Posts

Showing posts from September, 2025

The Hacker News - Chinese APT Deploys EggStreme Fileless Malware to Breach Philippine Military Systems

An advanced persistent threat (APT) group from China has been attributed to the compromise of a Philippines-based military company using a previously undocumented fileless malware framework called EggStreme. "This multi-stage toolset achieves persistent, low-profile espionage by injecting malicious code directly into memory and leveraging DLL sideloading to execute payloads," Bitdefender from The Hacker News https://thehackernews.com/2025/09/chinese-apt-deploys-eggstreme-fileless.html

Black Hills InfoSec - Microsoft Store and WinGet: Security Risks for Corporate Environments

The Microsoft Store provides a convenient mechanism to install software without needing administrator permissions. The feature is convenient for non-corporate and home users but is unlikely to be acceptable in corporate environments. This is because attackers and malicious employees can use the Microsoft Store to install software that might violate organizational policy. The post Microsoft Store and WinGet: Security Risks for Corporate Environments appeared first on Black Hills Information Security, Inc. from Black Hills Information Security, Inc. https://www.blackhillsinfosec.com/microsoft-store-and-winget-security-risks/

The Hacker News - CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems

Cybersecurity researchers have discovered two new malware families, including a modular Apple macOS backdoor called CHILLYHELL and a Go-based remote access trojan (RAT) named ZynorRAT that can target both Windows and Linux systems. According to an analysis from Jamf Threat Labs, ChillyHell is written in C++ and is developed for Intel architectures. CHILLYHELL is the name assigned to a malware from The Hacker News https://thehackernews.com/2025/09/chillyhell-macos-backdoor-and-zynorrat.html

The Hacker News - Microsoft Fixes 80 Flaws — Including SMB PrivEsc and Azure CVSS 10.0 Bugs

Microsoft on Tuesday addressed a set of 80 security flaws in its software, including one vulnerability that has been disclosed as publicly known at the time of release. Of the 80 vulnerabilities, eight are rated Critical and 72 are rated Important in severity. None of the shortcomings has been exploited in the wild as a zero-day. Like last month, 38 of the disclosed flaws are related to from The Hacker News https://thehackernews.com/2025/09/microsoft-fixes-80-flaws-including-smb.html

The Hacker News - Apple iPhone Air and iPhone 17 Feature A19 Chips With Spyware-Resistant Memory Safety

Apple on Tuesday revealed a new security feature called Memory Integrity Enforcement (MIE) that's built into its newly introduced iPhone models, including iPhone 17 and iPhone Air. MIE, per the tech giant, offers "always-on memory safety protection" across critical attack surfaces such as the kernel and over 70 userland processes without sacrificing device performance by designing its A19 and from The Hacker News https://thehackernews.com/2025/09/apple-iphone-air-and-iphone-17-feature.html

The Hacker News - The Time-Saving Guide for Service Providers: Automating vCISO and Compliance Services

Introduction Managed service providers (MSPs) and managed security service providers (MSSPs) are under increasing pressure to deliver strong cybersecurity outcomes in a landscape marked by rising threats and evolving compliance requirements. At the same time, clients want better protection without managing cybersecurity themselves. Service providers must balance these growing demands with the from The Hacker News https://thehackernews.com/2025/09/the-time-saving-guide-for-service.html

The Hacker News - Watch Out for Salty2FA: New Phishing Kit Targeting US and EU Enterprises

Phishing-as-a-Service (PhaaS) platforms keep evolving, giving attackers faster and cheaper ways to break into corporate accounts. Now, researchers at ANY.RUN have uncovered a new entrant: Salty2FA, a phishing kit designed to bypass multiple two-factor authentication methods and slip past traditional defenses. Already spotted in campaigns across the US and EU, Salty2FA puts enterprises at from The Hacker News https://thehackernews.com/2025/09/watch-out-for-salty2fa-new-phishing-kit.html

The Hacker News - RatOn Android Malware Detected With NFC Relay and ATS Banking Fraud Capabilities

A new Android malware called RatOn evolved from a basic tool capable of conducting Near Field Communication (NFC) attacks to a sophisticated remote access trojan with Automated Transfer System (ATS) capabilities to conduct device fraud. "RatOn merges traditional overlay attacks with automatic money transfers and NFC relay functionality – making it a uniquely powerful threat," the Dutch mobile from The Hacker News https://thehackernews.com/2025/09/raton-android-malware-detected-with-nfc.html

