The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Fortra on Thursday revealed the results of its investigation into CVE-2025-10035 , a critical security flaw in GoAnywhere Managed File Transfer (MFT) that's assessed to have come under active exploitation since at least September 11, 2025. The company said it began its investigation on September 11 following a "potential vulnerability" reported by a customer, uncovering "potentially suspicious activity" related to the flaw.  That same day, Fortra said it contacted on-premises customers who were identified as having their GoAnywhere admin console accessible to the public internet and that it notified law enforcement authorities about the incident. A hotfix for versions 7.6.x, 7.7.x, and 7.8.x of the software was made available the next day, with full releases incorporating the patch – versions 7.6.3 and 7.8.4 – made available on September 15. Three days later, a CVE for the vulnerability was formally published, it added. "The scope of the risk of this...

The SOC of 2026 will no longer be a human-only battlefield. As organizations scale and threats evolve in sophistication and velocity, a new generation of AI-powered agents is reshaping how Security Operations Centers (SOCs) detect, respond, and adapt. But not all AI SOC platforms are created equal. From prompt-dependent copilots to autonomous, multi-agent systems, the current market offers everything from smart assistants to force-multiplying automation. While adoption is still early— estimated at 1–5% penetration according to Gartner —the shift is undeniable. SOC teams must now ask a fundamental question: What type of AI belongs in my security stack? The Limits of Traditional SOC Automation Despite promises from legacy SOAR platforms and rule-based SIEM enhancements, many security leaders still face the same core challenges: Analyst alert fatigue from redundant low-fidelity triage tasks Manual context correlation across disparate tools and logs Disjointed and static detect...

Cybersecurity researchers have flagged a new set of 175 malicious packages on the npm registry that have been used to facilitate credential harvesting attacks as part of an unusual campaign. The packages have been collectively downloaded 26,000 times, acting as an infrastructure for a widespread phishing campaign codenamed Beamglea targeting more than 135 industrial, technology, and energy companies across the world, according to Socket. "While the packages' randomized names make accidental developer installation unlikely, the download counts likely include security researchers, automated scanners, and CDN infrastructure analyzing the packages after disclosure," security researcher Kush Pandya said . The packages have been found to use npm's public registry and unpkg.com's CDN to host redirect scripts that route victims to credential harvesting pages. Some aspects of the campaign were first flagged by Safety's Paul McCarty late last month. Specificall...

Cybersecurity company Huntress said it has observed active in-the-wild exploitation of an unpatched security flaw impacting Gladinet CentreStack and TrioFox products. The zero-day vulnerability, tracked as CVE-2025-11371 (CVSS score: 6.1), is an unauthenticated local file inclusion bug that allows unintended disclosure of system files. It impacts all versions of the software prior to and including 16.7.10368.56560. Huntress said it first detected the activity on September 27, 2025, uncovering that three of its customers have been impacted so far. It's worth noting that both applications were previously affected by CVE-2025-30406 (CVSS score: 9.0), a case of hard-coded machine key that could allow a threat actor to perform remote code execution via a ViewState deserialization vulnerability. The vulnerability has since come under active exploitation. CVE-2025-11371, per Huntress, "allowed a threat actor to retrieve the machine key from the application Web.config fil...

Dozens of organizations may have been impacted following the zero-day exploitation of a security flaw in Oracle's E-Business Suite (EBS) software since August 9, 2025 , Google Threat Intelligence Group (GTIG) and Mandiant said in a new report released Thursday. "We're still assessing the scope of this incident , but we believe it affected dozens of organizations," John Hultquist, chief analyst of GTIG at Google Cloud, said in a statement shared with The Hacker News. "Some historic Cl0p data extortion campaigns have had hundreds of victims. Unfortunately, large-scale zero-day campaigns like this are becoming a regular feature of cybercrime." The activity, which bears some hallmarks associated with the Cl0p ransomware crew, is assessed to have fashioned together multiple distinct vulnerabilities, including a zero-day flaw tracked as CVE-2025-61882 (CVSS score: 9.8), to breach target networks and exfiltrate sensitive data. Google said it found evidence of ...

A China-aligned threat actor codenamed UTA0388 has been attributed to a series of spear-phishing campaigns targeting North America, Asia, and Europe that are designed to deliver a Go-based implant known as GOVERSHELL . "The initially observed campaigns were tailored to the targets, and the messages purported to be sent by senior researchers and analysts from legitimate-sounding, completely fabricated organizations," Volexity said in a Wednesday report. "The goal of these spear phishing campaigns was to socially engineer targets into clicking links that led to a remotely hosted archive containing a malicious payload." Since then, the threat actor behind the attacks is said to have leveraged different lures and fictional identities, spanning several languages, including English, Chinese, Japanese, French, and German. Early iterations of the campaigns have been found to embed links to phishing content either hosted on a cloud-based service or their own infrastruc...

