data breach | Breaking Cybersecurity News | The Hacker News

The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed a new set of cyber attacks targeting Ukrainian institutions with information-stealing malware. The activity is aimed at military formations, law enforcement agencies, and local self-government bodies, particularly those located near Ukraine's eastern border, the agency said. The attacks involve distributing phishing emails containing a macro-enabled Microsoft Excel spreadsheet (XLSM), which, when opened, facilities the deployment of two pieces of malware, a PowerShell script taken from the PSSW100AVB ("Powershell Scripts With 100% AV Bypass") GitHub repository that opens a reverse shell, and a previously undocumented stealer dubbed GIFTEDCROOK. "File names and email subject lines reference relevant and sensitive issues such as demining, administrative fines, UAV production, and compensation for destroyed property," CERT-UA said. "These spreadsheets contain malicious code which, ...

A recently disclosed critical security flaw impacting CrushFTP has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities ( KEV ) catalog after reports emerged of active exploitation in the wild. The vulnerability is a case of authentication bypass that could permit an unauthenticated attacker to take over susceptible instances. It has been fixed in versions 10.8.4 and 11.3.1. "CrushFTP contains an authentication bypass vulnerability in the HTTP authorization header that allows a remote unauthenticated attacker to authenticate to any known or guessable user account (e.g., crushadmin), potentially leading to a full compromise," CISA said in an advisory. The shortcoming has been assigned the CVE identifier CVE-2025-31161 (CVSS score: 9.8). It bears noting that the same vulnerability was previously tracked as CVE-2025-2825 , which has now been marked Rejected in the CVE list. The development comes after th...

Today, every unpatched system, leaked password, and overlooked plugin is a doorway for attackers. Supply chains stretch deep into the code we trust, and malware hides not just in shady apps — but in job offers, hardware, and cloud services we rely on every day. Hackers don't need sophisticated exploits anymore. Sometimes, your credentials and a little social engineering are enough. This week, we trace how simple oversights turn into major breaches — and the silent threats most companies still underestimate. Let's dive in. ⚡ Threat of the Week UNC5221 Exploits New Ivanti Flaw to Drop Malware — The China-nexus cyber espionage group tracked as UNC5221 exploited a now-patched flaw in Ivanti Connect Secure, CVE-2025-22457 (CVSS score: 9.0), to deliver an in-memory dropper called TRAILBLAZE, a passive backdoor codenamed BRUSHFIRE, and the SPAWN malware suite. The vulnerability was originally patched by Ivanti on February 11, 2025, indicating that the threat actors studied the patch a...

Security operations centers (SOCs) are under pressure from both sides: threats are growing more complex and frequent, while security budgets are no longer keeping pace. Today's security leaders are expected to reduce risk and deliver results without relying on larger teams or increased spending. At the same time, SOC inefficiencies are draining resources. Studies show that up to half of all alerts are false positives, with some reports citing false positive rates as high as 99 percent . This means highly trained analysts spend a disproportionate amount of time chasing down harmless activity, wasting effort, increasing fatigue, and raising the chance of missing real threats. In this environment, the business imperative is clear: maximize the impact of every analyst and every dollar by making security operations faster, smarter, and more focused. Enter the Agentic AI SOC Analyst The agentic AI SOC Analyst is a force multiplier that enables organizations to do more with the team an...

A malicious campaign dubbed PoisonSeed is leveraging compromised credentials associated with customer relationship management (CRM) tools and bulk email providers to send spam messages containing cryptocurrency seed phrases in an attempt to drain victims' digital wallets. "Recipients of the bulk spam are targeted with a cryptocurrency seed phrase poisoning attack," Silent Push said in an analysis. "As part of the attack, PoisonSeed provides security seed phrases to get potential victims to copy and paste them into new cryptocurrency wallets for future compromising." Targets of PoisonSeed include enterprise organizations and individuals outside the cryptocurrency industry. Crypto companies like Coinbase and Ledger, and bulk email providers such as Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho are among the targeted crypto companies. The activity is assessed to be distinct from two loosely aligned threat actors Scattered Spider and CryptoChameleon , whi...

