Daily Brief
Find articles below; see 'Details' for generated summaries
Total articles found: 12611
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-12-31 10:40:26 | bleepingcomputer | VULNERABILITIES | IBM Urges Immediate Patch for Critical API Connect Vulnerability | IBM has issued a critical alert for a vulnerability in its API Connect platform, identified as CVE-2025-13915, with a severity rating of 9.8 out of 10. The flaw enables attackers to bypass authentication, potentially allowing unauthorized remote access to applications, affecting sectors such as banking, healthcare, and telecommunications. API Connect versions 10.0.11.0 and 10.0.8.0 through 10.0.8.5 are impacted, necessitating urgent patching to prevent exploitation. IBM advises administrators to upgrade to the latest release and offers mitigation steps for those unable to deploy updates immediately. The vulnerability allows low-complexity attacks without user interaction, posing a significant risk to affected systems. Detailed patch instructions are available for VMware, OCP, and Kubernetes environments to aid in securing installations. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has previously flagged IBM vulnerabilities as actively exploited, highlighting the need for prompt action. | Details |
| 2025-12-31 09:51:28 | bleepingcomputer | DATA BREACH | Disney Settles $10 Million Lawsuit Over Children's Data Privacy Violations | Disney agreed to a $10 million settlement following allegations of violating the Children's Online Privacy Protection Act (COPPA) by mislabeling videos, leading to unauthorized data collection. The U.S. Justice Department, prompted by an FTC referral, claimed Disney mislabeled kid-directed YouTube videos, allowing personal data collection for targeted advertising. Since 2019, content creators must mark videos as "Made for Kids" (MFK) to prevent personal data collection from children under 13, a requirement Disney allegedly failed to meet. Despite YouTube's 2020 label correction for over 300 Disney videos, Disney reportedly continued to mislabel content, collecting data and benefiting from associated advertising revenues. The settlement requires Disney to notify parents before collecting children's data and to ensure proper video labeling to prevent future data privacy infringements. This case underscores ongoing regulatory scrutiny over data privacy practices, particularly concerning children's online activities, with significant financial and reputational implications for companies. The FTC's recent findings reveal the broader issue of video streaming and social media companies profiting from data collected via surveillance of minors. | Details |
| 2025-12-31 05:19:43 | thehackernews | NATION STATE ACTIVITY | U.S. Treasury Removes Sanctions on Intellexa-Linked Individuals | The U.S. Treasury's OFAC has lifted sanctions on three individuals associated with Intellexa, the company behind Predator spyware, without disclosing the reasons for this decision. These individuals, previously sanctioned in 2024, were involved in the development, operation, and distribution of the Predator spyware, raising questions about ongoing oversight. Intellexa's Predator spyware, similar to NSO Group's Pegasus, is marketed for counterterrorism but has been used against journalists, activists, and politicians, sparking human rights concerns. Recent reports indicate Predator's continued use, despite increased scrutiny and international regulatory efforts aimed at curbing misuse of such surveillance tools. The removal of sanctions could signal to other actors that financial influence might mitigate consequences for activities threatening U.S. interests and citizens. The situation underscores the need for robust international frameworks to manage the ethical development and deployment of commercial spyware technologies. Recorded Future's investigation notes rising competition and secrecy in the spyware market, increasing risks of corruption and insider threats. | Details |
