The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

ConnectWise has disclosed that it's planning to rotate the digital code signing certificates used to sign ScreenConnect, ConnectWise Automate, and ConnectWise remote monitoring and management (RMM) executables due to security concerns. The company said it's doing so "due to concerns raised by a third-party researcher about how ScreenConnect handled certain configuration data in earlier versions." While the company did not publicly elaborate on the nature of the problem, it has shed more light in a non-public FAQ accessible only to its customers (and later shared on Reddit ) - The concern stems from ScreenConnect using the ability to store configuration data in an available area of the installer that is not signed but is part of the installer. We are using this ability to pass down configuration information for the connection (between the agent and server) such as the URL where the agent should call back without invalidating the signature. The unsigned area is u...

Cybersecurity researchers have uncovered a new account takeover (ATO) campaign that leverages an open-source penetration testing framework called TeamFiltration to breach Microsoft Entra ID (formerly Azure Active Directory) user accounts. The activity, codenamed UNK_SneakyStrike by Proofpoint, has targeted over 80,000 user accounts across hundreds of organizations' cloud tenants since a surge in login attempts was observed in December 2024, leading to successful account takeovers. "Attackers leverage Microsoft Teams API and Amazon Web Services (AWS) servers located in various geographical regions to launch user-enumeration and password-spraying attempts," the enterprise security company said . "Attackers exploited access to specific resources and native applications, such as Microsoft Teams, OneDrive, Outlook, and others." TeamFiltration, publicly released by researcher Melvin "Flangvik" Langvik, in August 2022 at the DEF CON security conferenc...

Former members tied to the Black Basta ransomware operation have been observed sticking to their tried-and-tested approach of email bombing and Microsoft Teams phishing to establish persistent access to target networks. "Recently, attackers have introduced Python script execution alongside these techniques, using cURL requests to fetch and deploy malicious payloads," ReliaQuest said in a report shared with The Hacker News. The development is a sign that the threat actors are continuing to pivot and regroup, despite the Black Basta brand suffering a huge blow and a decline after the public leak of its internal chat logs earlier this February. The cybersecurity company said half of the Teams phishing attacks that were observed between February and May 2025 originated from onmicrosoft[.]com domains, and that breached domains accounted for 42% of the attacks during the same period. The latter is a lot more stealthy and allows threat actors to impersonate legitimate traffi...

Threat intelligence firm GreyNoise has warned of a "coordinated brute-force activity" targeting Apache Tomcat Manager interfaces. The company said it observed a surge in brute-force and login attempts on June 5, 2025, an indication that they could be deliberate efforts to "identify and access exposed Tomcat services at scale." To that end, 295 unique IP addresses have been found to be engaged in brute-force attempts against Tomcat Manager on that date, with all of them classified as malicious. Over the past 24 hours, 188 unique IPs have been recorded, a majority of them located in the United States, the United Kingdom, Germany, the Netherlands, and Singapore. In a similar vein, 298 unique IPs were observed conducting login attempts against Tomcat Manager instances. Of the 246 IP addresses flagged in the last 24 hours, all of them are categorized as malicious and originate from the same locations. Targets of these attempts include the United States, the Uni...

INTERPOL on Wednesday announced the dismantling of more than 20,000 malicious IP addresses or domains that have been linked to 69 information-stealing malware variants. The joint action, codenamed Operation Secure , took place between January and April 2025, and involved law enforcement agencies from 26 countries to identify servers, map physical networks, and execute targeted takedowns. "These coordinated efforts resulted in the takedown of 79 percent of identified suspicious IP addresses," INTERPOL said in a statement. "Participating countries reported the seizure of 41 servers and over 100 GB of data, as well as the arrest of 32 suspects linked to illegal cyber activities." Vietnamese authorities arrested 18 suspects, and confiscated devices, SIM cards, business registration documents, and money worth $11,500. Further house raids have led to the arrest of another 12 people in Sri Lanka and two individuals in Nauru. The Hong Kong Police, per INTERPOL, iden...

In today's cybersecurity landscape, much of the focus is placed on firewalls, antivirus software, and endpoint detection. While these tools are essential, one critical layer often goes overlooked: the Domain Name System (DNS). As the starting point of nearly every online interaction, DNS is not only foundational - it's increasingly a target. When left unsecured, it becomes a single point of failure that can disrupt services, redirect users, or expose sensitive data. Securing it isn't just good practice - it's a necessity. Why DNS Is a Core Part of Internet Infrastructure The Domain Name System, or DNS, functions like the internet's address book. It translates easy-to-remember domain names (like example.com ) into the numerical IP addresses (like 1.2.3.4 ) that computers use to identify each other across networks. Every time a user visits a website, opens an app, or sends an email, a DNS query is triggered in the background to connect that request to the correct server. Without DNS,...

