Oktacron - Cyber Security RSS Feeds History

ManageMyHealth Provides Update on Ongoing Cyberattack Investigation

cyberexpress Jan 05, 2026 Firewall Daily

Manage My Health (MMH) has released a detailed update on the ongoing investigation following a cyberattack that was first reported on 30 December 2025. The ManageMyHealth hack has affected a portion of the organization's user base, prompting urgent responses from MMH, Health New Zealand, and law show more ...

enforcement agencies. In its statement on 5 January 2026, MMH acknowledged the anxiety caused to both healthcare providers and patients. The company described the cyberattack on ManageMyHealth as a form of criminal activity targeting its systems and apologized for any distress caused. MMH confirmed it is coordinating closely with New Zealand Police, Health New Zealand, and other relevant authorities to respond to the incident. “The immediate priority was to secure systems, protect patient data, and verify the accuracy of information before communicating with practices and patients,” MMH stated. The organization emphasized its commitment to transparency and pledged to provide daily updates whenever possible, though it acknowledged that legal and operational constraints can sometimes delay information release. The Deeper Insight into the ManageMyHealth Hack Independent forensic analysis has confirmed that the cyberattack on ManageMyHealth targeted only a specific module within the app, Health Documents, rather than the entire platform. Preliminary investigations indicate that approximately 6–7% of the 1.8 million registered users may have had documents accessed. MMH clarified that there is currently no evidence of core patient database access, modification, destruction of records, or theft of user login credentials. However, the organization continues to work with cybersecurity specialists to verify which documents were affected and to ensure a full understanding of the breach. “We have identified and closed the specific security gaps that allowed unauthorized access,” MMH said in its 3 January 2026 update. Additional safeguards, such as stricter login attempts and strengthened storage for health documents, have been implemented. Users are also encouraged to enable two-factor authentication via supported apps, including Google Authenticator and Microsoft Authenticator, to enhance account security. Coordinated Response to Data Breach at MMH In response to the MMH data breach, the organization has begun communications with general practices, providing secure, confidential lists of affected patients. Notifications to individuals are expected to commence shortly, coordinated with Health New Zealand, General Practice New Zealand (GPNZ), and the relevant Primary Health Organizations (PHOs). MMH has also established measures to prevent further dissemination of sensitive information. Injunction orders have been obtained from the High Court to block third parties from distributing potentially compromised data, and an international monitoring team is actively tracking known leak sites for any illicit publications. “The cyberattack constitutes criminal activity, and any unlawful use of patient data will be pursued through legal action,” the company stated, while refraining from commenting on potential ransom demands, which remain under investigation by the New Zealand Police. Support for Patients and Healthcare Providers To assist those affected, MMH plans to launch a dedicated 0800 helpline and online support desk. The company is working to ensure clear guidance for healthcare providers handling patient inquiries, aiming for consistent and accurate communication across the sector. MMH’s CEO, Vino Ramayah, highlighted the importance of restoring public trust. “We appreciate the patience of patients, practices, and partners while this complex investigation continues. Our priority remains transparency, system security, and appropriate support for all affected parties,” he said. Independent forensic specialists continue to investigate the breach, and MMH has confirmed full cooperation with the Ministry of Health review. The findings are expected to inform improvements not only for MMH but across the broader health sector, reinforcing cybersecurity standards and preparedness against future incidents. While MMH has taken immediate steps to secure its systems and support affected users, the investigation into the data breach at MMH remains ongoing, with updates expected as forensic confirmation and legal processes progress. This is an ongoing story, and The Cyber Express is closely monitoring the situation. We’ll update this post once we have more information on the ManageMyHealth hack or any further information from the company.

