
August, 2023

August 31, 2023 – Attack

Earth Estries Group Targets Government and IT Organizations

Abstract A new cyberespionage campaign by a group tracked as Earth Estries has been discovered, targeting governments and organizations in the technology sector. Active since at least 2020, the group shows similarities with another APT group called FamousSparrow. It is essential for organizations to track and analyze t...

Cyware

August 31, 2023 – Malware

SapphireStealer Malware: A Gateway to Espionage and Ransomware Operations

Abstract An open-source .NET-based information stealer dubbed SapphireStealer is being picked up by multiple threat actors, who are extending its capabilities and spawning their own bespoke variants. "Information-stealing malware like SapphireStealer can be used to obtain sensitive information, including corporate credentials, which are often resold to other threat actors who leverage the access for additional attacks, including operations related to espionage or ransomware/extortion," Cisco Talos researcher Edmund Brumaghin said in a report shared with The Hacker News. An entire ecosystem has developed over time that allows both financially motivated and nation-state actors to buy services from purveyors of stealer malware and carry out various kinds of attacks. Viewed in that light, such malware not only represents an evolution of the cybercrime-as-a-service (CaaS) model; it also lets other threat actors monetize the stolen data to distribute ransomware, conduct data theft, and other maliciou

The Hacker News

August 31, 2023 – Criminals

Unmasking Trickbot, One of the World’s Top Cybercrime Gangs

Abstract Maksim Sergeevich Galochkin, a member of the Russian cybercrime syndicate Trickbot, has been identified by cybercrime researchers. The identification of Galochkin comes after a comprehensive investigation into leaked data from the Trickbot group.

Cyware

August 31, 2023 – Malware

North Korean Hackers Deploy New Malicious Python Packages in PyPI Repository

Abstract Three additional rogue Python packages have been discovered in the Python Package Index (PyPI) repository as part of an ongoing malicious software supply chain campaign called VMConnect, with signs pointing to the involvement of North Korean state-sponsored threat actors. The findings come from ReversingLabs, which detected the packages tablediter, request-plus, and requestspro. First disclosed at the start of the month by the company and Sonatype, VMConnect refers to a collection of Python packages that mimic popular open-source Python tools to download an unknown second-stage malware. The latest tranche is no different, with ReversingLabs noting that the bad actors are disguising their packages and making them appear trustworthy by using typosquatting techniques to impersonate prettytable and requests and confuse developers. The nefarious code within tablediter is designed to run in an endless execution loop in which a remote server is polled periodically to retrieve and execute

The Hacker News

August 31, 2023 – Malware

BadBazaar Espionage Tool Targets Android Users

Abstract ESET discovered two active campaigns distributing trojanized Signal and Telegram apps that aim to exfiltrate user data and spy on victims’ communications. They have been spreading the BadBazaar Android spyware. Mitigation includes cautious app selection, avoiding suspicious sources, and maintaining...

Cyware

August 31, 2023 – General

Numbers Don’t Lie: Exposing the Harsh Truths of Cyberattacks in New Report

Abstract How often do cyberattacks happen? How frequently do threat actors target businesses and governments around the world? The BlackBerry® Threat Research and Intelligence Team recently analyzed 90 days of real-world data to answer these questions. Full results are in the latest BlackBerry Global Threat Intelligence Report, but read on for a teaser of several interesting cyberattack statistics. Analyzing Real-World Cyberattacks In their most recent quarterly report, BlackBerry threat researchers analyzed the onslaught of malware-based attacks from December 2022 to February 2023. During that time, BlackBerry's AI-powered endpoint protection solution detected and blocked a total of 1,578,733 malware-based cyberattacks targeting customers. 90 Days of Cyberattacks Based on analysis of cyberattacks detected and blocked during the 90-day window, the BlackBerry Threat Research and Intelligence Team recorded the following statistics: Total number of malware-based attacks: 1,578,73

The Hacker News

August 31, 2023 – Attack

VMConnect Supply Chain Attack Continues, Evidence Points to North Korea

Abstract The recently discovered malicious Python packages, such as tablediter, request-plus, and requestspro, are believed to be a continuation of the VMConnect campaign attributed to North Korean threat actors.

Cyware

August 31, 2023 – Attack

Earth Estries’ Espionage Campaign Targets Governments and Tech Titans Across Continents

Abstract A hacking outfit nicknamed  Earth Estries  has been attributed to a new, ongoing cyber espionage campaign targeting government and technology industries based in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the U.S. "The threat actors behind Earth Estries are working with high-level resources and functioning with sophisticated skills and experience in cyber espionage and illicit activities," Trend Micro researchers Ted Lee, Lenart Bermejo, Hara Hiroaki, Leon M Chang, and Gilbert Sison  said . Active since at least 2020, Earth Estries is said to share tactical overlaps with another nation-state group tracked as  FamousSparrow , which was first exposed by ESET in 2021 as exploiting ProxyLogon flaws in Microsoft Exchange Server to penetrate hospitality, government, engineering, and legal sectors. It's worth pointing out that commonalities have also been unearthed between FamousSparrow and  UNC4841 , an uncategorized activity cluster held responsible for

The Hacker News

August 31, 2023 – Vulnerabilities

Netgear Releases Patches for Two High-Severity Vulnerabilities

Abstract Netgear has patched two vulnerabilities affecting one of its router models and its network management software. One of the flaws, tracked as CVE-2023-41183, affects Netgear’s Orbi 760 routers.

Cyware

August 31, 2023 – Breach

Forever 21 Data Breach Leaks Personal Information of Over 539,000 Individuals

Abstract Forever 21 experienced a data breach that compromised the personal information, including names and Social Security numbers, of over 539,000 individuals. The breach occurred between January 5, 2023, and March 21, 2023.

Cyware

August 31, 2023 – Business

Compliance and Risk Management Startup Hyperproof Raises $40M

Abstract Hyperproof, a software-as-a-service risk and compliance management company, today announced that it raised $40 million in a funding round led by Riverwood Capital, with participation from Toba Capital, an early-stage VC firm.

Cyware

August 31, 2023 – Breach

National Safety Council Data Leak Impacts Credentials of NASA, Tesla, DoJ, Verizon, and 2,000 Other Firms

Abstract The National Safety Council has leaked nearly 10,000 emails and passwords of its members, exposing 2,000 companies, including governmental organizations and big corporations.

Cyware

August 31, 2023 – Education

The Power of Passive OS Fingerprinting for Accurate IoT Device Identification

Abstract To effectively safeguard against the risks of IoT sprawl, continuous monitoring, and absolute control are crucial. However, that requires accurate identification of all IoT devices and operating systems (OSes) within the enterprise network.

Cyware

August 31, 2023 – APT

APT Attacks From ‘Earth Estries’ Hit Governments, Tech Firms Across the Globe

Abstract Earth Estries uses advanced techniques such as DLL sideloading and has developed three custom malware tools: Zingdoor, TrillClient, and HemiGate. It has been active since at least 2020 and has similarities with another group called FamousSparrow.

Cyware

August 30, 2023 – Solution

GitHub Enterprise Server Gets New Security Capabilities

Abstract Now, teams using GitHub Actions can also create their own custom deployment protection rules, to ensure that only “the deployments that pass all quality, security, and manual approval requirements make it to production,” GitHub explained.

Cyware

August 30, 2023 – Vulnerabilities

Hackers Can Exploit Windows Container Isolation Framework to Bypass Endpoint Security

Abstract New findings show that malicious actors could leverage a sneaky malware detection evasion technique and bypass endpoint security solutions by manipulating the Windows Container Isolation Framework. The findings were presented by Deep Instinct security researcher Daniel Avinoam at the  DEF CON security conference  held earlier this month. Microsoft's  container architecture  (and by extension,  Windows Sandbox ) uses what's called a  dynamically generated image  to separate the file system from each container to the host and at the same time avoid duplication of system files. It's nothing but an "operating system image that has clean copies of files that can change, but links to files that cannot change that are in the Windows image that already exists on the host," thereby bringing down the overall size for a full OS. "The result is images that contain 'ghost files,' which store no actual data but point to a different volume on the system,"

The Hacker News

August 30, 2023 – Disinformation

Russians Impersonate Washington Post and Fox News With Anti-Ukraine Stories

Abstract This operation, named Doppelganger, has persevered in its attempts to influence Western opinion despite numerous disruptions by Meta and “continuous scrutiny by platforms and researchers.”

Cyware

August 30, 2023 – Malware

MMRat Android Trojan Executes Remote Financial Fraud Through Accessibility Feature

Abstract A previously undocumented Android banking trojan dubbed  MMRat  has been observed targeting mobile users in Southeast Asia since late June 2023 to remotely commandeer the devices and perform financial fraud. "The malware, named after its distinctive package name com.mm.user, can capture user input and screen content, and can also remotely control victim devices through various techniques, enabling its operators to carry out bank fraud on the victim's device," Trend Micro  said . What makes MMRat stand apart from others of its kind is the use of a customized command-and-control (C2) protocol based on protocol buffers (aka  protobuf ) to efficiently transfer large volumes of data from compromised handsets, demonstrating the growing sophistication of Android malware. Possible targets based on the language used in the phishing pages include Indonesia, Vietnam, Singapore, and the Philippines. The entry point of the attacks is a network of phishing sites that mimic offici

The Hacker News

August 30, 2023

Pay Our Ransom Instead of GDPR Fine, Cybercrime Gang Tells Its Targets

Abstract The hackers behind Ransomed are probably linked to other data leak websites like BreachForums and Exposed, Flashpoint said. Some of these sites have shut down due to money problems or poor management, the researchers said.

Cyware

August 30, 2023 – Malware

China-Linked BadBazaar Android Spyware Targeting Signal and Telegram Users

Abstract Cybersecurity researchers have discovered malicious Android apps for Signal and Telegram distributed via the Google Play Store and Samsung Galaxy Store that are engineered to deliver the BadBazaar spyware on infected devices. Slovakian company ESET attributed the campaign to a China-linked actor called  GREF . "Most likely active since July 2020 and since July 2022, respectively, the campaigns have distributed the Android BadBazaar espionage code through the Google Play store, Samsung Galaxy Store, and dedicated websites representing the malicious apps Signal Plus Messenger and FlyGram," security researcher Lukáš Štefanko  said  in a new report shared with The Hacker News. Victims have been primarily detected in Germany, Poland, and the U.S., followed by Ukraine, Australia, Brazil, Denmark, Congo-Kinshasa, Hong Kong, Hungary, Lithuania, the Netherlands, Portugal, Singapore, Spain, and Yemen. BadBazaar was  first documented  by Lookout in November 2022 as targeting the  U

The Hacker News

August 30, 2023 – Phishing

AiTM Attacks Evolve: Warns Microsoft

Abstract Microsoft is alerting about a rise in AiTM phishing methods within the PhaaS cybercrime model, enabling widespread large-scale phishing campaigns. The primary aim of these attacks is to steal session cookies, allowing malicious actors to gain entry to privileged systems without needing to authentic...

Cyware

August 30, 2023 – Education

How to Prevent ChatGPT From Stealing Your Content & Traffic

Abstract ChatGPT and similar large language models (LLMs) have added further complexity to the ever-growing online threat landscape. Cybercriminals no longer need advanced coding skills to execute fraud and other damaging attacks against online businesses and customers, thanks to bots-as-a-service, residential proxies, CAPTCHA farms, and other easily accessible tools. Now, the latest technology damaging businesses' bottom line is ChatGPT. Not only have ChatGPT, OpenAI, and other LLMs raised ethical issues by training their models on scraped data from across the internet; they are also negatively impacting enterprises' web traffic, which can be extremely damaging to business. 3 Risks Presented by LLMs, ChatGPT, & ChatGPT Plugins Among the threats ChatGPT and ChatGPT plugins can pose against online businesses, there are three key risks we will focus on: Content theft (or republishing data without permission from the original source) can hurt the authority, SEO rankings, and perceived

The Hacker News

August 30, 2023 – Malware

Malicious npm Packages Aim to Target Developers for Source Code Theft

Abstract An unknown threat actor is leveraging malicious npm packages to target developers with an aim to steal source code and configuration files from victim machines, a sign of how threats lurk consistently in open-source repositories. "The threat actor behind this campaign has been linked to malicious activity dating back to 2021," software supply chain security firm Checkmarx  said  in a report shared with The Hacker News. "Since then, they have continuously published malicious packages." The latest report is a continuation of the  same campaign  that Phylum disclosed at the start of the month in which a number of npm modules were engineered to exfiltrate valuable information to a remote server. The packages, by design, are configured to execute immediately post-installation by means of a postinstall hook defined in the package.json file. It triggers the launch of preinstall.js, which spawns index.js to capture the system metadata as well as harvest source code and
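The execution path described above (a postinstall hook in package.json that launches a local script) is exactly what an installed-dependency audit should surface. The script below is an added example, not code from Checkmarx, Phylum or the page: it walks a node_modules tree and lists every package that declares an install-time lifecycle script. The two packages it creates in a temporary directory are constructed for the demonstration and are not real npm packages.

```python
import json
import os
import tempfile

# Lifecycle scripts that npm runs automatically, without prompting, while a
# dependency is being installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_hooks(node_modules):
    """Walk a node_modules tree and return every package that declares an
    install-time lifecycle script, as sorted (package name, hook, command) tuples."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(node_modules):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: nothing to inspect
        scripts = manifest.get("scripts")
        if not isinstance(scripts, dict):
            continue
        name = manifest.get("name") or os.path.relpath(dirpath, node_modules)
        for hook in INSTALL_HOOKS:
            command = scripts.get(hook)
            if command:
                findings.append((name, hook, command))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed node_modules tree in a temp directory. Both packages
    are made up for this example; the second mirrors the pattern described in
    the report (a postinstall hook that launches a local script)."""
    root = tempfile.mkdtemp(prefix="node_modules_")
    manifests = {
        "tiny-util": {"name": "tiny-util", "version": "1.0.0",
                      "scripts": {"test": "node test.js"}},
        "config-helper": {"name": "config-helper", "version": "0.0.1",
                          "scripts": {"postinstall": "node preinstall.js"}},
    }
    for pkg, manifest in manifests.items():
        pkg_dir = os.path.join(root, pkg)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for name, hook, command in find_install_hooks(tree):
        print(f"{name}: {hook} -> {command}")
```

Point it at a real project's node_modules after `npm ci --ignore-scripts`, review what it flags, and only then allow scripts to run; a hook is not proof of malice (native add-ons legitimately build in `install`), but a `postinstall` that spawns a file shipped inside the package is worth reading before it executes.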

The Hacker News

August 30, 2023 – Vulnerabilities

Alert: Juniper Firewalls, Openfire, and Apache RocketMQ Under Attack from New Exploits

Abstract Recently disclosed security flaws impacting Juniper firewalls, Openfire, and Apache RocketMQ servers have come under active exploitation in the wild, according to multiple reports. The Shadowserver Foundation  said  that it's "seeing exploitation attempts from multiple IPs for Juniper J-Web CVE-2023-36844 (& friends) targeting /webauth_operation.php endpoint," the same day a proof-of-concept (PoC) became available. The  issues , tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847, reside in the J-Web component of Junos OS on Juniper SRX and EX Series. They could be chained by an unauthenticated, network-based attacker to execute arbitrary code on susceptible installations. Patches for the flaw were released on August 17, 2023, a week after which watchTowr Labs published a proof-of-concept (PoC) by combining CVE-2023-36846 and CVE-2023-36845 to execute a PHP file containing malicious shellcode. Currently, there are  more than 8,200 Junip
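Shadowserver's observation above names the endpoint the exploitation attempts hit, /webauth_operation.php, which is enough to hunt for in web access logs. The following is an added example, not part of the page or any vendor tooling: it assumes logs in Combined Log Format (for instance from a proxy in front of the management interface, which is an assumption), normalises the request path so percent-encoded or slash-padded variants still match, and tallies requests to the endpoint per source IP. The log lines are constructed for the demonstration and use documentation IP ranges.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined Log Format: client IP, ident, user, timestamp, request line, status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Endpoint named in the Shadowserver observation.
JWEB_ENDPOINT = "/webauth_operation.php"


def normalise_path(target):
    """Drop the query string, percent-decode, collapse repeated slashes and
    lower-case the path so encoded or padded variants compare equal."""
    path = target.split("?", 1)[0]
    path = unquote(path)
    path = re.sub(r"/+", "/", path)
    return path.lower()


def hunt_jweb_requests(lines, endpoint=JWEB_ENDPOINT):
    """Return (matching parsed records, request count per source IP) for every
    log line whose request path resolves to the J-Web endpoint."""
    hits = []
    per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed access-log line
        if normalise_path(m.group("target")) != endpoint:
            continue
        rec = {k: m.group(k) for k in ("ip", "ts", "method", "target", "status")}
        hits.append(rec)
        per_ip[rec["ip"]] += 1
    return hits, per_ip


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Aug/2023:10:01:02 +0000] "POST /webauth_operation.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [25/Aug/2023:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Aug/2023:10:01:09 +0000] "POST //%77ebauth_operation.php?x=1 HTTP/1.1" 200 512 "-" "curl/8.1"
this line is not an access-log entry
""".splitlines()


if __name__ == "__main__":
    hits, per_ip = hunt_jweb_requests(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} request(s) to {JWEB_ENDPOINT}")
```

Treat the output as a triage list rather than an alert: the endpoint also serves legitimate J-Web sessions, so what matters is sources you do not recognise, scripted user agents, and bursts that coincide with the PoC publication window. A management interface that is reachable from the internet at all is the finding to fix first.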

The Hacker News

August 30, 2023 – Vulnerabilities

Critical Vulnerability Alert: VMware Aria Operations Networks at Risk from Remote Attacks

Abstract VMware has released software updates to correct two security vulnerabilities in Aria Operations for Networks that could be potentially exploited to bypass authentication and gain remote code execution. The most severe of the flaws is CVE-2023-34039 (CVSS score: 9.8), which relates to a case of authentication bypass arising as a result of a lack of unique cryptographic key generation. "A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI," the company  said  in an advisory. ProjectDiscovery researchers Harsh Jaiswal and Rahul Maini have been credited with discovering and reporting the issue. The second weakness, CVE-2023-20890 (CVSS score: 7.2), is an arbitrary file write vulnerability impacting Aria Operations for Networks that could be abused by an adversary with administrative access to write files to arbitrary locations and achieve remote code execution. Credited

The Hacker News

August 30, 2023 – Policy and Law

FBI Dismantles QakBot Malware, Frees 700,000 Computers, Seizes $8.6 Million

Abstract A coordinated law enforcement effort codenamed  Operation Duck Hunt  has felled  QakBot , a notorious Windows malware family that's estimated to have compromised over 700,000 computers globally and facilitated financial fraud as well as ransomware. To that end, the U.S. Justice Department (DoJ)  said  the malware is "being deleted from victim computers, preventing it from doing any more harm," adding it seized more than $8.6 million in cryptocurrency in illicit profits. The cross-border exercise involved the participation of France, Germany, Latvia, Romania, the Netherlands, the U.K., and the U.S., alongside technical assistance from cybersecurity company Zscaler. The dismantling has been hailed as "the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals." No arrests were announced. QakBot, also known as QBot and Pinkslipbot, started its life as a banking trojan in 2007 before morphing into a general-pu

The Hacker News

August 29, 2023 – Breach

Japan’s Cybersecurity Agency Breached by Suspected Chinese Hackers: Report

Abstract Suspected Chinese hackers breached Japan’s cybersecurity agency and potentially accessed sensitive data stored on its networks for nine months before being discovered, it was reported on Tuesday.

Cyware

August 29, 2023 – Attack

Chinese Hacking Group Exploits Barracuda Zero-Day to Target Government, Military, and Telecom

Abstract A suspected Chinese-nexus hacking group exploited a  recently disclosed zero-day flaw  in Barracuda Networks Email Security Gateway (ESG) appliances to breach government, military, defense and aerospace, high-tech industry, and telecom sectors as part of a global espionage campaign. Mandiant, which is tracking the activity under the name  UNC4841 , described the threat actor as "highly responsive to defensive efforts" and capable of actively tweaking their modus operandi to maintain persistent access to targets. "UNC4841 deployed new and novel malware designed to maintain presence at a small subset of high priority targets that it compromised either before the patch was released, or shortly following Barracuda's remediation guidance," the Google-owned threat intelligence firm  said  in a new technical report published today. Almost a third of the identified affected organizations are government agencies. Interestingly enough, some of the earliest compromises

The Hacker News

August 29, 2023 – General

Meta Fights Sprawling Chinese ‘Spamouflage’ Operation

Abstract The network typically posted praise for China and its Xinjiang province and criticisms of the United States, Western foreign policies, and critics of the Chinese government including journalists and researchers, the Meta report says.

Cyware

August 29, 2023 – Malware

DarkGate Malware Activity Spikes as Developer Rents Out Malware to Affiliates

Abstract A new malspam campaign has been observed deploying an off-the-shelf malware called DarkGate. "The current spike in DarkGate malware activity is plausible given the fact that the developer of the malware has recently started to rent out the malware to a limited number of affiliates," Telekom Security said in a report published last week. The latest report builds on recent findings from security researcher Igal Lytzki, who detailed a "high volume campaign" that leverages hijacked email threads to trick recipients into downloading the malware. The attack commences with a phishing URL that, when clicked, passes through a traffic direction system (TDS) that takes the victim to an MSI payload only when certain conditions are met, including the presence of a refresh header in the HTTP response. Opening the MSI file triggers a multi-stage process that incorporates an AutoIt script to execute shellcode that acts as a conduit to decrypt and launch DarkGate via a crypte

The Hacker News

August 29, 2023 – Breach

Compromised OpenCart Payment Module Steals Credit Card Information

Abstract Attackers are increasingly using backend PHP infections, making it more challenging to detect Magecart infections without access to the compromised website's backend code.

Cyware

August 29, 2023 – General

Survey Provides Takeaways for Security Pros to Operationalize their Remediation Life Cycle

Abstract Ask any security professional and they'll tell you that remediating risks from various siloed security scanning tools requires a tedious and labor-intensive series of steps focused on deduplication, prioritization, and routing of issues to an appropriate "fixer" somewhere in the organization. This burden on already resource-strapped security teams is an efficiency killer.  A new study , commissioned by Seemplicity and conducted by Dark Reading, provides fresh insight into how security pros handle the challenging remediation life cycle from discovery to resolution. The research reveals the obstacles security professionals face when coordinating remediation activities. The data exposes the outcomes — in increased workload and diminished risk posture — that arise from lengthy remediation times, inefficient and uncontrolled manual processes, the lack of managerial visibility and oversight across the risk life cycle.  Remediation Process Broken Down to Steps and Time Spent on Each Step

The Hacker News

August 29, 2023 – General

Is the Cybersecurity Community’s Obsession With Compliance Counter-Productive?

Abstract Cybersecurity professionals should focus on effectively defending their organizations against common breach types, rather than prioritizing compliance and checking boxes on audit forms.

Cyware

August 29, 2023 – Vulnerabilities

Citrix NetScaler Alert: Ransomware Hackers Exploiting Critical Vulnerability

Abstract Unpatched Citrix NetScaler systems exposed to the internet are being targeted by unknown threat actors in what's suspected to be a ransomware attack. Cybersecurity company Sophos is  tracking  the activity cluster under the moniker  STAC4663 . Attack chains involve the exploitation of  CVE-2023-3519 , a critical code injection vulnerability impacting NetScaler ADC and Gateway servers that could facilitate unauthenticated remote code execution. In one intrusion detected in mid-August 2023, the security flaw is said to have been used to conduct a domain-wide attack, including injecting payloads into legitimate executables such as the Windows Update Agent (wuauclt.exe) and the Windows Management Instrumentation Provider Service (wmiprvse.exe). An analysis of the payload is underway. Other notable aspects include the distribution of obfuscated PowerShell scripts, PHP web shells, and the use of an Estonian service called BlueVPS for malware staging. Sophos said the modus operandi

The Hacker News

August 29, 2023 – Malware

Android Banking Trojan MMRat Carries Out Bank Fraud via Fake App Stores

Abstract MMRat uses a customized command-and-control protocol to transfer large volumes of data efficiently and, at the time of analysis, was not flagged by any engine on VirusTotal, highlighting its ability to evade detection.

Cyware

August 29, 2023 – Phishing

Phishing-as-a-Service Gets Smarter: Microsoft Sounds Alarm on AiTM Attacks

Abstract Microsoft is warning of an increase in adversary-in-the-middle ( AiTM ) phishing techniques, which are being propagated as part of the phishing-as-a-service (PhaaS) cybercrime model. In addition to an uptick in AiTM-capable PhaaS platforms, the tech giant noted that existing phishing services like PerSwaysion are incorporating AiTM capabilities. "This development in the PhaaS ecosystem enables attackers to conduct high-volume phishing campaigns that attempt to circumvent MFA protections at scale," the Microsoft Threat Intelligence team  said  in a series of posts on X (formerly Twitter). Phishing kits with AiTM capabilities work in two ways, one of which concerns the use of reverse proxy servers (i.e., the phishing page) to relay traffic to and from the client and legitimate website and stealthily capture user credentials, two-factor authentication codes, and session cookies. A second method involves synchronous relay servers. "In AiTM through synchronous relay s

The Hacker News

August 29, 2023 – Criminals

Web Control, Crime Patrol or Real Pawns in Cybercrime

Abstract A group of young employees in Hyderabad ran a sophisticated scam using VOIP to target unsuspecting people in the U.S. and trick them into buying gift cards, which were then converted into cryptocurrency and Indian Rupees.

Cyware

August 28, 2023 – Attack

Attacks on Citrix NetScaler systems linked to ransomware actor

Abstract A threat actor believed to be tied to the FIN8 hacking group exploits the CVE-2023-3519 remote code execution flaw to compromise unpatched Citrix NetScaler systems in domain-wide attacks.

BleepingComputer

August 28, 2023 – Attack

Signs of Malware Attack Targeting Rust Developers Found on Crates.io

Abstract The Rust Foundation was notified and it quickly removed the packages and locked the uploader’s account. GitHub was also notified and took action against the associated account.

Cyware

August 28, 2023 – Vulnerabilities

Experts Uncover How Cybercriminals Could Exploit Microsoft Entra ID for Elevated Privilege

Abstract Cybersecurity researchers have discovered a case of privilege escalation associated with a Microsoft Entra ID (formerly Azure Active Directory) application by taking advantage of an abandoned reply URL. "An attacker could leverage this abandoned URL to redirect authorization codes to themselves, exchanging the ill-gotten authorization codes for access tokens," Secureworks Counter Threat Unit (CTU)  said  in a technical report published last week. "The threat actor could then call Power Platform API via a middle-tier service and obtain elevated privileges." Following responsible disclosure on April 5, 2023, the issue was addressed by Microsoft via an update released a day later. Secureworks has also made available an  open-source tool  that other organizations can use to scan for abandoned reply URLs. Reply URL , also called redirect URI, refers to the location where the authorization server sends the user once the app has been successfully authorized and grant
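The weakness above is a dangling reply URL: an app registration still lists a redirect URI whose host nobody controls any more, so whoever re-registers that name receives authorization codes. The check below is an added example and is not the Secureworks tool or any Microsoft code. It assumes application objects shaped like the Microsoft Graph `application` resource (reply URLs live under `web`, `spa` and `publicClient`), and takes the name-resolution function as a parameter so it can run against real DNS in production and against fixed data here. The application objects and hostnames are constructed for the demonstration.

```python
import socket
from urllib.parse import urlparse

# Sections of a Microsoft Graph `application` object that carry reply URLs.
REPLY_URL_SECTIONS = ("web", "spa", "publicClient")

# Loopback reply URLs cannot be taken over by registering a domain.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def reply_urls(app):
    """Yield every reply URL registered on one application object."""
    for section in REPLY_URL_SECTIONS:
        for uri in (app.get(section) or {}).get("redirectUris", []):
            yield uri


def find_dangling_reply_urls(apps, resolves):
    """Return (app display name, reply URL) for each reply URL whose host no
    longer resolves. `resolves(hostname)` must return True when the name exists."""
    findings = []
    for app in apps:
        for uri in reply_urls(app):
            host = urlparse(uri).hostname
            if not host or host in LOOPBACK_HOSTS:
                continue
            if not resolves(host):
                findings.append((app.get("displayName", "?"), uri))
    return findings


def dns_resolves(hostname):
    """Production resolver: does the name currently resolve in DNS?"""
    try:
        socket.gethostbyname(hostname)
        return True
    except socket.gaierror:
        return False


# Constructed sample shaped like Graph application objects; names are made up.
SAMPLE_APPS = [
    {"displayName": "Payroll Portal",
     "web": {"redirectUris": ["https://payroll.example.com/auth/callback"]}},
    {"displayName": "2019 Pilot",
     "web": {"redirectUris": ["https://pilot-2019.example.net/signin-oidc"]},
     "publicClient": {"redirectUris": ["http://localhost:5000/callback"]}},
]


def sample_resolves(hostname):
    """Offline stand-in for DNS: only the payroll host still exists."""
    return hostname == "payroll.example.com"


if __name__ == "__main__":
    for name, uri in find_dangling_reply_urls(SAMPLE_APPS, sample_resolves):
        print(f"{name}: {uri}")
```

A name that fails to resolve is a lead, not a verdict: confirm with RDAP or WHOIS that the registrable domain is actually available (or that a dangling CNAME points at an unclaimed cloud resource) before classifying it as takeover-able, and in either case the fix is the same, remove the stale URI from the registration.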

The Hacker News

August 28, 2023 – Malware

MalDoc in PDFs: Hiding malicious Word docs in PDF files

Abstract Japan's computer emergency response team (JPCERT) is sharing a new 'MalDoc in PDF' attack detected in July 2023 that bypasses detection by embedding malicious Word files into PDFs.
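A file that carries a valid PDF header but also a whole Word document will pass a PDF-only scanner while still opening in Word. The heuristic below is an added example, not JPCERT's rule or code: it assumes, beyond what the abstract states, that the appended document is an MHT (MIME HTML) container, and looks for MIME headers together with Office markup in a file that starts with %PDF-. Both byte strings are constructed for the demonstration and contain no macro or payload.

```python
PDF_MAGIC = b"%PDF-"

# Markers of a MIME container and of Office markup inside it (assumption for
# this example; a real rule would be tuned against samples).
MHT_MARKERS = (b"mime-version:", b"content-type:", b"content-location:")
OFFICE_MARKERS = (b"<w:worddocument>", b"<x:excelworkbook>", b"mso-application")


def trailing_data(blob):
    """Return the bytes after the last %%EOF marker (empty if there is none)."""
    idx = blob.rfind(b"%%EOF")
    if idx < 0:
        return b""
    return blob[idx + len(b"%%EOF"):]


def looks_like_maldoc_in_pdf(blob):
    """Heuristic: PDF header plus MIME-container and Office-document markers.
    Returns a dict describing what was found and a combined verdict."""
    lowered = blob.lower()
    result = {
        "is_pdf": blob.startswith(PDF_MAGIC),
        "mht_markers": [m.decode() for m in MHT_MARKERS if m in lowered],
        "office_markers": [m.decode() for m in OFFICE_MARKERS if m in lowered],
        "bytes_after_eof": len(trailing_data(blob)),
    }
    result["suspicious"] = (result["is_pdf"]
                            and bool(result["mht_markers"])
                            and bool(result["office_markers"]))
    return result


# Constructed minimal PDF skeleton (not a complete, renderable document).
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

# Constructed polyglot: the same skeleton with an MHT-style Word document appended.
POLYGLOT = BENIGN_PDF + (
    b"MIME-Version: 1.0\n"
    b"Content-Type: multipart/related; boundary=\"----=_NextPart\"\n\n"
    b"------=_NextPart\nContent-Location: file:///C:/doc.htm\n"
    b"Content-Type: text/html\n\n"
    b"<html xmlns:w=\"urn:schemas-microsoft-com:office:word\">"
    b"<xml><w:WordDocument><w:View>Print</w:View></w:WordDocument></xml>"
    b"</html>\n------=_NextPart--\n"
)


def scan_file(path):
    """Read a file from disk and apply the heuristic."""
    with open(path, "rb") as fh:
        return looks_like_maldoc_in_pdf(fh.read())


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PDF), ("polyglot", POLYGLOT)):
        print(label, looks_like_maldoc_in_pdf(blob))
```

Data after the final %%EOF is itself unusual (incremental updates end with their own %%EOF), so `bytes_after_eof` is a useful secondary signal even when the markers differ from a given sample. Expect some false positives from PDFs that legitimately embed HTML or Office attachments, and pair the check with inspecting how the file is actually handed to Word (extension and handler), since that is what makes the trick work.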

BleepingComputer

August 28, 2023 – Privacy

Uncovering a Privacy-Preserving Approach to Machine Learning

Abstract In the era of data-driven decision making, businesses are harnessing the power of machine learning (ML) to unlock valuable insights, gain operational efficiencies, and solidify competitive advantage.

Cyware

August 28, 2023 – Malware

Developers Beware: Malicious Rust Libraries Caught Transmitting OS Info to Telegram Channel

Abstract In yet another sign that developers continue to be targets of software supply chain attacks, a number of malicious packages have been discovered on the Rust programming language's crate registry. The libraries, uploaded between August 14 and 16, 2023, were published by a user named "amaperf," Phylum  said  in a report published last week. The names of the packages, now taken down, are as follows: postgress, if-cfg, xrvrv, serd, oncecell, lazystatic, and envlogger. It's not clear what the end goal of the campaign was, but the suspicious modules were found to harbor functionalities to capture the operating system information (i.e., Windows, Linux, macOS, or Unknown) and transmit the data to a hard-coded Telegram channel via the messaging platform's API. This suggests that the campaign may have been in its early stages and that the threat actor may have been casting a wide net to compromise as many developer machines as possible to deliver rogue updates with imp

The Hacker News

August 28, 2023 – Solution

Microsoft will enable Exchange Extended Protection by default this fall

Abstract Microsoft announced today that Windows Extended Protection will be enabled by default on servers running Exchange Server 2019 starting this fall after installing the 2023 H2 Cumulative Update (CU14).

BleepingComputer

August 28, 2023 – General

Vendors Training AI With Customer Data Is an Enterprise Risk

Abstract Zoom received some flak recently for planning to use customer data to train its machine learning models. The reality, however, is that the video conferencing company is not the first, nor will it be the last, to have similar plans.

Cyware

August 28, 2023 – General

Cyberattacks Targeting E-commerce Applications

Abstract Cyber attacks on e-commerce applications are a common trend in 2023: as e-commerce businesses become more omnichannel, they build and deploy increasingly more API interfaces, and threat actors constantly explore more ways to exploit vulnerabilities. This is why regular testing and ongoing monitoring are necessary to fully protect web applications, identifying weaknesses so they can be mitigated quickly. In this article, we will discuss the recent Honda e-commerce platform attack, how it happened, and its impact on the business and its clients. In addition to the importance of application security testing, we will also discuss the different areas of vulnerability testing and its various phases. Finally, we will provide details on how a long-term preventative solution such as PTaaS can protect e-commerce businesses and the differences between continuous testing (PTaaS) and standard pen testing. The 2023 Honda E-commerce Platform Attack Honda's power equipment, lawn, garden, and

The Hacker News

August 28, 2023 – Phishing

Spain warns of LockBit Locker ransomware phishing attacks

Abstract The National Police of Spain is warning of an ongoing 'LockBit Locker' ransomware campaign targeting architecture companies in the country through phishing emails.

BleepingComputer

August 28, 2023 – Vulnerabilities

PoC for Unauthenticated RCE on Juniper Networks Firewalls Released

Abstract Researchers have released additional details about the recently patched four vulnerabilities affecting Juniper Networks’ SRX firewalls and EX switches that could allow remote code execution (RCE), as well as a proof-of-concept (PoC) exploit.

Cyware

August 28, 2023 – Botnet

KmsdBot Malware Gets an Upgrade: Now Targets IoT Devices with Enhanced Capabilities Full Text

Abstract An updated version of a botnet malware called KmsdBot is now targeting Internet of Things (IoT) devices, simultaneously branching out its capabilities and the attack surface. "The binary now includes support for Telnet scanning and support for more CPU architectures," Akamai security researcher Larry W. Cashdollar said in an analysis published this month. The latest iteration, observed since July 16, 2023, comes months after it emerged that the botnet is being offered as a DDoS-for-hire service to other threat actors. The fact that it's being actively maintained indicates its effectiveness in real-world attacks. KmsdBot was first documented by the web infrastructure and security company in November 2022. It's mainly designed to target private gaming servers and cloud hosting providers, although it has since set its eyes on some Romanian government and Spanish educational sites. The malware is designed to scan random IP addresses for open SSH ports and

The Hacker News

August 28, 2023 – Vulnerabilities

Exploit released for Juniper firewall bugs allowing RCE attacks Full Text

Abstract Proof-of-concept exploit code has been publicly released for vulnerabilities in Juniper SRX firewalls that, when chained, can allow unauthenticated attackers to gain remote code execution in Juniper's JunOS on unpatched devices.

BleepingComputer

August 28, 2023 – Outage

Leaseweb Reports Cloud Disruptions Due to Cyberattack Full Text

Abstract “The issue had an impact on a specific portion of our cloud-based infrastructure leading to downtime for a small number of cloud customers,” Leaseweb told customers in an email notification.

Cyware

August 28, 2023 – Breach

Mom’s Meals discloses data breach impacting 1.2 million people Full Text

Abstract PurFoods, which conducts business in the U.S. as 'Mom's Meals,' is warning of a data breach after the personal information of 1.2 million customers and employees was stolen in a ransomware attack.

BleepingComputer

August 28, 2023 – Denial Of Service

Tor Tweaks Onion Routing Software to Fend Off DDoS Attacks Full Text

Abstract The updated software now supports a proof-of-work challenge called EquiX. Designed by Tevador, who developed Monero's proof-of-work algorithm, it is "a CPU-friendly client puzzle with fast verification and small solution size (16 bytes)."

Cyware

August 28, 2023 – General

Four common password mistakes hackers love to exploit Full Text

Abstract Threat actors take advantage of common password mistakes to breach corporate networks. Learn more from Specops Software on the four most common mistakes and how to strengthen your Active Directory against these risks.

BleepingComputer

August 28, 2023 – Breach

Hacking Group Kittensec Claims to ‘Pwn Anything We See’ to Expose Corruption Full Text

Abstract On July 28, KittenSec claimed in a Telegram post to have hacked multiple Romanian government systems and posted a file containing roughly 36 gigabytes of data, including emails, documents, contracts, and healthcare-related data.

Cyware

August 28, 2023 – Government

CISA Touts ‘Tremendous Growth’ in Vulnerability Disclosure Platform Full Text

Abstract The Vulnerability Disclosure Policy (VDP) Platform has seen “tremendous growth” in onboarding 40 agency programs since its launch in July 2021, the Cybersecurity and Infrastructure Security Agency said Friday in a news release.

Cyware

August 27, 2023 – Breach

Rhysida claims ransomware attack on Prospect Medical, threatens to sell data Full Text

Abstract The Rhysida ransomware gang has claimed responsibility for the massive cyberattack on Prospect Medical Holdings, claiming to have stolen 500,000 social security numbers, corporate documents, and patient records.

BleepingComputer

August 27, 2023 – Attack

Lazarus Exploits ManageEngine to Deploy QuiteRAT Full Text

Abstract The Lazarus group was associated with a new campaign against healthcare entities in Europe and the U.S. In this campaign, the attackers exploited a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) to distribute the QuiteRAT malware. The malware has many capabilities similar to MagicRAT, anot ... Read More

Cyware

August 26, 2023 – Ransomware

LockBit 3.0 Ransomware Builder Leak Gives Rise to Hundreds of New Variants Full Text

Abstract The leak of the LockBit 3.0 ransomware builder last year has led to threat actors abusing the tool to spawn new variants. Russian cybersecurity company Kaspersky said it detected a ransomware intrusion that deployed a version of LockBit but with a markedly different ransom demand procedure. "The attacker behind this incident decided to use a different ransom note with a headline related to a previously unknown group, called NATIONAL HAZARD AGENCY," security researchers Eduardo Ovalle and Francesco Figurelli said. The revamped ransom note directly specified the amount to be paid to obtain the decryption keys, and directed communications to a Tox service and email, unlike the LockBit group, which doesn't mention the amount and uses its own communication and negotiation platform. NATIONAL HAZARD AGENCY is far from the only cybercrime gang to use the leaked LockBit 3.0 builder. Some of the other threat actors known to leverage it include Bl00dy and Buhti. Kaspersk

The Hacker News

August 26, 2023 – Policy and Law

UnitedHealthcare Fined $80K for Six-Month Records Access Delay Full Text

Abstract The HHS' Office for Civil Rights said UnitedHealthcare had agreed to settle a case involving potential HIPAA violations related to allegations that the company took six months to fulfill a health plan member's request to access his PHI.

Cyware

August 26, 2023 – Breach

Kroll Suffers Data Breach: Employee Falls Victim to SIM Swapping Attack Full Text

Abstract Risk and financial advisory solutions provider Kroll on Friday disclosed that one of its employees fell victim to a "highly sophisticated" SIM swapping attack. The incident, which took place on August 19, 2023, targeted the employee's T-Mobile account, the company said. "Specifically, T-Mobile, without any authority from or contact with Kroll or its employee, transferred that employee's phone number to the threat actor's phone at their request," it said in an advisory. This enabled the unidentified actor to gain access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX, and Genesis. SIM swapping (aka SIM splitting or simjacking), while generally a benign process, could be exploited by threat actors to fraudulently activate a SIM card under their control with a victim's phone number. This makes it possible to intercept SMS messages and voice calls and receive MFA-related messages that cont

The Hacker News

August 26, 2023 – Malware

The Three Malware Loaders Behind 80% of Incidents Full Text

Abstract QakBot, SocGholish, and Raspberry Robin are the most prevalent malware loaders causing havoc for security teams, with QakBot being the most versatile and persistent threat.

Cyware

August 26, 2023 – Policy and Law

DOJ Charged Tornado Cash Founders With Laundering More Than $1 Billion Full Text

Abstract The duo operated the Tornado Cash cryptocurrency mixer that facilitated more than $1 billion in money laundering transactions and laundered hundreds of millions of dollars for the Lazarus APT group.

Cyware

August 26, 2023 – Criminals

Adversary On The Defense: ANTIBOT.PW Full Text

Abstract The Antibot web traffic filtering service, originally a GitHub project, has evolved into a commercial platform for malicious actors, offering features like cloaking to evade analysis and prolong phishing and malware campaigns.

Cyware

August 26, 2023 – Breach

Malwarebytes Announces Acquisition of Online Privacy Company Cyrus Full Text

Abstract This strategic acquisition reinforces Malwarebytes' commitment to privacy by giving users more control over their information, no matter where or how they choose to browse and interact online.

Cyware

August 26, 2023 – Criminals

Update: Prospect Medical Stolen Data Listed for Sale by Emerging Ransomware Group Full Text

Abstract The Rhysida ransomware group claimed responsibility for a ransomware attack against Prospect Medical Holdings that forced multiple hospital closures earlier this month and continues to impact operations.

Cyware

August 26, 2023 – Breach

Thousands of SSNs Leaked After Ransomware Attack on Ohio State Archive Organization Full Text

Abstract One of the oldest historical societies in the state of Ohio was hit with a ransomware attack that leaked the sensitive information of thousands, according to a statement the organization released this week.

Cyware

August 26, 2023 – Business

Cypago Raises $13 Million for GRC Automation Platform Full Text

Abstract The new investment will allow Cypago to expand its research and development, product, and go-to-market teams, and grow its presence in the North American and European markets.

Cyware

August 25, 2023 – Breach

Bankrupt Crypto Platforms FTX and BlockFi Warn Customers of Data Breach Full Text

Abstract FTX learned that Kroll, the claims agent in the bankruptcy, experienced a cybersecurity incident that compromised non-sensitive customer data of certain claimants in the pending bankruptcy case.

Cyware

August 25, 2023 – Policy and Law

Two LAPSUS$ Hackers Convicted in London Court for High-Profile Tech Firm Hacks Full Text

Abstract Two U.K. teenagers have been convicted by a jury in London for being part of the notorious LAPSUS$ transnational gang and for orchestrating a series of brazen, high-profile hacks against major tech firms and demanding a ransom in exchange for not leaking the stolen information. This includes Arion Kurtaj (aka White, Breachbase, WhiteDoxbin, and TeaPotUberHacker), an 18-year-old from Oxford, and an unnamed minor, who began collaborating in July 2021 after having met online, BBC reported this week. Both the defendants were initially arrested and released under investigation in January 2022, only to be re-arrested and charged by the City of London Police in April 2022. Kurtaj was subsequently granted bail and moved to a hotel in Bicester after he was doxxed in an online cybercrime forum. He, however, continued his hacking spree, targeting companies like Uber, Revolut, and Rockstar Games, as a result of which he was arrested again in September. Another alleged member of the

The Hacker News

August 25, 2023 – APT

China-linked Flax Typhoon APT targets Taiwan Full Text

Abstract China-linked APT group Flax Typhoon targeted dozens of organizations in Taiwan as part of a suspected espionage campaign. Microsoft linked the Chinese APT Flax Typhoon (aka Ethereal Panda) to a cyber espionage campaign that targeted dozens of organizations...

Security Affairs

August 25, 2023 – Vulnerabilities

Cisco NX-OS Software TACACS+ or RADIUS Remote Authentication Directed Request Denial of Service Vulnerability Full Text

Abstract This vulnerability can only be exploited over Telnet, which is disabled by default, or over the console management connection. This vulnerability cannot be exploited over SSH connections to the device.

Cyware

August 25, 2023 – Education

Learn How Your Business Data Can Amplify Your AI/ML Threat Detection Capabilities Full Text

Abstract In today's digital landscape, your business data is more than just numbers: it's a powerhouse. Imagine leveraging this data not only for profit but also for enhanced AI and Machine Learning (ML) threat detection. For companies like Comcast, this isn't a dream. It's reality. Your business comprehends its risks, vulnerabilities, and the unique environment in which it operates. No generic, one-size-fits-all tool can capture this nuance. By utilizing your own data, you position yourself ahead of potential threats, enabling informed decisions and safeguarding your assets. Join our groundbreaking webinar, "Clean Data, Better Detections: Using Your Business Data for AI/ML Detections," to unearth how your distinct business data can be the linchpin to amplifying your AI/ML threat detection prowess. This webinar will endow you with the insights and tools necessary to harness your business data, leading to sharper, more efficient, and potent threat detections. UPC

The Hacker News

August 25, 2023 – Botnet

Whiffy Recon malware triangulates the position of infected systems via Wi-Fi Full Text

Abstract Experts observed the SmokeLoader malware delivering a new Wi-Fi scanning malware strain dubbed Whiffy Recon. Secureworks Counter Threat Unit (CTU) researchers observed the Smoke Loader botnet dropping a new Wi-Fi scanning malware named Whiffy Recon....

Security Affairs

August 25, 2023 – Ransomware

Ransomware With an Identity Crisis Targets Small Businesses, Individuals Full Text

Abstract A key reason it was so tricky for researchers to identify TZW as a spinoff of Adhubllka is because of the small ransom demands the group typically makes. At such a level, victims often pay attackers and the attackers continue to fly under the radar.

Cyware

August 25, 2023 – Education

Navigating Legacy Infrastructure: A CISO’s Actionable Strategy for Success Full Text

Abstract Every company has some level of tech debt. Unless you're a brand new start-up, you most likely have a patchwork of solutions that have been implemented throughout the years, often under various leadership teams with different priorities and goals. As those technologies age, they can leave your organization vulnerable to cyber threats. While replacing legacy technologies can be costly, those costs may pale in comparison to a breach, both in terms of immediate financial impact and reputational damage. Here are three ways you can communicate risk to your leadership team as you work to replace legacy infrastructure. 1: Make the Risk Real. Leadership teams are driven by quantifiable business implications. The best way to get support for updating or replacing legacy technology is to make the risk to the business real, and measurable, in a language they understand. One way to do this is to look at the list of critical vulnerabilities that you've identified, then evaluate the impact t

The Hacker News

August 25, 2023 – Government

FBI: Patches for Barracuda ESG Zero-Day CVE-2023-2868 are ineffective Full Text

Abstract The FBI warned that patches for a critical Barracuda ESG flaw CVE-2023-2868 are "ineffective" and patched appliances are still being hacked. The Federal Bureau of Investigation warned that security patches for critical vulnerability CVE-2023-2868...

Security Affairs

August 25, 2023 – Breach

Nearly 1,000 Organizations, 60 Million Individuals Impacted by MOVEit Hack Full Text

Abstract On August 14 and 15, the cybercriminals leaked nearly 1 Tb of information allegedly stolen from 16 of the victims, Resecurity said. These victims include UCLA, Siemens Energy, Cognizant, and cybersecurity firms Norton LifeLock and Netscout.

Cyware

August 25, 2023 – Hacker

China-Linked Flax Typhoon Cyber Espionage Targets Taiwan’s Key Sectors Full Text

Abstract A nation-state activity group originating from China has been linked to cyber attacks on dozens of organizations in Taiwan as part of a suspected espionage campaign. The Microsoft Threat Intelligence team is tracking the activity under the name Flax Typhoon, which is also known as Ethereal Panda. "Flax Typhoon gains and maintains long-term access to Taiwanese organizations' networks with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks," the company said. It further said it hasn't observed the group weaponize the access to conduct data-collection and exfiltration. A majority of the targets include government agencies, educational institutions, critical manufacturing, and information technology organizations in Taiwan. A smaller number of victims have also been detected in Southeast Asia, North America, and Africa. The group is suspected to have been active si

The Hacker News

August 25, 2023 – Breach

Title Lender TMX Now Says Payment Card Data Stolen in Breach Full Text

Abstract A revised data breach notification is being sent to victims stating that attackers may have also stolen their credit/debit card number, beyond the raft of personal information.

Cyware

August 25, 2023 – Vulnerabilities

Urgent FBI Warning: Barracuda Email Gateways Vulnerable Despite Recent Patches Full Text

Abstract The U.S. Federal Bureau of Investigation (FBI) is warning that Barracuda Networks Email Security Gateway (ESG) appliances patched against a recently disclosed critical flaw continue to be at risk of potential compromise from suspected Chinese hacking groups. It also deemed the fixes as "ineffective" and that it "continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit." Tracked as CVE-2023-2868 (CVSS score: 9.8), the zero-day bug is said to have been weaponized as early as October 2022, more than seven months before the security hole was plugged. Google-owned Mandiant is tracking the China-nexus activity cluster under the name UNC4841. The remote command injection vulnerability, impacting versions 5.1.3.001 through 9.2.0.006, allows for unauthorized execution of system commands with administrator privileges on the ESG product. In the attacks observed so far, a successful b

The Hacker News

August 25, 2023 – Attack

China-based ‘Flax Typhoon’ hackers targeting Taiwan govt: Microsoft Full Text

Abstract The activities observed suggest the threat actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible.

Cyware

August 25, 2023 – General

Time keeps on slippin’ slippin’ slippin’: The 2023 Active Adversary Report for Tech Leaders Full Text

Abstract In H1 2023, compromised credentials accounted for 50% of root causes, whereas exploiting a bug came in at 23%. We can’t conclusively say that attackers are favoring compromised credentials over vulnerabilities, but it can’t be denied either.

Cyware

August 25, 2023 – Hacker

New Luna Grabber Poses as Roblox Packages, Strikes NPM Full Text

Abstract Malicious actors are targeting Roblox developers with a new malware called Luna Grabber, distributed through npm packages that impersonate legitimate software. These fake packages, including noblox.js-vps, noblox.js-ssh, and noblox.js-secure, house malicious multi-stage payloads. This campaign ... Read More

Cyware

August 25, 2023 – Vulnerabilities

Researchers released PoC exploit for Ivanti Sentry flaw CVE-2023-38035 Full Text

Abstract The vulnerability could be exploited to access sensitive API data and configurations, run system commands, or write files onto the system. The vulnerability CVE-2023-38035 impacts Sentry versions 9.18 and prior.

Cyware

August 24, 2023 – Cryptocurrency

Millions stolen from crypto platforms Exactly Protocol and Harbor Protocol Full Text

Abstract Two DeFi platforms, Exactly and Harbor, fell victim to cyberattacks resulting in the theft of millions of dollars' worth of cryptocurrency. Exactly Protocol confirmed suffering a loss of around $7.3 million worth of ETH.

Cyware

August 24, 2023 – Hacker

Lazarus Group Exploits Critical Zoho ManageEngine Flaw to Deploy Stealthy QuiteRAT Malware Full Text

Abstract The North Korea-linked threat actor known as Lazarus Group has been observed exploiting a now-patched critical security flaw impacting Zoho ManageEngine ServiceDesk Plus to distribute a remote access trojan called QuiteRAT. Targets include internet backbone infrastructure and healthcare entities in Europe and the U.S., cybersecurity company Cisco Talos said in a two-part analysis published today. What's more, a closer examination of the adversary's recycled attack infrastructure in its cyber assaults on enterprises has led to the discovery of a new threat dubbed CollectionRAT. The fact that the Lazarus Group continues to rely on the same tradecraft despite those components being well-documented over the years underscores the threat actor's confidence in their operations, Talos pointed out. QuiteRAT is said to be a successor to MagicRAT, itself a follow-up to TigerRAT, while CollectionRAT appears to share overlaps with EarlyRAT (aka Jupiter), an im

The Hacker News

August 24, 2023 – Vulnerabilities

Researchers released PoC exploit for Ivanti Sentry flaw CVE-2023-38035 Full Text

Abstract Proof-of-concept exploit code for critical Ivanti Sentry authentication bypass flaw CVE-2023-38035 has been released. Researchers released a proof-of-concept (PoC) exploit code for critical Ivanti Sentry authentication bypass vulnerability CVE-2023-38035...

Security Affairs

August 24, 2023 – Malware

Smoke Loader Drops Whiffy Recon Wi-Fi Scanning and Geolocation Malware Full Text

Abstract Whiffy Recon works by checking for the WLAN AutoConfig service (WLANSVC) on the infected system and terminating itself if the service name doesn't exist. Persistence is achieved by means of a shortcut that's added to the Windows Startup folder.

Cyware

August 24, 2023 – Phishing

New Telegram Bot “Telekopye” Powering Large-scale Phishing Scams from Russia Full Text

Abstract A new financially motivated operation is leveraging a malicious Telegram bot to help threat actors scam their victims. Dubbed Telekopye, a portmanteau of Telegram and kopye (meaning "spear" in Russian), the toolkit functions as an automated means to create a phishing web page from a premade template and send the URL to potential victims, codenamed Mammoths by the criminals. "This toolkit is implemented as a Telegram bot that, when activated, provides several easy-to-navigate menus in the form of clickable buttons that can accommodate many scammers at once," ESET researcher Radek Jizba said in a report shared with The Hacker News. The exact origins of the threat actors, dubbed Neanderthals, are unclear, but evidence points to Russia as the country of origin of the toolkit's authors and users, owing to the use of Russian SMS templates and the fact that a majority of the targeted online marketplaces are popular in the country. Multiple versions of Teleko

The Hacker News

August 24, 2023 – Attack

Lazarus APT exploits Zoho ManageEngine flaw to target an Internet backbone infrastructure provider Full Text

Abstract The North Korea-linked Lazarus group exploits a critical flaw in Zoho ManageEngine ServiceDesk Plus to deliver the QuiteRAT malware. The North Korea-linked APT group Lazarus has been exploiting a critical vulnerability, tracked as CVE-2022-47966,...

Security Affairs

August 24, 2023 – Hacker

Telekopye: Hunting Mammoths using Telegram bot Full Text

Abstract The exact origins of the threat actors, dubbed Neanderthals, are unclear, but evidence points to Russia as the country of origin of the toolkit's authors and users, owing to the use of Russian SMS templates.

Cyware

August 24, 2023 – General

The Hidden Dangers of Public Wi-Fi Full Text

Abstract Public Wi-Fi, which has long since become the norm, poses threats to not only individual users but also businesses. With the rise of remote work, people can now work from virtually anywhere: a cafe close to home, a hotel in a different city, or even while waiting for a plane at the airport. Next, let's explore the risks of connecting to public Wi-Fi, both for you personally and for businesses. According to the  Forbes Advisor  the majority of people (56%) connect to public Wi-Fi networks that don't require a password. This convenience comes at a price, and many are unaware that attackers can steal card details, passwords, and other sensitive information. Man-in-the-Middle (MITM) Attacks:  This is one of the most common threats on public Wi-Fi. In an MITM attack, the hacker secretly intercepts and possibly alters the communication between two parties. The user believes they are directly communicating with a website, email server, or another user, but the hacker is relaying t

The Hacker News

August 24, 2023 – Policy and Law

Lapsus$ member has been convicted of having hacked multiple high-profile companies Full Text

Abstract An 18-year-old member of the Lapsus$ gang has been convicted of having helped hack multiple high-profile companies. A teenage member of the Lapsus$ data extortion group, Arion Kurtaj (18), was convicted by a London jury of having hacked multiple...

Security Affairs

August 24, 2023 – Malware

Lazarus Group Exploits ManageEngine Vulnerability to Deploy QuiteRAT Full Text

Abstract QuiteRAT is clearly an evolution of MagicRAT. While MagicRAT is a bigger, bulkier malware family averaging around 18MB in size, QuiteRAT is a much smaller implementation, averaging around 4 to 5MB in size.

Cyware

August 24, 2023 – Malware

New “Whiffy Recon” Malware Triangulates Infected Device Location via Wi-Fi Every Minute Full Text

Abstract The SmokeLoader malware is being used to deliver a new Wi-Fi scanning malware strain called Whiffy Recon on compromised Windows machines. "The new malware strain has only one operation. Every 60 seconds it triangulates the infected systems' positions by scanning nearby Wi-Fi access points as a data point for Google's geolocation API," Secureworks Counter Threat Unit (CTU) said in a statement shared with The Hacker News. "The location returned by Google's Geolocation API is then sent back to the adversary." SmokeLoader, as the name implies, is a loader malware whose sole purpose is to drop additional payloads onto a host. Since 2014, the malware has been offered for sale to Russian-based threat actors. It's traditionally distributed via phishing emails. Whiffy Recon works by checking for the WLAN AutoConfig service (WLANSVC) on the infected system and terminating itself if the service name doesn't exist. It's worth noting that th

The Hacker News

August 24, 2023 – Vulnerabilities

More than 3,000 Openfire servers exposed to attacks using a new exploit Full Text

Abstract Researchers warn that more than 3,000 unpatched Openfire servers are exposed to attacks using an exploit for a recent flaw. Vulncheck researchers discovered more than 3,000 Openfire servers vulnerable to the CVE-2023-32315 flaw that are exposed to attacks...

Security Affairs

August 24, 2023 – APT

nao-sec.org Full Text

Abstract The APT group starts by sending a spear-phishing email, which consists of a DOC file embedded with a URL for a ZIP file download. Once the ZIP file gets downloaded, it contains an EXE file and a DLL file which are executed to infect malware.

Cyware

August 24, 2023 – Attack

WinRAR Security Flaw Exploited in Zero-Day Attacks to Target Traders Full Text

Abstract A recently patched security flaw in the popular WinRAR archiving software has been exploited as a zero-day since April 2023, new findings from Group-IB reveal. The vulnerability, cataloged as CVE-2023-38831, allows threat actors to spoof file extensions, thereby making it possible to launch malicious scripts contained within an archive that masquerades as seemingly innocuous image or text files. It was addressed in version 6.23 released on August 2, 2023, alongside CVE-2023-40477. In attacks discovered by the Singapore-based firm in July 2023, specially crafted ZIP or RAR archive files distributed via trading-related forums such as Forex Station have been used to deliver a variety of malware families such as DarkMe, GuLoader, and Remcos RAT. "After infecting devices, the cybercriminals withdraw money from broker accounts," Group-IB malware analyst Andrey Polovinkin said, adding as many as 130 traders' devices have been compromised as part of the campaign. T

The Hacker News

August 24, 2023 – Vulnerabilities

Bugs in NVIDIA Graphics Driver Leads to Memory Corruption Full Text

Abstract An attacker could exploit these vulnerabilities from guest machines running virtualization environments to perform a guest-to-host escape, as we’ve illustrated with previous vulnerabilities in NVIDIA graphics drivers.

Cyware

August 24, 2023 – Vulnerabilities

Thousands of Unpatched Openfire XMPP Servers Still Exposed to High-Severity Flaw Full Text

Abstract Thousands of Openfire XMPP servers are unpatched against a recently disclosed high-severity flaw and are susceptible to a new exploit, according to a new report from VulnCheck. Tracked as CVE-2023-32315 (CVSS score: 7.5), the vulnerability relates to a path traversal vulnerability in Openfire's administrative console that could permit an unauthenticated attacker to access otherwise restricted pages reserved for privileged users. It affects all versions of the software released since April 2015, starting with version 3.10.0. It was remediated by its developer, Ignite Realtime, earlier this May with the release of versions 4.6.8, 4.7.5, and 4.8.0. "Path traversal protections were already in place to protect against exactly this kind of attack, but didn't defend against certain non-standard URL encoding for UTF-16 characters that were not supported by the embedded web server that was in use at the time," the maintainers said in a detailed advisory. "A

The Hacker News

August 24, 2023 – Attack

More than 3,000 Openfire servers exposed to attacks using a new exploit Full Text

Abstract The experts pointed out that the bug has been exploited for more than two months, but has yet to be added to the CISA KEV catalog. The researchers discovered approximately 6,300 servers on Shodan and a bit more using the Censys search engine.

Cyware

August 24, 2023 – Policy and Law

Tornado Cash Founders Charged in Billion-Dollar Crypto Laundering Scandal Full Text

Abstract The U.S. Justice Department (DoJ) on Wednesday unsealed an indictment against two founders of the now-sanctioned Tornado Cash cryptocurrency mixer service, charging them with laundering more than $1 billion in criminal proceeds. Both the individuals, Roman Storm and Roman Semenov, have been charged with conspiracy to commit money laundering, conspiracy to commit sanctions violations, and conspiracy to operate an unlicensed money-transmitting business. Storm, 34, is said to have been arrested in the U.S. state of Washington. Semenov, 35, remains at large in Dubai. They are alleged to have "made millions of dollars in profits" from promoting and operating the service. Tornado Cash is estimated to have processed upwards of $7 billion worth of crypto assets over a period of three years. In a related move, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned Semenov and eight cryptocurrency addresses connected to him, days after a U.S. cou

The Hacker News

August 23, 2023 – Business

Thoma Bravo Merges ForgeRock with Ping Identity Full Text

Abstract Private equity powerhouse Thoma Bravo on Wednesday announced plans to merge the just-acquired ForgeRock with Ping Identity, combining two of the biggest names in the enterprise identity and access management market.

Cyware

August 23, 2023 – Government

North Korean Affiliates Suspected in $40M Cryptocurrency Heist, FBI Warns Full Text

Abstract The U.S. Federal Bureau of Investigation (FBI) on Tuesday warned that threat actors affiliated with North Korea may attempt to cash out stolen cryptocurrency worth more than $40 million. The law enforcement agency attributed the blockchain activity to an adversary the U.S. government tracks as TraderTraitor, which is also known by the name Jade Sleet. An investigation undertaken by the FBI found that the group moved approximately 1,580 bitcoin from several cryptocurrency heists over the past 24 hours and are currently said to be holding those funds in six different wallets. North Korea is known to blur the lines among cyber warfare, espionage, and financial crime. TraderTraitor, in particular, has been linked to a series of attacks targeting blockchain and cryptocurrency exchanges with the goal of plundering digital assets to generate illicit revenue for the sanctions-hit nation. This includes the $60 million theft of virtual currency from Alphapo on June 22, 2023; the $37 m

The Hacker News

August 23, 2023 – Policy and Law

DoJ charged Tornado Cash founders with laundering more than $1 billion Full Text

Abstract The U.S. DoJ charged two men with operating the Tornado Cash service and laundering more than $1 billion in criminal proceeds. The U.S. Justice Department charged the two Tornado Cash founders, Roman Storm and Roman Semenov, with one count...

Security Affairs

August 23, 2023 – Government

FBI Says North Korea’s Lazarus Hackers Behind Recent Crypto Heists Full Text

Abstract June saw three headline-grabbing incidents involving cryptocurrency companies: a $100 million hack of Atomic Wallet on June 2, as well as two June 22 attacks in which cybercriminals stole $60 million from Alphapo and $37 million from CoinsPaid.

Cyware

August 23, 2023 – Solution

Meta Set to Enable Default End-to-End Encryption on Messenger by Year End Full Text

Abstract Meta has once again reaffirmed its plans to roll out support for end-to-end encryption (E2EE) by default for one-to-one friends and family chats on Messenger by the end of the year. As part of that effort, the social media giant said it's upgrading "millions more people's chats" effective August 22, 2023, exactly seven months after it started gradually expanding the feature to more users in January 2023. The changes are part of CEO Mark Zuckerberg's "privacy-focused vision for social networking" that was announced in 2019, although it has since encountered significant technical challenges, causing it to delay its plans by a year. "Like many messaging services, Messenger and Instagram DMs were originally designed to function via servers," Timothy Buck, product manager for Messenger, said. "Meta's servers act as the gateway between the message sender and receiver, what we call the clients." However, the addition of an

The Hacker News

August 23, 2023 – Cryptocurrency

FBI identifies wallets holding cryptocurrency funds stolen by North Korea Full Text

Abstract The U.S. FBI warned that North Korea-linked threat actors may attempt to cash out stolen cryptocurrency worth more than $40 million. The Federal Bureau of Investigation shared details about the activity of six cryptocurrency wallets operated by North...

Security Affairs

August 23, 2023 – Vulnerabilities

3,000 Openfire Servers Exposed to Attacks Targeting Recent Vulnerability Full Text

Abstract Tracked as CVE-2023-32315, the high-severity flaw was discovered in Openfire’s administration console and is described as a path traversal bug via the setup environment that allows unauthenticated attackers to access restricted pages.

Cyware

August 23, 2023 – Hacker

Agile Approach to Mass Cloud Credential Harvesting and Crypto Mining Sprints Ahead Full Text

Abstract Developers are not the only people who have adopted the agile methodology for their development processes. From 2023-06-15 to 2023-07-11, Permiso Security's p0 Labs team identified and tracked an attacker developing and deploying eight (8) incremental iterations of their credential harvesting malware while continuing to develop infrastructure for an upcoming (spoiler: now launched) campaign targeting various cloud services. While last week Aqua Security published a blog detailing this under-development campaign's stages related to infected Docker images, today Permiso p0 Labs and SentinelLabs are releasing joint research highlighting the incremental updates to the cloud credential harvesting malware samples systematically collected by monitoring the attacker's infrastructure. So get out of your seats and enjoy this scrum meeting stand-up dedicated to sharing knowledge about this actor's campaign and the tooling they will use to steal more cloud credentials. If you like IDA scree

The Hacker News

August 23, 2023 – APT

Carderbee APT targets Hong Kong orgs via supply chain attacks Full Text

Abstract A previously unknown APT group, tracked as Carderbee, was behind a supply chain attack against Hong Kong organizations. Symantec Threat Hunter Team reported that a previously unknown APT group, tracked as Carderbee, used a malware-laced version of the legitimate...

Security Affairs

August 23, 2023 – Breach

University of Minnesota Investigates Alleged Data Breach Involving Seven Million Alumni Full Text

Abstract The University of Minnesota has contacted law enforcement and launched an investigation into a data breach that could impact millions of alumni. A hacker claimed to have collected 7 million Social Security numbers in July.

Cyware

August 23, 2023 – Hacker

Syrian Threat Actor EVLF Unmasked as Creator of CypherRAT and CraxsRAT Android Malware Full Text

Abstract A Syrian threat actor named EVLF has been outed as the creator of the malware families CypherRAT and CraxsRAT. "These RATs are designed to allow an attacker to remotely perform real-time actions and control the victim device's camera, location, and microphone," cybersecurity firm Cyfirma said in a report published last week. CypherRAT and CraxsRAT are said to be offered to other cybercriminals as part of a malware-as-a-service (MaaS) scheme. As many as 100 unique threat actors are estimated to have purchased the twin tools on a lifetime license over the past three years. EVLF is said to have been operating a web shop to advertise their warez since at least September 2022. CraxsRAT is billed as an Android trojan that enables a threat actor to remotely control an infected device from a Windows computer, with the developer consistently releasing new updates based on feedback from customers. The malicious package is generated using a builder, which comes with options to cus

The Hacker News

August 23, 2023 – Vulnerabilities

TP-Link Tapo L530E smart bulb flaws allow hackers to steal user passwords Full Text

Abstract Four vulnerabilities in the TP-Link Tapo L530E smart bulb, also impacting the mobile app used to control it, expose users to attacks. Researchers from the University of Catania (Italy) and the University of London (UK) have discovered four vulnerabilities...

Security Affairs

August 23, 2023 – Government

CISA Prioritizing On-Site K-12 Cybersecurity Reviews This School Year Full Text

Abstract The assessments can encompass a wide range of individualized reviews and actions, from preventing cyber-enabled fraud schemes to combating ransomware attacks and other digital intrusions.

Cyware

August 23, 2023 – Ransomware

Spacecolon Toolset Fuels Global Surge in Scarab Ransomware Attacks Full Text

Abstract A malicious toolset dubbed Spacecolon is being deployed as part of an ongoing campaign to spread variants of the Scarab ransomware across victim organizations globally. "It probably finds its way into victim organizations by its operators compromising vulnerable web servers or via brute forcing RDP credentials," ESET security researcher Jakub Souček said in a detailed technical write-up published Tuesday. The Slovak cybersecurity firm, which dubbed the threat actor CosmicBeetle, said the origins of Spacecolon date back to May 2020. The highest concentration of victims has been detected in France, Mexico, Poland, Slovakia, Spain, and Turkey. While the exact provenance of the adversary is unclear, several Spacecolon variants are said to contain Turkish strings, likely pointing to the involvement of a Turkish-speaking developer. There is no evidence currently linking it to any other known threat actor group. Some of the targets include a hospital and a tourist reso

The Hacker News

August 23, 2023 – Vulnerabilities

First Weekly Chrome Security Update Patches High-Severity Vulnerabilities Full Text

Abstract Google this week announced a Chrome 116 security update that patches five memory safety vulnerabilities reported by external researchers, including four issues rated ‘high severity’.

Cyware

August 23, 2023 – Malware

Over a Dozen Malicious npm Packages Target Roblox Game Developers Full Text

Abstract More than a dozen malicious packages have been discovered on the npm package repository since the start of August 2023 with capabilities to deploy an open-source information stealer called Luna Token Grabber on systems belonging to Roblox developers. The ongoing campaign, first detected on August 1 by ReversingLabs, employs modules that masquerade as the legitimate package noblox.js, an API wrapper that's used to create scripts that interact with the Roblox gaming platform. The software supply chain security company described the activity as a "replay of an attack uncovered two years ago" in October 2021. "The malicious packages [...] reproduce code from the legitimate noblox.js package but add malicious, information-stealing functions," software threat researcher Lucija Valentić said in a Tuesday analysis. The packages were cumulatively downloaded 963 times before they were taken down. The names of the rogue packages are as follows - noblox.js-v

The Hacker News

August 23, 2023 – Ransomware

Report: Ransomware Attackers’ Dwell Time Shrinks Full Text

Abstract Ransomware-wielding hackers are moving faster than ever to pull the trigger on malicious encryption - but they could be bumping up against the limits of how fast they can go, said security researchers from Sophos.

Cyware

August 23, 2023 – Attack

Ransomware Intrusion Impacts All Servers of Danish Cloud Provider Full Text

Abstract The attack occurred on August 18, and since then, efforts have been made to restore the data, but it has proved difficult. CloudNordic has stated that it will not pay the ransom demanded by the hackers.

Cyware

August 23, 2023 – APT

Supply Chain Attack: Carderbee APT Strikes Hong Kong Organizations Full Text

Abstract Undocumented threat cluster Carderbee was observed targeting organizations in Hong Kong and other Asian regions via a trojanized version of the legitimate software EsafeNet Cobra DocGuard Client to deliver the PlugX backdoor and gain access to victim networks. Strengthening supply chain security th...

Cyware

August 23, 2023 – Breach

Defense Contractor Belcan Leaks Admin Password With a List of Flaws Full Text

Abstract On May 15th, the Cybernews research team discovered an open Kibana instance containing sensitive information regarding Belcan, their employees, and internal infrastructure.

Cyware

August 22, 2023 – Criminals

MOVEit Attack Spree Makes Clop This Summer’s Most-Prolific Ransomware Group Full Text

Abstract Clop was responsible for one-third of all ransomware attacks in July, positioning the financially-motivated threat actor to become the most prolific ransomware threat actor this summer, according to multiple threat intelligence reports.

Cyware

August 22, 2023 – General

CISOs Tout SaaS Cybersecurity Confidence, But 79% Admit to SaaS Incidents, New Report Finds Full Text

Abstract A new State of SaaS Security Posture Management Report from SaaS cybersecurity provider AppOmni indicates that cybersecurity, IT, and business leaders alike recognize SaaS cybersecurity as an increasingly important part of the cyber threat landscape. And at first glance, respondents appear generally optimistic about their SaaS cybersecurity. Over 600 IT, cybersecurity, and business leaders at companies with between 500 and 2,500+ employees were surveyed and responded with confidence in their SaaS cybersecurity preparedness and capabilities. For example: When asked to rate the SaaS cybersecurity maturity level of their organizations, 71% noted that their organizations' SaaS cybersecurity maturity has achieved either a mid-high level (43%) or the highest level (28%). For the security levels of the SaaS applications authorized for use in their organization, sentiment was similarly high. Seventy-three percent rated SaaS application security as mid-high (41%) or the highest maturity level (

The Hacker News

August 22, 2023 – Breach

Defense contractor Belcan leaks admin password with a list of flaws Full Text

Abstract US Government and defense contractor Belcan left its super admin credentials open to the public, Cybernews research team reveals. Belcan is a government, defense, and aerospace contractor offering global design, software, manufacturing, supply chain,...

Security Affairs

August 22, 2023 – Malware

Thousands of Android Malware Apps Use Stealthy APKs to Bypass Security Full Text

Abstract Threat actors are reportedly exploiting APK files that employ unknown or unsupported compression methods to bypass malware analysis, warned cybersecurity firm Zimperium. The approach hinders decompilation efforts while still enabling installation on Android devices running OS versions above Android...

Cyware

August 22, 2023 – Attack

Carderbee Attacks: Hong Kong Organizations Targeted via Malicious Software Updates Full Text

Abstract A previously undocumented threat cluster has been linked to a software supply chain attack targeting organizations primarily located in Hong Kong and other regions in Asia. The Symantec Threat Hunter Team, part of Broadcom, is tracking the activity under its insect-themed moniker Carderbee. The attacks, per the cybersecurity firm, leverage a trojanized version of a legitimate software called EsafeNet Cobra DocGuard Client to deliver a known backdoor called PlugX (aka Korplug) on victim networks. "In the course of this attack, the attackers used malware signed with a legitimate Microsoft certificate," the company said in a report shared with The Hacker News. The use of Cobra DocGuard Client to pull off a supply chain attack was previously highlighted by ESET in its quarterly Threat Report this year, detailing a September 2022 intrusion in which an unnamed gambling company in Hong Kong was compromised via a malicious update pushed by the software. The same company

The Hacker News

August 22, 2023 – Criminals

Akira ransomware gang spotted targeting Cisco VPN products to hack organizations Full Text

Abstract The Akira ransomware gang targets Cisco VPN products to gain initial access to corporate networks and steal their data. The Akira ransomware has been active since March 2023; the threat actors behind the malware claim to have already hacked multiple...

Security Affairs

August 22, 2023 – Hacker

EVLF DEV - Knowing the Creator of CypherRAT and CraxsRAT Full Text

Abstract A fresh player in the realm of cyber threats has emerged under the moniker EVLF DEV, operating as a Malware-as-a-Service (MaaS) provider. Hailing from Syria and active for over eight years, this actor has developed the CypherRAT and CraxsRAT malware strains. To counteract such campaigns by maliciou...

Cyware

August 22, 2023 – Malware

New Variant of XLoader macOS Malware Disguised as ‘OfficeNote’ Productivity App Full Text

Abstract A new variant of an Apple macOS malware called XLoader has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called "OfficeNote." "The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg," SentinelOne security researchers Dinesh Devadoss and Phil Stokes said in a Monday analysis. "The application contained within is signed with the developer signature MAIT JAKHU (54YDV8NU9C)." XLoader, first detected in 2020, is considered a successor to Formbook and is an information stealer and keylogger offered under the malware-as-a-service (MaaS) model. A macOS variant of the malware emerged in July 2021, distributed as a Java program in the form of a compiled .JAR file. "Such files require the Java Runtime Environment, and for that reason the malicious .jar file will not execute on a macOS install out of the box, since Apple stopped shipping JRE with

The Hacker News

August 22, 2023 – Criminals

Snatch gang claims the hack of the Department of Defence South Africa Full Text

Abstract The Snatch gang claims the hack of the Department of Defence South Africa and has added the military organization to its leak site. The Snatch ransomware group added the Department of Defence South Africa to its data leak site. The mission of the Department...

Security Affairs

August 22, 2023 – Breach

Two Data Breaches in Gadsden: Court System, EMS Report That Data May Have Been Stolen Full Text

Abstract The 2nd Judicial Circuit announced Monday that law enforcement is investigating a data breach involving Gadsden County court records. In a news release, the circuit said that initial assessments show some of the records contained PII.

Cyware

August 22, 2023 – Vulnerabilities

Ivanti Warns of Critical Zero-Day Flaw Being Actively Exploited in Sentry Software Full Text

Abstract Software services provider Ivanti is warning of a new critical zero-day flaw impacting Ivanti Sentry (formerly MobileIron Sentry) that it said is being actively exploited in the wild, marking an escalation of its security woes. Tracked as CVE-2023-38035 (CVSS score: 9.8), the issue has been described as a case of authentication bypass impacting versions 9.18 and prior due to what it called an insufficiently restrictive Apache HTTPD configuration. "If exploited, this vulnerability enables an unauthenticated actor to access some sensitive APIs that are used to configure the Ivanti Sentry on the administrator portal (port 8443, commonly MICS)," the company said. "While the issue has a high CVSS score, there is a low risk of exploitation for customers who do not expose port 8443 to the internet." Successful exploitation of the bug could allow an attacker to change configuration, run system commands, or write files onto the system. It's recommen

The Hacker News

August 22, 2023 – Government

CISA adds critical Adobe ColdFusion flaw to its Known Exploited Vulnerabilities catalog Full Text

Abstract US CISA added critical vulnerability CVE-2023-26359 in Adobe ColdFusion to its Known Exploited Vulnerabilities catalog. US Cybersecurity and Infrastructure Security Agency (CISA) added a critical flaw CVE-2023-26359 (CVSS score 9.8) affecting...

Security Affairs

August 22, 2023 – Breach

Snatch Gang Claims the Hack of South Africa’s Department of Defense Full Text

Abstract The group claims to have stolen military contracts, internal call signs, and personal data, amounting to 1.6 TB. If the attack gets confirmed, the disclosure of confidential information poses a serious risk to organizations involved in the contracts.

Cyware

August 22, 2023 – Vulnerabilities

Critical Adobe ColdFusion Flaw Added to CISA’s Exploited Vulnerability Catalog Full Text

Abstract The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability, cataloged as CVE-2023-26359 (CVSS score: 9.8), relates to a deserialization flaw present in Adobe ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (Update 5 and earlier) that could result in arbitrary code execution in the context of the current user without requiring any interaction. Deserialization (aka unmarshaling) refers to the process of reconstructing a data structure or an object from a byte stream. But when it's performed without validating its source or sanitizing its contents, it can lead to unexpected consequences such as code execution or denial-of-service (DoS). It was patched by Adobe as part of updates issued in March 2023. As of writing, it's not immediately clear how the flaw is being abused in the wil

The Hacker News

August 22, 2023 – Attack

A cyber attack hit the Australian software provider Energy One Full Text

Abstract The Australian software provider Energy One announced it was hit by a cyberattack last week that affected certain corporate systems in Australia and the UK. The Australian software provider Energy One announced that a cyberattack hit certain corporate...

Security Affairs

August 22, 2023 – APT

Carderbee APT Uses Legitimate Software in Supply Chain Attack Targeting Hong Kong Firms Full Text

Abstract The group appears to be skilled and patient, selectively pushing payloads to specific victims. The use of signed malware and supply chain attacks makes it difficult for security software to detect.

Cyware

August 22, 2023 – Vulnerabilities

Ivanti fixed a new critical Sentry API authentication bypass flaw Full Text

Abstract Ivanti warned customers of a new critical Sentry API authentication bypass vulnerability tracked as CVE-2023-38035. The software company Ivanti released urgent security patches to address a critical-severity vulnerability, tracked as CVE-2023-38035...

Security Affairs

August 22, 2023 – Business

Grip Security Raises $41 Million to Accelerate Growth and Extend its Market Full Text

Abstract The investment brings Grip Security’s total funding to $66 million and marks a major milestone for the company, further accelerating its go-to-market strategy and advancing product development.

Cyware

August 22, 2023 – Breach

Ukrainian Hackers Claim to Leak Emails of Russian Parliament Deputy Chief Full Text

Abstract Ukrainian hackers claim to have broken into the email account of a senior Russian politician and exposed documents that allegedly prove his involvement in money laundering and sanction evasion schemes.

Cyware

August 22, 2023 – Business

Cerby Raises $17 Million for Access Management Platform for Nonstandard Applications Full Text

Abstract The investment round was led by Two Sigma Ventures, with additional funding from Outpost Ventures, AV8, Bowery Capital, Founders Fund, Incubate Fund, Okta Ventures, Ridge Ventures, Salesforce Ventures, and Tau Ventures.

Cyware

August 21, 2023 – Phishing

Researchers Spoof an Apple Device and Trick Users Into Sharing Sensitive Data Full Text

Abstract The spoofed Apple device prompts users to connect their Apple ID or share a password with a nearby Apple TV, allowing threat actors to collect data such as phone numbers and Apple ID emails.

Cyware

August 21, 2023 – Vulnerabilities

New WinRAR Vulnerability Could Allow Hackers to Take Control of Your PC Full Text

Abstract A high-severity security flaw has been disclosed in the WinRAR utility that could be potentially exploited by a threat actor to achieve remote code execution on Windows systems. Tracked as CVE-2023-40477 (CVSS score: 7.8), the vulnerability has been described as a case of improper validation while processing recovery volumes. "The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer," the Zero Day Initiative (ZDI) said in an advisory. "An attacker can leverage this vulnerability to execute code in the context of the current process." Successful exploitation of the flaw requires user interaction, in that the target must be lured into visiting a malicious page or simply opening a booby-trapped archive file. A security researcher, who goes by the alias goodbyeselene, has been credited with discovering and reporting the flaw on June 8, 2023. The issue has been address

The Hacker News

August 21, 2023 – Breach

BlackCat ransomware group claims the hack of Seiko network Full Text

Abstract The BlackCat/ALPHV ransomware group claims to have hacked the Japanese maker of watches Seiko and added the company to its data leak site. On August 10, 2023, the Japanese maker of watches Seiko disclosed a data breach following a cyber attack. "Seiko...

Security Affairs

August 21, 2023 – Malware

HiatusRAT Returns after a Hiatus in a Fresh Wave of Attacks Full Text

Abstract The HiatusRAT malware group reemerged to target Taiwan-based organizations and a U.S. military procurement system, allegedly to snoop on military contracts. The audacity of the threat actors is evident in their disregard for previous disclosures and their minimal efforts to change their payload servers...

Cyware

August 21, 2023 – Solution

How to Investigate an OAuth Grant for Suspicious Activity or Overly Permissive Scopes Full Text

Abstract From a user's perspective, OAuth works like magic. In just a few keystrokes, you can whisk through the account creation process and gain immediate access to whatever new app or integration you're seeking. Unfortunately, few users understand the implications of the permissions they allow when they create a new OAuth grant, making it easy for malicious actors to manipulate employees into giving away unintended access to corporate environments. In one of the highest-profile examples, Pawn Storm's attacks against the Democratic National Convention and others leveraged OAuth to target victims through social engineering. Security and IT teams would be wise to establish a practice of reviewing new and existing OAuth grants programmatically to catch risky activity or overly-permissive scopes. And there are new solutions for SaaS security cropping up that can make this process easier. Let's take a look at some best practices for prioritizing and investigating your organization's grants

The Hacker News

August 21, 2023 – Attack

New HiatusRAT campaign targets Taiwan and U.S. military procurement system Full Text

Abstract HiatusRAT malware operators resurfaced with a new wave of attacks targeting Taiwan-based organizations and a U.S. military procurement system. In March 2023, Lumen Black Lotus Labs researchers uncovered a sophisticated campaign called “HiatusRAT”...

Security Affairs

August 21, 2023 – Criminals

Researchers Uncover Real Identity of CypherRAT and CraxsRAT Malware Developer Full Text

Abstract The CraxsRAT builder, Cyfirma says, generates highly obfuscated packages, allowing threat actors to customize the contents based on the type of attack they are preparing, including with WebView page injections.

Cyware

August 21, 2023 – Malware

This Malware Turned Thousands of Hacked Windows and macOS PCs into Proxy Servers Full Text

Abstract Threat actors are leveraging access to malware-infected Windows and macOS machines to deliver a proxy server application and use them as exit nodes to reroute proxy requests. According to AT&T Alien Labs, the unnamed company that offers the proxy service operates more than 400,000 proxy exit nodes, although it's not immediately clear how many of them were co-opted by malware installed on infected machines without user knowledge and interaction. "Although the proxy website claims that its exit nodes come only from users who have been informed and agreed to the use of their device," the cybersecurity company said it found evidence where "malware writers are installing the proxy silently in infected systems." Multiple malware families have been observed delivering the proxy to users searching for cracked software and games. The proxy software, written in the Go programming language, is capable of targeting both Windows and macOS, with the former capable o

The Hacker News

August 21, 2023 – Vulnerabilities

Spoofing an Apple device and tricking users into sharing sensitive data Full Text

Abstract White hat hackers at the recent hacking conference Def Con demonstrated how to spoof an Apple device and trick users into sharing their sensitive data. At the recent Def Con hacking conference, white hat hackers demonstrated how to spoof an Apple...

Security Affairs

August 21, 2023 – Breach

Tesla Discloses Data Breach Impacting 75,000 People’s Personal Information Full Text

Abstract A notification letter sent to impacted people reveals that the data breach is related to a couple of former employees sending confidential information to German media outlet Handelsblatt.

Cyware

August 21, 2023 – Malware

HiatusRAT Malware Resurfaces: Taiwan Firms and U.S. Military Under Attack Full Text

Abstract The threat actors behind the HiatusRAT malware have returned from their hiatus with a new wave of reconnaissance and targeting activity aimed at Taiwan-based organizations and a U.S. military procurement system. Besides recompiling malware samples for different architectures, the artifacts are said to have been hosted on new virtual private servers (VPSs), Lumen Black Lotus Labs said in a report published last week. The cybersecurity firm described the activity cluster as "brazen" and "one of the most audacious," indicating no signs of slowing down. The identity and the origin of the threat actors are presently unknown. Targets included commercial firms, such as semiconductor and chemical manufacturers, and at least one municipal government organization in Taiwan as well as a U.S. Department of Defense (DoD) server associated with submitting and retrieving proposals for defense contracts. HiatusRAT was first disclosed by the cybersecurity company in March

The Hacker News

August 21, 2023 – Government

Israel and US to Invest $3.85 Million in projects for critical infrastructure protection through the BIRD Cyber Program Full Text

Abstract Israel and US government agencies announced the BIRD Cyber Program, an investment of roughly $4M in projects to enhance the cyber resilience of critical infrastructure. The BIRD Cyber Program is a joint initiative from the Israel National Cyber Directorate...

Security Affairs

August 21, 2023 – Policy and Law

Federally Insured Credit Unions Required to Report Cyber Incidents Within 72 Hours Full Text

Abstract The new policy, National Credit Union Administration (NCUA) announced, comes into effect on September 1, and will cover all incidents that impact information systems or the integrity, confidentiality, or availability of data on those systems.

Cyware

August 21, 2023 – Criminals

Australia’s .AU Domain Administrator Denies Data Breach After Ransomware Posting Full Text

Abstract The organization that manages Australia’s internet domain .au denied that it was affected by a data breach on Friday after a ransomware gang added it to their list of victims.

Cyware

August 20, 2023 – APT

N. Korean Kimsuky APT targets S. Korea-US military exercises Full Text

Abstract North Korea-linked APT Kimsuky launched a spear-phishing campaign targeting US contractors working at the war simulation centre. North Korea-linked APT group Kimsuky carried out a spear-phishing campaign against US contractors involved in a joint...

Security Affairs

August 20, 2023 – Vulnerabilities

Four Juniper Junos OS flaws can be chained to remotely hack devices Full Text

Abstract Juniper Networks addressed multiple flaws in the J-Web component of Junos OS that could be chained to achieve remote code execution. Juniper Networks has released an "out-of-cycle" security update to address four vulnerabilities in the J-Web component...

Security Affairs

August 20, 2023 – General

Security Affairs newsletter Round 433 by Pierluigi Paganini – International edition Full Text

Abstract A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Over...

Security Affairs

August 20, 2023 – Solution

Cybersecurity: CASB vs SASE Full Text

Abstract Understanding cybersecurity aspects addressed by Cloud Access Security Broker (CASB) and Secure Access Service Edge (SASE) In an increasingly digital world, where businesses rely on cloud services and remote access, cybersecurity has become paramount....

Security Affairs

August 19, 2023 – Attack

Germany’s National Bar Association Investigating Ransomware Attack Full Text

Abstract The German Federal Bar (BRAK) Association discovered the attack on August 2. The group is an umbrella organization overseeing 28 regional bars across Germany and representing about 166,000 lawyers nationally and internationally.

Cyware

August 19, 2023 – Malware

WoofLocker Toolkit Hides Malicious Codes in Images to Run Tech Support Scams Full Text

Abstract Cybersecurity researchers have detailed an updated version of an advanced fingerprinting and redirection toolkit called WoofLocker that's engineered to conduct tech support scams. The sophisticated traffic redirection scheme was first documented by Malwarebytes in January 2020, leveraging JavaScript embedded in compromised websites to perform anti-bot and web traffic filtering checks to serve next-stage JavaScript that redirects users to a browser locker (aka browlock). This redirection mechanism, in turn, makes use of steganographic tricks to conceal the JavaScript code within a PNG image that's served only when the validation phase is successful. Should a user be detected as a bot or not interesting traffic, a decoy PNG file without the malicious code is used. WoofLocker is also known as 404Browlock due to the fact that visiting the browlock URL directly without the appropriate redirection or one-time session token results in a 404 error page. The cybersecurity firm

The Hacker News

August 19, 2023 – Ransomware

Cuba Ransomware Deploys New Tools to Target U.S. Critical Infrastructure Sector and IT Integrator in Latin America Full Text

Abstract The group's toolkit includes custom and off-the-shelf parts, such as the BUGHATCH downloader and the Metasploit framework. The attacks often start with the compromise of valid credentials through a credentials reuse scheme or vulnerability exploits.

Cyware

August 19, 2023 – Vulnerabilities

New Juniper Junos OS Flaws Expose Devices to Remote Attacks - Patch Now Full Text

Abstract Networking hardware company Juniper Networks has released an "out-of-cycle" security update to address multiple flaws in the J-Web component of Junos OS that could be combined to achieve remote code execution on susceptible installations. The four vulnerabilities have a cumulative CVSS rating of 9.8, making them Critical in severity. They affect all versions of Junos OS on SRX and EX Series. "By chaining exploitation of these vulnerabilities, an unauthenticated, network-based attacker may be able to remotely execute code on the devices," the company said in an advisory released on August 17, 2023. The J-Web interface allows users to configure, manage, and monitor Junos OS devices. A brief description of the flaws is as follows - CVE-2023-36844 and CVE-2023-36845 (CVSS scores: 5.3) - Two PHP external variable modification vulnerabilities in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to

The Hacker News

August 19, 2023 – Breach

Illinois Hospital Notifies Patients, Employees of Data Breach After Royal Gang Posting Full Text

Abstract In late May, reports said the Royal ransomware gang had posted data from the organization on its leak site. As of May 23, the hospital had said it was still investigating the incident.

Cyware

August 19, 2023 – Malware

Thousands of Android Malware Apps Using Stealthy APK Compression to Evade Detection Full Text

Abstract Threat actors are using Android Package (APK) files with unknown or unsupported compression methods to elude malware analysis. That's according to findings from Zimperium, which found 3,300 artifacts leveraging such compression algorithms in the wild. 71 of the identified samples can be loaded on the operating system without any problems. There is no evidence that the apps were available on the Google Play Store at any point in time, indicating that the apps were distributed through other means, typically via untrusted app stores or social engineering to trick the victims into sideloading them. The APK files use "a technique that limits the possibility of decompiling the application for a large number of tools, reducing the possibilities of being analyzed," security researcher Fernando Ortega said. "In order to do that, the APK (which is in essence a ZIP file), is using an unsupported decompression method." The advantage of such an approach is its abilit

The Hacker News

August 19, 2023 – Vulnerabilities

Update: Companies Respond to ‘Downfall’ Intel CPU Vulnerability Full Text

Abstract AWS said its customers’ data and cloud instances are not affected by Downfall and no action is required. The cloud giant did note that it has “designed and implemented its infrastructure with protections against this class of issues”.

Cyware

August 19, 2023 – Criminals

Ransomware Gang Threatens Raleigh Housing Authority Months After Devastating Attack Full Text

Abstract A ransomware gang has started posting sensitive personal information connected to a devastating attack on the Raleigh Housing Authority (RHA) that disrupted the organization for weeks in May.

Cyware

August 19, 2023 – Malware

Over 3,000 Android Malware spotted using unsupported/unknown compression methods to avoid detection Full Text

Abstract Threat actors are using Android Package (APK) files with unsupported compression methods to prevent malware analysis. On June 28th, researchers from Zimperium zLab observed that Joe Sandbox announced the availability of an Android APK that...

Security Affairs

August 19, 2023 – Criminals

Update: Man Arrested in Northern Ireland Police Data Leak Full Text

Abstract The unnamed man was questioned by detectives who were said to be "investigating criminality linked to last week's freedom of information data breach," but has now been released on bail to allow for further inquiries, the PSNI stated.

Cyware

August 18, 2023 – Phishing

Cloaked Malvertising: Unmasking Complex Fingerprinting and Evading Detection Full Text

Abstract Malwarebytes Labs identified a new trend in malvertising campaigns that use advanced cloaking techniques to evade detection. Threat actors are targeting the users of popular IT programs by creating malicious ads displayed on Google search results. To safeguard against ever-evolving malvertising tac ... Read More

Cyware

August 18, 2023 – Criminals

14 Suspected Cybercriminals Arrested Across Africa in Coordinated Crackdown Full Text

Abstract A coordinated law enforcement operation across 25 African countries has led to the arrest of 14 suspected cybercriminals, INTERPOL announced Friday. The exercise, conducted in partnership with AFRIPOL, enabled investigators to identify 20,674 cyber networks that were linked to financial losses of more than $40 million. "The four-month Africa Cyber Surge II operation was launched in April 2023 and focused on identifying cybercriminals and compromised infrastructure," the agency said. As part of the operation, three suspects were arrested in Cameroon in connection with an online scam involving the fraudulent sale of works of art worth $850,000. Another suspect was arrested in Nigeria for defrauding a Gambian victim. Also arrested were two money mules linked to scams initiated through messaging platforms. The cyber networks comprised 3,786 command-and-control (C2) servers, 14,134 victim IP addresses tied to data stealer infections, 1,415 phishing links and domains, 939

The Hacker News

August 18, 2023 – Vulnerabilities

WinRAR flaw enables remote code execution of arbitrary code Full Text

Abstract A flaw impacting the file archiver utility for Windows WinRAR can allow the execution of commands on a computer by opening an archive. WinRAR is a popular file compression and archival utility for Windows operating systems. The utility is affected...

Security Affairs

August 18, 2023 – Phishing

Ongoing Phishing Campaign Targets Zimbra Credentials Full Text

Abstract ESET uncovered an ongoing phishing campaign targeting Zimbra Collaboration users, aiming to harvest their Zimbra account credentials. The phishing emails lure victims by posing as email server updates, account deactivations, or similar issues, and directing them to click on an attached HTML file. S ... Read More

Cyware

August 18, 2023 – Education

The Vulnerability of Zero Trust: Lessons from the Storm 0558 Hack Full Text

Abstract While IT security managers in companies and public administrations rely on the concept of Zero Trust, APTs (Advanced Persistent Threats) are putting its practical effectiveness to the test. Analysts, on the other hand, understand that Zero Trust can only be achieved with comprehensive insight into one's own network. Just recently, an attack believed to be perpetrated by the Chinese hacker group Storm-0558 targeted several government agencies. They used fake digital authentication tokens to access webmail accounts running on Microsoft's Outlook service. In this incident, the attackers stole a signing key from Microsoft, enabling them to issue functional access tokens for Outlook Web Access (OWA) and Outlook.com and to download emails and attachments. Due to a plausibility check error, the digital signature, which was only intended for private customer accounts (MSA), also worked in the Azure Active Directory for business customers. Embracing the Zero Trust Revolution Acc

The Hacker News

August 18, 2023 – Hacker

#OpFukushima: Anonymous group protests against the plan to dump Fukushima RADIOACTIVE wastewater into Pacific Full Text

Abstract #OpFukushima: The famous collective Anonymous has launched cyberattacks against Japan nuclear websites over Fukushima water plan. The hacker collective Anonymous has launched cyberattacks against nuclear power-linked groups in Japan as part of an operation...

Security Affairs

August 18, 2023 – Phishing

Behind WoofLocker: Long-running Traffic Diversion Scheme Full Text

Abstract The long-standing WoofLocker tech support scam campaign, initiated in 2017, remains active with enhanced resilience as it employs a unique traffic redirection approach on compromised websites. Redirecting targeted users to a fake virus warning browser locker screen, WoofLocker has exhibited stabili ... Read More

Cyware

August 18, 2023 – Attack

New Wave of Attack Campaign Targeting Zimbra Email Users for Credential Theft Full Text

Abstract A new "mass-spreading" social engineering campaign is targeting users of the Zimbra Collaboration email server with an aim to collect their login credentials for use in follow-on operations. The activity, active since April 2023 and still ongoing, targets a wide range of small and medium businesses and governmental entities, most of which are located in Poland, Ecuador, Mexico, Italy, and Russia. It has not been attributed to any known threat actor or group. "Initially, the target receives an email with a phishing page in the attached HTML file," ESET researcher Viktor Šperka said in a report. "The email warns the target about an email server update, account deactivation, or similar issue and directs the user to click on the attached file." The messages also spoof the from address to appear as if they are coming from a Zimbra administrator in a likely attempt to convince the recipients into opening the attachment. The HTML file contains a Zimbra lo

The Hacker News

August 18, 2023 – Phishing

Massive phishing campaign targets users of the Zimbra Collaboration email server Full Text

Abstract A massive social engineering campaign is targeting users of the Zimbra Collaboration email server to steal their login credentials. ESET researchers uncovered a mass-spreading phishing campaign targeting users of the Zimbra Collaboration email server...

Security Affairs

August 18, 2023 – Phishing

Catching up With Wooflocker, the Most Elaborate Traffic Redirection Scheme to Tech Support Scams Full Text

Abstract The WoofLocker tech support scam campaign, which was first discovered in 2020, is still active and has evolved to become more sophisticated. The campaign relies on compromised websites to distribute its malicious code, with a focus on adult websites.

Cyware

August 18, 2023 – Ransomware

New BlackCat Ransomware Variant Adopts Advanced Impacket and RemCom Tools Full Text

Abstract Microsoft on Thursday disclosed that it found a new version of the BlackCat ransomware (aka ALPHV and Noberus) that embeds tools like Impacket and RemCom to facilitate lateral movement and remote code execution. "The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments," the company's threat intelligence team said in a series of posts on X (formerly Twitter). "This BlackCat version also has the RemCom hacktool embedded in the executable for remote code execution. The file also contains hardcoded compromised target credentials that actors use for lateral movement and further ransomware deployment." RemCom, billed as an open-source alternative to PsExec, has been put to use by Chinese and Iranian nation-state threat actors like Dalbit and Chafer (aka Remix Kitten) to move across the victim environments in the past. Redmond said it started

The Hacker News

August 18, 2023 – Policy and Law

Africa Cyber Surge II law enforcement operation has led to the arrest of 14 suspects Full Text

Abstract An international law enforcement operation across 25 African countries has led to the arrest of 14 cybercriminals. A coordinated law enforcement operation conducted by INTERPOL and AFRIPOL across 25 African countries has led to the arrest of 14 suspected...

Security Affairs

August 18, 2023 – Attack

Cleveland City School District Suffers Ransomware Attack Full Text

Abstract Cleveland City Schools say they are dealing with the aftermath of a ransomware attack Tuesday. They say less than 5% of faculty and staff devices were affected. A CCS spokesperson says their printers are down.

Cyware

August 18, 2023 – Solution

Google Chrome’s New Feature Alerts Users About Auto-Removal of Malicious Extensions Full Text

Abstract Google has announced plans to add a new feature in the upcoming version of its Chrome web browser to alert users when an extension they have installed has been removed from the Chrome Web Store. The feature, set for release alongside Chrome 117, allows users to be notified when an add-on has been unpublished by a developer, taken down for violating Chrome Web Store policy, or marked as malware. The tech giant said it intends to highlight such extensions under a "Safety check" category in the "Privacy and security" section of the browser settings page. "When a user clicks 'Review,' they will be taken to their extensions and given the choice to either remove the extension or hide the warning if they wish to keep the extension installed," Oliver Dunk, a developer relations engineer for Chrome extensions, said. "As in previous versions of Chrome, extensions marked as malware are automatically disabled." The development comes as the c

The Hacker News

August 18, 2023 – APT

Bronze Starlight targets the Southeast Asian gambling sector Full Text

Abstract Experts warn of an ongoing campaign attributed to China-linked Bronze Starlight that is targeting the Southeast Asian gambling sector. SentinelOne observed China-linked APT group Bronze Starlight (aka APT10, Emperor Dragonfly or Storm-0401) targeting...

Security Affairs

August 18, 2023 – Education

Security Basics Aren’t So Basic — They’re Hard Full Text

Abstract Fundamental defenses — identity and access management, MFA, memory-safe languages, patching and vulnerability management — are lacking or nonexistent across the economy, according to cybersecurity experts.

Cyware

August 18, 2023 – Hacker

Chinese Hackers Accused of Targeting Southeast Asian Gambling Sector Full Text

Abstract Hackers based in China are targeting the gambling sector across Southeast Asia in a campaign that researchers say is closely related to data collection and surveillance operations identified earlier this year.

Cyware

August 17, 2023 – Vulnerabilities

NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security Full Text

Abstract A previously undetected attack method called NoFilter has been found to abuse the Windows Filtering Platform (WFP) to achieve privilege escalation in the Windows operating system. "If an attacker has the ability to execute code with admin privilege and the target is to perform LSASS Shtinkering, these privileges are not enough," Ron Ben Yizhak, a security researcher at Deep Instinct, told The Hacker News. "Running as "NT AUTHORITY\SYSTEM" is required. The techniques described in this research can escalate from admin to SYSTEM." The findings were presented at the DEF CON security conference over the weekend. The starting point of the research is an in-house tool called RPC Mapper the cybersecurity company used to map remote procedure call (RPC) methods, specifically those that invoke WinAPI, leading to the discovery of a method named "BfeRpcOpenToken," which is part of WFP. WFP is a set of API and system services that's

The Hacker News

August 17, 2023 – APT

APT29 is targeting Ministries of Foreign Affairs of NATO-aligned countries Full Text

Abstract Russia-linked APT29 used the Zulip Chat App in attacks aimed at ministries of foreign affairs of NATO-aligned countries EclecticIQ researchers uncovered an ongoing spear-phishing campaign conducted by Russia-linked threat actors targeting Ministries...

Security Affairs

August 17, 2023 – Hacker

China-Linked Bronze Starlight Group Targeting Gambling Sector with Cobalt Strike Beacons Full Text

Abstract An ongoing cyber attack campaign originating from China is targeting the Southeast Asian gambling sector to deploy Cobalt Strike beacons on compromised systems. Cybersecurity firm SentinelOne said the tactics, techniques, and procedures point to the involvement of a threat actor tracked as Bronze Starlight (aka Emperor Dragonfly or Storm-0401), which has been linked to the use of short-lived ransomware families as a smokescreen to conceal its espionage motives. "The threat actors abuse Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables vulnerable to DLL hijacking to deploy Cobalt Strike beacons," security researchers Aleksandar Milenkoski and Tom Hegel said in an analysis published today. It also bears noting that the campaign exhibits overlaps with an intrusion set monitored by ESET under the name Operation ChattyGoblin. This activity, in turn, shares commonalities with a supply chain attack that came to light last year leveraging a troja

The Hacker News

August 17, 2023 – Phishing

A massive campaign delivered a proxy server application to 400,000 Windows systems Full Text

Abstract Researchers discovered a massive campaign that delivered a proxy server application to at least 400,000 Windows systems. AT&T Alien Labs researchers uncovered a massive campaign that delivered a proxy server application to at least 400,000 Windows...

Security Affairs

August 17, 2023 – Vulnerabilities

New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode Full Text

Abstract Cybersecurity researchers have documented a novel post-exploit persistence technique on iOS 16 that could be abused to fly under the radar and maintain access to an Apple device even when the victim believes it is offline. The method "tricks the victim into thinking their device's Airplane Mode works when in reality the attacker (following successful device exploit) has planted an artificial Airplane Mode which edits the UI to display Airplane Mode icon and cuts internet connection to all apps except the attacker application," Jamf Threat Labs researchers Hu Ke and Nir Avraham said in a report shared with The Hacker News. Airplane Mode, as the name implies, allows users to turn off wireless features in their devices, effectively preventing them from connecting to Wi-Fi networks, cellular data, and Bluetooth as well as sending or receiving calls and text messages. The approach devised by Jamf, in a nutshell, provides an illusion to the user that the Airplane Mode is

The Hacker News

August 17, 2023 – General

Alarming lack of cybersecurity practices on world’s most popular websites Full Text

Abstract The world’s most popular websites lack basic cybersecurity hygiene, an investigation by Cybernews shows. Do you happen to love exploring DIY ideas on Pinterest? Scrolling through IMDB to pick the next movie to watch? Or simply scrolling through...

Security Affairs

August 17, 2023 – Vulnerabilities

New LABRAT Campaign Exploits GitLab Flaw for Cryptojacking and Proxyjacking Activities Full Text

Abstract A new, financially motivated operation dubbed LABRAT has been observed weaponizing a now-patched critical flaw in GitLab as part of a cryptojacking and proxyjacking campaign. "The attacker utilized undetected signature-based tools, sophisticated and stealthy cross-platform malware, command-and-control (C2) tools which bypassed firewalls, and kernel-based rootkits to hide their presence," Sysdig said in a report shared with The Hacker News. "Furthermore, the attacker abused a legitimate service, TryCloudflare, to obfuscate their C2 network." Proxyjacking allows the attacker to rent the compromised host out to a proxy network, making it possible to monetize the unused bandwidth. Cryptojacking, on the other hand, refers to the abuse of the system resources to mine cryptocurrency. A notable aspect of the campaign is the use of compiled binaries written in Go and .NET to fly under the radar, with LABRAT also providing backdoor access to the infected systems.

The Hacker News

August 17, 2023 – Vulnerabilities

Experts devise an exploit for Apple iOS 16 that relies on fake Airplane Mode Full Text

Abstract Researchers detailed a new exploit for Apple iOS 16 that can allow attackers to gain access to a device even when the victim believes it is in Airplane Mode. Jamf Threat Labs researchers developed a post-exploit persistence technique on iOS 16 that...

Security Affairs

August 17, 2023 – Outage

Cleaning Products manufacturer Clorox Company took some systems offline after a cyberattack Full Text

Abstract Cleaning products manufacturer Clorox Company announced that it has taken some systems offline in response to a cyberattack. The Clorox Company is a multinational consumer goods company that specializes in the production and marketing of various household...

Security Affairs

August 17, 2023 – Criminals

Cybercriminals Selling SMS Bomber Attack Tools on Underground Forums Full Text

Abstract The underground market for SMS Bomber services is thriving, with various platforms offering attack services for a fee, highlighting the need for increased security measures in registration pages and APIs.

Cyware

August 17, 2023 – Phishing

Russian Hackers Use Zulip Chat App for Covert C&C in Diplomatic Phishing Attacks Full Text

Abstract An ongoing campaign targeting ministries of foreign affairs of NATO-aligned countries points to the involvement of Russian threat actors. The phishing attacks feature PDF documents with diplomatic lures, some of which are disguised as coming from Germany, to deliver a variant of a malware called Duke, which has been attributed to APT29 (aka BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard, and The Dukes). "The threat actor used Zulip – an open-source chat application – for command-and-control, to evade and hide its activities behind legitimate web traffic," Dutch cybersecurity company EclecticIQ said in an analysis last week. The infection sequence is as follows: The PDF attachment, named "Farewell to Ambassador of Germany," comes embedded with JavaScript code that initiates a multi-stage process to leave a persistent backdoor on compromised networks. APT29's use of invitation themes has been previously reported by Lab52, which doc

The Hacker News

August 17, 2023 – Government

CISA Publishes Plan For Remote Monitoring Tools After Nation-State, Ransomware Exploitation Full Text

Abstract In an announcement Wednesday, CISA said it worked with industry partners as part of the Joint Cyber Defense Collaborative (JCDC) to create a “clear roadmap to advance security and resilience of the RMM ecosystem.”

Cyware

August 17, 2023 – Government

CISA Adds Citrix ShareFile Flaw to KEV Catalog Due to In-the-Wild Attacks Full Text

Abstract The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Citrix ShareFile storage zones controller to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active in-the-wild exploitation. Tracked as CVE-2023-24489 (CVSS score: 9.8), the shortcoming has been described as an improper access control bug that, if successfully exploited, could allow an unauthenticated attacker to compromise vulnerable instances remotely. The problem is rooted in ShareFile's handling of cryptographic operations, enabling adversaries to upload arbitrary files, resulting in remote code execution. "This vulnerability affects all currently supported versions of customer-managed ShareFile storage zones controller before version 5.11.24," Citrix said in an advisory released in June. Dylan Pindur of Assetnote has been credited with discovering and reporting the issue. It's worth noting that the first signs of exploitatio

The Hacker News

August 17, 2023 – Malware

Large-Scale Campaign Delivers Proxy Server App to Make Systems Serve as Residential Exit Nodes Full Text

Abstract The proxy application is silently installed by malware on infected systems without user knowledge or interaction, and it goes undetected by anti-virus software as it is signed.

Cyware

August 17, 2023 – Phishing

Malvertisers up Their Game Against Researchers Full Text

Abstract Threat actors are using advanced cloaking techniques in malvertising campaigns to remain undetected and drop malware, making it more challenging for defenders to identify and report these incidents.

Cyware

August 17, 2023 – Breach

Ongoing Hijacking Campaign Targets LinkedIn Accounts Full Text

Abstract Several LinkedIn users have reported difficulties in recovering their hacked or locked-out accounts through LinkedIn support. Some claimed to have faced ransom demands or account deletion threats. In the past few months, according to Google Trends, there’s been a 5000% increase in searches related ... Read More

Cyware

August 16, 2023 – Vulnerabilities

Chrome 116 Patches 26 Vulnerabilities Full Text

Abstract Google on Tuesday announced the release of Chrome 116 to the stable channel with patches for 26 vulnerabilities, including 21 reported by external researchers. Of the externally reported bugs, eight have a severity rating of ‘high.’

Cyware

August 16, 2023 – General

What’s the State of Credential theft in 2023? Full Text

Abstract At a little over halfway through 2023, credential theft is still a major thorn in the side of IT teams. The heart of the problem is the value of data to cybercriminals and the evolution of the techniques they use to get hold of it. The 2023 Verizon Data Breach Investigations Report (DBIR) revealed that 83% of breaches involved external actors, with almost all attacks being financially motivated. Of these breaches by external actors, 49% involved the use of stolen credentials. We'll explore why credential theft is still such an attractive (and successful) attack route, and look at how IT security teams can fight back in the second half of 2023 and beyond. Users are still often the weak link The hallmarks of many successful cyberattacks are the determination, inventiveness, and patience threat actors show. Though a user may spot some attacks through security and awareness training, it only takes one well-crafted attack to catch them. Sometimes all it takes is for a user to be

The Hacker News

August 16, 2023 – Government

CISA adds flaw in Citrix ShareFile to its Known Exploited Vulnerabilities catalog Full Text

Abstract US CISA added critical vulnerability CVE-2023-24489 in Citrix ShareFile to its Known Exploited Vulnerabilities catalog. US Cybersecurity and Infrastructure Security Agency (CISA) added critical flaw CVE-2023-24489 (CVSS score 9.8) affecting...

Security Affairs

August 16, 2023 – Government

Chamber of Commerce Urges SEC to Delay Cyber Rule Implementation Full Text

Abstract The U.S. Chamber of Commerce urged the Securities and Exchange Commission to delay by a year the effective date of new cybersecurity rules, saying the regulatory move could otherwise have “severe consequences” for companies.

Cyware

August 16, 2023 – Vulnerabilities

Experts Uncover Weaknesses in PowerShell Gallery Enabling Supply Chain Attacks Full Text

Abstract Active flaws in the PowerShell Gallery could be weaponized by threat actors to pull off supply chain attacks against the registry's users. "These flaws make typosquatting attacks inevitable in this registry, while also making it extremely difficult for users to identify the true owner of a package," Aqua security researchers Mor Weinberger, Yakir Kadkoda, and Ilay Goldman said in a report shared with The Hacker News. Maintained by Microsoft, PowerShell Gallery is a central repository for sharing and acquiring PowerShell code, including PowerShell modules, scripts, and Desired State Configuration (DSC) resources. The registry boasts 11,829 unique packages and 244,615 packages in total. The issues identified by the cloud security firm have to do with the service's lax policy surrounding package names, lacking protections against typosquatting attacks, as a result enabling attackers to upload malicious PowerShell modules that appear genuine to unsuspecting users

The Hacker News

August 16, 2023 – Phishing

A massive phishing campaign using QR codes targets the energy sector Full Text

Abstract A phishing campaign employing QR codes targeted a leading energy company in the US, cybersecurity firm Cofense reported. Starting from May 2023, researchers from Cofense discovered a large-scale phishing campaign using QR codes in attacks aimed at stealing...

Security Affairs

August 16, 2023 – Privacy

Automotive data privacy under scrutiny in California Full Text

Abstract California regulators are examining how automakers and others handle data collected from internet-connected vehicles, the California Privacy Protection Agency said late last month.

Cyware

August 16, 2023 – Solution

Guide: How Google Workspace-based Organizations can leverage Chrome to improve Security Full Text

Abstract More and more organizations are choosing Google Workspace as their default employee toolset. But despite the productivity advantages, this organizational action also incurs a new security debt. Security teams now have to find a way to adjust their security architecture to this new cloud workload. Some teams may rely on their existing network security solutions. According to a new guide, this is hit and miss. Network solutions, the guide claims, just don't cover all SaaS and browsing requirements. Meanwhile, Google offers a wide range of native security functionalities built into Chrome. These functionalities enable the organization to leverage the browser for consolidating security, simplifying operations and reducing costs. If you're wary about trusting Chrome with your security, then the guide is worth reading. In great detail, it explains which security features Chrome offers users. These include: Forcing users to sign into Chrome, to ensure the

The Hacker News

August 16, 2023 – Vulnerabilities

Two unauthenticated stack buffer overflows found in Ivanti Avalanche EMM Full Text

Abstract Ivanti Avalanche EMM product is impacted by two buffer overflows collectively tracked as CVE-2023-32560. Tenable researchers discovered two stack-based buffer overflows, collectively tracked as CVE-2023-32560 (CVSS v3: 9.8), impacting the Ivanti...

Security Affairs

August 16, 2023 – Outage

Ransomware Attack on Rapattoni Disrupts US Real Estate Property Listings Full Text

Abstract Real estate agents' ability to list or update property information has been compromised by an attack on California-based data services company Rapattoni, which hosts multiple listing services.

Cyware

August 16, 2023 – Encryption

Google Introduces First Quantum Resilient FIDO2 Security Key Full Text

Abstract Google on Tuesday announced the first quantum resilient FIDO2 security key implementation as part of its OpenSK security keys initiative. "This open-source hardware optimized implementation uses a novel ECC/Dilithium hybrid signature schema that benefits from the security of ECC against standard attacks and Dilithium's resilience against quantum attacks," Elie Bursztein and Fabian Kaczmarczyck said. OpenSK is an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards. The development comes less than a week after the tech giant said it plans to add support for quantum-resistant encryption algorithms in Chrome 116 to set up symmetric keys in TLS connections. It's also part of broader efforts to switch to cryptographic algorithms that can withstand quantum attacks in the future, which makes it necessary to incorporate such technologies early on to facilitate a gradual rollout. "Fortunately, with the rece

The Hacker News

August 16, 2023 – Breach

Approximately 2000 Citrix NetScaler servers were backdoored in a massive campaign Full Text

Abstract A threat actor has compromised roughly 2,000 Citrix NetScaler servers by exploiting a remote code execution vulnerability tracked as CVE-2023-3519. In July Citrix warned customers of a critical vulnerability, tracked as CVE-2023-3519 (CVSS score: 9.8), in NetScaler...

Security Affairs

August 16, 2023 – Outage

Clorox Cleans up Security Breach That Disrupted Operations Full Text

Abstract The intrusion continues to disrupt "parts of the company's business operations," and it is "working diligently to respond to and address this issue, and is also coordinating with law enforcement," according to the Form 8-K submission.

Cyware

August 16, 2023 – Vulnerabilities

Critical Security Flaws Affect Ivanti Avalanche, Threatening 30,000 Organizations Full Text

Abstract Multiple critical security flaws have been reported in Ivanti Avalanche, an enterprise mobile device management solution that's used by 30,000 organizations. The vulnerabilities, collectively tracked as CVE-2023-32560 (CVSS score: 9.8), are stack-based buffer overflows in Ivanti Avalanche WLAvanacheServer.exe v6.4.0.0. Cybersecurity company Tenable said the shortcomings are the result of buffer overflows arising as a consequence of processing specific data types. An unauthenticated remote attacker can specify a long hex string or long type 9 item to overflow the buffer, it noted. Both issues could be exploited by a remote adversary to achieve code execution or a system crash. Stack-based buffer overflow vulnerabilities occur when the buffer being overwritten is on the stack, leading to a scenario where program execution can be altered to run arbitrary code with elevated privileges. Ivanti has released Avalanche version 6.4.1 to remediate the

The Hacker News

August 16, 2023 – Outage

Prince George’s County Public Schools Suffers Network Outage Owing to Cyberattack Full Text

Abstract District leaders initially said they were working to address a “broad network outage” that knocked out email and other services. On Monday night, the district released a statement saying 4,500 of the system’s 180,000 accounts were “impacted.”

Cyware

August 16, 2023 – Breach

Nearly 2,000 Citrix NetScaler Instances Hacked via Critical Vulnerability Full Text

Abstract Nearly 2,000 Citrix NetScaler instances have been compromised with a backdoor by weaponizing a recently disclosed critical security vulnerability as part of a large-scale attack. "An adversary appears to have exploited CVE-2023-3519 in an automated fashion, placing web shells on vulnerable NetScalers to gain persistent access," NCC Group said in an advisory released Tuesday. "The adversary can execute arbitrary commands with this webshell, even when a NetScaler is patched and/or rebooted." CVE-2023-3519 refers to a critical code injection vulnerability impacting NetScaler ADC and Gateway servers that could lead to unauthenticated remote code execution. It was patched by Citrix last month. The development comes a week after the Shadowserver Foundation said it identified close to 7,000 vulnerable, unpatched NetScaler ADC and Gateway instances online and the flaw is being abused to drop PHP web shells on vulnerable servers for remote access. A follow-up anal

The Hacker News

August 15, 2023 – Breach

Georgia Healthcare System Notifies 180,000 People of Breach After Suffering Ransomware Attack Full Text

Abstract The apparent Hive ransomware attack on the Tift Regional Health System involved hackers accessing and copying files containing patient information, including medical and banking account information.

Cyware

August 15, 2023 – Criminals

Cybercriminals Abusing Cloudflare R2 for Hosting Phishing Pages, Experts Warn Full Text

Abstract Threat actors' use of Cloudflare R2 to host phishing pages has witnessed a 61-fold increase over the past six months. "The majority of the phishing campaigns target Microsoft login credentials, although there are some pages targeting Adobe, Dropbox, and other cloud apps," Netskope security researcher Jan Michael said. Cloudflare R2, analogous to Amazon Web Services S3, Google Cloud Storage, and Azure Blob Storage, is a data storage service for the cloud. The development comes as the total number of cloud apps from which malware downloads originate has increased to 167, with Microsoft OneDrive, Squarespace, GitHub, SharePoint, and Weebly taking the top five spots. The phishing campaigns identified by Netskope not only abuse Cloudflare R2 to distribute static phishing pages, but also leverage the company's Turnstile offering, a CAPTCHA replacement, to place such pages behind anti-bot barriers to evade detection. In doing so, it prevents online scanners like

The Hacker News

August 15, 2023 – Criminals

Credentials for cybercrime forums found on roughly 120K computers infected with info stealers Full Text

Abstract Researchers discovered credentials associated with cybercrime forums on roughly 120,000 computers infected with information stealers. Threat intelligence firm Hudson Rock has discovered credentials associated with cybercrime forums on roughly 120,000...

Security Affairs

August 15, 2023 – Denial Of Service

Most DDoS Attacks Tied to Gaming, Business Disputes, FBI and Prosecutors Say Full Text

Abstract The majority of distributed denial-of-service (DDoS) attacks are launched in response to disputes over business or gaming, according to federal officials investigating the incidents.

Cyware

August 15, 2023 – Education

Catching the Catphish: Join the Expert Webinar on Combating Credential Phishing Full Text

Abstract Is your organization constantly under threat from credential phishing? Even with comprehensive security awareness training, many employees still fall victim to credential phishing scams. The result? Cybercriminals gaining immediate and unhindered access to sensitive data, email accounts, and other applications. But what if you could outsmart these criminals and protect your organization? Join Graham Cluley, renowned cybersecurity expert and host of the Smashing Security podcast, and Mike Britton, CISO at Abnormal Security, for an illuminating webinar that delves into the world of credential phishing and offers actionable insights. What Will You Learn? Understanding the Lure: How attackers manipulate victims into submitting credentials, employing tactics such as generative AI. Why Victims Fall for the Trap: A detailed look at why security awareness training may not always succeed in preventing employees from taking the bait. Effective Strategies to Combat Threats: Compre

The Hacker News

August 15, 2023 – Ransomware

Monti Ransomware gang launched a new Linux encryptor Full Text

Abstract Monti Ransomware operators returned, after a two-month pause, with a new Linux variant of their encryptor. The Monti ransomware operators returned, after a two-month break, with a new Linux version of the encryptor. The variant was employed in attacks...

Security Affairs

August 15, 2023 – Breach

UK: Norfolk and Suffolk Police Admit Breach Involving Personal Data of 1,230 People Full Text

Abstract Two police forces in England have admitted mishandling the sensitive data of victims, witnesses, and suspects in cases including domestic abuse incidents, sexual offenses, assaults, thefts, and hate crime.

Cyware

August 15, 2023 – Vulnerabilities

Multiple Flaws Found in ScrutisWeb Software Exposes ATMs to Remote Hacking Full Text

Abstract Four security vulnerabilities in the ScrutisWeb ATM fleet monitoring software made by Iagona could be exploited to remotely break into ATMs, upload arbitrary files, and even reboot the terminals. The shortcomings were discovered by the Synack Red Team (SRT) following a client engagement. The issues have been addressed in ScrutisWeb version 2.1.38. "Successful exploitation of these vulnerabilities could allow an attacker to upload and execute arbitrary files," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory published last month. ScrutisWeb is a web browser-based solution for monitoring banking and retail ATM fleets, including gleaning information system status, detecting low paper alerts, shutting down or restarting a terminal, and remotely modifying data. Details of the four flaws are as follows - CVE-2023-33871 (CVSS score: 7.5) - A directory traversal vulnerability that could allow an unauthenticated user to directly access

The Hacker News

August 15, 2023 – Vulnerabilities

Hacking ATMs by exploiting flaws in ScrutisWeb ATM fleet software Full Text

Abstract Researchers found several flaws in the ScrutisWeb ATM fleet monitoring software that can expose ATMs to hacking. Researchers from the Synack Red Team found multiple flaws (CVE-2023-33871, CVE-2023-38257, CVE-2023-35763 and CVE-2023-35189) in the ScrutisWeb...

Security Affairs

August 15, 2023 – Business

Protect AI Purchases Huntr to Extend Bug Bounties to AI, ML Full Text

Abstract The Seattle-based AI and ML security vendor said its acquisition of Seattle-based Huntr will allow customers to discover exploits in the artificial intelligence or machine learning supply chain weeks before they're publicly revealed.

Cyware

August 15, 2023 – Criminals

Monti Ransomware Returns with New Linux Variant and Enhanced Evasion Tactics Full Text

Abstract The threat actors behind the Monti ransomware have resurfaced after a two-month break with a new Linux version of the encryptor in its attacks targeting government and legal sectors. Monti emerged in June 2022, weeks after the Conti ransomware group shut down its operations, deliberately imitating the tactics and tools associated with the latter, including its leaked source code. Not anymore. The new version, per Trend Micro, is a departure of sorts, exhibiting significant changes from its other Linux-based predecessors. "Unlike the earlier variant, which is primarily based on the leaked Conti source code, this new version employs a different encryptor with additional distinct behaviors," Trend Micro researchers Nathaniel Morales and Joshua Paul Ignacio said. A BinDiff analysis has revealed that while the older iterations had a 99% similarity rate with Conti, the latest version has only a 29% similarity rate, suggesting an overhaul. Some of the crucial changes in

The Hacker News

August 15, 2023 – Malware

QwixxRAT, a new Windows RAT appears in the threat landscape Full Text

Abstract QwixxRAT is a new Windows remote access trojan (RAT) that is offered for sale through Telegram and Discord platforms. The Uptycs Threat Research team discovered the QwixxRAT (aka Telegram RAT) in early August 2023 while it was advertised through Telegram...

Security Affairs

August 15, 2023 – Malware

New Windows Malware QwixxRAT Appears in the Threat Landscape Full Text

Abstract According to the experts, QwixxRAT is meticulously designed to steal a broad range of information, including data from browser histories, credit card details, screenshots, and keystrokes.

Cyware

August 15, 2023 – General

Malware Unleashed: Public Sector Hit in Sudden Surge, Reveals New Report Full Text

Abstract The just-released BlackBerry Global Threat Intelligence Report reveals a 40% increase in cyberattacks against government and public service organizations versus the previous quarter. This includes public transit, utilities, schools, and other government services we rely on daily. With limited resources and often immature cyber defense programs, these publicly funded organizations are struggling against the double-pronged threat of attacks from both nation-states and the criminal underground. These are just a few of the findings contained in the latest edition of BlackBerry's quarterly cybersecurity benchmarking guide. Covering events between March and May 2023, it provides new information for the cybersecurity industry worldwide based on a detailed geopolitical analysis. BlackBerry observed and stopped 1.5 million attacks within the 90-day period. Here are a few highlights in the report: 90 days by the numbers: From March 2023 to May 2023, threat actors deployed approximat

The Hacker News

August 15, 2023 – Business

Dallas to Pay Vendors $8.6m for Their Ransomware Recovery Services Full Text

Abstract The bill covers invoices from “various vendors for emergency purchases of hardware, software, professional services, consultants and monitoring services,” the city said in a statement.

Cyware

August 15, 2023 – Malware

Gigabud RAT Android Banking Malware Targets Institutions Across Countries Full Text

Abstract Account holders at numerous financial institutions in Thailand, Indonesia, Vietnam, the Philippines, and Peru are being targeted by an Android banking malware called Gigabud RAT. "One of Gigabud RAT's unique features is that it doesn't execute any malicious actions until the user is authorized into the malicious application by a fraudster, [...] which makes it harder to detect," Group-IB researchers Pavel Naumov and Artem Grischenko said. "Instead of using HTML overlay attacks, Gigabud RAT gathers sensitive information primarily through screen recording." Gigabud RAT was first documented by Cyble in January 2023 after it was spotted impersonating bank and government apps to siphon sensitive data. It's known to be active in the wild since at least July 2022. The Singapore-based company said it also identified a second variant of the malware minus the RAT capabilities. Dubbed Gigabud.Loan, it comes under the guise of a loan application that

The Hacker News

August 15, 2023 – Criminals

Over 120,000 Computers Compromised by Info Stealers Linked to Users of Cybercrime Forums Full Text

Abstract A "staggering" 120,000 computers infected by stealer malware have credentials associated with cybercrime forums, many of them belonging to malicious actors. The findings come from Hudson Rock, which analyzed data collected from computers compromised between 2018 and 2023. "Hackers around the world infect computers opportunistically by promoting results for fake software or through YouTube tutorials directing victims to download infected software," Hudson Rock CTO Alon Gal told The Hacker News. "It is not a case of the threat actor infecting his own computer, it is that out of the 14,500,000 computers we have in our cybercrime database, some of them happen to be hackers that accidentally got infected." Data retrieved from machines compromised by stealer malware is often expansive and wide-ranging, enabling the real-world identities of hackers to be discovered based on indicators such as credentials, addresses, phone numbers, computer names, and IP a

The Hacker News

August 15, 2023 – Hacker

North Korean Hackers Suspected in New Wave of Malicious npm Packages Full Text

Abstract The npm package registry has emerged as the target of yet another highly targeted attack campaign that aims to entice developers into downloading malevolent modules. Software supply chain security firm Phylum told The Hacker News the activity exhibits similar behaviors to that of a previous attack wave uncovered in June, which has since been linked to North Korean threat actors. As many as nine packages have been identified as uploaded to npm between August 9 and 12, 2023. This includes: ws-paso-jssdk, pingan-vue-floating, srm-front-util, cloud-room-video, progress-player, ynf-core-loader, ynf-core-renderer, ynf-dx-scripts, and ynf-dx-webpack-plugins. "Due to the sophisticated nature of the attack and the small number of affected packages, we suspect this is another highly targeted attack, likely with a social engineering aspect involved in order to get targets to install these packages," the company said. The attack chain commences with the package.json file with

The Hacker News

August 14, 2023 – Vulnerabilities

Ford Says Wi-Fi Vulnerability Not a Safety Risk to Vehicles Full Text

Abstract The issue is described as a buffer overflow that could lead to remote code execution. An attacker within the wireless range of an impacted device can trigger the flaw using a specially crafted frame.

Cyware

August 14, 2023 – Malware

QwixxRAT: New Remote Access Trojan Emerges via Telegram and Discord Full Text

Abstract A new remote access trojan (RAT) called QwixxRAT is being advertised for sale by its threat actor through Telegram and Discord platforms. "Once installed on the victim's Windows platform machines, the RAT stealthily collects sensitive data, which is then sent to the attacker's Telegram bot, providing them with unauthorized access to the victim's sensitive information," Uptycs said in a new report published today. The cybersecurity company, which discovered the malware earlier this month, said it's "meticulously designed" to harvest web browser histories, bookmarks, cookies, credit card information, keystrokes, screenshots, files matching certain extensions, and data from apps like Steam and Telegram. The tool is offered for 150 rubles for weekly access and 500 rubles for a lifetime license. It also comes in a limited free version. A C#-based binary, QwixxRAT comes with various anti-analysis features to remain covert and evade detection. Thi

The Hacker News

August 14, 2023 – Attack

Ongoing Xurum attacks target Magento 2 e-stores Full Text

Abstract Experts warn of ongoing attacks, dubbed Xurum, targeting e-commerce websites using Adobe's Magento 2 CMS. Akamai researchers warn of ongoing attacks, dubbed Xurum, targeting e-commerce websites running the Magento 2 CMS. The attackers are actively...

Security Affairs

August 14, 2023 – Vulnerabilities

Nine Flaws in CyberPower and Dataprobe Solutions Expose Data Centers to Hacking Full Text

Abstract Researchers from Trellix Advanced Research Center discovered multiple vulnerabilities impacting CyberPower’s PowerPanel Enterprise Data Center Infrastructure Management (DCIM) platform and Dataprobe’s iBoot Power Distribution Unit (PDU).

Cyware

August 14, 2023 – Vulnerabilities

Ongoing Xurum Attacks on E-commerce Sites Exploiting Critical Magento 2 Vulnerability Full Text

Abstract E-commerce sites using Adobe's Magento 2 software are the target of an ongoing campaign that has been active since at least January 2023. The attacks, dubbed Xurum by Akamai, leverage a now-patched critical security flaw (CVE-2022-24086, CVSS score: 9.8) in Adobe Commerce and Magento Open Source that, if successfully exploited, could lead to arbitrary code execution. "The attacker seems to be interested in payment stats from the orders in the victim's Magento store placed in the past 10 days," Akamai researchers said in an analysis published last week, attributing the campaign to actors of Russian origin. Some of the websites have also been observed to be infected with simple JavaScript-based skimmers that are designed to collect credit card information and transmit it to a remote server. The exact scale of the campaign remains unclear. In the attack chains observed by the company, CVE-2022-24086 is weaponized for initial access, subsequently exploiting

The Hacker News

August 14, 2023 – Breach

Colorado HCPF Department notifies 4 million individuals after IBM MOVEit breach Full Text

Abstract The Colorado Department of Health Care Policy & Financing (HCPF) disclosed a data breach after the MOVEit attack on IBM. The Colorado Department of Health Care Policy & Financing (HCPF) disclosed a data breach that impacted more than four million...

Security Affairs

August 14, 2023 – Vulnerabilities

Iagona ScrutisWeb Vulnerabilities Could Expose ATMs to Remote Hacking Full Text

Abstract Several vulnerabilities in the ScrutisWeb ATM fleet monitoring software could be exploited to remotely hack ATMs. The security holes were discovered by Synack Red Team members and were patched by the vendor in July 2023 with the release of ScrutisWeb version 2.1.38.

Cyware

August 14, 2023 – Education

Identity Threat Detection and Response: Rips in Your Identity Fabric Full Text

Abstract Why SaaS Security Is a Challenge In today's digital landscape, organizations are increasingly relying on Software-as-a-Service (SaaS) applications to drive their operations. However, this widespread adoption has also opened the doors to new security risks and vulnerabilities. The SaaS security attack surface continues to widen. It started with managing misconfigurations and now requires a holistic approach to handling the entire SaaS ecosystem. This includes the continuous monitoring and management of user access, roles and permissions, third-party apps installed by users, risks deriving from SaaS user devices and Identity Threat Detection & Response (ITDR). There are a variety of reasons that SaaS security is so complex today. Firstly, there is a diverse range of applications, each having its own UI and terminology. And those environments are dynamic, from SaaS vendors understanding the importance of security and continually enhancing their applications with modern security

The Hacker News

August 14, 2023 – Vulnerabilities

Experts found multiple flaws in AudioCodes desk phones and Zoom’s Zero Touch Provisioning (ZTP) Full Text

Abstract Multiple flaws in AudioCodes desk phones and Zoom's Zero Touch Provisioning (ZTP) can expose the devices to several attacks. Researchers from security firm SySS discovered multiple vulnerabilities in AudioCodes desk phones and Zoom's Zero Touch Provisioning (ZTP)...

Security Affairs

August 14, 2023 – Hacker

Hacktivists Claim Attacks Against 21 Organizations Over Fukushima Wastewater Release Full Text

Abstract Anonymous Italia, a group claiming to be affiliated with the hacktivist collective Anonymous, has launched cyber protests against the Japanese government over its decision to release wastewater from the Fukushima Daini Nuclear Power Plant.

Cyware

August 14, 2023 – Attack

Charming Kitten Targets Iranian Dissidents with Advanced Cyber Attacks Full Text

Abstract Germany's Federal Office for the Protection of the Constitution (BfV) has warned of cyber attacks targeting Iranian persons and organizations in the country since the end of 2022. "The cyber attacks were mainly directed against dissident organizations and individuals – such as lawyers, journalists, or human rights activists – inside and outside Iran," the agency said in an advisory. The intrusions have been attributed to a threat actor called Charming Kitten, which is also tracked under the names APT35, Mint Sandstorm, TA453 and Yellow Garuda. While Iranian nation-state actors lag behind their Russian and Chinese counterparts in sophistication, they have demonstrated a continued advancement of tools and techniques, adding an arsenal of custom malware to facilitate information gathering and rapidly exploiting n-day security flaws to obtain initial access. Charming Kitten, in particular, has a long, storied history of leveraging elaborate social engineering and

The Hacker News

August 14, 2023 – Vulnerabilities

Nine flaws in CyberPower and Dataprobe solutions expose data centers to hacking Full Text

Abstract Multiple vulnerabilities in CyberPower PowerPanel Enterprise DCIM platform and Dataprobe PDU could expose data centers to hacking. Researchers from Trellix Advanced Research Center discovered multiple vulnerabilities impacting CyberPower's PowerPanel...

Security Affairs

August 14, 2023 – Education

How to Handle API Sprawl and the Security Threat it Poses Full Text

Abstract With recent reports indicating that API vulnerabilities are costing businesses billions of dollars annually, it’s no wonder they are at the top of mind of many cybersecurity professionals.

Cyware

August 14, 2023 – Malware

New Financial Malware ‘JanelaRAT’ Targets Latin American Users Full Text

Abstract Users in Latin America (LATAM) are the target of a financial malware called JanelaRAT that's capable of capturing sensitive information from compromised Microsoft Windows systems. "JanelaRAT mainly targets financial and cryptocurrency data from LATAM bank and financial institutions," Zscaler ThreatLabz researchers Gaetano Pellegrino and Sudeep Singh said, adding it "abuses DLL side-loading techniques from legitimate sources (like VMWare and Microsoft) to evade endpoint detection." The exact starting point of the infection chain is unclear, but the cybersecurity company, which discovered the campaign in June 2023, said the unknown vector is used to deliver a ZIP archive file containing a Visual Basic Script. The VBScript is engineered to fetch a second ZIP archive from the attackers' server as well as drop a batch file used to establish persistence of the malware. The ZIP archive is packed with two components, the JanelaRAT payload and a legitimate

The Hacker News

August 14, 2023 – Ransomware

Monti Ransomware Unleashes New Encryptor for Linux Full Text

Abstract The Monti ransomware group has reemerged after a two-month break, targeting legal and government institutions with a new Linux-based variant that shows significant differences from its previous versions.

Cyware

August 14, 2023 – Policy and Law

India Passes New Digital Personal Data Protection Bill (DPDPB), Putting Users’ Privacy First Full Text

Abstract The Indian President Droupadi Murmu on Friday granted assent to the Digital Personal Data Protection Bill (DPDPB) after it was unanimously passed by both houses of the parliament last week, marking a significant step towards securing people's information. "The Bill provides for the processing of digital personal data in a manner that recognizes both the rights of the individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto," the Indian government said. The long-awaited data protection law comes months after the Ministry of Electronics and Information Technology (MeitY) released a draft version of the bill in November 2022. It has been in the making for over five years, with a first draft released in July 2018. A year before, India's Supreme Court upheld privacy as a fundamental right. The legislative framework, which applies to personal data coll

The Hacker News

August 14, 2023 – Education

How Executives’ Personal Devices Threaten Business Security Full Text

Abstract While the cyber threat landscape has seen this major shift, security software to manage these direct personal risks has not kept up to protect public-facing individuals and leaders the way large enterprise organizations have.

Cyware

August 13, 2023 – Vulnerabilities

Multiple flaws in CODESYS V3 SDK could lead to RCE or DoS Full Text

Abstract 16 vulnerabilities in Codesys products could result in remote code execution and DoS attacks, exposing OT environments to hacking. Microsoft Threat Intelligence researchers discovered 16 high-severity vulnerabilities, collectively tracked as CoDe16,...

Security Affairs

August 13, 2023 – General

Security Affairs newsletter Round 432 by Pierluigi Paganini – International edition Full Text

Abstract A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Police...

Security Affairs

August 13, 2023 – Government

The DHS’s CSRB to review cloud security practices following the hack of Microsoft Exchange govt email accounts Full Text

Abstract The DHS's CSRB will review cloud security practices following recent hacks of Microsoft Exchange accounts used by US govt agencies. The US DHS announced that the Cyber Safety Review Board (CSRB) will review the security measures used to protect cloud computing...

Security Affairs

August 12, 2023 – Malware

MacOS Systems Turned Into Proxy Exit Nodes by Adload Full Text

Abstract AdLoad malware is still infecting Mac systems and has been observed turning infected systems into a giant proxy botnet. AT&T Alien Labs has identified over 10,000 IPs behaving as proxy exit nodes, indicating a potentially widespread infection.

Cyware

August 12, 2023 – Vulnerabilities

Multiple Flaws in CyberPower and Dataprobe Products Put Data Centers at Risk Full Text

Abstract Multiple security vulnerabilities impacting CyberPower's PowerPanel Enterprise Data Center Infrastructure Management (DCIM) platform and Dataprobe's iBoot Power Distribution Unit (PDU) could be potentially exploited to gain unauthenticated access to these systems and inflict catastrophic damage in target environments. The nine vulnerabilities, from CVE-2023-3259 through CVE-2023-3267, carry severity scores ranging from 6.7 to 9.8, enabling threat actors to shut down entire data centers and compromise data center deployments to steal data or launch attacks at a massive scale. "An attacker could chain these vulnerabilities together to gain full access to these systems," Trellix security researchers Sam Quinn, Jesse Chick, and Philippe Laulheret said in a report shared with The Hacker News. "Furthermore, both products are vulnerable to remote code injection that could be leveraged to create a backdoor or an entry point to the broader network of connect

The Hacker News

August 12, 2023 – Criminals

Honor Among Cybercriminals? Why a Canadian Firm Paid Ransom Full Text

Abstract A nonprofit firm that administers government dental programs in Canada is notifying nearly 1.5 million individuals that their data, including banking information for some, was compromised in a ransomware incident last month.

Cyware

August 12, 2023 – Vulnerabilities

Zoom ZTP & AudioCodes Phones Flaws Uncovered, Exposing Users to Eavesdropping Full Text

Abstract Multiple security vulnerabilities have been disclosed in AudioCodes desk phones and Zoom's Zero Touch Provisioning (ZTP) that could be potentially exploited by a malicious attacker to conduct remote attacks. "An external attacker who leverages the vulnerabilities discovered in AudioCodes Ltd.'s desk phones and Zoom's Zero Touch Provisioning feature can gain full remote control of the devices," SySS security researcher Moritz Abrell said in an analysis published Friday. The unfettered access could then be weaponized to eavesdrop on rooms or phone calls, pivot through the devices and attack corporate networks, and even build a botnet of infected devices. The research was presented at the Black Hat USA security conference earlier this week. The problems are rooted in Zoom's ZTP, which allows IT administrators to configure VoIP devices in a centralized manner such that it makes it easy for organizations to monitor, troubleshoot and update the devices as

The Hacker News

August 12, 2023 – Malware

JanelaRAT: Repurposed BX Rat Variant Targeting LATAM FinTech Full Text

Abstract Zscaler ThreatLabz has discovered a threat actor targeting FinTech users in the LATAM region with a malware called JanelaRAT. This malware uses tactics such as DLL side-loading and dynamic C2 infrastructure.

Cyware

August 12, 2023 – Criminals

Lolek Bulletproof Hosting Servers Seized, 5 Key Operators Arrested Full Text

Abstract European and U.S. law enforcement agencies have announced the dismantling of a bulletproof hosting service provider called Lolek Hosted, which cybercriminals have used to launch cyber-attacks across the globe. "Five of its administrators were arrested, and all of its servers seized, rendering LolekHosted.net no longer available," Europol said in a statement. "The service facilitated the distribution of information-stealing malware, and also the launching of DDoS (distributed denial of service) attacks, fictitious online shops, botnet server management, and distribution of spam messages worldwide," it added. Polish authorities, who made the arrests, said three other detainees have been subjected to preventive measures in the form of police supervision, bail, and a ban on leaving the country. Alongside the arrests, hundreds of servers containing terabytes of data, computer equipment, and mobile phones have been confiscated. The seizure, carried out on Augu

The Hacker News

August 12, 2023 – Breach

UK: Cumbria Police Admit Huge Breach of Data of Officers and Staff Full Text

Abstract Cumbria police have admitted accidentally publishing the names and salaries of every one of its more than 2,000 employees and have apologized. The data breach happened in March and has not previously been publicized.

Cyware

August 12, 2023 – Vulnerabilities

New Python URL Parsing Flaw Could Enable Command Execution Attacks Full Text

Abstract A high-severity security flaw has been disclosed in the Python URL parsing function that could be exploited to bypass domain or protocol filtering methods implemented with a blocklist, ultimately resulting in arbitrary file reads and command execution. "urlparse has a parsing problem when the entire URL starts with blank characters," the CERT Coordination Center (CERT/CC) said in a Friday advisory. "This problem affects both the parsing of hostname and scheme, and eventually causes any blocklisting methods to fail." The flaw has been assigned the identifier CVE-2023-24329 and carries a CVSS score of 7.5. Security researcher Yebo Cao has been credited with discovering and reporting the issue in August 2022. It has been addressed in the following versions: >= 3.12; 3.11.x >= 3.11.4; 3.10.x >= 3.10.12; 3.9.x >= 3.9.17; 3.8.x >= 3.8.17; and 3.7.x >= 3.7.17. urllib.parse is a widely used parsing function that makes it possible to break dow

The Hacker News

August 12, 2023 – Policy and Law

Police dismantled bulletproof hosting service provider Lolek Hosted Full Text

Abstract A joint operation conducted by European and U.S. law enforcement agencies dismantled the bulletproof hosting service provider Lolek Hosted. Lolek Hosted is a bulletproof hosting service provider used to facilitate the distribution of information-stealing...

Security Affairs

August 12, 2023 – Vulnerabilities

Python URL parsing function flaw can enable command execution Full Text

Abstract A severe vulnerability in the Python URL parsing function can be exploited to gain arbitrary file reads and command execution. Researchers warn that a high-severity security vulnerability, tracked as CVE-2023-24329 (CVSS score of 7.5), has been disclosed...

Security Affairs

August 12, 2023 – Breach

UK govt contractor MPD FM leaks employee passport data Full Text

Abstract UK govt contractor MPD FM left an open instance that exposed employee passports, visas, and other sensitive data. MPD FM, a facility management and security company providing services to various UK government departments, left an open instance that...

Security Affairs

August 12, 2023 – Attack

Power Generator in South Africa hit with DroxiDat and Cobalt Strike Full Text

Abstract Threat actors employed a new variant of the SystemBC malware, named DroxiDat, in attacks aimed at African critical infrastructure. Researchers from Kaspersky's Global Research and Analysis Team (GReAT) reported that an unknown threat actor used a new variant...

Security Affairs

August 11, 2023 – Vulnerabilities

Magento Shopping Cart Attack Targets Critical Vulnerability Full Text

Abstract Security researchers at Akamai say they have identified a server-side template injection campaign aimed at Magento 2 shops that have yet to address CVE-2022-24086, an input validation flaw with a CVSS score of 9.8.

Cyware

August 11, 2023 – Attack

Researchers Uncover Years-Long Cyber Espionage on Foreign Embassies in Belarus Full Text

Abstract A hitherto undocumented threat actor operating for nearly a decade and codenamed MoustachedBouncer has been attributed to cyber espionage attacks aimed at foreign embassies in Belarus. "Since 2020, MoustachedBouncer has most likely been able to perform adversary-in-the-middle (AitM) attacks at the ISP level, within Belarus, in order to compromise its targets," ESET security researcher Matthieu Faou said, describing the group as skilled and advanced. The adversary, active since at least 2014, is assessed to be aligned with Belarusian interests, likely employing a lawful interception system such as SORM to conduct its AitM attacks as well as deploy disparate tools called NightClub and Disco. Both the Windows malware frameworks support additional spying plugins including a screenshotter, an audio recorder, and a file stealer. The oldest sample of NightClub dates back to November 19, 2014, when it was uploaded to VirusTotal from Ukraine. Embassy staff from four differ

The Hacker News

August 11, 2023 – Education

The Evolution of API: From Commerce to Cloud Full Text

Abstract API (or Application Programming Interface) is a ubiquitous term in the tech community today, and it’s one with a long history. As a concept, APIs (or Application Programming Interfaces) have been around since the 1950s. What started out as a potential...

Security Affairs

August 11, 2023 – Attack

Charming Kitten Hackers Target Iranian Dissidents in Germany Full Text

Abstract The Federal Office for the Protection of the Constitution (BfV) reported it had found concrete attempts by the group known as Charming Kitten to target the Iranian opposition and exiles based in Germany.

Cyware

August 11, 2023 – Encryption

Enhancing TLS Security: Google Adds Quantum-Resistant Encryption in Chrome 116 Full Text

Abstract Google has announced plans to add support for quantum-resistant encryption algorithms in its Chrome browser, starting with version 116. "Chrome will begin supporting X25519Kyber768 for establishing symmetric secrets in TLS, starting in Chrome 116, and available behind a flag in Chrome 115," Devon O'Brien said in a post published Thursday. Kyber was chosen by the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) as the candidate for general encryption in a bid to tackle future cyber attacks posed by the advent of quantum computing. Kyber-768 is roughly the security equivalent of AES-192. The encryption algorithm has already been adopted by Cloudflare, Amazon Web Services, and IBM. X25519Kyber768 is a hybrid algorithm that combines the output of X25519, an elliptic curve algorithm widely used for key agreement in TLS, and Kyber-768 to create a strong session key to encrypt TLS connections. "Hybrid mechanism

The Hacker News

August 11, 2023 – Botnet

Gafgyt botnet is targeting EoL Zyxel routers Full Text

Abstract Researchers warn that the Gafgyt botnet is actively exploiting a vulnerability impacting the end-of-life Zyxel P660HN-T1A router. A variant of the Gafgyt botnet is actively attempting to exploit a vulnerability, tracked as CVE-2017-18368 (CVSS v3: 9.8),...

Security Affairs

August 11, 2023 – Government

Ukrainian Official Touts Country’s Wartime Cyber Intelligence Efforts Full Text

Abstract Intelligence gathered in cyberspace is helping Ukraine understand Russia's plans and stop the enemy from carrying them out, according to the country’s top cyber and information security official.

Cyware

August 11, 2023 – APT

Researchers Shed Light on APT31’s Advanced Backdoors and Data Exfiltration Tactics Full Text

Abstract The Chinese threat actor known as APT31 (aka Bronze Vinewood, Judgement Panda, or Violet Typhoon) has been linked to a set of advanced backdoors that are capable of exfiltrating harvested sensitive information to Dropbox. The malware is part of a broader collection of more than 15 implants that have been put to use by the adversary in attacks targeting industrial organizations in Eastern Europe in 2022. "The attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems," Kaspersky said in an analysis spotlighting APT31's previously undocumented tradecraft. The intrusions employ a three-stage malware stack, each focused on disparate aspects of the attack chain: setting up persistence, gathering sensitive data, and transmitting the information to a remote server under the threat actor's control. Some variants of the second-stage backdoors also come with features designed to look up file names in the Microso

The Hacker News

August 11, 2023 – APT

Charming Kitten APT is targeting Iranian dissidents in Germany Full Text

Abstract Germany’s Federal Office for the Protection of the Constitution (BfV) warns that the Charming Kitten APT group targeted Iranian dissidents in the country. The Federal Office for the Protection of the Constitution (BfV) is warning that an alleged...

Security Affairs

August 11, 2023 – Policy and Law

India Passes Data Protection Legislation in Parliament. Critics Fear Privacy Violation Full Text

Abstract Indian lawmakers Wednesday approved a data protection legislation that “seeks to better regulate big tech firms and penalize companies for data breaches” as several groups expressed concern over citizens’ privacy rights.

Cyware

August 11, 2023 – Attack

New SystemBC Malware Variant Targets Southern African Power Company Full Text

Abstract An unknown threat actor has been linked to a cyber attack on a power generation company in southern Africa with a new variant of the SystemBC malware called DroxiDat as a precursor to a suspected ransomware attack. "The proxy-capable backdoor was deployed alongside Cobalt Strike Beacons in a south African nation's critical infrastructure," Kurt Baumgartner, principal security researcher at Kaspersky's Global Research and Analysis Team (GReAT), said. The Russian cybersecurity company said the attack, which took place in late March 2023, was in its early stages and involved the use of DroxiDat to profile the system and proxy network traffic using the SOCKS5 protocol to and from command-and-control (C2) infrastructure. SystemBC is a C/C++-based commodity malware and remote administrative tool that was first seen in 2019. Its main feature is to set up SOCKS5 proxies on victim computers that can then be used by threat actors to tunnel malicious traffic associ

The Hacker News

August 11, 2023 – Criminals

California City Investigating Data Theft After Ransomware Group’s Claims Full Text

Abstract The LockBit gang added 15 victims to its leak site on Wednesday including El Cerrito, which is home to more than 25,000 residents and is about 10 minutes north of Oakland.

Cyware

August 11, 2023 – Vulnerabilities

16 New CODESYS SDK Flaws Expose OT Environments to Remote Attacks Full Text

Abstract A set of 16 high-severity security flaws have been disclosed in the CODESYS V3 software development kit (SDK) that could result in remote code execution and denial-of-service under specific conditions, posing risks to operational technology (OT) environments. The flaws, tracked from CVE-2022-47378 through CVE-2022-47393 and dubbed CoDe16, carry a CVSS score of 8.8 with the exception of CVE-2022-47391, which has a severity rating of 7.5. Twelve of the flaws are buffer overflow vulnerabilities. "Exploitation of the discovered vulnerabilities, which affect all versions of CODESYS V3 prior to version 3.5.19.0, could put operational technology (OT) infrastructure at risk of attacks, such as remote code execution (RCE) and denial-of-service (DoS)," Vladimir Tokarev of the Microsoft Threat Intelligence Community said in a report. While a successful weaponization of the flaws requires user authentication as well as an in-depth knowledge of the proprietary protocol of CODESY

The Hacker News

August 11, 2023 – Government

CISA Adds Microsoft .NET Vulnerability to KEV Catalog Due to Active Exploitation Full Text

Abstract The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched security flaw in Microsoft's .NET and Visual Studio products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2023-38180 (CVSS score: 7.5), the high-severity flaw relates to a case of denial-of-service (DoS) impacting .NET and Visual Studio. It was addressed by Microsoft as part of its August 2023 Patch Tuesday updates shipped earlier this week, tagging it with an "Exploitation More Likely" assessment. While exact details surrounding the nature of exploitation are unclear, the Windows maker has acknowledged the existence of a proof-of-concept (PoC) in its advisory. It also said that attacks leveraging the flaw can be pulled off without any additional privileges or user interaction. "Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems," the company

The Hacker News

August 10, 2023 – Business

Sweet Security Raises $12M Seed Round for its Cloud Security Suite Full Text

Abstract The $12 million seed round was led by Glilot Capital Partners, with participation from CyberArk Ventures and a number of angel investors including Gerhard Eschelbeck, a former CISO at Google, and Travis McPeak, who led product security at Databricks.

Cyware

August 10, 2023 – Attack

New Attack Alert: Freeze[.]rs Injector Weaponized for XWorm Malware Attacks Full Text

Abstract Malicious actors are using a legitimate Rust-based injector called Freeze[.]rs to deploy a commodity malware called XWorm in victim environments. The novel attack chain, detected by Fortinet FortiGuard Labs on July 13, 2023, is initiated via a phishing email containing a booby-trapped PDF file. It has also been used to introduce Remcos RAT by means of a crypter called SYK Crypter, which was first documented by Morphisec in May 2022. "This file redirects to an HTML file and utilizes the 'search-ms' protocol to access an LNK file on a remote server," security researcher Cara Lin said. "Upon clicking the LNK file, a PowerShell script executes Freeze[.]rs and SYK Crypter for further offensive actions." Freeze[.]rs, released on May 4, 2023, is an open-source red teaming tool from Optiv that functions as a payload creation tool used for circumventing security solutions and executing shellcode in a stealthy manner. "Freeze[.]rs utilizes multiple tec

The Hacker News

August 10, 2023 – Malware

Statc Stealer, a new sophisticated info-stealing malware Full Text

Abstract Experts warn that a new info-stealer named Statc Stealer is infecting Windows devices to steal a broad range of sensitive information. Zscaler ThreatLabz researchers discovered a new information stealer malware, called Statc Stealer, that...

Security Affairs

August 10, 2023 – Vulnerabilities

Forty Vulnerabilities Patched in Android With August 2023 Security Updates Full Text

Abstract “Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible,” Google noted in its security bulletin.

Cyware

August 10, 2023 – Malware

New Statc Stealer Malware Emerges: Your Sensitive Data at Risk Full Text

Abstract A new information-stealing malware strain called Statc Stealer has been found infecting devices running Microsoft Windows to siphon sensitive personal and payment information. "Statc Stealer exhibits a broad range of stealing capabilities, making it a significant threat," Zscaler ThreatLabz researchers Shivam Sharma and Amandeep Kumar said in a technical report published this week. "It can steal sensitive information from various web browsers, including login data, cookies, web data, and preferences. Additionally, it targets cryptocurrency wallets, credentials, passwords, and even data from messaging apps like Telegram." Written in C++, the malicious stealer finds its way into victim systems when potential victims are tricked into clicking on seemingly innocuous ads, with the stealer imitating an MP4 video file format on web browsers like Google Chrome. The first-stage payload, while dropping and executing a decoy PDF installer, also stealthily deploys a downloader

The Hacker News

August 10, 2023 – Government

CISA discovered a new backdoor, named Whirlpool, used in Barracuda ESG attacks Full Text

Abstract The U.S. Cybersecurity & Infrastructure Security Agency (CISA) observed a new backdoor, named Whirlpool, in attacks on Barracuda ESG appliances. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has discovered a new backdoor,...

Security Affairs

August 10, 2023 – Criminals

IRS Confirms Takedown of Bulletproof Hosting Provider Lolek Full Text

Abstract A popular bulletproof hosting platform was taken down by authorities in the U.S. and Poland this week, marking the latest effort to limit the anonymous access cybercriminals have to critical tools.

Cyware

August 10, 2023 – Vulnerabilities

Emerging Attacker Exploit: Microsoft Cross-Tenant Synchronization Full Text

Abstract Attackers continue to target Microsoft identities to gain access to connected Microsoft applications and federated SaaS applications. Additionally, attackers continue to progress their attacks in these environments, not by exploiting vulnerabilities, but by abusing native Microsoft functionality to achieve their objective. The attacker group Nobelium, linked with the SolarWinds attacks, has been documented using native functionality like the creation of Federated Trusts  [1]  to enable persistent access to a Microsoft tenant. This article demonstrates an additional native functionality that when leveraged by an attacker enables persistent access to a Microsoft cloud tenant and lateral movement capabilities to another tenant. This attack vector enables an attacker operating in a compromised tenant to abuse a misconfigured Cross-Tenant Synchronization (CTS) configuration and gain access to other connected tenants or deploy a rogue CTS configuration to maintain persistence within the te

The Hacker News

August 10, 2023 – Government

CISA adds actively exploited flaw in .NET, Visual Studio to its Known Exploited Vulnerabilities catalog Full Text

Abstract US CISA added zero-day vulnerability CVE-2023-38180 affecting .NET and Visual Studio to its Known Exploited Vulnerabilities catalog. US Cybersecurity and Infrastructure Security Agency (CISA) added an actively exploited zero-day vulnerability CVE-2023-38180...

Security Affairs

August 10, 2023 – Vulnerabilities

Adobe Patches 30 Acrobat, Reader Vulnerabilities on Patch Tuesday Full Text

Abstract Adobe on Tuesday rolled out a big batch of security updates for its flagship Acrobat and Reader software, patching at least 30 vulnerabilities affecting Windows and macOS installations.

Cyware

August 10, 2023 – Vulnerabilities

Encryption Flaws in Popular Chinese Language App Put Users’ Typed Data at Risk Full Text

Abstract A widely used Chinese language input app for Windows and Android has been found vulnerable to serious security flaws that could allow a malicious interloper to decipher the text typed by users. The findings come from the University of Toronto's Citizen Lab, which carried out an analysis of the encryption mechanism used in Tencent's Sogou Input Method, an app that has over 455 million monthly active users across Windows, Android, and iOS. The vulnerabilities are rooted in EncryptWall, the service's custom encryption system, allowing network eavesdroppers to extract the textual content and access sensitive data. "The Windows and Android versions of Sogou Input Method contain vulnerabilities in this encryption system, including a vulnerability to a CBC padding oracle attack, which allow network eavesdroppers to recover the plaintext of encrypted network transmissions, revealing sensitive information including what users have typed," the researchers said. CBC, s

The Hacker News

August 10, 2023 – Government

US Govt launches Artificial Intelligence Cyber Challenge Full Text

Abstract The US Government House this week launched an Artificial Intelligence Cyber Challenge competition for creating a new generation of AI systems. On Wednesday, the United States Government House introduced an Artificial Intelligence Cyber Challenge competition....

Security Affairs

August 10, 2023 – Breach

Update: The MOVEit Spree is as Bad as — or Worse — Than You Think it is Full Text

Abstract The mass exploit of a zero-day vulnerability in MOVEit has compromised more than 600 organizations and 40 million individuals to date, but the numbers mask a more disastrous outcome that’s still unfolding.

Cyware

August 10, 2023 – Phishing

Cybercriminals Increasingly Using EvilProxy Phishing Kit to Target Executives Full Text

Abstract Threat actors are increasingly using a phishing-as-a-service (PhaaS) toolkit dubbed EvilProxy to pull off account takeover attacks aimed at high-ranking executives at prominent companies. According to Proofpoint, an ongoing hybrid campaign has leveraged the service to target thousands of Microsoft 365 user accounts, sending approximately 120,000 phishing emails to hundreds of organizations worldwide between March and June 2023. Nearly 39% of the hundreds of compromised users are said to be C-level executives, including CEOs (9%) and CFOs (17%). The attacks have also singled out personnel with access to financial assets or sensitive information. At least 35% of all compromised users had additional account protections enabled. The campaigns are seen as a response to the increased adoption of multi-factor authentication (MFA) in enterprises, prompting threat actors to evolve their tactics to bypass new security layers by incorporating adversary-in-the-middle (AitM) phishing kits to

The Hacker News

August 10, 2023 – Breach

Data of all serving police officers of the Police Service of Northern Ireland (PSNI) mistakenly published online Full Text

Abstract Police Service of Northern Ireland (PSNI) mistakenly shared sensitive data of all 10,000 serving police officers in response to an FOI request. The Police Service of Northern Ireland (PSNI) has mistakenly shared sensitive data of all 10,000 serving...

Security Affairs

August 10, 2023 – Government

NIST Releases Draft Overhaul of Its Core Cybersecurity Framework Full Text

Abstract The National Institute of Standards and Technology released a long-anticipated draft version of the Cybersecurity Framework 2.0 Tuesday, the first major update of the agency’s risk guidance since 2014.

Cyware

August 10, 2023 – Criminals

Interpol Busts Phishing-as-a-Service Platform ‘16Shop,’ Leading to 3 Arrests Full Text

Abstract Interpol has announced the takedown of a phishing-as-a-service (PhaaS) platform called 16Shop, in addition to the arrests of three individuals in Indonesia and Japan. 16Shop specialized in the sales of phishing kits that other cybercriminals can purchase to mount phishing attacks on a large scale, ultimately facilitating the theft of credentials and payment details from users of popular services such as Apple, PayPal, American Express, Amazon, and Cash App, among others. "Victims typically receive an email with a pdf file or link that redirects to a site requesting the victims' credit card or other personally identifiable information," Interpol said. "This information is then stolen and used to extract money from the victims." No less than 70,000 users across 43 countries are estimated to have been compromised via services offered on 16Shop. The law enforcement operation has also led to the arrest of the site's administrator, a 21-year-old Indonesian

The Hacker News

August 10, 2023 – Attack

Pro-Russian Hacker Group Claims Attacks on French, Dutch Websites Full Text

Abstract The latest attacks come a week after the group, NoName057(16), hit Spanish and Italian government and private sector organizations with distributed denial-of-service (DDoS) attacks.

Cyware

August 10, 2023 – General

Report: 37% Of Third-Party Applications Have High-Risk Permissions Full Text

Abstract Examining data since 2013, Abnormal identified a massive increase in third-party apps integrated with email, underscoring the proliferation of an emerging threat vector that cybercriminals are exploiting as they continue to shift their tactics.

Cyware

August 9, 2023 – Business

Horizon3 AI Raises $40 Million to Expand Automated Pentesting Platform Full Text

Abstract The additional funding will help the San Francisco-based company integrate pentesting, SOAR, and detection engineering into its platform and expand its channel and partner presence to fuel global growth.

Cyware

August 09, 2023 – Vulnerabilities

Collide+Power, Downfall, and Inception: New Side-Channel Attacks Affecting Modern CPUs Full Text

Abstract Cybersecurity researchers have disclosed details of a trio of side-channel attacks that could be exploited to leak sensitive data from modern CPUs. Called Collide+Power (CVE-2023-20583), Downfall (CVE-2022-40982), and Inception (CVE-2023-20569), the novel methods follow the disclosure of another newly discovered security vulnerability affecting AMD's Zen 2 architecture-based processors known as Zenbleed (CVE-2023-20593). "Downfall attacks target a critical weakness found in billions of modern processors used in personal and cloud computers," Daniel Moghimi, senior research scientist at Google, said. "This vulnerability [...] enables a user to access and steal data from other users who share the same computer." In a hypothetical attack scenario, a malicious app installed on a device could weaponize the method to steal sensitive information like passwords and encryption keys, effectively undermining Intel's Software Guard eXtensions (SGX

The Hacker News

August 9, 2023 – Malware

Balada Injector still at large – new domains discovered Full Text

Abstract The Balada Injector is still at large and still evading security software by utilizing new domain names and using new obfuscation. During a routine web monitoring operation, we discovered an address that led us down a rabbit hole of WordPress-orientated...

Security Affairs

August 9, 2023 – General

Data Exfiltration is Now the Go-to Cyber Extortion Strategy Full Text

Abstract The abuse of zero-day and one-day vulnerabilities in the past six months led to a 143% increase in victims when comparing Q1 2022 with Q1 2023, according to a report by Akamai.

Cyware

August 09, 2023 – Attack

China-Linked Hackers Strike Worldwide: 17 Nations Hit in 3-Year Cyber Campaign Full Text

Abstract Hackers associated with China's Ministry of State Security (MSS) have been linked to attacks in 17 different countries in Asia, Europe, and North America from 2021 to 2023. Cybersecurity firm Recorded Future attributed the intrusion set to a nation-state group it tracks under the name RedHotel (previously Threat Activity Group-22 or TAG-22), which overlaps with a cluster of activity broadly monitored as Aquatic Panda, Bronze University, Charcoal Typhoon, Earth Lusca, and Red Scylla (or Red Dev 10). Active since 2019, some of the prominent sectors targeted by the prolific actor encompass academia, aerospace, government, media, telecommunications, and research. A majority of the victims during the period were government organizations. "RedHotel has a dual mission of intelligence gathering and economic espionage," the cybersecurity company said, calling out its persistence, operational intensity, and global reach. "It targets both government entities for

The Hacker News

August 9, 2023 – Phishing

EvilProxy used in massive cloud account takeover scheme Full Text

Abstract Cloud account takeover scheme utilizing EvilProxy hit over 100 top-level executives of global organizations. EvilProxy was observed sending 120,000 phishing emails to over a hundred organizations to steal Microsoft 365 accounts. Proofpoint noticed...

Security Affairs

August 9, 2023 – General

Hackers Prepare to Take on a Satellite at DEF CON Full Text

Abstract The annual Hack-A-Sat CTF competition held at Aerospace Village at the DEF CON in Las Vegas is the first time an on-orbit satellite will test contestants' mettle while bringing together hackers who don’t typically work on space systems.

Cyware

August 09, 2023 – Solution

Continuous Security Validation with Penetration Testing as a Service (PTaaS) Full Text

Abstract Validate security continuously across your full stack with Pen Testing as a Service. In today's modern security operations center (SOC), it's a battle between the defenders and the cybercriminals. Both are using tools and expertise – however, the cybercriminals have the element of surprise on their side, and a host of tactics, techniques, and procedures (TTPs) that have evolved. These external threat actors have now been further emboldened in the era of AI with open-source tools like ChatGPT. With the potential of an attack leading to a breach within minutes, CISOs now are looking to prepare all systems and assets for cyber resilience and rapid response when needed. With tools and capabilities to validate security continuously – including penetration testing as a service – DevSecOps teams can remediate critical vulnerabilities fast due to the easy access to tactical support to the teams that need it the most. This gives the SOC and DevOps teams tools that remove false po

The Hacker News

August 9, 2023 – Vulnerabilities

Downfall Intel CPU side-channel attack exposes sensitive data Full Text

Abstract Google researcher Daniel Moghimi devised a new side-channel attack technique, named Downfall, against Intel CPUs. Google researcher Daniel Moghimi devised a new side-channel attack technique against Intel CPUs, named Downfall, that relies on a flaw tracked...

Security Affairs

August 9, 2023 – Ransomware

The Ransomware Rollercoaster Continues as Criminals Advance Their Business Models Full Text

Abstract Ransomware shows no signs of slowing, with ransomware activity ending 13 times higher than at the start of 2023 as a proportion of all malware detections, according to Fortinet.

Cyware

August 09, 2023 – Solution

New Android 14 Security Feature: IT Admins Can Now Disable 2G Networks Full Text

Abstract Google has introduced a new security feature in Android 14 that allows IT administrators to disable support for 2G cellular networks in their managed device fleet. The search giant said it's introducing a second user setting to turn off support, at the model level, for null-ciphered cellular connections. "The Android Security Model assumes that all networks are hostile to keep users safe from network packet injection, tampering, or eavesdropping on user traffic," Roger Piqueras Jover, Yomna Nasser, and Sudhi Herle said. "Android does not rely on link-layer encryption to address this threat model. Instead, Android establishes that all network traffic should be end-to-end encrypted (E2EE)." 2G networks, in particular, employ weak encryption and lack mutual authentication, rendering them susceptible to over-the-air interception and traffic decryption attacks by impersonating a real 2G tower. The threat posed by rogue cellular base stations means th

The Hacker News

August 9, 2023 – Breach

LockBit threatens to leak medical data of cancer patients stolen from Varian Medical Systems Full Text

Abstract The LockBit ransomware group threatens to leak medical data of cancer patients stolen from Varian Medical Systems. The LockBit ransomware group claims to have hacked the healthcare company Varian Medical Systems and threatens to leak the medical data...

Security Affairs

August 9, 2023 – Business

Rubrik Buys Startup Laminar to Unify Cyber Posture, Recovery Full Text

Abstract Rubrik purchased a data security posture management startup backed by Salesforce and SentinelOne to provide visibility into where a company's data lives and who has access.

Cyware

August 09, 2023 – Breach

U.K. Electoral Commission Breach Exposes Voter Data of 40 Million Britons Full Text

Abstract The U.K. Electoral Commission on Tuesday disclosed a "complex" cyber attack on its systems that went undetected for over a year, allowing the threat actors to access years' worth of voter data belonging to 40 million people. "The incident was identified in October 2022 after suspicious activity was detected on our systems," the regulator said. "It became clear that hostile actors had first accessed the systems in August 2021." The intrusion enabled unauthorized access to the Commission's servers hosting email, control systems, and copies of the electoral registers it maintains for research purposes. The identity of the intruders is presently unknown. The registers included the name and address of anyone in the U.K. who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters. However, they did not contain information of those who qualified to register anonymously and addresses of overseas electors regi

The Hacker News

August 9, 2023 – Attack

Big Cyberespionage Attack Against Japan Attributed to China

Abstract Classified military networks run by Japan reportedly suffered a massive breach in 2020 at the hands of a Chinese cyberespionage group that proved tough to eject even after being discovered.

Cyware

August 09, 2023 – Vulnerabilities

Microsoft Releases Patches for 74 New Vulnerabilities in August Update

Abstract Microsoft has patched a total of 74 flaws in its software as part of the company's Patch Tuesday updates for August 2023, down from the voluminous 132 vulnerabilities the company fixed last month. This comprises six Critical, 67 Important, and one Moderate severity vulnerabilities. Released along with the security improvements are two defense-in-depth updates for Microsoft Office (ADV230003) and the Memory Integrity System Readiness Scan Tool (ADV230004). The updates are also in addition to 30 issues addressed by Microsoft in its Chromium-based Edge browser since last month's Patch Tuesday edition and one side-channel flaw impacting certain processor models offered by AMD (CVE-2023-20569 or Inception). ADV230003 concerns an already known security flaw tracked as CVE-2023-36884, a remote code execution vulnerability in Office and Windows HTML that has been actively exploited by the Russia-linked RomCom threat actor in attacks targeting Ukraine as well as pro-Ukr

The Hacker News

August 9, 2023 – Solution

Android 14 Introduces First-Of-Its-Kind Cellular Connectivity Security Features

Abstract Android 14 introduces new security measures to mitigate the risks associated with 2G networks, allowing users and enterprises to disable 2G connectivity and protect against potential attacks.

Cyware

August 09, 2023 – Cryptocurrency

Malicious Campaigns Exploit Weak Kubernetes Clusters for Crypto Mining

Abstract Exposed Kubernetes (K8s) clusters are being exploited by malicious actors to deploy cryptocurrency miners and other backdoors. Cloud security firm Aqua, in a report shared with The Hacker News, said a majority of the clusters belonged to small to medium-sized organizations, with a smaller subset tied to bigger companies, spanning financial, aerospace, automotive, industrial, and security sectors. In total, Kubernetes clusters belonging to more than 350 organizations, open-source projects, and individuals were discovered, 60% of which were the target of an active crypto-mining campaign. The publicly-accessible clusters, per Aqua, are said to suffer from two different kinds of misconfigurations: allowing anonymous access with high privileges and running kubectl proxy with the flags "--address=0.0.0.0 --accept-hosts=.*". "Housing a wide array of sensitive and valuable assets, Kubernetes clusters can store customer data, financial records, intellectual property, a

The Hacker News

August 9, 2023 – Breach

Lockbit Threatens to Leak Medical Data of Cancer Patients Stolen From Varian Medical Systems

Abstract Lockbit has fixed the deadline for the ransom payment on August 17, 2023. If confirmed, the incident could have a dramatic impact on the privacy of cancer patients. The company has yet to disclose the security incident.

Cyware

August 09, 2023 – Criminals

New Report Exposes Vice Society’s Collaboration with Rhysida Ransomware

Abstract Tactical similarities have been unearthed between the double extortion ransomware group known as Rhysida and Vice Society, including in their targeting of education and healthcare sectors. "As Vice Society was observed deploying a variety of commodity ransomware payloads, this link does not suggest that Rhysida is exclusively used by Vice Society, but shows with at least medium confidence that Vice Society operators are now using Rhysida ransomware," Check Point said in a new report. Vice Society, tracked by Microsoft under the name Storm-0832, has a pattern of employing already existing ransomware binaries that are sold on criminal forums to pull off their attacks. The financially motivated gang has also been observed resorting to pure extortion-themed attacks wherein the data is exfiltrated without being encrypted. First observed in May 2023, the Rhysida ransomware group is known to rely on phishing attacks and Cobalt Strike to breach targets' networks and

The Hacker News

August 9, 2023 – Policy and Law

For TSA’s Updated Pipeline Security Directive, Consistency and Collaboration are Key

Abstract This most recent update does not vacate previously established requirements in the simple pursuit of change. Instead, the new directive pursues incremental change that builds on but does not abandon previous requirements.

Cyware

August 8, 2023 – Attack

Ukrainian State Agencies Targeted with Open-Source Malware MerlinAgent

Abstract In early August, an unidentified threat actor tracked as UAC-0154 sent malicious emails to its targets, purportedly containing security tips from Ukraine's computer emergency response team (CERT-UA).

Cyware

August 08, 2023 – Malware

QakBot Malware Operators Expand C2 Network with 15 New Servers

Abstract The operators associated with the QakBot (aka QBot) malware have set up 15 new command-and-control (C2) servers as of late June 2023. The findings are a continuation of the malware's infrastructure analysis from Team Cymru, and arrive a little over two months after Lumen Black Lotus Labs revealed that 25% of its C2 servers are only active for a single day. "QakBot has a history of taking an extended break each summer before returning sometime in September, with this year's spamming activities ceasing around 22 June 2023," the cybersecurity firm said. "But are the QakBot operators actually on vacation when they aren't spamming, or is this 'break' a time for them to refine and update their infrastructure and tools?" QakBot's C2 network, like in the case of Emotet and IcedID, is characterized by a tiered architecture in which C2 nodes communicate with upstream Tier 2 (T2) C2 nodes hosted on VPS providers geolocated in Russia. A majo

The Hacker News

August 8, 2023 – Vulnerabilities

Microsoft Patch Tuesday for August 2023 fixed 2 actively exploited flaws

Abstract Microsoft Patch Tuesday security updates for August 2023 addressed 74 vulnerabilities, including two actively exploited flaws. Microsoft Patch Tuesday security updates for August 2023 addressed 74 new vulnerabilities in multiple products including...

Security Affairs

August 8, 2023 – Hacker

New Threat Actor Targets Bulgaria, China, Vietnam, and Other Countries With Customized Yashma Ransomware

Abstract The threat actor behind this operation uses an uncommon technique of downloading the ransom note from a GitHub repository via an embedded batch file, rather than embedding the note in the binary, which helps evade detection.

Cyware

August 08, 2023 – Hacker

Hackers Abusing Cloudflare Tunnels for Covert Communications

Abstract New research has revealed that threat actors are abusing Cloudflare Tunnels to establish covert communication channels from compromised hosts and retain persistent access. "Cloudflared is functionally very similar to ngrok," Nic Finn, a senior threat intelligence analyst at GuidePoint Security, said. "However, Cloudflared differs from ngrok in that it provides a lot more usability for free, including the ability to host TCP connectivity over cloudflared." A command-line tool for Cloudflare Tunnel, cloudflared allows users to create secure connections between an origin web server and Cloudflare's nearest data center so as to hide the web server IP addresses as well as block volumetric distributed denial-of-service (DDoS) and brute-force login attacks. For a threat actor with elevated access on an infected host, this feature presents a lucrative approach to set up a foothold by generating a token required to establish the tunnel from the victim machine.

The Hacker News

August 8, 2023 – Breach

UK Electoral Commission discloses a data breach

Abstract The UK Electoral Commission suffered a data breach that exposed voters' personal information between 2014 and 2022. The UK Electoral Commission disclosed a data breach that exposed the personal information of voters in the United Kingdom between 2014...

Security Affairs

August 8, 2023 – Government

White House Pushes Cybersecurity Defense for K-12 Schools

Abstract Typically understaffed and underfunded when it comes to cybersecurity, American K-12 schools have experienced a ramp-up in ransomware attacks, particularly after the pandemic forced the hasty adoption of remote tools for teaching.

Cyware

August 08, 2023 – Education

Understanding Active Directory Attack Paths to Improve Security

Abstract Introduced in 1999, Microsoft Active Directory is the default identity and access management service in Windows networks, responsible for assigning and enforcing security policies for all network endpoints. With it, users can access various resources across networks. As things tend to do, times, they are a'changin' – and a few years back, Microsoft introduced Azure Active Directory, the cloud-based version of AD to extend the AD paradigm, providing organizations with an Identity-as-a-Service (IDaaS) solution across both the cloud and on-prem apps. (Note that as of July 11th 2023, this service was renamed to Microsoft Entra ID, but for the sake of simplicity, we'll refer to it as Azure AD in this post.) Both Active Directory and Azure AD are critical to the functioning of on-prem, cloud-based, and hybrid ecosystems, playing a key role in uptime and business continuity. And with 90% of organizations using the service for employee authentication, access control and ID manag

The Hacker News

August 8, 2023 – Government

HHS Warns Healthcare Sector of Attacks by Rhysida Ransomware Group

Abstract Authorities are sounding the alarm about double-extortion attacks against healthcare and public health sector organizations by a relatively new ransomware-as-a-service group, Rhysida, which until recently had mainly focused on other industries.

Cyware

August 08, 2023 – Ransomware

New Yashma Ransomware Variant Targets Multiple English-Speaking Countries

Abstract An unknown threat actor is using a variant of the Yashma ransomware to target various entities in English-speaking countries, Bulgaria, China, and Vietnam at least since June 4, 2023. Cisco Talos, in a new write-up, attributed the operation with moderate confidence to an adversary of likely Vietnamese origin. "The threat actor uses an uncommon technique to deliver the ransom note," security researcher Chetan Raghuprasad said. "Instead of embedding the ransom note strings in the binary, they download the ransom note from the actor-controlled GitHub repository by executing an embedded batch file." Yashma, first described by the BlackBerry research and intelligence team in May 2022, is a rebranded version of another ransomware strain called Chaos. A month prior to its emergence, the Chaos ransomware builder was leaked in the wild. A notable aspect of the ransom note is its resemblance to the well-known WannaCry ransomware, possibly done so in an attempt to obs

The Hacker News

August 8, 2023 – Government

CISA Unveils Cybersecurity Strategic Plan for Next Three Years

Abstract The Cybersecurity Strategic Plan for fiscal years 2024-2026 outlines the agency’s plans for achieving a future where damaging cyberattacks are rare, organizations are resilient, and technology is secure by design.

Cyware

August 8, 2023 – Phishing

Massive Phishing Campaign Impersonates 340 Companies Using Over 800 Scam Domains

Abstract The phishing operation, originating from Russia but pretending to be Ukrainian, utilized a high-quality single-page application to create convincing websites and steal credit card and bank details.

Cyware

August 8, 2023 – Criminals

Nigerian Man Admits to $1.3M Business Email Compromise Scam

Abstract A Nigerian national pleaded guilty to participating in a BEC scheme to steal $1.25m from a Boston investment firm. The scam involved using malware and a spoofed domain name to trick the firm into transferring money to attacker-controlled accounts.

Cyware

August 8, 2023 – Phishing

Teach a Man to Phish and He’s Set for Life – Krebs on Security

Abstract A recent phishing scam has been using an old trick to fool Microsoft Windows users. The scam involves sending an email with an attachment that appears to be a PDF file, but is actually an .eml file disguised as a .pdf.

Cyware

August 08, 2023 – Malware

LOLBAS in the Wild: 11 Living-Off-The-Land Binaries Used for Malicious Purposes

Abstract Cybersecurity researchers have discovered a set of 11 living-off-the-land binaries-and-scripts (LOLBAS) that could be maliciously abused by threat actors to conduct post-exploitation activities. "LOLBAS is an attack method that uses binaries and scripts that are already part of the system for malicious purposes," Pentera security researcher Nir Chako said. "This makes it hard for security teams to distinguish between legitimate and malicious activities, since they are all performed by trusted system utilities." To that end, the Israeli cybersecurity company said it uncovered nine LOLBAS downloaders and three executors that could enable adversaries to download and execute "more robust malware" on infected hosts. This includes: MsoHtmEd.exe, Mspub.exe, ProtocolHandler.exe, ConfigSecurityPolicy.exe, InstallUtil.exe, Mshta.exe, Presentationhost.exe, Outlook.exe, MSAccess.exe, scp.exe, and sftp.exe. "In a complete attack chain, a hacker will us

The Hacker News

August 8, 2023 – Vulnerabilities

43 Android apps in Google Play with 2.5M installs loaded ads when a phone screen was off

Abstract Experts found 43 Android apps in Google Play with 2.5 million installs that displayed advertisements while a phone's screen was off. Recently, researchers from McAfee’s Mobile Research Team discovered 43 Android apps in Google Play with 2.5 million...

Security Affairs

August 8, 2023 – Business

Cyberinsurance Firm Resilience Raises $100 Million to Expand Its Cyber Risk Platform

Abstract The Series D round was led by Intact Ventures, an affiliate of Resilience’s primary capacity provider, Intact Insurance’s underwriting companies, with participation by Lightspeed Venture Partners, as well as General Catalyst and Founders Fund.

Cyware

August 8, 2023 – Malware

Latest Batloader Campaigns Use Pyarmor Pro for Evasion

Abstract The Batloader initial access malware, used by the group Water Minyades, has upgraded its evasion techniques by utilizing Pyarmor Pro to obfuscate its malicious Python scripts.

Cyware

August 7, 2023 – Criminals

Cl0p Ransomware Gang Revises its Extortion Strategy

Abstract MOVEit-hijacker Cl0p ransomware gang has changed its extortion tactics and is now using torrents to distribute data stolen in the MOVEit Transfer breaches. Previously, the group utilized Tor data leak sites, but this method was slow and easier to shut down. Through torrents, criminals are expecting ...

Cyware

August 07, 2023 – Malware

New Malware Campaign Targets Inexperienced Cyber Criminals with OpenBullet Configs

Abstract A new malware campaign has been observed making use of malicious OpenBullet configuration files to target inexperienced cyber criminals with the goal of delivering a remote access trojan (RAT) capable of stealing sensitive information. Bot mitigation company Kasada said the activity is designed to "exploit trusted criminal networks," describing it as an instance of advanced threat actors "preying on beginner hackers." OpenBullet is a legitimate open-source pen testing tool used for automating credential stuffing attacks. It takes in a configuration file that's tailored to a specific website and can combine it with a password list procured through other means to log successful attempts. "OpenBullet can be used with Puppeteer, which is a headless browser that can be used for automating web interactions," the company said. "This makes it very easy to launch credential stuffing attacks without having to deal with browser windows popping u

The Hacker News

August 7, 2023 – Privacy

Zoom trains its AI model with some user data, without giving them an opt-out option

Abstract Zoom changed its terms of service requiring users to allow AI to train on all their data without giving them an opt-out option. Zoom updated its terms of service and informed users that it will train its artificial intelligence models using some...

Security Affairs

August 7, 2023 – Criminals

Spyware Maker Letmespy Shuts Down After Hacker Deletes Server Data

Abstract In a notice on its website in both English and Polish, LetMeSpy confirmed the “permanent shutdown” of the spyware service and that it would cease operations by the end of August.

Cyware

August 07, 2023 – Attack

North Korean Hackers Target Russian Missile Engineering Firm

Abstract Two different North Korean nation-state actors have been linked to a cyber intrusion against the major Russian missile engineering company NPO Mashinostroyeniya. Cybersecurity firm SentinelOne said it identified "two instances of North Korea related compromise of sensitive internal IT infrastructure," including a case of an email server compromise and the deployment of a Windows backdoor dubbed OpenCarrot. The breach of the Linux email server has been attributed to ScarCruft. OpenCarrot, on the other hand, is a known implant previously identified as used by the Lazarus Group. The attacks were flagged in mid-May 2022. A rocket design bureau based in Reutov, NPO Mashinostroyeniya was sanctioned by the U.S. Treasury Department in July 2014 in connection to "Russia's continued attempts to destabilize eastern Ukraine and its ongoing occupation of Crimea." While both ScarCruft (aka APT37) and the Lazarus Group are affiliated with North Korea, it's w

The Hacker News

August 7, 2023 – Breach

North Korea compromised Russian missile engineering firm NPO Mashinostroyeniya

Abstract Two North Korea-linked APT groups compromised the infrastructure of the major Russian missile engineering firm NPO Mashinostroyeniya. Cybersecurity firm SentinelOne linked the compromise of the major Russian missile engineering firm NPO Mashinostroyeniya...

Security Affairs

August 7, 2023 – General

C-Suite, Rank-And-File at Odds Over Security’s Role

Abstract A disconnect is brewing between how C-suite executives and cybersecurity workers perceive security’s role, according to a Cloud Security Alliance report released last week. The study by Expel surveyed 1,000 IT and security professionals in May.

Cyware

August 07, 2023 – Solution

Enhancing Security Operations Using Wazuh: Open Source XDR and SIEM

Abstract In today's interconnected world, evolving security solutions to meet growing demand is more critical than ever. Collaboration across multiple solutions for intelligence gathering and information sharing is indispensable. The idea of multiple-source intelligence gathering stems from the concept that threats are rarely isolated. Hence, their detection and prevention require a comprehensive understanding of the broader landscape. A comprehensive and robust security framework should be established by aggregating resources, knowledge, and expertise from various sources. This collaborative effort allows for the analysis of diverse data sets, the identification of emerging patterns, and the timely dissemination of crucial information. In this article, we discuss a versatile security platform that can operate in two distinct roles within a security ecosystem. This platform can function as a subscriber, actively collecting and aggregating security data from various endpoints and other so

The Hacker News

August 7, 2023 – Malware

A new sophisticated SkidMap variant targets unsecured Redis servers

Abstract A new campaign targets Redis servers, this time the malware employed in the attacks is a new variant of the SkidMap malware. Skidmap is a piece of crypto-miner detected by Trend Micro in September 2019 while it was targeting Linux machines. The malicious...

Security Affairs

August 7, 2023 – Government

US ‘Lagging Behind’ on Border Gateway Protocol Security Practices, CISA and FCC Chiefs Say

Abstract The U.S. government is lagging behind other countries in instituting more stringent cybersecurity measures governing the Border Gateway Protocol (BGP) – a set of technical rules responsible for routing data efficiently.

Cyware

August 07, 2023 – Education

New ‘Deep Learning Attack’ Deciphers Laptop Keystrokes with 95% Accuracy

Abstract A group of academics has devised a "deep learning-based acoustic side-channel attack" that can be used to classify laptop keystrokes that are recorded using a nearby phone with 95% accuracy. "When trained on keystrokes recorded using the video conferencing software Zoom, an accuracy of 93% was achieved, a new best for the medium," researchers Joshua Harrison, Ehsan Toreini, and Maryam Mehrnezhad said in a new study published last week. Side-channel attacks refer to a class of security exploits that aim to glean insights from a system by monitoring and measuring its physical effects during the processing of sensitive data. Some of the common observable effects include runtime behavior, power consumption, electromagnetic radiation, acoustics, and cache accesses. Although a completely side-channel-free implementation does not exist, practical attacks of this kind can have damaging consequences for user privacy and security as they could be weaponized by a ma

The Hacker News

August 7, 2023 – Government

FBI warns of crooks posing as NFT developers in fraudulent schemes

Abstract The FBI is warning about cyber criminals masquerading as NFT developers to steal cryptocurrency and other digital assets. The U.S. Federal Bureau of Investigation (FBI) is warning about cyber criminals posing as legitimate NFT developers in fraud...

Security Affairs

August 7, 2023 – General

VPNs remain a risky gamble for remote access

Abstract A new Zscaler report stresses the need for organizations to reevaluate their security posture and migrate to a zero-trust architecture due to the increasing threat of cybercriminals exploiting VPN vulnerabilities.

Cyware

August 07, 2023 – Malware

New SkidMap Linux Malware Variant Targeting Vulnerable Redis Servers

Abstract Vulnerable Redis services have been targeted by a "new, improved, dangerous" variant of a malware called SkidMap that's engineered to target a wide range of Linux distributions. "The malicious nature of this malware is to adapt to the system on which it is executed," Trustwave security researcher Radoslaw Zdonczyk said in an analysis published last week. Some of the Linux distributions SkidMap sets its eyes on include Alibaba, Anolis, openEuler, EulerOS, Stream, CentOS, RedHat, and Rocky. SkidMap was first disclosed by Trend Micro in September 2019 as a cryptocurrency mining botnet with capabilities to load malicious kernel modules that can obfuscate its activities as well as monitor the miner process. The operators of the malware have also been found camouflaging their backup command-and-control (C2) IP address on the Bitcoin blockchain, evocative of another botnet malware known as Glupteba. "The technique of fetching real-time data from a de

The Hacker News

August 7, 2023 – General

The number of ransomware attacks targeting Finland increased fourfold since it started the process to join NATO

Abstract Senior official reports a quadruple increase in ransomware attacks against Finland since it started the process to join NATO. The number of ransomware attacks targeting Finland has increased fourfold since the country began the process of joining...

Security Affairs

August 7, 2023 – Malware

Reptile Rootkit Targets Linux Systems in South Korea

Abstract Reptile, an open-source kernel module rootkit designed to target Linux systems, was found on GitHub. Unlike typical rootkit malware, Reptile not only conceals its presence but also offers a reverse shell, granting threat actors control over compromised systems. It is crucial to regularly inspect ...

Cyware

August 07, 2023 – Government

FBI Alert: Crypto Scammers are Masquerading as NFT Developers

Abstract The U.S. Federal Bureau of Investigation (FBI) is warning about cyber crooks masquerading as legitimate non-fungible token (NFT) developers to steal cryptocurrency and other digital assets from unsuspecting users. In these fraudulent schemes, criminals either obtain direct access to NFT developer social media accounts or create look-alike accounts to promote "exclusive" new NFT releases, often employing misleading advertising campaigns that create a sense of urgency to pull them off. "Links provided in these announcements are phishing links directing victims to a spoofed website that appears to be a legitimate extension of a particular NFT project," the FBI said in an advisory last week. The replica websites urge potential targets to connect their cryptocurrency wallets and purchase the NFT, only for the threat actors to siphon the funds and NFTs to wallets under their control. "Contents stolen from victims' wallets are often processed through a ser

The Hacker News

August 7, 2023 – Solution

Multi-Modal Data Protection With AI’s Help

Abstract Multi-modal monitoring through AI enables the identification of both data and conversation types, enhancing the ability to detect and prevent data leakage or any unauthorized activities.

Cyware

August 6, 2023 – Vulnerabilities

Microsoft fixed a flaw in Power Platform after being criticized

Abstract Microsoft announced it has addressed a critical flaw in its Power Platform after it was criticized for the delay in fixing the issue. Microsoft this week addressed a critical vulnerability in its Power Platform, after it was criticized for the delay...

Security Affairs

August 6, 2023 – Breach

Colorado Department of Higher Education (CDHE) discloses data breach after ransomware attack

Abstract The Colorado Department of Higher Education (CDHE) finally disclosed a data breach impacting students, past students, and teachers after the June attack. In June a ransomware attack hit the Colorado Department of Higher Education (CDHE), now the organization...

Security Affairs

August 6, 2023 – General

Security Affairs newsletter Round 431 by Pierluigi Paganini – International edition

Abstract A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Reptile...

Security Affairs

August 6, 2023 – APT

BlueCharlie changes attack infrastructure in response to reports on its activity

Abstract Russia-linked APT group BlueCharlie was observed changing its infrastructure in response to recent reports on its activity. Researchers from Recorded Future reported that Russia-linked APT group BlueCharlie (aka Blue Callisto, Callisto, COLDRIVER,...

Security Affairs

August 5, 2023 – Government

CISA Cybersecurity Strategic Plan: An Important Step To Secure Critical Infrastructure

Abstract As a founding member of the Network Resilience Coalition, Cisco appreciates CISA’s shared commitment to driving focused attention and investment in efforts to secure and maintain existing critical networked technologies.

Cyware

August 05, 2023 – Solution

MDR: Empowering Organizations with Enhanced Security

Abstract Managed Detection and Response (MDR) has emerged as a crucial solution for organizations looking to bolster their security measures. MDR allows businesses to outsource the management of Endpoint Detection and Response (EDR) products deployed across their network domain. With real-time threat-hunting capabilities, MDR services detect and mitigate malicious activities on individual endpoints while promptly alerting the service provider's Security Operations Center (SOC) for further investigation. By leveraging the expertise of security specialists, MDR services relieve organizations of the complexities and criticality associated with security operations. Types of MDR Solutions: MDR services come in various forms, tailored to an organization's technology environment and risk requirements. These include: Bring-Your-Own Security Stack / Hybrid Solution: MDR solutions that integrate with existing security products deployed within an environment. Full Vendor-Supplied MDR Sta

The Hacker News

August 5, 2023 – Vulnerabilities

CISA, Five Eyes cyber advisory lists common vulnerabilities among 2022’s top exploits

Abstract This guidance is the latest released by the Five Eyes organization, which consists of government cybersecurity organizations from the U.S., New Zealand, the U.K., Australia and Canada.

Cyware

August 05, 2023 – Malware

Reptile Rootkit: Advanced Linux Malware Targeting South Korean Systems

Abstract Threat actors are using an open-source rootkit called Reptile to target Linux systems in South Korea. "Unlike other rootkit malware that typically only provide concealment capabilities, Reptile goes a step further by offering a reverse shell, allowing threat actors to easily take control of systems," the AhnLab Security Emergency Response Center (ASEC) said in a report published this week. "Port knocking is a method where the malware opens a specific port on an infected system and goes on standby. When the threat actor sends a magic packet to the system, the received packet is used as a basis to establish a connection with the C&C server." A rootkit is a malicious software program that's designed to provide privileged, root-level access to a machine while concealing its presence. At least four different campaigns have leveraged Reptile since 2022. The first use of the rootkit was recorded by Trend Micro in May 2022 in connection with an intrusion

The Hacker News

August 5, 2023 – Breach

Millions of people’s healthcare files accessed by Clop gang

Abstract The new additions to the victims' list bring the headcount to 514 organizations and more than 36 million individuals, according to Emsisoft threat researchers. It may take months if not years for the full impact and costs to become clear.

Cyware

August 05, 2023 – Vulnerabilities

Microsoft Addresses Critical Power Platform Flaw After Delays and Criticism

Abstract Microsoft on Friday disclosed that it has addressed a critical security flaw impacting Power Platform, but not before it came under criticism for its failure to swiftly act on it. "The vulnerability could lead to unauthorized access to Custom Code functions used for Power Platform custom connectors," the tech giant said. "The potential impact could be unintended information disclosure if secrets or other sensitive information were embedded in the Custom Code function." The company further noted that no customer action is required and that it found no evidence of active exploitation of the vulnerability in the wild. Tenable, which initially discovered and reported the shortcoming to Redmond on March 30, 2023, said the problem could enable limited, unauthorized access to cross-tenant applications and sensitive data. The cybersecurity firm said the flaw arises as a result of insufficient access control to Azure Function hosts, leading to a scenario where a t

The Hacker News

August 5, 2023 – Outage

Cyberattack disrupts hospital computer systems across US, hindering services Full Text

Abstract The hack caused chaos in medical facilities in several states. In Connecticut, the emergency departments at Manchester Memorial and Rockville General hospital were closed for much of the day and patients were diverted to other nearby medical centers.

Cyware

August 05, 2023 – Vulnerabilities

Researchers Uncover New High-Severity Vulnerability in PaperCut Software Full Text

Abstract Cybersecurity researchers have discovered a new high-severity security flaw in PaperCut print management software for Windows that could result in remote code execution under specific circumstances. Tracked as CVE-2023-39143 (CVSS score: 8.4), the flaw impacts PaperCut NG/MF prior to version 22.1.3. It has been described as a combination of a path traversal and file upload vulnerability. "CVE-2023-39143 enables unauthenticated attackers to potentially read, delete, and upload arbitrary files to the PaperCut MF/NG application server, resulting in remote code execution in certain configurations," Horizon3.ai's Naveen Sunkavally said. The cybersecurity firm said that file upload leading to remote code execution is possible when the external device integration setting is enabled, which is on by default in some installations of PaperCut. Earlier this April, another remote code execution vulnerability in the same product (CVE-2023-27350, CVSS score: 9.8) and an infor

The Hacker News

August 5, 2023 – Government

Government watchdog finds U.S. embassies running software vulnerable to attacks Full Text

Abstract The assessment, which GAO began at the end of last year, also found that many State Department posts lack not only a chief information security officer, but any cybersecurity personnel whatsoever.

Cyware

August 5, 2023 – Attack

Reptile Rootkit employed in attacks against Linux systems in South Korea Full Text

Abstract Researchers observed threat actors that are using an open-source rootkit called Reptile in attacks aimed at systems in South Korea. Reptile is an open-source kernel module rootkit that was designed to target Linux systems, unlike other rootkits,...

Security Affairs

August 5, 2023 – Malware

Malicious packages in the NPM designed for highly-targeted attacks Full Text

Abstract The files and directories targeted by the malicious code could potentially contain developers' sensitive data. Researchers speculate the packages are part of a highly-targeted attack on developers working in the cryptocurrency sector.

Cyware

August 5, 2023 – Vulnerabilities

New PaperCut flaw in print management software exposes servers to RCE attacks Full Text

Abstract Researchers discovered a vulnerability in PaperCut NG/MF print management software that can lead to remote code execution. Cybersecurity researchers at Horizon3 discovered a high-severity vulnerability, tracked as CVE-2023-39143 (CVSS score: 8.4),...

Security Affairs

August 4, 2023 – Breach

Mondee Security Lapse Exposed Flight Itineraries and Unencrypted Credit Card Numbers Full Text

Abstract The database, hosted on Oracle’s cloud and more than 1.7 terabytes in size at the time it was exposed, contained customers’ personal information, including names, gender, dates of birth, home addresses, flight information and passport numbers.

Cyware

August 04, 2023 – Policy and Law

NYC Couple Pleads Guilty to Money Laundering in $3.6 Billion Bitfinex Hack Full Text

Abstract A married couple from New York City has pleaded guilty to money laundering charges in connection with the 2016 hack of cryptocurrency exchange Bitfinex, resulting in the theft of about 120,000 bitcoin. The development comes more than a year after Ilya Lichtenstein, 35, and his wife, Heather Morgan, 33, were arrested in February 2022, following the seizure of roughly 95,000 of the stolen crypto assets that were held by the defendants. The funds were valued at $3.6 billion at the time. Since then, the U.S. government said it has seized another approximately $475 million tied to the breach. "Lichtenstein used a number of advanced hacking tools and techniques to gain access to Bitfinex's network," the U.S. Department of Justice (DoJ) said. "Once inside their systems, Lichtenstein fraudulently authorized more than 2,000 transactions in which 119,754 bitcoin was transferred from Bitfinex to a cryptocurrency wallet in Lichtenstein's control."

The Hacker News

August 4, 2023 – Outage

A cyberattack impacted operations of multiple hospitals in several US states Full Text

Abstract A cyberattack has disrupted the computer systems of multiple hospitals in several states, with a severe impact on their operations. Some emergency rooms in multiple hospitals in several states were forced to close and ambulances were diverted due to a cyberattack...

Security Affairs

August 4, 2023 – Outage

Hawai’i’s Gemini North Observatory Suspends Operations Following Cyberattack Full Text

Abstract The National Science Foundation’s NOIRLab did not respond to requests for comment but published a notice on Tuesday night explaining that the lab had discovered an attempted cyberattack on its systems that morning.

Cyware

August 04, 2023 – Education

Webinar - Making PAM Great Again: Solving the Top 5 Identity Team PAM Challenges Full Text

Abstract Privileged Access Management (PAM) solutions are widely acknowledged as the gold standard for securing critical privileged accounts. However, many security and identity teams face inherent obstacles during the PAM journey, hindering these solutions from reaching their full potential. These challenges deprive organizations of the resilience they seek, making it essential to address them effectively. Discover how you can enhance your PAM strategy in our upcoming webinar: "Solving the Top 5 PAM Pain Points Plaguing Identity Teams," featuring Yiftach Keshet from Silverfort. Reserve your spot now to gain invaluable insights. Gain insights into: Key Challenges: Identify the primary challenges identity teams encounter when implementing PAM solutions. Solutions & Approaches: Discover different strategies to effectively overcome these challenges and enhance your security posture. Unified Identity Protection: Learn how combining Unified Identity Protectio

The Hacker News

August 4, 2023 – Criminals

Married couple pleaded guilty to laundering billions in cryptocurrency stolen from Bitfinex in 2016 Full Text

Abstract A married couple from New York pleaded guilty this week to laundering billions of dollars stolen from Bitfinex in 2016. The couple pleaded guilty to money laundering charges in connection with the hack of the cryptocurrency stock exchange Bitfinex...

Security Affairs

August 4, 2023 – Malware

Rilide Stealer Evolves to Target Chrome Extension Manifest V3 Full Text

Abstract A rather sophisticated version of the Rilide malware was identified targeting Chromium-based web browsers to steal sensitive data and cryptocurrency. Experts identified over 1,300 phishing websites distributing the new version of Rilide Stealer along with other harmful malware such as Bu ...

Cyware

August 04, 2023 – Malware

Malicious npm Packages Found Exfiltrating Sensitive Data from Developers Full Text

Abstract Cybersecurity researchers have discovered a new bunch of malicious packages on the npm package registry that are designed to exfiltrate sensitive developer information. Software supply chain firm Phylum, which first identified the "test" packages on July 31, 2023, said they "demonstrated increasing functionality and refinement," hours after which they were removed and re-uploaded under different, legitimate-sounding package names. While the end goal of the undertaking is not clear, it's suspected to be a highly targeted campaign aimed at the cryptocurrency sector based on references to modules such as "rocketrefer" and "binarium." All the packages were published by the npm user malikrukd4732. A common feature across all the modules is the ability to launch JavaScript ("index.js") that's equipped to exfiltrate valuable information to a remote server. "The index.js code is spawned in a child process by the preinstall.j

The Hacker News

August 4, 2023 – Malware

Malicious packages in the NPM designed for highly-targeted attacks Full Text

Abstract Researchers discovered a new set of malicious packages on the npm package manager that can exfiltrate sensitive developer data. On July 31, 2023, Phylum researchers observed the publication of ten different "test" packages on the npm package manager...

Security Affairs

August 4, 2023 – Insider Threat

Burger King Forgets to put a Password on Their Systems, Again Full Text

Abstract On June 1st, 2023, the Cybernews research team discovered a publicly accessible environment file (.env) belonging to Burger King’s French website, containing various credentials. The file was hosted on the subdomain used for posting job offers.

Cyware

August 04, 2023 – Government

Major Cybersecurity Agencies Collaborate to Unveil 2022’s Most Exploited Vulnerabilities Full Text

Abstract A four-year-old critical security flaw impacting Fortinet FortiOS SSL has emerged as one of the most routinely and frequently exploited vulnerabilities in 2022. "In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems," cybersecurity and intelligence agencies from the Five Eyes nations, which comprise Australia, Canada, New Zealand, the U.K., and the U.S., said in a joint alert. The continued weaponization of CVE-2018-13379, which was also among the most exploited bugs in 2020 and 2021, suggests a failure on the part of organizations to apply patches in a timely manner, the authorities said. "Malicious cyber actors likely prioritize developing exploits for severe and globally prevalent CVEs," according to the advisory. "While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for cri

The Hacker News

August 4, 2023 – Attack

Attackers use dynamic code loading to bypass Google Play store’s malware detections Full Text

Abstract Threat actors rely on the 'versioning' technique to evade malware detections of malicious code uploaded to the Google Play Store. Google Cybersecurity Action Team (GCAT) revealed that threat actors are using a technique called versioning to evade...

Security Affairs

August 4, 2023 – Encryption

SCARF Cipher Sets New Standards in Protecting Sensitive Data Full Text

Abstract The cipher, designed by Assistant Professor Rei Ueno from the Research Institute of Electrical Communication at Tohoku University, addresses the threat of cache side-channel attacks, offering enhanced security and exceptional performance.

Cyware

August 4, 2023 – Government

CISA, FBI, and NSA published the list of 12 most exploited vulnerabilities of 2022 Full Text

Abstract CISA, the FBI, and NSA, along with Five Eyes cybersecurity agencies published a list of the 12 most exploited vulnerabilities of 2022. CISA, the NSA, and the FBI, in collaboration with cybersecurity authorities from Australia, Canada, New Zealand,...

Security Affairs

August 4, 2023 – General

These Are the Top Five Cloud Security Risks, Qualys Says Full Text

Abstract The five key risk areas are misconfigurations, external-facing vulnerabilities, weaponized vulnerabilities, malware inside a cloud environment, and remediation lag (that is, delays in patching).

Cyware

August 3, 2023 – Vulnerabilities

Google Chrome 115 Update Patches V8 JavaScript and WebAssembly Engine Vulnerabilities Full Text

Abstract The browser update resolves three high-severity type confusion bugs in the V8 JavaScript and WebAssembly engine that earned the reporting researchers over $60,000 in bug bounties, Google notes in its advisory.

Cyware

August 03, 2023 – Malware

Malicious Apps Use Sneaky Versioning Technique to Bypass Google Play Store Scanners Full Text

Abstract Threat actors are leveraging a technique called versioning to evade Google Play Store's malware detections and target Android users. "Campaigns using versioning commonly target users' credentials, data, and finances," Google Cybersecurity Action Team (GCAT) said in its August 2023 Threat Horizons Report shared with The Hacker News. While versioning is not a new phenomenon, it's sneaky and hard to detect. In this method, a developer releases an initial version of an app on the Play Store that passes Google's pre-publication checks, but is later updated with a malware component. This is achieved by pushing an update from an attacker-controlled server to serve malicious code on the end user device using a method called dynamic code loading (DCL), effectively turning the app into a backdoor. Earlier this May, ESET discovered a screen recording app named "iRecorder - Screen Recorder" that remained innocuous for nearly a year after it was first

The Hacker News

August 3, 2023 – Vulnerabilities

Decommissioned medical infusion pumps sold on secondary market could reveal Wi-Fi configuration settings Full Text

Abstract Experts warn that decommissioned medical infusion pumps sold via the secondary market could expose Wi-Fi configuration settings. The sale of decommissioned medical infusion pumps through the secondary market may lead to the potential exposure of Wi-Fi...

Security Affairs

August 3, 2023 – Breach

Canadian Healthcare Workers’ Private Information Subject to Data Breach Full Text

Abstract Hackers had access to the HEABC system from May 9 to June 10 and the breach wasn’t detected until July 13, according to the association, after staff “identified a potential anomaly” but did not provide further explanation.

Cyware

August 03, 2023 – Malware

New Version of Rilide Data Theft Malware Adapts to Chrome Extension Manifest V3 Full Text

Abstract Cybersecurity researchers have discovered a new version of malware called Rilide that targets Chromium-based web browsers to steal sensitive data and cryptocurrency. "It exhibits a higher level of sophistication through modular design, code obfuscation, adoption to the Chrome Extension Manifest V3, and additional features such as the ability to exfiltrate stolen data to a Telegram channel or interval-based screenshot captures," Trustwave security researcher Pawel Knapczyk said in a report shared with The Hacker News. Rilide was first documented by the cybersecurity company in April 2023, uncovering two different attack chains that made use of Ekipa RAT and Aurora Stealer to deploy rogue browser extensions capable of data and crypto theft. It's sold on dark web forums by an actor named "friezer" for $5,000. The malware is equipped with a wide range of features that allow it to disable other browser add-ons, harvest browsing history and cookies,

The Hacker News

August 3, 2023 – General

OWASP Top 10 for LLM (Large Language Model) applications is out! Full Text

Abstract The OWASP Top 10 for LLM (Large Language Model) Applications version 1.0 is out, it focuses on the potential security risks when using LLMs. OWASP released the OWASP Top 10 for LLM (Large Language Model) Applications project, which provides a list...

Security Affairs

August 3, 2023 – Business

Threat Intelligence Provider Cyble Raises $24 Million in Series B Funding Full Text

Abstract The new funding round was co-led by Blackbird Ventures and King River Capital, with participation from January Capital, Spider Capital, Summit Peak Ventures, and other investors.

Cyware

August 03, 2023 – Attack

Hundreds of Citrix NetScaler ADC and Gateway Servers Hacked in Major Cyber Attack Full Text

Abstract Hundreds of Citrix NetScaler ADC and Gateway servers have been breached by malicious actors to deploy web shells, according to the Shadowserver Foundation. The non-profit said the attacks take advantage of CVE-2023-3519, a critical code injection vulnerability that could lead to unauthenticated remote code execution. The flaw, patched by Citrix last month, carries a CVSS score of 9.8. The largest number of impacted IP addresses are based in Germany, followed by France, Switzerland, Italy, Sweden, Spain, Japan, China, Austria, and Brazil. The exploitation of CVE-2023-3519 to deploy web shells was previously disclosed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which said the attack was directed against an unnamed critical infrastructure organization in June 2023. The disclosure comes as GreyNoise said it detected three IP addresses attempting to exploit CVE-2023-24489 (CVSS score: 9.1), another critical flaw in Citrix ShareFile software that

The Hacker News

August 3, 2023 – Vulnerabilities

Rapid7 found a bypass for the recently patched actively exploited Ivanti EPMM bug Full Text

Abstract Researchers discovered a bypass for a recently fixed actively exploited vulnerability in Ivanti Endpoint Manager Mobile (EPMM). Rapid7 cybersecurity researchers have discovered a bypass for the recently patched actively exploited vulnerability in Ivanti...

Security Affairs

August 3, 2023 – Breach

Pennsylvania County Says Data Breach May Have Exposed 690,000 People’s Personal Information Full Text

Abstract The county says it, along with 22 million people worldwide, has been targeted by a global cyber security breach. The breach gave a group of cybercriminals access to personal information like driver's license numbers and Social Security numbers.

Cyware

August 03, 2023 – Solution

A Penetration Testing Buyer’s Guide for IT Security Teams Full Text

Abstract The frequency and complexity of cyber threats are constantly evolving. At the same time, organizations are now collecting sensitive data that, if compromised, could result in severe financial and reputational damage. According to Cybersecurity Ventures, the cost of cybercrime is predicted to hit $8 trillion in 2023 and will grow to $10.5 trillion by 2025. There is also increasing public and regulatory scrutiny over data protection. Compliance regulations (such as PCI DSS and ISO 27001), as well as the need for a better understanding of your cybersecurity risks, are driving the need to conduct regular penetration tests. Pen testing helps to identify security flaws in your IT infrastructure before threat actors can detect and exploit them. This gives you visibility into the risks posed by potential attacks and enables you to take swift corrective action to address them. Here, we outline key factors to consider before, during, and after the penetration testing process. Pre-Penetrati

The Hacker News

August 3, 2023 – APT

Russian APT29 conducts phishing attacks through Microsoft Teams Full Text

Abstract Russia-linked APT29 group targeted dozens of organizations and government agencies worldwide with Microsoft Teams phishing attacks. Microsoft Threat Intelligence reported that Russia-linked cyberespionage group APT29  (aka SVR group, Cozy Bear, Nobelium,...

Security Affairs

August 3, 2023 – Attack

Russian Hacker Group NoName057(16) Claims Attacks on Italian Banks, Government Agencies Full Text

Abstract A pro-Russian hacking group has claimed responsibility for cyberattacks on Italian banks, businesses, and government agencies which flooded networks and disrupted services.

Cyware

August 03, 2023 – General

Microsoft Flags Growing Cybersecurity Concerns for Major Sporting Events Full Text

Abstract Microsoft is warning of the threat malicious cyber actors pose to stadium operations, noting that the cyber risk surface of live sporting events is "rapidly expanding." "Information on athletic performance, competitive advantage, and personal information is a lucrative target," the company said in a Cyber Signals report shared with The Hacker News. "Sports teams, major league and global sporting associations, and entertainment venues house a trove of valuable information desirable to cybercriminals." "Unfortunately, this information can be vulnerable at-scale, due to the number of connected devices and interconnected networks in these environments." The company specifically singled out hospitals delivering critical support and health services for fans and players as being targets of ransomware attacks, resulting in service disruptions. To defend against such attacks, Microsoft is recommending that - Companies disable unnecessary ports a

The Hacker News

August 3, 2023 – General

Report: One in 100 Emails is Malicious Full Text

Abstract With the ever-increasing reliance on workplace technologies, including web-based tools and SaaS applications, organizations face an unparalleled need to strengthen their cybersecurity measures.

Cyware

August 03, 2023 – Denial Of Service

“Mysterious Team Bangladesh” Targeting India with DDoS Attacks and Data Breaches Full Text

Abstract A hacktivist group known as Mysterious Team Bangladesh has been linked to over 750 distributed denial-of-service (DDoS) attacks and 78 website defacements since June 2022. "The group most frequently attacks logistics, government, and financial sector organizations in India and Israel," Singapore-headquartered cybersecurity firm Group-IB said in a report shared with The Hacker News. "The group is primarily driven by religious and political motives." Some of the other targeted countries include Australia, Senegal, the Netherlands, Sweden, and Ethiopia. In addition, the threat actor is said to have gained access to web servers and administrative panels, likely by exploiting known security flaws or poorly-secured passwords. Mysterious Team Bangladesh, as the name indicates, is suspected to be of Bangladeshi origin. "We are working to protect Our Bangladesh Cyberspace," the group's Intro on Facebook reads. The group has an active social media pre

The Hacker News

August 3, 2023 – Malware

New Variants of NodeStealer Found Infecting Facebook Business Accounts Full Text

Abstract Unit 42 researchers discovered a previously unreported phishing campaign targeting Facebook business accounts. The campaign distributed new variants of NodeStealer malware that could fully take over these accounts, steal cryptocurrency, and download further payloads. This type of attack can cause b ...

Cyware

August 03, 2023 – Phishing

Microsoft Exposes Russian Hackers’ Sneaky Phishing Tactics via Microsoft Teams Chats Full Text

Abstract Microsoft on Wednesday disclosed that it identified a set of highly targeted social engineering attacks mounted by a Russian nation-state threat actor using credential theft phishing lures sent as Microsoft Teams chats. The tech giant attributed the attacks to a group it tracks as Midnight Blizzard (previously Nobelium). It's also called APT29, BlueBravo, Cozy Bear, Iron Hemlock, and The Dukes. "In this latest activity, the threat actor uses previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appear as technical support entities," the company said. "Using these domains from compromised tenants, Midnight Blizzard leverages Teams messages to send lures that attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multi-factor authentication (MFA) prompts." Microsoft said the campaign, observed since at least late May 2023, affected less than 40 organizations global

The Hacker News

August 03, 2023 – Vulnerabilities

Researchers Discover Bypass for Recently Patched Critical Ivanti EPMM Vulnerability Full Text

Abstract Cybersecurity researchers have discovered a bypass for a recently fixed actively exploited vulnerability in some versions of Ivanti Endpoint Manager Mobile (EPMM), prompting Ivanti to urge users to update to the latest version of the software. Tracked as CVE-2023-35082 (CVSS score: 10.0) and discovered by Rapid7, the issue "allows unauthenticated attackers to access the API in older unsupported versions of MobileIron Core (11.2 and below)." "If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users' personally identifiable information and make limited changes to the server," Ivanti said in an advisory released on August 2, 2023. Rapid7 security researcher Stephen Fewer said, "CVE-2023-35082 arises from the same place as CVE-2023-35078, specifically the permissive nature of certain entries in the mifs web application's security filter chain." With the latest disclosure, Ivanti has

The Hacker News

August 2, 2023 – Breach

Hackers already installed web shells on 581 Citrix servers in CVE-2023-3519 attacks Full Text

Abstract Researchers warn that hundreds of Citrix servers have been hacked in an ongoing campaign exploiting the RCE CVE-2023-3519. Security researchers from the non-profit organization Shadowserver Foundation reported that hundreds of Citrix Netscaler ADC and Gateway...

Security Affairs

August 2, 2023 – Cryptocurrency

Millions Stolen From Crypto Platforms Through Exploited ‘Vyper’ Vulnerability Full Text

Abstract Millions of dollars worth of cryptocurrency were stolen from several platforms over the weekend after hackers exploited a vulnerability in a programming language used widely in the cryptocurrency world.

Cyware

August 2, 2023 – Phishing

Zero-day in Salesforce email services exploited in targeted Facebook phishing campaign Full Text

Abstract Experts spotted a spear-phishing Facebook campaign exploiting a zero-day vulnerability in Salesforce email services. Researchers from Guardio Labs uncovered a sophisticated phishing campaign exploiting a zero-day vulnerability in Salesforce email...

Security Affairs

August 2, 2023 – General

The Gap in Users’ Identity Security Knowledge Gives Cybercriminals an Opening Full Text

Abstract With exponential growth in the number of human and machine actors on the network and more sophisticated technology in more places, identity in this new era is rapidly becoming a super-human problem, according to RSA.

Cyware

August 02, 2023 – Hacker

Russian Cyber Adversary BlueCharlie Alters Infrastructure in Response to Disclosures Full Text

Abstract A Russia-nexus adversary has been linked to 94 new domains starting March 2023, suggesting that the group is actively modifying its infrastructure in response to public disclosures about its activities. Cybersecurity firm Recorded Future linked the revamped infrastructure to a threat actor it tracks under the name BlueCharlie, a hacking crew that's broadly known by the names Blue Callisto, Callisto (or Calisto), COLDRIVER, Star Blizzard (formerly SEABORGIUM), and TA446. BlueCharlie was previously given the temporary designation Threat Activity Group 53 (TAG-53). "These shifts demonstrate that these threat actors are aware of industry reporting and show a certain level of sophistication in their efforts to obfuscate or modify their activity, aiming to stymie security researchers," the company said in a technical report shared with The Hacker News. BlueCharlie is assessed to be affiliated with Russia's Federal Security Service (FSB), with the threat actor linked

The Hacker News

August 2, 2023 – Breach

Burger King forgets to put a password on their systems, again Full Text

Abstract The fast food giant Burger King put their systems and data at risk by exposing sensitive credentials to the public for a second time. Original post @https://cybernews.com/security/burger-king-data-leak/ Burger King is a renowned US-based international...

Security Affairs

August 2, 2023 – Business

Nile, Which Offers Enterprise Networks as a Service, Raises $175M Full Text

Abstract Nile, a networking-as-a-service (NaaS) provider founded by former Cisco executive Pankaj Patel, has raised $175 million in a Series C funding round. The funding will be used for go-to-market growth and expanding the company's workforce.

Cyware

August 02, 2023 – Phishing

Phishers Exploit Salesforce’s Email Services Zero-Day in Targeted Facebook Campaign Full Text

Abstract A sophisticated Facebook phishing campaign has been observed exploiting a zero-day flaw in Salesforce's email services, allowing threat actors to craft targeted phishing messages using the company's domain and infrastructure. "Those phishing campaigns cleverly evade conventional detection methods by chaining the Salesforce vulnerability and legacy quirks in Facebook's Web Games platform," Guardio Labs researchers Oleg Zaytsev and Nati Tal said in a report shared with The Hacker News. The email messages masquerade as coming from Meta, while being sent from an email address with a "@salesforce.com" domain. They seek to trick recipients into clicking on a link by claiming that their Facebook accounts are undergoing a "comprehensive investigation" due to "suspicions of engaging in impersonation." The goal is to direct users to a rogue landing page that's designed to capture the victim's account credentials and two-factor aut

The Hacker News

August 2, 2023 – Government

CISA adds second Ivanti EPMM flaw to its Known Exploited Vulnerabilities catalog Full Text

Abstract US CISA added a second actively exploited Ivanti’s Endpoint Manager Mobile (EPMM) vulnerability to its Known Exploited Vulnerabilities catalog. US Cybersecurity and Infrastructure Security Agency (CISA) added the second actively exploited Ivanti...

Security Affairs

August 2, 2023 – Vulnerabilities

Firefox Fixes a Flurry of Flaws in the First of Two Releases This Month Full Text

Abstract Mozilla has released a new version of Firefox, marking the first of two upgrades for the month. The patched flaws are tracked as CVE-2023-4045, CVE-2023-4047, CVE-2023-4048, CVE-2023-4050, CVE-2023-4051, CVE-2023-4057, and CVE-2023-4058.

Cyware

August 02, 2023 – General

Industrial Control Systems Vulnerabilities Soar: Over One-Third Unpatched in 2023 Full Text

Abstract About 34% of security vulnerabilities impacting industrial control systems (ICSs) that were reported in the first half of 2023 have no patch or remediation, registering a significant increase from 13% the previous year. According to data compiled by SynSaber, a total of 670 ICS product flaws were reported via the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in the first half of 2023, down from 681 reported during the first half of 2022. Of the 670 CVEs, 88 are rated Critical, 349 are rated High, 215 are rated Medium, and 18 are rated Low in severity. 227 of the flaws have no fixes in comparison to 88 in H1 2022. "Critical manufacturing (37.3% of total reported CVEs) and Energy (24.3% of the total reported) sectors are the most likely to be affected," the OT cybersecurity and asset monitoring company said in a report shared with The Hacker News. Other prominent industry verticals include water and wastewater systems, commercial facilities, communication

The Hacker News

August 2, 2023 – Policy and Law

Lawsuit Alleges Bytedance’s Capcut App Secretly Reaps Massive Amounts of User Data Full Text

Abstract CapCut and sister company TikTok are owned by the Chinese company ByteDance Ltd., which has long been under scrutiny by American officials concerned with how it collects and leverages American users’ personal data, allegedly including biometric data.

Cyware

August 02, 2023 – General

Top Industries Significantly Impacted by Illicit Telegram Networks Full Text

Abstract In recent years the rise of illicit activities conducted within online messaging platforms has become a growing concern for countless industries. One of the most notable platforms that has been host to many malicious actors and nefarious activities has been Telegram. Thanks to its accessibility, popularity, and user anonymity, Telegram has attracted a large number of threat actors driven by criminal purposes. Many cybercriminals have moved operations into illicit Telegram channels in order to expand their reach and exploits to wider audiences. As a result, many of these illicit Telegram networks have negatively impacted many industries in relation to the increase of cyberattacks and data leaks that have occurred across the globe. While any industry can be affected by the cybercriminals operating on Telegram, there are several industries that are more significantly impacted by these illicit activities. In this post, we'll cover several of the common illicit activi

The Hacker News

August 2, 2023 – Policy and Law

Cyberattack on Montclair Township Led to $450K Settlement Full Text

Abstract The Garden State Joint Insurance Fund made the deal as law enforcement began investigations into possible criminal charges, Joseph Hartnett, interim township manager, said Thursday.

Cyware

August 02, 2023 – Vulnerabilities

Researchers Uncover AWS SSM Agent Misuse as a Covert Remote Access Trojan Full Text

Abstract Cybersecurity researchers have discovered a new post-exploitation technique in Amazon Web Services (AWS) that allows the AWS Systems Manager Agent (SSM Agent) to be run as a remote access trojan on Windows and Linux environments. "The SSM agent, a legitimate tool used by admins to manage their instances, can be re-purposed by an attacker who has achieved high privilege access on an endpoint with SSM agent installed, to carry out malicious activities on an ongoing basis," Mitiga researchers Ariel Szarf and Or Aspir said in a report shared with The Hacker News. "This allows an attacker who has compromised a machine, hosted on AWS or anywhere else, to maintain access to it and perform various malicious activities." SSM Agent is software installed on Amazon Elastic Compute Cloud (Amazon EC2) instances that makes it possible for administrators to update, manage, and configure their AWS resources through a unified interface. The advantages of using an SSM Agent

The Hacker News
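Because the agent itself is legitimate, the practical question for a defender is whether a given host's agent is still enrolled where the inventory says it should be. The script below is an added example, not code from Mitiga, AWS or The Hacker News. It assumes (labelled in the code) that a hybrid-activation registration record is a small JSON document with "ManagedInstanceID" and "Region" keys, that a host launched as an EC2 instance should carry no such record because the agent identifies it through the instance identity, and that a second agent process on one host is worth flagging. The host inventory and registration records are constructed sample data.

```python
"""Audit an SSM Agent's on-disk registration against what the host should be.

Added example, not code from Mitiga, AWS or The Hacker News. Assumptions:
the agent's hybrid-activation registration record is a small JSON document
with "ManagedInstanceID" and "Region" keys (on Linux the agent keeps it under
/var/lib/amazon/ssm/registration); a host launched as an EC2 instance should
have no such record at all, since the agent identifies it through the
instance identity. The inventory below is constructed sample data.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str
    reason: str


# Constructed inventory (sample, not real hosts).
EXPECTED = {
    # EC2 instance: no hybrid registration expected on disk.
    "web-01": {"kind": "ec2", "region": "eu-west-1"},
    # On-prem host enrolled through one of our own hybrid activations.
    "build-07": {
        "kind": "hybrid",
        "region": "eu-west-1",
        "managed_ids": {"mi-00aa11bb22cc33dd4"},
    },
}


def parse_registration(raw):
    """Return the parsed record, None if absent, or {"_malformed": True}."""
    if raw is None:
        return None
    try:
        doc = json.loads(raw)
    except ValueError:
        return {"_malformed": True}
    return doc if isinstance(doc, dict) else {"_malformed": True}


def audit_registration(host, raw_registration, agent_processes=1):
    """Compare the agent's registration (and process count) with inventory.

    raw_registration: raw contents of the registration record, or None if absent.
    agent_processes: number of amazon-ssm-agent processes seen on the host; a
    second agent is the simplest way to keep one foot in another AWS account
    (assumed heuristic, not a documented indicator).
    """
    expected = EXPECTED.get(host)
    if expected is None:
        return [Finding(host, "medium", "host not in inventory")]

    findings = []
    reg = parse_registration(raw_registration)
    if reg is not None and reg.get("_malformed"):
        findings.append(Finding(host, "medium", "registration record is not valid JSON"))
        reg = None

    if expected["kind"] == "ec2":
        if reg is not None:
            # Someone ran a hybrid registration on an EC2 instance: the agent now
            # talks to whichever account issued that activation, not necessarily ours.
            findings.append(Finding(
                host, "high",
                "EC2 instance carries hybrid registration %s in %s"
                % (reg.get("ManagedInstanceID"), reg.get("Region"))))
    else:
        if reg is None:
            findings.append(Finding(host, "medium", "hybrid host has no registration record"))
        else:
            mid = reg.get("ManagedInstanceID", "")
            if mid not in expected["managed_ids"]:
                findings.append(Finding(host, "high", "unknown managed instance id %s" % mid))
            if reg.get("Region") != expected["region"]:
                findings.append(Finding(
                    host, "high",
                    "agent registered in unexpected region %s" % reg.get("Region")))

    if agent_processes > 1:
        findings.append(Finding(
            host, "medium", "%d ssm-agent processes running, expected 1" % agent_processes))
    return findings


if __name__ == "__main__":
    # Constructed registration record: an EC2 host that has been re-registered.
    rogue = '{"ManagedInstanceID":"mi-0123456789abcdef0","Region":"us-east-1"}'
    for f in audit_registration("web-01", rogue, agent_processes=2):
        print(f)
```

The inventory-driven design matters more than the file format: the agent is supposed to be present, so the only reliable signal is a mismatch between where a host is enrolled and where you enrolled it. Feed it the registration record and process count from your own endpoint telemetry and keep the inventory in the place your CMDB already lives.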

August 2, 2023 – Government

Possible Chinese Malware in US Systems a ‘Ticking Time Bomb’: Report Full Text

Abstract The Biden administration believes China has implanted malware in key US power and communications networks in a “ticking time bomb” that could disrupt the military in event of a conflict, The New York Times reported Saturday.

Cyware

August 02, 2023 – Criminals

Iranian Company Cloudzy Accused of Aiding Cybercriminals and Nation-State Hackers Full Text

Abstract Services offered by an obscure Iranian company known as Cloudzy are being leveraged by multiple threat actors, including cybercrime groups and nation-state crews. "Although Cloudzy is incorporated in the United States, it almost certainly operates out of Tehran, Iran – in possible violation of U.S. sanctions – under the direction of someone going by the name Hassan Nozari," Halcyon said in a new report published Tuesday. The Texas-based cybersecurity firm said the company acts as a command-and-control provider (C2P), which provides attackers with Remote Desktop Protocol (RDP) virtual private servers and other anonymized services that ransomware affiliates and others use to pull off their cybercriminal endeavors. "[C2Ps] enjoy a liability loophole that does not require them to ensure that the infrastructure they provide is not being used for illegal operations," Halcyon said in a statement shared with The Hacker News. The ransomware-as-a-service (RaaS) busine

The Hacker News

August 02, 2023 – APT

Norwegian Entities Targeted in Ongoing Attacks Exploiting Ivanti EPMM Vulnerability Full Text

Abstract Advanced persistent threat (APT) actors exploited a recently disclosed critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) as a zero-day since at least April 2023 in attacks directed against Norwegian entities, including a government network. The disclosure comes as part of a new joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) Tuesday. The exact identity or origin of the threat actor remains unclear. "The APT actors have exploited CVE-2023-35078 since at least April 2023," the authorities said. "The actors leveraged compromised small office/home office (SOHO) routers, including ASUS routers, to proxy to target infrastructure." CVE-2023-35078 refers to a severe flaw that allows threat actors to access personally identifiable information (PII) and gain the ability to make configuration changes on compromised systems. It can be chained with a second vulne

The Hacker News

August 1, 2023 – Business

Dynatrace Acquires Cloud-Native Debugging Platform Rookout Full Text

Abstract Observability and security platform Dynatrace today announced that it plans to acquire Rookout, a Tel Aviv-based observability startup that focuses on helping developers troubleshoot and debug their code in production.

Cyware

August 01, 2023 – Malware

New NodeStealer Targeting Facebook Business Accounts and Crypto Wallets Full Text

Abstract Cybersecurity researchers have unearthed a Python variant of a stealer malware called NodeStealer that's equipped to fully take over Facebook business accounts as well as siphon cryptocurrency. Palo Alto Networks Unit 42 said it detected the previously undocumented strain as part of a campaign that commenced in December 2022. NodeStealer was first exposed by Meta in May 2023, describing it as a stealer capable of harvesting cookies and passwords from web browsers to compromise Facebook, Gmail, and Outlook accounts. While the prior samples were written in JavaScript, the latest versions are coded in Python. "NodeStealer poses great risk for both individuals and organizations," Unit 42 researcher Lior Rochberger said. "Besides the direct impact on Facebook business accounts, which is mainly financial, the malware also steals credentials from browsers, which can be used for further attacks." The attacks start with bogus messages on Facebook that purportedly clai

The Hacker News

August 1, 2023 – Malware

NodeStealer 2.0 takes over Facebook Business accounts and targets crypto wallets Full Text

Abstract Researchers spotted a Python variant of NodeStealer that was designed to take over Facebook business accounts and cryptocurrency wallets. Palo Alto Networks Unit 42 discovered a previously unreported phishing campaign that distributed...

Security Affairs

August 1, 2023 – Phishing

Iranian Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack Full Text

Abstract During the conversation, the malicious actors would send seemingly harmless attachments, such as invitations to conferences or files related to the targets’ professional interests, such as studies or articles.

Cyware

August 01, 2023 – Attack

European Bank Customers Targeted in SpyNote Android Trojan Campaign Full Text

Abstract Various European customers of different banks are being targeted by an Android banking trojan called SpyNote as part of an aggressive campaign detected in June and July 2023. "The spyware is distributed through email phishing or smishing campaigns and the fraudulent activities are executed with a combination of remote access trojan (RAT) capabilities and vishing attack," Italian cybersecurity firm Cleafy said in a technical analysis released Monday. SpyNote, also called SpyMax, is similar to other Android banking Trojans in that it requires Android's accessibility permissions in order to grant itself other necessary permissions and gather sensitive data from infected devices. What makes the malware strain notable is its dual function as spyware and as a tool for bank fraud. The attack chains commence with a bogus SMS message urging users to install a banking app by clicking on the accompanying link, redirecting the victim to the legitimate TeamViewer QuickSupport a

The Hacker News

August 1, 2023 – Government

US govt is hunting a Chinese malware that can interfere with its military operations Full Text

Abstract The US government believes that China has deployed malware in key US power and communications networks that can be activated in case of a conflict. American intelligence officials believe China has implanted malware in key US power and communications...

Security Affairs

August 1, 2023 – Vulnerabilities

Stremio Vulnerability Exposes Millions to Attack Full Text

Abstract CyFox researchers have discovered a DLL planting/hijacking vulnerability in popular media center application Stremio, which could be exploited by attackers to execute code on the victim’s system, steal information, and more.

Cyware

August 01, 2023 – Education

What is Data Security Posture Management (DSPM)? Full Text

Abstract Data Security Posture Management is an approach to securing cloud data by ensuring that sensitive data always has the correct security posture, regardless of where it's been duplicated or moved to. So, what is DSPM? Here's a quick example: Let's say you've built an excellent security posture for your cloud data. For the sake of this example, your data is in production, it's protected behind a firewall, it's not publicly accessible, and your IAM controls have limited access properly. Now along comes a developer and replicates that data into a lower environment. What happens to that fine security posture you've built? Well, it's gone, and now the data is only protected by the security posture in that lower environment. So if that environment is exposed or improperly secured, so is all that sensitive data you've been trying to protect. Security postures just don't travel with their data. Data Security Posture Management (DSPM) was crea

The Hacker News
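The replication scenario above reduces to a concrete check: for every copy of a sensitive dataset, compare the copy's controls against the controls of the copy you actually hardened and report where the copy is weaker. The script below is an added example written to illustrate that idea; it is not code from the original post or from any DSPM product. The datasets, locations and posture attributes are constructed sample data, and treating "prod" as the baseline environment is an assumption.

```python
"""Find copies of sensitive data whose posture is weaker than the production baseline.

Added example for the DSPM idea; not code from the original post or any DSPM
product. Datasets, locations and posture attributes are constructed sample
data, and "prod" as the baseline environment is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Posture:
    public: bool            # reachable without authentication
    encrypted: bool         # encrypted at rest
    principals: frozenset   # IAM principals allowed to read


@dataclass(frozen=True)
class DataCopy:
    dataset: str        # logical dataset the copy was derived from
    location: str       # where the copy lives (bucket, database, share ...)
    environment: str    # prod / staging / dev ...
    posture: Posture


def posture_gaps(baseline, copy):
    """List the ways `copy` is weaker than `baseline`; empty list means no drift."""
    gaps = []
    if copy.public and not baseline.public:
        gaps.append("publicly accessible")
    if baseline.encrypted and not copy.encrypted:
        gaps.append("not encrypted at rest")
    extra = copy.principals - baseline.principals
    if extra:
        gaps.append("extra principals with access: " + ", ".join(sorted(extra)))
    return gaps


def find_drift(copies, baseline_env="prod"):
    """Map dataset -> {location: [gaps]} for every copy weaker than its baseline copy.

    A dataset with no copy in the baseline environment is reported too, since
    there is nothing to measure its other copies against.
    """
    by_dataset = {}
    for c in copies:
        by_dataset.setdefault(c.dataset, []).append(c)

    report = {}
    for dataset, items in by_dataset.items():
        baseline = next((c for c in items if c.environment == baseline_env), None)
        if baseline is None:
            report[dataset] = {"*": ["no copy in baseline environment %r" % baseline_env]}
            continue
        for c in items:
            if c is baseline:
                continue
            gaps = posture_gaps(baseline.posture, c.posture)
            if gaps:
                report.setdefault(dataset, {})[c.location] = gaps
    return report


# Constructed inventory: one PII dataset copied from prod into two lower environments,
# plus a dataset that only exists outside prod.
SAMPLE_COPIES = [
    DataCopy("customer-pii", "s3://prod-customer-data", "prod",
             Posture(public=False, encrypted=True, principals=frozenset({"role/app"}))),
    DataCopy("customer-pii", "s3://dev-scratch-copy", "dev",
             Posture(public=False, encrypted=False,
                     principals=frozenset({"role/app", "group/all-developers"}))),
    DataCopy("customer-pii", "s3://staging-export", "staging",
             Posture(public=True, encrypted=True, principals=frozenset({"role/app"}))),
    DataCopy("analytics-events", "s3://analytics-dev", "dev",
             Posture(public=False, encrypted=True, principals=frozenset({"role/analyst"}))),
]

if __name__ == "__main__":
    for dataset, locations in find_drift(SAMPLE_COPIES).items():
        for location, gaps in locations.items():
            print("%s @ %s: %s" % (dataset, location, "; ".join(gaps)))
```

The comparison is deliberately one-directional: a copy that is stricter than the baseline is not a finding, and a copy that merely differs (a different but equally small principal set) is reported only for the principals the baseline never granted. The hard part in practice is not this logic but keeping the `dataset` lineage accurate as data is copied, which is what the discovery side of a DSPM tool is for.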

August 1, 2023 – Malware

WikiLoader malware-as-a-service targets Italian organizations Full Text

Abstract Threat actors are targeting Italian organizations with a phishing campaign aimed at delivering a new malware called WikiLoader. WikiLoader is a new piece of malware that is employed in a phishing campaign that is targeting Italian organizations....

Security Affairs

August 1, 2023 – Attack

Meow Campaign Reaches Misconfigured Jupyter Notebook Instances Full Text

Abstract The "Meow" campaign, targeting unsecured databases, has resurfaced, with the threat actor using misconfigured Jupyter Notebook instances to gather information and delete databases.

Cyware

August 01, 2023 – Criminals

Researchers Expose Space Pirates’ Cyber Campaign Across Russia and Serbia Full Text

Abstract The threat actor known as Space Pirates has been linked to attacks against at least 16 organizations in Russia and Serbia over the past year by employing novel tactics and adding new cyber weapons to its arsenal. "The cybercriminals' main goals are still espionage and theft of confidential information, but the group has expanded its interests and the geography of its attacks," Positive Technologies said in a deep dive report published last week. Targets comprise government agencies, educational institutions, private security companies, aerospace manufacturers, agricultural producers, defense, energy, and healthcare firms in Russia and Serbia. Space Pirates was first exposed by the Russian cybersecurity company in May 2022, highlighting its attacks on the aerospace sector in the nation. The group, said to be active since at least late 2019, has links to another adversary tracked by Symantec as Webworm. Positive Technologies' analysis of the attack infrast

The Hacker News

August 1, 2023 – Vulnerabilities

Be aware of exposure of sensitive data on Wi-Fi settings for Canon inkjet printers Full Text

Abstract Canon warns that sensitive data in the Wi-Fi connection settings stored in the memory of home inkjet printers may not be deleted during initialization...

Security Affairs

August 1, 2023 – Outage

Mattress Giant Tempur Sealy Hit with Cyberattack Forcing System Shutdown Full Text

Abstract The company’s chief financial officer Bhaskar Rao reported to the U.S. Securities and Exchange Commission on Monday morning that Tempur Sealy’s operations had been hindered by a cyberattack that began on July 23.

Cyware

August 01, 2023 – APT

China’s APT31 Suspected in Attacks on Air-Gapped Systems in Eastern Europe Full Text

Abstract A nation-state actor with links to China is suspected of being behind a series of attacks against industrial organizations in Eastern Europe that took place last year to siphon data stored on air-gapped systems. Cybersecurity company Kaspersky attributed the intrusions with medium to high confidence to a hacking crew called  APT31 , which is also tracked under the monikers Bronze Vinewood, Judgement Panda, and Violet Typhoon (formerly Zirconium), citing commonalities in the tactics observed. The attacks entailed the use of more than 15 distinct implants and their variants, broken down into three broad categories based on their ability to establish persistent remote access, gather sensitive information, and transmit the collected data to actor-controlled infrastructure. "One of the implant types appeared to be a sophisticated modular malware, aimed at profiling removable drives and contaminating them with a worm to exfiltrate data from isolated, or air-gapped, networks of indus

The Hacker News

August 1, 2023 – Ransomware

Spike in Ransomware Delivery via URLs, Reports Unit 42 Full Text

Abstract Ransomware delivered through URLs has become the leading method for distributing ransomware, accounting for over 77% of cases in 2022, found Unit 42. This is followed by emails at 12%. Researchers observed attackers using different URLs/hostnames to host or deliver different malware, including ran ...

Cyware

August 01, 2023 – Criminals

Cybercriminals Renting WikiLoader to Target Italian Organizations with Banking Trojan Full Text

Abstract Organizations in Italy are the target of a new phishing campaign that leverages a new strain of malware called WikiLoader with the ultimate aim of installing a banking trojan, stealer, and spyware referred to as Ursnif (aka Gozi). "It is a sophisticated downloader with the objective of installing a second malware payload," Proofpoint said in a technical report. "The malware uses multiple mechanisms to evade detection and was likely developed as a malware that can be rented out to select cybercriminal threat actors." WikiLoader is so named because the malware makes a request to Wikipedia and checks that the response contains the string "The Free." The enterprise security firm said it first detected the malware in the wild on December 27, 2022, in connection with an intrusion set mounted by a threat actor it tracks as TA544, which is also known as Bamboo Spider and Zeus Panda. The campaigns are centered around the use of emails containing either Micro

The Hacker News

August 1, 2023 – Policy and Law

Meta Subsidiaries Must Pay $14M Over Misleading Data Collection Disclosure Full Text

Abstract Facebook's subsidiaries, including Onavo, have been ordered to pay $14 million in an Australian court case for undisclosed data collection through a now-discontinued VPN, highlighting the company's privacy issues.

Cyware
