data breach | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have discovered a new malvertising campaign that's designed to infect victims with a multi-stage malware framework called PS1Bot . "PS1Bot features a modular design, with several modules delivered used to perform a variety of malicious activities on infected systems, including information theft, keylogging, reconnaissance, and the establishment of persistent system access," Cisco Talos researchers Edmund Brumaghin and Jordyn Dunk said . "PS1Bot has been designed with stealth in mind, minimizing persistent artifacts left on infected systems and incorporating in-memory execution techniques to facilitate execution of follow-on modules without requiring them to be written to disk." Campaigns distributing the PowerShell and C# malware have been found to be active since early 2025, leveraging malvertising as a propagation vector, with the infection chains executing modules in-memory to minimize forensic trail. PS1Bot is assessed to share ...

Zoom and Xerox have addressed critical security flaws in Zoom Clients for Windows and FreeFlow Core that could allow privilege escalation and remote code execution.  The vulnerability impacting Zoom Clients for Windows, tracked as CVE-2025-49457 (CVSS score: 9.6), relates to a case of an untrusted search path that could pave the way for privilege escalation. "Untrusted search path in certain Zoom Clients for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access," Zoom said in a security bulletin on Tuesday. The issue, reported by its own Offensive Security team, affects the following products - Zoom Workplace for Windows before version 6.3.10 Zoom Workplace VDI for Windows before version 6.3.10 (except 6.1.16 and 6.2.12) Zoom Rooms for Windows before version 6.3.10 Zoom Rooms Controller for Windows before version 6.3.10 Zoom Meeting SDK for Windows before version 6.3.10 The disclosure comes as multiple vulnerabiliti...

Cybersecurity researchers have discovered a new campaign that employs a previously undocumented ransomware family called Charon to target the Middle East's public sector and aviation industry. The threat actor behind the activity, according to Trend Micro, exhibited tactics mirroring those of advanced persistent threat (APT) groups, such as DLL side-loading, process injection, and the ability to evade endpoint detection and response (EDR) software. The DLL side-loading techniques resemble those previously documented as part of attacks orchestrated by a China-linked hacking group called Earth Baxia , which was flagged by the cybersecurity company as targeting government entities in Taiwan and the Asia-Pacific region to deliver a backdoor known as EAGLEDOOR following the exploitation of a now-patched security flaw affecting OSGeo GeoServer GeoTools. "The attack chain leveraged a legitimate browser-related file, Edge.exe (originally named cookie_exporter.exe), to sideload a...

An ongoing data extortion campaign targeting Salesforce customers may soon turn its attention to financial services and technology service providers, as ShinyHunters and Scattered Spider appear to be working hand in hand, new findings show. "This latest wave of ShinyHunters-attributed attacks reveals a dramatic shift in tactics, moving beyond the group's previous credential theft and database exploitation," ReliaQuest said in a report shared with The Hacker News. These include the use of adoption of tactics that mirror those of Scattered Spider , such as highly-targeted vishing (aka voice phishing ) and social engineering attacks, leveraging apps that masquerade as legitimate tools, employing Okta-themed phishing pages to trick victims into entering credentials during vishing, and VPN obfuscation for data exfiltration. ShinyHunters , which first emerged in 2020, is a financially motivated threat group that has orchestrated a series of data breaches targeting major...

This week, cyber attackers are moving quickly, and businesses need to stay alert. They're finding new weaknesses in popular software and coming up with clever ways to get around security. Even one unpatched flaw could let attackers in, leading to data theft or even taking control of your systems. The clock is ticking—if defenses aren't updated regularly, it could lead to serious damage. The message is clear: don't wait for an attack to happen. Take action now to protect your business. Here's a look at some of the biggest stories in cybersecurity this week: from new flaws in WinRAR and NVIDIA Triton to advanced attack techniques you should know about. Let's get into the details. ⚡ Threat of the Week Trend Micro Warns of Actively Exploited 0-Day — Trend Micro has released temporary mitigations to address critical security flaws in on-premise versions of Apex One Management Console that it said have been exploited in the wild. The vulnerabilities (CVE-2025-54948 and CVE-2025-54987),...

