Daily Brief


Total articles found: 12611

Checks for new stories every ~15 minutes

2025-12-29 09:31:46 theregister MISCELLANEOUS Europe Aims for Digital Sovereignty with GAIA-X Initiative
European countries are collaborating on the GAIA-X project to reduce reliance on US cloud giants like AWS, Microsoft, and Google, aiming for digital sovereignty. GAIA-X, backed by the European Commission, seeks to foster a unified digital infrastructure, enabling local providers to compete with international tech leaders. The initiative involves creating "data spaces" for secure data exchange among industries such as aviation and nuclear, with over 150 projects underway. Achieving full digital sovereignty requires service providers to be headquartered in Europe, a challenge given the dominance of US tech firms. European governments are encouraged to support local IT providers through service contracts rather than subsidies to build competitive digital champions. The GAIA-X framework is being adopted globally, with interest from countries like Japan and Brazil, although the UK has shown limited engagement. The initiative faces challenges, including the need for political backing and strategic decision-making to accelerate progress and unify efforts across Europe. The presence of US and Chinese tech firms in GAIA-X working groups raises questions about compliance with European sovereignty standards.
2025-12-29 07:50:03 thehackernews VULNERABILITIES Critical MongoDB Vulnerability Exploited Globally, Urgent Patches Required
A critical vulnerability, CVE-2025-14847, affecting MongoDB servers is actively exploited, with over 87,000 instances at risk globally, particularly in the U.S., China, and Germany. The flaw, termed MongoBleed, allows unauthenticated attackers to leak sensitive data from server memory by exploiting zlib compression in MongoDB's default configuration. Attackers can extract user information, passwords, and API keys by sending malformed network packets, posing significant risks to exposed MongoDB servers. The vulnerability affects cloud environments extensively, with 42% having at least one vulnerable MongoDB instance, impacting both internet-exposed and internal resources. MongoDB has released patches for versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30; MongoDB Atlas has also been patched to mitigate this threat. Temporary mitigation strategies include disabling zlib compression and restricting network exposure of MongoDB servers, alongside vigilant monitoring for unusual pre-authentication connections. Organizations are urged to apply the latest updates promptly to secure their systems against this vulnerability and prevent potential data breaches.
2025-12-29 06:36:03 thehackernews VULNERABILITIES Traditional Security Frameworks Inadequate for Emerging AI Threats
Recent breaches, including the compromised Ultralytics AI library and ChatGPT vulnerabilities, reveal gaps in traditional security frameworks against AI-specific threats. Traditional frameworks like NIST CSF and ISO 27001 fail to address AI attack vectors such as prompt injection and model poisoning. The organizations affected had comprehensive security programs, yet these frameworks did not anticipate AI's unique attack surfaces. AI-specific attacks, including supply chain compromises and semantic data leaks, bypass traditional controls, requiring new security approaches. IBM reports indicate prolonged detection times for AI breaches, exacerbating the risk due to the lack of established indicators of compromise. The EU AI Act and NIST's AI Risk Management Framework signal increasing regulatory pressure to address AI vulnerabilities. Organizations are urged to conduct AI-specific risk assessments and implement controls beyond current framework requirements to mitigate evolving threats.
2025-12-29 04:11:26 theregister DATA BREACH Coupang Faces Major Data Breach, Offers $1.17 Billion in Vouchers
Coupang, a leading Korean e-tailer, reported a data breach involving unauthorized access to 33 million customer records by a former employee. The breach affected over half of South Korea's population, but the company asserts the impact was limited to approximately 3,000 accounts with detailed data accessed. The former employee allegedly used a stolen security key to access customer order histories and building access codes, primarily using a PC and a MacBook Air. In a bid to destroy evidence, the accused threw a MacBook into a river, but investigators retrieved it and confirmed its link to the suspect through its serial number. Coupang collaborated with Mandiant, Palo Alto Networks, and Ernst & Young for a thorough forensic investigation, which corroborated the suspect's sworn statements. To mitigate customer dissatisfaction, Coupang is issuing ₩50,000 vouchers to the affected customers, resulting in an estimated $1.17 billion expense. The South Korean government has initiated an inquiry into Coupang's operations, potentially leading to significant fines following the precedent set by a similar incident at SK Telecom.
