Threat Intelligence | Breaking Cybersecurity News | The Hacker News

Category — Threat Intelligence
New SLAP & FLOP Attacks Expose Apple M-Series Chips to Speculative Execution Exploits

Jan 29, 2025 Vulnerability / Threat Intelligence
A team of security researchers from Georgia Institute of Technology and Ruhr University Bochum has demonstrated two new side-channel attacks targeting Apple silicon that could be exploited to leak sensitive information from web browsers like Safari and Google Chrome. The attacks have been codenamed Data Speculation Attacks via Load Address Prediction on Apple Silicon (SLAP) and Breaking the Apple M3 CPU via False Load Output Predictions (FLOP). Apple was notified of the issues in May and September 2024, respectively. The vulnerabilities, like the previously disclosed iLeakage attack, build on Spectre, arising when speculative execution "backfires," leaving traces of mispredictions in the CPU's microarchitectural state and the cache. Speculative execution refers to a performance optimization mechanism in modern processors that aims to predict the control flow the CPU should take and execute instructions along that branch beforehand. In the event of a mi...
How Interlock Ransomware Infects Healthcare Organizations

Jan 29, 2025 Incident Response / Threat Intelligence
Ransomware attacks have reached an unprecedented scale in the healthcare sector, exposing vulnerabilities that put millions at risk. Recently, UnitedHealth revealed that 190 million Americans had their personal and healthcare data stolen during the Change Healthcare ransomware attack, a figure that nearly doubles the previously disclosed total. This breach shows just how deeply ransomware can infiltrate critical systems, leaving patient trust and care hanging in the balance. One of the groups that targets this already fragile sector is the Interlock ransomware group. Known for their calculated and sophisticated attacks, they focus on hospitals, clinics, and other medical service providers.

Interlock Ransomware Group: An Active Threat to Healthcare

The Interlock ransomware group is a relatively recent but dangerous player in the world of cybercrime, known for employing double-extortion tactics. This method involves encrypting a victim's data to disrupt operations and th...
SANS Institute Warns of Novel Cloud-Native Ransomware Attacks

Mar 17, 2025 Cloud Security / Threat Intelligence
The latest Palo Alto Networks Unit 42 Cloud Threat Report found that sensitive data is found in 66% of cloud storage buckets. This data is vulnerable to ransomware attacks. The SANS Institute recently reported that these attacks can be performed by abusing the cloud provider's storage security controls and default settings. "In just the past few months, I have witnessed two different methods for executing a ransomware attack using nothing but legitimate cloud security features," warns Brandon Evans, security consultant and SANS Certified Instructor. Halcyon disclosed an attack campaign that leveraged one of Amazon S3's native encryption mechanisms, SSE-C, to encrypt each of the target buckets. A few months prior, security consultant Chris Farris demonstrated how attackers could perform a similar attack using a different AWS security feature, KMS keys with external key material, using simple scripts generated by ChatGPT. "Clearly, this topic is top-of-mind for both threat actors and ...
Critical Cacti Security Flaw (CVE-2025-22604) Enables Remote Code Execution

Jan 29, 2025 Vulnerability / Threat Intelligence
A critical security flaw has been disclosed in the Cacti open-source network monitoring and fault management framework that could allow an authenticated attacker to achieve remote code execution on susceptible instances. The flaw, tracked as CVE-2025-22604, carries a CVSS score of 9.1 out of a maximum of 10.0. "Due to a flaw in the multi-line SNMP result parser, authenticated users can inject malformed OIDs in the response," the project maintainers said in an advisory released this week. "When processed by ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), a part of each OID will be used as a key in an array that is used as part of a system command, causing a command execution vulnerability." Successful exploitation of the vulnerability could permit an authenticated user with device management permissions to execute arbitrary code in the server, and steal, edit, or delete sensitive data. CVE-2025-22604 affects all versions of the software prior to and includ...
UAC-0063 Expands Cyber Attacks to European Embassies Using Stolen Documents

