Hackers intercepted and monitored the emails of over 103 bank regulators at the Office of the Comptroller of the Currency (OCC) for more than a year, gaining access to highly sensitive financial data. The breach was discovered on February 11, 2025, when Microsoft’s security team alerted the OCC about unusual activities on its network. The The post Hackers Intercepted 100+ Bank Regulators’ Emails for More Than a Year appeared first on Cyber Security News.

Crooks behind some credential-stealing phishing campaigns are trying to increase their success rate by sophisticated targeting. According to researchers at Cofense, instead of blasting out mass messages to a list of email addresses they’ve collected or bought, these threat actors only target addresses that have been verified as active, legitimate, and often high-value. Cofense calls the technique precision-validated phishing, or real-time email validation, and it works like this: When someone who falls for a pitch attempts to access the crook’s phishing page, their email address is checked against the attacker’s database, via JavaScript-based validation scripts on the page, before the fraudulent credential stealing login form is displayed. If the email address entered does not match any from the pre-defined list, the phishing page either returns an error or redirects to a legitimate, benign-looking, page. If the address is confirmed, however, the fake login page that can capture the victim’s credentials is displayed. Problem for defenders The problem facing defenders is the tactic prevents security teams from doing further analysis and investigation, says the report. Automated security crawlers and sandbox environments also struggle to analyze these attacks because they cannot bypass the validation filter, the report adds. Also, the report says, the selective nature of these attacks makes detection through threat intelligence sharing more difficult. Since the phishing pages do not serve malicious content to everyone, some traditional URL scanning tools may fail to flag them as threats. “This undermines traditional blocklisting efforts, requiring organizations to shift toward behavioural analysis and anomaly detection to identify phishing campaigns before they reach end users,” the report says.  ‘A little bit of hype’ David Shipley, head of Canadian-based security awareness training firm Beauceron Security, said “there’s a little bit of hype” in giving the tactic a fancy name for what is in fact spear phishing, although, he admitted, it’s “rapid-fire spear phishing.” The reason, he said, is that “spray-and-pray” mass phishing campaigns today are being detected by email gateways. This is why threat actors have increasingly turned to spear phishing and what he calls “trolling” campaigns, where the goal is to measure who will report a phishing attempt, who will click, and where on the message the target will click. “They’re trying to figure things out ahead of doing something clever,” he said. The report is a reminder to infosec pros that, despite improved defenses, phishing is still a prime tactic of threat actors, Shipley said. “You can have a false sense of security if you’re running a large enterprise and say, ‘We stopped 950,000 phishing emails this month.’ But the 500 that got through could really sink the battleship.” The lesson for CISOs, he added, is to emphasize to employees the importance of reporting suspected phishing emails instead of just deleting them. ‘Hard to defend against’ “This is very difficult to defend against,” said Johannes Ullrich, dean of research at the SANS Institute. “The first step is to restrict JavaScript access. Next, mail servers need to rate limit requests to restrict how often a particular source may use its API. But it is very difficult to find the ‘right’ rate limit.” “The only real solution,” he said, “is to move away from traditional credentials to phishing-safe authentication methods like Passkeys. The goal should be to protect from leaked credentials, not block user account verification.” Attackers verifying e-mail addresses as deliverable, or being associated with specific individuals, is nothing fundamentally new, he added. Initially, attackers used the mail server’s “VRFY” command to verify if an address was deliverable. This still works in a few cases. Next, attackers relied on “non-deliverable receipts,” the bounce messages you may receive if an email address does not exist, to figure out if an email address existed. Both techniques work pretty well to determine if an email address is deliverable, but they do not distinguish whether the address is connected to a human, or if its messages are read.   The next step, Ullrich said, was sending obvious spam, but including an “unsubscribe” link. If a user clicks on the “unsubscribe” link, it confirms that the email was opened and read. So current advice is to not use the unsubscribe link unless you know the organization sending the email, he said. With web mail systems, it is often possible for a threat actor to figure out if a particular account exists by just attempting to log in, he noted. The attacker may get a different response if the account doesn’t exist, versus ‘incorrect password’ for an existing account. For public systems like Gmail or Hotmail, an attacker may also attempt to create a new account, and the system will warn them if a particular username is already taken. “It looks like this campaign added the ability to verify if an email address exists in real time,” he said. “Most webmail systems are built around APIs accessible from JavaScript, and an attacker can use these APIs or create a database of valid email addresses or some middleware to proxy the requests to the email services API in case they restrict JavaScript access.”

