The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Threat hunters have uncovered a new threat actor named UAT-5918 that has been attacking critical infrastructure entities in Taiwan since at least 2023. "UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim environments for information theft and credential harvesting," Cisco Talos researchers Jungsoo An, Asheer Malhotra, Brandon White, and Vitor Ventura said . Besides critical infrastructure, some of the other targeted verticals include information technology, telecommunications, academia, and healthcare. Assessed to be an advanced persistent threat (APT) group looking to establish long-term persistent access in victim environments, UAT-5918 is said to share tactical overlaps with several Chinese hacking crews tracked as Volt Typhoon , Flax Typhoon , Tropic Trooper , Earth Estries , and Dalb...

The threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a bring your own vulnerable driver ( BYOVD ) attack designed to disable anti-malware tools. Elastic Security Labs said it observed a Medusa ransomware attack that delivered the encryptor by means of a loader packed using a packer-as-a-service (PaaS) called HeartCrypt. "This loader was deployed alongside a revoked certificate-signed driver from a Chinese vendor we named ABYSSWORKER, which it installs on the victim machine and then uses to target and silence different EDR vendors," the company said in a report. The driver in question, "smuol.sys," mimics a legitimate CrowdStrike Falcon driver ("CSAgent.sys"). Dozens of ABYSSWORKER artifacts have been detected on the VirusTotal platform dating from August 8, 2024, to February 25, 2025. All the identified samples are signed using likely stolen, revoked ce...

The China-linked advanced persistent threat (APT) group known as Aquatic Panda has been linked to a "global espionage campaign" that took place in 2022 targeting seven organizations. These entities include governments, Catholic charities, non-governmental organizations (NGOs), and think tanks across Taiwan, Hungary, Turkey, Thailand, France, and the United States. The activity, which took place over a period of 10 months between January and October 2022, has been codenamed Operation FishMedley by ESET. "Operators used implants – such as ShadowPad, SodaMaster, and Spyder – that are common or exclusive to China-aligned threat actors," security researcher Matthieu Faou said in an analysis. Aquatic Panda , also called Bronze University, Charcoal Typhoon, Earth Lusca, and RedHotel, is a cyber espionage group from China that's known to be active since at least 2019. The Slovakian cybersecurity company is tracking the hacking crew under the name FishMonger. Sai...

If you invite guest users into your Entra ID tenant, you may be opening yourself up to a surprising risk.  A gap in access control in Microsoft Entra's subscription handling is allowing guest users to create and transfer subscriptions into the tenant they are invited into, while maintaining full ownership of them.  All the guest user needs are the permissions to create subscriptions in their home tenant, and an invitation as a guest user into an external tenant. Once inside, the guest user can create subscriptions in their home tenant, transfer them into the external tenant, and retain full ownership rights. This stealthy privilege escalation tactic allows a guest user to gain a privileged foothold in an environment where they should only have limited access. Many organizations treat guest accounts as low-risk based on their temporary, limited access, but this behavior, which works as designed, opens the door to known attack paths and lateral movement within the resource t...

After conducting over 10,000 automated internal network penetration tests last year, vPenTest has uncovered a troubling reality that many businesses still have critical security gaps that attackers can easily exploit. Organizations often assume that firewalls, endpoint protection, and SIEMs are enough to keep them secure. But how effective are these defenses when put to the test? That's where vPenTest , Vonahi Security's automated network pentesting platform, comes in. Designed to simulate real-world attack scenarios, vPenTest helps organizations find exploitable vulnerabilities before cybercriminals can. These aren't complex, zero-day exploits. They're misconfigurations, weak passwords, and unpatched vulnerabilities that attackers routinely exploit to gain access, move laterally, and escalate privileges within networks. Here's how these risks break down: 50% stem from misconfigurations – Default settings, weak access controls, and overlooked security policies. 30% are due to m...

Two known threat activity clusters codenamed Head Mare and Twelve have likely joined forces to target Russian entities, new findings from Kaspersky reveal. "Head Mare relied heavily on tools previously associated with Twelve. Additionally, Head Mare attacks utilized command-and-control (C2) servers exclusively linked to Twelve prior to these incidents," the company said . "This suggests potential collaboration and joint campaigns between the two groups." Both Head Mare and Twelve were previously documented by Kaspersky in September 2024, with the former leveraging a now-patched vulnerability in WinRAR (CVE-2023-38831) to obtain initial access and deliver malware and in some cases, even deploy ransomware families like LockBit for Windows and Babuk for Linux (ESXi) in exchange for a ransom. Twelve, on the other hand, has been observed staging destructive attacks, taking advantage of various publicly available tools to encrypt victims' data and irrevocably d...

