#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
State of SaaS

cybersecurity | Breaking Cybersecurity News | The Hacker News

Category — cybersecurity
Palo Alto Firewalls Found Vulnerable to Secure Boot Bypass and Firmware Exploits

Palo Alto Firewalls Found Vulnerable to Secure Boot Bypass and Firmware Exploits

Jan 23, 2025 Firmware Security / Vulnerability
An exhaustive evaluation of three firewall models from Palo Alto Networks has uncovered a host of known security flaws impacting the devices' firmware as well as misconfigured security features. "These weren't obscure, corner-case vulnerabilities," security vendor Eclypsium said in a report shared with The Hacker News. "Instead these were very well-known issues that we wouldn't expect to see even on a consumer-grade laptop. These issues could allow attackers to evade even the most basic integrity protections, such as Secure Boot, and modify device firmware if exploited." The company said it analyzed three firewall appliances from Palo Alto Networks, PA-3260, PA-1410, and PA-415, the first of which officially reached end-of-sale on August 31, 2023. The other two models are fully supported firewall platforms. The list of identified flaws, collectively named PANdora's Box , is as follows - CVE-2020-10713 aka BootHole (Affects PA-3260, PA-14...
Beware: Fake CAPTCHA Campaign Spreads Lumma Stealer in Multi-Industry Attacks

Beware: Fake CAPTCHA Campaign Spreads Lumma Stealer in Multi-Industry Attacks

Jan 23, 2025 Phishing / Malware
Cybersecurity researchers are calling attention to a new malware campaign that leverages fake CAPTCHA verification checks to deliver the infamous Lumma information stealer. "The campaign is global, with Netskope Threat Labs tracking victims targeted in Argentina, Colombia, the United States, the Philippines, and other countries around the world," Leandro Fróes, senior threat research engineer at Netskope Threat Labs, said in a report shared with The Hacker News. "The campaign also spans multiple industries, including healthcare, banking, and marketing, with the telecom industry having the highest number of organizations targeted." The attack chain begins when a victim visits a compromised website, which directs them to a bogus CAPTCHA page that specifically instructs the site visitor to copy and paste a command into the Run prompt in Windows that uses the native mshta.exe binary to download and execute an HTA file from a remote server. It's worth noting...
The $10 Cyber Threat Responsible for the Biggest Breaches of 2024

The $10 Cyber Threat Responsible for the Biggest Breaches of 2024

Jan 16, 2025Identity Protection / SaaS Security
You can tell the story of the current state of stolen credential-based attacks in three numbers: Stolen credentials were the #1 attacker action in 2023/24, and the breach vector for 80% of web app attacks . (Source: Verizon). Cybersecurity budgets grew again in 2024, with organizations now spending almost $1,100 per user (Source: Forrester).  Stolen credentials on criminal forums cost as little as $10 (Source: Verizon). Something doesn't add up. So, what's going on? In this article, we'll cover: What's contributing to the huge rise in account compromises linked to stolen creds and why existing approaches aren't working.  The world of murky intelligence on stolen credentials, and how to cut through the noise to find the true positives. Recommendations for security teams to stop attackers from using stolen creds to achieve account takeover. Stolen credential-based attacks are on the rise There's clear evidence that identity attacks are now the #1 cyber threat f...
New Research: The State of Web Exposure 2025

New Research: The State of Web Exposure 2025

Jan 23, 2025 Website Security / Data Privacy
Are your websites leaking sensitive data? New research reveals that 45% of third-party apps access user info without proper authorization, and 53% of risk exposures in Retail are due to the excessive use of tracking tools. Learn how to uncover and mitigate these hidden threats and risks—download the full report here . New research by web exposure management specialist Reflectiz reveals several alarming findings about the high number of website vulnerabilities organizations across many industries are needlessly exposing themselves to. For instance, one standout statistic from the report is that 45% of third-party applications access sensitive user information without good reason . Although third-party apps may be essential for marketing and functionality purposes, not all of them need access to the kind of personal and financial user information that cybercriminals are hunting for. It's safer to limit apps' access to it on a need-to-know basis. For the report, Reflectiz gathere...
cyber security

