Incident response | Breaking Cybersecurity News | The Hacker News

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday disclosed that ransomware actors are targeting unpatched SimpleHelp Remote Monitoring and Management (RMM) instances to compromise customers of an unnamed utility billing software provider. "This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025," the agency said in an advisory. Earlier this year, SimpleHelp disclosed a set of flaws (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) that could result in information disclosure, privilege escalation, and remote code execution. The vulnerabilities have since come under repeated exploitation in the wild, including by ransomware groups like DragonForce, to breach targets of interest. Last month, Sophos revealed that a Managed Service Provider's SimpleHelp deployed was accessed by the threat actor using these flaws, and then leveraged it to pivot t...

ConnectWise has disclosed that it's planning to rotate the digital code signing certificates used to sign ScreenConnect, ConnectWise Automate, and ConnectWise remote monitoring and management (RMM) executables due to security concerns. The company said it's doing so "due to concerns raised by a third-party researcher about how ScreenConnect handled certain configuration data in earlier versions." While the company did not publicly elaborate on the nature of the problem, it has shed more light in a non-public FAQ accessible only to its customers (and later shared on Reddit ) - The concern stems from ScreenConnect using the ability to store configuration data in an available area of the installer that is not signed but is part of the installer. We are using this ability to pass down configuration information for the connection (between the agent and server) such as the URL where the agent should call back without invalidating the signature. The unsigned area is u...

Threat intelligence firm GreyNoise has warned of a "coordinated brute-force activity" targeting Apache Tomcat Manager interfaces. The company said it observed a surge in brute-force and login attempts on June 5, 2025, an indication that they could be deliberate efforts to "identify and access exposed Tomcat services at scale." To that end, 295 unique IP addresses have been found to be engaged in brute-force attempts against Tomcat Manager on that date, with all of them classified as malicious. Over the past 24 hours, 188 unique IPs have been recorded, a majority of them located in the United States, the United Kingdom, Germany, the Netherlands, and Singapore. In a similar vein, 298 unique IPs were observed conducting login attempts against Tomcat Manager instances. Of the 246 IP addresses flagged in the last 24 hours, all of them are categorized as malicious and originate from the same locations. Targets of these attempts include the United States, the Uni...

In today's security landscape, budgets are tight, attack surfaces are sprawling, and new threats emerge daily. Maintaining a strong security posture under these circumstances without a large team or budget can be a real challenge. Yet lean security models are not only possible - they can be highly effective. River Island, one of the UK's leading fashion retailers, offers a powerful case study on how to do more with less. As River Island's InfoSec Officer, Sunil Patel and his small team of three are responsible for securing over 200 stores, an e-commerce platform, a major distribution center, and head offices. With no headcount growth on the horizon, Sunil had to rethink how security could scale effectively. By adopting a lean security model, powered by Intruder's exposure management platform , the team was able to improve visibility, respond faster to threats, and empower others across the business to fix what matters most. Here are five key lessons from thei...

The threat actor known as Rare Werewolf (formerly Rare Wolf) has been linked to a series of cyber attacks targeting Russia and the Commonwealth of Independent States (CIS) countries. "A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developing their own malicious binaries," Kaspersky said . "The malicious functionality of the campaign described in this article is implemented through command files and PowerShell scripts." The intent of the attacks is to establish remote access to compromised hosts, and siphon credentials, and deploy the XMRig cryptocurrency miner. The activity impacted hundreds of Russian users spanning industrial enterprises and engineering schools, with a smaller number of infections also recorded in Belarus and Kazakhstan. Rare Werewolf , also known by the names Librarian Ghouls and Rezet, is the moniker assigned to an advanced persistent threat (APT) group that has a track record of...

The threat actor known as Bitter has been assessed to be a state-backed hacking group that's tasked with gathering intelligence that aligns with the interests of the Indian government. That's according to new findings jointly published by Proofpoint and Threatray in an exhaustive two-part analysis. "Their diverse toolset shows consistent coding patterns across malware families, particularly in system information gathering and string obfuscation," researchers Abdallah Elshinbary, Jonas Wagner, Nick Attfield, and Konstantin Klinger said. Bitter, also known as APT-C-08, APT-Q-37, Hazy Tiger, Orange Yali, T-APT-17, and TA397, has a history of focusing primarily on South Asian entities , with select intrusions also targeting China, Saudi Arabia, and South America. In December 2024, evidence emerged of the threat actor's targeting of Turkey using malware families such as WmRAT and MiyaRAT, indicating a gradual geographical expansion. Stating that Bitter fr...

Security teams face growing demands with more tools, more data, and higher expectations than ever. Boards approve large security budgets, yet still ask the same question: what is the business getting in return? CISOs respond with reports on controls and vulnerability counts – but executives want to understand risk in terms of financial exposure, operational impact, and avoiding loss. The disconnect has become difficult to ignore. The average cost of a breach has reached $4.88 million, according to recent IBM data . That figure reflects not just incident response but also downtime, lost productivity, customer attrition, and the extended effort required to restore operations and trust. The fallout is rarely confined to security. Security leaders need a model that brings those consequences into view before they surface. A Business Value Assessment (BVA) offers that model. It links exposures to cost, prioritization to return, and prevention to tangible value. This article will explain ...

