data breach | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have found that threat actors are setting up deceptive websites hosted on newly registered domains to deliver a known Android malware called SpyNote . These bogus websites masquerade as Google Play Store install pages for apps like the Chrome web browser, indicating an attempt to deceive unsuspecting users into installing the malware instead. "The threat actor utilized a mix of English and Chinese-language delivery sites and included Chinese-language comments within the delivery site code and the malware itself," the DomainTools Investigations (DTI) team said in a report shared with The Hacker News. SpyNote (aka SpyMax) is a remote access trojan long known for its ability to harvest sensitive data from compromised Android devices by abusing accessibility services. In May 2024, the malware was propagated via another bogus site impersonating a legitimate antivirus solution known as Avast. Subsequent analysis by mobile security firm Zimperium h...

A Chinese-affiliated threat actor known for its cyber-attacks in Asia has been observed exploiting a security flaw in security software from ESET to deliver a previously undocumented malware codenamed TCESB . "Previously unseen in ToddyCat attacks, [TCESB] is designed to stealthily execute payloads in circumvention of protection and monitoring tools installed on the device," Kaspersky said in an analysis published this week. ToddyCat is the name given to a threat activity cluster that has targeted several entities in Asia, with attacks dating all the way back to at least December 2020. Last year, the Russian cybersecurity vendor detailed the hacking group's use of various tools to maintain persistent access to compromised environments and harvest data on an "industrial scale" from organizations located in the Asia-Pacific region. Kaspersky said its investigation into ToddyCat-related incidents in early 2024 unearthed a suspicious DLL file ("version...

GitGuardian's State of Secrets Sprawl report for 2025 reveals the alarming scale of secrets exposure in modern software environments. Driving this is the rapid growth of non-human identities (NHIs), which have been outnumbering human users for years. We need to get ahead of it and prepare security measures and governance for these machine identities as they continue to be deployed, creating an unprecedented level of security risk. This report reveals an astounding 23.77 million new secrets were leaked on GitHub in 2024 alone. This is a 25% surge from the previous year. This dramatic increase highlights how the proliferation of non-human identities (NHIs), such as service accounts, microservices, and AI agents, are rapidly expanding the attack surface for threat actors. The Non-Human Identity Crisis NHI secrets, including API keys, service accounts, and Kubernetes workers, now outnumber human identities by at least 45-to-1 in DevOps environments. These machine-based credentials...

Microsoft has revealed that a now-patched security flaw impacting the Windows Common Log File System (CLFS) was exploited as a zero-day in ransomware attacks aimed at a small number of targets. "The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia," the tech giant said . The vulnerability in question is CVE-2025-29824, a privilege escalation bug in CLFS that could be exploited to achieve SYSTEM privileges. It was fixed by Redmond as part of its Patch Tuesday update for April 2025. Microsoft is tracking the activity and the post-compromise exploitation of CVE-2025-29824 under the moniker Storm-2460, with the threat actors also leveraging a malware named PipeMagic to deliver the exploit as well as ransomware payloads. The exact initial access vector used in the attacks is currently not known. However, the threa...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw impacting Gladinet CentreStack to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation in the wild. The vulnerability, tracked as CVE-2025-30406 (CVSS score: 9.0), concerns a case of a hard-coded cryptographic key that could be abused to achieve remote code execution. It has been addressed in version 16.4.10315.56368 released on April 3, 2025. "Gladinet CentreStack contains a use of hard-coded cryptographic key vulnerability in the way that the application manages keys used for ViewState integrity verification," CISA said. "Successful exploitation allows an attacker to forge ViewState payloads for server-side deserialization, allowing for remote code execution." Specifically, the shortcoming is rooted in the use of a hard-code "machineKey" in the IIS web.config file, which enables threat actors with knowl...

Adobe has released security updates to fix a fresh set of security flaws, including multiple critical-severity bugs in ColdFusion versions 2025, 2023 and 2021 that could result in arbitrary file read and code execution. Of the 30 flaws in the product, 11 are rated Critical in severity - CVE-2025-24446 (CVSS score: 9.1) - An improper input validation vulnerability that could result in an arbitrary file system read CVE-2025-24447 (CVSS score: 9.1) - A deserialization of untrusted data vulnerability that could result in arbitrary code execution CVE-2025-30281 (CVSS score: 9.1) - An improper access control vulnerability that could result in an arbitrary file system read CVE-2025-30282 (CVSS score: 9.1) - An improper authentication vulnerability that could result in arbitrary code execution CVE-2025-30284 (CVSS score: 8.0) - A deserialization of untrusted data vulnerability that could result in arbitrary code execution CVE-2025-30285 (CVSS score: 8.0) - A deserialization of ...

Threat actors have been observed distributing malicious payloads such as cryptocurrency miner and clipper malware via SourceForge , a popular software hosting service, under the guise of cracked versions of legitimate applications like Microsoft Office. "One such project, officepackage, on the main website sourceforge.net, appears harmless enough, containing Microsoft Office add-ins copied from a legitimate GitHub project," Kaspersky said in a report published today. "The description and contents of officepackage provided below were also taken from GitHub." While every project created on sourceforge.net gets assigned a "<project>.sourceforge.io" domain name, the Russian cybersecurity company found that the domain for officepackage, "officepackage.sourceforge[.]io," displays a long list of Microsoft Office applications and corresponding links to download them in Russian. On top of that, hovering over the download button reveals a seemi...