Cybersecurity researchers have discovered over a dozen vulnerabilities in enterprise secure vaults from CyberArk and HashiCorp that, if successfully exploited, can allow remote attackers to crack open corporate identity systems and extract enterprise secrets and tokens from them.  The 14 vulnerabilities, collectively named Vault Fault , affect CyberArk Secrets Manager, Self-Hosted, and Conjur Open Source and HashiCorp Vault, according to a report from an identity security firm Cyata. Following responsible disclosure in May 2025, the flaws have been addressed in the following versions - CyberArk Secrets Manager and Self-Hosted 13.5.1 and 13.6.1 CyberArk Conjur Open Source 1.22.1 HashiCorp Vault Community Edition 1.20.2 or Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24 These include authentication bypasses, impersonation, privilege escalation bugs, code execution pathways, and root token theft. The most severe of the issues allows for remote code execution, allowing a...

When an organization's credentials are leaked, the immediate consequences are rarely visible—but the long-term impact is far-reaching. Far from the cloak-and-dagger tactics seen in fiction, many real-world cyber breaches begin with something deceptively simple: a username and password. According to Verizon's 2025 Data Breach Investigations Report, leaked credentials accounted for 22% of breaches in 2024, outpacing phishing and even software exploitation. That's nearly a quarter of all incidents, initiated not through zero-days or advanced persistent threats, but by logging in through the front door. This quiet and persistent threat has been growing. New data compiled by Cyberint—an external risk management and threat intelligence company recently acquired by Check Point—shows a 160% increase in leaked credentials in 2025 compared to the previous year. The report, titled The Rise of Leaked Credentials , provides a look into not just the volume of these leaks, but how they are exploi...

A newly disclosed set of security flaws in NVIDIA's Triton Inference Server for Windows and Linux, an open-source platform for running artificial intelligence (AI) models at scale, could be exploited to take over susceptible servers. "When chained together, these flaws can potentially allow a remote, unauthenticated attacker to gain complete control of the server, achieving remote code execution (RCE)," Wiz researchers Ronen Shustin and Nir Ohfeld said in a report published today. The vulnerabilities are listed below - CVE-2025-23319 (CVSS score: 8.1) - A vulnerability in the Python backend, where an attacker could cause an out-of-bounds write by sending a request CVE-2025-23320 (CVSS score: 7.5) - A vulnerability in the Python backend, where an attacker could cause the shared memory limit to be exceeded by sending a very large request CVE-2025-23334 (CVSS score: 5.9) - A vulnerability in the Python backend, where an attacker could cause an out-of-bounds rea...

Malware isn't just trying to hide anymore—it's trying to belong. We're seeing code that talks like us, logs like us, even documents itself like a helpful teammate. Some threats now look more like developer tools than exploits. Others borrow trust from open-source platforms, or quietly build themselves out of AI-written snippets. It's not just about being malicious—it's about being believable. In this week's cybersecurity recap, we explore how today's threats are becoming more social, more automated, and far too sophisticated for yesterday's instincts to catch. ⚡ Threat of the Week Secret Blizzard Conduct ISP-Level AitM Attacks to Deploy ApolloShadow — Russian cyberspies are abusing local internet service providers' networks to target foreign embassies in Moscow and likely collect intelligence from diplomats' devices. The activity has been attributed to the Russian advanced persistent threat (APT) known as Secret Blizzard (aka Turla). It likely involves using an adversary-...

