February 2023
February 28, 2023 – Hacker
ChromeLoader Operators Hide Malware in VHD Files for Game Cracks
Abstract
Researchers spotted a new ChromeLoader malware campaign that is being propagated via VHD files named after popular games, such as ROBLOX, Elden Ring, Call of Duty, Pokemon, Animal Crossing, and others. It hijacks browser searches to show advertisements and later modifies the browser settings and coll... (Cyware)
February 28, 2023 – Ransomware
Bitdefender Releases Free Decryptor for MortalKombat Ransomware Strain
Abstract
Romanian cybersecurity company Bitdefender has released a free decryptor for a new ransomware strain known as MortalKombat. MortalKombat is a new ransomware strain that emerged in January 2023. It's based on commodity ransomware dubbed Xorist and has been observed in attacks targeting entities in the U.S., the Philippines, the U.K., and Turkey. Xorist, detected since 2010, is distributed as a ransomware builder, allowing cyber threat actors to create and customize their own version of the malware. This includes the ransom note, the file name of the ransom note, the list of file extensions targeted, the wallpaper to be used, and the extension to be used on encrypted files. MortalKombat notably was deployed in recent attacks mounted by an unnamed financially motivated threat actor as a part of a phishing campaign aimed at a wide range of organizations. "MortalKombat encrypts various files on the victim machine's filesystem, such as system, application, database,... (The Hacker News)
February 28, 2023 – Ransomware
Bitdefender released a free decryptor for the MortalKombat Ransomware family
Abstract
Antivirus company Bitdefender has released a free decryptor for the recently discovered ransomware family MortalKombat. Good news for the victims of the recently discovered MortalKombat ransomware: the antivirus firm Bitdefender has released a... (Security Affairs)
February 28, 2023 – Hacker
Clasiopa Group Uses Distinct Toolset to Target Asian Research Organizations
Abstract
A hacker group, dubbed Clasiopa by the analysts at Broadcom company Symantec, is reportedly launching attacks against organizations in the materials research sector. The group boasts a unique toolset, including the custom Atharvan backdoor. Criminals have also used modified versions of the publicly... (Cyware)
February 28, 2023 – Ransomware
New EX-22 Tool Empowers Hackers with Stealthy Ransomware Attacks on Enterprises
Abstract
A new post-exploitation framework called EXFILTRATOR-22 (aka EX-22) has emerged in the wild with the goal of deploying ransomware within enterprise networks while flying under the radar. "It comes with a wide range of capabilities, making post-exploitation a cakewalk for anyone purchasing the tool," CYFIRMA said in a new report. Some of the notable features include establishing a reverse shell with elevated privileges, uploading and downloading files, logging keystrokes, launching ransomware to encrypt files, and starting a live VNC (Virtual Network Computing) session for real-time access. It's also equipped to persist after system reboots, perform lateral movement via a worm, view running processes, generate cryptographic hashes of files, and extract authentication tokens. The cybersecurity firm assessed with moderate confidence that threat actors responsible for creating the malware are operating from North, East, or Southeast Asia and are likely former affiliat... (The Hacker News)
February 28, 2023 – Attack
U.S. Marshals Service suffers a ransomware attack
Abstract
The U.S. Marshals Service (USMS) was the victim of a ransomware attack and is investigating the theft of sensitive information. The U.S. Marshals Service (USMS) announced that a ransomware attack has impacted "a stand-alone USMS system." The US bureau... (Security Affairs)
February 28, 2023 – Breach
Update: Threat actors leak Activision employee data on hacking forum
Abstract
The threat actors claim to have obtained 19,444 unique records from an Activision Azure database and are offering them for free. The leaked data contains names, phone numbers, job titles, locations, and email addresses of Activision employees. (Cyware)
February 28, 2023 – Education
Application Security vs. API Security: What is the difference?
Abstract
As digital transformation takes hold and businesses become increasingly reliant on digital services, it has become more important than ever to secure applications and APIs (Application Programming Interfaces). With that said, application security and API security are two critical components of a comprehensive security strategy. By utilizing these practices, organizations can protect themselves from malicious attacks and security threats, and most importantly, ensure their data remains secure. Interestingly enough, despite the clear advantages these disciplines provide, businesses are struggling to understand which security approach is best for their needs. So in this article, we'll discuss the differences between application and API security, best practices that you should consider, and ultimately make the case for why you need both. What is Application Security? Application security, better known as AppSec, is a critical aspect of any organization's cybersecurity strategy. (The Hacker News)
February 28, 2023 – Government
CISA adds ZK Java Web Framework bug to Known Exploited Vulnerabilities Catalog
Abstract
US CISA added an actively exploited vulnerability in the ZK Java Web Framework to its Known Exploited Vulnerabilities Catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability, tracked as CVE-2022-36537 (CVSS... (Security Affairs)
February 28, 2023 – Policy and Law
US National Cyber Strategy Pushes Regulation, Aggressive Hack-Back Operations
Abstract
The strategy, created by the Office of the National Cyber Director (ONCD), also gives high-level authorization to law enforcement and intelligence agencies to hack into foreign networks to prevent attacks or to retaliate against APT campaigns. (Cyware)
February 28, 2023 – APT
APT-C-36 Strikes Again: Blind Eagle Hackers Target Key Industries in Colombia
Abstract
The threat actor known as Blind Eagle has been linked to a new campaign targeting various key industries in Colombia. The activity, which was detected by the BlackBerry Research and Intelligence Team on February 20, 2023, is also said to encompass Ecuador, Chile, and Spain, suggesting a slow expansion of the hacking group's victimology footprint. Targeted entities include health, financial, law enforcement, immigration, and an agency in charge of peace negotiation in Colombia, the Canadian cybersecurity company said. Blind Eagle, also known as APT-C-36, was recently covered by Check Point Research, detailing the adversary's advanced toolset comprising Meterpreter payloads that are delivered via spear-phishing emails. The latest set of attacks involves the group impersonating the Colombian government tax agency, the National Directorate of Taxes and Customs (DIAN), to phish its targets using lures that urge recipients to settle "outstanding obligations." ... (The Hacker News)
February 28, 2023 – Phishing
Resecurity identified the investment scam network ‘Digital Smoke’
Abstract
Resecurity identified one of the largest investment fraud networks, tracked as Digital Smoke, by size and volume of operations. Resecurity identified one of the largest investment fraud networks by size and volume of operations created to defraud... (Security Affairs)
February 28, 2023 – Vulnerabilities
Vulnerability in Popular Real Estate Theme Exploited to Hack WordPress Websites
Abstract
The vulnerability is tracked as CVE-2023-26009 in the Houzez plugin and CVE-2023-26540 in the theme. The vendor was informed about the security hole and patched it with the release of versions 2.6.4 (plugin) and 2.7.2 (theme). (Cyware)
February 28, 2023 – Government
CISA Issues Warning on Active Exploitation of ZK Java Web Framework Vulnerability
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw affecting the ZK Framework to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. Tracked as CVE-2022-36537 (CVSS score: 7.5), the issue impacts ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1, and allows threat actors to retrieve sensitive information via specially crafted requests. "The ZK Framework is an open source Java framework," CISA said. "This vulnerability can impact multiple products, including but not limited to ConnectWise R1Soft Server Backup Manager." The vulnerability was patched in May 2022 in versions 9.6.2, 9.6.0.2, 9.5.1.4, 9.0.1.3, and 8.6.4.2. As demonstrated by Huntress in a proof-of-concept (PoC) in October 2022, the vulnerability can be weaponized to bypass authentication, upload a backdoored JDBC database driver to gain code execution, and deploy ransomware on susceptible... (The Hacker News)
February 28, 2023 – Phishing
Investment Scam Network ‘Digital Smoke’ Impersonates Fortune 100 Corporations
Abstract
Resecurity identified one of the largest investment fraud networks by size and volume of operations, defrauding users from Australia, Canada, China, Colombia, the EU, India, Singapore, Malaysia, UAE, Saudi Arabia, Mexico, the US, and other regions. (Cyware)
February 28, 2023 – Breach
LastPass Reveals Second Attack Resulting in Breach of Encrypted Password Vaults
Abstract
LastPass, which in December 2022 disclosed a severe data breach that allowed threat actors to access encrypted password vaults, said it happened as a result of the same adversary launching a second attack on its systems. The company said one of its DevOps engineers had their personal home computer breached and infected with a keylogger as part of a sustained cyber attack that exfiltrated sensitive data from its Amazon AWS cloud storage servers. "The threat actor leveraged information stolen during the first incident, information available from a third-party data breach, and a vulnerability in a third-party media software package to launch a coordinated second attack," the password management service said. This intrusion targeted the company's infrastructure, resources, and one of its employees from August 12, 2022 to October 26, 2022. The original incident, on the other hand, ended on August 12, 2022. The August breach saw the intruders accessing source code and... (The Hacker News)
February 28, 2023 – Business
Cloud security startup Wiz, now valued at $10B, raises $300M
Abstract
The Series D round was co-led by Lightspeed Venture Partners and Greenoaks Capital Partners, with participation from angel investors including Starbucks owner Howard Schultz and French business magnate Bernard Arnault. (Cyware)
February 27, 2023 – Attack
Thousands of Cloud Servers Targeted by the Mysterious Nevada Group
Abstract
An unidentified group of ransomware hackers, dubbed Nevada Group, has targeted the computer networks of almost 5,000 victims across the U.S. and Europe. The hackers ask for two Bitcoins (around $50,000), and their ransom notes are publicly visible. CISA has released a simple workaround... (Cyware)
February 27, 2023 – Malware
Researchers Share New Insights Into RIG Exploit Kit Malware’s Operations
Abstract
The RIG exploit kit (EK) touched an all-time high successful exploitation rate of nearly 30% in 2022, new findings reveal. "RIG EK is a financially-motivated program that has been active since 2014," Swiss cybersecurity company PRODAFT said in an exhaustive report shared with The Hacker News. "Although it has yet to substantially change its exploits in its more recent activity, the type and version of the malware they distribute constantly change. The frequency of updating samples ranges from weekly to daily updates." Exploit kits are programs used to distribute malware to large numbers of victims by taking advantage of known security flaws in commonly-used software such as web browsers. The fact that RIG EK runs as a service model means threat actors can financially compensate the RIG EK administrator for installing malware of their choice on victim machines. The RIG EK operators primarily employ malvertising to ensure a high infection rate and large-scale... (The Hacker News)
February 27, 2023 – Policy and Law
The Jurisdiction of the New Data Protection Review Court
Abstract
Biden’s recent executive order may transform how privacy complaints are resolved within the context of U.S. intelligence activities abroad by providing access to an adjudicative system globally. (Lawfare)
February 27, 2023 – Breach
LastPass: hackers breached the computer of a DevOps engineer in a second attack
Abstract
Threat actors hacked the home computer of a DevOps engineer and installed a keylogger as part of a sophisticated cyber attack. Password management software firm LastPass disclosed a “second attack,” in which a threat actor used data stolen from the August... (Security Affairs)
February 27, 2023 – Malware
Attackers Abuse SM Platforms to Deliver S1deload Stealer
Abstract
Bitdefender disclosed an active malware campaign targeting Facebook and YouTube users with S1deload Stealer, using adult themes as bait. The new information stealer compromises user credentials and exploits system resources to mine BEAM cryptocurrency. The malware has the ability to propagate its m... (Cyware)
February 27, 2023 – General
Shocking Findings from the 2023 Third-Party App Access Report
Abstract
Spoiler Alert: Organizations with 10,000 SaaS users that use M365 and Google Workspace average over 4,371 additional connected apps. SaaS-to-SaaS (third-party) app installations are growing nonstop at organizations around the world. When an employee needs an additional app to increase their efficiency or productivity, they rarely think twice before installing. Most employees don't even realize that this SaaS-to-SaaS connectivity, which requires scopes like the ability to read, update, create, and delete content, increases their organization's attack surface in a significant way. Third-party app connections typically take place outside the view of the security team and are not vetted to understand the level of risk they pose. Adaptive Shield's latest report, Uncovering the Risks & Realities of Third-Party Connected Apps, dives into the data on this topic. It reviews the average number of SaaS-to-SaaS apps organizations have, and the level of risk they present. Here are the top... (The Hacker News)
February 27, 2023 – Breach
Threat actors leak Activision employee data on hacking forum
Abstract
Data allegedly stolen from the American gaming giant Activision in a December security breach was leaked on a cybercrime forum. A threat actor leaked on the Breached hacking forum the data allegedly stolen from the gaming giant Activision in December... (Security Affairs)
February 27, 2023 – Education
When Low-Tech Hacks Cause High-Impact Breaches – Krebs on Security
Abstract
The attackers are usually careful to do nothing with the phishing domain until they are ready to initiate a vishing call to a potential victim. And when the attack or call is complete, they disable the website tied to the domain. (Cyware)
February 27, 2023 – Malware
PlugX Trojan disguised as a legitimate Windows open-source tool in recent attacks
Abstract
Researchers detailed a new wave of attacks distributing the PlugX RAT disguised as a legitimate Windows debugger tool. Trend Micro uncovered a new wave of attacks aimed at distributing the PlugX remote access trojan masquerading as an open-source... (Security Affairs)
February 27, 2023 – Malware
TA569: SocGholish and Beyond
Abstract
TA569 leverages many types of injections, traffic distribution systems (TDS), and payloads including, but not limited to, SocGholish. In addition to serving as an initial access broker, these injects imply it may be running a pay-per-install service. (Cyware)
February 27, 2023 – Criminals
Dutch Police arrest 3 men involved in a massive extortion scheme. One of them is an ethical hacker
Abstract
The Dutch police arrested three individuals as a result of an investigation into computer trespass, data theft, extortion, and money laundering. The Dutch police announced the arrest of three men as the result of an extensive investigation... (Security Affairs)
February 27, 2023 – Phishing
Fake Amazon Prime email abuses LinkedIn’s URL shortener
Abstract
Over the last few days, scammers have been sending out phishing emails that disguise bogus URLs with something called Slinks (shortened LinkedIn URLs). Now, they're being used in a scam based on Amazon's popular Prime membership. (Cyware)
February 27, 2023 – Attack
Nine Danish Hospitals Suffer Cyberattack From ‘Anonymous Sudan’
Abstract
Copenhagen’s health authority said on Twitter that although the websites for the hospitals were down, medical care at the facilities was unaffected by the attacks. It later added the sites were back online after “a couple of hours.” (Cyware)
February 27, 2023 – Vulnerabilities
Chromium bug allowed SameSite cookie bypass on Android devices
Abstract
A recently patched bug in the open-source Chromium browser project could allow malicious actors to bypass a security feature that protects sensitive cookies on Android browsers. (Cyware)
February 27, 2023 – Vulnerabilities
Microsoft recommends you scan more Exchange server files
Abstract
In particular, the software giant said this week that sysadmins should now include the Temporary ASP.NET files, Inetsrv folders, and the PowerShell and w3wp processes on the list of files and folders to be run through antivirus systems. (Cyware)
February 27, 2023 – Breach
Stanford University Discloses Data Breach - Ph.D. Admission Data Leaked
Abstract
This incident occurred due to a misconfiguration of folder settings, which made the 2022-23 application files for admission to the program available on the department’s website. (Cyware)
February 27, 2023 – Malware
Wiper malware goes global, destructive attacks surge
Abstract
The threat landscape and organizations’ attack surfaces are constantly transforming, and cybercriminals’ ability to design and adapt their techniques to suit this evolving environment continues to pose significant risks to all businesses. (Cyware)
February 27, 2023 – Breach
News Corp says hackers first breached its systems between Feb 2020 and Jan 2022
Abstract
The attackers compromised one of the company's systems and had access to the emails and documents of some employees. The initial investigation into the hack revealed that the attack was carried out by a nation-state actor for cyber espionage purposes. (Cyware)
February 27, 2023 – Malware
ChromeLoader Malware Targeting Gamers via Fake Nintendo and Steam Game Hacks
Abstract
A new ChromeLoader malware campaign has been observed being distributed via virtual hard disk (VHD) files, marking a deviation from the ISO optical disc image format. "These VHD files are being distributed with filenames that make them appear like either hacks or cracks for Nintendo and Steam games," AhnLab Security Emergency response Center (ASEC) said in a report last week. ChromeLoader (aka Choziosi Loader or ChromeBack) originally surfaced in January 2022 as a browser-hijacking credential stealer but has since evolved into a more potent, multifaceted threat capable of stealing sensitive data, deploying ransomware, and even dropping decompression bombs. The primary goal of the malware is to compromise web browsers like Google Chrome, and modify the browser settings to intercept and direct traffic to dubious advertising websites. What's more, ChromeLoader has emerged as a conduit to carry out click fraud by leveraging a browser extension to monetize cl... (The Hacker News)
February 27, 2023 – Malware
PureCrypter used to deliver AgentTesla to govt organizations
Abstract
An unknown threat actor is targeting government organizations with the PureCrypter downloader, security firm Menlo Security reported. Menlo Labs researchers uncovered that an unknown threat actor is using the PureCrypter downloader in attacks aimed at government... (Security Affairs)
February 27, 2023 – Insider Threat
Employees bypass cybersecurity guidance to achieve business objectives
Abstract
Gartner research shows that compliance-centric cybersecurity programs, low executive support, and subpar industry-level maturity are all indicators of an organization that does not view security risk management as critical to business success. (Cyware)
February 27, 2023 – Attack
PureCrypter Malware Targets Government Entities in Asia-Pacific and North America
Abstract
Government entities in Asia-Pacific and North America are being targeted by an unknown threat actor with an off-the-shelf malware downloader known as PureCrypter to deliver an array of information stealers and ransomware. "The PureCrypter campaign uses the domain of a compromised non-profit organization as a command-and-control (C2) to deliver a secondary payload," Menlo Security researcher Abhay Yadav said. The different types of malware propagated using PureCrypter include RedLine Stealer, Agent Tesla, Eternity, Blackmoon (aka KRBanker), and Philadelphia ransomware. First documented in June 2022, PureCrypter is advertised for sale by its author for $59 for one-month access (or $245 for a one-off lifetime purchase) and is capable of distributing a multitude of malware. In December 2022, PureCoder – the developer behind the program – expanded the slate of offerings to include a logger and information stealer known as PureLogs, which is designed to si... (The Hacker News)
February 27, 2023 – Phishing
ChromeLoader campaign uses VHD files disguised as cracked games and pirated software
Abstract
Threat actors behind the ChromeLoader malware campaign are using VHD files disguised as popular games, experts warn. Researchers from AhnLab Security Emergency Response Center (ASEC) recently uncovered a malware campaign distributing the ChromeLoader... (Security Affairs)
February 27, 2023 – Breach
Pro-Ukraine hackers CH01 defaced tens of Russian websites on the invasion anniversary
Abstract
A group of hacktivists that goes online with the moniker CH01 defaced at least 32 Russian websites to mark a protest over the one-year anniversary of the Russian invasion. The news was also shared by the collective Anonymous through its accounts. (Cyware)
February 27, 2023 – Attack
PlugX Trojan Disguised as Legitimate Windows Debugger Tool in Latest Attacks
Abstract
The PlugX remote access trojan has been observed masquerading as an open source Windows debugger tool called x64dbg in an attempt to circumvent security protections and gain control of a target system. "This file is a legitimate open-source debugger tool for Windows that is generally used to examine kernel-mode and user-mode code, crash dumps, or CPU registers," Trend Micro researchers Buddy Tancio, Jed Valderama, and Catherine Loveria said in a report published last week. PlugX, also known as Korplug, is a post-exploitation modular implant, which, among other things, is known for its multiple functionalities such as data exfiltration and its ability to use the compromised machine for nefarious purposes. Although first documented a decade ago in 2012, early samples of the malware date back as far as February 2008, according to a Trend Micro report at the time. Over the years, PlugX has been used by threat actors with a Chinese nexus as well as cybercrime groups. ... (The Hacker News)
February 27, 2023 – Hacker
Malicious actors push the limits of attack vectors
Abstract
The war in Ukraine has seen the emergence of new forms of cyberattacks, and hacktivists became savvier and more emboldened to deface sites, leak information, and execute DDoS attacks, according to Trellix. (Cyware)
February 27, 2023 – Criminals
Dutch Police Arrest 3 Hackers Involved in Massive Data Theft and Extortion Scheme
Abstract
The Dutch police announced the arrest of three individuals in connection with a "large-scale" criminal operation involving data theft, extortion, and money laundering. The suspects include two 21-year-old men from Zandvoort and Rotterdam and an 18-year-old man without a permanent residence. The arrests were made on January 23, 2023. It's estimated that the hackers stole personal data belonging to tens of millions of individuals. This comprised names, addresses, telephone numbers, dates of birth, bank account numbers, credit cards, passwords, license plates, social security numbers, and passport details. The Politie said its cybercrime team started the investigation nearly two years ago, in March 2021, after a large Dutch company suffered a security breach. The name of the company was not disclosed but some of the firms that were hit by a cyber attack around that time included RDC, Shell, and Ticketcounter, the last of which was also a victim of an extortion att... (The Hacker News)
February 27, 2023 – Malware
DarkCloud Stealer Targets Users and Businesses Worldwide
Abstract
Hackers were found distributing the sophisticated DarkCloud Stealer info-stealer through various spam campaigns. The malware operates through a multi-stage process and is capable of collecting sensitive information from a victim’s computer or mobile device. The malware operators claim to target applica... (Cyware)
February 27, 2023 – Criminals
Russian cybercrime alliances upended by Ukraine invasion
Abstract
According to researchers, the so-called "brotherhood" of Russian-speaking cybercriminals is yet another casualty of the war in Ukraine, albeit one that few outside of Moscow are mourning. (Cyware)
February 26, 2023 – Outage
Ransomware attack on food giant Dole Food Company blocked North America production
Abstract
Fruit and vegetable producer Dole Food Company disclosed a ransomware attack that impacted its operations. Dole Food Company is an Irish agricultural multinational corporation and one of the world's largest producers of... (Security Affairs)
February 26, 2023 – Breach
Pro-Ukraine hackers CH01 defaced tens of Russian websites on the invasion anniversary
Abstract
The group of hacktivists CH01 defaced at least 32 Russian websites to mark a protest over the one-year anniversary of the Russian invasion. A group of hacktivists that goes online with the moniker CH01 defaced at least 32 Russian websites to mark a protest... (Security Affairs)
February 26, 2023 – Breach
News Corp says hackers first breached its systems between Feb 2020 and Jan 2022
Abstract
The investigation conducted by News Corporation (News Corp) revealed that attackers remained on its network for two years. In February 2022, the American media and publishing giant News Corp revealed it was the victim of a cyber attack from an advanced... (Security Affairs)
February 26, 2023 – General
Security Affairs newsletter Round 408 by Pierluigi Paganini
Abstract
A new round of the weekly SecurityAffairs newsletter has arrived! Every week the best security articles from Security Affairs are free for you in your email box. If you also want to receive the newsletter with the international press for free, subscribe here. Clasiopa... (Security Affairs)
February 25, 2023 – Attack
Clasiopa group targets materials research in Asia
Abstract
A previously unknown threat actor, tracked as Clasiopa, is using a distinct toolset in attacks aimed at materials research organizations in Asia. Broadcom Symantec researchers have reported that a previously unknown threat actor, tracked as Clasiopa,... (Security Affairs)
February 25, 2023 – APT
CERT of Ukraine says Russia-linked APT backdoored multiple govt sites
Abstract
The CERT of Ukraine (CERT-UA) revealed that Russia-linked threat actors have compromised multiple government websites this week. The Computer Emergency Response Team of Ukraine (CERT-UA) said that Russia-linked threat actors have breached multiple... (Security Affairs)
February 25, 2023 – General
Cyberattacks hit data centers to steal information from global companies
Abstract
Cyberattacks targeting multiple data centers in several regions globally have been observed over the past year and a half, resulting in the exfiltration of information pertaining to some of the world's biggest companies. (Cyware)
February 24, 2023 – Business
Google Teams Up with Ecosystem Partners to Enhance Security of SoC Processors
Abstract
Google said it's working with ecosystem partners to harden the security of firmware that interacts with Android. While the Android operating system runs on what's called the application processor (AP), it's just one of the many processors of a system-on-chip (SoC) that cater to various tasks like cellular communications and multimedia processing. "Securing the Android Platform requires going beyond the confines of the Application Processor," the Android team said. "Android's defense-in-depth strategy also applies to the firmware running on bare-metal environments in these microcontrollers, as they are a critical part of the attack surface of a device." The tech giant said the goal is to bolster the security of software running on these secondary processors (i.e., firmware) and make it harder to exploit vulnerabilities over the air to achieve remote code execution within the Wi-Fi SoC or the cellular baseband. To that end, Google noted tha... (The Hacker News)
February 24, 2023 – General
UK won the Military Cyberwarfare exercise Defence Cyber Marvel 2 (DCM2)
Abstract
Defence Cyber Marvel 2 (DCM2) is the largest Western Europe-led cyber exercise; it took place in Tallinn with 34 teams from 11 countries. The Defence Cyber Marvel 2 (DCM2) is the largest training exercise organised by the Army Cyber Association to allow... (Security Affairs)
February 24, 2023 – General
Threat Actors Weaponize Old Bugs to Launch Ransomware Attacks
Abstract
The latest report by Cyware, along with Cyber Security Works (CSW), Ivanti, and Securin, stated that out of 344 total threats detected in 2022, 56 new vulnerabilities were associated with ransomware threats. Attackers can leverage kill chains to exploit these bugs across 81 unique products. The Log4She... (Cyware)
February 24, 2023 – Education
How to Tackle the Top SaaS Challenges of 2023
Abstract
Are you prepared to tackle the top SaaS challenges of 2023? With high-profile data breaches affecting major companies like Nissan and Slack, it's clear that SaaS apps are a prime target for cyberattacks. The vast amounts of valuable information stored in these apps make them a goldmine for hackers. But don't panic just yet. With the right knowledge and tools, you can protect your company's sensitive data and prevent cyberattacks from wreaking havoc on your business. Join us for an upcoming webinar that will equip you with the insights you need to overcome the top SaaS challenges of 2023. Led by Maor Bin, CEO and Co-Founder of Adaptive Shield, this highly informative session will provide practical tips and actionable strategies for safeguarding your SaaS applications from potential threats. To better prepare and effectively safeguard your organization, it is crucial to have a comprehensive understanding of the potential entry points and challenges within the ever-e... (The Hacker News)
February 24, 2023 – Government
CISA warns of disruptive attacks amid the anniversary of Russia’s invasion of Ukraine
Abstract
One year after Russia's invasion of Ukraine, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns organizations to increase vigilance. Exactly one year ago, Russia invaded Ukraine, and now, one year later, the U.S. Cybersecurity and Infrastructure... (Security Affairs)
February 24, 2023 – Malware
PureCrypter Malware Downloader Targets Government Entities Through Discord
Abstract
Menlo Labs has uncovered an unknown threat actor that’s leveraging an evasive threat campaign distributed via Discord that features the PureCrypter downloader and targets government entities. (Cyware)
February 24, 2023 – Education
How to Use AI in Cybersecurity and Avoid Being Trapped
Abstract
The use of AI in cybersecurity is growing rapidly and is having a significant impact on threat detection, incident response, fraud detection, and vulnerability management. According to a report by Juniper Research, the use of AI for fraud detection and prevention is expected to save businesses $11 billion annually by 2023. But how can AI be integrated into a business's cybersecurity infrastructure without being exposed to hackers? In terms of detecting and responding to security threats in a more efficient and effective manner, AI has been helping businesses in lots of ways. Firstly, it can analyze large amounts of data and identify patterns or anomalies much faster and with greater accuracy than humans. AI detects and responds to security threats in real-time, reducing the time it takes to identify and remediate security incidents. The algorithms can learn from past incidents and adapt to new threats as they emerge. With it, cybersecurity systems can become smarter and more effective ove... (The Hacker News)
February 24, 2023 – Cryptocurrency
Highly evasive cryptocurrency miner targets macOS
Abstract
Researchers warn of an evasive cryptojacking malware targeting macOS that spreads through pirated applications. Jamf Threat Labs researchers reported that an evasive cryptojacking malware targeting macOS was spotted spreading under the guise of the Apple-developed... (Security Affairs)
February 24, 2023 – Business
CyberSmart secures $15.3m for SME cybersecurity software
Abstract
CyberSmart’s Series B was led by Oxx, with further contributions from British Patient Capital, IQ Capital, Eos Venture Partners, Legal & General Capital, Seedcamp, and Winton Ventures. (Cyware)
February 24, 2023 – Government
CISA Sounds Alarm on Cybersecurity Threats Amid Russia’s Invasion Anniversary Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations and individuals to increase their cyber vigilance, as Russia's military invasion of Ukraine officially enters one year. "CISA assesses that the United States and European nations may experience disruptive and defacement attacks against websites in an attempt to sow chaos and societal discord on February 24, 2023, the anniversary of Russia's 2022 invasion of Ukraine," the agency said. To that end, CISA is recommending that organizations implement cybersecurity best practices, increase preparedness, and take proactive steps to reduce the likelihood and impact of distributed denial-of-service (DDoS) attacks. The advisory comes as the Computer Emergency Response Team of Ukraine (CERT-UA) revealed that Russian nation-state hackers breached government websites and planted backdoors as far back as December 2021. CERT-UA attributed the activity to a threat actor it trackThe Hacker News
February 24, 2023 – Vulnerabilities
Hackers are actively exploiting CVE-2022-47966 flaw in Zoho ManageEngine Full Text
Abstract
Experts warn of threat actors actively exploiting the critical CVE-2022-47966 (CVSS score: 9.8) flaw in Zoho ManageEngine. Multiple threat actors are actively exploiting the Zoho ManageEngine CVE-2022-47966 (CVSS score: 9.8) in attacks in the wild,...Security Affairs
February 24, 2023 – Breach
Australian Retailer’s Customer Data Compromised at Former Third-Party Supplier Full Text
Abstract
The Good Guys' customer data, including phone numbers and email addresses, have been compromised in a third-party breach that industry observers say is yet another reminder for businesses to scrutinize their suppliers' security practices.Cyware
February 24, 2023 – General
Even Top-Ranked Android Apps in Google Play Store Provide Misleading Data Safety Labels Full Text
Abstract
An investigation into data safety labels for Android apps available on the Google Play Store has uncovered "serious loopholes" that allow apps to provide misleading or outright false information. The study, conducted by the Mozilla Foundation as part of its *Privacy Not Included initiative, compared the privacy policies and labels of the 20 most popular paid apps and the 20 most popular free apps on the app marketplace. It found that, in roughly 80% of the apps reviewed, "the labels were false or misleading based on discrepancies between the apps' privacy policies and the information apps self-reported on Google's Data safety form." "The apps aren't self-reporting accurately enough to give the public any meaningful reassurance about the safety and privacy of their data," Mozilla further said, adding consumers are being led to "believe these apps are doing a better job protecting their privacy than they are." Three of theThe Hacker News
February 24, 2023 – General
Wiper Malware Surges Ahead, Spiking 53% in 3 Months Full Text
Abstract
The increased use of disk wipers in cyberattacks that began with Russia's invasion of Ukraine early last year has continued unabated, and the malware has transformed into a potent threat for organizations in the region and elsewhere.Cyware
February 24, 2023 – Breach
Hutchinson Clinic issues alert concerning December data breach Full Text
Abstract
The clinic said a hacker they labeled “an unauthorized actor” had the ability to acquire information that included names, contact information, Social Security numbers, driver’s license numbers, health insurance information, and physician names.Cyware
February 24, 2023 – Criminals
The alleged author of NLBrute Malware was extradited to US from Georgia Full Text
Abstract
Dariy Pankov, a Russian VXer behind the NLBrute malware, has been extradited to the United States from Georgia. The Russian national Dariy Pankov, aka dpxaker, is suspected to be the author of the NLBrute malware. The man has been extradited to the United...Security Affairs
February 23, 2023 – Breach
Trove of L.A. Students’ Mental Health Records Posted to Dark Web After Cyber Hack Full Text
Abstract
The student psychological evaluations, published to a “dark web” leak site by the Russian-speaking ransomware gang Vice Society, offer a startling degree of personally identifiable information.Cyware
February 23, 2023 – Cryptocurrency
Hackers Using Trojanized macOS Apps to Deploy Evasive Cryptocurrency Mining Malware Full Text
Abstract
Trojanized versions of legitimate applications are being used to deploy evasive cryptocurrency mining malware on macOS systems. Jamf Threat Labs, which made the discovery, said the XMRig coin miner was executed as Final Cut Pro, a video editing software from Apple, which contained an unauthorized modification. "This malware makes use of the Invisible Internet Project (i2p) [...] to download malicious components and send mined currency to the attacker's wallet," Jamf researchers Matt Benyo, Ferdous Saljooki, and Jaron Bradley said in a report shared with The Hacker News. An earlier iteration of the campaign was documented exactly a year ago by Trend Micro, which pointed out the malware's use of i2p to conceal network traffic and speculated that it may have been delivered as a DMG file for Adobe Photoshop CC 2019. The Apple device management company said the source of the cryptojacking apps can be traced to Pirate Bay, with the earliest uploads dating all theThe Hacker News
February 23, 2023 – Vulnerabilities
Cisco Patches High-Severity Vulnerabilities in ACI Components Full Text
Abstract
Cisco on Wednesday informed customers about the availability of patches for two high-severity vulnerabilities affecting components of its Application Centric Infrastructure (ACI) software-defined networking solution.Cyware
February 23, 2023 – Vulnerabilities
Experts Sound Alarm Over Growing Attacks Exploiting Zoho ManageEngine Products Full Text
Abstract
Multiple threat actors have been observed opportunistically weaponizing a now-patched critical security vulnerability impacting several Zoho ManageEngine products since January 20, 2023. Tracked as CVE-2022-47966 (CVSS score: 9.8), the remote code execution flaw allows a complete takeover of the susceptible systems by unauthenticated attackers. As many as 24 different products, including Access Manager Plus, ADManager Plus, ADSelfService Plus, Password Manager Pro, Remote Access Plus, and Remote Monitoring and Management (RMM), are affected by the issue. The shortcoming "allows unauthenticated remote code execution due to usage of an outdated third-party dependency for XML signature validation, Apache Santuario," Bitdefender's Martin Zugec said in a technical advisory shared with The Hacker News. According to the Romanian cybersecurity firm, the exploitation efforts are said to have commenced the day after penetration testing firm Horizon3.ai released a prooThe Hacker News
February 23, 2023 – Vulnerabilities
Fortinet FortiNAC CVE-2022-39952 flaw exploited in the wild hours after the release of PoC exploit Full Text
Abstract
Threat actors are actively exploiting the Fortinet FortiNAC vulnerability CVE-2022-39952 a few hours after the publication of the PoC exploit code. This week, researchers at Horizon3 cybersecurity firm have released a proof-of-concept exploit for a critical-severity...Security Affairs
February 23, 2023 – General
CVSS system criticized for failure to address real-world impact Full Text
Abstract
Weaknesses in the existing CVSS scoring system have been highlighted through new research, with existing metrics deemed responsible for “overhyping” some vulnerabilities.Cyware
February 23, 2023 – General
The Secret Vulnerability Finance Execs are Missing Full Text
Abstract
The (Other) Risk in Finance A few years ago, a Washington-based real estate developer received a document link from First American – a financial services company in the real estate industry – relating to a deal he was working on. Everything about the document was perfectly fine and normal. The odd part, he told a reporter, was that if he changed a single digit in the URL, suddenly, he could see somebody else's document. Change it again, a different document. With no technical tools or expertise, the developer could retrieve FirstAm records dating back to 2003 – 885 million in total, many containing the kinds of sensitive data disclosed in real estate dealings, like bank details, social security numbers, and of course, names and addresses. That nearly a billion records could leak from so simple a web vulnerability seemed shocking. Yet even more severe consequences befall financial services companies every week. Verizon, in its most recent Data Breach Investigations Report,The Hacker News
February 23, 2023 – Government
The European Commission has banned its staff from using TikTok over security concerns Full Text
Abstract
The European Commission has banned its employees from using the Chinese social media app TikTok over security concerns. The European Union has banned the popular Chinese video-sharing app TikTok from the mobile devices of its employees over security...Security Affairs
February 23, 2023 – Malware
Imposter HTTP libraries lurk on PyPI Full Text
Abstract
The descriptions for these packages, for the most part, don't hint at their malicious intent. Some are disguised as real libraries and make flattering comparisons between their capabilities and those of known, legitimate HTTP libraries.Cyware
February 23, 2023 – Hacker
New Hacking Cluster ‘Clasiopa’ Targeting Materials Research Organizations in Asia Full Text
Abstract
Materials research organizations in Asia have been targeted by a previously unknown threat actor using a distinct set of tools. Symantec, by Broadcom Software, is tracking the cluster under the moniker Clasiopa. The origins of the hacking group and its affiliations are currently unknown, but there are hints that suggest the adversary could have ties to India. This includes references to "SAPTARISHI-ATHARVAN-101" in a custom backdoor and the use of the password "iloveindea1998^_^" for a ZIP archive. It's worth noting that Saptarishi, meaning "Seven sages" in Sanskrit, refers to a group of seers who are revered in Hindu literature. Atharvan was an ancient Hindu priest and is believed to have co-authored one of the four Vedas, a collection of religious scriptures in Hinduism. "While these details could suggest that the group is based in India, it is also quite likely that the information was planted as false flags, with the password inThe Hacker News
February 23, 2023 – Government
Many cyber operations conducted by Russia are yet to be publicly disclosed, says Dutch intelligence Full Text
Abstract
Dutch intelligence revealed that many cyber operations attributed to Russia against Ukraine and NATO members have yet to be publicly disclosed. According to a joint report published by the Dutch General Intelligence and Security Service (AIVD), and the Military...Security Affairs
February 23, 2023 – Business
Sublime nabs $9.8M for an anti-phishing email security platform built on collective, crowdsourced rules Full Text
Abstract
Decibel is leading the round, with Slow Ventures and a number of cybersecurity veterans participating, including Sounil Yu, Martin Roesch, Jerry Perullo, Michael Sutton, Rishi Bhargava, Slavik Markovich, Kevin Patrick Mahaffey, and Oliver Friedrichs.Cyware
February 23, 2023 – Malware
Lazarus Group Likely Using New WinorDLL64 Backdoor to Exfiltrate Sensitive Data Full Text
Abstract
A new backdoor associated with a malware downloader named Wslink has been discovered, with the tool likely used by the notorious North Korea-aligned Lazarus Group, new findings reveal. The payload, dubbed WinorDLL64 by ESET, is a fully-featured implant that can exfiltrate, overwrite, and delete files; execute PowerShell commands; and obtain comprehensive information about the underlying machine. Its other features comprise listing active sessions, creating and terminating processes, enumerating drives, and compressing directories. Wslink was first documented by the Slovak cybersecurity firm in October 2021, describing it as a "simple yet remarkable" malware loader that's capable of executing received modules in memory. "The Wslink payload can be leveraged later for lateral movement, due to its specific interest in network sessions," ESET researcher Vladislav Hrčka said. "The Wslink loader listens on a port specified in the configuration and canThe Hacker News
February 23, 2023 – General
More vulnerabilities in industrial systems raise fresh concerns about critical infrastructure hacks Full Text
Abstract
A slew of new reports about vulnerabilities in operational technology systems are raising fresh concerns about potential weaknesses inside U.S. critical infrastructure organizations.Cyware
February 23, 2023 – Malware
New S1deload Malware Hijacking Users’ Social Media Accounts and Mining Cryptocurrency Full Text
Abstract
An active malware campaign has set its sights on Facebook and YouTube users by leveraging a new information stealer to hijack the accounts and abuse the systems' resources to mine cryptocurrency. Bitdefender is calling the malware S1deload Stealer for its use of DLL side-loading techniques to get past security defenses and execute its malicious components. "Once infected, S1deload Stealer steals user credentials, emulates human behavior to artificially boost videos and other content engagement, assesses the value of individual accounts (such as identifying corporate social media admins), mines for BEAM cryptocurrency, and propagates the malicious link to the user's followers," Bitdefender researcher Dávid ÁCS said. Put differently, the goal of the campaign is to take control of the users' Facebook and YouTube accounts and rent out access to raise view counts and likes for videos and posts shared on the platforms. More than 600 unique users are estimateThe Hacker News
February 23, 2023 – Outage
Cyberattack on Dole Temporarily Shuts Down Production in North America Full Text
Abstract
The previously unreported hack — which a source familiar with the incident said was ransomware — led some grocery shoppers to complain on Facebook in recent days that store shelves were missing Dole-made salad kits.Cyware
February 23, 2023 – Malware
Python Developers Warned of Trojanized PyPI Packages Mimicking Popular Libraries Full Text
Abstract
Cybersecurity researchers are warning of "imposter packages" mimicking popular libraries available on the Python Package Index (PyPI) repository. The 41 malicious PyPI packages have been found to pose as typosquatted variants of legitimate modules such as HTTP, AIOHTTP, requests, urllib, and urllib3. The names of the packages are as follows: aio5, aio6, htps1, httiop, httops, httplat, httpscolor, httpsing, httpslib, httpsos, httpsp, httpssp, httpssus, httpsus, httpxgetter, httpxmodifier, httpxrequester, httpxrequesterv2, httpxv2, httpxv3, libhttps, piphttps, pohttp, requestsd, requestse, requestst, ulrlib3, urelib3, urklib3, urlkib3, urllb, urllib33, urolib3, xhttpsp. "The descriptions for these packages, for the most part, don't hint at their malicious intent," ReversingLabs researcher Lucija Valentić said in a new writeup. "Some are disguised as real libraries and make flattering comparisons between their capabilities and those of known, legitimateThe Hacker News
February 22, 2023 – Hacker
Earth Kitsune Returns to Target Selected Entities in China and Japan Full Text
Abstract
Trend Micro reported about a new threat actor that would drop a new backdoor dubbed WhiskerSpy. The cybercriminal group, tracked as Earth Kitsune, is a relatively new threat group that conducts watering hole attacks. The malware is delivered to users when they attempt to watch videos on attacker-co ... Read MoreCyware
February 22, 2023 – Vulnerabilities
Apple Warns of 3 New Vulnerabilities Affecting iPhone, iPad, and Mac Devices Full Text
Abstract
Apple has revised the security advisories it released last month to include three new vulnerabilities impacting iOS, iPadOS, and macOS. The first flaw is a race condition in the Crash Reporter component (CVE-2023-23520) that could enable a malicious actor to read arbitrary files as root. The iPhone maker said it addressed the issue with additional validation. The two other vulnerabilities, credited to Trellix researcher Austin Emmitt, reside in the Foundation framework (CVE-2023-23530 and CVE-2023-23531) and could be weaponized to achieve code execution. "An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges," Apple said, adding it patched the issues with "improved memory handling." The medium to high-severity vulnerabilities have been patched in iOS 16.3, iPadOS 16.3, and macOS Ventura 13.2 that were shipped on January 23, 2023. Trellix, in its own report on Tuesday, classified the two flaws as a &quThe Hacker News
February 22, 2023 – Botnet
The number of devices infected by the MyloBot botnet is rapidly increasing Full Text
Abstract
Researchers warn that the MyloBot botnet is rapidly spreading and it is infecting thousands of systems worldwide. The MyloBot botnet has been active since 2017 and was first detailed by cybersecurity firm Deep Instinct in 2018. MyloBot is a highly...Security Affairs
February 22, 2023 – Breach
Hackers Ran Amok Across GoDaddy for Three Years Full Text
Abstract
Internet domain registrar GoDaddy revealed that it has been the victim of a three-year-long campaign that deployed malware on internal systems and pilfered source code. Experts detected that an unauthorized third party had gained access to the company's cPanel hosting servers and installed malware. ... Read MoreCyware
February 22, 2023 – Phishing
Attackers Flood NPM Repository with Over 15,000 Spam Packages Containing Phishing Links Full Text
Abstract
In what's a continuing assault on the open source ecosystem, over 15,000 spam packages have flooded the npm repository in an attempt to distribute phishing links. "The packages were created using automated processes, with project descriptions and auto-generated names that closely resembled one another," Checkmarx researcher Yehuda Gelb said in a Tuesday report. "The attackers referred to retail websites using referral IDs, thus profiting from the referral rewards they earned." The modus operandi involves poisoning the registry with rogue packages that include links to phishing campaigns in their README.md files, evocative of a similar campaign the software supply chain security firm exposed in December 2022. The fake modules masqueraded as cheats and free resources, with some packages named as "free-tiktok-followers," "free-xbox-codes," and "instagram-followers-free." The ultimate goal of the operation is to entice userThe Hacker News
February 22, 2023 – Vulnerabilities
Experts found a large new class of bugs ‘class’ in Apple devices Full Text
Abstract
Tech giant Apple discloses three new vulnerabilities affecting its iOS, iPadOS, and macOS operating systems. Apple updated its advisories by adding three new vulnerabilities, tracked as CVE-2023-23520, CVE-2023-23530 and CVE-2023-23531,...Security Affairs
February 22, 2023 – Vulnerabilities
R1Soft Server Backup Manager Vulnerability Exploited to Deploy Backdoor Full Text
Abstract
During a recent incident response case, Fox-IT found evidence that the R1Soft vulnerability was exploited to gain initial access to a server. The attackers then deployed a malicious database driver that gave them backdoor access.Cyware
February 22, 2023 – Education
3 Steps to Automate Your Third-Party Risk Management Program Full Text
Abstract
If you Google "third-party data breaches" you will find many recent reports of data breaches that were either caused by an attack at a third party or sensitive information stored at a third-party location was exposed. Third-party data breaches don't discriminate by industry because almost every company is operating with some sort of vendor relationship – whether it be a business partner, contractor or reseller, or the use of IT software or platform, or another service provider. Organizations are now sharing data with an average of 730 third-party vendors, according to a report by Osano, and with the acceleration of digital transformation, that number will only grow. The Importance of Third-Party Risk Management With more organizations sharing data with more third-party vendors, it shouldn't be surprising that more than 50% of security incidents in the past two years have stemmed from a third-party with access privileges, according to a CyberRisk Alliance report.The Hacker News
February 22, 2023 – Government
CISA adds IBM Aspera Faspex and Mitel MiVoice to Known Exploited Vulnerabilities Catalog Full Text
Abstract
US CISA added actively exploited flaws in IBM Aspera Faspex and Mitel MiVoice to its Known Exploited Vulnerabilities Catalog. US CISA added the following actively exploited flaws to its Known Exploited Vulnerabilities Catalog: CVE-2022-47986 (CVSS...Security Affairs
February 22, 2023 – Ransomware
A Deep Dive into the Evolution of Ransomware Part 1 Full Text
Abstract
Ransomware extortion tactics range from publishing data bit by bit in an attempt to increase pressure on targets through more aggressive measures, making these threats all the harder for organizations and individuals alike to protect against.Cyware
February 22, 2023 – Hacker
Hydrochasma: New Threat Actor Targets Shipping Companies and Medical Labs in Asia Full Text
Abstract
Shipping companies and medical laboratories in Asia have been the subject of a suspected espionage campaign carried out by a never-before-seen threat actor dubbed Hydrochasma. The activity, which has been ongoing since October 2022, "relies exclusively on publicly available and living-off-the-land tools," Symantec, by Broadcom Software, said in a report shared with The Hacker News. There is no evidence available as yet to determine its origin or affiliation with known threat actors, but the cybersecurity company said the group may be having an interest in industry verticals that are involved in COVID-19-related treatments or vaccines. The standout aspect of the campaign is the absence of data exfiltration and custom malware, with the threat actor employing open source tools for intelligence gathering. By using already available tools, the goal, it appears, is to not only confuse attribution efforts, but also to make the attacks stealthier. The start of the infectionThe Hacker News
February 22, 2023 – Vulnerabilities
VMware addressed a critical bug in Carbon Black App Control Full Text
Abstract
VMware released security updates to address a critical vulnerability, tracked as CVE-2023-20858, in the Carbon Black App Control product. VMware addressed a critical injection vulnerability (CVSSv3 score 9.1) in Carbon Black App Control....Security Affairs
February 22, 2023 – Attack
Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers Full Text
Abstract
ETW is a high-speed tracing facility built into the Windows operating system. It enables the logging of events and system activities by applications, drivers, and the operating system.Cyware
February 22, 2023 – Hacker
Threat Actors Adopt Havoc Framework for Post-Exploitation in Targeted Attacks Full Text
Abstract
An open source command-and-control (C2) framework known as Havoc is being adopted by threat actors as an alternative to other well-known legitimate toolkits like Cobalt Strike, Sliver, and Brute Ratel. Cybersecurity firm Zscaler said it observed a new campaign in the beginning of January 2023 targeting an unnamed government organization that utilized Havoc. "While C2 frameworks are prolific, the open-source Havoc framework is an advanced post-exploitation command-and-control framework capable of bypassing the most current and updated version of Windows 11 defender due to the implementation of advanced evasion techniques such as indirect syscalls and sleep obfuscation," researcher Niraj Shivtarkar said. The attack sequence documented by Zscaler begins with a ZIP archive that embeds a decoy document and a screen-saver file that's designed to download and launch the Havoc Demon agent on the infected host. Demon is the implant generated vThe Hacker News
February 22, 2023 – General
Accidental WhatsApp account takeovers? It’s a thing Full Text
Abstract
A stranger may be receiving your private WhatsApp messages, and also be able to send messages to all of your contacts – if you have changed your phone number and didn't delete the WhatsApp account linked to it.Cyware
February 22, 2023 – Denial Of Service
Gcore Thwarts Massive 650 Gbps DDoS Attack on Free Plan Client Full Text
Abstract
At the beginning of January, Gcore faced an incident involving several L3/L4 DDoS attacks with a peak volume of 650 Gbps. Attackers exploited over 2000 servers belonging to one of the top three cloud providers worldwide and targeted a client who was using a free CDN plan. However, due to Gcore's distribution of infrastructure and a large number of peering partners, the attacks were mitigated, and the client's web application remained available. Why was mitigating these attacks so significant? 1. These attacks were significant because they exceeded the average bandwidth of similar attacks by 60×. The performed attacks relate to volume-based attacks targeted to saturate the attacked application's bandwidth in order to overflow it. Measuring total volume (bps)—rather than the number of requests—is the way these attacks are usually tabulated. The average bandwidth of this attack type is generally in the tens of Gbps (about 10 Gbps). Therefore, the specified attacks (at 650 Gbps) exceeThe Hacker News
February 22, 2023 – Skimming
Multilingual Skimmer Fingerprints ‘Secret Shoppers’ via Cloudflare Endpoint API Full Text
Abstract
The skimmer uses iframes that are loaded if the current page is the checkout and if the browser's local storage does not include a font item (this is equivalent to using cookies to detect returning visitors).Cyware
February 22, 2023 – Government
U.S. Cybersecurity Agency CISA Adds Three New Vulnerabilities in KEV Catalog Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The list of shortcomings is as follows: CVE-2022-47986 (CVSS score: 9.8), IBM Aspera Faspex Code Execution Vulnerability; CVE-2022-41223 (CVSS score: 6.8), Mitel MiVoice Connect Code Injection Vulnerability; CVE-2022-40765 (CVSS score: 6.8), Mitel MiVoice Connect Command Injection Vulnerability. CVE-2022-47986 is described as a YAML deserialization flaw in the file transfer solution that could allow a remote attacker to execute code on the system. Details of the flaw and a proof-of-concept (PoC) were shared by Assetnote on February 2, a day after which the Shadowserver Foundation said it "picked up exploitation attempts" in the wild. The active exploitation of the Aspera Faspex flaw comes shortly after a vulnerability in Fortra's GoAnywhere MFT-managed filThe Hacker News
February 22, 2023 – Business
Entitle Nabs $15M Seed Funding for Cloud Permissions Management Tech Full Text
Abstract
The Israeli security startup has attracted $15 million in early-stage venture capital funding from Glilot Capital Partners to build technology to address entitlement sprawl in the enterprise.Cyware
February 22, 2023 – Vulnerabilities
VMware Patches Critical Vulnerability in Carbon Black App Control Product Full Text
Abstract
VMware on Tuesday released patches to address a critical security vulnerability affecting its Carbon Black App Control product. Tracked as CVE-2023-20858, the shortcoming carries a CVSS score of 9.1 out of a maximum of 10 and impacts App Control versions 8.7.x, 8.8.x, and 8.9.x. The virtualization services provider describes the issue as an injection vulnerability. Security researcher Jari Jääskelä has been credited with discovering and reporting the bug. "A malicious actor with privileged access to the App Control administration console may be able to use specially crafted input allowing access to the underlying server operating system," the company said in an advisory. VMware said there are no workarounds that resolve the flaw, necessitating that customers update to versions 8.7.8, 8.8.6, and 8.9.4 to mitigate potential risks. It's worth pointing out that Jääskelä was also credited with reporting two critical vulnerabilities in the same product ( CVE-2022-229The Hacker News
February 22, 2023 – Vulnerabilities
Bypassing Akamai’s Web Application Firewall Using an Injected Content-Encoding Header Full Text
Abstract
During a recent customer pilot, Praetorian researchers identified an interesting method to bypass the cross-site scripting (XSS) filtering functionality within the Akamai Web Application Firewall (WAF) solution.Cyware
February 21, 2023 – Vulnerabilities
Apple Updates Advisories as Security Firm Discloses New Class of Vulnerabilities Full Text
Abstract
Trellix published a blog post on Tuesday to describe these flaws, which the firm says are part of a new class of bugs that can allow attackers to bypass code signing on macOS and iOS systems.Cyware
February 21, 2023 – Botnet
MyloBot Botnet Spreading Rapidly Worldwide: Infecting Over 50,000 Devices Daily Full Text
Abstract
A sophisticated botnet known as MyloBot has compromised thousands of systems, with most of them located in India, the U.S., Indonesia, and Iran. That's according to new findings from BitSight, which said it's "currently seeing more than 50,000 unique infected systems every day," down from a high of 250,000 unique hosts in 2020. Furthermore, an analysis of MyloBot's infrastructure has found connections to a residential proxy service called BHProxies, indicating that the compromised machines are being used by the latter. MyloBot, which emerged on the threat landscape in 2017, was first documented by Deep Instinct in 2018, calling out its anti-analysis techniques and its ability to function as a downloader. "What makes Mylobot dangerous is its ability to download and execute any type of payload after it infects a host," Lumen's Black Lotus Labs said in November 2018. "This means at any time it could download any other type of malware thThe Hacker News
February 21, 2023 – Malware
PoC exploit code for critical Fortinet FortiNAC bug released online Full Text
Abstract
Researchers released a proof-of-concept exploit code for the critical CVE-2022-39952 vulnerability in the Fortinet FortiNAC network access control solution. Researchers at Horizon3 cybersecurity firm have released a proof-of-concept exploit for a critical-severity...Security Affairs
February 21, 2023 – Business
Scrut Automation Raises $7.5 Million for GRC Platform Full Text
Abstract
India-based Scrut Automation has announced raising $7.5 million in a new funding round that will help the company improve its governance, risk, and compliance (GRC) automation platform and expand its presence in the United States.Cyware
February 21, 2023 – Education
The Future of Network Security: Predictive Analytics and ML-Driven Solutions Full Text
Abstract
As the digital age evolves and continues to shape the business landscape, corporate networks have become increasingly complex and distributed. The amount of data a company collects to detect malicious behaviour constantly increases, making it challenging to detect deceptive and unknown attack patterns and the so-called "needle in the haystack". With a growing number of cybersecurity threats, such as data breaches, ransomware attacks, and malicious insiders, organizations are facing significant challenges in successfully monitoring and securing their networks. Furthermore, the talent shortage in the field of cybersecurity makes manual threat hunting and log correlation a cumbersome and difficult task. To address these challenges, organizations are turning to predictive analytics and Machine Learning (ML) driven network security solutions as essential tools for securing their networks against cyber threats and the unknown bad. The Role of ML-Driven Network Security SolutionsThe Hacker News
February 21, 2023 – Criminals
HardBit ransomware gang adjusts their demands so the insurance company would cover the ransom cost Full Text
Abstract
The recently emerged HardBit ransomware gang adjusts its demands so that the victim's insurance company would cover the ransom cost. The HardBit ransomware group first appeared on the threat landscape in October 2022, but unlike other ransomware operations, it doesn't...Security Affairs
February 21, 2023 – Breach
Hackers Scored Corporate Giants’ Logins for Asian Data Centers Full Text
Abstract
The information included credentials in varying numbers for some of the world’s biggest companies, including Alibaba Group, Amazon, Apple, BMW AG, Goldman Sachs Group, Huawei Technologies, Microsoft, and Walmart, according to Resecurity.Cyware
February 21, 2023 – Malware
Researchers Discover Numerous Samples of Information Stealer ‘Stealc’ in the Wild Full Text
Abstract
A new information stealer called Stealc that's being advertised on the dark web could emerge as a worthy competitor to other malware of its ilk. "The threat actor presents Stealc as a fully featured and ready-to-use stealer, whose development relied on Vidar , Raccoon , Mars , and RedLine stealers," SEKOIA said in a Monday report. The French cybersecurity company said it discovered more than 40 Stealc samples distributed in the wild and 35 active command-and-control (C2) servers, suggesting that the malware is already gaining traction among criminal groups. Stealc, first marketed by an actor named Plymouth on the XSS and BHF Russian-speaking underground forums on January 9, 2023, is written in C and comes with capabilities to steal data from web browsers, crypto wallets, email clients, and messaging apps. The malware-as-a-service (MaaS) also boasts of a "customizable" file grabber that allows its buyers to tailor the module to siphon files oThe Hacker News
February 21, 2023 – General
Resecurity warns about cyber-attacks on data center service providers Full Text
Abstract
Resecurity warns about the increase of malicious cyber activity targeting data center service providers globally. According to the detailed report recently released by the California-based cybersecurity company, during September 2021, Resecurity...Security Affairs
February 21, 2023 – Policy and Law
DNA Diagnostic Center fined $400,000 for 2021 data breach Full Text
Abstract
The DNA testing company will pay a penalty of $400,000 to the attorneys general of Pennsylvania and Ohio for a data breach in 2021 that affected 2.1 million individuals nationwide, according to a settlement deal with the states’ attorneys general.Cyware
February 21, 2023 – Breach
Coinbase Employee Falls for SMS Scam in Cyber Attack, Limited Data Exposed Full Text
Abstract
Popular cryptocurrency exchange platform Coinbase disclosed that it experienced a cybersecurity attack that targeted its employees. The company said its "cyber controls prevented the attacker from gaining direct system access and prevented any loss of funds or compromise of customer information." The incident, which took place on February 5, 2023, resulted in the exposure of a "limited amount of data" from its directory, including employee names, e-mail addresses, and some phone numbers. As part of the attack, several employees were targeted in an SMS phishing campaign urging them to sign in to their company accounts to read an important message. One employee is said to have fallen for the scam, who entered their username and password in a fake login page set up by the threat actors to harvest the credentials. "After 'logging in,' the employee is prompted to disregard the message and thanked for complying," the company said. "What hapThe Hacker News
February 21, 2023 – Malware
Stealc, a new advanced infostealer appears in the threat landscape Full Text
Abstract
Researchers spotted a new information stealer, called Stealc, which supports a wide set of stealing capabilities. In January 2023, researchers at SEKOIA.IO discovered a new information stealer, dubbed Stealc, which was advertised in the dark web forums....Security Affairs
February 21, 2023 – APT
Newly Identified Earth Yako APT Observed Targeting Japanese Entities Full Text
Abstract
Trend Micro experts observed several targeted attacks against researchers at academic organizations and think tanks in Japan and attributed the campaign to Earth Yako. Prior to this, the Earth Yako APT group had been abusing legitimate services such as Dropbox, GitHub, and Protonmail to expand its c ... Read MoreCyware
February 21, 2023 – Malware
Researchers Warn of ReverseRAT Backdoor Targeting Indian Government Agencies Full Text
Abstract
A spear-phishing campaign targeting Indian government entities aims to deploy an updated version of a backdoor called ReverseRAT . Cybersecurity firm ThreatMon attributed the activity to a threat actor tracked as SideCopy . SideCopy is a threat group of Pakistani origin that shares overlaps with another actor called Transparent Tribe . It is so named for mimicking the infection chains associated with SideWinder to deliver its own malware. The adversarial crew was first observed delivering ReverseRAT in 2021, when Lumen's Black Lotus Labs detailed a set of attacks targeting victims aligned with the government and power utility verticals in India and Afghanistan. Recent attack campaigns associated with SideCopy have primarily set their sights on a two-factor authentication solution known as Kavach (meaning "armor" in Hindi) that's used by Indian government officials. The infection journey documented by ThreatMon commences with a phishing email containiThe Hacker News
February 21, 2023 – General
ChatGPT is bringing advancements and challenges for cybersecurity Full Text
Abstract
ChatGPT is a gold mine of insight that removes much of the work involved in research and problem-solving by enabling users to access the entire corpus of the public internet with just one set of instructions.Cyware
February 21, 2023 – General
Complexity, volume of cyber attacks lead to burnout in security teams Full Text
Abstract
The rapid evolution of cybercrime is weighing on security teams substantially more than it did last year, leading to widespread burnout and potential regulatory risk, according to Magnet Forensics.Cyware
February 21, 2023 – Ransomware
HardBit 2.0 Engages in Clever Ransom Negotiation Based on Cyber Insurance Coverage Full Text
Abstract
Seemingly improving upon their initial release, HardBit version 2.0 was introduced toward the end of November 2022, with samples seen throughout the end of 2022 and into 2023.Cyware
February 20, 2023 – Breach
Indian Ticketing Platform RailYatri Hacked – 31 Million Impacted Full Text
Abstract
The compromised data includes email addresses, full names, genders, phone numbers, and locations, which could put millions of users at risk of identity theft, phishing attacks, and other cybercrimes.Cyware
February 20, 2023 – Criminals
Norway Seizes $5.84 Million in Cryptocurrency Stolen by Lazarus Hackers Full Text
Abstract
Norwegian police agency Økokrim has announced the seizure of 60 million NOK (about $5.84 million) worth of cryptocurrency stolen by the Lazarus Group in March 2022 following the Axie Infinity Ronin Bridge hack. "This case shows that we also have a great capacity to follow the money on the blockchain, even if the criminals use advanced methods," the agency said in a statement. The development comes more than 10 months after the U.S. Treasury Department implicated the North Korea-backed hacking group for the theft of $620 million from the Ronin cross-chain bridge. Then in September 2022, the U.S. government announced the recovery of more than $30 million worth of cryptocurrency, representing 10% of the stolen funds. Økokrim said it worked with international law enforcement partners to follow and piece together the money trail, thereby making it more difficult for criminal actors to carry out money laundering activities. "This is money that can support North KorThe Hacker News
February 20, 2023 – Attack
A sophisticated threat actor hit cryptocurrency exchange Coinbase Full Text
Abstract
The Coinbase cryptocurrency exchange was the victim of a sophisticated cyberattack; experts believe it was targeted by the Twilio hackers. A sophisticated threat actor launched a smishing campaign against the employees of the cryptocurrency exchange Coinbase. According...Security Affairs
February 20, 2023 – Attack
Lockbit Ransomware Gang Hit the Portuguese Municipal Water Utility Aguas do Porto Full Text
Abstract
Lockbit added the municipal water utility company to the list of victims on its Tor leak site, the deadline is March 07, 2023. CNN Portugal confirmed that the National Cybersecurity Center and the Judiciary Police are investigating the breach.Cyware
February 20, 2023 – Education
How to Detect New Threats via Suspicious Activities Full Text
Abstract
Unknown malware presents a significant cybersecurity threat and can cause serious damage to organizations and individuals alike. When left undetected, malicious code can gain access to confidential information, corrupt data, and allow attackers to gain control of systems. Find out how to avoid these circumstances and detect unknown malicious behavior efficiently. Challenges of new threats' detection While known malware families are more predictable and can be detected more easily, unknown threats can take on a variety of forms, causing a bunch of challenges for their detection: Malware developers use polymorphism, which enables them to modify the malicious code to generate unique variants of the same malware. There is malware that is still not identified and doesn't have any rulesets for detection. Some threats can be Fully UnDetectable (FUD) for some time and challenge perimeter security. The code is often encrypted, making it difficult to detect by signature-basedThe Hacker News
February 20, 2023 – Solution
Samsung announces Message Guard feature to neutralize zero-click attacks Full Text
Abstract
Samsung introduces a new protection feature called Message Guard to protect users from zero-click malware attacks. Samsung announced the implementation of a new security feature called Message Guard that aims at protecting users from malicious...Security Affairs
February 20, 2023 – Criminals
Spain Orders Extradition of British Alleged Hacker to US Full Text
Abstract
Spain’s National Court has agreed to the extradition to the US of a British citizen who allegedly took part in computer attacks, including the July 2020 hacking of Twitter accounts of public figures such as Joseph Biden, Barack Obama, and Bill Gates.Cyware
February 20, 2023 – Attack
Google Reveals Alarming Surge in Russian Cyber Attacks Against Ukraine Full Text
Abstract
Russia's cyber attacks against Ukraine surged by 250% in 2022 when compared to two years ago, Google's Threat Analysis Group (TAG) and Mandiant disclosed in a new joint report. The targeting, which coincided and has since persisted following the country's military invasion of Ukraine in February 2022, focused heavily on the Ukrainian government and military entities, alongside critical infrastructure, utilities, public services, and media sectors. Mandiant said it observed, "more destructive cyber attacks in Ukraine during the first four months of 2022 than in the previous eight years with attacks peaking around the start of the invasion." As many as six unique wiper strains – including WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, Industroyer2, and SDelete – have been deployed against Ukrainian networks, suggesting a willingness on the part of Russian threat actors to forgo persistent access. Phishing attacks aimed at NATO countries witnessed a 3The Hacker News
February 20, 2023 – Education
Social engineering, deception becomes increasingly sophisticated Full Text
Abstract
Social engineering techniques are becoming increasingly sophisticated and are exploiting multiple emerging means, such as deep fakes. The increasing use of videoconferencing platforms and the various forms of remote work also adopted in the post-emergency...Security Affairs
February 20, 2023 – Breach
Data Breach Reported At Mount Pleasant Central School District Full Text
Abstract
The breach was announced by Mount Pleasant Central School District Superintendent Peter Giarrizzo on Friday, February 17, who said that several student email passwords may have been compromised by the incident.Cyware
February 20, 2023 – Attack
Cyber Espionage Group Earth Kitsune Deploys WhiskerSpy Backdoor in Latest Attacks Full Text
Abstract
The cyber espionage threat actor tracked as Earth Kitsune has been observed deploying a new backdoor called WhiskerSpy as part of a social engineering campaign. Earth Kitsune, active since at least 2019, is known to primarily target individuals interested in North Korea with self-developed malware such as dneSpy and agfSpy. Previously documented intrusions have entailed the use of watering holes that leverage browser exploits in Google Chrome and Internet Explorer to activate the infection chain. The differentiating factor in the latest attacks is a shift to social engineering to trick users into visiting compromised websites related to North Korea, according to a new report from Trend Micro released last week. The cybersecurity company said the website of an unnamed pro-North Korean organization was hacked and modified to distribute the WhiskerSpy implant. The compromise was discovered at the end of last year. "When a targeted visitor tries to watch videos on the websitThe Hacker News
February 20, 2023 – Breach
QR Code Generator MyQRcode Leaks Users’ Login Data and Addresses Full Text
Abstract
At the time of writing, the total number of impacted customers was 65,000; however, at the time of publishing this article, the number had increased to 67,000, meaning the leak is ongoing.Cyware
February 20, 2023 – Breach
Phishing scam cost small Ohio city $219,000, finance director his job Full Text
Abstract
The author of the phishing email pretended to be an existing vendor and persuaded the finance worker in the Columbus suburb of Hilliard, Ohio, to change bank-routing information for the vendor.Cyware
February 20, 2023 – Government
ENISA and CERT-EU Warn of Chinese APTs Targeting EU Organizations Full Text
Abstract
The joint report focuses on cyber activities conducted by multiple Chinese Advanced Persistent Threat (APT) groups, including APT27, APT30, APT31, Ke3chang, GALLIUM, and Mustang Panda.Cyware
February 20, 2023 – Attack
Hackers Target Chinese Speaking Individuals via Poisoned Google Search Full Text
Abstract
Security analysts at ESET unearthed a malware campaign targeting Chinese-speaking people in Southeast and East Asia. The unknown hacker group has created copycat websites of popular apps, such as Firefox, WhatsApp, and Telegram. Along with legitimate software, cyber foes also deliver FatalRAT to ta ... Read MoreCyware
February 20, 2023 – Outage
German airport websites down in possible hacker attack Full Text
Abstract
Among the airports affected were Düsseldorf, Nüremberg, Erfurt-Weimar, and Dortmund. The websites were unreachable or flagged up failure messages. The websites of the biggest airports, in Frankfurt, Munich, and Berlin, were operating normally.Cyware
February 20, 2023 – Solution
Samsung Introduces New Feature to Protect Users from Zero-Click Malware Attacks Full Text
Abstract
Samsung has announced a new feature called Message Guard that comes with safeguards to protect users from malware and spyware via what's referred to as zero-click attacks . The South Korean chaebol said the solution "preemptively" secures users' devices by "limiting exposure to invisible threats disguised as image attachments." The security feature, available on Samsung Messages and Google Messages, is currently limited to the Samsung Galaxy S23 series, with plans to expand it to other Galaxy smartphones and tablets later this year that are running on One UI 5.1 or higher. Zero-click attacks are highly-targeted and sophisticated attacks that exploit previously unknown flaws (i.e., zero-days) in software to trigger execution of malicious code without requiring any user interaction. Unlike traditional methods of remotely exploiting a device wherein threat actors rely on phishing tactics to trick a user into clicking on a malicious link or opening an rogThe Hacker News
February 20, 2023 – Attack
Lockbit ransomware gang hit the Portuguese municipal water utility Aguas do Porto Full Text
Abstract
The LockBit ransomware gang claims to have hacked Aguas do Porto, a Portuguese municipal water utility company. The LockBit ransomware gang claims to have hacked Aguas do Porto, a Portuguese municipal water utility company, and is threatening to leak...Security Affairs
February 19, 2023 – Malware
Havoc Replaces Cobalt Strike and Brute Ratel Full Text
Abstract
Threat actors have been switching to a new open-source C2 framework, dubbed Havoc, as an alternative to Brute Ratel and Cobalt Strike, researchers stated. The advanced post-exploitation C2 framework can bypass even the most updated version of Windows 11 Defender. An unknown threat group dropp ... Read MoreCyware
February 19, 2023 – Vulnerabilities
Fortinet Issues Patches for 40 Flaws Affecting FortiWeb, FortiOS, FortiNAC, and FortiProxy Full Text
Abstract
Fortinet has released security updates to address 40 vulnerabilities in its software lineup, including FortiWeb, FortiOS, FortiNAC, and FortiProxy, among others. Two of the 40 flaws are rated Critical, 15 are rated High, 22 are rated Medium, and one is rated Low in severity. Top of the list is a severe bug residing in the FortiNAC network access control solution (CVE-2022-39952, CVSS score: 9.8) that could lead to arbitrary code execution. "An external control of file name or path vulnerability [CWE-73] in FortiNAC web server may allow an unauthenticated attacker to perform arbitrary write on the system," Fortinet said in an advisory earlier this week. The products impacted by the vulnerability are as follows - FortiNAC version 9.4.0 FortiNAC version 9.2.0 through 9.2.5 FortiNAC version 9.1.0 through 9.1.7 FortiNAC 8.8 all versions FortiNAC 8.7 all versions FortiNAC 8.6 all versions FortiNAC 8.5 all versions, and FortiNAC 8.3 all versions Patches have beeThe Hacker News
February 19, 2023 – Malware
Frebniis malware abuses Microsoft IIS feature to create a backdoor Full Text
Abstract
Experts spotted a malware dubbed Frebniis that abuses a Microsoft IIS feature to deploy a backdoor and monitor all HTTP traffic to the system. Broadcom Symantec researchers have spotted a new malware, tracked as Frebniis, that abuses Microsoft Internet...Security Affairs
February 19, 2023 – Phishing
Scammers Found Exploiting YouTube to Launch Crypto Scams Full Text
Abstract
Researchers discovered a massive network of fake YouTube videos that cybercriminals are using to launch crypto scams. These fake videos advertise fraudulent web-based apps for USDT. To make the channels look legitimate, threat actors automated copy-pasting comments to videos. Many of these vid ... Read MoreCyware
February 19, 2023 – APT
ENISA and CERT-EU warn of Chinese APTs targeting EU organizations Full Text
Abstract
A joint report published by ENISA and CERT-EU warns of Chinese APTs targeting businesses and government organizations in the European Union. The European Union Agency for Cybersecurity (ENISA) and CERT-EU warn of multiple China-linked threat actors...Security Affairs
February 19, 2023 – Breach
Hackers disclose Atlassian data after the theft of an employee’s credentials Full Text
Abstract
Atlassian discloses a data leak that was caused by the theft of employee credentials, which were used to steal data from a third-party vendor. A group of hackers called SiegedSec recently published on its Telegram channel a JSON file containing data...Security Affairs
February 19, 2023 – General
Security Affairs newsletter Round 407 by Pierluigi Paganini Full Text
Abstract
A new round of the weekly SecurityAffairs newsletter has arrived! Every week the best security articles from Security Affairs are delivered free to your inbox. If you also want to receive the international press newsletter for free, subscribe here. Twitter...Security Affairs
February 18, 2023 – Business
Twitter Limits SMS-Based 2-Factor Authentication to Blue Subscribers Only Full Text
Abstract
Twitter has announced that it's limiting the use of SMS-based two-factor authentication (2FA) to its Blue subscribers. "While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors," the company said . "We will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers." Twitter users who have not subscribed to Blue that have enrolled for SMS-based 2FA have time till March 20, 2023, to switch to an alternative method such as an authenticator app or a hardware security key. After this cutoff date, non-Twitter Blue subscribers will have their option disabled. The alternative methods "require you to have physical possession of the authentication method and are a great way to ensure your account is secure," Twitter noted. Given that SMS has been the least secure form of 2FA , the latest enforcement is likely to force peopleThe Hacker News
February 18, 2023 – Malware
New Frebniis Malware Abuses IIS Features for Secret Communications Full Text
Abstract
There’s a new malware threat to Microsoft Internet Information Services (IIS) servers dubbed Frebniis. Discovered by Symantec's Threat Hunter Team, the malware abuses the 'Failed Request Event Buffering' (FREB) feature of IIS, which is responsible for collecting request metadata such as IP addresses, HTTP ... Read MoreCyware
February 18, 2023 – Breach
GoDaddy Discloses Multi-Year Security Breach Causing Malware Installations and Source Code Theft Full Text
Abstract
Web hosting services provider GoDaddy on Friday disclosed a multi-year security breach that enabled unknown threat actors to install malware and siphon source code related to some of its services. The company attributed the campaign to a "sophisticated and organized group targeting hosting services." GoDaddy said in December 2022, it received an unspecified number of customer complaints about their websites getting sporadically redirected to malicious sites, which it later found was due to the unauthorized third party gaining access to servers hosted in its cPanel environment . The threat actor "installed malware causing the intermittent redirection of customer websites," the company said . The ultimate objective of the intrusions, GoDaddy said, is to "infect websites and servers with malware for phishing campaigns, malware distribution, and other malicious activities." In a related 10-K filing with the U.S. Securities and Exchange Commission (SECThe Hacker News
February 18, 2023 – Vulnerabilities
SolarWinds Announces Upcoming Patches for High-Severity Vulnerabilities Full Text
Abstract
Out of a total of seven security defects, five are described as deserialization of untrusted data issues that could be exploited to achieve command execution. Four of them have a CVSS score of 8.8.Cyware
February 18, 2023 – Vulnerabilities
New Variant of Mirai Targets 13 Known IoT Device Vulnerabilities Full Text
Abstract
Researchers at Unit42 laid bare a Mirai botnet variant dubbed V3G4 that compromised hosts by abusing several vulnerabilities in products from DrayTek, Geutebruck, FreePBX, Atlassian, and others. The botnet infected exposed servers and networking devices running on Linux OS. Successful exploitation ... Read MoreCyware
February 18, 2023 – Business
Twitter will allow SMS-based two-factor authentication (2FA) only for its Blue subscribers Full Text
Abstract
Twitter has announced that the platform will allow SMS-based two-factor authentication (2FA) only for its Blue subscribers. To date, Twitter has offered three methods of 2FA: text message, authentication app, and security key. However,...Security Affairs
February 18, 2023 – Breach
WordPress sites backdoored with ad fraud plugin Full Text
Abstract
About 50 WordPress blogs have been backdoored with a plugin called fuser-master. This plugin is being triggered via popunder traffic from a large ad network. The WordPress sites are loaded on a separate page underneath and display a number of ads.Cyware
February 18, 2023 – Breach
GoDaddy discloses a new data breach Full Text
Abstract
GoDaddy discloses a security breach: threat actors have stolen source code and installed malware on its servers in a long-running attack. Web hosting company GoDaddy announced that attackers have stolen source code and installed malware on its servers....Security Affairs
February 18, 2023 – Ransomware
Analysis of New CatB Ransomware Variant Full Text
Abstract
CatB is a reasonably new entrant to the ransomware field, with samples only dating back to December 2022. The CatB threat actor does not offer a web portal (on TOR or otherwise) to name and shame victims.Cyware
February 17, 2023 – Solution
ChatGPT Subs In as Security Analyst, Hallucinates Only Occasionally Full Text
Abstract
A number of experiments suggest ChatGPT could be useful to help defenders triage potential security incidents and find security vulnerabilities in code, even though it was not specifically trained for such activities, according to recent studies.Cyware
February 17, 2023 – Malware
Experts Warn of RambleOn Android Malware Targeting South Korean Journalists Full Text
Abstract
Suspected North Korean nation-state actors targeted a journalist in South Korea with a malware-laced Android app as part of a social engineering campaign. The findings come from South Korea-based non-profit Interlab, which coined the new malware RambleOn . The malicious functionalities include the "ability to read and leak target's contact list, SMS, voice call content, location and others from the time of compromise on the target," Interlab threat researcher Ovi Liber said in a report published this week. The spyware camouflages as a secure chat app called Fizzle (ch.seme), but in reality, acts as a conduit to deliver a next-stage payload hosted on pCloud and Yandex. The chat app is said to have been sent as an Android Package (APK) file over WeChat to the targeted journalist on December 7, 2022, under the pretext of wanting to discuss a sensitive topic. The primary purpose of RambleOn is to function as a loader for another APK file ( com.data.WeCoin ) whileThe Hacker News
February 17, 2023 – Vulnerabilities
Fortinet fixes critical vulnerabilities in FortiNAC and FortiWeb Full Text
Abstract
Cybersecurity vendor Fortinet has addressed two critical vulnerabilities impacting its FortiNAC and FortiWeb products. Cybersecurity firm Fortinet has released security updates to address two critical vulnerabilities in FortiNAC and FortiWeb solutions....Security Affairs
February 17, 2023 – Breach
Atlassian Says Leaked Data Stolen via Third-Party App Full Text
Abstract
A threat group called SiegedSec recently posted a cache of employee and operations information allegedly stolen from software workforce collaboration tool provider Atlassian.Cyware
February 17, 2023 – General
⚡Top Cybersecurity News Stories This Week — Cybersecurity Newsletter Full Text
Abstract
Hey 👋 there, cyber friends! Welcome to this week's cybersecurity newsletter , where we aim to keep you informed and empowered in the ever-changing world of cyber threats. In today's edition, we will cover some interesting developments in the cybersecurity landscape and share some insightful analysis of each to help you protect yourself against potential attacks. 1. Apple 📱 Devices Hacked with New Zero-Day Bug - Update ASAP! Have you updated your Apple devices lately? If not, it's time to do so, as the tech giant just released security updates for iOS, iPadOS, macOS, and Safari. The update is to fix a zero-day vulnerability that hackers have been exploiting. This vulnerability, tracked as CVE-2023-23529, is related to a type confusion bug in the WebKit browser engine. What does this mean? Well, it means that if you visit a website with malicious code, the bug can be activated, leading to arbitrary code execution. In other words, hackers can take control of your deviThe Hacker News
February 17, 2023 – Denial Of Service
German airport websites hit by DDos attacks once again Full Text
Abstract
Experts are investigating the failures of several German airports after some media attributed them to a possible hacking campaign. On Thursday, the websites of several German airports were unreachable, experts launched an investigation speculating...Security Affairs
February 17, 2023 – Malware
New Frebniis Malware Abuses Microsoft IIS Feature to Establish Backdoor Full Text
Abstract
Frebniis ensures Failed Request Tracing is enabled and then accesses w3wp.exe (IIS) process memory, obtaining the address of where the Failed Request Event Buffering code (iisfreb.dll) is loaded.Cyware
February 17, 2023 – Attack
Armenian Entities Hit by New Version of OxtaRAT Spying Tool Full Text
Abstract
Entities in Armenia have come under a cyber attack using an updated version of a backdoor called OxtaRAT that allows remote access and desktop surveillance. "The tool capabilities include searching for and exfiltrating files from the infected machine, recording the video from the web camera and desktop, remotely controlling the compromised machine with TightVNC, installing a web shell, performing port scanning, and more," Check Point Research said in a report. The latest campaign is said to have commenced in November 2022 and marks the first time the threat actors behind the activity have expanded their focus beyond Azerbaijan. "The threat actors behind these attacks have been targeting human rights organizations, dissidents, and independent media in Azerbaijan for several years," the cybersecurity firm noted, calling the campaign Operation Silent Watch. The late 2022 intrusions are significant, not least because of the changes in the infection chain, the sThe Hacker News
February 17, 2023 – Vulnerabilities
Cisco fixed critical RCE bug in ClamAV Open-Source Antivirus engine Full Text
Abstract
Cisco addressed a critical vulnerability in the ClamAV open source antivirus engine that can lead to remote code execution on vulnerable devices. Cisco fixed a critical flaw, tracked as CVE-2023-20032 (CVSS score: 9.8), in the ClamAV open source...Security Affairs
February 17, 2023 – Encryption
Pending National Cyber Strategy to Feature ‘Strong Stand’ on Quantum Cryptography Full Text
Abstract
Ahead of the release of the first National Cybersecurity Strategy from the White House Office of the National Cyber Director, Dylan Presman, the director for budget and assessment, confirmed that it will include guidance on post-quantum cryptography.Cyware
February 17, 2023 – Botnet
New Mirai Botnet Variant ‘V3G4’ Exploiting 13 Flaws to Target Linux and IoT Devices Full Text
Abstract
A new variant of the notorious Mirai botnet has been found leveraging several security vulnerabilities to propagate itself to Linux and IoT devices. Observed during the second half of 2022, the new version has been dubbed V3G4 by Palo Alto Networks Unit 42, which identified three different campaigns likely conducted by the same threat actor. "Once the vulnerable devices are compromised, they will be fully controlled by attackers and become a part of the botnet," Unit 42 researchers said . "The threat actor has the capability to utilize those devices to conduct further attacks, such as distributed denial-of-service (DDoS) attacks." The attacks primarily single out exposed servers and networking devices running Linux, with the adversary weaponizing as many as 13 flaws that could lead to remote code execution (RCE). Some of the notable flaws relate to critical flaws in Atlassian Confluence Server and Data Center, DrayTek Vigor routers, Airspan AirSpot, and GeuThe Hacker News
February 17, 2023 – Government
CISA adds Cacti, Office, Windows and iOS bugs to its Known Exploited Vulnerabilities Catalog Full Text
Abstract
US CISA added actively exploited flaws in Cacti framework, Microsoft Office, Windows, and iOS to its Known Exploited Vulnerabilities Catalog. US CISA added the following actively exploited flaws to its Known Exploited Vulnerabilities Catalog: CVE-2022-46169...Security Affairs
February 17, 2023 – Vulnerabilities
Critical RCE Vulnerability Discovered in ClamAV Open Source Antivirus Software Full Text
Abstract
Cisco has rolled out security updates to address a critical flaw reported in the ClamAV open source antivirus engine that could lead to remote code execution on susceptible devices. Tracked as CVE-2023-20032 (CVSS score: 9.8), the issue relates to a case of remote code execution residing in the HFS+ file parser component. The flaw affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Google security engineer Simon Scannell has been credited with discovering and reporting the bug. "This vulnerability is due to a missing buffer size check that may result in a heap buffer overflow write," Cisco Talos said in an advisory. "An attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device." Successful exploitation of the weakness could enable an adversary to run arbitrary code with the same privileges as that of the ClamAV scanning process, or crash the process, resuThe Hacker News
February 16, 2023 – Vulnerabilities
ESXiArgs Ransomware Mayhem in Europe and More Full Text
Abstract
Skipping patching VMware ESXi bugs? Beware! Hundreds of systems in Europe were found infected with the ESXiArgs ransomware. Hackers reportedly abused a two-year-old RCE bug (CVE-2021-21974) and compromised thousands of servers across the world.Cyware
February 16, 2023 – Vulnerabilities
Researchers Hijack Popular NPM Package with Millions of Downloads Full Text
Abstract
A popular npm package with more than 3.5 million weekly downloads has been found vulnerable to an account takeover attack. "The package can be taken over by recovering an expired domain name for one of its maintainers and resetting the password," software supply chain security company Illustria said in a report. While npm's security protections limit users to only one active email address per account, the Israeli firm said it was able to reset the GitHub password using the recovered domain. The attack, in a nutshell, grants a threat actor access to the package's associated GitHub account, effectively making it possible to publish trojanized versions to the npm registry that can be weaponized to conduct supply chain attacks at scale. This is achieved by taking advantage of a GitHub Action that's configured in the repository to automatically publish the packages when new code changes are pushed. "Even though the maintainer's npm user account iThe Hacker News
February 16, 2023 – Botnet
Mirai V3G4 botnet exploits 13 flaws to target IoT devices Full Text
Abstract
During the second half of 2022, a variant of the Mirai bot, tracked as V3G4, targeted IoT devices by exploiting more than a dozen flaws. Palo Alto Networks Unit 42 researchers reported that a Mirai variant called V3G4 was attempting to exploit several flaws...Security Affairs
February 16, 2023 – Hacker
Hackers Deploy MortalKombat Ransomware and Laplas Clipper Malware Full Text
Abstract
There’s a new financially motivated campaign utilizing MortalKombat ransomware and the Laplas clipper. While the former is a variant of the Xorist commodity ransomware, the latter is a cryptocurrency hijacker that monitors the Windows clipboard for crypto addresses. The campaign’s focus remained o ... Read MoreCyware
February 16, 2023 – Attack
Researchers Link SideWinder Group to Dozens of Targeted Attacks in Multiple Countries Full Text
Abstract
The prolific SideWinder group has been attributed as the nation-state actor behind attempted attacks against 61 entities in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka between June and November 2021. Targets included government, military, law enforcement, banks, and other organizations, according to an exhaustive report published by Group-IB, which also found links between the adversary and two other intrusion sets tracked as Baby Elephant and DoNot Team . SideWinder is also referred to as APT-C-17, Hardcore Nationalist (HN2), Rattlesnake, Razor Tiger, and T-APT4. It's suspected to be of Indian origin, although Kaspersky in 2022 noted that the attribution is no longer deterministic. The group has been linked to no less than 1,000 attacks against government organizations in the Asia-Pacific region since April 2020, according to a report from the Russian cybersecurity firm early last year. Of the 61 potential targets compiled by Group-IB, 29 of them are locatedThe Hacker News
February 16, 2023 – General
Over 500 ESXiArgs Ransomware infections in one day, but they dropped the day after Full Text
Abstract
ESXiArgs ransomware continues to spread in Europe; most of the recent infections were observed in France, Germany, the Netherlands, the UK, and Ukraine. Researchers from Censys reported that more than 500 hosts have been infected in a new wave of ESXiArgs...Security Affairs
February 16, 2023 – Breach
Medibank class action launched after massive hack put private information of millions on dark web Full Text
Abstract
The law firm Baker McKenzie has launched a class action lawsuit against Medibank over the health insurer’s massive cyber attack last year that resulted in the personal details of up to 10 million customers being posted on the dark web.Cyware
February 16, 2023 – Phishing
Hackers Using Google Ads to Spread FatalRAT Malware Disguised as Popular Apps Full Text
Abstract
Chinese-speaking individuals in Southeast and East Asia are the targets of a new rogue Google Ads campaign that delivers remote access trojans such as FatalRAT to compromised machines. The attacks involve purchasing ad slots to appear in Google search results that direct users searching for popular applications to rogue websites hosting trojanized installers, ESET said in a report published today. The ads have since been taken down. Some of the spoofed applications include Google Chrome, Mozilla Firefox, Telegram, WhatsApp, LINE, Signal, Skype, Electrum, Sogou Pinyin Method, Youdao, and WPS Office. "The websites and installers downloaded from them are mostly in Chinese and in some cases falsely offer Chinese language versions of software that is not available in China," the Slovak cybersecurity firm said , adding it observed the attacks between August 2022 and January 2023. A majority of the victims are located in Taiwan, China, and Hong Kong, followed by Malaysia, JapaThe Hacker News
February 16, 2023 – Ransomware
New MortalKombat ransomware employed in financially motivated campaign Full Text
Abstract
Talos researchers observed a financially motivated threat actor using a new ransomware dubbed MortalKombat and a clipper malware named Laplas. Since December 2022, Cisco Talos researchers have been observing an unidentified financially motivated...Security Affairs
February 16, 2023 – Education
What’s Going Into NIST’s New Digital Identity Guidelines? Full Text
Abstract
These new guidelines will help set the course for best practices in handling digital identity for organizations across all sectors. The security risk around digital identities stems from verification.Cyware
February 16, 2023 – Vulnerabilities
Researchers Warn of Critical Security Bugs in Schneider Electric Modicon PLCs Full Text
Abstract
Security researchers have disclosed two new vulnerabilities affecting Schneider Electric Modicon programmable logic controllers (PLCs) that could allow for authentication bypass and remote code execution. The flaws, tracked as CVE-2022-45788 (CVSS score: 7.5) and CVE-2022-45789 (CVSS score: 8.1), are part of a broader collection of security defects tracked by Forescout as OT:ICEFALL. Successful exploitation of the bugs could enable an adversary to execute unauthorized code, cause a denial of service, or disclose sensitive information. The cybersecurity company said the shortcomings can be chained by a threat actor with known flaws from other vendors (e.g., CVE-2021-31886 ) to achieve deep lateral movement in operational technology (OT) networks. "Deep lateral movement lets attackers gain deep access to industrial control systems and cross often overlooked security perimeters, allowing them to perform highly granular and stealthy manipulations as well as override functThe Hacker News
February 16, 2023 – Vulnerabilities
Hyundai and Kia to patch a flaw that allows the theft of cars with a USB cable Full Text
Abstract
Car makers Hyundai and Kia are releasing an emergency software update to fix a flaw that can allow a car to be stolen with a USB cable. Carmakers Hyundai and Kia are rolling out an emergency update for the software shipped with several car models. The update...Security Affairs
February 16, 2023 – Business
Costanoa Ventures and Norrsken22 back Smile Identity in $20M Series B round Full Text
Abstract
Silicon Valley investor Costanoa Ventures, one of the co-leads in its Series A, also co-led this recent Series B round with Africa-focused venture capital firm Norrsken22. Lexi Novitske, general partner at Norrsken22, will join the company’s Board.Cyware
February 16, 2023 – Education
Breaking the Security “Black Box” in DBs, Data Warehouses and Data Lakes Full Text
Abstract
Security teams typically have great visibility over most areas, for example, the corporate network, endpoints, servers, and cloud infrastructure. They use this visibility to enforce the necessary security and compliance requirements. However, this is not the case when it comes to sensitive data sitting in production or analytic databases, data warehouses or data lakes. Security teams have to rely on data teams to locate sensitive data and enforce access controls and security policies. This is a huge headache for both the security and data teams. It weakens the business's security and compliance, putting it at risk of exposing sensitive data, large fines, reputational damages, and more. Also, in many cases, it slows down the business's ability to scale up data operations. This article examines how Satori, a data security platform, gives control of the sensitive data in databases, data warehouses and data lakes to the security teams. Satori's automated data security platThe Hacker News
February 16, 2023 – Vulnerabilities
Critical Vulnerability Patched in Cisco Security Products Full Text
Abstract
Cisco on Wednesday announced updates for endpoint, cloud, and web security products to address a critical vulnerability in the third-party open-source scanning library ClamAV.Cyware
February 16, 2023 – Hacker
New Threat Actor WIP26 Targeting Telecom Service Providers in the Middle East Full Text
Abstract
Telecommunication service providers in the Middle East are being targeted by a previously undocumented threat actor as part of a suspected intelligence gathering mission. Cybersecurity firms SentinelOne and QGroup are tracking the activity cluster under the former's work-in-progress moniker WIP26 . "WIP26 relies heavily on public cloud infrastructure in an attempt to evade detection by making malicious traffic look legitimate," researchers Aleksandar Milenkoski, Collin Farr, and Joey Chen said in a report shared with The Hacker News. This includes the misuse of Microsoft 365 Mail, Azure, Google Firebase, and Dropbox for malware delivery, data exfiltration, and command-and-control (C2) purposes. The initial intrusion vector used in the attacks entails "precision targeting" of employees via WhatsApp messages that contain Dropbox links to supposedly benign archive files. The files, in reality, harbor a malware loader whose core feature is to deplThe Hacker News
February 16, 2023 – General
High-risk users may be few, but the threat they pose is huge Full Text
Abstract
High-risk users represent approximately 10% of the worker population and are found in every department and function of the organization, according to Elevate Security research.Cyware
February 16, 2023 – General
ESXiArgs Ransomware Hits Over 500 New Targets in European Countries Full Text
Abstract
More than 500 hosts have been newly compromised en masse by the ESXiArgs ransomware strain, most of which are located in France, Germany, the Netherlands, the U.K., and Ukraine. The findings come from attack surface management firm Censys, which discovered "two hosts with strikingly similar ransom notes dating back to mid-October 2022, just after ESXi versions 6.5 and 6.7 reached end of life." The first set of infections dates back to October 12, 2022, much earlier than when the campaign began to gain traction at the start of February 2023. Then on January 31, 2023, the ransom notes on the two hosts are said to have been updated with a revised version that matches the ones used in the current wave. Some of the crucial differences between the two ransom notes include the use of an onion URL instead of a Tox chat ID, a Proton Mail address at the bottom of the note, and a lower ransom demand (1.05 Bitcoin vs. 2.09 Bitcoin). "Each variant of the ransom notes fromThe Hacker News
February 15, 2023 – Cryptocurrency
How Concerned Should You be about Your Hardware Wallet? Full Text
Abstract
Security company Unciphered successfully breached OneKey, the maker of hardware wallets for cryptocurrencies, in a matter of seconds, underlining security gaps in the emerging crypto world. Unciphered posted a video on YouTube demonstrating its ability to exploit a critical flaw that enabled it to ... Read MoreCyware
February 15, 2023 – APT
North Korea’s APT37 Targeting Southern Counterpart with New M2RAT Malware Full Text
Abstract
The North Korea-linked threat actor tracked as APT37 has been linked to a piece of new malware dubbed M2RAT in attacks targeting its southern counterpart, suggesting continued evolution of the group's features and tactics. APT37, also tracked under the monikers Reaper, RedEyes, Ricochet Chollima, and ScarCruft, is linked to North Korea's Ministry of State Security (MSS) unlike the Lazarus and Kimsuky threat clusters that are part of the Reconnaissance General Bureau (RGB). According to Google-owned Mandiant, MSS is tasked with "domestic counterespionage and overseas counterintelligence activities," with APT37's attack campaigns reflective of the agency's priorities. The operations have historically singled out individuals such as defectors and human rights activists. "APT37's assessed primary mission is covert intelligence gathering in support of DPRK's strategic military, political, and economic interests," the threat intelligence fiThe Hacker News
February 15, 2023 – Attack
City of Oakland issued a local state of emergency after recent ransomware attack Full Text
Abstract
The City of Oakland has declared a local state of emergency due to the effect of the ransomware attack that hit the city on February 8, 2023. The City of Oakland disclosed the ransomware attack last week; the security breach began on February 8, 2023....Security Affairs
February 15, 2023 – APT
Dark Caracal APT Reappears with a New Version of Bandook Spyware Full Text
Abstract
Lookout Security published a report describing the activities of a new APT actor dubbed Dark Caracal that has claimed hundreds of infections in more than a dozen countries since March of 2022. The APT is currently using a new version of Bandook spyware to target Windows systems. Organizations ... Read MoreCyware
February 15, 2023 – Education
Webinar — A MythBusting Special: 9 Myths about File-based Threats Full Text
Abstract
Bad actors love to deliver threats in files. Persistent and persuasive messages convince unsuspecting victims to accept and open files from unknown sources, executing the first step in a cyber attack. This continues to happen whether the file is an EXE or a Microsoft Excel document. Far too often, end users have an illusion of security, masked by good faith efforts of other users and (ineffective) security controls. This creates a virality effect for ransomware, malware, spyware, and annoying grayware and adware to be spread easily from user to user and machine to machine. To stop users from saying, "I reject your reality and substitute my own!" – it's time to bust some myths about file-based attacks. Testing in three! Two! One! Register here and join Zscaler's Vinay Polurouthu, Principal Product Manager, and Amy Heng, Product Marketing Manager, to: Bust the 9 most common assumptions and myths about file-based threats Uncover the latest evasion trends and dThe Hacker News
February 15, 2023 – Vulnerabilities
Citrix released security updates for multiple High-Severity flaws in its products Full Text
Abstract
Citrix released security updates for multiple High-Severity flaws in Virtual Apps and Desktops, and Workspace apps for Windows and Linux. Citrix released security patches to fix multiple vulnerabilities in Virtual Apps and Desktops, and Workspace...Security Affairs
February 15, 2023 – Vulnerabilities
Recently Patched IBM Aspera Faspex Vulnerability Exploited in the Wild Full Text
Abstract
The security hole, tracked as CVE-2022-47986 and classified as ‘high severity’, is a YAML deserialization flaw that can be exploited by a remote attacker for arbitrary code execution using specially crafted API calls.Cyware
February 15, 2023 – Hacker
Financially Motivated Threat Actor Strikes with New Ransomware and Clipper Malware Full Text
Abstract
A new financially motivated campaign that commenced in December 2022 has seen the unidentified threat actor behind it deploying a novel ransomware strain dubbed MortalKombat and a clipper malware known as Laplas. Cisco Talos said it "observed the actor scanning the internet for victim machines with an exposed remote desktop protocol (RDP) port 3389." The attacks, per the cybersecurity company, primarily focus on individuals, small businesses, and large organizations located in the U.S., and to a lesser extent in the U.K., Turkey, and the Philippines. The starting point that kicks off the multi-stage attack chain is a phishing email bearing a malicious ZIP file that's used as a pathway to deliver either the clipper or the ransomware. In addition to using cryptocurrency-themed email lures impersonating CoinPayments, the threat actor is also known to erase infection markers in an attempt to cover its tracks. MortalKombat, first detected in January 2023, is capableThe Hacker News
February 15, 2023 – Vulnerabilities
Adobe addressed critical bugs in Illustrator, After Effects Software Full Text
Abstract
Adobe Patch Tuesday addressed at least a half dozen vulnerabilities, including critical issues that expose Windows and macOS to hack. Adobe released security updates to address at least a half dozen vulnerabilities impacting Photoshop, Illustrator...Security Affairs
February 15, 2023 – Business
Passwordless authentication startup Descope lands $53M seed round Full Text
Abstract
The money came from Lightspeed Venture Partners and GGV Capital, with additional funds contributed by Dell Technologies Capital, TechAviv, J Ventures, Cerca, Unusual Ventures, Silicon Valley CISO Investments, and several individual investors.Cyware
February 15, 2023 – Education
Regular Pen Testing Is Key to Resolving Conflict Between SecOps and DevOps Full Text
Abstract
In an ideal world, security and development teams would be working together in perfect harmony. But we live in a world of competing priorities, where DevOps and security departments often butt heads with each other. Agility and security are often at odds with each other— if a new feature is delivered quickly but contains security vulnerabilities, the SecOps team will need to scramble the release and patch the vulnerabilities, which can take days or weeks. On the other hand, if the SecOps team takes too long to review and approve a new feature, the development team will get frustrated with the slow pace of delivery. Security needs to move slowly and cautiously, while development wants to "move fast and break things" and release new features quickly. DevOps teams can view security as an impediment to their work instead of an important part of the process. With each team pulling in opposite directions, there is often tension and conflict between the two teams, slowing deveThe Hacker News
February 15, 2023 – Malware
Beep, a new highly evasive malware appeared in the threat landscape Full Text
Abstract
Experts detected a new evasive malware dubbed Beep; it implements many anti-debugging and anti-sandbox techniques. Researchers from Minerva recently discovered a new evasive malware dubbed Beep, which implements many anti-debugging and anti-sandbox...Security Affairs
February 15, 2023 – Attack
Tonga is the latest Pacific Island nation hit with ransomware Full Text
Abstract
Tonga Communications Corporation (TCC) — one of two telecoms companies in the country — published a notice on Facebook saying the attack may slow down administrative operations.Cyware
February 15, 2023 – Malware
Experts Warn of ‘Beep’ - A New Evasive Malware That Can Fly Under the Radar Full Text
Abstract
Cybersecurity researchers have unearthed a new piece of evasive malware dubbed Beep that's designed to fly under the radar and drop additional payloads onto a compromised host. "It seemed as if the authors of this malware were trying to implement as many anti-debugging and anti-VM (anti-sandbox) techniques as they could find," Minerva Labs researcher Natalie Zargarov said . "One such technique involved delaying execution through the use of the Beep API function , hence the malware's name." Beep comprises three components, the first of which is a dropper that's responsible for creating a new Windows Registry key and executing a Base64-encoded PowerShell script stored in it. The PowerShell script, for its part, reaches out to a remote server to retrieve an injector, which, after confirming it's not being debugged or launched in a virtual machine, extracts and launches the payload via a technique called process hollowing . The payload is anThe Hacker News
February 15, 2023 – Breach
Community Health Systems data breach caused by GoAnywhere MFT hack Full Text
Abstract
Community Health Systems (CHS) disclosed a data breach in which attackers exploited the zero-day vulnerability in Fortra’s GoAnywhere MFT platform. Community Health Systems (CHS) is one of the nation’s leading healthcare providers. CHS operates 79 acute-care...Security Affairs
February 15, 2023 – Vulnerabilities
SAP’s February 2023 Security Updates Patch High-Severity Vulnerabilities Full Text
Abstract
The most severe of the new security notes delivers updates to the Chromium browser in the SAP Business Client, to resolve a total of 54 vulnerabilities, including 22 high-severity issues.Cyware
February 15, 2023 – Solution
Google Rolling Out Privacy Sandbox Beta on Android 13 Devices Full Text
Abstract
Google announced on Tuesday that it's officially rolling out Privacy Sandbox on Android in beta to eligible mobile devices running Android 13. "The Privacy Sandbox Beta provides new APIs that are designed with privacy at the core, and don't use identifiers that can track your activity across apps and websites," the search and advertising giant said . "Apps that choose to participate in the Beta can use these APIs to show you relevant ads and measure their effectiveness." Devices that have been selected for the Beta test will have a Privacy Sandbox section within Settings so as to allow users to control their participation as well as view and manage their top interests as determined by the Topics API to serve relevant ads. The initial Topics taxonomy is set to include somewhere between a few hundred and a few thousand topics, according to Google , and will be human-curated to exclude sensitive topics. The Beta test is expected to start off withThe Hacker News
February 15, 2023 – Breach
AdSense fraud campaign relies on 10,890 sites that were infected since September 2022 Full Text
Abstract
The threat actors behind a massive AdSense fraud campaign infected 10,890 WordPress sites since September 2022. In November 2022, researchers from security firm Sucuri reported to have tracked a surge in WordPress malware redirecting website visitors...Security Affairs
February 15, 2023 – Cryptocurrency
Binance, Huobi freeze some cryptocurrency stolen in $100 million Harmony hack Full Text
Abstract
The two crypto platforms were notified about the funds by blockchain research company Elliptic, which managed to trace them through the sanctioned cryptocurrency mixer Tornado Cash.Cyware
February 15, 2023 – Vulnerabilities
Update Now: Microsoft Releases Patches for 3 Actively Exploited Windows Vulnerabilities Full Text
Abstract
Microsoft on Tuesday released security updates to address 75 flaws spanning its product portfolio, three of which have come under active exploitation in the wild. The updates are in addition to 22 flaws the Windows maker patched in its Chromium-based Edge browser over the past month. Of the 75 vulnerabilities, nine are rated Critical and 66 are rated Important in severity. 37 out of 75 bugs are classified as remote code execution (RCE) flaws. The three zero-days of note that have been exploited are as follows - CVE-2023-21715 (CVSS score: 7.3) - Microsoft Office Security Feature Bypass Vulnerability CVE-2023-21823 (CVSS score: 7.8) - Windows Graphics Component Elevation of Privilege Vulnerability CVE-2023-23376 (CVSS score: 7.8) - Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability "The attack itself is carried out locally by a user with authentication to the targeted system," Microsoft said in advisory for CVE-2023-21715. "The Hacker News
February 15, 2023 – Vulnerabilities
Citrix Patches High-Severity Vulnerabilities in Windows, Linux Apps Full Text
Abstract
Tracked as CVE-2023-24483, the Virtual Apps and Desktops vulnerability is described as a privilege escalation issue that allows an attacker with access to a Windows VDA as a standard Windows user to elevate privileges to System.Cyware
February 15, 2023 – General
One in nine online stores are leaking your data: study Full Text
Abstract
Sansec has revealed it's found a number of online stores accidentally leaking highly sensitive data. After studying 2,037 online stores, the company found that 12.3 percent exposed compressed files (in ZIP, SQL, and TAR archive formats).Cyware
February 14, 2023 – General
Social Engineering Attacks Increase in Q4 2022, Reveals Avast Labs Full Text
Abstract
Cybercriminals are becoming more adept at creating a sense of urgency for victims and motivating them to engage in their agenda, reveals the Avast Q4 2022 report. Refund and invoice fraud saw a 22% jump in December 2022, with perpetrators utilizing emails originating from a trustworthy organization ... Read MoreCyware
February 14, 2023 – Breach
Massive AdSense Fraud Campaign Uncovered - 10,000+ WordPress Sites Infected Full Text
Abstract
The threat actors behind the black hat redirect malware campaign have scaled up their campaign to use more than 70 bogus domains mimicking URL shorteners and infected over 10,800 websites. "The main objective is still ad fraud by artificially increasing traffic to pages which contain the AdSense ID which contain Google ads for revenue generation," Sucuri researcher Ben Martin said in a report published last week. Details of the malicious activity were first exposed by the GoDaddy-owned company in November 2022. The campaign, which is said to have been active since September last year, is orchestrated to redirect visitors to compromised WordPress sites to fake Q&A portals. The goal, it appears, is to increase the authority of spammy sites in search engine results. "It's possible that these bad actors are simply trying to convince Google that real people from different IPs using different browsers are clicking on their search results," Sucuri noted aThe Hacker News
February 14, 2023 – Vulnerabilities
Microsoft Patch Tuesday for February 2023 fixed actively exploited zero-days Full Text
Abstract
Microsoft Patch Tuesday security updates for February 2023 addressed 75 flaws, including three actively exploited zero-day bugs. Microsoft Patch Tuesday security updates for February 2023 fixed 75 vulnerabilities in multiple products, including Microsoft...Security Affairs
February 14, 2023 – Attack
11,000 WordPress Sites Hacked in a Backdoor Attack Full Text
Abstract
According to Sucuri’s research, the backdoor redirects users to sites that show fraudulent views of Google AdSense ads. The company’s SiteCheck remote scanner has detected more than 10,890 infected sites.Cyware
February 14, 2023 – Malware
Python Developers Beware: Clipper Malware Found in 450+ PyPI Packages!
Abstract
Malicious actors have published more than 450 unique Python packages on the official Python Package Index (PyPI) repository in an attempt to infect developer systems with clipper malware. Software supply chain security company Phylum, which spotted the libraries, said the ongoing activity is a follow-up to a campaign that was initially disclosed in November 2022. The initial vector entails using typosquatting to mimic popular packages such as beautifulsoup, bitcoinlib, cryptofeed, matplotlib, pandas, pytorch, scikit-learn, scrapy, selenium, solana, and tensorflow, among others. "After installation, a malicious JavaScript file is dropped to the system and executed in the background of any web browsing session," Phylum said in a report published last year. "When a developer copies a cryptocurrency address, the address is replaced in the clipboard with the attacker's address." This is achieved by creating a Chromium web browser extension in the Window... (The Hacker News)
February 14, 2023 – Malware
Experts discover over 450 clipper malware-laced packages in the PyPI repository
Abstract
Phylum researchers spotted more than 450 unique malware-laced Python packages on the official Python Package Index (PyPI) repository. (Security Affairs)
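Both items above describe the same pattern: a package whose name is one or two keystrokes away from a popular one. The check below, an added example rather than Phylum's tooling or code from either article, normalises requirement names the way PyPI does (PEP 503) and flags any that sit within a small Damerau-Levenshtein distance of a well-known package. The list of well-known packages is constructed from the names the article says were imitated (using beautifulsoup4, the current PyPI name) plus requests; the sample requirements lines are also constructed.

```python
"""Flag requested package names that sit within a small edit distance of a
well-known PyPI package, the typosquatting pattern described above.

Added illustration; not Phylum's tooling. The list of "popular" packages
below is constructed from the names mentioned in the article.
"""
import re

# Constructed allow-list: the popular packages the campaign imitated, plus requests.
POPULAR = [
    "beautifulsoup4", "bitcoinlib", "cryptofeed", "matplotlib", "pandas",
    "pytorch", "scikit-learn", "scrapy", "selenium", "solana", "tensorflow",
    "requests",
]

# A requirements.txt line starts with the project name, then an optional specifier.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 normalisation: case-fold and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(line):
    """Extract the normalised project name from a requirements.txt line, or None."""
    m = _NAME_RE.match(line)
    return normalize(m.group(1)) if m else None


def osa_distance(a, b):
    """Optimal string alignment (restricted Damerau-Levenshtein) distance.
    Counts insertions, deletions, substitutions and adjacent transpositions,
    so 'pandsa' is one edit away from 'pandas'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def suspected_target(name, popular=POPULAR):
    """Return (target, distance) for the closest popular package if `name`
    is a near miss, or None when it matches exactly or is not close."""
    name = normalize(name)
    targets = {normalize(p) for p in popular}
    if name in targets:
        return None  # exact match: the real package, not a squat
    best = min(targets, key=lambda t: (osa_distance(name, t), t))
    dist = osa_distance(name, best)
    limit = 1 if len(name) < 6 else 2  # short names collide too easily
    return (best, dist) if dist <= limit else None


def check_requirements(lines):
    """Scan requirement lines and return [(requested, suspected_target, distance)]."""
    findings = []
    for line in lines:
        name = requirement_name(line)
        if not name:
            continue  # blank line or comment
        hit = suspected_target(name)
        if hit:
            findings.append((name, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    # Constructed sample requirements file; 'pandsa' and 'selenuim' are typosquats.
    sample = ["pandsa==1.5.3", "requests>=2.28", "# comment", "selenuim", "matplotlib"]
    for finding in check_requirements(sample):
        print("suspicious: %s looks like %s (distance %d)" % finding)
```

Run it against a requirements file before installing: a distance-1 hit on a name you did not mean to type is exactly the squat this campaign relied on. The length-dependent threshold is a judgment call; names shorter than six characters have too many legitimate near neighbours, so they are only flagged at distance 1.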
February 14, 2023 – Attack
GoAnywhere Zero-Day Attack Victims Start Disclosing Significant Impact
Abstract
In an SEC filing, Community Health Systems (CHS), one of the largest US healthcare services providers, revealed that a “security breach experienced by Fortra” resulted in the exposure of personal information and PHI belonging to patients of CHS affiliates. (Cyware)
February 14, 2023 – Education
A CISO's Practical Guide to Storage and Backup Ransomware Resiliency
Abstract
One thing is clear: the "business value" of data continues to grow, making it an organization's primary piece of intellectual property. From a cyber risk perspective, attacks on data are the most prominent threat to organizations. Regulators, cyber insurance firms, and auditors are paying much closer attention to the integrity, resilience, and recoverability of organizational data, as well as to the IT infrastructure and systems that store it. What impact does this have on the security of storage and backup systems? Just a few years ago, almost no CISO thought that storage and backups were important. That's no longer the case today. Ransomware has pushed backup and recovery back onto the IT and corporate agenda. Cybercriminal groups such as Conti, Hive, and REvil target storage and backup systems to prevent recovery. Some ransomware strains, Locky and Crypto for example, now bypass production systems altogether and directly target backups. This... (The Hacker News)
February 14, 2023 – Denial Of Service
The Tor network hit by wave of DDoS attacks for at least 7 months
Abstract
Tor Project maintainers revealed that for at least seven months the Tor network has been hit by several waves of ongoing DDoS attacks, which explains the performance issues Tor users have experienced in recent months. (Security Affairs)
February 14, 2023 – Breach
Update: BlackCat Leaks Data Belonging to Irish University
Abstract
The Sunday dump, which appears to include sensitive data such as staff medical diagnoses and student bank account information, came days after the Irish High Court issued a temporary injunction prohibiting the ransomware attackers from leaking data. (Cyware)
February 14, 2023 – Attack
Chinese Hackers Targeting South American Diplomatic Entities with ShadowPad
Abstract
Microsoft on Monday attributed a set of attacks targeting diplomatic entities in South America to a China-based cyber espionage actor. The tech giant's Security Intelligence team is tracking the cluster under the emerging moniker DEV-0147, describing the activity as an "expansion of the group's data exfiltration operations that traditionally targeted government agencies and think tanks in Asia and Europe." The threat actor is said to use established hacking tools such as ShadowPad to infiltrate targets and maintain persistent access. ShadowPad, also called PoisonPlug, is a successor to the PlugX remote access trojan and has been widely used by Chinese adversarial collectives with links to the Ministry of State Security (MSS) and People's Liberation Army (PLA), per Secureworks. Another malicious tool utilized by DEV-0147 is a webpack loader called QuasarLoader, which allows for deploying additional payloads onto compromised hosts. (The Hacker News)
February 14, 2023 – Denial Of Service
Cloudflare blocked record-breaking 71 million request-per-second DDoS attack
Abstract
Cloudflare announced it has mitigated a record hyper-volumetric distributed denial-of-service (DDoS) attack that peaked at over 71 million requests per second. (Security Affairs)
February 14, 2023 – Ransomware
VMware ransomware was on the rise leading up to ESXiArgs spree, research finds
Abstract
Only two cyberattacks targeted ESXi with ransomware in 2020, but in 2021 Recorded Future identified more than 400 incidents. In 2022 the number ballooned almost threefold, to 1,118, the research found. (Cyware)
February 14, 2023 – Attack
Massive HTTP DDoS Attack Hits Record High of 71 Million Requests/Second
Abstract
Web infrastructure company Cloudflare on Monday disclosed that it thwarted a record-breaking distributed denial-of-service (DDoS) attack that peaked at over 71 million requests per second (RPS). "The majority of attacks peaked in the ballpark of 50-70 million requests per second (RPS) with the largest exceeding 71 million," the company said, calling it a "hyper-volumetric" DDoS attack. It's also the largest HTTP DDoS attack reported to date, roughly 54% higher than the previous record, a 46 million RPS DDoS attack that Google Cloud mitigated in June 2022. Cloudflare said the attacks singled out websites secured by its platform and emanated from a botnet comprising more than 30,000 IP addresses belonging to "numerous" cloud providers. Targeted websites included a popular gaming provider, cryptocurrency companies, hosting providers, and cloud computing platforms. HTTP attacks of this kind are designed to send a tsunami of HTTP requests t... (The Hacker News)
February 14, 2023 – Vulnerabilities
Apple fixes the first zero-day in iPhones and Macs this year
Abstract
Apple has released emergency security updates to address a new actively exploited zero-day vulnerability that impacts iPhones, iPads, and Macs. (Security Affairs)
February 14, 2023 – Business
Accenture acquires cybersecurity company Morphus
Abstract
Acquiring the privately held cyber defence, risk management, and cyber threat intelligence services provider is set to enable Accenture to widen its cybersecurity footprint in the region. (Cyware)
February 14, 2023 – Vulnerabilities
Patch Now: Apple’s iOS, iPadOS, macOS, and Safari Under Attack with New Zero-Day Flaw
Abstract
Apple on Monday rolled out security updates for iOS, iPadOS, macOS, and Safari to address a zero-day flaw that it said has been actively exploited in the wild. Tracked as CVE-2023-23529, the issue is a type confusion bug in the WebKit browser engine that can be triggered when processing maliciously crafted web content, culminating in arbitrary code execution. The iPhone maker said the bug was addressed with improved checks, adding that it's "aware of a report that this issue may have been actively exploited." An anonymous researcher has been credited with reporting the flaw. It's not immediately clear how the vulnerability is being exploited in real-world attacks, but it's the second actively abused type confusion flaw in WebKit that Apple has patched in as many months, after CVE-2022-42856, which was closed in December 2022. WebKit flaws are also notable for the fact that they impact every third-party web browser that's available fo... (The Hacker News)
February 14, 2023 – Attack
New MortalKombat Ransomware and Laplas Clipper Malware Threats Deployed in Recent Attacks
Abstract
Talos observed the actor scanning the internet for victim machines with an exposed remote desktop protocol (RDP) port 3389, using one of their download servers, which runs an RDP crawler and also serves the MortalKombat ransomware. (Cyware)
February 14, 2023 – Attack
Hackers Target Bahrain Airport, State News Agency Sites to Mark Uprising
Abstract
Hackers said they had taken down the websites of Bahrain’s international airport and state news agency on Tuesday to mark the 12-year anniversary of an Arab Spring uprising in the small Gulf country. (Cyware)
February 14, 2023 – Malware
Enigma info-stealing malware targets the cryptocurrency industry
Abstract
A malware campaign attributed to alleged Russian threat actors has been targeting cryptocurrency users in Eastern Europe with the Enigma info-stealing malware. (Security Affairs)
February 13, 2023 – Hacker
New TA866 Threat Group Selectively Targets U.S. and German Organizations
Abstract
Proofpoint security experts uncovered a threat actor, tracked as TA866, infecting companies in the U.S. and Germany with the new WasabiSeed and Screenshotter malware. The custom malware can perform surveillance and steal data. The hackers push their malware via phishing emails that include Microsoft Pu... (Cyware)
February 13, 2023 – Hacker
Hackers Create Malicious Dota 2 Game Modes to Secretly Access Players’ Systems
Abstract
An unknown threat actor created malicious game modes for the Dota 2 multiplayer online battle arena (MOBA) video game that could have been exploited to establish backdoor access to players' systems. The modes exploited a high-severity flaw in the V8 JavaScript engine tracked as CVE-2021-38003 (CVSS score: 8.8), which was exploited as a zero-day and addressed by Google in October 2021. "Since V8 was not sandboxed in Dota, the exploit on its own allowed for remote code execution against other Dota players," Avast researcher Jan Vojtěšek said in a report published last week. Following responsible disclosure to Valve, the game publisher shipped fixes on January 12, 2023, by upgrading the version of V8. Game modes are essentially custom capabilities that can either augment an existing title or offer completely new gameplay that deviates from the standard rules. While publishing a custom game mode to the Steam store includes a vetting process from... (The Hacker News)
February 13, 2023 – Breach
Enigma InfoStealer Steals Sensitive Data From Crypto Firms
Abstract
Trend Micro spotted an active campaign that uses fake employment offers as bait against the cryptocurrency industry in Eastern Europe. The hackers are reportedly deploying Enigma Stealer, a modified version of the Stealerium information stealer. The infection chain begins with a malicious RAR arch... (Cyware)
February 13, 2023 – General
Honeypot-Factory: The Use of Deception in ICS/OT Environments
Abstract
There have been a number of reports of attacks on industrial control systems (ICS) in the past few years. Looking a bit closer, most of the attacks seem to have spilt over from traditional IT. That's to be expected, as production systems are commonly connected to ordinary corporate networks at this point. Though our data does not indicate at this point that many threat actors specifically target industrial systems – in fact, most evidence points to purely opportunistic behaviour – the tide could turn at any time, once the added complexity of compromising OT environments promises to pay off. Criminals will take any chance they get to blackmail victims into extortion schemes, and halting production can cause immense damage. It is likely only a matter of time. So cybersecurity for operational technology (OT) is vitally important. Deception is an effective option to improve threat detection and response capabilities. However, ICS security differs from traditional IT security in se... (The Hacker News)
February 13, 2023 – Denial Of Service
Pro-Russia hacker group Killnet targets NATO websites with DDoS attacks
Abstract
Pro-Russia hacker group Killnet launched a distributed denial-of-service (DDoS) attack on NATO servers, including the NATO Special Operations Headquarters (NSHQ) website. (Security Affairs)
February 13, 2023 – APT
Earth Zhulong Group Uses ShellFang Loader to Target Vietnam
Abstract
Information on the sophisticated APT group Earth Zhulong, which targets Vietnamese organizations, has recently come to light. The group, which has been active since 2020, is thought to be connected to the Chinese hacker collective 1937CN. Organizations are advised to stay alert and leverage bes... (Cyware)
February 13, 2023 – Attack
Chinese Tonto Team Hackers’ Second Attempt to Target Cybersecurity Firm Group-IB Fails
Abstract
The advanced persistent threat (APT) actor known as Tonto Team carried out an unsuccessful attack on cybersecurity company Group-IB in June 2022. The Singapore-headquartered firm said that it detected and blocked malicious phishing emails originating from the group and targeting its employees. It's also the second attack aimed at Group-IB, the first of which took place in March 2021. Tonto Team, also called Bronze Huntley, Cactus Pete, Earth Akhlut, Karma Panda, and UAC-0018, is a suspected Chinese hacking group that has been linked to attacks targeting a wide range of organizations in Asia and Eastern Europe. The actor is known to have been active since at least 2009 and is said to share ties to the Third Department (3PLA) of the People's Liberation Army's Shenyang TRB (Unit 65016). Attack chains involve spear-phishing lures containing malicious attachments created using the Royal Road Rich Text Format (RTF) exploitation toolkit to drop backdoors like Bisonal, Dexbi... (The Hacker News)
February 13, 2023 – Breach
Hacktivists hacked Iranian State TV during President’s speech on Revolution Day
Abstract
A hacker collective calling itself Ali’s Justice (Edalat-e Ali) broke into the Iranian state TV broadcast during the President’s speech on Revolution Day. (Security Affairs)
February 13, 2023 – Hacker
NewsPenguin Waddles into Pakistani Organizations
Abstract
A previously unknown threat group, named NewsPenguin, was found targeting organizations in Pakistan using the upcoming Pakistan International Maritime Expo & Conference (PIMEC-2023) as bait. The researchers stated that the group is focused solely on cyberespionage, with... (Cyware)
February 13, 2023 – Hacker
Hackers Targeting U.S. and German Firms Monitor Victims’ Desktops with Screenshotter
Abstract
A previously unknown threat actor has been targeting companies in the U.S. and Germany with bespoke malware designed to steal confidential information. Enterprise security company Proofpoint, which is tracking the activity cluster under the name Screentime, said the group, dubbed TA866, is likely financially motivated. "TA866 is an organized actor able to perform well thought-out attacks at scale based on their availability of custom tools; ability and connections to purchase tools and services from other vendors; and increasing activity volumes," the company assessed. Campaigns mounted by the adversary are said to have commenced around October 3, 2022, with the attacks launched via emails containing a booby-trapped attachment or a URL that leads to malware. The attachments range from macro-laced Microsoft Publisher files to PDFs with URLs pointing to JavaScript files. The intrusions have also leveraged conversation hijacking to entice recipients into clicking on see... (The Hacker News)
February 13, 2023 – Vulnerabilities
Vulnerabilities open Korenix JetWave industrial networking devices to attack
Abstract
Three vulnerabilities found in a variety of Korenix JetWave industrial access points and LTE cellular gateways may allow attackers to either disrupt their operation or use them as a foothold for further attacks, CyberDanube researchers have found. (Cyware)
February 13, 2023 – Breach
Medical records for 4,000 Garrison Women’s Health patients lost
Abstract
Medical records of Garrison Women’s Health patients were recently "subject to unauthorized third-party activity," according to information released Friday evening by Wentworth-Douglass Hospital. (Cyware)
February 13, 2023 – Vulnerabilities
Radio silence from DMS vendor quartet over XSS zero-days
Abstract
The most severe issue affects ONLYOFFICE’s Workspace enterprise app platform. Tracked as CVE-2022-47412, the stored cross-site scripting (XSS) vulnerability is believed to impact versions from 0 through 12.1.0.1760. (Cyware)
February 13, 2023 – Breach
Play Ransomware Lists A10 Networks on Its Leak Site
Abstract
BetterCyber says that the leak site claims the ransomware group has "private and personal confidential data, a lot of technical documentation, agreements, employee and client documents." (Cyware)
February 13, 2023 – Government
Education Department reminds colleges of deadline for following cybersecurity rules
Abstract
Higher-education institutions that handle federal financial aid data have until early June to comply with federal rules for protecting privacy and personal information, the Education Department noted this week. (Cyware)
February 12, 2023 – APT
Russian Nodaria APT Adds Advanced Information Stealing Functionality
Abstract
Researchers from Broadcom’s Symantec took the wraps off an information-stealing malware known as Graphiron. The Russia-affiliated APT group Nodaria is using it in operations against Ukraine. Written in the Go programming language, the malware enables operators to gather a variety of data from the infe... (Cyware)
February 12, 2023 – Attack
The Israel Institute of Technology Technion suffered a ransomware attack
Abstract
The Technion – Israel Institute of Technology, Israel's top technology research university, was breached on Sunday by a new anti-Israel threat actor calling itself DarkBit. (Security Affairs)
February 12, 2023 – Government
Australian Defense Department will replace surveillance cameras from Chinese firms Hikvision and Dahua
Abstract
Australia’s Defense Department announced that it will replace surveillance cameras made by the Chinese firms Hikvision and Dahua, which are linked to the government in Beijing. (Security Affairs)
February 12, 2023 – Government
Russian Government evaluates immunity for hackers acting in the interests of Russia
Abstract
The Russian Government has proposed granting a form of immunity to hackers who operate in the interests of Moscow. Russian media reported that Alexander Khinshtein, the head of the Duma committee on information policy, announced that the Russian... (Security Affairs)
February 12, 2023 – General
Security Affairs newsletter Round 406 by Pierluigi Paganini
Abstract
A new round of the weekly Security Affairs newsletter has arrived! Every week the best security articles from Security Affairs are delivered free to your inbox. If you also want to receive the free newsletter with the international press, subscribe here. Clop... (Security Affairs)
February 11, 2023 – Ransomware
New ESXiArgs Ransomware Variant Emerges After CISA Releases Decryptor Tool
Abstract
After the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a decryptor for affected victims to recover from ESXiArgs ransomware attacks, the threat actors have bounced back with an updated version that encrypts more data. The emergence of the new variant was reported by a system administrator on an online forum, where another participant stated that files larger than 128MB will have 50% of their data encrypted, making the recovery process more challenging. Another notable change is the removal of the Bitcoin address from the ransom note, with the attackers now urging victims to contact them on Tox to obtain the wallet information. The threat actors "realized that researchers were tracking their payments, and they may have even known before they released the ransomware that the encryption process in the original variant was relatively easy to circumvent," Censys said in a write-up. "In other words: they are watching." Statistics shared... (The Hacker News)
February 11, 2023 – Vulnerabilities
Dota 2 Under Attack: Threat Actors Exploit a Chrome Flaw to Infect Gamers
Abstract
Security experts at Avast Threat Labs uncovered four malicious Dota 2 game mods that cyber adversaries were using to backdoor players' systems. The game mods were named Overdog no annoying heroes (id 2776998052), Custom Hero Brawl (id 2780728794), and Overthrow RTZ Edition X10 XP (id 2780559339). Th... (Cyware)
February 11, 2023 – Hacker
Enigma, Vector, and TgToxic: The New Threats to Cryptocurrency Users
Abstract
Suspected Russian threat actors have been targeting Eastern European users in the crypto industry with fake job opportunities as bait to install information-stealing malware on compromised hosts. The attackers "use several highly obfuscated and under-development custom loaders in order to infect those involved in the cryptocurrency industry with Enigma stealer," Trend Micro researchers Aliakbar Zahravi and Peter Girnus said in a report this week. Enigma is said to be an altered version of Stealerium, an open source C#-based malware that acts as a stealer, clipper, and keylogger. The intricate infection chain starts with a rogue RAR archive file that's distributed via phishing or social media platforms. It contains two documents, one of which is a .TXT file that includes a set of sample interview questions related to cryptocurrency. The second file is a Microsoft Word document that, while serving as a decoy, is tasked with launching the first-stage Enigma loader,... (The Hacker News)
February 11, 2023 – Government
Remcos RAT Used to Spy on Ukrainian Government - Says CERT-UA
Abstract
An alert from CERT-UA revealed that threat actors conducted a phishing campaign against Ukrainian government agencies to deploy the Remcos RAT on their computers. The email contained a file reminding recipients to pay for services from Ukrtelecom. This latest Remcos version leverages th... (Cyware)
February 11, 2023 – Government
CISA Warns of Active Attacks Exploiting Fortra MFT, TerraMaster NAS, and Intel Driver Flaws
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added three flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active abuse in the wild. Included among the three is CVE-2022-24990, a bug affecting TerraMaster network-attached storage (TNAS) devices that could lead to unauthenticated remote code execution with the highest privileges. Details about the flaw were disclosed by Ethiopian cyber security research firm Octagon Networks in March 2022. The vulnerability, according to a joint advisory released by U.S. and South Korean government authorities, is said to have been weaponized by North Korean nation-state hackers to strike healthcare and critical infrastructure entities with ransomware. The second shortcoming added to the KEV catalog is CVE-2015-2291, an unspecified flaw in the Intel ethernet diagnostics driver for Windows (IQVW32.sys and IQVW64.sys) that could throw an affected device into a denial-of-service... (The Hacker News)
February 11, 2023 – Ransomware
Cl0p Goes Linux Ways, With Flaws and Frowns
Abstract
SentinelLabs claimed to have observed the first Linux variant of Cl0p ransomware. The ELF variant uses the same encryption method and similar process logic as the Windows version. Given that some Windows-only capabilities are missing from this new Linux version, it appears to stil... (Cyware)
February 11, 2023 – Hacker
Digital Rights Defenders Infiltrate Alleged Mercenary Hacking Group
Abstract
The EFF has been tracking Dark Caracal since 2015. In 2020, Quintin and EFF’s director of cybersecurity Eva Galperin published a report about a hacking campaign focused on Lebanese targets. (Cyware)
February 11, 2023 – Attack
Clop ransomware claims the hack of 130 orgs using GoAnywhere MFT flaw
Abstract
The Clop ransomware group claims to have stolen sensitive data from over 130 organizations by exploiting a zero-day vulnerability (CVE-2023-0669) in GoAnywhere MFT. (Security Affairs)
February 11, 2023 – Government
CISA adds Fortra MFT, TerraMaster NAS, Intel driver Flaws, to its Known Exploited Vulnerabilities Catalog
Abstract
US CISA added actively exploited flaws in Fortra MFT (CVE-2023-0669), the Intel ethernet diagnostics driver, and TerraMaster NAS to its Known Exploited Vulnerabilities Catalog. (Security Affairs)
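The practical follow-up to a KEV addition is to work out which of your own systems carry the catalogued flaws and whether the remediation due date has passed. The script below does that cross-reference for the three CVEs named in these two items; it is an added example, not CISA's or either publication's code. The field names follow the KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), but the catalog excerpt, the host inventory, the dates and the ransomware flags are constructed for illustration and are not the feed's real values.

```python
"""Cross-reference a CISA KEV catalog excerpt against an asset inventory and
report which hosts carry catalogued flaws, which are past their remediation
due date, and which are tied to known ransomware use.

Added illustration, not CISA tooling. Field names follow the KEV JSON feed;
the catalog excerpt, inventory, dates and ransomware flags are constructed.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the KEV feed, covering the three
# CVEs named above. Dates and the ransomware flag are illustrative values.
KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2023-0669", "vendorProject": "Fortra",
     "product": "GoAnywhere MFT", "dateAdded": "2023-02-10",
     "dueDate": "2023-03-03", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2022-24990", "vendorProject": "TerraMaster",
     "product": "TOS", "dateAdded": "2023-02-10",
     "dueDate": "2023-03-03", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2015-2291", "vendorProject": "Intel",
     "product": "Ethernet Diagnostics Driver", "dateAdded": "2023-02-10",
     "dueDate": "2023-03-03", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed inventory: host -> CVE IDs reported by a vulnerability scanner.
INVENTORY = {
    "mft-edge-01": ["CVE-2023-0669"],
    "nas-lab-02": ["CVE-2022-24990"],
    "ws-0417": ["CVE-2015-2291", "CVE-2023-0669"],
    "web-03": [],
}


def load_kev(text):
    """Index the catalog by CVE ID for constant-time lookups."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def match_inventory(kev, inventory, today):
    """Return one finding per (host, CVE) pair that appears in the catalog.
    `today` may be a date or an ISO 8601 string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: no evidence of exploitation in the wild
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": host,
                "cve": cve,
                "product": entry["vendorProject"] + " " + entry["product"],
                "due": due.isoformat(),
                "overdue": today > due,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    # Overdue items first, then ransomware-linked ones, then by due date and host.
    findings.sort(key=lambda f: (not f["overdue"], not f["ransomware"], f["due"], f["host"]))
    return findings


def overdue_hosts(findings):
    """Hosts with at least one KEV item past its due date, sorted."""
    return sorted({f["host"] for f in findings if f["overdue"]})


if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    for f in match_inventory(kev, INVENTORY, date(2023, 3, 10)):
        flag = "OVERDUE" if f["overdue"] else "due " + f["due"]
        tag = "  ransomware" if f["ransomware"] else ""
        print("%-12s %-15s %-32s %s%s" % (f["host"], f["cve"], f["product"], flag, tag))
```

The real feed is published at the URL CISA lists alongside the catalog and is refreshed as entries are added, so the same lookup runs unchanged against a downloaded copy; only the inventory side is yours to supply. Sorting puts overdue and ransomware-linked items at the top because those are the ones a BOD 22-01-style deadline or an incident responder cares about first.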
February 11, 2023 – Education
Six Common Ways That Malware Strains Get Their Names
Abstract
If a cybercriminal doesn’t name their strain themselves, a cybersecurity researcher creates the name. The primary researcher of the strain will usually come up with the name, and they sometimes assign one that seems random but usually is not. (Cyware)
February 11, 2023 – Breach
Ransomware crooks steal 3m+ patients’ sensitive info
Abstract
Several California medical groups have sent security breach notification letters to more than three million patients, alerting them that crooks may have stolen large amounts of their sensitive health and personal information during a ransomware infection. (Cyware)
February 11, 2023 – Hacker
MagicWeb Mystery Highlights Nobelium Attacker’s Sophistication
Abstract
Microsoft has tracked down a sophisticated authentication bypass for Active Directory Federation Services (AD FS), pioneered by the Russia-linked Nobelium threat actor group. (Cyware)
February 10, 2023 – Malware
Researchers Uncover Obfuscated Malicious Code in PyPI Python Packages
Abstract
Four rogue packages in the Python Package Index (PyPI) have been found to carry out a number of malicious actions, including dropping malware, deleting the netstat utility, and manipulating the SSH authorized_keys file. The packages in question are aptx, bingchilling2, httops, and tkint3rs, all of which were collectively downloaded about 450 times before they were taken down. While aptx is an attempt to impersonate Qualcomm's highly popular audio codec of the same name, httops and tkint3rs are typosquats of https and tkinter, respectively. "Most of these packages had well thought out names, to purposely confuse people," security researcher and journalist Ax Sharma said. An analysis of the malicious code injected in the setup script reveals the presence of an obfuscated Meterpreter payload that's disguised as "pip," a legitimate package installer for Python, and can be leveraged to gain shell access to the infected host. Also... (The Hacker News)
February 10, 2023 – Attack
Ransomware attack hit the City of Oakland
Abstract
A ransomware attack hit the City of Oakland this week, forcing it to take all systems offline in response to the incident. The City of Oakland disclosed that the security breach began on Wednesday night. (Security Affairs)
February 10, 2023 – Hacker
North Korean Hackers Targeting Healthcare with Ransomware to Fund its Operations
Abstract
State-backed hackers from North Korea are conducting ransomware attacks against healthcare and critical infrastructure facilities to fund illicit activities, U.S. and South Korean cybersecurity and intelligence agencies warned in a joint advisory. The attacks, which demand cryptocurrency ransoms in exchange for recovering access to encrypted files, are designed to support North Korea's national-level priorities and objectives. This includes "cyber operations targeting the United States and South Korea governments — specific targets include Department of Defense Information Networks and Defense Industrial Base member networks," the authorities said. Threat actors affiliated with North Korea have been linked to espionage, financial theft, and cryptojacking operations for years, including the infamous WannaCry ransomware attacks of 2017 that infected hundreds of thousands of machines in over 150 countries. Since then, North Korean nation-state crews have dabbled... (The Hacker News)
February 10, 2023 – APT
DPRK funds malicious cyber activities with ransomware attacks on critical infrastructure
Abstract
North Korea-linked APT groups conduct ransomware attacks against healthcare and critical infrastructure facilities to fund the regime's activities. (Security Affairs)
February 10, 2023 – Education
3 Overlooked Cybersecurity Breaches
Abstract
Here are three of the worst breaches, attacker tactics and techniques of 2022, and the security controls that can provide effective enterprise protection against them. #1: 2 RaaS Attacks in 13 Months. Ransomware as a service is a type of attack in which the ransomware software and infrastructure are leased out to the attackers. These ransomware services can be purchased on the dark web from other threat actors and ransomware gangs. Common purchasing plans include buying the entire tool, using the existing infrastructure while paying per infection, or letting other attackers perform the service while sharing revenue with them. In this attack, the threat actor is one of the most prevalent ransomware groups, specializing in access via third parties, while the targeted company is a medium-sized retailer with dozens of sites in the United States. The threat actors used ransomware as a service to breach the victim's network. They were able to exploit third-party creden... (The Hacker News)
February 10, 2023 – Hacker
New TA866 group targets companies with custom Screenshotter malware
Abstract
The TA866 hacking group targets organizations in the United States and Germany with new spyware tracked as Screenshotter, according to security firm Proofpoint. (Security Affairs)
February 10, 2023 – Vulnerabilities
February 2023 Patch Tuesday forecast: A Valentine’s date
Abstract
For many, CVSS from FIRST has been the driving force in that process. One of the major objectives behind the calculation of the CVSS number is to ensure standardization, so that all CVEs are scored consistently and can be accurately compared. (Cyware)
February 10, 2023 – Policy and Law
U.K. and U.S. Sanction 7 Russians for TrickBot, Ryuk, and Conti Ransomware Attacks
Abstract
In a first-of-its-kind coordinated action, the U.K. and U.S. governments on Thursday levied sanctions against seven Russian nationals for their affiliation with the TrickBot, Ryuk, and Conti cybercrime operation. The individuals designated under sanctions are Vitaly Kovalev (aka Alex Konor, Bentley, or Bergen), Maksim Mikhailov (aka Baget), Valentin Karyagin (aka Globus), Mikhail Iskritskiy (aka Tropa), Dmitry Pleshevskiy (aka Iseldor), Ivan Vakhromeyev (aka Mushroom), and Valery Sedletski (aka Strix). "Current members of the TrickBot group are associated with Russian Intelligence Services," the U.S. Treasury Department noted. "The TrickBot group's preparations in 2020 aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services." TrickBot, which is attributed to a threat actor tracked as ITG23, Gold Blackburn, and Wizard Spider, emerged in 2016 as a derivative of the Dyre banking trojan and evolved into a highly... (The Hacker News)
February 10, 2023 – Breach
Reddit discloses security breach that exposed source code and internal docs
Abstract
Social news aggregation platform Reddit suffered a security breach in which attackers gained unauthorized access to internal documents, code, and some business systems. Reddit said it was hit by a sophisticated and highly targeted attack. (Security Affairs)
February 10, 2023 – Vulnerabilities
Apple says watchdog tweaks would make iOS an Android ‘clone’ Full Text
Abstract
Apple said in its response that it was "particularly concerned by some of the remedy options that the CMA is now considering in relation to cloud gaming, which appear to fall outside the underlying basis for the market investigation."Cyware
February 10, 2023 – Breach
Reddit Suffers Security Breach Exposing Internal Documents and Source Code Full Text
Abstract
Popular social news aggregation platform Reddit has disclosed that it was the victim of a security incident that enabled unidentified threat actors to gain unauthorized access to internal documents, code, and some unspecified business systems. The company blamed it on a "sophisticated and highly-targeted phishing attack" that took place on February 5, 2023, aimed at its employees. The attack entailed sending out "plausible-sounding prompts" that redirected to a website masquerading as Reddit's intranet portal in an attempt to steal credentials and two-factor authentication (2FA) tokens. A single employee's credentials is said to have been phished in this manner, enabling the threat actor to access Reddit's internal systems. The affected employee self-reported the hack, it further added. The company, however, stressed that there is no evidence to suggest that its production systems were breached or that users' non-public data had been compromiseThe Hacker News
February 10, 2023 – Malware
Android mobile devices from top vendors in China have pre-installed malware
Abstract: Researchers reported that top-of-the-line Android mobile devices sold in China are shipped with malware. China is currently the country with the largest number of Android mobile devices, but a recent study conducted by researchers from the University... (Source: Security Affairs)
February 10, 2023 – General
Avast Threat Labs releases Q4 2022 Threat Report
Abstract: The top countries affected by tech support scams are the United States, Brazil, Japan, Canada, and France. These scams typically start with a pop-up window claiming a malware infection and urging the person to call a helpline for resolution. (Source: Cyware)
February 9, 2023 – Malware
Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs
Abstract: The initial stage of Enigma, Interview conditions.word.exe, is a downloader written in C++. Its primary objective is to download, deobfuscate, decompress, and launch the secondary stage payload. (Source: Cyware)
February 09, 2023 – Vulnerabilities
Critical Infrastructure at Risk from New Vulnerabilities Found in Wireless IIoT Devices
Abstract: A set of 38 security vulnerabilities has been uncovered in wireless industrial internet of things (IIoT) devices from four different vendors that could pose a significant attack surface for threat actors looking to exploit operational technology (OT) environments. "Threat actors can exploit vulnerabilities in Wireless IIoT devices to gain initial access to internal OT networks," Israeli industrial cybersecurity company Otorio said. "They can use these vulnerabilities to bypass security layers and infiltrate target networks, putting critical infrastructure at risk or interrupting manufacturing." The flaws, in a nutshell, offer a remote entry point for attack, enabling unauthenticated adversaries to gain a foothold and subsequently use it as leverage to spread to other hosts, thereby causing significant damage. Some of the identified shortcomings could be chained to give an external actor direct access to thousands of internal OT networks over the internet, secu... (Source: The Hacker News)
February 9, 2023 – Government
United States and United Kingdom Issue Joint Sanctions on Members of Russian Cybercrime Gang
Abstract: The United States and United Kingdom have issued joint sanctions against members of Trickbot, the first sanctions of their kind from U.K. authorities. (Source: Lawfare)
February 9, 2023 – Criminals
US and UK sanctioned seven Russian members of Trickbot gang
Abstract: The US and the UK authorities have sanctioned seven Russian individuals for their involvement in the TrickBot operations. The US Treasury... (Source: Security Affairs)
February 9, 2023 – Botnet
Medusa Botnet Goes Through a Major Transformation
Abstract: Researchers at Cyble uncovered a new Medusa DDoS botnet version based on the leaked Mirai source code. With this, it has inherited Mirai's DDoS attack options and Linux targeting capabilities. It comes with a ransomware module and a Telnet brute-forcer. Additionally, a dedicated portal now adverti... (Source: Cyware)
February 09, 2023 – Education
THN Webinar – Learn How to Comply with New Cyber Insurance Identity Security Requirements
Abstract: The Hacker News is thrilled to announce the launch of our new educational webinar series, in collaboration with the leading cybersecurity companies in the industry! Get ready to dive into the world of enterprise-level security with expert guests who will share their vast knowledge and provide you with valuable insights and information on various security topics. Whether you're a seasoned professional or just starting out in the cybersecurity industry, these webinars are a must-attend. So, mark your calendars and sign up today! Have you ever stopped to think about the potential consequences of a cyberattack on your organization? It's getting more intense and destructive every day, and organizations are feeling the heat. That's why more and more businesses are turning to cyber insurance to find some much-needed peace of mind. Imagine, in the unfortunate event of a successful security breach or ransomware attack, the right policy can help minimize liability and contai... (Source: The Hacker News)
February 9, 2023 – Education
Cyberspace and Instability: Reconceptualizing Instability
Abstract: A new volume edited by Bobby Chesney and co-authors reconceptualizes instability in relation to cyberspace. (Source: Lawfare)
February 9, 2023 – Ransomware
A new variant of ESXiArgs ransomware makes recovery much harder
Abstract: Experts warn of new ESXiArgs ransomware attacks using an upgraded version that makes it harder to recover VMware ESXi virtual machines. Experts spotted a new variant of ESXiArgs ransomware targeting VMware ESXi servers; the authors have improved the encryption... (Source: Security Affairs)
February 9, 2023 – Attack
QakNote Campaign Leverages OneNote to Infect Victims with QBot
Abstract: A large-scale QakNote campaign is ongoing that drops the QBot banking trojan on systems via malicious Microsoft OneNote attachments. The phishing emails contain OneNote files with an embedded HTML application (HTA file) that retrieves the QBot malware payload. The adoption signals “a much more aut... (Source: Cyware)
February 09, 2023 – Hacker
NewsPenguin Threat Actor Emerges with Malicious Campaign Targeting Pakistani Entities
Abstract: A previously unknown threat actor dubbed NewsPenguin has been linked to a phishing campaign targeting Pakistani entities by leveraging the upcoming international maritime expo as a lure. "The attacker sent out targeted phishing emails with a weaponized document attached that purports to be an exhibitor manual for PIMEC-23," the BlackBerry Research and Intelligence Team said. PIMEC, short for Pakistan International Maritime Expo and Conference, is an initiative of the Pakistan Navy and is organized by the Ministry of Maritime Affairs with an aim to "jump start development in the maritime sector." It's scheduled to be held from February 10-12, 2023. The Canadian cybersecurity company said the attacks are designed to target marine-related entities and the event's visitors by tricking the message recipients into opening the seemingly harmless Microsoft Word document. Once the document is launched, a method called remote template injection is employ... (Source: The Hacker News)
February 9, 2023 – Disinformation
Twitter restricted in Turkey after the earthquake amid disinformation fear
Abstract: Global internet monitor NetBlocks reported that network data confirm that Twitter has been restricted in Turkey in the aftermath of the earthquake... (Source: Security Affairs)
February 9, 2023 – Malware
Quasar RAT Propagated via Private Home Trading System
Abstract: A private Home Trading System (HTS) is being used to spread the Quasar RAT, according to ASEC. In other cases, phoney investment firms that passed for real ones persuaded customers to install a fake HTS so they could steal their money. Quasar RAT comes with remote command execution and uploading and down... (Source: Cyware)
February 09, 2023 – General
A Hacker's Pot of Gold: Your MSP’s Data
Abstract: A single ransomware attack on a New Zealand managed service provider (MSP) disrupted several of its clients' business operations overnight, most belonging to the healthcare sector. According to the country's privacy commissioner, "a cyber security incident involving a ransomware attack" in late November upended the daily operations of New Zealand's health ministry when it prevented the staff from accessing thousands of medical records. The Ministry of Justice, six health regulatory authorities, a health insurer, and a handful of other businesses also number among those affected by second-hand damage from the attack. There are ways to recover from a ransomware attack, but the damage often extends into the attacked organization's customers and vendors. The targeted MSP in this incident is Mercury IT, a business based in Australia. Te Whatu Ora, the New Zealand health ministry, was unable to access at least 14,000 medical records because of the outage at... (Source: The Hacker News)
February 9, 2023 – Criminals
Experts published a list of proxy IPs used by the pro-Russia group Killnet
Abstract: SecurityScorecard’s researchers published a list of proxy IPs used by the pro-Russia group Killnet, with the intent of helping defenders neutralize its attacks and interfere... (Source: Security Affairs)
February 9, 2023 – Hacker
Scattered Spider Shifts Focus from BPOs and Telcos to IT and Gaming Companies
Abstract: A CrowdStrike report revealed that the Scattered Spider threat actors are still actively targeting video game and tech companies, after attacking 130 organizations in 2022. There are fake domains impersonating video game makers Roblox and Zynga; IT giants Intuit, Salesforce, Comcast, and Grubhub; a... (Source: Cyware)
February 09, 2023 – Malware
Gootkit Malware Adopts New Tactics to Attack Healthcare and Finance Firms
Abstract: The Gootkit malware is prominently going after healthcare and finance organizations in the U.S., U.K., and Australia, according to new findings from Cybereason. The cybersecurity firm said it investigated a Gootkit incident in December 2022 that adopted a new method of deployment, with the actors abusing the foothold to deliver Cobalt Strike and SystemBC for post-exploitation. "The threat actor displayed fast-moving behaviors, quickly heading to control the network it infected, and getting elevated privileges in less than 4 hours," Cybereason said in an analysis published February 8, 2023. Gootkit, also called Gootloader, is exclusively attributed to a threat actor tracked by Mandiant as UNC2565. Starting its life in 2014 as a banking trojan, the malware has since morphed into a loader capable of delivering next-stage payloads. The shift in tactics was first uncovered by Sophos in March 2021. Gootloader takes the form of heavily-obfuscated JavaScript files that... (Source: The Hacker News)
February 9, 2023 – Hacker
NewsPenguin, a Previously Unknown Threat Actor, Targets Pakistan with Advanced Espionage Tool
Abstract: The Canadian cybersecurity company said the attacks are designed to target marine-related entities and the event's visitors by tricking the message recipients into opening the seemingly harmless Microsoft Word document. (Source: Cyware)
February 09, 2023 – Vulnerabilities
OpenSSL Fixes Multiple New Security Flaws with Latest Update
Abstract: The OpenSSL Project has released fixes to address several security flaws, including a high-severity bug in the open source encryption toolkit that could potentially expose users to malicious attacks. Tracked as CVE-2023-0286, the issue relates to a case of type confusion that may permit an adversary to "read memory contents or enact a denial-of-service," the maintainers said in an advisory. The vulnerability is rooted in the way the popular cryptographic library handles X.509 certificates, and is likely to impact only those applications that have a custom implementation for retrieving a certificate revocation list (CRL) over a network. "In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature," OpenSSL said. "If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon." (Source: The Hacker News)
February 9, 2023 – Breach
AmerisourceBergen Healthcare Company Has Been Breached
Abstract: The Lorenz gang chose to get inside organizations’ networks by leveraging critical flaws in Mitel telephony systems. After the initial access, the threat actor remains silent for months and then exfiltrates and encrypts files using a backdoor. (Source: Cyware)
February 9, 2023 – Government
FBI Media Alert: Valentine’s Day in New Mexico Means Love - and Scams
Abstract: Romance scam perpetrators are usually men targeting older women who are divorced, widowed, elderly, or disabled—but scammers do not discriminate. To facilitate the investment and demonstrate the ROI, victims are directed to fake websites. (Source: Cyware)
February 8, 2023 – Outage
Ireland’s Munster Technological University Forced to Cancel All Classes Due to Cyberattack
Abstract: The Munster Technological University (MTU) in Ireland announced on Monday that its campuses in Cork would be closed following a “significant IT breach and telephone outage.” A number of learning tools, including Canvas, are reportedly affected. (Source: Cyware)
February 08, 2023 – Encryption
NIST Standardizes Ascon Cryptographic Algorithm for IoT and Other Lightweight Devices
Abstract: The U.S. National Institute of Standards and Technology (NIST) has announced that a family of authenticated encryption and hashing algorithms known as Ascon will be standardized for lightweight cryptography applications. "The chosen algorithms are designed to protect information created and transmitted by the Internet of Things (IoT), including its myriad tiny sensors and actuators," NIST said. "They are also designed for other miniature technologies such as implanted medical devices, stress detectors inside roads and bridges, and keyless entry fobs for vehicles." Put differently, the idea is to adopt security protections via lightweight cryptography in devices that have a "limited amount of electronic resources." Ascon is credited to a team of cryptographers from the Graz University of Technology, Infineon Technologies, Lamarr Security Research, and Radboud University. The suite comprises the authenticated ciphers ASCON-128, ASCON-128a, and a vari... (Source: The Hacker News)
February 8, 2023 – Breach
Russian e-commerce giant Elevel exposed buyers’ delivery addresses
Abstract: A leading electrical engineering company in Russia, Elevel, has exposed its customers' personally identifiable information (PII), including full names and addresses. Original post at https://cybernews.com/privacy/russian-e-commerce-giant-data-leak/ Founded... (Source: Security Affairs)
February 8, 2023 – Vulnerabilities
GoAnywhere MFT Zero-Day Exploited in the Wild; Patch and Exploit Out
Abstract: A security researcher from Code White published proof-of-concept (PoC) exploit code against vulnerable GoAnywhere MFT servers. Exploitation of the bug allows an attacker to perform unauthenticated RCE on compromised systems. The exploit requires access to the application's administrative console... (Source: Cyware)
February 08, 2023 – Vulnerabilities
Unpatched Security Flaws Disclosed in Multiple Document Management Systems
Abstract: Multiple unpatched security flaws have been disclosed in open source and freemium Document Management System (DMS) offerings from four vendors: LogicalDOC, Mayan, ONLYOFFICE, and OpenKM. Cybersecurity firm Rapid7 said the eight vulnerabilities offer a mechanism through which "an attacker can convince a human operator to save a malicious document on the platform and, once the document is indexed and triggered by the user, giving the attacker multiple paths to control the organization." The list of eight cross-site scripting (XSS) flaws, discovered by Rapid7 researcher Matthew Kienow, is as follows: CVE-2022-47412, ONLYOFFICE Workspace Search Stored XSS; CVE-2022-47413 and CVE-2022-47414, OpenKM Document and Application XSS; CVE-2022-47415, CVE-2022-47416, CVE-2022-47417, and CVE-2022-47418, LogicalDOC Multiple Stored XSS; CVE-2022-47419, Mayan EDMS Tag Stored XSS. Stored XSS, also known as persistent XSS, occurs when a malicious script is injected directly into... (Source: The Hacker News)
February 8, 2023 – Breach
Researcher compromised the Toyota Supplier Management Network
Abstract: The infrastructure of Toyota was compromised again; this time its global supplier management network was hacked by a researcher. The security researcher Eaton Zveare exploited a vulnerability in Toyota’s Global Supplier Preparation Information... (Source: Security Affairs)
February 8, 2023 – Botnet
Qakbot Mechanizes Distribution of Malicious OneNote Documents
Abstract: Qakbot began using OneNote .one documents (also called “Notebooks” by Microsoft) in its attacks on January 31. On Tuesday, Sophos researchers observed two parallel spam campaigns. (Source: Cyware)
February 08, 2023 – Policy and Law
Sydney Man Sentenced for Blackmailing Optus Customers After Data Breach
Abstract: A Sydney man has been sentenced to an 18-month Community Correction Order (CCO) and 100 hours of community service for attempting to take advantage of the Optus data breach last year to blackmail its customers. The unnamed individual, 19 when arrested in October 2022 and now 20, used the leaked records stolen from the security lapse to orchestrate an SMS-based extortion scheme. The suspect contacted dozens of victims to threaten that their personal information would be sold to other hackers and "used for fraudulent activity" unless an AU$2,000 payment was made to a bank account under his control. The scammer is said to have sent the SMS messages to 92 individuals whose information was part of a larger cache of 10,200 records that was briefly published on a criminal forum in September 2022. The Australian Federal Police (AFP), which launched Operation Guardian following the breach, said there is no evidence that any of the affected customers transferred the dem... (Source: The Hacker News)
February 8, 2023 – Criminals
Russian national pleads guilty to money laundering linked to Ryuk Ransomware operation
Abstract: A Russian national pleaded guilty in the U.S. to money laundering charges linked to the Ryuk ransomware operation. On February 7, 2023, Russian national Denis Mihaqlovic Dubnikov (30) pleaded guilty in the U.S. to one count of conspiracy to commit... (Source: Security Affairs)
February 8, 2023 – Criminals
Hong Kong police and Interpol uncover servers used by global phishing syndicate
Abstract: Bogus apps impersonated banks, media players, and others to steal data from victims’ smartphones. Registered subscribers for the servers were individuals in mainland China, the Philippines, and Cambodia. (Source: Cyware)
February 08, 2023 – Attack
Russian Hackers Using Graphiron Malware to Steal Data from Ukraine
Abstract: A Russia-linked threat actor has been observed deploying a new information-stealing malware in cyber attacks targeting Ukraine. Dubbed Graphiron by Broadcom-owned Symantec, the malware is the handiwork of an espionage group known as Nodaria, which is tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0056. "The malware is written in Go and is designed to harvest a wide range of information from the infected computer, including system information, credentials, screenshots, and files," the Symantec Threat Hunter Team said in a report shared with The Hacker News. Nodaria was first spotlighted by CERT-UA in January 2022, calling attention to the adversary's use of SaintBot and OutSteel malware in spear-phishing attacks targeting government entities. The group, which is said to be active since at least April 2021, has since repeatedly deployed custom backdoors such as GraphSteel and GrimPlant in various campaigns since Russia's... (Source: The Hacker News)
February 8, 2023 – Malware
New Graphiron info-stealer used in attacks against Ukraine
Abstract: A Russia-linked threat actor has been observed deploying a new information stealer dubbed Graphiron in attacks against Ukraine. Researchers from Broadcom Symantec spotted a Russia-linked APT group, tracked as Nodaria (aka UAC-0056), deploying new info-stealing... (Source: Security Affairs)
February 8, 2023 – Phishing
Crypto Drainer Scam Lures Unwitting Users into Giving Away their Funds
Abstract: Threat actors are providing pre-made, counterfeit cryptocurrency webpages that are being used as phishing baits under a malicious campaign dubbed Crypto Drainer to steal assets from wallets. These phishing pages purport to mint non-fungible tokens (NFTs) and use third-party services and application... (Source: Cyware)
February 08, 2023 – Education
How to Think Like a Hacker and Stay Ahead of Threats
Abstract: To succeed as a cybersecurity analyst, you need to understand the traits, values, and thought processes of hackers, along with the tools they use to launch their attacks. During a webinar called The Hacker Mindset, a Red Team Researcher shared how you can use some of these tools for your own detection and prevention of breaches. He also demonstrated how an attack takes place, using the Follina exploit as an example. So, what does "the hacker mindset" mean? The hacker mindset can be characterized by three core values: a strong sense of curiosity, an adversarial attitude, and persistence. 3 core values of a hacker's mindset: 1. "Curiosity might have killed the cat, but it had nine lives." Curiosity drives hackers to explore and understand systems, networks, and software in order to identify vulnerabilities. Not only are they constantly seeking new knowledge and skills to improve their abilities and stay ahead of security measures, they're cons... (Source: The Hacker News)
February 8, 2023 – Government
Ukraine CERT-UA warns of phishing attacks employing Remcos software
Abstract: The Computer Emergency Response Team of Ukraine (CERT-UA) is warning of a phishing campaign aimed at state authorities to deploy the Remcos software... (Source: Security Affairs)
February 8, 2023 – Business
Build38 Raises $14M in Series A Funding
Abstract: The round was led by Tikehau Capital’s European Cybersecurity Growth Fund, with participation from existing investors eCAPITAL Entrepreneurial Partners and Caixa Capital Risc. (Source: Cyware)
February 08, 2023 – Criminals
Russian Hacker Pleads Guilty to Money Laundering Linked to Ryuk Ransomware
Abstract: A Russian national on February 7, 2023, pleaded guilty in the U.S. to money laundering charges and to attempting to conceal the source of funds obtained in connection with Ryuk ransomware attacks. Denis Mihaqlovic Dubnikov, 30, was arrested in Amsterdam in November 2021 before he was extradited from the Netherlands in August 2022. He is awaiting sentencing on April 11, 2023. "Between at least August 2018 and August 2021, Dubnikov and his co-conspirators laundered the proceeds of Ryuk ransomware attacks on individuals and organizations throughout the United States and abroad," the Department of Justice (DoJ) said. Dubnikov and his accomplices are said to have engaged in various criminal schemes designed to obscure the trail of the ill-gotten proceeds. According to the DoJ, a chunk of the 250 Bitcoin ransom paid by a U.S. company in July 2019 after a Ryuk attack was sent to Dubnikov in exchange for about $400,000. The crypto was subsequently converted to Tether and trans... (Source: The Hacker News)
February 8, 2023 – Government
US CISA releases a script to recover servers infected with ESXiArgs ransomware
Abstract: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a script to recover VMware ESXi servers infected with ESXiArgs ransomware. Good news for the victims of the recent wave of ESXiArgs ransomware attacks, the U.S. Cybersecurity... (Source: Security Affairs)
February 8, 2023 – Cryptocurrency
Backdoor in Dingo Cryptocurrency Allows Creator to Steal (Nearly) Everything
Abstract: While the documents describing the Dingo Token claimed that the scheme charged 10% per transaction, Check Point researchers found 47 transactions where the total fee per transaction had been increased to 99%. (Source: Cyware)
February 08, 2023 – Government
CERT-UA Alerts Ukrainian State Authorities of Remcos Software-Fueled Cyber Attacks
Abstract: The Computer Emergency Response Team of Ukraine (CERT-UA) has issued an alert warning of cyber attacks against state authorities in the country that deploy a legitimate remote access software named Remcos. The mass phishing campaign has been attributed to a threat actor it tracks as UAC-0050, with the agency describing the activity as likely motivated by espionage given the toolset employed. The bogus emails that kick-start the infection sequence claim to be from Ukrainian telecom company Ukrtelecom and come bearing a decoy RAR archive. Of the two files present in the archive, one is a password-protected RAR archive that's over 600MB and the other is a text file containing the password to open the RAR file. Embedded within the second RAR archive is an executable that leads to the installation of the Remcos remote access software, granting the attacker full access to commandeer compromised computers. Remcos, short for remote control and surveillance software, is offered by B... (Source: The Hacker News)
February 8, 2023 – Attack
Ransomware Attacks Target VMware ESXi Servers Worldwide
Abstract: Threats surrounding VMware ESXi servers have multiplied. At least two ransomware variants, including Royal Ransomware and ESXiArgs, were found launching attacks on the servers. The latter exploits an old VMware flaw, identified as CVE-2021-21974. With this, they have joined the likes of Black B... (Source: Cyware)
February 7, 2023 – Attack
British Steel Industry Supplier Vesuvius Suffers Cyber Incident
Abstract: The British manufacturer confirmed that the incident “involved unauthorized access to our systems,” although it did not provide further details on what the access was or what kind of cyber actor may have been responsible. (Source: Cyware)
February 07, 2023 – Criminals
Encrypted Messaging App Exclu Used by Criminal Groups Cracked by Joint Law Enforcement
Abstract: A joint law enforcement operation conducted by Germany, the Netherlands, and Poland has cracked yet another encrypted messaging application, named Exclu, used by organized crime groups. Eurojust, in a press statement, said the February 3 exercise resulted in the arrests of 45 individuals across Belgium and the Netherlands, some of whom include users as well as the administrators and owners of the service. Authorities also launched raids in 79 locations, leading to the seizure of €5.5 million in cash, 300,000 ecstasy tablets, 20 firearms, and 200 phones. Two drug laboratories have further been shut down. The investigation into Exclu is said to have commenced in Germany as far back as June 2020. The application, prior to its takedown, had an estimated 3,000 users, of which 750 are Dutch speakers. The Politie, in an announcement of its own, noted that it was able to gain covert access to the service, permitting the agency to read messages sent by its users for the past five months... (Source: The Hacker News)
February 7, 2023 – Ransomware
New Linux variant of Clop Ransomware uses a flawed encryption algorithm
Abstract: A new Linux variant of the Clop ransomware has been observed in the wild; the good news is that its encryption algorithm is flawed. SentinelLabs researchers have observed the first Linux variant of the Clop ransomware. The researchers noticed that... (Source: Security Affairs)
February 7, 2023 – Outage
Cyberattack Gives 19,000 Students A Day Off School at Berkeley County Schools
Abstract: The Berkeley County Schools suffered a network outage which affected IT operations across the school system, WV Metro News reported. Personal data on the students may have been harvested in the cyberattack. (Source: Cyware)
February 07, 2023 – Vulnerabilities
Hackers Exploit Vulnerabilities in Sunlogin to Deploy Sliver C2 Framework
Abstract: Threat actors are leveraging known flaws in Sunlogin software to deploy the Sliver command-and-control (C2) framework for carrying out post-exploitation activities. The findings come from AhnLab Security Emergency response Center (ASEC), which found that security vulnerabilities in Sunlogin, a remote desktop program developed in China, are being abused to deploy a wide range of payloads. "Not only did threat actors use the Sliver backdoor, but they also used the BYOVD (Bring Your Own Vulnerable Driver) malware to incapacitate security products and install reverse shells," the researchers said. Attack chains commence with the exploitation of two remote code execution bugs in Sunlogin versions prior to v11.0.0.33 (CNVD-2022-03672 and CNVD-2022-10270), followed by delivering Sliver or other malware such as Gh0st RAT and the XMRig crypto coin miner. In one instance, the threat actor is said to have weaponized the Sunlogin flaws to install a PowerShell script that, in turn... (Source: The Hacker News)
February 7, 2023 – Attack
VMware has no evidence of zero-day exploitation in ESXiArgs ransomware attacks
Abstract: VMware said that it found no evidence that the threat actors behind the ongoing ESXiArgs ransomware campaign are exploiting a zero-day flaw in its software... (Source: Security Affairs)
February 7, 2023 – Breach
Sharp HealthCare Notifies Nearly 63,000 Patients of Data Breach
Abstract: Sharp HealthCare, San Diego’s largest health provider, announced Monday that it has begun notifying 62,777 of its patients that some of their personal information was compromised during an attack on the computers that run its website, sharp.com. (Source: Cyware)
February 07, 2023 – General
Tackling the New Cyber Insurance Requirements: Can Your Organization Comply? Full Text
Abstract
With cyberattacks around the world escalating rapidly, insurance companies are ramping up the requirements to qualify for a cyber insurance policy. Ransomware attacks were up 80% last year , prompting underwriters to put in place a number of new provisions designed to prevent ransomware and stem the record number of claims. Among these are a mandate to enforce multi-factor authentication (MFA) across all admin access in a network environment as well as protect all privileged accounts, specifically machine-to-machine connections known as service accounts. But identifying MFA and privileged account protection gaps within an environment can be extremely challenging for organizations, as there is no utility among the most commonly used security and identity products that can actually provide this visibility. In this article, we'll explore these identity protection challenges and suggest steps organizations can take to overcome them, including signing up for a free identity risk aThe Hacker News
February 7, 2023 – Vulnerabilities
OpenSSH addressed a new pre-auth double free vulnerability
Abstract
The maintainers of OpenSSH addressed multiple security issues, including a memory safety bug in the OpenSSH server (sshd). The maintainers of OpenSSH have addressed a number of security vulnerabilities with the release of version 9.2. One of the issues... (Source: Security Affairs)
February 7, 2023 – Malware
AveMaria Info-stealer Changes its Strategy to Infect More Users
Abstract
Zscaler’s ThreatLabz disclosed details about a new infostealer AveMaria RAT that targets sensitive data with added capabilities of remote camera control and privilege escalation. Over the past six months, the operators behind the info-stealer have been making significant additions to the execution ... (Source: Cyware)
February 07, 2023 – Ransomware
Linux Variant of Clop Ransomware Spotted, But Uses Faulty Encryption Algorithm
Abstract
The first-ever Linux variant of the Clop ransomware has been detected in the wild, but with a faulty encryption algorithm that has made it possible to reverse engineer the process. "The ELF executable contains a flawed encryption algorithm making it possible to decrypt locked files without paying the ransom," SentinelOne researcher Antonis Terefos said in a report shared with The Hacker News. The cybersecurity firm, which has made available a decryptor, said it observed the ELF version on December 26, 2022, while also noting its similarities to the Windows flavor when it comes to using the same encryption method. The detected sample is said to be part of a larger attack targeting educational institutions in Colombia, including La Salle University, around the same time. The university was added to the criminal group's leak site in early January 2023, per FalconFeedsio. Known to have been active since 2019, the Clop (stylized as Cl0p) ransomware operation suffered... (Source: The Hacker News)
February 7, 2023 – Breach
Anonymous leaked 128GB of data stolen from Russian ISP Convex revealing FSB’s warrantless surveillance
Abstract
The popular collective Anonymous has leaked 128 GB of data allegedly stolen from the Russian Internet Service Provider Convex. The collective Anonymous released last week 128 gigabytes of documents that were allegedly stolen from the Russian Internet... (Source: Security Affairs)
February 7, 2023 – Attack
Massachusetts-Based MKS Instruments Falls Victim to Ransomware Attack
Abstract
The company said it has notified law enforcement authorities while it investigates and assesses the impact of the incident by engaging “appropriate incident response professionals.” (Source: Cyware)
February 07, 2023 – Attack
VMware Finds No Evidence of 0-Day in Ongoing ESXiArgs Ransomware Spree
Abstract
VMware on Monday said it found no evidence that threat actors are leveraging an unknown security flaw, i.e., a zero-day, in its software as part of an ongoing ransomware attack spree worldwide. "Most reports state that End of General Support (EoGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs)," the virtualization services provider said. The company is further recommending that users upgrade to the latest available supported releases of vSphere components to mitigate known issues and disable the OpenSLP service in ESXi. "In 2021, ESXi 7.0 U2c and ESXi 8.0 GA began shipping with the service disabled by default," VMware added. The announcement comes as unpatched and unsecured VMware ESXi servers around the world have been targeted in a large-scale ransomware campaign dubbed ESXiArgs by likely exploiting a two-year-old bug VMware p... (Source: The Hacker News)
February 7, 2023 – General
Hive takedown puts ‘small dent’ in ransomware problem
Abstract
The takedown did not result in criminal arrests of any individuals involved or affiliated with Hive, and the predominant assumption is that the Hive members will regroup or splinter to join other ransomware groups. (Source: Cyware)
February 7, 2023 – Malware
Banking Trojan TgToxic Targets Android Users in Southeast Asia
Abstract
Trend Micro experts took the wraps off of an ongoing campaign that has been targeting Android users in Southeast Asia since July 2022. It involves embedding a trojan they named TgToxic for harvesting user data from multiple fake finance and banking apps, including cryptocurrency wallets. The sample ... (Source: Cyware)
February 6, 2023 – Outage
Feds Say Cyberattack Caused Suicide Helpline’s Outage
Abstract
“On Dec. 1, the voice calling functionality of the 988 Lifeline was rendered unavailable as a result of a cybersecurity incident,” Danielle Bennett, a spokeswoman for the Substance Abuse and Mental Health Services Administration, said in an email. (Source: Cyware)
February 06, 2023 – Malware
GuLoader Malware Using Malicious NSIS Executables to Target E-Commerce Industry
Abstract
E-commerce industries in South Korea and the U.S. are at the receiving end of an ongoing GuLoader malware campaign, cybersecurity firm Trellix disclosed late last month. The malspam activity is notable for transitioning away from malware-laced Microsoft Word documents to NSIS executable files for loading the malware. Other countries targeted as part of the campaign include Germany, Saudi Arabia, Taiwan and Japan. NSIS, short for Nullsoft Scriptable Install System, is a script-driven open source system used to develop installers for the Windows operating system. While attack chains in 2021 leveraged a ZIP archive containing a macro-laced Word document to drop an executable file tasked with loading GuLoader, the new phishing wave employs NSIS files embedded within ZIP or ISO images to activate the infection. "Embedding malicious executable files in archives and images can help threat actors evade detection," Trellix researcher Nico Paulo Yturriaga said. Over the cou... (Source: The Hacker News)
February 6, 2023 – Ransomware
Italy, France and Singapore Warn of a Spike in ESXi Ransomware
Abstract
ESXi ransomware targeted thousands of VMware servers in a global-scale campaign, security experts and international CERTs warn. Thousands of computer servers have been targeted by a global ransomware hacking attack targeting VMware (VMW.N) ESXi servers.... (Source: Security Affairs)
February 6, 2023 – Breach
Update: 110,000 more users affected in LG Uplus’ data breach
Abstract
On January 10, the nation's third-largest wireless carrier disclosed that the personal data of 180,000 customers, including their names, birth dates, and phone numbers, had been breached. (Source: Cyware)
February 06, 2023 – Criminals
Microsoft: Iranian Nation-State Group Sanctioned by U.S. Behind Charlie Hebdo Hack
Abstract
An Iranian nation-state group sanctioned by the U.S. government has been attributed to the hack of the French satirical magazine Charlie Hebdo in early January 2023. Microsoft, which disclosed details of the incident, is tracking the activity cluster under its chemical element-themed moniker NEPTUNIUM, which is an Iran-based company known as Emennet Pasargad. In January 2022, the U.S. Federal Bureau of Investigation (FBI) tied the state-backed cyber unit to a sophisticated influence campaign carried out to interfere with the 2020 presidential elections. Two Iranian nationals have been accused of involvement in the disinformation and threat campaign. Microsoft's disclosure comes after a "hacktivist" group named Holy Souls (now identified as NEPTUNIUM) claimed to be in possession of the personal information of more than 200,000 Charlie Hebdo customers, including their full names, telephone numbers, and home and email addresses. The breach, which allowed NEPTUNIU... (Source: The Hacker News)
February 6, 2023 – Ransomware
Royal Ransomware adds support for encrypting Linux, VMware ESXi systems
Abstract
Royal Ransomware operators added support for encrypting Linux devices and target VMware ESXi virtual machines. The Royal Ransomware gang is the latest extortion group in order of time to add support for encrypting Linux devices and target VMware ESXi... (Source: Security Affairs)
February 6, 2023 – Criminals
Finland’s Most-Wanted Hacker Nabbed in France
Abstract
In late October 2022, Julius “Zeekill” Kivimäki was charged (and “arrested in absentia,” according to the Finns) with attempting to extort money from the Vastaamo Psychotherapy Center. (Source: Cyware)
February 06, 2023 – Education
SaaS in the Real World: Who’s Responsible to Secure this Data?
Abstract
When SaaS applications started growing in popularity, it was unclear who was responsible for securing the data. Today, most security and IT teams understand the shared responsibility model, in which the SaaS vendor is responsible for securing the application, while the organization is responsible for securing their data. What's far murkier, however, is where the data responsibility lies on the organization's side. For large organizations, this is a particularly challenging question. They store terabytes of customer data, employee data, financial data, strategic data, and other sensitive data records online. SaaS data breaches and SaaS ransomware attacks can lead to the loss or public exposure of that data. Depending on the industry, some businesses could face stiff regulatory penalties for data breaches on top of the negative PR and loss of faith these breaches bring with them. Finding the right security model is the first step before deploying any type of SSPM or other SaaS sec... (Source: The Hacker News)
February 6, 2023 – Government
Italian National Cybersecurity Agency (ACN) warns of massive ransomware campaign targeting VMware ESXi servers
Abstract
The Italian National Cybersecurity Agency (ACN) warns of an ongoing massive ransomware campaign targeting VMware ESXi servers. The Italian National Cybersecurity Agency (ACN) warns of an ongoing massive ransomware campaign targeting VMware ESXi servers... (Source: Security Affairs)
February 6, 2023 – Breach
Mortgage Financial Technologies Company 8Twelve Exposed 717,814 Records Online
Abstract
Security researcher Jeremiah Fowler together with the Website Planet research team discovered an open and non-password-protected database that contained 717,814 records and the PII of thousands of Canadian citizens. (Source: Cyware)
February 06, 2023 – Vulnerabilities
OpenSSH Releases Patch for New Pre-Auth Double Free Vulnerability
Abstract
The maintainers of OpenSSH have released OpenSSH 9.2 to address a number of security bugs, including a memory safety vulnerability in the OpenSSH server (sshd). Tracked as CVE-2023-25136, the shortcoming has been classified as a pre-authentication double free vulnerability that was introduced in version 9.1. "This is not believed to be exploitable, and it occurs in the unprivileged pre-auth process that is subject to chroot(2) and is further sandboxed on most major platforms," OpenSSH disclosed in its release notes on February 2, 2023. Credited with reporting the flaw to OpenSSH in July 2022 is security researcher Mantas Mikulenas. OpenSSH is the open source implementation of the secure shell (SSH) protocol that offers a suite of services for encrypted communications over an unsecured network in a client-server architecture. "The exposure occurs in the chunk of memory freed twice, the 'options.kex_algorithms,'" Qualys researcher Saeed Abbasi s... (Source: The Hacker News)
February 6, 2023 – General
CVEs expected to rise in 2023, as organizations still struggle to patch
Abstract
The increase is likely because researchers are investing more to uncover vulnerabilities and organizations are also conducting more audits to find flaws in their software inventory. (Source: Cyware)
February 06, 2023 – Malware
FormBook Malware Spreads via Malvertising Using MalVirt Loader to Evade Detection
Abstract
An ongoing malvertising campaign is being used to distribute virtualized .NET loaders that are designed to deploy the FormBook information-stealing malware. "The loaders, dubbed MalVirt, use obfuscated virtualization for anti-analysis and evasion along with the Windows Process Explorer driver for terminating processes," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a technical write-up. The shift to Google malvertising is the latest example of how crimeware actors are devising alternate delivery routes to distribute malware ever since Microsoft announced plans to block the execution of macros in Office by default from files downloaded from the internet. Malvertising entails placing rogue search engine advertisements in hopes of tricking users searching for popular software like Blender into downloading the trojanized software. The MalVirt loaders, which are implemented in .NET, use the legitimate KoiVM virtualizing protector for .NET applicati... (Source: The Hacker News)
February 6, 2023 – Attack
Hackers Target Switzerland’s Largest University With ‘Professional’ Cyberattack
Abstract
The university said on Friday that it is battling to keep the hackers out of critical zones by isolating parts of its IT system. This defense has compromised access to its systems but prevented cyberattackers from encrypting or extracting data. (Source: Cyware)
February 6, 2023 – General
Inability to prevent bad things from happening seen as the worst part of a security job
Abstract
83% of organizations experienced more than one data breach in 2022. However, 97% of respondents feel confident that they are well-equipped with the tools and processes needed to prevent and identify intrusions or breaches, according to Exabeam. (Source: Cyware)
February 6, 2023 – Breach
Truck Brokerage Company FR8 Exposed 140GB of Data Due to Misconfigured Server
Abstract
According to the IT security researcher Anurag Sen working with Italian cyber security firm FlashStart, the organization has exposed more than 140 gigabytes of data, which is available to the public without any password or security authentication. (Source: Cyware)
February 6, 2023 – Malware
MalVirt Loader Distributes Formbook and XLoader with Unusual Levels of Obfuscation
Abstract
Cybercriminals were found distributing virtualized .NET malware loaders, dubbed MalVirt, in a Google Ads-based malvertising campaign to install the Formbook stealer and XLoader. The hackers used KoiVM virtualization technology to obfuscate their implementation and execution in their campaigns. The ... (Source: Cyware)
February 5, 2023 – Breach
Microsoft attributes Charlie Hebdo data leak to Iran-linked NEPTUNIUM APT
Abstract
Microsoft attributes a recent cyber attack against the satirical French magazine Charlie Hebdo to an Iran-linked NEPTUNIUM APT group. Microsoft’s Digital Threat Analysis Center (DTAC) attributes a recent cyberattack against the satirical... (Source: Security Affairs)
February 5, 2023 – General
Security Affairs newsletter Round 405 by Pierluigi Paganini
Abstract
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box. If you want to also receive for free the newsletter with the international press, subscribe here. CISA... (Source: Security Affairs)
February 04, 2023 – Malware
PixPirate: New Android Banking Trojan Targeting Brazilian Financial Institutions
Abstract
A new Android banking trojan has set its eyes on Brazilian financial institutions to commit fraud by leveraging the PIX payments platform. Italian cybersecurity company Cleafy, which discovered the malware between the end of 2022 and the beginning of 2023, is tracking it under the name PixPirate. "PixPirate belongs to the newest generation of Android banking trojan, as it can perform ATS (Automatic Transfer System), enabling attackers to automate the insertion of a malicious money transfer over the Instant Payment platform Pix, adopted by multiple Brazilian banks," researchers Francesco Iubatti and Alessandro Strino said. It is also the latest addition in a long list of Android banking malware to abuse the operating system's accessibility services API to carry out its nefarious functions, including disabling Google Play Protect, intercepting SMS messages, preventing uninstallation, and serving rogue ads via push notifications. Besides stealing passwords entered... (Source: The Hacker News)
February 04, 2023 – Attack
New Wave of Ransomware Attacks Exploiting VMware Bug to Target ESXi Servers
Abstract
VMware ESXi hypervisors are the target of a new wave of attacks designed to deploy ransomware on compromised systems. "These attack campaigns appear to exploit CVE-2021-21974, for which a patch has been available since February 23, 2021," the Computer Emergency Response Team (CERT) of France said in an advisory on Friday. VMware, in its own alert released at the time, described the issue as an OpenSLP heap-overflow vulnerability that could lead to the execution of arbitrary code. "A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution," the virtualization services provider noted. French cloud services provider OVHcloud said the attacks are being detected globally with a specific focus on Europe. It's being suspected that the intrusions are related to a new Rust-based ransomware strain called Nevada that emerged... (Source: The Hacker News)
February 04, 2023 – Vulnerabilities
Warning: Hackers Actively Exploiting Zero-Day in Fortra’s GoAnywhere MFT
Abstract
A zero-day vulnerability affecting Fortra's GoAnywhere MFT managed file transfer application is being actively exploited in the wild. Details of the flaw were first publicly shared by security reporter Brian Krebs on Mastodon. No public advisory has been published by Fortra. The vulnerability is a case of remote code injection that requires access to the administrative console of the application, making it imperative that the systems are not exposed to the public internet. According to security researcher Kevin Beaumont, there are over 1,000 on-premise instances that are publicly accessible over the internet, a majority of which are located in the U.S. "The Fortra advisory Krebs quoted advises GoAnywhere MFT customers to review all administrative users and monitor for unrecognized usernames, especially those created by system," Rapid7 researcher Caitlin Condon said. "The logical deduction is that Fortra is likely seeing follow-on attacker behavior that inc... (Source: The Hacker News)
February 4, 2023 – Government
CISA adds Oracle, SugarCRM bugs to its Known Exploited Vulnerabilities Catalog
Abstract
US CISA added actively exploited vulnerabilities in SugarCRM and Oracle products to its Known Exploited Vulnerabilities Catalog. The Cybersecurity and Infrastructure Security Agency (CISA) added Oracle and SugarCRM flaws, respectively tracked as CVE-2022-21587... (Source: Security Affairs)
February 4, 2023 – Vulnerabilities
GoAnywhere MFT zero-day flaw actively exploited
Abstract
Threat actors are actively exploiting a zero-day vulnerability affecting Fortra's GoAnywhere MFT managed file transfer application. Experts warn that threat actors are actively exploiting a zero-day vulnerability in Fortra's GoAnywhere MFT managed... (Source: Security Affairs)
February 4, 2023 – Government
CERT-FR warns of a new wave of ransomware attacks targeting VMware ESXi servers
Abstract
A new wave of ransomware attacks is targeting VMware ESXi servers to deliver ransomware, CERT of France warns. The French Computer Emergency Response Team (CERT-FR) warns that threat actors are targeting VMware ESXi servers to deploy ransomware. CERT-FR... (Source: Security Affairs)
February 4, 2023 – Outage
Tallahassee Memorial HealthCare, Florida, has taken IT systems offline after cyberattack
Abstract
The Tallahassee Memorial HealthCare (TMH) hospital in Florida was forced to take offline its systems after a cyberattack. The Tallahassee Memorial HealthCare (TMH) hospital has taken its IT systems offline and suspended non-emergency procedures after... (Source: Security Affairs)
February 3, 2023 – Ransomware
Nevada Ransomware: Another Feather in the RaaS Ecosystem
Abstract
A new ransomware family called Nevada Ransomware has emerged on underground forums. The actors behind this variant, as experts with Resecurity confirmed, have an affiliate platform first introduced in the RAMP underground community. The group recently distributed an updated locker, written in Rust, ... (Source: Cyware)
February 03, 2023 – Vulnerabilities
Is Your EV Charging Station Safe? New Security Vulnerabilities Uncovered
Abstract
Two new security weaknesses discovered in several electric vehicle (EV) charging systems could be exploited to remotely shut down charging stations and even expose them to data and energy theft. The findings, which come from Israel-based SaiFlow, once again demonstrate the potential risks facing the EV charging infrastructure. The issues have been identified in version 1.6J of the Open Charge Point Protocol (OCPP) standard that uses WebSockets for communication between EV charging stations and the Charging Station Management System (CSMS) providers. The current version of OCPP is 2.0.1. "The OCPP standard doesn't define how a CSMS should accept new connections from a charge point when there is already an active connection," SaiFlow researchers Lionel Richard Saposnik and Doron Porat said. "The lack of a clear guideline for multiple active connections can be exploited by attackers to disrupt and hijack the connection between the charge point and the CSMS."... (Source: The Hacker News)
February 3, 2023 – Vulnerabilities
Exploitation attempts for Oracle E-Business Suite flaw observed after PoC release
Abstract
Threat actors started exploiting a critical Oracle E-Business Suite flaw, tracked as CVE-2022-21587, shortly after a PoC was published. Shadowserver researchers warn that threat actors have started attempting to exploit critical Oracle E-Business... (Source: Security Affairs)
February 3, 2023 – Vulnerabilities
GoAnywhere MFT Users Warned of Zero-Day Exploit
Abstract
Users of the GoAnywhere secure managed file transfer (MFT) software have been warned about a zero-day exploit that malicious actors can target directly from the internet. (Source: Cyware)
February 03, 2023 – Malware
Post-Macro World Sees Rise in Microsoft OneNote Documents Delivering Malware
Abstract
In a continuing sign that threat actors are adapting well to a post-macro world, it has emerged that the use of Microsoft OneNote documents to deliver malware via phishing attacks is on the rise. Some of the notable malware families that are being distributed using this method include AsyncRAT, RedLine Stealer, Agent Tesla, DOUBLEBACK, Quasar RAT, XWorm, Qakbot, BATLOADER, and FormBook. Enterprise firm Proofpoint said it detected over 50 campaigns leveraging OneNote attachments in the month of January 2023 alone. In some instances, the email phishing lures contain a OneNote file, which, in turn, embeds an HTA file that invokes a PowerShell script to retrieve a malicious binary from a remote server. Other scenarios entail the execution of a rogue VBScript that's embedded within the OneNote document and concealed behind an image that appears as a seemingly harmless button. The VBScript, for its part, is designed to drop a PowerShell script to run DOUBLEBACK. ... (Source: The Hacker News)
February 3, 2023 – Vulnerabilities
VMware Workstation update fixes an arbitrary file deletion bug
Abstract
VMware addressed a high-severity privilege escalation vulnerability, tracked as CVE-2023-20854, in VMware Workstation. VMware fixed a high-severity privilege escalation flaw, tracked as CVE-2023-20854, that impacts Workstation. An attacker can exploit... (Source: Security Affairs)
February 3, 2023 – Malware
IceBreaker Backdoor Targets Gaming/Gambling Companies
Abstract
Online gaming and gambling firms are once again under attack by a never-before-seen backdoor known as IceBreaker. According to security analysts at SecurityJoes, the malware’s compromise method relies on tricking customer service agents into opening malicious screenshots that the threat actor sent ... (Source: Cyware)
February 03, 2023 – Hacker
Iranian OilRig Hackers Using New Backdoor to Exfiltrate Data from Govt. Organizations
Abstract
The Iranian nation-state hacking group known as OilRig has continued to target government organizations in the Middle East as part of a cyber espionage campaign that leverages a new backdoor to exfiltrate data. "The campaign abuses legitimate but compromised email accounts to send stolen data to external mail accounts controlled by the attackers," Trend Micro researchers Mohamed Fahmy, Sherif Magdy, and Mahmoud Zohdy said. While the technique in itself is not unheard of, the development marks the first time OilRig has adopted it in its playbook, indicating the continued evolution of its methods to bypass security protections. The advanced persistent threat (APT) group, also referred to as APT34, Cobalt Gypsy, Europium, and Helix Kitten, has been documented for its targeted phishing attacks in the Middle East since at least 2014. Linked to Iran's Ministry of Intelligence and Security (MOIS), the group is known to use a diverse toolset in its operations, with re... (Source: The Hacker News)
February 3, 2023 – Vulnerabilities
Atlassian fixed critical authentication vulnerability in Jira Software
Abstract
Atlassian fixed a critical flaw in Jira Service Management Server and Data Center that can allow an attacker to impersonate another user and gain access to a Jira Service Management instance. Atlassian has released security updates to address a critical... (Source: Security Affairs)
February 3, 2023 – Cryptocurrency
Crypto hacks stole record $3.8 billion in 2022, led by North Korea groups - report
Abstract
Last year was the worst on record for cryptocurrency heists, with hackers stealing as much as $3.8 billion, led by attackers linked to North Korea who netted more than ever before, a U.S.-based blockchain analytics firm said in a report on Wednesday. (Source: Cyware)
February 03, 2023 – Education
The Pivot: How MSPs Can Turn a Challenge Into a Once-in-a-Decade Opportunity
Abstract
Cybersecurity is quickly becoming one of the most significant growth drivers for Managed Service Providers (MSPs). That's the main insight from a recent study from Lumu: in North America, more than 80% of MSPs cite cybersecurity as a primary growth driver of their business. Service providers have a huge opportunity to expand their business and win new customers by developing their cybersecurity offerings. This hardly comes as a surprise since the demand for cybersecurity is in full swing among SMBs and larger enterprises. According to Gartner, "by 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements." This means that the perception around security is transforming: from liability, it's becoming a powerful business driver. Of course, cybersecurity continues to evolve at a very rapid pace, with threats emerging every day and the stakes getting higher. This alone can fuel the... (Source: The Hacker News)
February 3, 2023 – APT
Russia-linked Gamaredon APT targets Ukrainian authorities with new malware
Abstract
Russia-linked threat actor Gamaredon employed new spyware in cyber attacks aimed at public authorities and critical information infrastructure in Ukraine. The State Cyber Protection Centre (SCPC) of Ukraine warns of a new wave of targeted attacks... (Source: Security Affairs)
February 3, 2023 – Malware
Konami Code Backdoor Concealed in Image File of Fake WordPress Plugins
Abstract
The malware was first detected back in 2019 within a compromised Drupal environment. However, over the last few months, it appears to have surged in popularity among attackers. It tends to be uploaded into WordPress environments as a fake plugin. (Source: Cyware)
February 03, 2023 – Vulnerabilities
Atlassian’s Jira Software Found Vulnerable to Critical Authentication Vulnerability
Abstract
Atlassian has released fixes to resolve a critical security flaw in Jira Service Management Server and Data Center that could be abused by an attacker to pass off as another user and gain unauthorized access to susceptible instances. The vulnerability is tracked as CVE-2023-22501 (CVSS score: 9.4) and has been described as a case of broken authentication with low attack complexity. "An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances," Atlassian said. "With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into." The tokens, Atlassian noted, can be obtained in either of two scenarios: if the attacker is included on Jira i... (Source: The Hacker News)
February 3, 2023 – Vulnerabilities
Cisco fixed command injection bug in IOx Application Hosting Environment
Abstract
Cisco fixed a high-severity flaw in the IOx application hosting environment that can be exploited in command injection attacks. Cisco has released security updates to address a command injection vulnerability, tracked as CVE-2023-20076, in the Cisco... (Source: Security Affairs)
February 3, 2023 – Botnet
HeadCrab Botnet Targets 1,200 Redis Servers in a New Elusive Campaign
Abstract
Aqua Security researchers found a new malware, dubbed HeadCrab, that has infected over a thousand Redis servers since September 2021. Researchers found approximately 1,200 actively infected servers that the malware has been abusing to mine Monero cryptocurrency. HeadCrab uses state-of-the-art infrastructure ... (Source: Cyware)
February 03, 2023 – Vulnerabilities
New High-Severity Vulnerabilities Discovered in Cisco IOx and F5 BIG-IP Products
Abstract
F5 has warned of a high-severity flaw impacting BIG-IP appliances that could lead to denial-of-service (DoS) or arbitrary code execution. The issue is rooted in the iControl Simple Object Access Protocol (SOAP) interface and affects the following versions of BIG-IP: 13.1.5, 14.1.4.6 - 14.1.5, 15.1.5.1 - 15.1.8, 16.1.2.2 - 16.1.3, and 17.0.0. "A format string vulnerability exists in iControl SOAP that allows an authenticated attacker to crash the iControl SOAP CGI process or, potentially execute arbitrary code," the company said in an advisory. "In appliance mode BIG-IP, a successful exploit of this vulnerability can allow the attacker to cross a security boundary." The flaw, tracked as CVE-2023-22374 (CVSS score: 7.5/8.5), was discovered and reported by security researcher Ron Bowes of Rapid7 on December 6, 2022. Given that the iControl SOAP interface runs as root, a successful exploit could permit a threat actor to remotely trigger co... (Source: The Hacker News)
February 3, 2023 – Breach
Update: Data breach at Vice Media involved SSNs, financial info
Abstract
A data breach involving Vice Media leaked the sensitive information and financial data of more than 1,700 individuals, according to filings with Maine’s Attorney General. (Source: Cyware)
February 03, 2023 – Government
CISA Alert: Oracle E-Business Suite and SugarCRM Vulnerabilities Under Attack
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on February 2 added two security flaws to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation. The first of the two vulnerabilities is CVE-2022-21587 (CVSS score: 9.8), a critical issue impacting versions 12.2.3 to 12.2.11 of the Oracle Web Applications Desktop Integrator product. "Oracle E-Business Suite contains an unspecified vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator," CISA said. The issue was addressed by Oracle as part of its Critical Patch Update released in October 2022. Not much is known about the nature of the attacks exploiting the vulnerability, but the development follows the publication of a proof-of-concept (PoC) by cybersecurity firm Viettel on January 16, 2023. The second security flaw to be added to the KEV catalog is CVE-2023-22952 (CVSS score: ...). (Source: The Hacker News)
February 2, 2023 – Vulnerabilities
EV Charging Management System Vulnerabilities Allow Disruption, Energy Theft Full Text
Abstract
Researchers warn that many electric vehicle (EV) charging management systems are affected by vulnerabilities that could allow hackers to cause disruption, steal energy, or obtain driver information.Cyware
February 02, 2023 – Malware
New Russian-Backed Gamaredon’s Spyware Variants Targeting Ukrainian Authorities Full Text
Abstract
The State Cyber Protection Centre (SCPC) of Ukraine has called out the Russian state-sponsored threat actor known as Gamaredon for its targeted cyber attacks on public authorities and critical information infrastructure in the country. The advanced persistent threat, also known as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and UAC-0010, has a track record of striking Ukrainian entities dating as far back as 2013. "UAC-0010 group's ongoing activity is characterized by a multi-step download approach and executing payloads of the spyware used to maintain control over infected hosts," the SCPC said . "For now, the UAC-0010 group uses GammaLoad and GammaSteel spyware in their campaigns." GammaLoad is a VBScript dropper malware engineered to download next-stage VBScript from a remote server. GammaSteel is a PowerShell script that's capable of conducting reconnaissance and executing additional commands. The goal of tThe Hacker News
February 2, 2023 – Education
API management (APIM): What It Is and Where It’s Going Full Text
Abstract
Analyzing the concept of API management (APIM), its benefits, and what it will look like as the API landscape continues to evolve. There are two fundamental truths in the API landscape. First: APIs have become a strategic tool for companies to expand...Security Affairs
February 2, 2023 – APT
New APT34 Malware Targets The Middle East Full Text
Abstract
Trend Micro analyzed a cyberespionage campaign targeting organizations in the Middle East in December 2022 using a new backdoor. It abuses compromised email accounts to send stolen data to external mail accounts controlled by attackers.Cyware
February 02, 2023 – General
Cybersecurity Budgets Are Going Up. So Why Aren’t Breaches Going Down? Full Text
Abstract
Over the past few years, cybersecurity has become a major concern for businesses around the globe. With the total cost of cybercrime in 2023 forecasted to reach $8 Trillion – with a T, not a B – it's no wonder that cybersecurity is top of mind for leaders across all industries and regions. However, despite growing attention and budgets for cybersecurity in recent years, attacks have only become more common and more severe. While threat actors are becoming increasingly sophisticated and organized, this is just one piece of the puzzle in determining why cybercrime continues to rise and what organizations can do to stay secure. An abundance of cyber spending, a shortage of cyber security It's easy to assume that tThe Hacker News
February 2, 2023 – Vulnerabilities
A High-severity bug in F5 BIG-IP can lead to code execution and DoS Full Text
Abstract
Experts warn of a high-severity vulnerability that affects F5 BIG-IP that can lead to arbitrary code execution or DoS condition. A high-severity vulnerability in F5 BIG-IP, tracked as CVE-2023-22374, can be exploited to cause a DoS condition and potentially...Security Affairs
February 2, 2023 – General
50% of organizations have indirect relationships with 200+ breached fourth-party vendors Full Text
Abstract
About 98 percent of organizations have vendor relationships with at least one third-party that has experienced a breach in the last two years, according to SecurityScorecard and The Cyentia Institute.Cyware
February 02, 2023 – Hacker
North Korean Hackers Exploit Unpatched Zimbra Devices in ‘No Pineapple’ Campaign Full Text
Abstract
A new intelligence gathering campaign linked to the prolific North Korean state-sponsored Lazarus Group leveraged known security flaws in unpatched Zimbra devices to compromise victim systems. That's according to Finnish cybersecurity company WithSecure (formerly F-Secure), which codenamed the incident No Pineapple in reference to an error message that's used in one of the backdoors. Targets of the malicious operation included a healthcare research organization in India, the chemical engineering department of a leading research university, as well as a manufacturer of technology used in the energy, research, defense, and healthcare sectors, suggesting an attempt to breach the supply chain. Roughly 100GB of data is estimated to have been exported by the hacking crew following the compromise of an unnamed customer, with the digital break-in likely taking place in the third quarter of 2022. "The threat actor gained access to the network by exploiting a vulnerable ZimbraThe Hacker News
February 2, 2023 – Vulnerabilities
Experts warn of two flaws in popular open-source software ImageMagick Full Text
Abstract
Experts disclosed details of two security flaws in the open-source software ImageMagick that could potentially lead to information disclosure or trigger a DoS condition. Researchers at Metabase Q discovered a couple of security vulnerabilities in the open-source...Security Affairs
February 2, 2023 – Vulnerabilities
Vulnerability in Cisco industrial appliances is a potential nightmare (CVE-2023-20076) Full Text
Abstract
CVE-2023-20076 was discovered by the researchers in a Cisco ISR 4431 router – more specifically, in the Cisco IOx application hosting environment, which allows admins to deploy application containers or virtual machines directly on Cisco devices.Cyware
February 02, 2023 – Breach
New Threat: Stealthy HeadCrab Malware Compromised Over 1,200 Redis Servers Full Text
Abstract
At least 1,200 Redis database servers worldwide have been corralled into a botnet using an "elusive and severe threat" dubbed HeadCrab since early September 2021. "This advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions to compromise a large number of Redis servers," Aqua security researcher Asaf Eitani said in a Wednesday report. A significant concentration of infections has been recorded in China, Malaysia, India, Germany, the U.K., and the U.S. to date. The origins of the threat actor are presently unknown. The findings come two months after the cloud security firm shed light on a Go-based malware codenamed Redigo that has been found compromising Redis servers. The attack is designed to target Redis servers that are exposed to the internet, followed by issuing a SLAVEOF command from another Redis server that's already under the adversary's control. InThe Hacker News
February 2, 2023 – Vulnerabilities
Over 30k Internet-Exposed QNAP NAS hosts impacted by CVE-2022-27596 flaw Full Text
Abstract
Censys found 30,000 internet-facing QNAP appliances potentially impacted by a recently disclosed critical code injection flaw. On January 30, Taiwanese vendor QNAP released QTS and QuTS firmware updates to address a critical vulnerability, tracked...Security Affairs
February 2, 2023 – Attack
Global Derivatives Markets Impacted by LockBit Ransomware Attack on Financial Software Company Full Text
Abstract
The attack is “impacting the trading and clearing of exchange-traded derivatives by ION customers across global markets,” according to the Futures Industry Association (FIA).Cyware
February 2, 2023 – Attack
‘No Pineapple’ Cyber Espionage Campaign Reveals North Korean Toolkit Full Text
Abstract
A threat intelligence firm spotted North Korean hackers engaged in technological espionage in a campaign that betrayed recurring elements of the Pyongyang hacking toolkit.Cyware
February 2, 2023 – Education
Mapping Threat Intelligence to the NIST Compliance Framework Part 2 Full Text
Abstract
As CTI teams prioritize the intelligence requirements of their business stakeholders, it is beneficial to provide context by mapping the impact of cybersecurity threat intelligence programs to the following NIST core functions.Cyware
February 1, 2023 – Ransomware
Nevada Ransomware has Released Upgraded Locker Full Text
Abstract
The actors behind this new project have an affiliate platform first introduced on the RAMP underground community, which is known for initial access brokers (IABs) and other cybercriminal actors and ransomware groups.Cyware
February 01, 2023 – Vulnerabilities
Researchers Uncover New Bugs in Popular ImageMagick Image Processing Utility Full Text
Abstract
Cybersecurity researchers have disclosed details of two security flaws in the open source ImageMagick software that could potentially lead to a denial-of-service (DoS) and information disclosure. The two issues, which were identified by Latin American cybersecurity firm Metabase Q in version 7.1.0-49, were addressed in ImageMagick version 7.1.0-52, released in November 2022. A brief description of the flaws is as follows: CVE-2022-44267, a DoS vulnerability that arises when parsing a PNG image with a filename that's a single dash ("-"); and CVE-2022-44268, an information disclosure vulnerability that could be exploited to read arbitrary files from a server when parsing an image. That said, an attacker must be able to upload a malicious image to a website using ImageMagick so as to weaponize the flaws remotely. The specially crafted image, for its part, can be created by inserting a text chunk that specifies some metadata of the attacker's choice (e.g.,The Hacker News
February 1, 2023 – Attack
Pro-Russia Killnet group hit Dutch and European hospitals Full Text
Abstract
The Dutch National Cyber Security Centre (NCSC) confirmed that the Pro-Russia group Killnet hit websites of national and European hospitals. The Dutch National Cyber Security Centre (NCSC) reported that the websites of several hospitals in the Netherlands...Security Affairs
February 1, 2023 – Vulnerabilities
Update: POC exploit released for VMware vRealize Log Insight vulnerabilities Full Text
Abstract
Updates for the vulnerabilities are available for VMware vRealize Log Insight in the form of version 8.10.2. VMware also published workarounds as an alternative for affected customers.Cyware
February 01, 2023 – Attack
Experts Warn of ‘Ice Breaker’ Cyberattacks Targeting Gaming and Gambling Industry Full Text
Abstract
A new attack campaign has targeted the gaming and gambling sectors since at least September 2022, just months prior to the ICE London 2023 gaming industry trade fair event that's scheduled next week. Israeli cybersecurity company Security Joes is tracking the activity cluster under the name Ice Breaker , stating the intrusions employ clever social engineering tactics to deploy a JavaScript backdoor. The attack sequence proceeds as follows: The threat actor poses as a customer while initiating a conversation with a support agent of a gaming website and urges the individual on the other end to open a screenshot image hosted on Dropbox. Security Joes said that the threat actor is "well-aware of the fact that the customer service is human-operated." Clicking the malicious link sent in the chat leads to the retrieval of an LNK payload or, alternatively, a VBScript file as a backup option, the former of which is configured to download and run an MSI package containinThe Hacker News
February 1, 2023 – Malware
New Prilex PoS Malware evolves to target NFC-enabled credit cards Full Text
Abstract
Authors of the Prilex PoS malware improved their malicious code to target contactless credit card transactions. The threat actors behind the sophisticated point-of-sale (PoS) malware Prilex have improved its capabilities to block contactless...Security Affairs
February 1, 2023 – Ransomware
New LockBit Green Ransomware Variant Borrows Code From Conti Ransomware Full Text
Abstract
Lockbit ransomware operators have implemented a new version of their malware, dubbed LockBit Green, which was apparently designed to include cloud-based services among its targets.Cyware
February 01, 2023 – Malware
New SH1MMER Exploit for Chromebook Unenrolls Managed ChromeOS Devices Full Text
Abstract
A new exploit has been devised to "unenroll" enterprise- or school-managed Chromebooks from administrative control. Enrolling ChromeOS devices makes it possible to enforce device policies as set by the organization via the Google Admin console , including the features that are available to users. "Each enrolled device complies with the policies you set until you wipe or deprovision it," Google states in its documentation. That's where the exploit – dubbed Shady Hacking 1nstrument Makes Machine Enrollment Retreat aka SH1MMER – comes in, allowing users to bypass these admin restrictions. The method is also a reference to shim, a Return Merchandise Authorization (RMA) disk image used by service center technicians to reinstall the operating system and run diagnosis and repair programs. The Google-signed shim image is a "combination of existing Chrome OS factory bundle components" – namely a release image, a toolkit, and the firmware, amonThe Hacker News
February 1, 2023 – Ransomware
New LockBit Green ransomware variant borrows code from Conti ransomware Full Text
Abstract
Lockbit ransomware operators have released a new version of their malware, LockBit Green, that also targets cloud-based services. Lockbit ransomware operators have implemented a new version of their malware, dubbed LockBit Green, which was designed...Security Affairs
February 1, 2023 – Denial Of Service
Pro-Russian DDoS attacks raise alarm in Denmark, U.S. Full Text
Abstract
Since Russia began its invasion of Ukraine 11 months ago, hacking groups like Killnet and NoName057 have targeted an array of government institutions, businesses, and organizations across Europe and the United States.Cyware
February 01, 2023 – Education
Auditing Kubernetes with Open Source SIEM and XDR Full Text
Abstract
Container technology has gained traction among businesses due to the increased efficiency it provides. In this regard, organizations widely use Kubernetes for deploying, scaling, and managing containerized applications. Organizations should audit Kubernetes to ensure compliance with regulations, find anomalies, and identify security risks. The Wazuh open source platform plays a critical role in monitoring Kubernetes and other components of an organization's infrastructure. What is Kubernetes? Kubernetes is an open source container management solution that automates the deployment and scaling of containers and also manages the life cycle of containers. It organizes containers into logical units for simple management and discovery. Kubernetes extends how we scale containerized applications so that we may use a truly persistent infrastructure. You can build cloud-native applications based on microservices with Kubernetes. Enthusiasts view Kubernetes as the cornerstone of application mThe Hacker News
February 1, 2023 – Ransomware
Nevada Ransomware Has Released Upgraded Locker Full Text
Abstract
Researchers from Resecurity have identified a new version of Nevada Ransomware which recently emerged on the Dark Web right before the start of 2023. Resecurity, a California-based cybersecurity company protecting Fortune 500 companies globally, has identified...Security Affairs
February 1, 2023 – Outage
Ransomware Attack Forces the Closure of Four Public Schools in Nantucket Full Text
Abstract
A ransomware attack forced the closure Tuesday of four public schools serving 1,700 students on the island of Nantucket, Massachusetts, the school district’s superintendent said in an email to parents.Cyware
February 01, 2023 – Malware
Prilex PoS Malware Evolves to Block Contactless Payments to Steal from NFC Cards Full Text
Abstract
The Brazilian threat actors behind an advanced and modular point-of-sale (PoS) malware known as Prilex have reared their head once again with new updates that allow it to block contactless payment transactions. Russian cybersecurity firm Kaspersky said it detected three versions of Prilex (06.03.8080, 06.03.8072, and 06.03.8070) that are capable of targeting NFC-enabled credit cards, taking its criminal scheme a notch higher. Having evolved out of ATM-focused malware into PoS malware over the years since going operational in 2014, the threat actor steadily incorporated new features that are designed to facilitate credit card fraud, including a technique called GHOST transactions . While contactless payments have taken off in a big way, in part due to the COVID-19 pandemic, the underlying motive behind the new functionality is to disable the feature so as to force the user to insert the card into the PIN pad. To that end, the latest version of Prilex, which Kaspersky discoverThe Hacker News
February 1, 2023 – Malware
TrickGate, a packer used by malware to evade detection since 2016 Full Text
Abstract
TrickGate is a shellcode-based packer offered as a service to malware authors to avoid detection, CheckPoint researchers reported. TrickGate is a shellcode-based packer offered as a service, which is used at least since July 2016, to hide malware...Security Affairs
February 1, 2023 – Attack
Update: LockBit takes credit for November ransomware attack on Sacramento PBS station Full Text
Abstract
The PBS station KVIE announced the attack on November 23, noting that some of its internal systems were affected on October 31. It immediately took systems offline, notified law enforcement, and hired experts to investigate the incident.Cyware
February 1, 2023 – Breach
Planet Ice Suffers Hack Resulting in Theft of 240,000 Customers’ Accounts Details Full Text
Abstract
The data from 240,488 customer accounts is now in the hands of hackers, including dates of birth, names, and genders of children having parties, email addresses, IP addresses, passwords, phone numbers, physical addresses, and purchases.Cyware
February 1, 2023 – General
Reality check: Is ChatGPT really the next big cybersecurity threat? Full Text
Abstract
When OpenAI released ChatGPT in November, programmers were astounded to discover that the artificial intelligence-powered chatbot could not only mimic a huge variety of human speech but could also write code.Cyware
February 1, 2023 – Vulnerabilities
Microsoft’s Verified Publisher Status Abused in Email Theft Campaign Full Text
Abstract
The campaign mainly targeted Microsoft customers in Ireland and the UK. The tech giant has taken steps to disrupt the operation and it has published an article on how users can protect against these threats, which the company calls consent phishing.Cyware
February 01, 2023 – Hacker
Hackers Abused Microsoft’s “Verified Publisher” OAuth Apps to Hack Corporate Email Accounts Full Text
Abstract
Microsoft on Tuesday said it took steps to disable fake Microsoft Partner Network (MPN) accounts that were used for creating malicious OAuth applications as part of a malicious campaign designed to breach organizations' cloud environments and steal email. "The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting permissions to the fraudulent apps," the tech giant said . "This phishing campaign targeted a subset of customers primarily based in the U.K. and Ireland." Consent phishing is a social engineering attack wherein users are tricked into granting permissions to malicious cloud applications, which can then be weaponized to gain access to legitimate cloud services and sensitive user data. The Windows maker said it became aware of the campaign on December 15, 2022. It has since alerted affected customers via email, with the company noting that the threat actors abused the consThe Hacker News
February 01, 2023 – Vulnerabilities
Additional Supply Chain Vulnerabilities Uncovered in AMI MegaRAC BMC Software Full Text
Abstract
Two more supply chain security flaws have been disclosed in AMI MegaRAC Baseboard Management Controller (BMC) software, nearly two months after three security vulnerabilities were brought to light in the same product. Firmware security firm Eclypsium said the two shortcomings were held back until now to provide AMI additional time to engineer appropriate mitigations. The issues, collectively tracked as BMC&C, could act as a springboard for cyber attacks, enabling threat actors to obtain remote code execution and unauthorized device access with superuser permissions. The two new flaws in question are as follows: CVE-2022-26872 (CVSS score: 8.3), password reset interception via API; and CVE-2022-40258 (CVSS score: 5.3), weak password hashes for Redfish and API. Specifically, MegaRAC has been found to use the MD5 hashing algorithm with a global salt for older devices, or SHA-512 with per-user salts on newer appliances, potentially allowing a threat actor to crack theThe Hacker News