TLDR Security — Saturday, January 3, 2026
Pleased to see y'all back here in 2026! I hope the holidays treated everyone well this year and you're feeling good!
As usual, the new year arrived with a familiar rhythm: a critical database vulnerability under active exploitation, a space agency breach, and a reminder that insider threats can come from the people you trust most. This week also brought fresh evidence that the 2022 LastPass breach is still paying dividends for Russian cybercriminals three years later.
.\ MongoBleed memory leak under active exploitation—87,000 instances exposed worldwide
MongoDB disclosed CVE-2025-14847 (CVSS 8.7) on December 19, and CISA added it to KEV on December 29 with a January 19, 2026 remediation deadline. Dubbed "MongoBleed," the vulnerability lets an unauthenticated attacker leak the contents of MongoDB server memory (credentials, API keys, session tokens, and PII among them) by sending malformed zlib-compressed wire-protocol messages; no login is needed because compression is negotiated before authentication. The flaw affects all MongoDB Server versions from 3.6 through 8.2.2 when zlib compression is enabled, which it is in the default configuration. Wiz reports 42% of cloud environments contain at least one vulnerable instance, and Censys identified over 87,000 exposed instances globally. A public proof-of-concept exploit has been available since December 26. Upgrade to 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30 immediately; older branches (3.6 through 4.2) have no fixed release and need to move to a supported version. If patching isn't possible right away, disable zlib as a temporary mitigation by removing it from net.compression.compressors and restarting mongod, keeping snappy and zstd if you need compression at all.
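The version list above is easy to misread at 2 a.m., so here is a small triage helper that encodes it. This is an added example, not MongoDB's tooling or this newsletter's own code: it classifies a server from its version string and its configured compressors, and rewrites a mongod.conf fragment to drop zlib. The version ranges come from the text above; the assumption that the compressor default is snappy,zstd,zlib, the `mongod.conf` sample, and every function name are mine.

```python
import re

# Added example (not MongoDB's tooling or this newsletter's own code): a triage
# helper for CVE-2025-14847 built only from the versions quoted in the write-up.
# Patched release per branch, as listed in the advisory summary.
FIXED_BY_BRANCH = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
}
OLDEST_AFFECTED = (3, 6, 0)   # "3.6 through 8.2.2"
NEWEST_AFFECTED = (8, 2, 2)
# Assumption: the compressor default on current servers is snappy,zstd,zlib,
# which is what "enabled by default" means in practice.
DEFAULT_COMPRESSORS = "snappy,zstd,zlib"


def parse_version(text):
    """'8.2.1', 'v8.2.1' or '8.2.1-rc0' -> (8, 2, 1)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def assess(version, compressors=DEFAULT_COMPRESSORS):
    """Classify one server as patched / mitigated / vulnerable / check-advisory."""
    v = parse_version(version)
    enabled = {c.strip() for c in compressors.split(",") if c.strip()}
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None and v >= fixed:
        return "patched", "fixed release for this branch"
    if v < OLDEST_AFFECTED or (fixed is None and v > NEWEST_AFFECTED):
        return "check-advisory", "outside the version ranges quoted here"
    # Everything below is inside the affected range.
    if fixed is not None:
        advice = "upgrade to %d.%d.%d" % fixed
    else:
        advice = "no fixed release in this branch; move to a supported one"
    if "zlib" not in enabled:
        # The bug sits in the zlib path, so removing zlib blocks the known
        # exploit, but the server is still unpatched.
        return "mitigated", "zlib disabled; still " + advice
    return "vulnerable", advice


def compressors_from_conf(conf_text):
    """Read net.compression.compressors (comma-separated form) from mongod.conf
    text. No explicit setting means the server runs with the default list."""
    if re.search(r"^\s*compressors:[ \t]*$", conf_text, re.MULTILINE):
        raise ValueError("YAML list form of compressors is not handled here")
    m = re.search(r"^\s*compressors:[ \t]*(\S+)", conf_text, re.MULTILINE)
    return m.group(1) if m else DEFAULT_COMPRESSORS


def harden_conf(conf_text):
    """Return mongod.conf text with zlib removed from the negotiated compressors
    (the advisory's stopgap). mongod must be restarted for it to take effect."""
    current = compressors_from_conf(conf_text)
    kept = [c.strip() for c in current.split(",") if c.strip() and c.strip() != "zlib"]
    hardened = ",".join(kept) if kept else "disabled"   # 'disabled' = no compression at all
    if not re.search(r"^\s*compressors:", conf_text, re.MULTILINE):
        raise ValueError("no explicit compressors setting; add "
                         "net.compression.compressors: " + hardened + " under net:")
    return re.sub(r"^(\s*compressors:[ \t]*)\S+", lambda m: m.group(1) + hardened,
                  conf_text, flags=re.MULTILINE)


# Constructed mongod.conf fragment (not from any real deployment). Note the
# bindIp: this is the kind of instance Censys counts as exposed.
SAMPLE_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
  compression:
    compressors: snappy,zstd,zlib
"""

if __name__ == "__main__":
    for ver in ("8.2.1", "8.2.3", "4.2.25", "7.0.28"):
        print(ver, *assess(ver, compressors_from_conf(SAMPLE_CONF)))
    print(harden_conf(SAMPLE_CONF))
```

Feed `assess` the output of `db.version()` and the compressors value from `db.adminCommand({getCmdLineOpts: 1})` for each host; an absent setting means the default list, which includes zlib. A "mitigated" result is a holding position, not a fix, and if an instance sat exposed and unpatched while the PoC was public, treat anything that was in server memory (credentials, tokens) as potentially leaked and rotate it.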
.\ Source shelf: MongoDB Advisory · Wiz Research · Arctic Wolf
.\ European Space Agency confirms breach after hacker offers 200GB of stolen data for sale
The European Space Agency confirmed on December 30 that attackers breached servers outside its corporate network following claims by threat actor "888" on BreachForums. The attacker alleged access to ESA's JIRA and Bitbucket environments for a week, claiming to have exfiltrated 200GB of data including source code, API tokens, access credentials, configuration files, and confidential documents. Screenshots suggest the compromised material may include subsystem requirements for the Ariel exoplanet mission and Airbus spacecraft documentation marked "confidential." ESA stated the affected servers support "unclassified collaborative engineering activities within the scientific community" and emphasized they operate outside the agency's core network. This follows a December 2024 incident where ESA's online shop was compromised with payment-skimming malware. ESA says forensic analysis is ongoing and stakeholders have been notified.
.\ Source shelf: BleepingComputer · SecurityWeek · SpaceNews
.\ Insider threat realized: Two incident responders plead guilty to BlackCat ransomware attacks
Two cybersecurity professionals pleaded guilty on December 30 to conducting BlackCat/ALPHV ransomware attacks while employed at firms hired to help victims. Ryan Goldberg, 40, a former incident response manager at Sygnia, and Kevin Martin, 36, a former ransomware negotiator at DigitalMint, admitted to attacking five U.S. companies between May and November 2023—including three healthcare organizations. The pair worked with an unnamed third co-conspirator (also a DigitalMint employee) who obtained BlackCat affiliate access, paying administrators a 20% cut of ransoms. Demands ranged from $300,000 to $10 million; one medical device company paid approximately $1.27 million. Both face up to 20 years in prison at sentencing on March 12, 2026. "These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks—the very type of crime that they should have been working to stop," said Assistant Attorney General A. Tysen Duva.
.\ Source shelf: DOJ Press Release · BleepingComputer · The Record
.\ LastPass 2022 breach still enabling crypto theft three years later—$35 million traced to Russian actors
TRM Labs published research this week tracing over $35 million in cryptocurrency thefts to the 2022 LastPass breach, with wallet drains continuing through late 2025. Attackers have been systematically cracking weak master passwords from the 30 million encrypted vault backups stolen in the breach, extracting stored crypto seed phrases and private keys. The laundering pipeline shows consistent Russian cybercriminal involvement: $28 million was traced through Wasabi Wallet in late 2024 and early 2025, with funds off-ramped via Cryptex (sanctioned by OFAC in 2024) and Audi6, both Russian exchanges linked to illicit activity. An additional $7 million wave was identified in September 2025. The U.K. ICO fined LastPass £1.2 million in November for inadequate security measures. Security researchers warn that any LastPass user who stored cryptocurrency credentials before August 2022 and hasn't rotated those secrets remains at risk.
.\ Source shelf: TRM Labs · BleepingComputer · The Hacker News
.\ Venezuela's PDVSA hit by ransomware amid U.S. tensions—export operations disrupted
Venezuela's state oil company Petróleos de Venezuela (PDVSA) suffered a ransomware attack in mid-December that disrupted administrative systems and export operations, according to sources cited by Reuters and Bloomberg. While PDVSA claimed operations were unaffected, internal memos instructed staff to shut down computers and disconnect from networks, and sources reported all cargo deliveries were suspended. The company isolated terminals, oilfields, and refineries from its central system and reverted to manual records. PDVSA blamed the attack on U.S. "foreign interests," though no evidence supports this claim—the incident coincided with U.S. seizure of a Venezuelan crude tanker. Sources told Reuters the disruption stemmed from antivirus remediation efforts following a ransomware attack detected days earlier. As of early January, PDVSA's administrative systems reportedly still haven't fully recovered, forcing continued use of written records.
.\ Source shelf: BleepingComputer · The Record · Dark Reading
.\ Also Notable
- Edge device campaign CISA deadlines have passed — WatchGuard Firebox (Dec 26), SonicWall SMA1000 (Dec 24), Cisco AsyncOS (Dec 24), and Fortinet FortiCloud SSO (Dec 23) deadlines are now overdue; treat unpatched devices as compromised.
- Microsoft Teams enabling safety features by default January 12 — New messaging safety features will activate automatically to combat malicious content in Teams conversations.
- New year brings expected national cyber strategy — National Cyber Director Sean Cairncross says a short, action-focused strategy document is coming early 2026; CIRCIA final rule delayed until May 2026.
.\ Ops Bench
MongoBleed should be at the top of your patching queue this week. The combination of unauthenticated exploitation, publicly available PoC code, and 87,000+ exposed instances makes this an active threat, and the leak is from server memory, so a successful read can hand an attacker the credentials and tokens that get them past authentication next time. Follow MongoDB's guidance to disable zlib as a stopgap if immediate patching isn't feasible (remove it from net.compression.compressors and restart), but keep the upgrade scheduled: the mitigation only closes the zlib path. On the detection side, exploitation looks like pre-authentication traffic: watch the mongod log for bursts of accepted connections from a single source that never produce a successful authentication, and for instances reachable from the internet treat any such burst since December 26 as a reason to rotate the secrets the server held in memory.
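To make "pre-authentication connection bursts" concrete, here is an added detection example (not MongoDB's code or this newsletter's) that runs over structured mongod log lines. The sample log is constructed inline in the JSON shape MongoDB 4.4+ writes (`c`, `id`, `msg`, `attr` fields); the source addresses, connection ids, the 10-connections-in-10-seconds threshold, and the function names are my assumptions for the demo. It flags addresses that hit the listener repeatedly inside one window and never show a "Successfully authenticated" event anywhere in the log.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Added example, not MongoDB's or this newsletter's own code: flag source
# addresses that open many connections in a short window and never authenticate.


def _line(ts, c, ident, ctx, msg, attr):
    """Build one record in the MongoDB 4.4+ structured-log shape (constructed data)."""
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}+00:00"
    return json.dumps({"t": {"$date": stamp}, "s": "I", "c": c, "id": ident,
                       "ctx": ctx, "msg": msg, "attr": attr})


def constructed_sample():
    """Constructed log: one app server that authenticates, one monitoring host
    with two health-check connections, and one address hammering the listener
    25 times in four seconds without ever authenticating."""
    t0 = datetime(2026, 1, 2, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(3):                       # legitimate application pool
        t = t0 + timedelta(seconds=i)
        peer = f"10.0.0.5:{51000 + i}"
        lines.append(_line(t, "NETWORK", 22943, "listener", "Connection accepted",
                           {"remote": peer, "connectionId": 100 + i, "connectionCount": i + 1}))
        lines.append(_line(t + timedelta(milliseconds=40), "ACCESS", 20250, f"conn{100 + i}",
                           "Successfully authenticated",
                           {"client": peer, "mechanism": "SCRAM-SHA-256", "user": "app", "db": "admin"}))
    for i in range(2):                       # unauthenticated health checks, below threshold
        lines.append(_line(t0 + timedelta(seconds=5 * i), "NETWORK", 22943, "listener",
                           "Connection accepted",
                           {"remote": f"10.0.0.9:{40000 + i}", "connectionId": 200 + i, "connectionCount": 4}))
    for i in range(25):                      # pre-auth burst: connect, send, disconnect
        t = t0 + timedelta(milliseconds=160 * i)
        peer = f"198.51.100.7:{40000 + i}"
        lines.append(_line(t, "NETWORK", 22943, "listener", "Connection accepted",
                           {"remote": peer, "connectionId": 300 + i, "connectionCount": 5}))
        lines.append(_line(t + timedelta(milliseconds=30), "NETWORK", 22944, f"conn{300 + i}",
                           "Connection ended",
                           {"remote": peer, "connectionId": 300 + i, "connectionCount": 4}))
    return lines


def parse_events(lines):
    """Yield (timestamp, kind, ip) for connection-accept and auth-success events."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        attr = rec.get("attr") or {}
        ts = datetime.fromisoformat(rec["t"]["$date"])
        if rec.get("c") == "NETWORK" and rec.get("msg") == "Connection accepted":
            yield ts, "accept", attr["remote"].rsplit(":", 1)[0]
        elif rec.get("c") == "ACCESS" and rec.get("msg") == "Successfully authenticated":
            yield ts, "auth", attr["client"].rsplit(":", 1)[0]


def find_preauth_bursts(lines, threshold=10, window=timedelta(seconds=10)):
    """Return {ip: peak accepts inside one window} for addresses that reached
    the threshold and never authenticated successfully anywhere in the log."""
    accepts, authenticated = defaultdict(list), set()
    for ts, kind, ip in parse_events(lines):
        if kind == "accept":
            accepts[ip].append(ts)
        else:
            authenticated.add(ip)
    flagged = {}
    for ip, times in accepts.items():
        if ip in authenticated:
            continue
        times.sort()
        peak, j = 0, 0
        for i, t in enumerate(times):        # sliding window over sorted accept times
            while times[j] < t - window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, n in find_preauth_bursts(constructed_sample()).items():
        print(f"{ip}: {n} unauthenticated connections inside one window")
```

Point `find_preauth_bursts` at `open("/var/log/mongodb/mongod.log")` instead of the constructed sample. The rule deliberately ignores any address that has authenticated at least once, so application pools and replica-set peers stay quiet; the things it will surface are scanners, health checks from hosts that never log in (tune the threshold or allow-list those), and exploitation attempts, which is the triage you want on an exposed instance this week.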
.\ Source shelf: MongoDB Security Advisory · CISA KEV
The insider threat case is a reminder for MSPs and incident response providers: your own staff can become the threat. Both defendants held privileged access to client environments through their incident response roles, and the co-conspirator brought the affiliate access. Review and time-limit access to sensitive client environments, implement separation of duties so the person negotiating a ransom is not the person who can deploy the payload, and ensure logging captures lateral movement even by authorized personnel, since activity from a trusted responder's account is exactly what this scheme relied on going unquestioned.
.\ Source shelf: DOJ Announcement
I hope y'all have a great beginning to the new year! Until next week!