The CyberWire Daily Podcast 12.19.25
Ep 2457 | 12.19.25

Where encryption meets executive muscle.

Transcript

Trump signs the National Defense Authorization Act for 2026. Danish intelligence officials accuse Russia of orchestrating cyberattacks against critical infrastructure. LongNosedGoblin targets government institutions across Southeast Asia and Japan. A new Android botnet infects nearly two million devices. WatchGuard patches its Firebox firewalls. Amazon blocks more than 1,800 North Korean operatives from joining its workforce. CISA releases nine new Industrial Control Systems advisories. The U.S. Sentencing Commission seeks public input on deepfakes. Prosecutors indict 54 in a large-scale ATM jackpotting conspiracy. Our guest is Nitay Milner, CEO of Orion Security, discussing the issue with data leaking into AI tools, and how CISOs must prioritize DLP. Riot Games finds cheaters hiding in the BIOS.

Today is Friday December 19th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Trump signs the National Defense Authorization Act for 2026.

President Donald Trump signed a $901 billion National Defense Authorization Act for 2026 that includes major cybersecurity provisions and passed with bipartisan support. The bill authorizes record defense spending and preserves the long-debated dual-hat leadership of U.S. Cyber Command and the National Security Agency by barring Pentagon funds from weakening the Cyber Command commander’s authority. That provision reinforces a structure Trump previously considered splitting but ultimately abandoned. Trump also nominated Army Lt. Gen. Joshua Rudd to lead both organizations. The NDAA allocates roughly $417 million to Cyber Command for digital operations, other activities, and headquarters maintenance. It mandates secure, encrypted mobile devices for senior Defense Department leaders following inspector general criticism of insecure communications. The bill also requires reviews of foreign-sourced infrastructure components and orders the Pentagon to streamline its cybersecurity requirements.

Danish intelligence officials accuse Russia of orchestrating cyberattacks against critical infrastructure.

Danish intelligence officials have accused Russia of orchestrating cyberattacks against Denmark’s critical infrastructure as part of a broader hybrid campaign against Western countries. The Danish Defence Intelligence Service said two pro-Russian groups, Z-Pentest and NoName057(16), carried out attacks on water utilities and launched DDoS attacks ahead of local elections, aiming to create insecurity and punish Denmark for supporting Ukraine. Officials said the cyber activity is part of a wider influence effort to undermine Western backing of Kyiv, with elections used to attract public attention. Denmark’s defense minister called the attacks unacceptable and said Russia’s ambassador would be summoned. The warning aligns with broader European concerns, echoed by incidents in Norway and a recent joint advisory from U.S. and European agencies about pro-Russian hacktivist threats to global critical infrastructure.

LongNosedGoblin targets government institutions across Southeast Asia and Japan.

Researchers have identified a previously unknown, China-aligned hacking group targeting government institutions across Southeast Asia and Japan. The group, dubbed LongNosedGoblin by ESET, has been active since at least September 2023 and was uncovered during an investigation of a Southeast Asian government network. The hackers abused Windows Group Policy, a legitimate administrative tool, to deploy malware and move laterally. Their tools include NosyHistorian, which harvests browser data to identify high-value victims, and NosyDoor, a selective backdoor suggesting carefully chosen targets.

A new Android botnet infects nearly two million devices.

Researchers warn that a newly identified Android botnet, dubbed Kimwolf, has infected more than 1.8 million devices and can launch massive DDoS attacks. Chinese firm XLab says the botnet mainly targets Android TV set-top boxes and focuses on traffic proxying, but issued over 1.7 billion attack commands in late November. Kimwolf is linked to the TurboMirai-class Aisuru botnet and may have powered recent near-30 terabit-per-second attacks. The malware uses encrypted DNS to evade detection and operates on a globally distributed infrastructure.

WatchGuard patches its Firebox firewalls.

