AWS Telemetry Boost, OT Safety Warning, and Urgent Patching

Coverage: 30 Dec 2025 (UTC)

Defensive updates led the day as AWS introduced a simpler path to ingest historical CloudTrail Lake events into CloudWatch for unified analysis, while a new medical advisory from CISA ICSMA detailed a critical Bluetooth authentication flaw in WHILL Model C2 electric wheelchairs and Model F power chairs. Agencies and enterprises also confronted patching priorities around actively exploited MongoDB servers and a SmarterMail file‑upload bug that enables remote code execution, amid a year‑end review of how attackers leveraged Microsoft vulnerabilities at scale.

Telemetry consolidation on AWS

AWS has added a streamlined option to import past CloudTrail Lake events into CloudWatch so security, operational, and compliance telemetry can be analyzed side by side with live logs and metrics. The feature supports console, CLI, and SDK workflows, helping teams script bulk backfills for incident response or onboarding and reduce data fragmentation across services. Because imported records are billed as CloudWatch custom logs, organizations should plan retention, log‑group design, and filters to control cost and maintain query performance; access may also require updated IAM permissions.

Complementing observability, AWS WAF is now available in the Asia Pacific (New Zealand) Region, providing local application‑layer protections with potential latency and data‑handling benefits for New Zealand deployments. Teams can apply consistent rule sets across regions and integrate with CloudFront, load balancers, and Shield to strengthen web defenses.

Advisories and patch imperatives

CISA published an ICS medical advisory describing a critical Bluetooth pairing weakness (CVE-2025-14346, CVSS 9.8) in WHILL Model C2 electric wheelchairs and Model F power chairs that allows unauthenticated pairing and remote control of movement, speed, and configuration. WHILL’s mitigations include speed‑profile protection, blocking unlock commands while in motion, and obfuscating app configuration files. CISA recommends defense‑in‑depth practices for connected control devices and applying vendor updates promptly. No specific in‑the‑wild exploitation was reported to CISA at publication.

Separately, Singapore’s cybersecurity authority alerted operators to a SmarterTools SmarterMail flaw that permits unauthenticated arbitrary file uploads leading to remote code execution. Reported as CVE‑2025‑52691 (CVSS 10.0), affected versions include Build 9406 and earlier; the vendor released a fix in Build 9413, and the alert advises updating to Build 9483 for strongest coverage. Guidance includes immediate patching, limiting exposure of mail services, auditing for suspicious uploads, and validating system integrity. Details are summarized by The Hacker News.

In the database stack, U.S. federal agencies were directed to remediate the MongoBleed vulnerability (CVE‑2025‑14847) after confirmed exploitation. The flaw stems from MongoDB’s handling of zlib‑compressed network packets and can leak sensitive in‑memory data from unpatched servers. Internet scans show tens of thousands of exposed instances; interim guidance includes disabling zlib if patching is delayed. The mandate sets a three‑week deadline, underscoring urgency for discovery, patching, compensating controls, and monitoring, according to BleepingComputer.
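The interim guidance above, disabling zlib where patching is delayed, turns on one setting: net.compression.compressors in mongod.conf. The following script is an added example (not MongoDB's tooling and not part of the federal directive) that parses the YAML subset mongod.conf uses, reports whether zlib is accepted, and emits the hardened value. It assumes the standard config layout and MongoDB's documented default of "snappy,zstd,zlib" when the key is absent; verify that default against your server version. The sample configs are constructed for illustration.

```python
"""Audit a mongod.conf for zlib network compression and propose a hardened
setting. Added example, not MongoDB's or the advisory's own tooling.
Assumptions: the file uses the standard nested YAML layout
(net.compression.compressors) and the documented default of
"snappy,zstd,zlib" applies when the key is absent (verify for your version).
"""

DEFAULT_COMPRESSORS = "snappy,zstd,zlib"  # assumed default when the key is absent


def parse_simple_yaml(text):
    """Parse the 'key: value' / nested-map subset of YAML that mongod.conf uses.
    No lists, anchors or multi-line scalars: enough for this check."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:  # climb back to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a nested mapping follows
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def compressors_in_effect(config):
    """Return the compressor list mongod would accept for this config."""
    raw = (config.get("net", {}).get("compression", {})
           .get("compressors", DEFAULT_COMPRESSORS))
    return [c.strip() for c in str(raw).split(",") if c.strip()]


def zlib_enabled(config):
    return "zlib" in compressors_in_effect(config)


def hardened_compressors(config):
    """Same list with zlib removed; 'disabled' (the documented value for turning
    network compression off) if nothing would remain."""
    kept = [c for c in compressors_in_effect(config) if c != "zlib"]
    return ",".join(kept) if kept else "disabled"


def audit(text):
    config = parse_simple_yaml(text)
    return {
        "zlib_enabled": zlib_enabled(config),
        "compressors": compressors_in_effect(config),
        "recommended": hardened_compressors(config),
    }


# Constructed sample configs (not taken from any real deployment).
IMPLICIT_DEFAULT = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
"""

EXPLICIT_ZLIB = """\
net:
  port: 27017
  compression:
    compressors: snappy,zlib   # zlib still accepted
"""

HARDENED = """\
net:
  port: 27017
  compression:
    compressors: snappy,zstd
"""

if __name__ == "__main__":
    for name, cfg in [("implicit default", IMPLICIT_DEFAULT),
                      ("explicit zlib", EXPLICIT_ZLIB), ("hardened", HARDENED)]:
        r = audit(cfg)
        print(f"{name}: zlib_enabled={r['zlib_enabled']} "
              f"compressors={r['compressors']} -> "
              f"net.compression.compressors: {r['recommended']}")
```

The first sample is the common case that a grep for "zlib" would miss: the key is absent, so the default list still accepts zlib. Restart mongod after changing the setting, and treat this as a stopgap until the patched build is deployed.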

Looking across the year, Microsoft patching data compiled by CSO Online highlights 1,246 CVEs addressed in 2025, including 158 critical and 41 zero‑days. Elevation‑of‑privilege issues comprised roughly 38.3% of Patch Tuesday items and RCEs about 30%, with attackers frequently striking soon after releases. The analysis advocates contextual prioritization beyond raw CVSS, using approaches like SSVC to align remediation with exposure and real‑world exploitability.
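To make the "beyond raw CVSS" point concrete, here is an added example (not CSO Online's analysis and not the CERT/CC SSVC tooling) that applies a simplified SSVC-style deployer decision to the three advisories in this brief. The rule set is a reduced approximation of the SSVC deployer tree, not its published lookup table, and the exposure, automatability and impact inputs for each CVE are this example's assumptions; only the CVSS scores and exploitation status come from the brief.

```python
"""Simplified SSVC-style deployer decision for the advisories in this brief.
Added example: the rules below approximate the CERT/CC SSVC deployer tree and
are not its published table; per-CVE exposure/automatable/impact inputs are
assumptions for illustration, not values stated by the advisories."""

from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Exploitation(IntEnum):
    NONE = 0    # no public PoC and no reported exploitation
    POC = 1     # public proof of concept exists
    ACTIVE = 2  # confirmed in-the-wild exploitation


class Exposure(IntEnum):
    SMALL = 0       # isolated segment
    CONTROLLED = 1  # reachable only by a limited population (proximity, VPN)
    OPEN = 2        # internet-reachable


class Impact(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2
    VERY_HIGH = 3


DECISION_RANK = {"Immediate": 0, "Out-of-cycle": 1, "Scheduled": 2, "Defer": 3}


@dataclass
class Finding:
    cve: str
    cvss: Optional[float]  # None where the brief states no score
    exploitation: Exploitation
    exposure: Exposure
    automatable: bool      # can an attacker scale it without per-target effort?
    impact: Impact


def decide(f: Finding) -> str:
    """Simplified SSVC deployer outcome; first matching rule wins.
    CVSS is deliberately not an input."""
    if f.exploitation == Exploitation.ACTIVE:
        if f.exposure == Exposure.OPEN or f.impact >= Impact.HIGH:
            return "Immediate"
        return "Out-of-cycle"
    if f.exploitation == Exploitation.POC:
        if f.exposure == Exposure.OPEN and (f.automatable or f.impact >= Impact.HIGH):
            return "Out-of-cycle"
        return "Scheduled"
    # No known exploitation: only an internet-facing, automatable, high-impact
    # flaw jumps the regular patch cycle.
    if f.exposure == Exposure.OPEN and f.automatable and f.impact >= Impact.HIGH:
        return "Out-of-cycle"
    if f.exposure == Exposure.OPEN or f.impact >= Impact.HIGH:
        return "Scheduled"
    return "Defer"


def prioritize(findings):
    """Order by SSVC outcome first; CVSS (where known) only breaks ties."""
    def key(f):
        return (DECISION_RANK[decide(f)], -(f.cvss if f.cvss is not None else 0.0))
    return [(f.cve, decide(f)) for f in sorted(findings, key=key)]


# CVSS and exploitation status as stated in the brief; the remaining inputs
# are assumptions made for this example.
FINDINGS = [
    # WHILL: no exploitation reported; Bluetooth range assumed CONTROLLED; safety impact
    Finding("CVE-2025-14346", 9.8, Exploitation.NONE, Exposure.CONTROLLED, False, Impact.VERY_HIGH),
    # SmarterMail: brief states no exploitation; mail servers assumed internet-facing
    Finding("CVE-2025-52691", 10.0, Exploitation.NONE, Exposure.OPEN, True, Impact.HIGH),
    # MongoBleed: confirmed exploitation, exposed instances; CVSS not given in the brief
    Finding("CVE-2025-14847", None, Exploitation.ACTIVE, Exposure.OPEN, True, Impact.HIGH),
]

if __name__ == "__main__":
    for cve, decision in prioritize(FINDINGS):
        print(f"{cve}: {decision}")
```

Under these inputs MongoBleed ranks first despite having no CVSS score in the brief, ahead of the CVSS 10.0 and 9.8 items, because confirmed exploitation on internet-facing hosts dominates the decision. Swapping the assumed inputs (for example, treating the wheelchair flaw as OPEN exposure) changes the outcome, which is the point: the inputs are what a deployer actually knows about their own environment.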

Stealthy campaigns: rootkits, extensions, and lures

Kaspersky research described a Mustang Panda operation deploying a signed kernel‑mode mini‑filter driver to load an updated ToneShell backdoor against government targets in Asia. The driver, registered at a high altitude to preempt some AV filters, injects user‑mode shellcode and enforces rootkit protections over files, registry keys, and processes, while the in‑memory backdoor communicates over TCP/443 and supports shell access and file operations. The tradecraft raises the bar for detection and emphasizes kernel‑level forensics and live memory analysis, as reported by BleepingComputer. In parallel, a new self‑hosted traffic distribution service dubbed ErrTraffic automates “ClickFix” social engineering by injecting single‑line HTML that triggers fake browser glitches and clipboard‑seeded PowerShell commands. Operators market claimed high conversion rates and map payloads by OS and geography; observed deliveries include Windows info‑stealers, macOS AMOS, and Android trojans, per BleepingComputer. Why it matters: both techniques blend user deception and low‑level evasion to bypass common endpoint defenses.

Data theft via the browser layer also drew attention. Koi Security detailed “Zoom Stealer,” a cluster of 18 Chrome, Firefox, and Edge extensions with roughly 2.2 million users that harvested meeting URLs, IDs, embedded passwords, schedules, and speaker metadata from major platforms. Exfiltration occurred in real time over WebSockets; several extensions remained available as of reporting. The findings underscore the need to review permissions and remove unnecessary add‑ons, according to BleepingComputer. Separately, researchers tracked Silver Fox expanding beyond Chinese‑language targets to Indian users with tax‑themed lures that use NSIS installers and DLL search‑order hijacking to inject the modular ValleyRAT into a hollowed explorer.exe. The campaign employs anti‑analysis checks, disables Windows Update, and configures persistence and Defender exclusions, as covered by The Hacker News.

Breach confirmations and legal actions

The European Space Agency confirmed a breach of a limited number of external servers used for unclassified collaborative engineering work. A threat actor on a hacking forum claimed access to JIRA and Bitbucket for about a week and alleged exfiltration of more than 200GB, including code, CI/CD pipelines, tokens, and Terraform files. ESA initiated forensic analysis, secured potentially affected systems, and notified stakeholders, reports BleepingComputer. The presence of access tokens and credentials, if validated, could pose follow‑on risk beyond the initially affected hosts.

In U.S. court proceedings, two former security professionals pleaded guilty for their roles in BlackCat (ALPHV) ransomware attacks against multiple organizations in 2023. The defendants admitted to a conspiracy to obstruct commerce by extortion and face sentencing in March 2026. The case illustrates the legal exposure and ethical breach when industry insiders participate in extortion operations, according to BleepingComputer.