
April 2023

April 30, 2023 – Cryptocurrency

Crooks broke into AT&T email accounts to empty their cryptocurrency wallets

Abstract Threat actors are gaining access to AT&T email accounts in an attempt to hack into the victim’s cryptocurrency exchange accounts. Hackers are breaking into the AT&T email accounts and then using the access they are logging into the victim’s...

Security Affairs

April 30, 2023 – APT

Russia-linked APT28 uses fake Windows Update instructions to target Ukraine govt bodies

Abstract CERT-UA warns of a spear-phishing campaign conducted by APT28 group targeting Ukrainian government bodies with fake ‘Windows Update’ guides. Russia-linked APT28 group is targeting Ukrainian government bodies with fake ‘Windows Update’ guides,...

Security Affairs

April 30, 2023 – Hacker

White hat hackers showed how to take over a European Space Agency satellite

Abstract Thales cybersecurity researchers have shown this week how they seized control of a European Space Agency (ESA) satellite. This week, during the third edition of CYSAT, the European event dedicated to cybersecurity for the space industry, the European...

Security Affairs

April 30, 2023 – General

Security Affairs newsletter Round 417 by Pierluigi Paganini – International edition

Abstract A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press....

Security Affairs

April 29, 2023 – Ransomware

Coercion in the Age of Ransomware: New Tactics for Extorting Payments

Abstract A ransomware report by GuidePoint Security offers valuable information on the current ransomware threat scenario and highlights the coercion tactics utilized by significant ransomware groups, such as double extortion and DDoS attacks. In the education sector, there was a 17% rise in publicly disclosed...

Cyware

April 29, 2023 – Ransomware

RTM Group Launches its Linux Ransomware

Abstract RTM Locker threat actors have launched a new version of the ransomware strain that can infect Linux, NAS, and ESXi hosts. Its code shares similarities with the Babuk ransomware's leaked source code, revealed Uptycs experts. The encryption function uses pthreads (aka POSIX threads) to speed up executi...

Cyware

April 29, 2023 – Breach

Israel: Hackers leak thousands of personal details as Netanyahu’s Facebook account targeted

Abstract The Facebook account of Israeli Prime Minister Benjamin Netanyahu was hacked into on Wednesday evening, and the identities and names of tens of thousands of Israelis were leaked, following another cyberattack targeting the country's Atid group.

Cyware

April 29, 2023 – Breach

Hackers are breaking into AT&T email accounts to steal cryptocurrency

Abstract AT&T spokesperson Jim Kimberly said that the company “identified the unauthorized creation of secure mail keys, which can be used in some cases to access an email account without needing a password.”

Cyware

April 29, 2023 – Malware

ViperSoftX uses more sophisticated encryption and anti-analysis techniques

Abstract A new variant of the information-stealing malware ViperSoftX implements sophisticated techniques to avoid detection. Trend Micro researchers observed a new ViperSoftX malware campaign that unlike previous attacks relies on DLL sideloading for its arrival...

Security Affairs

April 29, 2023 – Malware

Atomic macOS Stealer is advertised on Telegram for $1,000 per month

Abstract Atomic macOS Stealer is a new information stealer targeting macOS that is advertised on Telegram for $1,000 per month. Cyble Research and Intelligence Labs (CRIL) recently discovered a Telegram channel advertising a new information-stealing malware,...

Security Affairs

April 29, 2023 – Government

CISA warns of a critical flaw affecting Illumina medical devices

Abstract U.S. CISA released an Industrial Control Systems (ICS) medical advisory warning of a critical flaw affecting Illumina medical devices. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an Industrial Control Systems (ICS)...

Security Affairs

April 29, 2023 – Government

CISA Warns of Critical Flaws in Illumina’s DNA Sequencing Instruments

Abstract The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an Industrial Control Systems (ICS) medical advisory warning of a critical flaw impacting Illumina medical devices. The issues impact the Universal Copy Service (UCS) software in the Illumina MiSeqDx, NextSeq 550Dx, iScan, iSeq 100, MiniSeq, MiSeq, NextSeq 500, NextSeq 550, NextSeq 1000/2000, and NovaSeq 6000 DNA sequencing instruments. The most severe of the flaws, CVE-2023-1968 (CVSS score: 10.0), permits remote attackers to bind to exposed IP addresses, thereby making it possible to eavesdrop on network traffic and remotely transmit arbitrary commands. The second issue relates to a case of privilege misconfiguration (CVE-2023-1966, CVSS score: 7.4) that could enable a remote unauthenticated malicious actor to upload and execute code with elevated permissions. "Successful exploitation of these vulnerabilities could allow an attacker to take any action at the operating system level," CISA sa

The Hacker News

April 29, 2023 – Privacy

ChatGPT is Back in Italy After Addressing Data Privacy Concerns

Abstract OpenAI, the company behind ChatGPT, has officially made a return to Italy after the company met the data protection authority's demands ahead of the April 30, 2023 deadline. The development was first reported by the Associated Press. OpenAI's CEO, Sam Altman, tweeted, "we're excited ChatGPT is available in [Italy] again!" The reinstatement comes following Garante's decision to temporarily block access to the popular AI chatbot service in Italy on March 31, 2023, over concerns that its practices are in violation of data protection laws in the region. Generative AI systems like ChatGPT and Google Bard primarily rely on huge amounts of information freely available on the internet as well as the data their users provide over the course of their interactions. OpenAI, which published a new FAQ, said it filters and removes information such as hate speech, adult content, sites that primarily aggregate personal information, and spam. It also emphasized that

The Hacker News

April 28, 2023 – Malware

Atomic - New macOS Info-stealer in Town

Abstract Private Telegram channels are being abused by cybercriminals to sell a new macOS malware variant that can infect over 50 cryptocurrency extensions to steal data. Dubbed Atomic, the malware author provides its buyers a ready-to-use web panel for easy victim management, a cryptocurrency checker, a Me...

Cyware

April 28, 2023 – Government

Biden’s Spyware Order: A Needed First Step

Abstract The executive order’s ultimate impact will depend on whether the White House can galvanize similar action in Congress, at the local level, and among like-minded governments abroad.

Lawfare

April 28, 2023 – General

OpenAI reinstates ChatGPT service in Italy after meeting Garante Privacy’s demands

Abstract OpenAI announced that access to its chatbot service ChatGPT is allowed again in Italy after the company met the demands of regulators. OpenAI restored access to ChatGPT in Italy after the company met the demands of the Italian Data Protection Authority,...

Security Affairs

April 28, 2023 – Ransomware

Rapture, a Ransomware Family With Similarities to Paradise

Abstract In March and April 2023, Trend Micro researchers observed a type of ransomware targeting its victims via a minimalistic approach with tools that leave only a minimal footprint behind.

Cyware

April 28, 2023 – Vulnerabilities

Cisco discloses a bug in the Prime Collaboration Deployment solution

Abstract Cisco is working on a patch for a bug in the Prime Collaboration Deployment solution that was reported by a member of NATO’s Cyber Security Centre (NCSC). Cisco informed its customers that it’s working on a patch for cross-site scripting (XSS)...

Security Affairs

April 28, 2023 – Government

FDA, CISA: Illumina Medical Devices Vulnerable to Remote Hacking

Abstract The US government is notifying healthcare providers and lab personnel about a component used by several Illumina medical devices being affected by serious vulnerabilities that can allow remote hacking.

Cyware

April 28, 2023 – Malware

New Atomic macOS Malware Steals Keychain Passwords and Crypto Wallets

Abstract Threat actors are advertising a new information stealer for the Apple macOS operating system called Atomic macOS Stealer (or AMOS) on Telegram for $1,000 per month, joining the likes of MacStealer. "The Atomic macOS Stealer can steal various types of information from the victim's machine, including Keychain passwords, complete system information, files from the desktop and documents folder, and even the macOS password," Cyble researchers said in a technical report. Other features include its ability to extract data from web browsers and cryptocurrency wallets like Atomic, Binance, Coinomi, Electrum, and Exodus. Threat actors who purchase the stealer from its developers are also provided a ready-to-use web panel for managing the victims. The malware takes the form of an unsigned disk image file (Setup.dmg) that, when executed, urges the victim to enter their system password on a bogus prompt to escalate privileges and carry out its malicious activities --

The Hacker News

April 28, 2023 – Vulnerabilities

Zyxel fixed a critical RCE flaw in its firewall devices and urges customers to install the patches

Abstract A vulnerability impacting Zyxel firewalls, tracked as CVE-2023-28771, can be exploited to execute arbitrary code on vulnerable devices. Researchers from TRAPA Security have discovered a critical remote code execution vulnerability, tracked as CVE-2023-28771...

Security Affairs

April 28, 2023 – Malware

New TrafficStealer Malware Monetizes Network Traffic

Abstract Trend Micro uncovered a new risk to Docker containers from a piece of malware called TrafficStealer. It influences web traffic and ad interaction via the use of containers to generate illegal income. TrafficStealer uses a combination of two techniques: web crawling and click simulation. Experts...

Cyware

April 28, 2023 – Education

Why Your Detection-First Security Approach Isn’t Working

Abstract Stopping new and evasive threats is one of the greatest challenges in cybersecurity. This is among the biggest reasons why attacks increased dramatically in the past year yet again, despite the estimated $172 billion spent on global cybersecurity in 2022. Armed with cloud-based tools and backed by sophisticated affiliate networks, threat actors can develop new and evasive malware more quickly than organizations can update their protections. Relying on malware signatures and blocklists against these rapidly changing attacks has become futile. As a result, the SOC toolkit now largely revolves around threat detection and investigation. If an attacker can bypass your initial blocks, you expect your tools to pick them up at some point in the attack chain. Every organization's digital architecture is now seeded with security controls that log anything potentially malicious. Security analysts pore through these logs and determine what to investigate further. Does this work? Let'

The Hacker News

April 28, 2023 – Criminals

Ukraine cyber police arrested a man for selling data of 300M people

Abstract The Ukrainian cyber police arrested a Ukrainian man for selling the data of over 300 million people from different countries. The Ukrainian cyber police have arrested a man (36) from the city of Netishyn for selling the personal data and sensitive information...

Security Affairs

April 28, 2023 – Denial Of Service

DDoS Attacks on Israel’s Independence Day Take Down Websites of News Outlet, Government Authority

Abstract The websites of major Israeli news outlet Maariv, sister publication of The Jerusalem Post, were taken offline on Wednesday. The Anonymous Sudan group also managed to take down the website of the Israel Ports Authority and the Meretz political party.

Cyware

April 28, 2023 – Vulnerabilities

Zyxel Firewall Devices Vulnerable to Remote Code Execution Attacks — Patch Now

Abstract Networking equipment maker Zyxel has released patches for a critical security flaw in its firewall devices that could be exploited to achieve remote code execution on affected systems. The issue, tracked as CVE-2023-28771, is rated 9.8 on the CVSS scoring system. Researchers from TRAPA Security have been credited with reporting the flaw. "Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device," Zyxel said in an advisory on April 25, 2023. Products impacted by the flaw are ATP (versions ZLD V4.60 to V5.35, patched in ZLD V5.36), USG FLEX (versions ZLD V4.60 to V5.35, patched in ZLD V5.36), VPN (versions ZLD V4.60 to V5.35, patched in ZLD V5.36), and ZyWALL/USG (versions ZLD V4.60 to V4.73, patched in ZLD V4.73 Patch 1). Zyxel has also addressed a high-severity post-authentication command injection vulnerability affecting select firewa

The Hacker News

April 28, 2023 – Policy and Law

Google obtained a temporary court order against CryptBot distributors

Abstract Google obtained a temporary court order in the U.S. to disrupt the operations of the CryptBot information stealer. Google announced that a federal judge in the Southern District of New York unsealed its civil action against the operators of the information...

Security Affairs

April 28, 2023 – Attack

UK school hit by ransomware attack

Abstract A school in Wiltshire was hit by a ransomware attack last weekend. Hardenhuish School, a mixed secondary academy in Chippenham, sent texts to parents and guardians of its 1,623 pupils notifying them of the attack.

Cyware

April 28, 2023 – Malware

ViperSoftX InfoStealer Adopts Sophisticated Techniques to Avoid Detection

Abstract A significant number of victims in the consumer and enterprise sectors located across Australia, Japan, the U.S., and India have been affected by an evasive information-stealing malware called ViperSoftX. ViperSoftX was first documented by Fortinet in 2020, with cybersecurity company Avast detailing a campaign in November 2022 that leveraged the malware to distribute a malicious Google Chrome extension capable of siphoning cryptocurrencies from wallet applications. Now a new analysis from Trend Micro has revealed the malware's adoption of "more sophisticated encryption and basic anti-analysis techniques, such as byte remapping and web browser communication blocking." The arrival vector of ViperSoftX is typically a software crack or a key generator (keygen), while also employing actual non-malicious software like multimedia editors and system cleaner apps as "carriers." One of the key steps performed by the malware before downloading a first-stage Po

The Hacker News

April 28, 2023 – Attack

South Carolina’s Spartanburg County Suffers Ransomware Attack

Abstract A ransomware attack has been reported in Spartanburg County. WYFF News 4 reached out to Spartanburg County officials and the South Carolina Judicial Branch after hearing about a possible computer issue.

Cyware

April 28, 2023 – General

Attention Online Shoppers: Don’t Be Fooled by Their Sleek, Modern Looks — It’s Magecart!

Abstract An ongoing Magecart campaign has attracted the attention of cybersecurity researchers for leveraging realistic-looking fake payment screens to capture sensitive data entered by unsuspecting users. "The threat actor used original logos from the compromised store and customized a web element known as a modal to perfectly hijack the checkout page," Jérôme Segura, director of threat intelligence at Malwarebytes, said. "The remarkable thing here is that the skimmer looks more authentic than the original payment page." The term Magecart is a catch-all that refers to several cybercrime groups which employ online skimming techniques to steal personal data from websites – most commonly, customer details and payment information on e-commerce websites. The name originates from the groups' initial targeting of the Magento platform. According to data shared by Sansec, the first Magecart-like attacks were observed as early as 2010. As of 2022, more than 70,000 sto

The Hacker News

April 28, 2023 – Attack

Tonto Team Uses Anti-Malware File to Launch Attacks on South Korean Institutions

Abstract South Korean education, construction, diplomatic, and political institutions are at the receiving end of new attacks perpetrated by a China-aligned threat actor known as the Tonto Team. "Recent cases have revealed that the group is using a file related to anti-malware products to ultimately execute their malicious attacks," the AhnLab Security Emergency Response Center (ASEC) said in a report published this week. Tonto Team, active since at least 2009, has a track record of targeting various sectors across Asia and Eastern Europe. Earlier this year, the group was attributed to an unsuccessful phishing attack on cybersecurity company Group-IB. The attack sequence discovered by ASEC starts with a Microsoft Compiled HTML Help (.CHM) file that executes a binary file to side-load a malicious DLL file (slc.dll) and launch ReVBShell, an open source VBScript backdoor also put to use by another Chinese threat actor called Tick. ReVBShell is subsequently leveraged to do

The Hacker News

April 27, 2023 – Outage

NCR restores more services following ransomware attack

Abstract NCR is making progress restoring services after a ransomware attack led to a data center outage that impacted its Aloha cloud-based services and Counterpoint applications.

Cyware

April 27, 2023 – Policy and Law

Google Gets Court Order to Take Down CryptBot That Infected Over 670,000 Computers

Abstract Google on Wednesday said it obtained a temporary court order in the U.S. to disrupt the distribution of a Windows-based information-stealing malware called CryptBot and "decelerate" its growth. The tech giant's Mike Trinh and Pierre-Marc Bureau said the efforts are part of steps it takes to "not only hold criminal operators of malware accountable, but also those who profit from its distribution." CryptBot is estimated to have infected over 670,000 computers in 2022 with the goal of stealing sensitive data such as authentication credentials, social media account logins, and cryptocurrency wallets from users of Google Chrome. The harvested data is then exfiltrated to the threat actors, who then sell the data to other attackers for use in data breach campaigns. CryptBot was first discovered in the wild in December 2019. The malware has been traditionally delivered via maliciously modified versions of legitimate and popular software packages such as Goog

The Hacker News

April 27, 2023 – General

911? We Have an Emergency: Cyberattacks On Emergency Response Systems

Abstract Unsecured 911 services can be exploited to sow distrust in the U.S. government among the American public.

Lawfare

April 27, 2023 – Ransomware

Researchers found the first Linux variant of the RTM locker

Abstract RTM ransomware-as-a-service (RaaS) started offering locker ransomware that targets Linux, NAS, and ESXi systems. The Uptycs threat research team discovered the first ransomware binary attributed to the RTM ransomware-as-a-service (RaaS) provider....

Security Affairs

April 27, 2023 – Solution

Google adds new risk assessment tool for Chrome extensions

Abstract Google has made available a new tool for Google Workspace admins and security teams to make an assessment of the risk different Chrome extensions may present to their users: Spin.AI App Risk Assessment.

Cyware

April 27, 2023 – Attack

Paperbug Attack: New Politically-Motivated Surveillance Campaign in Tajikistan

Abstract A little-known Russian-speaking cyber-espionage group has been linked to a new politically-motivated surveillance campaign targeting high-ranking government officials, telecom services, and public service infrastructures in Tajikistan. The intrusion set, dubbed Paperbug by Swiss cybersecurity company PRODAFT, has been attributed to a threat actor known as Nomadic Octopus (aka DustSquad). "The types of compromised machines range from individuals' computers to [operational technology] devices," PRODAFT said in a deep dive technical report shared with The Hacker News. "These targets make operation 'Paperbug' intelligence-driven." The ultimate motive behind the attacks is unclear at this stage, but the cybersecurity firm has raised the possibility that it could be the work of opposition forces within the country or, alternatively, an intelligence-gathering mission carried out by Russia or China. Nomadic Octopus first came to light in October 2018 w

The Hacker News

April 27, 2023 – Ransomware

Crooks use PaperCut exploits to deliver Cl0p and LockBit ransomware

Abstract Microsoft revealed that recent attacks against PaperCut servers aimed at distributing Cl0p and LockBit ransomware. Microsoft linked the recent attacks against PaperCut servers to a financially motivated threat actor tracked as Lace Tempest (formerly...

Security Affairs

April 27, 2023 – Phishing

TA505 Allegedly Behind New Malware Deployed Using Fake Websites and Malvertising

Abstract To trick unsuspecting users into downloading malware onto their systems, threat actors often used the Google advertisements platform to promote fake websites on legit software and application updates.

Cyware

April 27, 2023 – Malware

LimeRAT Malware Analysis: Extracting the Config

Abstract Remote Access Trojans (RATs) have taken the third leading position in ANY.RUN's Q1 2023 report on the most prevalent malware types, making it highly probable that your organization may face this threat. Though LimeRAT might not be the most well-known RAT family, its versatility is what sets it apart. Capable of carrying out a broad spectrum of malicious activities, it excels not only in data exfiltration, but also in creating DDoS botnets and facilitating crypto mining. Its compact footprint allows it to elude endpoint detection systems, making it a stealthy adversary. Interestingly, LimeRAT shares similarities with njRAT, which ANY.RUN ranks as the third most popular malware family in terms of uploads during Q1 2023. ANY.RUN researchers have recently conducted an in-depth analysis of a LimeRAT sample and successfully extracted its configuration. In this article, we'll provide a brief overview of that analysis. Collected artifacts SHA1 14836dd608efb4a0c552a4f370e

The Hacker News

April 27, 2023 – Phishing

CryptoRom: OkCupid scam cost Florida man $480k – we followed the money to Binance

Abstract CyberNews analyzed a classic cryptocurrency romance scam, also known as CryptoRom, explaining how scammers hid the money. CryptoRom scammers hid the money with several layers of obfuscation, but the Cybernews research team discovered that the stolen...

Security Affairs

April 27, 2023 – General

Corporate boards pressure CISOs to step up risk mitigation efforts

Abstract While those working in InfoSec and GRC have high levels of confidence in their cyber/IT risk management systems, persistent problems may be making them less effective than perceived, according to RiskOptics.

Cyware

April 27, 2023 – Ransomware

RTM Locker’s First Linux Ransomware Strain Targeting NAS and ESXi Hosts

Abstract The threat actors behind RTM Locker have developed a ransomware strain that's capable of targeting Linux machines, marking the group's first foray into the open source operating system. "Its locker ransomware infects Linux, NAS, and ESXi hosts and appears to be inspired by Babuk ransomware's leaked source code," Uptycs said in a new report published Wednesday. "It uses a combination of ECDH on Curve25519 (asymmetric encryption) and Chacha20 (symmetric encryption) to encrypt files." RTM Locker was first documented by Trellix earlier this month, describing the adversary as a private ransomware-as-a-service (RaaS) provider. It has its roots in a cybercrime group called Read The Manual (RTM) that's known to be active since at least 2015. The group is notable for deliberately avoiding high-profile targets such as critical infrastructure, law enforcement, and hospitals so as to draw as little attention as possible. It also leverages affilia

The Hacker News

April 27, 2023 – APT

Iranian Charming Kitten APT used a new BellaCiao malware in recent wave of attacks

Abstract Iran-linked APT group Charming Kitten employed a new malware dubbed BellaCiao in attacks against victims in the U.S., Europe, the Middle East and India. Iran-linked Charming Kitten group, (aka APT35, Phosphorus, Newscaster, and Ajax Security Team)...

Security Affairs

April 27, 2023 – Ransomware

New coercive tactics used to extort ransomware payments

Abstract The increase in reported ransomware victims across Q1 2023 reflects the continued prevalence of ransomware as a worldwide, industry-agnostic threat, according to GuidePoint Security.

Cyware

April 27, 2023 – Vulnerabilities

Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware

Abstract Microsoft has confirmed that the active exploitation of PaperCut servers is linked to attacks that are designed to deliver Cl0p and LockBit ransomware families. The tech giant's threat intelligence team is attributing a subset of the intrusions to a financially motivated actor it tracks under the name Lace Tempest (formerly DEV-0950), which overlaps with other hacking groups like FIN11, TA505, and Evil Corp. "In observed attacks, Lace Tempest ran multiple PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service," Microsoft said in a series of tweets. The next phase of the attack entailed the deployment of Cobalt Strike Beacon implant to conduct reconnaissance, move laterally across the network using WMI, and exfiltrate files of interest via the file-sharing service MegaSync. Lace Tempest is a Cl0p ransomware affiliate that's said to hav

The Hacker News

April 27, 2023 – Outage

Cyberattack Disrupts Lowell City Government, Shuts Down Computers

Abstract The city of Lowell is alerting residents to a cyberattack that impacted the municipality's computer systems starting early on Monday. "We realized Monday morning around 3 to 5 AM that there was a breach," said City Manager Tom Golden.

Cyware

April 27, 2023 – General

CISOs: unsupported, unheard, and invisible

Abstract A study conducted among CISOs worldwide from various industries sheds light on their strategies amid a challenging threat environment, identifies obstacles from business functions, and highlights their requirements for achieving success.

Cyware

April 27, 2023 – Phishing

OkCupid scam cost Florida man $480k – researchers followed the money to Binance

Abstract Scammers had lured a victim from Florida into parting with $480,000 after cultivating a long-term relationship, eventually coaxing him into making cryptocurrency investments.

Cyware

April 26, 2023 – Vulnerabilities

Google Cloud Platform Flaw ‘GhostToken’ Offers Ghost Entry to Attackers

Abstract Google patched a security hole dubbed GhostToken that affects all the users of Google Cloud Platform (GCP). This flaw enables attackers to gain access to user accounts through the installation of malicious OAuth applications obtained from either the Google Marketplace or third-party providers. Crim...

Cyware

April 26, 2023 – Hacker

Chinese Hackers Spotted Using Linux Variant of PingPull in Targeted Cyberattacks

Abstract The Chinese nation-state group dubbed Alloy Taurus is using a Linux variant of a backdoor called PingPull as well as a new undocumented tool codenamed Sword2033. That's according to findings from Palo Alto Networks Unit 42, which discovered recent malicious cyber activity carried out by the group targeting South Africa and Nepal. Alloy Taurus is the constellation-themed moniker assigned to a threat actor that's known for its attacks targeting telecom companies since at least 2012. It's also tracked by Microsoft as Granite Typhoon (previously Gallium). Last month, the adversary was attributed to a campaign called Tainted Love targeting telecommunication providers in the Middle East as part of a broader operation referred to as Soft Cell. Recent cyber espionage attacks mounted by Alloy Taurus have also broadened their victimology footprint to include financial institutions and government entities. PingPull, first documented by Unit 42 in June 2022, is a remote

The Hacker News

April 26, 2023 – APT

China-linked Alloy Taurus APT uses a Linux variant of PingPull malware

Abstract China-linked threat actor tracked as Alloy Taurus is using a Linux variant of the PingPull backdoor and a new tool dubbed Sword2033. Researchers from Palo Alto Networks Unit 42 recently observed the China-linked Alloy Taurus group  (aka GALLIUM,...

Security Affairs

April 26, 2023 – Malware

Google Ads Abused to Distribute New LOBSHOT Malware

Abstract Elastic Security Labs has uncovered LOBSHOT, a previously unknown hVNC malware, that impersonates legitimate software for financial gain and is promoted through malvertising, such as Google Ads, to extend their reach and perpetrate their attacks. It targets 32 Chrome extensions, nine Edge wallet ex...

Cyware

April 26, 2023 – Malware

Charming Kitten’s New BellaCiao Malware Discovered in Multi-Country Attacks

Abstract The prolific Iranian nation-state group known as Charming Kitten is actively targeting multiple victims in the U.S., Europe, the Middle East and India with a novel malware dubbed BellaCiao, adding to its ever-expanding list of custom tools. Discovered by Bitdefender Labs, BellaCiao is a "personalized dropper" that's capable of delivering other malware payloads onto a victim machine based on commands received from an actor-controlled server. "Each sample collected was tied up to a specific victim and included hard-coded information such as company name, specially crafted subdomains, or associated public IP address," the Romanian cybersecurity firm said in a report shared with The Hacker News. Charming Kitten, also known as APT35, Cobalt Illusion, Educated Manticore, ITG18, Mint Sandstorm (née Phosphorus), TA453, and Yellow Garuda, is an Iranian state-sponsored APT group associated with the Islamic Revolutionary Guard Corps (IRGC). Over the years, the

The Hacker News

April 26, 2023 – Vulnerabilities

A component in Huawei network appliances could be used to take down Germany’s telecoms networks

Abstract German government warns that technology to regulate power consumption in Huawei network appliances could be used for sabotage purposes. In March, the interior ministry announced it was conducting an audit on the network appliance from Chinese telecoms...

Security Affairs

April 26, 2023 – Phishing

Scammers Use Over 3,000 Fake Facebook Profiles to Lure Victims

Abstract Group-IB spotted a new phishing campaign targeting Facebook users, leveraging 3,200 fake profiles, in an attempt to steal account credentials from public figures, businesses, celebs, and others. The profiles were either created by the actors or were genuinely hacked accounts of users. Of these fake ... Read More

Cyware

April 26, 2023 – Hacker

Chinese Hackers Using MgBot Malware to Target International NGOs in Mainland China Full Text

Abstract The advanced persistent threat (APT) group referred to as Evasive Panda has been observed targeting an international non-governmental organization (NGO) in Mainland China with malware delivered via update channels of legitimate applications like Tencent QQ. The attack chains are designed to distribute a Windows installer for MgBot malware, ESET security researcher Facundo Muñoz said in a new report published today. The activity commenced in November 2020 and continued throughout 2021. Evasive Panda, also known as Bronze Highland and Daggerfly, is a Chinese-speaking APT group that has been attributed to a series of cyber espionage attacks targeting various entities in China, Hong Kong, and other countries located in East and South Asia since at least late December 2012. The group's hallmark is the use of the custom MgBot modular malware framework, which is capable of receiving additional components on the fly to expand on its intelligence-gathering capabilities. Some of th

The Hacker News

April 26, 2023 – Vulnerabilities

Thousands of publicly-exposed Apache Superset installs exposed to RCE attacks Full Text

Abstract Apache Superset open-source data visualization platform is affected by an insecure default configuration that could lead to remote code execution. Apache Superset is an open-source data visualization and data exploration platform. The maintainers...

Security Affairs

April 26, 2023 – Botnet

Mirai Botnet Variant Explores TP-Link to Grow its Army of DDoS Devices Full Text

Abstract The Mirai botnet operators were seen abusing CVE-2023-1389, a vulnerability in the TP-Link Archer A21 (AX1800) WiFi router, and trying to make those devices part of their future DDoS attacks. The initial study of the attack infrastructure revealed targeted devices in the Eastern Europe region, howe ... Read More

Cyware

April 26, 2023 – General

Browser Security Survey: 87% of SaaS Adopters Exposed to Browser-borne Attacks Full Text

Abstract The browser serves as the primary interface between the on-premises environment, the cloud, and the web in the modern enterprise. Therefore, the browser is also exposed to multiple types of cyber threats and operational risks. In light of this significant challenge, how are CISOs responding? LayerX, a Browser Security platform provider, has polled more than 150 CISOs across multiple verticals and geolocations. The survey asked them about their security practices for SaaS access, BYOD, phishing, browser data loss and browser security. The results of this extensive poll can be found in the report "2023 Browser Security Survey". In this article, we bring a taste of the report. You can read all the results and analysis here. Main Highlights: Organizations in the cloud are exposed to web-borne attacks. 87% of all-SaaS adopters and 79% of CISOs in a hybrid environment experienced a web-borne security threat in the past 12 months. Account takeover is a top concern. 48% list credential phis

The Hacker News

April 26, 2023 – Attack

Pro-Russia hacking group executed a disruptive attack against a Canadian gas pipeline Full Text

Abstract Pro-Russia hacking group Zarya caused a cybersecurity incident at a Canadian gas pipeline; the critical infrastructure sector is on alert. A Canadian gas pipeline suffered a cyber security incident, Canada’s top cyber official and Pro-Russia hacking...

Security Affairs

April 26, 2023 – Botnet

The Anatomy of a Scalping Bot: NSB Was Copped! Full Text

Abstract For the past eight years, NSB has been used by bot operators to acquire limited edition and hard-to-find items from over 100 online shops. It's considered one of the best scalping bots available on the market, with an annual price of $499.

Cyware

April 26, 2023 – Vulnerabilities

Apache Superset Vulnerability: Insecure Default Configuration Exposes Servers to RCE Attacks Full Text

Abstract The maintainers of the Apache Superset open source data visualization software have released fixes to plug an insecure default configuration that could lead to remote code execution. The vulnerability, tracked as CVE-2023-27524 (CVSS score: 8.9), impacts versions up to and including 2.0.1 and relates to the use of a default SECRET_KEY that could be abused by attackers to authenticate and access unauthorized resources on internet-exposed installations. Naveen Sunkavally, the chief architect at Horizon3.ai, described the issue as "a dangerous default configuration in Apache Superset that allows an unauth attacker to gain remote code execution, harvest credentials, and compromise data." It's worth noting that the flaw does not affect Superset instances that have changed the default value for the SECRET_KEY config to a more cryptographically secure random string. The cybersecurity firm, which found that the SECRET_KEY is defaulted to the value "\x02\x01thisismy

The Hacker News

April 26, 2023 – Hacker

FIN7 Hackers Caught Exploiting Recent Veeam Backup & Replication Vulnerability Full Text

Abstract At the end of March 2023, WithSecure caught FIN7 attacks that exploited internet-facing servers running Veeam Backup & Replication software to execute payloads on the compromised environment.

Cyware

April 26, 2023 – Vulnerabilities

VMware Releases Critical Patches for Workstation and Fusion Software Full Text

Abstract VMware has released updates to resolve multiple security flaws impacting its Workstation and Fusion software, the most critical of which could allow a local attacker to achieve code execution. The vulnerability, tracked as CVE-2023-20869 (CVSS score: 9.3), is described as a stack-based buffer-overflow vulnerability that resides in the functionality for sharing host Bluetooth devices with the virtual machine. "A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host," the company said. Also patched by VMware is an out-of-bounds read vulnerability affecting the same feature (CVE-2023-20870, CVSS score: 7.1), that could be abused by a local adversary with admin privileges to read sensitive information contained in hypervisor memory from a virtual machine. Both vulnerabilities were demonstrated by researchers from STAR Labs on the third day of the Pwn2O

The Hacker News

April 26, 2023 – General

Teenagers, young adults pose prevalent cyberthreat to US, Mandiant says Full Text

Abstract A group of teenagers and individuals in their 20s from the U.S. and the U.K. are among the most prevalent threat actors today, Mandiant Consulting CTO Charles Carmakal said Monday at an off-site media briefing during the RSA Conference.

Cyware

April 26, 2023 – APT

Charming Kitten APT Uses BellaCiao Malware to Target Victims in US, Europe, Middle East, and India Full Text

Abstract This malware is tailored to suit individual targets and exhibits a higher level of complexity, evidenced by a unique communication approach with its command-and-control (C2) infrastructure.

Cyware

April 26, 2023 – General

Attackers are logging in instead of breaking in Full Text

Abstract Cyberattackers leveraged more than 500 unique tools and tactics in 2022, according to Sophos. The data was analyzed from more than 150 Sophos Incident Response (IR) cases.

Cyware

April 25, 2023 – General

The Political Cybersecurity Blindfold in Latin America Full Text

Abstract Latin America has been at the epicenter of a wave of cyberattacks since the start of the coronavirus pandemic; however, it is still hard to understand what cybersecurity means politically for the countries in the region.

Lawfare

April 25, 2023 – Vulnerabilities

SLP flaw allows DDoS attacks with an amplification factor as high as 2200 times Full Text

Abstract A flaw in the Service Location Protocol (SLP), tracked as CVE-2023-29552, can allow attackers to carry out powerful DDoS attacks. A high-severity security vulnerability (CVE-2023-29552, CVSS score: 8.6) impacting the Service Location Protocol (SLP) can be exploited...

Security Affairs

April 25, 2023 – Vulnerabilities

VMware addressed two zero-day flaws demonstrated at Pwn2Own Vancouver 2023 Full Text

Abstract VMware addressed zero-day flaws that can be chained to achieve arbitrary code execution on Workstation and Fusion software hypervisors. VMware released security updates to address two zero-day vulnerabilities (CVE-2023-20869, CVE-2023-20870) that...

Security Affairs

April 25, 2023 – Vulnerabilities

New SLP Vulnerability Could Let Attackers Launch 2200x Powerful DDoS Attacks Full Text

Abstract Details have emerged about a high-severity security vulnerability impacting Service Location Protocol (SLP) that could be weaponized to launch volumetric denial-of-service attacks against targets. "Attackers exploiting this vulnerability could leverage vulnerable instances to launch massive Denial-of-Service (DoS) amplification attacks with a factor as high as 2,200 times, potentially making it one of the largest amplification attacks ever reported," Bitsight and Curesec researchers Pedro Umbelino and Marco Lux said in a report shared with The Hacker News. The vulnerability, which has been assigned the identifier CVE-2023-29552 (CVSS score: 8.6), is said to impact more than 2,000 global organizations and over 54,000 SLP instances that are accessible over the internet. This includes VMWare ESXi Hypervisor, Konica Minolta printers, Planex Routers, IBM Integrated Management Module (IMM), SMC IPMI, and 665 other product types. The top 10 countries with the most organi

The Hacker News

April 25, 2023 – Botnet

A new Mirai botnet variant targets TP-Link Archer A21 Full Text

Abstract Mirai botnet started exploiting the CVE-2023-1389 vulnerability (aka ZDI-CAN-19557/ZDI-23-451) in TP-Link Archer A21 in recent attacks. Last week, the Zero Day Initiative (ZDI) threat-hunting team observed the Mirai botnet attempting to exploit the CVE-2023-1389...

Security Affairs

April 25, 2023 – Attack

Iranian Hackers Launch Sophisticated Attacks Targeting Israel with PowerLess Backdoor Full Text

Abstract An Iranian nation-state threat actor has been linked to a new wave of phishing attacks targeting Israel that's designed to deploy an updated version of a Windows backdoor called PowerLess. Cybersecurity firm Check Point is tracking the activity cluster under its mythical creature handle Educated Manticore, which exhibits "strong overlaps" with a hacking crew known as APT35, Charming Kitten, Cobalt Illusion, ITG18, Mint Sandstorm (formerly Phosphorus), TA453, and Yellow Garuda. "Like many other actors, Educated Manticore has adopted recent trends and started using ISO images and possibly other archive files to initiate infection chains," the Israeli company said in a technical report published today. Active since at least 2011, APT35 has cast a wide net of targets by leveraging fake social media personas, spear-phishing techniques, and N-day vulnerabilities in internet-exposed applications to gain initial access and drop various payloads, includi

The Hacker News

April 25, 2023 – Vulnerabilities

Google researchers found multiple security issues in Intel TDX Full Text

Abstract Google Cloud Security and Project Zero researchers found multiple vulnerabilities in the Intel Trust Domain Extensions (TDX). Google Cloud Security and Project Zero researchers, working with Intel experts, discovered multiple vulnerabilities in the Intel...

Security Affairs

April 25, 2023 – Solution

Modernizing Vulnerability Management: The Move Toward Exposure Management Full Text

Abstract Managing vulnerabilities in the constantly evolving technological landscape is a difficult task. Although vulnerabilities emerge regularly, not all vulnerabilities present the same level of risk. Traditional metrics such as CVSS score or the number of vulnerabilities are insufficient for effective vulnerability management as they lack business context, prioritization, and understanding of attackers' opportunities. Vulnerabilities only represent a small part of the attack surface that attackers can leverage. Initially, organizations used manual methods to address known security weaknesses, but as technology and cyber threats evolved, a more automated and comprehensive approach became necessary. However, legacy vulnerability management tools were designed primarily for compliance and modern tools still face challenges in prioritization and limited resources, especially in dynamic and agile cloud environments. Modern vulnerability management integrates security tools such as scanne

The Hacker News

April 25, 2023 – Solution

Google Authenticator App now supports Google Account synchronization Full Text

Abstract Google announced that its Authenticator app for Android and iOS now supports Google Account synchronization. Google announced that its Google Authenticator app for both iOS and Android now supports Google Account synchronization, which allows users to safely...

Security Affairs

April 25, 2023 – Breach

Peugeot leaks access to user information in South America Full Text

Abstract Peugeot, a French brand of automobiles owned by Stellantis, exposed its users in Peru, a South American country with a population of nearly 34 million. The brand, best known for its roaring lion logo for over a century, has leaked access to its user data...

Security Affairs

April 24, 2023 – Criminals

8220 Gang of Cryptojackers Exploit Log4Shell to Mint Coins Full Text

Abstract Researchers found 8220 Gang exploiting the Log4Shell vulnerability to install CoinMiner in VMware Horizon servers of Korean energy-related companies. The gang uses a PowerShell script to download ScrubCrypt and establish persistence by making edits to the registry entries. System administrators are ... Read More

Cyware

April 24, 2023 – Hacker

Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering Full Text

Abstract The Russian-speaking threat actor behind a backdoor known as Tomiris is primarily focused on gathering intelligence in Central Asia, fresh findings from Kaspersky reveal. "Tomiris's endgame consistently appears to be the regular theft of internal documents," security researchers Pierre Delcher and Ivan Kwiatkowski said in an analysis published today. "The threat actor targets government and diplomatic entities in the CIS." The Russian cybersecurity firm's latest assessment is based on three new attack campaigns mounted by the hacking crew between 2021 and 2023. Tomiris first came to light in September 2021 when Kaspersky highlighted its potential connections to Nobelium (aka APT29, Cozy Bear, or Midnight Blizzard), the Russian nation-state group behind the SolarWinds supply chain attack. Similarities have also been unearthed between the backdoor and another malware strain dubbed Kazuar, which is attributed to the Turla group (aka Krypton, Secre

The Hacker News

April 24, 2023 – Malware

AuKill tool uses BYOVD attack to disable EDR software Full Text

Abstract Ransomware operators use the AuKill tool to disable EDR software through Bring Your Own Vulnerable Driver (BYOVD) attack. Sophos researchers reported that threat actors are using a previously undocumented defense evasion tool, dubbed AuKill, to...

Security Affairs

April 24, 2023 – Ransomware

Play Ransomware Group Adds Two New Tools to Harvest More Data Full Text

Abstract The Play ransomware group has added two custom tools written in .NET to expand the effectiveness of its attacks. Named Grixba and Volume Shadow Copy Service (VSS), these tools enable attackers to keep track of users in compromised networks and gather information about security, backup, and remote a ... Read More

Cyware

April 24, 2023 – Ransomware

Ransomware Hackers Using AuKill Tool to Disable EDR Software Using BYOVD Attack Full Text

Abstract Threat actors are employing a previously undocumented "defense evasion tool" dubbed AuKill that's designed to disable endpoint detection and response (EDR) software by means of a Bring Your Own Vulnerable Driver (BYOVD) attack. "The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system," Sophos researcher Andreas Klopsch said in a report published last week. Incidents analyzed by the cybersecurity firm show the use of AuKill since the start of 2023 to deploy various ransomware strains such as Medusa Locker and LockBit. Six different versions of the malware have been identified to date. The oldest AuKill sample features a November 2022 compilation timestamp. The BYOVD technique relies on threat actors misusing a legitimate, but out-of-date and exploitable, driver signed by Microsoft (or usin

The Hacker News

April 24, 2023 – Vulnerabilities

Experts released PoC Exploit code for actively exploited PaperCut flaw Full Text

Abstract Threat actors are exploiting PaperCut MF/NG print management software flaws in attacks in the wild, while researchers released PoC exploit code. Hackers are actively exploiting PaperCut MF/NG print management software flaws (tracked as CVE-2023-27350 and CVE-2023-27351)...

Security Affairs

April 24, 2023 – Attack

New Blind Eagle Attack Chain Discovered Full Text

Abstract The Blind Eagle cyberespionage group was identified as the source of a new multi-stage attack chain that ultimately results in the deployment of NjRAT on compromised systems. In this attack campaign, Blind Eagle leverages social engineering, custom malware, and spear-phishing attacks. Therefore, up ... Read More

Cyware

April 24, 2023 – General

Study: 84% of Companies Use Breached SaaS Applications - Here’s How to Fix it for Free! Full Text

Abstract A recent review by Wing Security, a SaaS security company that analyzed the data of over 500 companies, revealed some worrisome information. According to this review, 84% of the companies had employees using an average of 3.5 SaaS applications that were breached in the previous 3 months. While this is concerning, it isn't much of a surprise. The exponential growth in SaaS usage has security and IT teams struggling to keep up with which SaaS applications are being used and how. This isn't to say that SaaS should be avoided or blocked; on the contrary, SaaS applications must be used to ensure business growth. But using them has to be done with some level of caution. Determining which SaaS applications are risky: the most intuitive risk factor for deciding whether an application is risky is to look it up and see whether it has been breached. SaaS applications are clearly a target as we see more and more SaaS-related attacks. A breach is a clear indication to stay away, at leas

The Hacker News

April 24, 2023 – Malware

EvilExtractor, a new All-in-One info stealer appeared on the Dark Web Full Text

Abstract EvilExtractor is a new "all-in-one" info stealer for Windows that is being advertised for sale on dark web cybercrime forums. Fortinet FortiGuard Labs researchers discovered a new "all-in-one" info stealer for Windows, dubbed EvilExtractor (sometimes...

Security Affairs

April 24, 2023 – Malware

AuKill Exploits Process Explorer Utility via BYOVD, Deploys Ransomware Full Text

Abstract Sophos X-Ops uncovered a defense evasion tool called AuKill. The tool exploits an outdated version of the driver used by version 16.32 of the Microsoft utility Process Explorer to disable EDR processes to deploy either a backdoor or ransomware on the targeted system. Since the beginning of 2023, th ... Read More

Cyware

April 24, 2023 – Hacker

Hackers Exploit Outdated WordPress Plugin to Backdoor Thousands of WordPress Sites Full Text

Abstract Threat actors have been observed leveraging a legitimate but outdated WordPress plugin to surreptitiously backdoor websites as part of an ongoing campaign, Sucuri revealed in a report published last week. The plugin in question is Eval PHP, released by a developer named flashpixx. It allows users to insert PHP code into pages and posts of WordPress sites that's then executed every time the posts are opened in a web browser. While Eval PHP has never received an update in 11 years, statistics gathered by WordPress show that it's installed on over 8,000 websites, with the number of downloads skyrocketing from one or two on average since September 2022 to 6,988 on March 30, 2023. On April 23, 2023, alone, it was downloaded 2,140 times. The plugin has racked up 23,110 downloads over the past seven days. GoDaddy-owned Sucuri said it observed some infected websites' databases injected with malicious code into the "wp_posts" table, which stores a site's posts,

The Hacker News

April 24, 2023 – Criminals

Russian cybercrime group likely behind ongoing exploitation of PaperCut flaws Full Text

Abstract Print management software provider PaperCut confirmed ongoing active exploitation of CVE-2023-27350 vulnerability. On April 19th, Print management software provider PaperCut confirmed that it is aware of the active exploitation of the CVE-2023-27350...

Security Affairs

April 24, 2023 – APT

Mint Sandstorm Targets U.S. Critical Infrastructure Full Text

Abstract Microsoft connected the Iranian Mint Sandstorm APT group (aka PHOSPHORUS) to a wave of attacks, between late-2021 and mid-2022, targeting the U.S. critical infrastructure. The group targets private/public organizations, including activists, journalists, the Defense Industrial Base (DIB), political ... Read More

Cyware

April 24, 2023 – Malware

New All-in-One “EvilExtractor” Stealer for Windows Systems Surfaces on the Dark Web Full Text

Abstract A new "all-in-one" stealer malware named EvilExtractor (also spelled Evil Extractor) is being marketed for sale for other threat actors to steal data and files from Windows systems. "It includes several modules that all work via an FTP service," Fortinet FortiGuard Labs researcher Cara Lin said. "It also contains environment checking and Anti-VM functions. Its primary purpose seems to be to steal browser data and information from compromised endpoints and then upload it to the attacker's FTP server." The network security company said it observed a surge in attacks spreading the malware in the wild in March 2023, with a majority of the victims located in Europe and the U.S. While marketed as an educational tool, EvilExtractor has been adopted by threat actors for use as an information stealer. The attack tool is being sold by an actor named Kodex on cybercrime forums like Cracked dating back to October 22, 2022. It's continually updated and

The Hacker News

April 24, 2023 – Hacker

Hackers can hack organizations using data found on their discarded enterprise network equipment Full Text

Abstract ESET researchers explained that enterprise network equipment that was discarded, but not destroyed, could reveal corporate secrets. ESET researchers purchased a few used routers to set up a test environment and made a shocking discovery: in many cases,...

Security Affairs

April 24, 2023 – General

These two countries are teaming up to develop AI for cybersecurity Full Text

Abstract Singapore and France have announced plans to set up a research facility to jointly develop artificial intelligence (AI) capabilities that can be applied in cyber defense.

Cyware

April 24, 2023 – Hacker

Russian Hackers Suspected in Ongoing Exploitation of Unpatched PaperCut Servers Full Text

Abstract Print management software provider PaperCut said that it has "evidence to suggest that unpatched servers are being exploited in the wild," citing two vulnerability reports from cybersecurity company Trend Micro. "PaperCut has conducted analysis on all customer reports, and the earliest signature of suspicious activity on a customer server potentially linked to this vulnerability is 14th April 01:29 AEST / 13th April 15:29 UTC," it further added. The update comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical improper access control flaw (CVE-2023-27350, CVSS score: 9.8) in PaperCut MF and NG to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. Cybersecurity company Huntress, which found about 1,800 publicly exposed PaperCut servers, said it observed PowerShell commands being spawned from PaperCut software to install remote management and maintenance (RMM) software like Atera an

The Hacker News

April 24, 2023 – Malware

Package names repurposed to push malware on PyPI Full Text

Abstract At the beginning of March, ReversingLabs researchers encountered a malicious package on the Python Package Index (PyPI) named termcolour, a three-stage downloader published in multiple versions.

Cyware

April 24, 2023 – Hacker

North Korean Hackers Target Mac Users With New ‘RustBucket’ Malware Full Text

Abstract Dubbed RustBucket and able to fetch additional payloads from its command-and-control (C&C) server, the malware has been attributed to the APT actor BlueNoroff, which is believed to be a subgroup of the infamous Lazarus hacking group.

Cyware

April 24, 2023 – Hacker

Threat actors can use ChatGPT to sharpen cyberthreats, but no need to panic yet Full Text

Abstract Since the generative artificial intelligence chatbot was released in November, Palo Alto Networks’ Unit 42 has detected up to 118 malicious URLs related to ChatGPT daily and domain squatting related to the tool has surged 17,818%.

Cyware

April 24, 2023 – Hacker

Hackers Exploit Generative AI to Spread RedLine Stealer MaaS Full Text

Abstract As generative AI tools like OpenAI ChatGPT and Google Bard continue to dominate the headlines—and pundits debate whether the technology has taken off too quickly without necessary guardrails—cybercriminals are showing no hesitance in exploiting them.

Cyware

April 23, 2023 – Attack

Health insurer Point32Health suffered a ransomware attack Full Text

Abstract Non-profit health insurer Point32Health suffered a ransomware attack and has taken systems offline in response to the incident. Non-profit health insurer Point32Health has taken systems offline in response to a ransomware attack that took place on April...

Security Affairs

April 23, 2023 – Cryptocurrency

Experts spotted first-ever crypto mining campaign leveraging Kubernetes RBAC Full Text

Abstract Experts warn of a large-scale cryptocurrency mining campaign exploiting Kubernetes (K8s) Role-Based Access Control (RBAC). Cloud security firm Aqua discovered a large-scale cryptocurrency mining campaign exploiting Kubernetes (K8s) Role-Based Access...

Security Affairs

April 23, 2023 – General

Security Affairs newsletter Round 416 by Pierluigi Paganini – International edition Full Text

Abstract A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press....

Security Affairs

April 22, 2023 – Insider Threat

CFPB says employee sent confidential data of 256,000 consumers to personal email Full Text

Abstract An employee at the Consumer Financial Protection Bureau sent confidential data about hundreds of thousands of consumer accounts to their personal email, the agency told CNN on Thursday.

Cyware

April 22, 2023 – Attack

Lazarus X_TRADER Hack Impacts Critical Infrastructure Beyond 3CX Breach Full Text

Abstract Lazarus, the prolific North Korean hacking group behind the cascading supply chain attack targeting 3CX, also breached two critical infrastructure organizations in the power and energy sector and two other businesses involved in financial trading using the trojanized X_TRADER application. The new findings, which come courtesy of Symantec's Threat Hunter Team, confirm earlier suspicions that the X_TRADER application compromise affected more organizations than 3CX. The names of the organizations were not revealed. Eric Chien, director of security response at Broadcom-owned Symantec, told The Hacker News in a statement that the attacks took place between September 2022 and November 2022. "The impact from these infections is unknown at this time – more investigation is required and is on-going," Chien said, adding it's possible that there's "likely more to this story and possibly even other packages that are trojanized." The development comes as Ma

The Hacker News

April 22, 2023 – Malware

Infoblox Uncovers DNS Malware Toolkit & Urges Companies to Block Malicious Domains Full Text

Abstract Infoblox discovered activity from the remote access trojan (RAT) Pupy active in multiple enterprise networks in early April 2023. This C2 communication went undiscovered since April 2022.

Cyware

April 22, 2023 – Government

CISA Adds 3 Actively Exploited Flaws to KEV Catalog, including Critical PaperCut Bug Full Text

Abstract The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The three vulnerabilities are as follows: CVE-2023-28432 (CVSS score: 7.5), MinIO Information Disclosure Vulnerability; CVE-2023-27350 (CVSS score: 9.8), PaperCut MF/NG Improper Access Control Vulnerability; CVE-2023-2136 (CVSS score: TBD), Google Chrome Skia Integer Overflow Vulnerability. "In a cluster deployment, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure," MinIO maintainers said in an advisory published on March 21, 2023. Data gathered by GreyNoise shows that as many as 18 unique malicious IP addresses from the U.S., the Netherlands, France, Japan, and Finland have attempted to exploit the flaw over the past 30 days. The threat intelligence company, in an alert p

The Hacker News

April 22, 2023 – Malware

Abandoned Eval PHP WordPress plugin abused to backdoor websites Full Text

Abstract Threat actors were observed installing the abandoned Eval PHP plugin on compromised WordPress sites for backdoor deployment. Researchers from Sucuri warned that threat actors are installing the abandoned Eval PHP plugin on compromised WordPress sites...

Security Affairs

April 22, 2023 – Government

CISA adds MinIO, PaperCut, and Chrome bugs to its Known Exploited Vulnerabilities catalog Full Text

Abstract US Cybersecurity and Infrastructure Security Agency (CISA) added MinIO, PaperCut, and Chrome vulnerabilities to its Known Exploited Vulnerabilities catalog. U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the following three...

Security Affairs

April 22, 2023 – Breach

At least 2 critical infrastructure orgs breached by North Korea-linked hackers behind 3CX attack Full Text

Abstract North Korea-linked APT group behind the 3CX supply chain attack also broke into two critical infrastructure organizations in the energy sector. Symantec researchers reported that the campaign conducted by North Korea-linked threat actors that included...

Security Affairs

April 21, 2023 – Breach

Multinational ICICI Bank leaks passports and credit card numbers Full Text

Abstract Among the leaked data were bank account details, bank statements, credit card numbers, full names, dates of birth, home addresses, phone numbers, emails, personal identification documents, and employees’ and candidates’ CVs.

Cyware

April 21, 2023 – Cryptocurrency

Kubernetes RBAC Exploited in Large-Scale Campaign for Cryptocurrency Mining Full Text

Abstract A large-scale attack campaign discovered in the wild has been exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) to create backdoors and run cryptocurrency miners. "The attackers also deployed DaemonSets to take over and hijack resources of the K8s clusters they attack," cloud security firm Aqua said in a report shared with The Hacker News. The Israeli company, which dubbed the attack RBAC Buster, said it found 60 exposed K8s clusters that have been exploited by the threat actor behind this campaign. The attack chain commenced with the attacker gaining initial access via a misconfigured API server, followed by checking for evidence of competing miner malware on the compromised server and then using RBAC to set up persistence. "The attacker created a new ClusterRole with near admin-level privileges," the company said. "Next, the attacker created a 'ServiceAccount', 'kube-controller' in the 'kube-system' namespace. Last

The Hacker News

April 21, 2023 – Business

American Bar Association (ABA) suffered a data breach, 1.4 million members impacted Full Text

Abstract The American Bar Association (ABA) disclosed a data breach, threat actors gained access to older credentials for 1,466,000 members. The American Bar Association (ABA) is a voluntary bar association of lawyers and law students; it is not specific to any jurisdiction...

Security Affairs

April 21, 2023 – General

ChatGPT-Themed Scam Attacks Are on the Rise Full Text

Abstract The dark side of this popularity is that ChatGPT is also attracting the attention of scammers seeking to benefit from using wording and domain names that appear related to the site.

Cyware

April 21, 2023 – Vulnerabilities

GhostToken Flaw Could Let Attackers Hide Malicious Apps in Google Cloud Platform Full Text

Abstract Cybersecurity researchers have disclosed details of a now-patched zero-day flaw in Google Cloud Platform (GCP) that could have enabled threat actors to conceal an unremovable, malicious application inside a victim's Google account. Dubbed GhostToken by Israeli cybersecurity startup Astrix Security, the shortcoming impacts all Google accounts, including enterprise-focused Workspace accounts. It was discovered and reported to Google on June 19, 2022. The company deployed a global patch more than nine months later, on April 7, 2023. "The vulnerability [...] allows attackers to gain permanent and unremovable access to a victim's Google account by converting an already authorized third-party application into a malicious trojan app, leaving the victim's personal data exposed forever," Astrix said in a report. In a nutshell, the flaw makes it possible for an attacker to hide their malicious app from a victim's Google account application management page, the

The Hacker News

April 21, 2023 – Attack

Pro-Russia hackers launched a massive attack against the EUROCONTROL agency Full Text

Abstract Pro-Russia hackers KillNet launched a massive DDoS attack against Europe’s air-traffic agency EUROCONTROL. Europe’s air-traffic control agency EUROCONTROL announced that it was under attack from pro-Russian hackers. The European Organisation...

Security Affairs

April 21, 2023 – Vulnerabilities

VMware Patches Pre-Auth Code Execution Flaw in Logging Product Full Text

Abstract The company shipped urgent patches on Thursday to cover critical security defects in the VMware Aria Operations for Logs (formerly vRealize Log Insight) product line and warned of the risk of pre-authentication remote root exploits.

Cyware

April 21, 2023 – Education

14 Kubernetes and Cloud Security Challenges and How to Solve Them Full Text

Abstract Recently, Andrew Martin, founder and CEO of ControlPlane, released a report entitled Cloud Native and Kubernetes Security Predictions 2023. These predictions underscore the rapidly evolving landscape of Kubernetes and cloud security, emphasizing the need for organizations to stay informed and adopt comprehensive security solutions to protect their digital assets. In response, Uptycs, the first unified CNAPP and XDR platform, released a whitepaper, "14 Kubernetes and Cloud Security Predictions for 2023 and How Uptycs Meets Them Head-On", addressing the most pressing challenges and trends in Kubernetes and cloud security for 2023. Uptycs explains how their unified CNAPP and XDR solution is designed to tackle these emerging challenges head-on. Read on for key takeaways from the whitepaper and learn how Uptycs helps modern organizations successfully navigate the evolving landscape of Kubernetes and cloud security. 14 Kubernetes and Cloud Security Predictions for 2023 C

The Hacker News

April 21, 2023 – Vulnerabilities

Cisco fixed critical flaws in the Industrial Network Director and Modeling Labs solutions Full Text

Abstract Cisco released security updates to address critical security flaws in its Industrial Network Director and Modeling Labs solutions. Cisco released security updates to address critical security vulnerabilities in the Industrial Network Director and Modeling...

Security Affairs

April 21, 2023 – General

Security beyond software: The open source hardware security evolution Full Text

Abstract Some ISAs include built-in security features to mitigate vulnerabilities and attacks, such as hardware-based encryption, memory protection, and data execution prevention.

Cyware

April 21, 2023 – Attack

N.K. Hackers Employ Matryoshka Doll-Style Cascading Supply Chain Attack on 3CX Full Text

Abstract The supply chain attack targeting 3CX was the result of a prior supply chain compromise associated with a different company, demonstrating a new level of sophistication with North Korean threat actors. Google-owned Mandiant, which is tracking the attack event under the moniker UNC4736, said the incident marks the first time it has seen a "software supply chain attack lead to another software supply chain attack." The Matryoshka doll-style cascading attack against 3CX first came to light on March 29, 2023, when it emerged that Windows and macOS versions of its communication software were trojanized to deliver a C/C++-based data miner named ICONIC Stealer by means of a downloader, SUDDENICON, that used icon files hosted on GitHub to extract the server containing the stealer. "The malicious application next attempts to steal sensitive information from the victim user's web browser," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said

The Hacker News

April 21, 2023 – Education

Intro to phishing: simulating attacks to build resiliency Full Text

Abstract Phishing attacks are a major threat to organizations, they remain a perennial choice of cybercriminals when it comes to hacking their victims. Original post at https://cybernews.com/security/phishing-intro-to-build-resiliency/ While organizations...

Security Affairs

April 21, 2023 – Government

US Teams Up With Partner Nations to Release Smart City Cyber Guidance Full Text

Abstract These guidelines, developed by a group of agencies—including the U.S. CISA, the ACSC, and the U.K NCSC—aim to help communities transitioning into "smart cities" fortify the digital networks crucial to delivering basic utilities and services.

Cyware

April 21, 2023 – Vulnerabilities

Cisco and VMware Release Security Updates to Patch Critical Flaws in their Products Full Text

Abstract Cisco and VMware have released security updates to address critical security flaws in their products that could be exploited by malicious actors to execute arbitrary code on affected systems. The most severe of the vulnerabilities is a command injection flaw in Cisco Industrial Network Director (CVE-2023-20036, CVSS score: 9.9), which resides in the web UI component and arises as a result of improper input validation when uploading a Device Pack. "A successful exploit could allow the attacker to execute arbitrary commands as NT AUTHORITY\SYSTEM on the underlying operating system of an affected device," Cisco said in an advisory released on April 19, 2023. The networking equipment major also resolved a medium-severity file permissions vulnerability in the same product (CVE-2023-20039, CVSS score: 5.5) that an authenticated, local attacker could abuse to view sensitive information. Patches have been made available in version 1.11.3, with Cisco crediting an unnamed

The Hacker News

April 21, 2023 – Phishing

Massive MitID SMS Phishing Campaign Tries to Phish Nordea Bank Customers Full Text

Abstract The data analyzed so far suggests that the threat actor takes advantage of the MitID authentication mechanism in order to redirect the customer to a fake webpage for various malicious actions on target.

Cyware

April 20, 2023 – Phishing

Phishing Scams Abusing Microsoft Teams and More Full Text

Abstract Cybercriminals have become increasingly adept at designing new phishing tactics. Lately, a scam was found camouflaging as the legitimate Microsoft Teams login with the goal of tricking users into entering their login credentials.

Cyware

April 20, 2023 – Vulnerabilities

Two Critical Flaws Found in Alibaba Cloud’s PostgreSQL Databases Full Text

Abstract A chain of two critical flaws has been disclosed in Alibaba Cloud's ApsaraDB RDS for PostgreSQL and AnalyticDB for PostgreSQL that could be exploited to breach tenant isolation protections and access sensitive data belonging to other customers. "The vulnerabilities potentially allowed unauthorized access to Alibaba Cloud customers' PostgreSQL databases and the ability to perform a supply chain attack on both Alibaba database services, leading to an RCE on Alibaba database services," cloud security firm Wiz said in a new report shared with The Hacker News. The issues, dubbed BrokenSesame, were reported to Alibaba Cloud in December 2022, and mitigations were deployed by the company on April 12, 2023. There is no evidence to suggest that the weaknesses were exploited in the wild. In a nutshell, the vulnerabilities – a privilege escalation flaw in AnalyticDB and a remote code execution bug in ApsaraDB RDS – made it possible to elevate privileges to root w

The Hacker News

April 20, 2023 – Breach

Multinational ICICI Bank leaks passports and credit card numbers Full Text

Abstract ICICI Bank leaked millions of records with sensitive data, including financial information and personal documents of the bank's clients. ICICI Bank, an Indian multinational valued at more than $76 billion, has more than 5,000 branches across India...

Security Affairs

April 20, 2023 – APT

APT28 Uses Vulnerability in Cisco Routers to Deploy Malware Full Text

Abstract Government agencies in the U.S. and the U.K. issued a joint advisory to warn organizations about attacks exploiting an old vulnerability in Cisco routers. The attacks are attributed to the Fancy Bear threat group and the flaw in question is CVE-2017-6742. The attackers are exploiting the vulnerabil ... Read More

Cyware

April 20, 2023 – Education

Beyond Traditional Security: NDR’s Pivotal Role in Safeguarding OT Networks Full Text

Abstract Why is Visibility into OT Environments Crucial? The significance of Operational Technology (OT) for businesses is undeniable as the OT sector flourishes alongside the already thriving IT sector. OT includes industrial control systems, manufacturing equipment, and devices that oversee and manage industrial environments and critical infrastructures. In recent years, adversaries have recognized the lack of detection and protection in many industrial systems and are actively exploiting these vulnerabilities. In response, IT security leaders have become more aware of the need to protect their OT environments with security monitoring and response capabilities. This development was accelerated by severe past cyber incidents targeting critical OT environments and even causing physical damage to infrastructures. Given the pivotal role these systems play in business operations and modern society, ensuring their security is of utmost importance. The underlying trend is clear: OT and IoT networ

The Hacker News

April 20, 2023 – Vulnerabilities

VMware fixed a critical flaw in vRealize that allows executing arbitrary code as root Full Text

Abstract VMware fixed two severe flaws, tracked as CVE-2023-20864 and CVE-2023-20865, impacting the VMware Aria Operations for Logs product. The virtualization giant VMware released security updates to address two critical vulnerabilities, tracked as CVE-2023-20864...

Security Affairs

April 20, 2023 – Ransomware

LockBit Eyes macOS; Test Version of macOS Encryptor Revealed Full Text

Abstract MalwareHunterTeam discovered a ZIP archive—belonging to the LockBit ransomware group—uploaded to VirusTotal containing previously unknown encryptors for macOS, ARM, FreeBSD, MIPS, and SPARC. Security analysts from BleepingComputer assert that the discovered builds could have been created for testin ... Read More

Cyware

April 20, 2023 – Criminals

Lazarus Group Adds Linux Malware to Arsenal in Operation Dream Job Full Text

Abstract The notorious North Korea-aligned state-sponsored actor known as the Lazarus Group has been attributed to a new campaign aimed at Linux users. The attacks are part of a persistent and long-running activity tracked under the name Operation Dream Job, ESET said in a new report published today. The findings are crucial, not least because it marks the first publicly documented example of the adversary using Linux malware as part of this social engineering scheme. Operation Dream Job, also known as DeathNote or NukeSped, refers to multiple attack waves wherein the group leverages fraudulent job offers as a lure to trick unsuspecting targets into downloading malware. It also exhibits overlaps with two other Lazarus clusters known as Operation In(ter)ception and Operation North Star. The attack chain discovered by ESET is no different in that it delivers a fake HSBC job offer as a decoy within a ZIP archive file that's then used to launch a Linux backdoor named SimplexTea

The Hacker News

April 20, 2023 – APT

Lazarus APT group employed Linux Malware in recent attacks and was linked to 3CX supply chain attack Full Text

Abstract North Korea-linked APT group Lazarus employed new Linux malware in attacks that are part of Operation Dream Job. North Korea-linked APT group Lazarus is behind a new campaign tracked as Operation DreamJob (aka DeathNote or NukeSped) that employed...

Security Affairs

April 20, 2023 – Phishing

Tax-Themed Phishing Attacks Proliferate During Tax Filing Season Full Text

Abstract With tax season under way, the frequency of campaigns related to taxes and accounting has increased, with threats like Remcos RAT, Emotet, and GuLoader being used to scam users. The IRS issued an advisory, urging taxpayers to be wary and vigilant of new tax-related scams.

Cyware

April 20, 2023 – Ransomware

Fortra Sheds Light on GoAnywhere MFT Zero-Day Exploit Used in Ransomware Attacks Full Text

Abstract Fortra, the company behind Cobalt Strike, shed light on a zero-day remote code execution (RCE) vulnerability in its GoAnywhere MFT tool that has come under active exploitation by ransomware actors to steal sensitive data. The high-severity flaw, tracked as CVE-2023-0669 (CVSS score: 7.2), concerns a case of pre-authenticated command injection that could be abused to achieve code execution. The issue was patched by the company in version 7.1.2 of the software in February 2023, but not before it was weaponized as a zero-day since January 18. Fortra, which worked with Palo Alto Networks Unit 42, said it was made aware of suspicious activity associated with some of the file transfer instances on January 30, 2023. "The unauthorized party used CVE-2023-0669 to create unauthorized user accounts in some MFTaaS customer environments," the company said. "For a subset of these customers, the unauthorized party leveraged these user accounts to download files from their h

The Hacker News

April 20, 2023 – Vulnerabilities

Experts disclosed two critical flaws in Alibaba cloud database services Full Text

Abstract Researchers disclosed two critical flaws in Alibaba Cloud's ApsaraDB RDS for PostgreSQL and AnalyticDB for PostgreSQL. Researchers from cloud security firm Wiz discovered two critical flaws, collectively dubbed BrokenSesame, in Alibaba Cloud's ApsaraDB...

Security Affairs

April 20, 2023 – APT

New Infrastructure of MuddyWater APT Group Uncovered Full Text

Abstract MuddyWater has been employing SimpleHelp, a lawful tool used for managing and controlling remote devices, to establish persistence on compromised devices, revealed researchers. The attackers send phishing emails containing links to file storage systems such as OneDrive, Dropbox, or OneHub to downlo ... Read More

Cyware

April 20, 2023 – Education

ChatGPT’s Data Protection Blind Spots and How Security Teams Can Solve Them Full Text

Abstract In the short time since their inception, ChatGPT and other generative AI platforms have rightfully gained the reputation of ultimate productivity boosters. However, the very same technology that enables rapid production of high-quality text on demand can at the same time expose sensitive corporate data. A recent incident, in which Samsung software engineers pasted proprietary code into ChatGPT, clearly demonstrates that this tool can easily become a potential data leakage channel. This vulnerability introduces a demanding challenge for security stakeholders, since none of the existing data protection tools can ensure no sensitive data is exposed to ChatGPT. In this article we'll explore this security challenge in detail and show how browser security solutions can provide a solution, all while enabling organizations to fully realize ChatGPT's productivity potential without having to compromise on data security. The ChatGPT data protection blind spot: How can you govern

The Hacker News

April 20, 2023 – APT

Google TAG warns of Russia-linked APT groups targeting Ukraine Full Text

Abstract The researchers from Google TAG are warning of Russia-linked threat actors targeting Ukraine with phishing campaigns. Russia-linked threat actors launched large-volume phishing campaigns against hundreds of users in Ukraine to gather intelligence...

Security Affairs

April 20, 2023 – Education

Wargaming an effective data breach playbook Full Text

Abstract Foreseeing every possible twist and turn of a breach may be impossible, but through extensive wargaming, security teams can simulate diverse situations to give them a proactive edge.

Cyware

April 20, 2023 – Attack

Daggerfly Cyberattack Campaign Hits African Telecom Services Providers Full Text

Abstract Telecommunication services providers in Africa are the target of a new campaign orchestrated by a China-linked threat actor at least since November 2022. The intrusions have been pinned on a hacking crew tracked by Symantec as Daggerfly, and which is also tracked by the broader cybersecurity community as Bronze Highland and Evasive Panda. The campaign makes use of "previously unseen plugins from the MgBot malware framework," the cybersecurity company said in a report shared with The Hacker News. "The attackers were also seen using a PlugX loader and abusing the legitimate AnyDesk remote desktop software." Daggerfly's use of the MgBot loader (aka BLame or MgmBot) was spotlighted by Malwarebytes in July 2020 as part of phishing attacks aimed at Indian government personnel and individuals in Hong Kong. According to a profile published by Secureworks, the threat actor uses spear-phishing as an initial infection vector to drop MgBot as well as other

The Hacker News

April 20, 2023 – Ransomware

Trigona Ransomware targets Microsoft SQL servers Full Text

Abstract Threat actors are hacking poorly secured and Internet-exposed Microsoft SQL servers to deploy the Trigona ransomware. Threat actors are hacking into poorly secured and public-facing Microsoft SQL servers to deploy Trigona ransomware. Trigona is a malware...

Security Affairs

April 20, 2023 – Hacker

Hackers Storing Malware in Google Drive as Encrypted ZIP Files To Evade Detection Full Text

Abstract Google’s Cybersecurity Action Team (GCAT) and Mandiant researched a list of techniques and methods used by threat actors over the period for penetrating the environments and other malicious activities.

Cyware

April 20, 2023 – Privacy

NSO Group Used 3 Zero-Click iPhone Exploits Against Human Rights Defenders Full Text

Abstract Israeli spyware maker NSO Group deployed at least three novel "zero-click" exploits against iPhones in 2022 to infiltrate defenses erected by Apple and deploy Pegasus, according to the latest findings from Citizen Lab. "NSO Group customers widely deployed at least three iOS 15 and iOS 16 zero-click exploit chains against civil society targets around the world," the interdisciplinary laboratory based at the University of Toronto said. NSO Group is the manufacturer of Pegasus, a sophisticated cyber weapon that's capable of extracting sensitive information stored in a device – e.g., messages, locations, photos, and call logs, among others – in real-time. It's typically delivered to targeted iPhones using zero-click and/or zero-day exploits. While it has been pitched as a tool for law enforcement agencies to combat serious crimes such as child sexual abuse and terrorism, it has also been deployed illegally by authoritarian governments to spy on human rig

The Hacker News

April 20, 2023 – General

Cyber insurance premium hikes slowed in 2022, Fitch says Full Text

Abstract Experts say insurance companies’ demand for stronger cybersecurity practices from policyholders contributed toward fewer ransomware claims and decelerating premiums in 2022.

Cyware

April 20, 2023 – Malware

‘AuKill’ EDR killer malware abuses Process Explorer driver Full Text

Abstract The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.

Cyware

April 20, 2023 – Malware

Giving a Face to the Malware Proxy Service ‘Faceless’ – Krebs on Security Full Text

Abstract For less than a dollar per day, Faceless customers can route their malicious web traffic through tens of thousands of compromised systems advertised on the proxy service.

Cyware

April 19, 2023 – Privacy

WhatsApp and Signal unite against online safety bill amid privacy concerns Full Text

Abstract The rival chat apps WhatsApp and Signal have joined forces in a rare show of unity to protest against the online safety bill, which they say could undermine the UK’s privacy and safety.

Cyware

April 19, 2023 – Phishing

Google TAG Warns of Russian Hackers Conducting Phishing Attacks in Ukraine Full Text

Abstract Elite hackers associated with Russia's military intelligence service have been linked to large-volume phishing campaigns aimed at hundreds of users in Ukraine to extract intelligence and influence public discourse related to the war. Google's Threat Analysis Group (TAG), which is monitoring the activities of the actor under the name FROZENLAKE, said the attacks continue the "group's 2022 focus on targeting webmail users in Eastern Europe." The state-sponsored cyber actor, also tracked as APT28, Fancy Bear, Forest Blizzard, Iron Twilight, Sednit, and Sofacy, is both highly active and proficient. It has been active since at least 2009, targeting media, governments, and military entities for espionage. The latest intrusion set, starting in early February 2023, involved the use of reflected cross-site scripting (XSS) attacks in various Ukrainian government websites to redirect users to phishing domains and capture their credentials. The disclosure co

The Hacker News

April 19, 2023 – Criminals

Russian national sentenced to time served for committing money laundering for the Ryuk ransomware operation Full Text

Abstract Russian national Denis Mihaqlovic Dubnikov has been sentenced to time served for committing money laundering for the Ryuk ransomware operation. Russian national Denis Dubnikov (30) has been sentenced to time served for committing money laundering...

Security Affairs

April 19, 2023 – Breach

1.2 Million Records and 800 GB of Data From Philippine Police Impacted in Data Breach Full Text

Abstract A database containing more than 1.2 million police records and 800 GB of information on people who work or applied for employment in law enforcement in the Philippines appears to have been breached, according to a cybersecurity researcher.

Cyware

April 19, 2023 – Attack

Blind Eagle Cyber Espionage Group Strikes Again: New Attack Chain Uncovered Full Text

Abstract The cyber espionage actor tracked as Blind Eagle has been linked to a new multi-stage attack chain that leads to the deployment of the NjRAT remote access trojan on compromised systems. "The group is known for using a variety of sophisticated attack techniques, including custom malware, social engineering tactics, and spear-phishing attacks," ThreatMon said in a Tuesday report. Blind Eagle, also referred to as APT-C-36, is a suspected Spanish-speaking group that chiefly strikes private and public sector entities in Colombia. Attacks orchestrated by the group have also targeted Ecuador, Chile, and Spain. Infection chains documented by Check Point and BlackBerry this year have revealed the use of spear-phishing lures to deliver commodity malware families like BitRAT, AsyncRAT, and in-memory Python loaders capable of launching a Meterpreter payload. The latest discovery from ThreatMon entails the use of a JavaScript downloader to execute a PowerShell script hosted

The Hacker News

April 19, 2023 – Vulnerabilities

Google fixed the second actively exploited Chrome zero-day of 2023 Full Text

Abstract Google rolled out emergency security patches to address another actively exploited high-severity zero-day flaw in the Chrome browser. Google rolled out emergency fixes to address another actively exploited high-severity zero-day flaw, tracked as CVE-2023-2136,...

Security Affairs

April 19, 2023 – General

CSC 2.0 Report: Space Systems Should Be Designated Critical Infrastructure Full Text

Abstract Most of today’s space systems were developed under the premise that space was a sanctuary from conflict, but according to the CSC 2.0 commission, this is no longer the case.

Cyware

April 19, 2023 – Vulnerabilities

Google Chrome Hit by Second Zero-Day Attack - Urgent Patch Update Released Full Text

Abstract Google on Tuesday rolled out emergency fixes to address another actively exploited high-severity zero-day flaw in its Chrome web browser. The flaw, tracked as CVE-2023-2136, is described as a case of integer overflow in Skia, an open source 2D graphics library. Clément Lecigne of Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on April 12, 2023. "Integer overflow in Skia in Google Chrome prior to 112.0.5615.137 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page," according to the NIST's National Vulnerability Database (NVD). The tech giant, which also fixed seven other security issues with the latest update, said it's aware of active exploitation of the flaw, but did not disclose additional details to prevent further abuse. The development marks the second Chrome zero-day vulnerability to be exploited by malicious actors th

The Hacker News

April 19, 2023 – APT

US and UK agencies warn of Russia-linked APT28 exploiting Cisco router flaws Full Text

Abstract UK and US agencies are warning of the Russia-linked APT28 group exploiting vulnerabilities in Cisco networking equipment. The Russia-linked APT28 group accesses unpatched Cisco routers to deploy malware by exploiting the unpatched CVE-2017-6742 vulnerability...

Security Affairs

April 19, 2023 – Business

Dasera Scores $12M Funding for Cloud Data Security Full Text

Abstract The Silicon Valley startup has banked $12 million in venture capital funding to drive innovation in the data security and governance space. The Series A funding round was led by Storm Ventures and brings the total raised by Dasera to $20 million.

Cyware

April 19, 2023 – General

Uncovering (and Understanding) the Hidden Risks of SaaS Apps Full Text

Abstract Recent data breaches across CircleCI, LastPass, and Okta underscore a common theme: The enterprise SaaS stacks connected to these industry-leading apps can be at serious risk for compromise. CircleCI, for example, plays an integral, SaaS-to-SaaS role for SaaS app development. Similarly, tens of thousands of organizations rely on Okta and LastPass security roles for SaaS identity and access management. Enterprise and niche SaaS apps alike have effectively introduced multitudes of unmonitored endpoints into organizations of all sizes. While spending for SaaS security is trending up, it lags behind categories such as cloud infrastructure protection and network security. According to Statista, the average organization employs 100+ SaaS apps, many of which are unsanctioned by IT, creating a glaring gap in SaaS security. Why Users Flock to SaaS Apps — And Often Bypass IT in the Process As productivity tools for tasks such as marketing automation, document signature, and sales foreca

The Hacker News

April 19, 2023 – APT

Iran-linked Mint Sandstorm APT targeted US critical infrastructure Full Text

Abstract An Iran-linked APT group tracked as Mint Sandstorm is behind a string of attacks aimed at US critical infrastructure between late 2021 and mid-2022. Microsoft has linked the Iranian Mint Sandstorm APT (previously tracked by Microsoft as PHOSPHORUS)...

Security Affairs

April 19, 2023 – Ransomware

Action1 RMM Abused by Threat Actors for Ransomware Attacks Full Text

Abstract A rising trend has been identified among cybercriminals; they are using Action1 remote access software for reconnaissance activity and to run code with system privileges on network hosts. In fact, it was observed in at least three ransomware attacks by threat actor groups.

Cyware

April 19, 2023 – Hacker

Pakistani Hackers Use Linux Malware Poseidon to Target Indian Government Agencies Full Text

Abstract The Pakistan-based advanced persistent threat (APT) actor known as Transparent Tribe used a two-factor authentication (2FA) tool used by Indian government agencies as a ruse to deliver a new Linux backdoor called Poseidon. "Poseidon is a second-stage payload malware associated with Transparent Tribe," Uptycs security researcher Tejaswini Sandapolla said in a technical report published this week. "It is a general-purpose backdoor that provides attackers with a wide range of capabilities to hijack an infected host. Its functionalities include logging keystrokes, taking screen captures, uploading and downloading files, and remotely administering the system in various ways." Transparent Tribe is also tracked as APT36, Operation C-Major, PROJECTM, and Mythic Leopard, and has a track record of targeting Indian government organizations, military personnel, defense contractors, and educational entities. It has also repeatedly leveraged trojanized versions of Kavac

The Hacker News

April 19, 2023 – Phishing

Ukraine Facing Phishing Attacks, Information Operations Full Text

Abstract The Russian government continues to use an array of phishing attacks and information operations, including hack-and-leak efforts, to support its invasion of Ukraine, researchers reported.

Cyware

April 19, 2023 – Hacker

U.S. and U.K. Warn of Russian Hackers Exploiting Cisco Router Flaws for Espionage Full Text

Abstract U.K. and U.S. cybersecurity and intelligence agencies have warned of Russian nation-state actors exploiting now-patched flaws in networking equipment from Cisco to conduct reconnaissance and deploy malware against targets. The intrusions, per the authorities, took place in 2021 and targeted a small number of entities in Europe, U.S. government institutions, and about 250 Ukrainian victims. The activity has been attributed to a threat actor tracked as APT28, which is also known as Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, and Sofacy, and is affiliated with the Russian General Staff Main Intelligence Directorate (GRU). "APT28 has been known to access vulnerable routers by using default and weak SNMP community strings, and by exploiting CVE-2017-6742," the National Cyber Security Centre (NCSC) said. CVE-2017-6742 (CVSS score: 8.8) is part of a set of remote code execution flaws that stem from a buffer overflow condition in the Simple Network Ma

The Hacker News

April 19, 2023 – Vulnerabilities

Oracle Releases 433 New Security Patches With April 2023 CPU Full Text

Abstract Oracle on Tuesday announced the release of 433 new patches as part of its quarterly set of security updates, including more than 70 fixes for critical-severity vulnerabilities.

Cyware

April 19, 2023 – Insider Threat

Misconfiguration leaves thousands of servers vulnerable to attack, researchers find Full Text

Abstract Misconfigured web servers remain a “major problem” with thousands left exposed online waiting for hackers to gain access to valuable information that’s left up for grabs, according to a recent report from the security company Censys.

Cyware

April 19, 2023 – Malware

Goldoson Library Infects Popular Apps with Adware Full Text

Abstract A recently detected Android malware named 'Goldoson' has made its way into Google Play and has been found in 60 legitimate applications, which have been downloaded a total of 100 million times. Users are advised to always perform due diligence, especially for new apps without good reviews.

Cyware

April 19, 2023 – Education

Living Off the Land (LOTL) attacks: Detecting ransomware gangs hiding in plain sight Full Text

Abstract By mimicking normal behavior, LOTL attacks make it extremely difficult for IT teams and security solutions to detect any signs of malicious activity. Experienced analysts, however, might be able to pick up on the subtle signs that indicate an LOTL attack.

Cyware

April 19, 2023 – Hacker

Iranian Government-Backed Hackers Targeting U.S. Energy and Transit Systems Full Text

Abstract An Iranian government-backed actor known as  Mint Sandstorm  has been linked to attacks aimed at critical infrastructure in the U.S. between late 2021 to mid-2022. "This Mint Sandstorm subgroup is technically and operationally mature, capable of developing bespoke tooling and quickly weaponizing N-day vulnerabilities, and has demonstrated agility in its operational focus, which appears to align with Iran's national priorities," the Microsoft Threat Intelligence team  said  in an analysis. Targeted entities consist of seaports, energy companies, transit systems, and a major U.S. utility and gas company. The activity is suspected to be retaliatory and in response to attacks targeting its maritime,  railway , and  gas station payment systems  that took place between May 2020 and late 2021. It's worth noting here that Iran subsequently  accused  Israel and the U.S. of masterminding the attacks on the gas stations in a bid to create unrest in the nation. Mint Sandsto

The Hacker News

April 19, 2023 – Privacy

PWNYOURHOME, FINDMYPWN, LATENTIMAGE: 3 iOS Zero-Click exploits used by NSO Group in 2022 Full Text

Abstract Citizen Lab reported that Israeli surveillance firm NSO Group used at least three iOS zero-click exploits in 2022. A new report from Citizen Lab states that the Israeli surveillance firm NSO Group used at least three zero-click zero-day exploits...

Security Affairs

April 19, 2023 – Vulnerabilities

Discarded, not destroyed: Old routers reveal corporate secrets Full Text

Abstract In the wrong hands, the data gleaned from the devices – including customer data, router-to-router authentication keys, application lists, and much more – is enough to launch a cyberattack.

Cyware

April 19, 2023 – Vulnerabilities

Critical Flaws in vm2 JavaScript Library Can Lead to Remote Code Execution Full Text

Abstract A fresh round of patches has been made available for the vm2 JavaScript library to address two critical flaws that could be exploited to break out of the sandbox protections. Both the flaws –  CVE-2023-29199  and  CVE-2023-30547  – are rated 9.8 out of 10 on the CVSS scoring system and have been addressed in versions 3.9.16 and 3.9.17, respectively. Successful  exploitation  of the  bugs , which allow an attacker to raise an unsanitized host exception, could be weaponized to escape the sandbox and run arbitrary code in the host context. "A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox," the maintainers of the vm2 library said in an alert. Credited with discovering and reporting the vulnerabilities is security researcher  SeungHyun Lee , who has also  released   proof-of-concept  (PoC) exploits for the two issues in question. The disclosure comes a little over a week after vm2 remediated another sand

The Hacker News

April 18, 2023 – APT

Ex-Conti Members and Fin7 APT Join Hands for New Domino Backdoor Full Text

Abstract The now-defunct Conti ransomware gang members were observed deploying a new malware strain, dubbed Domino, that appears to have been developed by the FIN7 cybercrime organization. Domino has been active in the wild since at least October 2022. Organizations and security teams need a robust Threat I ... Read More

Cyware

April 18, 2023 – Malware

YouTube Videos Distributing Aurora Stealer Malware via Highly Evasive Loader Full Text

Abstract Cybersecurity researchers have detailed the inner workings of a highly evasive loader named " in2al5d p3in4er " (read: invalid printer) that's used to deliver the Aurora information stealer malware. "The in2al5d p3in4er loader is compiled with  Embarcadero RAD Studio  and targets endpoint workstations using advanced anti-VM (virtual machine) technique," cybersecurity firm Morphisec  said  in a report shared with The Hacker News. Aurora  is a Go-based information stealer that emerged on the threat landscape in late 2022. Offered as a commodity malware to other actors, it's distributed through  YouTube videos  and SEO-poised fake cracked software download websites. Clicking the links present in YouTube video descriptions redirects the victim to decoy websites where they are enticed into downloading the malware under the garb of a seemingly-legitimate utility. The loader analyzed by Morphisec is designed to query the vendor ID of the graphics card install

The Hacker News

April 18, 2023 – Criminals

Experts temporarily disrupted the RedLine Stealer operations Full Text

Abstract Security experts from ESET have temporarily disrupted the operations of the RedLine Stealer with the help of GitHub. ESET researchers announced that they had temporarily disrupted the operations of the RedLine Stealer with the help of GitHub. The two companies...

Security Affairs

April 18, 2023 – Education

Introducing DevOpt: A Multifunctional Backdoor Arsenal Full Text

Abstract The malware is currently still in development and is receiving continuous improvement updates designed to make it a more potent and effective tool for attackers and a threat to defenders.

Cyware

April 18, 2023 – Malware

Goldoson Android Malware Infects Over 100 Million Google Play Store Downloads Full Text

Abstract A new Android malware strain named  Goldoson  has been detected in the official Google Play Store spanning more than 60 legitimate apps that collectively have over 100 million downloads. An additional eight million installations have been tracked through ONE store, a leading third-party app storefront in South Korea. The rogue component is part of a third-party software library used by the apps in question and is capable of gathering information about installed apps, Wi-Fi and Bluetooth-connected devices, and GPS locations. "Moreover, the library is armed with the functionality to perform ad fraud by clicking advertisements in the background without the user's consent," McAfee security researcher SangRyol Ryu  said  in a report published last week. What's more, it includes the ability to stealthily load web pages, a feature that could be abused to load ads for financial profit. It achieves this by loading HTML code in a hidden  WebView  and driving traffic to th

The Hacker News

April 18, 2023 – Government

CISA adds bugs in Chrome and macOS to its Known Exploited Vulnerabilities catalog Full Text

Abstract US Cybersecurity and Infrastructure Security Agency (CISA) added Chrome and macOS vulnerabilities to its Known Exploited Vulnerabilities catalog. U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the following five new issues...

Security Affairs

April 18, 2023 – Malware

in2al5d p3in4er is Almost Completely Undetectable Full Text

Abstract The component that makes Aurora’s delivery stealthy and dangerous is a highly evasive loader we named “in2al5d p3in4er.” It is compiled with Embarcadero RAD Studio and targets endpoint workstations using an advanced anti-VM technique.

Cyware

April 18, 2023 – Education

DFIR via XDR: How to expedite your investigations with a DFIRent approach Full Text

Abstract Rapid technological evolution requires security that is resilient, up to date and adaptable. In this article, we will cover the transformation in the field of DFIR (digital forensics and incident response) in the last couple years, focusing on the digital forensics' aspect and how XDR fits into the picture. Before we dive into the details, let's first break down the main components of DFIR and define the differences between them. Digital Forensics vs Incident Response Digital forensics:  the practice of using scientific techniques and tools to identify, preserve, and analyze digital evidence from various sources, such as computers, smartphones, and other electronic devices, in a way that is admissible in a court of law. Incident response:  the process of responding to and managing the aftermath of a security breach or cyberattack. This involves identifying the nature and scope of the incident, containing the damage, eradicating the threat, and restoring the affected syst

The Hacker News

April 18, 2023 – Criminals

The intricate relationships between the FIN7 group and members of the Conti ransomware gang Full Text

Abstract A new malware, dubbed Domino, developed by the FIN7 cybercrime group has been used by the now-defunct Conti ransomware gang. IBM Security X-Force researchers recently discovered a new malware family, called Domino, which was created by developers...

Security Affairs

April 18, 2023 – General

AI tools like ChatGPT expected to fuel BEC attacks Full Text

Abstract Across all BEC attacks seen over the past year, 57% of them relied on language as the main attack vector to get them in front of unsuspecting employees, according to Armorblox.

Cyware

April 18, 2023 – Hacker

Iranian Hackers Using SimpleHelp Remote Support Software for Persistent Access Full Text

Abstract The Iranian threat actor known as MuddyWater is continuing its time-tested tradition of relying on legitimate remote administration tools to commandeer targeted systems. While the nation-state group has previously employed  ScreenConnect, RemoteUtilities, and Syncro , a  new analysis  from Group-IB has revealed the adversary's use of the SimpleHelp remote support software in June 2022. MuddyWater, active since at least 2017, is assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS). Some of the top targets include Turkey, Pakistan, the U.A.E., Iraq, Israel, Saudi Arabia, Jordan, the U.S., Azerbaijan, and Afghanistan. "MuddyWater uses SimpleHelp, a legitimate remote device control and management tool, to ensure persistence on victim devices," Nikita Rostovtsev, senior threat analyst at Group-IB, said. "SimpleHelp is not compromised and is used as intended. The threat actors found a way to download the tool from the of

The Hacker News

April 18, 2023 – Business

Israeli surveillance firm QuaDream is shutting down amidst spyware accusations Full Text

Abstract The Israeli surveillance firm QuaDream is allegedly shutting down its operations after Citizen Lab and Microsoft uncovered their spyware. Last week Citizen Lab researchers reported that at least five civil society members were victims of spyware...

Security Affairs

April 18, 2023 – Breach

Hackers Publish Sensitive Employee Data Stolen During CommScope Ransomware Attack Full Text

Abstract The North Carolina–based company, which designs and manufactures network infrastructure products for a range of customers, including hospitals, schools, and U.S. federal agencies, was listed on the data leak site of the Vice Society ransomware gang.

Cyware

April 18, 2023 – Ransomware

LockBit Ransomware Now Targeting Apple macOS Devices Full Text

Abstract Threat actors behind the LockBit ransomware operation have developed new artifacts that can encrypt files on devices running Apple's macOS operating system. The development, which was  reported  by the MalwareHunterTeam over the weekend, appears to be the first time a big-game ransomware crew has created a macOS-based payload. Additional samples identified by  vx-underground  show that the macOS variant has been available since November 11, 2022, and has managed to evade detection by anti-malware engines until now. LockBit is a  prolific cybercrime crew  with ties to Russia that has been active since late 2019, with the threat actors releasing two major updates to the locker in 2021 and 2022. According to statistics  released by Malwarebytes  last week, LockBit emerged as the second most used ransomware in March 2023 after Cl0p, accounting for 93 successful attacks. An analysis of the new macOS version ("locker_Apple_M1_64") reveals that it's still a work in pr

The Hacker News

April 18, 2023 – Ransomware

PowerShell Data Theft: Vice Society Ransomware’s Latest Weapon Full Text

Abstract Researchers revealed that the Vice Society ransomware group is utilizing a specialized tool based on PowerShell to escape detection and automate the data extraction process. With the adoption of increasingly sophisticated tools, Vice Society has become a formidable threat to organizations globally. ... Read More

Cyware

April 18, 2023 – Breach

DeFi Protocol Hundred Finance Loses $7M in Latest Exploit Full Text

Abstract Hundred Finance confirmed the exploit on April 15, noting that it had contacted the hacker for negotiations. The platform is also working with security teams to resolve the issue and has urged anyone with information on the incident to reach out.

Cyware

April 18, 2023 – Business

Cyber venture capital funding slows to a trickle, a sharp decline from 2022 investment Full Text

Abstract The flow of venture capital funding to cybersecurity firms hit a steep decline in the first quarter of 2023 compared with year-ago figures, lending more credence to the notion the industry may be oversaturated with vendors and overlapping tools.

Cyware

April 17, 2023 – Malware

Understanding the Threat of Titan Stealer Malware Full Text

Abstract The malware spreads through methods like phishing, malicious ads, and cracked software. It also uses a technique called process hollowing to inject the malicious code into a legitimate process called AppLaunch.exe.

Cyware

April 17, 2023 – Malware

Israeli Spyware Vendor QuaDream to Shut Down Following Citizen Lab and Microsoft Expose Full Text

Abstract Israeli spyware vendor QuaDream is allegedly shutting down its operations in the coming days, less than a week after its hacking toolset was exposed by Citizen Lab and Microsoft. The development was reported by the Israeli business newspaper  Calcalist , citing unnamed sources, adding the company "hasn't been fully active for a while" and that it "has been in a difficult situation for several months." The company's board of directors are looking to sell off its intellectual property, the report further added. News of the purported shutdown comes as the firm's spyware framework – dubbed REIGN – was outed as  having been used  against journalists, political opposition figures, and NGO workers across North America, Central Asia, Southeast Asia, Europe, and the Middle East. Microsoft described REIGN as a "suite of exploits, malware, and infrastructure designed to exfiltrate data from mobile devices." The attacks entailed the exploitation of

The Hacker News

April 17, 2023 – Phishing

New QBot campaign delivered hijacking business correspondence Full Text

Abstract Kaspersky researchers warn of a new QBot campaign leveraging hijacked business emails to deliver malware. In early April, Kaspersky experts observed a surge in QBot malware attacks (QBot is also known as Qakbot, QuackBot, and Pinkslipbot). QBot has been...

Security Affairs

April 17, 2023 – APT

China-linked APT41 group spotted using open-source red teaming tool GC2 Full Text

Abstract In October 2022, threat actors sent phishing emails that contained links to a password-protected file hosted in Drive. The final payload was the Go-written GC2 tool that gets commands from Google Sheets and exfiltrates data to Google Drive.

Cyware

April 17, 2023 – Malware

New QBot Banking Trojan Campaign Hijacks Business Emails to Spread Malware Full Text

Abstract A new QBot malware campaign is leveraging hijacked business correspondence to trick unsuspecting victims into installing the malware, new findings from Kaspersky reveal. The latest activity, which commenced on April 4, 2023, has primarily targeted users in Germany, Argentina, Italy, Algeria, Spain, the U.S., Russia, France, the U.K., and Morocco. QBot  (aka Qakbot or Pinkslipbot) is a  banking trojan  that's known to be active since at least 2007. Besides stealing passwords and cookies from web browsers, it doubles up as a backdoor to inject next-stage payloads such as Cobalt Strike or ransomware. Distributed via phishing campaigns, the malware has seen  constant   updates   during its lifetime  that pack in anti-VM, anti-debugging, and anti-sandbox techniques to evade detection. It has also emerged as the  most prevalent malware  for the month of March 2023, per Check Point. "Early on, it was distributed through infected websites and pirated software," Kaspersky re

The Hacker News

April 17, 2023 – Hacker

China-linked APT41 group spotted using open-source red teaming tool GC2 Full Text

Abstract China-linked APT41 group used the open-source red teaming tool GC2 in an attack against a Taiwanese media organization. Google Threat Analysis Group (TAG) team reported that the China-linked APT41 group used the open-source red teaming tool Google...

Security Affairs

April 17, 2023 – Business

ZeroFox to Acquire Threat Intelligence Firm LookingGlass for $26 Million Full Text

Abstract ZeroFox (ZFOX), which advertises itself as an external cybersecurity solutions provider, announced on Monday that it is in the process of acquiring threat intelligence and attack surface management company LookingGlass.

Cyware

April 17, 2023 – Criminals

FIN7 and Ex-Conti Cybercrime Gangs Join Forces in Domino Malware Attacks Full Text

Abstract A new strain of malware developed by threat actors likely affiliated with the FIN7 cybercrime group has been put to use by the members of the now-defunct Conti ransomware gang, indicating collaboration between the two crews. The malware, dubbed  Domino , is primarily designed to facilitate follow-on exploitation on compromised systems, including delivering a lesser-known information stealer that has been advertised for sale on the dark web since December 2021. "Former members of the  TrickBot/Conti syndicate  [...] have been using Domino since at least late February 2023 to deliver either the Project Nemesis information stealer or more capable backdoors such as Cobalt Strike," IBM Security X-Force security researcher Charlotte Hammond  said  in a report published last week. FIN7 , also called Carbanak and ITG14, is a prolific  Russian-speaking cybercriminal syndicate  that's known to employ an array of custom malware to deploy additional malware and broaden its monet

The Hacker News

April 17, 2023 – Criminals

Vice Society gang is using a custom PowerShell tool for data exfiltration Full Text

Abstract Vice Society ransomware operators have been spotted using a PowerShell tool to exfiltrate data from compromised networks. The Palo Alto Networks Unit 42 team observed the Vice Society ransomware gang exfiltrating data from a victim network using a custom-built Microsoft...

Security Affairs

April 17, 2023 – Phishing

New Captcha Protected Phishing Attack Targets Access to Payroll Files Full Text

Abstract The phishing attack is hosted on a landing page at payroll-microsoft365-access-panel-2023[.]softr[.]app/ which redirects to azaleastays[.]com/devr365web2023/ once a button is clicked.

Cyware

April 17, 2023 – Education

What’s the Difference Between CSPM & SSPM? Full Text

Abstract Cloud Security Posture Management (CSPM) and  SaaS Security Posture Management (SSPM)  are frequently confused. The similarity of the acronyms notwithstanding, both security solutions focus on securing data in the cloud. In a world where the terms cloud and SaaS are used interchangeably, this confusion is understandable. This confusion, though, is dangerous to organizations that need to secure data that exists within cloud infrastructures like AWS, Google Cloud, and Microsoft Azure, as well as data within SaaS applications like Salesforce, Microsoft 365, Google Workspace, Jira, Zoom, Slack and more. Assuming that either your CSPM or SSPM will secure your company resources that live off-premises is misplaced trust in a security tool that was only designed to secure either your cloud or your SaaS stack.  It's absolutely vital for decision makers to understand the difference between CSPM and SSPM, the value derived from each solution, and that both complement each other. What Do

The Hacker News

April 17, 2023 – Malware

Experts warn of an emerging Python-based credential harvester named Legion Full Text

Abstract Legion is an emerging Python-based credential harvester and hacking tool that allows operators to break into various online services. Cado Labs researchers recently discovered a new Python-based credential harvester and hacking tool, named Legion,...

Security Affairs

April 17, 2023 – APT

Vixen Panda APT Group suspected of targeting foreign ministry in cyberattack Full Text

Abstract A Chinese hacker group, Vixen Panda, is suspected of targeting the Foreign Ministry in a recent cyberattack. As per a new report by Euractiv, the hackers showed a keen interest in policy documents.

Cyware

April 17, 2023 – APT

Google Uncovers APT41’s Use of Open Source GC2 Tool to Target Media and Job Sites Full Text

Abstract A Chinese nation-state group targeted an unnamed Taiwanese media organization to deliver an open source red teaming tool known as Google Command and Control ( GC2 ) amid broader abuse of Google's infrastructure for malicious ends. The tech giant's Threat Analysis Group (TAG) attributed the campaign to a threat actor it tracks under the  geological  and  geographical-themed  moniker  HOODOO , which is also known by the names  APT41 , Barium, Bronze Atlas, Wicked Panda, and  Winnti . The starting point of the attack is a phishing email that contains links to a password-protected file hosted on Google Drive, which, in turn, incorporates the GC2 tool to read commands from Google Sheets and exfiltrate data using the cloud storage service. "After installation on the victim machine, the malware queries Google Sheets to obtain attacker commands," Google's cloud division  said  in its sixth Threat Horizons Report. "In addition to exfiltration via Drive, GC2 enabl

The Hacker News

April 17, 2023 – Attack

German Arms Manufacturer Rheinmetall Targeted in Cyberattack Full Text

Abstract Over the weekend, Rheinmetall, a leading German armaments and technology company, was the victim of a cyberattack that targeted all three of its divisions. However, company officials have stated that the attack did not impact operations.

Cyware

April 17, 2023 – Education

Tour of the Underground: Master the Art of Dark Web Intelligence Gathering Full Text

Abstract The Deep, Dark Web – The Underground – is a haven for cybercriminals, teeming with tools and resources to launch attacks for financial gain, political motives, and other causes. But did you know that the underground also offers a goldmine of threat intelligence and information that can be harnessed to bolster your cyber defense strategies? The challenge lies in continuously monitoring the right dark web sources and gathering actionable intelligence through manual methods, which can lead to analyst fatigue and delayed action. Traditional methods of unearthing dark web intelligence can be time-consuming, exhausting, and often fruitless. Discover how to pierce the veil of darkness and illuminate the path to a more secure cyber landscape in our exclusive, high-impact webinar. Register now to secure your spot ! In this enlightening session, you will: Gain practical insights on how to access the dark web Uncover the various types of underground sources that threat actors use Learn how

The Hacker News

April 17, 2023 – Attack

NCR Says it was hit by BlackCat Ransomware Attack Full Text

Abstract NCR has been suffering an outage on its Aloha point of sale (PoS) platform since Wednesday after it was hit by a ransomware attack conducted by the BlackCat/ALPHV ransomware group.

Cyware

April 17, 2023 – Ransomware

Vice Society Ransomware Using Stealthy PowerShell Tool for Data Exfiltration Full Text

Abstract Threat actors associated with the Vice Society ransomware gang have been observed using a bespoke PowerShell-based tool to fly under the radar and automate the process of exfiltrating data from compromised networks. "Threat actors (TAs) using built-in  data exfiltration   methods  like [living off the land binaries and scripts] negate the need to bring in external tools that might be flagged by security software and/or human-based security detection mechanisms," Palo Alto Networks Unit 42 researcher Ryan Chapman  said . "These methods can also hide within the general operating environment, providing subversion to the threat actor." Vice Society , tracked by Microsoft under the name DEV-0832, is an extortion-focused hacking group that emerged on the scene in May 2021. It's known to rely on ransomware binaries sold on the criminal underground to meet its goals. In December 2022, SentinelOne detailed the group's use of a ransomware variant, dubbed  PolyVi

The Hacker News

April 17, 2023 – Policy and Law

US extradites Nigerian charged over $6m email fraud scam Full Text

Abstract They used a technique dubbed Business Email Compromise (BEC). As part of this, it's claimed, the fraudsters broke into people's email accounts, too, and chatted via mobile apps to organize their crimes.

Cyware

April 17, 2023 – Malware

New Zaraza Bot Credential-Stealer Sold on Telegram Targeting 38 Web Browsers Full Text

Abstract A novel credential-stealing malware called  Zaraza bot  is being offered for sale on Telegram while also using the  popular   messaging service  as a command-and-control (C2). "Zaraza bot targets a large number of web browsers and is being actively distributed on a Russian Telegram hacker channel popular with threat actors," cybersecurity company Uptycs  said  in a report published last week. "Once the malware infects a victim's computer, it retrieves sensitive data and sends it to a Telegram server where the attackers can access it immediately." A 64-bit binary file compiled using C#, Zaraza bot is designed to target as many as 38 different web browsers, including Google Chrome, Microsoft Edge, Opera, AVG Browser, Brave, Vivaldi, and Yandex. It's also equipped to capture screenshots of the active window. It's the latest example of malware that's capable of capturing login credentials associated with online bank accounts, cryptocurrency wallets

The Hacker News

April 16, 2023 – Ransomware

Experts found the first LockBit encryptor that targets macOS systems Full Text

Abstract Researchers warn that the LockBit ransomware gang has developed encryptors to target macOS devices. The LockBit group is the first ransomware gang of all time that has created encryptors to target macOS systems, MalwareHunterTeam warns. MalwareHunterTeam...

Security Affairs

April 16, 2023 – Outage

NCR was the victim of BlackCat/ALPHV ransomware gang Full Text

Abstract NCR was the victim of the BlackCat/ALPHV ransomware gang; the attack caused an outage on the company's Aloha PoS platform. NCR Corporation, previously known as National Cash Register, is an American software, consulting and technology company providing...

Security Affairs

April 16, 2023 – General

Security Affairs newsletter Round 415 by Pierluigi Paganini – International edition Full Text

Abstract A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. New Android malicious library Goldoson found in 60 apps +100M downloads; Siemens Metaverse...

Security Affairs

April 16, 2023 – Attack

Remcos RAT campaign targets US accounting and tax return preparation firms Full Text

Abstract Microsoft warns of a new Remcos RAT campaign targeting US accounting and tax return preparation firms ahead of Tax Day. Ahead of the U.S. Tax Day, Microsoft has observed a new Remcos RAT campaign targeting US accounting and tax return preparation...

Security Affairs

April 15, 2023 – Ransomware

RTM Locker Enforces Strict Rules on Affiliates to Avoid Public Attention Full Text

Abstract Trellix detected a new private RaaS group, named Read The Manual (RTM) Locker, that has been leveraging affiliates for ransom. Also, it flies under the radar by avoiding high-profile targets. Moreover, the self-destructive nature of RTM Locker and the wipeout of logs make it a tough game to cr ... Read More

Cyware

April 15, 2023 – Vulnerabilities

Google Releases Urgent Chrome Update to Fix Actively Exploited Zero-Day Vulnerability Full Text

Abstract Google on Friday released out-of-band updates to resolve an actively exploited zero-day flaw in its Chrome web browser, making it the first such bug to be addressed since the start of the year. Tracked as  CVE-2023-2033 , the high-severity vulnerability has been described as a  type confusion issue  in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on April 11, 2023. "Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,"  according  to the NIST's National Vulnerability Database (NVD). The tech giant  acknowledged  that "an exploit for CVE-2023-2033 exists in the wild," but stopped short of sharing additional technical specifics or indicators of compromise (IoCs) to prevent further exploitation by threat actors. CVE-2023-2033 also appears to share similarities with  CVE-2022-1096

The Hacker News

April 15, 2023 – Hacker

Transparent Tribe Eyes Indian Education Sector Full Text

Abstract SentinelLabs identified a campaign by the Transparent Tribe that targets the Indian education sector via education-themed malicious Office documents propagating Crimson RAT. The group has long been targeting different sectors in India. Hence, vigilance and robust cyber defense strategies are n ... Read More

Cyware

April 15, 2023 – Attack

Forensic Analysis Confirms Involvement of North Korean Attackers in 3CX Supply Chain Attack Full Text

Abstract 3CX confirmed that the software supply chain attack was the work of a North Korean hacker group, UNC4736. The group used the Taxhaul and Simplesea malware for infecting Windows and macOS, respectively. Attackers used Taxhaul (or TxRLoader) to target Windows machines, which was further used to deplo ... Read More

Cyware

April 15, 2023 – APT

APT28 Leader’s Email Breached by Ukrainian Hackers Full Text

Abstract Ukrainian hacker group Cyber Resistance claimed to have hacked the personal accounts, emails, and social media of a Russian GRU officer, who is also the leader of APT28. The email hack allowed the hackers to extract sensitive documents along with personal information and photos, and then leak them ... Read More

Cyware

April 15, 2023 – Malware

Legion: A Python-Based Hacking Tool Targets Websites and Web Services Full Text

Abstract The cybercriminal group, which goes by the moniker "Forza Tools," was seen offering Legion, a Python-based credential harvester and SMTP hijacking tool. The malware targets online email services for phishing and spam attacks. Experts suggest it is likely based on the AndroxGh0st malware and has se ... Read More

Cyware

April 15, 2023 – Malware

New Android malicious library Goldoson found in 60 apps +100M downloads Full Text

Abstract A new Android malware named Goldoson was distributed through 60 legitimate apps on the official Google Play store. The Goldoson library, discovered by researchers from McAfee's Mobile Research Team, collects lists of applications installed...

Security Affairs

April 15, 2023 – Breach

iPhones Hacked to Drop QuaDream’s KingsPawn Spyware Full Text

Abstract QuaDream, an Israeli company best known for its malware Reign, has launched the new commercial spyware KingsPawn (a Pegasus-like threat). To begin the attack, iCloud calendar invitations with backdated timestamps are sent to targeted iOS devices. Experts recommend following best practices, suc ... Read More

Cyware

April 15, 2023 – Breach

Siemens Metaverse exposes sensitive corporate data Full Text

Abstract Siemens Metaverse, a virtual space built to mirror real machines, factories, and other highly complex systems, has exposed sensitive data, including the company’s office plans and internet of things (IoT) devices. While metaverse is no longer a buzzword,...

Security Affairs

April 15, 2023 – Phishing

Massive malvertising campaign targets seniors via fake Weebly sites Full Text

Abstract The malvertising campaign is run via Google ads aimed at seniors. The threat actor is creating hundreds of fake websites via Weebly to host decoy content to fool search engines and crawlers while redirecting victims to a fake computer alert.

Cyware

April 15, 2023 – Government

CISA adds bugs in Android and Novi Survey to its Known Exploited Vulnerabilities catalog Full Text

Abstract US Cybersecurity and Infrastructure Security Agency (CISA) added Android and Novi Survey flaws to its Known Exploited Vulnerabilities catalog. U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the following five new issues to its Known...

Security Affairs

April 15, 2023 – Breach

Volvo retailer leaks sensitive files Full Text

Abstract The Brazilian retail arm of car manufacturing giant Volvo leaked sensitive files, putting its clientele in the vast South American country in peril. Volvo’s retailer in Brazil, Dimas Volvo, leaked sensitive files through its website. The leaked...

Security Affairs

April 14, 2023 – Vulnerabilities

Researchers Disclose Cisco ISE Broken Access Control Issue Full Text

Abstract A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to bypass authorization and access system files.

Cyware

April 14, 2023 – Attack

Russia-Linked Hackers Launch Espionage Attacks on Foreign Diplomatic Entities Full Text

Abstract The Russia-linked APT29 (aka Cozy Bear) threat actor has been attributed to an ongoing cyber espionage campaign targeting foreign ministries and diplomatic entities located in NATO member states, the European Union, and Africa. According to Poland's Military Counterintelligence Service and the CERT Polska team, the observed activity shares tactical overlaps with a cluster tracked by Microsoft as Nobelium, which is known for its high-profile attack on SolarWinds in 2020. Nobelium's operations have been attributed to Russia's Foreign Intelligence Service (SVR), an organization that's tasked with protecting "individuals, society, and the state from foreign threats." That said, the campaign represents an evolution of the Kremlin-backed hacking group's tactics, indicating persistent attempts at improving its cyber weaponry to infiltrate victim systems for intelligence gathering. "New tools were used at the same time and independently of eac

The Hacker News

April 14, 2023 – Policy and Law

Enforcement of Cybersecurity Regulations: Part 3 Full Text

Abstract Cybersecurity enforcement will likely require an expansion of government inspections of critical infrastructure.

Lawfare

April 14, 2023 – Attack

A cyberattack on the Cornwall Community Hospital in Ontario is causing treatment delays Full Text

Abstract The Cornwall Community Hospital in Ontario, Canada, is under a cyber attack that is causing delays to scheduled and non-urgent care. A cyberattack on the Cornwall Community Hospital in Ontario, Canada, is causing delays to scheduled and non-urgent...

Security Affairs

April 14, 2023 – Vulnerabilities

Juniper Networks Patches Critical Third-Party Component Vulnerabilities Full Text

Abstract Networking, cloud, and cybersecurity solutions provider Juniper Networks this week published advisories detailing tens of vulnerabilities found across its product portfolio, including critical bugs in third-party components of Junos OS and STRM.

Cyware

April 14, 2023 – Breach

Kodi Confirms Data Breach: 400K User Records and Private Messages Stolen Full Text

Abstract Open source media player software provider Kodi has confirmed a data breach after threat actors stole the company's MyBB forum database containing user data and private messages. What's more, the unknown threat actors attempted to sell the data dump comprising 400,635 Kodi users on the now-defunct BreachForums cybercrime marketplace. "MyBB admin logs show the account of a trusted but currently inactive member of the forum admin team was used to access the web-based MyBB admin console twice: on 16 February and again on 21 February," Kodi said in an advisory. The threat actors then abused the account to create database backups that were then downloaded and deleted. Also downloaded were existing nightly full backups of the database. The account in question has now been disabled. The nightly backups contained all public forum posts, team forum posts, messages sent through the user-to-user messaging system, and user information such as forum username, email a

The Hacker News

April 14, 2023 – Vulnerabilities

Google fixed the first Chrome zero-day of 2023 Full Text

Abstract Google released an emergency security update to address a zero-day vulnerability in Chrome which is actively exploited in the wild. Google released an emergency security update to address the first Chrome zero-day vulnerability (CVE-2023-2033)...

Security Affairs

April 14, 2023 – Malware

Privacy-invasive and Clicker Android Adware found in popular apps in South Korea Full Text

Abstract Some apps were removed from Google Play while others were updated by the official developers. Users are encouraged to update the apps to the latest version to remove the identified threat from their devices.

Cyware

April 14, 2023 – Vulnerabilities

Severe Android and Novi Survey Vulnerabilities Under Active Exploitation Full Text

Abstract The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The two flaws are CVE-2023-20963 (CVSS score: 7.8), an Android Framework privilege escalation vulnerability, and CVE-2023-29492 (CVSS score: TBD), a Novi Survey insecure deserialization vulnerability. "Android Framework contains an unspecified vulnerability that allows for privilege escalation after updating an app to a higher Target SDK with no additional execution privileges needed," CISA said in an advisory for CVE-2023-20963. Google, in its monthly Android Security Bulletin for March 2023, acknowledged "there are indications that CVE-2023-20963 may be under limited, targeted exploitation." The development comes as tech news site Ars Technica disclosed late last month that Android apps digitally signed by China's e-commerce company Pinduoduo weap

The Hacker News

April 14, 2023 – Breach

Kodi discloses data breach after its forum was compromised Full Text

Abstract Open-source media player software provider Kodi discloses a data breach after threat actors stole its MyBB forum database. Kodi has disclosed a data breach, threat actors have stolen the company's MyBB forum database that contained data for over 400K...

Security Affairs

April 14, 2023 – Government

12,000 Indian Government Websites on Alert for Indonesian Hacking Threat Full Text

Abstract CERT-In issued an ‘Urgent- High Alert’ warning to all Central and state agencies and departments to be alert of potential attacks by Indonesian hackers and report any such incidents to them immediately.

Cyware

April 14, 2023 – Education

Webinar: Tips from MSSPs to MSSPs – Building a Profitable vCISO Practice Full Text

Abstract In today's fast-paced and ever-changing digital landscape, businesses of all sizes face a myriad of cybersecurity threats. By putting in place the right people, technological tools and services, MSSPs are in a great position to ensure their customers' cyber resilience. The growing need of SMEs and SMBs for structured cybersecurity services can be leveraged by MSPs and MSSPs to provide strategic cybersecurity services such as virtual CISO (vCISO) services, leading to recurring revenues and high margins while differentiating service providers from their competitors. There is a consensus among MSPs and MSSPs that starting a vCISO practice poses a great business opportunity, but how can you successfully pull it off? Cynomi has leveraged its network of top-notch vCISO service providers and invited three of them to a panel discussion, where they shared tips on how to start and scale a vCISO practice, and most importantly – how to keep it profitable. This panel discussion is aim

The Hacker News

April 14, 2023 – Criminals

RTM Locker, a new RaaS, gains notoriety in the threat landscape Full Text

Abstract Cybersecurity firm Trellix analyzed the activity of an emerging cybercriminal group called 'Read The Manual' RTM Locker. Researchers from cybersecurity firm Trellix have detailed the tactics, techniques, and procedures of an emerging cybercriminal...

Security Affairs

April 14, 2023 – General

Nation-state actors are taking advantage of weak passwords to go after cloud customers, Google says Full Text

Abstract Weak passwords and other compromises of user identity continue to drive security incidents for Google Cloud customers, with weak passwords accounting for nearly half of the incidents affecting its clients, according to a report released by the company.

Cyware

April 14, 2023 – Vulnerabilities

Hikvision fixed a critical flaw in Hybrid SAN and cluster storage products Full Text

Abstract Chinese video surveillance giant Hikvision addressed a critical vulnerability in its Hybrid SAN and cluster storage products. Chinese video surveillance giant Hikvision addressed an access control vulnerability, tracked as CVE-2023-28808, affecting...

Security Affairs

April 14, 2023 – Cryptocurrency

Bitrue Hot Wallet Exploit Results in $23M Cryptocurrency Theft Full Text

Abstract The exchange said it will suspend all withdrawals temporarily to conduct additional security checks, and withdrawals are expected to resume on April 18, 2023. The exchange explained that they will compensate all identified users affected in full.

Cyware

April 14, 2023 – Policy and Law

Former TSB chief information officer fined $101,000 over IT meltdown in 2018 Full Text

Abstract UK regulators have imposed an £81,000 (~$101,000) fine on a former TSB information officer over the bank’s IT meltdown in 2018 that left millions of customers locked out of their accounts.

Cyware

April 13, 2023 – Malware

Qbot Takes New Distribution Method to Infect Korean Users Full Text

Abstract AhnLab has discovered a fresh attack strategy that spreads Qbot malware through malevolent PDF attachments added to replies or forwarded messages in already-existing emails. Qbot or Qakbot follows a destructive attack pattern, shifting from one tactic to another for maximum profits.

Cyware

April 13, 2023 – Solution

Google Launches New Cybersecurity Initiatives to Strengthen Vulnerability Management Full Text

Abstract Google on Thursday outlined a set of initiatives aimed at improving the vulnerability management ecosystem and establishing greater transparency measures around exploitation. "While the notoriety of zero-day vulnerabilities typically makes headlines, risks remain even after they're known and fixed, which is the real story," the company said in an announcement. "Those risks span everything from lag time in OEM adoption, patch testing pain points, end user update issues and more." Security threats also stem from incomplete patches applied by vendors, with a chunk of the zero-days exploited in the wild turning out to be variants of previously patched vulnerabilities. Mitigating such risks requires addressing the root cause of the vulnerabilities and prioritizing modern secure software development practices to eliminate entire classes of threats and block potential attack avenues. Taking these factors into consideration, Google said it's forming a Hacking

The Hacker News

April 13, 2023 – Education

Tackling Software Supply Chain Security: A Toolbox for Policymakers Full Text

Abstract Security flaws keep software and entire supply chains vulnerable. It is critical that policymakers work to set regulatory lanes for companies to build safe and secure technology.

Lawfare

April 13, 2023 – APT

The Russia-linked APT29 is behind recent attacks targeting NATO and EU Full Text

Abstract Poland intelligence linked the Russian APT29 group to a series of attacks targeting NATO and European Union countries. Poland's Military Counterintelligence Service and its Computer Emergency Response Team linked a recent string of attacks targeting...

Security Affairs

April 13, 2023 – Policy and Law

Personal email from Dutch Police warns ex-Raidforums users Full Text

Abstract The Dutch Police, in collaboration with international police organizations, has launched an investigation into Raidforums.com, leading to the platform’s shutdown and the seizure of a dataset containing user information.

Cyware

April 13, 2023 – Criminals

RTM Locker: Emerging Cybercrime Group Targeting Businesses with Ransomware Full Text

Abstract Cybersecurity researchers have detailed the tactics of a "rising" cybercriminal gang called "Read The Manual" (RTM) Locker that functions as a private ransomware-as-a-service (RaaS) provider and carries out opportunistic attacks to generate illicit profit. "The 'Read The Manual' Locker gang uses affiliates to ransom victims, all of whom are forced to abide by the gang's strict rules," cybersecurity firm Trellix said in a report shared with The Hacker News. "The business-like set up of the group, where affiliates are required to remain active or notify the gang of their leave, shows the organizational maturity of the group, as has also been observed in other groups, such as Conti." RTM, first documented by ESET in February 2017, started off in 2015 as a banking malware targeting businesses in Russia via drive-by downloads, spam, and phishing emails. Attack chains mounted by the group have since evolved to deploy a ransomwa

The Hacker News

April 13, 2023 – Vulnerabilities

A flaw in the Kyocera Android printing app can be abused to drop malware Full Text

Abstract Security experts warn that a Kyocera Android printing app is vulnerable to improper intent handling and can be abused to drop malware. An improper intent handling issue affecting the Kyocera Android printing app can allow malicious applications...

Security Affairs

April 13, 2023 – Malware

Malicious ChatGPT & Google Bard Installers Distribute RedLine Stealer Full Text

Abstract When a victim installs a malicious file from one of these sponsored ads, their device is infected with the RedLine infostealer, which can then steal confidential data such as saved credentials and compromise financial accounts.

Cyware

April 13, 2023 – Solution

WhatsApp Introduces New Device Verification Feature to Prevent Account Takeover Attacks Full Text

Abstract Popular instant messaging app WhatsApp on Thursday announced a new account verification feature that ensures that malware running on a user's mobile device doesn't impact their account. "Mobile device malware is one of the biggest threats to people's privacy and security today because it can take advantage of your phone without your permission and use your WhatsApp to send unwanted messages," the Meta-owned company said in an announcement. Called Device Verification, the security measure is designed to help prevent account takeover (ATO) attacks by blocking the threat actor's connection and allowing targets of the malware infection to use the app without any interruption. In other words, the goal is to deter attackers' use of malware to steal WhatsApp authentication keys and hijack victim accounts, and subsequently impersonate them to distribute spam and phishing links to other contacts. This, in turn, is achieved by introducing a security-token th

The Hacker News

April 13, 2023 – Vulnerabilities

Fortinet fixed a critical vulnerability in its Data Analytics product Full Text

Abstract Fortinet addressed a critical vulnerability that can lead to remote, unauthenticated access to Redis and MongoDB instances. Fortinet has addressed a critical vulnerability, tracked as CVE-2022-41331 (CVSS score of 9.3), in its Fortinet FortiPresence...

Security Affairs

April 13, 2023 – Vulnerabilities

Critical Vulnerability in Hikvision Storage Solutions Exposes Video Security Data Full Text

Abstract The vulnerability, tracked as CVE-2023-28808, has been described by the vendor as an access control issue that can be exploited to obtain administrator permissions by sending specially crafted messages to the targeted device.

Cyware

April 13, 2023 – Malware

New Python-Based “Legion” Hacking Tool Emerges on Telegram Full Text

Abstract An emerging Python-based credential harvester and hacking tool named Legion is being marketed via Telegram as a way for threat actors to break into various online services for further exploitation. Legion, according to Cado Labs, includes modules to enumerate vulnerable SMTP servers, conduct remote code execution (RCE) attacks, exploit unpatched versions of Apache, and brute-force cPanel and WebHost Manager (WHM) accounts. The malware is said to bear similarities to another malware family called AndroxGh0st that was first documented by cloud security services provider Lacework in December 2022. Cybersecurity firm SentinelOne, in an analysis published late last month, revealed that AndroxGh0st is part of a comprehensive toolset called AlienFox that's offered to threat actors to steal API keys and secrets from cloud services. "Legion appears to be part of an emerging generation of cloud-focused credential harvester/spam utilities," security researcher Matt Muir

The Hacker News

April 13, 2023 – Insider Threat

How to Combat Insider Threats Full Text

Abstract Knowing that insider threats are a risk is one thing. Knowing how to fight them off is entirely another. Dealing with issues of insider cyber risk can be different and nuanced. It’s hard to admit that someone from within the company could ‘not...

Security Affairs

April 13, 2023 – Phishing

Zelle Phishing Campaign Sends Spoofed Emails Full Text

Abstract Zelle, the widely used and highly acclaimed money-transfer service, is now a prime target for cybercriminals. The simplicity of sending funds to friends or businesses through Zelle has made it appealing for hackers looking to cash in.

Cyware

April 13, 2023 – Hacker

Pakistan-based Transparent Tribe Hackers Targeting Indian Educational Institutions Full Text

Abstract The Transparent Tribe threat actor has been linked to a set of weaponized Microsoft Office documents in intrusions directed against the Indian education sector to deploy a continuously maintained piece of malware called Crimson RAT. While the suspected Pakistan-based threat group is known to target military and government entities in the country, the activities have since expanded to include the education vertical. The hacking group, also called APT36, Operation C-Major, PROJECTM, and Mythic Leopard, has been active as far back as 2013. Educational institutions have been at the receiving end of the adversary's attacks since late 2021. "Crimson RAT is a consistent staple in the group's malware arsenal the adversary uses in its campaigns," SentinelOne researcher Aleksandar Milenkoski said in a report shared with The Hacker News. The .NET malware has the functionality to exfiltrate files and system data to an actor-controlled server. It's also bui

The Hacker News

April 13, 2023 – APT

Pakistan-Aligned Transparent Tribe APT Expands Interest in Indian Education Sector Full Text

Abstract SentinelLabs has been tracking a recently disclosed cluster of malicious Office documents that distribute Crimson RAT, used by the APT36 group (aka Transparent Tribe) targeting the education sector.

Cyware

April 13, 2023 – Education

Why Shadow APIs are More Dangerous than You Think Full Text

Abstract Shadow APIs are a growing risk for organizations of all sizes as they can mask malicious behavior and induce substantial data loss. For those that aren't familiar with the term, shadow APIs are a type of application programming interface (API) that isn't officially documented or supported. Contrary to popular belief, it's unfortunately all too common to have APIs in production that no one on your operations or security teams knows about. Enterprises manage thousands of APIs, many of which are not routed through a proxy such as an API gateway or web application firewall. This means they aren't monitored, are rarely audited, and are most vulnerable. Since they aren't visible to security teams, shadow APIs provide hackers with a defenseless path to exploit vulnerabilities. These APIs can potentially be manipulated by malicious actors to gain access to a range of sensitive information, from customer addresses to company financial records. Considering the potential

The Hacker News
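
The practical first step the article implies is an inventory: compare what the organization believes it exposes against what traffic actually hits. The following script is an added illustration (not code from the article or its vendor): it turns a constructed list of documented OpenAPI-style path templates into matchers, walks constructed web-server access-log lines, and reports every endpoint that received requests but appears nowhere in the spec. All path names, hosts and log entries are made up for the example.

```python
"""Surface shadow APIs by diffing observed traffic against the documented spec.

Added illustration, not code from the article. Both the documented path list
and the access-log lines below are constructed for this example.
"""
import re
from collections import Counter

# Constructed: the paths the organisation believes it exposes (OpenAPI-style templates).
DOCUMENTED_PATHS = [
    "/api/v2/users/{id}",
    "/api/v2/users/{id}/orders",
    "/api/v2/orders/{id}",
    "/health",
]

# Constructed sample access-log lines (common log format, abbreviated).
SAMPLE_LOG = """\
10.0.0.5 - - [13/Apr/2023:10:01:02 +0000] "GET /api/v2/users/1042 HTTP/1.1" 200 512
10.0.0.5 - - [13/Apr/2023:10:01:03 +0000] "GET /api/v2/users/1042/orders HTTP/1.1" 200 2048
203.0.113.9 - - [13/Apr/2023:10:02:10 +0000] "GET /api/v1/users/1042/export HTTP/1.1" 200 98304
203.0.113.9 - - [13/Apr/2023:10:02:11 +0000] "GET /api/v1/users/1043/export HTTP/1.1" 200 97120
10.0.0.7 - - [13/Apr/2023:10:03:00 +0000] "POST /internal/debug/dump HTTP/1.1" 200 40960
10.0.0.7 - - [13/Apr/2023:10:03:30 +0000] "GET /health HTTP/1.1" 200 2
"""

_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def template_to_regex(template):
    """Turn '/api/v2/users/{id}' into a regex that matches one concrete segment per {param}."""
    parts = []
    for seg in template.strip("/").split("/"):
        parts.append(r"[^/]+" if seg.startswith("{") and seg.endswith("}") else re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "/?$")


def normalize(path):
    """Collapse numeric IDs so many concrete URLs fold into one template-like key."""
    path = path.split("?", 1)[0]
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def find_shadow_apis(log_text, documented=DOCUMENTED_PATHS):
    """Return {normalized_path: hit_count} for endpoints seen in traffic but absent from the spec."""
    patterns = [template_to_regex(t) for t in documented]
    seen = Counter()
    for line in log_text.splitlines():
        m = _REQ_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if any(p.match(path) for p in patterns):
            continue  # documented endpoint
        seen[normalize(path)] += 1
    return dict(seen)


if __name__ == "__main__":
    # On the constructed log this prints the v1 export route and the debug dump endpoint.
    for path, hits in sorted(find_shadow_apis(SAMPLE_LOG).items()):
        print(f"{hits:4d}  {path}")
```

In production the log source would be the edge proxy, load balancer or cloud gateway rather than an embedded string, and the documented list would be generated from the OpenAPI files in the repositories; the diff logic stays the same.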

April 13, 2023 – Hacker

Lazarus Hacker Group Evolves Tactics, Tools, and Targets in DeathNote Campaign Full Text

Abstract The North Korean threat actor known as the Lazarus Group has been observed shifting its focus and rapidly evolving its tools and tactics as part of a long-running campaign called DeathNote. While the nation-state adversary is known for persistently singling out the cryptocurrency sector, recent attacks have also targeted automotive, academic, and defense sectors in Eastern Europe and other parts of the world, in what's perceived as a "significant" pivot. "At this point, the actor switched all the decoy documents to job descriptions related to defense contractors and diplomatic services," Kaspersky researcher Seongsu Park said in an analysis published Wednesday. The deviation in targeting, along with the use of updated infection vectors, is said to have occurred in April 2020. It's worth noting that the DeathNote cluster is also tracked under the monikers Operation Dream Job or NukeSped. Google-owned Mandiant has also tied a subset of the activit

The Hacker News

April 13, 2023 – General

ChatGPT Security: OpenAI’s Bug Bounty Program Offers Up to $20,000 Prizes Full Text

Abstract OpenAI, the company behind the massively popular ChatGPT AI chatbot, has launched a bug bounty program in an attempt to ensure its systems are "safe and secure." To that end, it has partnered with the crowdsourced security platform Bugcrowd for independent researchers to report vulnerabilities discovered in its product in exchange for rewards ranging from "$200 for low-severity findings to up to $20,000 for exceptional discoveries." It's worth noting that the program does not cover model safety or hallucination issues, wherein the chatbot is prompted to generate malicious code or other faulty outputs. The company noted that "addressing these issues often involves substantial research and a broader approach." Other prohibited categories are denial-of-service (DoS) attacks, brute-forcing OpenAI APIs, and demonstrations that aim to destroy data or gain unauthorized access to sensitive information beyond what's necessary to highlight the prob

The Hacker News

April 12, 2023 – Breach

A leak of files could be America’s worst intelligence breach in a decade Full Text

Abstract The leaked files, which include military assessments on the war in Ukraine and CIA reports on a range of global issues, came to widespread attention when some appeared on Telegram, a messaging app widely used in Russia.

Cyware

April 12, 2023 – Malware

Israel-based Spyware Firm QuaDream Targets High-Risk iPhones with Zero-Click Exploit Full Text

Abstract Threat actors using hacking tools from an Israeli surveillanceware vendor named QuaDream targeted at least five members of civil society in North America, Central Asia, Southeast Asia, Europe, and the Middle East. According to findings from a group of researchers from the Citizen Lab, the spyware campaign was directed against journalists, political opposition figures, and an NGO worker in 2021. The names of the victims were not disclosed. It's also suspected that the company abused a zero-click exploit dubbed ENDOFDAYS in iOS 14 to deploy spyware as a zero-day in version 14.4 and 14.4.2. There is no evidence that the exploit has been used after March 2021. ENDOFDAYS "appears to make use of invisible iCloud calendar invitations sent from the spyware's operator to victims," the researchers said, adding the .ics files contain invites to two backdated and overlapping events so as to not alert the users. The attacks are suspected to have leveraged a quirk in iOS 1

The Hacker News
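
The one observable the two QuaDream items above give defenders is the shape of the lure: calendar invitations whose events are backdated relative to when the invite was created, arriving as overlapping pairs. The script below is an added example, not code from Citizen Lab, QuaDream or the article; it parses a constructed .ics file with a minimal VEVENT reader and flags exactly that pattern. It assumes UTC timestamps in the YYYYMMDDTHHMMSSZ form and a one-day backdating threshold; both are illustrative choices, and the UIDs and summaries are made up.

```python
"""Flag calendar invites with the shape described in the QuaDream report:
events created long after they supposedly took place, delivered as overlapping pairs.

Added example, not code from the report or the article. The .ics text is constructed,
and the parser only handles UTC timestamps of the form YYYYMMDDTHHMMSSZ (an assumption).
"""
from datetime import datetime, timedelta

# Constructed sample: one ordinary invite and a pair of backdated, overlapping events.
SAMPLE_ICS = """\
BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VEVENT
UID:normal-1
DTSTAMP:20210301T090000Z
DTSTART:20210305T100000Z
DTEND:20210305T110000Z
SUMMARY:Team sync
END:VEVENT
BEGIN:VEVENT
UID:odd-1
DTSTAMP:20210301T090500Z
DTSTART:20200115T080000Z
DTEND:20200115T090000Z
SUMMARY:Meeting
END:VEVENT
BEGIN:VEVENT
UID:odd-2
DTSTAMP:20210301T090500Z
DTSTART:20200115T083000Z
DTEND:20200115T093000Z
SUMMARY:Meeting
END:VEVENT
END:VCALENDAR
"""


def _parse_ts(value):
    # Assumption: only the UTC form is handled; TZID-qualified values would need zoneinfo.
    return datetime.strptime(value.strip(), "%Y%m%dT%H%M%SZ")


def parse_events(ics_text):
    """Minimal VEVENT extractor returning dicts with uid, dtstamp, dtstart and dtend."""
    events, cur = [], None
    for raw in ics_text.splitlines():
        line = raw.strip()
        if line == "BEGIN:VEVENT":
            cur = {}
        elif line == "END:VEVENT" and cur is not None:
            if "dtstamp" in cur and "dtstart" in cur:
                cur.setdefault("dtend", cur["dtstart"])  # zero-length event if DTEND is absent
                events.append(cur)
            cur = None
        elif cur is not None and ":" in line:
            key, value = line.split(":", 1)
            key = key.split(";", 1)[0]  # drop property parameters such as VALUE=DATE
            if key == "UID":
                cur["uid"] = value
            elif key in ("DTSTAMP", "DTSTART", "DTEND"):
                cur[key.lower()] = _parse_ts(value)
    return events


def suspicious_invites(ics_text, backdate_threshold=timedelta(days=1)):
    """Return findings: ('backdated', uid) for events stamped well after they 'happened',
    and ('overlap', uid_a, uid_b) for pairs whose time ranges intersect."""
    events = parse_events(ics_text)
    findings = []
    for e in events:
        if e["dtstamp"] - e["dtstart"] > backdate_threshold:
            findings.append(("backdated", e["uid"]))
    for i, a in enumerate(events):
        for b in events[i + 1:]:
            if a["dtstart"] < b["dtend"] and b["dtstart"] < a["dtend"]:
                findings.append(("overlap", a["uid"], b["uid"]))
    return findings


if __name__ == "__main__":
    # On the constructed sample: odd-1 and odd-2 are backdated and overlap each other.
    for finding in suspicious_invites(SAMPLE_ICS):
        print(*finding)
```

Legitimate calendars do contain past-dated events (imports, rescheduled meetings), so the backdating check is a triage signal to pair with sender reputation and the overlap heuristic, not a verdict on its own.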

April 12, 2023 – Breach

Hyundai suffered a data breach that impacted customers in France and Italy Full Text

Abstract Hyundai disclosed a data breach that impacted Italian and French car owners and clients who booked a test drive. Hyundai has suffered a data breach that impacted Italian and French car owners and customers who booked a test drive. Threat actors...

Security Affairs

April 12, 2023 – General

Why the EU Should Stop Talking About Digital Sovereignty Full Text

Abstract Instead of pursuing digital sovereignty, the EU should adopt the concept of digital responsibility, which emphasizes fostering cybersecurity partnerships with trusted organizations outside of government.

Cyware

April 12, 2023 – General

The Service Accounts Challenge: Can’t See or Secure Them Until It’s Too Late Full Text

Abstract Here's a hard question to answer: 'How many service accounts do you have in your environment?'. A harder one is: 'Do you know what these accounts are doing?'. And the hardest is probably: 'If any of your service accounts was compromised and used to access resources, would you be able to detect and stop that in real time?'. Since most identity and security teams would provide a negative reply, it's no wonder that one of the immediate actions today's attackers take following an initial endpoint compromise is hunting down unwatched service accounts. And it's even less of a wonder that in most cases they succeed in finding one and leveraging it to spread within the entire environment, getting noticed only when it's too late – after workstations and servers got encrypted by ransomware or sensitive data was stolen. In this article, we unfold the reasons that have caused service accounts to become one of the most dangerous weaknesse

The Hacker News
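
The three questions in the abstract above map to two concrete checks: enumerate the service accounts you actually have from authentication data, then alert when one of them is used in a way it never was before. The script below is an added example, not the article's or its sponsor's code. It assumes a constructed 'svc_' naming convention for service accounts and Windows-style logon type codes (event 4624 semantics), learns a baseline of (source host, logon type) pairs per account from a clean period, and flags interactive logons or previously unseen source hosts. All event records and host names are constructed.

```python
"""Baseline service-account logons and flag deviations in near real time.

Added example, not from the article. Event records, host names and the 'svc_'
naming convention are constructed assumptions for illustration.
"""
import json
from collections import defaultdict

# Windows logon types (Security event 4624). A service account is expected to use
# service (5), batch (4) or network (3) logons; interactive use is a red flag.
INTERACTIVE_TYPES = {2: "Interactive", 10: "RemoteInteractive", 11: "CachedInteractive"}


def is_service_account(user):
    # Constructed assumption: service accounts follow a 'svc_' naming convention.
    return user.lower().startswith("svc_")


def build_baseline(events):
    """Map each service account to the set of (source host, logon type) pairs seen in a clean period.
    The keys double as the inventory answer to 'how many service accounts do we have?'."""
    baseline = defaultdict(set)
    for e in events:
        if is_service_account(e["user"]):
            baseline[e["user"]].add((e["src_host"], e["logon_type"]))
    return baseline


def detect(events, baseline):
    """Return (time, user, reason) alerts for service-account logons that are interactive
    or that come from a host/logon-type combination absent from the baseline."""
    alerts = []
    for e in events:
        user = e["user"]
        if not is_service_account(user):
            continue
        lt = e["logon_type"]
        if lt in INTERACTIVE_TYPES:
            alerts.append((e["time"], user, f"{INTERACTIVE_TYPES[lt]} logon from {e['src_host']}"))
        elif (e["src_host"], lt) not in baseline.get(user, set()):
            known = sorted({h for h, _ in baseline.get(user, set())})
            alerts.append((e["time"], user, f"new source host {e['src_host']} (baseline: {known})"))
    return alerts


# Constructed sample data: a clean learning period, then a window with lateral movement.
BASELINE_EVENTS = [json.loads(l) for l in """\
{"time":"2023-04-05T02:00:00Z","user":"svc_backup","src_host":"BKP01","logon_type":5}
{"time":"2023-04-05T02:10:00Z","user":"svc_backup","src_host":"FS01","logon_type":3}
{"time":"2023-04-05T03:00:00Z","user":"svc_sql","src_host":"SQL01","logon_type":5}
{"time":"2023-04-05T09:00:00Z","user":"alice","src_host":"WS-ALICE","logon_type":2}
""".splitlines()]

LIVE_EVENTS = [json.loads(l) for l in """\
{"time":"2023-04-12T02:00:00Z","user":"svc_backup","src_host":"BKP01","logon_type":5}
{"time":"2023-04-12T14:22:00Z","user":"svc_backup","src_host":"WS-ALICE","logon_type":10}
{"time":"2023-04-12T14:25:00Z","user":"svc_sql","src_host":"WS-ALICE","logon_type":3}
{"time":"2023-04-12T14:30:00Z","user":"alice","src_host":"WS-ALICE","logon_type":2}
""".splitlines()]


if __name__ == "__main__":
    # On the constructed data this raises two alerts: svc_backup used for an RDP-style
    # logon from a workstation, and svc_sql reaching out from a host it never used before.
    for alert in detect(LIVE_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(*alert)
```

The baseline should be rebuilt from a period you are confident was clean and refreshed on a schedule, otherwise an attacker's first use of an account becomes part of "normal". In a real pipeline the events come from the SIEM's 4624 feed and the alert handler would disable or isolate rather than print.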

April 12, 2023 – Privacy

QuaDream surveillance firm’s spyware targeted iPhones with zero-click exploit Full Text

Abstract At least five members of civil society worldwide have been targeted with spyware and exploits developed by surveillance firm QuaDream. Citizen Lab researchers reported that at least five civil society members were victims of spyware and exploits developed...

Security Affairs

April 12, 2023 – Vulnerabilities

Fortinet Patches Critical Vulnerability in Data Analytics Solution Full Text

Abstract Cybersecurity solutions provider Fortinet this week announced the release of security updates across multiple products, including patches for a critical vulnerability in FortiPresence.

Cyware

April 12, 2023 – Vulnerabilities

Urgent: Microsoft Issues Patches for 97 Flaws, Including Active Ransomware Exploit Full Text

Abstract It's the second Tuesday of the month, and Microsoft has released another set of security updates to fix a total of 97 flaws impacting its software, one of which has been actively exploited in ransomware attacks in the wild. Seven of the 97 bugs are rated Critical and 90 are rated Important in severity. Interestingly, 45 of the shortcomings are remote code execution flaws, followed by 20 elevation of privilege vulnerabilities. The updates also follow fixes for 26 vulnerabilities in its Edge browser that were released over the past month. The security flaw that's come under active exploitation is CVE-2023-28252 (CVSS score: 7.8), a privilege escalation bug in the Windows Common Log File System (CLFS) Driver. "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft said in an advisory, crediting researchers Boris Larin, Genwei Jiang, and Quan Jin for reporting the issue. CVE-2023-28252 is the fourth privilege escalation

The Hacker News

April 12, 2023 – Vulnerabilities

SAP April 2023 security updates fix critical vulnerabilities Full Text

Abstract SAP fixed two critical bugs that affect the Diagnostics Agent and the BusinessObjects Business Intelligence Platform. SAP April 2023 security updates include a total of 24 notes, 19 of which are new vulnerabilities. The most critical vulnerabilities...

Security Affairs

April 12, 2023 – Solution

Announcing the deps.dev API: critical dependency data for secure supply chains Full Text

Abstract As part of Google’s ongoing efforts to improve open-source security, the Open Source Insights team has built a reliable view of software metadata across five packaging ecosystems.

Cyware

April 12, 2023 – Attack

North Korean Hackers Uncovered as Mastermind in 3CX Supply Chain Attack Full Text

Abstract Enterprise communications service provider 3CX confirmed that the supply chain attack targeting its desktop application for Windows and macOS was the handiwork of a threat actor with North Korean nexus. The findings are the result of an interim assessment conducted by Google-owned Mandiant, whose services were enlisted after the intrusion came to light late last month. The threat intelligence and incident response unit is tracking the activity under its uncategorized moniker UNC4736. It's worth noting that cybersecurity firm CrowdStrike has attributed the attack to a Lazarus sub-group dubbed Labyrinth Chollima, citing tactical overlaps. The attack chain, based on analyses from multiple security vendors, entailed the use of DLL side-loading techniques to load an information stealer known as ICONIC Stealer, followed by a second-stage called Gopuram in selective attacks aimed at crypto companies. Mandiant's forensic investigation has now revealed that the threat acto

The Hacker News

April 12, 2023 – General

OpenAI launched a bug bounty program Full Text

Abstract AI company OpenAI launched a bug bounty program and announced payouts of up to $20,000 for security flaws in its ChatGPT chatbot service. OpenAI launched a bug bounty program and it is offering up to $20,000 to bug hunters that will report vulnerabilities...

Security Affairs

April 12, 2023 – Criminals

Following the Lazarus group by tracking DeathNote campaign Full Text

Abstract This threat cluster linked to the North Korean threat actor Lazarus is also known as Operation DreamJob or NukeSped. It's dubbed DeathNote after its malware payloads named Dn.dll or Dn64.dll.

Cyware

April 12, 2023 – Criminals

Cybercrime group exploits Windows zero-day in ransomware attacks Full Text

Abstract Microsoft has addressed a zero-day in the Windows Common Log File System (CLFS) actively exploited in ransomware attacks. Microsoft has addressed a zero-day vulnerability, tracked as CVE-2023-28252, in the Windows Common Log File System (CLFS), which...

Security Affairs

April 12, 2023 – General

FTX bankruptcy filing highlights security failures Full Text

Abstract Debtors claim that the defunct cryptocurrency exchange FTX lacked any dedicated security personnel and failed to implement critical access controls for billions of dollars in assets.

Cyware

April 12, 2023 – Criminals

Criminals Pose as Chinese Authorities to Target US-based Chinese Community Full Text

Abstract Criminals exploit widely publicized efforts by the People’s Republic of China government to harass and facilitate the repatriation of individuals living in the United States to build plausibility for their fraud.

Cyware

April 12, 2023 – Government

IRS acting CIO: Securing software supply chain remains a challenge for agencies Full Text

Abstract Finding the right balance between encouraging innovation within development teams and securing the software supply chain remains a challenge for federal agencies, according to the acting chief information officer of the IRS.

Cyware

April 12, 2023 – APT

Ukrainian Hackers Breach Email of APT28 Leader, Who’s Wanted by FBI Full Text

Abstract Ukrainian hacker group Cyber Resistance, aka Ukrainian Cyber Alliance, has claimed to have hacked the email, social media, and personal accounts of Russian GRU officer Lieutenant Colonel Sergey Alexandrovich Morgachev, the leader of APT28.

Cyware

April 11, 2023 – Cryptocurrency

Color1337 Cryptojacking Campaign Churns Juices From Linux Servers Full Text

Abstract Cybersecurity company Tehtris analyzed a cryptojacking campaign targeting Linux systems and infecting those with a malware bot called uhQCCSpB. With the bot, attackers use two strategies to launch a Monero miner on the infected machine. The "diicot" cryptominer is activated on machines that have mo ... Read More

Cyware

April 11, 2023 – Vulnerabilities

Newly Discovered “By-Design” Flaw in Microsoft Azure Could Expose Storage Accounts to Hackers Full Text

Abstract A "by-design flaw" uncovered in Microsoft Azure could be exploited by attackers to gain access to storage accounts, move laterally in the environment, and even execute remote code. "It is possible to abuse and leverage Microsoft Storage Accounts by manipulating Azure Functions to steal access-tokens of higher privilege identities, move laterally, potentially access critical business assets, and execute remote code (RCE)," Orca said in a new report shared with The Hacker News. The exploitation path that underpins this attack is a mechanism called Shared Key authorization, which is enabled by default on storage accounts. According to Microsoft, Azure generates two 512-bit storage account access keys when creating a storage account. These keys can be used to authorize access to data via Shared Key authorization, or via SAS tokens that are signed with the shared key. "Storage account access keys provide full access to the configuration of a storage accoun

The Hacker News

April 11, 2023 – General

Addressing the Security Risks of AI Full Text

Abstract AI’s vulnerability to adversarial attack is not futuristic, and there are reasonable measures that should be taken now to address the risk.

Lawfare

April 11, 2023 – Vulnerabilities

A “By-Design” flaw in Microsoft Azure can allow storage accounts takeover Full Text

Abstract A flaw in Microsoft Azure could be exploited by attackers to gain access to storage accounts, perform lateral movements, and even execute remote code. Researchers from the security firm Orca demonstrated how to abuse Microsoft Azure Shared Key authorization...

Security Affairs

April 11, 2023 – Vulnerabilities

Siemens, Schneider Electric Address Dozens of ICS Vulnerabilities Full Text

Abstract The total number of vulnerabilities patched this month is significantly smaller than in February and March, when the industrial giants addressed roughly 100 security issues.

Cyware

April 11, 2023 – Criminals

Cybercriminals Turn to Android Loaders on Dark Web to Evade Google Play Security Full Text

Abstract Malicious loader programs capable of trojanizing Android applications are being traded on the criminal underground for up to $20,000 as a way to evade Google Play Store defenses. "The most popular application categories to hide malware and unwanted software include cryptocurrency trackers, financial apps, QR-code scanners, and even dating apps," Kaspersky said in a new report based on messages posted on online forums between 2019 and 2023. Dropper apps are the primary means for threat actors looking to sneak malware via the Google Play Store. Such apps often masquerade as seemingly innocuous apps, with malicious updates introduced once they have cleared the review process and amassed a significant user base. This is achieved by using a loader program that's responsible for injecting malware into a clean app, which is then made available for download from the app marketplace. Users who install the tampered app are prompted to grant it intrusive permiss

The Hacker News

April 11, 2023 – Breach

Yum! Brands, the owner of KFC, Taco Bell and Pizza Hut, discloses data breach Full Text

Abstract Yum! Brands, the company that owns the KFC, Pizza Hut, and Taco Bell brands, disclosed a data breach after the January ransomware attack. On January 13, 2023, Yum! Brands suffered a cyberattack that forced the company to take its systems offline closing...

Security Affairs

April 11, 2023 – Malware

Malware Disguised as Document from Ukraine’s Energoatom Delivers Havoc Demon Backdoor Full Text

Abstract When opened, it displays an image instructing the user to enable Word’s macro code execution to reveal information supposedly protected by M.E. Doc (My Electronic Document).

Cyware

April 11, 2023 – Education

[eBook] A Step-by-Step Guide to Cyber Risk Assessment Full Text

Abstract In today's perilous cyber risk landscape, CISOs and CIOs must defend their organizations against relentless cyber threats, including ransomware, phishing, attacks on infrastructure, supply chain breaches, malicious insiders, and much more. Yet at the same time, security leaders are also under tremendous pressure to reduce costs and invest wisely. One of the most effective ways for CISOs and CIOs to make the best use of their limited resources to protect their organizations is by conducting a cyber risk assessment. A comprehensive cyber risk assessment can help: identify vulnerabilities and threats; prioritize security investments; assess cybersecurity maturity; communicate cyber risk to executives; and provide the basis for cyber risk quantification. A new guide by cybersecurity optimization provider CYE (download here) explains how this can be accomplished. The guide outlines several approaches to cyber risk assessments and describes the necessary steps that can yield solid in

The Hacker News

April 11, 2023 – Vulnerabilities

Apple released emergency updates to fix recently disclosed zero-day bugs on older devices Full Text

Abstract Apple released updates to backport patches addressing two actively exploited zero-day vulnerabilities in older iPhones, iPads, and Macs. Apple has released emergency updates to backport security patches that address two actively exploited zero-day...

Security Affairs

April 11, 2023 – General

Belgium Anti-Phishing Shield (BAPS) Stops 14 Million Dangerous Clicks in 2022 Full Text

Abstract The Belgium Anti-Phishing Shield (BAPS) has prevented a staggering 14 million clicks to suspicious websites in 2022, thanks to the unique collaboration between the Centre for Cybersecurity Belgium (CCB) and the general public.

Cyware

April 11, 2023 – Malware

Cryptocurrency Stealer Malware Distributed via 13 NuGet Packages Full Text

Abstract Cybersecurity researchers have detailed the inner workings of the cryptocurrency stealer malware that was distributed via 13 malicious NuGet packages as part of a supply chain attack targeting .NET developers. The sophisticated typosquatting campaign, which was detailed by JFrog late last month, impersonated legitimate packages to execute PowerShell code designed to retrieve a follow-on binary from a hard-coded server. The two-stage attack culminates in the deployment of a .NET-based persistent backdoor, called Impala Stealer, which is capable of gaining unauthorized access to users' cryptocurrency accounts. "The payload used a very rare obfuscation technique, called '.NET AoT compilation,' which is a lot more stealthy than using 'off the shelf' obfuscators while still making the binary hard to reverse engineer," JFrog told The Hacker News in a statement. .NET AoT compilation is an optimization technique that allows apps to be ahead-of-time c

The Hacker News

April 11, 2023 – Attack

A cyber attack hit the water controllers for irrigating fields in the Jordan Valley Full Text

Abstract A cyber attack paralyzed the water controllers for irrigating fields in the Jordan Valley that are operated by the Galil Sewage Corporation. A cyberattack blocked several controllers for irrigating fields in the Jordan Valley. The systems operated...

Security Affairs

April 11, 2023 – Policy and Law

Battle could be brewing over new FCC data breach reporting rules Full Text

Abstract An expanded data breach definition and the telcos’ desire to link notifications to “concrete harm” are among the most controversial aspects of the proposed FCC data breach reporting rules.

Cyware

April 11, 2023 – Vulnerabilities

Miscreants could use Azure access keys as backdoors Full Text

Abstract A design flaw in Microsoft Azure – that shared key authorization is enabled by default when creating storage accounts – could give attackers full access to your environment, according to Orca Security researchers.

Cyware

April 11, 2023 – Business

Fivecast Completes Series A Raise With New US and Existing Australian VC Investors Full Text

Abstract The Australian open-source intelligence (OSINT) software company has closed its Series A funding round with almost US$20 million raised to fuel its expansion and service contracts in key markets.

Cyware

April 11, 2023 – Government

CISA Issues Advisories on Critical ICS and SCADA Vulnerabilities Full Text

Abstract Multiple advisories have been released by the CISA covering bugs found in ICS and SCADA software from several vendors including Rockwell Automation, Hitachi Energy, JTEKT Electronics, Korenix, mySCADA Technologies, and Industrial Control Links. ScadaFlex II series controllers by Industrial Control ... Read More

Cyware

April 11, 2023 – General

Why reporting an incident only makes the cybersecurity community stronger Full Text

Abstract CISOs and cyber leaders may not see reporting a breach as the most pleasant of tasks, but experts say mandatory and voluntary sharing of intelligence around incidents can only improve the readiness and resilience of responders.

Cyware

April 10, 2023 – Criminals

New Darknet Market Styx Offers a Variety of Frauds and Services Full Text

Abstract A new dark web marketplace identified as Styx is gaining popularity among cybercriminals for providing access to a wide range of illegal services such as DDoS attacks, banking trojans, stolen IDs, and 2FA/MFA bypass solutions. It uses Telegram channels where various automated bots interact wit ... Read More

Cyware

April 10, 2023 – Policy and Law

Estonian National Charged in U.S. for Acquiring Electronics and Metasploit Pro for Russian Military Full Text

Abstract An Estonian national has been charged in the U.S. for purchasing U.S.-made electronics on behalf of the Russian government and military. The 45-year-old individual, Andrey Shevlyakov, was arrested on March 28, 2023, in Tallinn. He has been indicted on 18 counts of conspiracy and other charges. If found guilty, he faces up to 20 years in prison. Court documents allege that Shevlyakov operated front companies that were used to import sensitive electronics from U.S. manufacturers. The goods were then shipped to Russia, bypassing export restrictions. The purchased items included analog-to-digital converters and low-noise pre-scalers and synthesizers that are found in defense systems. Shevlyakov is also accused of attempting to acquire hacking tools like Rapid7 Metasploit Pro, a legitimate penetration testing and adversary simulation software. Although Shevlyakov was placed on the Entity List in 2012 by the U.S. government for acting as a procurement agent for Russia, he is said to ha

The Hacker News

April 10, 2023 – Government

CISA adds zero-day bugs in iPhones, Macs, and iPads to its Known Exploited Vulnerabilities catalog Full Text

Abstract US Cybersecurity and Infrastructure Security Agency (CISA) added two flaws in iPhones, Macs, and iPads to its Known Exploited Vulnerabilities catalog. U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the following five new issues...

Security Affairs

April 10, 2023 – Hacker

Inside the sting operation to catch North Korean crypto hackers Full Text

Abstract In late January, the hackers moved a fraction of their loot to a crypto account pegged to the dollar, temporarily relinquishing control of it. The investigators pounced, flagging the transaction to U.S. law enforcement officials to freeze the money.

Cyware

April 10, 2023 – Denial Of Service

Hackers Flood NPM with Bogus Packages Causing a DoS Attack Full Text

Abstract Threat actors are flooding the npm open source package repository with bogus packages that briefly even resulted in a denial-of-service (DoS) attack. "The threat actors create malicious websites and publish empty packages with links to those malicious websites, taking advantage of open-source ecosystems' good reputation on search engines," Checkmarx's Jossef Harush Kadouri said in a report published last week. "The attacks caused a denial-of-service (DoS) that made NPM unstable with sporadic 'Service Unavailable' errors." While similar campaigns were recently observed propagating phishing links, the latest wave pushed the number of package versions to 1.42 million, a dramatic uptick from the approximately 800,000 packages released on npm. The attack technique leverages the fact that open source repositories are ranked higher on search engine results to create rogue websites and upload empty npm modules with links to those sites in the README.

The Hacker News

April 10, 2023 – Outage

SD Worx shuts down UK and Ireland services after cyberattack Full Text

Abstract Belgian HR giant SD Worx was forced to shut down its IT infrastructure for its UK and Ireland services after a cyber attack. HR and payroll management firm SD Worx shut down its IT systems for its UK and Ireland services after a cyber attack. The company...

Security Affairs

April 10, 2023 – Education

How LockBit Changed Cybersecurity Forever Full Text

Abstract Operating as a Ransomware-as-a-Service, the group consists of a central team that crafts the malware and manages its website. Meanwhile, the group also grants access to its code to affiliates who help execute the cyberattacks.

Cyware

April 10, 2023 – General

Top 10 Cybersecurity Trends for 2023: From Zero Trust to Cyber Insurance Full Text

Abstract As technology advances, cyberattacks are becoming more sophisticated. With the increasing use of technology in our daily lives, cybercrime is on the rise, as evidenced by the fact that cyberattacks caused 92% of all data breaches in the first quarter of 2022. Staying current with cybersecurity trends and laws is crucial to combat these threats, which can significantly impact business development. In 2023, the cybersecurity market is expected to see new trends, and businesses must be adequately prepared for any developments. Andrey Slastenov, Head of Web Security at Gcore, shares his insights on these trends in this article. 1 — Application security As businesses shifted online to stay afloat during the pandemic, the forecast for application security spending is projected to surpass $7.5 billion, according to Statista. However, every application might be susceptible to hacking, zero-day attacks, and identity theft. Ensuring application security demands professionals w

The Hacker News

April 10, 2023 – Vulnerabilities

Sophos patches three issues in the Sophos Web Security appliance, one of them rated as critical Full Text

Abstract Sophos addressed three vulnerabilities in Sophos Web Appliance, including a critical flaw that can lead to code execution. Cybersecurity vendor Sophos addressed three vulnerabilities in Sophos Web Appliance, including a critical flaw, tracked as CVE-2023-1671...

Security Affairs

April 10, 2023 – Government

Biden cyber officials see auto, food safety as models for security overhaul Full Text

Abstract The blueprint for holding the technology industry accountable for product security is based on similar efforts that resulted in the automobile industry creating safer cars, Acting National Cyber Director Kemba Walden said last week.

Cyware

April 10, 2023 – Attack

Over 1 Million WordPress Sites Infected by Balada Injector Malware Campaign Full Text

Abstract Over one million WordPress websites are estimated to have been infected by an ongoing campaign to deploy malware called Balada Injector since 2017. The massive campaign, per GoDaddy's Sucuri, "leverages all known and recently discovered theme and plugin vulnerabilities" to breach WordPress sites. The attacks are known to play out in waves once every few weeks. "This campaign is easily identified by its preference for String.fromCharCode obfuscation, the use of freshly registered domain names hosting malicious scripts on random subdomains, and by redirects to various scam sites," security researcher Denis Sinegubko said. The websites include fake tech support, fraudulent lottery wins, and rogue CAPTCHA pages urging users to turn on notifications to 'Please Allow to verify, that you are not a robot,' thereby enabling the actors to send spam ads. The report builds on recent findings from Doctor Web, which detailed a Linux malware family th

The Hacker News

April 10, 2023 – APT

Iran-linked MERCURY APT behind destructive attacks on hybrid environments Full Text

Abstract Iran-linked APT group MERCURY is behind destructive attacks on hybrid environments masquerading as a ransomware operation. The Microsoft Threat Intelligence team observed a series of destructive attacks on hybrid environments that were carried out by MuddyWater...

Security Affairs

April 10, 2023 – General

Leftover data lurks across the enterprise, creating a business risk Full Text

Abstract Cloud computing makes data storage scalable and readily accessible. More than 85% of companies store some or all of their data in the cloud, according to a Blancco study.

Cyware

April 10, 2023 – Solution

Protecting your business with Wazuh: The open source security platform Full Text

Abstract Today, businesses face a variety of security challenges like cyber attacks, compliance requirements, and endpoint security administration. The threat landscape constantly evolves, and it can be overwhelming for businesses to keep up with the latest security trends. Security teams use processes and security solutions to curb these challenges. These solutions include firewalls, antiviruses, data loss prevention services, and XDRs (Extended Detection and Response). Wazuh is a free and open source security platform that unifies XDR and SIEM (System Information and Event Management) capabilities. It comprises a universal security agent for event data collection from various sources and the central components for event analysis, correlation, and alerting. The central components include the Wazuh server, dashboard, and indexer. Wazuh offers a suite of modules capable of providing extended threat detection and response for on-premises and cloud workloads. In this article, we emphasize the

The Hacker News

April 10, 2023 – Breach

Samsung employees unwittingly leaked company secret data by using ChatGPT Full Text

Abstract Samsung employees have unwittingly leaked top secret data by providing them to the popular chatbot service ChatGPT. Samsung employees have shared internal documents, including meeting notes and source code, with the popular chatbot service ChatGPT....

Security Affairs

April 10, 2023 – Breach

Data breach at Elmbrook School District exposes personal information about former and current employees Full Text

Abstract Once it learned of the breach, the district investigated, with the help of cybersecurity professionals. The initial group of employees affected was informed in late September and October 2022, Chief Strategy Officer Chris Thompson said.

Cyware

April 10, 2023 – Outage

Rochester Public Schools to close Monday after possible cyberattack Full Text

Abstract The school district detected "unusual activity on the district’s network," Thursday, and responded by shutting down the network and "almost all core technology systems," while staff began an investigation, as per an update posted on its website.

Cyware

April 10, 2023 – Breach

Samsung employees unwittingly leaked company’s secret data by using ChatGPT Full Text

Abstract Samsung Electronics is warning its employees of the potential risks associated with the use of ChatGPT, explaining that there is no way to prevent the leak of the data provided to OpenAI’s chatbot service.

Cyware

April 10, 2023 – Breach

Mastodon Vulnerability Exposes Sensitive Information: Data Leak Alert Full Text

Abstract The vulnerability has been labeled CVE-2023-28853, with a "high" risk assessment. Mastodon versions from 2.5.0 were affected, but the developers have since closed the security gaps in versions 4.1.2, 4.0.4, and 3.5.8.

Cyware

April 10, 2023 – Government

CISA Warns of 5 Actively Exploited Security Flaws: Urgent Action Required Full Text

Abstract The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. This includes three high-severity flaws in the Veritas Backup Exec Agent software (CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878) that could lead to the execution of privileged commands on the underlying system. The flaws were fixed in a patch released by Veritas in March 2021: CVE-2021-27876 (CVSS score: 8.1) - Veritas Backup Exec Agent File Access Vulnerability; CVE-2021-27877 (CVSS score: 8.2) - Veritas Backup Exec Agent Improper Authentication Vulnerability; CVE-2021-27878 (CVSS score: 8.8) - Veritas Backup Exec Agent Command Execution Vulnerability. Google-owned Mandiant, in a report published last week, revealed that an affiliate associated with the BlackCat (aka ALPHV and Noberus) ransomware operation is targeting publicly exposed Veritas Backup Exec in

The Hacker News

April 9, 2023 – Vulnerabilities

Researchers disclose critical sandbox escape bug in vm2 sandbox library Full Text

Abstract The development team behind the vm2 JavaScript sandbox library addressed a critical Remote Code Execution vulnerability. The developers behind the vm2 JavaScript sandbox module have addressed a critical vulnerability, tracked as CVE-2023-29017 (CVSS...

Security Affairs

April 9, 2023 – Malware

Hackers Hide Backdoors Behind Malicious Self-Extracting Archives Full Text

Abstract Malicious actors are incorporating harmful features into self-extracting archives created with WinRAR, which contain benign decoy files. This tactic enables them to implant backdoors on the targeted system without arousing any suspicion. An apparently empty SFX archive file can be missed by technol ... Read More

Cyware

April 9, 2023 – General

Security Affairs newsletter Round 414 by Pierluigi Paganini – International edition Full Text

Abstract A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. CISA adds Veritas Backup Exec flaws to its Known Exploited Vulnerabilities catalog; Apple...

Security Affairs

April 9, 2023 – Phishing

New Scam Alerts Users About YouTube Altering Policy Full Text

Abstract A phishing scam has come to light that uses YouTube's genuine no-reply@youtube[.]com email address to trick users into revealing their login details. The phishing email contains a YouTube video and text informing users about YouTube's new monetization policy and new rules. Meanwhile, YouTu ... Read More

Cyware

April 9, 2023 – Criminals

Estonian National charged with helping Russia acquire U.S. hacking tools and electronics Full Text

Abstract Andrey Shevlyakov, an Estonian national, was charged in the US with conspiracy and other charges related to acquiring U.S.-made electronics on behalf of the Russian government and military. The Estonian man is accused of having helped the Russian...

Security Affairs

April 9, 2023 – Malware

CryptoClippy: New Clipper Malware That Targets Portuguese Users Full Text

Abstract Cybercriminals launched a malvertising campaign involving malware named CryptoClippy to pilfer cryptocurrency from users in Portugal. Discovered by Palo Alto Networks Unit 42, the campaign uses SEO poisoning techniques to push users looking for "WhatsApp web" to fake domains containing malicious so ... Read More

Cyware

April 9, 2023 – Malware

FusionCore - An Emerging Malware-as-a-Service Group in Europe Full Text

Abstract Active since November, FusionCore acts as a one-stop-shop for cybercriminals; it offers services such as malware-as-a-subscription, hacking for hire, and ransomware. It has rolled out a ransomware affiliate program as well called AnthraXXXLocker. Typhon Reborn is one example of the group's propriet ... Read More

Cyware

April 9, 2023 – General

Almost Every Organization Suffered a Cyberattack, Says Sophos Full Text

Abstract Over the last year, almost all organizations, at 94%, have faced some type of cyberattack. The survey data presented below is derived from responses provided by 3,000 cybersecurity and IT leaders from 14 countries and was collected between January and February.

Cyware

April 08, 2023 – Attack

Taiwanese PC Company MSI Falls Victim to Ransomware Attack Full Text

Abstract Taiwanese PC company MSI (short for Micro-Star International) officially confirmed it was the victim of a cyber attack on its systems. The company said it "promptly" initiated incident response and recovery measures after detecting "network anomalies." It also said it alerted law enforcement agencies of the matter. That said, MSI did not disclose any specifics about when the attack took place or whether it entailed the exfiltration of any proprietary information, including source code. "Currently, the affected systems have gradually resumed normal operations, with no significant impact on financial business," the company said in a brief notice shared on Friday. In a regulatory filing with the Taiwan Stock Exchange, it said that it's setting up enhanced controls of its network and infrastructure to ensure the security of data. MSI is further urging users to obtain firmware/BIOS updates only from its official website, and refrain from downloading

The Hacker News

April 8, 2023 – Government

CISA adds Veritas Backup Exec flaws to its Known Exploited Vulnerabilities catalog Full Text

Abstract US CISA has added Veritas Backup Exec flaws, which were exploited in ransomware attacks, to its Known Exploited Vulnerabilities catalog. U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the following five new issues to its Known...

Security Affairs

April 8, 2023 – Hacker

Google: North Korea-Linked Hackers Target Subject Experts and Think Tanks Full Text

Abstract Google’s TAG identified a new campaign by the North Korean ARCHIPELAGO threat cluster (aka APT43) targeting U.S. and South Korean governments, think tanks, military personnel, academics, policymakers, and researchers. Most notably, ARCHIPELAGO used fraudulent Google Chrome extensions in combination ... Read More

Cyware

April 8, 2023 – Attack

Color1337: Linux Cryptomining Attack Campaign Used uhQCCSpB Bot Full Text

Abstract The attackers use a bot called uhQCCSpB that installs and launches a Monero miner on the infected machine. After killing all other miners on the device, the attacker uses two different strategies to maximize access to the compromised Linux machine.

Cyware

April 8, 2023 – Vulnerabilities

Tesla Retail Tool Vulnerability Led to Account Takeover Full Text

Abstract The application allows both internal and external account logins and uses a JSON Web Token (JWT) for authentication that specifies an email address cleared for manually defined user accounts, security researcher Evan Connelly explains.

Cyware

April 08, 2023 – Attack

Iran-Based Hackers Caught Carrying Out Destructive Attacks Under Ransomware Guise Full Text

Abstract The Iranian nation-state group known as MuddyWater has been observed carrying out destructive attacks on hybrid environments under the guise of a ransomware operation. That's according to new findings from the Microsoft Threat Intelligence team, which discovered the threat actor targeting both on-premises and cloud infrastructures in partnership with another emerging activity cluster dubbed DEV-1084. "While the threat actors attempted to masquerade the activity as a standard ransomware campaign, the unrecoverable actions show destruction and disruption were the ultimate goals of the operation," the tech giant revealed Friday. MuddyWater is the name assigned to an Iran-based actor that the U.S. government has publicly connected to the country's Ministry of Intelligence and Security (MOIS). It's been known to be active since at least 2017. It's also tracked by the cybersecurity community under various names, including Boggy Serpens, Cobalt Ulster,

The Hacker News

April 8, 2023 – Attack

Belgium’s Herselt Municipality Hit by Cyberattack Full Text

Abstract The cyberattack was detected on Friday evening (07-04-2023), and security measures were immediately heightened. Currently, experts are combing through the municipality’s servers to determine whether any sensitive information has been accessed.

Cyware

April 08, 2023 – Vulnerabilities

Apple Releases Updates to Address Zero-Day Flaws in iOS, iPadOS, macOS, and Safari Full Text

Abstract Apple on Friday released security updates for iOS, iPadOS, macOS, and the Safari web browser to address a pair of zero-day flaws that are being exploited in the wild. The two vulnerabilities are as follows: CVE-2023-28205 - A use after free issue in WebKit that could lead to arbitrary code execution when processing specially crafted web content; CVE-2023-28206 - An out-of-bounds write issue in IOSurfaceAccelerator that could enable an app to execute arbitrary code with kernel privileges. Apple said it addressed CVE-2023-28205 with improved memory management and the second with better input validation, adding it's aware the bugs "may have been actively exploited." Credited with discovering and reporting the flaws are Clément Lecigne of Google's Threat Analysis Group (TAG) and Donncha Ó Cearbhaill of Amnesty International's Security Lab. Details about the two vulnerabilities have been withheld in light of active exploitation and to prevent more

The Hacker News

April 08, 2023 – Vulnerabilities

Researchers Discover Critical Remote Code Execution Flaw in vm2 Sandbox Library Full Text

Abstract The maintainers of the vm2 JavaScript sandbox module have shipped a patch to address a critical flaw that could be abused to break out of security boundaries and execute arbitrary shellcode. The flaw, which affects all versions up to and including 3.9.14, was reported by researchers from South Korea-based KAIST WSP Lab on April 6, 2023, prompting vm2 to release a fix with version 3.9.15 on Friday. "A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox," vm2 disclosed in an advisory. The vulnerability has been assigned the identifier CVE-2023-29017 and is rated 9.8 on the CVSS scoring system. The issue stems from the fact that the sandbox does not properly handle errors that occur in asynchronous functions. vm2 is a popular library that's used to run untrusted code in an isolated environment on Node.js. It has nearly four million weekly downloads and is used in 721 packages. KAIST security res

The Hacker News

April 7, 2023 – Vulnerabilities

Apple addressed two actively exploited zero-day flaws Full Text

Abstract Apple released emergency security updates to address two actively exploited zero-day vulnerabilities impacting iPhones, Macs, and iPads. Apple has released emergency security updates to address two actively exploited zero-day vulnerabilities, tracked...

Security Affairs

April 7, 2023 – Breach

MSI confirms security breach after Money Message ransomware attack Full Text

Abstract Multinational IT corporation MSI (Micro-Star International) confirms a security breach after the Money Message ransomware gang claimed the hack. This week the ransomware gang Money Message announced that it had hacked the Taiwanese multinational IT corporation...

Security Affairs

April 7, 2023 – Malware

Typhon Reborn V2 Enhances Evasion Capabilities Full Text

Abstract Crypto miner/stealer for hire Typhon Stealer has received a new update, Cisco Talos disclosed. The new variant boasts enhanced anti-analysis techniques, as well as other stealing and file-grabber features. The malware leverages Telegram’s API and infrastructure to exfiltrate all stolen data.

Cyware

April 7, 2023 – Criminals

Microsoft aims at stopping cybercriminals from using cracked copies of Cobalt Strike Full Text

Abstract Microsoft announced it has taken legal action to disrupt the illegal use of copies of the post-exploitation tool Cobalt Strike by cybercriminals. Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named...

Security Affairs

April 7, 2023 – Breach

Adobe Reset User Passwords as Precaution Against Data Breach Risks Full Text

Abstract The email states that Adobe has reset the password for the account associated with the users’ Adobe ID, as it may have been compromised in data breaches from other online services.

Cyware

April 07, 2023 – Phishing

Researchers Uncover Thriving Phishing Kit Market on Telegram Channels Full Text

Abstract In yet another sign that Telegram is increasingly becoming a thriving hub for cybercrime, researchers have found that threat actors are using the messaging platform to peddle phishing kits and help set up phishing campaigns. "To promote their 'goods,' phishers create Telegram channels through which they educate their audience about phishing and entertain subscribers with polls like, 'What type of personal data do you prefer?'," Kaspersky web content analyst Olga Svistunova said in a report published this week. The links to these Telegram channels are distributed via YouTube, GitHub, and the phishing kits that are developed by the crooks themselves. The Russian cybersecurity firm said it detected over 2.5 million malicious URLs generated using phishing kits in the past six months. One of the prominent services offered is to provide threat actors with Telegram bots that automate the process of generating phishing pages and collecting user data. Although

The Hacker News

April 7, 2023 – Vulnerabilities

Sophos Patches Critical Code Execution Vulnerability in Web Security Appliance Full Text

Abstract The critical issue, tracked as CVE-2023-1671 (CVSS score of 9.8), was identified in the warning page handler of the appliance and it could be exploited without authentication.

Cyware

April 07, 2023 – Policy and Law

Microsoft Takes Legal Action to Disrupt Cybercriminals’ Illegal Use of Cobalt Strike Tool Full Text

Abstract Microsoft said it teamed up with Fortra and the Health Information Sharing and Analysis Center (Health-ISAC) to tackle the abuse of Cobalt Strike by cybercriminals to distribute malware, including ransomware. To that end, the tech giant's Digital Crimes Unit (DCU) revealed that it secured a court order in the U.S. to "remove illegal, legacy copies of Cobalt Strike so they can no longer be used by cybercriminals." While Cobalt Strike, developed and maintained by Fortra (formerly HelpSystems), is a legitimate post-exploitation tool used for adversary simulation, illegal cracked versions of the software have been weaponized by threat actors over the years. Ransomware groups, in particular, have leveraged Cobalt Strike after obtaining initial access to a target environment to escalate privileges, move laterally across the network, and deploy file-encrypting malware. "The ransomware families associated with or deployed by cracked copies of Cobalt Strike have been link

The Hacker News

April 7, 2023 – Breach

Hackers leak info on 16,000 Aussie school kids Full Text

Abstract Hackers have released 16,000 Tasmanian education department documents on the dark web including school children’s personal information, the state government has confirmed.

Cyware

April 07, 2023 – General

Are Source Code Leaks the New Threat Software vendors Should Care About? Full Text

Abstract Less than a month ago, Twitter indirectly acknowledged that some of its source code had been leaked on the code-sharing platform GitHub by sending a copyright infringement notice to take down the offending repository. The latter is now inaccessible, but according to the media, it was accessible to the public for several months. A user going by the name FreeSpeechEnthousiast committed thousands of documents belonging to the social media platform over several months. While there is no concrete evidence to support this hypothesis, the timing of the leak and the ironic username used by the perpetrator suggest that the leak was a deliberate act aimed at causing harm to the company. Although it is still too early to measure the impact of this leak on the health of Twitter, this incident should be an opportunity for all software vendors to ask a simple question: what if this happened to us? Protecting sensitive information in the software industry is becoming increasingly critical as

The Hacker News

April 7, 2023 – Vulnerabilities

Default static key in ThingsBoard IoT platform can give attackers admin access Full Text

Abstract The flaw was fixed in ThingsBoard version 3.4.2 by generating a random key for every new installation or upgrade to version 3.4.2 or later. If admins can't upgrade immediately, they can manually change the default signing key for older versions.

Cyware
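The ThingsBoard item above turns on one property of JSON Web Tokens: whoever knows the HMAC signing key can mint a token with any claims, so a key shared by every installation is a master password. The block below is an added example, not ThingsBoard code. It implements HS256 signing and verification from the standard library, shows a forged administrator token being accepted under a shared key and rejected once the key is rotated to a random per-installation value, and provides the check a defender wants: does a token issued by my instance validate under a key an attacker could know? DEMO_DEFAULT_KEY is a placeholder assumption, not the real ThingsBoard default, and the claim names are illustrative.

```python
"""Added example (not ThingsBoard's code): static JWT signing key == master password.
DEMO_DEFAULT_KEY is an assumed placeholder, not the vendor's real default."""
import base64
import hashlib
import hmac
import json
import secrets

DEMO_DEFAULT_KEY = "placeholder-static-signing-key"  # assumption for the demo only


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: str) -> str:
    """Produce a JWT signed with HMAC-SHA256. Anyone holding `key` can do this,
    which is exactly the problem with a default shared across installations."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_hs256(token: str, key: str):
    """Return the claims if `token` is a valid HS256 JWT under `key`, else None.
    Any other `alg` is rejected so a token cannot be downgraded to 'none'."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key.encode(), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):  # constant-time compare
            return None
        return json.loads(_b64url_decode(p64))
    except (ValueError, json.JSONDecodeError):
        return None


def signed_with_candidate_key(token: str, candidate_key: str) -> bool:
    """Defender's check: take a token issued by your own instance and see whether
    it validates under a key that is public knowledge. True means rotate now."""
    return verify_hs256(token, candidate_key) is not None


def demo() -> dict:
    # The attacker never authenticated; knowing the static key is enough to forge
    # an administrator token (claim names here are illustrative, not ThingsBoard's).
    forged = mint_hs256({"sub": "admin@example.com", "scopes": ["SYS_ADMIN"]}, DEMO_DEFAULT_KEY)
    accepted_before = verify_hs256(forged, DEMO_DEFAULT_KEY) is not None
    # The fix the item describes: a random key per installation.
    rotated_key = secrets.token_urlsafe(32)
    accepted_after = verify_hs256(forged, rotated_key) is not None
    return {"before": accepted_before, "after": accepted_after}


if __name__ == "__main__":
    print(demo())  # {'before': True, 'after': False}
```

To run the check against a real deployment, log in normally, take the issued bearer token, and pass it to `signed_with_candidate_key` together with the vendor's published default; a True result means the instance was never re-keyed and any previously issued tokens should be treated as compromised after rotation.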

April 07, 2023 – Government

CISA Warns of Critical ICS Flaws in Hitachi, mySCADA, ICL, and Nexx Products Full Text

Abstract The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published eight Industrial Control Systems (ICS) advisories warning of critical flaws affecting products from Hitachi Energy, mySCADA Technologies, Industrial Control Links, and Nexx. Topping the list is CVE-2022-3682 (CVSS score: 9.9), impacting Hitachi Energy's MicroSCADA System Data Manager SDM600 that could allow an attacker to take remote control of the product. The flaw stems from an issue with file permission validation, thereby permitting an adversary to upload a specially crafted message to the system, leading to arbitrary code execution. Hitachi Energy has released SDM600 1.3.0.1339 to mitigate the issue for SDM600 versions prior to version 1.2 FP3 HF4 (Build Nr. 1.2.23000.291). Another set of five critical vulnerabilities – CVE-2023-28400, CVE-2023-28716, CVE-2023-28384, CVE-2023-29169, and CVE-2023-29150 (CVSS scores: 9.9) – relate to command injection bugs present in mySCADA my

The Hacker News

April 7, 2023 – Denial Of Service

Pro-Russia Hacker Group Launches DDoS Attacks Against Finnish Parliament, Technical Research Center Full Text

Abstract NoName057(16) reportedly claimed it was behind DoS attacks against the Finnish parliament’s website on Tuesday, the day the country joined NATO. The country’s Technical Research Centre of Finland was also hacked, according to Finnish news site, YLE.

Cyware

April 6, 2023 – Malware

BatLoader Malware Dropper Continues to Pose a Threat to Organizations in 2023 Full Text

Abstract BatLoader can modify the Windows UAC prompt, disable Windows Defender notifications, disable Task Manager, prevent users from accessing Windows registry tools, disable the Run command, and modify the display timeout.

Cyware

April 06, 2023 – Education

Supply Chain Attacks and Critical Infrastructure: How CISA Helps Secure a Nation’s Crown Jewels Full Text

Abstract Critical infrastructure attacks are a preferred target for cyber criminals. Here's why and what's being done to protect them. What is Critical Infrastructure and Why is It Attacked? Critical infrastructure is the physical and digital assets, systems and networks that are vital to national security, the economy, public health, or safety. It can be government- or privately-owned. According to Etay Maor, Senior Director Security Strategy at Cato Networks, "It's interesting to note critical infrastructure doesn't necessarily have to be power plants or electricity. A nation's monetary system or even a global monetary system can be and should be considered a critical infrastructure as well." These qualities make critical infrastructure a preferred target for cyber attacks. If critical infrastructure is disrupted, the impact is significant. In some cases, such cyber attacks on critical infrastructure have become another means of modern warfare. But unlike

The Hacker News

April 6, 2023 – Phishing

Phishers migrate to Telegram Full Text

Abstract Experts warn that Telegram is becoming a preferred platform for phishers, who use it to automate their activities and to provide various services. Kaspersky researchers have published an analysis of phishers’ Telegram channels used to promote...

Security Affairs

April 6, 2023 – Breach

OCR Labs Exposes Sensitive Credentials Due to Misconfiguration of its Systems Full Text

Abstract The data leak affected QBANK, Defence Bank, Bloom Money, Admiral Money, MA Money, and Reed. Using leaked data, threat actors could potentially breach banks’ backend infrastructure and consequently the infrastructure of their clients.

Cyware

April 06, 2023 – Criminals

FBI Cracks Down on Genesis Market: 119 Arrested in Cybercrime Crackdown Full Text

Abstract A coordinated international law enforcement operation has dismantled Genesis Market, an illegal online marketplace that specialized in the sale of stolen credentials associated with email, bank accounts, and social media platforms. Coinciding with the infrastructure seizure, the major crackdown, which involved authorities from 17 countries, culminated in 119 arrests and 208 property searches in 13 nations. However, the .onion mirror of the market appears to be still up and running. The "unprecedented" law enforcement exercise has been codenamed Operation Cookie Monster. Genesis Market, since its inception in March 2018, evolved into a major hub for criminal activities, offering access to data stolen from over 1.5 million compromised computers across the world totaling more than 80 million credentials. A majority of infections associated with Genesis Market related malware have been detected in the U.S., Mexico, Germany, Turkey, Sweden, Italy, France, Spain, Po

The Hacker News

April 6, 2023 – Attack

Money Message ransomware group claims to have hacked IT giant MSI Full Text

Abstract Ransomware gang Money Message claims to have hacked the Taiwanese multinational IT corporation MSI (Micro-Star International). Ransomware gang Money Message announced that it had hacked the Taiwanese multinational IT corporation MSI (Micro-Star International)....

Security Affairs

April 6, 2023 – Criminals

FBI Says it Obtained Details on 59,000 Users of Hacking Site Genesis Market Full Text

Abstract A US official says the server copies include information about approximately 59,000 individual user accounts, such as usernames, passwords, email accounts, and secure messenger accounts, in addition to a history of user activity.

Cyware

April 06, 2023 – General

Google Mandates Android Apps to Offer Easy Account Deletion In-App and Online Full Text

Abstract Google is enacting a new data deletion policy requiring Android apps that allow account creation to also offer users a setting to delete their accounts, in an attempt to provide more transparency and control over their data. "For apps that enable app account creation, developers will soon need to provide an option to initiate account and data deletion from within the app and online," Bethel Otuteye, senior director of product management for Android App Safety, said. "This web requirement, which you will link in your Data safety form, is especially important so that a user can request account and data deletion without having to reinstall an app." The goal, the search behemoth said, is to have a "readily discoverable option" to initiate an app account deletion process from both within an app and outside of it. To that end, developers are to provide users with an in-app path as well as a web link resource to request app account deletion and associated

The Hacker News

April 6, 2023 – Breach

OCR Labs exposes its systems, jeopardizing major banking clients Full Text

Abstract A digital identification tool provided by OCR Labs to major banks and government agencies leaked sensitive credentials, putting clients at severe risk. London-based OCR Labs is a major provider of digital ID verification tools. Its services are used...

Security Affairs

April 6, 2023 – Phishing

Beware of New YouTube Phishing Scam Using Authentic Email Address Full Text

Abstract The phishing email content is similar to those seen in previous phishing scams, containing a YouTube video and a message informing users about YouTube’s new monetization policy and new rules.

Cyware

April 6, 2023 – General

Threat Report Portugal: Q3 & Q4 2022 Full Text

Abstract The Threat Report Portugal: H2 2022 compiles data collected on the malicious campaigns that occurred from July to December, H2, 2022. The Portuguese Abuse Open Feed 0xSI_f33d is an open-sharing database with the ability to collect indicators...

Security Affairs

April 6, 2023 – General

Cyberattacks hit almost all companies last year, Sophos says Full Text

Abstract Cyberattacks aren’t a roll of the dice for organizations, but rather a near certainty. Almost all organizations, 94%, experienced a cyberattack of some form during the last year, according to research Sophos released Tuesday.

Cyware

April 6, 2023 – APT

Analyzing attacks conducted by North Korea-linked ARCHIPELAGO APT group Full Text

Abstract Google's Threat Analysis Group (TAG) warns of a North Korea-linked cyberespionage group tracked as ARCHIPELAGO. Google's Threat Analysis Group (TAG) is warning of the North Korea-linked ARCHIPELAGO group that is targeting government and military personnel,...

Security Affairs

April 6, 2023 – Vulnerabilities

Researchers Uncover Method to Steal Cars Using Vehicle CAN Bus Full Text

Abstract Automotive security experts say they have uncovered a method of car theft relying on direct access to the vehicle's Controller Area Network (CAN) bus via a smart headlamp's wiring.

Cyware

April 6, 2023 – Attack

Update: 3CX makes progress in restoring Windows app from state-linked supply chain attack Full Text

Abstract The business communications company restored its Windows Electron app, making progress in its ongoing recovery from a recent supply chain attack, CEO Nick Galea said in a forum post on Tuesday.

Cyware

April 6, 2023 – Vulnerabilities

Vulnerabilities in popular Japanese word processing software could lead to arbitrary code execution, other issues Full Text

Abstract Cisco Talos recently discovered four vulnerabilities in Ichitaro, a popular word processing software in Japan produced by JustSystems that could lead to arbitrary code execution.

Cyware

April 6, 2023 – Outage

UK Criminal Records Office’s Customer Portal Offline Amid Cybersecurity Incident Full Text

Abstract As the name implies, the government agency manages people's criminal record information, running checks as needed on individuals for any convictions, cautions, or ongoing prosecutions.

Cyware

April 5, 2023 – Attack

New Proxyjacking Attack Exploits Log4j for Initial Access Full Text

Abstract Researchers at Sysdig highlight that the new Proxyjacking attack, which is much like cryptojacking, is abusing the infamous Log4j vulnerability to gain initial access to victims’ systems. On a broader scale, researchers note that a modest compromise of 100 IPs can enable attackers to make a profit ... Read More

Cyware

April 05, 2023 – Malware

CryptoClippy: New Clipper Malware Targeting Portuguese Cryptocurrency Users Full Text

Abstract Portuguese users are being targeted by a new malware codenamed CryptoClippy that's capable of stealing cryptocurrency as part of a malvertising campaign. The activity leverages SEO poisoning techniques to entice users searching for "WhatsApp web" to rogue domains hosting the malware, Palo Alto Networks Unit 42 said in a new report published today. CryptoClippy, a C-based executable, is a type of cryware known as clipper malware that monitors a victim's clipboard for content matching cryptocurrency addresses and substitutes them with a wallet address under the threat actor's control. "The clipper malware uses regular expressions (regexes) to identify what type of cryptocurrency the address pertains to," Unit 42 researchers said. "It then replaces the clipboard entry with a visually similar but adversary-controlled wallet address for the appropriate cryptocurrency. Later, when the victim pastes the address from the clipboard to condu

The Hacker News
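The CryptoClippy item describes a mechanism, not just a campaign: match clipboard text against per-coin regexes, then replace it with a look-alike address of the same coin. The block below is an added example written for this page, not Unit 42's analysis code or anything from the malware. It models the substitution step so the detection logic has something to run against, and implements the detection a practitioner would want on an endpoint: remember what the user actually copied and alert when the clipboard later holds a different address of the same coin that the user never copied. The regexes are mine and only approximate address shapes (no checksum validation); the sample addresses are constructed (the Bitcoin genesis address plus fabricated look-alikes).

```python
"""Added example (not Unit 42's or CryptoClippy's code): clipper behaviour and a
clipboard watchdog that catches it. Regexes approximate address shapes only."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Shape-only patterns (assumption: legacy/P2SH and bech32 Bitcoin plus hex
# Ethereum are enough for the demo). No checksum validation is performed.
ADDRESS_PATTERNS = {
    "BTC": re.compile(
        r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87})$"
    ),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the coin whose address shape `text` matches, or None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


def simulate_clipper(content: str, attacker_wallets: dict) -> str:
    """What the malware does on each poll: classify, then swap in its own
    wallet for that coin. Non-address content is left untouched."""
    coin = classify_address(content)
    return attacker_wallets.get(coin, content)


@dataclass
class ClipboardWatch:
    """Defender side. Records what the user actually copied (e.g. from a copy
    hotkey hook) and compares it with what the clipboard holds on each poll.
    A clipper keeps the coin type and changes only the address, so a same-coin
    change the user did not make is the signal."""
    last_user_copy: Optional[str] = None
    alerts: list = field(default_factory=list)

    def user_copied(self, content: str) -> None:
        self.last_user_copy = content.strip()

    def observe(self, content: str) -> Optional[dict]:
        """Call on each clipboard poll. Returns an alert dict if a swap is seen."""
        content = content.strip()
        if self.last_user_copy is None or content == self.last_user_copy:
            return None
        original_coin = classify_address(self.last_user_copy)
        if original_coin is None or classify_address(content) != original_coin:
            return None  # the user copied something else, or it was never an address
        alert = {"coin": original_coin, "copied": self.last_user_copy, "now": content}
        self.alerts.append(alert)
        return alert


def run_demo() -> list:
    # Constructed sample data: genesis-block address and an all-0x12 ETH address
    # as the victim's payees; attacker look-alikes differ in the last character.
    victim_btc = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
    victim_eth = "0x" + "12" * 20
    attacker_wallets = {
        "BTC": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb",
        "ETH": "0x" + "12" * 19 + "ff",
    }
    watch = ClipboardWatch()
    for copied in ("meeting notes", victim_btc, victim_eth):
        watch.user_copied(copied)                          # user presses Ctrl+C
        watch.observe(simulate_clipper(copied, attacker_wallets))  # clipper runs, watchdog polls
    return watch.alerts


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a['coin']} address swapped: {a['copied']} -> {a['now']}")
```

The "meeting notes" copy produces no alert because neither side classifies it as an address; the two payee addresses each produce one. In a real deployment the `user_copied` hook is the hard part (it must come from an event the malware cannot forge, such as a keyboard hook or clipboard-owner check), which is why the page's advice to verify the pasted address against the intended one remains the user-level control.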

April 5, 2023 – General

Civilianization of Digital Operations: A Risky Trend Full Text

Abstract The growing involvement of civilians in activities on the digital battlefield puts individuals at risk of harm and contributes to the erosion of the principle of distinction, an edifice on which the rest of the law applicable in armed conflicts is built.

Lawfare

April 5, 2023 – Government

U.K. National Cyber Force, Responsible Cyber Power, and Cyber Persistence Theory Full Text

Abstract The U.K. National Cyber Force’s operating document offers a framework for responsible cyber behavior in the highly contested cyber strategic environment and further validates cyber persistence theory.

Lawfare

April 5, 2023 – Vulnerabilities

Nexx bugs allow to open garage doors, and take control of alarms and plugs Full Text

Abstract A series of vulnerabilities in multiple smart devices manufactured by Nexx can be exploited to remotely open garage doors, and take control of alarms and plugs. In late 2022, the researcher Sam Sabetan discovered a series of critical vulnerabilities...

Security Affairs

April 5, 2023 – Ransomware

Rorschach - New Ransomware with Highest-Ever Encryption Speed Full Text

Abstract A new ransomware strain, named Rorschach, was unveiled by Check Point Research. The ransomware boasts an advanced level of customization and fast encryption, which sets it apart from other strains. Furthermore, an in-depth examination of Rorschach's source code indicates similarities with the Babuk ... Read More

Cyware

April 05, 2023 – Hacker

Hackers Using Self-Extracting Archives Exploit for Stealthy Backdoor Attacks Full Text

Abstract An unknown threat actor used a malicious self-extracting archive (SFX) file in an attempt to establish persistent backdoor access to a victim's environment, new findings from CrowdStrike show. SFX files are capable of extracting the data contained within them without the need for dedicated software to display the file contents. They achieve this by including a decompressor stub, a piece of code that's executed to unpack the archive. "However, SFX archive files can also contain hidden malicious functionality that may not be immediately visible to the file's recipient, and could be missed by technology-based detections alone," CrowdStrike researcher Jai Minton said. In the case investigated by the cybersecurity firm, compromised credentials to a system were used to run a legitimate Windows accessibility application called Utility Manager (utilman.exe) and subsequently launch a password-protected SFX file. This, in turn, is made possible by configuring a de

The Hacker News
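The detection point in the SFX item is the process lineage: utilman.exe is a Windows accessibility helper that should only ever hand off to other accessibility binaries, so utilman.exe launching an archive stub is the observable. The block below is an added example, not CrowdStrike's detection content. It parses Sysmon-style process-creation events (the log lines are constructed for the demo) and flags any accessibility binary that spawns a child outside a small expected set. The set of accessibility binaries and the expected-children allow-list are my assumptions and should be tuned per environment.

```python
"""Added example (not CrowdStrike's code): process-lineage check for
accessibility-binary abuse. Sample events are constructed, Sysmon Event ID 1 style."""
import re
from pathlib import PureWindowsPath

# Windows accessibility helpers launched from the logon screen (assumed set).
ACCESSIBILITY_BINARIES = {
    "utilman.exe", "sethc.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}
# Assumption for the demo: these are the only children utilman legitimately starts.
EXPECTED_CHILDREN = {"osk.exe", "narrator.exe", "magnify.exe", "atbroker.exe"}

# Key=value or Key="quoted value" pairs.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Turn one flattened event line into a dict of its fields."""
    # re.findall yields '' (not None) for the alternative that did not match.
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_event(ev: dict):
    """Return a finding string for one process-creation event, or None."""
    parent = basename(ev.get("ParentImage", ""))
    child = basename(ev.get("Image", ""))
    if parent in ACCESSIBILITY_BINARIES and child not in EXPECTED_CHILDREN:
        return (f"{parent} spawned unexpected child {child} "
                f"({ev.get('Image', '')}) cmd={ev.get('CommandLine', '')!r}")
    return None


def scan(lines) -> list:
    """Run the check over an iterable of event lines and return the findings."""
    return [finding for finding in (check_event(parse_event(l)) for l in lines) if finding]


# Constructed sample log: normal logon-screen activity, one benign hand-off,
# and the pattern from the item (utilman launching a stub from a user path).
SAMPLE_LOG = [
    r'EventID=1 ParentImage="C:\Windows\System32\winlogon.exe" Image="C:\Windows\System32\utilman.exe" CommandLine="utilman.exe"',
    r'EventID=1 ParentImage="C:\Windows\System32\utilman.exe" Image="C:\Windows\System32\osk.exe" CommandLine="osk.exe"',
    r'EventID=1 ParentImage="C:\Windows\System32\utilman.exe" Image="C:\Users\Public\update.exe" CommandLine="update.exe"',
    r'EventID=1 ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe"',
]


def run_demo() -> list:
    return scan(SAMPLE_LOG)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Only the third line fires; winlogon starting utilman and utilman starting the on-screen keyboard are both normal. Because the check keys on the parent image rather than on the child's name or hash, it survives the attacker renaming the archive, which is the property you want against a password-protected SFX that static scanners cannot open.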

April 5, 2023 – Breach

Tax preparation and e-file service eFile.com compromised to serve malware Full Text

Abstract The eFile.com online service, which is authorized by the US Internal Revenue Service (IRS), was spotted serving malware to visitors. eFile.com, the personal online tax preparation and e-file service authorized by the US Internal Revenue...

Security Affairs

April 5, 2023 – Attack

Exploited Elementor Pro Plugin Under Attack; Affects Over 11 Million Sites Full Text

Abstract A security vulnerability in the Elementor Pro website builder plugin for WordPress is under active exploitation by a threat actor. An authenticated user can take advantage of this to take full control over a WordPress site having WooCommerce enabled. The bug in the plugin, roughly deployed on over ... Read More

Cyware

April 05, 2023 – Attack

Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks Full Text

Abstract A North Korean government-backed threat actor has been linked to attacks targeting government and military personnel, think tanks, policy makers, academics, and researchers in South Korea and the U.S. Google's Threat Analysis Group (TAG) is tracking the cluster under the name ARCHIPELAGO, which it said is a subset of another threat group tracked by Mandiant under the name APT43. The tech giant said it began monitoring the hacking crew in 2012, adding it has "observed the group target individuals with expertise in North Korea policy issues such as sanctions, human rights, and non-proliferation issues." The priorities of APT43, and by extension ARCHIPELAGO, are said to align with North Korea's Reconnaissance General Bureau (RGB), the primary foreign intelligence service, suggesting overlaps with a group broadly known as Kimsuky. Attack chains mounted by ARCHIPELAGO involve the use of phishing emails containing malicious links that, when clicked by the reci

The Hacker News

April 5, 2023 – Vulnerabilities

HP would take up to 90 days to fix a critical bug in some business-grade printers Full Text

Abstract HP would take up to 90 days to address a critical flaw, tracked as CVE-2023-1707, that resides in the firmware of some business-grade printers. HP is aware of a critical vulnerability, tracked as CVE-2023-1707 (CVSS v3.1 score 9.1), that affects tens...

Security Affairs

April 5, 2023 – Hacker

Hackers can Remotely Open Smart Garage Doors Across the World Full Text

Abstract A security researcher found a series of vulnerabilities with the Nexx brand of smart garage openers. He says he could remotely find garages to target, and then open them across the internet.

Cyware

April 05, 2023 – Education

Protect Your Company: Ransomware Prevention Made Easy Full Text

Abstract Every year hundreds of millions of malware attacks occur worldwide, and every year businesses deal with the impact of viruses, worms, keyloggers, and ransomware. Malware is a pernicious threat and the biggest driver for businesses to look for cybersecurity solutions. Naturally, businesses want to find products that will stop malware in its tracks, and so they search for solutions to do that. But malware protection alone is not enough; instead what's needed is a more holistic approach. Businesses need to defend against malware entering the network, and then on top of that have systems and processes in place to restrict the damage that malware can do if it infects a user device. This approach will not only help stop and mitigate the damage from malware, but defend against other types of threats too, such as credential theft as a result of phishing, insider threats, and supply-chain attacks. Element 1: Malware Protection and Web Filtering The first and most sensible place to

The Hacker News

April 5, 2023 – Government

CISA JCDC Will Focus on Energy Sector Full Text

Abstract CISA's Joint Cyber Defense Collaborative (JCDC) initiative is going to build operational plans for protecting against and responding to cyber threats. What comes to mind when you think of cyber criminals? Depending on who you ask, you’ll get a variety of answers....

Security Affairs

April 5, 2023 – Breach

Florida Hospital Begins Breach Notification Post-Attack Full Text

Abstract Tallahassee Memorial HealthCare says its investigation into the February incident determined that an "unauthorized person" had gained access to its computer network and obtained certain files from its systems between January 26 and February 2.

Cyware

April 05, 2023 – Malware

Typhon Reborn Stealer Malware Resurfaces with Advanced Evasion Techniques Full Text

Abstract The threat actor behind the information-stealing malware known as Typhon Reborn has resurfaced with an updated version (V2) that packs in improved capabilities to evade detection and resist analysis. The new version is offered for sale on the criminal underground for $59 per month, $360 per year, or alternatively, for $540 for a lifetime subscription. "The stealer can harvest and exfiltrate sensitive information and uses the Telegram API to send stolen data to attackers," Cisco Talos researcher Edmund Brumaghin said in a Tuesday report. Typhon was first documented by Cyble in August 2022, detailing its myriad features, including hijacking clipboard content, capturing screenshots, logging keystrokes, and stealing data from crypto wallet, messaging, FTP, VPN, browser, and gaming apps. Based on another stealer malware called Prynt Stealer, Typhon is also capable of delivering the XMRig cryptocurrency miner. In November 2022, Palo Alto Networks Unit 42 unearthed an

The Hacker News

April 5, 2023 – Criminals

Law enforcement seized the Genesis Market cybercrime marketplace Full Text

Abstract Law enforcement seized the Genesis Market black marketplace, a platform focused on the sale of stolen credentials, as part of Operation Cookie Monster. The FBI seized the Genesis Market, a black marketplace for stolen credentials that was launched...

Security Affairs

April 5, 2023 – Criminals

STYX Marketplace emerged in Dark Web focused on Financial Fraud Full Text

Abstract The STYX marketplace was launched at the beginning of 2023. This discovery illustrates the post-pandemic menace of cyber-enabled financial crime and the threat it poses to financial institutions and their customers.

Cyware

April 5, 2023 – General

STYX Marketplace emerged in Dark Web focused on Financial Fraud Full Text

Abstract Resecurity has recently identified the STYX Marketplace, a new cybercriminal e-commerce platform with a specialized focus on financial fraud and money laundering. The STYX marketplace was launched at the beginning of 2023. This platform is specifically...

Security Affairs

April 5, 2023 – Policy and Law

Notorious Genesis Market cybercrime forum seized in international law enforcement operation Full Text

Abstract The FBI-led effort known as “Operation Cookie Monster” took down a notorious cybercrime marketplace known for selling compromised credentials and biometric data for digital fraudsters to carry out attacks or commit identity theft.

Cyware

April 5, 2023 – Breach

Australia: TAFE data breach uncovered by SA Police Full Text

Abstract TAFE South Australia has revealed a data breach that was discovered when SA Police seized “devices containing electronic scanned copies of TAFE SA student identification forms”.

Cyware

April 5, 2023 – Privacy

Alcohol Recovery Startups Monument and Tempest Shared Patients’ Private Data With Advertisers Full Text

Abstract In its disclosure, the companies confirmed their use of website trackers, which are small snippets of code that share with tech giants information about visitors to their websites and are often used for analytics and advertising.

Cyware

April 4, 2023 – Policy and Law

Britain’s data watchdog fines TikTok $15.9 million for alleged misuse of children’s data Full Text

Abstract The ICO estimated the app allowed up to 1.4 million U.K. children under 13 to use the platform in 2020. The regulator accused TikTok of failing to take the necessary steps to verify user identity and remove children under 13 from the platform.

Cyware

April 04, 2023 – General

Sorting Through Haystacks to Find CTI Needles Full Text

Abstract Clouded vision. CTI systems are confronted with some major issues ranging from the size of the collection networks to their diversity, which ultimately influence the degree of confidence they can put on their signals. Are they fresh enough and sufficiently reliable to avoid any false positives or any poisoning? Do I risk acting on outdated data? This difference is major since a piece of information is just a decision helper, whereas a piece of actionable information can directly be weaponized against an aggressor. If raw data are the hayfields, information is the haystacks, and needles are the actionable signal. To illustrate the collection networks' size & variety point, without naming anyone in particular, let's imagine a large CDN provider. Your role is to deliver, on a massive scale, content over HTTP(s). This attracts a lot of "attention" and signals, but only on the HTTP layer. Also, any smart attacker will probably avoid probing your IP ranges (which are

The Hacker News

April 4, 2023 – Criminals

ALPHV/BlackCat ransomware affiliate targets Veritas Backup solution bugs Full Text

Abstract An ALPHV/BlackCat ransomware affiliate was spotted exploiting vulnerabilities in the Veritas Backup solution. An affiliate of the ALPHV/BlackCat ransomware gang, tracked as UNC4466, was observed exploiting three vulnerabilities in the Veritas Backup...

Security Affairs

April 4, 2023 – Government

Zimbra Flaw Exploited by Russia Against NATO Countries Added to CISA ‘Must Patch’ List Full Text

Abstract Because of this issue, an endpoint URL may accept parameters without sanitization, which could allow an unauthenticated attacker to provide crafted request parameters leading to the execution of arbitrary web scripts or HTML code.

Cyware

April 04, 2023 – Ransomware

Rorschach Ransomware Emerges: Experts Warn of Advanced Evasion Strategies Full Text

Abstract Cybersecurity researchers have taken the wraps off a previously undocumented ransomware strain called Rorschach that's both sophisticated and fast. "What makes Rorschach stand out from other ransomware strains is its high level of customization and its technically unique features that have not been seen before in ransomware," Check Point Research said in a new report. "In fact, Rorschach is one of the fastest ransomware strains ever observed, in terms of the speed of its encryption." The cybersecurity firm said it observed the ransomware deployed against an unnamed U.S.-based company, adding it found no branding or overlaps that connect it to any previously known ransomware actors. However, further analysis of Rorschach's source code reveals similarities to Babuk ransomware, which suffered a leak in September 2021, and LockBit 2.0. On top of that, the ransom notes sent out to the victims appear to be inspired by those of Yanluowang and DarkSi

The Hacker News

April 4, 2023 – Ransomware

Rorschach ransomware has the fastest file-encrypting routine to date Full Text

Abstract A new ransomware strain named Rorschach ransomware supports the fastest file-encrypting routine observed to date. Check Point Research (CPR) and Check Point Incident Response Team (CPIRT) researchers detected a previously unknown ransomware strain,...

Security Affairs

April 4, 2023 – Business

Cybereason Raises $100 Million, Appoints New CEO Full Text

Abstract The new funding, Cybereason says, will help it advance its XDR, EDR, and EPP solutions and support global growth. In addition to the investment, Cybereason also announced that SoftBank’s executive vice president, Eric Gan, will become its new CEO.

Cyware

April 04, 2023 – Malware

New Rilide Malware Targeting Chromium-Based Browsers to Steal Cryptocurrency Full Text

Abstract Chromium-based web browsers are the target of a new malware called Rilide that masquerades as a seemingly legitimate extension to harvest sensitive data and siphon cryptocurrency. "Rilide malware is disguised as a legitimate Google Drive extension and enables threat actors to carry out a broad spectrum of malicious activities, including monitoring browsing history, taking screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges," Trustwave SpiderLabs Research said in a report shared with The Hacker News. What's more, the stealer malware can display forged dialogs to deceive users into entering a two-factor authentication code to withdraw digital assets. Trustwave said it identified two different campaigns involving Ekipa RAT and Aurora Stealer that led to the installation of the malicious browser extension. While Ekipa RAT is distributed via booby-trapped Microsoft Publisher files, rogue Google Ads act as t

The Hacker News

April 4, 2023 – Government

CISA adds Zimbra bug exploited in attacks against NATO countries to its Known Exploited Vulnerabilities catalog Full Text

Abstract US CISA has added a Zimbra flaw, which was exploited in attacks targeting NATO countries, to its Known Exploited Vulnerabilities catalog. U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a Zimbra flaw, tracked as CVE-2022-27926,...

Security Affairs

April 4, 2023 – Outage

Websites of Israeli Universities and Cybersecurity Company Briefly Taken Down in Cyberattack Full Text

Abstract Among the websites affected were Tel Aviv University, the Hebrew University of Jerusalem, Ben-Gurion University of the Negev, Haifa University, Weizmann Institute of Science, Open University of Israel, and Reichman University.

Cyware

April 04, 2023 – Attack

Arid Viper Hacking Group Using Upgraded Malware in Middle East Cyber Attacks Full Text

Abstract The threat actor known as Arid Viper has been observed using refreshed variants of its malware toolkit in its attacks targeting Palestinian entities since September 2022. Symantec, which is tracking the group under its insect-themed moniker Mantis, said the adversary is "going to great lengths to maintain a persistent presence on targeted networks." Also known by the names APT-C-23 and Desert Falcon, the hacking group has been linked to attacks aimed at Palestine and the Middle East at least since 2014. Mantis has used an arsenal of homemade malware tools such as ViperRat, FrozenCell (aka VolatileVenom), and Micropsia to execute and conceal its campaigns across Windows, Android, and iOS platforms. The threat actors are believed to be native Arabic speakers and based in Palestine, Egypt, and Turkey, according to a report published by Kaspersky in February 2015. Prior public reporting has also tied the group to the cyber warfare division of Hamas. In Apri

The Hacker News

April 4, 2023 – Cryptocurrency

3CX Supply chain attack allowed targeting cryptocurrency companies Full Text

Abstract Threat actors behind the 3CX supply chain attack have targeted a limited number of cryptocurrency companies with a second-stage implant. As of Mar 22, 2023, SentinelOne observed a spike in behavioral detections of the 3CXDesktopApp, which is a popular...

Security Affairs

April 4, 2023 – General

China to probe Micron over cybersecurity, in chip war’s latest battle Full Text

Abstract A statement by the Chinese government said that the review is being undertaken to ensure the security of the key information infrastructure supply chain, prevent network security risks caused by hidden product problems, and maintain national security.

Cyware

April 04, 2023 – General

Think Before You Share the Link: SaaS in the Real World Full Text

Abstract Collaboration sits at the essence of SaaS applications. The word, or some form of it, appears in the top two headlines on Google Workspace's homepage. It can be found six times on Microsoft 365's homepage, three times on Box, and once on Workday. Visit nearly any SaaS site, and odds are 'collaboration' will appear as part of the app's key selling point. By sitting on the cloud, content within the applications is immediately shareable, making it easier than ever to work with others. However, that shareability is a two-sided coin. On the flip side are often sensitive links sitting on public-facing websites that can be easily accessed. The exposure caused by leaked documents can cause tremendous harm, from competitors trying to gather corporate secrets to whistleblowers sharing internal information with reporters or legislators. As integral as collaboration is to SaaS, sharing links creates a high-risk situation, and real-life breaches, that can be mitigated through the right process

The Hacker News

April 4, 2023 – Malware

Rilide Stealer Delivered via Malicious Browser Extension to Siphon Cryptocurrency Full Text

Abstract Trustwave SpiderLabs uncovered a new strain of malware that it dubbed Rilide, which targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera.

Cyware

April 04, 2023 – Solution

Microsoft Tightens OneNote Security by Auto-Blocking 120 Risky File Extensions Full Text

Abstract Microsoft has announced plans to automatically block embedded files with "dangerous extensions" in OneNote following reports that the note-taking service is being increasingly abused for malware delivery. Up until now, users were shown a dialog warning them that opening such attachments could harm their computer and data, but it was possible to dismiss the prompt and open the files. That's going to change going forward. Microsoft said it intends to prevent users from directly opening an embedded file with a dangerous extension and display the message: "Your administrator has blocked your ability to open this file type in OneNote." The update is expected to start rolling out with Version 2304 later this month and only impacts OneNote for Microsoft 365 on devices running Windows. It does not affect other platforms, including macOS, Android, and iOS, as well as OneNote versions available on the web and for Windows 10. "By default, OneNote blocks the sa

The Hacker News

April 4, 2023 – Government

Australia takes its turn to kick TikTok off government kit Full Text

Abstract Australia has joined the growing list of nations that have decided TikTok represents an unacceptable risk when running on government-owned devices, and so has decided not to allow it onto those machines.

Cyware

April 04, 2023 – Attack

Cryptocurrency Companies Targeted in Sophisticated 3CX Supply Chain Attack Full Text

Abstract The adversary behind the supply chain attack targeting 3CX deployed a second-stage implant specifically singling out a small number of cryptocurrency companies. Russian cybersecurity firm Kaspersky, which has been internally tracking the versatile backdoor under the name Gopuram since 2020, said it observed an increase in the number of infections in March 2023 coinciding with the 3CX breach. Gopuram's primary function is to connect to a command-and-control (C2) server and await further instructions that allow the attackers to interact with the victim's file system, create processes, and launch as many as eight in-memory modules. The backdoor's links to North Korea stem from the fact that it "co-existed on victim machines with AppleJeus, a backdoor attributed to the Korean-speaking threat actor Lazarus," detailing an attack on an unnamed crypto firm located in Southeast Asia in 2020. The targeting of cryptocurrency companies is another telltale sign of

The Hacker News

April 4, 2023 – Privacy

ChatGPT, the AI Revolution, and the Security, Privacy and Ethical Implications Full Text

Abstract For AI, security is a two-way street: It can be used by malicious actors to abuse victims, while its own security can be abused by those same malicious actors. ChatGPT has already suffered at least one breach that is known.

Cyware

April 3, 2023 – Breach

Service NSW Breach Exposes Data of Thousands of Customers Full Text

Abstract An update released to the “My services” dashboard on March 20 resulted in the data breach, Service NSW chief executive officer Greg Wells said in an email to affected customers shared with AAP on Monday.

Cyware

April 03, 2023 – Breach

Western Digital Hit by Network Security Breach - Critical Services Disrupted! Full Text

Abstract Data storage devices maker Western Digital on Monday disclosed a "network security incident" that involved unauthorized access to its systems. The breach is said to have occurred on March 26, 2023, enabling an unnamed third party to gain access to a "number of the company's systems." Following the discovery of the hack, Western Digital said it has initiated incident response efforts and enlisted the help of cybersecurity and forensic experts to conduct an investigation. It also said it's coordinating with law enforcement agencies on the matter, adding the probe is in its initial stages. The company has taken several of its services offline, noting that the threat actor may have obtained "certain data from its systems" and that it's working on estimating the nature and scope of the data accessed. While Western Digital did not reveal the exact services that are impacted, the My Cloud status page shows that cloud, proxy, web, authentic

The Hacker News

April 3, 2023 – Attack

UK outsourcing services provider Capita suffered a cyber incident Full Text

Abstract UK outsourcing services provider Capita confirmed that the outage suffered on Friday was caused by a cyberattack. Capita, the UK outsourcing giant, confirmed that its staff was locked out of their accounts on Friday after a cyber incident. Capita...

Security Affairs

April 3, 2023 – Solution

Microsoft OneNote Starts Blocking Dangerous File Extensions Full Text

Abstract Just like other Office applications, OneNote has been abused for malware delivery, especially since OneNote documents allow attackers to attach files that would be executed with few warnings to the user.

Cyware

April 03, 2023 – Policy and Law

Italian Watchdog Bans OpenAI’s ChatGPT Over Data Protection Concerns Full Text

Abstract The Italian data protection watchdog, Garante per la Protezione dei Dati Personali (aka Garante), has imposed a temporary ban on OpenAI's ChatGPT service in the country, citing data protection concerns. To that end, it has ordered the company to stop processing users' data with immediate effect, stating it intends to investigate the company over whether it's unlawfully processing such data in violation of the E.U. General Data Protection Regulation (GDPR) laws. "No information is provided to users and data subjects whose data are collected by Open AI," the Garante noted. "More importantly, there appears to be no legal basis underpinning the massive collection and processing of personal data in order to 'train' the algorithms on which the platform relies." ChatGPT, which is estimated to have reached over 100 million monthly active users since its release late last year, has not disclosed what it used to train its latest large languag

The Hacker News

April 3, 2023 – Outage

Western Digital took its services offline due to a security breach Full Text

Abstract Western Digital disclosed a security breach; according to the company, an unauthorized party gained access to multiple systems. Western Digital has shut down several of its services after discovering a security breach; the company disclosed that an unauthorized...

Security Affairs

April 3, 2023 – Education

Managing the risks of unstructured data growth Full Text

Abstract Much of the data in the cloud is unstructured and highly vulnerable to cyber threats. Unstructured data can include anything from emails and FedEx receipts to sensor data and social media feeds.

Cyware

April 03, 2023 – General

“It’s The Service Accounts, Stupid”: Why Do PAM Deployments Take (almost) Forever To Complete? Full Text

Abstract Privileged Access Management (PAM) solutions are regarded as the common practice to prevent identity threats to administrative accounts. In theory, the PAM concept makes absolute sense: place admin credentials in a vault, rotate their passwords, and closely monitor their sessions. However, the harsh reality is that the vast majority of PAM projects either become years-long projects or even come to a halt altogether, preventing them from delivering their promised security value. In this article, we explore what makes service accounts a key obstacle in PAM onboarding. We'll learn why vaulting and password rotation of service accounts are an almost impossible task, leaving them exposed to compromise. We'll then conclude by introducing how Silverfort enables identity teams, for the first time, to overcome these challenges with automated discovery, monitoring, and protection of service accounts, and streamline the PAM onboarding process in mere weeks. The PAM Promi

The Hacker News

April 3, 2023 – Vulnerabilities

Microsoft fixed Azure AD bug that led to Bing.com results manipulation and account takeover Full Text

Abstract Microsoft addressed a misconfiguration flaw in the Azure Active Directory (AAD) identity and access management service. Microsoft has addressed a misconfiguration issue impacting the Azure Active Directory (AAD) identity and access management service...

Security Affairs

April 3, 2023 – Government

Bank of England Warns of Potential Cyberattacks on Financial System Full Text

Abstract The Bank of England has issued a stern warning to banks, insurers, and market infrastructure companies to take immediate steps to bolster their defenses against a potential major cyberattack.

Cyware

April 03, 2023 – Malware

Crypto-Stealing OpcJacker Malware Targets Users with Fake VPN Service Full Text

Abstract A piece of new information-stealing malware called OpcJacker has been spotted in the wild since the second half of 2022 as part of a malvertising campaign. "OpcJacker's main functions include keylogging, taking screenshots, stealing sensitive data from browsers, loading additional modules, and replacing cryptocurrency addresses in the clipboard for hijacking purposes," Trend Micro researchers Jaromir Horejsi and Joseph C. Chen said. The initial vector of the campaign involves a network of fake websites advertising seemingly innocuous software and cryptocurrency-related applications. The February 2023 campaign specifically singled out users in Iran under the pretext of offering a VPN service. The installer files act as a conduit to deploy OpcJacker, which is also capable of delivering next-stage payloads such as NetSupport RAT and a hidden virtual network computing (hVNC) variant for remote access. OpcJacker is concealed using a crypter known as Babadeda an

The Hacker News

April 3, 2023 – Botnet

Moobot botnet spreads by targeting Cacti and RealTek flaws Full Text

Abstract The Moobot botnet is actively exploiting critical vulnerabilities in Cacti and Realtek in attacks in the wild. FortiGuard Labs researchers observed an ongoing hacking campaign targeting Cacti (CVE-2022-46169) and Realtek (CVE-2021-35394) vulnerabilities...

Security Affairs

April 3, 2023 – Privacy

Chinese E-Commerce Giant Pinduoduo Allegedly Spies on Users Full Text

Abstract "E-commerce giant Pinduoduo has taken violations of privacy and data security to the next level," CNN reported, citing multiple cybersecurity experts from Asia, Europe, and the United States.

Cyware

April 3, 2023 – Denial Of Service

German Police Raid DDoS-Friendly Host ‘FlyHosting’ – Krebs on Security Full Text

Abstract News of a raid on FlyHosting first surfaced Thursday in a Telegram chat channel that is frequented by people interested or involved in the DDoS-for-hire industry, where a user by the name Dstatcc broke the news to Fly Hosting customers.

Cyware

April 3, 2023 – General

Hook, Line, and Sinker: Phishing Landscape in 2022 Full Text

Abstract Cofense released a report around the top phishing trends from 2022 and found that attackers largely preferred credential phishing as their primary attack method. The use of malware in these attacks increased by 44%, with Emotet and Qakbot being the most used malware families. Moreover, the tot ... Read More

Cyware

April 3, 2023 – Attack

Mustang Panda Cyberespionage Strikes Over 200 Targets Full Text

Abstract Researchers discovered that a series of cyberespionage attacks launched by the subgroups of Earth Preta APT has affected over 200 organizations. While part of these subgroups is focused on stealing intellectual property and business information, others target government and diplomatic entities.

Cyware

April 2, 2023 – General

Security Affairs newsletter Round 413 by Pierluigi Paganini – International edition Full Text

Abstract A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. If you want to also receive for free the newsletter with the international press subscribe here. LockBit...

Security Affairs

April 2, 2023 – APT

Leaked documents from Russian firm NTC Vulkan show Sandworm cyberwarfare arsenal Full Text

Abstract Files leaked by Russian IT contractor NTC Vulkan show that Russia-linked Sandworm APT requested it to develop offensive tools. Documents leaked from Russian IT contractor NTC Vulkan show it was likely involved in the development of offensive tools....

Security Affairs

April 01, 2023 – Vulnerabilities

Microsoft Fixes New Azure AD Vulnerability Impacting Bing Search and Major Apps Full Text

Abstract Microsoft has patched a misconfiguration issue impacting the Azure Active Directory (AAD) identity and access management service that exposed several "high-impact" applications to unauthorized access. "One of these apps is a content management system (CMS) that powers Bing.com and allowed us to not only modify search results, but also launch high-impact XSS attacks on Bing users," cloud security firm Wiz said in a report. "Those attacks could compromise users' personal data, including Outlook emails and SharePoint documents." The issues were reported to Microsoft in January and February 2022, following which the tech giant applied fixes and awarded Wiz a $40,000 bug bounty. Redmond said it found no evidence that the misconfigurations were exploited in the wild. The crux of the vulnerability stems from what's called "Shared Responsibility confusion," wherein an Azure app can be incorrectly configured to allow users from any Micro

The Hacker News

April 1, 2023 – Criminals

Operation Henhouse: Hundreds of arrests and millions in assets seized in month tackling fraud Full Text

Abstract The NCA’s National Economic Crime Centre has led a successful operation working closely with the City of London Police and other policing partners against suspected fraudsters across the UK.

Cyware

April 1, 2023 – Breach

LockBit leaks data stolen from the South Korean National Tax Service Full Text

Abstract The LockBit ransomware gang announced the publishing of data stolen from the South Korean National Tax Service. On March 29, 2023, the LockBit ransomware gang announced the hack of the South Korean National Tax Service. The group added the South...

Security Affairs

April 1, 2023 – Privacy

Italy Temporarily Blocks ChatGPT Over Privacy Concerns Full Text

Abstract Italy is temporarily blocking the artificial intelligence software ChatGPT in the wake of a data breach as it investigates a possible violation of stringent European Union data protection rules, the government’s privacy watchdog said Friday.

Cyware

April 1, 2023 – General

Italy’s Data Protection Authority temporarily blocks ChatGPT over privacy concerns Full Text

Abstract Italy’s data protection agency is temporarily blocking the popular chatbot ChatGPT due to a possible violation of the European data privacy regulation. The Italian Data Protection Authority, Garante Privacy, has temporarily banned ChatGPT due to the illegal...

Security Affairs

April 1, 2023 – Ransomware

New Cylance Ransomware Targets Linux and Windows, Warn Researchers Full Text

Abstract Researchers at Palo Alto Networks Unit 42 discovered the new Cylance ransomware, which has already claimed several victims. Researchers noticed it early Friday morning, and further probing revealed that it is targeting Linux and Windows devices.

Cyware

April 1, 2023 – Government

CISA adds bugs exploited by commercial surveillance spyware to Known Exploited Vulnerabilities catalog Full Text

Abstract CISA has added nine flaws to its Known Exploited Vulnerabilities catalog, including bugs exploited by commercial spyware on mobile devices. U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added nine new vulnerabilities to its Known...

Security Affairs

April 1, 2023 – Business

SCADAfence raises $16 million, adds Fujitsu and Mitsubishi Electric as new investors Full Text

Abstract This new funding round will enable SCADAfence to continue scaling its global reach into new markets, increasing sales and support teams in key regions, and building stronger collaborative relationships with its strategic partners.

Cyware

April 1, 2023 – Ransomware

Ransomware Roundup – Dark Power and PayMe100USD Ransomware Full Text

Abstract Dark Power is a relatively new ransomware written in the Nim programming language and launched in early February 2023. PayMe100USD is a new ransomware written in Python that was discovered in March 2023.

Cyware

April 1, 2023 – Business

LeapXpert Banks $22M Funding to Secure Corporate Messaging With Consumer Apps Full Text

Abstract The company said the Series A financing was led by Rockefeller Asset Management through its Technology Ventures Group with equity investments from Uncorrelated Ventures, the Partnership Fund for New York City.

Cyware

April 01, 2023 – Vulnerabilities

Cacti, Realtek, and IBM Aspera Faspex Vulnerabilities Under Active Exploitation Full Text

Abstract Critical security flaws in Cacti, Realtek, and IBM Aspera Faspex are being exploited by various threat actors in hacks targeting unpatched systems. This entails the abuse of CVE-2022-46169 (CVSS score: 9.8) and CVE-2021-35394 (CVSS score: 9.8) to deliver MooBot and ShellBot (aka PerlBot), Fortinet FortiGuard Labs said in a report published this week. CVE-2022-46169 relates to a critical authentication bypass and command injection flaw in Cacti servers that allows an unauthenticated user to execute arbitrary code. CVE-2021-35394 also concerns an arbitrary command injection vulnerability impacting the Realtek Jungle SDK that was patched in 2021. While the latter has been previously exploited to distribute botnets like Mirai, Gafgyt, Mozi, and RedGoBot, the development marks the first time it has been utilized to deploy MooBot, a Mirai variant known to be active since 2019. The Cacti flaw, besides being leveraged for MooBot attacks, has also been observed serving ShellB

The Hacker News

April 01, 2023 – Hacker

Hackers Exploiting WordPress Elementor Pro Vulnerability: Millions of Sites at Risk! Full Text

Abstract Unknown threat actors are actively exploiting a recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress. The flaw, described as a case of broken access control, impacts versions 3.11.6 and earlier. It was addressed by the plugin maintainers in version 3.11.7 released on March 22. "Improved code security enforcement in WooCommerce components," Elementor said in its release notes. The premium plugin is estimated to be used on over 12 million sites. Successful exploitation of the high-severity flaw allows an authenticated attacker to complete a takeover of a WordPress site that has WooCommerce enabled. "This makes it possible for a malicious user to turn on the registration page (if disabled) and set the default user role to administrator so they can create an account that instantly has the administrator privileges," Patchstack said in an alert of March 30, 2023. "After this, they are likely to either redi

The Hacker News