Google has unveiled Firebase Studio, a groundbreaking cloud-based platform designed to streamline the creation of full-stack AI applications. This innovative tool integrates the power of Gemini AI with existing Firebase services, offering developers an end-to-end solution to prototype, build, test, and deploy applications with unprecedented speed and efficiency. Key Features of Firebase Studio Firebase Studio The post Google Released AI-powered Firebase Studio to Accelerate Build, Test, & Deployment appeared first on Cyber Security News.

A review of the emails involved in the breach is still ongoing, but what has been discovered is enough for the Treasury Department to label it a “major cyber incident.”

A critical vulnerability in the USB-audio driver, which could lead to out-of-bounds memory reads, has been addressed by a recent patch to the Linux kernel, authored by Takashi Iwai of SUSE. The USB-audio driver in the Linux kernel has an out-of-bounds access vulnerability that possibly enables an attacker with physical access to the system to The post Linux USB Audio Driver Vulnerability Let Attackers Execute Arbitrary Code Via Malicious USB Device appeared first on Cyber Security News.

Attacks on a critical authentication bypass flaw in CrushFTP’s file transfer product continue this week after duplicate CVEs sparked confusion.

Cybersecurity and policy experts worry that if tariffs give way to a global recession, organizations will reduce their spending on cybersecurity.

The database company said its Oracle Cloud Infrastructure (OCI) was not involved in the breach. And at least one law firm seeking damages is already on the case.

Threat actors are trolling online forums and spreading malicious apps to target Uyghurs, Taiwanese, Tibetans, and other individuals aligned with interests that China sees as a threat to its authority.

Google has launched a new enterprise security platform called Google Unified Security that combines the company’s visibility, threat detection, and incident response capabilities and makes it available across networks, endpoints, cloud infrastructure, and apps. The platform combines threat intelligence from internal and third-party sources with expertise from Google’s Mandiant incident response arm and new AI-powered agents that can automatically triage and investigate alerts. “Google Unified Security brings together what we are best at — scale, search, analytics — and applies it to security use cases,” Brian Roddy, VP of cloud security at Google Cloud, said during a press briefing attended by CSO. “It offers unmatched threat visibility, cloud security, the most trusted browser, and Mandiant expertise all in one converged security suite powered by Gemini AI and, of course, running on Google’s planet-scale infrastructure.” The goal, according to Roddy, is to enable organizations to better respond to security challenges brought by increasingly complex IT infrastructures that are targeted with sophisticated attacks by both cybercriminal groups and state-sponsored threat actors. The platform also allows integration with existing security tools, aiming to solve rather than add to the security data fragmentation problem generated by the multitude of tools that organizations and security teams already use. Agentic AI on the horizon Google is determined to leverage its Gemini AI model to create agents that can automate certain security functions to free up resources for security teams. One example is an upcoming agent in Google Security Operations, the company’s existing SecOps platform, that will triage alerts and perform investigations automatically. This agent, which will become available for preview during the second quarter, is capable of understanding an alert’s context by gathering relevant information, and then provides a verdict that can be reviewed by analysts along with a history of the agent’s decision-making process. Another AI-powered agent that will be added to Google Threat Intelligence, also during Q2, will perform malware analysis with the goal of determining whether a piece of code is malicious. The agent is capable of executing scripts safely in order to de-obfuscate them. Google Security Operations now also provides a new Mandiant Threat Defense service that extends the size of enterprise security teams with Mandiant experts who can use AI-assisted techniques to hunt for and respond to threats in customer environments. If a security incident is discovered, customers can use a new Mandiant Retainer service to quickly retain incident response services on demand with pre-negotiated terms and two-hour response times. Cloud security enhancements The Google Cloud Platform (GCP) Security Command Center will gain new capabilities for protecting cloud workloads, especially those related to AI model use. Model Armor, a feature that’s part of GCP’s existing AI Protection service, will allow customers to apply content safety and security controls to prompts that are sent to self-hosted AI models, either on GCP or across multiple clouds. A Data Security Posture Management (DSPM) capability that will become available for preview in June will allow for the discovery, security, and management of sensitive data, including data sets used to train AI models. “DSPM can help discover and classify sensitive data, apply data security and compliance controls, monitor for violations, and enforce access, flow, retention, and protection directly in Google Cloud data analytics and AI products,” the company said. Also in June, the Security Command Center will get a new Compliance Manager feature through which customers can define policies, control configurations and monitor enforcement to maintain and prove data compliance to auditors. The Google Compute Engine and Google Kubernetes Engine will get new Security Risk dashboards that will provide information on vulnerabilities and security findings directly in the product consoles. And new third-party integration with Snyk’s developer security platform will help development teams identify vulnerabilities in their code. Google Cloud will also get new integrations with network security vendors to protect Google Cloud workloads, as well as new features and capabilities related to network security. Among these are: DNS Armor, a feature to detect DNS-based threats built in collaboration with Infoblox Threat Defense; inline data loss protection for Secure Web Proxy (SWP) via integrations with Google’s Sensitive Data Protection and Symantec DLP; and L7 domain filtering capabilities for Google’s Cloud NGFW Enterprise. Endpoint protection On the endpoint protection side, Google relies heavily on the Chrome Enterprise browser and its paid Chrome Enterprise Premium service, which provides real-time malware and phishing protection while surfing the web, malware deep scanning on the endpoint, data loss prevention, URL filtering, user behavior insights, and more. New capabilities for this service include the ability for organizations to configure their own branding and corporate assets to help identify phishing attempts on internal domains, as well as a new data masking feature that completes the DLP capabilities along with watermarking, screenshot blocking, and controls for copy, paste, upload, download, and printing. “Foundationally, Google Unified Security integrates first- and third-party security telemetry into our data fabric for comprehensive visibility, searchability, and detection using our SecOps platform. It automatically enriches security data with the latest Google threat intelligence, driving better prioritization and identifying gaps. It performs security validation to proactively test and validate the effectiveness of security controls. It unifies response workflows across cloud, SaaS, and on-prem use cases to optimize resources. And it allows customers to bring in Mandiant threat hunters and consultants on demand to augment their team where they need it,” Roddy said.

