July, 2023
July 31, 2023 – Government
White House Unveils National Cyber Workforce Strategy Full Text
Abstract
"Cyber education and workforce development have not kept pace with demand and the rapid pace of technological change," says the strategy document. "Moreover, skills in demand in the cyber workforce are evolving."Cyware
July 31, 2023 – Malware
New P2PInfect Worm Targets Redis Servers with Undocumented Breach Methods Full Text
Abstract
The P2PInfect peer-to-peer (P2) worm has been observed employing previously undocumented initial access methods to breach susceptible Redis servers and rope them into a botnet. "The malware compromises exposed instances of the Redis data store by exploiting the replication feature," Cado Security researchers Nate Bill and Matt Muir said in a report shared with The Hacker News. "A common attack pattern against Redis in cloud environments is to exploit this feature using a malicious instance to enable replication. This is achieved via connecting to an exposed Redis instance and issuing the SLAVEOF command." The Rust-based malware was first documented by Palo Alto Networks Unit 42, calling out the malware's ability to exploit a critical Lua sandbox escape vulnerability ( CVE-2022-0543 , CVSS score: 10.0) to obtain a foothold into Redis instances. The campaign is believed to have commenced on or after June 29, 2023. However, the latest discovery suggests thThe Hacker News
July 31, 2023 – Malware
Experts discovered a previously undocumented initial access vector used by P2PInfect worm Full Text
Abstract
Cado Security observed a new variant of the P2PInfect worm targets Redis servers with a previously undocumented initial access vector. In July, Palo Alto Networks Unit 42 researchers discovered a new peer-to-peer (P2P) worm called P2PInfect that...Security Affairs
July 31, 2023 – General
Blocking Access to ChatGPT is a Short Term Solution to Mitigate Risk Full Text
Abstract
For every 10,000 enterprise users, an enterprise organization is experiencing approximately 183 incidents of sensitive data being posted to ChatGPT per month, according to Netskope.Cyware
July 31, 2023 – Attack
Patchwork Hackers Target Chinese Research Organizations Using EyeShell Backdoor Full Text
Abstract
Threat actors associated with the hacking crew known as Patchwork have been spotted targeting universities and research organizations in China as part of a recently observed campaign. The activity, according to KnownSec 404 Team , entailed the use of a backdoor codenamed EyeShell . Patchwork , also known by the names Operation Hangover and Zinc Emerson, is suspected to be a threat group that operates on behalf of India. Active since at least December 2015, attack chains mounted by the outfit have a narrow focus and tend to single out Pakistan and China with custom implants such as BADNEWS via spear-phishing and watering hole attacks. The adversarial collective has been found to share tactical overlaps with other cyber-espionage groups with an Indian connection, including SideWinder and the DoNot Team . Earlier this May, Meta disclosed that it took down 50 accounts on Facebook and Instagram operated by Patchwork, which took advantage of rogue messaging apps uploaded to theThe Hacker News
July 31, 2023 – Botnet
Experts link AVRecon bot to the malware proxy service SocksEscort Full Text
Abstract
The AVRecon botnet relies on compromised small office/home office (SOHO) routers since at least May 2021. In early July, researchers from Lumen Black Lotus Labs discovered the AVRecon botnet that targets small office/home office (SOHO) routers and infected...Security Affairs
July 31, 2023 – Solution
Ztna can be More Than a VPN Replacement for Application Access Full Text
Abstract
Zero Trust Network Access (ZTNA) should leverage contextual information, implement continuous authentication mechanisms, and be application-aware to make access decisions and reduce the risk of unauthorized access.Cyware
July 31, 2023 – Education
Webinar: Riding the vCISO Wave: How to Provide vCISO Services Full Text
Abstract
Demand for Virtual CISO services is soaring. According to Gartner, the use of vCISO services among small and mid-size businesses and non-regulated enterprises was expected to grow by a whopping 1900% in just one year, from only 1% in 2021 to 20% in 2022! Offering vCISO services can be especially attractive for MSPs and MSSPs. By addressing their customers' needs for proactive cyber resilience, they can generate a growing amount of recurring revenue from existing and new customers. And all while differentiating themselves from the competition. vCISO services also enable upselling of additional products and services the MSP or MSSP specializes in. However, not all MSPs and MSSPs fully understand how to provide vCISO services . Some may be unsure about which services are expected from them. Others may not realize they are already providing vCISO services and have the potential to effortlessly broaden their offerings into a complete vCISO suite or package it differently to make it moreThe Hacker News
July 31, 2023 – Vulnerabilities
Three flaws in Ninja Forms plugin for WordPress impact 900K sites Full Text
Abstract
Experts warn of vulnerabilities impacting the Ninja Forms plugin for WordPress that could be exploited for escalating privileges and data theft. The Ninja Forms plugin for WordPress is affected by multiple vulnerabilities (tracked as CVE-2023-37979,...Security Affairs
July 31, 2023 – Breach
School Accreditation Organization Exposed Sensitive Information on Students, Parents, and Teachers Online Full Text
Abstract
An unprotected database belonging to the Southern Association of Independent Schools (SAIS) was found exposing sensitive data on students, parents, and teachers, including health records, social security numbers, and confidential security reports.Cyware
July 31, 2023 – Botnet
AVRecon Botnet Leveraging Compromised Routers to Fuel Illegal Proxy Service Full Text
Abstract
More details have emerged about a botnet called AVRecon , which has been observed making use of compromised small office/home office (SOHO) routers as part of a multi-year campaign active since at least May 2021. AVRecon was first disclosed by Lumen Black Lotus Labs earlier this month as malware capable of executing additional commands and stealing victim's bandwidth for what appears to be an illegal proxy service made available for other actors. It has also surpassed QakBot in terms of scale, having infiltrated over 41,000 nodes located across 20 countries worldwide. "The malware has been used to create residential proxy services to shroud malicious activity such as password spraying, web-traffic proxying, and ad fraud," the researchers said in the report. This has been corroborated by new findings from KrebsOnSecurity and Spur.us, which last week revealed that "AVrecon is the malware engine behind a 12-year-old service called SocksEscort, which rents hackeThe Hacker News
July 31, 2023 – Vulnerabilities
Experts warn attackers started exploiting Citrix ShareFile RCE flaw CVE-2023-24489 Full Text
Abstract
Researchers warn that threat actors started exploiting Citrix ShareFile RCE vulnerability CVE-2023-24489 in the wild. Citrix ShareFile is a widely used cloud-based file-sharing application, which is affected by the critical remote code execution (RCE)...Security Affairs
July 31, 2023 – Policy and Law
New Jersey Supreme Court to Hear Merck Insurance Dispute Over NotPetya Attack Full Text
Abstract
The New Jersey Supreme Court agreed to review the legal fight between Merck and several of the world’s top insurance providers involving $1.4 billion in claims stemming from the 2017 NotPetya cyberattack.Cyware
July 31, 2023 – Malware
Fruity Trojan Uses Deceptive Software Installers to Spread Remcos RAT Full Text
Abstract
Threat actors are creating fake websites hosting trojanized software installers to trick unsuspecting users into downloading a downloader malware called Fruity with the goal of installing remote trojans tools like Remcos RAT. "Among the software in question are various instruments for fine-tuning CPUs, graphic cards, and BIOS; PC hardware-monitoring tools; and some other apps," cybersecurity vendor Doctor Web said in an analysis. "Such installers are used as a decoy and contain not only the software potential victims are interested in, but also the trojan itself with all its components." The exact initial access vector used in the campaign is unclear but it could potentially range from phishing to drive-by downloads to malicious ads. Users who land on the fake site are prompted to download a ZIP installer package. The installer, besides activating the standard installation process, stealthily drops the Fruity trojan, a Python-based malware that unpacks an MPThe Hacker News
July 31, 2023 – Ransomware
VMware ESXi Servers Face New Threat from Abyss Locker Full Text
Abstract
MalwareHunterTeam reported a new variant of the Abyss Locker ransomware designed to target Linux-based VMware ESXi servers. It employs SSH brute force attacks to gain unauthorized access to servers. The ransomware has claimed data theft ranging from 35GB to 700GB. Researchers also suspect a connect ... Read MoreCyware
July 31, 2023 – Vulnerabilities
Multiple Flaws Found in Ninja Forms Plugin Leave 800,000 Sites Vulnerable Full Text
Abstract
Multiple security vulnerabilities have been disclosed in the Ninja Forms plugin for WordPress that could be exploited by threat actors to escalate privileges and steal sensitive data. The flaws, tracked as CVE-2023-37979, CVE-2023-38386, and CVE-2023-38393, impact versions 3.6.25 and below, Patchstack said in a report last week. Ninja Forms is installed on over 800,000 sites. A brief description of each of the vulnerabilities is below - CVE-2023-37979 (CVSS score: 7.1) - A POST-based reflected cross-site scripting (XSS) flaw that could allow any unauthenticated user to achieve privilege escalation on a target WordPress site by tricking privileged users to visit a specially crafted website. CVE-2023-38386 and CVE-2023-38393 - Broken access control flaws in the form submissions export feature that could enable a bad actor with Subscriber and Contributor roles to export all Ninja Forms submissions on a WordPress site. Users of the plugin are recommended to update to versionThe Hacker News
July 30, 2023 – General
In 2022, more than 40% of zero-day exploits used in the wild were variations of previous issues Full Text
Abstract
Google’s Threat Analysis Group Google states that more than 40% of zero-day flaws discovered in 2022 were variants of previous issues. The popular Threat Analysis Group (TAG) Maddie Stone wrote Google’s fourth annual year-in-review of zero-day...Security Affairs
July 30, 2023 – Vulnerabilities
New flaw in Ivanti Endpoint Manager Mobile actively exploited in the wild Full Text
Abstract
Software firm Ivanti disclosed another security vulnerability impacting Endpoint Manager Mobile (EPMM), that it said actively exploited. Ivanti disclosed a new security vulnerability impacting Endpoint Manager Mobile (EPMM), tracked as CVE-2023-35081 (CVSS...Security Affairs
July 30, 2023 – General
Security Affairs newsletter Round 430 by Pierluigi Paganini – International edition Full Text
Abstract
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Now...Security Affairs
July 29, 2023 – Vulnerabilities
Exploitation of Recent Citrix ShareFile RCE Vulnerability Begins Full Text
Abstract
The vulnerability, tracked as CVE-2023-24489 (CVSS score of 9.1), was the result of errors leading to unauthenticated file upload, which could then be exploited to obtain RCE, says security firm Assetnote, which identified and reported the bug.Cyware
July 29, 2023 – Malware
New Android Malware CherryBlos Utilizing OCR to Steal Sensitive Data Full Text
Abstract
A new Android malware strain called CherryBlos has been observed making use of optical character recognition (OCR) techniques to gather sensitive data stored in pictures. CherryBlos, per Trend Micro , is distributed via bogus posts on social media platforms and comes with capabilities to steal cryptocurrency wallet-related credentials and act as a clipper to substitute wallet addresses when a victim copies a string matching a predefined format is copied to the clipboard. Once installed, the apps seek users' permissions to grant it accessibility permissions, which allows it to automatically grant itself additional permissions as required. As a defense evasion measure, users attempting to kill or uninstall the app by entering the Settings app are redirected back to the home screen. Besides displaying fake overlays on top of legitimate crypto wallet apps to steal credentials and make fraudulent fund transfers to an attacker-controlled address, CherryBlos utilizes OCR to recogThe Hacker News
July 29, 2023 – Malware
Update: More Malicious NPM Packages Found in Wake of Jumpcloud Supply Chain Hack Full Text
Abstract
An investigation by ReversingLabs researchers has uncovered evidence of more malicious npm packages, with links to the same infrastructure that also appear to target cryptocurrency providers.Cyware
July 29, 2023 – Solution
RFP Template for Browser Security Full Text
Abstract
Increasing cyber threats and attacks have made protecting organizational data a paramount concern for businesses of all sizes. A group of experts have recognized the pressing need for comprehensive browser security solutions and collaborated to develop "The Definitive Browser Security RFP Template . " This resource helps streamline the process of evaluating and procuring browser security platforms. It provides organizations with a standardized approach to enhance their security posture by protecting the key employee workspace - the browser. The Importance of a Standardized RFP Template The RFP (Request for Proposal) template offers numerous advantages for organizations seeking robust browser security solutions. By promoting standardization, the RFP template ensures a consistent structure and format for proposals, saving time and effort for both the procurement team and vendors. Moreover, it facilitates clear and specific instructions to vendors, resulting in higher-qualitThe Hacker News
July 29, 2023 – Breach
CoinsPaid Blames North Korea-Linked APT Lazarus for Theft of $37M Worth of Cryptocurrency Full Text
Abstract
“On July 22nd, CoinsPaid experienced a hacker attack, resulting in the theft of USD 37.3M,” reads the announcement published by the company. “We believe Lazarus expected the attack on CoinsPaid to be much more successful.”Cyware
July 29, 2023 – Solution
Apple Sets New Rules for Developers to Prevent Fingerprinting and Data Misuse Full Text
Abstract
Apple has announced plans to require developers to submit reasons to use certain APIs in their apps starting later this year with the release of iOS 17, iPadOS 17, macOS Sonoma, tvOS 17, and watchOS 10 to prevent their abuse for data collection. "This will help ensure that apps only use these APIs for their intended purpose," the company said in a statement. "As part of this process, you'll need to select one or more approved reasons that accurately reflect how your app uses the API, and your app can only use the API for the reasons you've selected." The APIs that require reasons for use relate to the following - File timestamp APIs System boot time APIs Disk space APIs Active keyboard APIs, and User defaults APIs The iPhone maker said it's making the move to ensure that such APIs are not abused by app developers to collect device signals to carry out fingerprinting , which could be employed to uniquely identify users across different aThe Hacker News
July 29, 2023 – Business
Coro Buys Privatise to Infuse SASE With Network Connectivity Full Text
Abstract
The New York-based company said its acquisition of Jerusalem-based Privatise will provide Coro clients with a secure way to connect, manage and filter out malicious content, according to co-founder Dror Liwer.Cyware
July 29, 2023 – Government
Hackers Deploy “SUBMARINE” Backdoor in Barracuda Email Security Gateway Attacks Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday disclosed details of a "novel persistent backdoor" called SUBMARINE deployed by threat actors in connection with the hack on Barracuda Email Security Gateway (ESG) appliances. "SUBMARINE comprises multiple artifacts — including a SQL trigger, shell scripts, and a loaded library for a Linux daemon — that together enable execution with root privileges, persistence, command and control, and cleanup," the agency said . The findings come from an analysis of malware samples obtained from an unnamed organization that had been compromised by threat actors exploiting a critical flaw in ESG devices, CVE-2023-2868 (CVSS score: 9.8), which allows for remote command injection. Evidence gathered so far shows that the attackers behind the activity, a suspected China nexus-actor tracked by Mandiant as UNC4841 , leveraged the flaw as a zero-day in October 2022 to gain initial access to victim envirThe Hacker News
July 29, 2023 – Government
CISA warns about SUBMARINE Backdoor employed in Barracuda ESG attacks Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns of threat actors deploying the SUBMARINE Backdoor in Barracuda ESG attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an alert on a malware variant,...Security Affairs
July 29, 2023 – Vulnerabilities
Weintek Weincloud Vulnerabilities Allowed Manipulation, Damaging of ICS Devices Full Text
Abstract
Several vulnerabilities discovered by a researcher from industrial cybersecurity firm TXOne Networks in a Weintek product could have been exploited to manipulate and damage industrial control systems (ICS).Cyware
July 29, 2023 – Vulnerabilities
Ivanti Warns of Another Endpoint Manager Mobile Vulnerability Under Active Attack Full Text
Abstract
Ivanti has disclosed yet another security flaw impacting Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, that it said has been weaponized as part of an exploit chain by malicious actors in the wild. The new vulnerability, tracked as CVE-2023-35081 (CVSS score: 7.8), impacts supported versions 11.10, 11.9, and 11.8, as well as those that are currently end-of-life (EoL). "CVE-2023-35081 enables an authenticated administrator to perform arbitrary file writes to the EPMM server," the company said in an advisory. "This vulnerability can be used in conjunction with CVE-2023-35078 , bypassing administrator authentication and ACLs restrictions (if applicable)." A successful exploit could allow a threat actor to write arbitrary files on the appliance, thereby enabling the malicious party to execute OS commands on the appliance as the tomcat user. "As of now we are only aware of the same limited number of customers impacted by CVE-2023-35078The Hacker News
July 29, 2023 – Malware
Now Abyss Locker also targets VMware ESXi servers Full Text
Abstract
A Linux variant of the Abyss Locker designed to target VMware ESXi servers appeared in the threat landscape, experts warn. The operators behind the Abyss Locker developed a Linux variant that targets VMware ESXi servers expanding their potential targets. VMware...Security Affairs
July 28, 2023 – Government
DOD, OMB expect September release of proposed CMMC rule Full Text
Abstract
The rule has been delayed several times as the DOD revamp its approach, including changing to the longer proposed rule-making process. Originally, the expectation was that CMMC would come out as an interim final rule to be finalized in 60 days.Cyware
July 28, 2023 – Malware
IcedID Malware Adapts and Expands Threat with Updated BackConnect Module Full Text
Abstract
The threat actors linked to the malware loader known as IcedID have made updates to the BackConnect (BC) module that's used for post-compromise activity on hacked systems, new findings from Team Cymru reveal. IcedID, also called BokBot , is a strain of malware similar to Emotet and QakBot that started off as a banking trojan in 2017, before switching to the role of an initial access facilitator for other payloads. Recent versions of the malware have been observed removing functionality related to online banking fraud to prioritize ransomware delivery. The BackConnect (BC) module, first documented by Netresec in October 2022, relies on a proprietary command-and-control (C2) protocol to exchange commands between a server and the infected host. The protocol, which comes with a VNC component for remote access, has also been identified in other malware such as the now-discontinued BazarLoader and QakBot. In December 2022, Team Cymru reported the discovery of 11 BC C2s aThe Hacker News
July 28, 2023 – APT
Russian APT BlueBravo targets diplomatic entities with GraphicalProton backdoor Full Text
Abstract
Russia-linked BlueBravo has been spotted targeting diplomatic entities in Eastern Europe with the GraphicalProton Backdoor. The Russia-linked threat-state actor BlueBravo (aka APT29, Cloaked Ursa, and Midnight Blizzard, Nobelium) has been observed...Security Affairs
July 28, 2023 – Vulnerabilities
Innovative Attack Methodology Leverages the “search-ms” URI Protocol Handler Full Text
Abstract
A legitimate Windows search feature could be exploited by malicious actors to download arbitrary payloads from remote servers and compromise targeted systems with remote access trojans such as AsyncRAT and Remcos RAT.Cyware
July 28, 2023 – Phishing
STARK#MULE Targets Koreans with U.S. Military-themed Document Lures Full Text
Abstract
An ongoing cyber attack campaign has set its sights on Korean-speaking individuals by employing U.S. Military-themed document lures to trick them into running malware on compromised systems. Cybersecurity firm Securonix is tracking the activity under the name STARK#MULE . "Based on the source and likely targets, these types of attacks are on par with past attacks stemming from typical North Korean groups such as APT37 as South Korea has historically been a primary target of the group, especially its government officials," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News. APT37, also known by the names Nickel Foxcroft, Reaper, Ricochet Chollima, and ScarCruft, is a North Korean nation-state actor that's known to exclusively focus on targets in its southern counterpart, specifically those involved in reporting on North Korea and supporting defectors. Attack chains mounted by the group have historically reliThe Hacker News
July 28, 2023 – Cryptocurrency
CoinsPaid blames North Korea-linked APT Lazarus for theft of $37M worth of cryptocurrency Full Text
Abstract
Crypto-payments service provider CoinsPaid suffered a cyber attack that resulted in the theft of $37,200,000 worth of cryptocurrency. CoinsPaid, a crypto-payment service provider, fell victim to a cyber attack, leading to the theft of $37,200,000...Security Affairs
July 28, 2023 – Phishing
Nitrogen Malvertising - Sneaky Malware in Search Ads Full Text
Abstract
A recently detected malvertising campaign, known as Nitrogen, has been discovered exploiting Google Search and Bing ads to target users searching for IT tools. The Nitrogen campaign predominantly focuses on technology and non-profit organizations in North America. It operates by posing as inst ... Read MoreCyware
July 28, 2023 – Education
A Data Exfiltration Attack Scenario: The Porsche Experience Full Text
Abstract
As part of Checkmarx's mission to help organizations develop and deploy secure software, the Security Research team started looking at the security posture of major car manufacturers. Porsche has a well-established Vulnerability Reporting Policy (Disclosure Policy) [1] , it was considered in scope for our research, so we decided to start there, and see what we could find. What we found is an attack scenario that results from chaining security issues found on different Porsche's assets, a website and a GraphQL API, that could lead to data exfiltration. Data exfiltration is an attack technique that can impact businesses and organizations, regardless of size. When malicious users breach a company's or organization's systems and exfiltrate data, it can be a jarring and business-critical moment. Porsche has a diverse online presence - deploying several microsites, websites, and web applications. The Porsche Experience [2] is one website that allows registered users toThe Hacker News
July 28, 2023 – Insider Threat
Monitor Insider Threats but Build Trust First Full Text
Abstract
The issue of how to prevent insider threats without infringing on employee privacy is one that has been a hot topic of debate in recent years. Because insider threats are uniquely challenging to detect and identify, different methods are needed than...Security Affairs
July 28, 2023 – Insider Threat
CISA to Establish Network of Regional Election Advisers for 2024 Full Text
Abstract
Announced by Director Jen Easterly on Tuesday, the 10 advisers will support election officials working in their respective areas in an effort to “build even stronger connective tissue between state and local election officials and … CISA.”Cyware
July 28, 2023 – Attack
Hackers Abusing Windows Search Feature to Install Remote Access Trojans Full Text
Abstract
A legitimate Windows search feature is being exploited by malicious actors to download arbitrary payloads from remote servers and compromise targeted systems with remote access trojans such as AsyncRAT and Remcos RAT. The novel attack technique, per Trellix, takes advantage of the " search-ms: " URI protocol handler, which offers the ability for applications and HTML links to launch custom local searches on a device, and the " search: " application protocol, a mechanism for calling the desktop search application on Windows. "Attackers are directing users to websites that exploit the 'search-ms' functionality using JavaScript hosted on the page," security researchers Mathanraj Thangaraju and Sijo Jacob said in a Thursday write-up. "This technique has even been extended to HTML attachments, expanding the attack surface." In such attacks, threat actors have been observed creating deceptive emails that embed hyperlinks or HTML attachmeThe Hacker News
July 28, 2023 – Malware
Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns Full Text
Abstract
The CherryBlos malware steals cryptocurrency wallet credentials and replaces withdrawal addresses, while the FakeTrade malware tricks users into downloading apps that promise increased income but prevent fund withdrawals.Cyware
July 28, 2023 – Attack
BlueBravo Deploys GraphicalProton Backdoor Against European Diplomatic Entities Full Text
Abstract
The Russian nation-state actor known as BlueBravo has been observed targeting diplomatic entities throughout Eastern Europe with the goal of delivering a new backdoor called GraphicalProton, exemplifying the continuous evolution of the threat. The phishing campaign is characterized by the use of legitimate internet services (LIS) for command-and-control (C2) obfuscation, Recorded Future said in a new report published Thursday. The activity was observed between March and May 2023. BlueBravo , also known by the names APT29, Cloaked Ursa, and Midnight Blizzard (formerly Nobelium), is attributed to Russia's Foreign Intelligence Service (SVR), and has in the past used Dropbox, Firebase, Google Drive, Notion, and Trello to evade detection and stealthily establish communications with infected hosts. To that end, GraphicalProton is the latest addition to a long list of malware targeting diplomatic organizations after GraphicalNeutrino (aka SNOWYAMBER), HALFRIG, and QUARTERRIG .The Hacker News
July 28, 2023 – Vulnerabilities
Major Security Flaw Discovered in Metabase BI Software – Urgent Update Required Full Text
Abstract
Users of Metabase, a popular business intelligence and data visualization software package, are being advised to update to the latest version following the discovery of an "extremely severe" flaw that could result in pre-authenticated remote code execution on affected installations. Tracked as CVE-2023-38646 , the issue impacts open-source editions prior to 0.46.6.1 and Metabase Enterprise versions before 1.46.6.1. "An unauthenticated attacker can run arbitrary commands with the same privileges as the Metabase server on the server you are running Metabase on," Metabase said in an advisory released last week. The issue has also been addressed in the following older versions - 0.45.4.1 and 1.45.4.1 0.44.7.1 and 1.44.7.1, and 0.43.7.2 and 1.43.7.2 While there is no evidence that the issue has been exploited in the wild, data gathered by the Shadowserver Foundation shows that 5,488 out of the total 6,936 Metabase instances are vulnerable as of July 26, 202The Hacker News
July 28, 2023 – Government
Cybersecurity Agencies Warn Against IDOR Bugs Exploited for Data Breaches Full Text
Abstract
Cybersecurity agencies in Australia and the U.S. have published a joint cybersecurity advisory warning against security flaws in web applications that could be exploited by malicious actors to orchestrate data breach incidents and steal confidential data. This includes a specific class of bugs called Insecure Direct Object Reference ( IDOR ), a type of access control flaw that occurs when an application utilizes user-supplied input or an identifier for direct access to an internal resource, such as a database record, without any additional validations. A typical example of an IDOR flaw is the ability of a user to trivially change the URL (e.g., https://example[.]site/details.php?id= 12345 ) to obtain unauthorized data of another transaction (i.e., https://example[.]site/details.php?id= 67890 ). "IDOR vulnerabilities are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website or a web appliThe Hacker News
July 27, 2023 – Policy and Law
GROUP-IB Co-Founder ILYA SACHKOV SENTENCED TO 14 YEARS IN A STRICT PRISON COLONY Full Text
Abstract
Ilya Sachkov, former CEO and co-founder of Group-IB was sentenced to 14 years in a high security prison colony according to the Moscow court announcement. As per the announcement from the Moscow court, Ilya Sachkov, the former CEO and co-founder of Group-IB,...Security Affairs
July 27, 2023 – Government
CISA Analysis Shows Most Cyberattacks on Governments, Critical Infrastructure Involve Valid Credentials Full Text
Abstract
More than half of all cyberattacks on government agencies, critical infrastructure organizations, and state-level government bodies involved the use of valid accounts, according to a new report from the CISA.Cyware
July 27, 2023 – Vulnerabilities
GameOver(lay): Two Severe Linux Vulnerabilities Impact 40% of Ubuntu Users Full Text
Abstract
