
The Hacker News | Expert Insights — Index Page

ShinyHunters Data Breach vs. SaaS: Why Dynamic Security Matters

Aug 25, 2025
ShinyHunters is a notorious cybercrime group that has resurfaced with a new playbook of SaaS-focused attacks. Known for monetizing stolen data on underground forums since 2020, ShinyHunters has historically breached companies by stealing credentials and databases. Recently, however, they've shifted tactics to aggressive social engineering, mirroring the methodology of the Scattered Spider group. Instead of exploiting software vulnerabilities, ShinyHunters now exploits human trust, targeting the underbelly of third-party SaaS platforms through impersonation and phishing. In mid-2025, a wave of breaches struck companies like Google, Workday, Pandora, Cisco, Chanel, and others, all tied together by one common thread: the attackers leveraged access to these firms' Salesforce CRM or similar cloud systems. Below, we look at what happened in the Google and Workday breaches, examine techniques ShinyHunters used, and demonstrate how a dynamic SaaS security approach (like Reco's) could have...
How to Defend Against Root-of-Trust Attacks: Lessons from Secret Blizzard

Aug 18, 2025
In early 2025, Russian state-backed threat group Secret Blizzard targeted foreign embassies with a man-in-the-middle (MITM) attack that bypassed MFA. Instead of sending phishing emails or dropping malware, they compromised the root of trust on embassy systems — the mechanism that determines which connections and certificates are trusted. By controlling local internet infrastructure inside Russia, Secret Blizzard:
- Used that certificate to impersonate legitimate websites without triggering browser warnings.
- Intercepted "secure" traffic to harvest session tokens, cookies, and credentials — without detection.
High-signal takeaway: A root-of-trust compromise undermines all Transport Layer Security (TLS)-based protections, including FIDO-based MFA.
Why Traditional MFA and FIDO Fail Against This Attack
Seemingly secure MFA assumes secure TLS connections. When TLS is compromised via a rogue root certificate, the browser happily connects to an attacker-controlled endpoint. This break...
AI's Hidden Security Debt

Aug 18, 2025
AI-powered coding assistants now play a central role in modern software development. Developers use them to speed up tasks, reduce boilerplate snippets, and automate routine code generation. But with that speed comes a dangerous trade-off. The tools designed to accelerate innovation are degrading application security by embedding subtle yet serious vulnerabilities in software. Nearly half of the code snippets generated by five AI models contained bugs that attackers could exploit, a study showed. A second study confirmed the risk, with nearly one-third of Python snippets and a quarter of JavaScript snippets produced by GitHub Copilot having security flaws. The problem goes beyond flawed output. AI tools instill a false sense of confidence. Developers using AI assistance not only wrote significantly less secure code than those who worked unaided, but they also believed their insecure code was safe, a clear sign of automation bias.
The Dangerous Simplicity of AI-...
Defending Against Adversarial AI and Deepfake Attacks

Aug 18, 2025
Imagine joining a video call with your CEO, only to find out later the CEO participant was actually an AI-generated fake. Welcome to the new digital battlefield. Adversarial AI and deepfakes have created an identity attack surface that is not just digital, but is also based on reality itself. These technologies are no longer science fiction or theoretical. They are actively being used to spoof identities, manipulate political perceptions, and circumvent even the best cybersecurity training initiatives. If your cybersecurity defenses rely solely on human perception, voice recognition, or even visual evidence, you are vulnerable to an attack.
From Cat and Mouse to Machine vs. Machine
Cybersecurity has always been a game of cat and mouse. As defenders (mice), we have historically been able to adapt our defenses for phishing, malware, ransomware, and insider threats. Today, we're also strategizing ...
Why Traditional Approaches to Patch Management Fail in the Era of SaaS Sprawl and BYOD

