The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Imagine you're considering a new car for your family. Before making a purchase, you evaluate its safety ratings, fuel efficiency, and reliability. You might even take it for a test drive to ensure it meets your needs. The same approach should be applied to software and hardware products before integrating them into an organization's environment. Just as you wouldn't buy a car without knowing its safety features, you shouldn't deploy software without understanding the risks it introduces. The Rising Threat of Supply Chain Attacks Cybercriminals have recognized that instead of attacking an organization head-on, they can infiltrate through the software supply chain—like slipping counterfeit parts into an assembly line. According to the 2024 Sonatype State of the Software Supply Chain report , attackers are infiltrating open-source ecosystems at an alarming rate, with over 512,847 malicious packages detected last year alone—a 156% increase from the previous year. Traditional sec...

Threat actors have observed the increasingly common ClickFix technique to deliver a remote access trojan named NetSupport RAT since early January 2025. NetSupport RAT, typically propagated via bogus websites and fake browser updates, grants attackers full control over the victim's host, allowing them to monitor the device's screen in real-time, control the keyboard and mouse, upload and download files, and launch and execute malicious commands. Originally known as NetSupport Manager, it was developed as a legitimate remote IT support program, but has since been repurposed by malicious actors to target organizations and capture sensitive information, including screenshots, audio, video, and files. "ClickFix is a technique used by threat actors to inject a fake CAPTCHA webpage on compromised websites, instructing users to follow certain steps to copy and execute malicious PowerShell commands on their host to download and run malware payloads," eSentire said in an...

Source: The Nation A coordinated law enforcement operation has taken down the dark web data leak and negotiation sites associated with the 8Base ransomware gang. Visitors to the data leak site are now greeted with a seizure banner that says: "This hidden site and the criminal content have been seized by the Bavarian State Criminal Police Office on behalf of the Office of the Public Prosecutor General in Bamberg." The takedown involved the U.K. National Crime Agency (NCA), the U.S. Federal Bureau of Investigation (FBI), Europol, as well as agencies from Bavaria, Belgium, Czechia, France, Germany, Japan, Romania, Spain, Switzerland, and Thailand. Thai media reports have revealed that four European nationals – two men and two women – were arrested across four different locations on Monday as part of an effort codenamed Operation Phobos Aetor. The identities of the suspects were not disclosed. Authorities are said to have seized more than 40 pieces of evidence, including ...

I had the honor of hosting the first episode of the Xposure Podcast live from Xposure Summit 2025. And I couldn't have asked for a better kickoff panel: three cybersecurity leaders who don't just talk security, they live it. Let me introduce them. Alex Delay , CISO at IDB Bank, knows what it means to defend a highly regulated environment. Ben Mead , Director of Cybersecurity at Avidity Biosciences, brings a forward-thinking security perspective that reflects the innovation behind Avidity's targeted RNA therapeutics. Last but not least, Michael Francess , Director of Cybersecurity Advanced Threat at Wyndham Hotels and Resorts, leads the charge in protecting the franchise. Each brought a unique vantage point to a common challenge: applying Continuous Threat Exposure Management (CTEM) to complex production environments. Gartner made waves in 2023 with a bold prediction: organizations that prioritize CTEM will be three times less likely to be breached by 2026. But here's the kicker -...

Threat actors have been observed leveraging Google Tag Manager (GTM) to deliver credit card skimmer malware targeting Magento-based e-commerce websites. Website security company Sucuri said the code, while appearing to be a typical GTM and Google Analytics script used for website analytics and advertising purposes, contains an obfuscated backdoor capable of providing attackers with persistent access. As of writing, as many as three sites have been found to be infected with the GTM identifier (GTM-MLHK2N68) in question, down from six reported by Sucuri. GTM identifier refers to a container that includes the various tracking codes (e.g., Google Analytics, Facebook Pixel) and rules to be triggered when certain conditions are met. Further analysis has revealed that the malware is being loaded from the Magento database table "cms_block.content," with the GTM tag containing an encoded JavaScript payload that acts as a credit card skimmer. "This script was designed to ...

In cybersecurity, the smallest crack can lead to the biggest breaches. A leaked encryption key, an unpatched software bug, or an abandoned cloud storage bucket—each one seems minor until it becomes the entry point for an attack. This week, we've seen cybercriminals turn overlooked weaknesses into major security threats, proving once again that no system is too small to be targeted. The question isn't whether attackers will find a way in—it's whether you'll be prepared when they do. Let's break down what you need to know. ⚡ Threat of the Week Microsoft Warns of Attacks Exploiting ASP.NET Machine Keys — Threat actors are exploiting publicly disclosed ASP.NET machine keys to inject and execute malicious code responsible for launching the Godzilla post-exploitation framework. Microsoft said it has identified over 3,000 publicly disclosed keys that could be used for these types of attacks dubbed ViewState code injection. The company also said it removed key-related artifacts from ...