| 2025-12-31 05:02:59 | theregister | CYBERCRIME | Hong Kong Introduces "Money Safe" Accounts to Combat Banking Scams | The Hong Kong Monetary Authority launched "Money Safe" accounts requiring in-person verification to access funds, aiming to curb rising scam incidents affecting customer bank accounts. The initiative mandates that all local banks offer these accounts, with compliance required by December 31st, 2024; digital banks must conduct ID checks at their offices. Customers can only transfer or withdraw funds after a face-to-face anti-scam verification process, designed to help them assess potential scam risks. Banks have started implementing these accounts, adding features like in-app creation, and promoting their effectiveness in enhancing security. The Hong Kong government plans to support the initiative with advertising campaigns, encouraging residents to use these accounts for unspent cash. The financial services sector, crucial to Hong Kong's GDP, is a government priority, given its strategic role in facilitating trade with China. Hong Kong's government regularly issues warnings about cyber threats, and "Money Safe" accounts aim to reduce the effectiveness of phishing and fake banking website attacks. | Details |
| 2025-12-31 01:54:51 | theregister | CYBERCRIME | Cybersecurity Professionals Turned Ransomware Affiliates Plead Guilty | Two cybersecurity experts, Ryan Clifford Goldberg and Kevin Tyler Martin, admitted to conducting ransomware attacks as affiliates of the ALPHV BlackCat group. The pair, alongside an unnamed accomplice, targeted five US-based companies, including a medical device firm and a pharmaceutical company, between May and November 2023. The group agreed to pay ALPHV administrators 20% of any ransom collected, utilizing their cybersecurity skills to deploy ransomware and extort victims. A medical device company paid approximately $1.2 million in bitcoin, which the perpetrators attempted to launder. Sentencing for Goldberg and Martin is scheduled for March, with potential prison terms of up to 20 years each. This case underscores the risk of insider threats, where trusted professionals exploit their expertise for criminal activities. ALPHV, known for a significant 2024 attack on Change Healthcare, briefly disappeared after FBI intervention but may resurface with new tactics. | Details |
| 2025-12-31 00:38:23 | theregister | MISCELLANEOUS | New York Mayor-Elect Bans Raspberry Pi at Inauguration Event | New York's mayor-elect Zohran Mamdani has prohibited Raspberry Pi devices at his inauguration block party, listing them among other banned items like explosives and drones. The decision aims to mitigate potential security risks posed by the device's capabilities, despite its widespread use in educational and artistic contexts. Raspberry Pi, a single-board computer, can be used for various applications, including tasks that could disrupt event security or privacy. The Flipper Zero, another banned device, is noted for its potential misuse in cloning access cards and interfering with wireless communications. Critics argue that banning Raspberry Pi is ineffective, as smartphones can be similarly programmed for malicious activities. The move reflects growing concerns about the misuse of easily accessible technology at public events, prompting discussions on balancing security with technological innovation. Adafruit, a maker community, expressed disappointment, suggesting the ban unfairly tarnishes the Raspberry Pi's reputation. | Details |
| 2025-12-30 21:16:07 | bleepingcomputer | CYBERCRIME | ErrTraffic Tool Automates ClickFix Attacks with Fake Browser Glitches | ErrTraffic is a new cybercrime tool enabling automated ClickFix attacks by simulating browser glitches to deceive users into executing harmful commands. Promoted on Russian-speaking forums, ErrTraffic is sold for $800, appealing to cybercriminals with its high conversion rates and user-friendly interface. Attackers must control or compromise a website to deploy ErrTraffic, which uses geolocation and OS fingerprinting to target specific users. The tool modifies a webpage's DOM to display issues like fake Chrome updates or corrupted text, prompting victims to download malware-laden "solutions." Payloads delivered via ErrTraffic include Lumma and Vidar info-stealers on Windows, Cerberus trojan on Android, and AMOS on macOS. ErrTraffic excludes CIS countries from targeting, suggesting a possible origin linked to its developer's location. Harvested data is often sold on darknet markets or used to further propagate ErrTraffic, expanding its reach and impact. | Details |