WatchGuard has issued an urgent warning for customers to patch a critical, actively exploited remote code execution vulnerability affecting its Firebox firewalls. The flaw, tracked as CVE-2025-14733, impacts devices running multiple versions of Fireware OS and allows unauthenticated attackers to execute malicious code remotely through low-complexity attacks. While exploitation requires IKEv2 VPN configurations, WatchGuard cautioned that devices may remain vulnerable even after certain VPN settings are removed. The company said it has observed active exploitation in the wild and released indicators of compromise, urging affected users to rotate credentials if compromise is suspected. Temporary mitigations are available for organizations unable to patch immediately. The advisory follows a pattern of similar WatchGuard firewall vulnerabilities that were widely exploited and later flagged by CISA.

Amazon blocks more than 1,800 North Korean operatives from joining its workforce.

Amazon says it has blocked more than 1,800 suspected North Korean operatives from joining its workforce since April 2024, underscoring how widespread the so-called fake IT worker scam has become. Chief Security Officer Steve Schmidt said applications linked to North Korea rose 27 percent quarter over quarter this year. The scheme involves real developers using stolen or fabricated identities, AI-generated resumes, and even deepfakes to secure remote jobs, then funneling wages back to the regime. Some attackers also steal sensitive data or extort employers. Amazon uses AI screening and human verification to detect the fraud, but Schmidt warned tactics are evolving, including hijacked LinkedIn accounts and U.S.-based “laptop farms” that disguise overseas workers as domestic employees.

CISA releases nine new Industrial Control Systems advisories.

CISA has released nine new Industrial Control Systems advisories covering security vulnerabilities across a wide range of widely used operational technology products. The advisories address systems from major vendors including Inductive Automation, Schneider Electric, National Instruments, Mitsubishi Electric, Siemens, Advantech, Rockwell Automation, and Axis Communications. Affected products range from SCADA platforms and distributed control systems to industrial networking stacks and camera management software. CISA urged asset owners, operators, and administrators to review the advisories for detailed technical information and recommended mitigations to reduce risk in industrial and critical infrastructure environments.

The U.S. Sentencing Commission seeks public input on deepfakes.

The U.S. Sentencing Commission is proposing preliminary sentencing guidelines under the Take It Down Act, a bipartisan law passed earlier this year to combat nonconsensual deepfake pornography. The law makes it a federal crime to distribute real or AI-generated intimate imagery without consent and requires platforms to remove reported content within 48 hours, with enforcement authority given to the Federal Trade Commission. It outlines prison sentences of up to two years for deepfaking adults and up to three years for minors, with the commission now refining penalties by offense type. Proposed updates clarify definitions tied to online services and intent, including abuse or sexual exploitation. The commission is seeking public comment on the guidelines through February 16, 2026, as concern grows over increasingly realistic AI-generated media.

Prosecutors indict 54 in a large-scale ATM jackpotting conspiracy.

U.S. prosecutors have indicted 54 individuals for their alleged roles in a large-scale ATM jackpotting conspiracy involving malware and coordinated cash theft. A federal grand jury in Nebraska returned two indictments, one in October charging 32 people and another in December charging 22 more. Authorities allege the scheme used Ploutus malware to force ATMs to dispense cash, resulting in losses of about $40.7 million as of August 2025. The indictment links the activity to Tren de Aragua, a Venezuelan criminal syndicate designated as a foreign terrorist organization, accusing it of laundering proceeds to fund broader criminal operations. Investigators say the group conducted surveillance, physically accessed ATMs to install malware, and used techniques designed to evade detection and obscure evidence. If convicted, defendants face sentences ranging from decades to life in prison.

Riot Games finds cheaters hiding in the BIOS.

Riot Games has discovered that some recent motherboards were quietly letting cheaters slip past the velvet rope. A flaw in BIOS firmware from vendors including Asrock, Asus, Gigabyte, and MSI meant certain DMA-based cheats could operate invisibly, bypassing protections meant to keep games fair. Riot says the issue undermined IOMMU defenses that looked awake but were not fully on the job, like a nightclub bouncer dozing off mid-shift. The fix is less glamorous than a ban wave but more effective. Motherboard makers have released BIOS updates, and Riot’s Vanguard anti-cheat may now insist players install them before launching Valorant. Riot calls it a necessary escalation in the hardware cheat arms race, one that shuts down a whole category of previously untouchable tricks and makes cheating a lot more expensive.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.