Critical IBM API Connect Vulnerability Enables Authentication Bypass

cyberexpress Jan 05, 2026 Cyber News

IBM has released security updates to address a critical IBM API Connect vulnerability that could allow remote attackers to bypass authentication controls and gain unauthorized access to affected applications. The flaw, tracked as CVE-2025-13915, carries a CVSS 3.1 score of 9.8, placing it among the most severe show more ...

vulnerabilities disclosed in recent months. According to IBM, the IBM API Connect vulnerability impacts multiple versions of the platform and stems from an authentication bypass weakness that could be exploited remotely without any user interaction or prior privileges. Organizations running affected versions are being urged to apply fixes immediately to reduce exposure. CVE-2025-13915: IBM API Connect Authentication Bypass Explained The vulnerability has been classified under CWE-305: Authentication Bypass by Primary Weakness, indicating a failure in enforcing authentication checks under certain conditions. IBM said internal testing revealed that the flaw could allow an attacker to circumvent authentication mechanisms entirely. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) highlights the seriousness of the issue. The attack can be carried out over the network, requires low attack complexity, and does not depend on user interaction. If exploited, it could result in a complete compromise of confidentiality, integrity, and availability within the affected IBM API Connect environment. IBM warned that a successful attack could grant unauthorized access to API Connect applications, potentially exposing sensitive data and backend services managed through the platform. Affected IBM API Connect Versions The IBM API Connect vulnerability affects specific versions within the 10.x release series. IBM confirmed that the following product versions are impacted: IBM API Connect V10.0.8.0 through V10.0.8.5 IBM API Connect V10.0.11.0 API Connect is widely deployed in enterprise environments to manage APIs, control developer access, and secure integrations between internal and external services. As a result, vulnerabilities in the platform can have cascading effects across connected systems. IBM Releases Fixes for IBM API Connect Vulnerability To remediate CVE-2025-13915, IBM has issued interim fixes (iFixes) for all affected versions and strongly recommends that customers upgrade without delay. For the 10.0.8.x branch, fixes have been released for each affected sub-version, including 10.0.8.1, 10.0.8.2 (iFix1 and iFix2), 10.0.8.3, 10.0.8.4, and 10.0.8.5. IBM has also provided an interim fix for IBM API Connect V10.0.11.0. IBM emphasized that upgrading to the remediated versions is the most effective way to eliminate the authentication bypass risk associated with this vulnerability. Workarounds and Mitigations for Unpatched Systems For organizations unable to apply the fixes immediately, IBM has outlined a temporary mitigation to reduce risk. Administrators are advised to disable self-service sign-up on the Developer Portal, if that feature is enabled. While this measure does not fully address the IBM API Connect authentication bypass vulnerability, IBM said it can help minimize exposure until patching is completed. The company cautioned that workarounds should only be used as a short-term solution. Why the IBM API Connect Vulnerability Matters Authentication bypass vulnerabilities are particularly dangerous because they undermine one of the most fundamental security controls in enterprise applications. In API-driven environments, such flaws can provide attackers with a direct path to sensitive services, data stores, and internal systems. The vulnerability was published in the National Vulnerability Database (NVD) on December 26, 2025, and last updated on December 31, 2025, with IBM listed as the CNA and source. Given the critical severity rating, security teams are expected to prioritize remediation and review API access logs for any signs of unauthorized activity. Organizations running affected versions of IBM API Connect are urged to assess their deployments immediately and apply the recommended fixes to prevent potential exploitation.

SlowMist Flags Potential Security Risk at HitBTC Exchange

cyberexpress Jan 05, 2026 Firewall Daily

A newly disclosed security warning has drawn attention to potential risks at the HitBTC Exchange after blockchain security firm SlowMist reported identifying a potentially critical vulnerability on the platform. SlowMist revealed the issue in a public post on X (formerly Twitter), after efforts to contact HitBTC show more ...

