Microsoft Uncovers New XCSSET macOS Malware Variant with Advanced Obfuscation Tactics

Microsoft said it has discovered a new variant of a known Apple macOS malware called XCSSET as part of limited attacks in the wild. "Its first known variant since 2022, this latest XCSSET malware features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies,"...

South Korea Suspends DeepSeek AI Downloads Over Privacy Violations

South Korea has formally suspended new downloads of Chinese artificial intelligence AI chatbot DeepSeek in the country until the service makes changes to its mobile apps to comply with data protection regulations. Downloads have been paused as of February 15, 2025, 6:00 p.m. local time, the...

CISO's Expert Guide To CTEM And Why It Matters

Cyber threats evolve—has your defense strategy kept up? A new free guide available here explains why Continuous Threat Exposure Management CTEM is the smart approach for proactive cybersecurity. This concise report makes a clear business case for why CTEM's comprehensive approach is the best...

⚡ THN Weekly Recap: Google Secrets Stolen, Windows Hack, New Crypto Scams and More

Welcome to this week's Cybersecurity News Recap. Discover how cyber attackers are using clever tricks like fake codes and sneaky emails to gain access to sensitive data. We cover everything from device code phishing to cloud exploits, breaking down the technical details into simple, easy-to-follo...

New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations

Cybersecurity researchers have shed light on a new Golang-based backdoor that uses Telegram as a mechanism for command-and-control C2 communications. Netskope Threat Labs, which detailed the functions of the malware, described it as possibly of Russian origin. "The malware is compiled in Golang a...

Android's New Feature Blocks Fraudsters from Sideloading Apps During Calls

Google is working on a new security feature for Android that blocks device owners from changing sensitive settings when a phone call is in progress. Specifically, the in-call anti-scammer protections include preventing users from turning on settings to install apps from unknown sources and granti...

New "whoAMI" Attack Exploits AWS AMI Name Confusion for Remote Code Execution

Cybersecurity researchers have disclosed a new type of name confusion attack called whoAMI that allows anyone who publishes an Amazon Machine Image AMI with a specific name to gain code execution within the Amazon Web Services AWS account. "If executed at scale, this attack could be used to gain...

Lazarus Group Deploys Marstech1 JavaScript Implant in Targeted Developer Attacks

The North Korean threat actor known as the Lazarus Group has been linked to a previously undocumented JavaScript implant named Marstech1 as part of limited targeted attacks against developers. The active operation has been dubbed Marstech Mayhem by SecurityScorecard, with the malware delivered by...

AI-Powered Social Engineering: Ancillary Tools and Techniques

Social engineering is advancing fast, at the speed of generative AI. This is offering bad actors multiple new tools and techniques for researching, scoping, and exploiting organizations. In a recent communication, the FBI pointed out: 'As technology continues to evolve, so do cybercriminals'...

Microsoft: Russian-Linked Hackers Using 'Device Code Phishing' to Hijack Accounts

Microsoft is calling attention to an emerging threat cluster it calls Storm-2372 that has been attributed to a new set of cyber attacks aimed at a variety of sectors since August 2024. The attacks have targeted government, non-governmental organizations NGOs, information technology IT services an...

RansomHub Becomes 2024's Top Ransomware Group, Hitting 600+ Organizations Globally

The threat actors behind the RansomHub ransomware-as-a-service RaaS scheme have been observed leveraging now-patched security flaws in Microsoft Active Directory and the Netlogon protocol to escalate privileges and gain unauthorized access to a victim network's domain controller as part of their...

PostgreSQL Vulnerability Exploited Alongside BeyondTrust Zero-Day in Targeted Attacks

Threat actors who were behind the exploitation of a zero-day vulnerability in BeyondTrust Privileged Remote Access PRA and Remote Support RS products in December 2024 likely also exploited a previously unknown SQL injection flaw in PostgreSQL, according to findings from Rapid7. The vulnerability,...