Cybersecurity researchers have disclosed two high-severity security flaws in the Ubuntu kernel that could pave the way for local privilege escalation attacks. Cloud security firm Wiz, in a report shared with The Hacker News, said the easy-to-exploit shortcomings have the potential to impact 40% of Ubuntu users. "The impacted Ubuntu versions are prevalent in the cloud as they serve as the default operating systems for multiple [cloud service providers]," security researchers Sagi Tzadik and Shir Tamari said. The vulnerabilities – tracked as CVE-2023-32629 and 2023-2640 (CVSS scores: 7.8) and dubbed GameOver(lay) – are present in a module called OverlayFS and arise as a result of inadequate permissions checks in certain scenarios, enabling a local attacker to gain elevated privileges. Overlay Filesystem refers to a union mount file system that makes it possible to combine multiple directory trees or file systems into a single, unified filesystem. A brief descripThe Hacker News
July 27, 2023 – Vulnerabilities
Zimbra fixed actively exploited zero-day CVE-2023-38750 in ZCS Full Text
Abstract
Zimbra addressed a zero-day vulnerability exploited in attacks aimed at Zimbra Collaboration Suite (ZCS) email servers. Two weeks ago Zimbra urged customers to manually install updates to fix a zero-day vulnerability, now tracked as CVE-2023-38750,...Security Affairs
July 27, 2023 – Outage
CardioComm Takes Systems Offline Following Cyberattack Full Text
Abstract
The attack, the company says, impacted its production server environments and has an impact on its business operations. Visitors to the company’s website are informed that CardioComm services are currently offline.Cyware
July 27, 2023 – Phishing
New Malvertising Campaign Distributing Trojanized IT Tools via Google and Bing Search Ads Full Text
Abstract
A new malvertising campaign has been observed leveraging ads on Google Search and Bing to target users seeking IT tools like AnyDesk, Cisco AnyConnect VPN, and WinSCP, and trick them into downloading trojanized installers with an aim to breach enterprise networks and likely carry out future ransomware attacks. Dubbed Nitrogen , the "opportunistic" activity is designed to deploy second-stage attack tools such as Cobalt Strike, Sophos said in a Wednesday analysis. Nitrogen was first documented by eSentire in June 2023, detailing an infection chain that redirects users to compromised WordPress sites hosting malicious ISO image files that ultimately culminate in the delivery of Python scripts and Cobalt Strike Beacons onto the targeted system. Then earlier this month, Trend Micro uncovered a similar attack sequence in which a fraudulent WinSCP application functioned as a stepping stone for a BlackCat ransomware attack. "Throughout the infection chain, the threatThe Hacker News
July 27, 2023 – Breach
DepositFiles exposed config file, jeopardizing user security Full Text
Abstract
DepositFiles, a popular web hosting service, left its environment configuration file accessible, revealing a trove of highly sensitive credentials. The recent tsunami of Cl0p-driven ransomware attacks via the MOVEit Transfer exploit is a painful...Security Affairs
July 27, 2023 – Breach
Up to 11 Million People Hit by MOVEit Hack at Government Services Firm Maximus Full Text
Abstract
According to Maximus, the attackers stole files containing personal information and protected health information, including Social Security numbers, “of at least 8 to 11 million individuals”.Cyware
July 27, 2023 – Education
The 4 Keys to Building Cloud Security Programs That Can Actually Shift Left Full Text
Abstract
As cloud applications are built, tested and updated, they wind their way through an ever-complex series of different tools and teams. Across hundreds or even thousands of technologies that make up the patchwork quilt of development and cloud environments, security processes are all too often applied in only the final phases of software development. Placing security at the very end of the production pipeline puts both devs and security on the back foot. Developers want to build and ship secure apps; security teams want to support this process by strengthening application security. However, today's security processes are legacy approaches that once worked brilliantly for the tight constraints of on-prem production, but struggle in quasi-public, ever-shifting cloud environments. As a result, security is an afterthought, and any attempt to squeeze siloed security into agile SDLC can swell the cost of patching by 600% . A new cloud security operating model is long overdue. Shift-leThe Hacker News
July 27, 2023 – Policy and Law
Group-IB CEO Ilya Sachkov sentenced to 14 years in a strict prison colony Full Text
Abstract
Ilya Sachkov, CEO and co-founder of Group-IB was sentenced to 14 years in a high security prison colony according to the Moscow court announcement. As per the announcement from the Moscow court, Ilya Sachkov, the CEO and co-founder of Group-IB, has been...Security Affairs
July 27, 2023 – Criminals
China Allegedly Turns to Transnational Criminals to Spread Disinformation in Australia Full Text
Abstract
Australian researchers have found evidence that China is using fake social media accounts linked to transnational criminal groups to spread online propaganda and disinformation.Cyware
July 27, 2023 – Attack
Hackers Target Apache Tomcat Servers for Mirai Botnet and Crypto Mining Full Text
Abstract
Misconfigured and poorly secured Apache Tomcat servers are being targeted as part of a new campaign designed to deliver the Mirai botnet malware and cryptocurrency miners. The findings come courtesy of Aqua, which detected more than 800 attacks against its Tomcat server honeypots over a two-year time period, with 96% of the attacks linked to the Mirai botnet. Of these attack attempts, 20% (or 152) entailed the use of a web shell script dubbed "neww" that originated from 24 unique IP addresses, with 68% of them originating from a single IP address (104.248.157[.]218). "The threat actor scanned for Tomcat servers and launched a brute force attack against it, attempting to gain access to the Tomcat web application manager by trying different combinations of credentials associated with it," Aqua security researcher Nitzan Yaakov said . Upon gaining a successful foothold, the threat actors have been observed deploying a WAR file that contains a malicious web sThe Hacker News
July 27, 2023 – General
Two flaws in Linux Ubuntu affect 40% of Ubuntu users Full Text
Abstract
Wiz researchers discovered two Linux vulnerabilities in the Ubuntu kernel that can allow an unprivileged local user to gain elevated privileges. Wiz Research discovered two privilege escalation vulnerabilities, tracked as CVE-2023-2640 and CVE-2023-32629,...Security Affairs
July 27, 2023 – Malware
Introducing FraudGPT: The Latest AI Cybercrime Tool in the Dark Web Full Text
Abstract
In the wake of WormGPT's success, threat actors have now introduced another AI-powered cybercrime tool called FraudGPT . This AI bot is being promoted on numerous dark web marketplaces and Telegram channels, and is capable of designing spear-phishing emails, generating cracking tools, and facilit ... Read MoreCyware
July 27, 2023 – Policy and Law
Group-IB Co-Founder Sentenced to 14 Years in Russian Prison for Alleged High Treason Full Text
Abstract
A city court in Moscow on Wednesday convicted Group-IB co-founder and CEO Ilya Sachkov of "high treason" and jailed him for 14 years in a "strict regime colony" over accusations of passing information to foreign spies. "The court found Sachkov guilty under Article 275 of the Russian Criminal Code (high treason) sentencing him to 14 years of incarceration in a maximum-security jail, restriction of freedom for one year and a fine of 500,000 rubles (about $5,550)," state news agency TASS reported . Sachkov, who has been in custody since September 2021 and denied wrongdoing, had been accused of handing over classified information to foreign intelligence in 2011, which the prosecutors said caused reputational damage to Russia's national interests. The exact nature of the charges is unclear. The 37-year-old is expected to appeal the decision, Bloomberg said , adding, "Sachkov was alleged to have given the U.S. government information regardinThe Hacker News
July 27, 2023 – Malware
Decoy Dog Malware Evolves to Expand its Reach Full Text
Abstract
An unidentified nation-state appears to be preparing for a new hacking campaign, according to researchers at Infoblox. The campaign uses the relatively new Decoy Dog malware toolkit. Decoy Dog has undergone a major upgrade from Pupy , an open-source remote access tool, to disguise its activities ... Read MoreCyware
July 27, 2023 – Policy and Law
New SEC Rules Require U.S. Companies to Reveal Cyber Attacks Within 4 Days Full Text
Abstract
The U.S. Securities and Exchange Commission (SEC) on Wednesday approved new rules that require publicly traded companies to publicize details of a cyber attack within four days of identifying that it has a "material" impact on their finances, marking a major shift in how computer breaches are disclosed. "Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors," SEC chair Gary Gensler said . "Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way." To that end, the new obligations mandate that companies reveal the incident's nature, scope, and timing, as well as its impact. This disclosure, however, may be delayed by an additional period of up to 60 days should it be determined that giving out such specificThe Hacker News
July 27, 2023 – Government
DOJ Reorganizes Units to Better Fight Ransomware Full Text
Abstract
The U.S. Justice Department is merging its National Cryptocurrency Enforcement Team with its Crime and Intellectual Property Section to strengthen its capabilities in investigating cryptocurrency-related criminal cases and cybercrime.Cyware
July 26, 2023 – Business
Protect AI Raises $35M to Build a Suite of AI-Defending Tools Full Text
Abstract
Protect AI announced that it raised $35 million in a Series A round led by Evolution Equity Partners with participation from Salesforce Ventures, Acrew Capital, boldstart ventures, Knollwood Capital and Pelion Ventures.Cyware
July 26, 2023 – Malware
Decoy Dog: New Breed of Malware Posing Serious Threats to Enterprise Networks Full Text
Abstract
A deeper analysis of a recently discovered malware called Decoy Dog has revealed that it's a significant upgrade over the Pupy RAT , an open-source remote access trojan it's modeled on. "Decoy Dog has a full suite of powerful, previously unknown capabilities – including the ability to move victims to another controller, allowing them to maintain communication with compromised machines and remain hidden for long periods of time," Infoblox said in a Tuesday report. "Some victims have actively communicated with a Decoy Dog server for over a year." Other new features allow the malware to execute arbitrary Java code on the client and connect to emergency controllers using a mechanism that's similar to a traditional DNS domain generation algorithm ( DGA ), with the Decoy Dog domains engineered to respond to replayed DNS queries from breached clients. The sophisticated toolkit was first discovered by the cybersecurity firm in early April 2023 afterThe Hacker News
July 26, 2023 – Outage
Two ambulance services in UK lost access to patient records after a cyber attack on software provider Full Text
Abstract
Swedish software firm Ortivus suffered a cyberattack that has resulted in at least two British ambulance services losing access to electronic patient records. Two British ambulance services were not able to access electronic patient records after...Security Affairs
July 26, 2023 – Outage
UK Ambulance Services Disrupted by Infosec Fiends Full Text
Abstract
Several UK NHS ambulance organizations have been struggling to record patient data and pass it to other providers following a cyberattack aimed at health software company Ortivus.Cyware
July 26, 2023 – General
The Alarming Rise of Infostealers: How to Detect this Silent Threat Full Text
Abstract
A new study conducted by Uptycs has uncovered a stark increase in the distribution of information stealing (a.k.a. infostealer or stealer) malware. Incidents have more than doubled in Q1 2023, indicating an alarming trend that threatens global organizations. According to the new Uptycs' whitepaper, Stealers are Organization Killers , a variety of new info stealers have emerged this year, preying on Windows, Linux, and macOS systems. Telegram has notably been used extensively by these malware authors for command, control, and data exfiltration. What is a Stealer? A stealer is a type of malware that targets its victim by stealing sensitive information that can include passwords, login credentials, and other personal data. After collecting such data, the stealer sends it to the threat actor's command and control (C2) system. RedLine and Vidar, two well-known stealers, took advantage of log-providing services to infiltrate private systems. RedLine primarily targets credentiThe Hacker News
July 26, 2023 – Malware
FraudGPT, a new malicious generative AI tool appears in the threat landscape Full Text
Abstract
FraudGPT is another cybercrime generative artificial intelligence (AI) tool that is advertised in the hacking underground. Generative AI models are becoming attractive for crooks, Netenrich researchers recently spotted a new platform dubbed FraudGPT...Security Affairs
July 26, 2023 – Government
To Execute the National Cyber Strategy, It’s Going to Take the Whole US Government Full Text
Abstract
The implementation plan for the national cybersecurity strategy assigns specific tasks and responsibilities to various government agencies, highlighting the need for coordination and collaboration.Cyware
July 26, 2023 – Criminals
Fenix Cybercrime Group Poses as Tax Authorities to Target Latin American Users Full Text
Abstract
Tax-paying individuals in Mexico and Chile have been targeted by a Mexico-based cybercrime group that goes by the name Fenix to breach targeted networks and steal valuable data. A key hallmark of the operation entails cloning official portals of the Servicio de Administración Tributaria (SAT) in Mexico and the Servicio de Impuestos Internos (SII) in Chile and redirecting potential victims to those sites. "These fake websites prompt users to download a supposed security tool, claiming it will enhance their portal navigation safety," Metabase Q security researchers Gerardo Corona and Julio Vidal said in a recent analysis. "However, unbeknownst to the victims, this download actually installs the initial stage of malware, ultimately enabling the theft of sensitive information such as credentials." The goal of Fenix, according to the Latin America-focused cybersecurity firm, is to act as an initial access broker and get a foothold into different companies in tThe Hacker News
July 26, 2023 – Government
CISA adds Ivanti EPMM flaw to its Known Exploited Vulnerabilities catalog Full Text
Abstract
US CISA added actively exploited Ivanti 's Endpoint Manager Mobile (EPMM) vulnerability to its Known Exploited Vulnerabilities catalog. US Cybersecurity and Infrastructure Security Agency (CISA) added actively exploited Ivanti 's Endpoint Manager...Security Affairs
July 26, 2023 – Criminals
FraudGPT: The Villain Avatar of ChatGPT Full Text
Abstract
Cybercriminals are using artificial intelligence tools like FraudGPT to create sophisticated phishing attacks and other malicious activities, posing a significant threat to organizations.Cyware
July 26, 2023 – Malware
New AI Tool ‘FraudGPT’ Emerges, Tailored for Sophisticated Attacks Full Text
Abstract
Following the footsteps of WormGPT , threat actors are advertising yet another cybercrime generative artificial intelligence (AI) tool dubbed FraudGPT on various dark web marketplaces and Telegram channels. "This is an AI bot, exclusively targeted for offensive purposes, such as crafting spear phishing emails, creating cracking tools, carding, etc.," Netenrich security researcher Rakesh Krishnan said in a report published Tuesday. The cybersecurity firm said the offering has been circulating since at least July 22, 2023, for a subscription cost of $200 a month (or $1,000 for six months and $1,700 for a year). "If your [sic] looking for a Chat GPT alternative designed to provide a wide range of exclusive tools, features, and capabilities tailored to anyone's individuals with no boundaries then look no further!," claims the actor, who goes by the online alias CanadianKingpin. The author also states that the tool could be used to write malicious code, cThe Hacker News
July 26, 2023 – Vulnerabilities
Over 500K MikroTik RouterOS systems potentially exposed to hacking due to critical flaw Full Text
Abstract
Experts warn of a severe privilege escalation, tracked as CVE-2023-30799, in MikroTik RouterOS that can be exploited to hack vulnerable devices. VulnCheck researchers warn of a critical vulnerability, tracked as CVE-2023-30799 (CVSS score:...Security Affairs
July 26, 2023 – Policy and Law
Federal Privacy Bill Would Strip FCC’s Role as Telecom Industry’s Privacy Cop Full Text
Abstract
Sweeping federal privacy legislation now under debate in Congress is expected to move oversight of the telecom industry’s privacy practices from the FCC to the FTC, a shift that has long been a priority for telecom companies.Cyware
July 26, 2023 – Malware
Rust-based Realst Infostealer Targeting Apple macOS Users’ Cryptocurrency Wallets Full Text
Abstract
A new malware family called Realst has become the latest to target Apple macOS systems, with a third of the samples already designed to infect macOS 14 Sonoma, the upcoming major release of the operating system. Written in the Rust programming language, the malware is distributed in the form of bogus blockchain games and is capable of "emptying crypto wallets and stealing stored password and browser data" from both Windows and macOS machines. Realst was first discovered in the wild by security researcher iamdeadlyz . "Realst Infostealer is distributed via malicious websites advertising fake blockchain games with names such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend," SentinelOne security researcher Phil Stokes said in a report. "Each version of the fake blockchain game is hosted on its own website complete with associated Twitter and Discord accounts." The cybersecurity firm, which identifThe Hacker News
July 26, 2023 – General
Supply Chain, Open Source Pose Major Challenge to AI Systems Full Text
Abstract
Supply chain compromise, open source technology, and rapid advances in artificial intelligence capabilities pose significant challenges to safeguarding AI, experts told a Senate panel Tuesday.Cyware
July 26, 2023 – Vulnerabilities
Critical MikroTik RouterOS Vulnerability Exposes Over Half a Million Devices to Hacking Full Text
Abstract
A severe privilege escalation issue impacting MikroTik RouterOS could be weaponized by remote malicious actors to execute arbitrary code and seize full control of vulnerable devices. Cataloged as CVE-2023-30799 (CVSS score: 9.1), the shortcoming is expected to put approximately 500,000 and 900,000 RouterOS systems at risk of exploitation via their web and/or Winbox interfaces, respectively, VulnCheck disclosed in a Tuesday report. "CVE-2023-30799 does require authentication," security researcher Jacob Baines said . "In fact, the vulnerability itself is a simple privilege escalation from admin to 'super-admin' which results in access to an arbitrary function. Acquiring credentials to RouterOS systems is easier than one might expect." This is because the Mikrotik RouterOS operating system does not offer any protection against password brute-force attacks and ships with a well-known default "admin" user, with its password being an empty stringThe Hacker News
July 26, 2023 – Malware
New Realst Info-stealer Targets MacOS, Empties Crypto Wallets Full Text
Abstract
In the ever-evolving information-stealer landscape, a new malware dubbed Realst has emerged. Realst is designed to target macOS systems and is capable of emptying crypto wallets and stealing stored passwords and browser data. A ttackers are using tricks to lure gamers with money, which is a red ... Read MoreCyware
July 25, 2023 – Malware
Spyhide Stalkerware is Spying on Tens of Thousands of Phones Full Text
Abstract
Spyhide is secretly collecting private data from tens of thousands of Android devices worldwide. The app is often installed on a victim's phone by someone who knows their passcode, and it remains hidden on the home screen.Cyware
July 25, 2023 – APT
North Korean Nation-State Actors Exposed in JumpCloud Hack After OPSEC Blunder Full Text
Abstract
North Korean nation-state actors affiliated with the Reconnaissance General Bureau (RGB) have been attributed to the JumpCloud hack following an operational security (OPSEC) blunder that exposed their actual IP address. Google-owned threat intelligence firm Mandiant attributed the activity to a threat actor it tracks under the name UNC4899, which likely shares overlaps with clusters already being monitored as Jade Sleet and TraderTraitor, a group with a history of striking blockchain and cryptocurrency sectors. UNC4899 also overlaps with APT43 , another hacking crew associated with the Democratic People's Republic of Korea (DPRK) that was unmasked earlier this March as conducting a series of campaigns to gather intelligence and siphon cryptocurrency from targeted companies. The adversarial collective's modus operandi is characterized by the use of Operational Relay Boxes ( ORBs ) using L2TP IPsec tunnels along with commercial VPN providers to disguise the attacker'sThe Hacker News
July 25, 2023 – Vulnerabilities
Atlassian addressed 3 flaws in Confluence and Bamboo products Full Text
Abstract
Atlassian addressed three vulnerabilities in its Confluence Server, Data Center, and Bamboo Data Center products that can lead to remote code execution. Atlassian has addressed three critical and high severity vulnerabilities impacting...Security Affairs
July 25, 2023 – Business
Thales Acquiring Imperva From Thoma Bravo for $3.6 Billion Full Text
Abstract
Thales will buy Imperva for an enterprise value of $3.6 billion ($3.7 billion gross value minus $0.1 billion tax benefits). The transaction is expected to close by the beginning of 2024.Cyware
July 25, 2023 – Malware
Casbaneiro Banking Malware Goes Under the Radar with UAC Bypass Technique Full Text
Abstract
The financially motivated threat actors behind the Casbaneiro banking malware family have been observed making use of a User Account Control ( UAC ) bypass technique to gain full administrative privileges on a machine, a sign that the threat actor is evolving their tactics to avoid detection and execute malicious code on compromised assets. "They are still heavily focused on Latin American financial institutions, but the changes in their techniques represent a significant risk to multi-regional financial organizations as well," Sygnia said in a statement shared with The Hacker News. Casbaneiro , also known as Metamorfo and Ponteiro, is best known for its banking trojan, which first emerged in mass email spam campaigns targeting the Latin American financial sector in 2018. Infection chains typically begin with a phishing email pointing to a booby-trapped attachment that, when launched, activates a series of steps that culminate in the deployment of the banking malwareThe Hacker News
July 25, 2023 – Vulnerabilities
VMware addressed an information disclosure flaw in VMware Tanzu Application Service for VMs and Isolation Segment Full Text
Abstract
VMware fixed an information disclosure flaw in VMware Tanzu Application Service for VMs and Isolation Segment that exposed CF API admin credentials in audit logs. VMware has addressed an information disclosure vulnerability, tracked as CVE-2023-20891...Security Affairs
July 25, 2023 – APT
Chinese Cyberespionage Group APT31 Targets Eastern European Entities Full Text
Abstract
A China-linked group APT31 (aka Zirconium) has been linked to a cyberespionage campaign targeting industrial organizations in Eastern Europe. The attackers abused DLL hijacking vulnerabilities in cloud-based data storage systems such as Dropbox or Yandex, as well as a temporary file-sharing serv ... Read MoreCyware
July 25, 2023 – General
macOS Under Attack: Examining the Growing Threat and User Perspectives Full Text
Abstract
As the number of people using macOS keeps going up, so does the desire of hackers to take advantage of flaws in Apple's operating system. What Are the Rising Threats to macOS? There is a common misconception among macOS fans that Apple devices are immune to hacking and malware infection. However, users have been facing more and more dangers recently. Inventive attackers are specifically targeting Mac systems, as seen with the "Geacon" Cobalt Strike tool attack. This tool enables them to perform malicious actions such as data theft, privilege elevation, and remote device control, placing the security and privacy of Mac users at grave risk. Earlier this year, researchers also uncovered the MacStealer malware, which also stole sensitive data from Apple users. Documents, iCloud keychain data, browser cookies, credit card credentials – nothing is safe from the prying eyes. But that's not all. CloudMensis is malicious software that specifically targets macOS systems,The Hacker News
July 25, 2023 – Vulnerabilities
Apple addressed a new actively exploited zero-day tracked as CVE-2023-38606 Full Text
Abstract
Apple released security updates to address an actively exploited zero-day flaw in iOS, iPadOS, macOS, tvOS, watchOS, and Safari. Apple released urgent security updates to address multiple flaws in iOS, iPadOS, macOS, tvOS, watchOS, and Safari, including...Security Affairs
July 25, 2023 – General
RaaS proliferation: 14 new ransomware groups target organizations worldwide Full Text
Abstract
In the second quarter of 2023, GuidePoint Research and Intelligence Team (GRIT) tracked 1,177 total publicly posted ransomware victims claimed by 41 different threat groups.Cyware
July 25, 2023 – Vulnerabilities
TETRA:BURST — 5 New Vulnerabilities Exposed in Widely Used Radio Communication System Full Text
Abstract
A set of five security vulnerabilities have been disclosed in the Terrestrial Trunked Radio ( TETRA ) standard for radio communication used widely by government entities and critical infrastructure sectors, including what's believed to be an intentional backdoor that could have potentially exposed sensitive information. The issues, discovered by Midnight Blue in 2021 and held back until now, have been collectively called TETRA:BURST . There is no conclusive evidence to determine that the vulnerabilities have been exploited in the wild to date. "Depending on infrastructure and device configurations, these vulnerabilities allow for real time decryption, harvest-now-decrypt-later attacks, message injection, user deanonymization, or session key pinning," the Netherlands-based cybersecurity company said . Standardized by the European Telecommunications Standards Institute (ETSI) in 1995, TETRA is used in more than 100 countries and as a police radio communication systemThe Hacker News
July 25, 2023 – Attack
Twelve Norwegian ministries were hacked using a zero-day vulnerability Full Text
Abstract
Threat actors exploited a zero-day flaw in third-party software in attacks against the ICT platform used by 12 Norwegian ministries. The ICT platform used by twelve ministries of the Norwegian government was hacked, and threat actors have exploited...Security Affairs
July 25, 2023 – Education
How MDR Helps Solve the Cybersecurity Talent Gap Full Text
Abstract
How do you overcome today's talent gap in cybersecurity? This is a crucial issue — particularly when you find executive leadership or the board asking pointed questions about your security team's ability to defend the organization against new and current threats. This is why many security leaders find themselves turning to managed security services like MDR ( managed detection and response ), which can offer an immediate solution. The right MDR partner can act as an extension of your existing team, while offering a fast and budget-friendly option for uplevelling security at organizations of virtually any size. Here's a look at common staffing challenges that MDR helps solve: Overcoming Cybersecurity Talent Challenges From stopping ransomware to securing the attack surface of the environment, most security teams have more to do than they can manage. This leads to security gaps that increase both cyber risk and frustration for stakeholders across the business. The challThe Hacker News
July 25, 2023 – Vulnerabilities
Zenbleed: New Flaw in AMD Zen 2 Processors Puts Encryption Keys and Passwords at Risk Full Text
Abstract
A new security vulnerability has been discovered in AMD's Zen 2 architecture-based processors that could be exploited to extract sensitive data such as encryption keys and passwords. Discovered by Google Project Zero researcher Tavis Ormandy, the flaw – codenamed Zenbleed and tracked as CVE-2023-20593 (CVSS score: 6.5) – allows data exfiltration at the rate of 30 kb per core, per second. The issue is part of a broader category of weaknesses called speculative execution attacks , in which the optimization technique widely used in modern CPUs is abused to access cryptographic keys from CPU registers. "Under specific microarchitectural circumstances, a register in 'Zen 2' CPUs may not be written to 0 correctly," AMD explained in an advisory. "This may cause data from another process and/or thread to be stored in the YMM register , which may allow an attacker to potentially access sensitive information." Web infrastructure company Cloudflare noteThe Hacker News
July 25, 2023 – Vulnerabilities
Atlassian Releases Patches for Critical Flaws in Confluence and Bamboo Full Text
Abstract
Atlassian has released updates to address three security flaws impacting its Confluence Server, Data Center, and Bamboo Data Center products that, if successfully exploited, could result in remote code execution on susceptible systems. The list of the flaws is below - CVE-2023-22505 (CVSS score: 8.0) - RCE (Remote Code Execution) in Confluence Data Center and Server (Fixed in versions 8.3.2 and 8.4.0) CVE-2023-22508 (CVSS score: 8.5) - RCE (Remote Code Execution) in Confluence Data Center and Server (Fixed in versions 7.19.8 and 8.2.0) CVE-2023-22506 (CVSS score: 7.5) - Injection, RCE (Remote Code Execution) in Bamboo (Fixed in versions 9.2.3 and 9.3.1) CVE-2023-22505 and CVE-2023-22508 allow an "authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and no user interaction," the company said. While the first bug was introduced in version 8.0.0, CVE-2023-22508 was introducThe Hacker News
July 25, 2023 – Vulnerabilities
Ivanti Releases Urgent Patch for EPMM Zero-Day Vulnerability Under Active Exploitation Full Text
Abstract
