The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Google has revealed that it will no longer trust digital certificates issued by Chunghwa Telecom and Netlock citing "patterns of concerning behavior observed over the past year." The changes are expected to be introduced in Chrome 139, which is scheduled for public release in early August 2025. The current major version is 137.  The update will affect all Transport Layer Security (TLS) server authentication certificates issued by the two Certificate Authorities (CAs) after July 31, 2025, 11:59:59 p.m. UTC. Certificates issued before that date will not be impacted. Chunghwa Telecom is Taiwan's largest integrated telecom service provider and Netlock is a Hungarian company that offers digital identity, electronic signature, time stamping, and authentication solutions. "Over the past several months and years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly di...

Microsoft and CrowdStrike have announced that they are teaming up to align their individual threat actor taxonomies by publishing a new joint threat actor mapping. "By mapping where our knowledge of these actors align, we will provide security professionals with the ability to connect insights faster and make decisions with greater confidence," Vasu Jakkal, corporate vice president at Microsoft Security, said . The initiative is seen as a way to untangle the menagerie of nicknames that private cybersecurity vendors assign to various hacking groups that are broadly categorized as a nation-state, financially motivated, influence operations, private sector offensive actors, and emerging clusters. For example, the Russian state-sponsored threat actor tracked by Microsoft as Midnight Blizzard (formerly Nobelium) is also known as APT29, BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, and The Dukes. Likewise, Forest Blizzard (previously Strontium) goes by other monikers such...

Google on Monday released out-of-band fixes to address three security issues in its Chrome browser, including one that it said has come under active exploitation in the wild. The high-severity flaw is being tracked as CVE-2025-5419 , and has been flagged as an out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine. "Out-of-bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page," reads the description of the bug on the NIST's National Vulnerability Database (NVD). Google credited Clement Lecigne and Benoît Sevens of Google Threat Analysis Group (TAG) with discovering and reporting the flaw on May 27, 2025. It also noted that the issue was addressed the next day by pushing out a configuration change to the Stable version of the browser across all platforms. As is customary, the advisory is light on details regarding the nature of the a...

Detecting leaked credentials is only half the battle. The real challenge—and often the neglected half of the equation—is what happens after detection. New research from GitGuardian's State of Secrets Sprawl 2025 report reveals a disturbing trend: the vast majority of exposed company secrets discovered in public repositories remain valid for years after detection, creating an expanding attack surface that many organizations are failing to address. According to GitGuardian's analysis of exposed secrets across public GitHub repositories, an alarming percentage of credentials detected as far back as 2022 remain valid today: "Detecting a leaked secret is just the first step," says GitGuardian's research team. "The true challenge lies in swift remediation." Why Exposed Secrets Remain Valid This persistent validity suggests two troubling possibilities: either organizations are unaware their credentials have been exposed (a security visibility problem),...

Cybersecurity researchers have discovered a new cryptojacking campaign that's targeting publicly accessible DevOps web servers such as those associated with Docker, Gitea, and HashiCorp Consul and Nomad to illicitly mine cryptocurrencies. Cloud security firm Wiz, which is tracking the activity under the name JINX-0132 , said the attackers are exploiting a wide range of known misconfigurations and vulnerabilities to deliver the miner payload. "Notably, this campaign marks what we believe to be the first publicly documented instance of Nomad misconfigurations being exploited as an attack vector in the wild," researchers Gili Tikochinski, Danielle Aminov, and Merav Bar said in a report shared with The Hacker News. What sets these attacks further stand out is that the bad actors download the necessary tools directly from GitHub repositories rather than using their own infrastructure for staging purposes. The use of off-the-shelf tools is seen as a deliberate attempt to c...

Three security vulnerabilities have been disclosed in preloaded Android applications on smartphones from Ulefone and Krüger&Matz that could enable any app installed on the device to perform a factory reset and encrypt an application. A brief description of the three flaws is as follows - CVE-2024-13915 (CVSS score: 6.9) - A pre-installed "com.pri.factorytest" application on Ulefone and Krüger&Matz smartphones exposes a "com.pri.factorytest.emmc.FactoryResetService" service that allows any installed application to perform a factory reset of the device. CVE-2024-13916 (CVSS score: 6.9) - A pre-installed "com.pri.applock" application on Kruger&Matz smartphones allows a user to encrypt any application using user-provided PIN code or by using biometric data. The app also exposes a "com.android.providers.settings.fingerprint.PriFpShareProvider" content provider's "query()" method that permits any malicious app already ...

Qualcomm has shipped security updates to address three zero-day vulnerabilities that it said have been exploited in limited, targeted attacks in the wild. The flaws in question, which were responsibly disclosed to the company by the Google Android Security team, are listed below - CVE-2025-21479 and CVE-2025-21480 (CVSS score: 8.6) - Two incorrect authorization vulnerabilities in the Graphics component that could result in memory corruption due to unauthorized command execution in GPU microcode while executing a specific sequence of commands CVE-2025-27038 (CVSS score: 7.5) - A use-after-free vulnerability in the Graphics component that could result in memory corruption while rendering graphics using Adreno GPU drivers in Chrome "There are indications from Google Threat Analysis Group that CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 may be under limited, targeted exploitation," Qualcomm said in an advisory. "Patches for the issues affecting the Adreno Grap...

