Cyber Threat Intelligence Digest: Week 51

24th December 2025 - Threat Reports
  • Vulnerabilities
  • Potential Threats
  • General News
  • Threat Actor Weekly Graph
  • Global Trends Powered by Recorded Future
  • Prominent Information Security Events
  • Remediation Actions

Executive Summary -
Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

Elastic Patched CVE-2025-68385 Vulnerability in Kibana - On 18 December 2025, Elastic released patches for CVE-2025-68385, a cross-site scripting (XSS) vulnerability in Kibana with a severity score of 7.2. The issue affects versions 7.x, 8.0.0–8.19.8, 9.0.0–9.1.8 and 9.2.0–9.2.2, and is fixed in 8.19.9, 9.1.9 and 9.2.3. No fixed release is listed for the 7.x line, so 7.x deployments need to move to a patched 8.x or 9.x release rather than wait for a 7.x update.

The flaw lets an authenticated user inject script through a Vega visualisation by a method that bypasses an earlier mitigation for the same issue; the injected script is then included in pages Kibana generates and runs in the browser of any user who views them. Because the attacker must already hold a Kibana login, the practical risk is a low-privileged or compromised user targeting higher-privileged users who open the affected content. At the time of writing there were no reports of active exploitation.

MongoDB Patched CVE-2025-14847 Vulnerability in MongoDB Server - On 22 December 2025, MongoDB disclosed and patched CVE-2025-14847, a high-severity vulnerability in MongoDB Server. Affected releases are 4.4.0 to 4.4.29, 5.0.0 to 5.0.31, 6.0.0 to 6.0.26, 7.0.0 to 7.0.26, 8.0.0 to 8.0.16 and 8.2.0 to 8.2.2 (8.2.3 is the fixed release on that branch), together with every release of the end-of-life 3.6, 4.0 and 4.2 branches.

The flaw is in the server's handling of zlib-compressed network messages: a crafted compressed message can cause the server to hand back uninitialised heap memory to the client, which may contain sensitive data left over from other connections or operations. MongoDB fixed the issue in 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32 and 4.4.30; no fix is listed for 3.6, 4.0 and 4.2, which need to be upgraded to a supported branch. Until the upgrade is applied, removing zlib from the server's enabled compressors (net.compression.compressors in the config file, or --networkMessageCompressors on the command line) takes the affected code path out of use, and the server should not be reachable from untrusted networks in any case. There are currently no reports of active exploitation.
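A quick way to turn the two advisories above (Kibana CVE-2025-68385 and MongoDB Server CVE-2025-14847) into an inventory check is to compare each deployed build against the affected branches. The script below is an added example for this digest, not Elastic's or MongoDB's tooling. It takes the version boundaries from the advisory summaries above; where a fixed release is given it treats every earlier release on that branch as affected (the conservative reading, which also resolves the 7.0.27 gap in the quoted range), and it flags branches with no fixed release as needing a branch upgrade. The inventory at the bottom is constructed.

```python
"""Check deployed Kibana / MongoDB Server versions against the affected ranges
quoted in this digest for CVE-2025-68385 and CVE-2025-14847.
Added example for the digest, not vendor tooling; SAMPLE_INVENTORY is constructed."""
from __future__ import annotations
import re
from typing import NamedTuple


class Advisory(NamedTuple):
    cve: str
    product: str
    # (first affected release, fixed release), or ("X.Y.*", None) for a whole
    # branch that is affected and has no fixed release listed.
    branches: tuple[tuple[str, str | None], ...]


class Finding(NamedTuple):
    cve: str
    version: str
    affected: bool
    fixed_in: str | None   # None: not affected, or affected with no fix on the branch


KIBANA = Advisory("CVE-2025-68385", "Kibana", (
    ("7.*", None),           # 7.x listed as affected, no fixed release given
    ("8.0.0", "8.19.9"),
    ("9.0.0", "9.1.9"),
    ("9.2.0", "9.2.3"),
))

MONGODB = Advisory("CVE-2025-14847", "MongoDB Server", (
    ("3.6.*", None), ("4.0.*", None), ("4.2.*", None),   # end-of-life, no fix listed
    ("4.4.0", "4.4.30"),
    ("5.0.0", "5.0.32"),
    ("6.0.0", "6.0.27"),
    ("7.0.0", "7.0.28"),
    ("8.0.0", "8.0.17"),
    ("8.2.0", "8.2.3"),
))

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, ...]:
    """'8.19.8', 'v8.2.3' or '8.0.16-ent' -> (8, 19, 8), (8, 2, 3), (8, 0, 16)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def assess(advisory: Advisory, version_text: str) -> Finding:
    """Affected if the version sits in a no-fix branch, or is at or above the first
    affected release and below the fixed release of the same branch."""
    v = parse_version(version_text)
    for first, fixed in advisory.branches:
        if fixed is None:                                        # e.g. "7.*" or "4.2.*"
            prefix = tuple(int(p) for p in first.rstrip("*").strip(".").split("."))
            if v[:len(prefix)] == prefix:
                return Finding(advisory.cve, version_text, True, None)
        elif parse_version(first) <= v < parse_version(fixed):
            return Finding(advisory.cve, version_text, True, fixed)
    return Finding(advisory.cve, version_text, False, None)


def triage(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Rows are (host, product, version); returns one action line per affected host."""
    advisories = {a.product: a for a in (KIBANA, MONGODB)}
    actions = []
    for host, product, version in inventory:
        f = assess(advisories[product], version)
        if not f.affected:
            continue
        fix = (f"upgrade to {f.fixed_in}" if f.fixed_in
               else "no fix on this branch: move to a supported branch")
        actions.append(f"{host}: {product} {version} affected by {f.cve}, {fix}")
    return actions


SAMPLE_INVENTORY = [                      # constructed, not from a real estate
    ("kbn-01", "Kibana", "8.19.8"),
    ("kbn-02", "Kibana", "9.2.3"),
    ("kbn-legacy", "Kibana", "7.17.20"),
    ("db-01", "MongoDB Server", "7.0.27"),
    ("db-02", "MongoDB Server", "8.2.3"),
    ("db-old", "MongoDB Server", "4.2.25"),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_INVENTORY):
        print(line)
```

Feed it the output of `kibana --version` and `db.version()` per host; the assumption that everything below the fixed build is affected errs on the side of patching, which is the right direction for a memory disclosure bug.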

Exploitation of High-Severity Improper Access Control Vulnerability Affecting Microsoft Windows Admin Center (CVE-2025-64669) - On 17 December 2025, Cymulate Research Lab published a technical blog describing the exploitation of CVE-2025-64669, a high-severity improper access control vulnerability affecting Microsoft Windows Admin Center versions 1709 through 1910, as well as other builds up to 2411. Windows Admin Center is a browser-based management tool used to centrally administer Windows servers, PCs, clusters and related infrastructure. Microsoft addressed the issue on 9 December 2025 with the release of version 2511 as part of the December 2025 Patch Tuesday updates.

The flaw is caused by insecure directory permissions on C:\ProgramData\WindowsAdminCenter, which is writable by standard users even though privileged Windows Admin Center components read from and act on its contents. A low-privileged local attacker can therefore plant content in the directory and have it processed by a high-privilege service, gaining code execution as SYSTEM or NETWORK SERVICE. The exposure is local only: the attacker needs a foothold on the management host first, so the flaw matters most where Windows Admin Center runs on a shared or multi-user server. Inspecting the directory's ACL (for example with icacls) shows whether an installation still grants write access to the Users group.
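The precondition described above, a write grant to ordinary users on the directory, is easy to confirm from the text that `icacls C:\ProgramData\WindowsAdminCenter` prints on the host. The parser below is an added example for this digest, not Cymulate's or Microsoft's code; the two sample outputs are constructed to show a writable and a hardened ACL, not captured from a real install, and the set of principals it treats as low-privilege is an assumption you may want to widen for your estate. The supported fix remains the 2511 update; tightening the ACL by hand is interim hardening only.

```python
r"""Flag directories whose ACL grants a write right to low-privilege principals,
by parsing `icacls <dir>` output. Added example for this digest, not vendor code.
Both sample outputs are constructed."""
import re
import subprocess

WAC_DIR = r"C:\ProgramData\WindowsAdminCenter"

# Principals every local user belongs to (assumed list; extend for your estate).
LOW_PRIV_PRINCIPALS = {"builtin\\users", "nt authority\\authenticated users",
                       "everyone", "nt authority\\interactive"}
# icacls simple rights and granular flags that allow creating or changing files,
# or rewriting the ACL/owner (which amounts to the same thing).
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "DC", "WDAC", "WO"}

# "<principal>:(flag)(flag)..." ; on the first line the path precedes the principal.
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<ace>(?:\([^()]*\))+)\s*$")

SAMPLE_VULNERABLE = r"""C:\ProgramData\WindowsAdminCenter BUILTIN\Users:(OI)(CI)(M)
                                  NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                  BUILTIN\Administrators:(OI)(CI)(F)
                                  CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

SAMPLE_HARDENED = r"""C:\ProgramData\WindowsAdminCenter BUILTIN\Users:(OI)(CI)(RX)
                                  NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                  BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(output: str, path: str) -> list[tuple[str, set[str]]]:
    """Turn icacls output into (principal, flags) pairs."""
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):   # first line carries the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:                                    # blank lines, 'Successfully processed' trailer
            continue
        flags: set[str] = set()
        for group in re.findall(r"\(([^()]*)\)", m.group("ace")):
            flags.update(p for p in group.split(",") if p)   # '(RX,W)' carries two rights
        entries.append((m.group("principal"), flags))
    return entries


def low_priv_write_grants(entries: list[tuple[str, set[str]]]) -> list[tuple[str, list[str]]]:
    """Grant ACEs (not deny / no-access ACEs) giving a write right to a low-privilege principal."""
    findings = []
    for principal, flags in entries:
        if principal.lower() not in LOW_PRIV_PRINCIPALS or "DENY" in flags or "N" in flags:
            continue
        granted = sorted(flags & WRITE_RIGHTS)
        if granted:
            findings.append((principal, granted))
    return findings


def audit(output: str, path: str = WAC_DIR) -> list[tuple[str, list[str]]]:
    return low_priv_write_grants(parse_icacls(output, path))


def audit_live(path: str = WAC_DIR) -> list[tuple[str, list[str]]]:
    """Run on the Windows host itself; icacls ships with every supported Windows build."""
    out = subprocess.run(["icacls", path], capture_output=True, text=True, check=False)
    return audit(out.stdout, path)


if __name__ == "__main__":
    print("vulnerable sample:", audit(SAMPLE_VULNERABLE))   # [('BUILTIN\\Users', ['M'])]
    print("hardened sample:  ", audit(SAMPLE_HARDENED))     # []
```

An empty result means no low-privilege principal can create or modify files in the directory; a hit names the principal and the specific right (here Modify) that makes the planting step possible.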

Potential Threats

Threat Actors Abuse OAuth Device Code Flow in Widespread Microsoft 365 Phishing Campaigns - On 18 December 2025, Proofpoint reported that multiple threat actors, including TA272, were conducting large-scale phishing campaigns that abuse the OAuth 2.0 device code authorisation flow to compromise Microsoft 365 accounts. Activity increased significantly from September 2025, with successful attacks resulting in account takeover, data exfiltration, persistence and, in some cases, lateral movement. The campaigns lean on legitimate Microsoft authentication workflows and trusted first-party applications, so nothing in the sign-in itself looks forged, and they are supported by publicly available phishing tools.

The attack chain begins with phishing emails carrying links or QR codes, typically disguised as document shares, salary information or authentication alerts. The link leads to an attacker-controlled page that, behind the scenes, requests a device code from Microsoft's legitimate device authorisation endpoint and shows the victim the resulting user code, misleadingly labelled as an MFA or one-time passcode. When the victim signs in on Microsoft's official device login page and enters that code, the pending authorisation is completed and Microsoft issues the tokens to the attacker's client. The victim performs the whole sign-in themselves, including any MFA, so the attacker never needs the password and even phishing-resistant MFA is satisfied legitimately; what the attacker ends up with is a user-approved OAuth token that gives persistent access to the account and its cloud resources.

Scripted Sparrow Conducts Global BEC Campaigns Using Executive Impersonation and Mule Accounts - On 19 December 2025, Fortra reported that the Scripted Sparrow threat group is conducting large-scale business email compromise (BEC) campaigns. The group impersonates executive coaching firms, sending spoofed email threads to finance teams to request ACH or wire transfers. Fortra linked Scripted Sparrow to 496 confirmed engagements and estimates that millions of emails are sent monthly using free webmail services, attacker-registered domains, and compromised accounts.

The attack begins with phishing emails containing a spoofed conversation between an executive and a fake consultancy. Early messages included PDF attachments with fake invoices and W-9 forms, but newer campaigns often omit these to encourage victims to reply. If the recipient responds, Scripted Sparrow provides mule account details to complete the transfer. Fortra identified infrastructure linked to Nigeria, South Africa, Türkiye, Canada, and the US, and confirmed the use of location spoofing, Telegram for coordination, and over 256 mule accounts and 119 attacker-controlled domains.

Analysis of New Botnet Called Udados - On 17 December 2025, cybersecurity firm ANY.RUN reported on a newly identified botnet named Udados, which primarily targets organisations in the technology and telecommunications sectors. According to the report, once a system is infected the malware establishes outbound communication with a command-and-control server and sends structured JSON beacon data. This includes a unique identifier, task status and identifiers, bot version, privilege level, DNS beacon source and detailed system metadata.

The command-and-control infrastructure is hosted within the AS214943 RAILNET network. After receiving host telemetry, the server issues instructions that define an execution identifier, attack duration and thread count, and can trigger specific attack modules such as HTTP POST flooding, with the server supplying Base64-encoded payload data. The infected host decodes this data and uses it to generate malicious HTTP POST requests aimed at designated victim domains.

General News

Spotify disables accounts after open-source group scrapes 86 million songs from platform - On Monday, Spotify responded to Anna’s Archive publishing files over the weekend containing 86 million tracks scraped from its platform. Anna’s Archive, which describes itself as the “largest truly open library in human history,” released a database of metadata and songs after discovering a method to scrape Spotify at scale. Spotify stated it had identified and disabled the user accounts responsible and implemented safeguards against such anti-copyright activities. The company emphasised that the incident was not a hack of its systems, as the scraping relied on user accounts set up by a third party and violated Spotify’s terms of service.

Anna’s Archive described the release as an effort to preserve musical heritage, compiling nearly 300 terabytes of data covering 86 million music files and metadata for 256 million tracks, representing nearly all Spotify listens from 2007 to July 2025. The organisation highlighted trends in streaming data and said it aims to protect music from destruction due to disasters, wars, or budget cuts. Banned in several countries for copyright violations, Anna’s Archive was founded after the 2022 shutdown of Z-Library and aggregates content from multiple free online libraries. Copyright holders have repeatedly pursued legal action, and Google has removed hundreds of millions of links to the site following publisher takedown requests.

UK confirms Foreign Office hacked - On Friday, the British government confirmed that data held on a Foreign Office system was compromised in a cyber incident earlier this year, though it said the risk to individuals was “low.” The Sun had reported the attack, attributing it to the China-based group Storm-1849, claiming tens of thousands of visa details may have been accessed. The government, however, did not confirm the actor or method of access. Trade Minister Sir Chris Bryant said the incident was discovered in October, described it as a “technical issue” at one of the sites, and stated that the vulnerability was quickly closed, posing minimal risk to individuals.

The government has historically been cautious in attributing cyberattacks, following intelligence rules introduced after the Butler Review. While it has publicly attributed some malicious activity to China in recent years and sanctioned companies linked to cyber operations, officials are keen to avoid speculation regarding this incident. The disclosure comes amid a wider political debate over China’s influence in the UK, including plans for a “super embassy” in London. Shadow Foreign Secretary Priti Patel criticised the government for not protecting the country from foreign interference, highlighting tensions over national security and foreign policy.

Data Exposure of 4.3B LinkedIn-Style Records Increases Risk of Social Engineering and Identity Theft-Based Campaigns - On 16 December 2025, TechRepublic reported that a third-party organisation had inadvertently left a 16.14 TB MongoDB database publicly accessible, exposing roughly 4.3 billion records derived from LinkedIn. The data included extensive personally identifiable and professional information such as full names, email addresses, phone numbers, LinkedIn profile URLs, job titles, career histories, education, skills, geographic locations, profile photographs, links to other social media accounts, and enrichment metadata like email confidence scores and Apollo identifiers. The database contained nine structured collections, with at least three—profiles, unique_profiles, and people—holding sensitive records, one of which included over 732 million unique entries, many with profile images.

The dataset appeared highly organised, consistent across collections and recently enriched, suggesting it had been collected through automated processes. Researchers warned that such an exposure could facilitate phishing, fraud, impersonation and enterprise reconnaissance campaigns. The incident was traced to a misconfigured MongoDB instance that lacked authentication, reportedly caused by human error rather than a deliberate intrusion. This is a recurring exposure pattern: MongoDB has bound to localhost by default since version 3.6, so an internet-reachable instance without authentication means someone changed the bind address without enabling access control, a combination worth scanning for in any environment that runs MongoDB.

Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100, and together they determine the group's severity rating. This week's changes are shown below.

Severity scale: Limited, Basic, Moderate, High. Each score column shows the previous and current value.

Threat Actor               Severity          Opportunity   Intent
CL0P Ransomware Group      High  -> High     82 -> 81      49 -> 49
ForumTroll                 NEW   -> Basic    NEW -> 30     NEW -> 30
Obscura Ransomware Group   NEW   -> Basic    NEW -> 25     NEW -> 30
Nitrogen Ransomware Group  Basic -> Basic    30 -> 25      49 -> 49
Embargo Ransomware Group   Basic -> Basic    30 -> 30      46 -> 41

Global Trends Powered by Recorded Future

Within each category, we have provided the current top five globally trending items. Each item is marked with a symbol showing how actively it is trending.

The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.

- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.

The four columns are independent top-five lists; entries that share a row are not related to each other.

Attackers               Methods                Vulnerabilities               Targets
Lynx Ransomware Group   Anubis Ransomware      CVE-2025-68613                Western Europe
Russian Hackers         OAuth Phishing         CVE-2025-55182 (React2Shell)  France
NoName057(16)           DDoS                   CVE-2025-38352                Bank of America
Scattered Spider        TA0009 (Collection)    CVE-2025-14733                Spotify
SiegedSec               Remote Code Execution  CVE-2025-20393                Nissan Motor

Prominent Information Security Events

Threat Actors Abuse OAuth Device Code Flow in Widespread Microsoft 365 Phishing Campaigns

Source: Insikt Group | Validated Intelligence Event

IOC: IP - 196[.]251[.]80[.]184

IOC: Domain - docifytoday[.]com

On 18 December 2025, Proofpoint reported that multiple threat actors, including TA272, were running widespread phishing campaigns abusing the OAuth 2.0 device code authorisation flow to compromise Microsoft 365 accounts. The company observed a sharp rise in this activity from September 2025 onwards, with successful intrusions resulting in account takeover, data exfiltration, persistence within cloud environments, and in some cases potential lateral movement. The campaigns rely on legitimate Microsoft authentication mechanisms and trusted first-party applications, lowering suspicion and increasing their success rate, and are supported by readily available phishing toolkits.

The attack chain typically begins with phishing emails that contain a malicious link or QR code, often disguised as a document share, salary information, or an authentication request. When a victim follows the link, they are redirected to an attacker-controlled webpage that initiates Microsoft’s legitimate device authorisation process. The page displays a device code, misleadingly presented as a multi-factor authentication code or one-time passcode, and instructs the victim to enter it at Microsoft’s official device login page.

Once the victim submits the code, the OAuth authorisation is completed and tokens are issued to the attacker's client, effectively handing control of the Microsoft 365 account to the threat actor. Because the technique relies on user-approved OAuth tokens rather than stolen usernames and passwords, it sidesteps both traditional credential controls and phishing-resistant MFA: the victim completes the genuine sign-in, MFA included, on Microsoft's real page. This gives attackers persistent access for follow-on activity, including further data theft and abuse of cloud-based resources. Two practical consequences follow. A password reset alone does not end the access, because the tokens were issued to an application the user approved, so the user's sessions and refresh tokens have to be revoked as well. And the sign-ins are identifiable: Entra ID sign-in logs record the authentication protocol as device code, which makes unexpected device code sign-ins (particularly from addresses or locations the user has never used) a reliable hunting query, and Conditional Access can block the device code authentication flow outright for users and applications with no legitimate need for it.

Analysis of New Botnet Called Udados

Source: Insikt Group | Validated Intelligence Event

IOC: IP - 178[.]16[.]54[.]87

IOC: Hash - 7e2350cda89ffedc7bd060962533ff1591424cd2aa19cd0bef219ebd576566bb

On 17 December 2025, cybersecurity firm ANY.RUN disclosed details of a newly identified botnet dubbed Udados, which primarily targets organisations in the technology and telecommunications sectors. The botnet is designed to establish outbound communication from infected hosts to a command-and-control (C2) server shortly after compromise. During this initial contact, the malware sends structured JSON beacon data containing a unique identifier, task execution status, bot version, privilege level, DNS beacon source, and extensive system information about the infected machine.

This telemetry allows the C2 server to profile compromised hosts and manage them centrally. The C2 infrastructure has been observed operating within the AS214943 RAILNET network, at the IP address listed above. Once the server receives beacon data, it responds with instructions that define execution parameters such as an execution identifier, attack duration and thread count, enabling tailored tasking of each infected system.

Among the supported commands is “! httppost”, which activates an HTTP POST flooding module used for denial-of-service activity. The C2 server supplies Base64-encoded data that the infected host decodes and uses as the body of its HTTP POST requests, which are then sent to the designated victim domains. This shows Udados's capability to conduct coordinated, high-volume network attacks from compromised systems under centralised control; for defenders, the outbound JSON beacon to the listed address and the decoded tasking (target, duration, thread count) are the most useful artefacts to capture from an infected host.
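An analyst triaging a capture of the beacon and tasking exchange described in this item (and in the Potential Threats summary above) mainly wants the victim host, the command, the target domain and the decoded POST body. The decoder below is an added example for this digest, not ANY.RUN's tooling: the report names the fields the beacon and the tasking carry but not their wire-level key names, so the JSON keys and both sample messages are constructed for illustration, and the bot identifier, hostname and target domain are placeholders. The C2 address is the IOC listed above.

```python
"""Decode and summarise the Udados-style beacon/tasking exchange described above.
Added example for this digest, not ANY.RUN's code; key names and both samples
are constructed."""
import base64
import binascii
import json
from dataclasses import dataclass

C2_IP = "178.16.54.87"   # IOC from the report, refanged for use in code

# Fields the report says the beacon carries (key names are assumed).
BEACON_FIELDS = {"id", "task_status", "task_id", "version", "privilege",
                 "dns_beacon_source", "system"}

SAMPLE_BEACON = json.dumps({                      # constructed
    "id": "b7c0-deadbeef", "task_status": "idle", "task_id": None,
    "version": "1.4", "privilege": "user", "dns_beacon_source": "resolver.example",
    "system": {"hostname": "WS-0421", "os": "Windows 10 Pro", "cpu": 8, "ram_mb": 16384},
}).encode()

SAMPLE_TASKING = json.dumps({                     # constructed
    "exec_id": "task-9001", "cmd": "! httppost", "duration": 120, "threads": 64,
    "target": "victim.example",
    "data": base64.b64encode(b"user=x&pass=y&" + b"A" * 32).decode(),
}).encode()


@dataclass(frozen=True)
class Tasking:
    exec_id: str
    command: str
    duration_s: int
    threads: int
    target: str
    body: bytes


def parse_beacon(raw: bytes) -> dict:
    """Validate the bot's first message; missing fields usually mean another family or version."""
    msg = json.loads(raw)
    missing = BEACON_FIELDS - msg.keys()
    if missing:
        raise ValueError(f"beacon missing fields: {sorted(missing)}")
    return msg


def parse_tasking(raw: bytes) -> Tasking:
    """Decode the C2 reply. The POST body arrives Base64-encoded; the command is
    normalised so the report's '! httppost' and a bare '!httppost' compare equal."""
    msg = json.loads(raw)
    command = msg["cmd"].replace(" ", "").lower()
    try:
        body = base64.b64decode(msg.get("data", ""), validate=True)
    except binascii.Error as exc:
        raise ValueError("tasking payload is not valid Base64") from exc
    return Tasking(str(msg["exec_id"]), command, int(msg["duration"]),
                   int(msg["threads"]), msg["target"], body)


def defang(indicator: str) -> str:
    return indicator.replace(".", "[.]")


def triage(beacon: dict, tasking: Tasking) -> dict:
    """Analyst summary: who the bot is, what it was told to hit, and for how long.
    Target and C2 are defanged so the summary can be pasted into a ticket."""
    return {
        "bot_id": beacon["id"],
        "victim_host": beacon["system"].get("hostname"),
        "privilege": beacon["privilege"],
        "command": tasking.command,
        "is_flood": tasking.command == "!httppost",
        "target": defang(tasking.target),
        "duration_s": tasking.duration_s,
        "threads": tasking.threads,
        "post_body_bytes": len(tasking.body),
        "c2": defang(C2_IP),
    }


if __name__ == "__main__":
    summary = triage(parse_beacon(SAMPLE_BEACON), parse_tasking(SAMPLE_TASKING))
    for key, value in summary.items():
        print(f"{key:>16}: {value}")
```

Rejecting malformed Base64 rather than decoding leniently matters here: a tasking that does not decode cleanly is either a different protocol version or a decoy, and either way the analyst should see an error instead of a truncated body.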

Remediation Actions

Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable: 

  • CVE-2025-68385 (Kibana): update Kibana to 8.19.9, 9.1.9 or 9.2.3 (or later on the same line). No fixed release is listed for 7.x, so 7.x deployments need to be upgraded to a patched 8.x or 9.x line.
  • CVE-2025-14847 (MongoDB Server): successful exploitation exposes uninitialised heap memory and potentially sensitive data, so update to 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32 or 4.4.30 as appropriate. The 3.6, 4.0 and 4.2 branches have no fix and need to be moved to a supported branch. Where the upgrade cannot be applied immediately, removing zlib from the enabled network message compressors is a reasonable interim measure, and the server should not be reachable from untrusted networks.
  • CVE-2025-64669 (Microsoft Windows Admin Center): update to version 2511, released on 9 December 2025, and confirm the installed version on every management host. On hosts that cannot be updated straight away, check the ACL on C:\ProgramData\WindowsAdminCenter and remove any write grant to standard users as interim hardening.

If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.