| 2025-12-30 19:34:51 | theregister | VULNERABILITIES | Critical MongoDB Vulnerability Exploited, Urgent Patch Recommended | A severe vulnerability in MongoDB Server, CVE-2025-14847, is actively exploited, threatening data confidentiality across numerous deployments. Dubbed "MongoBleed," the flaw allows unauthenticated remote attackers to read uninitialized heap memory, potentially exposing sensitive data like passwords and API keys. The vulnerability arises from mismatched length fields in zlib-compressed protocol headers, allowing attackers to exploit the network transport layer of MongoDB. MongoDB has released patches to address the issue, urging immediate upgrades or disabling zlib compression as a temporary measure. The US Cybersecurity and Infrastructure Security Agency (CISA) has added MongoBleed to its catalog of known exploited vulnerabilities, highlighting its significant risk. Internet-exposed and privately accessible MongoDB Servers are vulnerable, with attackers potentially leveraging lateral movement to access private servers. Organizations are advised to prioritize patching and review their exposure to prevent unauthorized data access and potential breaches. | Details |
| 2025-12-30 16:28:30 | thehackernews | VULNERABILITIES | Critical SmarterMail Vulnerability Enables Remote Code Execution Risks | The Cyber Security Agency of Singapore issued a warning about a critical flaw in SmarterTools SmarterMail software, allowing potential remote code execution through arbitrary file uploads. Identified as CVE-2025-52691, the vulnerability holds a CVSS score of 10.0, indicating maximum severity due to its potential impact. The flaw allows unauthenticated attackers to upload malicious files, which could be executed as code, posing significant security risks to affected systems. SmarterMail, a competitor to Microsoft Exchange, is widely used by web hosting providers, increasing the potential impact of this vulnerability. The issue affects SmarterMail versions up to Build 9406, with a patch released in Build 9413 on October 9, 2025, and further updates available as of December 18, 2025. The vulnerability was discovered by Chua Meng Han from CSIT, and no active exploitation has been reported; users are urged to update to the latest software version. Organizations utilizing SmarterMail should prioritize applying the latest security updates to mitigate potential exploitation and safeguard their systems. | Details |
| 2025-12-30 16:28:30 | bleepingcomputer | DATA BREACH | European Space Agency Confirms Breach of External Servers | The European Space Agency (ESA) confirmed a breach of external servers, reportedly affecting unclassified collaborative engineering data. Attackers claimed access to ESA's JIRA and Bitbucket servers for a week, leaking screenshots as evidence on BreachForums. ESA has initiated a forensic security analysis and implemented measures to secure potentially affected devices. The breach allegedly involved the theft of over 200GB of data, including source code, API tokens, and confidential documents. ESA has notified all relevant stakeholders and is providing ongoing updates as more information becomes available. This incident follows a previous breach of ESA's systems, highlighting ongoing cybersecurity challenges for the agency. The breach underscores the importance of robust security measures for protecting sensitive engineering and scientific data. | Details |
| 2025-12-30 15:45:05 | bleepingcomputer | CYBERCRIME | Zoom Stealer Extensions Compromise 2.2 Million Users' Meeting Data | A cyber campaign named Zoom Stealer affects 2.2 million users across Chrome, Firefox, and Edge through 18 browser extensions. The extensions collect sensitive meeting data, including URLs, IDs, topics, and embedded passwords, posing a risk of corporate espionage. The threat actor, DarkSpectre, is linked to China, previously known for campaigns like GhostPoster and ShadyPanda. DarkSpectre's infrastructure uses Alibaba Cloud and other Chinese indicators, suggesting a clearer attribution to China-based operations. Data exfiltration occurs in real-time as users interact with video-conferencing platforms, potentially enabling large-scale impersonation attacks. Despite being reported, many of these extensions remain available on platforms like the Chrome Web Store, necessitating user vigilance. Organizations are advised to review and limit extension permissions to mitigate risks associated with malicious browser extensions. | Details |