Some risks don't breach the perimeter—they arrive through signed software, clean resumes, or sanctioned vendors still hiding in plain sight. This week, the clearest threats weren't the loudest—they were the most legitimate-looking. In an environment where identity, trust, and tooling are all interlinked, the strongest attack path is often the one that looks like it belongs. Security teams are now challenged to defend systems not just from intrusions—but from trust itself being turned into a weapon. ⚡ Threat of the Week Microsoft SharePoint Attacks Traced to China — The fallout from an attack spree targeting defects in on-premises Microsoft SharePoint servers continues to spread a week after the discovery of the zero-day exploits, with more than 400 organizations globally compromised. The attacks have been attributed to two known Chinese hacking groups tracked as Linen Typhoon (aka APT27), Violet Typhoon (aka APT31), and a suspected China-based threat actor codenamed Storm-2603 t...

The notorious cybercrime group known as Scattered Spider is targeting VMware ESXi hypervisors in attacks targeting retail, airline, and transportation sectors in North America. "The group's core tactics have remained consistent and do not rely on software exploits. Instead, they use a proven playbook centered on phone calls to an IT help desk," Google's Mandiant team said in an extensive analysis. "The actors are aggressive, creative, and particularly skilled at using social engineering to bypass even mature security programs. Their attacks are not opportunistic but are precise, campaign-driven operations aimed at an organization's most critical systems and data." Also called 0ktapus, Muddled Libra, Octo Tempest, and UNC3944, the threat actors have a history of conducting advanced social engineering attacks to obtain initial access to victim environments and then adopting a "living-off-the-land" (LotL) approach by manipulating trusted ad...

Even in well-secured environments, attackers are getting in—not with flashy exploits, but by quietly taking advantage of weak settings, outdated encryption, and trusted tools left unprotected. These attacks don't depend on zero-days. They work by staying unnoticed—slipping through the cracks in what we monitor and what we assume is safe. What once looked suspicious now blends in, thanks to modular techniques and automation that copy normal behavior. The real concern? Control isn't just being challenged—it's being quietly taken. This week's updates highlight how default settings, blurred trust boundaries, and exposed infrastructure are turning everyday systems into entry points. ⚡ Threat of the Week Critical SharePoint Zero-Day Actively Exploited (Patch Released Today) — Microsoft has released fixes to address two security flaws in SharePoint Server that have come under active exploitation in the wild to breach dozens of organizations across the world. Details of exploitation emer...

A critical security vulnerability in Microsoft SharePoint Server has been weaponized as part of an "active, large-scale" exploitation campaign. The zero-day flaw, tracked as CVE-2025-53770 (CVSS score: 9.8), has been described as a variant of CVE-2025-49704 (CVSS score: 8.8), a code injection and remote code execution bug in Microsoft SharePoint Server that was addressed by the tech giant as part of its July 2025 Patch Tuesday updates. "Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network," Microsoft said in an advisory released on July 19, 2025. The Windows maker further noted that it's preparing and fully testing a comprehensive update to resolve the issue. It credited Viettel Cyber Security for discovering and reporting the flaw through Trend Micro's Zero Day Initiative (ZDI). In a separate alert issued Saturday, Redmond said it's aware of active attacks ta...

Cybersecurity researchers have shed light on a new ransomware-as-a-service (RaaS) operation called GLOBAL GROUP that has targeted a wide range of sectors in Australia, Brazil, Europe, and the United States since its emergence in early June 2025. GLOBAL GROUP was "promoted on the Ramp4u forum by the threat actor known as '$$$,'" EclecticIQ researcher Arda Büyükkaya said . "The same actor controls the BlackLock RaaS and previously managed Mamona ransomware operations." It's believed that GLOBAL GROUP is a rebranding of BlackLock after the latter's data leak site was defaced by the DragonForce ransomware cartel back in March. It's worth mentioning that BlackLock in itself is a rebrand of another RaaS scheme known as Eldorado. The financially motivated group has been found to lean heavily on initial access brokers (IABs) to deploy the ransomware by weaponizing access to vulnerable edge appliances from Cisco, Fortinet, and Palo Alto Networks. Al...

