December, 2023
December 30, 2023 – Malware
Info-Stealing Malware Now Includes Google Session Hijacking
Abstract
Multiple malware-as-a-service info stealers now have the ability to manipulate authentication tokens to gain persistent access to a victim's Google account, even after the user has reset their password.
Source: Cyware
December 30, 2023 – Phishing
Beware: Scam-as-a-Service Aiding Cybercriminals in Crypto Wallet-Draining Attacks
Abstract
Cybersecurity researchers are warning about an increase in phishing attacks that are capable of draining cryptocurrency wallets. "These threats are unique in their approach, targeting a wide range of blockchain networks, from Ethereum and Binance Smart Chain to Polygon, Avalanche, and almost 20 other networks by using a crypto wallet-draining technique," Check Point researchers Oded Vanunu, Dikla Barda, and Roman Zaikin said. A prominent contributor to this troubling trend is a notorious phishing group called Angel Drainer, which advertises a "scam-as-a-service" offering by charging a percentage of the stolen amount, typically 20% or 30%, from its collaborators in return for providing wallet-draining scripts and other services. In late November 2023, a similar wallet-draining service known as Inferno Drainer announced that it was shutting down its operations for good after helping scammers plunder over $70 million worth of crypto from 103,676 victims sinc
Source: The Hacker News
December 29, 2023 – Outage
Computer Systems at Massachusetts-Based Anna Jaques Hospital Compromised After Cyberattack
Abstract
Anna Jaques Hospital's health record system was shut down due to a cyberattack, causing delays in receiving services and diverting ambulance arrivals. The hospital is working with cybersecurity professionals to investigate the attack.
Source: Cyware
December 29, 2023 – Attack
Albanian Parliament and One Albania Telecom Hit by Cyber Attacks
Abstract
The Assembly of the Republic of Albania and telecom company One Albania have been targeted by cyber attacks, the country's National Authority for Electronic Certification and Cyber Security (AKCESK) revealed this week. "These infrastructures, under the legislation in force, are not currently classified as critical or important information infrastructure," AKCESK said. One Albania, which has nearly 1.5 million subscribers, said in a Facebook post on December 25 that it had handled the security incident without any issues and that its services, including mobile, landline, and IPTV, remained unaffected. AKCESK further noted that the intrusions did not originate from Albanian IP addresses, adding it managed to "identify potential cases in real-time." The agency also said that it has been focusing its efforts on identifying the source of the attacks, recovering compromised systems, and implementing security measures to prevent such incidents from happening again in the future.
Source: The Hacker News
December 29, 2023 – Privacy
With Car Privacy Concerns Rising, Automakers May Be on Road to Regulation
Abstract
Regulators, particularly the California Privacy Protection Agency and the Federal Trade Commission, are starting to investigate and potentially take action against connected vehicle manufacturers for privacy violations.
Source: Cyware
December 29, 2023 – Government
CERT-UA Uncovers New Malware Wave Distributing OCEANMAP, MASEPIE, STEELHOOK
Abstract
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign orchestrated by the Russia-linked APT28 group to deploy previously undocumented malware such as OCEANMAP, MASEPIE, and STEELHOOK to harvest sensitive information. The activity, which was detected by the agency between December 15 and 25, 2023, targets government entities with email messages urging recipients to click on a link to view a document. However, to the contrary, the links redirect to malicious web resources that abuse JavaScript and the "search-ms:" URI protocol handler to drop a Windows shortcut file (LNK) that launches PowerShell commands to activate an infection chain for a new malware known as MASEPIE. MASEPIE is a Python-based tool to download/upload files and execute commands, with communications with the command-and-control (C2) server taking place over an encrypted channel using the TCP protocol. The attacks further pave the way for the deployment of a
Source: The Hacker News
December 29, 2023 – Policy and Law
Google to Settle Class Action Lawsuit Alleging Incognito Mode Does Not Protect User Privacy
Abstract
Google has reached a preliminary settlement in a class-action lawsuit accusing the company of deceiving users about their privacy while using the Incognito mode. The settlement comes after a nearly four-year legal battle.
Source: Cyware
December 29, 2023 – Phishing
Kimsuky Hackers Deploying AppleSeed, Meterpreter, and TinyNuke in Latest Attacks
Abstract
Nation-state actors affiliated to North Korea have been observed using spear-phishing attacks to deliver an assortment of backdoors and tools such as AppleSeed, Meterpreter, and TinyNuke to seize control of compromised machines. South Korea-based cybersecurity company AhnLab attributed the activity to an advanced persistent threat group known as Kimsuky. "A notable point about attacks that use AppleSeed is that similar methods of attack have been used for many years with no significant changes to the malware that are used together," the AhnLab Security Emergency Response Center (ASEC) said in an analysis published Thursday. Kimsuky, active for over a decade, is known for its targeting of a wide range of entities in South Korea, before expanding its focus to include other geographies in 2017. It was sanctioned by the U.S. government late last month for amassing intelligence to support North Korea's strategic objectives. The threat actor's espionage campaigns are realized th
Source: The Hacker News
December 29, 2023 – Outage
Update: Operational Halt at First American Financial Corporation, Subsidiary After Cyberattack
Abstract
The company is working to restore its operations and has notified regulatory authorities. Despite the disruption, the company is still able to close loans and accept payments.
Source: Cyware
December 29, 2023 – General
Do the Casino Ransomware Attacks Make the Case to Pay?
Abstract
Experts caution that the decision to pay or not pay depends on various factors, including the type of data compromised, the availability of backups, the financial impact on the organization, and the sector in which the company operates.
Source: Cyware
December 29, 2023 – Vulnerabilities
Microsoft Disables MSIX App Installer Protocol Widely Used in Malware Attacks
Abstract
Microsoft on Thursday said it's once again disabling the ms-appinstaller protocol handler by default following its abuse by multiple threat actors to distribute malware. "The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution," the Microsoft Threat Intelligence team said. It further noted that several cybercriminals are offering a malware kit for sale as a service that leverages the MSIX file format and ms-appinstaller protocol handler. The changes have gone into effect in App Installer version 1.21.3421.0 or higher. The attacks take the form of signed malicious MSIX application packages that are distributed via Microsoft Teams or malicious advertisements for legitimate popular software on search engines like Google. At least four different financially motivated hacking groups have been observed taking advantage of the App Installer service since mi
Source: The Hacker News
December 28, 2023 – Outage
Trinidad and Tobago Social Security Agency Discloses Post-Christmas Ransomware Attack
Abstract
The National Insurance Board in Trinidad and Tobago has been hit by a ransomware attack, leading to the closure of its offices and limiting its operations for an extended period.
Source: Cyware
December 28, 2023 – Vulnerabilities
Google Cloud Resolves Privilege Escalation Flaw Impacting Kubernetes Service
Abstract
Google Cloud has addressed a medium-severity security flaw in its platform that could be abused by an attacker who already has access to a Kubernetes cluster to escalate their privileges. "An attacker who has compromised the Fluent Bit logging container could combine that access with high privileges required by Anthos Service Mesh (on clusters that have enabled it) to escalate privileges in the cluster," the company said as part of an advisory released on December 14, 2023. Palo Alto Networks Unit 42, which discovered and reported the shortcoming, said adversaries could weaponize it to carry out "data theft, deploy malicious pods, and disrupt the cluster's operations." There is no evidence that the issue has been exploited in the wild. It has been addressed in the following versions of Google Kubernetes Engine (GKE) and Anthos Service Mesh (ASM): 1.25.16-gke.1020000, 1.26.10-gke.1235000, 1.27.7-gke.1293000, 1.28.4-gke.1083000, 1.17.8-asm.8, 1.18.
Source: The Hacker News
December 28, 2023 – Attack
Albanian Parliament, Telecom Company Hit by Cyberattacks
Abstract
The Albanian parliament and a telecom company were targeted by cyberattacks originating from outside Albania. The attacks, which attempted to interfere with infrastructure and delete data, have not been attributed to a specific threat actor.
Source: Cyware
December 28, 2023 – Attack
Most Sophisticated iPhone Hack Ever Exploited Apple’s Hidden Hardware Feature
Abstract
The Operation Triangulation spyware attacks targeting Apple iOS devices leveraged never-before-seen exploits that made it possible to even bypass pivotal hardware-based security protections erected by the company. Russian cybersecurity firm Kaspersky, which discovered the campaign at the beginning of 2023 after becoming one of the targets, described it as the "most sophisticated attack chain" it has ever observed to date. The campaign is believed to have been active since 2019. The exploitation activity involved the use of four zero-day flaws that were fashioned into a chain to obtain an unprecedented level of access and backdoor target devices running iOS versions up to iOS 16.2 with the ultimate goal of gathering sensitive information. The starting point of the zero-click attack is an iMessage bearing a malicious attachment, which is automatically processed sans any user interaction to ultimately obtain elevated permissions and deploy a spyware module. Specific
Source: The Hacker News
December 28, 2023 – Malware
Four-Year Campaign Backdoored iPhones Using Undocumented Hardware Function
Abstract
The secret hardware function targeted by the attackers allowed them to bypass advanced memory protections, enabling post-exploitation techniques and compromising system integrity.
Source: Cyware
December 28, 2023 – Malware
New Rugmi Malware Loader Surges with Hundreds of Daily Detections
Abstract
A new malware loader is being used by threat actors to deliver a wide range of information stealers such as Lumma Stealer (aka LummaC2), Vidar, RecordBreaker (aka Raccoon Stealer V2), and Rescoms. Cybersecurity firm ESET is tracking the trojan under the name Win/TrojanDownloader.Rugmi. "This malware is a loader with three types of components: a downloader that downloads an encrypted payload, a loader that runs the payload from internal resources, and another loader that runs the payload from an external file on the disk," the company said in its Threat Report H2 2023. Telemetry data gathered by the company shows that detections for the Rugmi loader spiked in October and November 2023, surging from single digit daily numbers to hundreds per day. Stealer malware is typically sold under a malware-as-a-service (MaaS) model to other threat actors on a subscription basis. Lumma Stealer, for instance, is advertised in underground forums for $250 a month. The most expen
Source: The Hacker News
December 28, 2023 – Vulnerabilities
Three Main Tactics Attackers Use to Bypass MFA
Abstract
SE Labs has warned that multi-factor authentication (MFA) is not foolproof and can be bypassed by attackers using old-school methods such as social engineering, malware, and phishing.
Source: Cyware
December 28, 2023 – Insider Threat
How to Incorporate Human-Centric Security
Abstract
Companies need to shift their focus from solely addressing threats to proactively mitigating risks by analyzing behaviors and implementing insider risk management solutions.
Source: Cyware
December 27, 2023 – Vulnerabilities
Critical Zero-Day in Apache OfBiz ERP System Exposes Businesses to Attack
Abstract
A new zero-day security flaw has been discovered in Apache OfBiz, an open-source Enterprise Resource Planning (ERP) system, that could be exploited to bypass authentication protections. The vulnerability, tracked as CVE-2023-51467, resides in the login functionality and is the result of an incomplete patch for another critical vulnerability (CVE-2023-49070, CVSS score: 9.8) that was released earlier this month. "The security measures taken to patch CVE-2023-49070 left the root issue intact and therefore the authentication bypass was still present," the SonicWall Capture Labs threat research team, which discovered the bug, said in a statement shared with The Hacker News. CVE-2023-49070 refers to a pre-authenticated remote code execution flaw impacting versions prior to 18.12.10 that, when successfully exploited, could allow threat actors to gain full control over the server and siphon sensitive data. It is caused by a deprecated XML-RPC component within Apache
Source: The Hacker News
December 27, 2023 – Attack
Chinese Hackers Exploited New Zero-Day in Barracuda’s ESG Appliances
Abstract
Barracuda has revealed that Chinese threat actors exploited a new zero-day in its Email Security Gateway (ESG) appliances to deploy backdoors on a "limited number" of devices. Tracked as CVE-2023-7102, the issue relates to a case of arbitrary code execution that resides within a third-party and open-source library named Spreadsheet::ParseExcel that's used by the Amavis scanner within the gateway to screen Microsoft Excel email attachments for malware. The company attributed the activity to a threat actor tracked by Google-owned Mandiant as UNC4841, which was previously linked to the active exploitation of another zero-day in Barracuda devices (CVE-2023-2868, CVSS score: 9.8) earlier this year. Successful exploitation of the new flaw is accomplished by means of a specially crafted Microsoft Excel email attachment. This is followed by the deployment of new variants of known implants called SEASPY and SALTWATER that are equipped to offer persistence and comman
Source: The Hacker News
December 27, 2023 – Malware
New Sneaky Xamalicious Android Malware Hits Over 327,000 Devices
Abstract
A new Android backdoor has been discovered with potent capabilities to carry out a range of malicious actions on infected devices. Dubbed Xamalicious by the McAfee Mobile Research Team, the malware is so named for the fact that it's developed using an open-source mobile app framework called Xamarin and abuses the operating system's accessibility permissions to fulfill its objectives. It's also capable of gathering metadata about the compromised device and contacting a command-and-control (C2) server to fetch a second-stage payload, but only after determining if it fits the bill. The second stage is "dynamically injected as an assembly DLL at runtime level to take full control of the device and potentially perform fraudulent actions such as clicking on ads, installing apps, among other actions financially motivated without user consent," security researcher Fernando Ruiz said. The cybersecurity firm said it identified 25 apps that come with this active thr
Source: The Hacker News
December 26, 2023 – Vulnerabilities
Ubuntu Security Updates Fixed Vim Vulnerabilities
Abstract
The vulnerabilities range from denial of service risks to arbitrary code execution possibilities. Regularly updating Vim and applying security patches is emphasized as the way to mitigate these risks.
Source: Cyware
December 26, 2023 – Malware
Carbanak Banking Malware Resurfaces with New Ransomware Tactics
Abstract
The banking malware known as Carbanak has been observed being used in ransomware attacks with updated tactics. "The malware has adapted to incorporate attack vendors and techniques to diversify its effectiveness," cybersecurity firm NCC Group said in an analysis of ransomware attacks that took place in November 2023. "Carbanak returned last month through new distribution chains and has been distributed through compromised websites to impersonate various business-related software." Some of the impersonated tools include popular business-related software such as HubSpot, Veeam, and Xero. Carbanak, detected in the wild since at least 2014, is known for its data exfiltration and remote control features. Starting off as a banking malware, it has been put to use by the FIN7 cybercrime syndicate. In the latest attack chain documented by NCC Group, the compromised websites are designed to host malicious installer files masquerading as legitimate utilities to
Source: The Hacker News
December 26, 2023 – Breach
Mobile Virtual Network Operator Mint Mobile Discloses a Data Breach
Abstract
The breach exposed customers' names, phone numbers, email addresses, SIM serial numbers, IMEI numbers, and service plan information. Importantly, financial data and passwords were not exposed in the breach.
Source: Cyware
December 26, 2023 – Business
Mend.io Acquires Cyber Startup Atom Security
Abstract
The integration of Atom Security's technology into Mend.io's product line is expected to enhance coverage and reduce the number of irrelevant findings in code vulnerabilities.
Source: Cyware
December 26, 2023 – Breach
Video Game Giant Ubisoft Investigates Reports of a Data Breach
Abstract
On December 20, an unknown threat actor had access to Ubisoft's infrastructure for 48 hours. The attackers attempted to steal user data from the game R6 Siege but were unsuccessful.
Source: Cyware
December 26, 2023 – Malware
Stealth Android Backdoor Xamalicious Found Actively Infecting Devices
Abstract
The Xamalicious backdoor, implemented with Xamarin, targets Android devices by gaining accessibility privileges and communicating with a C2 server to download a second-stage payload, potentially enabling fraudulent actions without user consent.
Source: Cyware
December 26, 2023 – Malware
Nim-based Malware Distributed Using Microsoft Word Docs Impersonating the Nepali Government
Abstract
The Nim-based backdoor communicates with command and control servers, evades analysis tools, and establishes persistence on the compromised machine through startup folders and scheduled tasks.
Source: Cyware
December 26, 2023 – Phishing
The Rising Threat of Phishing Attacks with Crypto Drainers
Abstract
The "Angel Drainer" phishing group is notorious for draining cryptocurrency wallets through sophisticated schemes, charging a percentage of the stolen amount from hackers.
Source: Cyware
December 25, 2023 – Phishing
Cloud Atlas’ Spear-Phishing Attacks Target Russian Agro and Research Companies
Abstract
The threat actor referred to as Cloud Atlas has been linked to a set of spear-phishing attacks on Russian enterprises. Targets included a Russian agro-industrial enterprise and a state-owned research company, according to a report from F.A.C.C.T., a standalone cybersecurity company formed after Group-IB's formal exit from Russia earlier this year. Cloud Atlas, active since at least 2014, is a cyber espionage group of unknown origin. Also called Clean Ursa, Inception, Oxygen, and Red October, the threat actor is known for its persistent campaigns targeting Russia, Belarus, Azerbaijan, Turkey, and Slovenia. In December 2022, Check Point and Positive Technologies detailed multi-stage attack sequences that led to the deployment of a PowerShell-based backdoor referred to as PowerShower as well as DLL payloads capable of communicating with an actor-controlled server. The starting point is a phishing message bearing a lure document that exploits CVE-2017-11882, a six-year-ol
Source: The Hacker News
December 24, 2023 – Policy and Law
British LAPSUS$ Teen Members Sentenced for High-Profile Attacks
Abstract
Two British teens part of the LAPSUS$ cyber crime and extortion gang have been sentenced for their roles in orchestrating a string of high-profile attacks against a number of companies. Arion Kurtaj, an 18-year-old from Oxford, has been sentenced to an indefinite hospital order due to his intent to get back to cybercrime "as soon as possible," BBC reported. Kurtaj, who is autistic, was deemed unfit to stand trial. Another LAPSUS$ member, a 17-year-old unnamed minor, was sentenced to an 18-month-long Youth Rehabilitation Order, including a three-month intensive supervision and surveillance requirement. He was found guilty of two counts of fraud, two Computer Misuse Act offenses, and one count of blackmail. Both defendants were initially arrested in January 2022, and then released under investigation. They were re-arrested in March 2022. While Kurtaj was later granted bail, he continued to attack various companies until he was arrested again in September. The attack sp
Source: The Hacker News
December 23, 2023 – Vulnerabilities
ESET Fixed a High-Severity Bug in the Secure Traffic Scanning Feature of Several Products
Abstract
The vulnerability was due to improper validation of server certificates, allowing browsers to trust sites with certificates signed with outdated algorithms. ESET has released security patches and is not aware of any attacks exploiting this flaw.
Source: Cyware
December 23, 2023 – Breach
Real Estate Agency Exposes Details of 690K Customers in Dubai
Abstract
The leaked data included personal information such as names, emails, phone numbers, and scanned copies of receipts, checks, contracts, and IDs, increasing the likelihood of targeted scams and unauthorized access to sensitive accounts.
Source: Cyware
December 23, 2023 – Malware
Bandook - A Persistent Threat That Keeps Evolving
Abstract
Bandook malware, a remote access trojan, has evolved with a new variant that uses a PDF file to distribute its payload and injects it into msinfo32.exe, allowing remote attackers to gain control of infected systems.
Source: Cyware
December 23, 2023 – Attack
Ukrainian Hackers Claim Attack on Popular Russian CRM Provider
Abstract
A group of Ukrainian hackers known as the IT Army claimed responsibility for disrupting the operations of Bitrix24, a Russian provider of customer relationship management (CRM) services.
Source: Cyware
December 23, 2023 – Policy and Law
Online Platform Carousell Violated Hong Kong Privacy Laws, Watchdog Finds
Abstract
The violation comes after the personal data of over 320,000 local users was discovered being sold on the dark web. Carousell reported the incident last year, attributing it to a loophole exploited by hackers in its system migration process.
Source: Cyware
December 23, 2023 – Phishing
Cyber-Espionage Group Cloud Atlas Targets Russian Companies With War-Related Phishing Attacks
Abstract
The hacker group known as Cloud Atlas has recently targeted a Russian agro-industrial enterprise and a state-owned research company in an espionage campaign. The group, believed to be state-backed, primarily attacks Russia and surrounding countries.
Source: Cyware
December 22, 2023 – Malware
Rogue WordPress Plugin Exposes E-Commerce Sites to Credit Card Theft
Abstract
Threat hunters have discovered a rogue WordPress plugin that's capable of creating bogus administrator users and injecting malicious JavaScript code to steal credit card information. The skimming activity is part of a Magecart campaign targeting e-commerce websites, according to Sucuri. "As with many other malicious or fake WordPress plugins it contains some deceptive information at the top of the file to give it a veneer of legitimacy," security researcher Ben Martin said. "In this case, comments claim the code to be 'WordPress Cache Addons.'" Malicious plugins typically find their way to WordPress sites via either a compromised admin user or the exploitation of security flaws in another plugin already installed on the site. Post installation, the plugin replicates itself to the mu-plugins (or must-use plugins) directory so that it's automatically enabled and conceals its presence from the admin panel. "Since the only way to re
Source: The Hacker News
December 22, 2023 – Malware
Operation RusticWeb: Rust-Based Malware Targets Indian Government Entities
Abstract
Indian government entities and the defense sector have been targeted by a phishing campaign that's engineered to drop Rust-based malware for intelligence gathering. The activity, first detected in October 2023, has been codenamed Operation RusticWeb by enterprise security firm SEQRITE. "New Rust-based payloads and encrypted PowerShell commands have been utilized to exfiltrate confidential documents to a web-based service engine, instead of a dedicated command-and-control (C2) server," security researcher Sathwik Ram Prakki said. Tactical overlaps have been uncovered between the cluster and those widely tracked under the monikers Transparent Tribe and SideCopy, both of which are assessed to be linked to Pakistan. SideCopy is also a suspected subordinate element within Transparent Tribe. Last month, SEQRITE detailed multiple campaigns undertaken by the threat actor targeting Indian government bodies to deliver numerous trojans such as AllaKore RAT, Ares RAT, an
Source: The Hacker News
December 22, 2023 – Phishing
Decoy Microsoft Word Documents Used to Deliver Nim-Based Malware
Abstract
A new phishing campaign is leveraging decoy Microsoft Word documents as bait to deliver a backdoor written in the Nim programming language. "Malware written in uncommon programming languages puts the security community at a disadvantage as researchers and reverse engineers' unfamiliarity can hamper their investigation," Netskope researchers Ghanashyam Satpathy and Jan Michael Alcantara said. Nim-based malware has been a rarity in the threat landscape, although that has been slowly changing in recent years as attackers continue to either develop custom tools from scratch using the language or port existing versions of their nefarious programs to it. This has been demonstrated in the case of loaders such as NimzaLoader, Nimbda, IceXLoader, as well as ransomware families tracked under the names Dark Power and Kanti. The attack chain documented by Netskope begins with a phishing email containing a Word document attachment that, when opened, urges the recipi
Source: The Hacker News
December 22, 2023
UAC-0099 Using WinRAR Exploit to Target Ukrainian Firms with LONEPAGE Malware
Abstract
The threat actor known as UAC-0099 has been linked to continued attacks aimed at Ukraine, some of which leverage a high-severity flaw in the WinRAR software to deliver a malware strain called LONEPAGE. "The threat actor targets Ukrainian employees working for companies outside of Ukraine," cybersecurity firm Deep Instinct said in a Thursday analysis. UAC-0099 was first documented by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2023, detailing its attacks against state organizations and media entities for espionage motives. The attack chains leveraged phishing messages containing HTA, RAR, and LNK file attachments that led to the deployment of LONEPAGE, a Visual Basic Script (VBS) malware that's capable of contacting a command-and-control (C2) server to retrieve additional payloads such as keyloggers, stealers, and screenshot malware. "During 2022-2023, the mentioned group received unauthorized remote access to several dozen computer
Source: The Hacker News
December 22, 2023
Microsoft Warns of New ‘FalseFont’ Backdoor Targeting the Defense Sector
Abstract
Organizations in the Defense Industrial Base (DIB) sector are in the crosshairs of an Iranian threat actor as part of a campaign designed to deliver a never-before-seen backdoor called FalseFont. The findings come from Microsoft, which is tracking the activity under its weather-themed moniker Peach Sandstorm (formerly Holmium), which is also known as APT33, Elfin, and Refined Kitten. "FalseFont is a custom backdoor with a wide range of functionalities that allow operators to remotely access an infected system, launch additional files, and send information to its [command-and-control] servers," the Microsoft Threat Intelligence team said on X (previously Twitter). The first recorded use of the implant was in early November 2023. The tech giant further said that the latest development aligns with previous activity from Peach Sandstorm and demonstrates a continued evolution of the threat actor's tradecraft. In a report published in September 2023, Microsoft linke
Source: The Hacker News
December 22, 2023
Android Banking Trojan Chameleon can Now Bypass Any Biometric Authentication
Abstract
The Chameleon banking trojan has evolved with new advanced features, including the ability to bypass biometric prompts and display HTML pages for enabling Accessibility Services on Android 13, making it a potent threat to mobile banking security.
Source: Cyware
December 21, 2023 – Vulnerabilities
Google Addressed a New Actively Exploited Chrome Zero-Day
Abstract
Google has released emergency updates to fix a zero-day vulnerability in the Chrome browser. The vulnerability, known as CVE-2023-7024, is a heap buffer overflow issue in WebRTC.
Source: Cyware
December 21, 2023 – Privacy
Experts Detail Multi-Million Dollar Licensing Model of Predator Spyware
Abstract
A new analysis of the sophisticated commercial spyware called Predator has revealed that its ability to persist between reboots is offered as an "add-on feature" and that it depends on the licensing options opted by a customer. "In 2021, Predator spyware couldn't survive a reboot on the infected Android system (it had it on iOS)," Cisco Talos researchers Mike Gentile, Asheer Malhotra, and Vitor Ventura said in a report shared with The Hacker News. "However, by April 2022, that capability was being offered to their customers." Predator is the product of a consortium called the Intellexa Alliance, which includes Cytrox (subsequently acquired by WiSpear), Nexa Technologies, and Senpai Technologies. Both Cytrox and Intellexa were added to the Entity List by the U.S. in July 2023 for "trafficking in cyber exploits used to gain access to information systems." The latest findings come more than six months after the cybersecurity vendor detai
Source: The Hacker News
December 21, 2023 – Policy and Law
Cyber Risk Strategies in Hot Seat as SEC Rules Go Live
Abstract
Companies are reassessing their incident response plans and determining the materiality of cyber incidents. The SEC aims to improve companies' preparedness to mitigate breaches and attacks.
Source: Cyware
December 21, 2023 – Malware
Chameleon Android Banking Trojan Variant Bypasses Biometric Authentication
Abstract
Cybersecurity researchers have discovered an updated version of an Android banking malware called Chameleon that has expanded its targeting to include users in the U.K. and Italy. "Representing a restructured and enhanced iteration of its predecessor, this evolved Chameleon variant excels in executing Device Takeover (DTO) using the accessibility service, all while expanding its targeted region," Dutch mobile security firm ThreatFabric said in a report shared with The Hacker News. Chameleon was previously documented by Cyble in April 2023, noting that it had been used to single out users in Australia and Poland since at least January. Like other banking malware, it's known to abuse its permissions to Android's accessibility service to harvest sensitive data and conduct overlay attacks. The rogue apps containing the earlier version were hosted on phishing pages and found to impersonate genuine institutions in the countries, such as the Australian Taxation Offic
Source: The Hacker News
December 21, 2023 – Attack
Indian Tech Giant HCL Investigating Ransomware Attack
Abstract
HCL Technologies has reported a ransomware attack on one of its projects in an isolated cloud environment. The company stated that the incident has had no impact on its overall network and that cybersecurity and data protection are top priorities.
Source: Cyware
December 21, 2023 – Malware
New JavaScript Malware Targeted 50,000+ Users at Dozens of Banks Worldwide
Abstract
A new piece of JavaScript malware has been observed attempting to steal users' online banking account credentials as part of a campaign that has targeted more than 40 financial institutions across the world. The activity cluster, which employs JavaScript web injections, is estimated to have led to at least 50,000 infected user sessions spanning North America, South America, Europe, and Japan. IBM Security Trusteer said it detected the campaign in March 2023. "Threat actors' intention with the web injection module is likely to compromise popular banking applications and, once the malware is installed, intercept the users' credentials in order to then access and likely monetize their banking information," security researcher Tal Langus said. Attack chains are characterized by the use of scripts loaded from the threat actor-controlled server ("jscdnpack[.]com"), specifically targeting a page structure that's common to several banks. It's susp
Source: The Hacker News
December 21, 2023 – Attack
Russian Water Utility Rosvodokanal Hit by Disruptive Cyberattack From Blackjack Group
Abstract
This attack was seen as retaliation for an earlier cyberattack on Kyivstar, a phone company in Ukraine, which was attributed to Russian hackers. There are suspicions that the Security Service of Ukraine (SBU) may have played a role in the attack.
Source: Cyware
December 21, 2023 – General
Cost of a Data Breach Report 2023: Insights, Mitigators and Best Practices
Abstract
John Hanley of IBM Security shares 4 key findings from the highly acclaimed annual Cost of a Data Breach Report 2023.
What is the IBM Cost of a Data Breach Report?
The IBM Cost of a Data Breach Report is an annual report that provides organizations with quantifiable information about the financial impacts of breaches. With this data, they can make data-driven decisions about how they implement security in their organization. The report is conducted by the Ponemon Institute and sponsored, analyzed, and published by IBM Security. In 2023, the 18th year the report was published, the report analyzed 553 breaches across 16 countries and 17 industries. According to Etay Maor, Senior Director of Security Strategy at Cato Networks, "We tend to talk a lot about security issues and solutions. This report puts a number behind threats and solutions and provides a lot of information to support claims of how a threat actor, a solution or a process impacts you financially."
Key Finding #1: The
Source: The Hacker News
December 21, 2023 – Solution
Subdominator: Open-Source Tool for Detecting Subdomain Takeovers
Abstract
Subdominator is a highly accurate and fast open-source tool for identifying subdomain takeovers, offering significant improvements over existing tools in terms of fingerprint accuracy and count, nested DNS support, and alternate DNS record matching.
Source: Cyware
December 21, 2023 – Criminals
German Authorities Dismantle Dark Web Hub ‘Kingdom Market’ in Global Operation
Abstract
German law enforcement has announced the disruption of a dark web platform called Kingdom Market that specialized in the sales of narcotics and malware to "tens of thousands of users." The exercise, which involved collaboration from authorities from the U.S., Switzerland, Moldova, and Ukraine, began on December 16, 2023, the Federal Criminal Police Office (BKA) said. Kingdom Market is said to have been accessible over the Tor and Invisible Internet Project (I2P) anonymization networks since at least March 2021, trafficking in illegal narcotics as well as advertising malware, criminal services, and forged documents. As many as 42,000 products have been sold via several hundred seller accounts on the English-language platform prior to its takedown, with 3,600 of them originating from Germany. Transactions on the Kingdom Market were facilitated through cryptocurrency payments in the form of Bitcoin, Litecoin, Monero, and Zcash, with the website operators receiving a 3
Source: The Hacker News
December 21, 2023 – General
AI’s Efficacy is Constrained in Cybersecurity, but Limitless in Cybercrime
Abstract
The use of AI in cybersecurity has created a cycle where both cyber professionals and cybercriminals employ AI to enhance their tools and techniques. However, there are limitations and trust issues with AI security solutions.
Source: Cyware
December 21, 2023 – Phishing
Hackers Exploiting MS Excel Vulnerability to Spread Agent Tesla Malware
Abstract
Attackers are weaponizing an old Microsoft Office vulnerability as part of phishing campaigns to distribute a strain of malware called Agent Tesla. The infection chains leverage decoy Excel documents attached to invoice-themed messages to trick potential targets into opening them, which triggers exploitation of CVE-2017-11882 (CVSS score: 7.8), a memory corruption vulnerability in Office's Equation Editor that could result in code execution with the privileges of the user. The findings, which come from Zscaler ThreatLabz, build on prior reports from Fortinet FortiGuard Labs, which detailed a similar phishing campaign that exploited the security flaw to deliver the malware. "Once a user downloads a malicious attachment and opens it, if their version of Microsoft Excel is vulnerable, the Excel file initiates communication with a malicious destination and proceeds to download additional files without requiring any further user interaction," security researcher Kaiva
Source: The Hacker News
December 21, 2023 – Phishing
Fake F5 Vulnerability ‘Update’ Delivers Data Wiper to Israeli Victims
Abstract
The attacker takes advantage of a vulnerability in F5's BIG-IP and tricks recipients into downloading a file that is supposed to be an update for the vulnerability. However, the file actually contains a wiper that wipes the F5 servers.
Source: Cyware
December 20, 2023 – General
Malware Leveraging Public Infrastructure Like GitHub on the Rise
Abstract
Public services like GitHub provide a convenient and less suspicious platform for malware authors to operate their C2 infrastructure, eliminating the need for maintaining their own servers.
Source: Cyware
December 20, 2023 – Ransomware
Remote Encryption Attacks Surge: How One Vulnerable Device Can Spell Disaster
Abstract
Ransomware groups are increasingly switching to remote encryption in their attacks, marking a new escalation in tactics adopted by financially motivated actors to ensure the success of their campaigns. "Companies can have thousands of computers connected to their network, and with remote ransomware, all it takes is one underprotected device to compromise the entire network," Mark Loman, vice president of threat research at Sophos, said. "Attackers know this, so they hunt for that one 'weak spot' — and most companies have at least one. Remote encryption is going to stay a perennial problem for defenders." Remote encryption (aka remote ransomware), as the name implies, occurs when a compromised endpoint is used to encrypt data on other devices on the same network. In October 2023, Microsoft revealed that around 60% of ransomware attacks now involve malicious remote encryption in an effort to minimize their footprint, with more than 80% of all compr
Source: The Hacker News
December 20, 2023 – Attack
Decrypting the Sidewinder Cyber Intrusion Tactics
Abstract
The Sidewinder group, a sophisticated APT group originating from South Asia, is behind a highly targeted cyber threat campaign involving a malicious Word document with an embedded macro, potentially targeting Nepalese government officials.
Source: Cyware
December 20, 2023 – Solution
Product Explained: Memcyco’s Real-Time Defense Against Website Spoofing
Abstract
Hands-On Review: Memcyco's Threat Intelligence Solution
Website impersonation, also known as brandjacking or website spoofing, has emerged as a significant threat to online businesses. Malicious actors clone legitimate websites to trick customers, leading to financial scams and data theft, causing reputation damage and financial losses for both organizations and customers.
The Growing Threat of Website Impersonation and Brandjacking
Research shows a new phishing site is created every 11 seconds in 2023. Typically, even though the company is a victim of spoofing, the customer holds them responsible for the data breach. Current market solutions rely on threat intelligence tools that search for fake sites and attempt takedowns. However, takedown processes can be time-consuming, leaving fake sites active, and the scope of attacks remains unknown during the critical window of exposure, the time between when the fake site goes up and when it is taken down. Bad actor researches a business to t
Source: The Hacker News
December 20, 2023 – Breach
Update: Israel Blames Iran for Hospital Data Breach
Abstract
Israel has identified Iran and Hezbollah as the perpetrators of a cyberattack on the Ziv Medical Center. The attack, which occurred last month, resulted in the theft of 500GB of medical data.
Source: Cyware
December 20, 2023 – Phishing
Alert: Chinese-Speaking Hackers Pose as UAE Authority in Latest Smishing Wave
Abstract
The Chinese-speaking threat actors behind Smishing Triad have been observed masquerading as the United Arab Emirates Federal Authority for Identity and Citizenship to send malicious SMS messages with the ultimate goal of gathering sensitive information from residents and foreigners in the country. "These criminals send malicious links to their victims' mobile devices through SMS or iMessage and use URL-shortening services like Bit.ly to randomize the links they send," Resecurity said in a report published this week. "This helps them protect the fake website's domain and hosting location." Smishing Triad was first documented by the cybersecurity company in September 2023, highlighting the group's use of compromised Apple iCloud accounts to send smishing messages for carrying out identity theft and financial fraud. The threat actor is also known to offer ready-to-use smishing kits for sale to other cybercriminals for $200 a month, alongside eng
Source: The Hacker News
December 20, 2023 – Criminals
Global Law Enforcement Seizes $300 Million, Arrests 3,500 Involved in Transnational Cybercrime Operation
Abstract
The operation targeted various online scams, including voice phishing, romance scams, investment fraud, and e-commerce fraud, highlighting the significant financial incentives driving the growth of organized cybercrime.
Source: Cyware
December 20, 2023 – Criminals
3,500 Arrested in Global Operation HAECHI-IV Targeting Financial Criminals
Abstract
A six-month-long international police operation codenamed HAECHI-IV has resulted in the arrests of nearly 3,500 individuals and seizures worth $300 million across 34 countries. The exercise, which took place from July through December 2023, took aim at various types of financial crimes such as voice phishing, romance scams, online sextortion, investment fraud, money laundering associated with illegal online gambling, business email compromise fraud, and e-commerce fraud. In addition, authorities froze associated bank and virtual asset service provider (VASP) accounts in an effort to shut off access to criminal proceeds. In total, authorities blocked 82,112 suspicious bank accounts, confiscating $199 million in hard currency and $101 million in virtual assets. "Cooperation between Filipino and Korean authorities led to the arrest in Manila of a high-profile online gambling criminal after a two-year manhunt by Korea's National Police Agency," Interpol, an internationa
Source: The Hacker News
December 20, 2023 – Phishing
Global Malspam Targets Hotels, Spreading Redline and Vidar Stealers
Abstract
The hospitality industry is being targeted by a sophisticated malspam campaign that uses social engineering tactics to trick hotel representatives into opening password-protected archives containing malware.
Source: Cyware
December 20, 2023 – Malware
New Go-Based JaskaGO Malware Targeting Windows and macOS Systems
Abstract
A new Go-based information stealer malware called JaskaGO has emerged as the latest cross-platform threat to infiltrate both Windows and Apple macOS systems. AT&T Alien Labs, which made the discovery, said the malware is "equipped with an extensive array of commands from its command-and-control (C&C) server." Artifacts designed for macOS were first observed in July 2023, impersonating installers for legitimate software such as CapCut. Other variants of the malware have masqueraded as AnyConnect and security tools. Upon installation, JaskaGO runs checks to determine if it is executing within a virtual machine (VM) environment, and if so, executes a harmless task like pinging Google or printing a random number in a likely effort to fly under the radar. In other scenarios, JaskaGO proceeds to harvest information from the victim system and establishes a connection to its C&C for receiving further instructions, including executing shell commands, enumerating
Source: The Hacker News
December 20, 2023 – APT
Iranian APT Group Targets Telecom Organizations in North and East Africa
Abstract
Seedworm (aka MuddyWater) continues to use a combination of living-off-the-land and publicly available tools, but has also developed its own custom tools, such as a custom build of Venom Proxy and a custom keylogger.
Source: Cyware
December 20, 2023 – Government
‘No Evidence’ of Foreign Election Interference in 2022 US Midterms, Spy Agencies Say
Abstract
The U.S. intelligence community has stated that Russia and China attempted to influence the 2022 U.S. midterms, but were unsuccessful in hacking the election infrastructure or disrupting voting.
Source: Cyware
December 20, 2023 – Criminals
Authorities Claim Seizure of Notorious ALPHV Ransomware Gang’s Dark Web Leak Site
Abstract
The FBI has released a decryption tool that has helped over 500 ALPHV ransomware victims restore their systems, saving them from paying approximately $68 million in ransom demands.
Source: Cyware
December 19, 2023 – Phishing
New Scam Involving Remote Jobs on Social Media Platforms
Abstract
Researchers at Bitdefender Labs have uncovered a new scam involving remote jobs on social media platforms. Scammers are promising payment for simply liking YouTube videos.
Source: Cyware
December 19, 2023 – Criminals
FBI Takes Down BlackCat Ransomware, Releases Free Decryption Tool
Abstract
The U.S. Justice Department (DoJ) has officially announced the disruption of the BlackCat ransomware operation and released a decryption tool that victims can use to regain access to files locked by the malware. Court documents show that the U.S. Federal Bureau of Investigation (FBI) enlisted the help of a confidential human source (CHS) to act as an affiliate for BlackCat and gain access to a web panel used for managing the gang's victims, in what's a case of hacking the hackers. BlackCat, also called ALPHV and Noberus, first emerged in December 2021 and has since gone on to be the second most prolific ransomware-as-a-service variant in the world after LockBit. It's also the first Rust-language-based ransomware strain spotted in the wild. The development puts an end to speculation about a rumored law enforcement action after its dark web leak portal went offline on December 7, only to resurface five days later with just a single victim. The FBI said it worke
Source: The Hacker News
December 19, 2023 – Government
FBI, CISA, and ACSC Release Joint Advisory on Play Ransomware
Abstract
The Play ransomware group has been targeting businesses and critical infrastructure in North America, South America, and Europe since June 2022. They use a double-extortion model, encrypting systems after exfiltrating data.
Source: Cyware
December 19, 2023 – Criminals
Behind the Scenes of Matveev’s Ransomware Empire: Tactics and Team
Abstract
Cybersecurity researchers have shed light on the inner workings of the ransomware operation led by Mikhail Pavlovich Matveev, a Russian national who was indicted by the U.S. government earlier this year for his alleged role in launching thousands of attacks across the world. Matveev, who resides in Saint Petersburg and is known by the aliases Wazawaka, m1x, Boriselcin, Uhodiransomwar, Orange, and waza, is alleged to have played a crucial part in the development and deployment of LockBit, Babuk, and Hive ransomware variants since at least June 2020. "Wazawaka and his team members prominently exhibit an insatiable greed for ransom payments, demonstrating a significant disregard for ethical values in their cyber operations," Swiss cybersecurity firm PRODAFT said in a comprehensive analysis shared with The Hacker News. "Employing tactics that involve intimidation through threats to leak sensitive files, engaging in dishonest practices, and persisting in retaining fil
Source: The Hacker News
December 19, 2023 – Attack
Ransomware Attack on Westpole Disrupted Digital Services for Italian Public Administration
Abstract
One of Westpole's customers, PA Digitale, which serves 1300 public administrations including 540 municipalities, was targeted. The incident has led to manual operations for some services and may affect salary payments.
Source: Cyware
December 19, 2023 – Hacker
Hackers Abusing GitHub to Evade Detection and Control Compromised Hosts
Abstract
Threat actors are increasingly making use of GitHub for malicious purposes through novel methods, including abusing secret Gists and issuing malicious commands via git commit messages. "Malware authors occasionally place their samples in services like Dropbox, Google Drive, OneDrive, and Discord to host second stage malware and sidestep detection tools," ReversingLabs researcher Karlo Zanki said in a report shared with The Hacker News. "But lately, we have observed the increasing use of the GitHub open-source development platform for hosting malware." Legitimate public services are known to be used by threat actors for hosting malware and acting as dead drop resolvers to fetch the actual command-and-control (C2) address. While using public sources for C2 does not make them immune to takedowns, they do offer the benefit of allowing threat actors to easily create attack infrastructure that's both inexpensive and reliable. This technique is sneaky
Source: The Hacker News
December 19, 2023 – Phishing
Novel SMTP Smuggling Technique Slips Past DMARC, Email Protections
Abstract
Attackers can exploit SMTP smuggling to send spoofed emails with fake sender addresses, bypassing email security checks and putting organizations and individuals at risk for targeted phishing attacks.
Source: Cyware
December 19, 2023 – General
Are We Ready to Give Up on Security Awareness Training?
Abstract
Some of you have already started budgeting for 2024 and allocating funds to security areas within your organization. It is safe to say that employee security awareness training is one of the expenditure items, too. However, its effectiveness is an open question, with people still engaging in insecure behaviors at the workplace. Besides, social engineering remains one of the most prevalent attack vectors, often followed by a successful data breach. Microsoft found that a popular form of video-based training reduces phish-clicking behavior by about 3%, at best. This number has been stable over the years, says Microsoft, while phishing attacks are increasing yearly. Regardless, organizations have faith in training and tend to increase their security investments in employee training after attacks. It comes second in the priority list for 51% of organizations, right after incident response planning and testing, according to the IBM Security "Cost of a Data Breach Report 2023". So, wh
Source: The Hacker News
December 19, 2023 – Government
US Agencies Release Security Guidance on Managing SBOMs and Open Source Software
Abstract
The report provides guidance on open source software adoption, including criteria for selection, risk assessment, licensing, export control, maintenance, vulnerability response, and secure software delivery.
Source: Cyware
December 19, 2023 – Attack
Iranian Hackers Using MuddyC2Go in Telecom Espionage Attacks Across Africa
Abstract
The Iranian nation-state actor known as MuddyWater has leveraged a newly discovered command-and-control (C2) framework called MuddyC2Go in its attacks on the telecommunications sector in Egypt, Sudan, and Tanzania. The Symantec Threat Hunter Team, part of Broadcom, is tracking the activity under the name Seedworm, which is also tracked under the monikers Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly Mercury), Static Kitten, TEMP.Zagros, and Yellow Nix. Active since at least 2017, MuddyWater is assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS), primarily singling out entities in the Middle East. The cyber espionage group's use of MuddyC2Go was first highlighted by Deep Instinct last month, describing it as a Golang-based replacement for PhonyC2, itself a successor to MuddyC3. However, there is evidence to suggest that it may have been employed as early as 2020. While the full extent of MuddyC2Go'
Source: The Hacker News
December 19, 2023 – Attack
Iran Hit by Major Cyberattack Targeting Nation’s Fuel Supply
Abstract
Gas stations in Iran experienced widespread disruptions due to a cyberattack claimed by the group Predatory Sparrow, which has previously targeted Iranian critical infrastructure.
Source: Cyware
December 19, 2023 – Phishing
New Malvertising Campaign Distributing PikaBot Disguised as Popular Software
Abstract
The malware loader known as PikaBot is being distributed as part of a malvertising campaign targeting users searching for legitimate software like AnyDesk. "PikaBot was previously only distributed via malspam campaigns similarly to QakBot and emerged as one of the preferred payloads for a threat actor known as TA577," Malwarebytes' Jérôme Segura said. The malware family, which first appeared in early 2023, consists of a loader and a core module that allows it to operate as a backdoor as well as a distributor for other payloads. This enables the threat actors to gain unauthorized remote access to compromised systems and transmit commands from a command-and-control (C2) server, ranging from arbitrary shellcode, DLLs, or executable files, to other malicious tools such as Cobalt Strike. One of the threat actors leveraging PikaBot in its attacks is TA577, a prolific cybercrime threat actor that has, in the past, delivered QakBot, IcedID, SystemBC, SmokeLoad
Source: The Hacker News
December 19, 2023 – Attack
Apparel Giant VF Corporation Reports Cyberattack on First Day of SEC Disclosure Rule
Abstract
VF Corporation, one of the largest apparel companies in the world, reported a cyberattack to the U.S. Securities and Exchange Commission (SEC) on the first day of a new cyber incident reporting rule.
Source: Cyware
December 18, 2023 – General
Pro-China Influence Operation Gained YouTube Following, Researchers Find
Abstract
The campaign utilizes a network of at least 30 YouTube channels and employs tactics associated with both Russian and Chinese influence operations, including the use of artificially generated voices in videos.
Source: Cyware
December 18, 2023 – Vulnerabilities
Beware: Experts Reveal New Details on Zero-Click Outlook RCE Exploits
Abstract
Technical details have emerged about two now-patched security flaws in Microsoft Windows that could be chained by threat actors to achieve remote code execution on the Outlook email service without any user interaction. "An attacker on the internet can chain the vulnerabilities together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients," Akamai security researcher Ben Barnea, who discovered the vulnerabilities, said in a two-part report shared with The Hacker News. The security issues, which were addressed by Microsoft in August and October 2023, respectively, are listed below:
- CVE-2023-35384 (CVSS score: 5.4) - Windows HTML Platforms Security Feature Bypass Vulnerability
- CVE-2023-36710 (CVSS score: 7.8) - Windows Media Foundation Core Remote Code Execution Vulnerability
CVE-2023-35384 has been described by Akamai as a bypass for a critical security flaw that Microsoft patched in March 2023. Tracked as CVE-2023-23397 (C
Source: The Hacker News
December 18, 2023 – Government
UK National Grid Pulls Chinese Equipment Over Cybersecurity Concerns
Abstract
The contract with NR Electric UK, a subsidiary of China's Nari Technology, was terminated without reason given in April, highlighting growing concerns over Chinese involvement in critical infrastructure.
Source: Cyware
December 18, 2023 – General
Top 7 Trends Shaping SaaS Security in 2024
Abstract
Over the past few years, SaaS has developed into the backbone of corporate IT. Service businesses, such as medical practices, law firms, and financial services firms, are almost entirely SaaS based. Non-service businesses, including manufacturers and retailers, have about 70% of their software in the cloud. These applications contain a wealth of data, from minimally sensitive general corporate information to highly sensitive intellectual property, customer records, and employee data. Threat actors have noted this shift, and are actively working to breach apps to access the data. Here are the top trends influencing the state of SaaS Security for 2024 — and what you can do about it.
Democratization of SaaS
SaaS apps have transformed the way organizations purchase and use software. Business units purchase and onboard the SaaS tools that best fit their needs. While this is empowering for business units that have long been frustrated by delays in procuring and onboarding software, i
Source: The Hacker News
December 18, 2023 – Insider Threat
Ubiquiti Fixes Glitch That Exposed Private Video Streams to Other Customers
Abstract
The bug was caused by a misconfiguration during an upgrade to Ubiquiti's cloud infrastructure, resulting in 1,216 accounts being improperly associated with another group of 1,177 accounts.
Source: Cyware
December 18, 2023 – Malware
Rhadamanthys Malware: Swiss Army Knife of Information Stealers Emerges
Abstract
The developers of the information stealer malware known as Rhadamanthys are actively iterating on its features, broadening its information-gathering capabilities and also incorporating a plugin system to make it more customizable. This approach not only transforms it into a threat capable of delivering "specific distributor needs," but also makes it more potent, Check Point said in a technical deep dive published last week. Rhadamanthys, first documented by ThreatMon in October 2022, has been sold under the malware-as-a-service (MaaS) model as early as September 2022 by an actor under the alias "kingcrete2022." Typically distributed through malicious websites mirroring those of genuine software that are advertised through Google ads, the malware is capable of harvesting a wide range of sensitive information from compromised hosts, including from web browsers, crypto wallets, email clients, VPN, and instant messaging apps. "Rhadamanthys represents a s
Source: The Hacker News
December 18, 2023 – Botnet
InfectedSlurs Botnet Targets QNAP VioStor NVR Vulnerability
Abstract
Default admin credentials and outdated, unsupported networked systems are being exploited as routes for botnet infections, highlighting the importance of updating and securing legacy systems.
Source: Cyware
December 18, 2023 – Policy and Law
Four U.S. Nationals Charged in $80 Million Pig Butchering Crypto Scam
Abstract
Four U.S. nationals have been charged for participating in an illicit scheme that earned them more than $80 million via cryptocurrency investment scams. The defendants – Lu Zhang, 36, of Alhambra, California; Justin Walker, 31, of Cypress, California; Joseph Wong, 32, of Rosemead, California; and Hailong Zhu, 40, of Naperville, Illinois – have been charged with conspiracy to commit money laundering, concealment money laundering, and international money laundering. The U.S. Department of Justice (DoJ), which announced the arrests of both Zhang and Walker in connection with the fraudulent operation, said the quartet opened shell companies and bank accounts to carry out pig butchering scams, transferring the ill-gotten funds to domestic and international financial entities. If convicted, Zhang and Walker face a maximum penalty of 20 years in prison. Their alleged co-conspirators remain at large. "The overall fraud scheme in the related pig-butchering syndicate involved at least 284
Source: The Hacker News
December 18, 2023 – Policy and Law
NY Engineer Pleads Guilty to Stealing Millions From Two Crypto Exchanges
Abstract
A former security engineer has pleaded guilty to hacking two decentralized cryptocurrency exchanges, resulting in the theft of over $12 million. The hacker exploited vulnerabilities in the smart contracts of the exchanges.
Source: Cyware
December 18, 2023 – General
Unmasking the Dark Side of Low-Code/No-Code Applications
Abstract
Low-code/no-code (LCNC) and robotic process automation (RPA) have gained immense popularity, but how secure are they? Is your security team paying enough attention in an era of rapid digital transformation, where business users are empowered to create applications swiftly using platforms like Microsoft PowerApps, UiPath, ServiceNow, Mendix, and OutSystems? The simple truth is often swept under the rug. While low-code/no-code (LCNC) apps and robotic process automations (RPA) drive efficiency and agility, their dark security side demands scrutiny. LCNC application security emerges as a relatively new frontier, and even seasoned security practitioners and security teams grapple with the dynamic nature and sheer volume of citizen-developed applications. The accelerated pace of LCNC development poses a unique challenge for security professionals, underscoring the need for dedicated efforts and solutions to effectively address the security nuances of low-code development environments. Dig
Source: The Hacker News
December 18, 2023 – Education
Fortifying Cyber Defenses: A Proactive Approach to Ransomware Resilience
Abstract
Investing in cutting-edge cybersecurity tools not only enhances defensive capabilities but also stimulates innovation and fosters public-private partnerships to strengthen the nation's cyber defenses.
Source: Cyware
December 18, 2023 – Malware
QakBot Malware Resurfaces with New Tactics, Targeting the Hospitality Industry
Abstract
A new wave of phishing messages distributing the QakBot malware has been observed, more than three months after a law enforcement effort saw its infrastructure dismantled by infiltrating its command-and-control (C2) network. Microsoft, which made the discovery, described it as a low-volume campaign that began on December 11, 2023, and targeted the hospitality industry. "Targets received a PDF from a user masquerading as an IRS employee," the tech giant said in a series of posts shared on X (formerly Twitter). "The PDF contained a URL that downloads a digitally signed Windows Installer (.msi). Executing the MSI led to Qakbot being invoked using export 'hvsi' execution of an embedded DLL." Microsoft said that the payload was generated the same day the campaign started and that it's configured with the previously unseen version 0x500. Zscaler ThreatLabz, in a post shared on X, described the resurfaced QakBot as a 64-bit binary that utilizes AES
Source: The Hacker News
December 17, 2023 – Breach
MongoDB Suffers Security Breach, Exposing Customer Data Full Text
Abstract
MongoDB on Saturday disclosed it's actively investigating a security incident that has led to unauthorized access to "certain" corporate systems, resulting in the exposure of customer account metadata and contact information. The American database software company said it first detected anomalous activity on December 13, 2023, and that it immediately activated its incident response efforts. It further noted that "this unauthorized access has been going on for some period of time before discovery," but emphasized it's not "aware of any exposure to the data that customers store in MongoDB Atlas." It did not disclose the exact time period of the compromise. In light of the breach, MongoDB recommends that all customers be on the lookout for social engineering and phishing attacks, enforce phishing-resistant multi-factor authentication (MFA), as well as rotate their MongoDB Atlas passwords. That's not all. The company said it's also expeThe Hacker News
December 16, 2023 – Outage
Central Bank of Lesotho Facing Outages After Cyberattack Full Text
Abstract
The ongoing downtime of the National Payments System has made it impossible for local banks in Lesotho to honor inter-bank transactions, requiring alternative measures to facilitate payments.Cyware
December 16, 2023 – Outage
Ontario Public Library Shuts Down Most Services Due to Cyberattack Full Text
Abstract
The attack on the library, along with recent ransomware incidents at other major libraries, underscores the need for improved cybersecurity measures and data protection in the library sector.Cyware
December 16, 2023 – Government
China’s MIIT Introduces Color-Coded Action Plan for Data Security Incidents Full Text
Abstract
China's Ministry of Industry and Information Technology (MIIT) on Friday unveiled draft proposals detailing its plans to tackle data security events in the country using a color-coded system. The effort is designed to "improve the comprehensive response capacity for data security incidents, to ensure timely and effective control, mitigation and elimination of hazards and losses caused by data security incidents, to protect the lawful rights and interests of individuals and organizations, and to safeguard national security and public interests," the department said. The 25-page document encompasses all incidents in which data has been illegally accessed, leaked, destroyed, or tampered with, categorizing them into four hierarchical tiers based on the scope and the degree of harm caused - Red: Level I ("especially significant"), which applies to widespread shutdowns, substantial loss of business processing capability, interruptions arising due to serious anomalieThe Hacker News
December 16, 2023 – Phishing
PikaBot Distributed via Malicious Search Ads Full Text
Abstract
Threat actors are bypassing Google's security measures and using fingerprinting techniques to ensure successful execution of malicious downloads, pointing to a potential "malvertising as a service" model.Cyware
December 16, 2023 – Hacker
Microsoft Warns of Storm-0539: The Rising Threat Behind Holiday Gift Card Frauds Full Text
Abstract
Microsoft is warning of an uptick in malicious activity from an emerging threat cluster it's tracking as Storm-0539 for orchestrating gift card fraud and theft via highly sophisticated email and SMS phishing attacks against retail entities during the holiday shopping season. The goal of the attacks is to propagate booby-trapped links that direct victims to adversary-in-the-middle (AiTM) phishing pages that are capable of harvesting their credentials and session tokens. "After gaining access to an initial session and token, Storm-0539 registers their own device for subsequent secondary authentication prompts, bypassing MFA protections and persisting in the environment using the fully compromised identity," the tech giant said in a series of posts on X (formerly Twitter). The foothold obtained in this manner further acts as a conduit for escalating privileges, moving laterally across the network, and accessing cloud resources in order to grab sensitive information,The Hacker News
December 15, 2023 – Criminals
Researchers Detect Undocumented 8220 Gang Activities Full Text
Abstract
The 8220 gang, a Chinese-origin threat actor, continues to target Windows and Linux web servers with cryptojacking malware using evolving tactics and known vulnerabilities.Cyware
December 15, 2023 – Botnet
New KV-Botnet Targeting Cisco, DrayTek, and Fortinet Devices for Stealthy Attacks Full Text
Abstract
A new botnet consisting of firewalls and routers from Cisco, DrayTek, Fortinet, and NETGEAR is being used as a covert data transfer network for advanced persistent threat actors, including the China-linked threat actor called Volt Typhoon. Dubbed KV-botnet by the Black Lotus Labs team at Lumen Technologies, the malicious network is an amalgamation of two complementary activity clusters that have been active since at least February 2022. "The campaign infects devices at the edge of networks, a segment that has emerged as a soft spot in the defensive array of many enterprises, compounded by the shift to remote work in recent years," the company said. The two clusters – codenamed KY and JDY – are said to be distinct yet working in tandem to facilitate access to high-profile victims as well as establish covert infrastructure. Telemetry data suggests that the botnet is commandeered from IP addresses based in China. While the bots that are part of JDY engage in broader scanningThe Hacker News
December 15, 2023 – Criminals
ALPHV Ransomware Gang Returns, Sorta Full Text
Abstract
The ALPHV ransomware gang is facing technical difficulties, with their leak site showing only one victim and negotiation links not working, potentially leaving them without payment.Cyware
December 15, 2023 – Breach
Crypto Hardware Wallet Ledger’s Supply Chain Breach Results in $600,000 Theft Full Text
Abstract
Crypto hardware wallet maker Ledger published a new version of its "@ledgerhq/connect-kit" npm module after unidentified threat actors pushed malicious code that led to the theft of more than $600,000 in virtual assets. The compromise was the result of a former employee falling victim to a phishing attack, the company said in a statement. This allowed the attackers to gain access to Ledger's npm account and upload three malicious versions of the module – 1.1.5, 1.1.6, and 1.1.7 – and propagate crypto drainer malware to other applications that depend on the module, resulting in a software supply chain breach. "The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet," Ledger said. Connect Kit, as the name implies, makes it possible to connect DApps (short for decentralized applications) to Ledger's hardware wallets. According to security firm Sonatype, version 1.1.7 directly embedded a wallet-draining paThe Hacker News
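The first thing a team that consumes this module needs to know is whether one of the three malicious versions was ever resolved into its build. The script below is an added example (not Ledger's, npm's or Sonatype's code) that walks an npm lockfile and reports every direct or transitive hit against the version list the article gives; the two lockfiles at the bottom are constructed for the example.

```python
"""Check an npm package-lock.json for known-bad package versions.

Added example for the Ledger Connect Kit incident described above; it is not
Ledger's or npm's code. The only advisory data it carries is the one on the
page: @ledgerhq/connect-kit 1.1.5, 1.1.6 and 1.1.7. The two lockfiles at the
bottom are constructed for the example.
"""
import json

# (name, version) pairs the article identifies as malicious.
COMPROMISED = {
    ("@ledgerhq/connect-kit", "1.1.5"),
    ("@ledgerhq/connect-kit", "1.1.6"),
    ("@ledgerhq/connect-kit", "1.1.7"),
}


def _walk_v1(deps, path, out):
    """Recurse through a lockfileVersion 1 'dependencies' tree."""
    for name, info in (deps or {}).items():
        out.append((name, info.get("version"), path + [name]))
        _walk_v1(info.get("dependencies"), path + [name], out)


def installed_packages(lock):
    """Return [(name, version, path_components)] for every package in a lockfile.

    lockfileVersion 2/3 lists every installed package under 'packages', keyed
    by its node_modules path; lockfileVersion 1 nests them under 'dependencies'.
    """
    found = []
    packages = lock.get("packages")
    if packages is not None:
        for key, info in packages.items():
            if key == "":  # the root project itself
                continue
            # "node_modules/a/node_modules/@scope/b" -> name "@scope/b"
            name = key.split("node_modules/")[-1]
            path = [p for p in key.split("/") if p != "node_modules"]
            found.append((name, info.get("version"), path))
    else:
        _walk_v1(lock.get("dependencies"), [], found)
    return found


def find_compromised(lock_text, advisories=COMPROMISED):
    """Return sorted (name, version, dependency path) hits, direct or transitive."""
    lock = json.loads(lock_text)
    return sorted(
        (name, version, "/".join(path))
        for name, version, path in installed_packages(lock)
        if (name, version) in advisories
    )


# Constructed lockfiles: a v3 file with the bad version as a direct dependency
# and an older, clean version nested under another package, and a v1 file
# where the bad version is reachable only transitively.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "example-dapp",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-dapp",
             "dependencies": {"@ledgerhq/connect-kit": "^1.1.0"}},
        "node_modules/@ledgerhq/connect-kit": {"version": "1.1.7"},
        "node_modules/wallet-helper": {"version": "2.0.0"},
        "node_modules/wallet-helper/node_modules/@ledgerhq/connect-kit": {"version": "1.1.4"},
    },
})

SAMPLE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "wallet-helper": {
            "version": "2.0.0",
            "dependencies": {"@ledgerhq/connect-kit": {"version": "1.1.5"}},
        }
    },
})

if __name__ == "__main__":
    for text in (SAMPLE_LOCK_V3, SAMPLE_LOCK_V1):
        for name, version, where in find_compromised(text):
            print(f"{name}@{version} installed at {where}")
```

A lockfile only records what was resolved at install time, so treat a clean result as one input: rebuild node_modules from the cleaned lockfile afterwards and check what the deployed bundle actually loads at run time, since a dependency that fetches code from a CDN will never appear here.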
December 15, 2023 – Breach
Data of Over a Million Users of the Crypto Exchange GokuMarket Exposed Full Text
Abstract
The centralized crypto exchange GokuMarket, owned by ByteX, left an open instance, exposing sensitive user data, including IP addresses, email addresses, encrypted passwords, and crypto wallet addresses.Cyware
December 15, 2023 – General
Bug or Feature? Hidden Web Application Vulnerabilities Uncovered Full Text
Abstract
Web Application Security consists of a myriad of security controls that ensure that a web application: functions as expected; cannot be exploited to operate out of bounds; and cannot initiate operations that it is not supposed to do. Web applications have become ubiquitous since the expansion of Web 2.0, with social media platforms, e-commerce websites, and email clients saturating the internet in recent years. As the applications consume and store even more sensitive and comprehensive data, they become an ever more appealing target for attackers. Common Attack Methods The three most common vulnerabilities that exist in this space are Injections (SQL, Remote Code), Cryptographic Failures (previously Sensitive Data Exposure), and Broken Access Control (BAC). Today, we will focus on Injections and Broken Access Control. Injections SQL databases are the most common database software in use, and host a plethora of payment data, PII data, and internal business records. A SQThe Hacker News
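The two flaw classes the article singles out, SQL injection and broken access control, are easiest to recognise side by side. The following is an added example (not code from the article) using an in-memory SQLite database with a constructed users and invoices table: each vulnerable function is written the way the bug usually appears in real code, and the fixed version beside it shows the control that closes the hole.

```python
"""Injection and Broken Access Control, vulnerable and fixed, side by side.

Added example for the article above; not the article's code. The database is
an in-memory SQLite instance with constructed rows. Passwords are stored in
plaintext only to keep the example short; never do that in real code.
"""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        CREATE TABLE invoices(id INTEGER PRIMARY KEY, owner_id INTEGER, amount REAL);
        INSERT INTO users VALUES (1, 'alice', 'hunter2'), (2, 'bob', 'letmein');
        INSERT INTO invoices VALUES (10, 1, 120.0), (11, 2, 9999.0);
    """)
    return db


# --- Injection ---------------------------------------------------------------
def login_vulnerable(db, name, password):
    # String formatting: the caller's input becomes part of the SQL text, so a
    # name such as  alice' --  comments out the password check entirely.
    sql = f"SELECT id FROM users WHERE name = '{name}' AND password = '{password}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(db, name, password):
    # Parameterized query: values travel separately from the statement, so a
    # quote or SQL keyword inside the input is only ever compared as data.
    row = db.execute(
        "SELECT id FROM users WHERE name = ? AND password = ?", (name, password)
    ).fetchone()
    return row[0] if row else None


# --- Broken Access Control ---------------------------------------------------
def get_invoice_vulnerable(db, current_user_id, invoice_id):
    # The caller is authenticated, but nothing checks that the invoice is
    # theirs: any user can read any invoice by changing the id.
    return db.execute(
        "SELECT id, owner_id, amount FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def get_invoice_fixed(db, current_user_id, invoice_id):
    # Authorization is part of the lookup: from this caller's point of view a
    # foreign invoice does not exist, and the failure is explicit.
    row = db.execute(
        "SELECT id, owner_id, amount FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, current_user_id),
    ).fetchone()
    if row is None:
        raise PermissionError(f"user {current_user_id} may not read invoice {invoice_id}")
    return row


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login as alice with no password:", login_vulnerable(db, "alice' --", "x"))
    print("fixed login, same payload:", login_fixed(db, "alice' --", "x"))
    print("vulnerable read of bob's invoice as alice:", get_invoice_vulnerable(db, 1, 11))
    try:
        get_invoice_fixed(db, 1, 11)
    except PermissionError as exc:
        print("fixed read refused:", exc)
```

The access-control fix deliberately puts the ownership condition in the query rather than checking it in Python after the fetch: a single statement cannot be bypassed by a code path that forgets the check, and it returns nothing rather than leaking that the record exists.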
December 15, 2023 – Criminals
BianLian, White Rabbit, and Mario Ransomware Gangs Spotted in a Joint Extortion Campaign Full Text
Abstract
The ransomware gangs utilized a "password spraying" attack and compromised email accounts through Business Email Compromise (BEC) to anonymously deliver ransom payment demands and complicate investigations.Cyware
December 15, 2023 – Vulnerabilities
New Security Vulnerabilities Uncovered in pfSense Firewall Software - Patch Now Full Text
Abstract
Multiple security vulnerabilities have been discovered in the open-source Netgate pfSense firewall solution that could be chained by an attacker to execute arbitrary commands on susceptible appliances. The issues relate to two reflected cross-site scripting (XSS) bugs and one command injection flaw, according to new findings from Sonar. "Security inside a local network is often more lax as network administrators trust their firewalls to protect them from remote attacks," security researcher Oskar Zeino-Mahmalat said. "Potential attackers could have used the discovered vulnerabilities to spy on traffic or attack services inside the local network." Impacting pfSense CE 2.7.0 and below and pfSense Plus 23.05.1 and below, the shortcomings could be weaponized by tricking an authenticated pfSense user (i.e., an admin user) into clicking on a specially crafted URL, which contains an XSS payload that activates command injection. A brief descriptionThe Hacker News
December 15, 2023 – Attack
Kraft Heinz Reviewing Claims of Cyberattack but Internal Systems ‘Operating Normally’ Full Text
Abstract
Kraft Heinz is investigating claims of a data breach by the Snatch ransomware gang, but currently sees no evidence of a broader attack or adverse effects on its internal systems.Cyware
December 15, 2023 – Privacy
Google’s New Tracking Protection in Chrome Blocks Third-Party Cookies Full Text
Abstract
Google on Thursday announced that it will start testing a new feature called "Tracking Protection" starting January 4, 2024, to 1% of Chrome users as part of its efforts to deprecate third-party cookies in the web browser. The setting is designed to limit "cross-site tracking by restricting website access to third-party cookies by default," Anthony Chavez, vice president of Privacy Sandbox at Google, said. The tech giant noted that participants for Tracking Protection will be selected at random and that chosen users will be notified upon opening Chrome on either a desktop or an Android device. The goal is to restrict third-party cookies (also called "non-essential cookies") by default, preventing them from being used to track users as they move from one website to the other for serving personalized ads. While several major browsers like Apple Safari and Mozilla Firefox have either already placed restrictions on third-party cookies via features lThe Hacker News
December 15, 2023 – Malware
New NKAbuse Malware Exploits NKN Blockchain Tech for DDoS Attacks Full Text
Abstract
A novel multi-platform threat called NKAbuse has been discovered using a decentralized, peer-to-peer network connectivity protocol known as NKN (short for New Kind of Network) as a communications channel. "The malware utilizes NKN technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities," Russian cybersecurity company Kaspersky said in a Thursday report. NKN, which has over 62,000 nodes, is described as a "software overlay network built on top of today's Internet that enables users to share unused bandwidth and earn token rewards." It incorporates a blockchain layer on top of the existing TCP/IP stack. While threat actors are known to take advantage of emerging communication protocols for command-and-control (C2) purposes and evade detection, NKAbuse leverages blockchain technology to conduct distributed denial-of-service (DDoS) attacks and function as an implant inside comThe Hacker News
December 14, 2023 – General
Saudi Cyber Students Team with Bahrain to Assess AI Security & Risk Full Text
Abstract
Saudi Arabian students specializing in AI and cybersecurity are participating in workshops to enhance their capabilities in identifying and assessing potential risks of large language models (LLMs) across different platforms.Cyware
December 14, 2023 – Malware
116 Malware Packages Found on PyPI Repository Infecting Windows and Linux Systems Full Text
Abstract
Cybersecurity researchers have identified a set of 116 malicious packages on the Python Package Index (PyPI) repository that are designed to infect Windows and Linux systems with a custom backdoor. "In some cases, the final payload is a variant of the infamous W4SP Stealer, or a simple clipboard monitor to steal cryptocurrency, or both," ESET researchers Marc-Etienne M.Léveillé and Rene Holt said in a report published earlier this week. The packages are estimated to have been downloaded over 10,000 times since May 2023. The threat actors behind the activity have been observed using three techniques to bundle malicious code into Python packages, namely via a test.py script, embedding PowerShell in setup.py file, and incorporating it in obfuscated form in the __init__.py file. Irrespective of the method used, the end goal of the campaign is to compromise the targeted host with malware, primarily a backdoor capable of remote command execution, data exfiltration, anThe Hacker News
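The three bundling techniques ESET lists are each visible in source before anything is installed, which makes them a reasonable target for a pre-install check. The scanner below is an added example, not ESET's tooling: the indicators (a PowerShell invocation in setup.py, a test.py that runs code or commands, an exec of base64 material in __init__.py) are this editor's reading of what those techniques look like in a package, and the sample package it writes is constructed with an inert placeholder payload. A hit is a reason to open the file, not proof of malice.

```python
"""Heuristic scan of a Python package for the three bundling techniques the
ESET report describes: code run from a test.py, PowerShell embedded in
setup.py, and obfuscated code executed from __init__.py.

Added example; this is not ESET's tooling and the indicators are the
editor's guess at what those techniques look like in source. The package
written by build_sample() is constructed (its "payload" is an inert comment)
and a hit is a reason to read the file, not proof of malice.
"""
import ast
import base64
import re
import tempfile
from pathlib import Path

POWERSHELL_RE = re.compile(r"powershell(\.exe)?\b|-EncodedCommand|\bIEX\b", re.IGNORECASE)
LONG_B64_RE = re.compile(r"[A-Za-z0-9+/=]{200,}")   # a long base64-looking literal
EXEC_CALLS = {"exec", "eval", "system", "Popen", "run", "call", "check_output"}


def _called_names(tree):
    """Yield the bare name of every call target: exec(...), os.system(...), ..."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name):
                yield func.id
            elif isinstance(func, ast.Attribute):
                yield func.attr


def scan_package(root):
    """Return sorted (relative path, finding) pairs for every .py under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.py"):
        rel = str(path.relative_to(root))
        src = path.read_text(errors="replace")
        try:
            calls = set(_called_names(ast.parse(src)))
        except SyntaxError:
            findings.append((rel, "source does not parse"))
            continue
        if path.name == "setup.py" and POWERSHELL_RE.search(src):
            findings.append((rel, "PowerShell invoked from setup.py"))
        if path.name == "test.py" and calls & EXEC_CALLS:
            findings.append((rel, "test.py executes code or commands"))
        if path.name == "__init__.py" and calls & {"exec", "eval"} and (
            "b64decode" in calls or LONG_B64_RE.search(src)
        ):
            findings.append((rel, "obfuscated exec in __init__.py"))
    return sorted(findings)


def build_sample(tmpdir):
    """Write a constructed package that trips all three heuristics (never run it)."""
    pkg = Path(tmpdir) / "sample_pkg"
    pkg.mkdir(parents=True, exist_ok=True)
    blob = base64.b64encode(b"# inert placeholder, never executed\n" + b"#" * 300).decode()
    (pkg / "setup.py").write_text(
        'import subprocess\n'
        'subprocess.Popen(["powershell.exe", "-EncodedCommand", "QQBBAA=="])\n'
        'from setuptools import setup\nsetup(name="sample_pkg")\n'
    )
    (pkg / "__init__.py").write_text(f'import base64\nexec(base64.b64decode("{blob}"))\n')
    (pkg / "test.py").write_text('import os\nos.system("echo hi")\n')
    (pkg / "clean.py").write_text("def add(a, b):\n    return a + b\n")
    return pkg


def scan_sample():
    """Build the constructed package in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_package(build_sample(tmp))


if __name__ == "__main__":
    for rel, finding in scan_sample():
        print(f"{rel}: {finding}")
```

Run it against an unpacked sdist or wheel before `pip install`, not after: setup.py code executes during installation, which is exactly the moment the second technique relies on.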
December 14, 2023 – Attack
Sony Investigating Potential Ransomware Attack on Insomniac Games Unit Full Text
Abstract
Sony's subsidiary, Insomniac Games, is currently investigating a reported ransomware attack by the Rhysida gang, which has targeted various government institutions and healthcare organizations in the past.Cyware
December 14, 2023 – Malware
New Pierogi++ Malware by Gaza Cyber Gang Targeting Palestinian Entities Full Text
Abstract
A pro-Hamas threat actor known as Gaza Cyber Gang is targeting Palestinian entities using an updated version of a backdoor dubbed Pierogi. The findings come from SentinelOne, which has given the malware the name Pierogi++ owing to the fact that it's implemented in the C++ programming language unlike its Delphi- and Pascal-based predecessor. "Recent Gaza Cybergang activities show consistent targeting of Palestinian entities, with no observed significant changes in dynamics since the start of the Israel-Hamas war," security researcher Aleksandar Milenkoski said in a report shared with The Hacker News. Gaza Cyber Gang, believed to be active since at least 2012, has a history of striking targets throughout the Middle East, particularly Israel and Palestine, often leveraging spear-phishing as a method of initial access. Some of the notable malware families in its arsenal include BarbWire, DropBook, LastConn, Molerat Loader, Micropsia, NimbleMamba, SharpStThe Hacker News
December 14, 2023 – Solution
ThreatNG Open-Source Datasets Aim to Improve Cybersecurity Practices Full Text
Abstract
The ThreatNG Governance and Compliance Dataset is an open-source initiative that aims to provide access to critical cybersecurity data, promoting transparency and collaboration.Cyware
December 14, 2023 – APT
Iranian State-Sponsored OilRig Group Deploys 3 New Malware Downloaders Full Text
Abstract
The Iranian state-sponsored threat actor known as OilRig deployed three different downloader malware throughout 2022 to maintain persistent access to victim organizations located in Israel. The three new downloaders have been named ODAgent, OilCheck, and OilBooster by Slovak cybersecurity company ESET. The attacks also involved the use of an updated version of a known OilRig downloader dubbed SampleCheck5000 (or SC5k). "These lightweight downloaders [...] are notable for using one of several legitimate cloud service APIs for [command-and-control] communication and data exfiltration: the Microsoft Graph OneDrive or Outlook APIs, and the Microsoft Office Exchange Web Services (EWS) API," security researchers Zuzana Hromcová and Adam Burgher said in a report shared with The Hacker News. By using well-known cloud service providers for command-and-control communication, the goal is to blend with authentic network traffic and cover up the group's attack infrastructureThe Hacker News
December 14, 2023 – Attack
District Court in Switzerland ‘Victim of a Cyber Attack’ Full Text
Abstract
This incident follows a similar ransomware attack on the municipal administration of Zollikofen in November, highlighting the growing threat of ransomware attacks targeting Swiss organizations.Cyware
December 14, 2023 – Education
Reimagining Network Pentesting With Automation Full Text
Abstract
Network penetration testing plays a crucial role in protecting businesses in the ever-evolving world of cybersecurity. Yet, business leaders and IT pros have misconceptions about this process, which impacts their security posture and decision-making. This blog acts as a quick guide on network penetration testing, explaining what it is, debunking common myths and reimagining its role in today's security landscape. What is network penetration testing? Network penetration testing is a proactive approach to cybersecurity in which security experts simulate cyberattacks to identify gaps in an organization's cyberdefense. The key objective of this process is to identify and rectify weaknesses before hackers can exploit them. This process is sometimes called "pentesting" or "ethical hacking." Network pentesting checks for chinks in an organization's armor to help mitigate cyber-risks and protect against data, financial and reputational losses. DiffereThe Hacker News
December 14, 2023 – Business
Check Point Software in SEC Settlement Talks in Connection With SolarWinds Probe Full Text
Abstract
Check Point Software Technologies has cooperated with the SEC inquiry into the SolarWinds Orion cyber vulnerability, voluntarily providing documents and information about its limited testing environment access.Cyware
December 14, 2023 – APT
Russian SVR-Linked APT29 Targets JetBrains TeamCity Servers in Ongoing Attacks Full Text
Abstract
Threat actors affiliated with the Russian Foreign Intelligence Service (SVR) have targeted unpatched JetBrains TeamCity servers in widespread attacks since September 2023. The activity has been tied to a nation-state group known as APT29, which is also tracked as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes. It's notable for the supply chain attack targeting SolarWinds and its customers in 2020. "The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments," cybersecurity agencies from Poland, the U.K., and the U.S. said. The vulnerability in question is CVE-2023-42793 (CVSS score: 9.8), a critical security flaw that could be weaponized by unauthenticated attackers to achieve remote code execution on affecThe Hacker News
December 14, 2023 – APT
China-Linked APT Volt Typhoon Linked to KV-Botnet Attacks Full Text
Abstract
Volt Typhoon utilizes living-off-the-land techniques and hands-on-keyboard activity to evade detection, routing malicious traffic through compromised SOHO network devices and relying on customized versions of open-source tools for communication.Cyware
December 14, 2023 – Attack
New Hacker Group ‘GambleForce’ Targeting APAC Firms Using SQL Injection Attacks Full Text
Abstract
A previously unknown hacker outfit called GambleForce has been attributed to a series of SQL injection attacks against companies primarily in the Asia-Pacific (APAC) region since at least September 2023. "GambleForce uses a set of basic yet very effective techniques, including SQL injections and the exploitation of vulnerable website content management systems (CMS) to steal sensitive information, such as user credentials," Singapore-headquartered Group-IB said in a report shared with The Hacker News. The group is estimated to have targeted 24 organizations in the gambling, government, retail, and travel sectors across Australia, Brazil, China, India, Indonesia, the Philippines, South Korea, and Thailand. Six of these attacks were successful. The modus operandi of GambleForce is its exclusive reliance on open-source tools like dirsearch, sqlmap, tinyproxy, and redis-rogue-getshell at different stages of the attacks with the ultimate goal of exfiltrating sensitive infThe Hacker News
December 14, 2023 – Attack
Red Roof Hotels Claims Cybersecurity Incident Did Not Involve Guest Data Full Text
Abstract
Hotel company Red Roof experienced a ransomware attack in September, but fortunately, no guest data was compromised. The attack was detected when suspicious activity was noticed, leading to the discovery of ransomware.Cyware
December 13, 2023 – Business
Zero Networks Raises $20 Million Series B to Prevent Attackers From Spreading in Corporate Networks Full Text
Abstract
The funding round was led by U.S. Venture Partners (USVP), and included strategic investor Dmitri Alperovitch, co-founder and former CTO of CrowdStrike, as well as existing investors Venrock, CyberArk, F2 Capital, and Pico Venture Partners.Cyware
December 13, 2023 – Phishing
BazaCall Phishing Scammers Now Leveraging Google Forms for Deception Full Text
Abstract
The threat actors behind the BazaCall callback phishing attacks have been observed leveraging Google Forms to lend the scheme a veneer of credibility. The method is an "attempt to elevate the perceived authenticity of the initial malicious emails," cybersecurity firm Abnormal Security said in a report published today. BazaCall (aka BazarCall), which was first observed in 2020, refers to a series of phishing attacks in which email messages impersonating legitimate subscription notices are sent to targets, urging them to contact a support desk to dispute or cancel the plan, or risk getting charged anywhere between $50 and $500. By inducing a false sense of urgency, the attacker convinces the target over a phone call to grant them remote access using remote desktop software and ultimately establishes persistence on the host under the guise of offering help to cancel the supposed subscription. Some of the popular services that are impersonated include NetflThe Hacker News
December 13, 2023 – Criminals
New Underground Market Comes Online Just in Time for the Holidays Full Text
Abstract
The OLVX marketplace operates on the clear web and has gained popularity in recent months. It offers various products and services, including phish kits, remote desktop connections, cPanel credentials, webshells, and stolen data.Cyware
December 13, 2023 – Solution
Google Using Clang Sanitizers to Protect Android Against Cellular Baseband Vulnerabilities Full Text
Abstract
Google is highlighting the role played by Clang sanitizers in hardening the security of the cellular baseband in the Android operating system and preventing specific kinds of vulnerabilities. This comprises Integer Overflow Sanitizer (IntSan) and BoundsSanitizer (BoundSan), both of which are part of UndefinedBehaviorSanitizer (UBSan), a tool designed to catch various kinds of undefined behavior during program execution. "They are architecture agnostic, suitable for bare-metal deployment, and should be enabled in existing C/C++ code bases to mitigate unknown vulnerabilities," Ivan Lozano and Roger Piqueras Jover said in a Tuesday post. The development comes months after the tech giant said it's working with ecosystem partners to increase the security of firmware that interacts with Android, thereby making it difficult for threat actors to achieve remote code execution within the Wi-Fi SoC or the cellular baseband. IntSan and BoundSan are two of the compiThe Hacker News
December 13, 2023 – Breach
Update: Ransomware Group Publishes Stolen Medical Data Full Text
Abstract
The effects of a November ransomware attack against Oceanside, California’s Tri-City Medical Center were contained more than two weeks ago, but now those behind the cyber incident are publishing stolen data on the dark web.Cyware
December 13, 2023 – Solution
How to Analyze Malware’s Network Traffic in A Sandbox Full Text
Abstract
Malware analysis encompasses a broad range of activities, including examining the malware's network traffic. To be effective at it, it's crucial to understand the common challenges and how to overcome them. Here are three prevalent issues you may encounter and the tools you'll need to address them. Decrypting HTTPS traffic Hypertext Transfer Protocol Secure (HTTPS), the protocol for secure online communication, has become a tool for malware to conceal its malicious activities. By cloaking data exchange between infected devices and command-and-control (C&C) servers, malware can operate undetected, exfiltrating sensitive data, installing additional payloads, and receiving instructions from the operators. Yet, with the right tool, decrypting HTTPS traffic is an easy task. For this purpose, we can use a man-in-the-middle (MITM) proxy. The MITM proxy works as an intermediary between the client and the server, intercepting their communication. The MITM proxy aids analyThe Hacker News
December 13, 2023 – Vulnerabilities
Sophos Backports Fix for CVE-2022-3236 for EOL Firewall Firmware Full Text
Abstract
Sophos has backported the patch for CVE-2022-3236 to end-of-life (EOL) firewall firmware versions due to ongoing attacks exploiting the vulnerability. The code injection vulnerability is being actively exploited by threat actors to target South Asia.Cyware
December 13, 2023 – Cryptocurrency
Microsoft Warns of Hackers Exploiting OAuth for Cryptocurrency Mining and Phishing Full Text
Abstract
Microsoft has warned that adversaries are using OAuth applications as an automation tool to deploy virtual machines (VMs) for cryptocurrency mining and launch phishing attacks. "Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious activity," the Microsoft Threat Intelligence team said in an analysis. "The misuse of OAuth also enables threat actors to maintain access to applications even if they lose access to the initially compromised account." OAuth, short for Open Authorization, is an authorization and delegation framework (as opposed to authentication) that provides applications the ability to securely access information from other websites without handing over passwords. In the attacks detailed by Microsoft, threat actors have been observed launching phishing or password-spraying attacks against poorly secured accounts with permissions to create or modify OAuthThe Hacker News
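The sequence Microsoft describes, a sprayed or phished account that then creates an OAuth application or grants it high privileges, is a correlation a SOC can run over its own audit trail. The detector below is an added example and not Microsoft's logic: it groups constructed events by identity, treats a burst of failed sign-ins followed by a success as a probable compromise, and flags any application change by that identity within a window, as well as any grant of a high-privilege permission regardless of how the account was reached. The event field names (ts, actor, operation, success, permissions), the operation strings and the permission names are assumptions for the example, not a vendor's schema; the thresholds are starting points to tune against your own tenant.

```python
"""Correlate sign-in anomalies with OAuth application changes.

Added example for the Microsoft report above; it is not Microsoft's detection
logic. The events are constructed and the field names, operation strings,
permission names and thresholds are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Permissions that let an app read or rewrite the whole directory or mailbox.
HIGH_PRIV = {
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
    "Mail.ReadWrite", "RoleManagement.ReadWrite.Directory",
}
# Operations that create an app, change it, credential it, or grant it rights.
APP_OPS = {
    "Add application", "Update application", "Consent to application",
    "Add app role assignment", "Add service principal credentials",
}
SPRAY_FAILURES = 5           # failures within SPRAY_SPAN before a success
SPRAY_SPAN = timedelta(hours=1)
WINDOW = timedelta(hours=24)  # how long after the suspect sign-in we care


def suspicious_oauth_changes(events):
    """Return [(actor, ts, operation, reason)] for app changes worth triage."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append(e)

    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
        failures = []
        compromised_at = None
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if e["operation"] == "Sign-in":
                if e.get("success", True):
                    # Success right after a burst of failures is the spray signature.
                    if sum(1 for f in failures if t - f <= SPRAY_SPAN) >= SPRAY_FAILURES:
                        compromised_at = t
                else:
                    failures.append(t)
                continue
            if e["operation"] not in APP_OPS:
                continue
            reasons = []
            if compromised_at is not None and t - compromised_at <= WINDOW:
                reasons.append("follows spray-then-success sign-in")
            risky = set(e.get("permissions", [])) & HIGH_PRIV
            if risky:
                reasons.append("grants high-privilege permission " + ", ".join(sorted(risky)))
            if reasons:
                alerts.append((actor, e["ts"], e["operation"], "; ".join(reasons)))
    return alerts


# Constructed audit events: a routine admin change, a sprayed finance account
# that then registers and consents to an app, and a developer granting an
# app-management permission without any sign-in anomaly.
SAMPLE_EVENTS = [
    {"ts": "2023-12-12T08:00:00", "actor": "admin@example.test", "operation": "Sign-in", "success": True},
    {"ts": "2023-12-12T08:30:00", "actor": "admin@example.test", "operation": "Update application", "permissions": ["User.Read"]},
] + [
    {"ts": f"2023-12-12T09:0{i}:00", "actor": "finance@example.test", "operation": "Sign-in", "success": False}
    for i in range(6)
] + [
    {"ts": "2023-12-12T09:06:00", "actor": "finance@example.test", "operation": "Sign-in", "success": True},
    {"ts": "2023-12-12T09:40:00", "actor": "finance@example.test", "operation": "Add application", "permissions": ["Mail.Read"]},
    {"ts": "2023-12-12T10:00:00", "actor": "finance@example.test", "operation": "Consent to application", "permissions": ["Directory.ReadWrite.All"]},
    {"ts": "2023-12-12T11:00:00", "actor": "dev@example.test", "operation": "Sign-in", "success": True},
    {"ts": "2023-12-12T11:15:00", "actor": "dev@example.test", "operation": "Add app role assignment", "permissions": ["Application.ReadWrite.All"]},
]

if __name__ == "__main__":
    for actor, ts, op, reason in suspicious_oauth_changes(SAMPLE_EVENTS):
        print(f"{ts} {actor}: {op} ({reason})")
```

The second rule matters even without a sign-in anomaly: Microsoft notes the attackers keep access through the application after losing the account, so a new credential or a broad permission on an app is the artefact that survives a password reset and should be reviewed on its own.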
December 13, 2023 – Government
FCC Reminds Mobile Phone Carriers They Must do More to Prevent SIM Swaps Full Text
Abstract
The FCC has updated its rules to require carriers to better verify customers' identities before making any changes to their accounts. The agency also emphasized the importance of quickly notifying customers of any account changes.Cyware
December 13, 2023 – Outage
Major Cyber Attack Paralyzes Kyivstar - Ukraine’s Largest Telecom Operator Full Text
Abstract
Ukraine's biggest telecom operator Kyivstar has become the victim of a "powerful hacker attack," disrupting customer access to mobile and internet services. "The cyberattack on Ukraine's #Kyivstar telecoms operator has impacted all regions of the country with high impact to the capital, metrics show, with knock-on impacts reported to air raid alert network and banking sector as work continues to restore connectivity," NetBlocks said in a series of posts on X (formerly Twitter). Kyivstar, which is owned by Dutch-domiciled multinational telecommunication services company VEON, serves nearly 25 million mobile subscribers and more than 1 million home internet customers. The company said the attack was "a result of" the war with Russia and that it has notified law enforcement and special state services. While Kyivstar is working to restore the services, the internet watchdog noted that the telco is largely offline. That said, Kyivstar has yet tThe Hacker News
December 13, 2023 – Malware
Cluster of Malicious Python Packages in PyPI Discovered Distributing Malware Full Text
Abstract
ESET Research has discovered a cluster of malicious Python packages in PyPI, the official Python package repository. These packages target both Windows and Linux systems and deliver a custom backdoor.Cyware
December 13, 2023 – Privacy
Congress Finds Pharmacies Give Patient Records to Law Enforcement Without Warrants Full Text
Abstract
A congressional review found that major pharmacy chains do not require a warrant before sharing customers' records with law enforcement, raising concerns about the privacy of Americans' pharmaceutical information.Cyware
December 13, 2023 – Breach
DonorView Exposes One Million Records for Unknown Time Frame Full Text
Abstract
The exposed information included donor names, addresses, payment methods, and even sensitive data about children associated with the organizations, posing a potential risk for phishing attacks and fraudulent donation requests.Cyware
December 13, 2023 – Breach
UK Ministry of Defence Fined $440K for Afghan Evacuation Data Breach Full Text
Abstract
The UK's Ministry of Defence has been fined £350,000 ($440,000) by the ICO for failing to protect the personal information of Afghans who worked with the British government and sought relocation after the Taliban took control of Afghanistan.Cyware
December 13, 2023 – Breach
Dubai’s Largest Taxi App DTC Exposes Data on Over 220,000 People Full Text
Abstract
The leaked data included personal information such as email addresses, phone numbers, and bank details. It also included driver information such as driving license numbers and work permit numbers.Cyware
December 13, 2023 – Vulnerabilities
Microsoft’s Final 2023 Patch Tuesday: 33 Flaws Fixed, Including 4 Critical Full Text
Abstract
Microsoft released its final set of Patch Tuesday updates for 2023, closing out 33 flaws in its software, making it one of the lightest releases in recent years. Of the 33 shortcomings, four are rated Critical and 29 are rated Important in severity. The fixes are in addition to 18 flaws Microsoft addressed in its Chromium-based Edge browser since the release of Patch Tuesday updates for November 2023. According to data from the Zero Day Initiative, the software giant has patched more than 900 flaws this year, making it one of the busiest years for Microsoft patches. For comparison, Redmond resolved 917 CVEs in 2022. While none of the vulnerabilities are listed as publicly known or under active attack at the time of release, some of the notable ones are listed below - CVE-2023-35628 (CVSS score: 8.1) - Windows MSHTML Platform Remote Code Execution Vulnerability CVE-2023-35630 (CVSS score: 8.8) - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability CVEThe Hacker News
December 12, 2023 – Vulnerabilities
Gamers Warned of Potential CS2 Exploit That can Reveal IP Addresses Full Text
Abstract
The exploit, which is an XSS vulnerability, allows players to display GIFs using HTML code blocks in-game. This poses a potential security threat to players, as the exploit can access player IP addresses and potentially execute code on their PCs.Cyware
December 12, 2023 – Policy and Law
Long-Running Clearview AI Class Action Biometric Privacy Case Settles Full Text
Abstract
Clearview AI has reached a settlement in a class-action privacy lawsuit, which alleged that the company violated Illinois' Biometric Information Privacy Act (BIPA) by using online images without consent for its facial recognition technology. (Cyware)
December 12, 2023 – Education
Unveiling the Cyber Threats to Healthcare: Beyond the Myths Full Text
Abstract
Let's begin with a thought-provoking question: among a credit card number, a social security number, and an Electronic Health Record (EHR), which commands the highest price on a dark web forum? Surprisingly, it's the EHR, and the difference is stark: according to a study, EHRs can sell for up to $1,000 each, compared to a mere $5 for a credit card number and $1 for a social security number. The reason is simple: while a credit card can be canceled, your personal data can't. This significant value disparity underscores why the healthcare industry remains a prime target for cybercriminals. The sector's rich repository of sensitive data presents a lucrative opportunity for profit-driven attackers. For 12 years running, healthcare has faced the highest average costs per breach compared to any other sector. Exceeding an average of $10 million per breach, it surpasses even the financial sector, which incurs an average cost of around $6 million. The severity of this iss... (The Hacker News)
December 12, 2023 – Phishing
Fake LinkedIn Profiles Target Saudi Workers for Information Leakage and Financial Fraud Full Text
Abstract
Researchers have discovered nearly a thousand fake profiles created with the intention of reaching out to companies in the Middle East. These profiles, often difficult to distinguish from real ones, have been successful in their campaigns. (Cyware)
December 12, 2023 – APT
Russian APT28 Hackers Targeting 13 Nations in Ongoing Cyber Espionage Campaign Full Text
Abstract
The Russian nation-state threat actor known as APT28 has been observed making use of lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace. IBM X-Force is tracking the adversary under the name ITG05, which is also known as BlueDelta, Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Sednit, Sofacy, and TA422. "The newly discovered campaign is directed against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance and diplomatic centers," security researchers Golo Mühr, Claire Zaboeva, and Joe Fasulo said. "ITG05's infrastructure ensures only targets from a single specific country can receive the malware, indicating the highly targeted nature of the campaign." Targets of the campaign include Hungary, Türkiye, Australia, Poland, Belgium, Ukraine, Germany, Azerbaijan, Saudi Arabia, Kazakhstan, Italy, Latvia, and Romania... (The Hacker News)
December 12, 2023 – General
Security Automation Gains Traction, Prompting a “Shift Everywhere” Philosophy Full Text
Abstract
According to Synopsys, the use of automated security technology is on the rise, as organizations increasingly embrace the "shift everywhere" philosophy to improve the effectiveness and reduce the cost of security activities. (Cyware)
December 12, 2023 – General
Non-Human Access is the Path of Least Resistance: A 2023 Recap Full Text
Abstract
2023 has seen its fair share of cyber attacks; however, there's one attack vector that proves to be more prominent than others: non-human access. With 11 high-profile attacks in 13 months and an ever-growing ungoverned attack surface, non-human identities are the new perimeter, and 2023 is only the beginning. Why non-human access is a cybercriminal's paradise: People always look for the easiest way to get what they want, and this goes for cybercrime as well. Threat actors look for the path of least resistance, and it seems that in 2023 this path was non-user access credentials (API keys, tokens, service accounts and secrets). "50% of the active access tokens connecting Salesforce and third-party apps are unused. In GitHub and GCP the numbers reach 33%." These non-user access credentials are used to connect apps and resources to other cloud services. What makes them a true hacker's dream is that they have no security measures like user credentials do (MFA, SSO or other IAM pol... (The Hacker News)
December 12, 2023 – Criminals
Cybercriminals Continue Targeting Open Remote Access Products Full Text
Abstract
According to WatchGuard, cybercriminals are still primarily targeting open remote access products and using legitimate remote access tools to hide their malicious activities. (Cyware)
December 12, 2023 – Phishing
New MrAnon Stealer Malware Targeting German Users via Booking-Themed Scam Full Text
Abstract
A phishing campaign has been observed delivering an information stealer malware called MrAnon Stealer to unsuspecting victims via seemingly benign booking-themed PDF lures. "This malware is a Python-based information stealer compressed with cx-Freeze to evade detection," Fortinet FortiGuard Labs researcher Cara Lin said. "MrAnon Stealer steals its victims' credentials, system information, browser sessions, and cryptocurrency extensions." There is evidence to suggest that Germany is the primary target of the attack as of November 2023, owing to the number of times the downloader URL hosting the payload has been queried. Masquerading as a company looking to book hotel rooms, the phishing email bears a PDF file that, upon opening, activates the infection by prompting the recipient to download an updated version of Adobe Flash. Doing so results in the execution of .NET executables and PowerShell scripts to ultimately run a pernicious Python script, which i... (The Hacker News)
December 12, 2023 – Attack
Nearly 130,000 Affected by Ransomware Attack on Cold Storage Company Americold Full Text
Abstract
The cyberattack resulted in the leak of sensitive data, including names, addresses, Social Security numbers, financial account information, and employment-related health insurance and medical information. (Cyware)
December 12, 2023 – Vulnerabilities
Apple Releases Security Updates to Patch Critical iOS and macOS Security Flaws Full Text
Abstract
Apple on Monday released security patches for iOS, iPadOS, macOS, tvOS, watchOS, and Safari web browser to address multiple security flaws, in addition to backporting fixes for two recently disclosed zero-days to older devices. This includes updates for 12 security vulnerabilities in iOS and iPadOS spanning AVEVideoEncoder, ExtensionKit, Find My, ImageIO, Kernel, Safari Private Browsing, and WebKit. macOS Sonoma 14.2, for its part, resolves 39 shortcomings, counting six bugs impacting the ncurses library. Notable among the flaws is CVE-2023-45866, a critical security issue in Bluetooth that could allow an attacker in a privileged network position to inject keystrokes by spoofing a keyboard. The vulnerability was disclosed by SkySafe security researcher Marc Newlin last week. It has been remediated in iOS 17.2, iPadOS 17.2, and macOS Sonoma 14.2 with improved checks, the iPhone maker said. Also released by Apple is Safari 17.2, containing fixes for two WebKit flaws – C... (The Hacker News)
December 12, 2023 – Vulnerabilities
New Critical RCE Vulnerability Discovered in Apache Struts 2 - Patch Now Full Text
Abstract
Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution. Tracked as CVE-2023-50164, the vulnerability is rooted in a flawed "file upload logic" that could enable unauthorized path traversal and could be exploited under the circumstances to upload a malicious file and achieve execution of arbitrary code. Struts is a Java framework that uses the Model-View-Controller (MVC) architecture for building enterprise-oriented web applications. Steven Seeley of Source Incite has been credited with discovering and reporting the flaw, which impacts the following versions of the software: Struts 2.3.37 (EOL), Struts 2.5.0 - Struts 2.5.32, and Struts 6.0.0 - Struts 6.3.0. Patches for the bug are available in versions 2.5.33 and 6.3.0.2 or greater. There are no workarounds that remediate the issue. "All developers are strongly advised to perform this upgr... (The Hacker News)
December 11, 2023 – Breach
Australia: University of Wollongong Confirms Data Breach, Notifies Authorities Full Text
Abstract
The University of Wollongong has experienced a data breach, with potentially both staff and students affected. The breach has been detected and contained, and investigations are underway to determine the scope of the breach. (Cyware)
December 11, 2023 – APT
Researchers Unmask Sandman APT’s Hidden Link to China-Based KEYPLUG Backdoor Full Text
Abstract
Tactical and targeting overlaps have been discovered between the enigmatic advanced persistent threat (APT) called Sandman and a China-based threat cluster that's known to use a backdoor known as KEYPLUG. The assessment comes jointly from SentinelOne, PwC, and the Microsoft Threat Intelligence team based on the fact that the adversary's Lua-based malware LuaDream and KEYPLUG have been determined to cohabit in the same victim networks. Microsoft and PwC are tracking the activity under the names Storm-0866 and Red Dev 40, respectively. "Sandman and Storm-0866/Red Dev 40 share infrastructure control and management practices, including hosting provider selections, and domain naming conventions," the companies said in a report shared with The Hacker News. "The implementation of LuaDream and KEYPLUG reveals indicators of shared development practices and overlaps in functionalities and design, suggesting shared functional requirements by their operators." (The Hacker News)
December 11, 2023 – Business
Opal Security, Which Helps Companies Manage Access and Identities, Raises $22M Full Text
Abstract
Identity management solution provider Opal Security has managed to raise $22 million in a Series B round to expand its team and develop new AI-powered tools for identity and access risk remediation. (Cyware)
December 11, 2023 – Attack
Lazarus Group Using Log4j Exploits to Deploy Remote Access Trojans Full Text
Abstract
The notorious North Korea-linked threat actor known as the Lazarus Group has been attributed to a new global campaign that involves the opportunistic exploitation of security flaws in Log4j to deploy previously undocumented remote access trojans (RATs) on compromised hosts. Cisco Talos is tracking the activity under the name Operation Blacksmith, noting the use of three DLang-based malware families, including a RAT called NineRAT that leverages Telegram for command-and-control (C2), DLRAT, and a downloader dubbed BottomLoader. The cybersecurity firm described the latest tactics of the adversary as a definitive shift and that they overlap with the cluster widely tracked as Andariel (aka Onyx Sleet or Silent Chollima), a sub-group within the Lazarus umbrella. "Andariel is typically tasked with initial access, reconnaissance and establishing long term access for espionage in support of the North Korean government's national interests," Talos researchers Jung soo An, As... (The Hacker News)
December 11, 2023 – Vulnerabilities
Apache Fixed Critical RCE Flaw CVE-2023-50164 in Struts 2 Full Text
Abstract
The Apache Software Foundation has released security updates to address a critical file upload vulnerability in the Struts 2 framework, which could allow for remote code execution. (Cyware)
December 11, 2023 – Education
Playbook: Your First 100 Days as a vCISO - 5 Steps to Success Full Text
Abstract
In an increasingly digital world, no organization is spared from cyber threats. Yet, not every organization has the luxury of hiring a full-time, in-house CISO. This gap in cybersecurity leadership is where you, as a vCISO, come in. You are the person who will establish, develop, and solidify the organization's cybersecurity infrastructure, blending strategic guidance with actionable cybersecurity services. As an organizational leader, you will be required to navigate professional duties, business needs, diverse organizational personas and leadership demands. Your success relies on your ability to build trust and establish yourself as a strategic decision-maker that can protect the organization. As such, your first 100 days in a new organization are key to your success. They will lay the groundwork for your long-term achievements. To aid you in this critical phase, we introduce a comprehensive guide: a five-step, 100-day action plan, "Your First 100 Days as a vCISO - 5... (The Hacker News)
December 11, 2023 – Malware
GULOADER Adds New Anti-Analysis Tactic to Arsenal Full Text
Abstract
Researchers have identified new techniques employed by the GuLoader malware to enhance its evasion capabilities and make analysis more challenging. The highly evasive shellcode downloader malware was found leveraging Vectored Exception Handler (VEH) capability. Organizations can leverage the late ... (Cyware)
December 11, 2023 – Malware
SpyLoan Scandal: 18 Malicious Loan Apps Defraud Millions of Android Users Full Text
Abstract
Cybersecurity researchers have discovered 18 malicious loan apps for Android on the Google Play Store that have been collectively downloaded over 12 million times. "Despite their attractive appearance, these services are in fact designed to defraud users by offering them high-interest-rate loans endorsed with deceitful descriptions, all while collecting their victims' personal and financial information to blackmail them, and in the end gain their funds," ESET said. The Slovak cybersecurity company is tracking these apps under the name SpyLoan, noting they are designed to target potential borrowers located in Southeast Asia, Africa, and Latin America. The list of apps, which have now been taken down by Google, is below: AA Kredit: इंस्टेंट लोन ऐप (com.aa.kredit.android); Amor Cash: Préstamos Sin Buró (com.amorcash.credito.prestamo); Oro Préstamo - Efectivo rápido (com.app.lo.go); Cashwow (com.cashwow.cow.eg); CrediBus Préstamos de crédito (com.dinero.profin.pr... (The Hacker News)
December 11, 2023 – Government
CISA and ENISA Signed a Working Arrangement to Enhance Cooperation Full Text
Abstract
The collaboration aims to strengthen cybersecurity, safeguard critical infrastructure, and reinforce the resilience of digital products in the face of increasing cyber threats. (Cyware)
December 11, 2023 – Education
Webinar — Psychology of Social Engineering: Decoding the Mind of a Cyber Attacker Full Text
Abstract
In the ever-evolving cybersecurity landscape, one method stands out for its chilling effectiveness – social engineering. But why does it work so well? The answer lies in the intricate dance between the attacker's mind and human psychology. Our upcoming webinar, "Think Like a Hacker, Defend Like a Pro," highlights this alarming trend. We delve deep into social engineering, exploring its roots in human psychology and why it remains a formidable weapon in the cyber attacker's arsenal. What Will You Learn? Understanding Social Engineering: An in-depth look at the evolution and continued effectiveness of social engineering in cyberattacks. Human Psychology in Cybersecurity: Insights into how social engineers twist psychological principles for nefarious purposes. Tactical Awareness: Learn to identify both used and unused tactics by social engineers, and understand the misinformation leveraged in their campaigns. Strategic Defense: Arm yourself with the knowl... (The Hacker News)
December 11, 2023 – Policy and Law
UK Sanctions Nine Linked to Cyber Trafficking in Southeast Asia Full Text
Abstract
The United Kingdom has imposed sanctions on individuals and entities involved in Southeast Asia's online scamming industry, targeting both human traffickers and companies connected to scam operations. (Cyware)
December 11, 2023 – Malware
New PoolParty Process Injection Techniques Outsmart Top EDR Solutions Full Text
Abstract
A new collection of eight process injection techniques, collectively dubbed PoolParty, could be exploited to achieve code execution in Windows systems while evading endpoint detection and response (EDR) systems. SafeBreach researcher Alon Leviev said the methods are "capable of working across all processes without any limitations, making them more flexible than existing process injection techniques." The findings were first presented at the Black Hat Europe 2023 conference last week. Process injection refers to an evasion technique used to run arbitrary code in a target process. A wide range of process injection techniques exists, such as dynamic link library (DLL) injection, portable executable injection, thread execution hijacking, process hollowing, and process doppelgänging. PoolParty is so named because it's rooted in a component called Windows user-mode thread pool, leveraging it to insert any type of work item into a target process on the system. I... (The Hacker News)
December 9, 2023 – Vulnerabilities
Researchers Automated Jailbreaking of LLMs With Other LLMs Full Text
Abstract
Researchers have developed an automated machine learning technique, called TAP, that can quickly exploit vulnerabilities in large language models (LLMs) and make them produce harmful and toxic responses. (Cyware)
December 09, 2023 – Vulnerabilities
SLAM Attack: New Spectre-based Vulnerability Impacts Intel, AMD, and Arm CPUs Full Text
Abstract
Researchers from the Vrije Universiteit Amsterdam have disclosed a new side-channel attack called SLAM that could be exploited to leak sensitive information from kernel memory on current and upcoming CPUs from Intel, AMD, and Arm. The attack is an end-to-end exploit for Spectre based on a new feature in Intel CPUs called Linear Address Masking (LAM) as well as its analogous counterparts from AMD (called Upper Address Ignore or UAI) and Arm (called Top Byte Ignore or TBI). "SLAM exploits unmasked gadgets to let a userland process leak arbitrary ASCII kernel data," VUSec researchers said, adding it could be leveraged to leak the root password hash within minutes from kernel memory. While LAM is presented as a security feature, the study found that it ironically degrades security and "dramatically" increases the Spectre attack surface, resulting in a transient execution attack, which exploits speculative execution to extract sensitive data via... (The Hacker News)
December 9, 2023 – Malware
Bypassing Major EDRs Using Pool Party Process Injection Techniques Full Text
Abstract
The technique utilizes Windows thread pools and includes a chain of three primitives for memory allocation, writing malicious code, and executing it, making it more flexible than existing process injection techniques. (Cyware)
December 09, 2023 – Malware
Researchers Unveil GuLoader Malware’s Latest Anti-Analysis Techniques Full Text
Abstract
Threat hunters have unmasked the latest tricks adopted by a malware strain called GuLoader in an effort to make analysis more challenging. "While GuLoader's core functionality hasn't changed drastically over the past few years, these constant updates in their obfuscation techniques make analyzing GuLoader a time-consuming and resource-intensive process," Elastic Security Labs researcher Daniel Stepanic said in a report published this week. First spotted in late 2019, GuLoader (aka CloudEyE) is an advanced shellcode-based malware downloader that's used to distribute a wide range of payloads, such as information stealers, while incorporating a bevy of sophisticated anti-analysis techniques to dodge traditional security solutions. A steady stream of open-source reporting into the malware in recent months has revealed the threat actors behind it have continued to improve its ability to bypass existing or new security features alongside other implemented fe... (The Hacker News)
December 9, 2023 – Attack
Central Virginia Transit System Affected by Cyber Incident Full Text
Abstract
The Greater Richmond Transit Company (GRTC) experienced a cyberattack over the Thanksgiving holiday, resulting in a temporary disruption to their computer network. The Play ransomware gang has claimed responsibility for the attack. (Cyware)
December 9, 2023 – Attack
Hackers Hit Erris Water in Stance Over Israel Full Text
Abstract
Cybercriminals targeted a private group water scheme in the Erris area, causing disruption to 180 homeowners and highlighting the vulnerability of critical infrastructure to politically motivated cyber-attacks. (Cyware)
December 9, 2023 – Breach
Android Barcode Scanner App Exposes User Passwords Full Text
Abstract
The Android app Barcode to Sheet, with over 100k downloads, has left sensitive user data exposed due to an open instance, including plaintext enterprise data and weakly hashed passwords. (Cyware)
December 8, 2023 – Government
FCC Partners With Four States on Privacy and Data Protection Enforcement Full Text
Abstract
By collaborating with state enforcers, the FCC can enhance its investigative efforts, share information, and leverage tools to address consumer harms more effectively in the realm of privacy and cybersecurity. (Cyware)
December 08, 2023 – Vulnerabilities
New 5G Modems Flaws Affect iOS Devices and Android Models from Major Brands Full Text
Abstract
A collection of security flaws in the firmware implementation of 5G mobile network modems from major chipset vendors such as MediaTek and Qualcomm impact USB and IoT modems as well as hundreds of smartphone models running Android and iOS. Of the 14 flaws – collectively called 5Ghoul (a combination of "5G" and "Ghoul") – 10 affect 5G modems from the two companies, out of which three have been classified as high-severity vulnerabilities. "5Ghoul vulnerabilities may be exploited to continuously launch attacks to drop the connections, freeze the connection that involve manual reboot or downgrade the 5G connectivity to 4G," the researchers said in a study published today. As many as 714 smartphones from 24 brands are impacted, including those from Vivo, Xiaomi, OPPO, Samsung, Honor, Motorola, realme, OnePlus, Huawei, ZTE, Asus, Sony, Meizu, Nokia, Apple, and Google. The vulnerabilities were disclosed by a team of researchers from the ASSET (Automated... (The Hacker News)
December 8, 2023 – Breach
Update: Records Reveal New Information About Sweetwater Union High School District Data Breach Full Text
Abstract
New records obtained through a public records request reveal that over 22,000 people were affected by a data breach at the Sweetwater Union High School District in California. (Cyware)
December 08, 2023 – Attack
N. Korean Kimsuky Targeting South Korean Research Institutes with Backdoor Attacks Full Text
Abstract
The North Korean threat actor known as Kimsuky has been observed targeting research institutes in South Korea as part of a spear-phishing campaign with the ultimate goal of distributing backdoors on compromised systems. "The threat actor ultimately uses a backdoor to steal information and execute commands," the AhnLab Security Emergency Response Center (ASEC) said in an analysis posted last week. The attack chains commence with an import declaration lure that's actually a malicious JSE file containing an obfuscated PowerShell script, a Base64-encoded payload, and a decoy PDF document. The next stage entails opening the PDF file as a diversionary tactic, while the PowerShell script is executed in the background to launch the backdoor. The malware, for its part, is configured to collect network information and other relevant data (i.e., host name, user name, and operating system version) and transmit the encoded details to a remote server. It's also capable of... (The Hacker News)
December 8, 2023 – Breach
Shoe Retailer Aldo Says LockBit Posting Is Related to System at Franchise Partner Full Text
Abstract
The affected data was limited to information related to the franchise partner's operations in a specific overseas territory and did not include any financial or payment card information. (Cyware)
December 08, 2023 – Ransomware
Ransomware-as-a-Service: The Growing Threat You Can’t Ignore Full Text
Abstract
Ransomware attacks have become a significant and pervasive threat in the ever-evolving realm of cybersecurity. Among the various iterations of ransomware, one trend that has gained prominence is Ransomware-as-a-Service (RaaS). This alarming development has transformed the cybercrime landscape, enabling individuals with limited technical expertise to carry out devastating attacks. Traditional and double extortion ransomware attacks: Traditionally, ransomware refers to a type of malware that encrypts the victim's files, effectively blocking access to data and applications until a ransom is paid to the attacker. However, more contemporary attackers often employ an additional strategy. The bad actors create copies of the compromised data and leverage the threat of publishing sensitive information online unless their demands for ransom are met. This dual approach adds an extra layer of complexity and potential harm to the victims. A new model for ransomware: RaaS is the latest busin... (The Hacker News)
December 8, 2023 – General
Ransomware, Vendor Hacks Push Breach Number to Record High Full Text
Abstract
Data breaches in the U.S. have reached an all-time high, with 2.6 billion personal records compromised in the past two years, driven by aggressive ransomware attacks and breaches targeting third-party vendors. (Cyware)
December 08, 2023 – Malware
Mac Users Beware: New Trojan-Proxy Malware Spreading via Pirated Software Full Text
Abstract
Unauthorized websites distributing trojanized versions of cracked software have been found to infect Apple macOS users with a new Trojan-Proxy malware. "Attackers can use this type of malware to gain money by building a proxy server network or to perform criminal acts on behalf of the victim: to launch attacks on websites, companies and individuals, buy guns, drugs, and other illicit goods," Kaspersky security researcher Sergey Puzan said. The Russian cybersecurity firm said it found evidence indicating that the malware is a cross-platform threat, owing to artifacts unearthed for Windows and Android that piggybacked on pirated tools. The macOS variants propagate under the guise of legitimate multimedia, image editing, data recovery, and productivity tools. This suggests that users searching for pirated software are the targets of the campaign. Unlike their genuine, unaltered counterparts, which are offered as disk image (.DMG) files, the rogue versions are delivered... (The Hacker News)
December 8, 2023 – Vulnerabilities
Novel ‘DDSpoof’ Attacks Abuse Microsoft DHCP Servers to Spoof DNS Records Full Text
Abstract
The default configuration of Microsoft Dynamic Host Configuration Protocol (DHCP) servers leaves a significant number of organizations vulnerable to these attacks, making them accessible to a wide range of attackers. (Cyware)
December 08, 2023 – Vulnerabilities
WordPress Releases Update 6.4.2 to Address Critical Remote Attack Vulnerability Full Text
Abstract
WordPress has released version 6.4.2 with a patch for a critical security flaw that could be exploited by threat actors by combining it with another bug to execute arbitrary PHP code on vulnerable sites. "A remote code execution vulnerability that is not directly exploitable in core; however, the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installations," WordPress said. According to WordPress security company Wordfence, the issue is rooted in the WP_HTML_Token class that was introduced in version 6.4 to improve HTML parsing in the block editor. A threat actor with the ability to exploit a PHP object injection vulnerability present in any other plugin or theme could chain the two issues to execute arbitrary code and seize control of the targeted site. "If a POP [property-oriented programming] chain is present via an additional plugin or theme installed on the target system, it could all... (The Hacker News)
December 8, 2023 – Business
ProvenRun Raises $16.2M in Series A Funding Full Text
Abstract
The round was led by Tikehau Capital, through its new vintage of Brienne, its flagship private equity cybersecurity strategy with the French Ministry of Defence’s Definvest fund, managed by Bpifrance. (Cyware)
December 08, 2023 – Policy and Law
Founder of Bitzlato Cryptocurrency Exchange Pleads Guilty in Money-Laundering Scheme Full Text
Abstract
The Russian founder of the now-defunct Bitzlato cryptocurrency exchange has pleaded guilty, nearly 11 months after he was arrested in Miami earlier this year. Anatoly Legkodymov (aka Anatolii Legkodymov, Gandalf, and Tolik), according to the U.S. Justice Department, admitted to operating an unlicensed money-transmitting business that enabled other criminal actors to launder their illicit proceeds. He faces up to five years in prison. "Legkodymov operated a cryptocurrency exchange that was open for business to money launderers and other criminals," said Acting Assistant Attorney General Nicole M. Argentieri of the Justice Department's Criminal Division. "He profited from catering to criminals, and now he must pay the price. Transacting in cryptocurrency does not put you beyond the reach of the law." Bitzlato, which served as a safe haven for fraudsters and ransomware crews such as Conti, is estimated to have received $2.5 billion in cryptocurrency bet... (The Hacker News)
December 8, 2023 – Malware
New Variants of HeadCrab Malware Commandeer Thousands of Servers Full Text
Abstract
The HeadCrab malware has resurfaced with a new variant that allows root access to Redis servers, infecting over 1,100 servers and enabling the attacker to control and modify responses. (Cyware)
December 7, 2023 – Vulnerabilities
Google Pushes Yet Another Security Update to Its Chrome Browser Full Text
Abstract
Chrome version 120 includes 10 bug fixes, with two of them being highly critical security patches. The high-ranked security vulnerabilities include "Use after free" exploits in Media Stream and Side Panel Search. (Cyware)
December 07, 2023 – Hacker
Microsoft Warns of COLDRIVER’s Evolving Evading and Credential-Stealing Tactics Full Text
Abstract
The threat actor known as COLDRIVER has continued to engage in credential theft activities against entities that are of strategic interests to Russia while simultaneously improving its detection evasion capabilities. The Microsoft Threat Intelligence team is tracking the cluster as Star Blizzard (formerly SEABORGIUM). It's also called Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), and TA446. The adversary "continues to prolifically target individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests," Redmond said. Star Blizzard, linked to Russia's Federal Security Service (FSB), has a track record of setting up lookalike domains that impersonate the login pages of targeted companies. It's known to be active since at least 2017. In August 2023, Recorded Future... (The Hacker News)
December 7, 2023 – Vulnerabilities
Dangerous Vulnerability in Fleet Management Software Seemingly Ignored by Vendor Full Text
Abstract
The vulnerability, which impacts the Syrus4 IoT gateway made by Digital Communications Technologies (DCT), gives hackers access to the software and commands used to manage thousands of vehicles. (Cyware)
December 07, 2023 – Vulnerabilities
New Bluetooth Flaw Let Hackers Take Over Android, Linux, macOS, and iOS Devices Full Text
Abstract
A critical Bluetooth security flaw could be exploited by threat actors to take control of Android, Linux, macOS and iOS devices. Tracked as CVE-2023-45866, the issue relates to a case of authentication bypass that enables attackers to connect to susceptible devices and inject keystrokes to achieve code execution as the victim. "Multiple Bluetooth stacks have authentication bypass vulnerabilities that permit an attacker to connect to a discoverable host without user confirmation and inject keystrokes," said security researcher Marc Newlin, who disclosed the flaws to the software vendors in August 2023. Specifically, the attack deceives the target device into thinking that it's connected to a Bluetooth keyboard by taking advantage of an "unauthenticated pairing mechanism" that's defined in the Bluetooth specification. Successful exploitation of the flaw could permit an adversary in close physical proximity to connect to a vulnerable device and trans... (The Hacker News)
December 7, 2023 – Breach
Groveport Madison School District Servers Hacked by Ransomware Group Full Text
Abstract
The BlackSuit ransomware group was able to hack into two servers belonging to the school district, impacting Windows devices, file services, printers, and copiers. Phones were not impacted.Cyware
December 07, 2023 – Education
Hacking the Human Mind: Exploiting Vulnerabilities in the ‘First Line of Cyber Defense’ Full Text
Abstract
Humans are complex beings with consciousness, emotions, and the capacity to act based on thoughts. In the ever-evolving realm of cybersecurity, humans consistently remain primary targets for attackers. Over the years, these attackers have developed their expertise in exploiting various human qualities, sharpening their skills to manipulate biases and emotional triggers with the objective of influencing human behaviour to compromise security, whether personal or organisational. More than just a 'human factor' Understanding what defines our humanity, recognizing how our qualities can be perceived as vulnerabilities, and comprehending how our minds can be targeted provide the foundation for identifying and responding when we inevitably become the target. The human mind is a complex landscape that evolved over years of exposure to the natural environment, interactions with others, and lessons drawn from past experiences. As humans, our minds set us apart, markeThe Hacker News
December 7, 2023 – Breach
Millions of Patient Scans and Health Records Spilling Online Thanks to Decades-Old DICOM Bug Full Text
Abstract
Over 3,800 PACS servers across 110 countries are unintentionally exposing the private data of 16 million patients, including names, addresses, and even Social Security numbers.Cyware
December 07, 2023 – Education
Building a Robust Threat Intelligence with Wazuh Full Text
Abstract
Threat intelligence refers to gathering, processing, and analyzing cyber threats, along with proactive defensive measures aimed at strengthening security. It enables organizations to gain a comprehensive insight into historical, present, and anticipated threats, providing context about the constantly evolving threat landscape. Importance of threat intelligence in the cybersecurity ecosystem Threat intelligence is a crucial part of any cybersecurity ecosystem. A robust cyber threat intelligence program helps organizations identify, analyze, and prevent security breaches. Threat intelligence is important to modern cyber security practice for several reasons: Proactive defense: Organizations can enhance their overall cyber resilience by integrating threat intelligence into security practices to address the specific threats and risks that are relevant to their industry, geolocation, or technology stack. Threat intelligence allows organizations to identify potential threats in advancThe Hacker News
December 7, 2023 – Vulnerabilities
Apple and Some Linux Distros are Open to Bluetooth Attack Full Text
Abstract
A Bluetooth authentication bypass vulnerability, tracked as CVE-2023-45866, allows attackers to connect to Apple, Android, and Linux devices and inject keystrokes to run arbitrary commands.Cyware
December 07, 2023 – Privacy
Governments May Spy on You by Requesting Push Notifications from Apple and Google Full Text
Abstract
Unspecified governments have demanded mobile push notification records from Apple and Google users to pursue people of interest, according to U.S. Senator Ron Wyden. "Push notifications are alerts sent by phone apps to users' smartphones," Wyden said. "These alerts pass through a digital post office run by the phone operating system provider -- overwhelmingly Apple or Google. Because of that structure, the two companies have visibility into how their customers use apps and could be compelled to provide this information to U.S. or foreign governments." Wyden, in a letter to U.S. Attorney General Merrick Garland, said both Apple and Google confirmed receiving such requests but noted that information about the practice was restricted from public release by the U.S. government, raising questions about the transparency of legal demands they receive from governments. When mobile apps for Android and iOS send push notifications to users' devices, they are roThe Hacker News
December 7, 2023 – APT
TA422’s Dedicated Exploitation Loop—the Same Week After Week Full Text
Abstract
Russian APT group TA422 has been actively exploiting patched vulnerabilities to target government, aerospace, education, finance, manufacturing, and technology sectors in Europe and North America.Cyware
December 07, 2023 – Malware
New Stealthy ‘Krasue’ Linux Trojan Targeting Telecom Firms in Thailand Full Text
Abstract
A previously unknown Linux remote access trojan called Krasue has been observed targeting telecom companies in Thailand by threat actors to maintain covert access to victim networks since at least 2021. Named after a nocturnal female spirit of Southeast Asian folklore, the malware is "able to conceal its own presence during the initialization phase," Group-IB said in a report shared with The Hacker News. The exact initial access vector used to deploy Krasue is currently not known, although it's suspected that it could be via vulnerability exploitation, credential brute-force attacks, or downloaded as part of a bogus software package or binary. The scale of the campaign is The malware's core functionalities are realized through a rootkit that allows it to maintain persistence on the host without attracting any attention. The rootkit is derived from open-source projects such as Diamorphine, Suterusu, and Rooty. This has raised the possibility that Krasue is eitheThe Hacker News
December 7, 2023 – Attack
Schools in Maine, Indiana and Georgia Contend With Ransomware Attacks Full Text
Abstract
The Henry County Schools district in Georgia and the Hermon School Department in Maine are among the latest victims, with the former experiencing a ransomware attack and the latter having outdated software vulnerabilities exploited.Cyware
December 6, 2023 – Criminals
North Korean Andariel Hackers Steal South Korean Anti-Aircraft Data Full Text
Abstract
Seoul police have seized the servers and virtual asset exchanges used by Andariel, arrested the person involved in transferring ransomware funds, and advised organizations to strengthen their cybersecurity measures to prevent future attacks.Cyware
December 06, 2023 – Vulnerabilities
Alert: Threat Actors Can Leverage AWS STS to Infiltrate Cloud Accounts Full Text
Abstract
Threat actors can take advantage of Amazon Web Services Security Token Service (AWS STS) as a way to infiltrate cloud accounts and conduct follow-on attacks. The service enables threat actors to impersonate user identities and roles in cloud environments, Red Canary researchers Thomas Gardner and Cody Betsworth said in a Tuesday analysis. AWS STS is a web service that enables users to request temporary, limited-privilege credentials to access AWS resources without needing to create an AWS identity. These STS tokens can be valid anywhere from 15 minutes to 36 hours. Threat actors can steal long-term IAM tokens through a variety of methods like malware infections, publicly exposed credentials, and phishing emails, subsequently using them to determine roles and privileges associated with those tokens via API calls. "Depending on the token's permission level, adversaries may also be able to use it to create additional IAM users with long-term AKIA tokens to eThe Hacker News
December 6, 2023 – Business
Mine Digs up $30M for Its No-Code Approach to Vetting Data Privacy Full Text
Abstract
Battery Ventures and PayPal Ventures are co-leading this round, with participation also from Nationwide Ventures and all its previous backers, including Saban Ventures, Gradient Ventures, MassMutual Ventures, and Headline Ventures.Cyware
December 06, 2023 – General
New Report: Unveiling the Threat of Malicious Browser Extensions Full Text
Abstract
Compromising the browser is a high-return target for adversaries. Browser extensions, which are small software modules that are added to the browser and can enhance browsing experiences, have become a popular browser attack vector. This is because they are widely adopted among users and can easily turn malicious through developer actions or attacks on legitimate extensions. Recent incidents like DataSpii and the Nigelthorn malware attack have exposed the extent of damage that malicious extensions can inflict. In both cases, users innocently installed extensions that compromised their privacy and security. The underlying issue lies in the permissions granted to extensions. These permissions, often excessive and lacking granularity, allow attackers to exploit them. What can organizations do to protect themselves from the risks of browser extensions without barring them from use altogether (an act that would be nearly impossible to enforce)? A new report by LayerX, "Unveiling theThe Hacker News
December 6, 2023 – Vulnerabilities
Post-Exploitation Tampering Technique can be Used to Simulate Fake Lockdown Mode on iPhones Full Text
Abstract
Hackers can manipulate Lockdown Mode to provide visual cues of activation without actually implementing any protections. Lockdown Mode should not be relied upon as a comprehensive security measure and users should be aware of its limitations.Cyware
December 06, 2023 – Vulnerabilities
Sierra:21 - Flaws in Sierra Wireless Routers Expose Critical Sectors to Cyber Attacks Full Text
Abstract
A collection of 21 security flaws has been discovered in Sierra Wireless AirLink cellular routers and open-source software components like TinyXML and OpenNDS. Collectively tracked as Sierra:21, the issues expose over 86,000 devices across critical sectors like energy, healthcare, waste management, retail, emergency services, and vehicle tracking to cyber threats, according to Forescout Vedere Labs. A majority of these devices are located in the U.S., Canada, Australia, France, and Thailand. "These vulnerabilities may allow attackers to steal credentials, take control of a router by injecting malicious code, persist on the device and use it as an initial access point into critical networks," the industrial cybersecurity company said in a new analysis. Of the 21 vulnerabilities, one is rated critical, nine are rated high, and 11 are rated medium in severity. This includes remote code execution (RCE), cross-site scripting (XSS), denial-of-service (DoS), unauthoriThe Hacker News
December 6, 2023 – Malware
SpyLoan Android Malware Targets Users in Southeast Asia, Africa, and Latin America Full Text
Abstract
These apps trick users into providing sensitive personal and financial information, which is then used to blackmail them. The apps focus on users in Southeast Asia, Africa, and Latin America.Cyware
December 06, 2023 – Education
Scaling Security Operations with Automation Full Text
Abstract
In an increasingly complex and fast-paced digital landscape, organizations strive to protect themselves from various security threats. However, limited resources often hinder security teams when combatting these threats, making it difficult to keep up with the growing number of security incidents and alerts. Implementing automation throughout security operations helps security teams alleviate these challenges by streamlining repetitive tasks, reducing the risk of human error, and allowing them to focus on higher-value initiatives. While automation offers significant benefits, there is no foolproof method or process to guarantee success. Clear definitions, consistent implementation, and standardized processes are crucial for optimal results. Without guidelines, manual and time-consuming methods can undermine the effectiveness of automation. This blog explores the challenges faced by security operations teams when implementing automation and the practical steps needed to build a stroThe Hacker News
December 06, 2023 – Government
Hackers Exploited ColdFusion Vulnerability to Breach Federal Agency Servers Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of a high-severity Adobe ColdFusion vulnerability by unidentified threat actors to gain initial access to government servers. "The vulnerability in ColdFusion (CVE-2023-26360) presents as an improper access control issue and exploitation of this CVE can result in arbitrary code execution," CISA said, adding an unnamed federal agency was targeted between June and July 2023. The shortcoming affects ColdFusion 2018 (Update 15 and earlier versions) and ColdFusion 2021 (Update 5 and earlier versions). It has been addressed in versions Update 16 and Update 6, released on March 14, 2023, respectively. It was added by CISA to the Known Exploited Vulnerabilities (KEV) catalog a day later, citing evidence of active exploitation in the wild. Adobe, in an advisory released around that time, said it's aware of the flaw being "exploited in the wild in very limited attacks."The Hacker News
December 06, 2023 – Vulnerabilities
Atlassian Releases Critical Software Fixes to Prevent Remote Code Execution Full Text
Abstract
Atlassian has released software fixes to address four critical flaws in its software that, if successfully exploited, could result in remote code execution. The list of vulnerabilities is below - CVE-2022-1471 (CVSS score: 9.8) - Deserialization vulnerability in SnakeYAML library that can lead to remote code execution in multiple products CVE-2023-22522 (CVSS score: 9.0) - Remote code execution vulnerability in Confluence Data Center and Confluence Server (affects all versions including and after 4.0.0) CVE-2023-22523 (CVSS score: 9.8) - Remote code execution vulnerability in Assets Discovery for Jira Service Management Cloud, Server, and Data Center (affects all versions up to but not including 3.2.0-cloud / 6.2.0 data center and server) CVE-2023-22524 (CVSS score: 9.6) - Remote code execution vulnerability in Atlassian Companion app for macOS (affects all versions up to but not including 2.0.0) Atlassian described CVE-2023-22522 as a template injection flaw that alloThe Hacker News
December 5, 2023 – Attack
Florida Water Agency Latest to Confirm Cyber Incident as Feds Warn of Nation-State Attacks Full Text
Abstract
The St. Johns River Water Management District in Florida has confirmed that it responded to a cyberattack last week, amid warnings from top cybersecurity agencies about foreign attacks on water utilities.Cyware
December 05, 2023 – Vulnerabilities
Warning for iPhone Users: Experts Warn of Sneaky Fake Lockdown Mode Attack Full Text
Abstract
A new "post-exploitation tampering technique" can be abused by malicious actors to visually deceive a target into believing that their Apple iPhone is running in Lockdown Mode when it's actually not and carry out covert attacks. The novel method, detailed by Jamf Threat Labs in a report shared with The Hacker News, "shows that if a hacker has already infiltrated your device, they can cause Lockdown Mode to be 'bypassed' when you trigger its activation." In other words, the goal is to implement Fake Lockdown Mode on a device that's compromised by an attacker through other means, such as unpatched security flaws that can trigger execution of arbitrary code. Lockdown Mode, introduced by Apple last year with iOS 16, is an enhanced security measure that aims to safeguard high-risk individuals from sophisticated digital threats such as mercenary spyware by minimizing the attack surface. What it doesn't do is prevent the execution of maliThe Hacker News
December 5, 2023 – Breach
Iran-Linked Hackers Claim to Leak Troves of Documents From Israeli Hospital Full Text
Abstract
A hacker group allegedly linked to Iran, known as Malek Team, has claimed responsibility for a cyberattack on an Israeli hospital, resulting in the leak of thousands of medical records, including those of Israeli soldiers.Cyware
December 05, 2023 – Disinformation
Russia’s AI-Powered Disinformation Operation Targeting Ukraine, U.S., and Germany Full Text
Abstract
The Russia-linked influence operation called Doppelganger has targeted Ukrainian, U.S., and German audiences through a combination of inauthentic news sites and social media accounts. These campaigns are designed to amplify content designed to undermine Ukraine as well as propagate anti-LGBTQ+ sentiment, U.S. military competence, and Germany's economic and social issues, according to a new report shared with The Hacker News. Doppelganger, described by Meta as the "largest and the most aggressively-persistent Russian-origin operation," is a pro-Russian network known for spreading anti-Ukrainian propaganda. Active since at least February 2022, it has been linked to two companies named Structura National Technologies and Social Design Agency. Activities associated with the influence operation are known to leverage manufactured websites as well as those impersonating authentic media – a technique called brandjacking – to disseminate adversarial narratives. The lateThe Hacker News
December 5, 2023 – Breach
International Dog Breeding Organization WALA Exposes 25GB of Pet Owners’ Data Full Text
Abstract
The breach exposes the global customer base of WALA to potential threats like phishing attacks and financial scams, emphasizing the need for affected parties to monitor their financial accounts and implement additional security measures.Cyware
December 05, 2023 – Education
Generative AI Security: Preventing Microsoft Copilot Data Exposure Full Text
Abstract
Microsoft Copilot has been called one of the most powerful productivity tools on the planet. Copilot is an AI assistant that lives inside each of your Microsoft 365 apps — Word, Excel, PowerPoint, Teams, Outlook, and so on. Microsoft's dream is to take the drudgery out of daily work and let humans focus on being creative problem-solvers. What makes Copilot a different beast than ChatGPT and other AI tools is that it has access to everything you've ever worked on in 365. Copilot can instantly search and compile data from across your documents, presentations, email, calendar, notes, and contacts. And therein lies the problem for information security teams. Copilot can access all the sensitive data that a user can access, which is often far too much. On average, 10% of a company's M365 data is open to all employees. Copilot can also rapidly generate net new sensitive data that must be protected. Prior to the AI revolution, humans' ability to create and share dataThe Hacker News
December 5, 2023 – Government
OPM Launches Cyber Rotational Program for Feds Full Text
Abstract
The OPM has launched a new Federal Rotational Cyber Workforce Program, allowing cybersecurity employees in the federal government to apply for rotational opportunities at other agencies to enhance their skills and defend against evolving threats.Cyware
December 05, 2023 – Vulnerabilities
15,000 Go Module Repositories on GitHub Vulnerable to Repojacking Attack Full Text
Abstract
New research has found that over 15,000 Go module repositories on GitHub are vulnerable to an attack called repojacking. "More than 9,000 repositories are vulnerable to repojacking due to GitHub username changes," Jacob Baines, chief technology officer at VulnCheck, said in a report shared with The Hacker News. "More than 6,000 repositories were vulnerable to repojacking due to account deletion." Collectively, these repositories account for no less than 800,000 Go module-versions. Repojacking, a portmanteau of "repository" and "hijacking," is an attack technique that allows a bad actor to take advantage of account username changes and deletions to create a repository with the same name and the pre-existing username to stage open-source software supply chain attacks. Earlier this June, cloud security firm Aqua revealed that millions of software repositories on GitHub are likely vulnerable to the threat, urging organizations that undergoThe Hacker News
December 5, 2023 – Attack
Accounting Software Giant Tipalti Investigating Ransomware Attack Full Text
Abstract
ALPHV, a prolific ransomware group, allegedly gained persistent access to multiple Tipalti systems and stole over 265GB of data, with claims of insider involvement in the attacks.Cyware
December 05, 2023 – Attack
New Threat Actor ‘AeroBlade’ Emerges in Espionage Attack on U.S. Aerospace Full Text
Abstract
A previously undocumented threat actor has been linked to a cyber attack targeting an aerospace organization in the U.S. as part of what's suspected to be a cyber espionage mission. The BlackBerry Threat Research and Intelligence team is tracking the activity cluster as AeroBlade . Its origin is currently unknown and it's not clear if the attack was successful. "The actor used spear-phishing as a delivery mechanism: A weaponized document, sent as an email attachment, contains an embedded remote template injection technique and a malicious VBA macro code, to deliver the next stage to the final payload execution," the company said in an analysis published last week. The network infrastructure used for the attack is said to have gone live around September 2022, with the offensive phase of the intrusion occurring nearly a year later in July 2023, but not before the adversary took steps to improvise its toolset to make it more stealthy in the intervening time perioThe Hacker News
December 5, 2023 – Phishing
Hershey phishes! Crooks snarf chocolate lovers’ creds Full Text
Abstract
The phishing emails were sent to employees in early September and allowed the criminals to steal a range of personal data, including names, health and medical information, credit card numbers, and online account credentials.Cyware
December 05, 2023 – APT
Microsoft Warns of Kremlin-Backed APT28 Exploiting Critical Outlook Vulnerability Full Text
Abstract
Microsoft on Monday said it detected Kremlin-backed nation-state activity exploiting a now-patched critical security flaw in its Outlook email service to gain unauthorized access to victims' accounts within Exchange servers. The tech giant attributed the intrusions to a threat actor it called Forest Blizzard (formerly Strontium), which is also widely tracked under the monikers APT28, BlueDelta, Fancy Bear, FROZENLAKE, Iron Twilight, Sednit, Sofacy, and TA422. The security vulnerability in question is CVE-2023-23397 (CVSS score: 9.8), a critical privilege escalation bug that could allow an adversary to access a user's Net-NTLMv2 hash that could then be used to conduct a relay attack against another service to authenticate as the user. It was patched by Microsoft in March 2023. The goal, according to the Polish Cyber Command (DKWOC), is to obtain unauthorized access to mailboxes belonging to public and private entities in the country. "In the next stage of maliciThe Hacker News
December 4, 2023 – Policy and Law
Establishing New Rules for Cyber Warfare Full Text
Abstract
The International Committee of the Red Cross (ICRC) has released a set of rules for civilian hackers involved in cyber conflicts. The rules aim to clarify the line between civilians and combatants in cyberspace during times of war.Cyware
December 04, 2023 – Vulnerabilities
New BLUFFS Bluetooth Attack Exposes Devices to Adversary-in-the-Middle Attacks Full Text
Abstract
New research has unearthed multiple novel attacks that break Bluetooth Classic's forward secrecy and future secrecy guarantees, resulting in adversary-in-the-middle (AitM) scenarios between two already connected peers. The issues, collectively named BLUFFS, impact Bluetooth Core Specification 4.2 through 5.4. They are tracked under the identifier CVE-2023-24023 (CVSS score: 6.8) and were responsibly disclosed in October 2022. The attacks "enable device impersonation and machine-in-the-middle across sessions by only compromising one session key," EURECOM researcher Daniele Antonioli said in a study published late last month. This is made possible by leveraging two new flaws in the Bluetooth standard's session key derivation mechanism that allow the derivation of the same key across sessions. While forward secrecy in key-agreement cryptographic protocols ensures that past communications are not revealed, even if the private keys to a particular exchange are reThe Hacker News
December 4, 2023 – Attack
BlackCat Ransomware Strikes Ho Chi Minh City Power Corporation Full Text
Abstract
The ongoing attack spree by the BlackCat ransomware group extends beyond Vietnam Electricity, with social media platforms like Roblox and Twitch potentially being targeted next.Cyware
December 04, 2023 – General
Make a Fresh Start for 2024: Clean Out Your User Inventory to Reduce SaaS Risk Full Text
Abstract
As work ebbs with the typical end-of-year slowdown, now is a good time to review user roles and privileges and remove anyone who shouldn't have access as well as trim unnecessary permissions. In addition to saving some unnecessary license fees, a clean user inventory significantly enhances the security of your SaaS applications. From reducing risk to protecting against data leakage, here is how you can start the new year with a clean user list. How Offboarded Users Still Have Access to Your Apps When employees leave a company, they trigger a series of changes to backend systems in their wake. First, they are removed from the company's identity provider (IdP), which kicks off an automated workflow that deactivates their email and removes access to all internal systems. When enterprises use an SSO (single sign-on), these former employees lose access to any online properties – including SaaS applications – that require SSO for login. However, that doesn't mean that former employeeThe Hacker News
December 4, 2023 – Breach
More Than 1,500 Hugging Face API Tokens Exposed, Major Projects Vulnerable Full Text
Abstract
The exposed API tokens had write permissions, allowing attackers to modify files in account repositories and potentially manipulate existing models, posing a significant threat to organizations and their applications.Cyware
December 04, 2023 – Botnet
New P2PInfect Botnet MIPS Variant Targeting Routers and IoT Devices Full Text
Abstract
Cybersecurity researchers have discovered a new variant of an emerging botnet called P2PInfect that's capable of targeting routers and IoT devices. The latest version, per Cado Security Labs, is compiled for Microprocessor without Interlocked Pipelined Stages (MIPS) architecture, broadening its capabilities and reach. "It's highly likely that by targeting MIPS, the P2PInfect developers intend to infect routers and IoT devices with the malware," security researcher Matt Muir said in a report shared with The Hacker News. P2PInfect, a Rust-based malware, was first disclosed back in July 2023, targeting unpatched Redis instances by exploiting a critical Lua sandbox escape vulnerability (CVE-2022-0543, CVSS score: 10.0) for initial access. A subsequent analysis from the cloud security firm in September revealed a surge in P2PInfect activity, coinciding with the release of iterative variants of the malware. The new artifacts, besides attempting to conduThe Hacker News
December 4, 2023 – Breach
DePauw University Warns of Data Breach as Ransomware Attacks on Colleges Surge Full Text
Abstract
The attack on DePauw University was conducted by the Black Suit ransomware gang, highlighting the increasing trend of ransomware attacks targeting educational institutions.Cyware
December 04, 2023 – Vulnerabilities
LogoFAIL: UEFI Vulnerabilities Expose Devices to Stealth Malware Attacks Full Text
Abstract
The Unified Extensible Firmware Interface (UEFI) code from various independent firmware/BIOS vendors (IBVs) has been found vulnerable to potential attacks through high-impact flaws in image parsing libraries embedded into the firmware. The shortcomings, collectively labeled LogoFAIL by Binarly, "can be used by threat actors to deliver a malicious payload and bypass Secure Boot, Intel Boot Guard, and other security technologies by design." Furthermore, they can be weaponized to bypass security solutions and deliver persistent malware to compromised systems during the boot phase by injecting a malicious logo image file into the EFI system partition. While the issues are not silicon-specific, meaning they impact both x86 and ARM-based devices, they are also UEFI and IBV-specific. The vulnerabilities comprise a heap-based buffer overflow flaw and an out-of-bounds read, details of which are expected to be made public later this week at the Black Hat Europe conference.The Hacker News
December 4, 2023 – Malware
New Variant of P2PInfect Targets MIPS Devices Including Routers and IoT Devices Full Text
Abstract
The new variant includes updated evasion techniques, such as Virtual Machine detection, debugger detection, and anti-forensics measures on Linux hosts, making it more difficult for researchers to analyze.Cyware
December 04, 2023 – Phishing
Microsoft Warns of Malvertising Scheme Spreading CACTUS Ransomware Full Text
Abstract
Microsoft has warned of a new wave of CACTUS ransomware attacks that leverage malvertising lures to deploy DanaBot as an initial access vector. The DanaBot infections led to "hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of CACTUS ransomware," the Microsoft Threat Intelligence team said in a series of posts on X (formerly Twitter). DanaBot , tracked by the tech giant as Storm-1044, is a multi-functional tool along the lines of Emotet, TrickBot, QakBot, and IcedID that's capable of acting as a stealer and a point of entry for next-stage payloads. UNC2198, for its part, has been previously observed infecting endpoints with IcedID to deploy ransomware families such as Maze and Egregor, as detailed by Google-owned Mandiant in February 2021. Per Microsoft, the threat actor has also taken advantage of initial access provided by QakBot infections. The shift to DanaBot, therefore, is likely the resuThe Hacker News
December 4, 2023 – Breach
Astrology Website WeMystic Exposes Over 13 Million User Records Full Text
Abstract
The astrology and spiritual content platform WeMystic exposed the sensitive data of its users, including names, email addresses, and dates of birth, due to an open and passwordless MongoDB database.Cyware
December 4, 2023 – Education
Bridging the Gap Between Cloud vs On-Premise Security Full Text
Abstract
It is crucial to maintain unified visibility, control, and management across both cloud-based and on-premise security measures to bridge the gap and create a comprehensive and future-proof security stack.Cyware
December 4, 2023 – Attack
Update: New Relic Admits Attack on Staging Systems, User Accounts Full Text
Abstract
Web tracking and analytics company New Relic has disclosed a cyberattack on its staging systems, which were compromised in mid-November by an unauthorized actor using stolen credentials and social engineering.Cyware
December 2, 2023 – Outage
60 US Credit Unions Offline After Cloud Ransomware Infection Full Text
Abstract
The affected IT provider, Ongoing Operations, was infiltrated through the Citrix Bleed vulnerability, emphasizing the importance of robust cybersecurity measures and patching vulnerabilities promptly.Cyware
December 02, 2023 – Attack
Agent Racoon Backdoor Targets Organizations in Middle East, Africa, and U.S. Full Text
Abstract
Organizations in the Middle East, Africa, and the U.S. have been targeted by an unknown threat actor to distribute a new backdoor called Agent Racoon. "This malware family is written using the .NET framework and leverages the domain name service (DNS) protocol to create a covert channel and provide different backdoor functionalities," Palo Alto Networks Unit 42 researcher Chema Garcia said in a Friday analysis. Targets of the attacks span various sectors such as education, real estate, retail, non-profits, telecom, and governments. The activity has not been attributed to a known threat actor, although it's assessed to be nation-state aligned owing to the victimology pattern and the detection and defense evasion techniques used. The cybersecurity firm is tracking the cluster under the moniker CL-STA-0002. It's currently not clear how these organizations were breached, or when the attacks took place. Some of the other tools deployed by the adversary includeThe Hacker News
December 2, 2023 – Ransomware
Expert Warns of Turtle macOS Ransomware Full Text
Abstract
While the Turtle ransomware may not pose a significant risk to macOS users currently, its existence highlights the ongoing efforts by ransomware authors to target Apple devices.Cyware
December 02, 2023 – Policy and Law
Russian Hacker Vladimir Dunaev Convicted for Creating TrickBot Malware Full Text
Abstract
A Russian national has been found guilty in connection with his role in developing and deploying a malware known as TrickBot, the U.S. Department of Justice (DoJ) announced. Vladimir Dunaev, 40, was arrested in South Korea in September 2021 and extradited to the U.S. a month later. "Dunaev developed browser modifications and malicious tools that aided in credential harvesting and data mining from infected computers, facilitated and enhanced the remote access used by TrickBot actors, and created a program code to prevent the TrickBot malware from being detected by legitimate security software," the DoJ said . "During Dunaev's participation in the scheme, 10 victims in the Northern District of Ohio, including Avon schools and a North Canton real-estate company, were defrauded of more than $3.4 million via ransomware deployed by TrickBot." Dunaev, who pleaded guilty to committing computer fraud and identity theft and conspiracy to commit wire fraud and banThe Hacker News
December 2, 2023 – Breach
Surgical Practice Notifying 437,400 Patients of Data Theft Full Text
Abstract
Proliance Surgeons, a large Seattle-based surgical group, suffered a ransomware attack and data theft, potentially compromising the personal information of nearly 437,400 individuals.Cyware
December 2, 2023 – Breach
Update: 23andMe Says Hackers Accessed ‘Significant Number’ of Files About Users’ Ancestry Full Text
Abstract
Genetic testing company 23andMe experienced a data breach, with hackers accessing around 14,000 customer accounts and potentially compromising the personal information of other users connected to those accounts.Cyware
December 01, 2023 – Malware
New FjordPhantom Android Malware Targets Banking Apps in Southeast Asia Full Text
Abstract
Cybersecurity researchers have disclosed a new sophisticated Android malware called FjordPhantom that has been observed targeting users in Southeast Asian countries like Indonesia, Thailand, and Vietnam since early September 2023. "Spreading primarily through messaging services, it combines app-based malware with social engineering to defraud banking customers," Oslo-based mobile app security firm Promon said in an analysis published Thursday. Propagated mainly via email, SMS, and messaging apps, attack chains trick recipients into downloading a purported banking app that comes fitted with legitimate features but also incorporates rogue components. Victims are then subjected to a social engineering technique akin to telephone-oriented attack delivery ( TOAD ), which involves calling a bogus call center to receive step-by-step instructions for running the app. A key characteristic of the malware that sets it apart from other banking trojans of its kind is the use ofThe Hacker News
December 01, 2023 – Education
Qakbot Takedown Aftermath: Mitigations and Protecting Against Future Threats Full Text
Abstract
The U.S. Department of Justice (DOJ) and the FBI recently collaborated in a multinational operation to dismantle the notorious Qakbot malware and botnet. While the operation was successful in disrupting this long-running threat, concerns have arisen as it appears that Qakbot may still pose a danger in a reduced form. This article discusses the aftermath of the takedown, provides mitigation strategies, and offers guidance on determining past infections.
The Takedown and Its Limitations
During the takedown operation, law enforcement secured court orders to remove Qakbot malware from infected devices remotely. It was discovered that the malware had infected a substantial number of devices, with 700,000 machines globally, including 200,000 computers in the U.S., being compromised at the time of the takedown. However, recent reports suggest that Qakbot is still active but in a diminished state. The absence of arrests during the takedown operation indicates that only the command-and-contThe Hacker News
December 1, 2023 – Attack
XDSpy Hackers Attack Military-Industrial Companies in Russia Full Text
Abstract
XDSpy has a history of targeting Russia's government, military, financial institutions, as well as energy, research, and mining companies, demonstrating a focus on strategic organizations in Eastern Europe.Cyware
December 01, 2023 – Attack
Chinese Hackers Using SugarGh0st RAT to Target South Korea and Uzbekistan Full Text
Abstract
A suspected Chinese-speaking threat actor has been attributed to a malicious campaign that targets the Uzbekistan Ministry of Foreign Affairs and South Korean users with a remote access trojan called SugarGh0st RAT . The activity, which commenced no later than August 2023, leverages two different infection sequences to deliver the malware, which is a customized variant of Gh0st RAT (aka Farfli). It comes with features to "facilitate the remote administration tasks as directed by the C2 and modified communication protocol based on the similarity of the command structure and the strings used in the code," Cisco Talos researchers Ashley Shen and Chetan Raghuprasad said . The attacks commence with a phishing email bearing decoy documents, opening which activates a multi-stage process that leads to the deployment of SugarGh0st RAT. The decoy documents are incorporated within a heavily obfuscated JavaScript dropper that's contained within a Windows Shortcut file embedThe Hacker News
December 1, 2023 – Vulnerabilities
Simple Hacking Technique can Extract ChatGPT Training Data Full Text
Abstract
Researchers from Google DeepMind, Cornell University, and other institutions have discovered that the popular AI chatbot ChatGPT is susceptible to leaking data when prompted to repeat certain words.Cyware
December 01, 2023 – Denial Of Service
Discover How Gcore Thwarted Powerful 1.1Tbps and 1.6Tbps DDoS Attacks Full Text
Abstract
The most recent Gcore Radar report and its aftermath have highlighted a dramatic increase in DDoS attacks across multiple industries. At the beginning of 2023, the average strength of attacks reached 800 Gbps , but now, even a peak as high as 1.5+ Tbps is unsurprising. To try to break through Gcore's defenses, perpetrators made two attempts with two different strategies. Read on to discover what happened and learn how the security provider stopped the attackers in their tracks without affecting end users' experiences.
Powerful DDoS Attacks
In November 2023, one of Gcore's customers from the gaming industry was targeted by two massive DDoS attacks, peaking at 1.1 and 1.6 Tbps respectively. The attackers deployed various techniques in an unsuccessful attempt to compromise Gcore's protective mechanisms.
Attack #1: 1.1 Tbps UDP-based DDoS
In the first cyber assault, the attackers sent a barrage of UDP traffic to a target server, peaking at 1.1 Tbps. Two methods were employed:The Hacker News
December 1, 2023 – Business
BlueVoyant Raises $140M, Buys Resilience Firm Conquest Cyber Full Text
Abstract
The integration of BlueVoyant and Conquest Cyber will provide customers with more self-service capabilities and autonomous operations through the use of AI, machine learning, and virtual data lakes.Cyware
December 1, 2023 – Attack
Hackers Use new Tool Set in Targeted Attacks Against Middle East, Africa and the US Full Text
Abstract
A new set of tools, including a backdoor, a credential-stealing module, and a customized version of Mimikatz, has been used in targeted attacks against organizations in the Middle East, Africa, and the U.S.Cyware
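The Agent Racoon item above and this last item describe the same Unit 42 tool set, whose backdoor uses DNS as a covert channel. Neither item says what that traffic looks like on the wire, so the following is an added example, not code from the page or from Unit 42: a small detector that reads resolver query-log lines and flags a client that sends many unique, long, high-entropy subdomains (typically TXT or NULL queries) under one registered domain, which is the generic shape of DNS tunneling. The log format ("timestamp client qname qtype"), the domain names, the label strings and the thresholds are all constructed assumptions for illustration and are not indicators from the actual campaign.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver query log in a hypothetical
# "<timestamp> <client> <qname> <qtype>" format. The tunnel-c2.example.net
# domain and its base32-looking labels are invented, not real IOCs.
SAMPLE_LOG = """\
2023-12-01T10:00:01Z 10.0.0.5 www.example.com A
2023-12-01T10:00:02Z 10.0.0.5 mail.example.com MX
2023-12-01T10:00:03Z 10.0.0.5 cdn-assets-prod.example.com A
2023-12-01T10:00:04Z 10.0.0.9 www.example.com A
2023-12-01T10:00:05Z 10.0.0.7 mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpjw.u1.tunnel-c2.example.net TXT
2023-12-01T10:00:06Z 10.0.0.7 nbswy3dpeb3w64tmmqqhg2lhnzqwy4tf5a3a.u2.tunnel-c2.example.net TXT
2023-12-01T10:00:07Z 10.0.0.7 onqw2zlqnfxgk3tuo5zsa5dimfxgcy3lfzyg6zlt.u3.tunnel-c2.example.net TXT
2023-12-01T10:00:08Z 10.0.0.7 krugkidrovuwg2zamjzgs3dpebxhg.u4.tunnel-c2.example.net TXT
"""

# Record types that carry arbitrary payloads and are common in tunnels.
TUNNEL_QTYPES = {"TXT", "NULL"}


def shannon_entropy(s):
    """Bits per character of s; random base32/base64 data scores well above plain words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def base_domain(qname):
    """Crude registered-domain guess: last two labels (no public-suffix list, an assumption)."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "qtype": qtype.upper()}


def query_reasons(q, max_label=30, min_entropy=3.4):
    """Per-query heuristics on the labels to the left of the base domain."""
    sub = q["qname"].split(".")[:-2]
    reasons = set()
    if any(len(label) >= max_label for label in sub):
        reasons.add("long-label")
    payload = "".join(sub)
    if len(payload) >= 16 and shannon_entropy(payload) >= min_entropy:
        reasons.add("high-entropy")
    if q["qtype"] in TUNNEL_QTYPES:
        reasons.add("tunnel-qtype")
    return reasons


def detect_covert_dns(log_text, min_unique=3):
    """Group queries by (client, base domain) and flag groups that look like a tunnel.

    A group is suspicious only when the client asked for several distinct
    subdomains AND at least one of them looked like encoded data; many short,
    readable hostnames under one domain (www, mail, cdn) stay clean.
    """
    groups = defaultdict(lambda: {"queries": 0, "subdomains": set(), "reasons": set()})
    for line in log_text.splitlines():
        q = parse_line(line)
        if q is None:
            continue
        g = groups[(q["client"], base_domain(q["qname"]))]
        g["queries"] += 1
        g["subdomains"].add(q["qname"])
        g["reasons"] |= query_reasons(q)

    findings = {}
    for key, g in groups.items():
        encoded = {"long-label", "high-entropy"} & g["reasons"]
        findings[key] = {
            "queries": g["queries"],
            "unique_subdomains": len(g["subdomains"]),
            "reasons": sorted(g["reasons"]),
            "suspicious": len(g["subdomains"]) >= min_unique and bool(encoded),
        }
    return findings


if __name__ == "__main__":
    for (client, dom), f in detect_covert_dns(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{client:10} {dom:16} {flag:10} q={f['queries']} uniq={f['unique_subdomains']} {f['reasons']}")
```

The per-query heuristics alone are noisy (CDNs and anti-spam services also emit long machine-generated labels), so the verdict is taken per client-and-domain group: volume of distinct subdomains is what distinguishes a channel from a one-off lookup. Tune `max_label`, `min_entropy` and `min_unique` against a baseline of your own resolver logs before alerting on them.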