threat detection | Breaking Cybersecurity News | The Hacker News

The evolution of cyber threats has forced organizations across all industries to rethink their security strategies. As attackers become more sophisticated — leveraging encryption, living-off-the-land techniques, and lateral movement to evade traditional defenses — security teams are finding more threats wreaking havoc before they can be detected. Even after an attack has been identified, it can be hard for security teams to prove to auditors that they have fully mitigated the issues that allowed the attackers in. Security teams worldwide have prioritized endpoint detection and response (EDR), which has become so effective that threat actors have changed their tactics to avoid attack vectors protected by host-based defenses. These advanced threats are particularly vexing for critical infrastructure providers in financial services , energy and utilities , transportation , and government agencies that may have proprietary systems that cannot be protected by traditional endpoint securi...

Embedded Linux-based Internet of Things (IoT) devices have become the target of a new botnet dubbed PumaBot . Written in Go, the botnet is designed to conduct brute-force attacks against SSH instances to expand in size and scale and deliver additional malware to the infected hosts. "Rather than scanning the internet, the malware retrieves a list of targets from a command-and-control (C2) server and attempts to brute force SSH credentials," Darktrace said in an analysis shared with The Hacker News. "Upon gaining access, it receives remote commands and establishes persistence using system service files." The botnet malware is designed to obtain initial access via successfully brute-forcing SSH credentials across a list of harvested IP addresses with open SSH ports. The list of IP addresses to target is retrieved from an external server ("ssh.ddos-cc[.]org"). As part of its brute-force attempts, the malware also performs various checks to determine if...

From zero-day exploits to large-scale bot attacks — the demand for a powerful, self-hosted, and user-friendly web application security solution has never been greater. SafeLine is currently the most starred open-source Web Application Firewall (WAF) on GitHub, with over 16.4K stars and a rapidly growing global user base. This walkthrough covers what SafeLine is, how it works, and why it's becoming the go-to solution over cloud-based WAFs. What is SafeLine WAF? SafeLine is a self-hosted web application firewall that acts as a reverse proxy, filtering and monitoring HTTP/HTTPS traffic to block malicious requests before they reach your backend web applications. Unlike cloud-based WAFs, SafeLine runs entirely on your own servers—giving you unmatched visibility and data sovereignty. Key Features of SafeLine WAF Comprehensive Attack Prevention SafeLine effectively blocks a wide range of common and advanced web attacks, including SQL injection(SQLi), cross-site scripting (XSS), OS co...

Detecting leaked credentials is only half the battle. The real challenge—and often the neglected half of the equation—is what happens after detection. New research from GitGuardian's State of Secrets Sprawl 2025 report reveals a disturbing trend: the vast majority of exposed company secrets discovered in public repositories remain valid for years after detection, creating an expanding attack surface that many organizations are failing to address. According to GitGuardian's analysis of exposed secrets across public GitHub repositories, an alarming percentage of credentials detected as far back as 2022 remain valid today: "Detecting a leaked secret is just the first step," says GitGuardian's research team. "The true challenge lies in swift remediation." Why Exposed Secrets Remain Valid This persistent validity suggests two troubling possibilities: either organizations are unaware their credentials have been exposed (a security visibility problem),...

Continuous Threat Exposure Management (CTEM) has moved from concept to cornerstone, solidifying its role as a strategic enabler for CISOs. No longer a theoretical framework, CTEM now anchors today's cybersecurity programs by continuously aligning security efforts with real-world risk. At the heart of CTEM is the integration of Adversarial Exposure Validation (AEV), an advanced, offensive methodology powered by proactive security tools including External Attack Surface Management (ASM), autonomous penetration testing and red teaming, and Breach and Attack Simulation (BAS). Together, these AEV tools transform how enterprises proactively identify, validate, and reduce risks, turning threat exposure into a manageable business metric. CTEM reflects a broader evolution in how security leaders measure effectiveness and allocate resources. As board expectations grow and cyber risk becomes inseparable from business risk, CISOs are leveraging CTEM to drive measurable, outcome-based security ...

Modern apps move fast—faster than most security teams can keep up. As businesses rush to build in the cloud, security often lags behind. Teams scan code in isolation, react late to cloud threats, and monitor SOC alerts only after damage is done. Attackers don't wait. They exploit vulnerabilities within hours. Yet most organizations take days to respond to critical cloud alerts. That delay isn't just risky—it's an open door. The problem? Security is split across silos. DevSecOps, CloudSec, and SOC teams all work separately. Their tools don't talk. Their data doesn't sync. And in those gaps, 80% of cloud exposures slip through—exploitable, avoidable, and often invisible until it's too late. This free webinar ," Breaking Down Security Silos: Why Application Security Must Span from Code to Cloud to SOC ," shows you how to fix that. Join Ory Segal, Technical Evangelist at Cortex Cloud (Palo Alto Networks), and discover a practical approach to securing your apps from code to cl...

