<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Data Breach &#8211; First Hackers News</title>
	<atom:link href="https://firsthackersnews.com/category/data-breach/feed/" rel="self" type="application/rss+xml" />
	<link>https://firsthackersnews.com</link>
	<description>Latest cybersecurity news, real attacks, and practical IOCs—made simple and actionable.</description>
	<lastBuildDate>Tue, 23 Jun 2026 17:28:13 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://firsthackersnews.com/wp-content/uploads/2026/03/cropped-FHN_512x512-32x32.png</url>
	<title>Data Breach &#8211; First Hackers News</title>
	<link>https://firsthackersnews.com</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>LastPass Impacted by Klue OAuth Token Breach</title>
		<link>https://firsthackersnews.com/lastpass-data-exposed-klue-supply-chain-attack/</link>
					<comments>https://firsthackersnews.com/lastpass-data-exposed-klue-supply-chain-attack/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Tue, 23 Jun 2026 17:08:40 +0000</pubDate>
				<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[Security Update]]></category>
		<category><![CDATA[api security]]></category>
		<category><![CDATA[cloud security]]></category>
		<category><![CDATA[Customer Data Exposure]]></category>
		<category><![CDATA[cyber threats]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Cybersecurity News]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[identity security]]></category>
		<category><![CDATA[Klue]]></category>
		<category><![CDATA[Lastpass]]></category>
		<category><![CDATA[OAuth Security]]></category>
		<category><![CDATA[OAuth Tokens]]></category>
		<category><![CDATA[SaaS Security]]></category>
		<category><![CDATA[Salesforce Security]]></category>
		<category><![CDATA[security incident]]></category>
		<category><![CDATA[supply chain security]]></category>
		<category><![CDATA[Third Party Risk]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11897</guid>

					<description><![CDATA[<p>A security incident involving third-party platform Klue has resulted in unauthorized access to a limited amount of customer</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/lastpass-data-exposed-klue-supply-chain-attack/">LastPass Impacted by Klue OAuth Token Breach</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>A security incident involving third-party platform Klue has resulted in unauthorized access to a limited amount of customer data belonging to LastPass. The breach was not caused by a direct compromise of LastPass systems but instead stemmed from attackers abusing OAuth tokens connected to enterprise integrations. This incident has led to significant concerns about the LastPass Data Exposed.</p>



<p>The incident highlights how cybercriminals are increasingly targeting trusted SaaS providers and business integrations to gain access to downstream organizations.</p>



<h2 class="wp-block-heading"><strong>How the Incident Occurred</strong></h2>



<p>LastPass became aware of the issue after Klue, a competitive intelligence platform that integrates with services such as Salesforce and Gong, disclosed a security incident affecting multiple customers. The implications of the LastPass Data Exposed are being closely monitored.</p>



<p>According to the investigation, attackers obtained OAuth tokens stored by Klue and used them to access connected customer environments. In the case of LastPass, the compromised tokens provided unauthorized access to certain information stored within its Salesforce environment.</p>



<p>Because OAuth tokens are designed to allow trusted applications to access systems without repeatedly requiring user credentials, they can become valuable targets for attackers when exposed or improperly secured.</p>



<p>Importantly, the attack did not require direct access to LastPass infrastructure. Instead, the attackers exploited the trust relationship established through third-party integrations.</p>



<h2 class="wp-block-heading"><strong>What Data Was Accessed?</strong></h2>



<p>LastPass confirmed that the exposure was limited to systems connected to Klue and did not impact its core products or password management platform.</p>



<p>The accessed information included:</p>



<ul class="wp-block-list">
<li>Customer names</li>



<li>Email addresses</li>



<li>Phone numbers</li>



<li>Physical addresses</li>



<li>Customer support records</li>



<li>Sales and business relationship information</li>
</ul>



<p>The company stated that there is no evidence that encrypted password vaults, master passwords, authentication systems, or sensitive credentials were compromised during the incident.</p>



<h2 class="wp-block-heading"><strong>Why This Attack Matters</strong></h2>



<p>While the exposed data is considered standard business information, security experts warn that such information can still be highly valuable to attackers.</p>



<p>Contact information and customer records can be used to:</p>



<ul class="wp-block-list">
<li>Launch targeted phishing campaigns</li>



<li>Conduct social engineering attacks</li>



<li>Impersonate trusted organizations</li>



<li>Attempt credential theft</li>



<li>Gather intelligence for future attacks</li>
</ul>



<p>The incident also demonstrates a growing trend in which threat actors target third-party vendors rather than attacking organizations directly. By compromising a trusted service provider, attackers can potentially gain access to multiple connected environments through a single breach.</p>



<h2 class="wp-block-heading"><strong>LastPass Response</strong></h2>



<p>Following discovery of the incident, LastPass implemented several containment and remediation measures to reduce risk and prevent further unauthorized access.</p>



<p>Actions taken included:</p>



<ul class="wp-block-list">
<li>Revoking and rotating affected OAuth tokens</li>



<li>Disabling employee access to Klue</li>



<li>Launching an investigation with Klue and Salesforce</li>



<li>Notifying law enforcement agencies</li>



<li>Sharing threat intelligence with the security community</li>
</ul>



<p>The company continues to monitor the situation and investigate any potential downstream impact.</p>



<h2 class="wp-block-heading"><strong>Security Recommendations for Organizations</strong></h2>



<p>The incident serves as a reminder that securing third-party integrations is just as important as protecting internal systems.</p>



<p>Organizations should consider:</p>



<ul class="wp-block-list">
<li>Regularly reviewing third-party SaaS integrations</li>



<li>Rotating OAuth tokens and API credentials</li>



<li>Applying least-privilege access controls</li>



<li>Monitoring API activity for unusual behavior</li>



<li>Reviewing vendor security practices</li>



<li>Implementing continuous detection and monitoring capabilities</li>
</ul>



<p>As businesses become increasingly dependent on interconnected cloud services, attackers are expected to continue targeting trusted integrations and SaaS providers. Strengthening visibility into third-party access and enforcing strict token management practices can help reduce the risk of similar supply chain incidents.</p>



<p>The LastPass-Klue breach demonstrates that even when core systems remain secure, weaknesses in connected services can still expose valuable business data and create opportunities for future attacks.</p>