2024: A year of identity attacks | Get the new ebook

websitePush SecurityIdentity Security
Identity attacks were the leading cause of breaches in 2024. Learn how tooling and techniques are evolving.
Custom Backdoor Exploiting Magic Packet Vulnerability in Juniper Routers

Custom Backdoor Exploiting Magic Packet Vulnerability in Juniper Routers

Jan 23, 2025 Malware / Enterprise Security
Enterprise-grade Juniper Networks routers have become the target of a custom backdoor as part of a campaign dubbed J-magic . According to the Black Lotus Labs team at Lumen Technologies, the activity is so named for the fact that the backdoor continuously monitors for a "magic packet" sent by the threat actor in TCP traffic.  "J-magic campaign marks the rare occasion of malware designed specifically for JunoOS, which serves a similar market but relies on a different operating system, a variant of FreeBSD," the company said in a report shared with The Hacker News. Evidence gathered by the company shows that the earliest sample of the backdoor dates back to September 2023, with the activity ongoing between mid-2023 and mid-2024. Semiconductor, energy, manufacturing, and information technology (IT) sectors were the most targeted. Infections have been reported across Europe, Asia, and South America, including Argentine, Armenia, Brazil, Chile, Colombia, Indonesi...
Experts Find Shared Codebase Linking Morpheus and HellCat Ransomware Payloads

Experts Find Shared Codebase Linking Morpheus and HellCat Ransomware Payloads

Jan 23, 2025 Threat Intelligence / Data Breach
An analysis of HellCat and Morpheus ransomware operations has revealed that affiliates associated with the respective cybercrime entities are using identical code for their ransomware payloads. The findings come from SentinelOne, which analyzed artifacts uploaded to the VirusTotal malware scanning platform by the same submitter towards the end of December 2024. "These two payload samples are identical except for victim specific data and the attacker contact details," security researcher Jim Walter said in a new report shared with The Hacker News. Both HellCat and Morpheus are nascent entrants to the ransomware ecosystem, having emerged in October and December 2024, respectively. A deeper examination of the Morpheus/HellCat payload, a 64-bit portable executable, has revealed that both samples require a path to be specified as an input argument. They are both configured to exclude the \Windows\System32 folder, as well as a hard-coded list of extensions from the encryp...
How to Eliminate Identity-Based Threats

How to Eliminate Identity-Based Threats

Jan 23, 2025 Identity Security / Enterprise Security
Despite significant investments in advanced technologies and employee training programs, credential and user-based attacks remain alarmingly prevalent, accounting for 50-80% of enterprise breaches [1] , [2] . While identity-based attacks continue to dominate as the leading cause of security incidents, the common approach to identity security threats is still threat reduction, implementing layers of controls to reduce risk while accepting that some attacks will succeed. This methodology relies on detection, response, and recovery capabilities to minimize damage after a breach has already occurred, but it does not prevent the possibility of successful attacks.  The good news? Finally, there's a solution that marks a true paradigm shift: with modern authentication technologies, the complete elimination of identity-based threats is now within reach. This groundbreaking advancement moves us beyond the traditional focus on risk reduction, offering organizations a way to fully neutraliz...
SonicWall Urges Immediate Patch for Critical CVE-2025-23006 Flaw Amid Likely Exploitation

SonicWall Urges Immediate Patch for Critical CVE-2025-23006 Flaw Amid Likely Exploitation

Jan 23, 2025 Vulnerability / Network Security
SonicWall is alerting customers of a critical security flaw impacting its Secure Mobile Access (SMA) 1000 Series appliances that it said has been likely exploited in the wild as a zero-day. The vulnerability, tracked as CVE-2025-23006 , is rated 9.8 out of a maximum of 10.0 on the CVSS scoring system. "Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands," the company said in an advisory. It's worth noting that CVE-2025-23006 does not affect its Firewall and SMA 100 series products. The flaw has been addressed in version 12.4.3-02854 (platform-hotfix). SonicWall also said that it has been notified of "possible active exploitation" by unspecified threat actors, necessitating that customers apply the fixes as soon as p...
QakBot-Linked BC Malware Adds Enhanced Remote Access and Data Gathering Features

