The Breach News

Okta Acquires Axiom Security to Enhance Privileged Access Solutions

Governance & Risk Management, Identity & Access Management, Multi-factor & Risk-based Authentication Just-in-Time, Database, Kubernetes Access Fuel Privileged Access Startup M&A Michael Novinson (MichaelNovinson) • August 26, 2025 Arnab Bose, Chief Product Officer, Okta (Image: Okta) Okta has announced its intention to acquire Axiom Security, a startup specializing in privileged…

Read MoreOkta Acquires Axiom Security to Enhance Privileged Access Solutions

CISA Warns of Actively Exploited Vulnerability in SonicWall SMA Devices

Date: April 17, 2025
Category: Vulnerability / Network Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has categorized a significant security flaw affecting SonicWall Secure Mobile Access (SMA) 100 Series gateways as a Known Exploited Vulnerability (KEV) due to ongoing active exploitation. This high-severity vulnerability, identified as CVE-2021-20035 (CVSS score: 7.2), involves an operating system command injection that may allow for unauthorized code execution.

According to SonicWall’s advisory from September 2021, “improper neutralization of special elements in the SMA100 management interface permits a remote authenticated attacker to inject arbitrary commands as a ‘nobody’ user, potentially leading to code execution.”

The vulnerability impacts the following models: SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v (ESX, KVM, AWS, Azure) running specific versions—10.2.1.0-17sv and earlier (patched in 10.2.1.1-19sv and higher), 10.2.0.7-34sv and earlier (patched in 10.2.0.8-37sv and higher), and 9.0…

CISA Identifies Actively Exploited Vulnerability in SonicWall SMA Devices On April 17, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) took significant action by adding a critical security vulnerability affecting SonicWall Secure Mobile Access (SMA) 100 Series gateways to its Known Exploited Vulnerabilities (KEV) list. This classification stems from…

Read More

CISA Warns of Actively Exploited Vulnerability in SonicWall SMA Devices

Date: April 17, 2025
Category: Vulnerability / Network Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has categorized a significant security flaw affecting SonicWall Secure Mobile Access (SMA) 100 Series gateways as a Known Exploited Vulnerability (KEV) due to ongoing active exploitation. This high-severity vulnerability, identified as CVE-2021-20035 (CVSS score: 7.2), involves an operating system command injection that may allow for unauthorized code execution.

According to SonicWall’s advisory from September 2021, “improper neutralization of special elements in the SMA100 management interface permits a remote authenticated attacker to inject arbitrary commands as a ‘nobody’ user, potentially leading to code execution.”

The vulnerability impacts the following models: SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v (ESX, KVM, AWS, Azure) running specific versions—10.2.1.0-17sv and earlier (patched in 10.2.1.1-19sv and higher), 10.2.0.7-34sv and earlier (patched in 10.2.0.8-37sv and higher), and 9.0…

Salesloft and Drift Breached: OAuth Tokens Stolen and Salesforce Corporate Data Exfiltrated

A significant data breach involving corporate Salesforce instances has emerged, with hackers exploiting compromised OAuth tokens associated with the Salesloft Drift application. This sophisticated exfiltration campaign has led to the exposure of sensitive data from numerous organizations. The threat group, identified as UNC6395, executed their operations between August 8 and…

Read MoreSalesloft and Drift Breached: OAuth Tokens Stolen and Salesforce Corporate Data Exfiltrated

Urgent Vulnerability in Windows Server 2025 dMSA Poses Risk of Active Directory Breach

May 22, 2025
Cybersecurity / Vulnerability

A critical privilege escalation flaw has been identified in Windows Server 2025, allowing attackers to compromise any user within Active Directory (AD). According to Akamai security researcher Yuval Gordon, the vulnerability exploits the Delegated Managed Service Account (dMSA) feature introduced in Windows Server 2025. This attack can be executed easily with the default configuration, posing a significant threat to organizations relying on AD. “In 91% of the environments we examined, users outside of the domain admin group possessed the necessary permissions to carry out this attack,” Gordon noted in a report shared with The Hacker News. The vulnerability takes advantage of the dMSA feature designed to facilitate migration from legacy service accounts and intended to mitigate Kerberoasting attacks. The attack technique has been dubbed “BadSuccessor” by the researchers.

