SIGNALS WEEKLY: Poisoned DNS Updates + Aflac’s 22.65M Aftershock (and MongoBleed)
This week’s vibe: MongoBleed → KEV, BitLocker ransomware in critical infra, poisoned DNS “updates” for MgBot, and Aflac’s ~22.65M aftershock. 🔥🧨🦠
TL;DR
- [Vulnerabilities] MongoDB “MongoBleed” (CVE-2025-14847) added to CISA KEV; unauthenticated pre-auth heap memory leak, active exploitation; patch or disable zlib compression and reduce exposure.
- [Ransomware / Critical Infrastructure] Romania’s water authority (BitLocker) and largest coal producer (Gentlemen) hit; IT was disrupted while OT stayed resilient, underscoring segmentation and backup gaps.
- [Threat Actors / Espionage] China-linked Evasive Panda poisoning DNS and abusing fake updates to deliver MgBot via multi-stage loaders; harden DNS/update paths and add kernel/memory telemetry.
AlphaHunt
Stop doomscrolling, start decisioning. We chewed through the muck so your team doesn’t have to. → Subscribe!
Like this? Forward this to a friend!
(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))
Current Stories
TL;DR
- [Vulnerabilities] MongoDB “MongoBleed” (CVE-2025-14847) added to CISA KEV; unauthenticated pre-auth memory leak, active exploitation, broad internet exposure.
- [Ransomware / Critical Infrastructure] Consecutive BitLocker/Gentlemen ransomware hits on Romania’s water authority and largest coal power producer highlight IT–OT gaps.
- [Data Breach] Aflac confirms June 2025 intrusion exposed data of ~22.65M individuals; long-tail risk to identity and fraud ecosystems.
- [Threat Actors / Espionage] China-linked Evasive Panda runs multi-year DNS-poisoning campaign delivering MgBot via poisoned software updates (Türkiye, China, India).
MongoBleed (CVE-2025-14847) actively exploited, in CISA KEV
- CISA added CVE-2025-14847 to the Known Exploited Vulnerabilities catalog on 2025-12-29, requiring US federal agencies to remediate by 2026-01-19.
- KEV description: improper handling of length parameter inconsistency in MongoDB Server zlib-compressed protocol headers allows unauthenticated clients to read uninitialized heap memory.
- Wiz research:
  - Affects MongoDB 8.2.0–8.2.2, 8.0.0–8.0.16, 7.0.0–7.0.27, 6.0.0–6.0.26, 5.0.0–5.0.31, 4.4.0–4.4.29, plus all 4.2/4.0/3.6.
  - Working PoC available since 2025-12-26; exploitation in the wild confirmed.
  - Censys observed ~87k potentially vulnerable internet-exposed MongoDB instances; Wiz sees ~42% of cloud environments with at least one vulnerable instance.
- Recommended actions:
  - Upgrade to patched versions (8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, 4.4.30) or disable zlib compression.
  - Reduce direct exposure of MongoDB; monitor for anomalous pre-auth connections and use emerging detection tooling.
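A small triage helper, added here as an example and not taken from the newsletter, Wiz or MongoDB: it classifies inventoried servers against the affected and patched ranges listed above, and treats a build with zlib removed from the compressor list as mitigated rather than vulnerable. The hostnames and the default compressor list are assumptions for illustration.

```python
"""Added example: classify MongoDB builds against the CVE-2025-14847 ranges above."""
from typing import Dict, List, Tuple

# Patched release per series, from the newsletter; every lower patch level in the
# same major.minor series falls inside the affected ranges it lists.
PATCHED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (8, 2): (8, 2, 3), (8, 0): (8, 0, 17), (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27), (5, 0): (5, 0, 32), (4, 4): (4, 4, 30),
}
# Series reported as affected with no fixed release listed.
UNPATCHED_SERIES = {(4, 2), (4, 0), (3, 6)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '7.0.27' or '7.0.27-rc1' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.strip().split("-")[0].split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def classify(version: str, compressors: Tuple[str, ...] = ("snappy", "zstd", "zlib")) -> str:
    """Return 'patched', 'vulnerable', 'mitigated' (affected build, zlib disabled)
    or 'unknown' (series not covered by the published ranges).
    `compressors` mirrors net.compression.compressors in mongod.conf; the
    default used here (snappy, zstd, zlib) is an assumption for the example."""
    v = parse_version(version)
    series = v[:2]
    if series in PATCHED and v >= PATCHED[series]:
        return "patched"
    if series in PATCHED or series in UNPATCHED_SERIES:
        return "vulnerable" if "zlib" in compressors else "mitigated"
    return "unknown"


def triage(inventory: List[Tuple[str, str, Tuple[str, ...]]]) -> Dict[str, List[str]]:
    """Group (host, version, compressors) records by classification."""
    out: Dict[str, List[str]] = {}
    for host, version, comps in inventory:
        out.setdefault(classify(version, comps), []).append(host)
    return out


# Constructed sample inventory; the hosts are placeholders, not real systems.
SAMPLE = [
    ("db-a.example.internal", "8.0.16", ("snappy", "zstd", "zlib")),
    ("db-b.example.internal", "8.0.17", ("snappy", "zstd", "zlib")),
    ("db-c.example.internal", "6.0.20", ("snappy",)),
    ("db-d.example.internal", "4.2.25", ("snappy", "zlib")),
    ("db-e.example.internal", "8.1.0", ("zlib",)),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status:10s} {', '.join(hosts)}")
```

"mitigated" hosts still run affected code, so they belong on the upgrade list; the split only helps prioritise which instances need action before the next maintenance window.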
Ransomware hits Romania’s water authority and coal power producer
- Romanian National Water Authority (Administrația Națională Apele Române):
  - DNSC and the authority report ~1,000 systems impacted across 10 of 11 regional offices.
  - Systems affected: GIS servers, DB, email/web, Windows workstations, DNS; OT and hydrotechnical operations unaffected.
  - Attackers abused built-in Windows BitLocker to encrypt systems and left a seven-day ransom demand.
  - Operations continue via dispatch centers using phone/radio; flood protection/forecasting not impacted.
- Oltenia Energy Complex (Complexul Energetic Oltenia), Romania’s largest coal-based energy producer:
  - Gentlemen ransomware attack on 2025-12-26 took down IT infrastructure.
  - The company states the attack encrypted documents and made ERP, document management, email, and website unavailable, but did not jeopardize the national energy system.
  - Recovery efforts rely on backups; incident reported to the National Cyber Security Directorate, Ministry of Energy, and DIICOT (cybercrime prosecutors).
- Trend: increasing use of native encryption (BitLocker) and new ransomware crews (Gentlemen) against European critical infrastructure; core OT is resilient while business IT is highly exposed.
Aflac: June 2025 cyber incident exposed data of ~22.65M individuals
- Aflac’s 2025-12-19 update:
  - June 2025 incident involved suspicious activity on a limited number of systems.
  - Contained within hours; no ransomware; operations remained online.
  - Detailed file review shows personal information for ~22.65M individuals involved.
- Impacted data:
  - Personal and health-related information associated with customers, beneficiaries, employees, and agents (per company and follow-on media summaries).
- Response:
  - Accounts potentially impacted were secured; passwords reset and monitoring increased.
  - Notifications and support resources are being provided to affected individuals.
- Sector signal: large-scale data exposure at an insurance giant amid a year of social-engineering and data-theft campaigns against insurers; raises long-term fraud and privacy risk.
Evasive Panda APT: DNS poisoning + fake updates to deliver MgBot
- Kaspersky reports a long-running Evasive Panda (aka Bronze Highland/Daggerfly/StormBamboo) espionage campaign:
  - Active from Nov 2022 to Nov 2024; victims in Türkiye, China, India, some compromised >1 year.
- TTPs:
  - Fake “updates” for popular Windows apps (SohuVA, iQIYI Video, IObit Smart Defrag, Tencent QQ).
  - Adversary-in-the-middle DNS poisoning to redirect update traffic to attacker infrastructure; second-stage shellcode masquerades as a PNG fetched from dictionary[.]com via poisoned DNS.
  - Complex multi-stage loader chain:
    - Initial C++ loader → XOR+LZMA config decryption.
    - In-memory shellcode, use of DPAPI and RC5 hybrid crypto to tie payloads to specific victims.
    - DLL sideloading via an old signed executable and in-memory MgBot injection into svchost.exe.
- Payload:
  - Updated MgBot implant with modular espionage features (keylogging, file theft, command execution) and multiple hardcoded C2 IPs for redundancy.
- Strategic takeaway: highly targeted, infrastructure-level tampering (DNS/update channels) that bypasses user interaction and traditional email/web filtering, emphasizing the need for DNS integrity checks and update-path hardening.
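One concrete form of the DNS integrity check the takeaway calls for, added here as an example (not Kaspersky's tooling or anything from the newsletter): compare resolver-log answers for software-update hostnames against the address ranges those hosts are expected to resolve to, and surface answers that fall outside them. The hostnames, prefixes and log lines are constructed for illustration.

```python
"""Added example: flag update-hostname DNS answers outside their expected prefixes."""
import ipaddress
from typing import Dict, List, Tuple

# Expected address ranges per update hostname. Constructed for the example; in
# practice a baseline comes from the vendor's published ranges or from resolving
# the same names through an independent, trusted resolver.
EXPECTED: Dict[str, List[str]] = {
    "update.vendor-a.example": ["203.0.113.0/24"],
    "cdn.vendor-b.example": ["198.51.100.0/25", "2001:db8:10::/48"],
}

Record = Tuple[str, str, str]  # (qname, rtype, rdata)


def parse_log(text: str) -> List[Record]:
    """Parse key=value resolver log lines into (qname, rtype, rdata) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        records.append((fields["q"], fields["type"], fields["ans"]))
    return records


def poisoned_answers(records: List[Record]) -> List[Record]:
    """Return A/AAAA answers whose address lies outside every expected prefix
    for that name. Names without a baseline are skipped, and an IPv6 answer is
    never matched against an IPv4 prefix (or vice versa)."""
    alerts = []
    for qname, rtype, rdata in records:
        prefixes = EXPECTED.get(qname.lower().rstrip("."))
        if not prefixes or rtype not in ("A", "AAAA"):
            continue
        addr = ipaddress.ip_address(rdata)
        if not any(addr in ipaddress.ip_network(p) for p in prefixes):
            alerts.append((qname, rtype, rdata))
    return alerts


# Constructed sample log; the second and fourth answers point outside the baseline.
SAMPLE_LOG = """\
ts=2025-12-01T10:00:00Z client=10.0.0.5 q=update.vendor-a.example. type=A ans=203.0.113.7
ts=2025-12-01T10:00:04Z client=10.0.0.5 q=update.vendor-a.example. type=A ans=192.0.2.44
ts=2025-12-01T10:01:10Z client=10.0.0.9 q=cdn.vendor-b.example. type=AAAA ans=2001:db8:10::1
ts=2025-12-01T10:01:12Z client=10.0.0.9 q=cdn.vendor-b.example. type=A ans=198.51.100.200
ts=2025-12-01T10:02:00Z client=10.0.0.9 q=www.unrelated.example. type=A ans=192.0.2.1
"""

if __name__ == "__main__":
    for qname, rtype, rdata in poisoned_answers(parse_log(SAMPLE_LOG)):
        print(f"unexpected {rtype} answer for {qname}: {rdata}")
```

A divergence is a lead, not proof: vendors move CDN ranges, so the baseline needs maintenance, but a sudden new answer for an update host on the same network path a compromised client used is exactly the artifact this campaign leaves behind.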
References
- (2025-12-29) CISA Adds One Known Exploited Vulnerability to Catalog
- (2025-12-29) Known Exploited Vulnerabilities Catalog – CVE-2025-14847 Entry
- (2025-12-28) MongoBleed (CVE-2025-14847) exploited in the wild: everything you need to know
- (2025-12-22) Romanian water authority hit by ransomware attack over weekend
- (2025-12-29) Romanian energy provider hit by Gentlemen ransomware attack
- (2025-12-19) Aflac updates June 2025 security incident
- (2025-12-24) Kaspersky uncovers new targeted attacks by Evasive Panda aimed at Türkiye, China, and India
- (2025-12-23) Evasive Panda APT poisons DNS requests to deliver MgBot
Suggested Pivots
How exposed are our direct and third-party services to MongoDB and similar pre-auth memory disclosure flaws like MongoBleed?
- Why: Connects a headline vuln to real asset and supply-chain exposure, including embedded MongoDB in vendor platforms.
- What to expect: An inventory of MongoDB usage, compensating controls, and candidate detections for exploitation attempts at network and application layers.
What do the Romanian water and energy ransomware incidents reveal about typical IT/OT segmentation and recovery patterns in critical infrastructure?
- Why: Helps anticipate operational vs IT impact and realistic recovery timelines if similar attacks hit our sector.
- What to expect: A comparison of architectures, failover methods, and playbooks that preserved OT while IT was degraded.
AlphaHunt Converge - Plug in your Flight Crew
Get intelligence where it counts. No dashboards. No detours. AlphaHunt Converge teases out your intent, reviews the results and delivers actionable intel right inside Slack. We turn noise into signal and analysts into force multipliers.
Anticipate, Don’t Chase.