Two now-patched security flaws impacting Cisco Smart Licensing Utility are seeing active exploitation attempts, according to SANS Internet Storm Center . The two critical-rated vulnerabilities in question are listed below -  CVE-2024-20439 (CVSS score: 9.8) - The presence of an undocumented static user credential for an administrative account that an attacker could exploit to log in to an affected system CVE-2024-20440 (CVSS score: 9.8) - A vulnerability arising due to an excessively verbose debug log file that an attacker could exploit to access such files by means of a crafted HTTP request and obtain credentials that can be used to access the API Successful exploitation of the flaws could enable an attacker to log in to the affected system with administrative privileges, and obtain log files that contain sensitive data, including credentials that can be used to access the API. That said, the vulnerabilities are only exploitable in scenarios where the utility is active...

YouTube videos promoting game cheats are being used to deliver a previously undocumented stealer malware called Arcane likely targeting Russian-speaking users. "What's intriguing about this malware is how much it collects," Kaspersky said in an analysis. "It grabs account information from VPN and gaming clients, and all kinds of network utilities like ngrok, Playit, Cyberduck, FileZilla, and DynDNS." The attack chains involve sharing links to a password-protected archive on YouTube videos, which, when opened, unpacks a start.bat batch file that's responsible for retrieving another archive file via PowerShell. The batch file then utilizes PowerShell to launch two executables embedded within the newly downloaded archive, while also disabling Windows SmartScreen protections and every drive root folder to SmartScreen filter exceptions. Of the two binaries, one is a cryptocurrency miner and the other is a stealer dubbed VGS that's a variant of the Phe...

Veeam has released security updates to address a critical security flaw impacting its Backup & Replication software that could lead to remote code execution. The vulnerability, tracked as CVE-2025-23120 , carries a CVSS score of 9.9 out of 10.0. It affects 12.3.0.310 and all earlier version 12 builds. "A vulnerability allowing remote code execution (RCE) by authenticated domain users," the company said in an advisory released Wednesday. Security researcher Piotr Bazydlo of watchTowr has been credited with discovering and reporting the flaw, which has been resolved in version 12.3.1 (build 12.3.1.1139). According to Bazydlo and researcher Sina Kheirkhah, CVE-2025-23120 stems from Veeam's inconsistent handling of deserialization mechanism, causing an allowlisted class that can be deserialized to pave the way for an inner deserialization that implements a blocklist-based approach to prevent deserialization of data deemed risky by the company. This also means that ...

Cybersecurity isn't just another checkbox on your business agenda. It's a fundamental pillar of survival. As organizations increasingly migrate their operations to the cloud, understanding how to protect your digital assets becomes crucial. The shared responsibility model , exemplified through Microsoft 365's approach, offers a framework for comprehending and implementing effective cybersecurity measures.  The Essence of Shared Responsibility  Think of cloud security like a well-maintained building: the property manager handles structural integrity and common areas, while tenants secure their individual units. Similarly, the shared responsibility model creates a clear division of security duties between cloud providers and their users. This partnership approach ensures comprehensive protection through clearly defined roles and responsibilities.  What Your Cloud Provider Handles  Microsoft maintains comprehensive responsibility for securing the foundational eleme...

The governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore are likely customers of spyware developed by Israeli company Paragon Solutions, according to a new report from The Citizen Lab. Paragon, founded in 2019 by Ehud Barak and Ehud Schneorson, is the maker of a surveillance tool called Graphite that's capable of harvesting sensitive data from instant messaging applications on a device. The interdisciplinary lab said it identified the six governments as "suspected Paragon deployments" after mapping the server infrastructure suspected to be associated with the spyware. The development comes nearly two months after Meta-owned WhatsApp said it notified around 90 journalists and civil society members that it said were targeted by Graphite. The attacks were disrupted in December 2024. Targets of these attacks included individuals spread across over two dozen countries, including several in Europe such as Belgium, Greece, Latvia, Lithuania, Austria,...

Regulatory compliance is no longer just a concern for large enterprises. Small and mid-sized businesses (SMBs) are increasingly subject to strict data protection and security regulations, such as HIPAA, PCI-DSS, CMMC, GDPR, and the FTC Safeguards Rule. However, many SMBs struggle to maintain compliance due to limited IT resources, evolving regulatory requirements, and complex security challenges. Recent data shows there are approximately 33.3 million SMBs in the U.S., and 60% or more are not fully compliant with at least one regulatory standard. That means nearly 20 million SMBs could be at risk of fines, security breaches, and reputational damage. For Managed Service Providers (MSPs), this presents a huge opportunity to expand your service offerings by providing continuous compliance monitoring—helping your clients stay compliant while strengthening their own business. The Role of Continuous Compliance Monitoring Traditional compliance audits have been conducted periodically—ofte...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity security flaw impacting NAKIVO Backup & Replication software to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The vulnerability in question is CVE-2024-48248 (CVSS score: 8.6), an absolute path traversal bug that could allow an unauthenticated attacker to read files on the target host, including sensitive ones such as "/etc/shadow" via the endpoint "/c/router." It affects all versions of the software prior to version 10.11.3.86570. "NAKIVO Backup and Replication contains an absolute path traversal vulnerability that enables an attacker to read arbitrary files," CISA said in an advisory. Successful exploitation of the shortcoming could allow an adversary to read sensitive data, including configuration files, backups, and credentials, which could then act as a stepping stone for further compromises. There are cu...