data breach | Breaking Cybersecurity News | The Hacker News

Microsoft on Tuesday addressed a set of 80 security flaws in its software, including one vulnerability that has been disclosed as publicly known at the time of release. Of the 80 vulnerabilities, eight are rated Critical and 72 are rated Important in severity. None of the shortcomings has been exploited in the wild as a zero-day. Like last month , 38 of the disclosed flaws are related to privilege escalation, followed by remote code execution (22), information disclosure (14), and denial-of-service (3). "For the third time this year, Microsoft patched more elevation of privilege vulnerabilities than remote code execution flaws," Satnam Narang, senior staff research engineer at Tenable, said. "Nearly 50% (47.5%) of all bugs this month are privilege escalation vulnerabilities." The patches are in addition to 12 vulnerabilities addressed in Microsoft's Chromium-based Edge browser since the release of August 2025's Patch Tuesday update, including a securit...

Phishing-as-a-Service (PhaaS) platforms keep evolving, giving attackers faster and cheaper ways to break into corporate accounts. Now, researchers at ANY.RUN has uncovered a new entrant: Salty2FA , a phishing kit designed to bypass multiple two-factor authentication methods and slip past traditional defenses.  Already spotted in campaigns across the US and EU, Salty2FA puts enterprises at risk by targeting industries from finance to energy. Its multi-stage execution chain, evasive infrastructure, and ability to intercept credentials and 2FA codes make it one of the most dangerous PhaaS frameworks seen this year. Why Salty2FA Raises the Stakes for Enterprises Salty2FA's ability to bypass push, SMS, and voice-based 2FA means stolen credentials can lead directly to account takeover. Already aimed at finance, energy, and telecom sectors, the kit turns common phishing emails into high-impact breaches.  Who is Being Targeted? ANY.RUN analysts mapped Salty2FA campaigns and fo...

SAP on Tuesday released security updates to address multiple security flaws, including three critical vulnerabilities in SAP Netweaver that could result in code execution and the upload arbitrary files. The vulnerabilities are listed below - CVE-2025-42944 (CVSS score: 10.0) - A deserialization vulnerability in SAP NetWeaver that could allow an unauthenticated attacker to submit a malicious payload to an open port through the RMI-P4 module , resulting in operating system command execution CVE-2025-42922 (CVSS score: 9.9) - An insecure file operations vulnerability in SAP NetWeaver AS Java that could allow an attacker authenticated as a non-administrative user to upload an arbitrary file CVE-2025-42958 (CVSS score: 9.1) - A missing authentication check vulnerability in the SAP NetWeaver application on IBM i-series that could allow highly privileged unauthorized users to read, modify, or delete sensitive information, as well as access administrative or privileged functionaliti...

⚠️ One click is all it takes. An engineer spins up an "experimental" AI Agent to test a workflow. A business unit connects to automate reporting. A cloud platform quietly enables a new agent behind the scenes. Individually, they look harmless. But together, they form an invisible swarm of Shadow AI Agents—operating outside security's line of sight, tied to identities you don't even know exist. And here's the uncomfortable truth: every one of them carries infinite risk. Agents impersonating trusted users. Non-human identities with access you didn't approve. Data leaking across boundaries you thought were locked down. This isn't a futuristic threat. It's happening today, across enterprises everywhere. And they're multiplying faster than your governance can catch up. That's why you can't miss our upcoming panel: Shadow AI Agents Exposed. Secure your seat now - Register Here . Why Shadow AI is Exploding From identity providers to PaaS platforms, it takes almost nothing to spin...

It's budget season. Once again, security is being questioned, scrutinized, or deprioritized. If you're a CISO or security leader, you've likely found yourself explaining why your program matters, why a given tool or headcount is essential, and how the next breach is one blind spot away. But these arguments often fall short unless they're framed in a way the board can understand and appreciate. According to a Gartner analysis , 88% of Boards see cybersecurity as a business risk, rather than an IT issue, yet many security leaders still struggle to raise the profile of cybersecurity within the organization. For security issues to resonate amongst the Board you need to speak its language: business continuity, compliance, and cost impact. Below are some strategies to help you frame the conversation, transforming the technical and complex into clear business directives.  Recognize the High Stakes Cyber threats continue to evolve, from ransomware and supply chain attacks to ...

