This Week in Cybersecurity #35
Insiders Face Prison, Supply Chains Crumble, $400B in M&A Reshapes the Industry, and Community Security Emerges as the Antidote to Corporate Consolidation
Good morning, Security Gang!
As 2025 draws to a close, this week delivered the ultimate accountability reckoning for cybersecurity’s human element—proving definitively that the greatest threats aren’t sophisticated zero-days or nation-state malware, but trust gaps, moral failures, and the desperation that drives otherwise good people to make catastrophic choices.
Two U.S. security professionals who once stood on the defender’s side of the battlefield, Ryan Clifford Goldberg and Kevin Tyler Martin, pleaded guilty to conspiring with BlackCat/ALPHV ransomware operations, targeting American pharmaceutical companies, engineering firms, and medical device manufacturers. They earned $1.27 million from a single ransom payment and now face 20 years in federal prison.
Meanwhile, the Coupang insider who exfiltrated 33.7 million records attempted a movie-style evidence destruction by smashing their MacBook, sealing it with bricks, and throwing it in a river (the laptop was recovered), while a Coinbase customer support agent in India was arrested for helping cybercriminals steal customer wallet information, and the European Space Agency confirmed 200GB of contractor data stolen by hacker “888” now for sale on breach forums.
On the supply chain front, the Trust Wallet Chrome extension breach expanded to $8.5 million stolen from 2,000+ wallets via the Shai Hulud 2.0 campaign, Condé Nast’s breach grew from 2.3 million to a claimed 40 million records, and the 2022 LastPass breach continues haunting users years later as crypto wallets are still being drained using old vault credentials.
Add in Iran hacking the Israeli Prime Minister’s Chief of Staff, Russia DDoSing France’s postal service during Christmas, Microsoft Azure’s global DNS meltdown, and the revelation that 2025 saw 420 cybersecurity M&A deals totaling $400 billion—including eight deals over $1 billion—and you have a perfect snapshot of an industry reaching critical mass where consolidation, accountability, and the desperate need for community-driven defense models are colliding simultaneously.
Let’s break down the year-end carnage and the glimmers of hope. Coffee ready, Security Gang, because this is the accountability reckoning.
🕵️ INSIDER THREATS & CRIMINAL JUSTICE
Two U.S. Cybersecurity Experts Plead Guilty to Aiding BlackCat
In one of the most disturbing insider stories of the year, two U.S. security professionals—Ryan Clifford Goldberg (33, Georgia) and Kevin Tyler Martin (28, Texas)—pleaded guilty to conspiring with BlackCat/ALPHV in ransomware campaigns.
Goldberg, a former incident response manager at Sygnia, and Martin, a DigitalMint ransomware negotiator, used their access and training to breach multiple U.S. firms, including:
A Maryland pharmaceutical company
A California engineering firm
A Tampa medical device manufacturer
The pair demanded ransoms between $300,000 and $10 million, earning $1.27 million from a single payment. Both face up to 20 years in federal prison.
James’s response was powerful: “These guys were on the good side at one point. They were on our side... there’s no amount of money in the world that can bring back your freedom... One’s 33, one’s 28. By the time they get out of prison, they’re going to be in their late 40s, early 50s. Life’s passed them by... You got to work hard. You got to do it the hard way. That’s just life. There’s no shortcut to success.”
Coupang Insider Destroys Laptop to Hide Evidence
In South Korea, Coupang—the e-commerce giant often called “Korea’s Amazon”—continues dealing with fallout from a 33.7 million–user data breach. Authorities confirmed the insider responsible smashed their MacBook, sealed it in a bag with bricks, and threw it in a river to hide evidence.
The bizarre “movie-style” destruction attempt failed—investigators recovered the laptop. Coupang is now issuing $1.18 billion worth of compensation vouchers to affected customers, one of the most expensive breach responses in history.
This story highlights the real-world scale of digital negligence and how insider threats continue to be the hardest to prevent and most costly to clean up.
Coinbase Insider Arrested in India
A Coinbase customer support agent in Hyderabad, India was arrested for helping cybercriminals steal customer information. The agent reportedly assisted attackers by exporting internal records and metadata tied to customer wallets. Coinbase had flagged this in May, and now the perpetrator is in custody.
James observed: “We’re not dealing with bad people — we’re dealing with people underpaid, overworked, and easily manipulated. The new insider threat isn’t espionage — it’s desperation.”
Companies Must:
Strengthen insider risk programs
Incentivize ethical reporting
Educate workers on how to report bribery or coercion attempts safely
Implement behavioral analytics for privileged user monitoring
Korean Air Confirms Employee Data Compromised in Oracle EBS Breach
Korean Air joined the Oracle E-Business Suite (EBS) breach fallout, confirming that 30,000 employee records were exposed. The intrusion leveraged overprivileged service accounts and reporting jobs, part of a long chain of Oracle EBS exploitation affecting dozens of global enterprises.
This breach’s risk profile is particularly sensitive: flight attendants and pilots are now targets for identity fraud and payroll scams, given their frequent travel patterns.
If you’re managing employee data:
Segment HR systems from finance and travel apps
Monitor for payroll reroute attempts
Implement anomaly detection for unusual HR data exports
European Space Agency Confirms Data Breach After 200GB Hack
The European Space Agency (ESA) confirmed a breach after an attacker named “888” claimed to have stolen 200GB of contractor, partner, and staff data, now being sold on Breach Forums.
ESA says mission systems remain secure thanks to network segmentation, but stolen personal data could enable:
Spear-phishing campaigns
Vendor impersonation
Follow-on supplier access across its ecosystem
James didn’t mince words: “Europe has spent years regulating cyber into a compliance game while ignoring the operational threat. Now the bleeding’s real — and they’re almost out of bandages.”
The agency is conducting forensic investigations and has notified all stakeholders.
🔗 SUPPLY CHAIN ATTACKS & VENDOR COMPROMISES
Trust Wallet $8.5M Theft via Shai Hulud Supply Chain Attack
The Trust Wallet Chrome extension hack, now linked to the Shai Hulud supply chain campaign, has stolen $8.5 million across more than 2,000 crypto wallets.
Researchers found attackers tampered with dependencies inside the Shai Hulud 2.0 module, enabling:
Malicious signing prompts
Seed phrase exfiltration
Trust Wallet version 2.68.0 was compromised through a Chrome Web Store API key exploit, bypassing internal security checks. Some stolen assets were frozen, but the majority have already been laundered through decentralized exchanges.
James emphasized: “The supply chain isn’t theoretical anymore — it’s the modern attacker’s playground, and every engineer is part of the security team now.”
Developers Need To:
Pin dependencies and mirror package registries privately
Require signed builds and CI reputation checks
Rotate dev tokens and wallet credentials immediately
Revoke stale token approvals and store keys offline
EmEditor Supply Chain Attack Targets DevOps
A new supply chain compromise has been discovered targeting EmEditor, a widely used developer text editor. Attackers abused its signed update channel to deliver infostealer malware into developer environments.
If your organization uses EmEditor:
Restrict update mechanisms to allowlisted URLs
Run secret scanning and rotate cloud tokens for impacted DevOps boxes
Perform code-signing reputation checks in EDR tools
U.S. Banks Hit by Marquis Ransomware Vendor Fallout
The Marquis ransomware attack continues to hammer downstream victims—this time Artisans Bank and VeraBank. Both institutions confirmed their customer analytics and communications vendor was breached, exposing names, SSNs, loan records, and account details.
Artisans Bank said 32,344 individuals were directly affected; VeraBank didn’t disclose numbers. Overall impact is estimated between 788,000 and 1.3 million victims.
If you’re in banking:
Reissue debit cards
Rehash passwords and reset keys
Review pending transactions and increase fraud monitoring
Tighten UEBA and customer behavior analytics
This incident shows how one compromised vendor can ripple through the financial sector.
LastPass 2022 Breach Still Haunting Users
The 2022 LastPass breach continues to cause secondary compromises years later. Attackers are still mining stolen vault metadata and URLs, especially from users who never rotated their master passwords or API keys.
Blockchain analysis shows crypto wallets drained using credentials tied to old LastPass vaults, with activity traced to Russian exchange infrastructure.
CISOs and users must:
Treat password vaults as living assets
Rotate master keys regularly
Enforce phishing-resistant MFA
If it’s been more than six months since your last vault update, assume compromise and start fresh
🚨 MAJOR DATA BREACHES
Condé Nast Breach Expands: 40 Million Records Claimed
Just a day after the Wired leak that exposed 2.3 million users, a hacker calling themselves “Lovely” is claiming to have stolen 40 million Condé Nast records, including Wired user data.
While this isn’t catastrophic on its own, the risk here is credential stuffing and ad platform hijacks.
James recalled: “When I was in banking, this kind of leak would trigger an instant cross-check with our customer base. If we found overlap, we’d reset passwords and notify clients immediately. That’s how you turn a breach into a business resilience story.”
For CISOs:
Cross-reference breach data with your user base
Force password resets where overlap exists
Monitor for account takeovers and advertising fraud
Block reused passwords and enforce MFA, ideally FIDO2 phishing-resistant authentication
Wired Confirms 2.3 Million Accounts Leaked
Condé Nast’s Wired magazine confirmed a 2.3 million–record database leak, exposing email addresses, hashed passwords, and user metadata. The attackers posted the data online for sale after breaching an outdated user authentication API.
While Wired accounts don’t offer much financial value, attackers target media platforms to perform credential stuffing and reused-password attacks elsewhere.
James’s advice: “These attacks don’t go after your Wired subscription — they go after your lazy password hygiene.”
🎯 NATION-STATE OPERATIONS & GEOPOLITICAL THREATS
Iran-Aligned Group Claims Hack of Israeli PM’s Chief of Staff
An Iranian-aligned threat group known as Handala has claimed responsibility for hacking the phone of Tzahi Braverman, Chief of Staff to Israeli Prime Minister Benjamin Netanyahu. They allegedly stole messages, encrypted communications, and photos, suggesting potential corruption and political misconduct.
While the evidence is still unverified, this hack falls squarely within Iran’s long-term disinformation playbook—aiming to undermine political confidence in Israel during a delicate geopolitical moment.
James noted: “Cyber isn’t just part of geopolitics — it’s the new front line. And this front line doesn’t sleep.”
He continued: “You’re not tuning in for the geopolitical side of this, but the geopolitical side of this is driven by the cyber side of this. And cyber is just part of that geopolitical battle. And sometimes we get caught in the crossfire, in the crosshairs of this battle between these two nations as practitioners. Our businesses do. Our supply chain does.”
This attack mirrors Handala’s earlier breaches of former Israeli Prime Minister Naftali Bennett’s phone, part of an escalating Iran–Israel shadow cyberwar that continues despite ceasefires in Gaza.
Russia Launches DDoS Attack on France’s Postal Service
Pro-Russian hacktivists launched a coordinated DDoS attack on France’s La Poste postal and banking services over the Christmas weekend. The attack, targeting public-facing portals, caused nationwide disruptions during one of the busiest mailing periods of the year.
The campaign was more symbolic than destructive, serving as a reminder that Russia’s hybrid cyber warfare extends far beyond Ukraine—it’s now about eroding European morale through disruption and frustration.
China’s Evasive Panda Using DNS for Command and Control
Researchers uncovered a new Evasive Panda campaign abusing DNS tunneling for stealthy command-and-control operations. By hiding payloads inside DNS TXT records and mimicking legitimate resolution traffic, the APT can exfiltrate data without triggering firewalls.
The technique uses domain fronting patterns and PowerShell scripts to persist.
Defenders Should:
Enable DNS logging
Block newly observed domains
Alert on high-entropy TXT queries
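As an added example (not from the newsletter or from the research it summarizes), a small Python detector for the last two points: it scores the subdomain labels of TXT queries by Shannon entropy and flags registrable domains absent from a baseline set. The log format, sample lines, thresholds and baseline are all constructed for the demo.

```python
"""Flag DNS TXT queries whose labels look like encoded tunnel traffic.

Added example: Shannon-entropy scoring of TXT query labels plus a
"newly observed domain" check against a baseline. Everything below
(log format, sample lines, thresholds, baseline) is constructed.
"""
import math
import re
from collections import Counter

# Constructed resolver log: "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
2025-12-29T10:00:01Z 10.1.2.3 A www.example.com.
2025-12-29T10:00:02Z 10.1.2.3 TXT _dmarc.example.com.
2025-12-29T10:00:03Z 10.1.2.9 TXT 7f3a9c2e1b4d8e6f0a5c9b2d4e7f1a3c.updates-cdn.net.
2025-12-29T10:00:04Z 10.1.2.9 TXT z9q4w8e1r5t2y7u3i6o0p1a4s8d5f2g7h3j6k9l1.updates-cdn.net.
2025-12-29T10:00:05Z 10.1.2.3 TXT google._domainkey.example.com.
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Constructed baseline: registrable domains already seen in this network.
BASELINE_DOMAINS = {"example.com"}


def shannon_entropy(s: str) -> float:
    """Bits per character: readable labels sit near 3, encoded data near 4+."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_domain(qname: str) -> str:
    """Last two labels. No public-suffix list here; fine for the demo."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def subdomain_part(qname: str) -> str:
    """Everything left of the registrable domain, joined without dots."""
    labels = qname.rstrip(".").split(".")
    return "".join(labels[:-2])


def score_query(qtype, qname, baseline, entropy_threshold=3.5, min_len=24):
    """Return the reasons a query is suspicious (empty list if none)."""
    reasons = []
    if qtype == "TXT":
        sub = subdomain_part(qname)
        # Short labels (e.g. _dmarc) never reach the length gate, which
        # keeps legitimate TXT lookups for SPF/DKIM/DMARC quiet.
        if len(sub) >= min_len and shannon_entropy(sub) >= entropy_threshold:
            reasons.append("high-entropy TXT label")
    if registrable_domain(qname) not in baseline:
        reasons.append("newly observed domain")
    return reasons


def scan_log(text, baseline=BASELINE_DOMAINS):
    """Parse log lines and return (client_ip, qname, reasons) per alert."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the pass
        _ts, client, qtype, qname = m.groups()
        reasons = score_query(qtype, qname, baseline)
        if reasons:
            alerts.append((client, qname, reasons))
    return alerts


if __name__ == "__main__":
    for client, qname, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} {qname} -> {', '.join(reasons)}")
```

In production, feed the baseline from a rolling window of resolver logs and tune the entropy and length gates against your own traffic before alerting.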
Mustang Panda Deploys Kernel-Mode Rootkit
China-linked Mustang Panda is using a new kernel-mode rootkit to evade EDR detection and persist on high-value systems. The malware targets government and NGO networks across Southeast Asia and Europe, abusing unsigned kernel drivers to hide command execution.
To Mitigate:
Enforce driver signing policies
Monitor for unusual kernel driver loads
Isolate high-risk users such as diplomats or policy analysts
Georgia Arrests Ex–Spy Chief for Fraud Protection Scandal
The Republic of Georgia arrested former spy chief Grigol Liluashvili, who allegedly took $1.4 million in bribes to ignore scam call center operations near his own agency’s office.
These “industrialized fraud hubs” ran voice phishing, crypto investment scams, and global laundering networks defrauding victims of $35 million since 2022.
The scandal underscores how corruption enables cybercrime, especially in post-Soviet states where law enforcement and criminal enterprises often blur together.
🔥 CRITICAL VULNERABILITIES & ZERO-DAYS
MongoDB Zero-Day Actively Exploited
A new MongoDB zero-day (CVE-2025-14847) is being actively exploited in the wild. The bug allows unauthenticated memory disclosure via mishandled zlib compression.
Patch immediately—or if you can’t, disable zlib and switch to Snappy or ZSTD. Versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30 contain the fix.
This follows a trend of attackers targeting open-source components embedded in enterprise stacks, exploiting slow patch cycles right before holidays.
Critical SNMP Trap Vulnerability in Infrastructure Devices
A critical Net-SNMP flaw (CVE-2025-68615) is putting enterprise monitoring systems at risk. The bug allows remote code execution through crafted SNMP trap packets.
If your environment still uses SNMP:
Patch immediately
Bind snmptrapd to management VLANs only
Restrict trap sources to known IPs
Otherwise, your monitoring tool could become your attack vector.
IBM Patches Critical API Connect Authentication Bypass
IBM issued a fix for a 9.8 CVSS authentication bypass flaw (CVE-2025-13915) in API Connect and DataPower, allowing attackers to gain tenant-level admin access.
Admins Should:
Patch immediately to the latest versions
Remove public admin interfaces
Rotate API tokens and monitor for new admin accounts
Threat actors are already advertising exploit code, so this one’s not optional—patch before New Year’s champagne pops.
☁️ INFRASTRUCTURE & CLOUD FAILURES
Microsoft Azure Global Outage Caused by DNS Meltdown
Azure suffered a global DNS outage, impacting compute, SaaS, and telecom services across Europe and the Middle East—even causing temporary blackouts for Israeli telecoms Partner and HOT.
The downtime lasted roughly two and a half hours, with recovery slowed by cascading DNS resolution loops.
James said it bluntly: “DNS is the Achilles’ heel of the cloud, and now AI workloads are adding weight to an infrastructure already at its breaking point.”
The outage highlights the fragility of centralized DNS and the need for:
Geo-distributed fallback resolvers
AI-aware load management
🤖 AI & EMERGING THREATS
Microsoft Copilot Misconfigurations Lead to Data Exposure
Attackers are exploiting misconfigured Microsoft Copilot Studio “connected agents”, allowing prompt injection and SaaS data exfiltration through over-trusted connectors.
Each connector must be treated as a production environment:
Scope access tightly
Use short-lived tokens
Enable egress logging
AI-Enhanced Cryptors Evade Detection
New AI-assisted polymorphic cryptors are hitting the dark web, mutating payloads in real-time to evade antivirus signatures and sandbox analysis.
Expect:
Lower detection rates
Heavier abuse of living-off-the-land binaries like rundll32, WScript, and PowerShell mesh injections
Defenders should pivot to:
Behavioral detection
Macro blocking
Automated sandbox detonations
💼 MERGERS & ACQUISITIONS
2025: The Year of Billion-Dollar Cybersecurity M&A
2025 set a record for cybersecurity acquisitions, with 420 M&A deals totaling over $400 billion. Eight deals surpassed the $1 billion mark, including:
Google buying Wiz for $32B
Palo Alto Networks acquiring CyberArk for $25B and Chronosphere for $3.3B
ServiceNow buying Armis for $7.75B
Visa acquiring Armor for $1B
Francisco Partners acquiring Jamf for $2.2B
Proofpoint acquiring Hornetsecurity for $1.8B
James wrapped it up: “The cybersecurity industry has officially consolidated. 2026 won’t be about tools — it’ll be about trust.”
🏛️ REGULATORY & LEGAL DEVELOPMENTS
Disney Fined $10 Million for COPPA Violations
Disney agreed to a $10 million civil penalty for violating the Children’s Online Privacy Protection Act (COPPA), after being found collecting data from child-directed apps for targeted advertising.
The FTC case underscores how compliance gaps can become brand killers—especially when kids’ data is involved.
If you operate child-facing products:
Review consent workflows
Ensure data labeling and ad targeting align with COPPA requirements
France Fines Company €1.7M for Privacy Failures
France fined NextPublica €1.7 million for failing to fix known vulnerabilities before a major breach. The fine underscores how GDPR liability doesn’t end with disclosure—regulators now assess the maturity of your security program at the time of the breach.
U.S. Treasury Removes Spyware Vendor Intellexa from Sanctions List
The Trump administration’s Treasury Department officially removed Intellexa and two executives from the sanctions list, reversing a 2024 decision made under President Biden.
Intellexa, creator of the Predator spyware platform, was previously sanctioned alongside individuals tied to surveillance operations in Congo, Angola, and Madagascar.
Critics argue the removal signals renewed acceptance of offensive cyber tools for state use, while defenders see it as pragmatic realignment.
James noted: “Spyware saves lives when used responsibly. The problem isn’t the tech — it’s who holds the leash.”
Lithuanian Hacker Extradited for KMS Malware
A Lithuanian national has been extradited from Georgia to South Korea for operating the KMSAuto malware, which infected 2.8 million systems and stole crypto wallet credentials.
This marks another Interpol success story, proving how international collaboration can track down long-running cybercriminals. KMSAuto masqueraded as a Windows activator, then executed clipboard hijacks to reroute cryptocurrency transactions.
SOC teams should:
Block PUP and activator categories in proxies
Hunt for KMSAuto registry artifacts
✨ COMMUNITY SECURITY & HOPE
Volunteer MSSP Protects Rural U.S. Water Utilities
A grassroots initiative is helping rural water utilities in the U.S. strengthen their defenses through volunteer-run MSSP programs. The effort, led by DEF CON contributors like Tarah Wheeler, pairs white-hat professionals with underfunded municipalities in Arizona, Utah, Oregon, and Vermont, offering:
24/7 detection
Segmented access
Incident playbooks
James emphasized: “This is cybersecurity at its best — community over commerce.”
These volunteer models could become essential blueprints for defending critical infrastructure sectors that lack full-time SOCs or funding.
✅ YOUR COMPREHENSIVE ACTION LIST
IMMEDIATE CRITICAL PATCHING:
💾 MongoDB - Patch CVE-2025-14847 or disable zlib compression
🔌 SNMP - Patch CVE-2025-68615; bind to management VLANs only
🔐 IBM API Connect - Patch CVE-2025-13915; rotate tokens
INSIDER THREAT & ACCESS CONTROL:
🕵️ Implement behavioral analytics - For privileged user monitoring
🔐 Strengthen insider risk programs - Incentivize ethical reporting
📊 Audit insider access - Especially in sensitive or regulated environments
🚨 Monitor for data exfiltration - Unusual bulk exports or downloads
👤 Educate on coercion reporting - Safe channels for reporting bribery attempts
SUPPLY CHAIN SECURITY:
🪙 Revoke Trust Wallet extension permissions - Educate users on seed safety
📦 Pin dependencies - Mirror package registries privately
🔐 Require signed builds - CI reputation checks
🔑 Rotate dev tokens and wallet credentials - Immediately
💻 Harden DevOps update mechanisms - Restrict to allowlisted URLs
🧑‍💻 Enable secret scanning - For impacted DevOps boxes
BREACH RESPONSE & MONITORING:
🔑 Cross-match Condé Nast/Wired breach data - With internal users
🏦 Audit vendor access pipelines - For financial services platforms
🛰️ Segment mission and contractor systems - Limit breach fallout (ESA lesson)
✈️ Korean Air Oracle EBS - Monitor for payroll reroute attempts
💳 U.S. banks - Reissue debit cards; increase fraud monitoring
PASSWORD & CREDENTIAL MANAGEMENT:
🔐 Force password resets - Where Condé Nast/Wired overlap exists
🔒 Rotate vault keys - Reissue API tokens for LastPass users
🚫 Block reused passwords - Enforce FIDO2 phishing-resistant MFA
📊 Treat vaults as living assets - Regular rotation and audits
NATION-STATE DEFENSE:
🌐 Enable DNS logging - Block newly observed domains; alert on high-entropy TXT queries
🇮🇱 Monitor geopolitical risk surfaces - Iran–Israel conflict implications
🇷🇺 Prepare for DDoS - Essential services need redundancy and thresholds
🐼 Enforce driver signing policies - Monitor for unusual kernel driver loads (Mustang Panda)
🧠 JAMES AZAR’S CISO TAKE
This week’s stories drive home the ultimate truth that will define cybersecurity in 2026 and beyond: the biggest vulnerabilities aren’t zero-days or sophisticated malware—they’re human trust gaps, moral failures, and the desperation that drives otherwise good people to make catastrophic choices.
The second defining message from this week is that 2026 will be the year of hard accountability where proof replaces promises, and maturity gets measured by resilience rather than frameworks. When Disney pays $10 million for COPPA violations, when France fines NextPublica €1.7 million not just for the breach but for failing to fix known vulnerabilities beforehand, when the European Space Agency gets 200GB stolen and admits their regulatory compliance game ignored operational threats, and when a global Azure DNS outage proves that centralized cloud infrastructure is one misconfiguration away from systemic failure the message is unmistakable: our industry has matured past the point where good intentions and compliance checkboxes provide cover for operational negligence.
The $400 billion in M&A consolidation means 2026 won’t be about which tools you buy—it’ll be about whether those tools actually work when everything breaks, whether your vendors can be trusted when they’re breached, and whether your people can resist the temptation to sell access when desperation knocks. From Iran hacking Israeli leadership to Russia disrupting French postal services to China tunneling through DNS for stealthy exfiltration, the geopolitical cyber war isn’t slowing down—it’s accelerating.
And for those two former security pros now facing two decades in prison, their story should serve as the ultimate cautionary tale: there are no shortcuts to success, no amount of money can buy back your freedom, and when you betray the profession that trained you, life doesn’t just pass you by—it locks you away while everyone else moves forward. The accountability era has arrived, and it’s unforgiving.
The accountability era has arrived. 2026 demands proof, not promises. Resilience, not perfection. Community, not just consolidation. And for those who betray the profession, justice, not mercy.
Stay sharp, stay accountable, support community defenders, and as always, stay cyber safe, Security Gang!
Thanks for tuning in. We’ll be back Monday at 9 AM Eastern Live with all the latest. Have a safe and Happy New Year!