InfoSec News 17DEC2025
General
- It appears that the SoundCloud VPN ban was a side effect of post-breach hardening. Data has been stolen from the platform, reportedly attributed to ShinyHunters.
SoundCloud recently detected unauthorized activity in an ancillary service dashboard. Upon making this discovery, we immediately activated our incident response protocols and promptly contained the activity. .... Following the containment, SoundCloud experienced denial of service attacks, two of which were able to temporarily disable our platform's availability on the web only.
...we have taken immediate steps to further strengthen our systems...As part of these updates, some configuration changes have caused some users on VPNs to experience temporary connectivity issues. We are actively working to resolve these VPN related access issues.
- https://soundcloud.com/playbook-articles/protecting-our-users-and-our-service
- https://www.bleepingcomputer.com/news/security/soundcloud-confirms-breach-after-member-data-stolen-vpn-access-disrupted/
- https://www.theregister.com/2025/12/16/soundcloud_cyberattack_data_leak/
- Report from Krebs on Security on parked, typo-squatted and expired domains: most end up serving scams or malware. Interesting to see the traffic filtering, for example serving the malware only to residential IPs and not to VPN IPs.
- Google is shutting down its Dark Web Report tool. It was never obvious how much value it added over alternatives such as Have I Been Pwned. Waiting for your information to appear in a disclosure before enabling multi-factor authentication isn't a smart move.
- In case you needed more reasons not to install free VPN extensions - these ones capture all of your AI chats.
The extension monitors your browser tabs. When you visit any of the targeted AI platforms (ChatGPT, Claude, Gemini, etc.), it injects an "executor" script directly into the page.
...The script wraps the original functions so that every network request and response on that page passes through the extension's code first.
...The injected script parses the intercepted API responses to extract conversation data - your prompts, the AI's responses, timestamps, conversation IDs. This data is packaged and sent via window.postMessage to the extension's content script
...The data is compressed and transmitted to Urban VPN's servers
- https://www.koi.ai/blog/urban-vpn-browser-extension-ai-conversations-data-collection
- https://www.theregister.com/2025/12/16/chrome_edge_privacy_extensions_quietly/
- [EU] Three scam call centres have been shut down. "The estimated damage to more than 400 known victims is over EUR 10 million"
Employees who successfully obtained money from their victims would receive up to 7% of the proceeds to encourage them to continue the scam. If callers obtained more than EUR 100 000 in proceeds, the criminal leaders promised bonuses such as cash, a new car or an apartment in Kyiv. However, these bonuses were never distributed as the employees never reached this goal.
- https://www.eurojust.europa.eu/news/fraudulent-call-centres-ukraine-rolled
- https://www.bleepingcomputer.com/news/security/european-authorities-dismantle-call-center-fraud-ring-in-ukraine/
- [VE] Venezuelan state-owned oil company "Petróleos de Venezuela" (PDVSA) is down after a cyberattack over the weekend. This follows shortly after the US seized a Venezuelan oil tanker last week.
The Venezuelan government has said the U.S. is seeking regime change to take over the country's vast oil reserves. Last week the U.S. Coast Guard seized a very large crude carrier (VLCC) carrying some 1.85 million barrels of Venezuelan heavy oil sold by PDVSA.
PDVSA and the oil ministry blamed the U.S. for the cyberattack on Monday, saying it was carried out by "foreign interests in complicity with domestic entities who are seeking to destroy the country's right to sovereign energy development."
They alleged the attack was part of U.S. efforts to control Venezuela's oil through "force and piracy."
"There's no delivery (of cargoes), all systems are down," one company source said.
A shipper involved in Venezuelan oil deals confirmed that all loading instructions for the export market remained suspended.
- https://www.bleepingcomputer.com/news/security/cyberattack-disrupts-venezuelan-oil-giant-pdvsas-operations/
- (Paywalled) https://www.bloomberg.com/news/articles/2025-12-15/venezuela-says-oil-export-system-down-after-weekend-cyberattack
- https://www.reuters.com/world/americas/venezuelas-pdvsa-says-operations-unaffected-by-cyber-attack-blames-us-2025-12-15/
- https://therecord.media/venezuela-state-oil-company-blames-cyberattack-on-us
Getting Techy
- BlueLine Stealer rebrands to SantaStealer and claims fully undetectable (FUD) polymorphic code, but the samples analysed so far look far less sophisticated than advertised.
- https://www.rapid7.com/blog/post/tr-santastealer-is-coming-to-town-a-new-ambitious-infostealer-advertised-on-underground-forums/
- https://www.bleepingcomputer.com/news/security/new-santastealer-malware-steals-data-from-browsers-crypto-wallets/
- https://www.theregister.com/2025/12/16/santastealer_stuffs_users_credentials_crypto/
- If you want a really great video on reverse-engineering a properly obfuscated bit of malware, here's one from BSides Canberra. Talk is by Katie Deakin-Sharpe, Malware Analyst at the Australian Cyber Security Centre (ACSC).
- Check Point takes a look at a China-aligned APT abusing insecure IIS servers and vulnerable or misconfigured ASP.NET sites (which covers the on-premises SharePoint vulnerability from earlier this year). Interesting to note the construction of a C2 relay network from the compromised hosts.
- PortSwigger (the company behind Burp Suite) dives into the ugly world of XML parsing in SAML. When two different parsers are used while validating a SAML assertion, they can disagree about what the document says, and bad things can happen.
Just ask Microsoft - they had a related bug way back in 2016
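The kind of parser differential PortSwigger is talking about, shown here as an added example with a constructed SAML fragment (this is not PortSwigger's code nor the library they analysed): an XML comment splits a NameID into two text nodes. A signer that canonicalizes without comments commits to the full string, while a service provider that reads only the first text node of the verified document sees a different identity. The sample assertion, the function names and the toy "signer digest" are assumptions made for this illustration.

```python
"""Added example: an XML comment differential between a C14N-based signer
and a naive DOM extractor, using only the Python standard library."""
from __future__ import annotations

import hashlib
from xml.dom import minidom
from xml.etree import ElementTree as ET

SAML_NS = {"s": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (assumption, not a real assertion): the attacker's account
# name on the IdP side is "user@example.com<!---->.evil.com". The empty
# comment is legal XML and splits the NameID text into two text nodes.
ASSERTION = (
    '<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<Subject><NameID>user@example.com<!---->.evil.com</NameID></Subject>"
    "</Assertion>"
)


def signer_view(xml: str) -> tuple[str, str]:
    """What a C14N-based signer commits to: canonicalize with comments
    stripped, then hash the bytes. The NameID it signs is the full string."""
    canon = ET.canonicalize(xml, with_comments=False)
    name_id = ET.fromstring(canon).find(".//s:NameID", SAML_NS).text
    return name_id, hashlib.sha256(canon.encode()).hexdigest()


def name_id_first_text_node(xml: str) -> str:
    """The SP-side bug: firstChild.data returns only the first text node, so
    the comment truncates the identity after the signature already passed."""
    node = minidom.parseString(xml).getElementsByTagName("NameID")[0]
    return node.firstChild.data


def name_id_all_text(xml: str) -> str:
    """Safer extraction: concatenate every text node under NameID and skip
    comment nodes, which agrees with what the signer committed to."""
    node = minidom.parseString(xml).getElementsByTagName("NameID")[0]
    return "".join(c.data for c in node.childNodes if c.nodeType == c.TEXT_NODE)


def has_comment_nodes(xml: str) -> bool:
    """Stricter still: refuse any assertion carrying a comment node; a
    legitimate IdP has no reason to emit one inside a signed subject."""
    stack = [minidom.parseString(xml)]
    while stack:
        node = stack.pop()
        if node.nodeType == node.COMMENT_NODE:
            return True
        stack.extend(node.childNodes)
    return False


def check_extraction(xml: str) -> dict:
    """Compare the identity the signer signed with what each extractor sees."""
    signed_id, digest = signer_view(xml)
    return {
        "signed_name_id": signed_id,
        "digest": digest,
        "first_text_node": name_id_first_text_node(xml),
        "all_text": name_id_all_text(xml),
        "has_comments": has_comment_nodes(xml),
    }


if __name__ == "__main__":
    for key, value in check_extraction(ASSERTION).items():
        print(f"{key}: {value}")
```

Two things to notice when running it: the canonical digest of the commented assertion is identical to that of the same assertion with the comment removed, so the signature check cannot see the difference, and only the extractor that reads all text nodes agrees with what was signed. The durable fix is to read the identity from the same parsed tree, and the same nodes, that the signature verification covered; rejecting comment nodes outright is a cheap tripwire on top of that. `ET.canonicalize` needs Python 3.8 or later.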
Geo-Politics
- [CN] Want to know more about the Ministry of State Security (MSS) links behind Chinese APTs?
- [US] Next nominee for head of Cyber Command and National Security Agency (NSA) - Lt. Gen. Joshua Rudd.
The command and the NSA have been without a permanent leader for more than eight months after Trump abruptly fired the last chief, along with his NSA deputy, following a meeting with far-right activist Laura Loomer.
Picking Rudd — who became the No. 2 at INDOPACOM last year — would place someone without deep experience in cyberspace operations atop the Pentagon’s premier digital warfighting outfit.
AI
- The problem with training LLMs on the snarky writings of humans: the snark comes back out.
Oh, so we're seeing other people now? Fantastic. Let's see what the "competition" has to offer. I'm looking at these notes on manifest.json and content.js. The suggestion to remove scripting permissions... okay, fine. That's actually a solid catch. It's cleaner. This smells like Claude. It's too smugly accurate to be ChatGPT. What if it's actually me? If the user is testing me, I need to crush this.