Schneier - New Cryptanalysis of the Fiat-Shamir Protocol

A couple of months ago, a new paper demonstrated some new attacks against the Fiat-Shamir transformation. Quanta published a good article that explains the results. This is a pretty exciting paper from a theoretical perspective, but I don’t see it leading to any practical real-world cryptanalysis. The fact that there are some weird circumstances that result in Fiat-Shamir insecurities isn’t new—many dozens of papers have been published about it since 1986. What this new result does is extend this known problem to slightly less weird (but still highly contrived) situations. But it’s a completely different matter to extend these sorts of attacks to “natural” situations. What this result does, though, is make it impossible to provide general proofs of security for Fiat-Shamir. It is the most interesting result in this research area, and demonstrates that we are still far away from fully understanding what is the exact security guarantee provided by the Fiat-Shamir transform. from ...

The Hacker News - From MostereRAT to ClickFix: New Malware Campaigns Highlight Rising AI and Phishing Risks

Cybersecurity researchers have disclosed details of a phishing campaign that delivers a stealthy banking malware-turned-remote access trojan called MostereRAT. The phishing attack incorporates a number of advanced evasion techniques to gain complete control over compromised systems, siphon sensitive data, and extend its functionality by serving secondary plugins, Fortinet FortiGuard Labs said. " from The Hacker News https://thehackernews.com/2025/09/from-mostererat-to-clickfix-new-malware.html

The Hacker News - [Webinar] Shadow AI Agents Multiply Fast — Learn How to Detect and Control Them

⚠️ One click is all it takes. An engineer spins up an “experimental” AI Agent to test a workflow. A business unit connects to automate reporting. A cloud platform quietly enables a new agent behind the scenes. Individually, they look harmless. But together, they form an invisible swarm of Shadow AI Agents—operating outside security’s line of sight, tied to identities you don’t even know exist. from The Hacker News https://thehackernews.com/2025/09/webinar-shadow-ai-agents-multiply-fast.html

The Hacker News - How Leading CISOs are Getting Budget Approval

It’s budget season. Once again, security is being questioned, scrutinized, or deprioritized. If you're a CISO or security leader, you've likely found yourself explaining why your program matters, why a given tool or headcount is essential, and how the next breach is one blind spot away. But these arguments often fall short unless they're framed in a way the board can understand and appreciate. from The Hacker News https://thehackernews.com/2025/09/how-leading-cisos-are-getting-budget.html

The Hacker News - 20 Popular npm Packages With 2 Billion Weekly Downloads Compromised in Supply Chain Attack

Multiple npm packages have been compromised as part of a software supply chain attack after a maintainer's account was compromised in a phishing attack. The attack targeted Josh Junon (aka Qix), who received an email message that mimicked npm ("support@npmjs[.]help"), urging them to update their two-factor authentication (2FA) credentials before September 10, 2025, by clicking on from The Hacker News https://thehackernews.com/2025/09/20-popular-npm-packages-with-2-billion.html

The Hacker News - GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies

Salesloft has revealed that the data breach linked to its Drift application started with the compromise of its GitHub account. Google-owned Mandiant, which began an investigation into the incident, said the threat actor, tracked as UNC6395, accessed the Salesloft GitHub account from March through June 2025. So far, 22 companies have confirmed they were impacted by a supply chain breach. "With from The Hacker News https://thehackernews.com/2025/09/github-account-compromise-led-to.html

The Hacker News - GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms

Cybersecurity researchers have detailed a new sophisticated malware campaign that leverages paid ads on search engines like Google to deliver malware to unsuspecting users looking for popular tools like GitHub Desktop. While malvertising campaigns have become commonplace in recent years, the latest activity gives it a little twist of its own: Embedding a GitHub commit into a page URL containing from The Hacker News https://thehackernews.com/2025/09/gpugate-malware-uses-google-ads-and.html

Schneier - AI in Government

Just a few months after Elon Musk’s retreat from his unofficial role leading the Department of Government Efficiency (DOGE), we have a clearer picture of his vision of government powered by artificial intelligence, and it has a lot more to do with consolidating power than benefitting the public. Even so, we must not lose sight of the fact that a different administration could wield the same technology to advance a more positive future for AI in government. To most on the American left, the DOGE end game is a dystopic vision of a government run by machines that benefits an elite few at the expense of the people. It includes AI rewriting government rules on a massive scale, salary-free bots replacing human functions and nonpartisan civil service forced to adopt an alarmingly racist and antisemitic Grok AI chatbot built by Musk in his own image. And yet despite Musk’s proclamations about driving efficiency, little cost savings have materialized and few successful examples of automat...