Aug 18, 2025
Device and software vulnerabilities pose an increasing risk to modern security. However, patch management is an infamously difficult (and downright Sisyphean) task for IT and security teams, who are faced with an ever-growing list of CVEs to remediate. This task was difficult enough in the days of on-premise environments, but a modern distributed workforce has to contend with all the users, devices, and applications that may exist outside the purview of traditional security solutions, like MDM. Overall, with the ever-growing number of CVEs and the ever-growing sprawl of shadow IT, patch management has become both more urgent and more daunting than ever. IT and security teams need to adopt zero trust methods to ensure that only healthy and patched devices are able to access their critical systems. With the help of SaaS management and employee-remediation tactics, teams can do even more to improve efficacy and support for their company-wide patch management programs.  French philo...
The Second Layer of Salesforce Security Many Teams Miss

Aug 11, 2025
Automated tools give you visibility. Adversarial testing gives you clarity. In Salesforce environments, you need both.
The Problem with Checkbox Security in a Platform-Centric World
Salesforce has become more than just a CRM—it's the backbone of how many organizations operate. It holds customer data, governs workflows, drives revenue, and connects to dozens of internal and third-party systems. But that complexity is exactly what makes it hard to secure. And too often, security teams rely solely on generic scans or scheduled audits that were never designed to handle the nuance of Salesforce's layered permissions, custom logic, and evolving integrations. The result? A lot of surface-level findings—and a lot of assumptions about what those findings actually mean.
Automation Is Essential—But It's Only One Layer
There's no question that modern scanning tools play a vital role in Salesforce security. The right platforms can surface deeply nested permissions, cross-object access paths,...
Why SaaS AI Governance Should Be on Every CISO's Agenda

Aug 04, 2025
Generative AI has quietly become a part of the SaaS ecosystem that businesses use every day. Platforms like Zoom, Slack, Microsoft 365, and Salesforce now have AI assistants. You can use these tools to do things like write summaries of meetings or perform routine tasks. A recent survey found that 95% of U.S. businesses now use generative AI. This is a big increase from last year. But this quick growth of AI features is making security leaders worried. Sensitive information could be leaked or used in the wrong way if there aren't enough controls in place.
Shadow AI and Its Far-Reaching Risks
When employees use AI apps without the knowledge or approval of IT, it creates shadow AI. This is akin to the shadow IT problem of unsanctioned cloud apps, but now with AI services. The unauthorized use of AI platforms can unknowingly expose organizations to data privacy issues, compliance violations, and even disinformation risks. We're already seeing these risks play out. Samsung engin...
The New Face of DDoS is Impacted by AI

Aug 04, 2025
The past year has marked a decisive shift in the way Distributed Denial-of-Service (DDoS) attacks operate. DDoS used to mean, simply speaking, the overwhelming of targets with massive amounts of traffic. But now, DDoS attacks have evolved into precision-guided threats – and this transformation can be partly attributed to AI. The acceleration is measurable. In the first quarter of 2025 alone, DDoS incidents surged by 358 percent compared to the same period in 2024, according to Cloudflare. Even more concerning, the proportion of attacks that caused actual production downtime rose by 53 percent. This is not just a spike. It is a sign that attackers are fundamentally changing how DDoS campaigns are planned, launched, and adapted in real time. The consequences are significant: organizations that rely on legacy DDoS defenses or irregular testing methods are finding themselves exposed, often without knowing it.
How Attackers are Enhancing DDoS Attacks
DDoS attacks historically reli...
EDR Detects, EPM Prevents. Why Using Both is a Winning Formula for Modern Endpoint Protection

Jul 28, 2025
The Perfect Recipe for Endpoint Security Calls for Privilege Control
Today's most effective ransomware attacks don't require malware; they require a login. Modern threat actors don't need to break in. They can leverage legitimate identities and their privileges to gain a foothold, then continue to capitalize on them, moving laterally to probe for more opportunities and manipulate vulnerabilities and exploits to spread ransomware and spyware. A vulnerable identity or account tied to an endpoint can quickly become an attacker's ticket to your most valuable assets and controls. With legitimate identities being used as the initial foothold in more attacks, we're seeing less 'anomalous' activity and far more seemingly normal actions performed by a trusted, privileged user. And attackers are keenly aware of how easily they can 'hide' behind these legitimate user accounts. This is why Endpoint Detection and Response (EDR) is really only one piece of the endpoint protection puzz...