A rapidly evolving Android spyware campaign called ClayRat has targeted users in Russia using a mix of Telegram channels and lookalike phishing websites by impersonating popular apps like WhatsApp, Google Photos, TikTok, and YouTube as lures to install them. "Once active, the spyware can exfiltrate SMS messages, call logs, notifications, and device information; taking photos with the front camera; and even send SMS messages or place calls directly from the victim's device," Zimperium researcher Vishnu Pratapagiri said in a report shared with The Hacker News. The malware is also designed to propagate itself by sending malicious links to every contact in the victim's phone book, indicating aggressive tactics on the part of the attackers to leverage compromised devices as a distribution vector. The mobile security company said it has detected no less than 600 samples and 50 droppers over the last 90 days, with each successive iteration incorporating new layers of o...

SonicWall on Wednesday disclosed that an unauthorized party accessed firewall configuration backup files for all customers who have used the cloud backup service. "The files contain encrypted credentials and configuration data; while encryption remains in place, possession of these files could increase the risk of targeted attacks," the company said . It also noted that it's working to notify all partners and customers, adding it has released tools to assist with device assessment and remediation. The company is also urging users to log in and check for their devices. The development comes a couple of weeks after SonicWall urged customers to perform a credential reset after their firewall configuration backup files were exposed in a security breach impacting MySonicWall accounts. The list of impacted devices available on the MySonicWall portal has been assigned a priority level to help customers prioritize remediation efforts. The labels are as follows - Active –...

Cyber threats are evolving faster than ever. Attackers now combine social engineering, AI-driven manipulation, and cloud exploitation to breach targets once considered secure. From communication platforms to connected devices, every system that enhances convenience also expands the attack surface. This edition of ThreatsDay Bulletin explores these converging risks and the safeguards that help preserve trust in an increasingly intelligent threat landscape. How Threat Actors Abuse Microsoft Teams Attackers Abuse Microsoft Teams for Extortion, Social Engineering, and Financial Theft Microsoft detailed the various ways threat actors can abuse its Teams chat software at various stages of the attack chain, even using it to support financial theft through extortion, social engineering, or technical means. " Octo Tempest has used communication apps, including Teams, to send taunting and threatening messages to organizations, defenders, and incident response teams as p...

Token theft is a leading cause of SaaS breaches. Discover why OAuth and API tokens are often overlooked and how security teams can strengthen token hygiene to prevent attacks. Most companies in 2025 rely on a whole range of software-as-a-service (SaaS) applications to run their operations. However, the security of these applications depends on small pieces of data called tokens. Tokens, like OAuth access tokens, API keys, and session tokens, work like keys to these applications. If a cybercriminal gets hold of one, they can access relevant systems without much trouble. Recent security breaches have shown that just one stolen token can bypass multi-factor authentication (MFA) and other security measures. Instead of exploiting vulnerabilities directly, attackers are leveraging token theft. It's a security concern that ties into the broader issue of SaaS sprawl and the difficulty of monitoring countless third-party integrations. Recent Breaches Involving Token Theft A lot of real-wo...

Russian hackers' adoption of artificial intelligence (AI) in cyber attacks against Ukraine has reached a new level in the first half of 2025 (H1 2025), the country's State Service for Special Communications and Information Protection (SSSCIP) said. "Hackers now employ it not only to generate phishing messages, but some of the malware samples we have analyzed show clear signs of being generated with AI – and attackers are certainly not going to stop there," the agency said in a report published Wednesday. SSSCIP said 3,018 cyber incidents were recorded during the time period, up from 2,575 in the second half of 2024 (H2 2024). Local authorities and military entities witnessed an increase in attacks compared to H2 2024, while those targeting government and energy sectors declined. One notable attack observed involved UAC-0219's use of malware called WRECKSTEEL in attacks aimed at state administration bodies and critical infrastructure facilities in the country...

Threat actors are actively exploiting a critical security flaw impacting the Service Finder WordPress theme that makes it possible to gain unauthorized access to any account, including administrators, and take control of susceptible sites. The authentication bypass vulnerability, tracked as CVE-2025-5947 (CVSS score: 9.8), affects the Service Finder Bookings, a WordPress plugin bundled with the Service Finder theme. It was discovered by a researcher who goes by the name Foxyyy. "This vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site, including accounts with the 'administrator' role," Wordfence researcher István Márton said . The problem, at its core, is a case of privilege escalation stemming from authentication bypass due to the plugin not adequately validating a user's cookie value before logging them in through an account switching function (service_finder_switch_back()). As a result, an unauthenticate...

Cybersecurity researchers are calling attention to a nefarious campaign targeting WordPress sites to make malicious JavaScript injections that are designed to redirect users to sketchy sites. "Site visitors get injected content that was drive-by malware like fake Cloudflare verification," Sucuri researcher Puja Srivastava said in an analysis published last week. The website security company said it began an investigation after one of its customer's WordPress sites served suspicious third-party JavaScript to site visitors, ultimately finding that the attackers introduced malicious modifications to a theme-related file ("functions.php"). The code inserted into "functions.php" incorporates references to Google Ads, likely in an attempt to evade detection. But, in reality, it functions as a remote loader by sending an HTTP POST request to the domain "brazilc[.]com," which, in turn, responds with a dynamic payload that includes two component...