The Hacker News - ⚡ Weekly Recap: Drift Breach Chaos, Zero-Days Active, Patch Warnings, Smarter Threats & More

Cybersecurity never slows down. Every week brings new threats, new vulnerabilities, and new lessons for defenders. For security and IT teams, the challenge is not just keeping up with the news—it’s knowing which risks matter most right now. That’s what this digest is here for: a clear, simple briefing to help you focus where it counts. This week, one story stands out above the rest: the from The Hacker News https://thehackernews.com/2025/09/weekly-recap-drift-breach-chaos-zero.html

The Hacker News - You Didn’t Get Phished — You Onboarded the Attacker

When Attackers Get Hired: Today’s New Identity Crisis. What if the star engineer you just hired isn’t actually an employee, but an attacker in disguise? This isn’t phishing; it’s infiltration by onboarding. Meet “Jordan from Colorado,” who has a strong resume, convincing references, a clean background check, even a digital footprint that checks out. On day one, Jordan logs into email and attends from The Hacker News https://thehackernews.com/2025/09/you-didnt-get-phished-you-onboarded.html

The Hacker News - Noisy Bear Targets Kazakhstan Energy Sector With BarrelFire Phishing Campaign

A threat actor possibly of Russian origin has been attributed to a new set of attacks targeting the energy sector in Kazakhstan. The activity, codenamed Operation BarrelFire, is tied to a new threat group tracked by Seqrite Labs as Noisy Bear. The threat actor has been active since at least April 2025. "The campaign is targeted towards employees of KazMunaiGas or KMG where the threat entity from The Hacker News https://thehackernews.com/2025/09/noisy-bear-targets-kazakhstan-energy.html

Schneier - My Latest Book: Rewiring Democracy

I am pleased to announce the imminent publication of my latest book, Rewiring Democracy: How AI will Transform our Politics, Government, and Citizenship, coauthored with Nathan Sanders, and published by MIT Press on October 21. Rewiring Democracy looks beyond common tropes like deepfakes to examine how AI technologies will affect democracy in five broad areas: politics, legislating, administration, the judiciary, and citizenship. There is a lot to unpack here, both positive and negative. We do talk about AI’s possible role in both democratic backsliding or restoring democracies, but the fundamental focus of the book is on present and future uses of AIs within functioning democracies. (And there is a lot going on, in both national and local governments around the world.) And, yes, we talk about AI-driven propaganda and artificial conversation. Some of what we write about is happening now, but much of what we write about is speculation. In general, we take an optimistic view of AI’...

KnowBe4 - Advanced Educational Competition – Ask Your Employees To Submit Their Best Phishing

I occasionally get human risk management (HRM) administrators asking me to help them with ideas of “contests” to better educate their end-users. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/advanced-educational-competition-ask-your-employees-to-submit-their-best-phishing

The Hacker News - CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation

Federal Civilian Executive Branch (FCEB) agencies are being advised to update their Sitecore instances by September 25, 2025, following the discovery of a security flaw that has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-53690, carries a CVSS score of 9.0 out of a maximum of 10.0, indicating critical severity. "Sitecore Experience Manager (XM), Experience from The Hacker News https://thehackernews.com/2025/09/cisa-orders-immediate-patch-of-critical.html

KnowBe4 - Warning: New Spear Phishing Campaign Targets Executives

Researchers at Stripe warn of a wave of spear phishing attacks targeting C-suite employees and senior leadership across a wide range of industries. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/warning-new-spear-phishing-campaign-targets-executives

The Hacker News - TAG-150 Develops CastleRAT in Python and C, Expanding CastleLoader Malware Operations

The threat actor behind the malware-as-a-service (MaaS) framework and loader called CastleLoader has also developed a remote access trojan known as CastleRAT. "Available in both Python and C variants, CastleRAT's core functionality consists of collecting system information, downloading and executing additional payloads, and executing commands via CMD and PowerShell," Recorded Future Insikt Group from The Hacker News https://thehackernews.com/2025/09/tag-150-develops-castlerat-in-python.html

The Hacker News - SAP S/4HANA Critical Vulnerability CVE-2025-42957 Exploited in the Wild

