Elastic has released security updates addressing five vulnerabilities in its Kibana and Elasticsearch components, including three critical Cross-Site Scripting (XSS) issues. These flaws could allow attackers to execute arbitrary scripts, leading to data theft and session hijacking. Other fixed vulnerabilities include a sensitive information disclosure in Elasticsearch audit logs and a credential leak in the Kibana CrowdStrike Connector. The issues affect multiple versions, with some flaws allowing credential exposure across different workspaces. Users are strongly urged to upgrade to the latest patched versions immediately to mitigate these risks.
Latest Cyber News
A hacker collective has launched an extortion portal following a massive supply chain attack that compromised Salesforce data from hundreds of companies. The attackers exploited a third-party integration provider, stealing OAuth tokens to gain widespread access to customer information. This sophisticated campaign combined social engineering and the abuse of stolen API tokens to exfiltrate sensitive business data at scale. The new portal now lists victims and threatens to publish their stolen data unless a ransom is paid. The incident serves as a stark reminder of the critical need for robust API security, token management, and vigilant third-party risk assessment.
A critical vulnerability in SillyTavern, a popular web UI for AI models, allows attackers to gain complete remote control over user instances. The flaw, identified as a DNS rebinding issue, enables a malicious website to bypass browser security policies and access the locally hosted application. By tricking a user into visiting a crafted webpage, an attacker can read private chats, install malicious extensions, and inject arbitrary HTML for phishing attacks. Developers have patched the vulnerability in version 1.13.4 by adding a host whitelist feature. However, this protection is disabled by default, requiring users to manually enable the new security setting to secure their installations.
A cybercrime collective has initiated an unusual crowdsourced extortion campaign, offering Bitcoin rewards to anyone who helps pressure their alleged victims. The group encourages followers to email and harass senior executives at targeted companies, demanding ransom payments to prevent data from being published on their new leak site. While the criminals claim to have breached a major CRM provider, the company asserts its platform was not compromised, attributing the incident to a vulnerable third-party integration. This novel tactic of outsourcing harassment comes amid doubts about the group's credibility, fueled by poor grammar in their communications and a recent, short-lived announcement of their retirement. The group's claims remain unsubstantiated as they attempt this new method to coerce payments from dozens of listed organizations.
A comprehensive study of 800 free mobile VPN apps has uncovered widespread security and privacy risks, revealing that many fail to protect user data. Researchers found numerous applications leaking personal information, using outdated code vulnerable to major exploits like the Heartbleed bug, and susceptible to man-in-the-middle attacks. Many of these apps also request excessive and dangerous permissions, such as constant location tracking or access to system logs, far beyond their core function. Furthermore, a significant number of the apps lack transparency, failing to properly disclose their data handling practices to users. For organizations with bring-your-own-device policies, these flawed VPNs represent a critical weak link that can expose sensitive enterprise data.
Oracle has released an emergency patch for a critical zero-day vulnerability in its E-Business Suite software. The flaw, tracked as CVE-2025-61882, allows attackers to exploit systems remotely without needing a username or password. The prolific hacking group Clop is actively abusing this vulnerability in a mass exploitation campaign to steal sensitive corporate data. Following the data theft, the attackers are sending extortion emails to corporate executives, demanding payment to prevent their personal information from being published online. Oracle is urging all customers to apply the update immediately to protect against these ongoing data theft and extortion attacks.
A sophisticated spear-phishing campaign is targeting governmental and aviation sectors in one region using the PlugX malware family. The attack begins with emails leading to a fake verification page, which then delivers a malicious archive containing a Windows shortcut file. This shortcut triggers a multi-stage infection process involving PowerShell scripts and DLL sideloading to execute the final payload. While a decoy document is displayed to the victim, the malware establishes a connection to a command-and-control server for espionage purposes. The tactics, including the use of cloud-hosted infrastructure and specific malware tools, strongly link the campaign to state-sponsored threat actors.
The state-sponsored threat actor SideWinder has launched a widespread cyber-espionage campaign dubbed "Operation SouthNet." The operation targets government, defense, and maritime entities across multiple nations using a vast network of phishing websites. Attackers leverage free hosting platforms to quickly deploy fake webmail login portals, tricking victims into revealing sensitive credentials. Lure documents are themed around official government business, defense procurement, and diplomatic events to increase their legitimacy. This campaign demonstrates the group's adaptive tactics, including infrastructure recycling and a growing focus on maritime intelligence gathering.
A new, sophisticated ransomware strain named Yurei has emerged, built in the Go language for rapid and stealthy attacks. It employs a double-extortion model, encrypting files with the ".Yurei" extension while threatening to leak stolen data. The malware is designed to make recovery impossible, deleting shadow copies, system backups, and event logs. Yurei spreads laterally across networks using SMB shares and removable drives, and it executes robust anti-forensic routines to erase all traces of its activity. Researchers note its code is derived from an open-source project but has been enhanced for greater speed and stealth, making it a professional-grade threat.
A cybercrime group is actively exploiting a critical zero-day vulnerability in Fortra's GoAnywhere MFT software to deploy Medusa ransomware. Tracked as CVE-2025-10035, the maximum-severity flaw allows for remote code execution and was leveraged in attacks before a patch was available. Attackers gain initial access through the vulnerability, then use remote management tools for persistence and move laterally across networks. The group exfiltrates data before deploying the ransomware payload to encrypt victim files, impacting numerous critical infrastructure organizations. Security experts urge administrators to immediately upgrade to the latest patched version and inspect system logs for signs of compromise.