through direct messages reportedly went unanswered. According to the blockchain security firm, responsible disclosure protocols were followed before the public warning, but the absence of acknowledgment left researchers with limited options to ensure user safety. In its official statement, SlowMist wrote, “We have identified a potential critical vulnerability and reached out via DM in advance under responsible disclosure, but have not yet received a response. Please contact us promptly to coordinate next steps.” Although no technical details were released to prevent misuse, SlowMist stressed that the vulnerability could pose serious risks to both user funds and sensitive data held on the HitBTC Exchange. HitBTC Exchange and Ongoing Cryptocurrency Security Concerns Founded in 2013, HitBTC Exchange is one of the oldest cryptocurrency trading platforms still in operation. Registered in the British Virgin Islands, the exchange offers access to more than 250 cryptocurrencies and over 800 trading pairs. Recent figures show that HitBTC processed more than $110 million in trading volume within 24 hours. Despite its long-standing presence, the platform has faced criticism in recent years related to transparency, customer support responsiveness, and communication practices. The current incident has intensified those concerns, especially since similar situations have occurred elsewhere in the cryptocurrency sector. The warning involving HitBTC marks at least the third instance in recent weeks where SlowMist publicly disclosed vulnerability concerns after failing to establish contact with an exchange. In December, the firm issued comparable notices to Seychelles-registered Azbit and Turkey-based ICRYPEX Global, both of which reportedly did not respond despite managing daily trading activity. Data Shows Rising Impact of Cryptocurrency Attacks The unfolding situation reflects broader security trends affecting the cryptocurrency ecosystem. According to SlowMist’s 2025 annual security report, approximately 200 blockchain-related security incidents occurred during the year, resulting in estimated losses of $2.935 billion. While the number of incidents declined compared to 2024, the total financial impact increased by 46%, indicating more targeted and high-impact attacks. Exchange-related incidents numbered only 12 in 2025 but accounted for losses totaling $1.809 billion. In contrast, decentralized finance (DeFi) protocols experienced 126 incidents, leading to $649 million in losses. Supporting this data, blockchain security firm CertiK reported that $117.8 million was lost to cryptocurrency exploits in December 2025 alone. SlowMist continues to play an important role in monitoring and mitigating these threats. During 2025, the firm helped freeze or recover approximately $19.29 million in stolen assets using its threat intelligence network and MistTrack analysis platform. Across 18 major incidents, around $387 million of $1.957 billion in stolen funds was recovered, representing a recovery rate of 13.2%.

European Space Agency Confirms Cybersecurity Breach on External Servers

cyberexpress Jan 05, 2026 Cyber News

The European Space Agency (ESA) has confirmed a cybersecurity breach involving servers located outside its corporate network. This confirmation comes following threat actor claim that they had compromised ESA systems and stolen a large volume of internal data. While ESA maintains that only unclassified information was show more ...

affected. In an official statement shared on social media, the European Space Agency said it is aware of the cybersecurity issue and has already launched a forensic security investigation, which remains ongoing. According to ESA, preliminary findings indicate that only a very small number of external servers were impacted. “These servers support unclassified collaborative engineering activities within the scientific community,” ESA stated, emphasizing that the affected infrastructure does not belong to its internal corporate network. The agency added that containment measures have been implemented to secure potentially affected devices and that all relevant stakeholders have been informed. [caption id="attachment_108221" align="aligncenter" width="620"] Source: ESA Twitter Handle[/caption] ESA said it will provide further updates as additional details become available. Threat Actor Claims Data Theft The confirmation follows claims posted on BreachForums and DarkForums, where a hacker using the alias “888” alleges responsibility for the cybersecurity breach. According to the posts, the attack occurred on December 18, 2025, and resulted in the full exfiltration of internal ESA development assets. The threat actor claims to have stolen over 200 GB of data, including private Bitbucket repositories, source code, CI/CD pipelines, API tokens, access tokens, configuration files, Terraform files, SQL files, confidential documents, and hardcoded credentials. “I’ve been connecting to some of their services for about a week now and have stolen over 200GB of data, including dumping all their private Bitbucket repositories,” the actor wrote in one forum post. The stolen data is reportedly being offered as a one-time sale, with payment requested exclusively in Monero (XMR), a cryptocurrency commonly associated with underground cybercrime marketplaces. [caption id="attachment_108222" align="aligncenter" width="832"] Source: Data Breach Fourm[/caption] ESA has not verified the authenticity or scope of the claims made by the threat actor. So far, ESA has not disclosed which specific external servers were compromised or whether any credentials or development assets referenced by the threat actor were confirmed to be exposed. Founded 50 years ago and headquartered in Paris, the European Space Agency is an intergovernmental organization that coordinates space activities across 23 member states. Given ESA’s role in space exploration, satellite systems, and scientific research, cybersecurity incidents involving the agency carry heightened strategic and reputational significance. Previous European Space Agency Cybersecurity Incidents This is not the first cybersecurity breach involving ESA in recent years. In December 2024, the agency’s official web shop was compromised after attackers injected malicious JavaScript code designed to steal customer information and payment card data during checkout. That incident raised concerns around third-party systems and external-facing infrastructure, an issue that appears relevant again in the current breach involving non-corporate servers. What Happens Next While ESA insists the compromised systems hosted only unclassified data, the ongoing forensic investigation will be critical in determining the true scope and impact of the breach. As threat actors continue to publish claims on hacking forums, the incident highlights the growing cybersecurity risks facing large scientific and governmental organizations that rely heavily on collaborative and distributed digital environments. ESA has said further updates will be shared once more information becomes available.