<p><strong>IoC:</strong></p>



<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th class="has-text-align-left" data-align="left">IOC Type</th><th class="has-text-align-left" data-align="left">Value</th></tr></thead><tbody><tr><td>IP</td><td>138.226.246[.]94</td></tr><tr><td>IP</td><td>94.154.32[.]160</td></tr><tr><td>IP</td><td>159.183.215[.]61</td></tr><tr><td>IP</td><td>159.183.181[.]239</td></tr><tr><td>Domain</td><td>baccarat.com[.]au</td></tr><tr><td>Domain</td><td>robinskitchen.com[.]au</td></tr><tr><td>Domain</td><td>house.com[.]au</td></tr></tbody></table></figure>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/lastpass-data-exposed-klue-supply-chain-attack/">LastPass Impacted by Klue OAuth Token Breach</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/lastpass-data-exposed-klue-supply-chain-attack/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Critical LiteSpeed cPanel Plugin Vulnerability Enables Root Privilege Escalation Attacks</title>
		<link>https://firsthackersnews.com/litespeed-cpanel-root-escalation/</link>
					<comments>https://firsthackersnews.com/litespeed-cpanel-root-escalation/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Tue, 16 Jun 2026 10:37:31 +0000</pubDate>
				<category><![CDATA[AI Expansion]]></category>
		<category><![CDATA[Bank Heist]]></category>
		<category><![CDATA[CISA]]></category>
		<category><![CDATA[Darknet]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[Active Exploitation]]></category>
		<category><![CDATA[cPanel]]></category>
		<category><![CDATA[CVE-2026-48172]]></category>
		<category><![CDATA[LiteSpeed]]></category>
		<category><![CDATA[LiteSpeed Vulnerability]]></category>
		<category><![CDATA[privilege escalation]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11834</guid>

					<description><![CDATA[<p>CISA has warned of active exploitation targeting a critical LiteSpeed cPanel plugin vulnerability that enables root privilege escalation. Security teams are urged to patch affected systems immediately to prevent unauthorized access and potential server compromise.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/litespeed-cpanel-root-escalation/">Critical LiteSpeed cPanel Plugin Vulnerability Enables Root Privilege Escalation Attacks</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[


<p>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting the <strong>LiteSpeed User-End cPanel Plugin</strong> to its Known Exploited Vulnerabilities (KEV) catalog following evidence of active exploitation in the wild. Tracked as <strong>CVE-2026-48172</strong>, the flaw allows attackers to escalate privileges and execute arbitrary scripts with <strong>root-level permissions</strong>, potentially leading to full server compromise.</p>



<p>The vulnerability carries a maximum severity rating and impacts organizations running vulnerable versions of the LiteSpeed User-End cPanel Plugin. Because cPanel is widely used across hosting environments, a successful attack could affect multiple websites, customer accounts, databases, and server resources hosted on the same infrastructure.</p>



<h2 class="wp-block-heading">Vulnerability Details</h2>



<h3 class="wp-block-heading">CVE Information</h3>



<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th>Field</th><th>Details</th></tr></thead><tbody><tr><td>CVE</td><td>CVE-2026-48172</td></tr><tr><td>Severity</td><td>Critical</td></tr><tr><td>CVSS Score</td><td>10.0</td></tr><tr><td>Affected Product</td><td>LiteSpeed User-End cPanel Plugin</td></tr><tr><td>Impact</td><td>Root Privilege Escalation</td></tr><tr><td>Exploitation Status</td><td>Actively Exploited</td></tr><tr><td>Fixed Version</td><td>2.4.5+ (later enhanced in 2.4.7)</td></tr></tbody></table></figure>



<p>The vulnerability stems from an <strong>incorrect privilege assignment</strong> issue within the plugin, enabling authenticated cPanel users or compromised accounts to execute scripts with elevated privileges.</p>



<h2 class="wp-block-heading">Technical Analysis of the Exploit</h2>



<p>Researchers found that attackers can abuse the plugin&#8217;s <strong>lsws.redisAble</strong> functionality to execute arbitrary commands as the root user. In a shared hosting environment, this effectively breaks the isolation between users and grants attackers complete control over the server.</p>



<p>Because many hosting providers rely on LiteSpeed and cPanel for website management, exploitation could allow attackers to:</p>



<ul class="wp-block-list">
<li>Execute arbitrary scripts </li>



<li>Modify server configurations </li>



<li>Access customer data </li>



<li>Create backdoors Deploy malware </li>



<li>Pivot to other hosted accounts</li>
</ul>



<p>Unlike many privilege escalation flaws that require complex attack chains, this vulnerability can be abused by any authenticated cPanel user account, including accounts already compromised through phishing, credential theft, or web application attacks.</p>



<h2 class="wp-block-heading">Potential Attack Chain</h2>



<ul class="wp-block-list">
<li>Initial Access</li>



<li>Vulnerability Exploitation</li>



<li>Root Access</li>



<li>Post-Exploitation Activities</li>
</ul>



<h2 class="wp-block-heading">Indicator of Compromise (IOC) Detection</h2>



<p>LiteSpeed provided a log analysis command that administrators can use to identify potential exploitation attempts.</p>



<h3 class="wp-block-heading">Detection Command</h3>



<div style="overflow-x:auto; background:#f5f5f5; padding:15px; border-radius:8px;">
<pre><code>grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null</code></pre>
</div>



<h3 class="wp-block-heading">What This Command Does</h3>



<p>The command searches:</p>



<ul class="wp-block-list">
<li><code>/usr/local/cpanel/logs/</code></li>



<li><code>/var/cpanel/logs/</code></li>
</ul>



<p>for suspicious API requests and activity patterns associated with exploitation attempts.</p>



<p>If the command returns <strong>no results</strong>, there may be no evidence of exploitation within the available logs.</p>



<h2 class="wp-block-heading">Why This Vulnerability Matters</h2>



<p>Shared hosting environments depend heavily on privilege separation between users. Once an attacker obtains root access, they can potentially compromise every website and account hosted on the affected server.</p>



<p>The widespread adoption of LiteSpeed across hosting providers significantly increases the potential impact of this vulnerability. A single successful exploitation could expose customer data, website files, SSL certificates, configuration settings, and administrative credentials.</p>