QakBot-Linked BC Malware Adds Enhanced Remote Access and Data Gathering Features

Jan 23, 2025 Malware / Threat Intelligence
Cybersecurity researchers have disclosed details of a new BackConnect (BC) malware that has been developed by threat actors linked to the infamous QakBot loader. "BackConnect is a common feature or module utilized by threat actors to maintain persistence and perform tasks," Walmart's Cyber Intelligence team told The Hacker News. "The BackConnect(s) in use were 'DarkVNC' alongside the IcedID BackConnect ( KeyHole )." The company noted that the BC module was found on the same infrastructure that was observed distributing another malware loader called ZLoader, which was recently updated to incorporate a Domain Name System (DNS) tunnel for command-and-control (C2) communications. QakBot, also called QBot and Pinkslipbot, suffered a major operational setback in 2023 after its infrastructure was seized as part of a coordinated law enforcement effort named Duck Hunt. Since then, sporadic campaigns have been uncovered propagating the malware. Origina...
Cisco Fixes Critical Privilege Escalation Flaw in Meeting Management (CVSS 9.9)

Cisco Fixes Critical Privilege Escalation Flaw in Meeting Management (CVSS 9.9)

Jan 23, 2025 Network Security / Vulnerability
Cisco has released software updates to address a critical security flaw impacting Meeting Management that could permit a remote, authenticated attacker to gain administrator privileges on susceptible instances. The vulnerability, tracked as CVE-2025-20156, carries a CVSS score of 9.9 out 10.0. It has been described as a privilege escalation flaw in the REST API of Cisco Meeting Management. "This vulnerability exists because proper authorization is not enforced upon REST API users," the company said in a Wednesday advisory. "An attacker could exploit this vulnerability by sending API requests to a specific endpoint." "A successful exploit could allow the attacker to gain administrator-level control over edge nodes that are managed by Cisco Meeting Management." The networking equipment major credited Ben Leonard-Lagarde of Modux for reporting the security shortcoming. It affects the following versions of the product irrespective of device configuratio...
Trump Terminates DHS Advisory Committee Memberships, Disrupting Cybersecurity Review

Trump Terminates DHS Advisory Committee Memberships, Disrupting Cybersecurity Review

Jan 23, 2025 Cybersecurity / National Security
The new Trump administration has terminated all memberships of advisory committees that report to the Department of Homeland Security (DHS).  "In alignment with the Department of Homeland Security's (DHS) commitment to eliminating the misuse of resources and ensuring that DHS activities prioritize our national security, I am directing the termination of all current memberships on advisory committees within DHS, effective immediately," Acting Secretary Benjamine C. Huffman said in a January 20, 2025, memo. "Future committee activities will be focused solely on advancing our critical mission to protect the homeland and support DHS's strategic priorities." This includes members of the Cybersecurity and Infrastructure Security Agency's (CISA) Cyber Safety Review Board (CSRB), which last year issued a scathing report excoriating Microsoft for a "cascade" of avoidable errors that led to its infrastructure being abused by a China-based nation-st...
Hackers Exploit Zero-Day in cnPilot Routers to Deploy AIRASHI DDoS Botnet

Hackers Exploit Zero-Day in cnPilot Routers to Deploy AIRASHI DDoS Botnet

Jan 22, 2025 Vulnerability / Network Security
Threat actors are exploiting an unspecified zero-day vulnerability in Cambium Networks cnPilot routers to deploy a variant of the AISURU botnet called AIRASHI to carry out distributed denial-of-service (DDoS) attacks. According to QiAnXin XLab, the attacks have leveraged the security flaw since June 2024. Additional details about the shortcomings have been withheld to prevent further abuse. Some of the other flaws weaponized by the distributed denial-of-service (DDoS) botnet include CVE-2013-3307 , CVE-2016-20016 , CVE-2017-5259 , CVE-2018-14558 , CVE-2020-25499 , CVE-2020-8515 , CVE-2022-3573 , CVE-2022-40005 , CVE-2022-44149 , CVE-2023-28771 , as well as those impacting AVTECH IP cameras, LILIN DVRs, and Shenzhen TVT devices. "The operator of AIRASHI has been posting their DDoS capability test results on Telegram," XLab said. "From historical data, it can be observed that the attack capacity of the AIRASHI botnet remains stable around 1-3 Tbps." A majority ...
Discover Hidden Browsing Threats: Free Risk Assessment for GenAI, Identity, Web, and SaaS Risks