While phishing and ransomware dominate headlines, another critical risk quietly persists across most enterprises: exposed Git repositories leaking sensitive data. A risk that silently creates shadow access into core systems Git is the backbone of modern software development, hosting millions of repositories and serving thousands of organizations worldwide. Yet, amid the daily hustle of shipping code, developers may inadvertently leave behind API keys, tokens, or passwords in configuration files and code files, effectively handing attackers the keys to the kingdom. This isn't just about poor hygiene; it's a systemic and growing supply chain risk. As cyber threats become more sophisticated, so do compliance requirements. Security frameworks like NIS2, SOC2, and ISO 27001 now demand proof that software delivery pipelines are hardened and third-party risk is controlled. The message is clear: securing your Git repositories is no longer optional, it's essential. Below, we look at the ris...

In cybersecurity, precision matters—and there's little room for error. A small mistake, missed setting, or quiet misconfiguration can quickly lead to much bigger problems. The signs we're seeing this week highlight deeper issues behind what might look like routine incidents: outdated tools, slow response to risks, and the ongoing gap between compliance and real security. For anyone responsible for protecting systems, the key isn't just reacting to alerts—it's recognizing the larger patterns and hidden weak spots they reveal. Here's a breakdown of what's unfolding across the cybersecurity world this week. ⚡ Threat of the Week NCA Arrests for Alleged Scattered Spider Members — The U.K. National Crime Agency (NCA) announced that four people have been arrested in connection with cyber attacks targeting major retailers Marks & Spencer, Co-op, and Harrods. The arrested individuals include two men aged 19, a third aged 17, and a 20-year-old woman. They were apprehended in the West...

Cybersecurity researchers have discovered a new hacking technique that exploits weaknesses in the eSIM technology used in modern smartphones, exposing users to severe risks. The issues impact the Kigen eUICC card. According to the Irish company's website, more than two billion SIMs in IoT devices have been enabled as of December 2020. The findings come from Security Explorations, a research lab of AG Security Research company. Kigen awarded the company a $30,000 bounty for their report. An eSIM, or embedded SIM, is a digital SIM card that's embedded directly into a device as software installed onto an Embedded Universal Integrated Circuit Card (eUICC) chip. eSIMs allow users to activate a cellular plan from a carrier without the need for a physical SIM card. eUICC software offers the ability to change operator profiles, remote provisioning, and management of SIM profiles. "The eUICC card makes it possible to install the so-called eSIM profiles into the target chi...

The U.K. National Crime Agency (NCA) on Thursday announced that four people have been arrested in connection with cyber attacks targeting major retailers Marks & Spencer, Co-op, and Harrods. The arrested individuals include two men aged 19, a third aged 17, and a 20-year-old woman. They were apprehended in the West Midlands and London on suspicion of Computer Misuse Act offenses, blackmail, money laundering, and participating in the activities of an organized crime group. All four suspects were arrested from their homes and their electronic devices have been seized for further forensic analysis. Their names were not disclosed. "Since these attacks took place, specialist NCA cybercrime investigators have been working at pace and the investigation remains one of the Agency's highest priorities," Deputy Director Paul Foster, head of the NCA's National Cyber Crime Unit, said in a statement. "Today's arrests are a significant step in that investigation ...

From overprivileged admin roles to long-forgotten vendor tokens, these attackers are slipping through the cracks of trust and access. Here's how five retail breaches unfolded, and what they reveal about... In recent months, major retailers like Adidas, The North Face, Dior, Victoria's Secret, Cartier, Marks & Spencer, and Co‑op have all been breached. These attacks weren't sophisticated malware or zero-day exploits. They were identity-driven, exploiting overprivileged access and unmonitored service accounts, and used the human layer through tactics like social engineering. Attackers didn't need to break in. They logged in. They moved through SaaS apps unnoticed, often using real credentials and legitimate sessions. And while most retailers didn't share all the technical details, the patterns are clear and recurring.  Here's a breakdown of the five recent high-profile breaches in retail: 1. Adidas: Exploiting third-party trust Adidas confirmed a data breach caused by an ...