Ivanti is warning users to update their Endpoint Manager Mobile (EPMM) mobile device management software (formerly MobileIron Core) to the latest version that fixes an actively exploited zero-day vulnerability. Dubbed CVE-2023-35078 , the issue has been described as a remote unauthenticated API access vulnerability that impacts currently supported version 11.4 releases 11.10, 11.9, and 11.8 as well as older releases. It has the maximum severity rating of 10 on the CVSS scale. "An authentication bypass vulnerability in Ivanti EPMM allows unauthorized users to access restricted functionality or resources of the application without proper authentication," the company said in a terse advisory. "If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users' personally identifiable information and make limited changes to the server." The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said anThe Hacker News
July 25, 2023 – Vulnerabilities
Apple Rolls Out Urgent Patches for Zero-Day Flaws Impacting iPhones, iPads and Macs Full Text
Abstract
Apple has rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and Safari to address several security vulnerabilities, including one actively exploited zero-day bug in the wild. Tracked as CVE-2023-38606 , the shortcoming resides in the kernel and permits a malicious app to modify sensitive kernel state potentially. The company said it was addressed with improved state management. "Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1," the tech giant noted in its advisory. It's worth noting that CVE-2023-38606 is the third security vulnerability discovered in connection with Operation Triangulation , a sophisticated mobile cyber espionage campaign targeting iOS devices since 2019 using a zero-click exploit chain. The other two zero-days, CVE-2023-32434 and CVE-2023-32435 , were patched by Apple last month. Kaspersky researchers Valentin Pashkov, Mikhail Vinogradov, Georgy KucThe Hacker News
July 24, 2023 – Vulnerabilities
Atlassian Patches Remote Code Execution Vulnerabilities in Confluence, Bamboo Full Text
Abstract
The most severe of these issues, tracked as CVE-2023-22508 (CVSS score of 8.5), was introduced in Confluence version 7.4.0. The second bug, tracked as CVE-2023-22505 (CVSS score of 8.0), was introduced in Confluence version 8.0.0.Cyware
July 24, 2023 – Vulnerabilities
Critical Zero-Days in Atera Windows Installers Expose Users to Privilege Escalation Attacks Full Text
Abstract
Zero-day vulnerabilities in Windows Installers for the Atera remote monitoring and management software could act as a springboard to launch privilege escalation attacks. The flaws, discovered by Mandiant on February 28, 2023, have been assigned the identifiers CVE-2023-26077 and CVE-2023-26078 , with the issues remediated in versions 1.8.3.7 and 1.8.4.9 released by Atera on April 17, 2023, and June 26, 2023, respectively. "The ability to initiate an operation from a NT AUTHORITY\SYSTEM context can present potential security risks if not properly managed," security researcher Andrew Oliveau said . "For instance, misconfigured Custom Actions running as NT AUTHORITY\SYSTEM can be exploited by attackers to execute local privilege escalation attacks." Successful exploitation of such weaknesses could pave the way for the execution of arbitrary code with elevated privileges. Both the flaws reside in the MSI installer's repair functionality, potentially creaThe Hacker News
July 24, 2023 – Vulnerabilities
A flaw in OpenSSH forwarded ssh-agent allows remote code execution Full Text
Abstract
A new flaw in OpenSSH could be potentially exploited to run arbitrary commands remotely on compromised hosts under specific conditions. Researchers from the Qualys Threat Research Unit (TRU) have discovered a remote code execution vulnerability in OpenSSH’s...Security Affairs
July 24, 2023 – APT
Lazarus Targets Windows IIS Web Servers for Malware Distribution Full Text
Abstract
ASEC discovered that the North Korean state-sponsored Lazarus APT group is attacking Windows Internet Information Service (IIS) web servers and using them to distribute malware. It is imperative for organizations to adopt stringent measures, including attack surface management, to identify expo ... Read MoreCyware
July 24, 2023 – Solution
Google Messages Getting Cross-Platform End-to-End Encryption with MLS Protocol Full Text
Abstract
Google has announced that it intends to add support for Message Layer Security ( MLS ) to its Messages service for Android and open source implementation of the specification. "Most modern consumer messaging platforms (including Google Messages) support end-to-end encryption, but users today are limited to communicating with contacts who use the same platform," Giles Hogben, privacy engineering director at Google, said . "This is why Google is strongly supportive of regulatory efforts that require interoperability for large end-to-end messaging platforms." The development comes as the Internet Engineering Task Force (IETF) released the core specification of the Messaging Layer Security (MLS) protocol as a Request for Comments ( RFC 9420 ). Some of the other major companies that have thrown their weight behind the protocol are Amazon Web Services (AWS) Wickr, Cisco, Cloudflare, The Matrix.org Foundation, Mozilla, Phoenix R&D, and Wire. Notably missing fromThe Hacker News
July 24, 2023 – General
Experts warn of OSS supply chain attacks against the banking sector Full Text
Abstract
Checkmark researchers have uncovered the first known targeted OSS supply chain attacks against the banking sector. In the first half of 2023, Checkmarx researchers detected multiple open-source software supply chain attacks aimed at the banking sector....Security Affairs
July 24, 2023 – Vulnerabilities
Over 20,000 Citrix Appliances Vulnerable to New Exploit Full Text
Abstract
A new exploit technique targeting a recent Citrix Application Delivery Controller (ADC) and Gateway vulnerability can be used against thousands of unpatched devices, cybersecurity firm Bishop Fox claims.Cyware
July 24, 2023 – Education
How to Protect Patients and Their Privacy in Your SaaS Apps Full Text
Abstract
The healthcare industry is under a constant barrage of cyberattacks. It has traditionally been one of the most frequently targeted industries, and things haven't changed in 2023. The U.S. Government's Office for Civil Rights reported 145 data breaches in the United States during the first quarter of this year. That follows 707 incidents a year ago, during which over 50 million records were stolen. Health records often include names, birth dates, social security numbers, and addresses. This treasure trove of data is used in identity theft, tax fraud, and other crimes. It is the high value of the data that makes healthcare applications such a promising target. The healthcare industry was hesitant to adopt SaaS applications. However, SaaS applications lead to better collaboration among medical professionals, leading to improved patient outcomes. That, combined with SaaS's ability to reduce costs and improve financial performance, has led to the industry fully embracing SaaS solutionsThe Hacker News
July 24, 2023 – Privacy
Apple could opt to stop iMessage and FaceTime services due to the government’s surveillance demands Full Text
Abstract
Apple could opt to pull iMessage and FaceTime services in the U.K. in response to the government's surveillance demands. In light of the government's surveillance demands, Apple might consider withdrawing iMessage and FaceTime services from the U.K. The...Security Affairs
July 24, 2023 – General
Banking Sector Witnesses First-Ever OSS Supply Chain Attack Full Text
Abstract
For the first time, the banking sector has been explicitly targeted by two distinct Open-Source Software (OSS) supply chain attacks that enabled attackers to stealthily overlay the banking sites. O rganizations must equip themselves with the best early threat alerting and sharing platforms that c ... Read MoreCyware
July 24, 2023 – Vulnerabilities
New OpenSSH Vulnerability Exposes Linux Systems to Remote Command Injection Full Text
Abstract
Details have emerged about a now-patched flaw in OpenSSH that could be potentially exploited to run arbitrary commands remotely on compromised hosts under specific conditions. "This vulnerability allows a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH's forwarded ssh-agent," Saeed Abbasi, manager of vulnerability research at Qualys, said in an analysis last week. The vulnerability is being tracked under the CVE identifier CVE-2023-38408 (CVSS score: N/A). It impacts all versions of OpenSSH before 9.3p2 . OpenSSH is a popular connectivity tool for remote login with the SSH protocol that's used for encrypting all traffic to eliminate eavesdropping, connection hijacking, and other attacks. Successful exploitation requires the presence of certain libraries on the victim system and that the SSH authentication agent is forwarded to an attacker-controlled system. SSH agent is a background program that maintains users' keysThe Hacker News
July 24, 2023 – Attack
Norwegian Government Security and Service Organisation Hit by Cyberattack Full Text
Abstract
Twelve Norwegian government ministries have been hit by a cyberattack, the Norwegian government said on Monday, the latest attack to hit the public sector of Europe's largest gas supplier and NATO's northernmost member.Cyware
July 24, 2023 – Attack
Banking Sector Targeted in Open-Source Software Supply Chain Attacks Full Text
Abstract
Cybersecurity researchers said they have discovered what they say is the first open-source software supply chain attacks specifically targeting the banking sector. "These attacks showcased advanced techniques, including targeting specific components in web assets of the victim bank by attaching malicious functionalities to it," Checkmarx said in a report published last week. "The attackers employed deceptive tactics such as creating a fake LinkedIn profile to appear credible and customized command-and-control (C2) centers for each target, exploiting legitimate services for illicit activities." The npm packages have since been reported and taken down. The names of the packages were not disclosed. In the first attack, the malware author is said to have uploaded a couple of packages to the npm registry in early April 2023 by posing as an employee of the target bank. The modules came with a preinstall script to activate the infection sequence. To complete the rusThe Hacker News
July 24, 2023 – Vulnerabilities
Perimeter81 Vulnerability Disclosed After Botched Disclosure Process Full Text
Abstract
Cybersecurity researcher Erhad Husovic published a blog post in late June to disclose the details of a local privilege escalation vulnerability discovered in Perimeter81’s macOS application.Cyware
July 24, 2023 – General
CISOs are making cybersecurity a business problem Full Text
Abstract
U.S. enterprises are responding to growing cybersecurity threats by working to make the best use of tools and services to ensure business resilience, according to an ISG report.Cyware
July 24, 2023 – Attack
First Known Targeted OSS Supply Chain Attacks Against the Banking Sector Full Text
Abstract
The attackers employed deceptive tactics such as creating fake LinkedIn profiles to appear credible and using customized command and control (C2) centers for each target, exploiting legitimate services for illicit activities.Cyware
July 23, 2023 – General
Security Affairs newsletter Round 429 by Pierluigi Paganini – International edition Full Text
Abstract
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Multiple...Security Affairs
July 23, 2023 – Vulnerabilities
Shadowserver reported that +15K Citrix servers are likely vulnerable to attacks exploiting the flaw CVE-2023-3519 Full Text
Abstract
Researchers reported that more than 15000 Citrix servers exposed online are likely vulnerable to attacks exploiting the vulnerability CVE-2023-3519. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week warned of cyber attacks...Security Affairs
July 22, 2023 – Botnet
Multiple DDoS botnets were observed targeting Zyxel devices Full Text
Abstract
Researchers warn of several DDoS botnets exploiting a critical flaw tracked as CVE-2023-28771 in Zyxel devices. Fortinet FortiGuard Labs researchers warned of multiple DDoS botnets exploiting a vulnerability impacting multiple Zyxel firewalls. The...Security Affairs
July 22, 2023 – Breach
Global CDN Service ‘jsdelivr’ Exposed Users to Phishing Attacks Full Text
Abstract
The malicious NPM package, which masqueraded as a legitimate alternative to a popular package, downloaded a phishing HTML code from the jsdelivr CDN service to steal users' credentials.Cyware
July 22, 2023 – Privacy
Apple Threatens to Pull iMessage and FaceTime from U.K. Amid Surveillance Demands Full Text
Abstract
Apple has warned that it would rather stop offering iMessage and FaceTime services in the U.K. than bowing down to government pressure in response to new proposals that seek to expand digital surveillance powers available to state intelligence agencies. The development, first reported by BBC News, makes the iPhone maker the latest to join the chorus of voices protesting against forthcoming legislative changes to the Investigatory Powers Act ( IPA ) 2016 in a manner that would effectively render encryption protections ineffective. Specifically, the Online Safety Bill requires companies to install technology to scan for child sex exploitation and abuse (CSEA) material and terrorism content in encrypted messaging apps and other services. It also mandates that messaging services clear security features with the Home Office before releasing them and take immediate action to disable them if required without informing the public. While the fact does not explicitly call out for the rThe Hacker News
July 22, 2023 – Breach
DHL Investigating MOVEit Breach as Number of Victims Surpasses 20 Million Full Text
Abstract
The United Kingdom arm of shipping giant DHL said it is investigating a data breach sourced back to its use of the MOVEit software, which has been exploited by a Russia-based ransomware group for nearly two months.Cyware
July 22, 2023 – Outage
Coastal Mississippi County Recovering From Ransomware Attack Full Text
Abstract
The local government in George County, Mississippi, was thrown into chaos this weekend when ransomware actors used a discrete phishing email to gain deep access to the county’s systems.Cyware
July 21, 2023 – Government<br
CISA warns of attacks against Citrix NetScaler ADC and Gateway Devices Full Text
Abstract
The US CISA warns of cyber attacks targeting Citrix NetScaler Application Delivery Controller (ADC) and Gateway devices. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warning of cyber attacks against Citrix NetScaler Application...Security Affairs
July 21, 2023 – Attack
Azure AD Token Forging Technique in Microsoft Attack Extends Beyond Outlook, Wiz Reports Full Text
Abstract
The recent attack against Microsoft's email infrastructure by a Chinese nation-state actor referred to as Storm-0558 is said to have a broader scope than previously thought. According to cloud security company Wiz, the inactive Microsoft account (MSA) consumer signing key used to forge Azure Active Directory (Azure AD or AAD) tokens to gain illicit access to Outlook Web Access (OWA) and Outlook.com could also have allowed the adversary to forge access tokens for various types of Azure AD applications. This includes every application that supports personal account authentication, such as OneDrive, SharePoint, and Teams; customers applications that support the "Login with Microsoft functionality," and multi-tenant applications in certain conditions. "Everything in the world of Microsoft leverages Azure Active Directory auth tokens for access," Ami Luttwak, chief technology officer and co-founder of Wiz, said in a statement. "An attacker with an AAD siThe Hacker News
July 21, 2023 – Attack
Experts believe North Korea behind JumpCloud supply chain attack Full Text
Abstract
SentinelOne researchers attribute the recent supply chain attacks on JumpCloud to North Korea-linked threat actors. JumpCloud is a cloud-based directory service platform designed to manage user identities, devices, and applications in a seamless and secure...Security Affairs
July 21, 2023 – Malware
HotRat: New Variant of AsyncRAT Malware Spreading Through Pirated Software Full Text
Abstract
A new variant of AsyncRAT malware dubbed HotRat is being distributed via free, pirated versions of popular software and utilities such as video games, image and sound editing software, and Microsoft Office. "HotRat malware equips attackers with a wide array of capabilities, such as stealing login credentials, cryptocurrency wallets, screen capturing, keylogging, installing more malware, and gaining access to or altering clipboard data," Avast security researcher Martin a Milánek said . The Czech cybersecurity firm said the trojan has been prevalent in the wild since at least in October 2022, with a majority of the infections concentrated in Thailand, Guyana, Libya, Suriname, Mali, Pakistan, Cambodia, South Africa, and India. The attacks entail bundling the cracked software available online via torrent sites with a malicious AutoHotkey ( AHK ) script that initiates an infection chain designed to deactivate antivirus solutions on the compromised host and ultimately laThe Hacker News
July 21, 2023 – Breach
Nice Suzuki, sport: shame dealer left your data up for grabs Full Text
Abstract
Cybernews research team discovered that two Suzuki-authorized dealer websites were leaking customers' sensitive information. Suzuki or otherwise, buying a new vehicle is an intense experience with complicated credit, insurance, documentation, and contracts....Security Affairs
July 21, 2023 – Malware
HotRat as Hidden Script in Cracked Software Full Text
Abstract
In a recent encounter, security researchers stumbled across a HotRat malware distribution campaign that cybercriminals were offering bundled as cracked programs and games. HotRat is an offshoot of the open-source AsyncRAT framework. Implement strict software policies, regularly update and patch sys ... Read MoreCyware
July 21, 2023 – Malware
Sophisticated BundleBot Malware Disguised as Google AI Chatbot and Utilities Full Text
Abstract
A new malware strain known as BundleBot has been stealthily operating under the radar by taking advantage of .NET single-file deployment techniques , enabling threat actors to capture sensitive information from compromised hosts. "BundleBot is abusing the dotnet bundle (single-file), self-contained format that results in very low or no static detection at all," Check Point said in a report published this week, adding it is "commonly distributed via Facebook Ads and compromised accounts leading to websites masquerading as regular program utilities, AI tools, and games." Some of these websites aim to mimic Google Bard, the company's conversational generative artificial intelligence chatbot, enticing victims into downloading a bogus RAR archive ("Google_AI.rar") hosted on legitimate cloud storage services such as Dropbox. The archive file, when unpacked, contains an executable file ("GoogleAI.exe"), which is the .NET single-file, self-conThe Hacker News
July 21, 2023 – Attack
Android SpyNote Attacks Electric and Water Public Utility Users in Japan Full Text
Abstract
A smishing campaign is targeting Japanese Android users by posing as a power and water infrastructure company and luring victims to a phishing website to download the SpyNote malware.Cyware
July 21, 2023 – Education
Local Governments Targeted for Ransomware – How to Prevent Falling Victim Full Text
Abstract
Regardless of the country, local government is essential in most citizens' lives. It provides many day-to-day services and handles various issues. Therefore, their effects can be far-reaching and deeply felt when security failures occur. In early 2023, Oakland, California, fell victim to a ransomware attack . Although city officials have not disclosed how the attack occurred, experts suspect a phishing email is the most likely cause. As a result, city officials brought down their servers to contain the attack. Governments have been the target to many ransomware attacks and breaches. As most local governments maintain a small IT staff, there is potential for shared passwords, reused credentials, and a lack of multi-factor authentication security, exposing vulnerabilities for a breach. Oakland is Breached It was first noticed on a Wednesday evening in early February; when Oakland, California city officials quickly took most services' backend servers offline and posted a mThe Hacker News
July 21, 2023 – Ransomware
Mallox Ransomware Activity Surges by 174% Full Text
Abstract
Mallox ransomware activity surged by nearly 174% in 2023, using the new variant Xollam, employing the double extortion tactic to demand ransom from victims. The development is also being perceived as more affiliate groups coming together in this mission. Organizations must remain vigilant and adapt ... Read MoreCyware
July 21, 2023 – Denial Of Service
DDoS Botnets Hijacking Zyxel Devices to Launch Devastating Attacks Full Text
Abstract
Several distributed denial-of-service (DDoS) botnets have been observed exploiting a critical flaw in Zyxel devices that came to light in April 2023 to gain remote control of vulnerable systems. "Through the capture of exploit traffic, the attacker's IP address was identified, and it was determined that the attacks were occurring in multiple regions, including Central America, North America, East Asia, and South Asia," Fortinet FortiGuard Labs researcher Cara Lin said . The flaw, tracked as CVE-2023-28771 (CVSS score: 9.8), is a command injection bug affecting multiple firewall models that could potentially allow an unauthorized actor to execute arbitrary code by sending a specifically crafted packet to the targeted appliance. Last month, the Shadowserver Foundation warned that the flaw was being "actively exploited to build a Mirai-like botnet" at least since May 26, 2023, an indication of how abuse of servers running unpatched software is on the rise.The Hacker News
July 21, 2023 – Government
Citrix NetScaler ADC and Gateway Devices Under Attack: CISA Urges Immediate Action Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on Thursday warning that the newly disclosed critical security flaw in Citrix NetScaler Application Delivery Controller (ADC) and Gateway devices is being abused to drop web shells on vulnerable systems. "In June 2023, threat actors exploited this vulnerability as a zero-day to drop a web shell on a critical infrastructure organization's non-production environment NetScaler ADC appliance," the agency said . "The web shell enabled the actors to perform discovery on the victim's active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network segmentation controls for the appliance blocked movement." The shortcoming in question is CVE-2023-3519 (CVSS score: 9.8), a code injection bug that could result in unauthenticated remote code execution. Citrix, earlier this week, released patches for the issue andThe Hacker News
July 20, 2023 – General
Renewable technologies add risk to the US electric grid, experts warn Full Text
Abstract
Technologies that underpin solar and wind energy storage systems, which are central to transferring renewable power to the grid, are potential hacking risks, experts noted at a congressional hearing Tuesday.Cyware
July 20, 2023 – Vulnerabilities
Critical Flaws in AMI MegaRAC BMC Software Expose Servers to Remote Attacks Full Text
Abstract
Two more security flaws have been disclosed in AMI MegaRAC Baseboard Management Controller (BMC) software that, if successfully exploited, could allow threat actors to remotely commandeer vulnerable servers and deploy malware. "These new vulnerabilities range in severity from High to Critical, including unauthenticated remote code execution and unauthorized device access with superuser permissions," Eclypsium researchers Vlad Babkin and Scott Scheferman said in a report shared with The Hacker News. "They can be exploited by remote attackers having access to Redfish remote management interfaces, or from a compromised host operating system." To make matters worse, the shortcomings could also be weaponized to drop persistent firmware implants that are immune to operating system reinstalls and hard drive replacements, brick motherboard components, cause physical damage through overvolting attacks, and induce indefinite reboot loops. "As attackers shift theirThe Hacker News
July 20, 2023 – APT
Experts attribute WyrmSpy and DragonEgg spyware to the Chinese APT41 group Full Text
Abstract
China-linked group APT41 was spotted using two previously undocumented Android spyware called WyrmSpy and DragonEgg China-linked APT group APT41 has been observed using two previously undocumented Android spyware called WyrmSpy and DragonEgg. The...Security Affairs
July 20, 2023 – Phishing
Phishing via Google Ads Full Text
Abstract
Hackers are using URL redirects within Google ads to lead users to malicious sites, leveraging the trust and legitimacy of Google Ads. This technique, known as BEC 3.0, involves referencing legitimate sites instead of spoofed ones.Cyware
July 20, 2023 – Ransomware
Mallox Ransomware Exploits Weak MS-SQL Servers to Breach Networks Full Text
Abstract
Mallox ransomware activities in 2023 have witnessed a 174% increase when compared to the previous year, new findings from Palo Alto Networks Unit 42 reveal. "Mallox ransomware, like many other ransomware threat actors, follows the double extortion trend: stealing data before encrypting an organization's files, and then threatening to publish the stolen data on a leak site as leverage to convince victims to pay the ransom fee," security researchers Lior Rochberger and Shimi Cohen said in a new report shared with The Hacker News. Mallox is linked to a threat actor that's also linked to other ransomware strains , such as TargetCompany, Tohnichi, Fargo, and, most recently, Xollam. It first burst onto the scene in June 2021. Some of the prominent sectors targeted by Mallox are manufacturing, professional and legal services, and wholesale and retail. A notable aspect of the group is its pattern of exploiting poorly secured MS-SQL servers via dictionary attacks asThe Hacker News
July 20, 2023 – Attack
ALPHV/BlackCat and Clop gangs claim to have hacked cosmetics giant Estée Lauder Full Text
Abstract
The American cosmetics giant company Estée Lauder was hacked by two distinct ransomware groups, the ALPHV/BlackCat and Clop gangs. Yesterday the cybersecurity expert @sonoclaudio first alerted me about a strange circumstance, two ransomware actors,...Security Affairs
July 20, 2023 – Breach
Tampa General Hospital Says Hackers Exfiltrated the Data of 1.2 Million Patients Full Text
Abstract
A security breach was detected on May 31, 2023, when suspicious activity was identified within its network. The affected systems were immediately taken offline to prevent further unauthorized access.Cyware
July 20, 2023 – Vulnerabilities
Apache OpenMeetings Web Conferencing Tool Exposed to Critical Vulnerabilities Full Text
Abstract
Multiple security flaws have been disclosed in Apache OpenMeetings, a web conferencing solution, that could be potentially exploited by malicious actors to seize control of admin accounts and run malicious code on susceptible servers. "Attackers can bring the application into an unexpected state, which allows them to take over any user account, including the admin account," Sonar vulnerability researcher Stefan Schiller said in a report shared with The Hacker News. "The acquired admin privileges can further be leveraged to exploit another vulnerability allowing attackers to execute arbitrary code on the Apache OpenMeetings server." Following responsible disclosure on March 20, 2023, the vulnerabilities were addressed with the release of Openmeetings version 7.1.0 that was released on May 9, 2023. The list of three flaws is as follows - CVE-2023-28936 (CVSS score: 5.3) - Insufficient check of invitation hash CVE-2023-29032 (CVSS score: 8.1) - An authentiThe Hacker News
July 20, 2023 – Malware
P2PInfect, a Rusty P2P worm targets Redis Servers on Linux and Windows systems Full Text
Abstract
Cybersecurity researchers discovered a new peer-to-peer (P2P) worm called P2PInfect that targets Redis servers. Palo Alto Networks Unit 42 researchers have discovered a new peer-to-peer (P2P) worm called P2PInfect that targets...Security Affairs
July 20, 2023 – Outage
Russian Medical Lab Suspends Some Services After Ransomware Attack Full Text
Abstract
Customers of the Russian medical laboratory Helix have been unable to receive their test results for several days due to a “serious” cyberattack that crippled the company's systems over the weekend.Cyware
July 20, 2023 – Attack
North Korean State-Sponsored Hackers Suspected in JumpCloud Supply Chain Attack Full Text
Abstract
An analysis of the indicators of compromise ( IoCs ) associated with the JumpCloud hack has uncovered evidence pointing to the involvement of North Korean state-sponsored groups, in a style that's reminiscent of the supply chain attack targeting 3CX . The findings come from SentinelOne, which mapped out the infrastructure pertaining to the intrusion to uncover underlying patterns. It's worth noting that JumpCloud, last week, attributed the attack to an unnamed "sophisticated nation-state sponsored threat actor." "The North Korean threat actors demonstrate a high level of creativity and strategic awareness in their targeting strategies," SentinelOne security researcher Tom Hegel told The Hacker News. "The research findings reveal a successful and multifaceted approach employed by these actors to infiltrate developer environments." "They actively seek access to tools and networks that can serve as gateways to more extensive opportunitieThe Hacker News
July 20, 2023 – Vulnerabilities
Adobe out-of-band update addresses an actively exploited ColdFusion zero-day Full Text
Abstract
Adobe released an emergency update to address critical vulnerabilities in ColdFusion, including an actively exploited zero-day. Adobe released an out-of-band update to address critical and moderate vulnerabilities in ColdFusion, including a zero-day...Security Affairs
July 20, 2023 – Outage
Estée Lauder Takes Down Some Systems Following Cyberattack Full Text
Abstract
The ALPHV group claims Estée Lauder has not responded and listed the company on its leak site Tuesday, according to activity observed by Emsisoft Threat Analyst Brett Callow.Cyware
July 20, 2023 – General
A Few More Reasons Why RDP is Insecure (Surprise!) Full Text
Abstract