Ivanti has disclosed details of a now-patched critical security vulnerability impacting its Connect Secure product that has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-22457 (CVSS score: 9.0), concerns a case of a stack-based buffer overflow that could be exploited to execute arbitrary code on affected systems. "A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution," Ivanti said in an alert released Thursday. The flaw impacts the following products and versions - Ivanti Connect Secure (versions 22.7R2.5 and prior) - Fixed in version 22.7R2.6 (Patch released on February 11, 2025) Pulse Connect Secure (versions 9.1R18.9 and prior) - Fixed in version 22.7R2.6 (Contact Ivanti to migrate as the device has reached end-of-support as of December ...

The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed that no less than three cyber attacks were recorded against state administration bodies and critical infrastructure facilities in the country with an aim to steal sensitive data. The campaign, the agency said , involved the use of compromised email accounts to send phishing messages containing links pointing to legitimate services like DropMeFiles and Google Drive. In some instances, the links are embedded within PDF attachments. The digital missives sought to induce a false sense of urgency by claiming that a Ukrainian government agency planned to cut salaries, urging the recipient to click on the link to view the list of affected employees. Visiting these links leads to the download of a Visual Basic Script (VBS) loader that's designed to fetch and execute a PowerShell script capable of harvesting files matching a specific set of extensions and capturing screenshots. The activity, attributed to a threat ...

A maximum severity security vulnerability has been disclosed in Apache Parquet's Java Library that, if successfully exploited, could allow a remote attacker to execute arbitrary code on susceptible instances. Apache Parquet is a free and open-source columnar data file format that's designed for efficient data processing and retrieval, providing support for complex data, high-performance compression, and encoding schemes. It was first launched in 2013. The vulnerability in question is tracked as CVE-2025-30065 . It carries a CVSS score of 10.0. "Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code," the project maintainers said in an advisory. According to Endor Labs, successful exploitation of the flaw requires tricking a vulnerable system into reading a specially crafted Parquet file to obtain code execution. "This vulnerability can impact data pipelines and analytics systems...

When assessing an organization's external attack surface, encryption-related issues (especially SSL misconfigurations) receive special attention . Why? Their widespread use, configuration complexity, and visibility to attackers as well as users make them more likely to be exploited.  This highlights how important your SSL configurations are in maintaining your web application security and minimizing your attack surface. However, research shows that most (53.5%) websites have  inadequate security and that  weak SSL/TLS configuration is amongst the most common application vulnerabilities. Get your SSL configuration right, and you'll enhance your cyber resilience and keep your apps and data safe. Get it wrong, however, and you can increase your organization's attack surface, exposing your business to more cyberattacks. We'll explore the impacts of SSL misconfigurations and explain why they present such a significant attack surface risk. Then, we'll show you how a s...

A new sophisticated phishing-as-a-service (PhaaS) platform called Lucid has targeted 169 entities in 88 countries using smishing messages propagated via Apple iMessage and Rich Communication Services (RCS) for Android. Lucid's unique selling point lies in its weaponizing of legitimate communication platforms to sidestep traditional SMS-based detection mechanisms. "Its scalable, subscription-based model enables cybercriminals to conduct large-scale phishing campaigns to harvest credit card details for financial fraud," Swiss cybersecurity company PRODAFT said in a technical report shared with The Hacker News. "Lucid leverages Apple iMessage and Android's RCS technology, bypassing traditional SMS spam filters and significantly increasing delivery and success rates." Lucid is assessed to be the work of a Chinese-speaking hacking crew called the XinXin group (aka Black Technology), with the phishing campaigns mainly targeting Europe, the United Kingdom, an...

Cybersecurity researchers are warning of a spike in suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways, with nearly 24,000 unique IP addresses attempting to access these portals. "This pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation," threat intelligence firm GreyNoise said . The surge is said to have commenced on March 17, 2025, sustaining at nearly 20,000 unique IP addresses per day before dropping off on March 26. At its peak, 23,958 unique IP addresses are estimated to have participated in the activity. Of these, only a smaller subset of 154 IP addresses has been flagged as malicious. The United States and Canada have emerged as the top sources of traffic, followed by Finland, the Netherlands, and Russia. The activity has primarily targeted systems in the United States, the United Kingdom, Ireland, Russia, and Sin...

