Romanian Waters Ransomware Attack

**Cybersecurity Roundup: Major Breaches, Ransomware, and Critical Vulnerabilities (Week of December 29)** The past week saw a surge in cyberattacks targeting critical infrastructure, financial services, and high-profile organizations, alongside the disclosure of severe vulnerabilities in widely used software. **Major Breaches and Attacks** Romania’s national water management authority, *Romanian Waters*, fell victim to a ransomware attack encrypting nearly 1,000 systems across its national and regional offices. While operational technology controlling water infrastructure remained unaffected, the incident disrupted geographic information systems, databases, email, and web servers. No data leakage was reported. France’s postal service, *La Poste*, experienced a cyberattack disrupting online parcel tracking, mail distribution, and banking services for *La Banque Postale* customers. The pro-Russian hacktivist group *NoName057(16)* claimed responsibility, though no evidence of data compromise emerged. Insurance giant *Aflac* confirmed a June data breach exposing sensitive files—including insurance claims, health data, and Social Security numbers—of 22.7 million U.S. individuals. The attack was attributed to the *Scattered Spider* threat group. Nissan disclosed a breach affecting 21,000 customers after unauthorized access to *Red Hat* data servers exposed personal details (names, addresses, emails, and sales data). The *Crimson Collective* claimed the initial breach, with *ShinyHunters* later leaking samples of the stolen data. *Trust Wallet*, a non-custodial cryptocurrency wallet, reported a compromised Chrome extension update (version 2.68.0) that exfiltrated seed phrases to a malicious domain, resulting in at least $7 million in losses. Ubisoft’s *Rainbow Six Siege* suffered an attack where threat actors manipulated internal systems to distribute $13.33 million in in-game currency, unlock restricted cosmetics, and bypass bans. *Baker University* confirmed a breach exposing sensitive data—including Social Security numbers, financial details, and medical records—of 53,624 students, alumni, and staff. **Critical Vulnerabilities** A high-severity flaw (*CVE-2025-14847*, "MongoBleed") in *MongoDB Server* (versions 4.0–8.2.3) allows unauthenticated attackers to exploit a zlib implementation flaw, potentially accessing uninitialized heap memory and executing arbitrary code. A critical serialization injection vulnerability (*CVE-2025-68664*, CVSS 9.3) in *LangChain Core* enables attackers to extract secrets, inject prompts, or execute arbitrary code via unescaped user-controlled dictionaries. A buffer overflow vulnerability (*CVE-2025-68615*, CVSS 9.8) in *Net-SNMP’s snmptrapd* daemon permits remote code execution or service crashes via specially crafted packets. Patches are available in versions 5.9.5 and 5.10.pre2. **Threat Intelligence** A phishing campaign abused *Google Cloud Application Integration* to send 9,000 spoofed Google notification emails, redirecting victims to a Microsoft-themed credential-harvesting site. Targets included manufacturing, technology, and finance sectors across the U.S., Asia-Pacific, and Europe. Researchers uncovered a two-year *Evasive Panda* campaign using DNS poisoning to deliver *MgBot* malware via fake updaters. The attack employed multi-stage shellcode, hybrid encryption, and DLL sideloading, with persistence achieved through signed system processes and hardcoded C2 servers.