ConnectWise, the developer of remote access and support software ScreenConnect, has disclosed that it was the victim of a cyber attack that it said was likely perpetrated by a nation-state threat actor. "ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation-state actor, which affected a very small number of ScreenConnect customers," the company said in a brief advisory on May 28, 2025. The company said it has engaged the services of Google Mandiant to conduct a forensic probe into the incident and that it has notified all affected customers. The incident was first reported by CRN. However, it did not reveal the exact number of customers who were impacted by the hack, when it happened, or the identity of the threat actor behind it. It's worth noting that the company, in late April 2025, patched CVE-2025-3935 (CVSS score: 8.1), a high-severity vulnerability in ScreenConnect versions 25.2.3 and ea...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday revealed that Commvault is monitoring cyber threat activity targeting applications hosted in their Microsoft Azure cloud environment. "Threat actors may have accessed client secrets for Commvault's (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure," the agency said . "This provided the threat actors with unauthorized access to Commvault's customers' M365 environments that have application secrets stored by Commvault." CISA further noted that the activity may be part of a broader campaign targeting various software-as-a-service (SaaS) providers' cloud infrastructures with default configurations and elevated permissions. The advisory comes weeks after Commvault revealed that Microsoft notified the company in February 2025 of unauthorized activity by a nation-state threat actor within its Azure environment. The incident led to th...

Modern apps move fast—faster than most security teams can keep up. As businesses rush to build in the cloud, security often lags behind. Teams scan code in isolation, react late to cloud threats, and monitor SOC alerts only after damage is done. Attackers don't wait. They exploit vulnerabilities within hours. Yet most organizations take days to respond to critical cloud alerts. That delay isn't just risky—it's an open door. The problem? Security is split across silos. DevSecOps, CloudSec, and SOC teams all work separately. Their tools don't talk. Their data doesn't sync. And in those gaps, 80% of cloud exposures slip through—exploitable, avoidable, and often invisible until it's too late. This free webinar ," Breaking Down Security Silos: Why Application Security Must Span from Code to Cloud to SOC ," shows you how to fix that. Join Ory Segal, Technical Evangelist at Cortex Cloud (Palo Alto Networks), and discover a practical approach to securing your apps from code to cl...

Organizations across industries are experiencing significant escalations in cyberattacks, particularly targeting critical infrastructure providers and cloud-based enterprises. Verizon's recently released 2025 Data Breach Investigations Report found an 18% YoY increase in confirmed breaches, with the exploitation of vulnerabilities as an initial access step growing by 34%.  As attacks rise in volume and impact, many organizations turn to security tools and compliance standards as their first line of defense. While both are important and necessary components to mitigating cyber risk, they alone are not a silver bullet solution. Effective security requires people, process, and technology, but people must serve as the primary drivers. Your tools and checklists are only as strong as the practitioners implementing them at scale.  This heightens the importance of investing in offensive operations training across every role in the security function. Too often, offensive operation...

Threat actors with ties to the Qilin ransomware family have leveraged malware known as SmokeLoader along with a previously undocumented .NET compiled loader codenamed NETXLOADER as part of a campaign observed in November 2024. "NETXLOADER is a new .NET-based loader that plays a critical role in cyber attacks," Trend Micro researchers Jacob Santos, Raymart Yambot, John Rainier Navato, Sarah Pearl Camiling, and Neljorn Nathaniel Aguas said in a Wednesday analysis. "While hidden, it stealthily deploys additional malicious payloads, such as Agenda ransomware and SmokeLoader. Protected by .NET Reactor 6, NETXLOADER is difficult to analyze." Qilin , also called Agenda, has been an active ransomware threat since it surfaced in the threat landscape in July 2022. Last year, cybersecurity company Halcyon discovered an improved version of the ransomware that it named Qilin.B. Recent data shared by Group-IB shows that disclosures on Qilin's data leak site have mo...

The U.S. government funding for non-profit research giant MITRE to operate and maintain its Common Vulnerabilities and Exposures ( CVE ) program will expire Wednesday, an unprecedented development that could shake up one of the foundational pillars of the global cybersecurity ecosystem. The 25-year-old CVE program is a valuable tool for vulnerability management, offering a de facto standard to identify, define, and catalog publicly disclosed security flaws using CVE IDs. The program has listed over 274,000 CVE records to date. Yosry Barsoum, MITRE's vice president and director of the Center for Securing the Homeland (CSH), said its funding to "develop, operate, and modernize CVE and related programs, such as the Common Weakness Enumeration ( CWE ), will expire." "If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and al...

Microsoft has revealed that a now-patched security flaw impacting the Windows Common Log File System (CLFS) was exploited as a zero-day in ransomware attacks aimed at a small number of targets. "The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia," the tech giant said . The vulnerability in question is CVE-2025-29824, a privilege escalation bug in CLFS that could be exploited to achieve SYSTEM privileges. It was fixed by Redmond as part of its Patch Tuesday update for April 2025. Microsoft is tracking the activity and the post-compromise exploitation of CVE-2025-29824 under the moniker Storm-2460, with the threat actors also leveraging a malware named PipeMagic to deliver the exploit as well as ransomware payloads. The exact initial access vector used in the attacks is currently not known. However, the threa...