Search results for tempest cyber security | Breaking Cybersecurity News | The Hacker News

As enterprises continue to shift their operations to the browser, security teams face a growing set of cyber challenges. In fact, over 80% of security incidents now originate from web applications accessed via Chrome, Edge, Firefox, and other browsers. One particularly fast-evolving adversary, Scattered Spider, has made it their mission to wreak havoc on enterprises by specifically targeting sensitive data on these browsers. Scattered Spider, also referred to as UNC3944, Octo Tempest, or Muddled Libra, has matured over the past two years through precision targeting of human identity and browser environments. This shift differentiates them from other notorious cybergangs like Lazarus Group, Fancy Bear, and REvil. If sensitive information such as your calendar, credentials, or security tokens is alive and well in browser tabs, Scattered Spider is able to acquire them.  In this article, you'll learn details about Scattered Spider's attack methods and how you can stop them in their ...

Microsoft is warning of a new phishing campaign undertaken by an initial access broker that involves using Teams messages as lures to infiltrate corporate networks. The tech giant's Threat Intelligence team is tracking the cluster under the name  Storm-0324 , which is also known by the monikers TA543 and Sagrid. "Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats," the company  said , adding the development marks a shift from using email-based initial infection vectors for initial access. Storm-0324 operates in the cybercriminal economy as a payload distributor, offering a service that allows for the propagation of  various   payloads  using evasive infection chains. This includes a mix of downloaders, banking trojans, ransomware, and modular toolkits such as Nymaim, Gozi, TrickBot, IcedID, Gootkit, Dridex, Sage, GandCrab, and JSSLoader. Attack sequences mounte...

Users of Cleo-managed file transfer software are being urged to ensure that their instances are not exposed to the internet following reports of mass exploitation of a vulnerability affecting fully patched systems. Cybersecurity company Huntress said it discovered evidence of threat actors exploiting the issue en masse on December 3, 2024. The vulnerability, which impacts Cleo's LexiCom, VLTransfer, and Harmony software, concerns a case of unauthenticated remote code execution. The security hole is tracked as CVE-2024-50623 (CVSS score: 9.8), with Cleo noting that the flaw is the result of an unrestricted file upload that could pave the way for the execution of arbitrary code. The Illinois-based company, which has over 4,200 customers across the world, has since issued another advisory (CVE-2024-55956), warning of a separate "unauthenticated malicious hosts vulnerability that could lead to remote code execution." The development comes after Huntress said the pat...

Even in well-secured environments, attackers are getting in—not with flashy exploits, but by quietly taking advantage of weak settings, outdated encryption, and trusted tools left unprotected. These attacks don't depend on zero-days. They work by staying unnoticed—slipping through the cracks in what we monitor and what we assume is safe. What once looked suspicious now blends in, thanks to modular techniques and automation that copy normal behavior. The real concern? Control isn't just being challenged—it's being quietly taken. This week's updates highlight how default settings, blurred trust boundaries, and exposed infrastructure are turning everyday systems into entry points. ⚡ Threat of the Week Critical SharePoint Zero-Day Actively Exploited (Patch Released Today) — Microsoft has released fixes to address two security flaws in SharePoint Server that have come under active exploitation in the wild to breach dozens of organizations across the world. Details of exploitation emer...

British authorities on Thursday announced the arrest of a 17-year-old male in connection with a cyber attack affecting Transport for London (TfL). "The 17-year-old male was detained on suspicion of Computer Misuse Act offenses in relation to the attack, which was launched on TfL on 1 September," the U.K. National Crime Agency (NCA) said . The teenager, who's from Walsall, is said to have been arrested on September 5, 2024, following an investigation that was launched in the incident's aftermath. The law enforcement agency said the unnamed individual was questioned and subsequently let go on bail. "Attacks on public infrastructure such as this can be hugely disruptive and lead to severe consequences for local communities and national systems," Deputy Director Paul Foster, head of the NCA's National Cyber Crime Unit, said. "The swift response by TfL following the incident has enabled us to act quickly, and we are grateful for their continued co...

