March 25, 2025
Cybersecurity Roundup: Major Breaches, Emerging Ransomware, and Critical Vulnerabilities
Stay updated on the latest cybersecurity threats, including a massive NYU data breach, the emergence of VanHelsing ransomware, a cyberattack on Ukraine’s railway, a critical Next.js vulnerability, and new security measures from Microsoft and Cloudflare.
Hacker Leaks Data of 3 Million NYU Applicants in Website Breach
New York University suffered a major data breach when a hacker hijacked an NYU website on Saturday, exposing admissions records of over 3 million applicants spanning decades. For at least two hours, visitors to an NYU subdomain were presented with lists of names, SAT/ACT scores, GPAs, intended majors, zip codes, and even financial aid and family information dating back to 1989. The hacker claimed the motive was to “expose” alleged illegal admissions practices, but in doing so leaked massive amounts of sensitive personal data. NYU’s IT team quickly took down the malicious page and is investigating the incident with law enforcement. The attacker bragged that the breach was accomplished by exploiting unpatched web software rather than any sophisticated zero-day. NYU has begun notifying affected individuals and shoring up its systems, as the exposed student records may have implications under education privacy laws.
New “VanHelsing” Ransomware-as-a-Service Emerges
Security researchers are warning of a new multi-platform ransomware-as-a-service (RaaS) operation dubbed “VanHelsing.” Launched in early March, VanHelsing’s malware can target Windows, Linux (including VMware ESXi), BSD, and ARM-based systems. The RaaS was advertised on cybercrime forums with a unique model: experienced affiliates can join free, while newcomers must pay a $5,000 deposit. According to Check Point, the group appears to be a Russian cybercrime project and explicitly forbids attacking entities in CIS (former Soviet) countries. Affiliates keep 80% of any ransom paid, with 20% going to the operators. In its first two weeks, VanHelsing’s leak site already listed three victims — two in the U.S. and one in France — including a city government in Texas and two tech companies. The gang is threatening to publish stolen data if ransoms (around $500,000 per victim) aren’t paid. The malware itself is written in C++ and employs ChaCha20 encryption with Curve25519 public-key protection, using a stealthy two-phase encryption process to avoid detection. Analysts note that VanHelsing’s code and tactics suggest it’s still evolving, but its rapid debut and multi-OS capability make it a significant new threat on the ransomware scene.
Cyberattack Disrupts Ukraine’s Railway Ticketing System
Ukraine’s national railway operator (Ukrzaliznytsia) was hit by a massive cyberattack that crippled its online ticketing services on March 23. Travelers were unable to purchase tickets via the website or mobile apps, forcing crowds to line up at station counters and causing significant delays and frustration. The railway, a crucial transport mode especially during the ongoing conflict, had to activate backup manual processes. In a public update, Ukrzaliznytsia said the attackers’ “key objective failed” – train operations continued on schedule using offline alternatives – and that prior experience with cyberattacks had strengthened its resilience and incident response. The company described the attack as “highly systematic and multi-layered,” and its cyber teams are working with Ukraine’s SBU security service and CERT-UA to investigate and restore normal services. Thus far, no specific hacker group has been publicly blamed, but officials implied the “enemy” (a likely reference to Russian actors amid the war) was behind the intrusion. The incident highlights ongoing efforts to disrupt Ukraine’s critical infrastructure, even as the railway vowed that “even the most devious cyberattacks cannot stop” its operations.
Attackers Abuse Microsoft Code-Signing Platform to Evade Detection
Threat actors are exploiting Microsoft’s new Trusted Signing service to obtain authentic code signatures for their malware. This cloud-based service, launched in 2024 to help developers easily sign software, issues short-lived three-day digital certificates for executables. However, researchers found cybercriminals using it to sign malicious files, which then remain trusted even after the certificate’s three-day validity period, until Microsoft explicitly revokes it. Multiple malware samples (including info-stealers like “Lumma” and others) were found signed by Microsoft’s “ID Verified” certificate authority. Microsoft acknowledged the abuse and said it is actively monitoring for such misuse. The company’s security teams are revoking rogue certificates and suspending involved accounts once identified. In this case, Microsoft has already revoked the certificates tied to the discovered malware and confirmed its Defender anti-malware products detect those samples. The incident illustrates how attackers continuously seek trust mechanisms to bypass security – in this case turning a legitimate code-signing service against itself – and it puts pressure on providers to quickly clamp down on abuse. Microsoft has tightened verification requirements for corporate signing and relies on threat intel to catch illicit use, but the cat-and-mouse game between certificate misuse and revocation is ongoing.
Critical Next.js Web Framework Vulnerability Disclosed
A critical vulnerability (CVE-2025-29927) in the popular Next.js web development framework was revealed, prompting urgent updates from developers. The flaw (CVSS 9.1) could allow attackers to bypass middleware authorization checks in Next.js applications under certain conditions. Next.js uses a special internal HTTP header (x-middleware-subrequest) to prevent infinite loops in request processing. Researchers discovered that a crafted request could abuse this header to skip executing middleware entirely – meaning security logic like authentication or authorization could be bypassed, letting an unauthorized request reach a protected API route or page. In practical terms, an attacker might access sensitive functions or data that should be gated by login checks. Vercel (the maintainer of Next.js) released patched versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3 to fix the issue. They advised all Next.js users to upgrade immediately; if immediate patching isn’t possible, a suggested mitigation is to block any external requests containing the x-middleware-subrequest header from reaching the app. This incident serves as a reminder to keep web frameworks up to date, as their vulnerabilities can have far-reaching impact on numerous sites and applications.
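As an added illustration of the stopgap mitigation described above (this is not Vercel's or the Next.js project's code): a small dependency-free Node.js filter that rejects any inbound request carrying the internal x-middleware-subrequest header before it reaches the app, plus a check of an installed version against the patched releases named in the advisory. The Express/Connect-style middleware signature, the treatment of major versions the advisory does not list, and the sample header values are assumptions.

```javascript
// Internal header Next.js uses to mark its own middleware subrequests (from the advisory).
const INTERNAL_HEADER = "x-middleware-subrequest";

// Patched releases named by Vercel; a version at or above the entry for its major is fixed.
const FIXED_VERSIONS = { 12: [12, 3, 5], 13: [13, 5, 9], 14: [14, 2, 25], 15: [15, 2, 3] };

// True when the request carries the internal header, however the header names are cased.
// Accepts Node's IncomingMessage.headers object (keys already lowercased), a plain object
// with mixed-case keys, or an array of [name, value] pairs.
function carriesInternalHeader(headers) {
  const entries = Array.isArray(headers) ? headers : Object.entries(headers || {});
  return entries.some(([name]) => String(name).trim().toLowerCase() === INTERNAL_HEADER);
}

// Express/Connect-style middleware to mount in front of the Next.js handler (or to port to
// the reverse proxy). Legitimate subrequests never enter from the public edge, so any
// external request with this header is simply refused. Returns false when rejected,
// true when passed on, so the decision is observable in tests and logs.
function rejectInternalHeader(req, res, next) {
  if (carriesInternalHeader(req.headers)) {
    res.statusCode = 400;
    res.end("Bad Request");
    return false;
  }
  next();
  return true;
}

// True when the given Next.js version already contains the fix. Pre-release suffixes are
// dropped before comparing. Assumption: majors not listed in the advisory (older than 12)
// are treated as unpatched, so the header filter stays on for them.
function isPatched(version) {
  const parts = String(version).split("-")[0].split(".").map(Number);
  const fixed = FIXED_VERSIONS[parts[0]];
  if (!fixed || parts.length < 3 || parts.some(Number.isNaN)) return false;
  for (let i = 0; i < 3; i++) {
    if (parts[i] > fixed[i]) return true;
    if (parts[i] < fixed[i]) return false;
  }
  return true; // exactly the patched release
}

// Constructed sample: decide whether to run the filter for a given deployment.
function needsHeaderFilter(installedVersion) {
  return !isPatched(installedVersion);
}
```

Once every Next.js instance behind the edge reports `isPatched(version) === true`, the filter can be removed; until then it belongs at the outermost layer that external traffic crosses.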
Security Initiatives: Cloudflare Enforces HTTPS Only; Microsoft Edge Guards GenAI Data
Industry players rolled out new security measures over the past few days to counter emerging threats. Cloudflare announced that it will now block all unencrypted HTTP traffic to its API endpoints, requiring HTTPS for any API requests. Previously, a script or user hitting the Cloudflare API over HTTP might get a redirect or error, but as of March 22, such connections are simply rejected to eliminate any chance of sensitive data leaking in transit. This proactive step helps ensure that API keys and commands to Cloudflare’s services (used for managing DNS, firewall, DDoS settings, etc.) are never exposed in plaintext, even due to user misconfiguration.
Meanwhile, Microsoft introduced a new data-protection feature in its Edge for Business browser aimed at the rise of generative AI in the workplace. The feature, announced March 24, provides “inline data protection” to prevent employees from unintentionally sharing sensitive corporate information with AI chatbots and other external web apps. In practice, Edge for Business can now detect when a user is about to input potentially confidential data into a site like ChatGPT, Google’s Gemini, or other GenAI and cloud apps, and then block or redact the data before it leaves the browser. This is an extension of Microsoft Purview’s data loss prevention (DLP) capabilities into the browser, coming as part of broader efforts (including new security features in Teams) to mitigate insider risks and phishing via collaboration tools. Both Cloudflare’s and Microsoft’s moves show how organizations are bolstering defenses: Cloudflare by hardening infrastructure defaults, and Microsoft by adapting to new AI-related data leakage concerns in enterprise settings. Each initiative is a response to real-world threat trends observed in recent months.
Sources:
https://www.bleepingcomputer.com/news/security/cloudflare-now-blocks-all-unencrypted-traffic-to-its-api-endpoints/