The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Japan's National Police Agency (NPA) and National Center of Incident Readiness and Strategy for Cybersecurity (NCSC) accused a China-linked threat actor named MirrorFace of orchestrating a persistent attack campaign targeting organizations, businesses, and individuals in the country since 2019. The primary objective of the attack campaign is to steal information related to Japan's national security and advanced technology, the agencies said . MirrorFace, also tracked as Earth Kasha, is assessed to be a sub-group within APT10. It has a track record of systematically striking Japanese entities, often leveraging tools like ANEL, LODEINFO, and NOOPDOOR (aka HiddenFace). Last month, Trend Micro revealed details of a spear-phishing campaign that targeted individuals and organizations in Japan with an aim to deliver ANEL and NOOPDOOR . Other campaigns observed in recent years have also been directed against Taiwan and India. According to NPA and NCSC, attacks mounted by Mirro...

Ransomware isn't slowing down—it's getting smarter. Encryption, designed to keep our online lives secure, is now being weaponized by cybercriminals to hide malware, steal data, and avoid detection. The result? A 10.3% surge in encrypted attacks over the past year and some of the most shocking ransom payouts in history, including a $75 million ransom in 2024. Are you prepared to fight back? Join Emily Laufer , Director of Product Marketing at Zscaler, for an eye-opening session, " Preparing for Ransomware and Encrypted Attacks in 2025 " filled with practical insights and cutting-edge strategies to outsmart these evolving threats. What You'll Learn: ThreatLabz Insights: Get the latest findings from Zscaler's experts on ransomware and encrypted attacks, including the trends making the biggest impact. 2025 Predictions: Find out how ransomware groups are refining their tactics to stay one step ahead—and what you can do to stop them. Encrypted DNS Attacks: Learn how cyb...

Threat actors are attempting to take advantage of a recently disclosed security flaw impacting GFI KerioControl firewalls that, if successfully exploited, could allow malicious actors to achieve remote code execution (RCE). The vulnerability in question, CVE-2024-52875 , refers to a carriage return line feed ( CRLF ) injection attack, paving the way for HTTP response splitting , which could then lead to a cross-site scripting (XSS) flaw. Successful exploitation of the 1-click RCE flaw permits an attacker to inject malicious inputs into HTTP response headers by introducing carriage return (\r) and line feed (\n) characters.  The flaw impacts KerioControl versions 9.2.5 through 9.4.5, according to security researcher Egidio Romano, who discovered and reported the flaw in early November 2024. The HTTP response splitting flaws have been uncovered in the following URI paths - /nonauth/addCertException.cs /nonauth/guestConfirm.cs /nonauth/expiration.cs "User input passed ...

Ivanti is warning that a critical security flaw impacting Ivanti Connect Secure, Policy Secure, and ZTA Gateways has come under active exploitation in the wild beginning mid-December 2024. The security vulnerability in question is CVE-2025-0282 (CVSS score: 9.0), a stack-based buffer overflow that affects Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3. "Successful exploitation of CVE-2025-0282 could lead to unauthenticated remote code execution," Ivanti said in an advisory . "Threat actor activity was identified by the Integrity Checker Tool (ICT) on the same day it occurred, enabling Ivanti to respond promptly and rapidly develop a fix." Also patched by the company is another high-severity flaw (CVE-2025-0283, CVSS score: 7.0) that allows a locally authenticated attacker to escalate their privileges. The vulnerabilities, addressed in version 22.7R2.5, imp...

The European General Court on Wednesday fined the European Commission, the primary executive arm of the European Union responsible for proposing and enforcing laws for member states, for violating the bloc's own data privacy regulations. The development marks the first time the Commission has been held liable for infringing stringent data protection laws in the region. The court determined that a "sufficiently serious breach" was committed by transferring a German citizen's personal data, including their IP address and web browser metadata, to Meta's servers in the United States when visiting the now-inactive futureu.europa[.]eu website in March 2022. The individual registered for one of the events on the site by using the Commission's login service, which included an option to sign in using a Facebook account. "By means of the 'Sign in with Facebook' hyperlink displayed on the E.U. Login webpage, the Commission created the conditions for t...

Cybersecurity researchers have found that bad actors are continuing to have success by spoofing sender email addresses as part of various malspam campaigns. Faking the sender address of an email is widely seen as an attempt to make the digital missive more legitimate and get past security mechanisms that could otherwise flag it as malicious. While there are safeguards such as DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC), and Sender Policy Framework (SPF) that can be used to prevent spammers from spoofing well-known domains, such measures have increasingly led them to leverage old, neglected domains in their operations. In doing so, the email messages are likely to bypass security checks that rely on the domain age as a means to identify spam. DNS threat intelligence firm Infoblox, in a new analysis shared with The Hacker News, discovered that threat actors, including Muddling Meerkat and others, have abused some of it...

Cybersecurity researchers have shed light on a new remote access trojan called NonEuclid that allows bad actors to remotely control compromised Windows systems. "The NonEuclid remote access trojan (RAT), developed in C#, is a highly sophisticated malware offering unauthorised remote access with advanced evasion techniques," Cyfirma said in a technical analysis published last week. "It employs various mechanisms, including antivirus bypass, privilege escalation, anti-detection, and ransomware encryption targeting critical files." NonEuclid has been advertised in underground forums since at least late November 2024, with tutorials and discussions about the malware discovered on popular platforms like Discord and YouTube. This points to a concerted effort to distribute the malware as a crimeware solution. At its core, the RAT commences with an initialization phase for a client application, after which it performs a series of checks to evade detection prior to s...

2024 had its fair share of high-profile cyber attacks, with companies as big as Dell and TicketMaster falling victim to data breaches and other infrastructure compromises. In 2025, this trend will continue. So, to be prepared for any kind of malware attack, every organization needs to know its cyber enemy in advance. Here are 5 common malware families that you can start preparing to counter right now. Lumma Lumma is a widely available malware designed to steal sensitive information. It has been openly sold on the Dark Web since 2022. This malware can effectively collect and exfiltrate data from targeted applications, including login credentials, financial information, and personal details. Lumma is regularly updated to enhance its capabilities. It can log detailed information from compromised systems, such as browsing history and cryptocurrency wallet data. It can be used to install other malicious software on infected devices. In 2024, Lumma was distributed through various methods...

A Mirai botnet variant has been found exploiting a newly disclosed security flaw impacting Four-Faith industrial routers since early November 2024 with the goal of conducting distributed denial-of-service (DDoS) attacks. The botnet maintains approximately 15,000 daily active IP addresses, with the infections primarily scattered across China, Iran, Russia, Turkey, and the United States. Exploiting an arsenal of over 20 known security vulnerabilities and weak Telnet credentials for initial access, the malware is known to have been active since February 2024. The botnet has been dubbed "gayfemboy" in reference to the offensive term present in the source code. QiAnXin XLab said it observed the malware leveraging a zero-day vulnerability in industrial routers manufactured by China-based Four-Faith to deliver the artifacts as early as November 9, 2024. The vulnerability in question is CVE-2024-12856 (CVSS score: 7.2), which refers to an operating system (OS) command injectio...