<h2 class="wp-block-heading">Security Recommendations</h2>



<h3 class="wp-block-heading">Update Immediately</h3>



<p>Upgrade to:</p>



<ul class="wp-block-list">
<li>LiteSpeed cPanel Plugin 2.4.7 or later </li>



<li>LiteSpeed WHM Plugin 5.3.1.0 or later</li>
</ul>



<h3 class="wp-block-heading">Review Logs</h3>



<p>Run the IOC detection command and investigate any suspicious results.</p>



<h3 class="wp-block-heading">Audit User Accounts</h3>



<ul class="wp-block-list">
<li>cPanel users </li>



<li>Administrative accounts </li>



<li>Recently created users </li>



<li>Failed login attempts</li>
</ul>



<h3 class="wp-block-heading">Restrict Access</h3>



<ul class="wp-block-list">
<li>Multi-Factor Authentication (MFA)</li>



<li>IP restrictions </li>



<li>Least privilege access controls</li>
</ul>



<p>The active exploitation of <strong>CVE-2026-48172</strong> highlights the risks posed by privilege escalation vulnerabilities in widely deployed hosting software. Since the flaw can allow attackers to obtain <strong>root-level access</strong> from a standard cPanel account, organizations and hosting providers should prioritize patching, review logs for indicators of compromise, and continuously monitor their environments for signs of malicious activity.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/litespeed-cpanel-root-escalation/">Critical LiteSpeed cPanel Plugin Vulnerability Enables Root Privilege Escalation Attacks</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/litespeed-cpanel-root-escalation/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Critical GreatXML Vulnerability Enables Windows BitLocker Bypass via Recovery Partition XML Files</title>
		<link>https://firsthackersnews.com/greatxml-bitlocker-bypass/</link>
					<comments>https://firsthackersnews.com/greatxml-bitlocker-bypass/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Fri, 12 Jun 2026 07:07:04 +0000</pubDate>
				<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Exploitation]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Windows Security]]></category>
		<category><![CDATA[BitLocker Bypass]]></category>
		<category><![CDATA[GreatXML]]></category>
		<category><![CDATA[Recovery Partition]]></category>
		<category><![CDATA[rivilege Escalation]]></category>
		<category><![CDATA[WinRE]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11811</guid>

					<description><![CDATA[<p>A newly disclosed Windows security vulnerability known as GreatXML has raised concerns among cybersecurity professionals. The exploit allows</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/greatxml-bitlocker-bypass/">Critical GreatXML Vulnerability Enables Windows BitLocker Bypass via Recovery Partition XML Files</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p style="font-size:18px">A newly disclosed Windows security vulnerability known as GreatXML has raised concerns among cybersecurity professionals. The exploit allows attackers to potentially bypass Microsoft BitLocker by abusing XML files stored within the Windows Recovery Environment (WinRE) recovery partition. Researchers found that files created by Microsoft Defender Offline Scan can be manipulated to obtain a SYSTEM-level command shell while the device is in recovery mode.</p>



<p style="font-size:18px">The issue is significant because BitLocker is widely used by enterprises and government organizations to protect sensitive data. If exploited successfully, attackers could gain access to encrypted information without requiring the BitLocker recovery key, reducing the effectiveness of one of Windows&#8217; most important security controls.</p>



<h2 class="wp-block-heading">How It Works</h2>



<p style="font-size:18px">The GreatXML exploit reportedly abuses the way Windows Recovery Environment processes configuration files during recovery operations. Researchers observed that specially crafted XML files, including an <strong>unattend.xml</strong> file and modified recovery configuration files, can be placed within the recovery partition.</p>



<p style="font-size:18px">When the affected system enters Recovery Mode, these files are processed automatically. Instead of loading the expected recovery interface, the manipulated configuration may trigger a command shell running with elevated SYSTEM privileges, granting access to the unlocked BitLocker-protected volume. The exploit appears to leverage trusted recovery mechanisms rather than traditional memory corruption or kernel vulnerabilities.</p>



<h3 class="wp-block-heading" style="font-size:24px">The Attack Chain Can Involve</h3>



<h4 class="wp-block-heading" style="font-size:20px">1. Initial Device Access </h4>



<ul class="wp-block-list">
<li style="font-size:18px">Physical access to a workstation or laptop.</li>



<li style="font-size:18px">Administrative access obtained through another compromise.</li>
</ul>



<h4 class="wp-block-heading" style="font-size:20px">2. Recovery Partition Modification</h4>



<ul class="wp-block-list">
<li>Placement of malicious XML files within the recovery partition.</li>



<li style="font-size:18px">Modification of recovery configuration settings.</li>
</ul>



<h4 class="wp-block-heading" style="font-size:20px">3. Privilege Escalation</h4>



<ul class="wp-block-list">
<li style="font-size:18px">Launch of a SYSTEM-level command shell.</li>



<li style="font-size:18px">Access to BitLocker-protected storage.</li>
</ul>



<h4 class="wp-block-heading" style="font-size:20px">4. Data Access and Collection</h4>



<ul class="wp-block-list">
<li style="font-size:18px">Viewing sensitive files.</li>



<li style="font-size:18px">Extraction of credentials and corporate information.</li>



<li style="font-size:18px">Offline forensic evasion activities.</li>
</ul>



<h2 class="wp-block-heading">Multiple Other Methods Threat Actors May Use</h2>



<p style="font-size:18px">Although GreatXML focuses on recovery partition XML files, attackers frequently target BitLocker through additional techniques, including:</p>



<ul class="wp-block-list">
<li style="font-size:18px">indows Recovery Environment abuse</li>



<li style="font-size:18px">Boot Manager manipulation</li>



<li>Privilege escalation vulnerabilities</li>



<li style="font-size:18px">Offline disk analysis after system theft</li>
</ul>



<p style="font-size:18px">Modern attackers often combine multiple vulnerabilities to increase the likelihood of success and evade detection.</p>



<h2 class="wp-block-heading">Why Legacy Components Remain a Risk</h2>



<p style="font-size:18px">Many organizations focus heavily on operating system patching and endpoint detection while overlooking legacy recovery components and boot infrastructure. Recovery partitions, WinRE configurations, deployment scripts, unattended setup files, and offline maintenance tools often receive less monitoring than standard system files.</p>



<p style="font-size:18px">Attackers increasingly target these trusted components because they operate outside traditional security controls. Since recovery environments are designed to help administrators regain access to systems, they frequently possess elevated privileges and trusted execution paths. When abused, these features can become powerful attack vectors.</p>



<figure class="wp-block-image aligncenter size-large"><img fetchpriority="high" decoding="async" width="1024" height="683" src="https://firsthackersnews.com/wp-content/uploads/2026/06/ChatGPT-Image-Jun-12-2026-12_04_20-PM-1024x683.png" alt="" class="wp-image-11814" srcset="https://firsthackersnews.com/wp-content/uploads/2026/06/ChatGPT-Image-Jun-12-2026-12_04_20-PM-300x200.png 300w, https://firsthackersnews.com/wp-content/uploads/2026/06/ChatGPT-Image-Jun-12-2026-12_04_20-PM-768x512.png 768w, https://firsthackersnews.com/wp-content/uploads/2026/06/ChatGPT-Image-Jun-12-2026-12_04_20-PM-1024x683.png 1024w, https://firsthackersnews.com/wp-content/uploads/2026/06/ChatGPT-Image-Jun-12-2026-12_04_20-PM.png 1536w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<h2 class="wp-block-heading">Security Experts Recommend That Organizations</h2>



