Toggle light / dark theme

At least two different cybercrime groups BianLian and RansomExx are said to have exploited a recently disclosed security flaw in SAP NetWeaver tracked as CVE-2025–31324, indicating that multiple threat actors are taking advantage of the bug.

Cybersecurity firm ReliaQuest, in a new update published today, said it uncovered evidence suggesting involvement from the BianLian data extortion crew and the RansomExx ransomware family, which is traced by Microsoft under the moniker Storm-2460.

BianLian is assessed to be involved in at least one incident based on infrastructure links to IP addresses previously identified as attributed to the e-crime group.

Then last year, Trustwave SpiderLabs revealed details of another phishing campaign targeting the same region with malicious payloads which it said exhibits similarities with that of Horabot malware.

The latest set of attacks starts with a phishing email that employs invoice-themed lures to entice users into opening a ZIP archive containing a PDF document. However, in reality, the attached ZIP file contains a malicious HTML file with Base64-encoded HTML data that’s designed to reach out to a remote server and download the next-stage payload.

“Attackers can exploit the flaw via a malicious web page or script that causes the scripting engine to misinterpret object types, resulting in memory corruption and arbitrary code execution in the context of the current user. If the user has administrative privileges, attackers could gain full system control – enabling data theft, malware installation, and lateral movement across networks.”

CVE-2025–30400 is the third privilege escalation flaw in DWM Core Library to be weaponized in the wild since 2023. In May 2024, Microsoft issued patches for CVE-2024–30051, which Kaspersky said was used in attacks distributing QakBot (aka Qwaking Mantis) malware.

“Since 2022, Patch Tuesday has addressed 26 elevation of privilege vulnerabilities in DWM,” Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.

A new study led by researchers from Michigan State University, Yale University and Johns Hopkins University reveals that ransomware attacks—which involve a hacker putting encryption controls into a file and then demanding a ransom to unlock the files—have become the primary driver of health care data breaches in the United States, compromising 285 million patient records over 15 years.

Published May 14 in JAMA Network Open, the study provides the first comprehensive analysis of ransomware’s role in health care breaches across all entities covered by privacy laws—hospitals, physician practices, and data clearinghouses—from 2010 to 2024.

“Ransomware has become the most disruptive force in health care cybersecurity,” said John (Xuefeng) Jiang, Eli Broad Endowed Professor of accounting and in the MSU Broad College of Business and lead author of the study. “Hospitals have been forced to delay care, shut down systems and divert patients—all while sensitive patient data is held hostage.”

Hundreds of thousands of Americans are now at risk of identity theft and fraud after a major data breach at a human resources firm.

In a new filing with the Office of the Maine Attorney General, Maryland-based Kelly Benefits says it has discovered a significant cybersecurity incident impacting 413,032 people.

The company says an internal investigation revealed that an unknown entity gained unauthorized access to its database and stole sensitive customer information, including names, dates of birth, Social Security numbers, tax ID numbers, medical and health insurance records and financial account datasets.