Cybersecurity researchers have shed light on a new malware campaign that makes use of a PowerShell-based shellcode loader to deploy a remote access trojan called Remcos RAT. "Threat actors delivered malicious LNK files embedded within ZIP archives, often disguised as Office documents," Qualys security researcher Akshay Thorve said in a technical report. "The attack chain leverages mshta.exe for proxy execution during the initial stage." The latest wave of attacks, as detailed by Qualys, employs tax-related lures to entice users into opening a malicious ZIP archive containing a Windows shortcut (LNK) file, which, in turn, makes use of mshta.exe, a legitimate Microsoft tool used to run HTML Applications (HTA). The binary is used to execute an obfuscated HTA file named "xlab22.hta" hosted on a remote server, which incorporates Visual Basic Script code to download a PowerShell script, a decoy PDF, and another HTA file similar to xlab22.hta called "3...

Imagine this: Your organization completed its annual penetration test in January, earning high marks for security compliance. In February, your development team deployed a routine software update. By April, attackers had already exploited a vulnerability introduced in that February update, gaining access to customer data weeks before being finally detected. This situation isn't theoretical: it plays out repeatedly as organizations realize that point-in-time compliance testing can't protect against vulnerabilities introduced after the assessment. According to Verizons 2025 Data Breach Investigation Report , the exploitation of vulnerabilities rose 34% year-over-year. While compliance frameworks provide important security guidelines, companies need continuous security validation to identify and remediate new vulnerabilities before attackers can exploit them. Here's what you need to know about pen testing to meet compliance standards — and why you should adopt continuous penetratio...

Cisco has released software fixes to address a maximum-severity security flaw in its IOS XE Wireless Controller that could enable an unauthenticated, remote attacker to upload arbitrary files to a susceptible system. The vulnerability, tracked as CVE-2025-20188 , has been rated 10.0 on the CVSS scoring system. "This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an affected system," the company said in a Wednesday advisory. "An attacker could exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface. A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges." That said, in order for the exploitation to be successful, the Out-of-Band AP Image Download feature must be enabled on the device. It's disabled by default. The following products are affected, if they have a vulnerable release running and have the Ou...

Security Operations Center (SOC) teams are facing a fundamentally new challenge — traditional cybersecurity tools are failing to detect advanced adversaries who have become experts at evading endpoint-based defenses and signature-based detection systems. The reality of these "invisible intruders" is driving a significant need for a multi-layered approach to detecting threats, including Network Detection and Response (NDR) solutions.  The invisible intruder problem Imagine your network has been compromised — not today or yesterday, but months ago. Despite your significant investments in security tools running 24/7, an advanced adversary has been quietly moving through your systems, carefully avoiding detection. They've stolen credentials, established backdoors, and exfiltrated sensitive data, all while your dashboards showed nothing but green. This scenario is not hypothetical. The average dwell time for attackers — the period between initial compro...

For over a decade, application security teams have faced a brutal irony: the more advanced the detection tools became, the less useful their results proved to be. As alerts from static analysis tools, scanners, and CVE databases surged, the promise of better security grew more distant. In its place, a new reality took hold—one defined by alert fatigue and overwhelmed teams. According to OX Security's 2025 Application Security Benchmark Report , a staggering 95–98% of AppSec alerts do not require action - and may, in fact, be harming organizations more than helping. Our research, spanning over 101 million security findings across 178 organizations, shines a spotlight on a fundamental inefficiency in modern AppSec operations. Of nearly 570,000 average alerts per organization, just 202 represented true, critical issues. It's a startling conclusion that's hard to ignore: security teams are chasing shadows, wasting time, burning through budgets, and straining relations wit...

Find out how Reco keeps Microsoft 365 Copilot safe by spotting risky prompts, protecting data, managing user access, and identifying threats - all while keeping productivity high. Microsoft 365 Copilot promises to boost productivity by turning natural language prompts into actions. Employees can generate reports, comb through data, or get instant answers just by asking Copilot.  However, alongside this convenience comes serious security concerns. Copilot operates across a company's SaaS apps (from SharePoint to Teams and beyond), which means a careless prompt or a compromised user account could expose troves of sensitive information.  Security experts warn that organizations shouldn't assume default settings will keep them safe. Without proactive controls, every file in your organization could be accessible via Copilot. A malicious actor might use Copilot to discover and exfiltrate confidential data without having to manually search through systems. With the right prom...