Transcript
A (0:00)
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, with wired, wireless and cellular all in one integrated solution that's built for performance and scale. You can find them at meter.com/CST.
B (0:21)
MongoBleed exploit drops on Christmas Day. Rainbow Six Siege hacked, billions of credits granted. Trust Wallet extension hack drains $7 million in cryptocurrency. And fake Grubhub emails push a 10x Bitcoin scam. This is Cybersecurity Today, and I'm your host, David Shipley. Let's get started. One of the biggest cybersecurity developments over the holidays is a vulnerability in MongoDB, now being tracked as CVE-2025-14847, commonly referred to as MongoBleed. MongoDB disclosed the vulnerability on December 15, warning that it could allow an unauthenticated client to trigger exposure of sensitive memory under certain conditions. But the story escalated on Christmas Day, when a proof of concept exploit was posted publicly by an Elastic security researcher, significantly lowering the barrier for attackers to test and weaponize the vulnerability. The exploit targets a flaw in MongoDB's zlib-based network message decompression logic, and because that logic is processed before authentication, it allows unauthenticated attackers to trigger the server into returning uninitialized heap memory, potentially exposing sensitive fragments of data in memory. This is a high severity vulnerability with a CVSS score of 8.7, and it impacts a wide range of MongoDB versions, including supported branches and older legacy versions going back to MongoDB 3.6. The risk is highest for organizations that allow MongoDB instances to be reachable over the network, especially those exposed to the Internet, because attackers don't need stolen credentials or user interaction to begin probing. Public exploit code lowers the barrier even further, making widespread scanning and opportunistic exploitation far more likely. The timing of the PoC alone sparked immediate backlash. Over on r/sysadmin on Reddit, the mood was basically: this is serious, but why drop a working exploit on Christmas Day?
MongoDB has already released patched versions for the affected branches, including 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32 and 4.4.30. If you're using MongoDB Atlas, updates have already been applied automatically, but for self-hosted environments it's critical to patch immediately. If patching isn't an option right away, MongoDB recommends a temporary workaround: disable zlib compression, and explore alternatives like Snappy or Zstandard if compression is required. The takeaway here is straightforward. MongoBleed is a high severity vulnerability, exploit code is now public, and it affects a wide range of MongoDB deployments. If you run MongoDB, especially anything Internet-facing, the priority is clear: patch immediately, disable zlib compression if you can't patch, and review network exposure to ensure database access is tightly restricted. Ubisoft's Rainbow Six Siege, a hugely popular team-based video game, suffered a major breach that allowed attackers to abuse internal systems to ban and unban players, manipulate in-game moderation feeds, and, most dramatically, grant massive amounts of in-game currency and cosmetic items to accounts worldwide. Player reports of issues started around December 27th. This reporting comes from Bleeping Computer, which says the incident is backed by multiple player reports and in-game screenshots circulating online. According to those reports, attackers were able to display fake ban messages, grant players roughly 2 billion R6 credits and Renown, and even unlock cosmetic items, including developer-only skins. R6 credits are a premium currency sold for real money through Ubisoft. Bleeping Computer notes that, based on Ubisoft's pricing, where 15,000 R6 credits cost $99.99, the value of 2 billion credits would be roughly $13.3 million worth of in-game currency distributed for free. Ubisoft publicly acknowledged the incident on Saturday morning.
The official Rainbow Six Siege account confirmed they were aware of an issue affecting the game and said teams were working to resolve it. Not long after, Ubisoft intentionally shut down Siege and its in-game marketplace, saying the team needed to focus on resolving the issue. In a later update, Ubisoft said players would not be punished for spending the granted credits, but the company would be rolling back all transactions made since 11am UTC. Ubisoft also said it did not generate the fake ban ticker messages and noted the ticker had already been disabled. At this point, Ubisoft has not released a detailed formal explanation of how the breach occurred, and Bleeping Computer reports the company has not yet responded to requests for additional technical details. Now, there's a second thread developing alongside this incident, and it may be related, but it remains unverified. Bleeping Computer reports there are rumors of a broader compromise inside Ubisoft's infrastructure, with some threat actors and online sources claiming access to internal systems beyond Rainbow Six Siege. According to security research group VX Underground, threat actors have claimed they breached Ubisoft servers using MongoBleed. VX Underground claims multiple, potentially unrelated, threat groups may be involved, with claims ranging from manipulating Siege services, to pivoting into internal git repositories and stealing source code, to even stealing Ubisoft user data in an extortion attempt. But Bleeping Computer is clear: none of these claims have been independently verified, including whether MongoBleed was actively exploited, whether internal source code was accessed, or whether customer data was stolen. So here's what we know and what we don't. As of this morning, Ubisoft has confirmed abuse inside Rainbow Six Siege, including currency and moderation manipulation, and the company has taken the game and the marketplace offline while it works on remediation and rollback.
