AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 01/06/2026

RondoDox Botnet Exploits Critical React2Shell Flaw to Hijack IoT Devices and Web Servers

Cybersecurity researchers disclosed a persistent nine-month campaign targeting Internet of Things (IoT) devices and web applications to enroll them into the RondoDox botnet, which has recently weaponized the critical React2Shell vulnerability (CVE-2025-55182, CVSS 10.0). The campaign evolved through three phases starting in March 2025: reconnaissance, then daily mass vulnerability probing of WordPress, Drupal, and IoT devices, and finally hourly automated deployment at scale beginning in July. As of late December, approximately 90,300 vulnerable instances remain exposed globally. Attackers are deploying cryptocurrency miners, botnet loaders, and Mirai variants, and are actively terminating competing malware every 45 seconds to keep control of compromised devices.


Critical IBM API Connect Authentication Bypass Vulnerability Enables Remote Access

IBM disclosed CVE-2025-13915, a critical authentication bypass vulnerability in API Connect with a CVSS score of 9.8 that allows remote attackers to circumvent authentication mechanisms and gain unauthorized application access. The flaw affects API Connect versions 10.0.8.0 through 10.0.8.5 and version 10.0.11.0, requiring no user interaction or special privileges to exploit. IBM strongly urges immediate patching through available interim fixes, while organizations unable to deploy patches should disable self-service sign-up on their Developer Portal as a temporary mitigation to reduce exposure.
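The affected-version ranges above are easy to get wrong in a fleet inventory if versions are compared as strings (a build such as 10.0.8.10 sorts below 10.0.8.5 lexically). The following is an added example, not IBM tooling or code from the advisory: it parses dotted version strings numerically and triages a host-to-version map against the ranges the summary lists (10.0.8.0 through 10.0.8.5, and 10.0.11.0). The hostnames and versions in the sample inventory are constructed.

```python
"""Triage IBM API Connect hosts against the CVE-2025-13915 affected ranges.

Added example, not IBM's tooling. The affected ranges come from the advisory
summary above; the sample inventory at the bottom is constructed.
"""
from __future__ import annotations

import re

# Inclusive (low, high) ranges as stated in the advisory summary.
AFFECTED_RANGES = [
    ((10, 0, 8, 0), (10, 0, 8, 5)),
    ((10, 0, 11, 0), (10, 0, 11, 0)),
]

# Leading dotted-numeric prefix; anything after it (a local build tag,
# an iFix label) is ignored for range matching.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '10.0.8.5' into (10, 0, 8, 5) so comparison is numeric.

    String comparison would rank '10.0.8.10' below '10.0.8.5' and
    wrongly place it inside the affected range.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a dotted version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad short strings so '10.0.8' compares as 10.0.8.0.
    return parts + (0,) * max(0, 4 - len(parts))


def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range (inclusive)."""
    v = parse_version(version)[:4]
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a host -> version map into 'affected' and 'not_affected' lists."""
    out: dict[str, list[str]] = {"affected": [], "not_affected": []}
    for host, version in sorted(inventory.items()):
        out["affected" if is_affected(version) else "not_affected"].append(host)
    return out


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are made up for illustration.
    sample = {
        "apic-prod-01": "10.0.8.5",
        "apic-prod-02": "10.0.8.10",   # string compare would flag this; numeric does not
        "apic-dev-01": "10.0.11.0",
        "apic-dev-02": "10.0.11.1",
        "apic-legacy": "10.0.7.9",
    }
    for bucket, hosts in triage(sample).items():
        print(bucket, hosts)
```

Treat the output as a worklist rather than a verdict: matching is by base version only, so a host already carrying IBM's interim fix on, say, 10.0.8.5 will still appear under "affected" unless your inventory records the fix separately.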


700Credit Breach Impacts 5.6 Million Following Web Application Attack

Michigan-based credit reporting service provider 700Credit LLC disclosed that hackers accessed and copied sensitive consumer information tied to dealership customers, affecting approximately 5.6 million people nationwide through a breach of its 700Dealer.com web application platform. The compromised data includes names, addresses, dates of birth, Social Security numbers, bank account details, driver’s license numbers, and government-issued identification numbers, with South Carolina alone reporting over 108,000 affected residents. The company engaged forensic specialists and notified federal authorities while emphasizing that investigators found no evidence of internal network compromise, with the activity confined to the application layer.


Covenant Health Qilin Ransomware Attack Affects 478,188 Patients Across Multiple Facilities

Covenant Health confirmed that the Qilin ransomware gang compromised its IT systems between May 18 and May 26, 2025, ultimately impacting 478,188 individuals across hospitals and healthcare facilities in Maine, Massachusetts, New Hampshire, Pennsylvania, Rhode Island, and Vermont. The threat actors maintained access for eight days before detection, during which they exfiltrated 852 GB of data comprising approximately 1.35 million files including patient names, addresses, Social Security numbers, medical record numbers, health insurance information, and detailed treatment records. Qilin was identified as one of 2025’s most destructive ransomware operations, with researchers tracking over 700 attacks last year and the group claiming responsibility for approximately 40 victims per month.


ManageMyHealth Ransomware Attack Exposes 126,000 Patients in New Zealand

The Kazu ransomware group threatened to leak over 400,000 files stolen from New Zealand’s ManageMyHealth patient portal unless a $60,000 ransom is paid, with the threat actors accelerating their deadline due to the company’s alleged failure to acknowledge users or provide adequate explanations about the breach. Security experts warn that the approximately 126,000 affected individuals could face significant risks of identity theft, financial fraud, and extortion similar to the 2022 Medibank attack in Australia that resulted in hundreds of thousands of real financial crimes. Between 6 and 7 percent of ManageMyHealth’s approximately 1.8 million registered users may have been affected by the compromise.
