The Hacker News | Expert Insights

Why Active Directory Vulnerabilities Demand More Than a Patch

Jun 15, 2026
The disclosure of CVE-2026-25177, a high-severity privilege escalation flaw in Microsoft Active Directory Domain Services, is a timely reminder that identity infrastructure remains one of the most consequential attack surfaces in the modern enterprise. Rated HIGH with a CVSS score of 8.8, this vulnerability allows an authenticated domain user to escalate privileges and move laterally across the network without elevated starting permissions or any user interaction. The mechanics are instructive. If a compromised account holds native Active Directory (AD) permission to modify Service Principal Names (SPNs), an attacker can create a duplicate SPN for a targeted service. When clients request Kerberos authentication, the domain controller may issue a ticket encrypted with the wrong key, causing a denial of service or forcing a fallback to the weaker NTLM protocol. No access to the targeted server is required beyond that initial SPN-write permission. In an environment where Active Directo...
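The technique above rests on two conditions that an administrator can check directly: an SPN value registered on more than one object, and a trustee who is allowed to write servicePrincipalName on a target account. The following PowerShell is an added example written for this page (not the article's or Microsoft's code) using the ActiveDirectory module. `Find-DuplicateSpn` lists every SPN held by two or more objects, which is the state a duplicate-SPN attack creates and which also arises by accident; `Get-SpnWriters` lists the ACEs on one account that permit adding an SPN, whether through an explicit WriteProperty on the attribute, the Validated-SPN validated write, or an unscoped GenericWrite/GenericAll. The service-account DN at the end is an assumed placeholder.

```powershell
# Added example for this page (not the article's or Microsoft's code): audit the
# preconditions of the duplicate-SPN technique with the ActiveDirectory module.
Import-Module ActiveDirectory

function Find-DuplicateSpn {
    # One row per (SPN value, owning object). The KDC matches SPNs without regard
    # to case, so normalise case before grouping.
    $rows = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            $owner = $_.DistinguishedName
            foreach ($spn in $_.servicePrincipalName) {
                [pscustomobject]@{ Spn = $spn.ToLowerInvariant(); Owner = $owner }
            }
        }
    # A value held by two or more objects is a duplicate: when a client asks for a
    # ticket to that SPN, the KDC may encrypt it with the other account's key.
    $rows | Group-Object -Property Spn | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{ Spn = $_.Name; Owners = ($_.Group.Owner -join '; ') }
    }
}

function Get-SpnWriters {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Look up the schemaIDGUID of servicePrincipalName rather than hard-coding it.
    # The Validated-SPN validated write carries the same GUID, so one comparison
    # covers both an explicit WriteProperty ACE and a validated-write (Self) ACE.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=servicePrincipalName)' -Properties schemaIDGUID
    $spnGuid = [guid]$attr.schemaIDGUID

    # Rights that allow adding an SPN, directly or by first rewriting the ACL or owner.
    $writeRights = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Self, GenericWrite, GenericAll, WriteDacl, WriteOwner'

    $acl = Get-Acl -Path ('AD:\' + $DistinguishedName)
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]($_.ActiveDirectoryRights -band $writeRights)) -ne 0 -and
        # ObjectType Empty means the ACE applies to every attribute; otherwise it
        # must be scoped to servicePrincipalName (or the Validated-SPN right).
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $spnGuid)
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

Find-DuplicateSpn | Format-Table -AutoSize
# Assumed placeholder DN; point this at a real service account.
Get-SpnWriters -DistinguishedName 'CN=svc-sql,OU=Service Accounts,DC=corp,DC=example' | Format-Table -AutoSize
```

`setspn -X` performs the same duplicate search from the command line. Because the payoff of the technique is an NTLM fallback rather than a Kerberos success, pair the ACL review with monitoring of NTLM credential validation on domain controllers (Event ID 4776) and of logons whose authentication package is NTLM (Event ID 4624) on servers that should only ever see Kerberos.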
Why Runtime Scanning Is Too Late for Your CI/CD Supply Chain Security

Jun 15, 2026
The structural flaw in detection-only security postures runs deeper than tooling choices. Every hour a security team spends triaging runtime alerts is an hour not spent governing what entered the pipeline in the first place. And in modern CI/CD environments, that means the handful of alerts that represent genuine software supply chain compromise arrive only after the malicious dependency has already executed its payload, exfiltrated credentials, or established persistence inside the environment. The industry built an entire market category on that backwards logic, and enterprises are now paying for it in breach costs, developer burnout, and regulatory exposure that carries personal liability for the security leaders whose names appear on the program. The shift that actually reduces risk is not better monitoring at the end of the pipeline; it is governing the point of ingestion before code ever enters your lifecycle, which is a fundamentally different problem requiring a fundamental...
How Attackers Are Adding AI Voice Cloning to Microsoft Teams Attacks

Jun 08, 2026
Microsoft Teams' cross-tenant collaboration feature, which allows external accounts to message employees directly, is enabled by default in most enterprise deployments. Most organizations have never audited or restricted it. That default setting has become one of the more reliable social engineering entry points security teams are managing today. The base attack is straightforward. An attacker creates an external Teams account, identifies a target through LinkedIn or a company directory, and sends a message posing as IT helpdesk staff. The message cites an urgent account issue (an MFA problem, a security alert, a failed login) and asks the employee to open Quick Assist, a built-in Microsoft remote assistance tool, and approve a session. What has changed recently is the layer added on top of that initial contact: an AI-generated voice that sounds like someone the target already knows.

How the Base Attack Chain Unfolds

Once Quick Assist access is established, the attack fol...
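The first link in the chain above is the tenant's external-access (federation) setting, and the first thing a practitioner wants is to see what it is currently set to and pin it down. The following PowerShell is an added example written for this page (not the article's or Microsoft's code) using the MicrosoftTeams module in an admin session. `Get-ExternalAccessPosture` reports the shipped default, in which any external tenant and, separately, personal Teams accounts can message users; `Set-ExternalAccessAllowList` replaces that with an explicit allow list. The partner domains passed at the end are assumed placeholders.

```powershell
# Added example for this page (not the article's or Microsoft's code): audit the
# Teams external-access (federation) configuration the attack chain relies on,
# then pin it to an allow list. Requires the MicrosoftTeams module and an admin
# session; the partner domains below are assumed placeholders.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

function Get-ExternalAccessPosture {
    $cfg = Get-CsTenantFederationConfiguration
    # AllowedDomains is an AllowAllKnownDomains object (the shipped default) when
    # any external tenant may message users, or an AllowList once domains are pinned.
    $openToAnyTenant = $cfg.AllowFederatedUsers -and
        ($cfg.AllowedDomains.GetType().Name -eq 'AllowAllKnownDomains')
    [pscustomobject]@{
        AllowFederatedUsers       = $cfg.AllowFederatedUsers
        OpenToAnyTenant           = $openToAnyTenant
        AllowedDomains            = $cfg.AllowedDomains
        BlockedDomains            = $cfg.BlockedDomains
        # Personal (consumer) Teams accounts are a separate switch from federation.
        AllowTeamsConsumer        = $cfg.AllowTeamsConsumer
        AllowTeamsConsumerInbound = $cfg.AllowTeamsConsumerInbound
    }
}

function Set-ExternalAccessAllowList {
    param([Parameter(Mandatory)][string[]]$PartnerDomains)
    # Build an explicit allow list; every domain not listed is blocked.
    $patterns  = foreach ($d in $PartnerDomains) { New-CsEdgeDomainPattern -Domain $d }
    $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
    Set-CsTenantFederationConfiguration -AllowedDomains $allowList `
        -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false
    Get-ExternalAccessPosture
}

# Before: the shipped default in most tenants.
Get-ExternalAccessPosture
# After: only the named partner tenants (assumed placeholders) can reach users.
Set-ExternalAccessAllowList -PartnerDomains 'partner-a.example', 'partner-b.example'
```

Where external access cannot be closed entirely, the Quick Assist session is the other chokepoint in the chain: the Store app can be removed from managed endpoints with `Get-AppxPackage -AllUsers MicrosoftCorporationII.QuickAssist | Remove-AppxPackage -AllUsers`, or blocked by AppLocker or Intune policy, so that the "approve a session" step has nothing to approve.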
Hacking Salesforce Sites With an LLM Agent

Jun 08, 2026
AI is changing the security landscape. More and more threat groups incorporate LLMs into their reconnaissance and exploitation workflows. The notion that some vulnerabilities are too complex to exploit in practice is now obsolete: using LLMs, attackers can automatically find and exploit complex vulnerabilities. We have all heard of Claude Mythos and its ability to identify vulnerabilities in large codebases and exploit them automatically. But LLMs can do more than find vulnerabilities in code. ShinyHunters has scanned thousands of Salesforce Sites using a modified version of "AuraInspector", and may have used an LLM to code their framework, mods, reconnaissance tools, and other parts of their workflow. The next step is to use AI to supercharge the attack process itself. We at Reco decided to explore what it would look like. Reco's security research team built an AI-powered agent capable of performing end-to-end security assessments of Salesforce Experience Cloud sit...
Detecting Phishing and Insider Threats Using Wazuh

Jun 03, 2026
Phishing and insider threats continue to pose significant, often overlapping risks in modern threat landscapes. Compromised credentials obtained through phishing campaigns or social engineering attacks can grant adversaries legitimate access, effectively converting external threats into insider risks. This convergence complicates detection, as malicious activity may closely mimic authorized user behavior. To address this challenge, security teams need a Security Information and Event Management (SIEM) platform that collects and correlates events from multiple sources, including endpoints, users, and network activity, so that analysts can uncover suspicious patterns that would otherwise go unnoticed.

Phishing attacks

Phishing attacks remain among the most effective techniques us...
Endpoint Detection & Response Is Now Table Stakes — Here’s What Comes Next

Jun 02, 2026
New Bitdefender research reveals that 97.7% of respondents now use endpoint detection and response (EDR). That number might seem high compared to commonly accepted market penetration estimates, particularly for mid-market organizations. But it is further confirmation that the vast majority of businesses have already upgraded their endpoint protection. This is hardly surprising. The conversation in enterprise security is no longer just about blocking malware or stopping known threats. It is about "proving" that an organization can detect, investigate, and respond to modern attacks before they escalate into operational disruption, financial loss, or reputational damage. This shift was driven by a new reality: endpoint protection alone is no longer enough. The laggards, typically mid-market organizations with lean IT and security teams, are now realizing this. Threat actors are AI-enabled, more evasive, and increasingly successful at bypassing traditional defenses. At the...
Why Fragmented Identity Pipelines Fail Against Digital Injections

Jun 01, 2026
Most identity verification failures do not originate from flawless synthetic IDs or visually undetectable deepfakes. Instead, they stem from structural exposures and information loss between the point of data capture and the final automated decision. As remote identity systems evolve, trust becomes an architectural property. If a backend cannot verify the hardware provenance of an image or video, the rest of the security pipeline operates on degraded input. By the time a synthetic face reaches a visual liveness model, the most critical context may already be gone. This post examines why fragmented identity APIs drop vital signals, how identity supply chains dilute accountability, and why these gaps allow digital injection attacks to succeed.

The Hidden Risk in Identity Supply Chains

Modern identity verification often relies on a complex supply chain that distributes camera capture, document parsing, liveness checks, and risk scoring across multiple vendors. Rather than opera...