Trump to hand some offsec ops against adversaries to the private sector, report
Canada to probe billboard facial recognition use, Pope Leo weighs in on Italian spyware scandal, Oracle bug led to theft of sensitive NHS docs, Coupang founder will go MIA at parliamentary hearing, Asahi will change cyber posture after ransomware attack, Apple issues emergency updates, much more
'Tis the season to be generous. Please support Metacurity in our mission to end infosec news overload.
Metacurity is a pure labor of love and is the only daily newsletter that delivers the critical infosec developments you need to know, scanned from thousands of sources and smartly summarized.
But to continue delivering our daily updates, we need your support. Please consider upgrading to an annual paid subscription today.
If you can't upgrade to a paid subscription today, please consider donating what you can.
Sources say Donald Trump’s administration is preparing to turn to private businesses to help mount offensive cyberattacks against foreign adversaries, potentially expanding a shadowy electronic conflict typically conducted by secretive intelligence agencies.
The White House plans to make public its intention to enlist private companies in more aggressive efforts to go after criminal and state-sponsored hackers in a new national cyber strategy, a draft of which has been viewed by industry officials and experts. The strategy is expected to be released by the Office of the National Cyber Director in the coming weeks.
The draft, as described by multiple people, says the federal government should unleash private businesses as it moves to impose consequences on foreign adversaries who breach critical infrastructure and telecommunications networks, or who cripple businesses with ransomware attacks. The draft didn’t provide many details on how the administration would use the companies.
The administration is expected to provide more information after the release of the strategy, as well as an executive order that could outline private firms’ roles and provide them with more legal protections, the people said. Legislation might also be required.
The push to include industry would open lucrative new business opportunities to firms that have traditionally contracted with the government on defensive strategies rather than offensive measures. But it comes with risks.
There is currently no legal basis for private firms to conduct their own offensive cyber operations. Additionally, any operations to take down adversary infrastructure could put private firms in the crosshairs of foreign government entities, whose intelligence services often use affiliates to carry out their cyberattacks.
Discussions on contracting out offensive cyber operations were already underway in Joe Biden’s White House, though his administration didn’t settle on a policy, said people familiar with those deliberations.
The cyber strategy draft, some five pages long, also calls for streamlining data security and cyber regulations, the modernization of federal systems, securing critical infrastructure, and promoting the adoption of post-quantum cryptography and secure quantum computing. The White House has invited industry officials to give feedback on the draft, which could still change. (Jamie Tarabay / Bloomberg)
Related: r/cybersecurity
Canada’s privacy commissioner has launched an investigation into the use of facial detection software in certain billboards near Toronto’s Union Station.
The controversy first erupted after a Reddit post on Nov. 2 highlighted the billboards’ use of facial detection technology to track and analyze data of passersby, including their age and gender.
In the post, images of a disclaimer and a billboard of a taco advertisement outside of Union’s bus terminal are shown with a camera highlighted in the top left corner of the photo.
Cineplex Digital Media (CDM), which owns the billboards, said the technology only detects the presence of a person and estimates their age and sex. CDM added in a news release that no images or personal data are stored, and all processing happens within milliseconds.
“Following the receipt of complaints from individuals, Privacy Commissioner of Canada Philippe Dufresne has opened an investigation into privacy concerns related to digital signs installed near Toronto’s Union Station that allegedly use facial detection software,” said Vito Pilieci, senior communications advisor for Dufresne’s office.
Pilieci said the investigation will examine whether the technology is being used in compliance with the Personal Information Protection and Electronic Documents Act, Canada’s federal privacy law for private-sector companies. (Sean Previl / Global News)
Related: The Brock Press, The Record, City News, The Toronto Star
Pope Leo urged Italy's intelligence services to avoid smearing public figures and journalists, saying abuse of confidential material risked undermining democracy and public trust.
His appeal came amid heightened scrutiny of Italy’s security agencies following recent surveillance scandals involving spyware and the alleged hacking of phones of reporters and human rights activists.
Speaking at a ceremony marking the centenary of Italy's spy service, the pontiff praised its role in safeguarding national security, including at the Vatican, but stressed that it must be guided by law and ethics.
Italy's parliament revealed earlier this year that the government had used Israeli-made spyware to hack the phones of several people, including Luca Casarini and Giuseppe Caccia, the founders of Mediterranea Saving Humans, an NGO that tries to protect refugees who cross the Mediterranean. (Crispian Balmer / Reuters)
Related: Vatican News, OSV News, Catholic News Agency, UPI, Agenzia Nova, The Times
Hundreds of thousands of sensitive NHS documents, some relating to British and foreign Royals, senior judges, and members of the House of Lords, have been stolen by Russian hackers.
