Incident response | Breaking Cybersecurity News | The Hacker News

Microsoft on Sunday released security patches for an actively exploited security flaw in SharePoint and also released details of another vulnerability that it said has been addressed with "more robust protections." The tech giant acknowledged it's "aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update." CVE-2025-53770 (CVSS score: 9.8), as the exploited Vulnerability is tracked, concerns a case of remote code execution that arises due to the deserialization of untrusted data in on-premise versions of Microsoft SharePoint Server. The newly disclosed shortcoming is a spoofing flaw in SharePoint ( CVE-2025-53771 , CVSS score: 6.3). An anonymous researcher has been credited with discovering and reporting the bug. "Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint allows an authorized attack...

A critical security vulnerability in Microsoft SharePoint Server has been weaponized as part of an "active, large-scale" exploitation campaign. The zero-day flaw, tracked as CVE-2025-53770 (CVSS score: 9.8), has been described as a variant of CVE-2025-49704 (CVSS score: 8.8), a code injection and remote code execution bug in Microsoft SharePoint Server that was addressed by the tech giant as part of its July 2025 Patch Tuesday updates. "Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network," Microsoft said in an advisory released on July 19, 2025. The Windows maker further noted that it's preparing and fully testing a comprehensive update to resolve the issue. It credited Viettel Cyber Security for discovering and reporting the flaw through Trend Micro's Zero Day Initiative (ZDI). In a separate alert issued Saturday, Redmond said it's aware of active attacks ta...

Cybersecurity researchers have disclosed details of a new malware called MDifyLoader that has been observed in conjunction with cyber attacks exploiting security flaws in Ivanti Connect Secure (ICS) appliances. According to a report published by JPCERT/CC today, the threat actors behind the exploitation of CVE-2025-0282 and CVE-2025-22457 in intrusions observed between December 2024 and July 2025 have weaponized the vulnerabilities to drop MDifyLoader, which is then used to launch Cobalt Strike in memory. CVE-2025-0282 is a critical security flaw in ICS that could permit unauthenticated remote code execution. It was addressed by Ivanti in early January 2025. CVE-2025-22457, patched in April 2025, concerns a stack-based buffer overflow that could be exploited to execute arbitrary code. While both vulnerabilities have been weaponized in the wild as zero-days, previous findings from JPCERT/CC in April have revealed that the first of the two issues had been abused to deliver malware...

AI agents promise to automate everything from financial reconciliations to incident response. Yet every time an AI agent spins up a workflow, it has to authenticate somewhere; often with a high-privilege API key, OAuth token, or service account that defenders can't easily see. These "invisible" non-human identities (NHIs) now outnumber human accounts in most cloud environments, and they have become one of the ripest targets for attackers. Astrix's Field CTO Jonathan Sander put it bluntly in a recent Hacker News webinar : "One dangerous habit we've had for a long time is trusting application logic to act as the guardrails. That doesn't work when your AI agent is powered by LLMs that don't stop and think when they're about to do something wrong. They just do it." Why AI Agents Redefine Identity Risk Autonomy changes everything: An AI agent can chain multiple API calls and modify data without a human in the loop. If the underlying credential is exposed or overprivileged, each addit...

Run by the team at workflow orchestration and AI platform Tines, the Tines library features over 1,000 pre-built workflows shared by security practitioners from across the community - all free to import and deploy through the platform's Community Edition. A recent standout is a workflow that handles malware alerts with CrowdStrike, Oomnitza, GitHub, and PagerDuty. Developed by Lucas Cantor at Intercom, the creators of fin.ai , the workflow makes it easier to determine the severity of a security alert and escalate it seamlessly, depending on the device owner's response. "It's a great way to reduce noise and add context to security issues that are added on our endpoints as well," Lucas explains. In this guide, we'll share an overview of the workflow, plus step-by-step instructions for getting it up and running. The problem - lack of integration between security tools  For security teams, responding to malware threats, analyzing their severity, and identifying the device owner so...