Jan 29, 2025 Cyber Espionage / Threat Intelligence
The advanced persistent threat (APT) group known as UAC-0063 has been observed leveraging legitimate documents obtained by infiltrating one victim to attack another target with the goal of delivering a known malware dubbed HATVIBE. "This research focuses on completing the picture of UAC-0063's operations, particularly documenting their expansion beyond their initial focus on Central Asia, targeting entities such as embassies in multiple European countries, including Germany, the U.K., the Netherlands, Romania, and Georgia," Martin Zugec, technical solutions director at Bitdefender, said in a report shared with The Hacker News. UAC-0063 was first flagged by the Romanian cybersecurity company in May 2023 in connection with a campaign that targeted government entities in Central Asia with a data exfiltration malware known as DownEx (aka STILLARCH). It's suspected to share links with a known Russian state-sponsored actor called APT28. Merely weeks later, the Compu...
Zyxel CPE Devices Face Active Exploitation Due to Unpatched CVE-2024-40891 Vulnerability

Jan 29, 2025 Vulnerability / Network Security
Cybersecurity researchers are warning that a critical zero-day vulnerability impacting Zyxel CPE Series devices is seeing active exploitation attempts in the wild. "Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration," GreyNoise researcher Glenn Thorpe said in an alert published Tuesday. The vulnerability in question is CVE-2024-40891, a critical command injection vulnerability that has neither been publicly disclosed nor patched. The existence of the bug was first reported by VulnCheck in July 2024. Statistics gathered by the threat intelligence firm show that attack attempts have originated from dozens of IP addresses, with a majority of them located in Taiwan. According to Censys, there are more than 1,500 vulnerable devices online. "CVE-2024-40891 is very similar to CVE-2024-40890, with the main difference being that the former is Teln...
Ransomware Targets ESXi Systems via Stealthy SSH Tunnels for C2 Operations

Jan 28, 2025 Ransomware / Threat Intelligence
Cybersecurity researchers have found that ransomware attacks targeting ESXi systems are also leveraging the access to repurpose the appliances as a conduit to tunnel traffic to command-and-control (C2) infrastructure and stay under the radar. "ESXi appliances, which are unmonitored, are increasingly exploited as a persistence mechanism and gateway to access corporate networks widely," Sygnia researchers Aaron (Zhongyuan) Hau and Ren Jie Yow said in a report published last week. "Threat actors use these platforms by adopting 'living-off-the-land' techniques and using native tools like SSH to establish a SOCKS tunnel between their C2 servers and the compromised environment." In doing so, the idea is to blend into legitimate traffic and establish long-term persistence on the compromised network with little-to-no detection by security controls. The cybersecurity company said in many of its incident response engagements, ESXi systems were compromised eit...
GamaCopy Mimics Gamaredon Tactics in Cyber Espionage Targeting Russian Entities

Jan 27, 2025 Cyber Espionage / Threat Intelligence
A previously unknown threat actor has been observed copying the tradecraft associated with the Kremlin-aligned Gamaredon hacking group in its cyber attacks targeting Russian-speaking entities. The campaign has been attributed to a threat cluster dubbed GamaCopy, which is assessed to share overlaps with another hacking group named Core Werewolf, also tracked as Awaken Likho and PseudoGamaredon. According to the Knownsec 404 Advanced Threat Intelligence team, the attacks leverage content related to military facilities as lures to drop UltraVNC, allowing threat actors to remotely access the compromised hosts. "The TTP (Tactics, Techniques, and Procedures) of this organization imitates that of the Gamaredon organization which conducts attacks against Ukraine," the company said in a report published last week. The disclosure arrives nearly four months after Kaspersky revealed that Russian government agencies and industrial entities have been the target of Core Werewolf, ...
MintsLoader Delivers StealC Malware and BOINC in Targeted Cyber Attacks