Hackers Use CAPTCHA Trick on Webflow CDN PDFs to Bypass Security Scanners

A widespread phishing campaign has been observed leveraging bogus PDF documents hosted on the Webflow content delivery network CDN with an aim to steal credit card information and commit financial fraud. "The attacker targets victims searching for documents on search engines, resulting in access ...

North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks

A nation-state threat actor with ties to North Korea has been linked to an ongoing campaign targeting South Korean business, government, and cryptocurrency sectors. The attack campaign, dubbed DEEPDRIVE by Securonix, has been attributed to a hacking group known as Kimsuky, which is also tracked...

Fast Deployments, Secure Code: Watch this Learn to Sync Dev and Sec Teams

Ever felt like your team is stuck in a constant battle? Developers rush to add new features, while security folks worry about vulnerabilities. What if you could bring both sides together without sacrificing one for the other? We invite you to our upcoming webinar, "Opening the Fast Lane for Secur...

RA World Ransomware Attack in South Asia Links to Chinese Espionage Toolset

An RA World ransomware attack in November 2024 targeting an unnamed Asian software and services company involved the use of a malicious tool exclusively used by China-based cyber espionage groups, raising the possibility that the threat actor may be moonlighting as a ransomware player in an...

AI and Security - A New Puzzle to Figure Out

AI is everywhere now, transforming how businesses operate and how users engage with apps, devices, and services. A lot of applications now have some Artificial Intelligence inside, whether supporting a chat interface, intelligently analyzing data or matching user preferences. No question AI...

Palo Alto Networks Patches Authentication Bypass Exploit in PAN-OS Software

Palo Alto Networks has addressed a high-severity security flaw in its PAN-OS software that could result in an authentication bypass. The vulnerability, tracked as CVE-2025-0108 , carries a CVSS score of 7.8 out of 10.0. The score, however, drops to 5.1 if access to the management interface is...

FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux

Threat hunters have shed light on a new campaign targeting the foreign ministry of an unnamed South American nation with bespoke malware capable of granting remote access to infected hosts. The activity, detected in November 2024, has been attributed by Elastic Security Labs to a threat cluster i...

Microsoft Uncovers Sandworm Subgroup's Global Cyber Attacks Spanning 15+ Countries

A subgroup within the infamous Russian state-sponsored hacking group known as Sandworm has been attributed to a multi-year initial access operation dubbed BadPilot that stretched across the globe. "This subgroup has conducted globally diverse compromises of Internet-facing infrastructure to enabl...

Researchers Find New Exploit Bypassing Patched NVIDIA Container Toolkit Vulnerability

Cybersecurity researchers have discovered a bypass for a now-patched security vulnerability in the NVIDIA Container Toolkit that could be exploited to break out of a container's isolation protections and gain complete access to the underlying host. The new vulnerability is being tracked as...

How to Steer AI Adoption: A CISO Guide

CISOs are finding themselves more involved in AI teams, often leading the cross-functional effort and AI strategy. But there aren't many resources to guide them on what their role should look like or what they should bring to these meetings. We've pulled together a framework for security leaders ...

North Korean Hackers Exploit PowerShell Trick to Hijack Devices in New Cyberattack

The North Korea-linked threat actor known as Kimsuky has been observed using a new tactic that involves deceiving targets into running PowerShell as an administrator and then instructing them to paste and run malicious code provided by them. "To execute this tactic, the threat actor masquerades a...

Microsoft's Patch Tuesday Fixes 63 Flaws, Including Two Under Active Exploitation

Microsoft on Tuesday released fixes for 63 security flaws impacting its software products, including two vulnerabilities that it said has come under active exploitation in the wild. Of the 63 vulnerabilities, three are rated Critical, 57 are rated Important, one is rated Moderate, and two are rat...

Ivanti Patches Critical Flaws in Connect Secure and Policy Secure – Update Now

Ivanti has released security updates to address multiple security flaws impacting Connect Secure ICS, Policy Secure IPS, and Cloud Services Application CSA that could be exploited to achieve arbitrary code execution. The list of vulnerabilities is below - CVE-2024-38657 CVSS score: 9.1 - External...