The unprecedented data breach, one of the largest to hit the health service, has seen 169,000 confidential documents dumped on the dark web after the ransomware gang exploited a bug in software provided to NHS bodies by US tech giant Oracle.
Many of those affected by the leak are high-profile NHS private patients, with some invoicing details from Barts NHS Health Trust in London linked to unnamed patients from royal residences, including King Charles’s official home, Clarence House, Buckingham Palace, Sandringham, and Windsor Castle.
It is unclear which Royals were treated and for what purpose, but the leak raises serious concerns about the security of medical details of the Royal Household, as the King continues to be treated for an undisclosed form of cancer.
The grave incident also casts doubt over controversial plans to introduce digital ID systems in the UK, as Oracle’s billionaire owner, Larry Ellison, is the biggest donor to the Tony Blair Institute, which is lobbying for such systems to be introduced. Others affected by the breach include the BBC, Premier League football clubs, British aristocrats, a member of the Bahraini Royal Family, and billionaire business moguls.
The files also include data linked to children being treated at NHS hospitals, women undergoing fertility treatment, and patients receiving kidney dialysis.
The extraordinary breach comes after cybersecurity experts warned in October that the Oracle software used by the NHS and the Treasury – which provides financial management and HR support to organisations – was vulnerable to Russian hackers, and that attempts at ‘exploitation’ were ‘highly likely’.
Researchers at Google said hackers from a gang known as Clop had sent emails to executives at ‘numerous organisations… alleging the theft of sensitive data’ and demanding money for its safe return. (Lydia Veljanovski / Daily Mail)
Related: Daily Express, GB News, Geo News, Daily Jang, EurAsia Daily
Korean retail giant Coupang's founder, Kim Bom-suk, said he would not appear for a parliamentary hearing this week over the e-commerce giant's massive data breach that affected nearly 34 million people, lawmakers said.
Kim, the chair of Coupang's board, submitted a statement on his non-appearance for the hearing scheduled for Wednesday, according to Democratic Party (DP) lawmakers of the parliamentary science, ICT, broadcasting, and communications committee.
Park Dae-jun and Kang Han-seung, former CEOs of the U.S.-listed company's Korean unit, also notified the lawmakers of their non-appearance.
Late last month, Coupang disclosed that the personal information of 33.7 million customers had been compromised, including their names, phone numbers, email addresses, and delivery details, sparking scrutiny from lawmakers about the company's practices. (Yonhap News Agency)
Related: Bloomberg, The Investor, Tech in Asia, Korea JoongAng Daily, The Chosun Daily
Asahi Group Holdings is considering significant changes in its cybersecurity posture, just three months after a ransomware attack hit it.
The Japanese brewing giant’s CEO, Atsushi Katsuki, told Bloomberg on December 15 that he has decided to elevate cybersecurity to a top management priority and is considering the creation of a dedicated cybersecurity unit within the group.
This decision follows a ransomware attack in September that exposed the personal data of two million people, including 1.5 million Asahi customers, and forced operational disruptions that may last at least until February 2026. (Bloomberg and Kevin Poireault / Infosecurity Magazine)
Related: National Technology News, The Star
Apple released emergency updates to patch two zero-day vulnerabilities that were exploited in an “extremely sophisticated attack” targeting specific individuals.
The zero-days are tracked as CVE-2025-43529 and CVE-2025-14174, and both patches were issued in response to the same reported exploitation.
"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26," reads Apple's security bulletin.
CVE-2025-43529 is a WebKit use-after-free remote code execution flaw that can be exploited by processing maliciously crafted web content. Apple says Google’s Threat Analysis Group discovered the flaw.
CVE-2025-14174 is a WebKit flaw that could lead to memory corruption. Apple says the flaw was discovered by both Apple and Google’s Threat Analysis Group.
Apple has fixed the flaws in iOS 26.2 and iPadOS 26.2, iOS 18.7.3 and iPadOS 18.7.3, macOS Tahoe 26.2, tvOS 26.2, watchOS 26.2, visionOS 26.2, and Safari 26.2. (Lawrence Abrams / Bleeping Computer)
Related: reddit TECH NEWS, Security Affairs, Cyber Security News, Cyber Insider, Fast Company, Business Insider, TechCrunch, MacRumors, r/InfoSecNews, MacDailyNews, Macworld, The Tech Outlook, Computerworld Security, Techlusive, The Register - Security, Business Standard, Help Net Security
Messaging app Freedom Chat has fixed a pair of security flaws: one that allowed a security researcher to guess registered users’ phone numbers, and another that exposed user-set PINs to others on the app.