CISA Known Exploited Vulnerabilities Soared 20% in 2025

cyberexpress Jan 05, 2026 Cyber News

After stabilizing in 2024, the growth of known exploited vulnerabilities accelerated in 2025. That was one conclusion from Cyble’s analysis of CISA’s Known Exploited Vulnerability (KEV) catalog data from 2025. After growing at roughly 21% in 2023, with 187 vulnerabilities added to the CISA KEV catalog that year, show more ...

growth slowed to about 17% in 2024, with 185 vulnerabilities added. Growth in exploited vulnerabilities reaccelerated in 2025, with 245 vulnerabilities added to the KEV database, for a roughly 20% growth rate. The KEV catalog ended 2025 with 1,484 software and hardware flaws at high risk of attack. The 245 flaws added in 2025 is also more than 30% above the trend of 185 to 187 vulnerabilities added the previous two years. Cyble also examined vulnerabilities exploited by ransomware groups, the vendors and projects with the most KEV additions (and several that actually improved), and the most common exploited software weaknesses (CWEs). Older Vulnerabilities Added to CISA KEV Also Grew Older vulnerabilities added to the CISA KEV catalog also grew in 2025, Cyble said. After adding an average of 65 older vulnerabilities to the KEV catalog in 2023 and 2024, CISA added 94 vulnerabilities from 2024 and earlier to the catalog in 2025, an increase of nearly 45% from the 2023-2024 average. The oldest vulnerability added to the KEV catalog last year was CVE-2007-0671, a Microsoft Office Excel Remote Code Execution vulnerability. The oldest vulnerability in the catalog remains CVE-2002-0367, a privilege escalation vulnerability in the Windows NT and Windows 2000 smss.exe debugging subsystem that has been known to be used by ransomware groups, Cyble said. CISA removed at least one vulnerability from the KEV catalog in 2025. CVE-2025-6264 is a Velociraptor Incorrect Default Permissions vulnerability that CISA determined had “insufficient evidence of exploitation,” Cyble noted. Vulnerabilities Targeted in Ransomware Attacks CISA marked 24 of the vulnerabilities added in 2025 as known to be exploited by ransomware groups, Cyble said. Those vulnerabilities include some well-known flaws such as CVE-2025-5777 (dubbed “CitrixBleed 2”) and Oracle E-Business Suite vulnerabilities targeted by the CL0P ransomware group. Vendors with multiple vulnerabilities targeted by ransomware groups included Fortinet, Ivanti, Microsoft, Mitel, Oracle and SonicWall. Projects and Vendors with the Most Exploited Vulnerabilities Microsoft once again led all vendors and projects in CISA KEV additions in 2025, with 39 vulnerabilities added to the database, up from 36 in 2024. Apple, Cisco, Google Chromium. Ivanti and Linux each had 7-9 vulnerabilities added to the KEV catalog. Several vendors and projects actually improved in 2025, with fewer vulnerabilities added than they had in 2024, “suggesting improved security controls,” Cyble said. Adobe, Android, Apache, Ivanti, Palo Alto Networks, and VMware were among those that saw a decline in KEV vulnerabilities. Most Common Software Weaknesses Eight software and hardware weaknesses (common weakness enumerations, or CWEs) were “particularly prominent among the 2025 KEV additions,” Cyble said, noting that the list is similar to the 2024 list. The most common CWEs in the 2025 CISA KEV additions were: CWE-78 – OS Command Injection – accounted for 18 of the 245 vulnerabilities. CWE-502 – Deserialization of Untrusted Data – was a factor in 14 of the vulnerabilities. CWE-22 – Path Traversal – appeared 13 times. CWE-416 – Use After Free – was a flaw in 11 of the vulnerabilities. CWE-787 – Out-of-bounds Write – accounted for 10 of the vulnerabilities. CWE-79 – Cross-site Scripting – appeared 7 times. CWE-94 (Code Injection) and CWE-287 (Improper Authentication) appeared 6 times each.