<p style="font-size:18px">To reduce exposure to GreatXML and similar recovery-environment attacks, security teams should:</p>



<h3 class="wp-block-heading">Harden BitLocker Deployments</h3>



<ul class="wp-block-list">
<li>Enable TPM + PIN authentication.</li>



<li>Enforce strong recovery key management.</li>



<li style="font-size:18px">Monitor BitLocker policy compliance.</li>
</ul>



<h3 class="wp-block-heading">Secure Recovery Environments</h3>



<ul class="wp-block-list">
<li>Restrict unauthorized access to WinRE.</li>



<li style="font-size:18px">Monitor changes to recovery partitions.</li>



<li style="font-size:18px">Audit recovery-related files and configurations.</li>
</ul>



<h3 class="wp-block-heading">Maintain Patch Management</h3>



<ul class="wp-block-list">
<li>Apply Microsoft security updates promptly.</li>



<li>Track new advisories related to BitLocker, WinRE, and Defender Offline Scan.</li>



<li style="font-size:18px">Review recovery partition configurations after major updates.</li>
</ul>



<p class="has-text-align-left" style="font-size:18px">The GreatXML vulnerability serves as a reminder that encryption alone does not guarantee complete protection. Recovery environments, boot processes, and trusted system components can become attractive targets for attackers seeking to bypass traditional security controls. Organizations should adopt a layered security strategy that includes BitLocker hardening, recovery environment monitoring, physical security controls, and continuous threat detection to reduce the risk of compromise.</p>



<p></p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/greatxml-bitlocker-bypass/">Critical GreatXML Vulnerability Enables Windows BitLocker Bypass via Recovery Partition XML Files</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/greatxml-bitlocker-bypass/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Trellix Confirms Source Code Repository Breach</title>
		<link>https://firsthackersnews.com/trellix-security-breach/</link>
					<comments>https://firsthackersnews.com/trellix-security-breach/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Sun, 03 May 2026 21:09:42 +0000</pubDate>
				<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[Cybercriminals]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[#BlueTeam]]></category>
		<category><![CDATA[#CyberSecurity]]></category>
		<category><![CDATA[#CyberThreats]]></category>
		<category><![CDATA[#DataBreach]]></category>
		<category><![CDATA[#DigitalSecurity]]></category>
		<category><![CDATA[#EnterpriseSecurity]]></category>
		<category><![CDATA[#infosec]]></category>
		<category><![CDATA[#MalwareAnalysis]]></category>
		<category><![CDATA[#SecurityAwareness]]></category>
		<category><![CDATA[#SecurityBreach]]></category>
		<category><![CDATA[#securityincident]]></category>
		<category><![CDATA[#SOC]]></category>
		<category><![CDATA[#ThreatIntelligence]]></category>
		<category><![CDATA[#Trellix]]></category>
		<category><![CDATA[#XDR]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11686</guid>

					<description><![CDATA[<p>Cybersecurity firm Trellix has disclosed that attackers gained unauthorized access to a portion of its internal source code</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/trellix-security-breach/">Trellix Confirms Source Code Repository Breach</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Cybersecurity firm Trellix has disclosed that attackers gained unauthorized access to a portion of its internal source code repository. The company identified the activity and quickly initiated an incident response, bringing in external forensic experts and notifying law enforcement.</p>



<p>Source code environments are considered high-value targets because they reveal the inner workings of security products. Even limited access can give attackers insights into detection logic, configurations, or potential weaknesses that could be studied for future exploitation or used in supply chain-style attacks.</p>



<h2 class="wp-block-heading"><strong>Investigation Findings and Potential Risks</strong></h2>



<p>Trellix has stated that the breach appears contained and, at this stage, there is no evidence of direct impact on customers or product integrity.</p>



<p>Key findings so far include:</p>



<ul class="wp-block-list">
<li>No compromise of the build, release, or update pipeline</li>



<li>No signs of malicious code being inserted into products</li>



<li>No evidence of active exploitation using the accessed data</li>
</ul>



<p>However, the nature of source code exposure still raises concerns. Attackers could analyze the code offline to identify vulnerabilities, reverse-engineer protections, or develop evasion techniques against Trellix security tools.</p>



<p>The company is continuing a detailed forensic review to understand how the access occurred, what data was viewed or copied, and whether any long-term risks remain. Strengthening internal controls, access monitoring, and repository protections is likely part of the ongoing response.</p>



<p>This incident reflects a broader trend where attackers target software vendors instead of end users, aiming to gain leverage through trusted platforms. Similar breaches involving Microsoft, Okta, and LastPass show how valuable internal systems have become as entry points.</p>



<p>Trellix has committed to transparency and plans to release more technical details once the investigation is complete, helping the wider security community understand and defend against similar threats.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/trellix-security-breach/">Trellix Confirms Source Code Repository Breach</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/trellix-security-breach/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Starbucks Data Breach Exposes User Information</title>
		<link>https://firsthackersnews.com/starbucks-data-breach-employee-data-exposed/</link>
					<comments>https://firsthackersnews.com/starbucks-data-breach-employee-data-exposed/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Mon, 16 Mar 2026 06:39:55 +0000</pubDate>
				<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Secuirty Update]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[#corporatesecurity]]></category>
		<category><![CDATA[#credentialharvesting]]></category>
		<category><![CDATA[#CyberAttack]]></category>
		<category><![CDATA[#CyberAwareness]]></category>
		<category><![CDATA[#CyberRisk]]></category>
		<category><![CDATA[#CyberSecurity]]></category>
		<category><![CDATA[#CyberThreats]]></category>
		<category><![CDATA[#DataBreach]]></category>
		<category><![CDATA[#datasecurity]]></category>
		<category><![CDATA[#EnterpriseSecurity]]></category>
		<category><![CDATA[#identitytheftrisk]]></category>
		<category><![CDATA[#InformationSecurity]]></category>
		<category><![CDATA[#infosec]]></category>
		<category><![CDATA[#NetworkSecurity]]></category>
		<category><![CDATA[#PhishingAttack]]></category>
		<category><![CDATA[#SecurityBreach]]></category>
		<category><![CDATA[#securityincident]]></category>
		<category><![CDATA[#starbucksdatabreach]]></category>
		<category><![CDATA[#starbuckssecuritybreach]]></category>
		<category><![CDATA[#ThreatIntelligence]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11461</guid>

