The Hacker News | #1 Trusted Source for Cybersecurity News

Microsoft has revealed that a threat actor it tracks as Storm-1977 has conducted password spraying attacks against cloud tenants in the education sector over the past year. "The attack involves the use of AzureChecker.exe, a Command Line Interface (CLI) tool that is being used by a wide range of threat actors," the Microsoft Threat Intelligence team said in an analysis. The tech giant noted that it observed the binary to connect to an external server named "sac-auth.nodefunction[.]vip" to retrieve an AES-encrypted data that contains a list of password spray targets.  The tool also accepts as input a text file called "accounts.txt" that includes the username and password combinations to be used to carry out the password spray attack. "The threat actor then used the information from both files and posted the credentials to the target tenants for validation," Microsoft said. In one successful instance of account compromise observed by Redm...

Cybersecurity researchers have detailed the activities of an initial access broker (IAB) dubbed ToyMaker that has been observed handing over access to double extortion ransomware gangs like CACTUS . The IAB has been assessed with medium confidence to be a financially motivated threat actor, scanning for vulnerable systems and deploying a custom malware called LAGTOY (aka HOLERUN). "LAGTOY can be used to create reverse shells and execute commands on infected endpoints," Cisco Talos researchers Joey Chen, Asheer Malhotra, Ashley Shen, Vitor Ventura, and Brandon White said . The malware was first documented by Google-owned Mandiant in late March 2023, attributing its use to a threat actor it tracks as UNC961 . The activity cluster is also known by other names such as Gold Melody and Prophet Spider. The threat actor has been observed leveraging a huge arsenal of known security flaws in internet-facing applications to obtain initial access, followed by conducting reconnai...

North Korea-linked threat actors behind the Contagious Interview have set up front companies as a way to distribute malware during the fake hiring process. "In this new campaign, the threat actor group is using three front companies in the cryptocurrency consulting industry—BlockNovas LLC (blocknovas[.] com), Angeloper Agency (angeloper[.]com), and SoftGlide LLC (softglide[.]co)—to spread malware via 'job interview lures," Silent Push said in a deep-dive analysis. The activity, the cybersecurity company said, is being used to distribute three different known malware families, BeaverTail, InvisibleFerret , and OtterCookie . Contagious Interview is one of the several job-themed social engineering campaigns orchestrated by North Korea to entice targets into downloading cross-platform malware under the pretext of coding assignment or fixing an issue with their browser when turning on camera during a video assessment. The activity is tracked by the broader cybersecurity...

Threat actors are likely exploiting a new vulnerability in SAP NetWeaver to upload JSP web shells with the goal of facilitating unauthorized file uploads and code execution.  "The exploitation is likely tied to either a previously disclosed vulnerability like CVE-2017-9844 or an unreported remote file inclusion (RFI) issue," ReliaQuest said in a report published this week. The cybersecurity said the possibility of a zero-day stems from the fact that several of the impacted systems were already running the latest patches. The flaw is assessed to be rooted in the "/developmentserver/metadatauploader" endpoint in the NetWeaver environment, enabling unknown threat actors to upload malicious JSP-based web shells in the "servlet_jsp/irj/root/" path for persistent remote access and deliver additional payloads. Put differently, the lightweight JSP web shell is configured to upload unauthorized files, enable entrenched control over the infected hosts, execu...

When we talk about identity in cybersecurity, most people think of usernames, passwords, and the occasional MFA prompt. But lurking beneath the surface is a growing threat that does not involve human credentials at all, as we witness the exponential growth of Non-Human Identities (NHIs).  At the top of mind when NHIs are mentioned, most security teams immediately think of Service Accounts . But NHIs go far beyond that. You've got Service Principals , Snowflake Roles , IAM Roles , and platform-specific constructs from AWS, Azure, GCP, and more. The truth is, NHIs can vary just as widely as the services and environments in your modern tech stack, and managing them means understanding this diversity. The real danger lies in how these identities authenticate. Secrets: The Currency of Machines Non-Human Identities, for the most part, authenticate using secrets : API keys, tokens, certificates, and other credentials that grant access to systems, data, and critical infrastructure. Th...