2025-12-28 20:38:42 bleepingcomputer VULNERABILITIES MongoBleed Vulnerability Exposes Sensitive Data on 87,000 Servers
A critical vulnerability, MongoBleed (CVE-2025-14847), impacts multiple MongoDB versions, with over 87,000 servers exposed globally, posing significant data security risks. The flaw allows attackers to extract sensitive data, including credentials and API keys, without needing authentication, due to improper handling of network packets. Public exploit code is available, enabling attackers to target vulnerable MongoDB instances using only an IP address, increasing the threat landscape. MongoDB has released patches for affected versions, urging immediate updates to mitigate the risk of exploitation. Security experts recommend not only patching but also monitoring for signs of compromise, using tools like the MongoBleed Detector for enhanced detection. Organizations using MongoDB Atlas received automatic patches, while self-hosted instances require manual updates or disabling of zlib compression for protection. The vulnerability affects MongoDB versions dating back to 2017, highlighting the need for regular updates and vigilant security practices.
2025-12-28 18:00:16 bleepingcomputer DATA BREACH Hacker Claims Breach of WIRED Database, Threatens Further Leaks
A hacker named "Lovely" claims to have breached Condé Nast, leaking a database with over 2.3 million WIRED subscriber records on a hacking forum. The hacker threatens to release an additional 40 million records from other Condé Nast properties, citing the company's alleged negligence in addressing vulnerabilities. The leaked database includes unique email addresses, internal IDs, and optional personal data like names, addresses, and phone numbers, with varying completeness. BleepingComputer confirmed the legitimacy of the dataset by validating 20 subscriber records, while Hudson Rock verified it using infostealer logs. The database has been added to Have I Been Pwned, enabling users to check if their email addresses were compromised in the breach. Condé Nast has yet to confirm the breach, despite attempts by BleepingComputer to obtain a response regarding the incident. The hacker initially posed as a security researcher seeking to responsibly disclose vulnerabilities but later resorted to leaking the data after receiving no response. This incident underscores the importance of timely vulnerability management and the risks of inadequate communication with security researchers.
2025-12-28 14:43:45 theregister CYBERCRIME 2025 Cybercrime Surge: Human Impact and Escalating Violence
The past year witnessed cybercrime incidents resulting in severe human impacts, including the first confirmed ransomware-related death linked to a 2024 attack on Synnovis, affecting London hospitals. Kido International experienced a breach where personal data of preschoolers was leaked, sparking outrage and condemnation from both the public and rival cybercriminal groups. A significant ransomware attack on Jaguar Land Rover disrupted operations for five weeks, costing over £2 billion and affecting the UK economy and supply chains. CrowdStrike reported a rise in "violence as a service" tied to cryptocurrency thefts, with incidents of physical harm and extortion increasingly common in Europe. The FBI warned of AI-enhanced virtual kidnappings, where deepfake technology is used to fabricate ransom scenarios, leading to financial losses and emotional distress for victims. A ransomware attack on Crisis24 disrupted the CodeRED emergency alert system, highlighting the potential for cyber incidents to impact critical infrastructure and public safety. Europol's Taskforce GRIMM arrested 193 individuals involved in cybercrime-related violence, underscoring the growing intersection of digital and physical threats.