					<description><![CDATA[<p>Starbucks Data Breach has exposed the personal and financial information of 889 individuals after attackers gained unauthorized access</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/starbucks-data-breach-employee-data-exposed/">Starbucks Data Breach Exposes User Information</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Starbucks Data Breach has exposed the personal and financial information of 889 individuals after attackers gained unauthorized access to the company’s internal employee platform.</p>



<p>Although the number of affected individuals is small compared to Starbucks’ global workforce, the type of information involved makes the incident serious. Exposure of employment and financial records could increase the risk of identity theft for those impacted.</p>



<h2 class="wp-block-heading"><strong>Attack Timeline and Investigation</strong></h2>



<p>According to a breach notification filed with the Office of the Maine Attorney General on March 10, 2026, the incident involved accounts connected to the Starbucks Partner Central system. This platform allows employees to access payroll details, benefits information, and other work-related records.</p>



<p>Investigations showed that attackers first gained access on January 19, 2026. Suspicious activity was detected on February 6, and the company fully removed the attackers from its systems by February 11.</p>



<p>Security experts later determined that the attackers used credential harvesting techniques. Employees were directed to fake websites that closely resembled the official Starbucks Partner Central login page. When users entered their credentials on these phishing pages, the attackers captured the login information and used it to access employee accounts.</p>



<p>Because these accounts contained payroll and employment records, the attackers were able to view several types of sensitive personal data, including</p>



<ul class="wp-block-list">
<li>Full names and dates of birth</li>



<li>Social Security numbers</li>



<li>Bank account and routing numbers linked to direct deposits</li>
</ul>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p><strong>&#x200d;Follow Us on:<strong><a href="https://www.linkedin.com/in/firsthackers-news/" target="_blank" rel="noopener">Linkedin</a>,<a href="https://www.instagram.com/firsthackersnews/" target="_blank" rel="noreferrer noopener">&nbsp;Instagram</a>,&nbsp;<a href="https://www.facebook.com/FirsthackerNews" target="_blank" rel="noreferrer noopener">Facebook</a></strong>&nbsp;to get the latest security news!</strong></p>
</blockquote>



<p>After discovering the breach, Starbucks immediately blocked unauthorized access, notified law enforcement authorities, and strengthened security measures for the employee portal.</p>



<p>The company is also offering 24 months of identity theft protection and credit monitoring services through Experian to help protect the affected individuals.</p>



<p>This incident follows previous cybersecurity challenges faced by the company. In November 2024, Starbucks experienced operational disruptions after a ransomware attack targeted Blue Yonder, a third-party provider used for supply chain and scheduling systems.</p>



<p>Earlier in September 2022, Starbucks’ Singapore operations experienced a major breach that exposed the personal information of more than 219,000 customers after a vendor’s system was compromised.</p>



<p>The latest incident highlights how phishing attacks and stolen credentials continue to be a common method used by cybercriminals to gain access to corporate system</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/starbucks-data-breach-employee-data-exposed/">Starbucks Data Breach Exposes User Information</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/starbucks-data-breach-employee-data-exposed/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>PayPal Data Exposure: Six Months of User Information Leaked Online</title>
		<link>https://firsthackersnews.com/paypal-working-capital-data-exposure-2025/</link>
					<comments>https://firsthackersnews.com/paypal-working-capital-data-exposure-2025/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Sat, 21 Feb 2026 05:50:39 +0000</pubDate>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Secuirty Update]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[#AccountSecurity]]></category>
		<category><![CDATA[#CISO]]></category>
		<category><![CDATA[#Compliance]]></category>
		<category><![CDATA[#CyberAttack]]></category>
		<category><![CDATA[#CyberRisk]]></category>
		<category><![CDATA[#CyberSecurityAwareness]]></category>
		<category><![CDATA[#DataPrivacy]]></category>
		<category><![CDATA[#DigitalTrust]]></category>
		<category><![CDATA[#EnterpriseSecurity]]></category>
		<category><![CDATA[#FintechSecurity]]></category>
		<category><![CDATA[#FraudPrevention]]></category>
		<category><![CDATA[#InformationSecurity]]></category>
		<category><![CDATA[#OnlineSafety]]></category>
		<category><![CDATA[#PrivacyMatters]]></category>
		<category><![CDATA[#RiskAssessment]]></category>
		<category><![CDATA[#SecurityLeadership]]></category>
		<category><![CDATA[#SecurityNews]]></category>
		<category><![CDATA[#SecurityStrategy]]></category>
		<category><![CDATA[#ThreatIntelligence]]></category>
		<category><![CDATA[#VulnerabilityManagement]]></category>
		<category><![CDATA[security advisory]]></category>
		<category><![CDATA[security update]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11221</guid>

					<description><![CDATA[<p>Software Error in Business Loan Application PayPal has notified a small group of customers about a cybersecurity incident</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/paypal-working-capital-data-exposure-2025/">PayPal Data Exposure: Six Months of User Information Leaked Online</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<h3 class="wp-block-heading">Software Error in Business Loan Application</h3>



<p>PayPal has notified a small group of customers about a cybersecurity incident that exposed personal data for almost six months. The issue was traced to a software error in its PayPal Working Capital (PPWC) loan application system, which provides funding to small businesses based on their PayPal sales history.</p>



<p>The exposure occurred between July 1, 2025, and December 13, 2025. PayPal detected the issue on December 12 and reversed the faulty code the following day.</p>



<p><strong>The affected data included:</strong></p>



<ul class="wp-block-list">
<li>Name</li>



<li>Email address</li>



<li>Phone number</li>



<li>Business address</li>



<li>Social Security number (SSN)</li>



<li>Date of birth</li>
</ul>



<p>Because SSNs and birth dates were involved, the risk of identity theft and fraud is significantly higher. PayPal stated that the notification was not delayed due to any law enforcement investigation.</p>



<h2 class="wp-block-heading">Company Response and Customer Guidance</h2>



<p>After discovering the issue, PayPal removed unauthorized access, fixed the code error, and strengthened internal security controls. Passwords for affected accounts were reset, and customers will be prompted to create new ones if they have not already done so. Refunds were issued to the few users who reported unauthorized transactions.</p>



<p>The company is offering two years of free three-bureau credit monitoring and identity restoration services through Equifax. Affected customers must enroll by June 30, 2026.</p>



