched versions, noting FortiCloud SSO may be enabled during device registration despite being disabled by default.
Researchers at Horizon3.ai disclosed three critical vulnerabilities in the FreePBX VoIP platform that could be chained to fully compromise affected systems. The most severe, CVE-2025-66039, allows authentication bypass when a nondefault “webserver” authentication setting is enabled. Additional flaws include SQL injection and arbitrary file upload vulnerabilities that enable database access and remote code execution. While some issues were exploited in the wild, FreePBX has released patches across versions 16 and 17. Organizations are urged to update immediately and ensure authentication settings remain on the default “usermanager” option.
An auto-industry credit reporting agency suffers a data breach.
700Credit, a major credit reporting and identity verification provider for the North American automotive industry, disclosed a data breach affecting more than 5.8 million individuals. The incident was discovered on October 25, 2025, and traced to a compromised third-party API tied to the company’s web application. Attackers accessed data collected from automotive dealers between May and October 2025, including names, addresses, dates of birth, and Social Security numbers. The breach impacted the 700Dealer.com application layer, but the company says its internal network and operations were unaffected. 700Credit reports no evidence so far of identity theft or data misuse and is notifying affected individuals.
Google is shutting down its dark web reporting service.
Google will shut down its dark web report feature on February 16, 2026, ending a service launched about 18 months ago to help users monitor stolen personal data. The tool will stop scanning for new breaches on January 16, with all stored data deleted a month later. Google acknowledged that while the feature alerted users when information like emails, phone numbers, or Social Security numbers appeared in breach dumps, it failed to offer clear, actionable guidance on what to do next. User feedback, including complaints on Reddit, highlighted the lack of specificity about which accounts were at risk. Google says it will instead focus on existing security tools such as Security Checkup, Password Manager, and Password Checkup, which provide more practical steps for protecting accounts.
European law enforcement dismantles a Ukrainian fraud network.
European law enforcement agencies have dismantled a large fraud network operating call centers in Ukraine that scammed victims across Europe out of more than €10 million. Authorities from several countries, supported by Eurojust, arrested 12 suspects and carried out 72 searches in Dnipro, Ivano-Frankivsk, and Kyiv, seizing vehicles, weapons, cash, computers, and forged identification. The network ran multiple call centers employing around 100 people and targeted more than 400 victims through bank and police impersonation scams, remote access fraud, and in-person cash collection. Employees were paid commissions of up to 7 percent, with promised bonuses that were never delivered. Officials say the operation highlights the continued scale of organized call center fraud across Europe.
A Pornhub breach proves the internet never forgets.
Pornhub says data linked to its Premium members was exposed. The incident traces back not to Pornhub itself, but to a breach at analytics firm Mixpanel, a vendor Pornhub says it stopped using in 2021. Attackers linked to the ShinyHunters extortion group allegedly accessed Mixpanel via an SMS phishing attack and stole roughly 94 gigabytes of historical analytics data. That data reportedly includes email addresses, viewing activity, search terms, video titles, locations, and timestamps. ShinyHunters is now extorting affected companies, raising awkward questions about why such intimate data was retained for years.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.

