Latest CyberSec News by @thecyberpicker

Polish authorities, with support from Europol and international agencies, have arrested four people accused of running six DDoS-for-hire platforms linked to thousands of global cyberattacks.

Hackers are exploiting a critical unauthenticated privilege escalation vulnerability in the OttoKit WordPress plugin to create rogue admin accounts on targeted sites.

A new phishing kit named 'CoGUI' sent over 580 million emails to targets between January and April 2025, aiming to steal account credentials and payment data.

PowerSchool is warning that the hacker behind its December cyberattack is now individually extorting schools, threatening to release the previously stolen student and teacher data if a ransom is not paid.

Meet the minds behind how Microsoft prioritizes cybersecurity across every team and employee. Three deputy chief information security officers share their experiences in cybersecurity and how they are redefining protection.

Inferno Drainer returns, stealing millions from crypto wallets through phishing on Discord

The cybersecurity firm has faced increasing market pressures amid a scramble by rivals to consolidate enterprise customers on unified platforms.

Get a technical breakdown of the 2024 Snowflake data breach, including a description of the Advanced Persistent Threat and how the breach impacted the business.

NCSC CEO Richard Horne said the cyber agency has managed twice as many nationally significant cyber incidents in the period from September 2024 to May 2025

The suspects allegedly operated six platforms that offered distributed denial-of-service attacks for as little as 10 euros.

F5 Labs researchers released a PoC tool to find servers vulnerable to the Apache Parquet vulnerability CVE-2025-30065.

The maker of patient monitoring devices does not currently expect to change its earnings guidance.

The Play ransomware gang has exploited a high-severity Windows Common Log File System flaw in zero-day attacks to gain SYSTEM privileges and deploy malware on compromised systems.

A prolific DDoS-for-hire network has been dismantled by Polish authorities as part of a coordinated international crackdown

Passwords alone aren't cutting it—31% of breaches involve stolen credentials. Learn from Specops Software about how Universal 2nd Factor (U2F) and strong password policies can work together to keep your organization secure.

A U.S. federal jury has ordered Israeli spyware vendor NSO Group to pay WhatsApp $167,254,000 in punitive damages and $444,719 in compensatory damages for a 2019 campaign that targeted 1,400 users of the communication app.

Russian government-backed group COLDRIVER is using LOSTKEYS malware to steal files and system information from NGOs and western targets.

Medical device company Masimo Corporation warns that a cyberattack is impacting production operations and causing delays in fulfilling customers' orders.

The FBI has warned scammers are impersonating the IC3, tricking victims by claiming to be able to recover funds.

CVE-2025-27007 exploited in OttoKit WordPress plugin before v1.0.83 enables admin creation without authentication.

Europol dismantled six DDoS-for-hire services, arrested four, seized nine domains—disrupting attacks since 2022.

Discover the 5 essential pillars of SaaS security to transform your organization's security posture and effectively manage decentralized SaaS environments.

CISA warned critical infrastructure organizations of "unsophisticated" threat actors actively targeting the U.S. oil and natural gas sectors.

This week in cybersecurity from the editors at Cybercrime Magazine

In a fragmented world, resilience starts with partnerships and a vision of collective security.

CISA, FBI, EPA, and DoE warn of attacks on the U.S. Energy sector carried out by unsophisticated cyber actors targeting ICS/SCADA systems.

The UK government has announced that it will be replace its current SMS verification system with passkeys by the end of 2025

SSEs lack visibility into browser activity—missing GenAI data leaks, identity misuse, and extension risks.

SysAid fixed 4 critical pre-auth flaws in March 2025; chained bugs allow full admin access and RCE.

A Chinese company has developed an AI-piloted submersible that can reach speeds “similar to a destroyer or a US Navy torpedo,” dive “up to 60 metres underwater,” and “remain static for more than a month, like the stealth capabilities of a nuclear submarine.” In case you’re worried about the military applications of this, you can relax because the company says that the submersible is “designated for civilian use” and can “launch research rockets.” “Research rockets.” Sure. ...