Freedom Chat, released in June, bills itself as a secure messaging app and claims on its website that users’ phone numbers stay private.
But security researcher Eric Daigle discovered that users’ phone numbers and PIN codes, used for locking the app, could be easily obtained by exploiting vulnerabilities.
Daigle found the vulnerabilities last week and shared their details with TechCrunch, as Freedom Chat does not provide a public way to report security flaws, like a vulnerability disclosure program. TechCrunch then alerted Freedom Chat founder Tanner Haas to the security flaws by email.
Haas confirmed that the app has now reset user PINs and released a new version. Haas added that the company is removing the instances where users’ phone numbers were occasionally visible, and has tightened rate limiting on its servers to prevent mass guessing attempts. (Zack Whittaker / TechCrunch)
Related: Eric Daigle, SC Media
Security researcher Ben Zimmermann found in early November a publicly exposed GitHub access token belonging to a Home Depot employee. The token, which had been exposed sometime in early 2024, granted access to hundreds of private Home Depot source code repositories hosted on GitHub and allowed their contents to be modified.
The researcher said the keys allowed access to Home Depot’s cloud infrastructure, including its order fulfillment and inventory management systems, and code development pipelines, among other systems. Home Depot has hosted much of its developer and engineering infrastructure on GitHub since 2015, according to a customer profile on GitHub’s website.
Zimmermann said he sent several emails to Home Depot but didn’t hear back.
Given that Home Depot does not have a way to report security flaws, such as a vulnerability disclosure or bug bounty program, Zimmermann contacted TechCrunch in an effort to get the exposure fixed.
When reached by TechCrunch on December 5, Home Depot spokesperson George Lane acknowledged receipt of TechCrunch's email but did not respond to follow-up emails asking for comment. The exposed token is no longer online, and the researcher said the token’s access was revoked soon after TechCrunch's outreach. (Zack Whittaker / TechCrunch)
Related: CSO Online
Researchers at Trend Micro discovered that a fake website purporting to be the official page of the Japanese prime minister's office contained Russian-language text in its internal setup.
An official of the company said the discovery suggests that people in Russian-speaking regions were likely involved in creating the fraudulent site.
According to Trend Micro, the fake website promotes investment schemes and includes fields prompting users to enter their name, email address, and phone number.
Once users provide their information, a person believed to be a foreign national calls them in Japanese and directs them to another website, where they are asked to enter their credit card details or make a payment. (Japan Today)
Related: Asia News Network
Researchers at Kaspersky discovered a new Android banking Trojan dubbed "Frogblight" that targets users in Türkiye by disguising itself as an app for accessing court case files through official government webpages.
Frogblight exploits official government websites as an intermediary step to harvest victims' banking credentials.
"Frogblight can use official government websites as an intermediary step to steal banking credentials," the researchers said.
"Moreover, it has spyware functionality, such as capabilities to collect SMS messages, a list of installed apps on the device, and device filesystem information. It can also send arbitrary SMS messages," the researchers added.
After the victims grant the requested permissions, the malware opens the official government webpage for accessing court case files in WebView, prompting the victim to sign in.
When users choose the online banking sign-in option, Frogblight waits two seconds, then forces the online banking method regardless of user choice, injecting JavaScript code to capture user input and send it to command and control servers. (Türkiye Today)
Related: Securelist

MetaMask security researcher Taylor Monahan (known as Tayvano) warns that North Korean cybercriminals have executed a strategic pivot in their social engineering campaigns, stealing more than $300 million by impersonating trusted industry figures in fake video meetings.
The warning outlines a sophisticated “long-con” targeting crypto executives.
According to Monahan, the campaign departs from recent attacks that relied on AI deepfakes.
Instead, it uses a more straightforward approach built on hijacked Telegram accounts and looped footage from real interviews.
The attack typically starts after hackers seize control of a trusted Telegram account, often belonging to a venture capitalist or someone the victim previously met at a conference.
Then, the malicious attackers exploit prior chat history to appear legitimate, guiding the victim to a Zoom or Microsoft Teams video call via a disguised Calendly link.
Once the meeting starts, the victim sees what appears to be a live video feed of their contact. In reality, it is often a recycled recording from a podcast or public appearance.
The decisive moment typically follows a manufactured technical issue.
After citing audio or video problems, the attacker urges the victim to restore the connection by downloading a specific script or updating a software development kit, or SDK. The file delivered at that point contains the malicious payload.
Once installed, the malware—often a Remote Access Trojan (RAT)—grants the attacker total control.
