data breach | Breaking Cybersecurity News | The Hacker News

When assessing an organization's external attack surface, encryption-related issues (especially SSL misconfigurations) receive special attention . Why? Their widespread use, configuration complexity, and visibility to attackers as well as users make them more likely to be exploited.  This highlights how important your SSL configurations are in maintaining your web application security and minimizing your attack surface. However, research shows that most (53.5%) websites have  inadequate security and that  weak SSL/TLS configuration is amongst the most common application vulnerabilities. Get your SSL configuration right, and you'll enhance your cyber resilience and keep your apps and data safe. Get it wrong, however, and you can increase your organization's attack surface, exposing your business to more cyberattacks. We'll explore the impacts of SSL misconfigurations and explain why they present such a significant attack surface risk. Then, we'll show you how a s...

A new sophisticated phishing-as-a-service (PhaaS) platform called Lucid has targeted 169 entities in 88 countries using smishing messages propagated via Apple iMessage and Rich Communication Services (RCS) for Android. Lucid's unique selling point lies in its weaponizing of legitimate communication platforms to sidestep traditional SMS-based detection mechanisms. "Its scalable, subscription-based model enables cybercriminals to conduct large-scale phishing campaigns to harvest credit card details for financial fraud," Swiss cybersecurity company PRODAFT said in a technical report shared with The Hacker News. "Lucid leverages Apple iMessage and Android's RCS technology, bypassing traditional SMS spam filters and significantly increasing delivery and success rates." Lucid is assessed to be the work of a Chinese-speaking hacking crew called the XinXin group (aka Black Technology), with the phishing campaigns mainly targeting Europe, the United Kingdom, an...

Cybersecurity researchers are warning of a spike in suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways, with nearly 24,000 unique IP addresses attempting to access these portals. "This pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation," threat intelligence firm GreyNoise said . The surge is said to have commenced on March 17, 2025, sustaining at nearly 20,000 unique IP addresses per day before dropping off on March 26. At its peak, 23,958 unique IP addresses are estimated to have participated in the activity. Of these, only a smaller subset of 154 IP addresses has been flagged as malicious. The United States and Canada have emerged as the top sources of traffic, followed by Finland, the Netherlands, and Russia. The activity has primarily targeted systems in the United States, the United Kingdom, Ireland, Russia, and Sin...

The threat actors behind the zero-day exploitation of a recently-patched security vulnerability in Microsoft Windows have been found to deliver two new backdoors called SilentPrism and DarkWisp . The activity has been attributed to a suspected Russian hacking group called Water Gamayun , which is also known as EncryptHub and LARVA-208. "The threat actor deploys payloads primarily by means of malicious provisioning packages, signed .msi files, and Windows MSC files, using techniques like the IntelliJ runnerw.exe for command execution," Trend Micro researchers Aliakbar Zahravi and Ahmed Mohamed Ibrahim said in a follow-up analysis published last week. Water Gamayun has been linked to the active exploitation of CVE-2025-26633 (aka MSC EvilTwin), a vulnerability in the Microsoft Management Console (MMC) framework, to execute malware by means of a rogue Microsoft Console (.msc) file. The attack chains involve the use of provisioning packages (.ppkg), signed Microsoft Windows...

Every week, someone somewhere slips up—and threat actors slip in. A misconfigured setting, an overlooked vulnerability, or a too-convenient cloud tool becomes the perfect entry point. But what happens when the hunters become the hunted? Or when old malware resurfaces with new tricks? Step behind the curtain with us this week as we explore breaches born from routine oversights—and the unexpected cracks they reveal in systems we trust. ⚡ Threat of the Week Google Patches Actively Exploited Chrome 0-Day — Google has addressed a high-severity security flaw in its Chrome browser for Windows that has been exploited by unknown actors as part of a sophisticated attack aimed at Russian entities. The flaw, CVE-2025-2783 (CVSS score: 8.3), is said to have been combined with another exploit to break out of the browser's sandbox and achieve remote code execution. The attacks involved distributing specially crafted links via phishing emails that, when clicked and launched using Chrome, trig...

In what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process. Resecurity said it identified a security vulnerability in the data leak site (DLS) operated by the e-crime group that made it possible to extract configuration files, credentials, as well as the history of commands executed on the server. The flaw concerns a "certain misconfiguration in the Data Leak Site (DLS) of BlackLock Ransomware, leading to clearnet IP addresses disclosure related to their network infrastructure behind TOR hidden services (hosting them) and additional service information," the company said . It described the acquired history of commands as one of the biggest operational security (OPSEC) failures of BlackLock ransomware. BlackLock is a rebranded version of another ransomware group known as Eldorado . It has...