If it seems like Remote Desktop Protocol (RDP) has been around forever, it's because it has (at least compared to the many technologies that rise and fall within just a few years.) The initial version, known as "Remote Desktop Protocol 4.0," was released in 1996 as part of the Windows NT 4.0 Terminal Server edition and allowed users to remotely access and control Windows-based computers over a network connection. In the intervening decades, RDP has become a widely used protocol for remote access and administration of Windows-based systems. RDP plays a crucial role in enabling remote work, IT support, and system management and has served as the foundation for various remote desktop and virtual desktop infrastructure (VDI) solutions. The downside of RDP's widespread use is that a Remote Code Execution (RCE) vulnerability in an RDP gateway can have severe consequences, potentially leading to significant damage and compromising the security and integrity of the affecThe Hacker News
July 20, 2023 – Solution
Microsoft Set to Expand Access to Detailed Logs in the Wake of Chinese Hacking Operation Full Text
Abstract
Microsoft said in a blog post on Wednesday that it will include “access to wider cloud security logs for our worldwide customers at no additional cost” starting in September and that it would increase default log retention from 90 to 180 days.Cyware
July 20, 2023 – Breach
Turla’s New DeliveryCheck Backdoor Breaches Ukrainian Defense Sector Full Text
Abstract
The defense sector in Ukraine and Eastern Europe has been targeted by a novel .NET-based backdoor called DeliveryCheck (aka CAPIBAR or GAMEDAY) that's capable of delivering next-stage payloads. The Microsoft threat intelligence team, in collaboration with the Computer Emergency Response Team of Ukraine (CERT-UA), attributed the attacks to a Russian nation-state actor known as Turla , which is also tracked under the names Iron Hunter, Secret Blizzard (formerly Krypton), Uroburos, Venomous Bear, and Waterbug. It's linked to Russia's Federal Security Service (FSB). "DeliveryCheck is distributed via email as documents with malicious macros," the company said in a series of tweets. "It persists via a scheduled task that downloads and launches it in memory. It also contacts a C2 server to retrieve tasks, which can include the launch of arbitrary payloads embedded in XSLT stylesheets." Successful initial access is also accompanied in some cases by tThe Hacker News
July 20, 2023 – Malware
New P2PInfect Worm Targeting Redis Servers on Linux and Windows Systems Full Text
Abstract
Cybersecurity researchers have uncovered a new cloud targeting, peer-to-peer (P2P) worm called P2PInfect that targets vulnerable Redis instances for follow-on exploitation. "P2PInfect exploits Redis servers running on both Linux and Windows Operating Systems making it more scalable and potent than other worms," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said . "This worm is also written in Rust, a highly scalable and cloud-friendly programming language." It's estimated that as many as 934 unique Redis systems may be vulnerable to the threat. The first known instance of P2PInfect was detected on July 11, 2023. A notable characteristic of the worm is its ability to infects vulnerable Redis instances by exploiting a critical Lua sandbox escape vulnerability, CVE-2022-0543 (CVSS score: 10.0), which has been previously exploited to deliver multiple malware families such as Muhstik , Redigo , and HeadCrab over the past yeThe Hacker News
July 20, 2023 – General
Microsoft Expands Cloud Logging to Counter Rising Nation-State Cyber Threats Full Text
Abstract
Microsoft on Wednesday announced that it's expanding cloud logging capabilities to help organizations investigate cybersecurity incidents and gain more visibility after facing criticism in the wake of a recent espionage attack campaign aimed at its email infrastructure. The tech giant said it's making the change in direct response to increasing frequency and evolution of nation-state cyber threats. It's expected to roll out starting in September 2023 to all government and commercial customers. "Over the coming months, we will include access to wider cloud security logs for our worldwide customers at no additional cost," Vasu Jakkal, corporate vice president of security, compliance, identity, and management at Microsoft, said . "As these changes take effect, customers can use Microsoft Purview Audit to centrally visualize more types of cloud log data generated across their enterprise." As part of this change, users are expected to receive access toThe Hacker News
July 20, 2023 – Vulnerabilities
Adobe Rolls Out New Patches for Actively Exploited ColdFusion Vulnerability Full Text
Abstract
Adobe has released a fresh round of updates to address an incomplete fix for a recently disclosed ColdFusion flaw that has come under active exploitation in the wild. The critical shortcoming, tracked as CVE-2023-38205 (CVSS score: 7.5), has been described as an instance of improper access control that could result in a security bypass. It impacts the following versions: ColdFusion 2023 (Update 2 and earlier versions) ColdFusion 2021 (Update 8 and earlier versions), and ColdFusion 2018 (Update 18 and earlier versions) "Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion," the company said . The update also addresses two other flaws, including a critical deserialization bug ( CVE-2023-38204 , CVSS score: 9.8) that could lead to remote code execution and a second improper access control flaw that could also pave the way for a security bypass ( CVE-2023-38206 , CVSS score: 5.3). The disclosure arrives daysThe Hacker News
July 19, 2023 – Policy and Law
Legislators say HHS is failing to adequately protect health records from law enforcement Full Text
Abstract
Lawmakers are demanding the Department of Health and Human Services (HHS) to prevent law enforcement from accessing reproductive and other health records without a warrant.Cyware
July 19, 2023 – Education
How to Manage Your Attack Surface? Full Text
Abstract
Attack surfaces are growing faster than security teams can keep up. To stay ahead, you need to know what's exposed and where attackers are most likely to strike. With cloud migration dramatically increasing the number of internal and external targets, prioritizing threats and managing your attack surface from an attacker's perspective has never been more important. Let's look at why it's growing, and how to monitor and manage it properly with tools like Intruder . What is your attack surface? First, it's important to understand that your attack surface is the sum of your digital assets that are 'exposed' – whether the digital assets are secure or vulnerable, known or unknown, in active use or not. This attack surface changes continuously over time, and includes digital assets that are on-premises, in the cloud, in subsidiary networks, and in third-party environments. In short, it's anything that a hacker can attack. What is attack surface managemenThe Hacker News
July 19, 2023 – Botnet
Ukraine’s cyber police dismantled a massive bot farm spreading propaganda Full Text
Abstract
The Cyber Police Department of the National Police of Ukraine dismantled a massive bot farm and seized 150,000 SIM cards. A gang of more than 100 individuals used fake social network accounts to conduct disinformation and psychological operations...Security Affairs
July 19, 2023 – Attack
DangerousPassword Attacks Targeting Developers’ Windows, macOS, and Linux Environments Full Text
Abstract
The targeted attack group DangerousPassword has been continuously attacking cryptocurrency exchange developers since June 2019, using malware that infects Windows, macOS, and Linux environments with Python and Node.js installed.Cyware
July 19, 2023 – Government
CISA and NSA Issue New Guidance to Strengthen 5G Network Slicing Against Threats Full Text
Abstract
U.S. cybersecurity and intelligence agencies have released a set of recommendations to address security concerns with 5G standalone network slicing and harden them against possible threats. "The threat landscape in 5G is dynamic; due to this, advanced monitoring, auditing, and other analytical capabilities are required to meet certain levels of network slicing service level requirements over time," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) said . 5G is the fifth-generation technology standard for broadband cellular networks, offering increased data speeds and lower latency. Network slicing is an architectural model that allows mobile service providers to partition their network up into several independent "slices" in order to create virtual networks that cater to different clients and use cases. The latest advisory builds upon guidance previously issued by the agencies in December 2022, warningThe Hacker News
July 19, 2023 – Government
US Gov adds surveillance firms Cytrox and Intellexa to Entity List for trafficking in cyber exploits Full Text
Abstract
The U.S. government added surveillance technology vendors Cytrox and Intellexa to an economic blocklist for trafficking in cyber exploits. The Commerce Department’s Bureau of Industry and Security (BIS) added surveillance technology vendors Intellexa...Security Affairs
July 19, 2023 – Attack
New Attack Campaign Enters the ‘FakeUpdates’ Arena to Deliver NetSupport RAT Full Text
Abstract
A new campaign called FakeSG, similar to SocGholish, is using hacked WordPress websites to distribute the NetSupport RAT and deliver additional payloads. FakeSG utilizes different layers of obfuscation and delivery techniques.Cyware
July 19, 2023 – APT
Chinese APT41 Hackers Target Mobile Devices with New WyrmSpy and DragonEgg Spyware Full Text
Abstract
The prolific China-linked nation-state actor known as APT41 has been linked to two previously undocumented strains of Android spyware called WyrmSpy and DragonEgg. "Known for its exploitation of web-facing applications and infiltration of traditional endpoint devices, an established threat actor like APT 41 including mobile in its arsenal of malware shows how mobile endpoints are high-value targets with coveted corporate and personal data," Lookout said in a report shared with The Hacker News. APT41, also tracked under the names Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, HOODOO, Wicked Panda, and Winnti, is known to be operational since at least 2007, targeting a wide range of industries to conduct intellectual property theft. Recent attacks mounted by the adversarial collective have leveraged an open-source red teaming tool known as Google Command and Control (GC2) as part of attacks aimed at media and job platforms in Taiwan and Italy. The initThe Hacker News
July 19, 2023 – Vulnerabilities
Citrix warns of actively exploited zero-day in ADC and Gateway Full Text
Abstract
Citrix is warning customers of an actively exploited critical vulnerability in NetScaler Application Delivery Controller (ADC) and Gateway. Citrix is warning customers of a critical vulnerability, tracked as CVE-2023-3519 (CVSS score: 9.8), in NetScaler...Security Affairs
July 19, 2023 – Outage
Norwegian Mining and Recycling Company TOMRA Experiences Disruptive Cyberattack Full Text
Abstract
The cyberattack on TOMRA highlights the ongoing threat to companies involved in critical infrastructure, with potential significant financial and social damage if operations are disrupted.Cyware
July 19, 2023 – Criminals
Exploring the Dark Side: OSINT Tools and Techniques for Unmasking Dark Web Operations Full Text
Abstract
On April 5, 2023, the FBI and Dutch National Police announced the takedown of Genesis Market , one of the largest dark web marketplaces. The operation, dubbed "Operation Cookie Monster," resulted in the arrest of 119 people and the seizure of over $1M in cryptocurrency. You can read the FBI's warrant here for details specific to this case. In light of these events, I'd like to discuss how OSINT can assist with dark web investigations. The Dark Web's anonymity attracts a variety of users, from whistleblowers and political activists to cybercriminals and terrorists. There are several techniques that can be used to try and identify the individuals behind these sites and personas. Technical Vulnerabilities While not considered OSINT, there have been instances when technical vulnerabilities have existed in the technology used to host dark websites. These vulnerabilities may exist in the software itself or be due to misconfigurations, but they can sometimes reveaThe Hacker News
July 19, 2023 – Breach
FIA World Endurance Championship driver passports leaked Full Text
Abstract
Le Mans Endurance Management, operating the FIA World Endurance Championship’s website, exposed the data of hundreds of drivers by leaking their IDs and drivers’ licenses, the Cybernews research team has discovered. On June 16th, our researchers...Security Affairs
July 19, 2023 – General
Trends in Ransomware-as-a-Service and Cryptocurrency to Monitor Full Text
Abstract
To defend against RaaS groups, organizations need a holistic, defense-in-depth approach that includes measures like multi-factor authentication, email security, patch management, and comprehensive asset management.Cyware
July 19, 2023 – Vulnerabilities
Bad.Build Flaw in Google Cloud Build Raises Concerns of Privilege Escalation Full Text
Abstract
Cybersecurity researchers have uncovered a privilege escalation vulnerability in Google Cloud that could enable malicious actors tamper with application images and infect users, leading to supply chain attacks. The issue, dubbed Bad.Build , is rooted in the Google Cloud Build service , according to cloud security firm Orca, which discovered and reported the issue. "By abusing the flaw and enabling an impersonation of the default Cloud Build service, attackers can manipulate images in the Google Artifact Registry and inject malicious code," the company said in a statement shared with The Hacker News. "Any applications built from the manipulated images are then affected and, if the malformed applications are meant to be deployed on customer's environments, the risk crosses from the supplying organization's environment to their customers' environments, constituting a major supply chain risk." Following responsible disclosure, Google has issued aThe Hacker News
July 19, 2023 – Criminals
Ukraine Police Bust Another Bot Farm Accused of Pro-Russia Propaganda, Internet Fraud Full Text
Abstract
Ukraine's Cyber Police shut down yet another bot farm that was reportedly spreading disinformation about the war in Ukraine on social media, just one month after a similar illicit operation was raided in west-central Ukraine.Cyware
July 19, 2023 – Privacy
U.S. Government Blacklists Cytrox and Intellexa Spyware Vendors for Cyber Espionage Full Text
Abstract
The U.S. government on Tuesday added two foreign commercial spyware vendors, Cytrox and Intellexa, to an economic blocklist for weaponizing cyber exploits to gain unauthorized access to devices and "threatening the privacy and security of individuals and organizations worldwide." This includes the companies' corporate holdings in Hungary (Cytrox Holdings Crt), North Macedonia (Cytrox AD), Greece (Intellexa S.A.), and Ireland (Intellexa Limited). By adding to the economic denylist, it prohibits U.S. companies from transacting with these businesses. "Recognizing the increasingly key role that surveillance technology plays in enabling campaigns of repression and other human rights abuses, the Commerce Department's action today targets these entities' ability to access commodities, software, and technology that could contribute to the development of surveillance tools that pose a risk of misuse in violations or abuses of human rights," the Bureau of IndusThe Hacker News
July 19, 2023 – Insider Threat
FIA World Endurance Championship Driver Passports Left Unsecured Full Text
Abstract
On June 16th, Cybernews researchers came across two misconfigured, meaning publicly exposed, Google Cloud Storage buckets. Both combined, they contained over 1.1 million files.Cyware
July 19, 2023 – Vulnerabilities
Zero-Day Attacks Exploited Critical Vulnerability in Citrix ADC and Gateway Full Text
Abstract
Citrix is alerting users of a critical security flaw in NetScaler Application Delivery Controller (ADC) and Gateway that it said is being actively exploited in the wild. Tracked as CVE-2023-3519 (CVSS score: 9.8), the issue relates to a case of code injection that could result in unauthenticated remote code execution. It impacts the following versions - NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13 NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13 NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life) NetScaler ADC 13.1-FIPS before 13.1-37.159 NetScaler ADC 12.1-FIPS before 12.1-55.297, and NetScaler ADC 12.1-NDcPP before 12.1-55.297 The company did not give further details on the flaw tied to CVE-2023-3519 other than to say that exploits for the flaw have been observed on "unmitigated appliances." However, successful exploitation requires the device to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDThe Hacker News
July 18, 2023 – APT
Gamaredon APT Steals Data Within an Hour Full Text
Abstract
Once again, the Gamaredon APT is carrying out a new wave of phishing attacks targeting Ukrainian government agencies, stealing data within an hour of the attack. The campaign is aimed at entities in Ukraine, including security services, military, and government organizations. It is advised tha ... Read MoreCyware
July 18, 2023 – Attack
Pakistani Entities Targeted in Sophisticated Attack Deploying ShadowPad Malware Full Text
Abstract
An unidentified threat actor compromised an application used by multiple entities in Pakistan to deliver ShadowPad , a successor to the PlugX backdoor that's commonly associated with Chinese hacking crews . Targets included a Pakistan government entity, a public sector bank, and a telecommunications provider, according to Trend Micro. The infections took place between mid-February 2022 and September 2022. The cybersecurity company said the incident could be the result of a supply-chain attack, in which a legitimate piece of software used by targets of interest is trojanized to deploy malware capable of gathering sensitive information from compromised systems. The attack chain takes the form of a malicious installer for E-Office , an application developed by the National Information Technology Board (NITB) of Pakistan to help government departments go paperless. It's currently not clear how the backdoored E-Office installer was delivered to the targets. That said, there&The Hacker News
July 18, 2023 – Breach
Virustotal data leak exposed data of some registered customers, including intelligence members Full Text
Abstract
The online malware scanning service VirusTotal leaked data associated with some registered customers, German newspapers reported. German newspapers Der Spiegel and Der Standard reported that the online malware scanning service VirusTotal leaked...Security Affairs
July 18, 2023 – Policy and Law
Update: UKG Agrees to Pay Up to $6M in Lawsuit Tied to 2021 Breach Full Text
Abstract
The ransomware attack, which impacted multiple UKG customers such as Tesla, PepsiCo, Whole Foods, and New York City’s Metropolitan Transportation Authority, hindered some customers’ ability to process payroll.Cyware
July 18, 2023 – Insider Threat
VirusTotal Data Leak Exposes Some Registered Customers’ Details Full Text
Abstract
Data associated with a subset of registered customers of VirusTotal, including their names and email addresses, were exposed after an employee inadvertently uploaded the information to the malware scanning platform. The security incident, which comprises a database of 5,600 names in a 313KB file, was first disclosed by Der Spiegel and Der Standard yesterday. Launched in 2004, VirusTotal is a popular service that analyzes suspicious files and URLs to detect types of malware and malicious content using antivirus engines and website scanners. It was acquired by Google in 2012 and became a subsidiary of Google Cloud's Chronicle unit in 2018. When reached for comment, Google confirmed the leak and said it took immediate steps to remove the data. "We are aware of the unintentional distribution of a small segment of customer group administrator emails and organization names by one of our employees on the VirusTotal platform," a Google Cloud spokesperson told The HackerThe Hacker News
July 18, 2023 – Criminals
FIN8 Group spotted delivering the BlackCat Ransomware Full Text
Abstract
The cybercrime group FIN8 is using a revamped version of the Sardonic backdoor to deliver the BlackCat ransomware. The financially motivated group FIN8 (aka Syssphinx) was spotted using a revamped version of a backdoor tracked as Sardonic to deliver...Security Affairs
July 18, 2023 – Criminals
Black Hat Hacker Exposes Real Identity After Infecting Own Computer With Malware Full Text
Abstract
Using the online moniker ‘La_Citrix’, the threat actor has been active on Russian-speaking cybercrime forums since 2020, offering access to hacked companies and info-stealer logs from active infections.Cyware
July 18, 2023 – Criminals
Go Beyond the Headlines for Deeper Dives into the Cybercriminal Underground Full Text
Abstract
Discover stories about threat actors' latest tactics, techniques, and procedures from Cybersixgill's threat experts each month. Each story brings you details on emerging underground threats, the threat actors involved, and how you can take action to mitigate risks. Learn about the top vulnerabilities and review the latest ransomware and malware trends from the deep and dark web. Stolen ChatGPT credentials flood dark web markets Over the past year, 100,000 stolen credentials for ChatGPT were advertised on underground sites, being sold for as little as $5 on dark web marketplaces in addition to being offered for free. Stolen ChatGPT credentials include usernames, passwords, and other personal information associated with accounts. This is problematic because ChatGPT accounts may store sensitive information from queries, including confidential data and intellectual property. Specifically, companies increasingly incorporate ChatGPT into daily workflows, which means employees may discloseThe Hacker News
July 18, 2023 – Attack
Hacking campaign targets sites using WordPress WooCommerce Payments Plugin Full Text
Abstract
Threat actors are actively exploiting a critical flaw, tracked as CVE-2023-28121, in the WooCommerce Payments WordPress plugin. Threat actors are actively exploiting a recently disclosed critical vulnerability, tracked as CVE-2023-28121 (CVSS score:...Security Affairs
July 18, 2023 – Government
White House Unveils Consumer Labeling Program to Strengthen IoT Security Full Text
Abstract
The Biden administration has considered an Energy Star type of consumer labeling program a key part of an effort to strengthen the nation’s cyber infrastructure following the SolarWinds and Colonial Pipeline attacks.Cyware
July 18, 2023 – Criminals
FIN8 Group Using Modified Sardonic Backdoor for BlackCat Ransomware Attacks Full Text
Abstract
The financially motivated threat actor known as FIN8 has been observed using a "revamped" version of a backdoor called Sardonic to deliver the BlackCat ransomware . According to the Symantec Threat Hunter Team, part of Broadcom, the development is an attempt on the part of the e-crime group to diversify its focus and maximize profits from infected entities. The intrusion attempt took place in December 2022. FIN8 is being tracked by the cybersecurity company under the name Syssphinx. Known to be active since at least 2016, the adversary was originally attributed to attacks targeting point-of-sale (PoS) systems using malware such as PUNCHTRACK and BADHATCH. The group resurfaced after more than a year in March 2021 with an updated version of BADHATCH, following it up with a completely new bespoke implant called Sardonic , which was disclosed by Bitdefender in August 2021. "The C++-based Sardonic backdoor has the ability to harvest system information and execute coThe Hacker News
July 18, 2023 – Attack
JumpCloud revealed it was hit by a sophisticated attack by a nation-state actor Full Text
Abstract
Software firm JumpCloud announced it was the victim of a sophisticated cyber attack carried out by a nation-state actor. JumpCloud is a cloud-based directory service platform designed to manage user identities, devices, and applications in a seamless...Security Affairs
July 18, 2023 – Breach
Phoenician Medical Center Cyberattack Affects Up to 162,500 Patients Full Text
Abstract
The forensic investigation confirmed that there had been unauthorized access to files containing the protected health information of patients, some of which may have been obtained by the hackers.Cyware
July 18, 2023 – Policy and Law
Owner of BreachForums Pleads Guilty to Cybercrime and Child Pornography Charges Full Text
Abstract
Conor Brian Fitzpatrick , the owner of the now-defunct BreachForums website, has pleaded guilty to charges related to his operation of the cybercrime forum as well as having child pornography images. The development, first reported by DataBreaches.net last week, comes nearly four months after Fitzpatrick (aka pompompurin) was formally charged in the U.S. with conspiracy to commit access device fraud and possession of child pornography. BreachForums, launched in March 2022, operated as an illegal marketplace that allowed its members to trade hacked or stolen databases, enabling other criminal actors to gain unauthorized access to target systems. It was shut down in March 2023 shortly after Fitzpatrick's arrest in New York. As many as 888 databases consisting of 14 billion individual records are estimated to have been found in total. The forum had over 333,000 members prior to its takedown. "The purpose of BreachForums, and Fitzpatrick's intent in operating the fThe Hacker News
July 18, 2023 – Breach
‘Millions of emails’ for US military sent to .ml addresses Full Text
Abstract
For the past decade, millions of emails destined for .mil US military addresses were actually directed at .ml addresses, that being the top-level domain for the African nation of Mali, it's claimed.Cyware
July 18, 2023 – Criminals
Cybercriminals Exploiting WooCommerce Payments Plugin Flaw to Hijack Websites Full Text
Abstract
Threat actors are actively exploiting a recently disclosed critical security flaw in the WooCommerce Payments WordPress plugin as part of a massive targeted campaign. The flaw, tracked as CVE-2023-28121 (CVSS score: 9.8), is a case of authentication bypass that enables unauthenticated attackers to impersonate arbitrary users and perform some actions as the impersonated user, including an administrator, potentially leading to site takeover. "Large-scale attacks against the vulnerability, assigned CVE-2023-28121, began on Thursday, July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023," Wordfence security researcher Ram Gall said in a Monday post. Versions 4.8.0 through 5.6.1 of WooCommerce Payments are vulnerable. The plugin is installed on over 600,000 sites. Patches for the bug were released by WooCommerce back in March 2023, with WordPress issuing auto-updates to sites using affected versions ofThe Hacker News
July 18, 2023 – General
Growing Scam Activity Linked to Social Media and Automation Full Text
Abstract
The average number of scam resources per brand across all regions and industries more than doubled year-on-year in 2022, up 162%, according to Group-IB. Additionally, the total number of scam pages detected in 2022 was more than thrice in 2021.Cyware
July 18, 2023 – Breach
JumpCloud Blames ‘Sophisticated Nation-State’ Actor for Security Breach Full Text
Abstract
A little over a week after JumpCloud reset API keys of customers impacted by a security incident, the company said the intrusion was the work of a sophisticated nation-state actor. The adversary "gained unauthorized access to our systems to target a small and specific set of our customers," Bob Phan, chief information security officer (CISO) at JumpCloud, said in a post-mortem report. "The attack vector used by the threat actor has been mitigated." The U.S. enterprise software firm said it identified anomalous activity on June 27, 2023, on an internal orchestration system, which it traced back to a spear-phishing campaign mounted by the attacker on June 22. While JumpCloud said it took security steps to shield its network by rotating credentials and rebuilding its systems, it wasn't until July 5 when it detected "unusual activity" in the commands framework for a small set of customers, prompting a forced-rotation of all admin API keys. The numThe Hacker News
July 18, 2023 – Breach
Dating App That Claims 50 Million Users Suffered a Data Breach Full Text
Abstract
Cybersecurity researcher Jeremiah Fowler discovered a non-password-protected database containing approximately 2.3 million records associated with multiple dating applications.Cyware
July 17, 2023 – Phishing
Meta’s Threads App Used as a Lure Full Text
Abstract
Researchers with Veriti are warning about “over 700 domains related to Threads being registered daily” in recent weeks, offering an Android version of the app for download outside of Google’s official app store.Cyware
July 17, 2023 – Phishing
Hackers Exploit WebAPK to Deceive Android Users into Installing Malicious Apps Full Text
Abstract
Threat actors are taking advantage of Android's WebAPK technology to trick unsuspecting users into installing malicious web apps on Android phones that are designed to capture sensitive personal information. "The attack began with victims receiving SMS messages suggesting the need to update a mobile banking application," researchers from CSIRT KNF said in an analysis released last week. "The link contained in the message led to a site that used WebAPK technology to install a malicious application on the victim's device." The application impersonates PKO Bank Polski, a multinational banking and financial services company headquartered in Warsaw. Details of the campaign were first shared by Polish cybersecurity firm RIFFSEC. WebAPK allows users to install progressive web apps (PWAs) to their home screen on Android devices without having to use the Google Play Store. "When a user installs a PWA from Google Chrome and a WebAPK is used, the mintiThe Hacker News
July 17, 2023 – Vulnerabilities
Adobe warns customers of a critical ColdFusion RCE exploited in attacks Full Text
Abstract
Adobe is warning customers of a critical ColdFusion pre-authentication RCE bug, tracked as CVE-2023-29300, which is actively exploited. Adobe warns customers of a critical ColdFusion pre-authentication remote code execution vulnerability, tracked...Security Affairs
July 17, 2023 – Vulnerabilities
Exploitation of ColdFusion Vulnerability Reported as Adobe Patches Another Critical Flaw Full Text
Abstract
Tracked as CVE-2023-38203 (CVSS score of 9.8), the flaw is described as “deserialization of untrusted data” in ColdFusion versions 2023, 2021, and?2018. This allows an attacker to use specially crafted data to trigger the execution of arbitrary code.Cyware
July 17, 2023 – Solution
These 6 Questions Will Help You Choose the Best Attack Surface Management Platform Full Text