If this had been a security drill, someone would've said it went too far. But it wasn't a drill—it was real. The access? Everything looked normal. The tools? Easy to find. The detection? Came too late. This is how attacks happen now—quiet, convincing, and fast. Defenders aren't just chasing hackers anymore—they're struggling to trust what their systems are telling them. The problem isn't too few alerts. It's too many, with no clear meaning. One thing is clear: if your defense still waits for obvious signs, you're not protecting anything. You're just watching it happen. This recap highlights the moments that mattered—and why they're worth your attention. ⚡ Threat of the Week APT41 Exploits Google Calendar for Command-and-Control — The Chinese state-sponsored threat actor known as APT41 deployed a malware called TOUGHPROGRESS that uses Google Calendar for command-and-control (C2). Google said it observed the spear-phishing attacks in October 2024 and that the malware was hosted on...

The evolution of cyber threats has forced organizations across all industries to rethink their security strategies. As attackers become more sophisticated — leveraging encryption, living-off-the-land techniques, and lateral movement to evade traditional defenses — security teams are finding more threats wreaking havoc before they can be detected. Even after an attack has been identified, it can be hard for security teams to prove to auditors that they have fully mitigated the issues that allowed the attackers in. Security teams worldwide have prioritized endpoint detection and response (EDR), which has become so effective that threat actors have changed their tactics to avoid attack vectors protected by host-based defenses. These advanced threats are particularly vexing for critical infrastructure providers in financial services , energy and utilities , transportation , and government agencies that may have proprietary systems that cannot be protected by traditional endpoint securi...

Cybersecurity researchers have warned of a new spear-phishing campaign that uses a legitimate remote access tool called Netbird to target Chief Financial Officers (CFOs) and financial executives at banks, energy companies, insurers, and investment firms across Europe, Africa, Canada, the Middle East, and South Asia.  "In what appears to be a multi-stage phishing operation, the attackers aimed to deploy NetBird, a legitimate wireguard-based remote access tool on the victim's computer," Trellix researcher Srini Seethapathy said in an analysis. The activity, first detected by the cybersecurity company in mid-May 2025, has not been attributed to a known threat actor or group. The starting point of the attack is a phishing email that impersonates a recruiter from Rothschild & Co. and claims to offer a "strategic opportunity" with the company. The email is designed to entice the recipients into opening a purported PDF attachment that, in reality, is a phishin...

Two information disclosure flaws have been identified in apport and systemd-coredump , the core dump handlers in Ubuntu, Red Hat Enterprise Linux, and Fedora, according to the Qualys Threat Research Unit (TRU). Tracked as CVE-2025-5054 and CVE-2025-4598 , both vulnerabilities are race condition bugs that could enable a local attacker to obtain access to access sensitive information. Tools like Apport and systemd-coredump are designed to handle crash reporting and core dumps in Linux systems. "These race conditions allow a local attacker to exploit a SUID program and gain read access to the resulting core dump," Saeed Abbasi, manager of product at Qualys TRU, said . A brief description of the two flaws is below - CVE-2025-5054 (CVSS score: 4.7) - A race condition in Canonical apport package up to and including 2.32.0 that allows a local attacker to leak sensitive information via PID-reuse by leveraging namespaces CVE-2025-4598 (CVSS score: 4.7) - A race condition i...

A multinational law enforcement operation has resulted in the takedown of an online cybercrime syndicate that offered services to threat actors to ensure that their malicious software stayed undetected from security software. To that effect, the U.S. Department of Justice (DoJ) said it seized four domains and their associated server facilitated the crypting service on May 27, 2025, in partnership with Dutch and Finnish authorities. These include AvCheck[.]net, Cryptor[.]biz, Cryptor[.]live, and Crypt[.]guru, all of which now display a seizure notice. Other countries that participated in the effort include France, Germany, Denmark, Portugal, and Ukraine. "Crypting is the process of using software to make malware difficult for antivirus programs to detect," the DoJ said . "The seized domains offered services to cybercriminals, including counter-antivirus (CAV) tools. When used together, CAV and crypting services allow criminals to obfuscate malware, making it undetecta...

A new malware campaign is distributing a novel Rust-based information stealer dubbed EDDIESTEALER using the popular ClickFix social engineering tactic initiated via fake CAPTCHA verification pages. "This campaign leverages deceptive CAPTCHA verification pages that trick users into executing a malicious PowerShell script, which ultimately deploys the infostealer, harvesting sensitive data such as credentials, browser information, and cryptocurrency wallet details," Elastic Security Labs researcher Jia Yu Chan said in an analysis. The attack chains begin with threat actors compromising legitimate websites with malicious JavaScript payloads that serve bogus CAPTCHA check pages, which prompt site visitors to "prove you are not [a] robot" by following a three-step process, a prevalent tactic called ClickFix . This involves instructing the potential victim to open the Windows Run dialog prompt, paste an already copied command into the "verification window"...