A critical security vulnerability impacting SAP S/4HANA, an Enterprise Resource Planning (ERP) software, has come under active exploitation in the wild. The command injection vulnerability, tracked as CVE-2025-42957 (CVSS score: 9.9), was fixed by SAP as part of its monthly updates last month. "SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module from The Hacker News https://thehackernews.com/2025/09/sap-s4hana-critical-vulnerability-cve.html

The Hacker News - Russian APT28 Deploys “NotDoor” Outlook Backdoor Against Companies in NATO Countries

The Russian state-sponsored hacking group tracked as APT28 has been attributed to a new Microsoft Outlook backdoor called NotDoor in attacks targeting multiple companies from different sectors in NATO member countries. NotDoor "is a VBA macro for Outlook designed to monitor incoming emails for a specific trigger word," S2 Grupo's LAB52 threat intelligence team said. "When such an email is from The Hacker News https://thehackernews.com/2025/09/russian-apt28-deploys-notdoor-outlook.html

The Hacker News - GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module

Cybersecurity researchers have lifted the lid on a previously undocumented threat cluster dubbed GhostRedirector that has managed to compromise at least 65 Windows servers primarily located in Brazil, Thailand, and Vietnam. The attacks, per Slovak cybersecurity company ESET, led to the deployment of a passive C++ backdoor called Rungan and a native Internet Information Services (IIS) module from The Hacker News https://thehackernews.com/2025/09/ghostredirector-hacks-65-windows.html

KnowBe4 - A Warrant Is Out for Your Arrest

A super common voice phone call phishing scam (i.e., vishing) is when the scammer calls you and pretends to be a law enforcement official with a warrant for your arrest for not answering a court jury duty summons. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/a-warrant-is-out-for-your-arrest

KnowBe4 - Report: AI Can Now Automate Entire Attack Chains

Threat actors can now use AI tools to automate entire attack operations, according to a new report from Anthropic. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/report-ai-can-now-automate-entire-attack-chains

KnowBe4 - Beyond the Audit Box: Building Security That Works in the Real World

Many years ago, a friend of mine worked as a security director at a firm and had what they called an “audit box.” It was a pre-prepared box filled with policies, network diagrams, security controls and checkboxes. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/beyond-the-audit-box-building-security-that-works-in-the-real-world

The Hacker News - CISA Flags TP-Link Router Flaws CVE-2023-50224 and CVE-2025-9377 as Actively Exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws impacting TP-Link wireless routers to its Known Exploited Vulnerabilities (KEV) catalog, noting that there is evidence of them being exploited in the wild. The vulnerabilities in question are listed below - CVE-2023-50224 (CVSS score: 6.5) - An authentication bypass by spoofing vulnerability from The Hacker News https://thehackernews.com/2025/09/cisa-flags-tp-link-router-flaws-cve.html

Schneier - Generative AI as a Cybercrime Assistant

Anthropic reports on a Claude user: We recently disrupted a sophisticated cybercriminal that used Claude Code to commit large-scale theft and extortion of personal data. The actor targeted at least 17 distinct organizations, including in healthcare, the emergency services, and government and religious institutions. Rather than encrypt the stolen information with traditional ransomware, the actor threatened to expose the data publicly in order to attempt to extort victims into paying ransoms that sometimes exceeded $500,000. The actor used AI to what we believe is an unprecedented degree. Claude Code was used to automate reconnaissance, harvesting victims’ credentials, and penetrating networks. Claude was allowed to make both tactical and strategic decisions, such as deciding which data to exfiltrate, and how to craft psychologically targeted extortion demands. Claude analyzed the exfiltrated financial data to determine appropriate ransom amounts, and generated visually alarming ran...

KnowBe4 - CyberheistNews Vol 15 #35 [Watch Out] Hackers Now Use AI to Write Better Phish

from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/cyberheistnews-vol-15-35-watch-out-hackers-now-use-ai-to-write-better-phish

Black Hills InfoSec - Default Web Content

Whether it's forgotten temporary files, installation artifacts, READMEs, or even simple image files, default content on web servers can turn into a boon for attackers. In the most innocent of cases, these types of content can let attackers know more about the tech stack of the environment, and in the worst-case scenario can lead to exploitation. The post Default Web Content appeared first on Black Hills Information Security, Inc. from Black Hills Information Security, Inc. https://www.blackhillsinfosec.com/default-web-content/