Abstract
The hype around different security categories can make it difficult to discern features and capabilities from bias when researching new platforms. You want to advance your security measures, but what steps actually make sense for your business? For anyone ready to find an attack surface management (ASM) vendor , review these six questions before getting started to understand the key features to look for in an ASM platform and the qualities of the vendor who supports it. Refer to these as your quick guide for interviewing vendors to walk away with the most suitable ASM platform for your needs. Checklist: 6 Questions to Ask Attack Surface Management Vendors Does your platform have the capability to discover the unknown? How do you prevent alert fatigue, prioritize alerts and remove false positives? Can you track attack surface changes over time? How do you plan to evolve the platform going forward? What services related to ASM do you offer? Can we demo or test run the plThe Hacker News
July 17, 2023 – Criminals
Admins of Genesis Market marketplace sold their infrastructure on a hacker forum Full Text
Abstract
The admins of the darkweb Genesis Market announced the sale of their platform to a threat actor that will restart operations next month. In April, the FBI seized the Genesis Market, a black marketplace for stolen credentials that was launched in 2017....Security Affairs
July 17, 2023 – Malware
Update: Google Removes Swing VPN Android App Exposed as DDoS Botnet Full Text
Abstract
The incident serves as a reminder that even seemingly legitimate apps can harbor dangerous intentions, highlighting the importance of staying informed and vigilant against cyber threats.Cyware
July 17, 2023 – General
Malicious USB Drives Targetinging Global Targets with SOGU and SNOWYDRIVE Malware Full Text
Abstract
Cyber attacks using infected USB infection drives as an initial access vector have witnessed a three-fold increase in the first half of 2023, That's according to new findings from Mandiant, which detailed two such campaigns – SOGU and SNOWYDRIVE – targeting both public and private sector entities across the world. SOGU is the "most prevalent USB-based cyber espionage attack using USB flash drives and one of the most aggressive cyber espionage campaigns targeting both public and private sector organizations globally across industry verticals," the Google-owned threat intelligence firm said . The activity has been attributed to a China-based cluster called TEMP.Hex, which is also tracked under the names Camaro Dragon, Earth Preta, and Mustang Panda. Targets include construction and engineering, business services, government, health, transportation, and retail in Europe, Asia, and the U.S. The infection chain detailed by Mandiant exhibits tactical commonalities withThe Hacker News
July 17, 2023 – Attack
Hackers Target Pakistani Government, Bank, and Telecom Provider With China-Made Malware Full Text
Abstract
Cybersecurity firm Trend Micro identified three entities in Pakistan targeted by Shadowpad last year: an unnamed government agency, a state bank, and a telecommunications provider.Cyware
July 17, 2023 – Criminals
Cybercriminals Exploit Microsoft Word Vulnerabilities to Deploy LokiBot Malware Full Text
Abstract
Microsoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called LokiBot on compromised systems. "LokiBot, also known as Loki PWS, has been a well-known information-stealing Trojan active since 2015," Fortinet FortiGuard Labs researcher Cara Lin said . "It primarily targets Windows systems and aims to gather sensitive information from infected machines." The cybersecurity company, which spotted the campaign in May 2023, said the attacks take advantage of CVE-2021-40444 and CVE-2022-30190 (aka Follina) to achieve code execution. The Word file that weaponizes CVE-2021-40444 contains an external GoFile link embedded within an XML file that leads to the download of an HTML file, which exploits Follina to download a next-stage payload, an injector module written in Visual Basic that decrypts and launches LokiBot. The injector also features evasion techniques to check for the presence of debuggers aThe Hacker News
July 17, 2023 – Breach
Global Data Breach Could Impact 70,000 Residents, Vendor Employees With Hillsborough County Full Text
Abstract
Hillsborough County said they've mailed notification letters to 70,636 people who are clients of Healthcare services and vendors of aging services who they know were impacted.Cyware
July 17, 2023 – APT
Russia-Linked Gamaredon APT Starts Stealing Data From Victims Between 30 and 50 Minutes After the Initial Compromise Full Text
Abstract
The Russia-linked APT group employs spear-phishing emails and messages, such as on Telegram and Signal, to trick victims into opening malicious attachments. Gamaredon uses malware and PowerShell scripts for reconnaissance and executing commands.Cyware
July 17, 2023 – Malware
New AVrecon Malware Infects 70,000 Linux Routers Across 20 Countries Full Text
Abstract
A stealthy Linux malware, dubbed AVrecon, was found targeting more than 70,000 Linux-based SOHO routers at least since May 2021. It reportedly hijacked these devices to form a botnet that could steal bandwidth and provide a hidden residential proxy service. A total of 15 second-stage control server ... Read MoreCyware
July 17, 2023 – Attack
Hackers Target Reddit Alternative Lemmy via Zero-Day Vulnerability Full Text
Abstract
A few days ago, an attacker leveraged a cross-site scripting (XSS) vulnerability to deface pages on some popular instances, including Lemmy.world, the most popular instance, which has over 100,000 users.Cyware
July 17, 2023 – Hacker
CERT-UA Uncovers Gamaredon’s Rapid Data Exfiltration Tactics Following Initial Compromise Full Text
Abstract
The Russia-linked threat actor known as Gamaredon has been observed conducting data exfiltration activities within an hour of the initial compromise. "As a vector of primary compromise, for the most part, emails and messages in messengers (Telegram, WhatsApp, Signal) are used, in most cases, using previously compromised accounts," the Computer Emergency Response Team of Ukraine (CERT-UA) said in an analysis of the group published last week. Gamaredon , also called Aqua Blizzard, Armageddon, Shuckworm, or UAC-0010, is a state-sponsored actor with ties to the SBU Main Office in the Autonomous Republic of Crimea, which was annexed by Russia in 2014. The group is estimated to have infected thousands of government computers. It is also one of the many Russian hacking crews that have maintained an active presence since the start of the Russo-Ukrainian war in February 2022, leveraging phishing campaigns to deliver PowerShell backdoors such as GammaSteel to conduct reconThe Hacker News
July 17, 2023 – Vulnerabilities
Cisco fixed a critical flaw in SD-WAN vManage Full Text
Abstract
Cisco warns of a critical unauthenticated REST API access vulnerability, tracked as CVE-2023-20214, impacting its SD-WAN vManage. Cisco addressed a critical unauthenticated REST API access vulnerability, tracked as CVE-2023-20214 (CVSS Score 9.1),...Security Affairs
July 17, 2023 – Government
FCC Chair Proposes $200M Investment to Boost K-12 Cybersecurity Full Text
Abstract
The move follows urgent calls for the FCC to update its E-rate program to cover advanced firewalls and other network security measures. The pilot program is part of FCC Chairwoman Jessica Rosenworcel’s Learn Without Limits initiative.Cyware
July 17, 2023 – Policy and Law
Pompompurin, the BreachForums owner, pleads guilty to hacking charges and possession of child pornography Full Text
Abstract
The owner of the BreachForums Conor Brian Fitzpatrick, aka Pompompurin, pleads guilty to hacking charges. The owner of the BreachForums Conor Brian Fitzpatrick agrees to plead guilty to a three-count criminal information charging the defendant with...Security Affairs
July 16, 2023 – Malware
WormGPT, the generative AI tool to launch sophisticated BEC attacks Full Text
Abstract
The WormGPT case: How Generative artificial intelligence (AI) can improve the capabilities of cybercriminals and allows them to launch sophisticated attacks. Researchers from SlashNext warn of the dangers related to a new generative AI cybercrime...Security Affairs
July 15, 2023 – Criminals
WormGPT: New AI Tool Allows Cybercriminals to Launch Sophisticated Cyber Attacks Full Text
Abstract
With generative artificial intelligence (AI) becoming all the rage these days, it's perhaps not surprising that the technology has been repurposed by malicious actors to their own advantage, enabling avenues for accelerated cybercrime. According to findings from SlashNext, a new generative AI cybercrime tool called WormGPT has been advertised on underground forums as a way for adversaries to launch sophisticated phishing and business email compromise ( BEC ) attacks. "This tool presents itself as a blackhat alternative to GPT models, designed specifically for malicious activities," security researcher Daniel Kelley said . "Cybercriminals can use such technology to automate the creation of highly convincing fake emails, personalized to the recipient, thus increasing the chances of success for the attack." The author of the software has described it as the "biggest enemy of the well-known ChatGPT" that "lets you do all sorts of illegal stuff.The Hacker News
July 15, 2023 – General
USB Flash Drives for Malware Attack Surges Full Text
Abstract
Mandiant experts have observed a significant rise in malware attacks aimed at stealing sensitive information through the use of USB drives. The attacks targeted a variety of industries including those in construction, engineering, government, manufacturing, retail, media, and pharmaceutical. Organi ... Read MoreCyware
July 15, 2023 – Breach
Microsoft Bug Allowed Hackers to Breach Over Two Dozen Organizations via Forged Azure AD Tokens Full Text
Abstract
Microsoft on Friday said a validation error in its source code allowed for Azure Active Directory (Azure AD) tokens to be forged by a malicious actor known as Storm-0558 using a Microsoft account (MSA) consumer signing key to breach two dozen organizations. "Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com," the tech giant said in a deeper analysis of the campaign. "The method by which the actor acquired the key is a matter of ongoing investigation." "Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected." It's not immediately clear if the token validation issue was exploited as a "zero-day vulnerability" or if Microsoft was already aware of the problem before it came under in-the-wild abuse. The attacks singlThe Hacker News
July 15, 2023 – Malware
Meet CustomerLoader: A Multifaceted Malware Unleashing Diverse Payloads Full Text
Abstract
An unreported .NET loader referred to as CustomerLoader is being distributed through deceptive phishing emails, YouTube videos, and web pages that mimicked genuine websites. This loader possesses the capability to retrieve, decrypt, and execute additional payloads.Cyware
July 15, 2023 – General
Security Affairs newsletter Round 428 by Pierluigi Paganini – International edition Full Text
Abstract
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Russia-linked...Security Affairs
July 15, 2023 – General
Satellites lack standard security mechanisms found in mobile phones and laptops Full Text
Abstract
Researchers from Ruhr University Bochum and the CISPA Helmholtz Center for Information Security in Saarbrücken have assessed the security mechanisms of satellites currently orbiting the Earth from an IT perspective.Cyware
July 15, 2023 – APT
Russia-linked APT Gamaredon starts stealing data from victims between 30 and 50 minutes after the initial compromise Full Text
Abstract
Ukraine's Computer Emergency Response Team (CERT-UA) states that Russia-linked APT Gamaredon starts stealing data 30 minutes after the initial compromise. Ukraine's Computer Emergency Response Team (CERT-UA) is warning that the Russia-linked APT group...Security Affairs
July 15, 2023 – Privacy
Three Tax Prep Firms Shared ‘Extraordinarily Sensitive’ Data About Taxpayers With Meta, Lawmakers Say Full Text
Abstract
A group of congressional Democrats reported that three large tax preparation firms sent “extraordinarily sensitive” information on tens of millions of taxpayers to Facebook parent company Meta over the course of at least two years.Cyware
July 14, 2023 – Vulnerabilities
Popular WordPress Security Plugin Caught Logging Plaintext Passwords Full Text
Abstract
It was discovered that AIOS version 5.1.9 writes plaintext passwords from login attempts to the database, which essentially provides any privileged user with access to the login credentials of all other administrator users.Cyware
July 14, 2023 – Vulnerabilities
Critical Security Flaws Uncovered in Honeywell Experion DCS and QuickBlox Services Full Text
Abstract
Multiple security vulnerabilities have been discovered in various services, including Honeywell Experion distributed control system (DCS) and QuickBlox, that, if successfully exploited, could result in severe compromise of affected systems. Dubbed Crit.IX, the nine flaws in the Honeywell Experion DCS platform allow for "unauthorized remote code execution, which means an attacker would have the power to take over the devices and alter the operation of the DCS controller, whilst also hiding the alterations from the engineering workstation that manages the controller," Armis said in a statement shared with The Hacker News. Put differently, the issues relate to lack of encryption and adequate authentication mechanisms in a proprietary protocol called Control Data Access (CDA) that's used to communicate between Experion Servers and C300 controllers, effectively enabling a threat actor to take over the devices and alter the operation of the DCS controller. "As aThe Hacker News
July 14, 2023 – Breach
The source code of the BlackLotus UEFI Bootkit was leaked on GitHub Full Text
Abstract
The source code for the BlackLotus UEFI bootkit has been published on GitHub and experts warn of the risks of proliferation of custom versions. Researchers from ESET discovered in March a new stealthy Unified Extensible Firmware Interface (UEFI) bootkit,...Security Affairs
July 14, 2023 – Breach
BlackLotus UEFI Bootkit Source Code Leaked on GitHub Full Text
Abstract
The BlackLotus source code that was published on GitHub on Wednesday has been stripped of the ‘Baton Drop’ exploit targeting CVE-2022-21894, and uses the bootlicker UEFI firmware rootkit, but contains the rest of the original code.Cyware
July 14, 2023 – Insider Threat
Defend Against Insider Threats: Join this Webinar on SaaS Security Posture Management Full Text
Abstract
As security practices continue to evolve, one primary concern persists in the minds of security professionals—the risk of employees unintentionally or deliberately exposing vital information. Insider threats, whether originating from deliberate actions or accidental incidents, pose a significant challenge to safeguarding sensitive data. To effectively address insider risks, organizations must adopt a holistic approach that encompasses technical, procedural, and human elements. While access controls, encryption, and monitoring systems are crucial for identifying and mitigating unauthorized access and suspicious activities, the increasing prevalence of cloud-based environments and the surge in SaaS application usage demand a fresh perspective on Insider Risk Management from a SaaS security standpoint. Stay ahead of the game by embracing the SaaS security lens. Join us for an enlightening webinar where we will demonstrate how security practitioners can proactively adapt their approachThe Hacker News
July 14, 2023 – Government
US CISA warns of Rockwell Automation ControlLogix flaws Full Text
Abstract
The U.S. CISA warns of two flaws impacting Rockwell Automation ControlLogix that can lead to remote code execution and DoS attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of two vulnerabilities affecting Rockwell...Security Affairs
July 14, 2023 – Government
CISA Gives US Civilian Agencies Until August 1 to Resolve Four Microsoft Vulnerabilities Full Text
Abstract
The inclusion of the four vulnerabilities — CVE-2023-32046, CVE-2023-32049, CVE-2023-35311, and CVE-2023-36874 — into CISA’s catalog means the bugs are already being exploited by hackers.Cyware
July 14, 2023 – Insider Threat
AIOS WordPress Plugin Faces Backlash for Storing User Passwords in Plain Text Full Text
Abstract
All-In-One Security (AIOS), a WordPress plugin installed on over one million sites, has issued a security update after a bug introduced in version 5.1.9 of the software caused users' passwords being added to the database in plaintext format. "A malicious site administrator (i.e. a user already logged into the site as an admin) could then have read them," UpdraftPlus, the maintainers of AIOS, said . "This would be a problem if those site administrators were to try out those passwords on other services where your users might have used the same password. If those other services' logins are not protected by two-factor authentication, this could be a risk to the affected website." The issue surfaced nearly three weeks ago when a user of the plugin reported the behavior, stating they were "absolutely shocked that a security plugin is making such a basic security 101 error." AIOS also noted that the updates remove the existing logged data from thThe Hacker News
July 14, 2023 – Vulnerabilities
Indexing Over 15 Million WordPress Websites with PWNPress Full Text
Abstract
Sicuranex's PWNPress platform indexed over 15 million WordPress websites, it collects data related to vulnerabilities and misconfigurations Leveraging the extensive Common Crawl dataset and pushing the boundaries of data analysis, cybersecurity firm...Security Affairs
July 14, 2023 – Business
Secure Code Warrior Lands $50M to Educate Developers on Best Cyber Practices Full Text
Abstract
With a recent $50 million Series C funding round led by Paladin Capital Group, Secure Code Warrior plans to improve its platform and expand its workforce to meet the growing demand for cybersecurity skills training.Cyware
July 14, 2023 – Attack
TeamTNT’s Cloud Credential Stealing Campaign Now Targets Azure and Google Cloud Full Text
Abstract
A malicious actor has been linked to a cloud credential stealing campaign in June 2023 that's focused on Azure and Google Cloud Platform (GCP) services, marking the adversary's expansion in targeting beyond Amazon Web Services (AWS). The findings come from SentinelOne and Permiso , which said the "campaigns share similarity with tools attributed to the notorious TeamTNT cryptojacking crew," although it emphasized that "attribution remains challenging with script-based tools." They also overlap with an ongoing TeamTNT campaign disclosed by Aqua called Silentbob that leverages misconfigured cloud services to drop malware as part of what's said to be a testing effort, while also linking SCARLETEEL attacks to the threat actor, citing infrastructure commonalities. "TeamTNT is scanning for credentials across multiple cloud environments, including AWS, Azure, and GCP," Aqua noted. The attacks, which single out public-facing Docker instancThe Hacker News
July 14, 2023 – Botnet
New AVrecon botnet remained under the radar for two years while targeting SOHO Routers Full Text
Abstract
A new malware dubbed AVrecon targets small office/home office (SOHO) routers, it infected over 70,000 devices from 20 countries. Lumen Black Lotus Labs uncovered a long-running hacking campaign targeting SOHO routers with a strain of malware dubbed AVrecon. The...Security Affairs
July 14, 2023 – Vulnerabilities
Hardcoded Accounts Allow Full Takeover of Technicolor Routers Full Text
Abstract
Multiple hardcoded credentials found on the Technicolor TG670 DSL gateway router allow attackers to completely take over devices, the CERT Coordination Center (CERT/CC) warns.Cyware
July 14, 2023 – Malware
New SOHO Router Botnet AVrecon Spreads to 70,000 Devices Across 20 Countries Full Text
Abstract
A new malware strain has been found covertly targeting small office/home office (SOHO) routers for more than two years, infiltrating over 70,000 devices and creating a botnet with 40,000 nodes spanning 20 countries. Lumen Black Lotus Labs has dubbed the malware AVrecon , making it the third such strain to focus on SOHO routers after ZuoRAT and HiatusRAT over the past year. "This makes AVrecon one of the largest SOHO router-targeting botnets ever seen," the company said . "The purpose of the campaign appears to be the creation of a covert network to quietly enable a range of criminal activities from password spraying to digital advertising fraud." A majority of the infections are located in the U.K. and the U.S., followed by Argentina, Nigeria, Brazil, Italy, Bangladesh, Vietnam, India, Russia, and South Africa, among others. AVrecon was first highlighted by Kaspersky senior security researcher Ye (Seth) Jin in May 2021, indicating that the malware hasThe Hacker News
July 14, 2023 – Attack
Norwegian Refugee Council hit by cyberattack Full Text
Abstract
The NRC said it immediately suspended the database to protect the data and prevent further attacks. They also launched an external forensic investigation to determine the scope and impact of the cyberattack.Cyware
July 14, 2023 – Vulnerabilities
Zimbra Warns of Critical Zero-Day Flaw in Email Software Amid Active Exploitation Full Text
Abstract
Zimbra has warned of a critical zero-day security flaw in its email software that has come under active exploitation in the wild. "A security vulnerability in Zimbra Collaboration Suite Version 8.8.15 that could potentially impact the confidentiality and integrity of your data has surfaced," the company said in an advisory. It also said that the issue has been addressed and that it's expected to be delivered in the July patch release. Additional details about the flaw are currently unavailable. In the interim, it is urging customers to apply a manual fix to eliminate the attack vector - Take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto Edit this file and go to line number 40 Update the parameter value as: Before the update, the line appeared as: WhiThe Hacker News
July 13, 2023 – Vulnerabilities
Juniper Networks Patches High-Severity Vulnerabilities in Junos OS Full Text
Abstract
The company published 17 advisories detailing roughly a dozen Junos OS-specific security defects, and nearly three times as many issues in third-party components used in its products.Cyware
July 13, 2023 – Malware
PicassoLoader Malware Used in Ongoing Attacks on Ukraine and Poland Full Text
Abstract
Government entities, military organizations, and civilian users in Ukraine and Poland have been targeted as part of a series of campaigns designed to steal sensitive data and gain persistent remote access to the infected systems. The intrusion set, which stretches from April 2022 to July 2023, leverages phishing lures and decoy documents to deploy a downloader malware called PicassoLoader, which acts as a conduit to launch Cobalt Strike Beacon and njRAT. "The attacks used a multistage infection chain initiated with malicious Microsoft Office documents, most commonly using Microsoft Excel and PowerPoint file formats," Cisco Talos researcher Vanja Svajcer said in a new report. "This was followed by an executable downloader and payload concealed in an image file, likely to make its detection more difficult." Some of the activities have been attributed to a threat actor called GhostWriter (aka UAC-0057 or UNC1151), whose priorities are said to align with the BeThe Hacker News
July 13, 2023 – Vulnerabilities
Apple re-released Rapid Security Response to fix recently disclosed zero-day Full Text
Abstract
Apple re-released its Rapid Security Response updates for iOS and macOS after fixing browsing issues on certain websites caused by the first RSR. Apple has re-released its Rapid Security Response updates to address the CVE-2023-37450 flaw in iOS and macOS...Security Affairs
July 13, 2023 – Attack
Tampa Bay Zoo Targeted in Cyberattack by Apparent Offshoot of Royal Ransomware Full Text
Abstract
One of the U.S.’s most popular zoos has been hit with a cyberattack involving the theft of employee and vendor information, and a likely offshoot of the Royal ransomware gang is taking credit.Cyware
July 13, 2023 – Botnet
TeamTNT’s Silentbob Botnet Infecting 196 Hosts in Cloud Attack Campaign Full Text
Abstract
As many as 196 hosts have been infected as part of an aggressive cloud campaign mounted by the TeamTNT group called Silentbob . "The botnet run by TeamTNT has set its sights on Docker and Kubernetes environments, Redis servers, Postgres databases, Hadoop clusters, Tomcat and Nginx servers, Weave Scope, SSH, and Jupyter applications," Aqua security researchers Ofek Itach and Assaf Morag said in a report shared with The Hacker News. "The focus this time seems to be more on infecting systems and testing the botnet, rather than deploying cryptominers for profit." The development arrives a week after the cloud security company detailed an intrusion set linked to the TeamTNT group that targets exposed JupyterLab and Docker APIs to deploy the Tsunami malware and hijack system resources to run a cryptocurrency miner. The latest findings suggest a broader campaign and the use of a larger attack infrastructure than previously thought, including various shell scriptThe Hacker News
July 13, 2023 – Vulnerabilities
Zimbra urges customers to manually fix actively exploited zero-day reported by Google TAG Full Text
Abstract
Zimbra has released updates to address a zero-day vulnerability actively exploited in attacks aimed at Zimbra Collaboration Suite (ZCS) email servers. Zimbra urges customers to manually install updates to fix a zero-day vulnerability that is actively...Security Affairs
July 13, 2023 – Criminals
Criminals Target Businesses With Malicious Extension for Meta’s Ads Manager and Accidentally Leak Stolen Accounts Full Text
Abstract
The Vietnamese threat actors are using malicious Chrome extensions to steal Facebook account credentials, with over 800 victims worldwide and $180K in compromised ad budget.Cyware
July 13, 2023 – Vulnerabilities
Fake PoC for Linux Kernel Vulnerability on GitHub Exposes Researchers to Malware Full Text
Abstract
In a sign that cybersecurity researchers continue to be under the radar of malicious actors, a proof-of-concept (PoC) has been discovered on GitHub, concealing a backdoor with a "crafty" persistence method. "In this instance, the PoC is a wolf in sheep's clothing, harboring malicious intent under the guise of a harmless learning tool," Uptycs researchers Nischay Hegde and Siddartha Malladi said . "Operating as a downloader, it silently dumps and executes a Linux bash script, all the while disguising its operations as a kernel-level process." The repository masquerades as a PoC for CVE-2023-35829 , a recently disclosed high-severity flaw in the Linux kernel. It has since been taken down, but not before it was forked 25 times. Another PoC shared by the same account, ChriSanders22, for CVE-2023-20871 , a privilege escalation bug impacting VMware Fusion, was forked twice. Uptypcs also identified a second GitHub profile containing a bogus PoC fThe Hacker News
July 13, 2023 – Breach
Chinese hackers compromised emails of U.S. Government agencies Full Text
Abstract
Chinese hackers have compromised the emails of an unnamed US Federal Civilian Executive Branch (FCEB) agency. In Mid-June a malicious email activity was reported by an unnamed US Federal Civilian Executive Branch (FCEB) agency. Microsoft experts who investigated...Security Affairs
July 13, 2023 – General
Ransomware Crypto Payments Poised to Set New Record in 2023 Full Text
Abstract
While overall crypto proceeds, including from crimes such as scams, fell dramatically over the past year, ransomware funds are expected to hit $899 million in 2023, according to Chainalysis.Cyware
July 13, 2023 – Vulnerabilities
Rockwell Automation ControlLogix Bugs Expose Industrial Systems to Remote Attacks Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has alerted of two security flaws impacting Rockwell Automation ControlLogix EtherNet/IP (ENIP) communication module models that could be exploited to achieve remote code execution and denial-of-service (DoS). "The results and impact of exploiting these vulnerabilities vary depending on the ControlLogix system configuration, but they could lead to denial or loss of control, denial or loss of view, theft of operational data, or manipulation of control for disruptive or destructive consequences on the industrial process for which the ControlLogix system is responsible," Draogos said . The list of flaws is as follows - CVE-2023-3595 (CVSS score: 9.8) - An out-of-bounds write flaw impacting 1756 EN2* and 1756 EN3* products that could result in arbitrary code execution with persistence on the target system through maliciously crafted common industrial protocol ( CIP ) messages. CVE-2023-3596 (CVSS score: 7.5The Hacker News
July 13, 2023 – Vulnerabilities
SonicWall urges organizations to fix critical flaws in GMS/Analytics products Full Text
Abstract
SonicWall fixed multiple critical vulnerabilities impacting its GMS firewall management and Analytics management and reporting engine. SonicWall addressed multiple critical vulnerabilities in its Global Management System (GMS) firewall management...Security Affairs
July 13, 2023 – Vulnerabilities
APT Exploit Targeting Rockwell Automation Flaws Threatens Critical Infrastructure Full Text
Abstract
The 1756 EN2 and 1756 EN3 products are impacted by CVE-2023-3595, a critical flaw that can allow attackers to achieve remote code execution with persistence on targeted systems by using specially crafted Common Industrial Protocol (CIP) messages.Cyware
July 13, 2023 – Breach
U.S. Government Agencies’ Emails Compromised in China-Backed Cyber Attack Full Text
Abstract
An unnamed Federal Civilian Executive Branch (FCEB) agency in the U.S. detected anomalous email activity in mid-June 2023, leading to Microsoft's discovery of a new China-linked espionage campaign targeting two dozen organizations. The details come from a joint cybersecurity advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) on July 12, 2023. "In June 2023, a Federal Civilian Executive Branch (FCEB) agency identified suspicious activity in their Microsoft 365 (M365) cloud environment," the authorities said . "Microsoft determined that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data." While the name of the government agency was not revealed, CNN and the Washington Post reported it was the U.S. State Department, citing people familiar with the matter. Also targeted were the Commerce Department as well as the email accouThe Hacker News