| 2025-12-30 15:30:12 | bleepingcomputer | CYBERCRIME | Former Cybersecurity Experts Plead Guilty in BlackCat Ransomware Case | Two former cybersecurity professionals from Sygnia and DigitalMint have admitted guilt in orchestrating BlackCat ransomware attacks on U.S. companies throughout 2023. Ryan Clifford Goldberg and Kevin Tyler Martin face up to 20 years in prison, with sentencing scheduled for March 2026. The pair, alongside an unnamed accomplice, targeted various sectors, including pharmaceuticals and healthcare, demanding ransoms from $300,000 to $10 million. Despite large ransom demands, only $1.27 million was paid by a Tampa medical device company after its servers were encrypted. The FBI intervened by creating a decryption tool after accessing BlackCat's servers, revealing the group had collected over $300 million from more than 1,000 victims. The Justice Department continues to investigate related cases, although connections to other incidents remain unclear. A joint advisory from the FBI, CISA, and HHS warns that BlackCat affiliates are increasingly targeting U.S. healthcare organizations. | Details |
| 2025-12-30 14:44:22 | bleepingcomputer | VULNERABILITIES | CISA Mandates Urgent Patching of MongoBleed Vulnerability in Government Systems | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has directed federal agencies to address the MongoBleed vulnerability, CVE-2025-14847, which is actively being exploited. This flaw, affecting MongoDB Server's data compression process, allows unauthenticated access to sensitive data through low-complexity attacks. A proof-of-concept exploit by Elastic's Joe Desimone demonstrates the vulnerability's capacity to leak sensitive memory data from unpatched systems. Shadowserver identified over 74,000 potentially vulnerable MongoDB instances online, while Censys tracks over 87,000 IP addresses running unpatched versions. CISA has set a January 19, 2026 deadline for Federal Civilian Executive Branch agencies to patch their systems, emphasizing the risk to federal operations. Agencies unable to patch immediately are advised to disable zlib compression or use the MongoBleed Detector to identify vulnerable servers. MongoDB's widespread use across industries, including Fortune 500 companies, underscores the critical nature of addressing this vulnerability promptly. | Details |
| 2025-12-30 10:48:03 | thehackernews | CYBERCRIME | Silver Fox Cybercrime Group Targets India with ValleyRAT Malware | Silver Fox, a cybercrime group from China, is targeting Indian users with tax-themed phishing emails to distribute ValleyRAT malware. The attack leverages DLL hijacking and a modular remote access trojan to ensure persistence and evade detection. Phishing emails impersonate India's Income Tax Department, leading recipients to download malicious files from a compromised domain. The infection chain involves sideloading a rogue DLL that disables Windows Update and facilitates malware deployment. ValleyRAT's plugin architecture supports keylogging, credential harvesting, and defense evasion, enabling tailored surveillance. Silver Fox also uses SEO poisoning to distribute malware via fake sites mimicking popular applications like Microsoft Teams and VPNs. The campaign has affected users in China, the U.S., Asia-Pacific, Europe, and North America, indicating a broad and strategic targeting effort. Recent findings suggest Silver Fox may be conducting false flag operations to complicate attribution, mimicking Russian threat actors. | Details |
| 2025-12-30 09:32:38 | thehackernews | MISCELLANEOUS | Effective AI Integration in SOC Workflows Enhances Security Operations | Many Security Operations Centers (SOCs) struggle to operationalize AI, with 40% using AI without defined integration and 42% relying on uncustomized tools, leading to inconsistent results. AI can significantly enhance SOC capabilities when applied to well-defined tasks, improving detection engineering, threat hunting, software development, automation, and reporting. Detection engineering benefits from AI when used for specific tasks, such as analyzing packet streams for DNS reconstruction, providing high-fidelity alerts based on precise criteria. AI accelerates threat hunting by supporting exploratory analysis, allowing analysts to test hypotheses and identify unusual patterns without replacing human judgment. In software development, AI aids in drafting and refining code, but analysts must ensure accuracy and understand the operational impact of AI-generated scripts. AI reshapes automation and orchestration by drafting workflow scaffolding, but human oversight remains crucial to decide when and how automated actions are executed. AI enhances reporting by standardizing structure and clarity, enabling faster trend recognition and decision-making by leadership, while freeing analysts from repetitive tasks. Successful AI integration requires clear expectations, ongoing validation, and accountability from analysts to protect information systems effectively. | Details |