Two security vulnerabilities have been disclosed in SinoTrack GPS devices that could be exploited to control certain remote functions on connected vehicles and even track their locations. "Successful exploitation of these vulnerabilities could allow an attacker to access device profiles without authorization through the common web management interface," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory. "Access to the device profile may allow an attacker to perform some remote functions on connected vehicles such as tracking the vehicle location and disconnecting power to the fuel pump where supported." The vulnerabilities, per the agency, affect all versions of the SinoTrack IoT PC Platform. A brief description of the flaws is below - CVE-2025-5484 (CVSS score: 8.3) - Weak authentication to the central SinoTrack device management interface stems from the use of a default password and a username that's an identifier pr...

In today's security landscape, budgets are tight, attack surfaces are sprawling, and new threats emerge daily. Maintaining a strong security posture under these circumstances without a large team or budget can be a real challenge. Yet lean security models are not only possible - they can be highly effective. River Island, one of the UK's leading fashion retailers, offers a powerful case study on how to do more with less. As River Island's InfoSec Officer, Sunil Patel and his small team of three are responsible for securing over 200 stores, an e-commerce platform, a major distribution center, and head offices. With no headcount growth on the horizon, Sunil had to rethink how security could scale effectively. By adopting a lean security model, powered by Intruder's exposure management platform , the team was able to improve visibility, respond faster to threats, and empower others across the business to fix what matters most. Here are five key lessons from thei...

Microsoft has released patches to fix 67 security flaws , including one zero-day bug in Web Distributed Authoring and Versioning (WebDAV) that it said has come under active exploitation in the wild. Of the 67 vulnerabilities, 11 are rated Critical and 56 are rated Important in severity. This includes 26 remote code execution flaws, 17 information disclosure flaws, and 14 privilege escalation flaws. The patches are in addition to 13 shortcomings addressed by the company in its Chromium-based Edge browser since the release of last month's Patch Tuesday update . The vulnerability that has been weaponized in real-world attacks concerns a remote code execution in WebDAV ( CVE-2025-33053 , CVSS score: 8.8) that can be triggered by deceiving users into clicking on a specially crafted URL. The tech giant credited Check Point researchers Alexandra Gofman and David Driker for discovering and reporting the bug. It's worth mentioning that CVE-2025-33053 is the first zero-day vulnerab...

Adobe on Tuesday pushed security updates to address a total of 254 security flaws impacting its software products, a majority of which affect Experience Manager (AEM). Of the 254 flaws, 225 reside in AEM, impacting AEM Cloud Service (CS) as well as all versions prior to and including 6.5.22. The issues have been resolved in AEM Cloud Service Release 2025.5 and version 6.5.23. "Successful exploitation of these vulnerabilities could result in arbitrary code execution, privilege escalation, and security feature bypass," Adobe said in an advisory. Almost all the 225 vulnerabilities have been classified as cross-site scripting (XSS) vulnerabilities, specifically a mix of stored XSS and DOM-based XSS, that could be exploited to achieve arbitrary code execution. Adobe has credited security researchers Jim Green (green-jam), Akshay Sharma (anonymous_blackzero), and lpi for discovering and reporting the XSS flaws. The most severe of the flaws patched by the company as part of ...

Cybersecurity researchers have uncovered over 20 configuration-related risks affecting Salesforce Industry Cloud (aka Salesforce Industries ), exposing sensitive data to unauthorized internal and external parties. The weaknesses affect various components like FlexCards, Data Mappers, Integration Procedures (IProcs), Data Packs, OmniOut, and OmniScript Saved Sessions. "Low-code platforms such as Salesforce Industry Cloud make building applications easier, but that convenience can come at a cost if security isn't prioritized," Aaron Costello, chief of SaaS Security Research at AppOmni, said in a statement shared with The Hacker News. These misconfigurations, if left unaddressed, could allow cybercriminals and unauthorized to access encrypted confidential data on employees and customers, session data detailing how users have interacted with Salesforce Industry Cloud, credentials for Salesforce and other company systems, and business logic. Following responsible discl...

The financially motivated threat actor known as FIN6 has been observed leveraging fake resumes hosted on Amazon Web Services (AWS) infrastructure to deliver a malware family called More_eggs. "By posing as job seekers and initiating conversations through platforms like LinkedIn and Indeed, the group builds rapport with recruiters before delivering phishing messages that lead to malware," the DomainTools Investigations (DTI) team said in a report shared with The Hacker News. More_eggs is the work of another cybercrime group called Golden Chickens (aka Venom Spider), which was most recently attributed to new malware families like TerraStealerV2 and TerraLogger. A JavaScript-based backdoor, it's capable of enabling credential theft, system access, and follow-on attacks, including ransomware. One of the malware's known customers is FIN6 (aka Camouflage Tempest, Gold Franklin, ITG08, Skeleton Spider, and TA4557), an e-crime crew that originally targeted point-of-s...