July 13, 2023 – Attack
Unpatched Office Zero-Day CVE-2023-36884 Actively Exploited in Targeted Attacks Full Text
Abstract
“An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim," reads the advisory published by Microsoft.Cyware
July 13, 2023 – Vulnerabilities
New Vulnerabilities Disclosed in SonicWall and Fortinet Network Security Products Full Text
Abstract
SonicWall on Wednesday urged customers of Global Management System (GMS) firewall management and Analytics network reporting engine software to apply the latest fixes to secure against a set of 15 security flaws that could be exploited by a threat actor to circumvent authentication and access sensitive information. Of the 15 shortcomings (tracked from CVE-2023-34123 through CVE-2023-34137), four are rated Critical, four are rated High, and seven are rated Medium in severity. The vulnerabilities were disclosed by NCC Group. The flaws impact on-premise versions of GMS 9.3.2-SP1 and before and Analytics 2.5.0.4-R7 and before. Fixes are available in versions GMS 9.3.3 and Analytics 2.5.2. "The suite of vulnerabilities allows an attacker to view data that they are not normally able to retrieve," SonicWall said . "This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or deleThe Hacker News
July 13, 2023 – Encryption
Only 45% of Cloud Data is Currently Encrypted Full Text
Abstract
About 39% of businesses experienced a data breach in their cloud environment last year, an increase from the 35% reported in 2022, according to Thales. Human error was reported as the leading cause of cloud data breaches by 55% of those surveyed.Cyware
July 13, 2023 – Malware
New Attack Drops LokiBot Malware via Malicious Macros in Word Documents Full Text
Abstract
FortiGuard Labs recently uncovered a concerning discovery in their investigation, revealing a series of malicious Microsoft Office documents designed to take advantage of well-known vulnerabilities.Cyware
July 13, 2023 – Policy and Law
Silk Road Drug Market’s ‘Mentor’ Sentenced to 20 Years in Prison Full Text
Abstract
During its operation from 2011 until 2013, Silk Road was used by thousands of drug dealers to distribute narcotics and other illicit goods and services to more than 100,000 buyers and to launder hundreds of millions from those unlawful transactions.Cyware
July 12, 2023 – Policy and Law
British Prosecutors Say Teen Lapsus$ Member Was Behind Hacks on Uber, Rockstar Full Text
Abstract
A British Crown Court on Tuesday lifted a reporting restriction, allowing the naming of teenager Arion Kurtaj who is accused of hacking Uber, Revolut, and video game developer Rockstar Games in a short period of time last September.Cyware
July 12, 2023 – General
Ransomware Extortion Skyrockets in 2023, Reaching $449.1 Million and Counting Full Text
Abstract
Ransomware has emerged as the only cryptocurrency-based crime to grow in 2023, with cybercriminals extorting nearly $175.8 million more than they did a year ago, according to findings from Chainalysis. "Ransomware attackers are on pace for their second-biggest year ever, having extorted at least $449.1 million through June," the blockchain analytics firm said in a midyear crypto crime report shared with The Hacker News. "If this pace continues, ransomware attackers will extort $898.6 million from victims in 2023, trailing only 2021's $939.9 million." In contrast, crypto scams have pulled in 77% less revenue than they did through June of 2022, largely driven by the abrupt exit of VidiLook , which pays users VDL tokens in return for watching digital ads that then can be exchanged for large rewards. So have the inflows to illicit addresses associated with malware, darknet markets, child abuse material, and fraud shops. The development, following a declineThe Hacker News
July 12, 2023 – Vulnerabilities
Citrix fixed a critical flaw in Secure Access Client for Ubuntu Full Text
Abstract
Citrix fixed a critical flaw affecting the Secure Access client for Ubuntu that could be exploited to achieve remote code execution. Citrix addressed a critical vulnerability, tracked as CVE-2023-24492 (CVSS score of 9.6), affecting the Secure Access...Security Affairs
July 12, 2023 – Criminals
Staying ahead of the “professionals”: The service-oriented ransomware crime industry Full Text
Abstract
The total amount of ransom paid since 2020 is estimated to be at least $2 billion, and this has both motivated and enabled the groups who are profiting from this activity to become more professional.Cyware
July 12, 2023 – Education
The Risks and Preventions of AI in Business: Safeguarding Against Potential Pitfalls Full Text
Abstract
Artificial intelligence (AI) holds immense potential for optimizing internal processes within businesses. However, it also comes with legitimate concerns regarding unauthorized use, including data loss risks and legal consequences. In this article, we will explore the risks associated with AI implementation and discuss measures to minimize damages. Additionally, we will examine regulatory initiatives by countries and ethical frameworks adopted by companies to regulate AI. Security risks AI phishing attacks Cybercriminals can leverage AI in various ways to enhance their phishing attacks and increase their chances of success. Here are some ways AI can be exploited for phishing: - Automated Phishing Campaigns: AI-powered tools can automate the creation and dissemination of phishing emails on a large scale. These tools can generate convincing email content, craft personalized messages, and mimic the writing style of a specific individual, making phishing attempts appear more legitThe Hacker News
July 12, 2023 – Criminals
Cl0p hacker operating from Russia-Ukraine war front line – exclusive Full Text
Abstract
CyberNews researchers discovered that at least one of the Cl0p ransomware gang masterminds is still residing in Ukraine. Original post at: https://cybernews.com/security/cl0p-hacker-hides-in-ukraine/ As the Cl0p ransomware gang continues to sow anxiety...Security Affairs
July 12, 2023 – Government
Biden’s Cyber Command and NSA Nominee Seen as a Pick for Continuity Full Text
Abstract
At his first Senate confirmation hearing on Wednesday, Air Force Lt. Gen. Timothy Haugh, Cyber Command’s deputy chief, will explain how he plans to fill the shoes of Paul Nakasone.Cyware
July 12, 2023 – Attack
Microsoft Thwarts Chinese Cyber Attack Targeting Western European Governments Full Text
Abstract
Microsoft on Tuesday revealed that it repelled a cyber attack staged by a Chinese nation-state actor targeting two dozen organizations, some of which include government agencies, in a cyber espionage campaign designed to acquire confidential data. The attacks, which commenced on May 15, 2023, entailed access to email accounts affecting approximately 25 entities and a small number of related individual consumer accounts. The tech giant attributed the campaign to Storm-0558, describing it as a nation-state activity group based out of China that primarily singles out government agencies in Western Europe. "They focus on espionage, data theft, and credential access," Microsoft said . "They are also known to use custom malware that Microsoft tracks as Cigril and Bling, for credential access." The breach is said to have been detected a month later on June 16, 2023, after an unidentified customer reported the anomalous email activity to the company. Microsoft saiThe Hacker News
July 12, 2023 – Vulnerabilities
Fortinet fixed a critical flaw in FortiOS and FortiProxy Full Text
Abstract
Fortinet warns of a critical vulnerability impacting FortiOS and FortiProxy that can allow remote attackers to perform arbitrary code execution. Fortinet has disclosed a critical vulnerability, tracked as CVE-2023-33308 (CVSS score 9.8), that impacts...Security Affairs
July 12, 2023 – Criminals
Cl0p Crime Group Adds 62 Ernst & Young Clients to Leak Sites Full Text
Abstract
The growing list of MOVEit cyberattack victims has grown. Sixty-two clients of Big Four accounting firm Ernst & Young now appear on the Clop ransomware group's data leak sites.Cyware
July 12, 2023 – Hacker
Chinese Hackers Deploy Microsoft-Signed Rootkit to Target Gaming Sector Full Text
Abstract
Cybersecurity researchers have unearthed a novel rootkit signed by Microsoft that's engineered to communicate with an actor-controlled attack infrastructure. Trend Micro has attributed the activity cluster to the same actor that was previously identified as behind the FiveSys rootkit , which came to light in October 2021. "This malicious actor originates from China and their main victims are the gaming sector in China," Trend Micro's Mahmoud Zohdy, Sherif Magdy, and Mohamed Fahmy said . Their malware seems to have passed through the Windows Hardware Quality Labs ( WHQL ) process for getting a valid signature. Multiple variants of the rootkit spanning eight different clusters have been discovered, with 75 such drivers signed using Microsoft's WHQL program in 2022 and 2023. Trend Micro's analysis of some of the samples has revealed the presence of debug messages in the source code, indicating that the operation is still in the development and testing phasThe Hacker News
July 12, 2023 – Attack
Microsoft mitigated an attack by Chinese threat actor Storm-0558 Full Text
Abstract
Microsoft announced it has mitigated a cyber attack by a China-linked threat actor, tracked as Storm-0558, which targeted customer emails. Microsoft announced it has mitigated an attack conducted by a China-linked threat actor, tracked as Storm-0558,...Security Affairs
July 12, 2023 – Vulnerabilities
Fortinet Patches Critical FortiOS Vulnerability Leading to Remote Code Execution Full Text
Abstract
The vulnerability impacts FortiOS and FortiProxy versions 7.2.x and 7.0.x and was resolved in FortiOS versions 7.4.0, 7.2.4, and 7.0.11, and FortiProxy versions 7.2.3 and 7.0.10.Cyware
July 12, 2023 – Denial Of Service
DDoS Attacks Soar by 168% on Government Services, Report Warns Full Text
Abstract
According to StormWall’s Q2 2023 Report, the United States, India, and China remain the most heavily targeted countries, bearing the brunt of the escalating DDoS attacks.Cyware
July 12, 2023 – Vulnerabilities
SAP Patches Critical Vulnerability in ECC and S/4HANA Products Full Text
Abstract
German enterprise software maker SAP on Tuesday announced the release of 16 new security notes as part of its July 2023 Security Patch Day. In addition, updates were announced for two previously released notes.Cyware
July 12, 2023 – Government
Pro-Chinese Twitter Accounts Seek to Expand Beijing’s Influence in Latin America Full Text
Abstract
Three Twitter accounts that appear to have links to the Chinese government have been spreading propaganda in Latin America and successfully avoided Twitter's efforts to label state media, researchers said in an analysis published Tuesday.Cyware
July 12, 2023 – Policy and Law
Two more lawsuits filed against Scranton cardiology group over data breach Full Text
Abstract
Cybercriminals attempted to access accounts of a Scranton couple who are among clients whose personal information was exposed in a data breach at a Commonwealth Health cardiology group's practice, according to a proposed class-action lawsuit.Cyware
July 12, 2023 – Cryptocurrency
Python-Based PyLoose Fileless Attack Targets Cloud Workloads for Cryptocurrency Mining Full Text
Abstract
A new fileless attack dubbed PyLoose has been observed striking cloud workloads with the goal of delivering a cryptocurrency miner, new findings from Wiz reveal. "The attack consists of Python code that loads an XMRig Miner directly into memory using memfd , a known Linux fileless technique," security researchers Avigayil Mechtinger, Oren Ofer, and Itamar Gilad said . "This is the first publicly documented Python-based fileless attack targeting cloud workloads in the wild." The cloud security firm said it found nearly 200 instances where the attack method was employed for cryptocurrency mining. No other details about the threat actor are currently known other than the fact that they possess sophisticated capabilities. In the infection chain documented by Wiz, initial access is achieved through the exploitation of a publicly accessible Jupyter Notebook service that allowed for the execution of system commands using Python modules. PyLoose , first detected onThe Hacker News
July 12, 2023 – Attack
Unpatched Office zero-day CVE-2023-36884 actively exploited in targeted attacks Full Text
Abstract
Microsoft warned today that an unpatched zero-day in multiple Windows and Office products was actively exploited in the wild. Microsoft disclosed an unpatched zero-day vulnerability in multiple Windows and Office products that has been actively exploited...Security Affairs
July 12, 2023 – Vulnerabilities
Update: Apple’s Rapid Security Response Patches Causing Website Access Issues Full Text
Abstract
Apple has pulled its latest Rapid Security Response updates for iOS and macOS after users complained that they were getting errors when accessing some websites through Safari.Cyware
July 12, 2023 – Vulnerabilities
Microsoft Releases Patches for 132 Vulnerabilities, Including 6 Under Active Attack Full Text
Abstract
Microsoft on Tuesday released updates to address a total of 132 new security flaws spanning its software, including six zero-day flaws that it said have been actively exploited in the wild. Of the 132 vulnerabilities, nine are rated Critical, 122 are rated Important in severity, and one has been assigned a severity rating of "None." This is in addition to eight flaws the tech giant patched in its Chromium-based Edge browser towards the end of last month. The list of issues that have come under active exploitation is as follows - CVE-2023-32046 (CVSS score: 7.8) - Windows MSHTML Platform Elevation of Privilege Vulnerability CVE-2023-32049 (CVSS score: 8.8) - Windows SmartScreen Security Feature Bypass Vulnerability CVE-2023-35311 (CVSS score: 8.8) - Microsoft Outlook Security Feature Bypass Vulnerability CVE-2023-36874 (CVSS score: 7.8) - Windows Error Reporting Service Elevation of Privilege Vulnerability CVE-2023-36884 (CVSS score: 8.3) - Office and WindowsThe Hacker News
July 11, 2023 – Breach
HCA Healthcare data breach impacted 11 million patients Full Text
Abstract
HCA Healthcare disclosed a data breach that exposed the personal information of roughly 11 million patients. HCA Healthcare this week announced that the personal information of roughly 11 million patients was compromised in a data breach. The organization...Security Affairs
July 11, 2023 – Malware
New TOITOIN Trojan Targets LATAM Full Text
Abstract
Businesses in the Latin American region are facing a new threat from a sophisticated malicious campaign distributing the TOITOIN trojan. Moreover, the campaign uses Amazon EC2 instances to evade domain-based detections. It is crucial for organizations to maintain a high level of vigilance against e ... Read MoreCyware
July 11, 2023 – Vulnerabilities
Hackers Exploit Windows Policy Loophole to Forge Kernel-Mode Driver Signatures Full Text
Abstract
A Microsoft Windows policy loophole has been observed being exploited primarily by native Chinese-speaking threat actors to forge signatures on kernel-mode drivers. "Actors are leveraging multiple open-source tools that alter the signing date of kernel mode drivers to load malicious and unverified drivers signed with expired certificates," Cisco Talos said in an exhaustive two-part report shared with The Hacker News. "This is a major threat, as access to the kernel provides complete access to a system, and therefore total compromise." Following responsible disclosure, Microsoft said it has taken steps to block all certificates to mitigate the threat. It further stated that its investigation found "the activity was limited to the abuse of several developer program accounts and that no Microsoft account compromise has been identified." The tech giant, besides suspending developer program accounts involved in the incident, emphasized that the threat aThe Hacker News
July 11, 2023 – Vulnerabilities
Apple issued Rapid Security Response updates to fix a zero-day but pulled them due to a Safari bug Full Text
Abstract
Apple released Rapid Security Response updates for iOS, iPadOS, macOS, and Safari web browser to address an actively exploited zero-day. Apple has released Rapid Security Response updates for iOS, iPadOS, macOS, and Safari web browser to address a...Security Affairs
July 11, 2023 – Malware
Purr-fectly Crafted for Macs: Charming Kitten Introduces NokNok Malware Full Text
Abstract
Security researchers uncovered a new campaign by Charming Kitten (APT42) targeting Windows and macOS systems using different malware payloads. A new type of malware called NokNok, is specifically used for targeting macOS systems. For Windows, adversaries leverage PowerShell code and an LNK file to ... Read MoreCyware
July 11, 2023 – Education
How to Apply MITRE ATT&CK to Your Organization Full Text
Abstract
Discover all the ways MITRE ATT&CK can help you defend your organization. Build your security strategy and policies by making the most of this important framework. What is the MITRE ATT&CK Framework? MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a widely adopted framework and knowledge base that outlines and categorizes the tactics, techniques, and procedures (TTPs) used in cyberattacks . Created by the nonprofit organization MITRE, this framework provides security professionals with insights and context that can help them comprehend, identify, and mitigate cyber threats effectively. The techniques and tactics in the framework are organized in a dynamic matrix. This makes navigation easy and also provides a holistic view of the entire spectrum of adversary behaviors. As a result, the framework is more actionable and usable than if it were a static list. The MITRE ATT&CK Framework can be found here: https://attack.mitre.org/ Look Out: MIThe Hacker News
July 11, 2023 – Vulnerabilities
VMware warns customers of exploit available for critical vRealize RCE flaw CVE-2023-20864 Full Text
Abstract
VMware warns customers of the public availability of an exploit code for the RCE vulnerability CVE-2023-20864 affecting vRealize. VMware warned customers of the availability of an exploit code for the critical RCE vulnerability CVE-2023-20864 in the VMware...Security Affairs
July 11, 2023 – Vulnerabilities
Owncast, EaseProbe Security Vulnerabilities Revealed Full Text
Abstract
Oxeye has uncovered two critical security vulnerabilities and recommends immediate action to mitigate risk. The vulnerabilities were discovered in Owncast (CVE-2023-3188) and EaseProbe (CVE-2023-33967), two open-source platforms written in Go.Cyware
July 11, 2023 – Cryptocurrency
SCARLETEEL Cryptojacking Campaign Exploiting AWS Fargate in Ongoing Campaign Full Text
Abstract
Cloud environments continue to be at the receiving end of an ongoing advanced attack campaign dubbed SCARLETEEL, with the threat actors now setting their sights on Amazon Web Services (AWS) Fargate. "Cloud environments are still their primary target, but the tools and techniques used have adapted to bypass new security measures, along with a more resilient and stealthy command and control architecture," Sysdig security researcher Alessandro Brucato said in a new report shared with The Hacker News. SCARLETEEL was first exposed by the cybersecurity company in February 2023, detailing a sophisticated attack chain that culminated in the theft of proprietary data from AWS infrastructure and the deployment of cryptocurrency miners to profit off the compromised systems' resources illegally. A follow-up analysis by Cado Security uncovered potential links to a prolific cryptojacking group known as TeamTNT , although Sysdig told The Hacker News that it "could be someThe Hacker News
July 11, 2023 – Criminals
Cybercriminals Evolve Antidetect Tooling for Mobile OS-Based Fraud Full Text
Abstract
Resecurity identified the emergence of adversarial mobile Android-based Antidetect Tooling for Mobile OS-Based Fraud. Resecurity has identified the emergence of adversarial mobile Android-based tools (called "mobile anti-detects"), like Enclave and McFly,...Security Affairs
July 11, 2023 – Breach
HCA Healthcare Reports Breach of 11 Million Patients’ Personal Data Full Text
Abstract
In a website notice, HCA confirmed that the data includes “information used for email messages, such as reminders that patients may wish to schedule an appointment and education on healthcare programs and services.”Cyware
July 11, 2023 – Ransomware
Beware of Big Head Ransomware: Spreading Through Fake Windows Updates Full Text
Abstract
A developing piece of ransomware called Big Head is being distributed as part of a malvertising campaign that takes the form of bogus Microsoft Windows updates and Word installers. Big Head was first documented by Fortinet FortiGuard Labs last month, when it discovered multiple variants of the ransomware that are designed to encrypt files on victims' machines in exchange for a cryptocurrency payment. "One Big Head ransomware variant displays a fake Windows Update, potentially indicating that the ransomware was also distributed as a fake Windows Update," Fortinet researchers said at the time. "One of the variants has a Microsoft Word icon and was likely distributed as counterfeit software." A majority of the Big Head samples have been submitted so far from the U.S., Spain, France, and Turkey. In a new analysis of the .NET-based ransomware, Trend Micro detailed its inner workings, calling out its ability to deploy three encrypted binaries: 1.exe to propagThe Hacker News
July 11, 2023 – Malware
Six Malicious Python Packages in the PyPI Targeting Windows Users Full Text
Abstract
The attackers imitated the W4SP attack group by using custom entry points and leveraging free file hosting services to remain undetected during the installation or execution process.Cyware
July 11, 2023 – Vulnerabilities
Apple Issues Urgent Patch for Zero-Day Flaw Targeting iOS, iPadOS, macOS, and Safari Full Text
Abstract
Apple has released Rapid Security Response updates for iOS, iPadOS, macOS, and Safari web browser to address a zero-day flaw that it said has been actively exploited in the wild. The WebKit bug, cataloged as CVE-2023-37450 , could allow threat actors to achieve arbitrary code execution when processing specially crafted web content. The iPhone maker said it addressed the issue with improved checks. Credited with discovering and reporting the flaw is an anonymous researcher. As with most cases like this, there are scant details about the nature and the scale of the attacks and the identity of the threat actor behind them. But Apple noted in a terse advisory that it's "aware of a report that this issue may have been actively exploited." The updates, iOS 16.5.1 (a), iPadOS 16.5.1 (a), macOS Ventura 13.4.1 (a), and Safari 16.5.2, are available for devices running the following operating system versions: iOS 16.5.1 and iPadOS 16.5.1 macOS Ventura 13.4.1 macOS BigThe Hacker News
July 11, 2023 – Attack
Australian Infrastructure Company Ventia Hit With Cyberattack Full Text
Abstract
The Australian infrastructure services provider Ventia is dealing with a cyberattack that began this weekend. On Saturday, the company said it identified a cyber intrusion and took some “key systems” offline to contain the incident.Cyware
July 10, 2023 – Phishing
RomCom hackers target NATO Summit attendees in phishing attacks Full Text
Abstract
A threat actor referred to as 'RomCom' has been targeting organizations supporting Ukraine and guests of the upcoming NATO Summit set to start tomorrow in Vilnius, Lithuania.BleepingComputer
July 10, 2023 – Criminals
Genesis Market gang tries to sell platform after FBI disruption Full Text
Abstract
Unlike its competitors, Genesis Market did not just sell stolen data and credentials but also provided a platform to criminals that allowed them to weaponize that data using a custom browser extension to impersonate victims.Cyware
July 10, 2023 – Solution
New Mozilla Feature Blocks Risky Add-Ons on Specific Websites to Safeguard User Security Full Text
Abstract
Mozilla has announced that some add-ons may be blocked from running on certain sites as part of a new feature called Quarantined Domains . "We have introduced a new back-end feature to only allow some extensions monitored by Mozilla to run on specific websites for various reasons, including security concerns," the company said in its Release Notes for Firefox 115.0 released last week. The company said the openness afforded by the add-on ecosystem could be exploited by malicious actors to their advantage. "This feature allows us to prevent attacks by malicious actors targeting specific domains when we have reason to believe there may be malicious add-ons we have not yet discovered," Mozilla said in a separate support document. Users are expected to have more control over the setting for each add-on, starting with Firefox version 116. That said, it can be disabled by loading "about:config" in the address bar and setting "extensions.quarantineThe Hacker News
July 10, 2023 – Vulnerabilities
Experts released PoC exploit for Ubiquiti EdgeRouter flaw Full Text
Abstract
A Proof-of-Concept (PoC) exploit for the CVE-2023-31998 vulnerability in the Ubiquiti EdgeRouter has been publicly released. The CVE-2023-31998 flaw (CVSS v3 5.9) is a heap overflow issue impacting Ubiquiti EdgeRouters and Aircubes, an attacker can exploit...Security Affairs
July 10, 2023 – Malware
VMware warns of exploit available for critical vRealize RCE bug Full Text
Abstract
VMware warned customers today that exploit code is now available for a critical vulnerability in the VMware Aria Operations for Logs analysis tool, which helps admins manage terabytes worth of app and infrastructure logs in large-scale environments.BleepingComputer
July 10, 2023 – Vulnerabilities
PoC Exploit Published for Recent Ubiquiti EdgeRouter Vulnerability Full Text
Abstract
A recently patched vulnerability in Ubiquiti EdgeRouter and AirCube devices could be exploited to execute arbitrary code, vulnerability reporting firm SSD Secure Disclosure warns.Cyware
July 10, 2023 – Malware
New TOITOIN Banking Trojan Targeting Latin American Businesses Full Text
Abstract
Businesses operating in the Latin American (LATAM) region are the target of a new Windows-based banking trojan called TOITOIN since May 2023. "This sophisticated campaign employs a trojan that follows a multi-staged infection chain, utilizing specially crafted modules throughout each stage," Zscaler researchers Niraj Shivtarkar and Preet Kamal said in a report published last week. "These modules are custom designed to carry out malicious activities, such as injecting harmful code into remote processes, circumventing User Account Control via COM Elevation Moniker, and evading detection by Sandboxes through clever techniques like system reboots and parent process checks." The six-stage endeavor has all the hallmarks of a well-crafted attack sequence, beginning with a phishing email containing an embedded link that points to a ZIP archive hosted on an Amazon EC2 instance to evade domain-based detections. The email messages leverage an invoice-themed lure to tThe Hacker News
July 10, 2023 – Attack
RomCom RAT attackers target groups supporting NATO membership of Ukraine Full Text
Abstract
Threat actors are targeting NATO and groups supporting Ukraine in a spear-phishing campaign distributing the RomCom RAT. On July 4, the BlackBerry Threat Research and Intelligence team uncovered a spear phishing campaign aimed at an organization...Security Affairs
July 10, 2023 – Vulnerabilities
Apple releases emergency update to fix zero-day exploited in attacks Full Text
Abstract
Apple has issued a new round of Rapid Security Response (RSR) updates to address a new zero-day bug exploited in attacks and impacting fully-patched iPhones, Macs, and iPads.BleepingComputer
July 10, 2023 – Solution
Honeywell Boosting OT Cybersecurity Offering With Acquisition of SCADAfence Full Text
Abstract
Honeywell has agreed to acquire SCADAfence for an undisclosed amount and plans on integrating its solutions into the company’s Forge Cybersecurity+ suite. The deal is expected to close in the second half of the year.Cyware
July 10, 2023 – General
Global Retailers Must Keep an Eye on Their SaaS Stack Full Text
Abstract
Brick-and-mortar retailers and e-commerce sellers may be locked in a fierce battle for market share, but one area both can agree on is the need to secure their SaaS stack. From communications tools to order management and fulfillment systems, much of today's critical retail software lives in SaaS apps in the cloud. Securing those applications is crucial to ongoing operations, chain management, and business continuity. Breaches in retail send out seismic shockwaves. Ten years later, many still remember one national retailer that had 40 million credit card records stolen. Those attacks have continued. According to Verizon's Data Breach Investigations Report, last year saw 629 cybersecurity incidents in the sector. Clearly, retailers must take concrete steps to secure their SaaS stack. And yet, securing applications is complicated. Retailers tend to have multiple tenants of apps, which leads to confusion over which instances of the application were already secured and whicThe Hacker News
July 10, 2023 – Breach
A flaw in Revolut US payments resulted in the theft of $20 Million Full Text
Abstract
A zero-day vulnerability in the Revolut payment systems allowed threat actors to steal more than $20 million in early 2022. In early 2022, threat actors exploited a zero-day flaw in Revolut payment systems to steal more than $20 million, reported...Security Affairs
July 10, 2023 – Insider Threat
Former employee charged for attacking water treatment plant Full Text
Abstract
A former employee of Discovery Bay Water Treatment Facility in California was indicted by a federal grand jury for intentionally attempting to cause malfunction to the facility's safety and protection systems.BleepingComputer
July 10, 2023 – Breach
35 Million Indonesians’ Passport Data for Sale on Dark Web for $10K Full Text
Abstract
Indonesian security researcher Teguh Aprianto revealed on Twitter last week that a hacker had put up for sale Indonesian passport holders' details including their full names, birth dates, gender, passport numbers, and passport validity dates.Cyware
July 10, 2023 – Attack
RomCom RAT Targeting NATO and Ukraine Support Groups Full Text
Abstract