<p>PayPal advises impacted users to review account activity and credit reports carefully, enroll in the credit monitoring service, and stay alert for phishing attempts. The company reminds customers it will never request passwords, one-time codes, or authentication details via email, phone, or text. Using strong, unique passwords and enabling multi-factor authentication are strongly recommended.</p>



<p>Although PayPal described the number of affected customers as small, prolonged exposure of Social Security numbers and dates of birth presents serious identity fraud risks. The company has not released further public details beyond direct notifications to affected users.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p><strong>&#x200d;Follow Us on:<strong> <a href="https://www.linkedin.com/in/firsthackers-news/" target="_blank" rel="noopener">Linkedin</a>,<a href="https://www.instagram.com/firsthackersnews/" target="_blank" rel="noreferrer noopener"> Instagram</a>, <a href="https://www.facebook.com/FirsthackerNews" target="_blank" rel="noreferrer noopener">Facebook</a></strong> to get the latest security news!</strong></p>
</blockquote>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/paypal-working-capital-data-exposure-2025/">PayPal Data Exposure: Six Months of User Information Leaked Online</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/paypal-working-capital-data-exposure-2025/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Cisco Unified Communications Zero-Day RCE Enables Root Access</title>
		<link>https://firsthackersnews.com/cisco-3/</link>
					<comments>https://firsthackersnews.com/cisco-3/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Thu, 22 Jan 2026 07:29:16 +0000</pubDate>
				<category><![CDATA[cisco]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[Secuirty Update]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[Zero Day Attack]]></category>
		<category><![CDATA[security advisory]]></category>
		<category><![CDATA[security fix]]></category>
		<category><![CDATA[security flaw]]></category>
		<category><![CDATA[security update]]></category>
		<category><![CDATA[security vulnerability]]></category>
		<category><![CDATA[Zero0day]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11027</guid>

					<description><![CDATA[<p>Cisco has issued an urgent security alert after identifying a previously unknown remote code execution flaw being exploited</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/cisco-3/">Cisco Unified Communications Zero-Day RCE Enables Root Access</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Cisco has issued an urgent security alert after identifying a <strong>previously unknown remote code execution flaw</strong> being exploited against its Unified Communications platforms. The vulnerability, tracked as <strong>CVE-2026-20045</strong>, enables attackers to compromise systems <strong>without authentication</strong> and ultimately obtain <strong>root-level control</strong>.</p>



<p>Cisco’s security response team has confirmed real-world attacks and advises customers to take immediate action.</p>



<h2 class="wp-block-heading"><strong>How the Attack Works</strong></h2>



<p>The issue originates in the web-based management interface, where <strong>HTTP request input is not properly validated</strong>.</p>



<p>Attackers can exploit this weakness by:</p>



<ul class="wp-block-list">
<li>Sending crafted HTTP requests to the management endpoint</li>



<li>Bypassing authentication controls</li>



<li>Executing commands on the operating system</li>



<li>Escalating privileges to full root access</li>
</ul>



<p>Because the flaw allows complete system takeover, Cisco classified it as <strong>Critical</strong>, prioritizing impact over traditional scoring metrics.</p>



<h2 class="wp-block-heading"><strong>Impacted Cisco Products</strong></h2>



<p>Cisco confirmed the following products are affected, independent of configuration:</p>



<figure class="wp-block-table"><table><thead><tr><th>Product</th><th>Tracking ID</th></tr></thead><tbody><tr><td>Unified Communications Manager</td><td>CSCwr21851</td></tr><tr><td>Unified CM SME</td><td>CSCwr21851</td></tr><tr><td>Unified CM IM &amp; Presence</td><td>CSCwr29216</td></tr><tr><td>Unity Connection</td><td>CSCwr29208</td></tr><tr><td>Webex Calling (Dedicated Instance)</td><td>CSCwr21851</td></tr></tbody></table></figure>



<p>Other Cisco UC components, including Contact Center-related platforms, are confirmed <strong>not vulnerable</strong>.</p>



<h2 class="wp-block-heading"><strong>Software Updates and Fix Availability</strong></h2>



<p>Cisco has released fixes for supported versions. Only the releases listed below are validated by Cisco PSIRT.</p>



<h3 class="wp-block-heading">Unified CM, IM&amp;P, SME, Webex Calling</h3>



<figure class="wp-block-table"><table><thead><tr><th>Version Stream</th><th>Fixed Release</th></tr></thead><tbody><tr><td>12.5</td><td>Upgrade required</td></tr><tr><td>14</td><td>14SU5 or patched 14SU4</td></tr><tr><td>15</td><td>15SU4 (March 2026) or interim patches</td></tr></tbody></table></figure>



<h3 class="wp-block-heading">Unity Connection</h3>



<figure class="wp-block-table"><table><thead><tr><th>Version Stream</th><th>Fixed Release</th></tr></thead><tbody><tr><td>12.5</td><td>Upgrade required</td></tr><tr><td>14</td><td>14SU5 or patched 14SU4</td></tr><tr><td>15</td><td>15SU4 (March 2026) or 15SU3</td></tr></tbody></table></figure>



<p>Cisco has observed attackers targeting unpatched deployments, likely using automated discovery techniques to locate exposed management interfaces. Environments supporting enterprise voice and collaboration services are particularly attractive targets.</p>



<p>The vulnerability has also been added to <strong>CISA’s Known Exploited Vulnerabilities catalog</strong>, increasing compliance pressure for affected organizations.</p>



<h2 class="wp-block-heading"><strong>What Cisco Recommends</strong></h2>



<p>Organizations should take the following steps immediately:</p>



<ul class="wp-block-list">
<li>Apply Cisco security updates or upgrade to fixed releases</li>