Jan 27, 2025 Malware / SEO Poisoning
Threat hunters have detailed an ongoing campaign that leverages a malware loader called MintsLoader to distribute secondary payloads such as the StealC information stealer and a legitimate open-source network computing platform called BOINC. "MintsLoader is a PowerShell based malware loader that has been seen delivered via spam emails with a link to Kongtuke/ClickFix pages or a JScript file," cybersecurity firm eSentire said in an analysis. The campaign has targeted electricity, oil and gas, and the legal services sectors in the United States and Europe, per the company, which detected the activity in early January 2025. The development comes amid a spike in malicious campaigns that are abusing fake CAPTCHA verification prompts to trick users into copying and executing PowerShell scripts to get around the checks, a technique that has come to be known as ClickFix and KongTuke. "KongTuke involves an injected script that currently causes associated websites to displa...
Palo Alto Firewalls Found Vulnerable to Secure Boot Bypass and Firmware Exploits

Jan 23, 2025 Firmware Security / Vulnerability
An exhaustive evaluation of three firewall models from Palo Alto Networks has uncovered a host of known security flaws impacting the devices' firmware as well as misconfigured security features. "These weren't obscure, corner-case vulnerabilities," security vendor Eclypsium said in a report shared with The Hacker News. "Instead these were very well-known issues that we wouldn't expect to see even on a consumer-grade laptop. These issues could allow attackers to evade even the most basic integrity protections, such as Secure Boot, and modify device firmware if exploited." The company said it analyzed three firewall appliances from Palo Alto Networks, PA-3260, PA-1410, and PA-415, the first of which officially reached end-of-sale on August 31, 2023. The other two models are fully supported firewall platforms. The list of identified flaws, collectively named PANdora's Box, is as follows - CVE-2020-10713 aka BootHole (Affects PA-3260, PA-14...
Experts Find Shared Codebase Linking Morpheus and HellCat Ransomware Payloads

Jan 23, 2025 Threat Intelligence / Data Breach
An analysis of HellCat and Morpheus ransomware operations has revealed that affiliates associated with the respective cybercrime entities are using identical code for their ransomware payloads. The findings come from SentinelOne, which analyzed artifacts uploaded to the VirusTotal malware scanning platform by the same submitter towards the end of December 2024. "These two payload samples are identical except for victim specific data and the attacker contact details," security researcher Jim Walter said in a new report shared with The Hacker News. Both HellCat and Morpheus are nascent entrants to the ransomware ecosystem, having emerged in October and December 2024, respectively. A deeper examination of the Morpheus/HellCat payload, a 64-bit portable executable, has revealed that both samples require a path to be specified as an input argument. They are both configured to exclude the \Windows\System32 folder, as well as a hard-coded list of extensions from the encryp...
SonicWall Urges Immediate Patch for Critical CVE-2025-23006 Flaw Amid Likely Exploitation

Jan 23, 2025 Vulnerability / Network Security
SonicWall is alerting customers of a critical security flaw impacting its Secure Mobile Access (SMA) 1000 Series appliances that it said has been likely exploited in the wild as a zero-day. The vulnerability, tracked as CVE-2025-23006, is rated 9.8 out of a maximum of 10.0 on the CVSS scoring system. "Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands," the company said in an advisory. It's worth noting that CVE-2025-23006 does not affect its Firewall and SMA 100 series products. The flaw has been addressed in version 12.4.3-02854 (platform-hotfix). SonicWall also said that it has been notified of "possible active exploitation" by unspecified threat actors, necessitating that customers apply the fixes as soon as p...
QakBot-Linked BC Malware Adds Enhanced Remote Access and Data Gathering Features

