The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

A suspected cyber espionage activity cluster that was previously found targeting global government and private sector organizations spanning Africa, Asia, North America, South America, and Oceania has been assessed to be a Chinese state-sponsored threat actor. Recorded Future, which was tracking the activity under the moniker TAG-100 , has now graduated it to a hacking group dubbed RedNovember . It's also tracked by Microsoft as Storm-2077 . "Between June 2024 and July 2025, RedNovember (which overlaps with Storm-2077) targeted perimeter appliances of high-profile organizations globally and used the Go-based backdoor Pantegana and Cobalt Strike as part of its intrusions," the Mastercard-owned company said in a report shared with The Hacker News. "The group has expanded its targeting remit across government and private sector organizations, including defense and aerospace organizations, space organizations, and law firms." Some of the likely new victims of...

Companies in the legal services, software-as-a-service (SaaS) providers, Business Process Outsourcers (BPOs), and technology sectors in the U.S. have been targeted by a suspected China-nexus cyber espionage group to deliver a known backdoor referred to as BRICKSTORM . The activity, attributed to UNC5221 and closely related, suspected China-nexus threat clusters, is designed to facilitate persistent access to victim organizations for over a year, Mandiant and Google Threat Intelligence Group (GTIG) said in a new report shared with The Hacker News. It's assessed that the objective of BRICKSTORM targeting SaaS providers is to gain access to downstream customer environments or the data SaaS providers host on their customers' behalf, while the targeting of the U.S. legal and technological spheres is likely an attempt to gather information related to national security and international trade, as well as steal intellectual property to advance the development of zero-day exploits. ...

Cybersecurity researchers have disclosed two security flaws in Wondershare RepairIt that exposed private user data and potentially exposed the system to artificial intelligence (AI) model tampering and supply chain risks. The critical-rated vulnerabilities in question, discovered by Trend Micro, are listed below - CVE-2025-10643 (CVSS score: 9.1) - An authentication bypass vulnerability that exists within the permissions granted to a storage account token CVE-2025-10644 (CVSS score: 9.4) - An authentication bypass vulnerability that exists within the permissions granted to an SAS token Successful exploitation of the two flaws can allow an attacker to circumvent authentication protection on the system and launch a supply chain attack, ultimately resulting in the execution of arbitrary code on customers' endpoints. Trend Micro researchers Alfredo Oliveira and David Fiser said the AI-powered data repair and photo editing application "contradicted its privacy policy by...

Most businesses don't make it past their fifth birthday - studies show that  roughly 50% of small businesses fail within the first five years. So when  KNP Logistics Group (formerly Knights of Old) celebrated more than a century and a half of operations, it had mastered the art of survival. For 158 years, KNP adapted and endured, building a transport business that operated 500 trucks across the UK. But in June 2025, one easily guessed password brought down the company in a matter of days. The Northamptonshire-based firm  fell victim to the Akira ransomware group after hackers gained access by guessing an employee's weak password. Attackers didn't need a sophisticated phishing campaign or a zero-day exploit - all they needed was a password so simple that cybercriminals could guess it correctly. When basic security fails, everything falls No matter what advanced security mechanisms your organization has in place, everything falls if basic security measures fail. In ...

Cybersecurity researchers have disclosed details of a new malware family dubbed YiBackdoor that has been found to share "significant" source code overlaps with IcedID and Latrodectus . "The exact connection to YiBackdoor is not yet clear, but it may be used in conjunction with Latrodectus and IcedID during attacks," Zscaler ThreatLabz said in a Tuesday report. "YiBackdoor is able to execute arbitrary commands, collect system information, capture screenshots, and deploy plugins that dynamically expand the malware's functionality." The cybersecurity company said it first identified the malware in June 2025, adding it may be serving as a precursor to follow-on exploitation, such as facilitating initial access for ransomware attacks. Only limited deployments of YiBackdoor have been detected to date, indicating it's currently either under development or being tested. Given the similarities between YiBackdoor, IcedID, and Latrodectus, it's b...

Think payment iframes are secure by design? Think again. Sophisticated attackers have quietly evolved malicious overlay techniques to exploit checkout pages and steal credit card data by bypassing the very security policies designed to stop them. Download the complete iframe security guide here .  TL;DR: iframe Security Exposed Payment iframes are being actively exploited by attackers using malicious overlays to skim credit card data. These pixel-perfect fake forms bypass traditional security, as proven by a recent Stripe campaign that has already compromised dozens of merchants. This article explores: Anatomy of the 2024 Stripe skimmer attack. Why old defenses like CSP and X-Frame-Options are failing. Modern attack vectors: overlays, postMessage spoofing, and CSS exfiltration. How third-party scripts in payment iframes create new risks. How the new PCI DSS 4.0.1 rules are forcing merchants to secure the entire page. A six-step defense strategy focusing on real-time mon...