Salesloft has revealed that the data breach linked to its Drift application started with the compromise of its GitHub account. Google-owned Mandiant, which began an investigation into the incident, said the threat actor, tracked as UNC6395, accessed the Salesloft GitHub account from March through June 2025. It's currently not known how the digital intruders gained access to the GitHub account. So far, 22 companies have confirmed they were impacted by a supply chain breach. "With this access, the threat actor was able to download content from multiple repositories, add a guest user, and establish workflows," Salesloft said in an updated advisory. The investigation also uncovered reconnaissance activities occurring between March 2025 and June 2025 in the Salesloft and Drift application environments. However, it emphasized there is no evidence of any activity beyond limited reconnaissance. In the next phase, the attackers accessed Drift's Amazon Web Services (AWS)...

Cybersecurity never slows down. Every week brings new threats, new vulnerabilities, and new lessons for defenders. For security and IT teams, the challenge is not just keeping up with the news—it's knowing which risks matter most right now. That's what this digest is here for: a clear, simple briefing to help you focus where it counts. This week, one story stands out above the rest: the Salesloft–Drift breach, where attackers stole OAuth tokens and accessed Salesforce data from some of the biggest names in tech. It's a sharp reminder of how fragile integrations can become the weak link in enterprise defenses. Alongside this, we'll also walk through several high-risk CVEs under active exploitation, the latest moves by advanced threat actors, and fresh insights on making security workflows smarter, not noisier. Each section is designed to give you the essentials—enough to stay informed and prepared, without getting lost in the noise. ⚡ Threat of the Week Salesloft to Take Drift Of...

A threat actor possibly of Russian origin has been attributed to a new set of attacks targeting the energy sector in Kazakhstan. The activity, codenamed Operation BarrelFire, is tied to a new threat group tracked by Seqrite Labs as Noisy Bear. The threat actor has been active since at least April 2025. "The campaign is targeted towards employees of KazMunaiGas or KMG where the threat entity delivered a fake document related to the KMG IT department, mimicking official internal communication and leveraging themes such as policy updates, internal certification procedures, and salary adjustments," security researcher Subhajeet Singha said . The infection chain begins with a phishing email containing a ZIP attachment, which includes a Windows shortcut (LNK) downloader, a decoy document related to KazMunaiGas, and a README.txt file with instructions written in both Russian and Kazakh to run a program named "KazMunayGaz_Viewer." The email, per the cybersecurity compa...

Federal Civilian Executive Branch (FCEB) agencies are being advised to update their Sitecore instances by September 25, 2025, following the discovery of a security flaw that has come under active exploitation in the wild. The vulnerability , tracked as CVE-2025-53690 , carries a CVSS score of 9.0 out of a maximum of 10.0, indicating critical severity. "Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said . "This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution." Google-owned Mandiant, which discovered the active ViewState deserialization attack, said the activity leveraged a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier. The threat intelligence team ...

The threat actor behind the malware-as-a-service (MaaS) framework and loader called CastleLoader has also developed a remote access trojan known as CastleRAT . "Available in both Python and C variants, CastleRAT's core functionality consists of collecting system information, downloading and executing additional payloads, and executing commands via CMD and PowerShell," Recorded Future Insikt Group said . The cybersecurity company is tracking the threat actor behind the malware families as TAG-150. Believed to be active since at least March 2025, CastleLoader et al are seen as initial access vectors for a wide range of secondary payloads, including remote access trojans, information stealers, and even other loaders. CastleLoader (aka CastleBot) was first documented by Swiss cybersecurity company PRODAFT in July 2025, as having been put to use in various campaigns distributing DeerStealer, RedLine, StealC, NetSupport RAT, SectopRAT, and Hijack Loader. A subsequent anal...

A critical security vulnerability impacting SAP S/4HANA, an Enterprise Resource Planning (ERP) software, has come under active exploitation in the wild. The command injection vulnerability, tracked as CVE-2025-42957 (CVSS score: 9.9), was fixed by SAP as part of its monthly updates last month. "SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC," according to a description of the flaw in the NIST National Vulnerability Database (NVD). "This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. Successful exploration of the defect could result in a full system compromise of the SAP environment, subverting the confidentiality, integrity, and availability of the system. In short, it can permit attackers to modify the SAP database, create superuser accounts with SAP_ALL privileges, download password hashes, and alter business processes. SecurityBri...