If you're evaluating AI-powered SOC platforms, you've likely seen bold claims: faster triage, smarter remediation, and less noise. But under the hood, not all AI is created equal. Many solutions rely on pre-trained AI models that are hardwired for a handful of specific use cases. While that might work for yesterday's SOC, today's reality is different. Modern security operations teams face a sprawling and ever-changing landscape of alerts. From cloud to endpoint, identity to OT, insider threats to phishing, network to DLP, and so many more, the list goes on and is continuously growing. CISOs and SOC managers are rightly skeptical. Can this AI actually handle all of my alerts, or is it just another rules engine in disguise? In this post, we'll examine the divide between two types of AI SOC platforms. Those built on adaptive AI, which learns to triage and respond to any alert type, and those that rely on pre-trained AI, limited to handling predefined use cases only. Understanding t...

Security operations centers (SOCs) are under pressure from both sides: threats are growing more complex and frequent, while security budgets are no longer keeping pace. Today's security leaders are expected to reduce risk and deliver results without relying on larger teams or increased spending. At the same time, SOC inefficiencies are draining resources. Studies show that up to half of all alerts are false positives, with some reports citing false positive rates as high as 99 percent . This means highly trained analysts spend a disproportionate amount of time chasing down harmless activity, wasting effort, increasing fatigue, and raising the chance of missing real threats. In this environment, the business imperative is clear: maximize the impact of every analyst and every dollar by making security operations faster, smarter, and more focused. Enter the Agentic AI SOC Analyst The agentic AI SOC Analyst is a force multiplier that enables organizations to do more with the team an...

Threat intelligence firm GreyNoise is warning of a "notable surge" in scanning activity targeting Progress MOVEit Transfer systems starting May 27, 2025—suggesting that attackers may be preparing for another mass exploitation campaign or probing for unpatched systems. MOVEit Transfer is a popular managed file transfer solution used by businesses and government agencies to share sensitive data securely. Because it often handles high-value information, it has become a favorite target for attackers.  "Prior to this date, scanning was minimal — typically fewer than 10 IPs observed per day," the company said . "But on May 27, that number spiked to over 100 unique IPs, followed by 319 IPs on May 28." Since then, daily scanner IP volume has remained intermittently elevated between 200 to 300 IPs per day, GreyNoise added, stating it marks a "significant deviation" from usual behavior. As many as 682 unique IPs have been flagged in connection with th...

New research has uncovered continued risk from a known security weakness in Microsoft's Entra ID , potentially enabling malicious actors to achieve account takeovers in susceptible software-as-a-service (SaaS) applications. Identity security company Semperis, in an analysis of 104 SaaS applications, found nine of them to be vulnerable to Entra ID cross-tenant nOAuth abuse. First disclosed by Descope in June 2023, nOAuth refers to a weakness in how SaaS applications implement OpenID Connect ( OIDC ), which refers to an authentication layer built atop OAuth to verify a user's identity. The authentication implementation flaw essentially allows a bad actor to change the mail attribute in the Entra ID account to that of a victim's and take advantage of the app's "Log in with Microsoft" feature to hijack that account. The attack is trivial, but it also works because Entra ID permits users to have an unverified email address, opening the door to user imperson...

Cybersecurity researchers have detailed two novel methods that can be used to disrupt cryptocurrency mining botnets. The methods take advantage of the design of various common mining topologies in order to shut down the mining process , Akamai said in a new report published today. "We developed two techniques by leveraging the mining topologies and pool policies that enable us to reduce a cryptominer botnet's effectiveness to the point of completely shutting it down, which forces the attacker to make radical changes to their infrastructure or even abandon the entire campaign," security researcher Maor Dahan said . The techniques, the web infrastructure company said, hinge on exploiting the Stratum mining protocol such that it causes an attacker's mining proxy or wallet to be banned, effectively disrupting the operation. The first of the two approaches, dubbed bad shares, entails banning the mining proxy from the network, which, in turn, results in the shutdow...