The threat actors behind the RomCom RAT have been suspected of phishing attacks targeting the upcoming NATO Summit in Vilnius as well as an identified organization supporting Ukraine abroad. The findings come from the BlackBerry Threat Research and Intelligence team, which found two malicious documents submitted from a Hungarian IP address on July 4, 2023. RomCom, also tracked under the names Tropical Scorpius, UNC2596, and Void Rabisu, was recently observed staging cyber attacks against politicians in Ukraine who are working closely with Western countries and a U.S.-based healthcare organization involved with aiding refugees fleeing the war-torn country. Attack chains mounted by the group are geopolitically motivated and have employed spear-phishing emails to point victims to cloned websites hosting trojanized versions of popular software. Targets include militaries, food supply chains, and IT companies. The latest lure documents identified by BlackBerry impersonate UkrainiaThe Hacker News
July 10, 2023 – Privacy
France’s government is giving the police more surveillance power Full Text
Abstract
The French government is going to grant law enforcement the power to spy on suspects through smartphones and other devices. French legislators are going to approve a justice reform bill that also gives more power to law enforcement, allowing them...Security Affairs
July 10, 2023 – Breach
Razer investigates data breach claims, resets user sessions Full Text
Abstract
Gaming gear company Razer reacted to recent rumors of a massive data breach with a short statement on Twitter, letting users know that they started an investigation into the matter.BleepingComputer
July 10, 2023 – General
ISACA joins ECSO to strengthen cybersecurity and digital skills in Europe Full Text
Abstract
ISACA is joining the European Cyber Security Organisation (ECSO). The membership will work to accelerate ECSO and ISACA’s shared commitment to advancing cybersecurity, fostering collaboration and driving digital trust across Europe.Cyware
July 10, 2023 – Criminals
Hackers Steal $20 Million by Exploiting Flaw in Revolut’s Payment Systems Full Text
Abstract
Malicious actors exploited an unknown flaw in Revolut's payment systems to steal more than $20 million of the company's funds in early 2022. The development was reported by the Financial Times, citing multiple unnamed sources with knowledge of the incident. The breach has not been disclosed publicly. The fault stemmed from discrepancies between Revolut's U.S. and European systems, causing funds to be erroneously refunded using its own money when some transactions were declined. The problem was first detected in late 2021. But before it could be closed, the report said organized criminal groups leveraged the loophole by "encouraging individuals to try to make expensive purchases that would go on to be declined." The refunded amounts would then be withdrawn from ATMs. The exact technical details associated with the flaw are currently unclear. About $23 million was stolen in total, with some funds recovered by pursuing those who had withdrawn cash. The massThe Hacker News
July 10, 2023 – Solution
Streamlining security operations with automated incident response Full Text
Abstract
Automated incident response solutions help reduce the mean time to respond to incidents, address known security threats, and also minimize alert fatigue. Learn more about these solutions from Wazuh, the open source XDR/SIEM platform.BleepingComputer
July 10, 2023 – General
Midyear Health Data Breach Analysis: The Top Culprits Full Text
Abstract
The HHS HIPAA Breach Reporting Tool shows that 336 major health data breaches affected nearly 41.4 million individuals between January 1st and June 30th this year - nearly double the number affected during the same period last year.Cyware
July 10, 2023 – Phishing
New Phishing Attack Spoofs Microsoft 365 Authentication System Full Text
Abstract
According to researchers at Vade, the attack email includes a harmful HTML attachment with JavaScript code. This code is designed to gather the recipient’s email address and modify the page using data from a callback function’s variable.Cyware
July 09, 2023 – APT
Charming Kitten hackers use new ‘NokNok’ malware for macOS Full Text
Abstract
Security researchers observed a new campaign they attribute to the Charming Kitten APT group where hackers used new NokNok malware that targets macOS systems.BleepingComputer
July 9, 2023 – Malware
Two spyware sending data of more than 1.5M users to China were found in Google Play Store Full Text
Abstract
Two apps on the Google Play Store with more than 1.5 million downloads have been discovered spying on users and sending data to China. Researchers from cybersecurity firm Pradeo discovered two malicious apps on Google Play hinding spyware and spying...Security Affairs
July 9, 2023 – General
Security Affairs newsletter Round 427 by Pierluigi Paganini – International edition Full Text
Abstract
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Google...Security Affairs
July 8, 2023 – Ransomware
Tailing Big Head Ransomware’s Variants, Tactics, and Impact Full Text
Abstract
The Big Head ransomware displays a fake Windows update to deceive victims, communicates with the threat actor via a Telegram bot, and drops ransom notes with contact information.Cyware
July 08, 2023 – Privacy
Two Spyware Apps on Google Play with 1.5 Million Users Sending Data to China Full Text
Abstract
Two file management apps on the Google Play Store have been discovered to be spyware, putting the privacy and security of up to 1.5 million Android users at risk. These apps engage in deceptive behaviour and secretly send sensitive user data to malicious servers in China. Pradeo, a leading mobile security company, has uncovered this alarming infiltration. The report shows that both spyware apps, namely File Recovery and Data Recovery (com.spot.music.filedate) with over 1 million installs, and File Manager (com.file.box.master.gkd) with over 500,000 installs, are developed by the same group. These seemingly harmless Android apps use similar malicious tactics and automatically launch when the device reboots without user input. Contrary to what they claim on the Google Play Store, where both apps assure users that no data is collected, Pradeo's analytics engine has found that various personal information is collected without users' knowledge. Stolen data includes contact listThe Hacker News
July 8, 2023 – Malware
WISE REMOTE Stealer Unleashed : Unveiling Its Multifaceted Malicious Arsenal Full Text
Abstract
The WISE REMOTE Stealer is an advanced information stealer and Remote Access Trojan (RAT) that is coded in the Go programming language and utilizes code manipulation techniques to evade antivirus detection, making it difficult to detect and mitigate.Cyware
July 8, 2023 – Breach
Global Translation Service Exposed Highly Sensitive Records Online Full Text
Abstract
Website Planet‘s security researcher Jeremiah Fowler discovered a non-password-protected database that contained over 25,000 records, all publicly exposed, including ‘highly sensitive’ documents.Cyware
July 8, 2023 – Vulnerabilities
Google addressed 3 actively exploited flaws in Android Full Text
Abstract
Google released July security updates for Android that addressed tens of vulnerabilities, including three actively exploited flaws. July security updates for Android addressed more than 40 vulnerabilities, including three flaws that were actively...Security Affairs
July 8, 2023 – Government
Vulnerabilities in PiiGAB Product Could Expose Industrial Organizations to Attacks Full Text
Abstract
The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday published an advisory describing the vulnerabilities discovered by researchers at Radboud University in PiiGAB M-Bus 900s gateway/converter.Cyware
July 8, 2023 – APT
Iran-linked APT TA453 targets Windows and macOS systems Full Text
Abstract
Iran-linked APT group tracked TA453 has been linked to a new malware campaign targeting both Windows and macOS systems. The Iran-linked threat actor TA453 has been linked to a malware campaign that targets both Windows and macOS. TA453 is a nation-state...Security Affairs
July 7, 2023 – Government
TMF announces five new digital services and cybersecurity investments Full Text
Abstract
The Labor Department will use the $15.2 million in the most recent batch of funding for zero-trust architecture. The EPA will put its $2.5 million toward the cybersecurity of its analytical radiation data system.Cyware
July 07, 2023 – Phishing
Vishing Goes High-Tech: New ‘Letscall’ Malware Employs Voice Traffic Routing Full Text
Abstract
Researchers have issued a warning about an emerging and advanced form of voice phishing ( vishing ) known as " Letscall ." This technique is currently targeting individuals in South Korea. The criminals behind "Letscall" employ a multi-step attack to deceive victims into downloading malicious apps from a counterfeit Google Play Store website. Once the malicious software is installed, it redirects incoming calls to a call center under the control of the criminals. Trained operators posing as bank employees then extract sensitive information from unsuspecting victims. To facilitate the routing of voice traffic, "Letscall" utilizes cutting-edge technologies such as voice over IP (VOIP) and WebRTC. It also makes use of Session Traversal Utilities for NAT (STUN) and Traversal Using Relays around NAT (TURN) protocols, including Google STUN servers, to ensure high-quality phone or video calls and bypass NAT and firewall restrictions. The "Letscall&quoThe Hacker News
July 7, 2023 – Breach
Bangladesh government website leaked data of millions of citizens Full Text
Abstract
A researcher recently discovered that a Bangladesh government website leaks the personal data of citizens. The researcher Viktor Markopoulos discovered a Bangladeshi government website that was leaking the personal information of millions of Bangladesh...Security Affairs
July 7, 2023 – General
Cybercriminals can Break Voice Authentication with 99% Success Rate Full Text
Abstract
Computer scientists at the University of Waterloo have discovered a method of attack that can successfully bypass voice authentication security systems with up to a 99% success rate after only six tries.Cyware
July 07, 2023 – Vulnerabilities
Another Critical Unauthenticated SQLi Flaw Discovered in MOVEit Transfer Software Full Text
Abstract
Progress Software has announced the discovery and patching of a critical SQL injection vulnerability in MOVEit Transfer, popular software used for secure file transfer. In addition, Progress Software has patched two other high-severity vulnerabilities. The identified SQL injection vulnerability, tagged as CVE-2023-36934 , could potentially allow unauthenticated attackers to gain unauthorized access to the MOVEit Transfer database. SQL injection vulnerabilities are a well-known and dangerous security flaw that allows attackers to manipulate databases and run any code they want. Attackers can send specifically designed payloads to certain endpoints of the affected application, which could change or expose sensitive data in the database. The reason CVE-2023-36934 is so critical is that it can be exploited without having to be logged in. This means that even attackers without valid credentials can potentially exploit the vulnerability. However, as of now, there have been no reports ofThe Hacker News
July 7, 2023 – Policy and Law
A man has been charged with a cyber attack on the Discovery Bay water treatment facility Full Text
Abstract
A man from Tracy, California, has been charged with a computer attack on the Discovery Bay water treatment facility. Rambler Gallo (53), a man from Tracy (California) has been charged with intentionally causing damage to a computer after he allegedly...Security Affairs
July 7, 2023 – Government
Truebot’s Activity Spikes, U.S and Canada Authorities Issue Warning Full Text
Abstract
A joint advisory from the CISA, the FBI, the MS-ISAC, and the Canadian Centre for Cyber Security (CCCS) discovered a rise in the use of the Truebot malware by threat actors. Notably, these actors are increasingly exploiting the CVE-2022-31199 flaw to target organizations in the U.S. and Canada with ... Read MoreCyware
July 07, 2023 – Vulnerabilities
Mastodon Social Network Patches Critical Flaws Allowing Server Takeover Full Text
Abstract
Mastodon, a popular decentralized social network, has released a security update to fix critical vulnerabilities that could expose millions of users to potential attacks. Mastodon is known for its federated model, consisting of thousands of separate servers called "instances," and it has over 14 million users across more than 20,000 instances. The most critical vulnerability, CVE-2023-36460 , allows hackers to exploit a flaw in the media attachments feature, creating and overwriting files in any location the software could access on an instance. This software vulnerability could be used for DoS and arbitrary remote code execution attacks, posing a significant threat to users and the broader Internet ecosystem. If an attacker gains control over multiple instances, they could cause harm by instructing users to download malicious applications or even bring down the entire Mastodon infrastructure. Fortunately, there is no evidence of this vulnerability being exploited so faThe Hacker News
July 7, 2023 – Vulnerabilities
Progress warns customers of a new critical flaw in MOVEit Transfer software Full Text
Abstract
Progress released security patches for a new critical SQL injection vulnerability affecting its MOVEit Transfer software. Progress is informing customers of a new critical SQL injection vulnerability, tracked as CVE-2023-36934, in its MOVEit Transfer...Security Affairs
July 7, 2023 – General
ChatGPT’s unknown potential keeps us guessing Full Text
Abstract
A survey by Malwarebytes revealed that a majority of respondents do not trust the information produced by ChatGPT and believe it poses potential safety and security risks.Cyware
July 07, 2023 – Solution
Close Security Gaps with Continuous Threat Exposure Management Full Text
Abstract
CISOs, security leaders, and SOC teams often struggle with limited visibility into all connections made to their company-owned assets and networks. They are hindered by a lack of open-source intelligence and powerful technology required for proactive, continuous, and effective discovery and protection of their systems, data, and assets. As advanced threat actors constantly search for easily exploitable vulnerabilities around the clock, CISOs are in pursuit of improved methods to reduce threat exposures and safeguard their assets, users, and data from relentless cyber-attacks and the severe consequences of breaches. In response to this need, an emerging solution addressing the most critical priorities at the initial stage of the attack chain has provided security leaders with a new tool to manage their most pressing threat exposures at their origin. Leading analyst firm Gartner Research describes the solution: "By 2026, organizations prioritizing their security investments basedThe Hacker News
July 7, 2023 – Government
CISA and FBI warn of Truebot infecting US and Canada based organizations Full Text
Abstract
CISA and the FBI warned today of a new Truebot variant employed in attacks against organizations in the United States and Canada. A new variant of the Truebot malware was used in attacks against organizations in the United States and Canada. Threat...Security Affairs
July 7, 2023 – Vulnerabilities
CISA, FBI, MS-ISAC, and CCCS Warn of Truebot Infecting US and Canadian Organizations Full Text
Abstract
The threat actors behind the attacks compromised target networks by exploiting a critical remote code execution (RCE) vulnerability in the Netwrix Auditor software tracked as CVE-2022-31199.Cyware
July 07, 2023 – Ransomware
BlackByte 2.0 Ransomware: Infiltrate, Encrypt, and Extort in Just 5 Days Full Text
Abstract
Ransomware attacks are a major problem for organizations everywhere, and the severity of this problem continues to intensify. Recently, Microsoft's Incident Response team investigated the BlackByte 2.0 ransomware attacks and exposed these cyber strikes' terrifying velocity and damaging nature. The findings indicate that hackers can complete the entire attack process, from gaining initial access to causing significant damage, in just five days. They waste no time infiltrating systems, encrypting important data, and demanding a ransom to release it. This shortened timeline poses a significant challenge for organizations trying to protect themselves against these harmful operations. BlackByte ransomware is used in the final stage of the attack, using an 8-digit number key to encrypt the data. To carry out these attacks, hackers use a powerful combination of tools and techniques. The investigation revealed that they take advantage of unpatched Microsoft Exchange Servers—anThe Hacker News
July 07, 2023 – Vulnerabilities
Google Releases Android Patch Update for 3 Actively Exploited Vulnerabilities Full Text
Abstract
Google has released its monthly security updates for the Android operating system, addressing 46 new software vulnerabilities. Among these, three vulnerabilities have been identified as actively exploited in targeted attacks. One of the vulnerabilities tracked as CVE-2023-26083 is a memory leak flaw affecting the Arm Mali GPU driver for Bifrost, Avalon, and Valhall chips. This particular vulnerability was exploited in a previous attack that enabled spyware infiltration on Samsung devices in December 2022. This vulnerability was regarded as serious enough to prompt the Cybersecurity and Infrastructure Security Agency (CISA) to issue a patching order for federal agencies in April 2023. Another significant vulnerability, identified as CVE-2021-29256, is a high-severity issue that affects specific versions of the Bifrost and Midgard Arm Mali GPU kernel drivers. This flaw permits an unprivileged user to gain unauthorized access to sensitive data and escalate privileges to the root levThe Hacker News
July 07, 2023 – Attack
JumpCloud Resets API Keys Amid Ongoing Cybersecurity Incident Full Text
Abstract
JumpCloud, a provider of cloud-based identity and access management solutions, has swiftly reacted to an ongoing cybersecurity incident that impacted some of its clients. As part of its damage control efforts, JumpCloud has reset the application programming interface (API) keys of all customers affected by this event, aiming to protect their valuable data. The company has informed the concerned clients about the critical nature of this move, reinforcing its commitment to safeguarding their operations and organizations. This API key reset will, however, disrupt certain functionalities like AD import, HRIS integrations, JumpCloud PowerShell modules, JumpCloud Slack apps, Directory Insights Serverless apps, ADMU, third-party zero-touch MDM packages, Command Triggers, Okta SCIM integration, Azure AD SCIM integration, Workato, Aquera, Tray, and more. Despite the potential disruptions, JumpCloud maintains that the key reset is for the greater good of its clients. For those needing assisThe Hacker News
July 07, 2023 – Malware
Cybersecurity Agencies Sound Alarm on Rising TrueBot Malware Attacks Full Text
Abstract
Cybersecurity agencies have warned about the emergence of new variants of the TrueBot malware. This enhanced threat is now targeting companies in the U.S. and Canada with the intention of extracting confidential data from infiltrated systems. These sophisticated attacks exploit a critical vulnerability ( CVE-2022-31199 ) in the widely used Netwrix Auditor server and its associated agents. This vulnerability enables unauthorized attackers to execute malicious code with the SYSTEM user's privileges, granting them unrestricted access to compromised systems. The TrueBot malware , linked with cybercriminal collectives Silence and FIN11, is deployed to siphon off data and disseminate ransomware, jeopardising the safety of numerous infiltrated networks. The cybercriminals gain their initial foothold by exploiting the cited vulnerability, then proceed to install TrueBot. Once they have breached the networks, they install the FlawedGrace Remote Access Trojan (RAT) to escalate their pThe Hacker News
July 6, 2023 – Malware
TeamsPhisher Tool Exploits Microsoft Teams to Deploy Malware Full Text
Abstract
A new tool available on GitHub can enable attackers to misuse a recently disclosed vulnerability in Microsoft Teams and automatically deliver malicious files to users' systems.Cyware
July 06, 2023 – Malware
Iranian Hackers’ Sophisticated Malware Targets Windows and macOS Users Full Text
Abstract
The Iranian nation-state actor known as TA453 has been linked to a new set of spear-phishing attacks that infect both Windows and macOS operating systems with malware. "TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho," Proofpoint said in a new report. "When given the opportunity, TA453 ported its malware and attempted to launch an Apple flavored infection chain dubbed NokNok. TA453 also employed multi-persona impersonation in its unending espionage quest." TA453, also known by the names APT35, Charming Kitten, Mint Sandstorm, and Yellow Garuda, is a threat group linked to Iran's Islamic Revolutionary Guard Corps (IRGC) that has been active since at least 2011. Most recently, Volexity highlighted the adversary's use of an updated version of a Powershell implant called CharmPower (aka GhostEcho or POWERSTAR). In the attack sequence discoveThe Hacker News
July 6, 2023 – Vulnerabilities
Cisco warns of a flaw in Nexus 9000 series switches that allows modifying encrypted traffic Full Text
Abstract
Cisco warns of a high-severity vulnerability in Nexus 9000 series switches that can allow attackers to read or modify encrypted traffic. Cisco disclosed a high-severity vulnerability, tracked as CVE-2023-20185 (CVSS Score 7.4), in the Cisco ACI Multi-Site...Security Affairs
July 6, 2023 – Ransomware
RedEnergy: New Stealer-as-a-Ransomware Out in the Wild Full Text
Abstract
The recent detection of RedEnergy stealer-as-a-ransomware represents an advanced threat that combines stealthy data theft and encryption techniques to cause significant damage and seize control over its targets.Cyware
July 06, 2023 – Denial Of Service
Surviving the 800 Gbps Storm: Gain Insights from Gcore’s 2023 DDoS Attack Statistics Full Text
Abstract
Gcore Radar is a quarterly report prepared by Gcore that provides insights into the current state of the DDoS protection market and cybersecurity trends. This report offers you an understanding of the evolving threat landscape and highlights the measures required to protect against attacks effectively. It serves as an insight for businesses and individuals seeking to stay informed about the latest developments in cybersecurity. As we entered 2023, the cybersecurity landscape witnessed an increase in sophisticated, high-volume attacks. Here, we present the current state of the DDoS protection market based on Gcore's statistics. Key Highlights from Q1–Q2 The maximum attack power rose from 600 to 800 Gbps. UDP flood attacks were most common and amounted to 52% of total attacks, while SYN flood accounted for 24%. In third place was TCP flood. The most-attacked business sectors are gaming, telecom, and financial. The longest attack duration in the year's first half was seveThe Hacker News
July 6, 2023 – Vulnerabilities
StackRot, a new Linux Kernel privilege escalation vulnerability Full Text
Abstract
StackRot is s new security vulnerability in the Linux kernel that could be exploited to gain elevated privileges on a target system. A security vulnerability, dubbed StackRot was found impacting Linux versions 6.1 through 6.4. The issue, tracked...Security Affairs
July 6, 2023 – Breach
28,000 Employees Impacted by Data Breach at Pepsi Bottling Ventures Full Text
Abstract
Discovered on January 10, the data breach occurred between December 23, 2022, and January 19, 2023, and resulted in the personal, financial, and health information of the company’s employees being accessed by an unauthorized party.Cyware
July 06, 2023 – Vulnerabilities
Researchers Uncover New Linux Kernel ‘StackRot’ Privilege Escalation Vulnerability Full Text
Abstract
Details have emerged about a newly identified security flaw in the Linux kernel that could allow a user to gain elevated privileges on a target host. Dubbed StackRot ( CVE-2023-3269 , CVSS score: 7.8), the flaw impacts Linux versions 6.1 through 6.4. There is no evidence that the shortcoming has been exploited in the wild to date. "As StackRot is a Linux kernel vulnerability found in the memory management subsystem, it affects almost all kernel configurations and requires minimal capabilities to trigger," Peking University security researcher Ruihan Li said . "However, it should be noted that maple nodes are freed using RCU callbacks, delaying the actual memory deallocation until after the RCU grace period. Consequently, exploiting this vulnerability is considered challenging." Following responsible disclosure on June 15, 2023, it has been addressed in stable versions 6.1.37, 6.3.11, and 6.4.1 as of July 1, 2023, after a two-week effort led by Linus TorThe Hacker News
July 6, 2023 – General
Ransomware accounts for 54% of cyber threats in the health sector Full Text
Abstract
The European Union Agency for Cybersecurity (ENISA) releases its first cyber threat landscape report for the health sector. The European Union Agency for Cybersecurity (ENISA) releases today its first cyber threat landscape report for the health...Security Affairs
July 6, 2023 – Hacker
Crysis Threat Actors Use RDP Connections to Distribute Venus Ransomware Full Text
Abstract
ASEC recently discovered that Crysis ransomware attackers were scanning the internet, via brute force or dictionary attacks, for vulnerable RDP endpoints to install Venus ransomware on systems.Cyware
July 06, 2023 – Education
How Pen Testing can Soften the Blow on Rising Costs of Cyber Insurance Full Text
Abstract
As technology advances and organizations become more reliant on data, the risks associated with data breaches and cyber-attacks also increase. The introduction of data privacy laws, such as the GDPR, has made it mandatory for organizations to disclose breaches of personal data to those affected. As such, it has become essential for businesses to protect themselves from the financial and reputational costs of cyber incidents. One solution to help organizations protect themselves is cyber insurance, despite the rising costs of cyber insurance, where the average price in the U.S. rose 79% in the second quarter of 2022. Also, with strict eligibility requirements that have emerged in response to risk and sharp spikes in successful breaches during and post-COVID-19, cyber insurance remains essential for organizations to protect sensitive customer information and their own data from falling into the wrong hands. While cyber insurance is not a one-size-fits-all solution and may not coverThe Hacker News
July 6, 2023 – Vulnerabilities
CVE-2022-29303 flaw in SolarView product can be exploited in attacks against the energy sector Full Text
Abstract
A vulnerability in SolarView product can be exploited in attacks targeting organizations in the energy sector. Researchers from the cybersecurity firm VulnCheck reported that the vulnerability CVE-2022-29303 in the solar power monitoring Contec SolarView...Security Affairs
July 6, 2023 – Business
Node4 acquires ThreeTwoFour to strengthen its security capabilities Full Text
Abstract
The acquisition is Node4’s third significant growth purchase in the last 18 months, having also bought risual, an IT managed services and solutions provider and Tisski, a leading UK-based independent Microsoft Business applications partner.Cyware
July 06, 2023 – Attack
Silentbob Campaign: Cloud-Native Environments Under Attack Full Text
Abstract
Cybersecurity researchers have unearthed an attack infrastructure that's being used as part of a "potentially massive campaign" against cloud-native environments. "This infrastructure is in early stages of testing and deployment, and is mainly consistent of an aggressive cloud worm, designed to deploy on exposed JupyterLab and Docker APIs in order to deploy Tsunami malware , cloud credentials hijack, resource hijack, and further infestation of the worm," cloud security firm Aqua said . The activity, dubbed Silentbob in reference to an AnonDNS domain set up by the attacker, is said to be linked to the infamous cryptojacking group tracked as TeamTNT , citing overlaps in tactics, techniques, and procedures (TTPs). However, the involvement of an "advanced copycat" hasn't been ruled out. Aqua's investigation was prompted in the aftermath of an attack targeting its honeypot in early June 2023, leading to the discovery of four malicious contThe Hacker News
July 6, 2023 – General
Small organizations face security threats on a limited budget Full Text
Abstract
Small organizations face the same security threats as organizations overall but have fewer resources to address them, according to Netwrix. The most common security incidents are phishing, ransomware, and user account compromise.Cyware
July 06, 2023 – Criminals
INTERPOL Nabs Hacking Crew OPERA1ER’s Leader Behind $11 Million Cybercrime Full Text
Abstract
A suspected senior member of a French-speaking hacking crew known as OPERA1ER has been arrested as part of an international law enforcement operation codenamed Nervone, Interpol has announced. "The group is believed to have stolen an estimated USD 11 million -- potentially as much as 30 million -- in more than 30 attacks across 15 countries in Africa, Asia, and Latin America," the agency said . The arrest was made by authorities in Côte d'Ivoire early last month. Additional insight was provided by the U.S. Secret Service's Criminal Investigative Division and Booz Allen Hamilton DarkLabs. The financially motivated collective is also known by the aliases Common Raven, DESKTOP-GROUP, and NX$M$. Its modus operandi was first exposed by Group-IB and Orange CERT Coordination Center (Orange-CERT-CC) in November 2022, detailing its intrusions on banks, financial services, and telecom companies between March 2018 and October 2022. Earlier this January, Broadcom's SThe Hacker News
July 6, 2023 – Breach
Large Indian Tech Retailer Exposes Employee and Customer Data Full Text
Abstract
The tech retailer Poorvika had a non-password-protected data breach exposing sensitive employee and customer data. The breach included a vast number of records, including personal information, email addresses, tax invoices, and payment receipts.Cyware
July 5, 2023 – Ransomware
Ransomware Redefined: RedEnergy Stealer-as-a-Ransomware Full Text
Abstract
RedEnergy stealer uses a fake update campaign to target multiple industry verticals and possesses the ability to steal information from various browsers while also incorporating different modules for carrying out ransomware activities.Cyware
July 05, 2023 – Ransomware
RedEnergy Stealer-as-a-Ransomware Threat Targeting Energy and Telecom Sectors Full Text
Abstract