Google Confirms Android SafetyCore Enables AI-Powered On-Device Content Classification

Google has stepped in to clarify that a newly introduced Android System SafetyCore app does not perform any client-side scanning of content. "Android provides many on-device protections that safeguard users against threats like malware, messaging spam and abuse protections, and phone scam...

4 Ways to Keep MFA From Becoming too Much of a Good Thing

Multi-factor authentication MFA has quickly become the standard for securing business accounts. Once a niche security measure, adoption is on the rise across industries. But while it's undeniably effective at keeping bad actors out, the implementation of MFA solutions can be a tangled mess of...

Progress Software Patches High-Severity LoadMaster Flaws Affecting Multiple Versions

Progress Software has addressed multiple high-severity security flaws in its LoadMaster software that could be exploited by malicious actors to execute arbitrary system commands or download any file from the system. Kemp LoadMaster is a high-performance application delivery controller ADC and loa...

Gcore DDoS Radar Reveals 56% YoY Increase in DDoS Attacks

Gcore's latest DDoS Radar report analyzes attack data from Q3–Q4 2024, revealing a 56% YoY rise in the total number of DDoS attacks with the largest attack peaking at a record 2 Tbps. The financial services sector saw the most dramatic increase, with a 117% rise in attacks, while gaming remained...

Apple Patches Actively Exploited iOS Zero-Day CVE-2025-24200 in Emergency Update

Apple on Monday released out-of-band security updates to address a security flaw in iOS and iPadOS that it said has been exploited in the wild. Assigned the CVE identifier CVE-2025-24200 CVSS score: 4.6, the vulnerability has been described as an authorization issue that could make it possible fo...

Protecting Your Software Supply Chain: Assessing the Risks Before Deployment

Imagine you're considering a new car for your family. Before making a purchase, you evaluate its safety ratings, fuel efficiency, and reliability. You might even take it for a test drive to ensure it meets your needs. The same approach should be applied to software and hardware products before...

Threat Actors Exploit ClickFix to Deploy NetSupport RAT in Latest Cyber Attacks

Threat actors have observed the increasingly common ClickFix technique to deliver a remote access trojan named NetSupport RAT since early January 2025. NetSupport RAT, typically propagated via bogus websites and fake browser updates, grants attackers full control over the victim's host, allowing...

FBI, Europol, and NCA Take Down 8Base Ransomware Data Leak and Negotiation Sites

--- Source: The Nation A coordinated law enforcement operation has taken down the dark web data leak and negotiation sites associated with the 8Base ransomware gang. Visitors to the data leak site are now greeted with a seizure banner that says: "This hidden site and the criminal content have bee...

Hackers Exploit Google Tag Manager to Deploy Credit Card Skimmers on Magento Stores

Threat actors have been observed leveraging Google Tag Manager GTM to deliver credit card skimmer malware targeting Magento-based e-commerce websites. Website security company Sucuri said the code, while appearing to be a typical GTM and Google Analytics script used for website analytics and...

⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [10 February]

In cybersecurity, the smallest crack can lead to the biggest breaches. A leaked encryption key, an unpatched software bug, or an abandoned cloud storage bucket—each one seems minor until it becomes the entry point for an attack. This week, we've seen cybercriminals turn overlooked weaknesses into...

Don't Overlook These 6 Critical Okta Security Configurations

Given Okta's role as a critical part of identity infrastructure, strengthening Okta security is essential. This article covers six key Okta security settings that provide a strong starting point, along with recommendations for implementing continuous monitoring of your Okta security posture. With...

DragonRank Exploits IIS Servers with BadIIS Malware for SEO Fraud and Gambling Redirects

Threat actors have been observed targeting Internet Information Services IIS servers in Asia as part of a search engine optimization SEO manipulation campaign designed to install BadIIS malware. "It is likely that the campaign is financially motivated since redirecting users to illegal gambling...

Zimbra Releases Security Updates for SQL Injection, Stored XSS, and SSRF Vulnerabilities

Zimbra has released software updates to address critical security flaws in its Collaboration software that, if successfully exploited, could result in information disclosure under certain conditions. The vulnerability, tracked as CVE-2025-25064, carries a CVSS score of 9.8 out of a maximum of 10....