It sure is a hard time to be a SOC analyst. Every day, they are expected to solve high-consequence problems with half the data and twice the pressure. Analysts are overwhelmed—not just by threats, but by the systems and processes in place that are meant to help them respond. Tooling is fragmented. Workflows are heavy. Context lives in five places, and alerts never slow down. What started as a fast-paced, high-impact role has, for many analysts, become a repetitive loop of alert triage and data wrangling that offers little room for strategy or growth.  Most SOC teams also run lean. Last year, our annual SANS SOC Survey found that a majority of SOCs only consist of just 2–10 full-time analysts , a number unchanged since the survey began tracking in 2017. Meanwhile, the scope of coverage has exploded, ranging from on-prem infrastructure to cloud environments, remote endpoints, SaaS platforms, and beyond. Compounded at scale, this has led to systemic burnout across SOC environment...

Hackers never sleep, so why should enterprise defenses? Threat actors prefer to target businesses during off-hours. That's when they can count on fewer security personnel monitoring systems, delaying response and remediation. When retail giant Marks & Spencer experienced a security event over Easter weekend, they were forced to shut down their online operations, which account for approximately a third of the retailer's clothing and home sales. As most staff are away during off-hours and holidays, it takes time to assemble an incident response team and initiate countermeasures. This gives attackers more time to move laterally within the network and wreak havoc before the security team reacts. While not every organization may be ready to staff an in-house team around the clock, building a 24/7 SOC remains one of the most robust and proactive ways to protect against off-hours attacks. In the rest of this post, we'll explore why 24/7 vigilance is so important, the challenges ...

Veeam has rolled out patches to contain a critical security flaw impacting its Backup & Replication software that could result in remote code execution under certain conditions. The security defect, tracked as CVE-2025-23121, carries a CVSS score of 9.9 out of a maximum of 10.0. "A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user," the company said in an advisory. CVE-2025-23121 impacts all earlier version 12 builds, including 12.3.1.1139. It has been addressed in version 12.3.2 (build 12.3.2.3617). Security researchers at CODE WHITE GmbH and watchTowr have been credited with discovering and reporting the vulnerability. Cybersecurity company Rapid7 noted that the update likely addresses concerns shared by CODE WHITE in late March 2025 that the patch put in place to plug a similar hole ( CVE-2025-23120 , CVSS score: 9.9) could be bypassed. Also addressed by Veeam is another flaw in the same product (CVE-2025...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday disclosed that ransomware actors are targeting unpatched SimpleHelp Remote Monitoring and Management (RMM) instances to compromise customers of an unnamed utility billing software provider. "This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025," the agency said in an advisory. Earlier this year, SimpleHelp disclosed a set of flaws (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) that could result in information disclosure, privilege escalation, and remote code execution. The vulnerabilities have since come under repeated exploitation in the wild, including by ransomware groups like DragonForce, to breach targets of interest. Last month, Sophos revealed that a Managed Service Provider's SimpleHelp deployed was accessed by the threat actor using these flaws, and then leveraged it to pivot t...

ConnectWise has disclosed that it's planning to rotate the digital code signing certificates used to sign ScreenConnect, ConnectWise Automate, and ConnectWise remote monitoring and management (RMM) executables due to security concerns. The company said it's doing so "due to concerns raised by a third-party researcher about how ScreenConnect handled certain configuration data in earlier versions." While the company did not publicly elaborate on the nature of the problem, it has shed more light in a non-public FAQ accessible only to its customers (and later shared on Reddit ) - The concern stems from ScreenConnect using the ability to store configuration data in an available area of the installer that is not signed but is part of the installer. We are using this ability to pass down configuration information for the connection (between the agent and server) such as the URL where the agent should call back without invalidating the signature. The unsigned area is u...

Threat intelligence firm GreyNoise has warned of a "coordinated brute-force activity" targeting Apache Tomcat Manager interfaces. The company said it observed a surge in brute-force and login attempts on June 5, 2025, an indication that they could be deliberate efforts to "identify and access exposed Tomcat services at scale." To that end, 295 unique IP addresses have been found to be engaged in brute-force attempts against Tomcat Manager on that date, with all of them classified as malicious. Over the past 24 hours, 188 unique IPs have been recorded, a majority of them located in the United States, the United Kingdom, Germany, the Netherlands, and Singapore. In a similar vein, 298 unique IPs were observed conducting login attempts against Tomcat Manager instances. Of the 246 IP addresses flagged in the last 24 hours, all of them are categorized as malicious and originate from the same locations. Targets of these attempts include the United States, the Uni...