Cybersecurity never stops—and neither do hackers. While you wrapped up last week, new attacks were already underway. From hidden software bugs to massive DDoS attacks and new ransomware tricks, this week's roundup gives you the biggest security moves to know. Whether you're protecting key systems or locking down cloud apps, these are the updates you need before making your next security decision. Take a quick look to start your week informed and one step ahead. ⚡ Threat of the Week Cisco 0-Day Flaws Under Attack — Cybersecurity agencies warned that threat actors have exploited two security flaws affecting Cisco firewalls as part of zero-day attacks to deliver previously undocumented malware families like RayInitiator and LINE VIPER. The RayInitiator and LINE VIPER malware represent a significant evolution on that used in the previous campaign, both in sophistication and its ability to evade detection. The activity involves the exploitation of CVE-2025-20362 (CVSS score: 6.5) a...

The infamous cybercrime group known as Scattered Spider has incorporated ransomware strains such as RansomHub and Qilin into its arsenal, Microsoft has revealed. Scattered Spider is the designation given to a threat actor that's known for its sophisticated social engineering schemes to breach targets and establish persistence for follow-on exploitation and data theft. It also has a history of targeting VMWare ESXi servers and deploying BlackCat ransomware. It shares overlaps with activity clusters tracked by the broader cybersecurity community under the monikers Gold Harvest, 0ktapus, Octo Tempest, and UNC3944. Last month, it was reported that a key member of the group was arrested in Spain. RansomHub, which arrived on the scene earlier this February, has been assessed to be a rebrand of another ransomware strain called Knight, according to an analysis from Broadcom-owned Symantec last month. "RansomHub is a ransomware-as-a-service (RaaS) payload used by more and mor...

The notorious cybercrime group known as FIN7 has been observed deploying  Cl0p  (aka Clop) ransomware, marking the threat actor's first ransomware campaign since late 2021. Microsoft, which detected the activity in April 2023, is tracking the financially motivated actor under its new taxonomy  Sangria Tempest . "In these recent attacks, Sangria Tempest uses the PowerShell script POWERTRASH to load the Lizar post-exploitation tool and get a foothold into a target network," the company's threat intelligence team  said . "They then use OpenSSH and Impacket to move laterally and deploy Clop ransomware." FIN7  (aka Carbanak, ELBRUS, and ITG14) has been linked to other ransomware families such as Black Basta, DarkSide, REvil, and LockBit, with the threat actor acting as a precursor for Maze and Ryuk ransomware attacks.  Active since at least 2012, the group has a  track record  of  targeting  a broad spectrum of organizations spanning so...

Microsoft on Thursday disclosed that it revoked more than 200 certificates used by a threat actor it tracks as Vanilla Tempest to fraudulently sign malicious binaries in ransomware attacks. The certificates were "used in fake Teams setup files to deliver the Oyster backdoor and ultimately deploy Rhysida ransomware," the Microsoft Threat Intelligence team said in a post shared on X. The tech giant said it disrupted the activity earlier this month after it was detected in late September 2025. In addition to revoking the certificates, its security solutions have been updated to flag the signatures associated with the fake setup files, Oyster backdoor, and Rhysida ransomware. Vanilla Tempest (formerly Storm-0832) is the name given to a financially motivated threat actor also called Vice Society and Vice Spider that's assessed to be active since at least July 2022, delivering various ransomware strains such as BlackCat, Quantum Locker, Zeppelin, and Rhysida over the year...

Cyber threats are evolving faster than ever. Attackers now combine social engineering, AI-driven manipulation, and cloud exploitation to breach targets once considered secure. From communication platforms to connected devices, every system that enhances convenience also expands the attack surface. This edition of ThreatsDay Bulletin explores these converging risks and the safeguards that help preserve trust in an increasingly intelligent threat landscape. How Threat Actors Abuse Microsoft Teams Attackers Abuse Microsoft Teams for Extortion, Social Engineering, and Financial Theft Microsoft detailed the various ways threat actors can abuse its Teams chat software at various stages of the attack chain, even using it to support financial theft through extortion, social engineering, or technical means. " Octo Tempest has used communication apps, including Teams, to send taunting and threatening messages to organizations, defenders, and incident response teams as p...

A recently patched security flaw impacting VMware ESXi hypervisors has been actively exploited by "several" ransomware groups to gain elevated permissions and deploy file-encrypting malware. The attacks involve the exploitation of CVE-2024-37085 (CVSS score: 6.8), an Active Directory integration authentication bypass that allows an attacker to obtain administrative access to the host. "A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD," Broadcom-owned VMware noted in an advisory released in late June 2024. In other words, escalating privileges on ESXi to the administrator was as simple as creating a new AD group named "ESX Admins" and adding any user to it, or renaming any group in the domain to "ESX Admins" and adding a user...

The financially motivated threat actor known as  FIN7  has been observed leveraging malicious Google ads spoofing legitimate brands as a means to deliver MSIX installers that culminate in the deployment of  NetSupport RAT . "The threat actors used malicious websites to impersonate well-known brands, including AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet," cybersecurity firm eSentire  said  in a report published earlier this week. FIN7 (aka Carbon Spider and Sangria Tempest) is a  persistent e-crime group  that's been active since 2013, initially dabbling in attacks targeting point-of-sale (PoS) devices to steal payment data, before pivoting to breaching large firms via ransomware campaigns. Over the years, the threat actor has refined its tactics and cyber weapon arsenal, adopting  various   custom malware  families such as BIRDWATCH, Carbanak, DICELOADER...

Iranian nation-state groups have now joined financially motivated actors in actively exploiting a critical flaw in PaperCut print management software, Microsoft disclosed over the weekend. The tech giant's threat intelligence team said it observed both Mango Sandstorm (Mercury) and Mint Sandstorm (Phosphorus) weaponizing CVE-2023-27350 in their operations to achieve initial access. "This activity shows Mint Sandstorm's continued ability to  rapidly incorporate [proof-of-concept] exploits  into their operations," Microsoft  said  in a series of tweets. On the other hand, CVE-2023-27350 exploitation activity associated with Mango Sandstorm is said to be on the lower end of the spectrum, with the state-sponsored group "using tools from prior intrusions to connect to their C2 infrastructure." It's worth noting that  Mango Sandstorm  is linked to Iran's Ministry of Intelligence and Security (MOIS) and  Mint Sandstorm  is associated with the Islam...

The threat actors behind the  Rhysida ransomware  engage in opportunistic attacks targeting organizations spanning various industry sectors. The advisory comes courtesy of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC). "Observed as a ransomware-as-a-service (RaaS) model, Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors and any ransom paid is split between the group and affiliates," the agencies  said . " Rhysida actors leverage external-facing remote services, such as virtual private networks (VPNs), Zerologon vulnerability (CVE-2020-1472), and phishing campaigns to gain initial access and persistence within a network." First detected in May 2023,  Rhysida  makes use of the time-tested tactic of double extortion, demanding a ransom payment to decrypt vic...

An unknown threat actor has been linked to a cyber attack on a power generation company in southern Africa with a new variant of the SystemBC malware called DroxiDat as a precursor to a suspected ransomware attack. "The proxy-capable backdoor was deployed alongside Cobalt Strike Beacons in a south African nation's critical infrastructure," Kurt Baumgartner, principal security researcher at Kaspersky's Global Research and Analysis Team (GReAT),  said . The Russian cybersecurity company said the attack, which took place in late March 2023, was in its early stages and involved the use of DroxiDat to profile the system and proxy network traffic using the  SOCKS5 protocol  to and from command-and-control (C2) infrastructure. SystemBC  is a C/C++-based commodity malware and remote administrative tool that was  first seen in 2019 . Its main feature is to set up  SOCKS5 proxies  on victim computers that can then be used by threat actors to tunnel maliciou...