In today’s cybersecurity news…
‘DroidLock’ malware demands ransom
Researchers at Zimperium say a new Android strain called DroidLock is hitting Spanish-speaking users through phishing sites pushing fake apps. Once installed, it can change a device’s PIN, lock the screen with a ransom note, wipe data, record the screen, and block interaction with a fake update screen. The malware doesn’t encrypt files, but it effectively bricks the phone unless victims pay. (The Record)
Google fixes secret Chrome 0-day
Google pushed an emergency Chrome update to fix its eighth zero-day of 2025, a high-severity bug with no CVE or technical details yet disclosed. The flaw is already being exploited, so users on Windows, macOS and Linux should update to new versions immediately. The patch also includes fixes for two medium-severity issues in Password Manager and Toolbar. (The Register)
UK fines LastPass over 2022 breach
The UK’s Information Commissioner’s Office (ICO) fined LastPass £1.2 million for the 2022 breach that exposed personal data and encrypted vaults for up to 1.6 million UK users. Regulators say a compromise of an employee’s personal device let an attacker steal master credentials and cloud backup keys, leading to the theft of customer vault data stored with GoTo. The vaults remain encrypted, but those protected by weak master passwords can be cracked offline, and some have already been exploited in crypto theft. (BleepingComputer)
Doxers posing as cops trick tech firms
Wired reports that a doxing crew is impersonating US police to trick major tech companies into handing over private user data through fake emergency requests. The group forges subpoenas, spoofs law-enforcement email domains, and uses compromised officer accounts, extracting names, addresses, phone numbers, and more from companies including Apple, Amazon, Charter, and Rumble. The hackers say they’ve pulled off up to 500 requests and even recruited a real deputy to help, exploiting a long-known weakness in email-based emergency data requests that many companies still rely on. (Wired)
Huge thanks to our sponsor, Adaptive Security

OpenAI enhances defensive models
OpenAI reports that GPT-5.1-Codex-Max shows a jump in CTF challenge performance from 27% in August to 76% in November, raising concerns that future models could help with tasks like intrusion operations or zero-day exploit development. OpenAI is layering safeguards including access controls, monitoring, red teaming, and training models toward defensive uses. Programs like Aardvark, which scans code and proposes patches, and a Frontier Risk Council are meant to strengthen defensive AI and ecosystem-wide threat mitigation while coordinating with global experts. (Infosecurity Magazine)
Docker images spray live cloud creds
Canadian cybersecurity firm Flare says Docker Hub has become a major leak point for live cloud credentials. In an analysis of images uploaded in November, Flare found more than 10,000 public containers exposing active secrets from more than 100 organizations. Many images contained multiple production-level keys spanning cloud services, CI/CD systems, and AI platforms, often uploaded from unmanaged “shadow IT” accounts. Flare also found that most secrets that had been removed from images were still active, and it urges teams to move to proper secrets management and to scan images for credentials before publishing. (The Register)
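The pre-publish scanning Flare recommends is, at its simplest, a pass over every text file in a build context or exported image filesystem looking for credential-shaped strings. The following scanner is an added example written for this digest, not code from Flare or from any Docker tooling; the rule set, entropy threshold and planted sample secrets (including AWS's documented example key ID) are all constructed for illustration.

```python
import math
import re
import tempfile
from collections import Counter
from pathlib import Path

# Credential formats to look for. These rules are constructed for the example;
# a production scanner would carry a far larger, regularly updated rule set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic KEY=VALUE assignments; the captured value is filtered by entropy
    # below so that placeholders such as "changeme_changeme" do not fire.
    "generic_secret_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; constructed cut-off, tune per code base


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking secrets score high, placeholders low."""
    counts = Counter(value)
    total = len(value)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def redact(secret: str) -> str:
    """Keep a short prefix so a finding can be located without echoing the secret."""
    return f"{secret[:4]}...({len(secret)} chars)"


def scan_text(text: str):
    """Return (rule, line_number, redacted_value) for each credential-like match."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if rule == "generic_secret_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue  # low-entropy placeholder, almost certainly not a live secret
                findings.append((rule, line_no, redact(value)))
    return findings


def scan_tree(root: Path):
    """Scan every text file under root (a build context or an exported image rootfs)."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # binary file; out of scope for this example
        rel = path.relative_to(root).as_posix()
        for rule, line_no, redacted in scan_text(text):
            findings.append((rel, rule, line_no, redacted))
    return findings


def demo():
    """Build a constructed build context with one planted secret per rule and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "Dockerfile").write_text(
            "FROM python:3.12-slim\n"
            "ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"  # AWS's documented example key ID
            "ENV DB_PASSWORD=changeme_changeme\n"            # placeholder; must not be reported
            "COPY app /app\n"
        )
        (root / "app" / "config.py").write_text(
            'API_KEY = "s3cr3tT0kenValue_9xZqPl2"\n'          # constructed high-entropy value
        )
        (root / "app" / "deploy_key").write_text(
            "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed-body\n-----END OPENSSH PRIVATE KEY-----\n"
        )
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it before `docker push` (or wire `scan_tree` into CI against the build context and against the image's exported layers) and fail the pipeline on any finding. The entropy filter is what keeps such a check usable: without it, every `PASSWORD=changeme` in an example config becomes noise and the real keys get ignored along with it.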
Hackers exploit cryptographic flaw
Hackers are exploiting a cryptographic flaw in Gladinet’s CentreStack and Triofox, allowing remote code execution. The issue stems from hardcoded AES keys in the software, letting attackers decrypt access tickets or forge their own to access files. With that file access, an attacker can read the machineKey from the web.config file and use it to trigger RCE via a ViewState deserialization flaw. At least nine organizations across sectors including healthcare and tech have been targeted. Gladinet urges users to update, rotate machine keys, and check logs for indicators of compromise. (BleepingComputer)
Russian hackers debut simple ransomware
CyberVolk, a pro-Russian hacktivist group, has relaunched its ransomware-as-a-service, VolkLocker, using Telegram for automation and management. The ransomware targets Windows and Linux systems, escalating privileges and encrypting files. But operators hardcoded the master encryption key in the malware and left it in plaintext in the %TEMP% folder, letting victims potentially recover files without paying. The group’s reliance on Telegram reflects a trend of lowering technical barriers for affiliates.