Given Okta's role as a critical part of identity infrastructure, strengthening Okta security is essential. This article covers six key Okta security settings that provide a strong starting point, along with recommendations for implementing continuous monitoring of your Okta security posture. With over 18,000 customers, Okta serves as the cornerstone of identity governance and security for organizations worldwide. However, this prominence has made it a prime target for cybercriminals who seek access to valuable corporate identities, applications, and sensitive data. Recently, Okta warned its customers of an increase in phishing social engineering attempts to impersonate Okta support personnel. Given Okta's role as a critical part of identity infrastructure, strengthening Okta security is essential. This article covers six key Okta security settings that provide a strong starting point, along with how continuous monitoring of your Okta security posture helps you avoid miscon...

Threat actors have been observed targeting Internet Information Services (IIS) servers in Asia as part of a search engine optimization (SEO) manipulation campaign designed to install BadIIS malware. "It is likely that the campaign is financially motivated since redirecting users to illegal gambling websites shows that attackers deploy BadIIS for profit," Trend Micro researchers Ted Lee and Lenart Bermejo said in an analysis published last week, Targets of the campaign include IIS servers located in India, Thailand, Vietnam, Philippines, Singapore, Taiwan, South Korea, Japan, and Brazil. These servers are associated with government, universities, technology companies, and telecommunications sectors. Requests to the compromised servers can then be served altered content from attackers, ranging from redirections to gambling sites to connecting to rogue servers that host malware or credential harvesting pages. It's suspected that the activity is the work of a Chinese-s...

Zimbra has released software updates to address critical security flaws in its Collaboration software that, if successfully exploited, could result in information disclosure under certain conditions. The vulnerability, tracked as CVE-2025-25064 , carries a CVSS score of 9.8 out of a maximum of 10.0. It has been described as an SQL injection bug in the ZimbraSync Service SOAP endpoint affecting versions prior to 10.0.12 and 10.1.4. Stemming from a lack of adequate sanitization of a user-supplied parameter, the shortcoming could be weaponized by authenticated attackers to inject arbitrary SQL queries that could retrieve email metadata by "manipulating a specific parameter in the request." Zimbra also said it addressed another critical vulnerability related to stored cross-site scripting (XSS) in the Zimbra Classic Web Client. The flaw is yet to be assigned a CVE identifier. "The fix strengthens input sanitization and enhances security," the company said in an a...

Threat actors have been observed exploiting multiple security flaws in various software products, including Progress Telerik UI for ASP.NET AJAX and Advantive VeraCore, to drop reverse shells and web shells, and maintain persistent remote access to compromised systems. The zero-day exploitation of security flaws in VeraCore has been attributed to a threat actor known as XE Group , a cybercrime group likely of Vietnamese origin that's known to be active since at least 2010. "XE Group transitioned from credit card skimming to targeted information theft, marking a significant shift in their operational priorities," cybersecurity firm Intezer said in a report published in collaboration with Solis Security. "Their attacks now target supply chains in the manufacturing and distribution sectors, leveraging new vulnerabilities and advanced tactics." The vulnerabilities in question are listed below - CVE-2024-57968 (CVSS score: 9.9) - An unrestricted upload of f...

Cybersecurity researchers have uncovered two malicious machine learning (ML) models on Hugging Face that leveraged an unusual technique of "broken" pickle files to evade detection. "The pickle files extracted from the mentioned PyTorch archives revealed the malicious Python content at the beginning of the file," ReversingLabs researcher Karlo Zanki said in a report shared with The Hacker News. "In both cases, the malicious payload was a typical platform-aware reverse shell that connects to a hard-coded IP address." The approach has been dubbed nullifAI, as it involves clearcut attempts to sidestep existing safeguards put in place to identify malicious models. The Hugging Face repositories have been listed below - glockr1/ballr7 who-r-u0000/0000000000000000000000000000000000000 It's believed that the models are more of a proof-of-concept (PoC) than an active supply chain attack scenario. The pickle serialization format, used commonly for dis...

A new audit of DeepSeek's mobile app for the Apple iOS operating system has found glaring security issues, the foremost being that it sends sensitive data over the internet sans any encryption, exposing it to interception and manipulation attacks. The assessment comes from NowSecure, which also found that the app fails to adhere to best security practices and that it collects extensive user and device data. "The DeepSeek iOS app sends some mobile app registration and device data over the Internet without encryption," the company said . "This exposes any data in the internet traffic to both passive and active attacks." The teardown also revealed several implementation weaknesses when it comes to applying encryption on user data. This includes the use of an insecure symmetric encryption algorithm ( 3DES ), a hard-coded encryption key, and the reuse of initialization vectors . What's more, the data is sent to servers that are managed by a cloud compute a...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that a security flaw impacting Trimble Cityworks GIS-centric asset management software has come under active exploitation in the wild. The vulnerability in question is CVE-2025-0994 (CVSS v4 score: 8.6), a deserialization of untrusted data bug that could permit an attacker to conduct remote code execution. "This could allow an authenticated user to perform a remote code execution attack against a customer's Microsoft Internet Information Services (IIS) web server," CISA said in an advisory dated February 6, 2025. The flaw affects the following versions - Cityworks (All versions prior to 15.8.9) Cityworks with office companion (All versions prior to 23.10) While Trimble has released patches to address the security defect as of January 29, 2025, CISA has warned that it is being weaponized in real-world attacks. The Colorado-headquartered company also noted that it has received reports o...