I go through about 25 cybersecurity news portals and blogs every week and pull out the most interesting stories. Then I turn them into this short, digestible summary, so you can stay up to date without trying to follow 25 different sources yourself. 😱 My aim is to create a summary that gives you the gist without needing to open up the source article. But if you do want to dig deeper, all the sources covering the event are linked below each story.
If you enjoy these, come back next Monday or scroll to the bottom to subscribe to the e-mail newsletter.
1. Darknet AI ‘DIG AI’ Automates Sophisticated Cyberattacks and Illicit Content
Resecurity researchers have uncovered DIG AI, an uncensored AI platform on the Tor network that lets threat actors anonymously generate obfuscated malware, deepfakes, and child sexual abuse material. Its suite of jailbroken models—DIG-Uncensored, DIG-GPT, and DIG-Vision—lowers the barrier to complex attacks ahead of major 2026 events.
Key Details
- First detected Sept. 29, 2025, with Q4 adoption surge during holiday season
- Models include unrestricted text/code (DIG-Uncensored), jailbroken ChatGPT (DIG-GPT), Stable Diffusion deepfakes (DIG-Vision)
- Generates obfuscated JavaScript backdoors, web shells, illicit drug/explosive instructions, hyperrealistic CSAM
- Operated by “Pitch,” promoted on darknet markets alongside narcotics and stolen data
Read more at Cybersecurity News
2. Spotify’s 300TB Data Leak – The Next Big AI Training Dataset?
Pirate activist group Anna's Archive scraped Spotify's entire music catalog (86 million audio files and 256 million metadata tracks) totaling about 300 terabytes, making it a massive unauthorized data leak with potential implications for AI training and copyright enforcement.
Key Details
- Scrape spans 2007–July 2025, covering 99.6% of Spotify’s streams by listen count
- Metadata covers 256 million tracks; audio files total ~300 TB in OGG formats
- Files prioritized by popularity: high-stream songs in 160 kbit/s, obscure tracks at lower bitrates
- Anna’s Archive is banned in multiple countries for repeated copyright violations
Next Steps
- Enable alerts for bulk download and scraping patterns for your digital assets.
- Strengthen API rate limits and request throttling for your digital asset downloads.
Read more at The Record, Cybersecurity News, The Register
3. Criminals Recruit Company Insiders for $3,000–$15,000 Network Access
Criminals are increasingly offering $3,000 to $15,000 on darknet forums and Telegram to insiders at banks, telecoms, and tech firms for network or data access. This trend elevates insider risk, as hired employees can disable security controls, exfiltrate sensitive records, and facilitate SIM-swap and ransomware operations.
Key Details
- Payouts range from $3K for one-off access to $15K for telecom SIM-swap support.
- Targets include banks, crypto exchanges (Coinbase, Binance, Kraken), Apple, Samsung, Xiaomi and even U.S. Federal Reserve partners.
- Recruiters advertise on Russian-language darknet forums and encrypted Telegram channels with emotional appeals.
- Some offers propose ongoing schemes (e.g., $1,000/week) for long-term insider cooperation.
Next Steps
- Monitor darknet and Telegram for ads mentioning your brand or systems.
- Review and tighten privileged access controls and session recording.
Read more at Cybersecurity News, Hackread
4. Threat Actors Exploit Microsoft OAuth Device Code Flow for M365 Account Takeovers
The attacks exploit OAuth’s device authorization mechanism, a feature intended to support sign-ins on devices with limited input capabilities, such as smart TVs and IoT hardware. Attackers start a legitimate Microsoft device authorization request and then deceive victims into entering the resulting device code, presenting it as a one-time passcode, on Microsoft’s official verification page.
“The lures typically claim that the device code is an OTP and direct the user to input the code at Microsoft’s verification URL,” the researchers wrote. “Once the user inputs the code, the original token is validated, giving the threat actor access to the targeted M365 account.”
Key Details
- Phishing lures impersonate salary/bonus notifications or security alerts via email, QR codes, and links.
- SquarePhish2 automates the OAuth device grant flow; Graphish uses Azure App Registrations for MitM attacks.
- High-volume group TA2723 and Russia-aligned UNK_AcademicFlare among key threat actors.
- Successful exploits bypass MFA, enable lateral movement, data exfiltration, and potential extortion.
Next Steps
- Create Conditional Access policies to block or restrict device code flows.
- Allow only compliant or registered devices for device code authentication.
- Train users to verify code prompts and avoid entering codes from unsolicited requests.
Read more at Cybersecurity News, CSO Online
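For story 4, an added example (mine, not code from the cited reports) that applies the Next Steps above: it flags device-code sign-ins in Entra sign-in records, using the Microsoft Graph signIn field shape, and builds the Conditional Access policy body that blocks the flow. The sample records and the trusted network range are constructed, and the severity heuristic is my own assumption.

```python
# Added example (my own, not code from the linked reports): flag device-code
# sign-ins in Microsoft Entra sign-in records and build the Conditional Access
# policy body that blocks the device code flow. Field names follow the Graph
# signIn resource (authenticationProtocol) and conditionalAccessPolicy resource.
import ipaddress

# Constructed sample records in the shape of GET /auditLogs/signIns (not real data).
SAMPLE_SIGNINS = [
    {"id": "s1", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"id": "s2", "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"id": "s3", "userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.10",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},
]


def find_device_code_signins(records, trusted_networks=()):
    """One alert per device-code sign-in. A successful one from outside the
    trusted networks is 'high'; any other (failed, or from a trusted range) is
    'medium', since even a failed attempt shows a lure reached a user.
    The trusted-network heuristic is an assumption to tune per tenant."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    alerts = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        succeeded = rec.get("status", {}).get("errorCode", 0) == 0
        trusted = any(ipaddress.ip_address(rec["ipAddress"]) in net for net in nets)
        alerts.append({"id": rec["id"], "user": rec["userPrincipalName"],
                       "ip": rec["ipAddress"], "succeeded": succeeded,
                       "severity": "high" if succeeded and not trusted else "medium"})
    return alerts


def build_block_device_code_policy(display_name="Block device code flow"):
    """Body for POST /identity/conditionalAccess/policies blocking the device
    code flow for all users and apps. It starts in report-only mode so any
    legitimate device-code clients can be found and excluded before enforcing."""
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
```

Review the report-only results for a few days, exclude any genuine limited-input devices, then switch the state to "enabled".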
5. Waymo Robotaxis Freeze During San Francisco Power Outage, Exposing Infrastructure Dependency
A widespread blackout in San Francisco knocked out traffic lights and left Waymo’s autonomous taxis stalled at intersections, prompting a temporary service suspension. The incident highlighted a critical weakness: the vehicles’ reliance on live signal data and mapped scenarios, which failed during the outage. Waymo has since pushed a software update to teach its fleet to recognize dark signals as four-way stops and safely pull over.
Key Details
- Outage affected over 130,000 homes and disabled major traffic signals on Dec. 20–21.
- Waymo cars halted when unable to detect traffic lights, adding to citywide gridlock.
- Update trains vehicles to treat blank lights as four-way stops and request remote backup only when needed.
- Service in San Francisco resumed by Dec. 21 evening; expansion ambitions now face scrutiny.
Next Steps
- Define clear fallback behaviors for AI systems when inputs such as live infrastructure data are missing.
Read more at SiliconANGLE, SiliconANGLE, Security Affairs
6. RansomHouse Upgrades to Multi-layer Dual-key Encryption
RansomHouse, previously focused mainly on data extortion, has expanded into full ransomware attacks that combine data theft with system encryption. The group now uses a two-key encryption model, making decryption significantly harder without attacker cooperation. This enables classic double extortion: victims are pressured both to restore encrypted systems and to prevent stolen data from being leaked. The updated encryption approach marks a shift toward more technically sophisticated ransomware operations.
Key Details
- Multi-layer model employs a 32-byte primary and 8-byte secondary key
- Specifically targets ESXi files and backups, appending “.e.mario”
- Double-extortion RaaS has listed at least 123 victims across sectors
- Modular attack chain uses MrAgent for deployment, persistence and leaks
Next Steps
- Scan for “.e.mario” files on all VMware ESXi hosts
- Make sure your security controls address both data encryption and data leak risks.
Read more at CSO Online
7. ServiceNow to Acquire Armis for $7.75 Billion, Expanding Cyber-Exposure Management
ServiceNow has agreed to buy Armis for $7.75 billion in cash to integrate agentless discovery and continuous risk management for IT, OT, medical, and IoT assets into its Now Platform and AI Control Tower. The deal, expected to close in H2 2026, will more than triple ServiceNow’s security and risk market opportunity by enabling real-time vulnerability prioritization and automated remediation within existing workflows.
Key Details
- Armis generates over $340 million in ARR with >50% year-over-year growth.
- Agentless “Centrix” platform discovers unmanaged devices in IT/OT/IoT/medical environments.
- ServiceNow passed $1 billion in security ARR in Q3 2025 and expects to triple its market scope.
- Transaction subject to regulatory approval, closing targeted for second half of 2026.
Read more at SecurityWeek, CyberScoop, SiliconANGLE, Dark Reading, CSO Online
8. University of Phoenix Data Breach Exposes Sensitive Records of 3.5M Individuals
In December, the University of Phoenix disclosed that the Clop ransomware gang's exploitation of a zero-day in its Oracle E-Business Suite resulted in the theft of personal and financial records belonging to 3,489,274 students, staff and suppliers.
Key Details
- Clop exploited CVE-2025-61882 to breach UoPX systems between Aug. 13–22, 2025, detected Nov. 21.
- Exfiltrated data: full names, contact details, dates of birth, Social Security numbers, bank account and routing numbers.
- UoPX is offering 12 months of credit monitoring, dark-web surveillance and a $1 million fraud reimbursement policy.
- Other victims of the same Oracle EBS campaign include Harvard, UPenn, Dartmouth and several enterprises.
Read more at BleepingComputer, SiliconANGLE, CybersecurityNews.com, SecurityWeek
9. MacSync Stealer Uses Signed Swift App to Evade macOS Gatekeeper
A new variant of MacSync Stealer delivers its payload via a notarized, code-signed Swift application disguised as a messaging installer, allowing it to bypass Gatekeeper without direct terminal interaction and silently harvest enterprise credentials.
Key Details
- The dropper is packaged as a signed Swift app inside a DMG named “zk-call-messenger-installer-3.9.2-lts.dmg.”
- It performs environment checks, Gatekeeper evasion, and retrieves an encoded script via curl using the -fL and -sS flags.
- MacSync Stealer combines data-stealing and Go-based backdoor features, targeting credentials, API keys, and wallets.
- Operators inflated the DMG to 25.5 MB by embedding unrelated PDFs to mask malicious content.
Next Steps
- Reduce reliance on Gatekeeper alone by enforcing additional controls (e.g., allowlisting/managed app catalogs) for Macs, since notarization can be abused until detections and revocations occur.
- Tighten policies around first-run applications and limit installation paths to approved mechanisms (MDM/self-service portals) to prevent “ordinary-looking utility URL” installs from becoming routine.
- Ensure security tooling/MDM can alert on newly observed developer certificates and newly notarized binaries seen in the environment, then fast-track review/containment.
Read more at SecurityWeek, The Hacker News, CSO Online
10. Operation Sentinel: 574 Arrested, $3M Recovered, Six Ransomware Strains Decrypted Across Africa
Interpol’s Operation Sentinel, conducted from October 27 to November 27, involved 19 African countries in a coordinated effort against business email compromise, digital extortion, and ransomware.
The initiative led to 574 arrests, the seizure of $3 million, the takedown of over 6,000 malicious links, and the decryption of six distinct ransomware variants tied to more than $21 million in losses.
Key Details
- Senegal: Blocked a $7.9 million BEC transfer targeting a petroleum company by freezing destination accounts.
- Ghana: Developed a decryption tool that recovered 30 TB of the 100 TB of encrypted data, and arrested multiple suspects after a $120,000 loss.
- Ghana/Nigeria: Dismantled a fast-food brand spoofing scam that defrauded 200+ victims of over $400,000; 10 suspects arrested.
- Benin: Arrested 106 individuals, removed 43 malicious domains, and shut down 4,318 scam-linked social media accounts.
- Cameroon: Traced a phishing-compromised vehicle sales server and executed an emergency bank freeze within hours.
Read more at Bleeping Computer, SecurityWeek, The Hacker News, Dark Reading
11. Italy Fines Apple €98.6M Over Double-Consent Requirement in iOS ATT Framework
Italy’s competition authority has fined Apple about €98.6 million over how Apple’s App Tracking Transparency (ATT) regime is applied on iOS and in the App Store. The core complaint is not that ATT exists, but that its design and Apple’s related rules allegedly create an uneven playing field: many third‑party apps end up showing Apple’s ATT prompt and then also needing an additional GDPR-style advertising consent flow (a “second banner/prompt”), while Apple’s own services are viewed as facing less friction or different treatment for comparable advertising/tracking outcomes.
What Italy appears to be looking for is a remedy that preserves meaningful user privacy but removes this alleged asymmetry and “double consent” burden on rivals. One plausible direction is a more unified consent setup where developers must declare (in a standardized, enforceable way) their tracking/ads purposes and partners, the user makes the choice once, and that choice becomes a reusable consent/permission signal the app can honor—reducing repeat prompts without requiring Apple to share Apple-held user data with developers.
Key Details
- The AGCM investigation began in May 2023 and involved EU competition and privacy regulators.
- Apple’s own apps bypass the double-consent requirement, while third-party developers must display both ATT and GDPR-compliant banners.
- Regulators noted ATT could boost Apple’s App Store commissions and advertising revenue at competitors’ expense.
- Apple has appealed the ruling.
Read more at SiliconANGLE, SecurityWeek, The Hacker News, Bleeping Computer
Subscribe
Subscribe to receive this weekly cybersecurity news summary to your inbox every Monday.