Cyber Threat Weekly – #109
The week of December 22nd through December 28th, roughly 175 cyber news articles were reviewed. A very light week in cyber threat trends and adversarial behavior news. I've been thinking about how small businesses are disproportionately targeted by cyber criminals.
According to a CrowdStrike survey, 29% of micro-businesses (fewer than 25 employees) that suffered an incident reported a ransomware attack. Depending on which report you look at, around 43% of all cyberattacks target small businesses. Small businesses are often part of our supply chain, and we are only as strong as our weakest link.
Let’s start with the actively exploited MongoBleed bug. Then some things to think about when coding with AI. Finally, a malicious Node Package Manager (NPM) package that compromises WhatsApp accounts.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months. We continue to share n-day vulnerabilities being actively exploited. Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs. If it’s in the catalog, it should be patched.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher with weaponized PoC code available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for actively exploited and weaponized PoC code available vulnerabilities.
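The two-tier rule above (KEV first, weaponized PoC second, everything else on the normal cycle) is easy to turn into a script that runs against your own vulnerability inventory. The following is an added example, not code from the newsletter or from CISA. It mirrors the shape of the CISA KEV JSON feed (a top-level "vulnerabilities" list with "cveID" entries) but embeds a constructed copy of it so it runs offline; the asset inventory, the "weaponized PoC" flags, the 24/48-hour split by Internet exposure and the 30-day standard window are all assumptions for illustration.

```python
"""Prioritize a CVE inventory against the CISA KEV catalog.

Added example, not from the newsletter. The feed below is a constructed
stand-in for the real CISA KEV JSON (same top-level layout, only the fields
used here). Inventory entries and the CVE-0000-* ids are placeholders.
"""
import json
from datetime import datetime, timedelta

# Constructed stand-in for the KEV feed. The two real ids are the ones this
# newsletter mentions; no other fields are claimed to match CISA's entries.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2023-52163", "vendorProject": "Digiever", "product": "DS-2105 Pro"},
        {"cveID": "CVE-2025-14847", "vendorProject": "MongoDB", "product": "MongoDB"},
    ],
})

# Constructed asset inventory: CVE -> asset, Internet exposure, weaponized PoC flag.
# CVE-0000-0001 / CVE-0000-0002 are obvious placeholders, not real identifiers.
INVENTORY = {
    "CVE-2025-14847": {"asset": "db-01", "exposed": True, "weaponized_poc": True},
    "CVE-2023-52163": {"asset": "nvr-02", "exposed": False, "weaponized_poc": False},
    "CVE-0000-0001": {"asset": "app-03", "exposed": True, "weaponized_poc": True},
    "CVE-0000-0002": {"asset": "app-04", "exposed": False, "weaponized_poc": False},
}

STANDARD_CYCLE_HOURS = 24 * 30  # assumed normal patch window


def load_kev_ids(feed_json):
    """Return the set of CVE ids listed in a KEV-style feed document."""
    doc = json.loads(feed_json)
    return {entry["cveID"] for entry in doc.get("vulnerabilities", [])}


def prioritize(inventory, kev_ids, today_iso):
    """Assign each CVE a tier and due date following the newsletter's rules.

    Tier 1: listed in KEV (patch it, full stop).
    Tier 2: weaponized PoC publicly available.
    Tier 3: everything else, normal patch cycle.
    Tiers 1 and 2 get the emergency window: 24h if Internet-exposed, else 48h.
    """
    today = datetime.fromisoformat(today_iso)
    rows = []
    for cve, info in inventory.items():
        if cve in kev_ids:
            tier = 1
        elif info["weaponized_poc"]:
            tier = 2
        else:
            tier = 3
        if tier < 3:
            sla_hours = 24 if info["exposed"] else 48
        else:
            sla_hours = STANDARD_CYCLE_HOURS
        due = today + timedelta(hours=sla_hours)
        rows.append({"cve": cve, "asset": info["asset"], "tier": tier,
                     "due": due.strftime("%Y-%m-%d")})
    # Most urgent first: lowest tier, then earliest deadline.
    rows.sort(key=lambda r: (r["tier"], r["due"]))
    return rows


if __name__ == "__main__":
    for row in prioritize(INVENTORY, load_kev_ids(SAMPLE_KEV_FEED), "2025-12-29T00:00:00"):
        print(f"tier {row['tier']}  {row['cve']:<16} {row['asset']:<8} due {row['due']}")
```

In practice you would replace SAMPLE_KEV_FEED with a download of the live CISA catalog and feed the inventory from your scanner export; the tiering logic stays the same.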
VPN gateways from all vendors are under constant attack.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
CISA Known Exploited Vulnerabilities – December 22nd to December 28th:
CVE-2023-52163 – Digiever DS-2105 Pro Missing Authorization Vulnerability:
Could allow for command injection via time_tzsetup.cgi.
Critical MongoBleed Bug Actively Exploited
Tracked as CVE-2025-14847, a public exploit and technical details are available. Kevin Beaumont validated the exploit; it’s simple, just supply an IP address and it finds credentials and secrets in memory. It was nice of security researchers to drop the exploit and technical details right at Christmas.
https://doublepulsar.com/merry-christmas-day-have-a-mongodb-security-incident-9537f54289eb
https://www.wiz.io/blog/mongobleed-cve-2025-14847-exploited-in-the-wild-mongodb
https://blog.ecapuano.com/p/hunting-mongobleed-cve-2025-14847
https://github.com/Neo23x0/mongobleed-detector
AI Coding, AI Agents, and Security
While not adversarial in nature, with AI dominating most conversations, it’s important to keep up with testing and security thought processes. According to surveys, the majority of coders use AI in their code generation. There are strides being made with agents that find and fix vulnerabilities. It’s going to be an interesting 2026.
https://www.darkreading.com/application-security/coders-adopt-ai-agents-security-pitfalls-lurk-2026
Malicious NPM Package Compromises WhatsApp Accounts
The package poses as a legitimate WhatsApp API library project and actually works as intended. By wrapping the legitimate WebSocket client, every message flows through the malware’s socket. It captures credentials, intercepts messages, and exfiltrates the data.
https://www.koi.ai/blog/npm-package-with-56k-downloads-malware-stealing-whatsapp-messages
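A package that works as advertised while wrapping the real client will not fail any functional test, so the defensive check has to happen at the dependency level. The following is an added example, not code from the newsletter or from the referenced report: a small audit of an npm package-lock.json that flags blocklisted names, entries without an integrity hash, tarballs not resolved from the public registry, and packages that run install scripts. The lockfile is constructed inline, and the blocklisted name is a placeholder because the newsletter does not name the malicious package.

```python
"""Audit an npm package-lock.json (lockfile v2/v3 layout) for supply-chain red flags.

Added example, not from the newsletter or the report it links. The lockfile
below is constructed; the blocklist entry is a placeholder, not a real package.
"""
import json

REGISTRY_PREFIX = "https://registry.npmjs.org/"

# Placeholder blocklist: in practice, populate from your threat intel feed.
BLOCKLIST = {"whatsapp-api-PLACEHOLDER"}

# Constructed lockfile in the v3 "packages" layout.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/ws": {
            "version": "8.0.0",
            "resolved": "https://registry.npmjs.org/ws/-/ws-8.0.0.tgz",
            "integrity": "sha512-CONSTRUCTED-HASH",
        },
        "node_modules/whatsapp-api-PLACEHOLDER": {
            "version": "2.3.1",
            "resolved": "https://registry.npmjs.org/whatsapp-api-PLACEHOLDER/-/whatsapp-api-PLACEHOLDER-2.3.1.tgz",
            "integrity": "sha512-CONSTRUCTED-HASH",
            "hasInstallScript": True,
        },
        "node_modules/left-pad-fork": {
            "version": "1.0.0",
            "resolved": "https://example.invalid/tarballs/left-pad-fork.tgz",
        },
    },
})


def package_name(lock_path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return lock_path.split("node_modules/")[-1]


def audit_lockfile(lock_json, blocklist=BLOCKLIST):
    """Return (package, reason) findings for every suspicious lockfile entry."""
    lock = json.loads(lock_json)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # root project entry, not a dependency
        name = package_name(path)
        if name in blocklist:
            findings.append((name, "blocklisted"))
        if not meta.get("integrity"):
            findings.append((name, "missing integrity hash"))
        if not meta.get("resolved", "").startswith(REGISTRY_PREFIX):
            findings.append((name, "not resolved from the public registry"))
        if meta.get("hasInstallScript"):
            findings.append((name, "runs install script"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_lockfile(SAMPLE_LOCKFILE):
        print(f"{name}: {reason}")
```

Run it in CI against the committed lockfile so a new or changed dependency that trips any of these checks blocks the merge for a human look; none of these signals proves a package is malicious, but the combination of a newly added name and an install script is exactly where a review should start.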
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter