The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Safe{Wallet} has revealed that the cybersecurity incident that led to the Bybit $1.5 billion crypto heist is a "highly sophisticated, state-sponsored attack," stating the North Korean threat actors behind the hack took steps to erase traces of the malicious activity in an effort to hamper investigation efforts. The multi-signature (multisig) platform , which has roped in Google Cloud Mandiant to perform a forensic investigation, said the attack is the work of a hacking group dubbed TraderTraitor , which is also known as Jade Sleet, PUKCHONG, and UNC4899 . "The attack involved the compromise of a Safe{Wallet} developer's laptop ('Developer1') and the hijacking of AWS session tokens to bypass multi-factor authentication ('MFA') controls," it said . "This developer was one of the very few personnel that had higher access in order to perform their duties." Further analysis has determined that the threat actors broke into the developer...

Threat actors of unknown provenance have been attributed to a malicious campaign predominantly targeting organizations in Japan since January 2025. "The attacker has exploited the vulnerability CVE-2024-4577 , a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines," Cisco Talos researcher Chetan Raghuprasad said in a technical report published Thursday. "The attacker utilizes plugins of the publicly available Cobalt Strike kit 'TaoWu' for-post exploitation activities." Targets of the malicious activity encompass companies across technology, telecommunications, entertainment, education, and e-commerce sectors in Japan. It all starts with the threat actors exploiting the CVE-2024-4577 vulnerability to gain initial access and run PowerShell scripts to execute the Cobalt Strike reverse HTTP shellcode payload to grant themselves persistent remote access to the compromised endpoint. Th...

Elastic has rolled out security updates to address a critical security flaw impacting the Kibana data visualization dashboard software for Elasticsearch that could result in arbitrary code execution. The vulnerability, tracked as CVE-2025-25015 , carries a CVSS score of 9.9 out of a maximum of 10.0. It has been described as a case of prototype pollution. "Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests," the company said in an advisory released Wednesday. Prototype pollution vulnerability is a security flaw that allows attackers to manipulate an application's JavaScript objects and properties, potentially leading to unauthorized data access, privilege escalation, denial-of-service, or remote code execution.  The vulnerability affects all versions of Kibana between 8.15.0 and 8.17.3. It has been addressed in version 8.17.3. That said, in Kibana versions from 8.15.0 and prior to 8.17....

The financially motivated threat actor known as EncryptHub has been observed orchestrating sophisticated phishing campaigns to deploy information stealers and ransomware, while also working on a new product called EncryptRAT . "EncryptHub has been observed targeting users of popular applications, by distributing trojanized versions," Outpost24 KrakenLabs said in a new report shared with The Hacker News. "Furthermore, the threat actor has also made use of third-party Pay-Per-Install (PPI) distribution services." The cybersecurity company described the threat actor as a hacking group that makes operational security errors and as someone who incorporates exploits for popular security flaws into their attack campaigns. EncryptHub, also tracked by Swiss cybersecurity company PRODAFT as LARVA-208, is assessed to have become active towards the end of June 2024, relying on a variety of approaches ranging from SMS phishing (smishing) to voice phishing (vishing) in an at...

Cyber threats are growing more sophisticated, and traditional security approaches struggle to keep up. Organizations can no longer rely on periodic assessments or static vulnerability lists to stay secure. Instead, they need a dynamic approach that provides real-time insights into how attackers move through their environment. This is where attack graphs come in. By mapping potential attack paths, they offer a more strategic way to identify and mitigate risk. In this article, we'll explore the benefits, types, and practical applications of attack graphs. Understanding Attack Graphs An attack graph is a visual representation of potential attack paths within a system or network. It maps how an attacker could move through different security weaknesses - misconfigurations, vulnerabilities, and credential exposures, etc. - to reach critical assets. Attack graphs can incorporate data from various sources, continuously update as environments change, and model real-world attack scenarios. ...

The threat actors behind the Medusa ransomware have claimed nearly 400 victims since it first emerged in January 2023, with the financially motivated attacks witnessing a 42% increase between 2023 and 2024. In the first two months of 2025 alone, the group has claimed over 40 attacks, according to data from the Symantec Threat Hunter Team shared with The Hacker News. The cybersecurity company is tracking the cluster under the name Spearwing. "Like the majority of ransomware operators, Spearwing and its affiliates carry out double extortion attacks, stealing victims' data before encrypting networks in order to increase the pressure on victims to pay a ransom," Symantec noted . "If victims refuse to pay, the group threatens to publish the stolen data on their data leaks site." While other ransomware-as-a-service (RaaS) players like RansomHub (aka Greenbottle and Cyclops), Play (aka Balloonfly), and Qilin (aka Agenda, Stinkbug, and Water Galura) have benefite...