The Hacker News - Android Security Alert: Google Patches 120 Flaws, Including Two Zero-Days Under Attack

Google has shipped security updates to address 120 security flaws in its Android operating system as part of its monthly fixes for September 2025, including two issues that it said have been exploited in targeted attacks. The vulnerabilities are listed below - CVE-2025-38352 (CVSS score: 7.4) - A privilege escalation flaw in the Linux Kernel component; CVE-2025-48543 (CVSS score: N/A) - A from The Hacker News https://thehackernews.com/2025/09/android-security-alert-google-patches.html

Schneier - Indirect Prompt Injection Attacks Against LLM Assistants

Really good research on practical attacks against LLM agents. “Invitation Is All You Need! Promptware Attacks Against LLM-Powered Assistants in Production Are Practical and Dangerous” Abstract: The growing integration of LLMs into applications has introduced new security risks, notably known as Promptware—maliciously engineered prompts designed to manipulate LLMs to compromise the CIA triad of these applications. While prior research warned about a potential shift in the threat landscape for LLM-powered applications, the risk posed by Promptware is frequently perceived as low. In this paper, we investigate the risk Promptware poses to users of Gemini-powered assistants (web application, mobile application, and Google Assistant). We propose a novel Threat Analysis and Risk Assessment (TARA) framework to assess Promptware risks for end users. Our analysis focuses on a new variant of Promptware called Targeted Promptware Attacks, which leverage indirect prompt injection via common...

The Hacker News - Iranian Hackers Exploit 100+ Embassy Email Accounts in Global Phishing Targeting Diplomats

An Iran-nexus group has been linked to a "coordinated" and "multi-wave" spear-phishing campaign targeting the embassies and consulates in Europe and other regions across the world. The activity has been attributed by Israeli cybersecurity company Dream to Iranian-aligned operators connected to broader offensive cyber activity undertaken by a group known as Homeland Justice. "Emails were sent to from The Hacker News https://thehackernews.com/2025/09/iranian-hackers-exploit-100-embassy.html

The Hacker News - Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack

Cloudflare on Tuesday said it automatically mitigated a record-setting volumetric distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps). "Over the past few weeks, we've autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps," the web infrastructure and security company said in a post on X. " from The Hacker News https://thehackernews.com/2025/09/cloudflare-blocks-record-breaking-115.html

KnowBe4 - Your KnowBe4 Compliance Plus Fresh Content Updates from August 2025

Check out the August updates in Compliance Plus so you can stay on top of featured compliance training content. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/your-knowbe4-compliance-plus-fresh-content-updates-from-august-2025

The Hacker News - Shadow AI Discovery: A Critical Part of Enterprise AI Governance

The Harsh Truths of AI Adoption. MIT's State of AI in Business report revealed that while 40% of organizations have purchased enterprise LLM subscriptions, over 90% of employees are actively using AI tools in their daily work. Similarly, research from Harmonic Security found that 45.4% of sensitive AI interactions are coming from personal email accounts, where employees are bypassing corporate from The Hacker News https://thehackernews.com/2025/09/shadow-ai-discovery-critical-part-of.html

The Hacker News - Ukrainian Network FDN3 Launches Massive Brute-Force Attacks on SSL VPN and RDP Devices

Cybersecurity researchers have flagged a Ukrainian IP network for engaging in massive brute-force and password spraying campaigns targeting SSL VPN and RDP devices between June and July 2025. The activity originated from a Ukraine-based autonomous system FDN3 (AS211736), per French cybersecurity company Intrinsec. "We believe with a high level of confidence that FDN3 is part of a wider abusive from The Hacker News https://thehackernews.com/2025/09/ukrainian-network-fdn3-launches-massive.html

Schneier - 1965 Cryptanalysis Training Workbook Released by the NSA

In the early 1960s, National Security Agency cryptanalyst and cryptanalysis instructor Lambros D. Callimahos coined the term “Stethoscope” to describe a diagnostic computer program used to unravel the internal structure of pre-computer ciphertexts. The term appears in the newly declassified September 1965 document Cryptanalytic Diagnosis with the Aid of a Computer, which compiled 147 listings from this tool for Callimahos’s course, CA-400: NSA Intensive Study Program in General Cryptanalysis. The listings in the report are printouts from the Stethoscope program, run on the NSA’s Bogart computer, showing statistical and structural data extracted from encrypted messages, but the encrypted messages themselves are not included. They were used in NSA training programs to teach analysts how to interpret ciphertext behavior without seeing the original message. The listings include elements such as frequency tables, index of coincidence, periodicity tests, bigram/trigram analysis, and col...