Cloud security company Wiz has revealed that it uncovered in-the-wild exploitation of a security flaw in a Linux utility called Pandoc as part of attacks designed to infiltrate Amazon Web Services (AWS) Instance Metadata Service (IMDS). The vulnerability in question is CVE-2025-51591 (CVSS score: 6.5), which refers to a case of Server-Side Request Forgery (SSRF) that allows attackers to compromise a target system by injecting a specially crafted HTML iframe element. The EC2 IMDS is a crucial component of the AWS cloud environment, offering information about running instances, as well as temporary, short-lived credentials if an identity and access management (IAM) role is associated with the instance. The instance metadata is accessible to any application running on an EC2 instance via a link-local address (169.254.169[.]254). These credentials can then be used to securely interact with other AWS services like S3, RDS, or DynamoDB, permitting applications to authenticate without...

Libraesva has released a security update to address a vulnerability in its Email Security Gateway (ESG) solution that it said has been exploited by state-sponsored threat actors. The vulnerability, tracked as CVE-2025-59689 , carries a CVSS score of 6.1, indicating medium severity. "Libraesva ESG is affected by a command injection flaw that can be triggered by a malicious email containing a specially crafted compressed attachment, allowing potential execution of arbitrary commands as a non-privileged user," Libraesva said in an advisory. "This occurs due to an improper sanitization during the removal of active code from files contained in some compressed archive formats." In a hypothetical attack scenario, an attacker could exploit the flaw by sending an email containing a specially crafted compressed archive, allowing a threat actor to leverage the application's improper sanitization logic to ultimately execute arbitrary shell commands. The shortcoming ...

Cybersecurity researchers have disclosed details of two security vulnerabilities impacting Supermicro Baseboard Management Controller (BMC) firmware that could potentially allow attackers to bypass crucial verification steps and update the system with a specially crafted image. The medium-severity vulnerabilities , both of which stem from improper verification of a cryptographic signature, are listed below - CVE-2025-7937 (CVSS score: 6.6) - A crafted firmware image can bypass the Supermicro BMC firmware verification logic of Root of Trust ( RoT ) 1.0 to update the system firmware by redirecting the program to a fake "fwmap" table in the unsigned region CVE-2025-6198 (CVSS score: 6.4) - A crafted firmware image can bypass the Supermicro BMC firmware verification logic of the Signing Table to update the system firmware by redirecting the program to a fake signing table ("sig_table") in the unsigned region The image validation process carried out during a fi...

Law enforcement authorities in Europe have arrested five suspects in connection with an "elaborate" online investment fraud scheme that stole more than €100 million ($118 million) from over 100 victims in France, Germany, Italy, and Spain. According to Eurojust , the coordinated action saw searches in five places across Spain and Portugal, as well as in Italy, Romania and Bulgaria. Bank accounts and other financial assets associated with the cybercrime ring were frozen. The main perpetrator behind the operation has been accused of large-scale fraud and money laundering by running an online investment platform for several years, tricking unsuspecting individuals into parting with their funds by promising them high returns on investments in various cryptocurrencies. Once the deposits were made, the funds were transferred to bank accounts in Lithuania to launder them. Victims who attempted to withdraw their assets from the platform were asked to pay additional fees, after wh...

The U.S. Secret Service on Tuesday said it took down a network of electronic devices located across the New York tri-state area that were used to threaten U.S. government officials and posed an imminent threat to national security. "This protective intelligence investigation led to the discovery of more than 300 co-located SIM servers and 100,000 SIM cards across multiple sites," the Secret Service said . The devices were concentrated within a 35-mile (56 km) radius of the global meeting of the United Nations General Assembly in New York City. An investigation into the incident has been launched by the Secret Service's Advanced Threat Interdiction Unit. Aside from issuing anonymous telephonic threats, the sophisticated devices could be weaponized to conduct various attacks on the telecommunications infrastructure, including disabling cell phone towers, triggering a denial-of-service, and facilitating encrypted communication between potential threat actors and criminal...

SolarWinds has released hot fixes to address a critical security flaw impacting its Web Help Desk software that, if successfully exploited, could allow attackers to execute arbitrary commands on susceptible systems. The vulnerability, tracked as CVE-2025-26399 (CVSS score: 9.8), has been described as an instance of deserialization of untrusted data that could result in code execution. It affects SolarWinds Web Help Desk 12.8.7 and all previous versions. "SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine," SolarWinds said in an advisory released on September 17, 2025. An anonymous researcher working with the Trend Micro Zero Day Initiative (ZDI) has been credited with discovering and reporting the flaw. SolarWinds said CVE-2025-26399 is a patch bypass for CVE-2024-28988 (CVSS score: 9.8), which, in turn, ...