Over 1,000 websites powered by WordPress have been infected with a third-party JavaScript code that injects four separate backdoors. "Creating four backdoors facilitates the attackers having multiple points of re-entry should one be detected and removed," c/side researcher Himanshu Anand said in a Wednesday analysis. The malicious JavaScript code has been found to be served via cdn.csyndication[.]com. As of writing, as many as 908 websites contain references to the domain in question. The functions of the four backdoors are explained below - Backdoor 1, which uploads and installs a fake plugin named "Ultra SEO Processor," which is then used to execute attacker-issued commands Backdoor 2, which injects malicious JavaScript into wp-config.php Backdoor 3, which adds an attacker-controlled SSH key to the ~/.ssh/authorized_keys file so as to allow persistent remote access to the machine Backdoor 4, which is designed to execute remote commands and fetches anot...

The U.S. Department of Justice (DoJ) has announced charges against 12 Chinese nationals for their alleged participation in a wide-ranging scheme designed to steal data and suppress free speech and dissent globally. The individuals include two officers of the People's Republic of China's (PRC) Ministry of Public Security (MPS), eight employees of an ostensibly private PRC company, Anxun Information Technology Co. Ltd. (安洵信息技术有限公司) also known as i-Soon , and members of Advanced Persistent Threat 27 ( APT27 , aka Budworm, Bronze Union, Emissary Panda, Lucky Mouse, and Iron Tiger) - Wu Haibo (吴海波), Chief Executive Officer Chen Cheng (陈诚), Chief Operating Officer Wang Zhe (王哲), Sales Director Liang Guodong (梁国栋), Technical Staff Ma Li (马丽), Technical Staff Wang Yan (王堰), Technical Staff Xu Liang (徐梁), Technical Staff Zhou Weiwei (周伟伟), Technical Staff Wang Liyu (王立宇), MPS Officer Sheng Jing (盛晶), MPS Officer Yin Kecheng (尹可成), APT27 actor aka "YKC" Zhou Sh...

The China-linked threat actor behind the zero-day exploitation of security flaws in Microsoft Exchange servers in January 2021 has shifted its tactics to target the information technology (IT) supply chain as a means to obtain initial access to corporate networks. That's according to new findings from the Microsoft Threat Intelligence team, which said the Silk Typhoon (formerly Hafnium) hacking group is now targeting IT solutions like remote management tools and cloud applications to obtain a foothold. "After successfully compromising a victim, Silk Typhoon uses the stolen keys and credentials to infiltrate customer networks where they can then abuse a variety of deployed applications, including Microsoft services and others, to achieve their espionage objectives," the tech giant said in a report published today. The adversarial collective is assessed to be "well-resourced and technically efficient," swiftly putting to use exploits for zero-day vulnerabil...

USB drive attacks constitute a significant cybersecurity risk, taking advantage of the everyday use of USB devices to deliver malware and circumvent traditional network security measures. These attacks lead to data breaches, financial losses, and operational disruptions, with lasting impacts on an organization's reputation. An example is the Stuxnet worm discovered in 2010, a malware designed to target industrial control systems, specifically Iran's nuclear enrichment facilities. It exploited multiple zero-day vulnerabilities and spread primarily through USB drives, making it one of the first examples of a cyberattack with real-world physical effects. Stuxnet exposed the risks of removable media and raised global awareness of cybersecurity threats to critical infrastructure. How USB drive attacks propagate Attackers use various methods to deliver malicious payloads via USB drives, targeting individuals and organizations.  Drop attacks : Infected USB drives are deliberatel...

The threat actor known as Dark Caracal has been attributed to a campaign that deployed a remote access trojan called Poco RAT in attacks targeting Spanish-speaking targets in Latin America in 2024. The findings come from Russian cybersecurity company Positive Technologies, which described the malware as loaded with a "full suite of espionage features." "It could upload files, capture screenshots, execute commands, and manipulate system processes," researchers Denis Kazakov and Sergey Samokhin said in a technical report published last week. Poco RAT was previously documented by Cofense in July 2024, detailing the phishing attacks aimed at mining, manufacturing, hospitality, and utilities sectors. The infection chains are characterized by the use of finance-themed lures that trigger a multi-step process to deploy the malware. While the campaign was not attributed to any threat at that time, Positive Technologies said it identified tradecraft overlaps with Dar...

Google has announced the rollout of artificial intelligence (AI)-powered scam detection features to secure Android device users and their personal information. "These features specifically target conversational scams, which can often appear initially harmless before evolving into harmful situations," Google said . "And more phone calling scammers are using spoofing techniques to hide their real numbers and pretend to be trusted companies." The company said it has partnered with financial institutions to better understand the nature of scams customers are encountering, thereby allowing it to devise AI models that can flag suspicious patterns and deliver real-time warnings over the course of a conversation without sacrificing user privacy. These models run completely on-device , alerting users in the event of a likely scam. Users then have an option to either dismiss or report and block the sender. The setting is enabled by default and applies only to conversatio...