<li>Restrict access to management interfaces using network controls</li>



<li>Monitor HTTP activity for abnormal request patterns</li>



<li>Investigate systems for indicators of compromise</li>
</ul>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/cisco-3/">Cisco Unified Communications Zero-Day RCE Enables Root Access</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/cisco-3/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>𝗖𝗶𝘀𝗰𝗼 𝗔𝘀𝘆𝗻𝗰𝗢𝗦 𝟬-𝗗𝗮𝘆 𝗨𝗻𝗱𝗲𝗿 𝗔𝗰𝘁𝗶𝘃𝗲 𝗘𝘅𝗽𝗹𝗼𝗶𝘁𝗮𝘁𝗶𝗼𝗻</title>
		<link>https://firsthackersnews.com/%f0%9d%97%96%f0%9d%97%b6%f0%9d%98%80%f0%9d%97%b0%f0%9d%97%bc-%f0%9d%97%94%f0%9d%98%80%f0%9d%98%86%f0%9d%97%bb%f0%9d%97%b0%f0%9d%97%a2%f0%9d%97%a6/</link>
					<comments>https://firsthackersnews.com/%f0%9d%97%96%f0%9d%97%b6%f0%9d%98%80%f0%9d%97%b0%f0%9d%97%bc-%f0%9d%97%94%f0%9d%98%80%f0%9d%98%86%f0%9d%97%bb%f0%9d%97%b0%f0%9d%97%a2%f0%9d%97%a6/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Thu, 18 Dec 2025 06:27:37 +0000</pubDate>
				<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[cisco]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[Secuirty Update]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[Campaign]]></category>
		<category><![CDATA[cisco asyncos]]></category>
		<category><![CDATA[secure email gateway]]></category>
		<category><![CDATA[security advisory]]></category>
		<category><![CDATA[security fix]]></category>
		<category><![CDATA[security flaw]]></category>
		<category><![CDATA[security update]]></category>
		<category><![CDATA[vulnerability impact]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=10830</guid>

					<description><![CDATA[<p>An active zero-day exploit in Cisco AsyncOS is being used to target Secure Email Gateway and Secure Email</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/%f0%9d%97%96%f0%9d%97%b6%f0%9d%98%80%f0%9d%97%b0%f0%9d%97%bc-%f0%9d%97%94%f0%9d%98%80%f0%9d%98%86%f0%9d%97%bb%f0%9d%97%b0%f0%9d%97%a2%f0%9d%97%a6/">𝗖𝗶𝘀𝗰𝗼 𝗔𝘀𝘆𝗻𝗰𝗢𝗦 𝟬-𝗗𝗮𝘆 𝗨𝗻𝗱𝗲𝗿 𝗔𝗰𝘁𝗶𝘃𝗲 𝗘𝘅𝗽𝗹𝗼𝗶𝘁𝗮𝘁𝗶𝗼𝗻</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>An active zero-day exploit in Cisco AsyncOS is being used to target Secure Email Gateway and Secure Email &amp; Web Manager appliances. </p>



<p>The campaign, active since late November 2025 and disclosed on December 10, lets attackers run system-level commands and install a persistent Python backdoor called <strong>AquaShell</strong>.</p>



<p>Cisco Talos links the activity to UAT-9686, a China-nexus APT with overlaps to groups like APT41 and UNC5174. AquaShell uses stealthy persistence methods commonly seen in advanced Chinese threat groups.</p>



<p>The attackers compromise appliances with non-standard configurations. They insert AquaShell into <strong>index.py</strong>, where it quietly waits for unauthenticated POST requests, decodes the payload, and executes shell commands.</p>



<p>After gaining access, the threat actors deploy extra tools:<br>• <strong>AquaTunnel</strong> – a Go-based reverse SSH tunnel<br>• <strong>Chisel</strong> – for tunneling TCP/UDP traffic<br>• <strong>AquaPurge</strong> – a log-cleaning script to hide activity</p>



<p>The Secure Email &amp; Web Manager, which oversees email filtering and policies, makes this a high-impact target.</p>



<p>Cisco urges customers to check the advisory for IOCs and apply remediation immediately.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/%f0%9d%97%96%f0%9d%97%b6%f0%9d%98%80%f0%9d%97%b0%f0%9d%97%bc-%f0%9d%97%94%f0%9d%98%80%f0%9d%98%86%f0%9d%97%bb%f0%9d%97%b0%f0%9d%97%a2%f0%9d%97%a6/">𝗖𝗶𝘀𝗰𝗼 𝗔𝘀𝘆𝗻𝗰𝗢𝗦 𝟬-𝗗𝗮𝘆 𝗨𝗻𝗱𝗲𝗿 𝗔𝗰𝘁𝗶𝘃𝗲 𝗘𝘅𝗽𝗹𝗼𝗶𝘁𝗮𝘁𝗶𝗼𝗻</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/%f0%9d%97%96%f0%9d%97%b6%f0%9d%98%80%f0%9d%97%b0%f0%9d%97%bc-%f0%9d%97%94%f0%9d%98%80%f0%9d%98%86%f0%9d%97%bb%f0%9d%97%b0%f0%9d%97%a2%f0%9d%97%a6/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Critical Oracle EBS Vulnerability CVE-2025-61882 Actively Exploited by Cl0p Ransomware Group</title>
		<link>https://firsthackersnews.com/clop-exploits-oracle-ebs-cve-2025-61882-remote-code-execution/</link>
					<comments>https://firsthackersnews.com/clop-exploits-oracle-ebs-cve-2025-61882-remote-code-execution/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Tue, 07 Oct 2025 09:33:42 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Ransomware]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[Threat Intelligence]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[Zero Day Attack]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=10523</guid>

					<description><![CDATA[<p>A critical security flaw in Oracle E-Business Suite (EBS) is being actively exploited by the Cl0p ransomware group,</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/clop-exploits-oracle-ebs-cve-2025-61882-remote-code-execution/">Critical Oracle EBS Vulnerability CVE-2025-61882 Actively Exploited by Cl0p Ransomware Group</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>A critical security flaw in <strong>Oracle E-Business Suite (EBS)</strong> is being actively exploited by the <strong>Cl0p ransomware group</strong>, also known as <strong>Graceful Spider</strong>, according to a new advisory from <strong>CrowdStrike</strong>. The first known exploitation was detected on <strong>August 9, 2025</strong>.</p>



<ul class="wp-block-list">
<li><strong>SSRF</strong> (Server-Side Request Forgery) to coerce backend servers into making arbitrary requests.</li>



<li><strong>CRLF injection</strong> to insert custom headers into requests.</li>



<li><strong>Request smuggling</strong> to access internal endpoints and upload malicious templates.</li>
</ul>



<p>This attack abuses the ability of JSP files to load untrusted stylesheets, allowing arbitrary code execution. Persistent HTTP connections are used to chain multiple requests, increasing reliability and reducing detection.</p>



<p>The <strong>Cybersecurity and Infrastructure Security Agency (CISA)</strong> has added CVE-2025-61882 to its <strong>Known Exploited Vulnerabilities (KEV)</strong> catalog. The agency has warned that the vulnerability has already been used in <strong>ransomware campaigns</strong>. All federal agencies have been ordered to apply security patches by <strong>October 27, 2025</strong>.</p>



<p>Security experts have raised alarms that <strong>mass exploitation</strong> is expected within days. Cl0p has already targeted multiple organizations since August, stealing sensitive data and issuing <strong>extortion emails</strong>.</p>