Cybersecurity researchers have disclosed three security flaws in the Rack Ruby web server interface that, if successfully exploited, could enable attackers to gain unauthorized access to files, inject malicious data, and tamper with logs under certain conditions. The vulnerabilities, flagged by cybersecurity vendor OPSWAT, are listed below - CVE-2025-27610 (CVSS score: 7.5) - A path traversal vulnerability that could be used to gain access to all files under the specified root: directory, assuming an attacker can determine the paths to those files CVE-2025-27111 (CVSS score: 6.9) - An improper neutralization of carriage return line feeds ( CRLF ) sequences and improper output neutralization for logs vulnerability that could be used to manipulate log entries and distort log files CVE-2025-25184 (CVSS score: 5.7) - An improper neutralization of carriage return line feeds (CRLF) sequences and improper output neutralization for logs vulnerability that could be used to manipulate...

The problem is simple: all breaches start with initial access, and initial access comes down to two primary attack vectors – credentials and devices. This is not news; every report you can find on the threat landscape depicts the same picture.  The solution is more complex. For this article, we'll focus on the device threat vector. The risk they pose is significant, which is why device management tools like Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) are essential components of an organization's security infrastructure. However, relying solely on these tools to manage device risk actually creates a false sense of security. Instead of the blunt tools of device management, organizations are looking for solutions that deliver device trust . Device trust provides a comprehensive, risk-based approach to device security enforcement, closing the large gaps left behind by traditional device management solutions. Here are 5 of those limitations and how to ov...

Cybersecurity researchers are warning about a new malware called DslogdRAT that's installed following the exploitation of a now-patched security flaw in Ivanti Connect Secure (ICS). The malware, along with a web shell, were "installed by exploiting a zero-day vulnerability at that time, CVE-2025-0282, during attacks against organizations in Japan around December 2024," JPCERT/CC researcher Yuma Masubuchi said in a report published Thursday. CVE-2025-0282 refers to a critical security flaw in ICS that could allow unauthenticated remote code execution. It was addressed by Ivanti in early January 2025. However, the shortcoming has been exploited as a zero-day by a China-nexus cyber espionage group dubbed UNC5337 to deliver the SPAWN ecosystem of malware, as well as other tools like DRYHOOK and PHASEJAM. The deployment of the latter two malware strains has not been attributed to any known threat actor. Since then, both JPCERT/CC and the U.S. Cybersecurity and Infrastr...

At least six organizations in South Korea have been targeted by the prolific North Korea-linked Lazarus Group as part of a campaign dubbed Operation SyncHole . The activity targeted South Korea's software, IT, financial, semiconductor manufacturing, and telecommunications industries, according to a report from Kaspersky published today. The earliest evidence of compromise was first detected in November 2024. The campaign involved a "sophisticated combination of a watering hole strategy and vulnerability exploitation within South Korean software," security researchers Sojun Ryu and Vasily Berdnikov said . "A one-day vulnerability in Innorix Agent was also used for lateral movement." The attacks have been observed paving the way for variants of known Lazarus tools such as ThreatNeedle , AGAMEMNON , wAgent , SIGNBT , and COPPERHEDGE . What makes these intrusions particularly effective is the likely exploitation of a security vulnerability in Cross EX, a legi...

Cybersecurity researchers have demonstrated a proof-of-concept (PoC) rootkit dubbed Curing that leverages a Linux asynchronous I/O mechanism called io_uring to bypass traditional system call monitoring. This causes a "major blind spot in Linux runtime security tools," ARMO said. "This mechanism allows a user application to perform various actions without using system calls," the company said in a report shared with The Hacker News. "As a result, security tools relying on system call monitoring are blind' to rootkits working solely on io_uring." io_uring, first introduced in Linux kernel version 5.1 in March 2019, is a Linux kernel system call interface that employs two circular buffers called a submission queue (SQ) and a completion queue (CQ) between the kernel and an application (i.e., user space) to track the submission and completion of I/O requests in an asynchronous manner. The rootkit devised by ARMO facilitates communication between ...

The Evolving Healthcare Cybersecurity Landscape   Healthcare organizations face unprecedented cybersecurity challenges in 2025. With operational technology (OT) environments increasingly targeted and the convergence of IT and medical systems creating an expanded attack surface, traditional security approaches are proving inadequate. According to recent statistics, the healthcare sector experienced a record-breaking year for data breaches in 2024, with over 133 million patient records exposed. The average cost of a healthcare data breach has now reached $11 million, making it the most expensive industry for breaches.  What's changed dramatically is the focus of attackers. No longer content with merely extracting patient records, cybercriminals are now targeting the actual devices that deliver patient care. The stakes have never been higher, with ransomware now representing 71% of all attacks against healthcare organizations and causing an average downtime of 11 days per inc...