2025-12-28 05:47:03 bleepingcomputer DATA BREACH Ubisoft's Rainbow Six Siege Breach Distributes $13 Million in Credits
Ubisoft's Rainbow Six Siege experienced a breach, allowing attackers to manipulate in-game systems, including banning, unbanning, and distributing in-game currency and items. The breach resulted in the unauthorized distribution of approximately 2 billion R6 Credits, valued at $13.33 million, significantly impacting the game's economy. Ubisoft confirmed the incident via social media and temporarily shut down the game and its Marketplace to address the issue, aiming to restore normal operations. Players who spent the granted credits will not face penalties, but Ubisoft plans to roll back all transactions made after the breach. Unverified reports suggest the breach may have exploited a MongoDB vulnerability, CVE-2025-14847, though this remains unconfirmed by Ubisoft. The incident raises concerns about potential larger breaches within Ubisoft's infrastructure, though no evidence of further exploitation or data theft has been confirmed. Ubisoft's response includes disabling the ban ticker and working towards a full restoration of services, but further details on breach specifics remain undisclosed.
2025-12-27 07:54:11 thehackernews VULNERABILITIES Critical MongoDB Flaw Exposes Systems to Unauthorized Data Access
A critical vulnerability in MongoDB, identified as CVE-2025-14847, allows unauthenticated attackers to read uninitialized heap memory, posing a significant security risk. The flaw stems from improper handling of length parameter inconsistencies in Zlib compressed protocol headers, impacting several MongoDB versions. The fix is available in MongoDB 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30; users are urged to upgrade to these fixed versions immediately. If upgrading is not feasible, disabling zlib compression is recommended to mitigate potential exploitation, using alternative compressors like snappy or zstd. The vulnerability could lead to unauthorized disclosure of sensitive in-memory data, aiding attackers in further exploiting affected systems. Organizations are advised to prioritize patching and review their MongoDB configurations to prevent potential data breaches and maintain data integrity.
2025-12-26 20:24:17 bleepingcomputer CYBERCRIME Grubhub Users Targeted in Cryptocurrency Scam Emails
Grubhub users received fraudulent emails promising a tenfold return on Bitcoin transfers, using legitimate company subdomains to appear authentic. Emails originated from 'b.grubhub.com', a legitimate subdomain, misleading recipients into believing the scam was official. The scam emails, sent from addresses like 'merry-christmast@b.grubhub.com', falsely promoted a 'Holiday Crypto Promotion'. Speculation arose about a potential DNS takeover, enabling attackers to send emails that passed authenticity checks. Grubhub has isolated the issue and is implementing measures to prevent future unauthorized communications. Earlier in the year, Grubhub experienced a separate data breach involving unauthorized access to customer and partner information. The incident highlights the ongoing risks of phishing and social engineering tactics in exploiting trusted communication channels.
2025-12-26 17:58:28 bleepingcomputer DATA BREACH Trust Wallet Chrome Extension Breach Results in $7 Million Crypto Theft
Trust Wallet confirmed a security breach in its Chrome extension, leading to $7 million in stolen cryptocurrency and impacting users who updated on December 24. Binance's Changpeng Zhao assured affected users that Trust Wallet would compensate for the losses and that user funds remain safe. The breach involved malicious code in version 2.68.0, exfiltrating sensitive wallet data to an external server under the guise of analytics. Security researchers identified a suspicious domain, metrics-trustwallet[.]com, linked to the data exfiltration and registered days before the incident. A phishing campaign simultaneously targeted users, directing them to a fake domain, fix-trustwallet[.]com, to steal wallet recovery phrases. Trust Wallet advised users to upgrade to version 2.69 and provided a step-by-step guide to ensure wallet security. Users are urged to move funds to new wallets with fresh seed phrases and to treat compromised recovery phrases as unsafe.