The threat actors behind the zero-day exploitation of a recently-patched security vulnerability in Microsoft Windows have been found to deliver two new backdoors called SilentPrism and DarkWisp . The activity has been attributed to a suspected Russian hacking group called Water Gamayun , which is also known as EncryptHub and LARVA-208. "The threat actor deploys payloads primarily by means of malicious provisioning packages, signed .msi files, and Windows MSC files, using techniques like the IntelliJ runnerw.exe for command execution," Trend Micro researchers Aliakbar Zahravi and Ahmed Mohamed Ibrahim said in a follow-up analysis published last week. Water Gamayun has been linked to the active exploitation of CVE-2025-26633 (aka MSC EvilTwin), a vulnerability in the Microsoft Management Console (MMC) framework, to execute malware by means of a rogue Microsoft Console (.msc) file. The attack chains involve the use of provisioning packages (.ppkg), signed Microsoft Windows...

Every week, someone somewhere slips up—and threat actors slip in. A misconfigured setting, an overlooked vulnerability, or a too-convenient cloud tool becomes the perfect entry point. But what happens when the hunters become the hunted? Or when old malware resurfaces with new tricks? Step behind the curtain with us this week as we explore breaches born from routine oversights—and the unexpected cracks they reveal in systems we trust. ⚡ Threat of the Week Google Patches Actively Exploited Chrome 0-Day — Google has addressed a high-severity security flaw in its Chrome browser for Windows that has been exploited by unknown actors as part of a sophisticated attack aimed at Russian entities. The flaw, CVE-2025-2783 (CVSS score: 8.3), is said to have been combined with another exploit to break out of the browser's sandbox and achieve remote code execution. The attacks involved distributing specially crafted links via phishing emails that, when clicked and launched using Chrome, trig...

In what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process. Resecurity said it identified a security vulnerability in the data leak site (DLS) operated by the e-crime group that made it possible to extract configuration files, credentials, as well as the history of commands executed on the server. The flaw concerns a "certain misconfiguration in the Data Leak Site (DLS) of BlackLock Ransomware, leading to clearnet IP addresses disclosure related to their network infrastructure behind TOR hidden services (hosting them) and additional service information," the company said . It described the acquired history of commands as one of the biggest operational security (OPSEC) failures of BlackLock ransomware. BlackLock is a rebranded version of another ransomware group known as Eldorado . It has...

Cybersecurity researchers have disclosed 46 new security flaws in products from three solar power system vendors, Sungrow, Growatt, and SMA, that could be exploited by a bad actor to seize control of devices or execute code remotely, posing severe risks to electrical grids.  The vulnerabilities have been collectively codenamed SUN:DOWN by Forescout Vedere Labs. "The new vulnerabilities can be exploited to execute arbitrary commands on devices or the vendor's cloud, take over accounts, gain a foothold in the vendor's infrastructure, or take control of inverter owners' devices," the company said in a report shared with The Hacker News. Some of the notable flaws identified are listed below - Attackers can upload .aspx files that will be executed by the web server of SMA (sunnyportal[.]com), resulting in remote code execution Unauthenticated attackers can perform username enumeration via the exposed "server.growatt.com/userCenter.do" endpoint Unauthen...

When people think of cybersecurity threats, they often picture external hackers breaking into networks. However, some of the most damaging breaches stem from within organizations. Whether through negligence or malicious intent, insiders can expose your organization to significant cybersecurity risks. According to Verizon's 2024 Data Breach Investigations Report , 57% of companies experience over 20 insider-related security incidents a year, with human error involved in 68% of data breaches. With that, insider attacks result in the highest costs, averaging USD 4.99 million per attack, as per the 2024 Cost of a Data Breach Report by IBM Security.  What are insider threats? An insider threat originates from within an organization – it's the potential for anyone with authorized access to your critical systems to misuse their access, harming your organization. The worst part is that insiders are already within your IT perimeter and are familiar with your internal security prot...