The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Threat actors are leveraging an artificial intelligence (AI) powered presentation platform named Gamma in phishing attacks to direct unsuspecting users to spoofed Microsoft login pages. "Attackers weaponize Gamma, a relatively new AI-based presentation tool, to deliver a link to a fraudulent Microsoft SharePoint login portal," Abnormal Security researchers Callie Hinman Baron and Piotr Wojtyla said in a Tuesday analysis. The attack chain commences with a phishing email, in some cases sent from legitimate, compromised email accounts, to entice message recipients into opening an embedded PDF document. In reality, the PDF attachment is nothing but a hyperlink that, when clicked, redirects the victim to a presentation hosted on Gamma that prompts them to click on a button to "Review Secure Documents." Doing so takes the user to an intermediate page that impersonates Microsoft and instructs them to complete a Cloudflare Turnstile verification step before accessing...

Introduction Cyber threats targeting supply chains have become a growing concern for businesses across industries. As companies continue to expand their reliance on third-party vendors, cloud-based services, and global logistics networks, cybercriminals are exploiting vulnerabilities within these interconnected systems to launch attacks. By first infiltrating a third-party vendor with undetected security gaps, attackers can establish a foothold, leveraging these weaknesses to penetrate the primary business partners' network. From there, they move laterally through critical systems, ultimately gaining access to sensitive data, financial assets, intellectual property, or even operational controls. Recent high-profile breaches like the 2024 ransomware attack that hit Change Healthcare, one of the world's largest health payment processing companies, demonstrate how attackers disrupted supply chain operations stealing up to 6TB of millions of patients' protected health information (PHI)....

Cybersecurity researchers have unearthed a new controller component associated with a known backdoor called BPFDoor as part of cyber attacks targeting telecommunications, finance, and retail sectors in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt in 2024. "The controller could open a reverse shell," Trend Micro researcher Fernando Mercês said in a technical report published earlier in the week. "This could allow lateral movement, enabling attackers to enter deeper into compromised networks, allowing them to control more systems or gain access to sensitive data. The campaign has been attributed with medium confidence to a threat group it tracks as Earth Bluecrow, which is also known as DecisiveArchitect, Red Dev 18, and Red Menshen. The lower confidence level boils down to the fact that the BPFDoor malware source code was leaked in 2022 , meaning it could also have bee adopted by other hacking groups. BPFDoor is a Linux backdoor that first came to light in...

Intro: Why hack in when you can log in? SaaS applications are the backbone of modern organizations, powering productivity and operational efficiency. But every new app introduces critical security risks through app integrations and multiple users, creating easy access points for threat actors. As a result, SaaS breaches have increased, and according to a May 2024 XM Cyber report, identity and credential misconfigurations caused 80% of security exposures. Subtle signs of a compromise get lost in the noise, and then multi-stage attacks unfold undetected due to siloed solutions. Think of an account takeover in Entra ID, then privilege escalation in GitHub, along with data exfiltration from Slack. Each seems unrelated when viewed in isolation, but in a connected timeline of events, it's a dangerous breach. Wing Security's SaaS platform is a multi-layered solution that combines posture management with real-time identity threat detection and response. This allows organizations to get a ...

Cheap Android smartphones manufactured by Chinese companies have been observed pre-installed with trojanized apps masquerading as WhatsApp and Telegram that contain cryptocurrency clipper functionality as part of a campaign since June 2024. While using malware-laced apps to steal financial information is not a new phenomenon, the new findings from Russian antivirus vendor Doctor Web point to significant escalation where threat actors are directly targeting the supply chain of various Chinese manufacturers to preload brand new devices with malicious apps. "Fraudulent applications were detected directly in the software pre-installed on the phone," the company said . "In this case, the malicious code was added to the WhatsApp messenger." A majority of the compromised devices are said to be low-end phones that mimic well-known premium models from Samsung and Huawei with names like S23 Ultra, S24 Ultra, Note 13 Pro, and P70 Ultra. At least four of the affected mod...

The U.S. government funding for non-profit research giant MITRE to operate and maintain its Common Vulnerabilities and Exposures ( CVE ) program will expire Wednesday, an unprecedented development that could shake up one of the foundational pillars of the global cybersecurity ecosystem. The 25-year-old CVE program is a valuable tool for vulnerability management, offering a de facto standard to identify, define, and catalog publicly disclosed security flaws using CVE IDs. The program has listed over 274,000 CVE records to date. Yosry Barsoum, MITRE's vice president and director of the Center for Securing the Homeland (CSH), said its funding to "develop, operate, and modernize CVE and related programs, such as the Common Weakness Enumeration ( CWE ), will expire." "If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and al...

The China-linked threat actor known as UNC5174 has been attributed to a new campaign that leverages a variant of a known malware dubbed SNOWLIGHT and a new open-source tool called VShell to infect Linux systems. "Threat actors are increasingly using open source tools in their arsenals for cost-effectiveness and obfuscation to save money and, in this case, plausibly blend in with the pool of non-state-sponsored and often less technical adversaries (e.g., script kiddies), thereby making attribution even more difficult," Sysdig researcher Alessandra Rizzo said in a report shared with The Hacker News. "This seems to hold especially true for this particular threat actor , who has been under the radar for the last year since being affiliated with the Chinese government." UNC5174, also referred to as Uteus (or Uetus), was previously documented by Google-owned Mandiant as exploiting security flaws in Connectwise ScreenConnect and F5 BIG-IP software to deliver a C-base...

A critical security vulnerability has been disclosed in the Apache Roller open-source, Java-based blogging server software that could allow malicious actors to retain unauthorized access even after a password change. The flaw, assigned the CVE identifier CVE-2025-24859 , carries a CVSS score of 10.0, indicating maximum severity. It affects all versions of Roller up to and including 6.1.4. "A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes," the project maintainers said in an advisory. "When a user's password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable." Successful exploitation of the flaw could enable an attacker to maintain continued access to the application through old sessions even after password changes. It could also enable unfettered access if credentials were compromised. Th...

Everybody knows browser extensions are embedded into nearly every user's daily workflow, from spell checkers to GenAI tools. What most IT and security people don't know is that browser extensions' excessive permissions are a growing risk to organizations. LayerX today announced the release of the Enterprise Browser Extension Security Report 2025 , This report is the first and only report to merge public extension marketplace statistics with real-world enterprise usage telemetry. By doing so, it sheds light on one of the most underestimated threat surfaces in modern cybersecurity: browser extensions. The report reveals several findings that IT and security leaders will find interesting, as they build their plans for H2 2025. This includes information and analysis on how many extensions have risky permissions, which kinds of permissions are given, if extension developers are to be trusted, and more. Below, we bring key statistics from the report. Highlights from the Enterprise Browse...

Cybersecurity researchers have disclosed a malicious package uploaded to the Python Package Index (PyPI) repository that's designed to reroute trading orders placed on the MEXC cryptocurrency exchange to a malicious server and steal tokens. The package, ccxt-mexc-futures, purports to be an extension built on top of a popular Python library named ccxt (short for CryptoCurrency eXchange Trading), which is used to connect and trade with several cryptocurrency exchanges and facilitate payment processing services. The malicious package is no longer available on PyPI, but statistics on pepy.tech shows that it has been downloaded at least 1,065 times . "The authors of the malicious ccxt-mexc-futures package, claim in its README file that it extends the CCXT package to support 'futures' trade on MEXC," JFrog researcher Guy Korolevski said in a report shared with The Hacker News. However, a deeper examination of the library has revealed that it specifically overr...