data security | Breaking Cybersecurity News | The Hacker News

Elastic has rolled out security updates to address a critical security flaw impacting the Kibana data visualization dashboard software for Elasticsearch that could result in arbitrary code execution. The vulnerability, tracked as CVE-2025-25015 , carries a CVSS score of 9.9 out of a maximum of 10.0. It has been described as a case of prototype pollution. "Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests," the company said in an advisory released Wednesday. Prototype pollution vulnerability is a security flaw that allows attackers to manipulate an application's JavaScript objects and properties, potentially leading to unauthorized data access, privilege escalation, denial-of-service, or remote code execution.  The vulnerability affects all versions of Kibana between 8.15.0 and 8.17.3. It has been addressed in version 8.17.3. That said, in Kibana versions from 8.15.0 and prior to 8.17....

Cybersecurity researchers have uncovered two malicious machine learning (ML) models on Hugging Face that leveraged an unusual technique of "broken" pickle files to evade detection. "The pickle files extracted from the mentioned PyTorch archives revealed the malicious Python content at the beginning of the file," ReversingLabs researcher Karlo Zanki said in a report shared with The Hacker News. "In both cases, the malicious payload was a typical platform-aware reverse shell that connects to a hard-coded IP address." The approach has been dubbed nullifAI, as it involves clearcut attempts to sidestep existing safeguards put in place to identify malicious models. The Hugging Face repositories have been listed below - glockr1/ballr7 who-r-u0000/0000000000000000000000000000000000000 It's believed that the models are more of a proof-of-concept (PoC) than an active supply chain attack scenario. The pickle serialization format, used commonly for dis...

In cybersecurity, confidence is a double-edged sword. Organizations often operate under a false sense of security , believing that patched vulnerabilities, up-to-date tools, polished dashboards, and glowing risk scores guarantee safety. The reality is a bit of a different story. In the real world, checking the right boxes doesn't equal being secure. As Sun Tzu warned, "Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat." Two and a half millennia later, the concept still holds: your organization's cybersecurity defenses must be strategically validated under real-world conditions to ensure your business's very survival. Today, more than ever, you need Adversarial Exposure Validation (AEV) , the essential strategy that's still missing from most security frameworks. The Danger of False Confidence Conventional wisdom suggests that if you've patched known bugs, deployed a stack of well-regarded security tools, and passed the nec...

Broadcom has released security updates to patch five security flaws impacting VMware Aria Operations and Aria Operations for Logs, warning customers that attackers could exploit them to gain elevated access or obtain sensitive information. The list of identified flaws, which impact versions 8.x of the software, is below - CVE-2025-22218 (CVSS score: 8.5) - A malicious actor with View Only Admin permissions may be able to read the credentials of a VMware product integrated with VMware Aria Operations for Logs CVE-2025-22219 (CVSS score: 6.8) - A malicious actor with non-administrative privileges may be able to inject a malicious script that may lead to arbitrary operations as admin user via a stored cross-site scripting (XSS) attack CVE-2025-22220 (CVSS score: 4.3) - A malicious actor with non-administrative privileges and network access to Aria Operations for Logs API may be able to perform certain operations in the context of an admin user CVE-2025-22221 (CVSS score: 5.2) ...

Over 57 distinct threat actors with ties to China, Iran, North Korea, and Russia have been observed using artificial intelligence (AI) technology powered by Google to further enable their malicious cyber and information operations. "Threat actors are experimenting with Gemini to enable their operations, finding productivity gains but not yet developing novel capabilities," Google Threat Intelligence Group (GTIG) said in a new report. "At present, they primarily use AI for research, troubleshooting code, and creating and localizing content." Government-backed attackers, otherwise known as Advanced Persistent Threat (APT) groups, have sought to use its tools to bolster multiple phases of the attack cycle, including coding and scripting tasks, payload development, gathering information about potential targets, researching publicly known vulnerabilities, and enabling post-compromise activities, such as defense evasion. Describing Iranian APT actors as the "he...

Cybersecurity researchers have disclosed a critical security flaw in the Lightning AI Studio development platform that, if successfully exploited, could have allowed for remote code execution. The vulnerability, rated a CVSS score of 9.4, enables "attackers to potentially execute arbitrary commands with root privileges" by exploiting a hidden URL parameter, application security firm Noma said in a report shared with The Hacker News. "This level of access could hypothetically be leveraged for a range of malicious activities, including the extraction of sensitive keys from targeted accounts," researchers Sasi Levi, Alon Tron, and Gal Moyal said. The issue is embedded in a piece of JavaScript code that could facilitate unfettered access to a victim's development environment, as well as run arbitrary commands on an authenticated target in a privileged context. Noma said it found a hidden parameter called "command" in user-specific URLs – e.g., ...