Cybersecurity researchers have disclosed 46 new security flaws in products from three solar power system vendors, Sungrow, Growatt, and SMA, that could be exploited by a bad actor to seize control of devices or execute code remotely, posing severe risks to electrical grids.  The vulnerabilities have been collectively codenamed SUN:DOWN by Forescout Vedere Labs. "The new vulnerabilities can be exploited to execute arbitrary commands on devices or the vendor's cloud, take over accounts, gain a foothold in the vendor's infrastructure, or take control of inverter owners' devices," the company said in a report shared with The Hacker News. Some of the notable flaws identified are listed below - Attackers can upload .aspx files that will be executed by the web server of SMA (sunnyportal[.]com), resulting in remote code execution Unauthenticated attackers can perform username enumeration via the exposed "server.growatt.com/userCenter.do" endpoint Unauthen...

When people think of cybersecurity threats, they often picture external hackers breaking into networks. However, some of the most damaging breaches stem from within organizations. Whether through negligence or malicious intent, insiders can expose your organization to significant cybersecurity risks. According to Verizon's 2024 Data Breach Investigations Report , 57% of companies experience over 20 insider-related security incidents a year, with human error involved in 68% of data breaches. With that, insider attacks result in the highest costs, averaging USD 4.99 million per attack, as per the 2024 Cost of a Data Breach Report by IBM Security.  What are insider threats? An insider threat originates from within an organization – it's the potential for anyone with authorized access to your critical systems to misuse their access, harming your organization. The worst part is that insiders are already within your IT perimeter and are familiar with your internal security prot...

Threat actors are leveraging an e-crime tool called Atlantis AIO Multi-Checker to automate credential stuffing attacks, according to findings from Abnormal Security. Atlantis AIO "has emerged as a powerful weapon in the cybercriminal arsenal, enabling attackers to test millions of stolen credentials in rapid succession," the cybersecurity company said in an analysis. Credential stuffing is a type of cyber attack in which an adversary collects stolen account credentials, typically consisting of lists of usernames or email addresses and passwords, and then uses them to gain unauthorized access to user accounts on unrelated systems through large-scale automated login requests. Such credentials could be obtained from a data breach of a social media service or be acquired from underground forums where they are advertised for sale by other threat actors. Credential stuffing is also different from brute-force attacks, which revolve around cracking passwords, login credential...

A major telecommunications company located in Asia was allegedly breached by Chinese state-sponsored hackers who spent over four years inside its systems, according to a new report from incident response firm Sygnia. The cybersecurity company is tracking the activity under the name Weaver Ant , describing the threat actor as stealthy and highly persistent. The name of the telecom provider was not disclosed. "Using web shells and tunneling, the attackers maintained persistence and facilitated cyber espionage," Sygnia said . "The group behind this intrusion [...] aimed to gain and maintain continuous access to telecommunication providers and facilitate cyber espionage by collecting sensitive information." Oren Biderman, Incident Response and Digital Forensic Team Leader at Sygnia, told The Hacker News that Weaver Ant exploited a misconfiguration in a public-facing application to obtain an initial foothold into the target environment. The attack chain is said to h...

A ransomware-as-a-service (RaaS) operation called VanHelsing has already claimed three victims since it launched on March 7, 2025, demanding ransoms as high as $500,000. "The RaaS model allows a wide range of participants, from experienced hackers to newcomers, to get involved with a $5,000 deposit. Affiliates keep 80% of the ransom payments, while the core operators earn 20%," Check Point said in a report published over the weekend. "The only rule is not to target the Commonwealth of Independent States (CIS)." As with any affiliate-backed ransomware program, VanHelsing claims to offer the ability to target a wide range of operating systems, including Windows, Linux, BSD, Arm, and ESXi. It also employs what's called the double extortion model of stealing data prior to encryption and threatening to leak the information unless the victim pays up. The RaaS operators have also revealed that the scheme offers a control panel that works "seamlessly" o...

Threat hunters have uncovered a new threat actor named UAT-5918 that has been attacking critical infrastructure entities in Taiwan since at least 2023. "UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim environments for information theft and credential harvesting," Cisco Talos researchers Jungsoo An, Asheer Malhotra, Brandon White, and Vitor Ventura said . Besides critical infrastructure, some of the other targeted verticals include information technology, telecommunications, academia, and healthcare. Assessed to be an advanced persistent threat (APT) group looking to establish long-term persistent access in victim environments, UAT-5918 is said to share tactical overlaps with several Chinese hacking crews tracked as Volt Typhoon , Flax Typhoon , Tropic Trooper , Earth Estries , and Dalb...

The threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a bring your own vulnerable driver ( BYOVD ) attack designed to disable anti-malware tools. Elastic Security Labs said it observed a Medusa ransomware attack that delivered the encryptor by means of a loader packed using a packer-as-a-service (PaaS) called HeartCrypt. "This loader was deployed alongside a revoked certificate-signed driver from a Chinese vendor we named ABYSSWORKER, which it installs on the victim machine and then uses to target and silence different EDR vendors," the company said in a report. The driver in question, "smuol.sys," mimics a legitimate CrowdStrike Falcon driver ("CSAgent.sys"). Dozens of ABYSSWORKER artifacts have been detected on the VirusTotal platform dating from August 8, 2024, to February 25, 2025. All the identified samples are signed using likely stolen, revoked ce...