The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed a new set of cyber attacks targeting Ukrainian institutions with information-stealing malware. The activity is aimed at military formations, law enforcement agencies, and local self-government bodies, particularly those located near Ukraine's eastern border, the agency said. The attacks involve distributing phishing emails containing a macro-enabled Microsoft Excel spreadsheet (XLSM), which, when opened, facilities the deployment of two pieces of malware, a PowerShell script taken from the PSSW100AVB ("Powershell Scripts With 100% AV Bypass") GitHub repository that opens a reverse shell, and a previously undocumented stealer dubbed GIFTEDCROOK. "File names and email subject lines reference relevant and sensitive issues such as demining, administrative fines, UAV production, and compensation for destroyed property," CERT-UA said. "These spreadsheets contain malicious code which, ...

A recently disclosed critical security flaw impacting CrushFTP has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities ( KEV ) catalog after reports emerged of active exploitation in the wild. The vulnerability is a case of authentication bypass that could permit an unauthenticated attacker to take over susceptible instances. It has been fixed in versions 10.8.4 and 11.3.1. "CrushFTP contains an authentication bypass vulnerability in the HTTP authorization header that allows a remote unauthenticated attacker to authenticate to any known or guessable user account (e.g., crushadmin), potentially leading to a full compromise," CISA said in an advisory. The shortcoming has been assigned the CVE identifier CVE-2025-31161 (CVSS score: 9.8). It bears noting that the same vulnerability was previously tracked as CVE-2025-2825 , which has now been marked Rejected in the CVE list. The development comes after th...

Today, every unpatched system, leaked password, and overlooked plugin is a doorway for attackers. Supply chains stretch deep into the code we trust, and malware hides not just in shady apps — but in job offers, hardware, and cloud services we rely on every day. Hackers don't need sophisticated exploits anymore. Sometimes, your credentials and a little social engineering are enough. This week, we trace how simple oversights turn into major breaches — and the silent threats most companies still underestimate. Let's dive in. ⚡ Threat of the Week UNC5221 Exploits New Ivanti Flaw to Drop Malware — The China-nexus cyber espionage group tracked as UNC5221 exploited a now-patched flaw in Ivanti Connect Secure, CVE-2025-22457 (CVSS score: 9.0), to deliver an in-memory dropper called TRAILBLAZE, a passive backdoor codenamed BRUSHFIRE, and the SPAWN malware suite. The vulnerability was originally patched by Ivanti on February 11, 2025, indicating that the threat actors studied the patch a...

A malicious campaign dubbed PoisonSeed is leveraging compromised credentials associated with customer relationship management (CRM) tools and bulk email providers to send spam messages containing cryptocurrency seed phrases in an attempt to drain victims' digital wallets. "Recipients of the bulk spam are targeted with a cryptocurrency seed phrase poisoning attack," Silent Push said in an analysis. "As part of the attack, PoisonSeed provides security seed phrases to get potential victims to copy and paste them into new cryptocurrency wallets for future compromising." Targets of PoisonSeed include enterprise organizations and individuals outside the cryptocurrency industry. Crypto companies like Coinbase and Ledger, and bulk email providers such as Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho are among the targeted crypto companies. The activity is assessed to be distinct from two loosely aligned threat actors Scattered Spider and CryptoChameleon , whi...

Ivanti has disclosed details of a now-patched critical security vulnerability impacting its Connect Secure product that has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-22457 (CVSS score: 9.0), concerns a case of a stack-based buffer overflow that could be exploited to execute arbitrary code on affected systems. "A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution," Ivanti said in an alert released Thursday. The flaw impacts the following products and versions - Ivanti Connect Secure (versions 22.7R2.5 and prior) - Fixed in version 22.7R2.6 (Patch released on February 11, 2025) Pulse Connect Secure (versions 9.1R18.9 and prior) - Fixed in version 22.7R2.6 (Contact Ivanti to migrate as the device has reached end-of-support as of December ...

The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed that no less than three cyber attacks were recorded against state administration bodies and critical infrastructure facilities in the country with an aim to steal sensitive data. The campaign, the agency said , involved the use of compromised email accounts to send phishing messages containing links pointing to legitimate services like DropMeFiles and Google Drive. In some instances, the links are embedded within PDF attachments. The digital missives sought to induce a false sense of urgency by claiming that a Ukrainian government agency planned to cut salaries, urging the recipient to click on the link to view the list of affected employees. Visiting these links leads to the download of a Visual Basic Script (VBS) loader that's designed to fetch and execute a PowerShell script capable of harvesting files matching a specific set of extensions and capturing screenshots. The activity, attributed to a threat ...

A maximum severity security vulnerability has been disclosed in Apache Parquet's Java Library that, if successfully exploited, could allow a remote attacker to execute arbitrary code on susceptible instances. Apache Parquet is a free and open-source columnar data file format that's designed for efficient data processing and retrieval, providing support for complex data, high-performance compression, and encoding schemes. It was first launched in 2013. The vulnerability in question is tracked as CVE-2025-30065 . It carries a CVSS score of 10.0. "Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code," the project maintainers said in an advisory. According to Endor Labs, successful exploitation of the flaw requires tricking a vulnerable system into reading a specially crafted Parquet file to obtain code execution. "This vulnerability can impact data pipelines and analytics systems...