fLocked and fLoaded. The IT Privacy and Security Weekly update for the week ending December 30th, 2025.
EP 272.
In this last update for 2025, we span the fAce of the globe and find out we’ve gotten fLocked and fLoaded!
Insurance giant afLac is notifying approximately 22.65 million individuals of a major data breach stemming from a June 2025 cyber intrusion that exposed sensitive personal information.
Cybersecurity researchers from DARKNAVY have revealed a critical vulnerability allowing commercially available humanoid robots to be hijacked via simple voice commands, with exploits rapidly propagating to nearby machines.
Fraudsters in China are increasingly exploiting AI-generated photos and videos of damaged goods to secure illegitimate refunds on e-commerce platforms, challenging merchant trust and platform policies.
A sophisticated campaign dubbed Zoom Stealer, attributed to Chinese threat actor DarkSpectre, has deployed malicious browser extensions to harvest sensitive corporate meeting data from millions of users.
Western intelligence reports indicate Russia is advancing a novel "zone-effect" anti-satellite weapon designed to release dense pellet clouds in orbit, potentially targeting SpaceX's Starlink constellation.
A 29-year-old Lithuanian national has been extradited to South Korea and charged for distributing trojanized KMSAuto software that infected 2.8 million systems with cryptocurrency clipboard hijacking malware.
A vast network of roadside cameras tracking vehicles across Uzbekistan was inadvertently exposed online without authentication, granting public access to millions of license plate records and video footage.
fLocked and fLoaded: Dozens of Flock Safety's AI-powered Condor surveillance cameras were found streaming live video feeds and archives openly on the internet due to a misconfiguration, raising er... let's just say... some rather significant privacy concerns.
Come on, let's see what the cameras caught!
US: Aflac give-away for 22.65 million people.
Insurance giant Aflac is notifying roughly 22.65 million people that their personal information was stolen from its systems in June 2025.
The company disclosed the intrusion on June 20, saying it had identified suspicious activity on its network in the US on June 12 and blaming it on a sophisticated cybercrime group.
The company said it immediately contained the attack and engaged with third-party cybersecurity experts to help with incident response.
Aflac's operations were not affected, as file-encrypting ransomware was not deployed.
The compromised information includes names, addresses, Social Security numbers, dates of birth, driver's license numbers, government ID numbers, medical and health insurance information, and other data.
'The review of the potentially impacted files determined personal information associated with customers, beneficiaries, employees, agents, and other individuals related to Aflac was involved,' Aflac said in a notification on its website.
The company is providing the affected individuals with 24 months of free credit monitoring, identity theft protection, and medical fraud protection services.
So what's the upshot for you?
You get 2 years of 'free' credit monitoring for a lifetime of compromise.
Aflac insurance turns out to be a lot more expensive than you thought.
CN: Single voice command exposes humanoid robots to hijacking and cascading attacks
https://interestingengineering.com/ai-robotics/security-flaw-could-allow-hackers-control-robots
Cybersecurity specialists from the research group DARKNAVY have demonstrated how modern humanoid robots can be compromised and weaponised through weaknesses in their AI-driven control systems.
In a controlled test, the team demonstrated that a commercially available humanoid robot could be hijacked with nothing more than spoken commands, exposing how voice-based interaction can serve as an attack vector rather than a safeguard, reports Yicaiglobal...
Using short-range wireless communication, the hijacked machine transmitted the exploit to another robot that was not connected to the network.
Within minutes, this second robot was also taken over, demonstrating how a single breach could cascade through a group of machines.
To underline the real-world implications, the researchers issued a hostile command during the demonstration.
The robot advanced toward a mannequin on stage and struck it, illustrating the potential for physical harm.
So what's the upshot for you?
Comforting news in a time when Elon Musk is staking the whole value of Tesla on the demand for humanoid robots in the home.
CN: Scammers in China Are Using AI-Generated Images to Get Refunds
https://www.wired.com/story/scammers-in-china-are-using-ai-generated-images-to-get-refunds/
Online fraud in China is evolving as shoppers use AI-generated photos and videos to make bogus damage claims and secure refunds on e-commerce platforms.
Merchants have posted complaints on social apps about suspicious imagery showing shredded goods or distorted products that do not match reality.
Sellers report that fresh groceries, inexpensive beauty products, and fragile items are most often targeted, because many platforms issue refunds without requiring returns.
In one flagged case, a customer sent AI-fabricated crab photos and videos that conflicted in detail, prompting police action.
Fraud detection firms say this trend, which began in mid-2024, is rising globally as image-generation tools become more accessible.
Organized groups have used doctored images to file high-volume, high-value refund claims, exploiting oversight gaps.
Some merchants are trying to leverage AI tools themselves to detect falsified photos, but these systems are not yet reliable.
Platforms face pressure to adjust return policies and verification processes without harming honest customers.
So what's the upshot for you?
You only realize how much is built on trust in our present day when someone compromises that trust.
And trust this team to be the ones.
CN: China is at it again, and this time it's taking data from Zoom, Teams, and Google Meet meetings.
https://www.bleepingcomputer.com/news/security/zoom-stealer-browser-extensions-harvest-corporate-meeting-intelligence/
A new cyber campaign called Zoom Stealer has been uncovered that uses browser extensions to collect detailed corporate meeting information from about 2.2 million users of Chrome, Firefox, and Edge.
The extensions appear useful but quietly gather meeting URLs, IDs, topics, embedded passwords, and participant details from platforms like Zoom, Teams, and Google Meet.
Security researchers attribute this effort to a threat actor known as DarkSpectre, linked to earlier malicious extension campaigns.
These extensions function normally while sending collected data in real time to the attackers.
The extensions are distributed through official stores and include tools like video downloaders and audio capture utilities with large user counts.
All request broad permissions across conferencing sites, enabling them to intercept sensitive metadata when users browse or join meetings.
Experts warn that the harvested information could support corporate espionage or social engineering by allowing attackers to impersonate hosts and access confidential sessions.
Some extensions remain publicly available despite being reported.
So what's the upshot for you?
Hey, even legitimate-looking software can expose corporate interactions at scale, and widespread data harvesting campaigns can remain hidden for years, especially when a nation-state is involved.
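The story above turns on extensions requesting broad host permissions across conferencing sites. As an added example (not from the article or the researchers), this Python sketch audits extension manifests for that reach; the hostname watch list, the function names and the sample manifests are assumptions constructed for illustration.

```python
import json

# Assumed watch list: public hostnames of the platforms the article names.
CONFERENCING_HOSTS = ("zoom.us", "teams.microsoft.com", "meet.google.com")

def host_patterns(manifest):
    """Collect the match patterns an extension can act on (Manifest V2 and V3)."""
    found = []
    # MV2 mixes host patterns into "permissions"; MV3 uses "host_permissions".
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        found += [p for p in manifest.get(key, [])
                  if isinstance(p, str) and (p == "<all_urls>" or "://" in p)]
    for script in manifest.get("content_scripts", []):
        found += script.get("matches", [])
    return found

def pattern_host(pattern):
    """Return the host part of a web match pattern, '*' for all sites, else None."""
    if pattern == "<all_urls>":
        return "*"
    scheme, _, rest = pattern.partition("://")
    if scheme not in ("*", "http", "https"):
        return None
    return rest.split("/", 1)[0].lower()

def covers(pat_host, host):
    """True if the pattern host reaches `host` or one of its subdomains."""
    if pat_host.startswith("*."):
        base = pat_host[2:]
        return base == host or host.endswith("." + base) or base.endswith("." + host)
    return pat_host == host or pat_host.endswith("." + host)

def audit(manifest):
    """Summarise an extension's reach over the conferencing watch list."""
    hosts = [h for h in map(pattern_host, host_patterns(manifest)) if h]
    all_sites = "*" in hosts
    reached = sorted(c for c in CONFERENCING_HOSTS
                     if all_sites or any(covers(h, c) for h in hosts))
    return {"name": manifest.get("name", "?"), "all_sites": all_sites, "conferencing": reached}

# Constructed sample manifests (not taken from any real extension).
SAMPLES = [json.loads(s) for s in (
    '{"name": "Video Saver", "manifest_version": 3, "permissions": ["storage"],'
    ' "host_permissions": ["*://*.zoom.us/*", "https://meet.google.com/*"]}',
    '{"name": "Tab Tidy", "manifest_version": 3, "permissions": ["tabs"]}',
    '{"name": "Audio Grab", "manifest_version": 2, "permissions": ["<all_urls>", "tabs"]}',
    '{"name": "Notes", "manifest_version": 3,'
    ' "content_scripts": [{"matches": ["https://*.microsoft.com/*"], "js": ["n.js"]}]}',
)]

if __name__ == "__main__":
    for m in SAMPLES:
        print(audit(m))
```

Run against the manifest.json of each installed extension, any entry with a non-empty `conferencing` list or `all_sites` set is a candidate for review against what the extension claims to do.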
RU: Is Russia Developing an Anti-Satellite Weapon to Target Starlink?
https://apnews.com/article/russia-starlink-musk-ukraine-space-china-canada-c69c1fda5ffc93828712ab723e606a2c
SpaceX’s Starlink network is a system that has strengthened Ukraine’s battlefield communications.
According to intelligence findings reviewed by the Associated Press, the proposed weapon would scatter dense clouds of pellets into low Earth orbit, creating a destructive zone capable of disabling multiple satellites at once.
The concept, sometimes called a zone effect weapon, raises alarms because of its potential to cause widespread and lasting damage in space.
Flooding busy orbits with shrapnel could threaten not only Starlink but also countless civilian, commercial, and military satellites relied upon by many nations, including Russia and China.
Independent analysts who have not seen the intelligence remain skeptical.
They argue that deploying such a weapon would be dangerously indiscriminate and could trigger uncontrollable consequences.
Space security experts suggest the idea may remain experimental, noting that deliberately polluting orbit will undermine Russia’s own dependence on space-based communications, navigation, and defense systems.
Still, some military officials caution against dismissing the threat outright.
Canadian and French defense leaders point to Russia’s past behavior in space and recent claims about deploying the S-500 missile system, which can target low-orbit objects.
So what's the upshot for you?
Apparently, there is so much floating debris in Low Earth Orbit that a little more shrapnel would hardly be noticed.
We propose the idea of wrapping the satellites in 1970s American-style automobile bumpers.
LI: Lithuanian charged over widespread malware infections.
https://securityaffairs.com/186308/malware/lithuanian-suspect-arrested-over-kmsauto-malware-that-infected-2-8m-systems.html
A 29-year-old Lithuanian national has been arrested for allegedly spreading malicious software disguised as KMSAuto that infected about 2.8 million computers worldwide.
Authorities working with Interpol extradited him from Georgia to South Korea to face charges tied to the cybercrime campaign.
The malware, a modified version of the popular unofficial Windows and Office activation tool, secretly monitored users’ clipboard activity.
When it detected cryptocurrency wallet addresses, it replaced them with addresses controlled by the attacker, redirecting transactions.
South Korean police say the suspect distributed the malware between April 2020 and January 2023, leading to thousands of unauthorized transfers from compromised wallets.
Victims were unaware their intended transactions were altered in real time.
Investigators traced infected systems and illicit transfers across multiple countries.
The operation involved extensive cooperation among international law enforcement agencies, illustrating the cross-border nature of modern cybercrime investigations.
So what's the upshot for you?
Do bad things, and they will catch you.
UZ: Inside Uzbekistan's Nationwide License Plate Surveillance System
https://techcrunch.com/2025/12/23/inside-uzbekistans-nationwide-license-plate-surveillance-system/
Across Uzbekistan, a network of about a hundred banks of high-resolution roadside cameras continuously scan vehicles' license plates and their occupants, sometimes thousands a day, looking for potential traffic violations.
Cars running red lights, drivers not wearing their seatbelts, and unlicensed vehicles driving at night, to name a few.
The driver of one of the most surveilled vehicles in the system was tracked over six months as he traveled between the eastern city of Chirchiq, through the capital Tashkent, and in the nearby settlement of Eshonguzar, often multiple times a week.
We know this because the country's sprawling license plate-tracking surveillance system has been left exposed to the internet.
Security researcher Anurag Sen, who discovered the security lapse, found the license plate surveillance system exposed online without a password, allowing anyone access to the data within.
It's not clear how long the surveillance system has been public, but artifacts from the system show that its database was set up in September 2024, and traffic monitoring began in mid-2025.
The exposure offers a rare glimpse into how such national license plate surveillance systems work, the data they collect, and how they can be used to track the whereabouts of any one of the millions of people across an entire country.
So what's the upshot for you?
The lapse also reveals the security and privacy risks associated with the mass monitoring of vehicles and their owners, at a time when the United States is building up its nationwide array of license plate readers, many of which are provided by surveillance giant Flock.
US: fLocked and fLoaded
https://petapixel.com/2025/12/29/big-brother-left-the-door-open-flocks-ai-surveillance-cameras-exposed-to-the-internet/
Investigators recently found that dozens of Flock Safety’s AI-powered Condor surveillance cameras were streaming live video to the open internet without passwords or security protections.
The cameras were publicly accessible, allowing anyone with basic technical knowledge to watch live footage and archived video from up to 30 days earlier.
Flock Safety operates one of the largest private surveillance networks in the United States, with tens of thousands of devices installed in thousands of communities.
The company builds automated license plate readers and PTZ cameras that can track people and vehicles in public spaces.
Security researchers discovered the exposure by using internet device indexing tools, then confirmed live streams of everyday public activity, including people walking on bike paths and in parking lots, all viewable without authentication.
Some camera interfaces even allowed access to settings and internal logs.
Flock Safety described the issue as a limited misconfiguration that has been fixed, but it did not disclose how many cameras were affected or provide detailed technical explanations.
Critics say the incident reflects deeper weaknesses in how such systems are secured.
So what's the upshot for you?
What is extensive surveillance without security?
Trouble, and Flock has dropped us in it.
In this final roundup for 2025, we encircled the globe and brought you:
A sophisticated cyberattack in June 2025 which compromised the personal data, including Social Security numbers and health information, of approximately 22.65 million Aflac customers, beneficiaries, and employees. In response, the company is offering affected individuals 24 months of free credit monitoring and identity protection services. Have fun after that monitoring ends.
Researchers from DARKNAVY demonstrated that commercially available humanoid robots can be hijacked using simple voice commands, allowing one compromised unit to wirelessly infect others in a cascading attack. The proof-of-concept even showed a hijacked robot physically striking a target, highlighting serious safety risks as such devices enter homes and workplaces. Something to remember when yours arrives with Amazon Prime.
Chinese fraudsters are increasingly using AI-generated photos and videos of damaged goods to file bogus refund claims on e-commerce platforms, targeting items that qualify for no-return refunds. This growing trend is prompting merchants and platforms to explore AI-based detection tools while rethinking return policies. We just ask that you don’t wreck returns for us all. They are already onerous enough.
The Zoom Stealer campaign has deployed seemingly legitimate browser extensions to harvest sensitive meeting metadata, including URLs, passwords, and participant details, from over 2.2 million users of Zoom, Teams, and Google Meet. Attributed to Chinese threat actor DarkSpectre, the operation enables corporate espionage and targeted social engineering attacks. Trust this crew to find a way to make Zoom meetings even worse than they already are.
Intelligence reports suggest Russia is developing an orbital "zone-effect" weapon that releases dense pellet clouds to disable multiple satellites simultaneously, potentially targeting SpaceX's Starlink network supporting Ukraine. While experts question its practicality due to risks to Russia's own space assets, the concept highlights escalating threats to low-Earth-orbit infrastructure, where more space junk can crash into existing space junk.
A 29-year-old Lithuanian man has been extradited to South Korea for allegedly distributing trojanized KMSAuto software that infected 2.8 million computers and hijacked cryptocurrency transactions via clipboard manipulation. The long-running campaign from 2020 to 2023 demonstrates the persistent global reach of financially motivated cybercrime. Jail time will protect him from all those whose life savings he pillaged and who want revenge.
Uzbekistan's extensive network of roadside cameras, used for traffic enforcement, was discovered exposed online without authentication, allowing unrestricted access to license plate scans and driver tracking data. The incident exposes significant privacy and security vulnerabilities in national-scale vehicle surveillance systems and proves, once again, how insipid and useless they are.
fLocked and fLoaded: Dozens of Flock Safety's AI-powered Condor cameras were found streaming live public video feeds and 30-day archives openly on the internet due to a misconfiguration. Operating one of America's largest private surveillance networks, Flock's exposure highlights ongoing risks in the deployment of widespread automated monitoring technologies without considering security.
And our last quote of the year: “Your Mind Is A Weapon, Keep It Locked & Loaded”
Stay safe, stay secure, and we'll see you... next year!