XE Hacker Group Exploits VeraCore Zero-Day to Deploy Persistent Web Shells

Threat actors have been observed exploiting multiple security flaws in various software products, including Progress Telerik UI for ASP.NET AJAX and Advantive VeraCore, to drop reverse shells and web shells, and maintain persistent remote access to compromised systems. The zero-day exploitation o...

Malicious ML Models on Hugging Face Leverage Broken Pickle Format to Evade Detection

Cybersecurity researchers have uncovered two malicious machine learning ML models on Hugging Face that leveraged an unusual technique of "broken" pickle files to evade detection. "The pickle files extracted from the mentioned PyTorch archives revealed the malicious Python content at the beginning...

DeepSeek App Transmits Sensitive User and Device Data Without Encryption

A new audit of DeepSeek's mobile app for the Apple iOS operating system has found glaring security issues, the foremost being that it sends sensitive data over the internet sans any encryption, exposing it to interception and manipulation attacks. The assessment comes from NowSecure, which also...

CISA Warns of Active Exploits Targeting Trimble Cityworks Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency CISA has warned that a security flaw impacting Trimble Cityworks GIS-centric asset management software has come under active exploitation in the wild. The vulnerability in question is CVE-2025-0994 CVSS v4 score: 8.6, a deserialization of...

AI-Powered Social Engineering: Reinvented Threats

The foundations for social engineering attacks – manipulating humans – might not have changed much over the years. It's the vectors – how these techniques are deployed – that are evolving. And like most industries these days, AI is accelerating its evolution. This article explores how these chang...

Microsoft Identifies 3,000 Leaked ASP.NET Keys Enabling Code Injection Attacks

Microsoft is warning of an insecure practice wherein software developers are incorporating publicly disclosed ASP.NET machine keys from publicly accessible resources, thereby putting their applications in attackers' pathway. The tech giant's threat intelligence team said it observed limited...

India's RBI Introduces Exclusive "bank.in" Domain to Combat Digital Banking Fraud

India's central bank, the Reserve Bank of India RBI, said it's introducing an exclusive "bank.in" internet domain for banks in the country to combat digital financial fraud. "This initiative aims to reduce cyber security threats and malicious activities like phishing; and, streamline secure...

Hackers Exploiting SimpleHelp RMM Flaws for Persistent Access and Ransomware

Threat actors have been observed exploiting recently disclosed security flaws in SimpleHelp's Remote Monitoring and Management RMM software as a precursor for what appears to be a ransomware attack. The intrusion leveraged the now-patched vulnerabilities to gain initial access and maintain...

Fake Google Chrome Sites Distribute ValleyRAT Malware via DLL Hijacking

Bogus websites advertising Google Chrome have been used to distribute malicious installers for a remote access trojan called ValleyRAT. The malware, first detected in 2023, is attributed to a threat actor tracked as Silver Fox, with prior attack campaigns primarily targeting Chinese-speaking...

Ransomware Extortion Drops to $813.5M in 2024, Down from $1.25B in 2023

Ransomware attacks netted cybercrime groups a total of $813.5 million in 2024, a decline from $1.25 billion in 2023. The total amount extorted during the first half of 2024 stood at $459.8 million, blockchain intelligence firm Chainalysis said, adding payment activity slumped after July 2024 by...

SparkCat Malware Uses OCR to Extract Crypto Wallet Recovery Phrases from Images

A new malware campaign dubbed SparkCat has leveraged a suit of bogus apps on both Apple's and Google's respective app stores to steal victims' mnemonic phrases associated with cryptocurrency wallets. The attacks leverage an optical character recognition OCR model to exfiltrate select images...

The Evolving Role of PAM in Cybersecurity Leadership Agendas for 2025

Privileged Access Management PAM has emerged as a cornerstone of modern cybersecurity strategies, shifting from a technical necessity to a critical pillar in leadership agendas. With the PAM market projected to reach $42.96 billion by 2037 according to Research Nester, organizations invest heavil...