<p>Organizations using Oracle EBS are being strongly advised to <strong>patch immediately</strong>, <strong>conduct threat hunts</strong>, and <strong>strengthen access controls</strong>. Delays in remediation could lead to significant <strong>data breaches</strong>, <strong>financial loss</strong>, and <strong>operational disruption</strong>.</p>



<p><strong>SEO Keywords included</strong>: Oracle E-Business Suite, CVE-2025-61882, Cl0p ransomware, remote code execution, SSRF, CRLF injection, WatchTowr Labs, CrowdStrike, CISA KEV, cybersecurity vulnerability, patch advisory.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/clop-exploits-oracle-ebs-cve-2025-61882-remote-code-execution/">Critical Oracle EBS Vulnerability CVE-2025-61882 Actively Exploited by Cl0p Ransomware Group</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/clop-exploits-oracle-ebs-cve-2025-61882-remote-code-execution/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Akira Ransomware Now Breaches MFA‑Protected SonicWall VPNs, Researchers Warn</title>
		<link>https://firsthackersnews.com/akira-ransomware-bypass-sonicwall-vpn-mfa/</link>
					<comments>https://firsthackersnews.com/akira-ransomware-bypass-sonicwall-vpn-mfa/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Mon, 29 Sep 2025 06:26:56 +0000</pubDate>
				<category><![CDATA[Ransomware]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Threat Intelligence]]></category>
		<category><![CDATA[#AkiraRansomware]]></category>
		<category><![CDATA[#CyberSecurity]]></category>
		<category><![CDATA[#CyberThreats]]></category>
		<category><![CDATA[#DataBreach]]></category>
		<category><![CDATA[#MFABypass]]></category>
		<category><![CDATA[#RansomwareAttack]]></category>
		<category><![CDATA[#ThreatIntel]]></category>
		<category><![CDATA[#VPNSecurity]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=10519</guid>

					<description><![CDATA[<p>The Akira ransomware gang is now reportedly bypassing multi-factor authentication (MFA) protections on SonicWall VPN devices, according to</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/akira-ransomware-bypass-sonicwall-vpn-mfa/">Akira Ransomware Now Breaches MFA‑Protected SonicWall VPNs, Researchers Warn</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>The Akira ransomware gang is now reportedly bypassing multi-factor authentication (MFA) protections on SonicWall VPN devices, according to a new report from cybersecurity firm Arctic Wolf. This development represents a serious escalation in the group’s tactics, as the criminals appear to be using <strong>stolen one-time password (OTP) seeds</strong> to successfully log in—even when MFA is fully enabled.</p>



<p>Arctic Wolf observed multiple incidents where SonicWall Secure Mobile Access (SMA) appliances were accessed despite OTP-based MFA being active. In each case, multiple OTP challenges were issued, but attackers still authenticated successfully, suggesting they had access to the correct OTP codes.</p>



<h2 class="wp-block-heading"><strong>Background: Zero-Day Vulnerability and CVE-2024-40766</strong></h2>



<p>These incidents follow a wave of Akira ransomware attacks earlier this year that exploited an unknown vulnerability in SonicWall&#8217;s SMA VPN appliances. At the time, the method of initial access was unclear. However, SonicWall later confirmed the attackers were exploiting a <strong>zero-day vulnerability</strong>, now tracked as <strong>CVE-2024-40766</strong>, involving <strong>improper access control</strong> in the web management interface.</p>



<p>A patch was released in <strong>August 2024</strong>, and SonicWall urged customers to upgrade to the latest versions of <strong>SonicOS 7.1.1-7040 / 7.0.1-5146</strong> and <strong>SMA 100 firmware</strong> to mitigate the issue. They also advised administrators to <strong>reset all user credentials</strong> for impacted VPN portals, particularly those not integrated with Active Directory.</p>



<p>However, Arctic Wolf’s new findings indicate that the threat actors may have <strong>already harvested OTP seed data</strong> during prior compromises—making even patched devices vulnerable if credentials were not rotated.</p>



<h2 class="wp-block-heading"><strong>OTP MFA Bypass: What Researchers Observed</strong></h2>



<p>According to Arctic Wolf’s investigation:</p>



<ul class="wp-block-list">
<li>In multiple breach incidents, <strong>VPN user logins occurred with OTP MFA enabled</strong>.</li>



<li><strong>Multiple OTP prompts were issued</strong>, yet the login was ultimately successful.</li>



<li>This behavior suggests that the attackers possessed <strong>valid OTP secrets or were able to generate valid tokens</strong> at will.</li>



<li>The exploitation was <strong>not due to a new vulnerability</strong>, but likely stemmed from previously compromised credentials and OTP seeds.</li>
</ul>



<p>This theory is supported by a <strong>June 2024 report</strong> from Google’s Threat Analysis Group (TAG) and Mandiant, which detailed how another threat group, <strong>UNC6148</strong>, used stolen OTP seeds to bypass MFA on SonicWall SMA 100 series devices—<strong>even when those systems were fully patched</strong>.</p>



<h2 class="wp-block-heading"><strong>Post-Breach Activity: Fast and Aggressive Lateral Movement</strong></h2>



<p>Once initial access was achieved, Akira operators wasted no time escalating privileges and moving laterally within victim networks. Arctic Wolf reports that:</p>



<ul class="wp-block-list">
<li><strong>Internal network scanning</strong> typically began <strong>within 5 minutes</strong> of VPN login.</li>



<li>Attackers used tools like <strong>Impacket</strong>, <strong>RDP</strong>, and <strong>Active Directory enumeration</strong> utilities including:</li>
</ul>



<ul class="wp-block-list">
<li><code>dsquery</code></li>



<li><code>SharpShares</code></li>



<li><code>BloodHound</code></li>
</ul>



<ul class="wp-block-list">
<li>A high-priority target was the <strong>Veeam Backup &amp; Replication server</strong>, a critical system used for managing backup infrastructure.The threat actors deployed <strong>custom PowerShell scripts</strong> to:</li>



<li><strong>Extract and decrypt credentials</strong> from Veeam, MSSQL, and PostgreSQL databases.</li>



<li>Retrieve <strong>Data Protection API (DPAPI) secrets</strong> to further compromise systems.</li>
</ul>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/akira-ransomware-bypass-sonicwall-vpn-mfa/">Akira Ransomware Now Breaches MFA‑Protected SonicWall VPNs, Researchers Warn</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/akira-ransomware-bypass-sonicwall-vpn-mfa/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
