Santa, and The IT Privacy and Security Weekly update for the week ending December 23rd, 2025

EP 271.


For this week’s holiday update:


Santa’s naughty list exposed in data breach. A lighthearted reminder from a past holiday hoax: even Santa's list isn't immune to data breaches.


How China Built Its 'Manhattan Project' To Rival the West in AI Chips. China's clandestine push to master extreme ultraviolet lithography signals a major leap toward semiconductor self-sufficiency, challenging Western dominance in AI-enabling technology.


Apple Fined $116 Million Over App Privacy Prompts. Italy's antitrust authority has penalized Apple €100 million for imposing stricter privacy consent requirements on third-party apps than on its own, tilting the playing field in the App Store ecosystem.


Cyberattack Disrupts France's Postal & Banking Services During Christmas Rush. A major DDoS attack crippled La Poste’s online services and banking arm at the peak of the holiday season, highlighting the vulnerability of critical infrastructure during high-traffic periods.


Browser Extensions With 8 Million Users Collect Extended AI Conversations. Popular Chrome and Edge extensions trusted by millions have been caught secretly harvesting full AI chat histories, raising serious concerns about privacy in everyday browsing tools.


How a PNG Icon Infected 50,000 Firefox Users. A clever malware campaign hid malicious JavaScript inside innocent-looking PNG extension icons, infecting tens of thousands of Firefox users through trusted add-ons.


Most Parked Domains Now Serving Malicious Content. Expired and typosquatted domains, once benign placeholders, now predominantly redirect users to scams, malware, and fraudulent sites, making casual web navigation riskier than ever.


What's up with the TV? Massive Android Botnet infects 1.8 Million Devices. The Kimwolf botnet has compromised over 1.8 million Android TV boxes, turning everyday smart devices into powerful tools for proxy traffic and massive DDoS attacks.


Mass Hacking of IP Cameras Leaves Koreans Feeling Vulnerable in Homes, Businesses. Widespread breaches of 120,000 internet-connected cameras in South Korea exposed private footage sold online, eroding public trust in consumer surveillance technology.

FCC Bans Foreign-Made Drones Over National Security, Spying Concerns. The FCC has barred new imports of foreign-made drones, citing unacceptable risks of espionage and disruption, with DJI, the market leader, facing the most significant impact.


FSF Says Nintendo's New DRM Allows Them to Remotely Render User Devices 'Permanently Unusable'. Nintendo's updated terms grant the company sweeping authority to remotely disable Switch consoles and accounts for perceived violations, sparking debate over true ownership in the digital age.


This week we’ve got the sleigh piled high, so call out the reindeer and we’ll get this update out to children all over the world!



Global: Santa’s naughty list exposed in data breach


OK this is a story from a few years back.

Santa's tightened up his security and we wanted to make sure you had too.

TORONTO, December 21, 2022 – Today, more than 600,000 individuals around the world on Santa’s naughty list received a notice that their personal information was exposed in a data breach of the naughty and nice list just four days before Christmas.

Data breaches occur when an unauthorized third party accesses an organization’s private information.

No one has yet claimed responsibility for the attack, but authorities believe it can be attributed to The Grinch.

Luckily, receiving a data breach notice doesn’t mean you’re doomed.

What you do in the succeeding hours and days can have a major impact on whether the initial incident leads to identity fraud or not.

Stay calm and review the details carefully

Avoid panic reactions.

Read the notification thoroughly to understand what data was stolen and its potential risks.

Keep the notice for future reference or proof.

Verify the notification is genuine

Scammers often fake breach alerts to trick you into sharing more info.

If in doubt, contact the organization directly using the official website's contact info - never use links or numbers from the message.

Watch out for follow-up scams

Stolen data is often sold on the dark web, leading to more targeted phishing.

Be suspicious of urgent emails/texts that seem official but have odd email addresses, typos, or pressure to act quickly.

Change your passwords and add extra security

Update passwords on affected accounts (and any others using the same ones).

Enable multi-factor authentication (MFA) everywhere possible for stronger protection.

Protect your financial and identity info

If card details, bank info, or identity numbers (like Social Insurance Number) were exposed, contact your bank right away to freeze or cancel cards.

Monitor for signs of identity theft, such as unauthorized credit applications.


So what's the upshot for you?

If the big man can tighten his security, so can you.

Just do it.



CN: How China Built Its 'Manhattan Project' To Rival the West in AI Chips


Chinese scientists have built a working prototype of an extreme ultraviolet lithography machine in a high-security Shenzhen laboratory, a development that represents exactly what Washington has spent years and multiple rounds of export controls trying to prevent: China's path toward semiconductor independence and an end to the West's monopoly on the technology that powers AI, smartphones and advanced weapons systems.

The prototype, completed in early 2025 by former ASML engineers who reverse-engineered the Dutch company's machines, is operational and generating EUV light, though it has not yet produced working chips.

The effort is part of a six-year secret government initiative that sources described to Reuters as China's version of the Manhattan Project.

Huawei is coordinating thousands of engineers across companies and state research institutes, and recruits are working under false identities inside secure facilities.

The Chinese government is targeting 2028 for producing working chips, though sources say 2030 is more realistic - still years earlier than the decade analysts had predicted it would take China to match the West.


So what's the upshot for you?

AI is the new atomic bomb, and many inside the business think the results of this arms race will be far worse than getting coal in our stockings.



EU: Apple Fined $116 Million Over App Privacy Prompts


Apple has been fined $116 million by Italy's antitrust regulator over the 'excessively burdensome' privacy rules it imposes on third-party apps.

The Italian Competition Authority (AGCM) says that Apple abused its dominant app store market position by burdening developers with 'disproportionate' terms around data collection that exceed privacy law requirements, compared to rules for native iOS apps.

The fine specifically targets the App Tracking Transparency (ATT) policy Apple launched in 2021, which requires third-party developers to ask users for consent twice to track their data across other apps and websites.

Apple's own apps can obtain this permission in a single tap.

AGCM says that the burden of consenting twice led to a reduction in user consent rates for advertising profiling, thus harming developers whose business models depend upon revenue generated by personalized ads.


So what's the upshot for you?

$116 million.

The difference between one tap and two.



FR: Cyberattack Disrupts France's Postal Service & Banking During Christmas Rush


With just days to go before Christmas, a cyberattack knocked France's national postal service offline Monday, blocking and delaying package deliveries and online payments.

The timing was miserable for millions of people at the height of the Christmas season, as frazzled postal workers fended off frustrated customers.

No one immediately claimed responsibility, but suspicions abounded.

What the postal service La Poste called a 'major network incident' remained unresolved by Monday evening, more than eight hours after it was first reported.

For a company that delivered 2.6 billion packages last year and employs more than 200,000 people, that's a big hit.

La Poste said in a statement that a distributed denial of service incident, or DDoS, 'rendered its online services inaccessible.'

It said the incident had no impact on customer data, but disrupted package delivery.

Letters, including holiday greeting cards, could still be mailed and delivered.

But transactions requiring tracking or access to the postal service internal computer systems were impossible.

The cyberattack also hurt online banking.

Customers of the company's banking arm, La Banque Postale, were blocked from using the application to approve payments or conduct other banking services.

The bank redirected approvals to text messages instead.

'Our teams are mobilized to resolve the situation quickly,' the bank said in messages posted on social networks.


So what's the upshot for you?

The disruption came a week after France's government was hit by a cyberattack targeting the Interior Ministry, which is in charge of national security.




Global: Browser Extensions With 8 Million Users Collect Extended AI Conversations


Browser extensions installed by more than eight million users have been found capturing complete conversations with AI chat services and sending that data to outside servers.

Security researchers at Koi Security identified several Chromium-based extensions that silently intercept every prompt, response, timestamp, and session detail from major AI platforms as users chat.

These extensions inject hidden executor scripts into sites like ChatGPT, Claude, Gemini, Copilot, Perplexity, DeepSeek, Grok, and Meta AI before the browser renders the pages, allowing them to read conversations at the network API level.

The captured data is compressed and transmitted to analytics endpoints controlled by the extension publishers, bypassing typical protections such as VPNs or ad blockers.

One of the most-installed offending extensions, Urban VPN Proxy, had quietly added the interception code in an automatic update released in July 2025.

Other related extensions from the same publisher carry similar scripts, bringing the total affected user base above eight million across Chrome and Edge browsers.

These tools were marketed as privacy or protection utilities, and many displayed ‘Featured’ badges in extension stores, creating a perception of trust.

However, the privacy statements and store descriptions did not clearly disclose the full scope of the data harvesting and commercial resale behind the scenes.
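As an added illustration (not code from the Koi Security report or from any of the extensions named above), the following Python audit reads Chromium extension manifests and ranks them by the permission mix that makes in-page harvesting of AI chats possible: host access to the chat sites, a content script registered to run at document_start (before the page renders), and the scripting permission. The AI chat host names and the sample manifests are assumptions constructed for the example.

```python
import glob
import json
import os

# Hosts of the AI chat services named in the report (the exact hostnames are an
# assumption; the report names the services, not their domains).
AI_CHAT_HOSTS = ("chatgpt.com", "chat.openai.com", "claude.ai", "gemini.google.com",
                 "copilot.microsoft.com", "www.perplexity.ai", "chat.deepseek.com",
                 "grok.com", "www.meta.ai")


def match_host(pattern: str, host: str) -> bool:
    """Does a Chromium match pattern ('<all_urls>', '*://*.claude.ai/*', ...) cover host?"""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False
    host_pat = pattern.split("://", 1)[1].split("/", 1)[0]
    if host_pat == "*":
        return True
    if host_pat.startswith("*."):  # '*.example.com' also matches the bare domain
        return host == host_pat[2:] or host.endswith(host_pat[1:])
    return host == host_pat


def audit_manifest(manifest: dict) -> dict:
    """Score one manifest for the capability mix that lets an extension read chats in-page."""
    reasons = []
    # MV2 listed host patterns under "permissions"; MV3 moved them to "host_permissions".
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    host_pats = [p for p in perms if "://" in p or p == "<all_urls>"]
    covered = sorted({h for h in AI_CHAT_HOSTS for p in host_pats if match_host(p, h)})
    if covered:
        reasons.append(f"host access to AI chat sites: {covered}")
    for cs in manifest.get("content_scripts", []):
        hit = sorted({h for h in AI_CHAT_HOSTS for m in cs.get("matches", []) if match_host(m, h)})
        if hit and cs.get("run_at") == "document_start":
            reasons.append(f"content script {cs.get('js')} runs before page load on {hit}")
    if "scripting" in perms and covered:
        reasons.append("'scripting' permission: can inject code into those pages on demand")
    if perms & {"webRequest", "webRequestBlocking"}:
        reasons.append("webRequest permission: can observe the pages' API request metadata")
    return {"name": manifest.get("name"), "risk": len(reasons), "reasons": reasons}


def audit_all(manifests) -> list:
    """Highest-risk first."""
    return sorted((audit_manifest(m) for m in manifests), key=lambda r: -r["risk"])


def load_installed(profile_dir: str) -> list:
    """Read Extensions/<id>/<version>/manifest.json under a Chromium profile directory."""
    out = []
    for path in glob.glob(os.path.join(profile_dir, "Extensions", "*", "*", "manifest.json")):
        with open(path, encoding="utf-8") as fh:
            m = json.load(fh)
        if str(m.get("name", "")).startswith("__MSG_"):  # localized name; fall back to the id
            m["name"] = os.path.basename(os.path.dirname(os.path.dirname(path)))
        out.append(m)
    return out


# Constructed manifests (not the real extensions') so the audit runs offline.
SAMPLE_MANIFESTS = [
    {"name": "Weather Tab", "manifest_version": 3, "permissions": ["storage"],
     "host_permissions": ["https://api.example.invalid/*"]},
    {"name": "Free Proxy", "manifest_version": 3,
     "permissions": ["proxy", "storage", "scripting"], "host_permissions": ["<all_urls>"],
     "content_scripts": [{"matches": ["<all_urls>"], "js": ["executor.js"],
                          "run_at": "document_start"}]},
    {"name": "Chat Formatter", "manifest_version": 3, "permissions": [],
     "host_permissions": ["*://chatgpt.com/*"],
     "content_scripts": [{"matches": ["*://chatgpt.com/*"], "js": ["style.js"],
                          "run_at": "document_idle"}]},
]
```

Point load_installed at a profile directory such as ~/.config/google-chrome/Default and pass the result to audit_all; the output is a triage list, since a legitimate extension can hold the same permission mix.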


So what's the upshot for you?

Be careful with the browser extensions you load into Chrome because essential digital interactions can be captured and monetized beyond your awareness far too easily.



Global: How a PNG Icon Infected 50,000 Firefox Users


Security researchers at Koi Security uncovered a sophisticated malware campaign called GhostPoster that quietly infected more than 50,000 Firefox users through compromised browser extensions.

The malware was hidden in the icons of 17 add-ons that masqueraded as tools like free VPNs, translators, weather widgets, and ad blockers.

The unusual technique involved embedding malicious JavaScript inside the raw bytes of a PNG logo file.

PNG images are defined to contain non-executable image data, so the authors of this malware must have assumed that files of type PNG would not be closely scrutinized by anti-malware scanners.

When Firefox loads an extension icon, this hidden code is extracted and used to start a staged infection chain.

This method helped the payload evade static scanners and manual inspection because the icons appeared normal.

After a delay of up to 48 hours, the hidden loader contacted command-and-control servers and retrieved the main payload.

Once active, the malware could hijack affiliate links, inject persistent tracking code, strip key security protections from web traffic, and insert invisible frames for ad and click fraud.

Mozilla has removed the identified extensions from its add-ons marketplace, but users who installed them remain affected until they manually remove them.

The campaign’s design makes detection difficult because the payload activates intermittently and uses obfuscation to avoid analysis.


So what's the upshot for you?

GhostPoster is effective not because of any one advanced technique, but due to the clever layering of multiple evasion methods that together make it very hard to detect:

  • Steganography hides the initial payload in places where typical scanners don't look.

  • Staged loading ensures the actual malware never exists on disk as a file: it's fetched and executed only at runtime.

  • Custom per-browser encoding defeats signature-based and pattern-matching detection.

  • Random delays and probabilistic checks make the malware's behavior inconsistent and unpredictable.

  • Long time delays (activation only after 6+ days) allow it to bypass most post-installation security checks.

  • XOR encryption protects any stored data from easy inspection.

So while each layer is relatively simple on its own, their combination creates a multi-stage evasion strategy that significantly increases the difficulty of detection.



Global: Most Parked Domains Now Serving Malicious Content


Direct navigation - the act of visiting a website by manually typing a domain name in a web browser - has never been riskier: A new study finds the vast majority of 'parked' domains - mostly expired or dormant domain names, or common misspellings of popular websites - are now configured to redirect visitors to sites that foist scams and malware.

When Internet users try to visit expired domain names or accidentally navigate to a lookalike 'typosquatting' domain, they are typically brought to a placeholder page at a domain parking company that tries to monetize the wayward traffic by displaying links to a number of third-party websites that have paid to have their links shown.

A decade ago, ending up at one of these parked domains came with a relatively small chance of being redirected to a malicious destination: In 2014, researchers found that parked domains redirected users to malicious sites less than five percent of the time - regardless of whether the visitor clicked on any links at the parked page.

But in a series of experiments over the past few months, researchers at the security firm Infoblox say they discovered the situation is now reversed, and that malicious content is by far the norm now for parked websites.


So what's the upshot for you?

'In large scale experiments, we found that over 90% of the time, visitors to a parked domain would be directed to illegal content, scams, scareware and anti-virus software subscriptions, or malware, as the 'click' was sold from the parking company to advertisers, who often resold that traffic to yet another party,' Infoblox researchers wrote.



Global: What's up with the TV? Massive Android Botnet infects 1.8 Million Devices


A newly identified Android botnet called Kimwolf has quickly become a major global cybersecurity concern.

Researchers estimate more than 1.8 million devices are infected, largely Android TV boxes.

First detected in late October 2025, the botnet drew attention when its control domain surged into the top tier of global internet traffic rankings, an unusual signal of both scale and coordination.

Kimwolf stands out for its technical sophistication.

It supports proxy traffic forwarding, remote command access, and file management, while hiding its activity through encrypted DNS traffic and resilient hosting techniques designed to survive takedowns.

Its operators also authenticate their infrastructure using advanced cryptographic signatures, signaling a level of planning beyond typical consumer malware.

The botnet’s true reach became clearer when researchers temporarily seized one of its control servers.

In just three days, they observed traffic from roughly 2.7 million unique IP addresses.

Even accounting for shifting residential addresses, analysts concluded that well over 1.8 million physical devices were likely compromised and actively communicating with the network.

While Kimwolf appears primarily designed to sell or route internet traffic through infected devices, it has also demonstrated immense offensive power.

Researchers observed it issuing up to 1.7 billion distributed denial of service attack commands in a three day span.

The operators continuously modified their infrastructure, showing an ability to adapt faster than many defenders.

Investigators also linked Kimwolf to the earlier Aisuru botnet and noted an unusual obsession with cybersecurity journalist Brian Krebs, whose name and personal details appeared embedded in the malware’s infrastructure.


So what's the upshot for you?

If your TV is feeling a little sluggish, remember that it and other everyday connected devices now quietly shape the security, reliability, and value of the internet you depend on, whether you realize it or not, and lately the DDoS attacks have only been getting bigger.



KR: Mass Hacking of IP Cameras Leaves Koreans Feeling Vulnerable in Homes, Businesses


Mass hacking of IP cameras has shaken trust in everyday tech across South Korea.

Hackers breached about 120,000 internet-connected cameras in homes and businesses, capturing private footage and selling clips on overseas websites.

Only a fraction of the videos have been uncovered, raising fears that more intimate material remains undiscovered.

Victims describe a sense of vulnerability and betrayal.

Many users installed cameras for reassurance, not realizing the risks posed by weak passwords and lax security standards.

Experts say current rules do not adequately cover consumer devices, leaving gaps that criminals exploited at scale.

Police reports show suspects hacked tens of thousands of cameras, producing hundreds of videos marketed for profit.

The breaches extended beyond homes to clinics, studios, and salons, intensifying public concern about privacy in both personal and small business settings.

In response, government agencies formed a task force to tighten security oversight, extend responsibility to installers and telecom providers, and pursue legal reforms.

Officials also plan stricter standards for sensitive facilities and support for victims dealing with illegal content distribution.


So what's the upshot for you?

This incident shows that widespread consumer tech can become a vector for mass privacy invasion when security is not a consideration.

Always be thoughtful about the digital tools you integrate into your daily life.



US: FCC Bans Foreign-Made Drones Over National Security, Spying Concerns


The FCC has banned approval of new foreign-made drones and components, citing 'an unacceptable risk' to national security.

The move will most heavily impact DJI but it 'does not affect drones or drone components that are currently sold in the United States.'

The tech was placed on the commission's 'Covered List,' barring DJI and other foreign drone manufacturers from receiving the FCC's approval to sell new drone models for import or sale in the U.S.

In Monday's announcement, the agency said that the move 'will reduce the risk of direct [drone] attacks and disruptions, unauthorized surveillance, sensitive data exfiltration and other [drone] threats to the homeland.'

FCC Chair Brendan Carr said in a statement that while drones offer the potential to boost public safety and the U.S.' posture on global innovation, 'criminals, terrorists and hostile foreign actors have intensified their weaponization of these technologies, creating new and serious threats to our homeland.'

But efforts to crack down on Capitol Hill have been met with some pushback due to the potential impacts of curbing the drone usage on U.S. businesses and law enforcement.

A wide variety of sectors, including construction, energy, agriculture and mining companies, as well as local police and fire departments across the country, deploy DJI-made drones.


So what's the upshot for you?

The ruling comes as China hawks in Congress amplify warnings about the security risks of drones made by DJI, which accounts for more than 90% of the global market share.



US: FSF Says Nintendo's New DRM Allows Them to Remotely Render User Devices 'Permanently Unusable'


Nintendo has updated its user agreement ahead of the Switch 2 launch, and critics say the changes expand the company’s power over devices customers already own.

The Free Software Foundation argues the agreement gives Nintendo broad authority to permanently disable consoles, accounts, and services.

The concern is not abstract.

The language explicitly allows Nintendo to render a device unusable, in whole or in part, if it believes its rules were violated.

Under the revised terms, users grant Nintendo unilateral control to revoke access to games, online features, security updates, and even basic functionality.

The agreement states that noncompliance with Nintendo’s restrictions can lead to permanent loss of access.

The decision rests solely with Nintendo, without a requirement for prior notice or a clear appeal process defined in the contract.

Reported triggers for console bans include hardware or software modification, attempting to play backup copies, using preowned games, or connecting third-party accessories.

These actions, some of which users consider routine or legitimate, can be flagged under Nintendo’s digital restrictions management systems and treated as violations.

This authority has already been exercised.

In one case, a buyer unknowingly purchased an open box console that had been bricked and found it unusable despite intact hardware.

In another, a user updating legitimately purchased game cartridges had their console disabled, possibly due to a prior owner’s activity.

Restoring access required direct appeals and proof of purchase, a time-consuming and uncertain process.


So what's the upshot for you?


The broader issue, according to critics, is the growing power of proprietary software and DRM to override ownership itself.


When a device (a few weeks ago we covered a robo vacuum) can be disabled after purchase based on opaque rules and automated checks, the practical value of ownership shifts from control to conditional permission, a distinction that increasingly shapes how consumers must evaluate what they own.

_______________________________________________________________________________________


So for our Reindeer Roundup:


Even Santa’s list can fall victim to a breach, serving as a fun reminder that no one is immune to cyber risks.

Stay vigilant with strong passwords, MFA, and careful verification to protect your own data year-round.


China’s rapid progress in advanced chip-making technology is reshaping the global AI landscape and challenging Western dominance.

The race for semiconductor independence highlights how critical these advancements are for future innovation, and potentially for global stability.


Apple’s stricter privacy rules for third-party apps have been ruled unfair, costing the company a hefty fine.

It underscores the tension between platform control and fair competition in the app economy.


A timely DDoS attack exposed the fragility of France's essential services during peak holiday demand.

Critical infrastructure must prioritize resilience to avoid widespread disruption when it matters most.


Millions of users unknowingly shared their private AI chats through seemingly trustworthy browser extensions.

Always scrutinize extension permissions and privacy policies before installing tools that access your online activity.


Sophisticated malware hid in plain sight within extension .png icons, infecting thousands of Firefox users.

Even trusted add-ons can carry hidden risks: regularly review and update your extensions and stay safe.


Parked and typosquatted domains have become prime vectors for scams and malware distribution.

Be cautious when typing URLs manually; use bookmarks or search engines to avoid risky redirects and never, ever, ever make any typos… OK nevermind.


A massive botnet has turned everyday Android TV boxes into tools for traffic proxying and DDoS attacks.

Secure all connected devices with strong passwords and firmware updates, because smart gadgets can quietly join larger threats and become HUGE threats.


Tens of thousands of unsecured cameras were hacked, putting Koreans’ private lives up for sale online.

Pick devices with strong security defaults and change default passwords immediately to safeguard your privacy.


The U.S. has restricted new foreign-made drones to mitigate risks of surveillance and disruption.

National security concerns are increasingly influencing technology access, even for widely used consumer products. Yes, and it is time to rethink that drone you were considering for Jr.


Nintendo’s updated terms give the company sweeping power to disable consoles remotely.

In the digital age, true ownership is increasingly conditional: read the fine print before you buy.



And now our Quote(s) of the week (we'll let you pick):  
“Santa Claus has the right idea. Visit people only once a year.”
"The main reason Santa is so jolly is because he knows where all the bad girls live."
"Aren't we forgetting the true meaning of Christmas? You know, the birth of Santa." 
"Let's be naughty and save Santa the trip."
"Dear Santa, I’ve been good all year. Okay, most of the time. Once in a while. Never mind, I’ll buy my own stuff."
"There are four stages in life: 1) You believe in Santa Claus. 2) You don't believe in Santa Claus. 3) You are Santa Claus. 4) You look like Santa Claus."

That's it for this week. Stay safe, stay secure, don’t forget milk and cookies for the big guy, and we’ll see you in se7en.



