A new threat group named Crimson Collective is actively targeting AWS cloud environments for data theft and extortion. The group initiates attacks by finding leaked long-term access keys and then establishes persistence by creating new administrative users. They conduct extensive reconnaissance of the cloud infrastructure before exfiltrating valuable data from services like RDS and EBS by creating and exporting snapshots. After successfully stealing the information, the attackers send an extortion note to the victim, often using the compromised account's own email service. This group's methodology highlights the risks of overly permissive configurations and improper credential management in cloud environments.
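The two stages of the methodology summarised above (persistence through a newly created administrative IAM user, then staging RDS/EBS data for exfiltration by exporting or sharing snapshots) both leave CloudTrail records. The following detection sketch is an added example, not code from the report or from any vendor: it runs over a handful of constructed CloudTrail-style events and raises an alert when one identity creates a user and grants it the managed `AdministratorAccess` policy within a day, and a second alert on snapshot copy/share/export API calls, rated higher when the caller is one of those freshly minted admins. The field names follow the standard CloudTrail record layout; the sample events and the 24-hour window are assumptions.

```python
"""Toy CloudTrail detection for the AWS persistence-and-exfiltration pattern above.
Added example; the sample events below are constructed, not real telemetry."""
from datetime import datetime, timedelta

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
# API calls that copy, share or export snapshot contents (potential exfiltration staging).
SNAPSHOT_EXFIL_APIS = {
    "ec2.amazonaws.com": {"ModifySnapshotAttribute", "CopySnapshot"},
    "rds.amazonaws.com": {"StartExportTask", "ModifyDBSnapshotAttribute", "CopyDBSnapshot"},
}
WINDOW = timedelta(hours=24)  # assumed correlation window between CreateUser and policy grant


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _actor(event):
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


def _ev(time, source, name, actor, **params):
    """Helper to build a minimal CloudTrail-shaped record (constructed data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": actor},
            "requestParameters": params}


# Constructed sample: a long-standing DBA exports a snapshot (medium), then a leaked
# CI key creates 'svc-backup', makes it admin and exports/shares snapshots (high).
SAMPLE_EVENTS = [
    _ev("2025-10-01T08:00:00Z", "rds.amazonaws.com", "StartExportTask", "dba-admin",
        sourceArn="arn:aws:rds:us-east-1:111122223333:snapshot:nightly"),
    _ev("2025-10-01T09:00:00Z", "iam.amazonaws.com", "CreateUser", "ci-deploy", userName="svc-backup"),
    _ev("2025-10-01T09:01:30Z", "iam.amazonaws.com", "AttachUserPolicy", "ci-deploy",
        userName="svc-backup", policyArn=ADMIN_POLICY_ARN),
    _ev("2025-10-01T09:02:00Z", "iam.amazonaws.com", "CreateAccessKey", "ci-deploy", userName="svc-backup"),
    _ev("2025-10-01T09:30:00Z", "ec2.amazonaws.com", "DescribeInstances", "svc-backup"),
    _ev("2025-10-01T10:15:00Z", "rds.amazonaws.com", "StartExportTask", "svc-backup",
        sourceArn="arn:aws:rds:us-east-1:111122223333:snapshot:customer-db"),
    _ev("2025-10-01T10:20:00Z", "ec2.amazonaws.com", "ModifySnapshotAttribute", "svc-backup",
        snapshotId="snap-0123456789abcdef0", attributeType="createVolumePermission"),
]


def detect(events):
    """Return alerts (dicts with 'rule', 'actor', 'severity', 'detail') in event-time order."""
    alerts = []
    created = {}        # new IAM user -> (creator, CreateUser time)
    new_admins = set()  # users granted AdministratorAccess shortly after creation
    for ev in sorted(events, key=_ts):
        src, name = ev["eventSource"], ev["eventName"]
        params = ev.get("requestParameters") or {}
        actor = _actor(ev)
        if src == "iam.amazonaws.com":
            if name == "CreateUser":
                created[params["userName"]] = (actor, _ts(ev))
            elif name == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY_ARN:
                target = params.get("userName")
                if target in created and _ts(ev) - created[target][1] <= WINDOW:
                    new_admins.add(target)
                    alerts.append({"rule": "new-admin-user", "actor": actor, "severity": "high",
                                   "detail": f"{actor} created {target} and attached AdministratorAccess"})
        elif name in SNAPSHOT_EXFIL_APIS.get(src, set()):
            severity = "high" if actor in new_admins else "medium"
            alerts.append({"rule": "snapshot-export", "actor": actor, "severity": severity,
                           "detail": f"{actor} called {name} via {src}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['rule']}: {alert['detail']}")
```

Snapshot exports by long-standing identities are routine in many accounts, which is why the second rule only escalates to high severity when the caller was itself created and elevated within the correlation window; in production the same logic would be fed from CloudTrail Lake or a SIEM rather than an inline list.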
Latest Cyber News
Curated cybersecurity intelligence • Updated continuously
Communications equipment manufacturer BK Technologies has disclosed a significant cybersecurity incident that compromised its IT infrastructure. The company revealed that an unauthorized third party gained access to its network in late September and acquired non-public information. This breach potentially exposed sensitive records belonging to current and former employees. BK Technologies has since contained the threat, removed the attackers from its systems, and notified law enforcement. While the investigation continues, the company stated that the incident caused minimal disruption to core business operations and is not expected to have a material financial impact.
Researchers have uncovered a groundbreaking vulnerability named "Mic-E-Mouse" that transforms high-performance computer mice into covert listening devices. The attack exploits sensitive optical sensors to detect minute acoustic vibrations traveling through work surfaces, effectively capturing nearby conversations. Using advanced signal processing and machine learning, attackers can reconstruct intelligible speech from the collected mouse movement data. The exploit can be hidden within legitimate software, such as video games, that require high-frequency mouse input, making it invisible to the average user. This discovery reveals a significant new surveillance threat, turning a common computer peripheral into a sophisticated eavesdropping tool.
Police have uncovered a massive international phone scam that stole millions from hundreds of elderly victims. The organized crime ring operated call centers from several locations, with callers posing as bank officials to deceive targets. Using prepared scripts, the scammers tricked victims into surrendering their online banking credentials, allowing the criminals to drain their accounts. The stolen funds were then laundered through a complex network before being moved out of the country. While numerous suspects have been identified, authorities believe parts of the criminal operation may still be active.
A major healthcare provider is notifying 5,000 patients about a decade-long insider data breach. A former employee improperly accessed electronic health records for ten years before the activity was discovered. The organization delayed notifying patients for four years at the request of law enforcement to avoid impeding an investigation. Compromised information includes names, medical histories, and, in some cases, Social Security numbers. The provider is now offering complimentary credit monitoring services to those affected by the exposure of their most sensitive data.
A critical vulnerability, CVE-2025-61984, has been disclosed in OpenSSH versions before 10.1, enabling remote code execution. The flaw stems from the improper handling of control characters in usernames when used with the `ProxyCommand` directive. An attacker can inject malicious commands by crafting a username with special shell characters and a newline, exploiting how certain shells parse the command string. This issue poses a significant risk for configurations using the `%r` token, such as in some Git submodule setups. Administrators should upgrade OpenSSH immediately or apply mitigations by quoting the username token in their configuration files.
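The mitigation named above, quoting the `%r` token wherever `ProxyCommand` expands it, is easy to audit mechanically. The script below is an added example, not code from OpenSSH or from the advisory: it walks an `ssh_config` text, finds `ProxyCommand` directives whose `%r` is not inside single quotes (it deliberately accepts only single quotes as a mitigation, a stricter reading than the text requires), and adds a conservative allowlist check that a username contains no control characters or shell metacharacters before it is handed to an ssh invocation. The sample configuration and the allowlist pattern are constructed assumptions.

```python
"""Audit helper for unquoted %r in ProxyCommand and for unsafe usernames.
Added example; the sample configuration below is constructed."""
import re

# Conservative allowlist for usernames passed to ssh (assumption, not an OpenSSH rule):
# alphanumerics plus . _ -, so no newlines, control characters or shell metacharacters.
SAFE_USERNAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,31}$")

# ssh_config keyword parsing: 'Keyword value' or 'Keyword=value', keyword case-insensitive.
KEYWORD_LINE = re.compile(r"^(\w+)\s*=?\s*(.*)$")


def unquoted_r_positions(command):
    """Indexes of %r occurrences that are not inside a single-quoted region of command."""
    in_single = False
    hits = []
    i = 0
    while i < len(command):
        if command[i] == "'":
            in_single = not in_single
        elif not in_single and command.startswith("%r", i):
            hits.append(i)
            i += 1  # skip the 'r'
        i += 1
    return hits


def find_unquoted_proxycommand_r(config_text):
    """Return (line_number, line) for each ProxyCommand directive with an unquoted %r."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # ssh_config comments are full lines
            continue
        m = KEYWORD_LINE.match(line)
        if not m or m.group(1).lower() != "proxycommand":
            continue
        if unquoted_r_positions(m.group(2)):
            findings.append((lineno, raw))
    return findings


def is_safe_username(user):
    """True only if the username matches the conservative allowlist above."""
    return bool(SAFE_USERNAME.match(user))


# Constructed sample config: one unmitigated host, two quoted variants, one without %r.
SAMPLE_CONFIG = """# constructed sample ssh_config
Host jump-legacy
    ProxyCommand ssh -W %h:%p %r@bastion.example.com
Host jump-fixed
    ProxyCommand ssh -W %h:%p '%r'@bastion.example.com
Host jump-fixed-alt
    ProxyCommand=ssh -W %h:%p -l '%r' bastion.example.com
Host plain
    ProxyCommand nc %h %p
"""

if __name__ == "__main__":
    for lineno, line in find_unquoted_proxycommand_r(SAMPLE_CONFIG):
        print(f"line {lineno}: unquoted %r -> {line.strip()}")
    for candidate in ("alice", "alice\n$(id)"):
        print(repr(candidate), "safe" if is_safe_username(candidate) else "REJECTED")
```

Run it against `~/.ssh/config` and `/etc/ssh/ssh_config` on hosts that still run a vulnerable OpenSSH; the username check is the belt-and-braces control for tooling (Git submodule handling included) that builds the `user@host` string from untrusted input.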
A state-nexus threat actor known as Mustang Panda has launched a sophisticated phishing campaign targeting a specific activist community. The attack uses a decoy executable to trigger an advanced DLL side-loading technique, deploying a malicious DLL that is hidden from the user via special system file attributes. This multi-stage malware, featuring custom loaders named Claimloader and Publoader, establishes persistence through registry keys and scheduled tasks. The campaign leverages creative API abuse for stealthy execution, highlighting the group's evolving tradecraft for espionage. This operation demonstrates how threat actors continuously refine obfuscation methods to bypass security controls.
A new threat report from OpenAI reveals that state-sponsored hackers and cybercriminals are using AI to enhance existing attack methods rather than invent new ones. Government-linked groups have been observed using large language models for reconnaissance, crafting phishing emails, and improving malware development workflows. The report also details how organized scam centers use AI to generate convincing fraudulent content and manage their illicit day-to-day operations. Researchers highlighted the dual-use challenge, where threat actors bypass safety measures by requesting seemingly harmless code that is later assembled for malicious purposes. Despite this misuse, OpenAI notes that its models are used up to three times more often by the public to identify and avoid scams than to create them.
Enterprise software giant Red Hat is being extorted by the ShinyHunters gang following a major data breach. The initial attack, carried out by a group called Crimson Collective, resulted in the theft of sensitive customer engagement reports, samples of which have now been leaked. This extortion effort is being facilitated through a new data leak site operated by ShinyHunters, who have partnered with the original hackers. The site also lists dozens of other major brands being extorted after their Salesforce instances were breached in a widespread campaign. This development marks the public launch of ShinyHunters' 'Extortion-as-a-Service' platform, where they facilitate attacks for other threat actors in exchange for a share of the profits.
A critical zero-day vulnerability, CVE-2025-61882, is being actively exploited in Oracle E-Business Suite, enabling unauthenticated remote code execution. The attack is not a single flaw but a sophisticated chain of at least five vulnerabilities working in concert. It begins with a Server-Side Request Forgery (SSRF) that is escalated using CRLF injection to bypass security controls and manipulate HTTP requests. Attackers then pivot to an internal service, using path traversal to bypass authentication filters and access a vulnerable component. The final stage leverages an unsafe XSL Transformation (XSLT) process to load a malicious stylesheet from an attacker-controlled server, resulting in full system compromise.