Cybersecurity researchers have lifted the lid on a previously undocumented threat cluster dubbed GhostRedirector that has managed to compromise at least 65 Windows servers primarily located in Brazil, Thailand, and Vietnam. The attacks, per Slovak cybersecurity company ESET, led to the deployment of a passive C++ backdoor called Rungan and a native Internet Information Services (IIS) module codenamed Gamshen. The threat actor is believed to be active since at least August 2024. "While Rungan has the capability of executing commands on a compromised server, the purpose of Gamshen is to provide SEO fraud as-a-service, i.e., to manipulate search engine results, boosting the page ranking of a configured target website," ESET researcher Fernando Tavella said in a report shared with The Hacker News. "Even though Gamshen only modifies the response when the request comes from Googlebot – i.e., it does not serve malicious content or otherwise affect regular visitors of the ...

Cybersecurity researchers have flagged a new technique that cybercriminals have adopted to bypass social media platform X's malvertising protections and propagate malicious links using its artificial intelligence (AI) assistant Grok. The findings were highlighted by Nati Tal, head of Guardio Labs, in a series of posts on X. The technique has been codenamed Grokking. The approach is designed to get around restrictions imposed by X in Promoted Ads that allow users to only include text, images, or videos, and subsequently amplify them to a broader audience, attracting hundreds of thousands of impressions through paid promotion. To achieve this, malvertisers have been found to run video card-promoted posts with adult content as bait, with the spurious link hidden in the "From:" metadata field below the video player by taking advantage of the fact that it's not scanned by the social media platform. It's worth mentioning here that the "From:" field is t...

Threat actors are attempting to leverage a newly released artificial intelligence (AI) offensive security tool called HexStrike AI to exploit recently disclosed security flaws. HexStrike AI, according to its website , is pitched as an AI‑driven security platform to automate reconnaissance and vulnerability discovery with an aim to accelerate authorized red teaming operations, bug bounty hunting, and capture the flag (CTF) challenges. Per information shared on its GitHub repository, the open-source platform integrates with over 150 security tools to facilitate network reconnaissance, web application security testing, reverse engineering, and cloud security. It also supports dozens of specialized AI agents that are fine-tuned for vulnerability intelligence, exploit development, attack chain discovery, and error handling. But according to a report from Check Point, threat actors are trying their hands on the tool to gain an adversarial advantage, attempting to weaponize the tool to ...

In January 2025, cybersecurity experts at Wiz Research found that Chinese AI specialist DeepSeek had suffered a data leak, putting more than 1 million sensitive log streams at risk. According to the Wiz Research team, they identified a publicly accessible ClickHouse database belonging to DeepSeek. This allowed "full control over database operations, including the ability to access internal data", Wiz Research stated, with more than a million lines of log streams involved, containing chat history, secret keys and more. Wiz immediately reported the issue to DeepSeek, which quickly secured the exposure. Still, the incident underscored the danger of data leakage. Intentional or unintentional? Data leakage is a broad concept, covering a range of scenarios. As IBM notes, the term in general refers to a scenario where "sensitive information is unintentionally exposed to unauthorized parties" .  It could be intentional or unintentional. On the intentional side...

Google has shipped security updates to address 120 security flaws in its Android operating system as part of its monthly fixes for September 2025, including two issues that it said have been exploited in targeted attacks. The vulnerabilities are listed below - CVE-2025-38352 (CVSS score: 7.4) - A privilege escalation flaw in the Linux Kernel component  CVE-2025-48543 (CVSS score: N/A) - A privilege escalation flaw in the Android Runtime component Google said both vulnerabilities could lead to local escalation of privilege with no additional execution privileges needed. It also noted that no user interaction is required for exploitation. The tech giant did not reveal how the issues have been weaponized in real-world attacks and if they are being put to use in tandem, but acknowledged there are indications of "limited, targeted exploitation." Benoît Sevens of Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the upstream Lin...

An Iran-nexus group has been linked to a "coordinated" and "multi-wave" spear-phishing campaign targeting the embassies and consulates in Europe and other regions across the world. The activity has been attributed by Israeli cybersecurity company Dream to Iranian-aligned operators connected to broader offensive cyber activity undertaken by a group known as Homeland Justice . "Emails were sent to multiple government recipients worldwide, disguising legitimate diplomatic communication," the company said . "Evidence points toward a broader regional espionage effort aimed at diplomatic and governmental entities during a time of heightened geopolitical tension." The attack chains involve the use of spear-phishing emails with themes related to geopolitical tensions between Iran and Israel to send a malicious Microsoft Word that, when opened, urges recipients to "Enable Content" in order to execute an embedded Visual Basic for Application...