Jan 23, 2025 Malware / Threat Intelligence
Cybersecurity researchers have disclosed details of a new BackConnect (BC) malware that has been developed by threat actors linked to the infamous QakBot loader. "BackConnect is a common feature or module utilized by threat actors to maintain persistence and perform tasks," Walmart's Cyber Intelligence team told The Hacker News. "The BackConnect(s) in use were 'DarkVNC' alongside the IcedID BackConnect (KeyHole)." The company noted that the BC module was found on the same infrastructure that was observed distributing another malware loader called ZLoader, which was recently updated to incorporate a Domain Name System (DNS) tunnel for command-and-control (C2) communications. QakBot, also called QBot and Pinkslipbot, suffered a major operational setback in 2023 after its infrastructure was seized as part of a coordinated law enforcement effort named Duck Hunt. Since then, sporadic campaigns have been uncovered propagating the malware. Origina...
TRIPLESTRENGTH Hits Cloud for Cryptojacking, On-Premises Systems for Ransomware

Jan 23, 2025 Cloud Security / Cryptojacking
Google on Wednesday shed light on a financially motivated threat actor named TRIPLESTRENGTH for its opportunistic targeting of cloud environments for cryptojacking and on-premise ransomware attacks. "This actor engaged in a variety of threat activity, including cryptocurrency mining operations on hijacked cloud resources and ransomware activity," the tech giant's cloud division said in its 11th Threat Horizons Report. TRIPLESTRENGTH engages in a trifecta of malicious attacks, including illicit cryptocurrency mining, ransomware and extortion, and advertising access to various cloud platforms, such as Google Cloud, Amazon Web Services, Microsoft Azure, Linode, OVHCloud, and Digital Ocean, to other threat actors. Initial access to target cloud instances is facilitated by means of stolen credentials and cookies, some of which originate from Raccoon information stealer infection logs. The hijacked environments are then abused to create compute resources for mining cryp...
Hackers Exploit Zero-Day in cnPilot Routers to Deploy AIRASHI DDoS Botnet

Jan 22, 2025 Vulnerability / Network Security
Threat actors are exploiting an unspecified zero-day vulnerability in Cambium Networks cnPilot routers to deploy a variant of the AISURU botnet called AIRASHI to carry out distributed denial-of-service (DDoS) attacks. According to QiAnXin XLab, the attacks have leveraged the security flaw since June 2024. Additional details about the shortcomings have been withheld to prevent further abuse. Some of the other flaws weaponized by the distributed denial-of-service (DDoS) botnet include CVE-2013-3307, CVE-2016-20016, CVE-2017-5259, CVE-2018-14558, CVE-2020-25499, CVE-2020-8515, CVE-2022-3573, CVE-2022-40005, CVE-2022-44149, CVE-2023-28771, as well as those impacting AVTECH IP cameras, LILIN DVRs, and Shenzhen TVT devices. "The operator of AIRASHI has been posting their DDoS capability test results on Telegram," XLab said. "From historical data, it can be observed that the attack capacity of the AIRASHI botnet remains stable around 1-3 Tbps." A majority ...
New 'Sneaky 2FA' Phishing Kit Targets Microsoft 365 Accounts with 2FA Code Bypass

Jan 17, 2025 Cybersecurity / Threat Intelligence
Cybersecurity researchers have detailed a new adversary-in-the-middle (AitM) phishing kit that's capable of targeting Microsoft 365 accounts with an aim to steal credentials and two-factor authentication (2FA) codes since at least October 2024. The nascent phishing kit has been dubbed Sneaky 2FA by French cybersecurity company Sekoia, which detected it in the wild in December. Nearly 100 domains hosting Sneaky 2FA phishing pages have been identified as of this month, suggesting moderate adoption by threat actors. "This kit is being sold as phishing-as-a-service (PhaaS) by the cybercrime service 'Sneaky Log,' which operates through a fully-featured bot on Telegram," the company said in an analysis. "Customers reportedly receive access to a licensed obfuscated version of the source code and deploy it independently." Phishing campaigns have been observed sending payment receipt-related emails to entice recipients into opening bogus PDF documents containing QR co...