It drains cryptocurrency wallets and exfiltrates sensitive data, including internal security protocols and Telegram session tokens, which are then used to target the next victim in the network. (Oluwapelumi Adejumo / BeInCrypto)
Related: Coinpaper, Coincentral, Coinjournal, BeInCrypto, Invezz
A sophisticated attack on Ribbon Finance, since rebranded as Aevo, drained $2.7 million from its old contract and moved the funds to fifteen separate wallet addresses, some of which have already been consolidated into larger accounts.
According to several blockchain investigators on social platform X, the attack occurred just six days after the platform upgraded its oracle infrastructure and option creation procedures. The attackers used a smart contract to extract hundreds of Ethereum tokens and other digital assets.
In a thread explaining the exploit, Web3 security analyst Liyi Zhou said a malicious contract manipulated the Opyn/Ribbon oracle stack by abusing price-feed proxies, and pushed arbitrary expiry prices for wstETH, AAVE, LINK, and WBTC into the shared oracle at a common expiry timestamp.
“The attacker placed large short oToken positions against Ribbon Finance’s MarginPool, which used these forged expiry prices in its settlement pipeline and transferred out hundreds of WETH and wstETH, thousands of USDC, and several WBTC to theft addresses through redeem and redeemTo transactions,” Zhou explained. (Florence Muchai / Cryptopolitan)
Related: OneSafe, Binance, Unchained, Coinspeaker, Bitcoin.com
Valentino Ricotta, an engineering analyst for Thales, hijacked an Amazon account by hacking into a Kindle and has warned people about the dangers of downloading ebooks.
Ricotta created a “malicious” ebook that enabled him to exploit vulnerabilities in the Kindle.
When the ebook was downloaded onto the device, he was able to get full access to the linked Amazon account.
Ricotta, an ethical hacker based at Thalium, the Rennes, France-based research division of Thales, looks for vulnerabilities in standard devices and presented his findings at the Black Hat Europe hacker conference in London, in a session called Don’t Judge an Audiobook by Its Cover. (Mark Sellman / The Times)
Related: Good E Reader
Microsoft now pays security researchers for finding critical vulnerabilities in any of its online services, regardless of whether the code was written by Microsoft or a third party.
This policy shift was announced at Black Hat Europe by Tom Gallagher, vice president of engineering at Microsoft Security Response Center.
As Gallagher explained, attackers don't distinguish between Microsoft code and third-party components when exploiting vulnerabilities, prompting the company to expand its bug bounty program to cover all Microsoft online services by default, with all new services in scope as soon as they are released.
The program now also includes security flaws in third-party dependencies, including commercial or open-source components, if they impact Microsoft online services.
"Starting today, if a critical vulnerability has a direct and demonstrable impact to our online services, it’s eligible for a bounty award. Regardless of whether the code is owned and managed by Microsoft, a third-party, or is open source, we will do whatever it takes to remediate the issue," Gallagher said. (Sergiu Gatlan / Bleeping Computer)
Related: Microsoft, Silicon Angle, CSO, The Register, SecurityWeek, Security Boulevard, ComputerWeekly.com, Windows Report
ServiceNow is in advanced talks to buy the cybersecurity startup Armis in a deal that may be valued at as much as $7 billion and would represent the tech company’s largest acquisition to date.
Sources say a deal may be announced in the coming days. While discussions are advanced, they may still fall apart, or another potential bidder may emerge, according to the sources. (Andrew Martin, Ryan Gould, and Brody Ford / Bloomberg)
Related: CTech, Dataconomy, CNBC, Times of Israel, The Information, PYMNTS, Silicon Angle, Tech Republic, Techzine Europe, Tech Funding News, Verdict, Silicon Republic
Agentic security company Prime Security announced it had raised $20 million in a Series A venture funding round.
Scale Venture Partners led the round with participation from Foundation Capital, Flybridge Ventures, and Ofir Ehrlich, CEO & Founder of Eon. (Chris Metinko / Axios)
Related: Business Wire, FinSMEs, SiliconANGLE, Pulse 2.0, AlleyWatch
Best Thing of the Day: Starlink Meets South African Resistance
The parliamentary committee that oversees South Africa’s telecommunications industry called for the withdrawal of a policy directive that would enable Elon Musk’s SpaceX and other satellite-internet companies to operate in the country without ceding ownership.
Worst Thing of the Day: All Your Data Belong to the Secret Police
A man in Atlanta has been arrested and charged for allegedly deleting data from a Google Pixel phone before a member of a secretive Customs and Border Protection (CBP) unit was able to search it.
Closing Thought