Discover Hidden Browsing Threats: Free Risk Assessment for GenAI, Identity, Web, and SaaS Risks

Jan 22, 2025 Risk Assessment / Browser Security
As GenAI tools and SaaS platforms become a staple component in the employee toolkit, the risks associated with data exposure, identity vulnerabilities, and unmonitored browsing behavior have skyrocketed. Forward-thinking security teams are looking for security controls and strategies to address these risks, but they do not always know which risks to prioritize. In some cases, they might have blind spots into the existence of risks. To help, a new complimentary risk assessment is now available. The assessment will be customized for each organization's browsing environment, evaluating their risk and providing actionable insights. Security and IT teams can leverage the assessment to strengthen their security posture, inform their decision-making, evangelize across the organization, and plan next steps. The assessment results in a report that includes a high-level overview of key risks, including insecure use of gen AI, sensitive data leakage risks through the browser, SaaS app usage, ...
President Trump Pardons Silk Road Creator Ross Ulbricht After 11 Years in Prison

President Trump Pardons Silk Road Creator Ross Ulbricht After 11 Years in Prison

Jan 22, 2025 Dark Web / Cryptocurrency
U.S. President Donald Trump on Tuesday granted a "full and unconditional pardon" to Ross Ulbricht, the creator of the infamous Silk Road drug marketplace, after spending more than 11 years behind bars. "I just called the mother of Ross William Ulbricht to let her know that in honor of her and the Libertarian Movement, which supported me so strongly, it was my pleasure to have just signed a full and unconditional pardon of her son, Ross," Trump said in a post shared on Truth Social. "The scum that worked to convict him were some of the same lunatics who were involved in the modern day weaponization of government against me. He was given two life sentences, plus 40 years. Ridiculous!" Launched in February 2011, Silk Road emerged as a major hub on the dark web for illegal drugs and other illicit goods and services. The marketplace generated over $200 million in revenue in its nearly three years of existence, per authorities. It was taken down in Octobe...
PlushDaemon APT Targets South Korean VPN Provider in Supply Chain Attack

PlushDaemon APT Targets South Korean VPN Provider in Supply Chain Attack

Jan 22, 2025 Supply Chain Attack / Malware
A previously undocumented China-aligned advanced persistent threat (APT) group named PlushDaemon has been linked to a supply chain attack targeting a South Korean virtual private network (VPN) provider in 2023, according to new findings from ESET. "The attackers replaced the legitimate installer with one that also deployed the group's signature implant that we have named SlowStepper – a feature-rich backdoor with a toolkit of more than 30 components," ESET researcher Facundo Muñoz said in a technical report shared with The Hacker News. PlushDaemon is assessed to be a China-nexus group that has been operational since at least 2019, targeting individuals and entities in China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand. Central to its operations is a bespoke backdoor called SlowStepper, which is described as a large toolkit consisting of around 30 modules, programmed in C++, Python, and Go. Another crucial aspect of its attacks is the hijackin...
Oracle Releases January 2025 Patch to Address 318 Flaws Across Major Products

Oracle Releases January 2025 Patch to Address 318 Flaws Across Major Products

Jan 22, 2025 Vulnerability / Enterprise Security
Oracle is urging customers to apply its January 2025 Critical Patch Update (CPU) to address 318 new security vulnerabilities spanning its products and services. The most severe of the flaws is a bug in the Oracle Agile Product Lifecycle Management (PLM) Framework (CVE-2025-21556, CVSS score: 9.9) that could allow an attacker to seize control of susceptible instances. "Easily exploitable vulnerability allows low privileged attackers with network access via HTTP to compromise Oracle Agile PLM Framework," according to a description of the security hole in the NIST National Vulnerability Database (NVD). It's worth noting that Oracle warned of active exploitation attempts against another flaw in the same product (CVE-2024-21287, CVSS score: 7.5) in November 2024. Both vulnerabilities affect Oracle Agile PLM Framework version 9.3.6. "Customers are strongly advised to apply the January 2025 Critical Patch Update for Oracle Agile PLM Framework as it includes patche...
Expert Insights / Articles Videos
Cybersecurity Resources