The job of a SOC analyst has never been easy. Faced with an overwhelming flood of daily alerts, analysts (and sometimes IT teams who are doubling as SecOps) must try and triage thousands of security alerts—often false positives—just to identify a handful of real threats. This relentless, 24/7 work leads to alert fatigue, desensitization, and increased risk of missing critical security incidents. Studies show that 70% of SOC analysts experience severe stress, and 65% consider leaving their jobs within a year . This makes retention a major challenge for security teams, especially in light of the existing shortage of skilled security analysts . On the operational side, analysts spend more time on repetitive, manual tasks like investigating alerts, and resolving and documenting incidents than they do on proactive security measures. Security teams struggle with configuring and maintaining SOAR playbooks as the cyber landscape rapidly changes. To top this all off, tool overload and siloed ...

Curious about the buzz around AI in cybersecurity? Wonder if it's just a shiny new toy in the tech world or a serious game changer? Let's unpack this together in a not-to-be-missed webinar that goes beyond the hype to explore the real impact of AI on cybersecurity. Join Ravid Circus , a seasoned pro in cybersecurity and AI, as we peel back the layers of AI in cybersecurity through a revealing survey of 200 industry insiders. This isn't your average tech talk; it's a down-to-earth, insightful discussion about what AI is actually doing for us today. Why Tune In? Get the Inside Scoop: How are real-world security teams using AI right now? Learn about the genuine perks and the real snags, from data hiccups to transparency troubles. Boost Your Cyber Defenses: Discover which cybersecurity corners AI is revolutionizing the most. It's about pinpointing where AI can really beef up your security measures. Walk Away With a Game Plan: This isn't just about high-level idea...

Every week seems to bring news of another data breach, and it's no surprise why: securing sensitive data has become harder than ever. And it's not just because companies are dealing with orders of magnitude more data. Data flows and user roles are constantly shifting, and data is stored across multiple technologies and cloud environments. Not to mention, compliance requirements are only getting stricter and more elaborate.  The problem is that while the data landscape has evolved rapidly, the usual strategies for securing that data are stuck in the past. Gone are the days when data lived in predictable places, with access controlled by a chosen few. Today, practically every department in the business needs to use customer data, and AI adoption means huge datasets, and a constant flux of permissions, use cases, and tools. Security teams are struggling to implement effective strategies for securing sensitive data, and a new crop of tools, called data security platforms, have appear...

The Indian government has published a draft version of the Digital Personal Data Protection (DPDP) Rules for public consultation. "Data fiduciaries must provide clear and accessible information about how personal data is processed, enabling informed consent," India's Press Information Bureau (PIB) said in a statement released Sunday. "Citizens are empowered with rights to demand data erasure, appoint digital nominees, and access user-friendly mechanisms to manage their data." The rules, which seek to operationalize the Digital Personal Data Protection Act, 2023, also give citizens greater control over their data, providing them with options for giving informed consent to processing their information, as well as the right to erase with digital platforms and address grievances. Companies operating in India are further required to implement security measures, such as encryption, access control, and data backups, to safeguard personal data, and ensure its c...

The U.S. Department of Justice (DoJ) has issued a final rule carrying out Executive Order (EO) 14117, which prevents mass transfer of citizens' personal data to countries of concern such as China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. "This final rule is a crucial step forward in addressing the extraordinary national security threat posed of our adversaries exploiting Americans' most sensitive personal data," said Assistant Attorney General Matthew G. Olsen of the Justice Department's National Security Division. "This powerful new national-security program is designed to ensure that Americans' personal data is no longer permitted to be sold to hostile foreign powers, whether through outright purchase or other means of commercial access." Back in February 2024, U.S. President Joe Biden signed an executive order to address the national security risk posed by unauthorized access to Americans' sensitiv...

Meta Platforms, the parent company of Facebook, Instagram, WhatsApp, and Threads, has been fined €251 million (around $263 million) for a 2018 data breach that impacted millions of users in the bloc, in what's the latest financial hit the company has taken for flouting stringent privacy laws. The Irish Data Protection Commission (DPC) said the data breach impacted approximately 29 million Facebook accounts globally, of which approximately 3 million were based in the European Union and European Economic Area (EEA). It's worth noting that initial estimates from the tech giant had pegged the total number of affected accounts at 50 million. The incident, which the social media company disclosed back in September 2018, arose from a bug that was introduced to Facebook's systems in July 2017, allowing unknown threat actors to exploit the "View As" feature that lets a user see their own profile as someone else. This ultimately made it possible to obtain account ac...