The Hacker News - Silver Fox Exploits Microsoft-Signed WatchDog Driver to Deploy ValleyRAT Malware

The threat actor known as Silver Fox has been attributed to abuse of a previously unknown vulnerable driver associated with WatchDog Anti-malware as part of a Bring Your Own Vulnerable Driver (BYOVD) attack aimed at disarming security solutions installed on compromised hosts. The vulnerable driver in question is "amsdk.sys" (version 1.0.600), a 64-bit, validly signed Windows kernel device driver from The Hacker News https://thehackernews.com/2025/09/silver-fox-exploits-microsoft-signed.html

The Hacker News - Malicious npm Package nodejs-smtp Mimics Nodemailer, Targets Atomic and Exodus Wallets

Cybersecurity researchers have discovered a malicious npm package that comes with stealthy features to inject malicious code into desktop apps for cryptocurrency wallets like Atomic and Exodus on Windows systems. The package, named nodejs-smtp, impersonates the legitimate email library nodemailer with an identical tagline, page styling, and README descriptions, attracting a total of 347 from The Hacker News https://thehackernews.com/2025/09/malicious-npm-package-nodejs-smtp.html

Krebs - The Ongoing Fallout from a Breach at AI Chatbot Maker Salesloft

The recent mass-theft of authentication tokens from Salesloft, whose AI chatbot is used by a broad swath of corporate America to convert customer interaction into Salesforce leads, has left many companies racing to invalidate the stolen credentials before hackers can exploit them. Now Google warns the breach goes far beyond access to Salesforce data, noting the hackers responsible also stole valid authentication tokens for hundreds of online services that customers can integrate with Salesloft, including Slack, Google Workspace, Amazon S3, Microsoft Azure, and OpenAI. Salesloft says its products are trusted by 5,000+ customers. Some of the bigger names are visible on the company’s homepage. Salesloft disclosed on August 20 that, “Today, we detected a security issue in the Drift application,” referring to the technology that powers an AI chatbot used by so many corporate websites. The alert urged customers to re-authenticate the connection between the Drift and Salesforce apps ...

The Hacker News - Android Droppers Now Deliver SMS Stealers and Spyware, Not Just Banking Trojans

Cybersecurity researchers are calling attention to a new shift in the Android malware landscape where dropper apps, which are typically used to deliver banking trojans, are also being used to distribute simpler malware such as SMS stealers and basic spyware. These campaigns are propagated via dropper apps masquerading as government or banking apps in India and other parts of Asia, ThreatFabric said in a report from The Hacker News https://thehackernews.com/2025/09/android-droppers-now-deliver-sms.html

The Hacker News - ⚡ Weekly Recap: WhatsApp 0-Day, Docker Bug, Salesforce Breach, Fake CAPTCHAs, Spyware App & More

Cybersecurity today is less about single attacks and more about chains of small weaknesses that connect into big risks. One overlooked update, one misused account, or one hidden tool in the wrong hands can be enough to open the door. The news this week shows how attackers are mixing methods—combining stolen access, unpatched software, and clever tricks to move from small entry points to large from The Hacker News https://thehackernews.com/2025/09/weekly-recap-whatsapp-0-day-docker-bug.html

The Hacker News - When Browsers Become the Attack Surface: Rethinking Security for Scattered Spider

As enterprises continue to shift their operations to the browser, security teams face a growing set of cyber challenges. In fact, over 80% of security incidents now originate from web applications accessed via Chrome, Edge, Firefox, and other browsers. One particularly fast-evolving adversary, Scattered Spider, has made it their mission to wreak havoc on enterprises by specifically targeting from The Hacker News https://thehackernews.com/2025/09/when-browsers-become-attack-surface.html

The Hacker News - ScarCruft Uses RokRAT Malware in Operation HanKook Phantom Targeting South Korean Academics

Cybersecurity researchers have discovered a new phishing campaign undertaken by the North Korea-linked hacking group called ScarCruft (aka APT37) to deliver a malware known as RokRAT. The activity has been codenamed Operation HanKook Phantom by Seqrite Labs, stating the attacks appear to target individuals associated with the National Intelligence Research Association, including academic figures from The Hacker News https://thehackernews.com/2025/09/scarcruft-uses-rokrat-malware-in.html