2025-12-26 17:11:34 theregister MISCELLANEOUS AI-Driven Tabletop Exercises Enhance Cyber Preparedness for Enterprises
Organizations are adapting tabletop exercises to address AI-enhanced threats, focusing on rapid response and containment of cyberattacks in an AI-driven landscape. Cybersecurity leaders emphasize the importance of these exercises in testing organizational resilience, simulating scenarios where AI accelerates vulnerability exploitation. AI is increasingly used by threat actors for crafting phishing emails, conducting reconnaissance, and exploiting vulnerabilities at unprecedented speed and scale. Enterprises are advised to incorporate AI in developing realistic scenarios, measuring outcomes, and ensuring AI systems are secure against potential data breaches. Experts recommend involving C-suite and technical teams in exercises, emphasizing the need for executive decisions in AI-powered attack scenarios. Incorporating analog methods, such as out-of-band verification, is advised to counter AI-generated threats like deepfakes, favoring robust processes over reliance on technology. Regular tabletop exercises, tailored to specific organizational needs, are crucial for maintaining preparedness against evolving cyber threats, with at least semiannual participation from senior leadership.
2025-12-26 15:32:18 thehackernews VULNERABILITIES Trust Wallet Security Flaw Leads to $7 Million Cryptocurrency Loss
Trust Wallet's Chrome extension version 2.68 contained malicious code, leading to a $7 million cryptocurrency theft affecting approximately one million users. Users are urged to update to version 2.69 immediately to prevent further exploitation and ensure security. The malicious code extracted mnemonic phrases from wallets, sending them to an attacker's server, facilitating unauthorized access to user funds. The stolen assets include $3 million in Bitcoin and Ethereum, with funds laundered through centralized exchanges and cross-chain bridges. Trust Wallet is prioritizing user support and has committed to refunding affected users, while advising caution against unofficial communications. The incident originated from internal codebase tampering, potentially by an insider, rather than an external dependency compromise. Speculation exists about potential nation-state involvement, with attackers possibly gaining control over developer devices or deployment permissions. The breach highlights the critical need for robust internal security measures and vigilant monitoring of codebase integrity.
2025-12-26 15:18:44 theregister MISCELLANEOUS Remedio CEO Advocates Hacker Mindset for Effective Cyber Defense
Remedio CEO Tal Kollender emphasizes the importance of adopting a hacker mindset to effectively counter cyber threats, leveraging her own experience in video game hacking as a foundation. The company, formerly known as Gytpol, recently secured $65 million in funding, achieving a $300 million valuation, with clients including Colgate-Palmolive and Kraft Heinz. Remedio employs AI technology to identify and automatically remediate vulnerabilities, misconfigurations, and compliance gaps across corporate networks, aiming to minimize business disruptions. Kollender's approach stems from her experience in the Israeli Air Force's Cyber Security-Systems Division and her work as a system security architect at Dell EMC. As cybercriminals increasingly utilize AI for malicious activities, Kollender stresses the necessity for defenders to match this pace and sophistication in their cybersecurity strategies. The AI-driven battle between defenders and attackers has intensified, with intrusions now occurring in weeks or days, highlighting the urgent need for advanced defensive measures. Kollender's philosophy is rooted in curiosity and innovative problem-solving, advocating for unconventional methods to achieve cybersecurity objectives.
2025-12-26 14:53:36 thehackernews NATION STATE ACTIVITY Evasive Panda APT Uses DNS Poisoning in Global Espionage Campaign
Evasive Panda, a China-linked APT group, executed a sophisticated cyber espionage campaign targeting Türkiye, China, and India using DNS poisoning to deliver MgBot malware. The campaign, active from November 2022 to November 2024, involved adversary-in-the-middle attacks to manipulate DNS responses and deploy malicious software updates. Attackers used DNS poisoning to redirect legitimate software update requests to attacker-controlled servers, compromising applications like SohuVA, Tencent QQ, and iQIYI Video. The operation employed a multi-stage malware deployment process, utilizing encrypted shellcode and custom encryption algorithms to evade detection and analysis. Evasive Panda's tactics include leveraging compromised ISPs or network devices to alter DNS responses, targeting specific operating systems for tailored attacks. The MgBot malware, once deployed, can perform extensive data harvesting, including keystroke logging, audio recording, and credential theft, ensuring prolonged system infiltration. This campaign underscores the persistent threat posed by state-sponsored actors employing advanced techniques to achieve long-term espionage objectives.