Research has discovered a recent version of Neptune RAT, which is spreading and stealing credentials. 

VMware has released critical security updates to address 47 vulnerabilities across multiple VMware Tanzu Greenplum products, including 29 issues in VMware Tanzu Greenplum Backup and Restore and 18 bugs in various components of VMware Tanzu Greenplum.  The security advisories, published on April 7, 2025, include patches for vulnerabilities with CVSS scores as high as 9.8, The post VMware Patches Multiple 47 Vulnerabilities VMware Tanzu Greenplum Backup & Components appeared first on Cyber Security News.

Microsoft has disclosed a significant security vulnerability in Active Directory Domain Services that could allow attackers to elevate their privileges to the system level, potentially gaining complete control over affected systems.  The vulnerability tracked as CVE-2025-29810, was patched as part of Microsoft’s April 2025 Patch Tuesday security update cycle.  Security researchers classify the flaw as The post Windows Active Directory Domain Vulnerability Let Attackers Escalate Privileges appeared first on Cyber Security News.

A sophisticated ransomware strain known as Hellcat has emerged as a formidable threat in the cybersecurity landscape since its first appearance in mid-2024. The malware has rapidly evolved its capabilities, specifically targeting critical sectors including government agencies, educational institutions, and energy infrastructure. This group doesn’t merely encrypt data; they weaponize psychological tactics and exploit previously The post Hellcat Ransomware Updated It’s Arsenal to Attack Government, Education, and Energy Sectors appeared first on Cyber Security News.

Adobe has released a comprehensive set of security updates addressing multiple vulnerabilities across twelve of its products.  The patches, all released on April 8, 2025, aim to resolve critical, important, and moderate security flaws that could potentially expose users to various cyber threats, including arbitrary code execution, privilege escalation, and application denial-of-service attacks. Significant Vulnerabilities The post Adobe Security Update – Patch for Multiple Vulnerabilities Across Products appeared first on Cyber Security News.

Microsoft has confirmed a global outage affecting the Exchange Admin Center (EAC), leaving administrators unable to access critical management tools. The issue, which has been designated as a critical service incident under ID EX1051697, is causing widespread disruptions across organizations relying on Exchange Online. Administrators attempting to log in to the EAC are encountering an The post Microsoft Exchange Admin Center Down Globally appeared first on Cyber Security News.

Lovable, a generative artificial intelligence (AI) powered platform that allows for creating full-stack web applications using text-based prompts, has been found to be the most susceptible to jailbreak attacks, allowing novice and aspiring cybercrooks to set up lookalike credential harvesting pages. “As a purpose-built tool for creating and deploying web apps, its capabilities line up perfectly