As for the claims of a larger breach involving MongoBleed and broader Ubisoft infrastructure compromise, those claims remain unconfirmed, and there's currently no public evidence to support them beyond what threat actors and third parties are alleging. Now to a major supply chain security incident in the cryptocurrency space, also during the holidays. Trust Wallet, a self-custody mobile crypto wallet, has confirmed that a compromised update to its Chrome browser extension led to at least $7 million in stolen cryptocurrency, after users reported their wallets drained shortly after interacting with the extension. Bleeping Computer says the compromised update was released on December 24, and within hours users began posting online that funds had disappeared. Trust Wallet released extension version 2.68.0 shortly before the wallet drain reports began. A fixed update, version 2.69, appeared shortly afterward. Security researchers found suspicious logic inside a bundled JavaScript file named 4482.js, which appeared to exfiltrate sensitive wallet data to an external server at API Metrics Trusted Wallet, a domain registered only days earlier. Researchers said it looked like analytics, but would trigger when a seed phrase was imported, which is effectively a master key granting full control of a wallet. Trust Wallet has confirmed the incident and advised users to update immediately to version 2.69. Changpeng Zhao, also known as CZ, founder of Binance, the largest cryptocurrency exchange in the world, posted that roughly $7 million has been affected so far and said that Trust Wallet will cover losses. Binance acquired Trust Wallet in 2018. Attackers immediately doubled down with a phishing campaign. Domains like Fix TrustWallet.com impersonated Trust Wallet's branding and claimed to fix the issue, but instead prompted victims to enter their recovery seed phrase, allowing attackers to drain more wallets instantly.
The guidance here is clear: verify that, if you use this extension, it is updated to 2.69, and if a seed phrase may have been exposed, treat it as permanently unsafe, create a new wallet and move remaining funds immediately. And finally, a holiday-themed crypto scam that looks like it came from a legitimate source. Grubhub users, particularly merchant partners, received fraudulent messages that appeared to come from a real Grubhub email subdomain, promising a tenfold bitcoin payout in return for sending cryptocurrency to a specified wallet. The emails claimed to be part of a so-called holiday crypto promotion and came from an address on the b.grubhub.com domain, a legitimate subdomain Grubhub uses to communicate with its merchant partners and restaurants. The scam email told recipients there were 30 minutes left and promised Grubhub will 10x any Bitcoin sent to this address. For example, it claimed if you sent 1,000 you would get back 10,000. This is a classic crypto reward scam: victims are lured into sending funds with the false promise of receiving more back. Once the bitcoin is sent, it's gone. Some recipients speculated the emails could be tied to a DNS takeover or related infrastructure compromise, which could allow messages to pass authenticity checks, but Bleeping Computer notes Grubhub has not provided details on how this happened. In a statement, Grubhub said it investigated, contained the issue and is taking steps to ensure it doesn't happen again. In case you're wondering, I did say last Monday would be the last regular news episode for the year, and I won't be making that mistake again. Jim and I had a plan in place in case news broke over the holidays, and I was hoping we would all get a well-deserved break. But it wasn't to be. We will be keeping an eye on the news over the New Year's holidays, and if we need more episodes, particularly if MongoBleed takes off, if it was behind the Ubisoft breach, and more, we will be back.
I've been your host, David Shipley. I'll be back for sure for our regular episode on January 5th. Jim Love will return in the new year. Thanks for listening. I hope all of you out there had a well-deserved break and enjoyed time with friends, family and loved ones. By the way, this year is ending; we're going to need as much rest and reset as we can get heading into 2026. If you enjoy the show, please tell others, consider leaving a review, and remember to like and subscribe. We'd love to reach even more people, and we continue to need your help. Thanks for listening.