Critical Vulnerability in Windows Server 2025 Poses Risk to Active Directory Security May 22, 2025 In a significant cybersecurity development, researchers have identified a privilege escalation vulnerability in Windows Server 2025 that threatens the integrity of Active Directory (AD). This flaw allows attackers to potentially compromise any user account within…

Read More

Urgent Vulnerability in Windows Server 2025 dMSA Poses Risk of Active Directory Breach

May 22, 2025
Cybersecurity / Vulnerability

A critical privilege escalation flaw has been identified in Windows Server 2025, allowing attackers to compromise any user within Active Directory (AD). According to Akamai security researcher Yuval Gordon, the vulnerability exploits the Delegated Managed Service Account (dMSA) feature introduced in Windows Server 2025. This attack can be executed easily with the default configuration, posing a significant threat to organizations relying on AD. “In 91% of the environments we examined, users outside of the domain admin group possessed the necessary permissions to carry out this attack,” Gordon noted in a report shared with The Hacker News. The vulnerability takes advantage of the dMSA feature designed to facilitate migration from legacy service accounts and intended to mitigate Kerberoasting attacks. The attack technique has been dubbed “BadSuccessor” by the researchers.

RTM Locker: A Rising Cybercrime Collective Targeting Enterprises with Ransomware

April 13, 2023
Ransomware / Cyber Attack

Cybersecurity experts have revealed insights into the tactics of a burgeoning cybercriminal organization known as “Read The Manual” (RTM) Locker. This group operates as a private ransomware-as-a-service (RaaS) provider, executing opportunistic attacks to illicitly generate profits. According to a report from cybersecurity firm Trellix shared with The Hacker News, “The RTM Locker gang employs affiliates to extort victims, all of whom must adhere to the gang’s stringent rules.” The structured nature of the group, where affiliates are expected to remain active or inform the gang of their departure, highlights its organizational maturity, akin to that seen in other sophisticated groups like Conti. Originally documented by ESET in February 2017, RTM began in 2015 as a banking malware targeting businesses in Russia through methods such as drive-by downloads, spam, and phishing emails. The group’s attack strategies have since evolved to include ransomware deployment.

RTM Locker: A Rising Cybercriminal Threat Targeting Businesses with Ransomware April 13, 2023 Recent insights from cybersecurity researchers have illuminated the operations of an emerging cybercrime group known as “Read The Manual” (RTM) Locker. This gang functions as a ransomware-as-a-service (RaaS) provider, engaging in opportunistic attacks aimed at businesses to…

Read More

RTM Locker: A Rising Cybercrime Collective Targeting Enterprises with Ransomware

April 13, 2023
Ransomware / Cyber Attack

Cybersecurity experts have revealed insights into the tactics of a burgeoning cybercriminal organization known as “Read The Manual” (RTM) Locker. This group operates as a private ransomware-as-a-service (RaaS) provider, executing opportunistic attacks to illicitly generate profits. According to a report from cybersecurity firm Trellix shared with The Hacker News, “The RTM Locker gang employs affiliates to extort victims, all of whom must adhere to the gang’s stringent rules.” The structured nature of the group, where affiliates are expected to remain active or inform the gang of their departure, highlights its organizational maturity, akin to that seen in other sophisticated groups like Conti. Originally documented by ESET in February 2017, RTM began in 2015 as a banking malware targeting businesses in Russia through methods such as drive-by downloads, spam, and phishing emails. The group’s attack strategies have since evolved to include ransomware deployment.

DOGE Creates Live Replica of Social Security Data

Government, Industry Specific Department of Government Efficiency Staffers Established Unauthorized ‘Live Replica’ of SSA Data Chris Riotta • August 26, 2025 Image: Matt Gush/Shutterstock A report published Tuesday by a whistleblower reveals that staffers from the Trump administration’s Department of Government Efficiency (DOGE) created an unauthorized live replica of Social…

Read MoreDOGE Creates Live Replica of Social Security Data

Blockchain Enhances Security—But Remember the Importance of Strong Passwords

April 17, 2025 | Password Security / Blockchain

Blockchain technology, widely recognized for its role in cryptocurrencies like Bitcoin, is increasingly being leveraged for online authentication. As various industries adopt blockchain-based security solutions, could this technology eventually render passwords obsolete?

