Today’s roundup
IBM warns of critical API Connect auth bypass vulnerability
New ErrTraffic service enables ClickFix attacks via fake browser glitches
European Space Agency confirms breach of "external servers"
Zoom Stealer browser extensions harvest corporate meeting intelligence
US cybersecurity experts plead guilty to BlackCat ransomware attacks
U.S. Treasury Lifts Sanctions on Three Individuals Linked to Intellexa and Predator Spyware
CSA Issues Alert on Critical SmarterMail Bug Allowing Remote Code Execution
MongoBleed (CVE-2025-14847): the US, China, and the EU are among the top exploited GEOs
Mustang Panda deploys ToneShell via signed kernel-mode rootkit driver
Agentic ProbLLMs: Exploiting AI Computer-Use And Coding Agents (39C3 Video + Slides)
Summary
IBM has warned of a critical authentication bypass vulnerability in its API Connect enterprise platform that could allow remote access to applications. Customers are urged to patch immediately.
A new cybercrime service, ErrTraffic, automates "ClickFix" attacks by generating fake browser glitches on compromised websites, luring users into downloading payloads or following malicious instructions.
The European Space Agency (ESA) confirmed a breach of external servers holding unclassified information on collaborative engineering activities.
A new "Zoom Stealer" campaign affects 2.2 million Chrome, Firefox, and Edge users via 18 malicious browser extensions that collect online meeting data including URLs, IDs, topics, and passwords.
Two former employees of cybersecurity incident response companies Sygnia and DigitalMint pleaded guilty to perpetrating BlackCat (ALPHV) ransomware attacks against U.S. organizations in 2023.
The U.S. Treasury's Office of Foreign Assets Control (OFAC) removed three individuals linked to the Intellexa Consortium, developer of Predator spyware, from its specially designated nationals list, reversing a 2024 Biden administration designation.
Singapore's Cyber Security Agency (CSA) warned of a maximum-severity (CVSS 10.0) remote code execution vulnerability (CVE-2025-52691) in SmarterTools SmarterMail email software, stemming from an arbitrary file upload flaw exploitable without authentication.
The critical MongoBleed vulnerability (CVE-2025-14847) in MongoDB servers is actively exploited globally, enabling unauthenticated attackers to remotely leak memory via zlib compression. CISA ordered U.S. federal agencies to patch by January 19, noting widespread exploitation in China, the U.S., and Germany among other regions.
China-linked APT Mustang Panda is deploying its ToneShell backdoor using a signed kernel-mode rootkit driver, ProjectConfiguration.sys. The campaign, which targets government entities in Southeast and East Asia, leverages a stolen certificate to install a mini-filter driver that injects ToneShell, protects the malicious components, and disables Microsoft Defender's WdFilter; the backdoor communicates over TCP port 443 using fake TLS 1.3 headers.
New security research presented at the 39C3 conference detailed vulnerabilities in agentic AI systems, specifically focusing on the exploitation of AI computer-use and coding agents, showcasing findings from a "Month of AI Bugs."