Cybersecurity researchers have disclosed multiple security flaws impacting open-source machine learning (ML) tools and frameworks such as MLflow, H2O, PyTorch, and MLeap that could pave the way for code execution. The vulnerabilities, discovered by JFrog, are part of a broader collection of 22 security shortcomings the supply chain security company first disclosed last month. Unlike the first set that involved flaws on the server-side, the newly detailed ones allow exploitation of ML clients and reside in libraries that handle safe model formats like Safetensors . "Hijacking an ML client in an organization can allow the attackers to perform extensive lateral movement within the organization," the company said . "An ML client is very likely to have access to important ML services such as ML Model Registries or MLOps Pipelines." This, in turn, could expose sensitive information such as model registry credentials, effectively permitting a malicious actor to back...

The China-aligned advanced persistent threat (APT) actor known as Gelsemium has been observed using a new Linux backdoor dubbed WolfsBane as part of cyber attacks likely targeting East and Southeast Asia. That's according to findings from cybersecurity firm ESET based on multiple Linux samples uploaded to the VirusTotal platform from Taiwan, the Philippines, and Singapore in March 2023. WolfsBane has been assessed to be a Linux version of the threat actor's Gelsevirine backdoor, a Windows malware put to use as far back as 2014. Also discovered by the company is another previously undocumented implant named FireWood that's connected to a different malware toolset known as Project Wood . FireWood has been attributed to Gelsemium with low confidence, given the possibility that it could be shared by multiple China-linked hacking crews. "The goal of the backdoors and tools discovered is cyber espionage targeting sensitive data such as system information, user crede...

Now-patched security flaws impacting Progress Kemp LoadMaster and VMware vCenter Server have come under active exploitation in the wild, it has emerged. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added CVE-2024-1212 (CVSS score: 10.0), a maximum-severity security vulnerability in Progress Kemp LoadMaster to its Known Exploited Vulnerabilities ( KEV ) catalog. It was addressed by Progress Software back in February 2024 . "Progress Kemp LoadMaster contains an OS command injection vulnerability that allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbitrary system command execution," the agency said. Rhino Security Labs, which discovered and reported the flaw, said successful exploitation enables command execution on LoadMaster should an attacker have access to the administrator web user interface, granting them full access to the load balancer. CISA's addition of ...

INTERPOL on Tuesday said it took down more than 22,000 malicious servers linked to various cyber threats as part of a global operation. Dubbed Operation Synergia II, the coordinated effort ran from April 1 to August 31, 2024, targeting phishing, ransomware, and information stealer infrastructure. "Of the approximately 30,000 suspicious IP addresses identified, 76 per cent were taken down and 59 servers were seized," INTERPOL said . "Additionally, 43 electronic devices, including laptops, mobile phones and hard disks were seized." The actions also led to the arrest of 41 individuals, with 65 others still under investigation. Some of the other key outcomes across countries are listed below - Takedown of more than 1,037 servers by Hong Kong police Seizure of a server and the identification of 93 individuals with links to illegal cyber activities in Mongolia Disruption of 291 servers in Macau Identification of 11 individuals with links to malicious servers and...

Taiwanese network-attached storage (NAS) appliance maker Synology has addressed a critical security flaw impacting DiskStation and BeePhotos that could lead to remote code execution. Tracked as CVE-2024-10443 and dubbed RISK:STATION by Midnight Blue, the zero-day flaw was demonstrated at the Pwn2Own Ireland 2024 hacking contest by security researcher Rick de Jager. RISK:STATION is an "unauthenticated zero-click vulnerability allowing attackers to obtain root-level code execution on the popular Synology DiskStation and BeeStation NAS devices, affecting millions of devices," the Dutch company said . The zero-click nature of the vulnerability means it does not require any user interaction to trigger the exploitation, thereby allowing attackers to gain access to the devices to steal sensitive data and plant additional malware. The flaw impacts the following versions - BeePhotos for BeeStation OS 1.0 (Upgrade to 1.0.2-10026 or above) BeePhotos for BeeStation OS 1.1 (Upgr...

Microsoft is further delaying the release of its controversial Recall feature for Windows Copilot+ PCs, stating it's taking the time to improve the experience. The development was first reported by The Verge. The artificial intelligence-powered tool was initially slated for a preview release starting in October. "We are committed to delivering a secure and trusted experience with Recall," the company said in an updated statement released Thursday. "To ensure we deliver on these important updates, we're taking additional time to refine the experience before previewing it with Windows Insiders. Originally planned for October, Recall will now be available for preview with Windows Insiders on Copilot+ PCs by December" Microsoft unveiled Recall earlier this May, describing it as a way for users to explore a "visual timeline" of their screens over time and help find things from apps, websites, images, and documents. The search experience was meant...