Understanding Blockchain

At its core, blockchain is a secure method for maintaining, encrypting, and exchanging digital transaction records. Its security advantages lie in its decentralized structure: the distributed ledger can be accessed by participants across multiple nodes, and it remains immutable. Control is collective, meaning no single entity can alter the ledger’s contents.

Potential Security Benefits

One notable benefit is the creation of a ‘self-sovereign identity’ that revolutionizes online identification. This approach allows users to manage their identity independently of centralized institutions, enabling them to log in to websites or services using a personal, private ID they fully control…

Blockchain Provides Enhanced Security: Don’t Overlook Password Protection April 17, 2025 As the digital landscape evolves, blockchain technology is garnering attention beyond its cryptocurrency roots, particularly for its potential applications in online security and authentication. With businesses across multiple sectors exploring blockchain-based security measures, the question arises: will blockchain technology…

Read More

Blockchain Enhances Security—But Remember the Importance of Strong Passwords

April 17, 2025 | Password Security / Blockchain

Blockchain technology, widely recognized for its role in cryptocurrencies like Bitcoin, is increasingly being leveraged for online authentication. As various industries adopt blockchain-based security solutions, could this technology eventually render passwords obsolete?

Understanding Blockchain

At its core, blockchain is a secure method for maintaining, encrypting, and exchanging digital transaction records. Its security advantages lie in its decentralized structure: the distributed ledger can be accessed by participants across multiple nodes, and it remains immutable. Control is collective, meaning no single entity can alter the ledger’s contents.

Potential Security Benefits

One notable benefit is the creation of a ‘self-sovereign identity’ that revolutionizes online identification. This approach allows users to manage their identity independently of centralized institutions, enabling them to log in to websites or services using a personal, private ID they fully control…

Data Breaches, Political Unrest, and Practical Legislative Solutions

A recent whistleblower revelation has led to the exposure of a significant data breach affecting the sensitive information of approximately 300 million Americans. Allegations link this cybersecurity failure to Elon Musk, raising alarms in the industry. Despite prior warnings, lapses in cybersecurity protocols are steering the nation toward a major…

Read MoreData Breaches, Political Unrest, and Practical Legislative Solutions

Chinese Hackers Leverage Trimble Cityworks Vulnerability to Access U.S. Government Networks

May 22, 2025
Vulnerability / Threat Intelligence

A Chinese-speaking threat actor, identified as UAT-6382, has exploited a recently patched remote-code-execution vulnerability in Trimble Cityworks to deploy Cobalt Strike and VShell. According to an analysis by Cisco Talos researchers Asheer Malhotra and Brandon White, “UAT-6382 effectively targeted CVE-2025-0944, conducted reconnaissance, and quickly implemented various web shells and custom malware for sustained access.” Following their infiltration, UAT-6382 showed significant interest in systems related to utility management. Cisco Talos observed these attacks beginning in January 2025, specifically aimed at the enterprise networks of local government entities in the U.S. CVE-2025-0944, with a CVSS score of 8.6, pertains to a vulnerability in the GIS-focused asset management software that could allow for remote code execution. The flaw has been patched.

Chinese Hackers Exploit Trimble Cityworks Vulnerability to Gain Access to U.S. Government Networks May 22, 2025 In a concerning cybersecurity development, a group of Chinese-speaking hackers identified as UAT-6382 has been implicated in exploiting a recently patched vulnerability in Trimble Cityworks. This flaw enabled the group to execute remote code…

Read More

Chinese Hackers Leverage Trimble Cityworks Vulnerability to Access U.S. Government Networks

May 22, 2025
Vulnerability / Threat Intelligence

A Chinese-speaking threat actor, identified as UAT-6382, has exploited a recently patched remote-code-execution vulnerability in Trimble Cityworks to deploy Cobalt Strike and VShell. According to an analysis by Cisco Talos researchers Asheer Malhotra and Brandon White, “UAT-6382 effectively targeted CVE-2025-0944, conducted reconnaissance, and quickly implemented various web shells and custom malware for sustained access.” Following their infiltration, UAT-6382 showed significant interest in systems related to utility management. Cisco Talos observed these attacks beginning in January 2025, specifically aimed at the enterprise networks of local government entities in the U.S. CVE-2025-0944, with a CVSS score of 8.6, pertains to a vulnerability in the GIS-focused asset management software that could allow for remote code execution. The flaw has been patched.