Crimson Collective Claims Breach of U.S. Fiber Broadband Provider Brightspeed

cyberexpress Jan 05, 2026 Cyber News

The hacking group Crimson Collective claims to have obtained the personal data of more than a million residential customers of U.S. fiber broadband provider Brightspeed. In a January 4 Telegram post, the group behind a Red Hat GitLab breach last year claimed to possess “over 1m+ residential user PII's,” or show more ...

personally identifiable information. Crimson Collective said it would release a data sample on January 5 to give Brightspeed “some time first to answer to us.” It is not known what if any communications occurred between the company and the hacker group, but Crimson Collective made good on that threat and released the data sample today. Crimson Collective Details Brightspeed Claims Crimson Collective claims to possess a wide range of data on Brightspeed customers, including: Customer account master records containing names, email addresses, phone numbers, billing and service addresses, and account status Network type, consent flags, billing system, service instance, network assignment, and site IDs Address qualification responses with address IDs, full postal addresses, latitude and longitude coordinates, qualification status (fiber/copper/4G), maximum bandwidth, drop length, wire center, marketing profile codes, and eligibility flags User-level account details keyed by session/user IDs, “overlapping with PII including names, emails, phones, service addresses, account numbers, status, communication preferences, and suspend reasons” Payment history, including payment IDs, dates, amounts, invoice numbers, card types and masked payment card numbers (last 4 digits), gateways, and status Payment methods per account, including default payment method IDs, gateways, masked credit card numbers, expiry dates, bank identification numbers (BINs), holder names and addresses, status flags (Active/Declined), and created/updated timestamps Appointment and order records by billing account, including order numbers, status, appointment windows, dispatch and technician information, and install types. Potential Risk for Brightspeed Users In an email exchange with The Cyber Express, a Crimson Collective spokesperson noted that while the data doesn’t include password or credit card data that could put users at imminent risk of breach or theft, the group said that “Every PII is important, with all this data people can easily start big sophisticated phishing campaigns or even get access to specific people's infrastructure.” Asked if the group has established persistent access to Brightspeed’s environment, the spokesperson replied, “Cannot disclose this.” The Cyber Express also reached out to Brightspeed for comment and will update this article with any response. However, the company reportedly told Security Week that it is “currently investigating reports of a cybersecurity event. As we learn more, we will keep our customers, employees and authorities informed. We take the security of our networks and protection of our customers’ and employees’ information seriously and are rigorous in securing our networks and monitoring threats.”

CISOs Face A Tighter Insurance Market in 2026

darkreading Jan 05, 2026 Feed

Critical 'MongoBleed' Bug Under Active Attack, Patch Now

darkreading Jan 05, 2026 Feed

A memory leak security vulnerability allows unauthenticated attackers to extract passwords and tokens from MongoDB servers.

US Cyber Pros Plead Guilty Over BlackCat Ransomware Activity

darkreading Jan 05, 2026 Feed

Two US citizens pleaded guilty to working as ALPHV/BlackCat ransomware affiliates in 2023, and both were previously employed by prominent security firms.

RondoDox Botnet Expands Scope With React2Shell Exploitation

darkreading Jan 05, 2026 Feed

Recent attacks are targeting Next.js servers and pose a significant threat of cryptomining, botnet payloads, and other malicious activity to IoT networks and enterprises.

Cyberattack forces British high school to close

cyware Jan 05, 2026 News

A cyberattack has forced a high school in central England to remain closed following the Christmas holidays.

EU looking ‘very seriously’ at taking action against X over Grok

cyware Jan 05, 2026 News

The European Commission is looking “very seriously” into taking action against the social media platform X following an incident in which its artificial intelligence tool Grok was used to create sexual images of a minor.

Russian hackers target European hospitality industry with ‘blue screen of death’ malware

cyware Jan 05, 2026 Cybercrime

The scheme starts with a fake reservation cancellation that impersonates a popular booking site, and eventually prompts victims with an error message and “Blue Screen of Death” page.