A sophisticated stealer-as-a-ransomware threat dubbed RedEnergy has been spotted in the wild targeting energy utilities, oil, gas, telecom, and machinery sectors in Brazil and the Philippines through their LinkedIn pages. The malware "possesses the ability to steal information from various browsers, enabling the exfiltration of sensitive data, while also incorporating different modules for carrying out ransomware activities," Zscaler researchers Shatak Jain and Gurkirat Singh said in a recent analysis. The goal, the researchers noted, is to couple data theft with encryption with the goal of inflicting maximum damage to the victims. The starting point for the multi-stage attack is a FakeUpdates (aka SocGholish) campaign that tricks users into downloading JavaScript-based malware under the guise of web browser updates. What makes it novel is the use of reputable LinkedIn pages to target victims, redirecting users clicking on the website URLs to a bogus landing pageThe Hacker News
July 5, 2023 – Malware
RedEnergy Stealer-as-a-Ransomware employed in attacks in the wild Full Text
Abstract
RedEnergy is a sophisticated stealer-as-a-ransomware that was employed in attacks targeting energy utilities, oil, gas, telecom, and machinery sectors. Zscaler ThreatLabz researchers discovered a new Stealer-as-a-Ransomware named RedEnergy used in attacks...Security Affairs
July 5, 2023 – Attack
European Entities Targeted in SmugX Campaign Full Text
Abstract
Check Point spotted a new campaign by a Chinese threat actor targeting diplomatic entities in Europe. Dubbed SmugX, the campaign uses HTML smuggling to deploy a new variant of PlugX RAT. The campaign reportedly overlaps with the activity of RedDelta and Mustang Panda. Organizations are advised to u ... Read MoreCyware
July 05, 2023 – Education
Secrets, Secrets Are No Fun. Secrets, Secrets (Stored in Plain Text Files) Hurt Someone Full Text
Abstract
Secrets are meant to be hidden or, at the very least, only known to a specific and limited set of individuals (or systems). Otherwise, they aren't really secrets. In personal life, a secret revealed can damage relationships, lead to social stigma, or, at the very least, be embarrassing. In a developer's or application security engineer's professional life, the consequences of exposing secrets can lead to breaches of security, data leaks, and, well, also be embarrassing. And while there are tools available for detecting source code and code repositories, there are few options for identifying secrets in plain text, documents, emails, chat logs, content management systems, and more. What Are Secrets? In the context of applications, secrets are sensitive information such as passwords, API keys, cryptographic keys, and other confidential data that an application needs to function but should not be exposed to unauthorized users. Secrets are typically stored securely and accessThe Hacker News
July 5, 2023 – Attack
The Port of Nagoya, the largest Japanese port, suffered a ransomware attack Full Text
Abstract
The Port of Nagoya, the largest port in Japan, suffered a ransomware attack that severely impacted its operations. The Port of Nagoya, in the Ise Bay, is the largest and busiest trading port in Japan, accounting for about 10% of the total trade value...Security Affairs
July 5, 2023 – Criminals
Ransomware Criminals Are Dumping Kids’ Private Files Online After School Hacks Full Text
Abstract
Complete sexual assault case folios containing these details were among more than 300,000 files dumped online in March after the 36,000-student Minneapolis Public Schools refused to pay a $1 million ransom.Cyware
July 05, 2023 – Malware
Node.js Users Beware: Manifest Confusion Attack Opens Door to Malware Full Text
Abstract
The npm registry for the Node.js JavaScript runtime environment is susceptible to what's called a manifest confusion attack that could potentially allow threat actors to conceal malware in project dependencies or perform arbitrary script execution during installation. "A npm package's manifest is published independently from its tarball," Darcy Clarke, a former GitHub and npm engineering manager, said in a technical write-up published last week. "Manifests are never fully validated against the tarball's contents." "The ecosystem has broadly assumed the contents of the manifest and tarball are consistent," Clarke added. The problem, at its core, stems from the fact that the manifest and package metadata are decoupled and that they are never cross-referenced against one another, thereby leading to unexpected behavior and misuse when there is a mismatch. As a result, a threat actor could exploit this loophole to publish a module with a maThe Hacker News
July 5, 2023 – Malware
NoName(057)16’s DDoSia Project’s gets an upgrade Full Text
Abstract
The DDoSia attack tool received an upgrade, it supports a new security mechanism to conceal the list of targets. Researchers at the cybersecurity firm Sekoia analyzed an updated variant of the DDoSia attack tool that was developed and used by the pro-Russia...Security Affairs
July 5, 2023 – Outage
Poly Network Loses Millions of Dollars in Crypto Assets Full Text
Abstract
The services of the company were suspended early Sunday and during the afternoon the company shared a Google spreadsheet showing crypto assets that have been stolen by the attackers.Cyware
July 05, 2023 – Privacy
Instagram’s Twitter Alternative ‘Threads’ Launch Halted in Europe Over Privacy Concerns Full Text
Abstract
Instagram Threads, the upcoming Twitter competitor from Meta, will not be launched in the European Union due to privacy concerns, according to Ireland's Data Protection Commission (DPC). The development was reported by the Irish Independent, which said the watchdog has been in contact with the social media giant about the new product and confirmed the release won't extend to the E.U. "at this point." Threads is Meta's answer to Twitter that's set for launch on July 6, 2023. It's billed as a "text-based conversation app" that allows Instagram users to "discuss everything from the topics you care about today to what'll be trending tomorrow." It also enables users to follow the same accounts they already follow on Instagram. A listing for the app has already appeared in the Apple App Store and Google Play Store , although it's yet to be available for download. The " App Privacy " section on the App Store indicThe Hacker News
July 5, 2023 – Privacy
Swedish data protection authority rules against the use of Google Analytics Full Text
Abstract
Swedish data protection watchdog warns companies against using Google Analytics due to the risk of surveillance operated by the US government. The Swedish data protection watchdog warned businesses against using Google Analytics due to the risk of surveillance...Security Affairs
July 5, 2023 – Criminals
Teen among suspects arrested in Android banking malware scheme Full Text
Abstract
Preliminary findings suggest that seven men, two women aged 19 to 27, and a 16-year-old facilitated the scam by providing their bank accounts, Internet banking credentials, and Singpass credentials to perpetrators for monetary gain.Cyware
July 5, 2023 – General
75% of consumers prepared to ditch brands hit by ransomware Full Text
Abstract
81% of consumers report feeling “very scared or worried” about their data being held by organizations lacking robust resilience against ransomware. After an attack, one in three consumers demands evidence of resilient backup and recovery strategies.Cyware
July 5, 2023 – Vulnerabilities
Ghostscript Bug Could Allow Rogue Documents to Run System Commands Full Text
Abstract
Ghostscript reads in PostScript program code, which describes how to construct the pages in a document, and converts it, or renders it, into a format more suitable for displaying or printing, such as raw pixel data or a PNG graphics file.Cyware
July 4, 2023 – Phishing
U.S. Law Firms Targeted in New GuLoader Campaign Full Text
Abstract
GuLoader is increasingly prevalent as a malware loader within phishing campaigns. Morphisec Labs uncovered a GuLoader campaign that has been targeting law firms (46.4%), alongside investment (17.9%) and healthcare (21.4%) firms, in the U.S. The campaign has been ongoing since April.Cyware
July 04, 2023 – Government
Swedish Data Protection Authority Warns Companies Against Google Analytics Use Full Text
Abstract
The Swedish data protection watchdog has warned companies against using Google Analytics due to risks posed by U.S. government surveillance, following similar moves by Austria, France , and Italy last year. The development comes in the aftermath of an audit initiated by the Swedish Authority for Privacy Protection (IMY) against four companies CDON, Coop, Dagens Industri, and Tele2. "In its audits, IMY considers that the data transferred to the U.S. via Google's statistics tool is personal data because the data can be linked with other unique data that is transferred," IMY said . "The authority also concludes that the technical security measures that the companies have taken are not sufficient to ensure a level of protection that essentially corresponds to that guaranteed within the EU/EEA." The data protection authority also fined $1.1 million for Swedish telecom service provider Tele2 and less than $30,000 for local online marketplace CDON failing toThe Hacker News
July 4, 2023 – Breach
MOVEit attack on Aon exposed data of the staff at the Dublin Airport Full Text
Abstract
Personal data of the personnel at the Dublin Airport was compromised due to a MOVEit attack on professional service provider Aon. Data of about 3000 employees of Dublin Airport (DDA) were compromised after professional service provider Aon fell victim...Security Affairs
July 4, 2023 – General
Manufacturing companies hit by ransomware had their data encrypted: Report Full Text
Abstract
the percentage of manufacturing organizations that used back backups to recover data has increased, with 73% of the manufacturing organizations surveyed using backups this year versus 58% in the previous year.Cyware
July 04, 2023 – Hacker
DDoSia Attack Tool Evolves with Encryption, Targeting Multiple Sectors Full Text
Abstract
The threat actors behind the DDoSia attack tool have come up with a new version that incorporates a new mechanism to retrieve the list of targets to be bombarded with junk HTTP requests in an attempt to bring them down. The updated variant, written in Golang, "implements an additional security mechanism to conceal the list of targets, which is transmitted from the [command-and-control] to the users," cybersecurity company Sekoia said in a technical write-up. DDoSia is attributed to a pro-Russian hacker group called NoName(057)16 . Launched in 2022 and a successor of the Bobik botnet , the attack tool is designed for staging distributed denial-of-service (DDoS) attacks against targets primarily located in Europe as well as Australia, Canada, and Japan. Lithuania, Ukraine, Poland, Italy, Czechia, Denmark, Latvia, France, the U.K., and Switzerland have emerged as the most targeted countries over a period ranging from May 8 to June 26, 2023. A total of 486 different wThe Hacker News
July 4, 2023 – Criminals
Neo_Net runs eCrime campaign targeting clients of banks globally Full Text
Abstract
A Mexican threat actor that goes online with the moniker Neo_Net is behind an Android malware campaign targeting banks worldwide. A joint study conducted by vx-underground and SentinelOne recently revealed that a Mexican threat actor that goes online...Security Affairs
July 4, 2023 – Malware
New Malware Alert: EarlyRAT Linked to North Korean Hacking Group Full Text
Abstract
EarlyRAT is a straightforward program that immediately starts gathering system data and sending it via a POST request to the C2 server. The execution of commands on the infected system is EarlyRAT’s second main purpose.Cyware
July 04, 2023 – Criminals
Mexico-Based Hacker Targets Global Banks with Android Malware Full Text
Abstract
An e-crime actor of Mexican provenance has been linked to an Android mobile malware campaign targeting financial institutions globally, but with a specific focus on Spanish and Chilean banks, from June 2021 to April 2023. The activity is being attributed to an actor codenamed Neo_Net , according to security researcher Pol Thill. The findings were published by SentinelOne following a Malware Research Challenge in collaboration with vx-underground. "Despite using relatively unsophisticated tools, Neo_Net has achieved a high success rate by tailoring their infrastructure to specific targets, resulting in the theft of over 350,000 EUR from victims' bank accounts and compromising Personally Identifiable Information (PII) of thousands of victims," Thill said . Some of the major targets include banks such as Santander, BBVA, CaixaBank, Deutsche Bank, Crédit Agricole, and ING. Neo_Net, linked to a Spanish-speaking actor residing in Mexico, has established themselves as aThe Hacker News
July 4, 2023 – Outage
Hackers stole millions of dollars worth of crypto assets from Poly Network platform Full Text
Abstract
Poly Network platform suspended its services during the weekend due to a cyber attack that resulted in the theft of millions of dollars in crypto assets. Threat actors have stolen millions of dollars worth of crypto assets from the Poly Network platform...Security Affairs
July 4, 2023 – Breach
Major Data Leaks on TikTok, Instagram, and Yahoo Full Text
Abstract
A SOCRadar dark web analyst recently discovered an alleged database leak for Instagram. The leaked data reportedly contains over 17 million records in JSON format. The nature of the data suggests that it may have been collected from open source.Cyware
July 04, 2023 – Vulnerabilities
Alert: 330,000 FortiGate Firewalls Still Unpatched to CVE-2023-27997 RCE Flaw Full Text
Abstract
No less than 330,000 FortiGate firewalls are still unpatched and vulnerable to CVE-2023-27997, a critical security flaw affecting Fortinet devices that has come under active exploitation in the wild. Cybersecurity firm Bishop Fox, in a report published last week, said that out of nearly 490,000 Fortinet SSL-VPN interfaces exposed on the internet, about 69 percent remain unpatched. CVE-2023-27997 (CVSS score: 9.8), also called XORtigate, is a critical vulnerability impacting Fortinet FortiOS and FortiProxy SSL-VPN appliances that could allow a remote attacker to execute arbitrary code or commands via specifically crafted requests. Patches were released by Fortinet last month in versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5, although the company acknowledged that the flaw may have been "exploited in a limited number of cases" in attacks targeting government, manufacturing, and critical infrastructure sectors. Bishop Fox's analysis further found that 153,414The Hacker News
July 4, 2023 – Vulnerabilities
335,923 out of 489,337 Fortinet firewalls vulnerable to CVE-2023-27997 Full Text
Abstract
Researchers reported that there are 490,000 Fortinet firewalls exposing SSL VPN interfaces on the internet, and roughly 69% of them are still vulnerable to CVE-2023-27997. In Mid-June Fortinet addressed a critical flaw, tracked as CVE-2023-27997...Security Affairs
July 4, 2023 – Criminals
Anonymous Sudan Claims to Have Stolen 30 Million Microsoft’s Customer Accounts Full Text
Abstract
Attackers said “We announce that we have successfully hacked Microsoft and have access to a large database containing more than 30 million Microsoft accounts, email and password. Price for full database : 50,000 USD.”Cyware
July 4, 2023 – General
Report: Fileless Attacks Increase by 1,400% Full Text
Abstract
Protecting runtime environments requires at least a monitoring approach that includes scanning for known malicious files and network communications, then blocking them and alerting when they appear. However, this is still insufficient.Cyware
July 3, 2023 – Attack
GCHQ reveals British government was hacked by foreign cyber spies 20 years ago Full Text
Abstract
This month marks the 20th anniversary of the first time cyber experts at GCHQ responded to a foreign state hacking the British government, the intelligence and security agency revealed on Friday.Cyware
July 03, 2023 – Hacker
Chinese Hackers Use HTML Smuggling to Infiltrate European Ministries with PlugX Full Text
Abstract
A Chinese nation-state group has been observed targeting Foreign Affairs ministries and embassies in Europe using HTML smuggling techniques to deliver the PlugX remote access trojan on compromised systems. Cybersecurity firm Check Point said the activity, dubbed SmugX , has been ongoing since at least December 2022. "The campaign uses new delivery methods to deploy (most notably – HTML Smuggling) a new variant of PlugX, an implant commonly associated with a wide variety of Chinese threat actors," Check Point said . "Although the payload itself remains similar to the one found in older PlugX variants, its delivery methods result in low detection rates, which until recently helped the campaign fly under the radar." The exact identity of the threat actor behind the operation is a little hazy, although existing clues point in the direction of Mustang Panda , which also shares overlaps with clusters tracked as Earth Preta, RedDelta, and Check Point's own dThe Hacker News
July 3, 2023 – Breach
Anonymous Sudan claims to have stolen 30 million Microsoft’s customer accounts Full Text
Abstract
Microsoft denied the data breach after the collective of hacktivists known as Anonymous Sudan claimed to have hacked the company. In early June, Microsoft suffered severe outages for some of its services, including Outlook email, OneDrive file-sharing...Security Affairs
July 3, 2023 – Attack
Hacks targeting British exam boards raise fears of students cheating Full Text
Abstract
Police in Britain are investigating multiple incidents in which national exam papers for school-leavers were stolen by hackers and sold online to students seeking to cheat on their tests.Cyware
July 03, 2023 – Solution
Improve Your Security WordPress Spam Protection With CleanTalk Anti-Spam Full Text
Abstract
Every website owner or webmaster grapples with the issue of spam on their website forms. The volume of spam can be so overwhelming that finding useful information within it becomes quite challenging. What exacerbates this issue is that spam can populate your public pages, appearing in comments and reviews. You likely understand how this can damage your website's reputation, affect search results, overload your web server, and divert your focus from website development. Website owners and webmasters need a solution to this problem. When selecting an anti-spam solution, the following requirements should be taken into account: The solution must operate automatically, eliminating the need for manual spam checks. It should provide a quick and efficient method of accuracy control. It must be universal, protecting all website forms simultaneously. It should be easy and straightforward to install and set up. It should not require any extra steps from your visitors, ensuring they doThe Hacker News
July 3, 2023 – APT
SmugX: Chinese APT uses HTML smuggling to target European Ministries and embassies Full Text
Abstract
China-linked APT group was spotted using HTML smuggling in attacks aimed at Foreign Affairs ministries and embassies in Europe. A China-linked APT group was observed using HTML smuggling in attacks against Foreign Affairs ministries and embassies...Security Affairs
July 3, 2023 – Breach
Ireland: Dublin Airport staff pay data hit by criminals Full Text
Abstract
Pay and benefits details of Dublin Airport staff were compromised in a cyberattack on professional service provider Aon, highlighting the vulnerability of supply chain attacks.Cyware
July 03, 2023 – Government
CISA Flags 8 Actively Exploited Flaws in Samsung and D-Link Devices Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has placed a set of eight flaws to the Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. This includes six shortcomings affecting Samsung smartphones and two vulnerabilities impacting D-Link devices. All the flaws have been patched as of 2021. CVE-2021-25394 (CVSS score: 6.4) - Samsung mobile devices race condition vulnerability CVE-2021-25395 (CVSS score: 6.4) - Samsung mobile devices race condition vulnerability CVE-2021-25371 (CVSS score: 6.7) - An unspecified vulnerability in the DSP driver used in Samsung mobile devices that allows loading of arbitrary ELF libraries CVE-2021-25372 (CVSS score: 6.7) - Samsung mobile devices improper boundary check within the DSP driver in Samsung mobile devices CVE-2021-25487 (CVSS score: 7.8) - Samsung mobile devices out-of-bounds read vulnerability leading to arbitrary code execution CVE-2021-25489 (CVSS score: 5.5) - SamsungThe Hacker News
July 3, 2023 – Education
The Impacts of Data Loss on Your Organization Full Text
Abstract
What are the causes of Data Loss and which are their impact on your organization? In today's digital age, data has become the lifeblood of organizations, driving critical decision-making, improving operational efficiency, and allowing for smoother...Security Affairs
July 3, 2023 – Attack
GuLoader Campaign Targets Law Firms in the US Full Text
Abstract
The GuLoader malware campaign utilizes a multi-stage infection chain, including a PDF lure, a GuLoader VBScript, and obfuscated Powershell scripts, to deliver the Remcos RAT.Cyware
July 03, 2023 – Malware
Evasive Meduza Stealer Targets 19 Password Managers and 76 Crypto Wallets Full Text
Abstract
In yet another sign of a lucrative crimeware-as-a-service ( CaaS ) ecosystem, cybersecurity researchers have discovered a new Windows-based information stealer called Meduza Stealer that's actively being developed by its author to evade detection by software solutions. "The Meduza Stealer has a singular objective: comprehensive data theft," Uptycs said in a new report. "It pilfers users' browsing activities, extracting a wide array of browser-related data." "From critical login credentials to the valuable record of browsing history and meticulously curated bookmarks, no digital artifact is safe. Even crypto wallet extensions, password managers, and 2FA extensions are vulnerable." Despite the similarity in features, Meduza boasts of a "crafty" operational design that eschews the use of obfuscation techniques and promptly terminates its execution on compromised hosts should a connection to the attacker's server fail. It'sThe Hacker News
July 3, 2023 – Government
CISA adds Samsung and D-link bugs to its Known Exploited Vulnerabilities catalog Full Text
Abstract
US CISA added actively exploited Samsung and D-Link vulnerabilities to its Known Exploited Vulnerabilities catalog. US Cybersecurity and Infrastructure Security Agency (CISA) added six Samsung and two D-Link vulnerabilities to its Known Exploited...Security Affairs
July 3, 2023 – Phishing
Torrent of image-based phishing emails are harder to detect and more convincing Full Text
Abstract
Phishing mongers have released a torrent of image-based junk emails that embed QR codes into their bodies to successfully bypass security protections and provide a level of customization to more easily fool recipients, researchers said.Cyware
July 03, 2023 – Criminals
BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising Full Text
Abstract
Threat actors associated with the BlackCat ransomware have been observed employing malvertising tricks to distribute rogue installers of the WinSCP file transfer application. "Malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations," Trend Micro researchers said in an analysis published last week. "In this case, the distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer." Malvertising refers to the use of SEO poisoning techniques to spread malware via online advertising. It typically involves hijacking a chosen set of keywords to display bogus ads on Bing and Google search results pages with the goal of redirecting unsuspecting users to sketchy pages. The idea is to trick users searching for applications like WinSCP into downloading malware, in this instance, a backdoor that contains a Cobalt Strike Beacon that connects to aThe Hacker News
July 3, 2023 – Malware
New Windows Meduza Stealer targets tens of crypto wallets and password managers Full Text
Abstract
Researchers spotted a new Windows information stealer called Meduza Stealer, the authors employ sophisticated marketing strategies to promote it. The Meduza Stealer can steal browsing activities and extract a wide array of browser-related data, including...Security Affairs
July 3, 2023 – Breach
HHS Says At Least 100,000 People’s Data Exposed After Hacks at Government Contractors Full Text
Abstract
While no HHS systems or networks were compromised, attackers gained access to HHS data by exploiting the vulnerability in the MOVEit software used by third-party vendors, the official said.Cyware
July 3, 2023 – Malware
Experts detected a new variant of North Korea-linked RUSTBUCKET macOS malware Full Text
Abstract
Researchers spotted a new version of the RustBucket Apple macOS malware that supports enhanced capabilities. Researchers from the Elastic Security Labs have spotted a new variant of the RustBucket Apple macOS malware. In April, the security firm...Security Affairs
July 3, 2023 – General
One third of security breaches go unnoticed by security professionals Full Text
Abstract
94% of global respondents believe their hybrid cloud security offers full visibility into IT infrastructure, yet almost one-third of security breaches go undetected by IT pros, according to a Gigamon report.Cyware
July 2, 2023 – General
Security Affairs newsletter Round 426 by Pierluigi Paganini – International edition Full Text
Abstract
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. WordPress...Security Affairs
July 2, 2023 – Attack
WordPress sites using the Ultimate Member plugin are under attack Full Text
Abstract
Threat actors are exploiting a critical WordPress zero-day in the Ultimate Member plugin to create secret admin accounts. Hackers are actively exploiting a critical unpatched WordPress Plugin flaw, tracked as CVE-2023-3460 (CVSS score: 9.8), to create...Security Affairs
July 1, 2023 – Vulnerabilities
200,000 WordPress Sites Exposed to Attacks Exploiting Flaw in ‘Ultimate Member’ Plugin Full Text
Abstract
Tracked as CVE-2023-3460 (CVSS score of 9.8), the recently identified security defect in Ultimate Member plugin allows attackers to add a new user account to the administrators group.Cyware
July 01, 2023 – Vulnerabilities
Hackers Exploiting Unpatched WordPress Plugin Flaw to Create Secret Admin Accounts Full Text
Abstract
As many as 200,000 WordPress websites are at risk of ongoing attacks exploiting a critical unpatched security vulnerability in the Ultimate Member plugin. The flaw, tracked as CVE-2023-3460 (CVSS score: 9.8), impacts all versions of the Ultimate Member plugin, including the latest version (2.6.6) that was released on June 29, 2023. Ultimate Member is a popular plugin that facilitates the creation of user-profiles and communities on WordPress sites. It also provides account management features. "This is a very serious issue: unauthenticated attackers may exploit this vulnerability to create new user accounts with administrative privileges, giving them the power to take complete control of affected sites," WordPress security firm WPScan said in an alert. Although details about the flaw have been withheld due to active abuse, it stems from an inadequate blocklist logic put in place to alter the wp_capabilities user meta value of a new user to that of an administrator aThe Hacker News
July 1, 2023 – Breach
More than 16 million people and counting have had data exposed in MOVEit breaches Full Text
Abstract
Since June 1, experts have warned of the vulnerability affecting the popular file transfer software, and dozens of the biggest organizations in the U.S. and Europe have since come forward to reveal that they were affected by the situation.Cyware
July 01, 2023 – Malware
Beware: New ‘RustBucket’ Malware Variant Targeting macOS Users Full Text
Abstract
Researchers have pulled back the curtain on an updated version of an Apple macOS malware called RustBucket that comes with improved capabilities to establish persistence and avoid detection by security software. "This variant of RustBucket, a malware family that targets macOS systems, adds persistence capabilities not previously observed," Elastic Security Labs researchers said in a report published this week, adding it's "leveraging a dynamic network infrastructure methodology for command-and-control." RustBucket is the work of a North Korean threat actor known as BlueNoroff, which is part of a larger intrusion set tracked under the name Lazarus Group , an elite hacking unit supervised by the Reconnaissance General Bureau (RGB), the country's primary intelligence agency. The malware came to light in April 2023, when Jamf Threat Labs described it as an AppleScript-based backdoor capable of retrieving a second-stage payload from a remote server. ElasThe Hacker News
July 1, 2023 – Breach
Update: 1.1 Million NHS Patients’ Data Also Breached in the University of Manchester Attack Full Text
Abstract
The compromised NHS data includes records of major trauma patients across England and individuals treated after terror attacks, which the university collected for research purposes, according to media outlet The Independent on Thursday.Cyware
July 1, 2023 – Criminals
LockBit gang demands a $70 million ransom to the semiconductor manufacturing giant TSMC Full Text
Abstract
The LockBit ransomware gang claims to have hacked Taiwan Semiconductor Manufacturing Company (TSMC). The LockBit ransomware group this week claimed to have hacked the Taiwan Semiconductor Manufacturing Company (TSMC) and $70 million ransom. TSMC...Security Affairs
July 1, 2023 – Outage
Hackers claim to take down Russian satellite communications provider Full Text
Abstract
A group of previously unknown hackers has claimed responsibility for a cyberattack on the Russian satellite communications provider Dozor-Teleport, which is used by energy companies and the country's defense and security services.Cyware
July 1, 2023 – Ransomware
Avast released a free decryptor for the Windows version of the Akira ransomware Full Text
Abstract
Avast released a free decryptor for the Akira ransomware that can allow victims to recover their data without paying the ransom. Cybersecurity firm Avast released a free decryptor for the Akira ransomware that can allow victims to recover their data...Security Affairs
July 1, 2023 – Phishing
Malvertising Used as Entry Vector for BlackCat, Actors Also Leverage SpyBoy Terminator Full Text
Abstract
The infection chain started with a malicious ad for the WinSCP application displayed in search engine results. Users who clicked on the ad were redirected to a cloned download webpage where they unknowingly downloaded a malware-infected ISO file.Cyware