May 2023
May 31, 2023 – Criminals
Cybercriminals Targeting Apache NiFi Instances for Cryptocurrency Mining
Abstract
A financially motivated threat actor is actively scouring the internet for unprotected Apache NiFi instances to covertly install a cryptocurrency miner and facilitate lateral movement. The findings come from the SANS Internet Storm Center (ISC), which detected a spike in HTTP requests for "/nifi" on May 19, 2023. "Persistence is achieved via timed processors or entries to cron," said Dr. Johannes Ullrich, dean of research for SANS Technology Institute. "The attack script is not saved to the system. The attack scripts are kept in memory only." A honeypot setup allowed the ISC to determine that the initial foothold is weaponized to drop a shell script that removes the "/var/log/syslog" file, disables the firewall, and terminates competing crypto-mining tools, before downloading and launching the Kinsing malware from a remote server. It's worth pointing out that Kinsing has a track record of leveraging publicly disclosed vulnerabilities in publicly accessible web applicati... (The Hacker News)
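Added example (not from the SANS ISC or The Hacker News article): a log check that surfaces the "/nifi" probing the ISC honeypot observed, and that also flags a successful unauthenticated write to the NiFi REST API, which is how a "timed processor" gets planted for persistence. The access-log lines, IP addresses and the exact API paths treated as NiFi endpoints are constructed for this example.

```python
"""Flag sources probing for, or modifying, an exposed Apache NiFi instance
from web-server access logs (Combined Log Format).  Added example; the
sample lines below are constructed, not real honeypot traffic."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [19/May/2023:10:01:02 +0000] "GET /nifi HTTP/1.1" 200 5123 "-" "python-requests/2.28"
203.0.113.7 - - [19/May/2023:10:01:03 +0000] "GET /nifi-api/flow/process-groups/root HTTP/1.1" 200 891 "-" "python-requests/2.28"
198.51.100.4 - - [19/May/2023:10:05:40 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [19/May/2023:10:01:05 +0000] "POST /nifi-api/process-groups/root/processors HTTP/1.1" 201 1020 "-" "python-requests/2.28"
192.0.2.9 - - [19/May/2023:11:30:00 +0000] "GET /nifi HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def is_nifi_request(path):
    """The NiFi UI lives under /nifi and its REST API under /nifi-api/."""
    return path == "/nifi" or path.startswith(("/nifi/", "/nifi-api/"))


def find_nifi_probes(log_text, min_hits=2):
    """Return {ip: summary} for sources that touched NiFi endpoints at least
    min_hits times, or that got a 2xx on a write to /nifi-api/.  A successful
    write without authentication in front of NiFi means the flow was modified,
    which is where a miner's scheduled processor would be created."""
    by_ip = defaultdict(lambda: {"hits": 0, "flow_modified": False,
                                 "agents": set(), "first": None, "last": None})
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if not e or not is_nifi_request(e["path"]):
            continue
        s = by_ip[e["ip"]]
        s["hits"] += 1
        s["agents"].add(e["ua"])
        if (e["method"] in ("POST", "PUT") and e["path"].startswith("/nifi-api/")
                and e["status"].startswith("2")):
            s["flow_modified"] = True
        s["first"] = e["ts"] if s["first"] is None else min(s["first"], e["ts"])
        s["last"] = e["ts"] if s["last"] is None else max(s["last"], e["ts"])
    return {ip: s for ip, s in by_ip.items()
            if s["hits"] >= min_hits or s["flow_modified"]}


if __name__ == "__main__":
    for ip, s in find_nifi_probes(SAMPLE_LOG).items():
        print(f"{ip}: {s['hits']} NiFi requests, flow modified={s['flow_modified']}, "
              f"agents={sorted(s['agents'])}, window={s['first']} .. {s['last']}")
```

A single scanner hit from a browser user agent (192.0.2.9 above) stays below the threshold; the scripted source that walks the UI, reads the root process group and then creates a processor is what should page someone. On a real deployment the same check should be paired with confirming that the NiFi UI requires authentication at all.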
May 31, 2023 – Vulnerabilities
Experts warn of backdoor-like behavior within Gigabyte systems
Abstract
Researchers discovered a suspected backdoor-like behavior within Gigabyte systems that exposes devices to compromise. Researchers from firmware security firm Eclypsium have discovered a suspected backdoor-like behavior within Gigabyte systems. The... (Security Affairs)
May 31, 2023 – Vulnerabilities
Critical Firmware Vulnerability in Gigabyte Systems Exposes ~7 Million Devices
Abstract
Cybersecurity researchers have found "backdoor-like behavior" within Gigabyte systems, which they say enables the UEFI firmware of the devices to drop a Windows executable and retrieve updates in an unsecure format. Firmware security firm Eclypsium said it first detected the anomaly in April 2023. Gigabyte has since acknowledged and addressed the issue. "Most Gigabyte firmware includes a Windows Native Binary executable embedded inside of the UEFI firmware," John Loucaides, senior vice president of strategy at Eclypsium, told The Hacker News. "The detected Windows executable is dropped to disk and executed as part of the Windows startup process, similar to the LoJack double agent attack. This executable then downloads and runs additional binaries via insecure methods." "Only the intention of the author can distinguish this sort of vulnerability from a malicious backdoor," Loucaides added. The executable, per Eclypsium, is embedded in... (The Hacker News)
May 31, 2023 – Hacker
Threat actors have been exploiting a Barracuda Email Security Gateway bug since October 2022
Abstract
A recently disclosed zero-day flaw in Barracuda Email Security Gateway (ESG) appliances had been actively exploited by attackers since October 2022. The network security solutions provider Barracuda recently warned customers that some of its Email Security... (Security Affairs)
May 31, 2023 – Vulnerabilities
Beware of Ghost Sites: Silent Threat Lurking in Your Salesforce Communities
Abstract
Improperly deactivated and abandoned Salesforce Sites and Communities (aka Experience Cloud) could pose severe risks to organizations, leading to unauthorized access to sensitive data. Data security firm Varonis dubbed the abandoned, unprotected, and unmonitored resources "ghost sites." "When these Communities are no longer needed, though, they are often set aside but not deactivated," Varonis Threat Labs researchers said in a new report shared with The Hacker News. "Because these unused sites are not maintained, they aren't tested against vulnerabilities, and Admins fail to update the site's security measures according to newer guidelines." Varonis said it found many of these deactivated (but still active) sites still fetching new data, thereby allowing threat actors to extract data by manipulating the host header in the HTTP request. Identifying the complete internal URLs associated with the sites is challenging but not impossible, as an adversary could leverage too... (The Hacker News)
May 31, 2023 – Breach
Swiss real estate agency Neho fails to put a password on its systems
Abstract
A misconfiguration of Swiss real estate agency Neho's systems exposed sensitive credentials to the public. Neho, a Switzerland-based real estate agency, leaked credentials recently, potentially allowing threat actors to prey on sensitive data about... (Security Affairs)
May 31, 2023 – Vulnerabilities
Microsoft Details Critical Apple macOS Vulnerability Allowing SIP Protection Bypass
Abstract
Microsoft has shared details of a now-patched flaw in Apple macOS that could be abused by threat actors with root access to bypass security enforcements and perform arbitrary actions on affected devices. Specifically, the flaw – dubbed Migraine and tracked as CVE-2023-32369 – could be abused to get around a key security measure called System Integrity Protection (SIP), or "rootless," which limits the actions the root user can perform on protected files and folders. "The most straight-forward implication of a SIP bypass is that [...] an attacker can create files that are protected by SIP and therefore undeletable by ordinary means," Microsoft researchers Jonathan Bar Or, Michael Pearse, and Anurag Bohra said. Even worse, it could be exploited to gain arbitrary kernel code execution and even access sensitive data by replacing databases that manage Transparency, Consent, and Control (TCC) policies. The bypass is made possible by leveraging a built-in macOS tool called Migrat... (The Hacker News)
May 31, 2023 – Vulnerabilities
Microsoft found a new bug that allows bypassing SIP root restrictions in macOS
Abstract
Apple fixed a vulnerability discovered by Microsoft researchers that lets attackers with root privileges bypass System Integrity Protection (SIP). Researchers from Microsoft discovered a vulnerability, tracked as CVE-2023-32369 and dubbed Migraine,... (Security Affairs)
May 31, 2023 – Education
6 Steps to Effective Threat Hunting: Safeguard Critical Assets and Fight Cybercrime
Abstract
Finding threat actors before they find you is key to beefing up your cyber defenses. How to do that efficiently and effectively is no small task – but with a small investment of time, you can master threat hunting and save your organization millions of dollars. Consider this staggering statistic. Cybersecurity Ventures estimates that cybercrime will take a $10.5 trillion toll on the global economy by 2025. Measuring this amount as a country, the cost of cybercrime equals the world's third-largest economy after the U.S. and China. But with effective threat hunting, you can keep bad actors from wreaking havoc on your organization. This article offers a detailed explanation of threat hunting – what it is, how to do it thoroughly and effectively, and how cyber threat intelligence (CTI) can bolster your threat-hunting efforts. What is threat hunting? Cyber threat hunting is gathering evidence that a threat is materializing. It's a continuous process that helps you find the threats that... (The Hacker News)
May 31, 2023 – APT
Dark Pink APT Group Leverages TelePowerBot and KamiKakaBot in Sophisticated Attacks
Abstract
The threat actor known as Dark Pink has been linked to five new attacks aimed at various entities in Belgium, Brunei, Indonesia, Thailand, and Vietnam between February 2022 and April 2023. This includes educational institutions, government agencies, military bodies, and non-profit organizations, indicating the adversarial crew's continued focus on high-value targets. Dark Pink, also called Saaiwc Group, is an advanced persistent threat (APT) actor believed to be of Asia-Pacific origin, with attacks targeting entities primarily located in East Asia and, to a lesser extent, in Europe. The group employs a set of custom malware tools such as TelePowerBot and KamiKakaBot that provide various functions to exfiltrate sensitive data from compromised hosts. "The group uses a range of sophisticated custom tools, deploys multiple kill chains relying on spear-phishing emails," Group-IB security researcher Andrey Polovinkin said in a technical report shared with The Hacker News. "Onc... (The Hacker News)
May 31, 2023 – Malware
RomCom RAT Using Deceptive Web of Rogue Software Sites for Covert Attacks
Abstract
The threat actors behind RomCom RAT have been leveraging a network of fake websites advertising rogue versions of popular software since at least July 2022 to infiltrate targets. Cybersecurity firm Trend Micro is tracking the activity cluster under the name Void Rabisu, which is also known as Tropical Scorpius (Unit 42) and UNC2596 (Mandiant). "These lure sites are most likely only meant for a small number of targets, thus making discovery and analysis more difficult," security researchers Feike Hacquebord, Stephen Hilt, Fernando Merces, and Lord Alfred Remorin said. Some of the impersonated apps spotted so far include AstraChat, Devolutions' Remote Desktop Manager, Gimp, GoTo Meeting, KeePass, OpenAI ChatGPT, Signal, Veeam Backup & Replication, and WinDirStat. RomCom RAT was first chronicled by Palo Alto Networks Unit 42 in August 2022, linking it to a financially motivated group deploying Cuba Ransomware (aka COLDDRAW). It's worth noting that there is no... (The Hacker News)
May 31, 2023 – Hacker
Alert: Hackers Exploit Barracuda Email Security Gateway 0-Day Flaw for 7 Months
Abstract
Enterprise security firm Barracuda on Tuesday disclosed that a recently patched zero-day flaw in its Email Security Gateway (ESG) appliances had been abused by threat actors since October 2022 to backdoor the devices. The latest findings show that the critical vulnerability, tracked as CVE-2023-2868 (CVSS score: N/A), has been actively exploited for at least seven months prior to its discovery. The flaw, which Barracuda identified on May 19, 2023, affects versions 5.1.3.001 through 9.2.0.006 and could allow a remote attacker to achieve code execution on susceptible installations. Patches were released by Barracuda on May 20 and May 21. "CVE-2023-2868 was utilized to obtain unauthorized access to a subset of ESG appliances," the network and email security company said in an updated advisory. "Malware was identified on a subset of appliances allowing for persistent backdoor access. Evidence of data exfiltration was identified on a subset of impacted appliance... (The Hacker News)
May 30, 2023 – Hacker
Hackers Win $105,000 for Reporting Critical Security Flaws in Sonos One Speakers
Abstract
Multiple security flaws uncovered in Sonos One wireless speakers could be potentially exploited to achieve information disclosure and remote code execution, the Zero Day Initiative (ZDI) said in a report published last week. The vulnerabilities were demonstrated by three different teams from Qrious Secure, STAR Labs, and DEVCORE at the Pwn2Own hacking contest held in Toronto late last year, netting them $105,000 in monetary rewards. The list of four flaws, which impact Sonos One Speaker 70.3-35220, is below - CVE-2023-27352 and CVE-2023-27355 (CVSS scores: 8.8) - Unauthenticated flaws that allow network-adjacent attackers to execute arbitrary code on affected installations. CVE-2023-27353 and CVE-2023-27354 (CVSS score: 6.5) - Unauthenticated flaws that allow network-adjacent attackers to disclose sensitive information on affected installations. While CVE-2023-27352 stems from the processing of SMB directory query commands, CVE-2023-27355 exists within the MPEG-TS pars... (The Hacker News)
May 30, 2023 – Solution
PyPI enforces 2FA authentication to prevent maintainers' account takeover
Abstract
PyPI is going to enforce two-factor authentication (2FA) for all project maintainers by the end of this year over security concerns. Due to security concerns, PyPI will be mandating the use of two-factor authentication (2FA) for all project maintainers... (Security Affairs)
May 30, 2023 – Criminals
CAPTCHA-Breaking Services with Human Solvers Helping Cybercriminals Defeat Security
Abstract
Cybersecurity researchers are warning about CAPTCHA-breaking services that are being offered for sale to bypass systems designed to distinguish legitimate users from bot traffic. "Because cybercriminals are keen on breaking CAPTCHAs accurately, several services that are primarily geared toward this market demand have been created," Trend Micro said in a report published last week. "These CAPTCHA-solving services don't use [optical character recognition] techniques or advanced machine learning methods; instead, they break CAPTCHAs by farming out CAPTCHA-breaking tasks to actual human solvers." CAPTCHA – short for Completely Automated Public Turing test to tell Computers and Humans Apart – is a tool for differentiating real human users from automated users with the goal of combating spam and restricting fake account creation. While CAPTCHA mechanisms can be a disruptive user experience, they are seen as an effective means to counter attacks from bot-ori... (The Hacker News)
May 30, 2023 – Breach
A database containing 478,000 RaidForums members leaked online
Abstract
The database of the popular RaidForums hacking forum has been leaked on a new hacking forum, 478,000 members exposed. A database belonging to the now-defunct RaidForums cybercrime platform has been leaked on a new hacking forum called Exposed. The database... (Security Affairs)
May 30, 2023 – Education
Implementing Risk-Based Vulnerability Discovery and Remediation
Abstract
In this day and age, vulnerabilities in software and systems pose a considerable danger to businesses, which is why it is essential to have an efficient vulnerability management program in place. To stay one step ahead of possible breaches and reduce the damage they may cause, it is crucial to automate the process of finding and fixing vulnerabilities depending on the level of danger they pose. This post will discuss the fundamental approaches and tools to implement and automate risk-based vulnerability management. To make this process easier, consider using an all-in-one cloud-based solution right from the start. Implementing a risk-based vulnerability management program A risk-based vulnerability management program is a complex preventative approach used for swiftly detecting and ranking vulnerabilities based on their potential threat to a business. By implementing a risk-based vulnerability management approach, organizations can improve their security posture and reduce the lik... (The Hacker News)
May 30, 2023 – Phishing
Beware of the new phishing technique "file archiver in the browser" that exploits .zip domains
Abstract
"File archiver in the browser" is a new phishing technique that can be exploited by phishers when victims visit a .ZIP domain. A new phishing technique called "file archiver in the browser" can be used by phishers to "emulate" a file archiver software... (Security Affairs)
May 30, 2023 – Malware
Sneaky DogeRAT Trojan Poses as Popular Apps, Targets Indian Android Users
Abstract
A new open source remote access trojan (RAT) called DogeRAT targets Android users primarily located in India as part of a sophisticated malware campaign. The malware is distributed via social media and messaging platforms under the guise of legitimate applications like Opera Mini, OpenAI ChatGPT, and Premium versions of YouTube, Netflix, and Instagram. "Once installed on a victim's device, the malware gains unauthorized access to sensitive data, including contacts, messages, and banking credentials," cybersecurity firm CloudSEK said in a Monday report. "It can also take control of the infected device, enabling malicious actions such as sending spam messages, making unauthorized payments, modifying files, and even remotely capturing photos through the device's cameras." DogeRAT, like many other malware-as-a-service (MaaS) offerings, is promoted by its India-based developer through a Telegram channel that has more than 2,100 subscribers since it wa... (The Hacker News)
May 30, 2023 – Attack
BrutePrint attack allows unlocking smartphones by brute-forcing fingerprints
Abstract
Researchers devised an attack technique, dubbed BrutePrint, that allows brute-forcing fingerprints on smartphones to bypass authentication. Researchers have devised an attack technique, dubbed BrutePrint, that allows brute-forcing fingerprints... (Security Affairs)
May 29, 2023 – Breach
Jimbos Protocol Hack Results in Loss of $7.5 Million Worth of Assets
Abstract
The latest victim of a protocol hack is Jimbos Protocol, a decentralized liquidity platform operating on the Arbitrum system. The attack resulted in a loss of 4,000 Ether (ETH), valued at around $7.5 million during the incident. (Cyware)
May 29, 2023 – Vulnerabilities
New BrutePrint Attack Lets Attackers Unlock Smartphones with Fingerprint Brute-Force
Abstract
Researchers have discovered an inexpensive attack technique that could be leveraged to brute-force fingerprints on smartphones to bypass user authentication and seize control of the devices. The approach, dubbed BrutePrint, bypasses limits put in place to counter failed biometric authentication attempts by weaponizing two zero-day vulnerabilities in the smartphone fingerprint authentication (SFA) framework. The flaws, Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), leverage logical defects in the authentication framework, which arise due to insufficient protection of fingerprint data on the Serial Peripheral Interface (SPI) of fingerprint sensors. The result is a "hardware approach to do man-in-the-middle (MitM) attacks for fingerprint image hijacking," researchers Yu Chen and Yiling He said in a research paper. "BrutePrint acts as a middleman between fingerprint sensor and TEE [Trusted Execution Environment]." The goal, at its core, is to be... (The Hacker News)
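Added example (not from the BrutePrint paper or The Hacker News): a deliberately simplified model of the Cancel-After-Match-Fail (CAMF) defect named above, showing why an attempt limiter that only counts a clean "fail" result can be driven past its limit by an attacker sitting on the SPI bus, and the fix of charging the attempt before the comparison runs. The toy matcher, the checksum scheme, the limit of five attempts and the candidate set are all assumptions for illustration; Match-After-Lock (MAL) is not modelled here.

```python
"""Simplified model of the CAMF logic defect.  Added example, not the
researchers' code.  Assumption: the limiter records a failed attempt only
when the matching routine completes with 'fail'; an attacker who corrupts
the frame checksum after a failed comparison turns that outcome into a
cancelled attempt, which the vulnerable limiter never counts."""
import hashlib
from dataclasses import dataclass

MAX_ATTEMPTS = 5  # assumed lockout threshold


@dataclass
class Frame:
    image: bytes
    checksum: bytes  # integrity tag the SPI man-in-the-middle can corrupt


def frame(image, corrupt=False):
    """Build a sensor frame; corrupt=True models the attacker zeroing the tag."""
    tag = hashlib.sha256(image).digest()[:4]
    return Frame(image, b"\x00\x00\x00\x00" if corrupt else tag)


def frame_ok(fr):
    return hashlib.sha256(fr.image).digest()[:4] == fr.checksum


@dataclass
class Authenticator:
    enrolled: bytes
    count_before_match: bool  # False = vulnerable ordering, True = hardened
    failures: int = 0
    locked: bool = False

    def attempt(self, fr):
        if self.locked:
            return "locked"
        if self.count_before_match:
            self.failures += 1          # hardened: charge the attempt up front
        if fr.image == self.enrolled:   # toy matcher: exact byte match
            self.failures = 0
            return "unlocked"
        # Cancel-After-Match-Fail: the frame is validated only after the
        # comparison failed.  A bad checksum aborts the attempt as an error,
        # so the vulnerable path below never reaches its counter increment.
        if not frame_ok(fr):
            outcome = "cancelled"
        else:
            if not self.count_before_match:
                self.failures += 1      # vulnerable: counted only on a clean fail
            outcome = "fail"
        if self.failures >= MAX_ATTEMPTS:
            self.locked = True
        return outcome


# Constructed fingerprint "dictionary"; the enrolled print sits at index 42.
CANDIDATES = [b"print-%02d" % i for i in range(50)]


def brute_force(auth, candidates, corrupt_checksum):
    """Submit candidates in order; returns (outcome, attempts used)."""
    for n, cand in enumerate(candidates, 1):
        outcome = auth.attempt(frame(cand, corrupt=corrupt_checksum))
        if outcome == "unlocked":
            return outcome, n
        if auth.locked:
            return "locked", n
    return "exhausted", len(candidates)


if __name__ == "__main__":
    for hardened in (False, True):
        for corrupt in (False, True):
            a = Authenticator(b"print-42", count_before_match=hardened)
            print(f"hardened={hardened} corrupt_checksum={corrupt}: "
                  f"{brute_force(a, CANDIDATES, corrupt)}")
```

Against the vulnerable ordering, corrupting the checksum lets every wrong candidate through as a "cancelled" attempt and the 43rd submission unlocks; without the corruption the limiter locks after five. With the attempt charged before the matcher runs, the same corruption still locks the device after five submissions, which is the property a limiter needs regardless of how the matching pipeline exits.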
May 29, 2023 – Breach
LockBit ransomware attack on MCNA Dental impacts 8.9M individuals
Abstract
Managed Care of North America (MCNA) Dental disclosed a data breach that impacted more than 8.9 million individuals. Managed Care of North America (MCNA) Dental suffered a data breach that impacted 8,923,662 patients. MCNA Dental is one of the largest... (Security Affairs)
May 29, 2023 – Privacy
UK: 20 NHS trusts shared patient details with Facebook without consent
Abstract
The data includes granular details of pages viewed, buttons clicked and keywords searched. It is matched to the user's IP address – an identifier linked to an individual or household – and, in many cases, details of their Facebook account. (Cyware)
May 29, 2023 – Malware
AceCryptor: Cybercriminals' Powerful Weapon, Detected in 240K+ Attacks
Abstract
A crypter (alternatively spelled cryptor) malware dubbed AceCryptor has been used to pack numerous strains of malware since 2016. Slovak cybersecurity firm ESET said it identified over 240,000 detections of the crypter in its telemetry in 2021 and 2022. This amounts to more than 10,000 hits per month. Some of the prominent malware families contained within AceCryptor are SmokeLoader, RedLine Stealer, RanumBot, Raccoon Stealer, Stop ransomware, and Amadey, among others. The countries with the most detections include Peru, Egypt, Thailand, Indonesia, Turkey, Brazil, Mexico, South Africa, Poland, and India. AceCryptor was first highlighted by Avast in August 2022, detailing the use of the malware to distribute Stop ransomware and RedLine Stealer on Discord in the form of 7-Zip files. Crypters are similar to packers, but instead of using compression, they are known to obfuscate the malware code with encryption to make detection and reverse engineering a lot more challenging. (The Hacker News)
May 29, 2023 – Malware
New Go-written GobRAT RAT targets Linux routers in Japan
Abstract
A new Golang remote access trojan (RAT), tracked as GobRAT, is targeting Linux routers in Japan, the JPCERT Coordination Center warns. JPCERT/CC is warning of cyberattacks against Linux routers in Japan that have been infected with a new Golang remote... (Security Affairs)
May 29, 2023 – Policy and Law
Sports Warehouse Fined $300,000 Over Payment Card Data Theft
Abstract
Investigators found that the retailer was storing nearly 20 years' worth of payment card data on its e-commerce server in plaintext format, protected by only a password, which the attacker guessed. (Cyware)
May 29, 2023 – Education
3 Challenges in Building a Continuous Threat Exposure Management (CTEM) Program and How to Beat Them
Abstract
If you're a cybersecurity professional, you're likely familiar with the sea of acronyms our industry is obsessed with. From CNAPP, to CWPP, to CIEM and all of the myriad others, there seems to be a new initialism born each day. In this article, we'll look at another trending acronym – CTEM, which stands for Continuous Threat Exposure Management – and the often-surprising challenges that come along with seeing a CTEM program through to maturity. While the concept of CTEM isn't brand new, having made its in-print debut in July of 2022, we are now at the point where many organizations are starting to try to operationalize the programs that they've been setting into motion over the last few months. And as organizations start to execute their carefully designed plans, they may find themselves bumping up against some unexpected challenges which can lead to setbacks. What is Continuous Threat Exposure Management (CTEM)? But first, to backtrack, let's just... (The Hacker News)
May 29, 2023 – Malware
Researchers analyzed the PREDATOR spyware and its loader Alien
Abstract
Cisco Talos and the Citizen Lab researchers have published a technical analysis of the powerful Android spyware Predator. Security researchers at Cisco Talos and the Citizen Lab have shared technical details about a commercial Android spyware named... (Security Affairs)
May 29, 2023 – Malware
Enhanced Legion Credential Harvester Targets SSH Servers and AWS Credentials
Abstract
An updated version of the Python-based, cloud-focused hack tool called Legion, which can extract credentials from vulnerable web servers, has surfaced. The updated variant incorporates the Paramiko module to exploit SSH servers. Furthermore, it can now retrieve specific AWS credentials associated wit... (Cyware)
May 29, 2023 – Malware
New GobRAT Remote Access Trojan Targeting Linux Routers in Japan
Abstract
Linux routers in Japan are the target of a new Golang remote access trojan (RAT) called GobRAT. "Initially, the attacker targets a router whose WEBUI is open to the public, executes scripts possibly by using vulnerabilities, and finally infects the GobRAT," the JPCERT Coordination Center (JPCERT/CC) said in a report published today. The compromise of an internet-exposed router is followed by the deployment of a loader script that acts as a conduit for delivering GobRAT, which, when launched, masquerades as the Apache daemon process (apached) to evade detection. The loader is also equipped to disable firewalls, establish persistence using the cron job scheduler, and register an SSH public key in the .ssh/authorized_keys file for remote access. GobRAT, for its part, communicates with a remote server via the Transport Layer Security (TLS) protocol to receive as many as 22 different encrypted commands for execution. Some of the major commands are as follows - Obt... (The Hacker News)
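Added example (not from the JPCERT/CC report): a triage check for the three loader behaviours the report describes, run over captured copies of authorized_keys, crontab output and a process listing from a router. The file contents, key material, paths and PIDs below are constructed; the allowlist of known SSH keys and the list of scratch directories treated as suspicious are assumptions an operator would replace with their own.

```python
"""Check a Linux host for GobRAT-style loader artefacts: an unknown SSH key
in authorized_keys, a cron job launched from a scratch directory or piping
a download into a shell, and a process named like the Apache daemon running
from a scratch directory.  Added example with constructed inputs."""
import re

# Constructed ~/.ssh/authorized_keys: one operator key, one appended key.
AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKNOWNKEY admin@mgmt
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEUNKNOWN root@localhost
"""
KNOWN_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKNOWNKEY"}  # assumed allowlist

# Constructed `crontab -l` output.
CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /tmp/.x/apached >/dev/null 2>&1
"""

# Constructed `ps -eo pid,comm,args` output.
PS = """\
  PID COMMAND         COMMAND
    1 init            /sbin/init
  812 httpd           /usr/sbin/httpd -D FOREGROUND
 4471 apached         /tmp/.x/apached
"""

SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # assumed scratch locations
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")


def unknown_ssh_keys(text, known):
    """Comments of keys in authorized_keys whose key blob is not allowlisted."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith(("ssh-", "ecdsa-")) and parts[1] not in known:
            hits.append(parts[2] if len(parts) > 2 else "<no comment>")
    return hits


def suspicious_cron(text):
    """Cron commands run from scratch dirs or piping a download into a shell."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        cmd = fields[5]
        if cmd.startswith(SUSPICIOUS_DIRS) or PIPE_TO_SHELL.search(cmd):
            hits.append(cmd)
    return hits


def masquerading_procs(text):
    """(pid, exe) for processes named 'apached', or Apache-like names whose
    executable lives in a scratch directory.  Real Apache shows up as
    'httpd' or 'apache2' under /usr/sbin."""
    hits = []
    for line in text.splitlines()[1:]:  # skip the ps header
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, comm, args = parts
        exe = args.split()[0]
        if comm == "apached" or (comm.startswith(("apache", "httpd")) and exe.startswith(SUSPICIOUS_DIRS)):
            hits.append((int(pid), exe))
    return hits


def triage(keys_text, cron_text, ps_text, known_keys):
    return {
        "unknown_ssh_keys": unknown_ssh_keys(keys_text, known_keys),
        "suspicious_cron": suspicious_cron(cron_text),
        "masquerading_procs": masquerading_procs(ps_text),
    }


if __name__ == "__main__":
    for k, v in triage(AUTHORIZED_KEYS, CRONTAB, PS, KNOWN_KEYS).items():
        print(f"{k}: {v}")
```

On an embedded router the same three checks are what a shell one-liner over /etc/crontabs, /root/.ssh and /proc would cover; the point of the allowlist is that an appended key is only detectable if the operator knows which keys are supposed to be there.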
May 29, 2023 – Phishing
Attackers use encrypted RPMSG messages in Microsoft 365 targeted phishing attacks
Abstract
Experts warn of phishing attacks that are combining the use of compromised Microsoft 365 accounts and .rpmsg encrypted emails. Trustwave researchers have observed threat actors using encrypted RPMSG attachments sent via compromised Microsoft 365 accounts... (Security Affairs)
May 29, 2023 – Breach
Data Breach at Dental Health Insurer MCNA Affects Nearly Nine Million Patients
Abstract
The Fort Lauderdale, Florida-based insurance company said it detected unauthorized access to certain systems on March 6 and discovered that certain systems within the network were infected with malicious code. (Cyware)
May 29, 2023 – Phishing
Don't Click That ZIP File! Phishers Weaponizing .ZIP Domains to Trick Victims
Abstract
A new phishing technique called "file archiver in the browser" can be leveraged to "emulate" a file archiver software in a web browser when a victim visits a .ZIP domain. "With this phishing attack, you simulate a file archiver software (e.g., WinRAR) in the browser and use a .zip domain to make it appear more legitimate," security researcher mr.d0x disclosed last week. Threat actors, in a nutshell, could create a realistic-looking phishing landing page using HTML and CSS that mimics legitimate file archive software, and host it on a .zip domain, thus elevating social engineering campaigns. In a potential attack scenario, a miscreant could resort to such trickery to redirect users to a credential harvesting page when a file "contained" within the fake ZIP archive is clicked. "Another interesting use case is listing a non-executable file and when the user clicks to initiate a download, it downloads an executable file," mr.d0x... (The Hacker News)
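Added example (not from mr.d0x's write-up or The Hacker News): a mail-filter style check that flags links whose target host sits under a TLD that doubles as a file extension, and links whose visible text looks like an archive or document while the href does not actually point at that file. The sample message, its hostnames and the set of file-like TLDs are constructed for the example; the .zip domain shown is not claimed to exist.

```python
"""Flag anchors in an HTML message that exploit file-extension TLDs or a
mismatch between file-looking link text and the real target.  Added
example with a constructed message."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

FILE_LIKE_TLDS = {"zip", "mov"}  # assumed list; extend as registries add more
FILE_NAME_RE = re.compile(r"\.(zip|rar|7z|exe|pdf|docx?|xlsx?)$", re.IGNORECASE)

# Constructed HTML email body; the first link is the lure.
SAMPLE_EMAIL = """\
<p>Your statement is attached: <a href="https://statement-q2.zip/">statement-q2.zip</a></p>
<p>See our <a href="https://www.example.com/about">company page</a>.</p>
<p>Report: <a href="https://cdn.example.com/q1-report.pdf">q1-report.pdf</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify_link(href, text):
    """Return the list of reasons a link is suspicious (empty if none)."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in FILE_LIKE_TLDS:
        reasons.append(f"host {host} is under file-extension TLD .{tld}")
    # Text says "statement-q2.zip" but the URL path does not end in that file:
    # the browser lands on a web page (the fake archiver), not a download.
    if FILE_NAME_RE.search(text) and not parts.path.lower().endswith(text.lower()):
        reasons.append(f"link text {text!r} looks like a file but target path is {parts.path!r}")
    return reasons


def suspicious_links(html):
    """(href, text, reasons) for every flagged link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        reasons = classify_link(href, text)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{href} [{text}]")
        for r in reasons:
            print(f"  - {r}")
```

The second rule is what keeps a legitimate "q1-report.pdf" link quiet: its path really ends in that file name, whereas the lure's path is just "/". Blocking or rewriting the whole .zip and .mov TLDs at the mail gateway is the blunter control, and both checks are cheap enough to run on every inbound message.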
May 29, 2023 – Hacker
Tortoiseshell Eyes Israeli Logistics Industry
Abstract
Alleged Iranian nation-state hacker group Tortoiseshell performed a watering hole attack on several shipping and logistics websites in Israel to collect information about their users. Attackers stay hidden by impersonating the genuine jQuery JavaScript framework. Organizations are urged to raise aw... (Cyware)
May 29, 2023 – Solution
PyPI Implements Mandatory Two-Factor Authentication for Project Owners
Abstract
The Python Package Index (PyPI) announced last week that every account that maintains a project on the official third-party software repository will be required to turn on two-factor authentication (2FA) by the end of the year. "Between now and the end of the year, PyPI will begin gating access to certain site functionality based on 2FA usage," PyPI administrator Donald Stufft said. "In addition, we may begin selecting certain users or projects for early enforcement." The enforcement also includes organization maintainers, but does not extend to every single user of the service. The goal is to neutralize the threats posed by account takeover attacks, which an attacker can leverage to distribute trojanized versions of popular packages to poison the software supply chain and deploy malware on a large scale. PyPI, like other open source repositories such as npm, has witnessed innumerable instances of malware and package impersonation. Earlier this month, F... (The Hacker News)
May 28, 2023 – Breach
Industrial automation giant ABB disclosed data breach after ransomware attack
Abstract
Swiss electrification and automation technology giant ABB confirmed it has suffered a data breach after a ransomware attack. ABB has more than 105,000 employees and had $29.4 billion in revenue for 2022. On May 7, 2023, the Swiss multinational company,... (Security Affairs)
May 28, 2023 – Malware
New Bandit Stealer targets web browsers and cryptocurrency wallets
Abstract
Bandit Stealer is a new stealthy information stealer malware that targets numerous web browsers and cryptocurrency wallets. Trend Micro researchers discovered a new info-stealing malware, dubbed Bandit Stealer, which is written in the Go language... (Security Affairs)
May 28, 2023 – Vulnerabilities
CISA adds recently patched Barracuda zero-day to its Known Exploited Vulnerabilities catalog
Abstract
US CISA added the recently patched Barracuda zero-day vulnerability to its Known Exploited Vulnerabilities catalog. The US Cybersecurity and Infrastructure Security Agency (CISA) added a recently patched Barracuda zero-day vulnerability to its Known Exploited... (Security Affairs)
May 27, 2023 – Government
AHA Tells HHS to 'Amend or Suspend' Web Tracking Guidance
Abstract
The AHA is urging federal regulators to back off from recent guidance that treats patient IP addresses as PHI, saying that the new rules would "reduce public access to credible health information" and create hardships for doctors and hospitals. (Cyware)
May 27, 2023 – Policy and Law
German Prosecutors Indict FinFisher Spyware Executives
Abstract
The indictment accuses the four FinFisher executives, identified only by an initial, of evading export controls by selling the FinSpy hacking tool to Turkey's intelligence agency in 2015 through a Bulgarian front company. (Cyware)
May 27, 2023 – General
Security Affairs newsletter Round 421 by Pierluigi Paganini – International edition
Abstract
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Is... (Security Affairs)
May 27, 2023 – Outage
Is the BlackByte ransomware gang behind the City of Augusta attack?
Abstract
The city of Augusta in Georgia, U.S., admitted that the recent IT system outage was caused by a cyber attack. While the City of Augusta revealed that a cyberattack caused the recent IT outage, the BlackByte ransomware gang has claimed responsibility... (Security Affairs)
May 27, 2023 – Ransomware
New Buhti ransomware operation uses rebranded LockBit and Babuk payloads
Abstract
The recently identified Buhti operation targets organizations worldwide with rebranded LockBit and Babuk ransomware variants. Researchers from Symantec discovered a new ransomware operation called Buhti (aka Blacktail) that is using LockBit and Babuk... (Security Affairs)
May 27, 2023 – Policy and Law
Lender OneMain fined $4.25 million for cybersecurity lapses
Abstract
OneMain Financial Group, which specializes in issuing loans to people with "nonprime" credit histories, will pay a $4.25 million penalty in New York state for cybersecurity lapses found during a government investigation. (Cyware)
May 27, 2023 – Malware
New Stealthy Bandit Stealer Targeting Web Browsers and Cryptocurrency Wallets
Abstract
A new stealthy information stealer malware called Bandit Stealer has caught the attention of cybersecurity researchers for its ability to target numerous web browsers and cryptocurrency wallets. "It has the potential to expand to other platforms as Bandit Stealer was developed using the Go programming language, possibly allowing cross-platform compatibility," Trend Micro said in a Friday report. The malware is currently focused on targeting Windows by using a legitimate command-line tool called runas.exe that allows users to run programs as another user with different permissions. The goal is to escalate privileges and execute itself with administrative access, thereby effectively bypassing security measures to harvest wide swathes of data. That said, Microsoft's access control mitigations to prevent unauthorized execution of the tool mean an attempt to run the malware binary as an administrator requires providing the necessary credentials. "By using the... (The Hacker News)
May 27, 2023 – Malware
Pegasus spyware was deployed in Armenia amid Nagorno-Karabakh war
Abstract
A number of individuals from Armenia contacted the digital rights organizations CyberHUB-AM, an Armenian organization, and Access Now to check their devices for evidence of such spyware. (Cyware)
May 27, 2023 – Vulnerabilities
Critical OAuth Vulnerability in Expo Framework Allows Account Hijacking
Abstract
A critical security vulnerability has been disclosed in the Open Authorization (OAuth) implementation of the application development framework Expo.io. The shortcoming, assigned the CVE identifier CVE-2023-28131, has a severity rating of 9.6 on the CVSS scoring system. API security firm Salt Labs said the issue rendered services using the framework susceptible to credential leakage, which could then be used to hijack accounts and siphon sensitive data. Under certain circumstances, a threat actor could have taken advantage of the flaw to perform arbitrary actions on behalf of a compromised user on various platforms such as Facebook, Google, or Twitter. Expo, similar to Electron, is an open source platform for developing universal native apps that run on Android, iOS, and the web. It's worth noting that for the attack to be successful, sites and applications using Expo should have configured the AuthSession Proxy setting for single sign-on (SSO) using a third-party provider... (The Hacker News)
May 27, 2023 – Government
DOD Submits Classified Cyber Strategy to Congress Full Text
Abstract
The Department of Defense announced on Friday that it submitted its classified 2023 cyber strategy to Congress “earlier this week” and plans to release an unclassified summary of its new cybersecurity approach “in the coming months.”Cyware
May 27, 2023 – Breach
Medical Specialty Practice Says Recent Hack Affects 224,500 Full Text
Abstract
An upstate New York medical specialty practice told regulators that hackers compromised the personal and protected health information of nearly 224,500 employees and patients in an incident discovered in March.Cyware
May 27, 2023 – Attack
Update: Latitude Financial Attack Costs Company Up to $68.5 Million Full Text
Abstract
Latitude was able to process transactions during the incident, but "account originations and collections were closed or severely restricted." The company has since fully recovered, it says.Cyware
May 26, 2023 – APT
New PowerExchange Backdoor linked to an Iranian APT group
Abstract
An alleged Iran-linked APT group targeted an organization linked to the United Arab Emirates (U.A.E.) with the new PowerExchange backdoor. Researchers from the Fortinet FortiGuard Labs observed an attack targeting a government entity in the United... (Security Affairs)
May 26, 2023 – Botnet
Dark Frost Botnet targets the gaming sector with powerful DDoS
Abstract
Researchers spotted a new botnet dubbed Dark Frost that is used to launch distributed denial-of-service (DDoS) attacks against the gaming industry. Researchers from Akamai discovered a new botnet called Dark Frost that was employed in distributed... (Security Affairs)
May 26, 2023 – Vulnerabilities
Severe Flaw in Google Cloud’s Cloud SQL Service Exposed Confidential Data
Abstract
A new security flaw has been disclosed in the Google Cloud Platform's (GCP) Cloud SQL service that could be potentially exploited to obtain access to confidential data. "The vulnerability could have enabled a malicious actor to escalate from a basic Cloud SQL user to a full-fledged sysadmin on a container, gaining access to internal GCP data like secrets, sensitive files, passwords, in addition to customer data," Israeli cloud security firm Dig said. Cloud SQL is a fully-managed solution to build MySQL, PostgreSQL, and SQL Server databases for cloud-based applications. The multi-stage attack chain identified by Dig, in a nutshell, leveraged a gap in the cloud platform's security layer associated with SQL Server to escalate the privileges of a user to that of an administrator role. The elevated permissions subsequently made it possible to abuse another critical misconfiguration to obtain system administrator rights and take full control of the database server. (The Hacker News)
May 26, 2023 – Malware
New CosmicEnergy ICS malware threatens energy grid assets
Abstract
Experts detailed a new piece of malware, named CosmicEnergy, that is linked to Russia and targets industrial control systems (ICS). Researchers from Mandiant discovered a new malware, named CosmicEnergy, designed to target operational technology... (Security Affairs)
May 26, 2023 – Malware
Predator Android Spyware: Researchers Uncover New Data Theft Capabilities
Abstract
Security researchers have detailed the inner workings of the commercial Android spyware called Predator, which is marketed by the Israeli company Intellexa (previously Cytrox). Predator was first documented by Google's Threat Analysis Group (TAG) in May 2022 as part of attacks leveraging five different zero-day flaws in the Chrome web browser and Android. The spyware, which is delivered by means of another loader component called Alien, is equipped to record audio from phone calls and VoIP-based apps as well as gather contacts and messages, including from Signal, WhatsApp, and Telegram. Its other functionalities allow it to hide applications and prevent applications from being executed upon rebooting the handset. "A deep dive into both spyware components indicates that Alien is more than just a loader for Predator and actively sets up the low-level capabilities needed for Predator to spy on its victims," Cisco Talos said in a technical report. Spyware like Preda (The Hacker News)
May 26, 2023 – 5G
5 Must-Know Facts about 5G Network Security and Its Cloud Benefits
Abstract
5G is a game changer for mobile connectivity, including mobile connectivity to the cloud. The technology provides high speed and low latency when connecting smartphones and IoT devices to cloud infrastructure. 5G networks are a critical part of all infrastructure layers between the end user and the end service; these networks transmit sensitive data that can be vital for governments and businesses, not to mention individuals. As a result, 5G networks are a prime target for attackers. For this reason, cybersecurity has been a key consideration in developing the 5G standard. 5G encompasses robust security features that guarantee confidentiality, integrity, and availability of network services and user data. In this article, Seva Vayner, Product Owner of Gcore's Edge Cloud service, gives a deep dive into five of 5G's cutting-edge security measures. He also delves into the pivotal performance capabilities of 5G, accompanied by use cases that demonstrate how contemporary, cloud (The Hacker News)
May 26, 2023 – Attack
WinTapix Attack Campaign Targets Middle East Nations
Abstract
An unidentified threat actor group has been observed employing a malicious Windows kernel driver in targeted attacks, primarily focusing on the Middle East region. Fortinet security experts have dubbed the artifact WINTAPIX (WinTapix.sys). To stay protected, users are suggested to immediately im ... (Cyware)
May 26, 2023 – Malware
New COSMICENERGY Malware Exploits ICS Protocol to Sabotage Power Grids
Abstract
A new strain of malicious software that's engineered to penetrate and disrupt critical systems in industrial environments has been unearthed. Google-owned threat intelligence firm Mandiant dubbed the malware COSMICENERGY, adding it was uploaded to the VirusTotal public malware scanning utility in December 2021 by a submitter in Russia. There is no evidence that it has been put to use in the wild. "The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia," the company said. COSMICENERGY is the latest addition to specialized malware like Stuxnet, Havex, Triton, IRONGATE, BlackEnergy2, Industroyer, and PIPEDREAM, which are capable of sabotaging critical systems and wreaking havoc. Mandiant said that there are circumstantial links that it may have bee (The Hacker News)
May 26, 2023 – General
Ahead of summer holiday weekends, IT security leaders brace for deliberate cyber mischief
Abstract
Memorial Day weekend marks the start of the summer travel season. U.S. authorities and network defenders in the private sector are quietly paying attention to potential threats that may emerge during key holiday weekends over the next three months. (Cyware)
May 26, 2023 – Vulnerabilities
Barracuda Warns of Zero-Day Exploited to Breach Email Security Gateway Appliances
Abstract
Email protection and network security services provider Barracuda is warning users about a zero-day flaw that it said has been exploited to breach the company's Email Security Gateway (ESG) appliances. The zero-day is being tracked as CVE-2023-2868 and has been described as a remote code injection vulnerability affecting versions 5.1.3.001 through 9.2.0.006. The California-headquartered firm said the issue is rooted in a component that screens the attachments of incoming emails. "The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives)," according to an advisory from NIST's national vulnerability database. "The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely exe (The Hacker News)
May 26, 2023 – Government
Italy’s Industry Ministry reports ‘heavy’ cyberattack
Abstract
Technicians were working to "mitigate the consequences" of the attack, the ministry wrote in a statement, adding that initial checks showed no evidence of data theft. It was too early to predict when activities would be back to normal, it said. (Cyware)
May 25, 2023 – Malware
Operation “Total Exchange”: New PowerExchange Backdoor Discovered in the UAE
Abstract
While investigating attacks targeting a government entity in the UAE, Fortinet researchers also discovered an implant on Microsoft Exchange servers which was a novel web shell, dubbed ExchangeLeech, due to its unique ability to harvest credentials. (Cyware)
May 25, 2023 – Botnet
Dark Frost Botnet Launches Devastating DDoS Attacks on Gaming Industry
Abstract
A new botnet called Dark Frost has been observed launching distributed denial-of-service (DDoS) attacks against the gaming industry. "The Dark Frost botnet, modeled after Gafgyt, QBot, Mirai, and other malware strains, has expanded to encompass hundreds of compromised devices," Akamai security researcher Allen West said in a new technical analysis shared with The Hacker News. Targets include gaming companies, game server hosting providers, online streamers, and even other gaming community members with whom the threat actor has interacted directly. As of February 2023, the botnet comprises 414 machines running various instruction set architectures such as ARMv4, x86, MIPSEL, MIPS, and ARM7. Botnets are usually made up of a vast network of compromised devices around the world. The operators tend to use the enslaved hosts to mine cryptocurrency, steal sensitive data, or harness the collective internet bandwidth from these bots to knock down other websites and intern (The Hacker News)
May 25, 2023 – Government
U.S. and Partners Release Joint Cybersecurity Advisory on Volt Typhoon
Abstract
The joint advisory warns of the tactics, techniques, and procedures used by a China state-sponsored cyber actor targeting U.S. critical infrastructure organizations. (Lawfare)
May 25, 2023 – Vulnerabilities
D-Link fixes two critical flaws in D-View 8 network management suite
Abstract
D-Link fixed two critical flaws in its D-View 8 network management suite that could lead to authentication bypass and arbitrary code execution. D-Link has addressed two critical vulnerabilities (CVSS score: 9.8) in its D-View 8 network management... (Security Affairs)
May 25, 2023 – Malware
YouTube Pirated Software Videos Deliver Triple Threat: Vidar Stealer, Laplas Clipper, XMRig Miner
Abstract
FortiGuard Labs came across an ongoing threat campaign targeting YouTube users searching for pirated software earlier this month. Videos advertising downloads of pirated software are uploaded by verified YouTube channels with large subscriber counts. (Cyware)
May 25, 2023 – Vulnerabilities
Zyxel Issues Critical Security Patches for Firewall and VPN Products
Abstract
Zyxel has released software updates to address two critical security flaws affecting select firewall and VPN products that could be abused by remote attackers to achieve code execution. Both the flaws – CVE-2023-33009 and CVE-2023-33010 – are buffer overflow vulnerabilities and are rated 9.8 out of 10 on the CVSS scoring system. A brief description of the two issues is below: CVE-2023-33009, a buffer overflow vulnerability in the notification function that could enable an unauthenticated attacker to cause a denial-of-service (DoS) condition and remote code execution; CVE-2023-33010, a buffer overflow vulnerability in the ID processing function that could enable an unauthenticated attacker to cause a denial-of-service (DoS) condition and remote code execution. The following devices are impacted: ATP (versions ZLD V4.32 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2); USG FLEX (versions ZLD V4.50 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2); USG FLEX50(W) / USG20(W (The Hacker News)
May 25, 2023 – Vulnerabilities
Zyxel firewall and VPN devices affected by critical flaws
Abstract
Zyxel fixed two critical flaws in multiple firewall and VPN products that can lead to remote code execution or cause a DoS condition. Zyxel addressed two critical buffer overflow vulnerabilities, tracked as CVE-2023-33009 and CVE-2023-33010, that... (Security Affairs)
May 25, 2023 – Privacy
Broad coalition of advocacy groups urges Slack to protect users’ messages from eavesdropping
Abstract
While there are no reported instances of Slack messages being weaponized, the trove of communications the platform collects from clients ranging from government agencies to activists has made user communications a target of both lawsuits and hackers. (Cyware)
May 25, 2023 – Solution
Cynet Protects Hospital From Lethal Infection
Abstract
A hospital with 2,000 employees in the E.U. deployed Cynet protections across its environment. The hospital was in the process of upgrading several expensive imaging systems that were still supported by Windows XP and Windows 7 machines. Cynet protections were in place on most of the Windows XP and Windows 7 machines during the upgrade process, ensuring that legacy operating systems would not cause vulnerabilities or delay the activation of an incident response plan. The hospital's I.T. security team appreciated this coverage after their previous provider abandoned support for Windows XP and Windows 7. "One of the many reasons we chose Cynet was their support of legacy Windows machines. It's expensive, difficult and time consuming to upgrade our imaging system software, but we needed protections as we slowly migrated to more current Windows environments. Cynet was one of the few providers that continue to protect these older Windows environments." The Attack Alo (The Hacker News)
May 25, 2023 – APT
China-linked APT Volt Typhoon targets critical infrastructure organizations
Abstract
A China-linked APT group, tracked as Volt Typhoon, breached critical infrastructure organizations in the U.S. and Guam without being detected. China-linked APT cyber espionage group Volt Typhoon infiltrated critical infrastructure organizations in the U.S.... (Security Affairs)
May 25, 2023 – Hacker
Brazilian hackers target Portuguese financial institutions
Abstract
A Brazilian hacking crew targeted users of over 30 Portuguese financial institutions earlier this year in a campaign that provides the latest example of financially motivated hackers in Brazil hitting foreign targets, according to SentinelLabs. (Cyware)
May 25, 2023 – Breach
New PowerExchange Backdoor Used in Iranian Cyber Attack on UAE Government
Abstract
An unnamed government entity associated with the United Arab Emirates (U.A.E.) was targeted by a likely Iranian threat actor to breach the victim's Microsoft Exchange Server with a "simple yet effective" backdoor dubbed PowerExchange. According to a new report from Fortinet FortiGuard Labs, the intrusion relied on email phishing as an initial access pathway, leading to the execution of a .NET executable contained with a ZIP file attachment. The binary, which masquerades as a PDF document, functions as a dropper to execute the final payload, which then launches the backdoor. PowerExchange, written in PowerShell, employs text files attached to emails for command-and-control (C2) communication. It allows the threat actor to run arbitrary payloads and upload and download files from and to the system. The custom implant achieves this by making use of the Exchange Web Services (EWS) API to connect to the victim's Exchange Server and uses a mailbox on the server to (The Hacker News)
May 25, 2023 – APT
North Korea-linked Lazarus APT targets Microsoft IIS servers to deploy malware
Abstract
North Korea-linked APT group Lazarus has been targeting vulnerable Microsoft IIS servers to deploy malware. AhnLab Security Emergency response Center (ASEC) researchers reported that the Lazarus APT Group is targeting vulnerable versions of Microsoft... (Security Affairs)
May 25, 2023 – Ransomware
New Buhti Ransomware Operation Relies on Repurposed Payloads
Abstract
While the group doesn’t develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types. (Cyware)
May 25, 2023 – Attack
Alert: Brazilian Hackers Targeting Users of Over 30 Portuguese Banks
Abstract
A Brazilian threat actor is targeting more than 30 Portuguese financial institutions with information-stealing malware as part of a long-running campaign that commenced in 2021. "The attackers can steal credentials and exfiltrate users' data and personal information, which can be leveraged for malicious activities beyond financial gain," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a new report shared with The Hacker News. The cybersecurity firm, which began tracking "Operation Magalenha" earlier this year, said the intrusions culminate in the deployment of two variants of a backdoor called PeepingTitle so as to "maximize attack potency." The links to Brazil stem from the use of the Brazilian-Portuguese language within the detected artifacts as well as source code overlaps with another banking trojan known as Maxtrilha, which was first disclosed in September 2021. PeepingTitle, like Maxtrilha, is written in the Delphi (The Hacker News)
May 25, 2023 – APT
Iran-linked Tortoiseshell APT behind watering hole attacks on shipping and logistics Israeli websites
Abstract
Iran-linked threat actor Tortoiseshell targeted shipping, logistics, and financial services companies in Israel with watering hole attacks. ClearSky Cyber Security uncovered a watering hole attack on at least eight Israeli websites belonging to shipping,... (Security Affairs)
May 25, 2023 – Government
CISA and Partners Update the #StopRansomware Guide Developed Through the Joint Ransomware Task Force
Abstract
The updated guide, developed through the Joint Ransomware Task Force, reflects lessons learned in the last few years, adding the FBI and NSA as co-authors. It offers recommendations to prevent initial intrusion and protect data using cloud backups. (Cyware)
May 25, 2023 – Education
Webinar with Guest Forrester: Browser Security New Approaches
Abstract
In today's digital landscape, browser security has become an increasingly pressing issue, making it essential for organizations to be aware of the latest threats to browser security. That's why the Browser Security platform LayerX is hosting a webinar featuring guest speaker Paddy Harrington, a senior analyst at Forrester and the lead author of Forrester's browser security report "Securing The Browser In The World Of Anywhere Work". During this webinar, Harrington will join the LayerX CEO to discuss the emergence of the browser security category, the browser security risk and threat landscape, and why addressing browser security can wait no longer. The webinar will also cover browser security solutions, explaining their pros, cons, and differences, and how organizations can work more securely in the browser. Additionally, the session will focus on using browser security solutions as a cost-saver for security teams. Participants will also get an exclusive opport (The Hacker News)
May 25, 2023 – General
Reality check: What will generative AI really do for cybersecurity?
Abstract
Recent rapid advances in ML have made the potential power of AI blindingly obvious. What’s much less obvious is how it is going to be usefully deployed in security contexts and whether it will deliver the major breakthroughs its proponents promise. (Cyware)
May 25, 2023 – Criminals
Buhti Ransomware Gang Switches Tactics, Utilizes Leaked LockBit and Babuk Code
Abstract
The threat actors behind the nascent Buhti ransomware have eschewed their custom payload in favor of leaked LockBit and Babuk ransomware families to strike Windows and Linux systems. "While the group doesn't develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types," Symantec said in a report shared with The Hacker News. The cybersecurity firm is tracking the cybercrime group under the name Blacktail. Buhti was first highlighted by Palo Alto Networks Unit 42 in February 2023, describing it as a Golang ransomware targeting the Linux platform. Later that same month, Bitdefender revealed the use of a Windows variant that was deployed against Zoho ManageEngine products that were vulnerable to critical remote code execution flaws (CVE-2022-47966). The operators have since been observed swiftly exploiting other severe bugs impacting IBM's Aspera Fasp (The Hacker News)
May 25, 2023 – Breach
Free VPN Service SuperVPN Exposes 360 Million User Records
Abstract
The exposed database contained a staggering 360,308,817 records, totaling 133 GB in size. These records included a wide range of sensitive information, including user email addresses, original IP addresses, geolocation data, and server usage records. (Cyware)
May 25, 2023 – Breach
China’s Stealthy Hackers Infiltrate U.S. and Guam Critical Infrastructure Undetected
Abstract
A stealthy China-based group managed to establish a persistent foothold into critical infrastructure organizations in the U.S. and Guam without being detected, Microsoft and the "Five Eyes" nations said on Wednesday. The tech giant's threat intelligence team is tracking the activity, which includes post-compromise credential access and network system discovery, under the name Volt Typhoon. The state-sponsored actor is geared towards espionage and information gathering, with the cluster active since June 2021 and obscuring its intrusion footprint by taking advantage of tools already installed or built into infected machines. Some of the prominent sectors targeted include communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education. The company further assessed with moderate confidence that the campaign is "pursuing development of capabilities that could disrupt critical communications i (The Hacker News)
May 25, 2023 – Hacker
Iranian Agrius Hackers Targeting Israeli Organizations with Moneybird Ransomware
Abstract
The Iranian threat actor known as Agrius is leveraging a new ransomware strain called Moneybird in its attacks targeting Israeli organizations. Agrius, also known as Pink Sandstorm (formerly Americium), has a track record of staging destructive data-wiping attacks aimed at Israel under the guise of ransomware infections. Microsoft has attributed the threat actor to Iran's Ministry of Intelligence and Security (MOIS), which also operates MuddyWater. It's known to be active since at least December 2020. In December 2022, the hacking crew was attributed to a set of attempted disruptive intrusions that were directed against diamond industries in South Africa, Israel, and Hong Kong. These attacks involved the use of a .NET-based wiper-turned-ransomware called Apostle and its successor known as Fantasy. Unlike Apostle, Moneybird is programmed in C++. "The use of a new ransomware, written in C++, is noteworthy, as it demonstrates the group's expanding capabil (The Hacker News)
May 24, 2023 – Phishing
Scammers Use Residential IP Addresses to Launch BEC Attacks
Abstract
The Cyber Signals report revealed that Microsoft detected 35 million BEC attempts with an average of 156,000 attempts daily between April 2022 and April 2023. Microsoft also noticed a pattern in which attackers used a phishing-as-a-service platform, BulletProftLink, to obtain login credentials. To ... (Cyware)
May 24, 2023 – Attack
Iranian Tortoiseshell Hackers Targeting Israeli Logistics Industry
Abstract
At least eight websites associated with shipping, logistics, and financial services companies in Israel were targeted as part of a watering hole attack. Tel Aviv-based cybersecurity company ClearSky attributed the attacks with low confidence to an Iranian threat actor tracked as Tortoiseshell, which is also called Crimson Sandstorm (previously Curium), Imperial Kitten, and TA456. "The infected sites collect preliminary user information through a script," ClearSky said in a technical report published Tuesday. Most of the impacted websites have been stripped of the rogue code. Tortoiseshell is known to be active since at least July 2018, with early attacks targeting IT providers in Saudi Arabia. It has also been observed setting up fake hiring websites for U.S. military veterans in a bid to trick them into downloading remote access trojans. That said, this is not the first time Iranian activity clusters have set their sights on the Israeli shipping sector with wa (The Hacker News)
May 24, 2023 – Breach
Barracuda Email Security Gateway (ESG) hacked via zero-day bug
Abstract
Barracuda warned customers that some of its Email Security Gateway (ESG) appliances were breached exploiting a zero-day vulnerability. Network security solutions provider Barracuda warned customers that some of its Email Security Gateway (ESG) appliances... (Security Affairs)
May 24, 2023 – Malware
Windows Kernel Drivers Used in BlackCat Attacks
Abstract
Trend Micro revealed that the BlackCat ransomware group is using a signed kernel driver for evasion tactics. The driver was utilized in conjunction with a separate user client executable, with the intention of manipulating, pausing, and terminating specific processes associated with the security on ... (Cyware)
May 24, 2023 – Solution
What to Look for When Selecting a Static Application Security Testing (SAST) Solution
Abstract
If you're involved in securing the applications your organization develops, there is no question that Static Application Security Testing (SAST) solutions are an important part of a comprehensive application security strategy. SAST secures software, supports business more securely, cuts down on costs, reduces risk, and speeds time to development, delivery, and deployment of mission-critical applications. SAST scans code early during development, so your AppSec team won't be scrambling to fix unexpected vulnerabilities right before that big launch is planned. You'll avoid surprises and launch delays without inadvertently releasing risky software to customers — or into production. But if you consider SAST as a part of a larger AppSec platform, crucial for those who wish to shift security everywhere possible in the software development life cycle (SDLC), some SAST solutions outshine others. Knowing what to focus on: With a plethora of players in the market, sometimes (The Hacker News)
May 24, 2023 – Government
The US government sanctioned four entities and one individual for supporting cyber operations conducted by North Korea
Abstract
The US Department of the Treasury sanctioned four entities and one individual for their role in cyber operations conducted by North Korea. The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against four... (Security Affairs)
May 24, 2023 – Cryptocurrency
Sharp Decline in Crypto Hacks in Q1 2023 Unlikely to Last
Abstract
Law enforcement and regulatory action over the past year in the US most likely dissuaded hackers from stealing cryptocurrency, making the amount stolen in the first quarter of the year the lowest compared to each of the four quarters in 2022. (Cyware)
May 24, 2023 – Malware
Data Stealing Malware Discovered in Popular Android Screen Recorder App
Abstract
Google has removed a screen recording app named "iRecorder - Screen Recorder" from the Play Store after it was found to sneak in information stealing capabilities nearly a year after the app was published as an innocuous app. The app (APK package name "com.tsoft.app.iscreenrecorder"), which accrued over 50,000 installations, was first uploaded on September 19, 2021. The malicious functionality is believed to have been introduced in version 1.3.8, which was released on August 24, 2022. "It is rare for a developer to upload a legitimate app, wait almost a year, and then update it with malicious code," ESET security researcher Lukáš Štefanko said in a technical report. "The malicious code that was added to the clean version of iRecorder is based on the open source AhMyth Android RAT (remote access trojan) and has been customized into what we named AhRat." iRecorder was first flagged as harboring the AhMyth trojan on October 28, 2022, by (The Hacker News)
May 24, 2023 – Government
Ukraine’s CERT-UA warns of espionage activity conducted by UAC-0063 Full Text
Abstract
The Computer Emergency Response Team of Ukraine (CERT-UA) warns of a cyberespionage campaign targeting state bodies in the country. The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks targeting state bodies in the country...Security Affairs
May 24, 2023 – Vulnerabilities
OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers Full Text
Abstract
OAuth-related vulnerabilities found in the widely used application development framework Expo could have been exploited to take control of user accounts, according to API security firm Salt Security.Cyware
May 24, 2023 – Malware
Legion Malware Upgraded to Target SSH Servers and AWS Credentials Full Text
Abstract
An updated version of the commodity malware called Legion comes with expanded features to compromise SSH servers and Amazon Web Services (AWS) credentials associated with DynamoDB and CloudWatch. "This recent update demonstrates a widening of scope, with new capabilities such the ability to compromise SSH servers and retrieve additional AWS-specific credentials from Laravel web applications," Cado Labs researcher Matt Muir said in a report shared with The Hacker News. "It's clear that the developer's targeting of cloud services is advancing with each iteration." Legion, a Python-based hack tool, was first documented last month by the cloud security firm, detailing its ability to breach vulnerable SMTP servers in order to harvest credentials. It's also known to exploit web servers running content management systems (CMS), leverage Telegram as a data exfiltration point, and send spam SMS messages to a list of dynamically-generated U.S. mobile numThe Hacker News
May 24, 2023 – Malware
AhRat Android RAT was concealed in iRecorder app in Google Play Full Text
Abstract
ESET found a new remote access trojan (RAT), dubbed AhRat, on the Google Play Store that was concealed in an Android screen recording app. ESET researchers have discovered an Android app on Google Play that was hiding a new remote access trojan (RAT)...Security Affairs
May 24, 2023 – Business
Memcyco raises $10 million to deliver real-time brandjacking protection Full Text
Abstract
The Israel-based real-time website impersonation detection and prevention solution provider has completed a $10 million seed round led by Capri Ventures and Venture Guides.Cyware
May 24, 2023 – Hacker
N. Korean Lazarus Group Targets Microsoft IIS Servers to Deploy Espionage Malware Full Text
Abstract
The infamous Lazarus Group actor has been targeting vulnerable versions of Microsoft Internet Information Services ( IIS ) servers as an initial breach route to deploy malware on targeted systems. The findings come from the AhnLab Security Emergency response Center (ASEC), which detailed the advanced persistent threat's (APT) continued abuse of DLL side-loading techniques to run arbitrary payloads. "The threat actor places a malicious DLL (msvcr100.dll) in the same folder path as a normal application (Wordconv.exe) via the Windows IIS web server process, w3wp.exe," ASEC explained . "They then execute the normal application to initiate the execution of the malicious DLL." DLL side-loading , similar to DLL search-order hijacking, refers to the proxy execution of a rogue DLL via a benign binary planted in the same directory. Lazarus , a highly-capable and relentless nation-state group linked to North Korea, was most recently spotted leveraging the same tThe Hacker News
May 24, 2023 – Vulnerabilities
Mikrotik Belatedly Patches RouterOS Flaw Exploited at Pwn2Own Full Text
Abstract
Latvian network equipment manufacturer MikroTik has shipped a patch for a major security defect in its RouterOS product and confirmed the vulnerability was exploited five months ago at the Pwn2Own Toronto hacking contest.
Cyware
May 24, 2023 – Attack
Cyber Attacks Strike Ukraine’s State Bodies in Espionage Operation Full Text
Abstract
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks targeting state bodies in the country as part of an espionage campaign. The intrusion set, attributed to a threat actor tracked by the authority as UAC-0063 since 2021, leverages phishing lures to deploy a variety of malicious tools on infected systems. The origins of the hacking crew are presently unknown. In the attack chain described by the agency, the emails targeted an unspecified ministry and purported to be from the Embassy of Tajikistan in Ukraine. It's suspected that the messages were sent from a previously compromised mailbox. The emails carry an attached Microsoft Word document that, upon enabling macros, launches an encoded VBScript called HATVIBE, which is then used to drop additional malware. This includes a keylogger (LOGPIE), a Python-based backdoor capable of running commands sent from a remote server (CHERRYSPY), and a tool focused on exfiltrating files with specific e
The Hacker News
May 24, 2023 – Breach
Apria Sends IT Security Breach Notifications to Nearly Two Million People Full Text
Abstract
An "unauthorized third party" broke into "select Apria systems" containing personal information from April 5, 2019, to May 7, 2019, and then a second time from August 27, 2021, to October 10, 2021, according to the alert.
Cyware
May 23, 2023 – Phishing
Fake CapCut Websites Spread Information Stealers Full Text
Abstract
Cybercriminals are distributing a fake version of CapCut, ByteDance's official video editor tool, to infect users with different malware. In most cases, they employ SEO poisoning techniques, utilize search ads, and leverage social media platforms to promote the tool via malicious websites created b ...
Cyware
May 23, 2023 – APT
GoldenJackal: New Threat Group Targeting Middle Eastern and South Asian Governments Full Text
Abstract
Government and diplomatic entities in the Middle East and South Asia are the target of a new advanced persistent threat actor named GoldenJackal. Russian cybersecurity firm Kaspersky, which has been keeping tabs on the group's activities since mid-2020, characterized the adversary as both capable and stealthy. The targeting scope of the campaign is focused on Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey, infecting victims with tailored malware that steals data, propagates across systems via removable drives, and conducts surveillance. GoldenJackal is suspected to have been active for at least four years, although little is known about the group. Kaspersky said it has been unable to determine its origin or affiliation with known threat actors, but the actor's modus operandi suggests an espionage motivation. What's more, the threat actor's attempts to maintain a low profile and disappear into the shadows bear all the hallmarks of a state-sponsored g
The Hacker News
May 23, 2023 – Education
Hacking and Cybersecurity: Class 1, Practical Cybersecurity Full Text
Abstract
The first class of Lawfare's cybersecurity and hacking course is now available to the public.
Lawfare
May 23, 2023 – APT
The previously undocumented GoldenJackal APT targets Middle East, South Asia entities Full Text
Abstract
A previously undocumented APT group tracked as GoldenJackal has been targeting government and diplomatic entities in the Middle East and South Asia since 2019. Kaspersky researchers shared details about the activity of a previously undocumented APT group,...
Security Affairs
May 23, 2023 – Government
Treasury Department sanctions entities tied to North Korean IT scams, hacking Full Text
Abstract
The Treasury Department issued sanctions on Tuesday cracking down on four entities and one individual involved in malicious cyber activities supporting the Democratic People's Republic of Korea and its weapons programs.
Cyware
May 23, 2023 – APT
North Korean Kimsuky Hackers Strike Again with Advanced Reconnaissance Malware Full Text
Abstract
The North Korean advanced persistent threat (APT) group known as Kimsuky has been observed using a piece of custom malware called RandomQuery as part of a reconnaissance and information exfiltration operation. "Lately, Kimsuky has been consistently distributing custom malware as part of reconnaissance campaigns to enable subsequent attacks," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a report published today. The ongoing targeted campaign, per the cybersecurity firm, is primarily geared towards information services as well as organizations supporting human rights activists and North Korean defectors. Kimsuky, active since 2012, has exhibited targeting patterns that align with North Korea's operational mandates and priorities. The intelligence collection missions have involved the use of a diverse set of malware, including another reconnaissance program called ReconShark, as detailed by SentinelOne earlier this month. The latest activity
The Hacker News
May 23, 2023 – Vulnerabilities
Google announced its Mobile VRP (vulnerability rewards program) Full Text
Abstract
Google introduced Mobile VRP (vulnerability rewards program), a new bug bounty program for reporting vulnerabilities in its mobile applications. Google announced a new bug bounty program, named Mobile VRP (vulnerability rewards program), that covers...
Security Affairs
May 23, 2023 – Vulnerabilities
AT&T resolves issue that would allow account takeover through ZIP code and phone number Full Text
Abstract
The issue allowed security researcher Joseph Harris to effectively merge his own account with anyone else's, giving him the ability to update that account's password and take control of it.
Cyware
May 23, 2023 – Education
The Rising Threat of Secrets Sprawl and the Need for Action Full Text
Abstract
The most precious asset in today's information age is the secret safeguarded under lock and key. Regrettably, maintaining secrets has become increasingly challenging, as highlighted by the 2023 State of Secrets Sprawl report, the largest analysis of public GitHub activity. The report shows a 67% year-over-year increase in the number of secrets found, with 10 million hard-coded secrets detected in 2022 alone. This alarming surge in secrets sprawl highlights the need for action and underscores the importance of secure software development. Secrets sprawl refers to secrets appearing in plaintext in various sources, such as source code, build scripts, infrastructure as code, logs, etc. While secrets like API tokens and private keys securely connect the components of the modern software supply chain, their widespread distribution among developers, machines, applications, and infrastructure systems heightens the likelihood of leaks. Cybersecurity Incidents Highlight the Danger
The Hacker News
May 23, 2023 – Attack
German arms manufacturer Rheinmetall suffered Black Basta ransomware attack Full Text
Abstract
The German automotive and arms manufacturer Rheinmetall announced it was the victim of a Black Basta ransomware attack that took place last month. Rheinmetall is a German automotive and arms manufacturer that is listed on the Frankfurt stock exchange....
Security Affairs
May 23, 2023 – Vulnerabilities
Samsung Patches Memory Address Randomization Bypass Flaw Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency on Friday gave federal agencies until June 9 to patch affected Samsung-made Android devices and added the flaw to its Known Exploited Vulnerabilities Catalog.
Cyware
May 23, 2023 – Malware
New WinTapix.sys Malware Engages in Multi-Stage Attack Across Middle East Full Text
Abstract
An unknown threat actor has been observed leveraging a malicious Windows kernel driver in attacks likely targeting the Middle East since at least May 2020. Fortinet FortiGuard Labs, which dubbed the artifact WINTAPIX (WinTapix.sys), attributed the malware with low confidence to an Iranian threat actor. "WinTapix.sys is essentially a loader," security researchers Geri Revay and Hossein Jazi said in a report published on Monday. "Thus, its primary purpose is to produce and execute the next stage of the attack. This is done using a shellcode." Samples and telemetry data analyzed by Fortinet show that the campaign's primary focus is on Saudi Arabia, Jordan, Qatar, and the United Arab Emirates. The activity has not been tied to a known threat actor or group. By using a malicious kernel mode driver, the idea is to subvert or disable security mechanisms and gain entrenched access to the targeted host. Such drivers run within the kernel memory and can, there
The Hacker News
May 23, 2023 – APT
A deeper insight into the CloudWizard APT’s activity revealed a long-running activity Full Text
Abstract
Experts warn of a threat actor, tracked as CloudWizard APT, that is targeting organizations involved in the region of the Russo-Ukrainian conflict. In March 2023, researchers from Kaspersky spotted a previously unknown APT group, tracked as Bad...
Security Affairs
May 23, 2023 – Attack
Cyberespionage Campaign Targets Ukraine, Israel, India, Kazakhstan, and Other Nations Full Text
Abstract
Apart from targeting Ukrainian government entities, a threat actor identified by researchers as UAC-0063 "has also shown interest" in targeting Mongolia, Kazakhstan, Kyrgyzstan, Israel, and India, according to the report published on Monday.
Cyware
May 23, 2023 – Government
China Bans U.S. Chip Giant Micron, Citing “Serious Cybersecurity Problems” Full Text
Abstract
China has banned U.S. chip maker Micron from selling its products to Chinese companies working on key infrastructure projects, citing national security risks. The development comes nearly two months after the country's cybersecurity authority initiated a probe in late March 2023 to assess potential network security risks. "The purpose of this network security review of Micron's products is to prevent product network security problems from endangering the security of national critical information infrastructure, which is a necessary measure to maintain national security," the Cyberspace Administration of China (CAC) said. The CAC further said the investigation found "serious cybersecurity problems" in Micron's products, endangering the country's critical information infrastructure supply chain. As a result, operators involved in such critical information infrastructure projects should stop purchasing products from Micron, it added. The autho
The Hacker News
May 23, 2023 – Ransomware
BlackCat Ransomware affiliate uses signed kernel driver to evade detection Full Text
Abstract
Experts spotted the ALPHV/BlackCat ransomware group using signed malicious Windows kernel drivers to evade detection. Trend Micro researchers shared details about an ALPHV/BlackCat ransomware incident that took place in February 2023. A BlackCat affiliate...
Security Affairs
May 23, 2023 – Vulnerabilities
Vulnerability in Zyxel firewalls may soon be widely exploited Full Text
Abstract
The command injection vulnerability (CVE-2023-28771) affects Zyxel APT, USG FLEX, and VPN firewalls running versions v4.60 to v5.35 of the ZDL firmware, and Zyxel ZyWALL/USG gateways/firewalls running ZLD v4.60 to v4.73.
Cyware
May 23, 2023 – Outage
Suzuki Motorcycle India Manufacturing Plant Shut Down by Cyberattack Full Text
Abstract
Since May 10, the production of bikes and scooters at Suzuki Motorcycle's Indian plant has reportedly been temporarily suspended, at an estimated loss of 20,000 vehicles.
Cyware
May 22, 2023 – General
Google launches bug bounty program for its Android applications Full Text
Abstract
Google has launched the Mobile Vulnerability Rewards Program (Mobile VRP), a new bug bounty program that will pay security researchers for flaws found in the company's Android applications.
BleepingComputer
May 22, 2023 – Criminals
Guerrilla Campaign: Lemon Group’s Business of Pre-infected Devices Full Text
Abstract
The Lemon Group gained control over millions of smartphones globally through the preinstallation of a malware called Guerrilla, reported Trend Micro. The campaign has been active since 2018. Lemon Group conducts business for marketing and advertising companies and utilizes big data. This highl ...
Cyware
May 22, 2023 – Policy and Law
EU Regulators Hit Meta with Record $1.3 Billion Fine for Data Transfer Violations Full Text
Abstract
Facebook's parent company Meta has been fined a record $1.3 billion by European Union data protection regulators for transferring the personal data of users in the region to the U.S. In a binding decision taken by the European Data Protection Board (EDPB), the social media giant has been ordered to bring its data transfers into compliance with the GDPR and delete unlawfully stored and processed data within six months. Additionally, Meta has been given five months to suspend any future transfer of Facebook users' data to the U.S. Instagram and WhatsApp, which are also owned by the company, are not subject to the order. "The EDPB found that Meta IE's infringement is very serious since it concerns transfers that are systematic, repetitive, and continuous," Andrea Jelinek, EDPB Chair, said in a statement. "Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organizati
The Hacker News
May 22, 2023 – Government
CISA adds iPhone bugs to its Known Exploited Vulnerabilities catalog Full Text
Abstract
US CISA added three zero-day vulnerabilities affecting iPhones, Macs, and iPads to its Known Exploited Vulnerabilities catalog. US Cybersecurity and Infrastructure Security Agency (CISA) added three zero-day vulnerabilities affecting iPhones, Macs,...
Security Affairs
May 22, 2023 – Ransomware
Malicious Windows kernel drivers used in BlackCat ransomware attacks Full Text
Abstract
The ALPHV ransomware group (aka BlackCat) was observed employing signed malicious Windows kernel drivers to evade detection by security software during attacks.
BleepingComputer
May 22, 2023 – Government
GAO Tells Federal Agencies to Fully Implement Key Cloud Security Practices Full Text
Abstract
A new US Government Accountability Office (GAO) report shows that the Departments of Agriculture, Homeland Security (DHS), Labor, and the Treasury have not fully implemented six key cloud security practices for their systems.
Cyware
May 22, 2023 – Criminals
Indonesian Cybercriminals Exploit AWS for Profitable Crypto Mining Operations Full Text
Abstract
A financially motivated threat actor of Indonesian origin has been observed leveraging Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances to carry out illicit crypto mining operations. Cloud security company Permiso's P0 Labs, which first detected the group in November 2021, has assigned it the moniker GUI-vil (pronounced Goo-ee-vil). "The group displays a preference for Graphical User Interface (GUI) tools, specifically S3 Browser (version 9.5.5) for their initial operations," the company said in a report shared with The Hacker News. "Upon gaining AWS Console access, they conduct their operations directly through the web browser." Attack chains mounted by GUI-vil entail obtaining initial access by weaponizing AWS keys in publicly exposed source code repositories on GitHub or scanning for GitLab instances that are vulnerable to remote code execution flaws (e.g., CVE-2021-22205). A successful ingress is followed by privilege escalation and
The Hacker News
May 22, 2023 – General
EU hits Meta with $1.3 billion fine for transferring European user data to the US Full Text
Abstract
The European Union condemned Meta with a record $1.3 billion fine for transferring European user data to the US. The European Union fined Meta $1.3 billion for transferring user data to the US. This is the biggest fine since the adoption of the General...
Security Affairs
May 22, 2023 – Disinformation
Pentagon explosion hoax goes viral after verified Twitter accounts push Full Text
Abstract
Highly realistic AI-generated images depicting an explosion near the Pentagon that went viral on Twitter caused the stock market to dip briefly earlier today.
BleepingComputer
May 22, 2023 – Phishing
Malicious links and misaddressed emails slip past security controls Full Text
Abstract
The majority of organizations use six or more communication tools, across channels, with email remaining the channel seen as the most vulnerable to attacks (38%), according to Armorblox.
Cyware
May 22, 2023 – Hacker
Bad Magic’s Extended Reign in Cyber Espionage Goes Back Over a Decade Full Text
Abstract
New findings about a hacker group linked to cyber attacks targeting companies in the Russo-Ukrainian conflict area reveal that it may have been around for much longer than previously thought. The threat actor, tracked as Bad Magic (aka Red Stinger), has not only been linked to a fresh sophisticated campaign, but also to an activity cluster that first came to light in May 2016. "While the previous targets were primarily located in the Donetsk, Luhansk, and Crimea regions, the scope has now widened to include individuals, diplomatic entities, and research organizations in Western and Central Ukraine," Russian cybersecurity firm Kaspersky said in a technical report published last week. The campaign is characterized by the use of a novel modular framework codenamed CloudWizard, which features capabilities to take screenshots, record from the microphone, log keystrokes, grab passwords, and harvest Gmail inboxes. Bad Magic was first documented by the company in March 2023, detail
The Hacker News
May 22, 2023 – Breach
Dish Network says the February ransomware attack impacted +300,000 individuals Full Text
Abstract
Satellite TV giant Dish Network disclosed a data breach after the February ransomware attack and started notifying impacted individuals. The American satellite broadcast provider Dish Network went offline on February 24, 2023; the outage impacted...
Security Affairs
May 22, 2023 – Cryptocurrency
Crypto phishing service Inferno Drainer defrauds thousands of victims Full Text
Abstract
A cryptocurrency phishing and scam service called 'Inferno Drainer' has reportedly stolen over $5.9 million worth of crypto from 4,888 victims.
BleepingComputer
May 22, 2023 – Breach
Update: Dallas under pressure as Royal ransomware group threatens leak Full Text
Abstract
The ransomware attack against Dallas entered a new and all-too-common phase Friday as Royal, the threat actor behind the attack, listed the city on its leak site almost three weeks after the city was first made aware of the attack.
Cyware
May 22, 2023 – Education
Are Your APIs Leaking Sensitive Data? Full Text
Abstract
It's no secret that data leaks have become a major concern for both citizens and institutions across the globe. They can cause serious damage to an organization's reputation, induce considerable financial losses, and even have serious legal repercussions. From the infamous Cambridge Analytica scandal to the Equifax data breach, there have been some pretty high-profile leaks resulting in massive consequences for the world's biggest brands. Breaches also have a huge impact on individuals, ultimately leading to the loss of personal information, such as passwords or credit card details, which could be used by criminals for malicious purposes. Most notably, victims are left vulnerable to identity theft or financial fraud. When you think about the sheer volume of these leaks, one would imagine that the world would stop and focus on the attack vector(s) being exploited. The unfortunate reality is the world didn't stop. To make things more interesting, the most
The Hacker News
May 22, 2023 – Government
China bans chip maker Micron from its key information infrastructure Full Text
Abstract
The Chinese government announced the ban on the products made by the US memory chip giant Micron Technology over national security concerns. The Cyberspace Administration of China announced the ban on products made by US memory chip giant Micron Technology...
Security Affairs
May 22, 2023 – Government
CISA orders govt agencies to patch iPhone bugs exploited in attacks Full Text
Abstract
Today, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) ordered federal agencies to address three recently patched zero-day flaws affecting iPhones, Macs, and iPads known to be exploited in attacks.
BleepingComputer
May 22, 2023 – Business
Onfido acquires Airside to boost identity verification for individuals and businesses Full Text
Abstract
Cybersecurity firm Onfido acquired Airside Mobile to deliver user-controlled, shareable digital identity designed with data privacy and time-saving convenience at its core.
Cyware
May 22, 2023 – Policy and Law
U.K. Fraudster Behind iSpoof Scam Receives 13-Year Jail Term for Cyber Crimes Full Text
Abstract
A U.K. national responsible for his role as the administrator of the now-defunct iSpoof online phone number spoofing service has been sentenced to 13 years and 4 months in prison. Tejay Fletcher, 35, of Western Gateway, London, was awarded the sentence on May 18, 2023. He pleaded guilty last month to a number of cyber offenses, including facilitating fraud and possessing and transferring criminal property. iSpoof, which was available as a paid service, allowed fraudsters to mask their phone numbers and masquerade as representatives from banks, tax offices, and other official bodies to defraud victims. The help desk scam purported to warn targets of suspicious activity on their accounts and tricked them into disclosing sensitive financial information or transferring money to accounts under the threat actor's control. According to the U.K. Metropolitan Police, the criminals assumed false identities as representatives of various banks such as Barclays, Santander, HSBC, Lloy
The Hacker News
May 22, 2023 – Phishing
BatLoader campaign impersonates ChatGPT and Midjourney to deliver Redline Stealer Full Text
Abstract
Researchers identified an ongoing BatLoader campaign relying on Google Search Ads to deliver rogue web pages for ChatGPT and Midjourney. In early May, researchers at eSentire Threat Response Unit (TRU) spotted an ongoing BatLoader campaign using Google...
Security Affairs
May 22, 2023 – Government
EU slaps Meta with $1.3 billion fine for moving data to US servers Full Text
Abstract
The Irish Data Protection Commission (DPC) has announced a $1.3 billion fine on Facebook after claiming that the company violated Article 46(1) of the GDPR (General Data Protection Regulation).
BleepingComputer
May 22, 2023 – Breach
UK Councils Caught in Capita Unsecured AWS Bucket Data Leak Full Text
Abstract
The bad news train keeps rolling for Capita, with more local British councils surfacing to say their data was put on the line by an unsecured AWS bucket, and, separately, pension clients warning of possible data theft in March's mega breach.
Cyware
May 22, 2023 – Malware
KeePass Exploit Allows Attackers to Recover Master Passwords from Memory Full Text
Abstract
A proof-of-concept (PoC) has been made available for a security flaw impacting the KeePass password manager that could be exploited to recover a victim's master password in cleartext under specific circumstances. The issue, tracked as CVE-2023-32784, impacts KeePass versions 2.x for Windows, Linux, and macOS, and is expected to be patched in version 2.54, which is likely to be released early next month. "Apart from the first password character, it is mostly able to recover the password in plaintext," security researcher "vdohney," who discovered the flaw and devised a PoC, said. "No code execution on the target system is required, just a memory dump." "It doesn't matter where the memory comes from," the researcher added, stating, "it doesn't matter whether or not the workspace is locked. It is also possible to dump the password from RAM after KeePass is no longer running, although the chance of that working goes down w
The Hacker News
May 22, 2023 – Solution
An AI-based Chrome Extension Against Phishing, Malware, and Ransomware Full Text
Abstract
Criminal IP's Chrome extension offers real-time scanning of websites worldwide, using AI-based detection to identify recently created phishing sites.
BleepingComputer
May 22, 2023 – Solution
DarkBERT could help automate dark web mining for cyber threat intelligence Full Text
Abstract
Researchers have developed DarkBERT, a language model pre-trained on dark web data, to help cybersecurity pros extract cyber threat intelligence (CTI) from the Internet's virtual underbelly.
Cyware
May 22, 2023 – Ransomware
BlackCat Ransomware Deploys New Signed Kernel Driver Full Text
Abstract
Trend Micro researchers reported on an incident involving the BlackCat ransomware that took place in February 2023. The researchers highlighted a new capability, which involved the utilization of a signed kernel driver for evasion.
Cyware
May 22, 2023 – Business
Facebook Parent Meta Hit With Record Fine for Transferring European User Data to US Full Text
Abstract
The European Union slapped Meta with a record $1.3 billion privacy fine Monday and ordered it to stop transferring user data across the Atlantic, the latest salvo in a decadelong case sparked by U.S. cyberespionage fears.
Cyware
May 21, 2023 – General
Google will delete accounts inactive for more than 2 years Full Text
Abstract
Google has updated its policy for personal accounts across its services to allow a maximum period of inactivity of two years.
BleepingComputer
May 21, 2023 – Vulnerabilities
Android phones are vulnerable to fingerprint brute-force attacks Full Text
Abstract
Researchers at Tencent Labs and Zhejiang University have presented a new attack called 'BrutePrint,' which brute-forces fingerprints on modern smartphones to bypass user authentication and take control of the device.
BleepingComputer
May 21, 2023 – Outage
PyPI Repository Under Attack: User Sign-Ups and Package Uploads Temporarily Halted Full Text
Abstract
The maintainers of Python Package Index (PyPI), the official third-party software repository for the Python programming language, have temporarily disabled the ability for users to sign up and upload new packages until further notice. "The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave," the admins said in a notice published on May 20, 2023. No additional details about the nature of the malware and threat actors involved in publishing those rogue packages to PyPI were disclosed. The decision to freeze new user and project registrations comes as software registries such as PyPI have proven time and time again to be a popular target for attackers looking to poison the software supply chain and compromise developer environments. Earlier this week, Israeli cybersecurity startup Phylum uncovered an active malwa
The Hacker News
May 21, 2023 – Attack
PyPI Repository temporarily suspends user sign-ups and package uploads due to ongoing attacks Full Text
Abstract
The Python Package Index (PyPI) maintainers have temporarily disabled the sign-up and package upload processes due to an ongoing attack. The maintainers of Python Package Index (PyPI), the Python software repository, have temporarily disabled the sign...
Security Affairs
May 21, 2023 – General
Security Affairs newsletter Round 420 by Pierluigi Paganini – International edition Full Text
Abstract
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. We...
Security Affairs
May 20, 2023 – APT
CommonMagic Implants Linked to CloudWizard Full Text
Abstract
The APT campaign employs a modular framework called CloudWizard. This framework is capable of taking screenshots, keylogging, and recording audio from the microphone. The CloudWizard framework comprises nine modules that enable a variety of hacking capabilities.
Cyware
May 20, 2023 – Malware
Malicious VSCode Extensions: Password Theft and Remote Shell Exploits Full Text
Abstract
Check Point took the wraps off of three malicious Microsoft Visual Studio extensions on May 4, 2023, aimed at exploiting VSCode Marketplace visitors. These extensions, named Theme Darcula dark, python-vscode, and prettiest java, were downloaded by Windows developers nearly 46,000 times. Actors could ...
Cyware
May 20, 2023 – Malware
Meet ‘Jack’ from Romania! Mastermind Behind Golden Chickens Malware Full Text
Abstract
The identity of the second threat actor behind the Golden Chickens malware has been uncovered courtesy of a "fatal" operational security blunder, cybersecurity firm eSentire said. The individual in question, who lives in Bucharest, Romania, has been given the codename Jack. He is one of the two criminals operating an account on the Russian-language Exploit.in forum under the name "badbullzvenom," the other being "Chuck from Montreal." eSentire characterized Jack as the true mastermind behind Golden Chickens. Evidence unearthed by the Canadian company shows that he is also listed as the owner of a vegetable and fruit import and export business. "Like 'Chuck from Montreal,' 'Jack' uses multiple aliases for the underground forums, social media, and Jabber accounts, and he too has gone to great lengths to disguise himself," eSentire researchers Joe Stewart and Keegan Keplinger said. "'Jack' has taken great pa
The Hacker News
May 20, 2023 – Ransomware
Newcomer MalasLocker Group Demands Ransom as Donation for Charity Full Text
Abstract
MalasLocker, a new ransomware operation active since the end of March, targets Zimbra servers. The group gains access to servers by exploiting vulnerabilities in Zimbra software. Instead of demanding a ransom payment, MalasLocker demands a donation to a charity to provide a decryptor and prev ...
Cyware
May 20, 2023 – General
2021 data breach exposed data of 70 Million Luxottica customers Full Text
Abstract
Luxottica has finally confirmed the 2021 data breach that exposed the personal information of 70 million customers. Luxottica Group S.p.A. is an Italian eyewear conglomerate and the world's largest company in the eyewear industry. As a vertically...
Security Affairs
May 20, 2023 – Criminals
Researchers tie FIN7 cybercrime family to Clop ransomware Full Text
Abstract
Long-running cybercrime cartel FIN7, which has made use of ransomware variants developed by groups including REvil and Maze, has added another strain to its arsenal. This time, it's the Cl0p ransomware.
Cyware
May 20, 2023 – Criminals
Cybercrime gang FIN7 returned and was spotted delivering Clop ransomware Full Text
Abstract
Cybercriminal gang FIN7 returned with a new wave of attacks aimed at deploying the Clop ransomware on victims' networks. Researchers at the Microsoft Security Intelligence team published a series of tweets to warn of a new wave of attacks aimed at distributing...
Security Affairs
May 20, 2023 – Phishing
Phishing Vendor Sells IP Addresses to Duck Anomaly Detection Full Text
Abstract
BulletProofLink, also referred to as BulletProftLink or Anthrax, sells access to phishing kits, email templates, hosting, and automated series "at a relatively low cost".
Cyware
May 20, 2023 – Government
US CISA warns of a Samsung vulnerability under active exploitation Full Text
Abstract
US CISA added the CVE-2023-21492 vulnerability affecting Samsung devices to its Known Exploited Vulnerabilities Catalog. US CISA added the CVE-2023-21492 vulnerability (CVSS score: 4.4) affecting Samsung devices to its Known Exploited...
Security Affairs
May 20, 2023 – Hacker
UNC3944 Threat Group Uses Azure Built-in Tools to Abuse Azure VMs Full Text
Abstract
Financially motivated UNC3944 gang was found using phishing and SIM swapping attacks to hijack Microsoft Azure admin accounts and gain access to virtual machines to steal data from victim organizations. The threat actor gains initial access to an Azure administrator's account by using stolen creden ... Read MoreCyware
May 20, 2023 – Criminals
Notorious Cyber Gang FIN7 Returns Cl0p Ransomware in New Wave of Attacks Full Text
Abstract
The notorious cybercrime group known as FIN7 has been observed deploying Cl0p (aka Clop) ransomware, marking the threat actor's first ransomware campaign since late 2021. Microsoft, which detected the activity in April 2023, is tracking the financially motivated actor under its new taxonomy Sangria Tempest. "In these recent attacks, Sangria Tempest uses the PowerShell script POWERTRASH to load the Lizar post-exploitation tool and get a foothold into a target network," the company's threat intelligence team said. "They then use OpenSSH and Impacket to move laterally and deploy Clop ransomware." FIN7 (aka Carbanak, ELBRUS, and ITG14) has been linked to other ransomware families such as Black Basta, DarkSide, REvil, and LockBit, with the threat actor acting as a precursor for Maze and Ryuk ransomware attacks. Active since at least 2012, the group has a track record of targeting a broad spectrum of organizations spanning software, consulting, fThe Hacker News
May 20, 2023 – Attack
Mustang Panda Hijacks TP-Link Routers of European Foreign Affairs Entities Full Text
Abstract
European foreign affairs organizations are being targeted by the Chinese state-sponsored Camaro Dragon hacking group with a custom malware variant. This group has been found infecting residential TP-Link routers with a specialized malware called Horse Shell. Attackers can execute arbitrary commands, ... Read MoreCyware
May 20, 2023 – Vulnerabilities
Warning: Samsung Devices Under Attack! New Security Flaw Exposed Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of a medium-severity flaw affecting Samsung devices. The issue, tracked as CVE-2023-21492 (CVSS score: 4.4), impacts select Samsung devices running Android versions 11, 12, and 13. The South Korean electronics giant described the issue as an information disclosure flaw that could be exploited by a privileged attacker to bypass address space layout randomization (ASLR) protections. ASLR is a security technique that's designed to thwart memory corruption and code execution flaws by obscuring the location of an executable in a device's memory. Samsung, in an advisory released this month, said it was "notified that an exploit for this issue had existed in the wild," adding it was privately disclosed to the company on January 17, 2023. Other details about how the flaw is being exploited are currently not known, but vulnerabilities in Samsung phones have been weaponThe Hacker News
May 20, 2023 – Malware
Golang Variant of Cobalt Strike ‘Geacon’ Targets macOS Full Text
Abstract
There is a growing trend in utilizing Geacon (a Golang implementation of the Cobalt Strike beacon), to target macOS devices, revealed SentinelOne. The package appeared specifically crafted to first verify its execution on a macOS system and subsequently retrieve an unsigned 'Geacon Plus' payload fr ... Read MoreCyware
May 20, 2023 – Vulnerabilities
Pimcore Platform Flaws Exposed Users to Code Execution Full Text
Abstract
Security researchers are warning that vulnerabilities patched in the open-source Pimcore platform could have led to the execution of arbitrary code when clicking on a link.Cyware
May 20, 2023 – Cryptocurrency
Minas — a multi-stage cryptocurrency miner infection Full Text
Abstract
In June 2022, Kaspersky researchers found a suspicious shellcode running in the memory of a system process. Based on their reconstruction of the infection chain, they determined that it originated from running an encoded PowerShell script as a task.Cyware
May 19, 2023 – Attack
February cyber incident will cost molten metal flow engineering firm Vesuvius £3.5 million Full Text
Abstract
Vesuvius, a leader in molten metal flow engineering and technology, revealed that the February cyber incident will cost it £3.5 million. Vesuvius is a global leader in molten metal flow engineering and technology; it employs more than 10,000 people...Security Affairs
May 19, 2023 – Malware
NPM packages found containing the TurkoRat infostealer Full Text
Abstract
Experts discovered two malicious packages in the npm package repository, both laced with an open-source info-stealer called TurkoRat. ReversingLabs discovered two malicious packages, respectively named nodejs-encrypt-agent and nodejs-cookie-proxy-agent,...Security Affairs
May 19, 2023 – Privacy
Privacy Sandbox Initiative: Google to Phase Out Third-Party Cookies Starting 2024 Full Text
Abstract
Google has announced plans to officially flip the switch on its twice-delayed Privacy Sandbox initiatives as it slowly works its way to deprecate support for third-party cookies in Chrome browser. To that end, the search and advertising giant said it intends to phase out third-party cookies for 1% of Chrome users globally in the first quarter of 2024. "This will support developers in conducting real world experiments that assess the readiness and effectiveness of their products without third-party cookies," Anthony Chavez, vice president of Privacy Sandbox at Google, said. Prior to rolling this out, Google said it would introduce the ability for third-party developers to simulate the process for a configurable subset of their users (up to 10%) in Q4 2023. Google further emphasized that the plans have been designed and developed with regulatory oversight and input from the U.K.'s Competition and Markets Authority (CMA), which is overseeing the implementation toThe Hacker News
May 19, 2023 – Criminals
Lemon Group gang pre-infected 9 million Android devices for fraudulent activities Full Text
Abstract
The Lemon Group cybercrime ring has reportedly pre-installed malware known as Guerilla on almost 9 million Android devices. A cybercrime group tracked as Lemon Group has reportedly pre-installed malware known as Guerilla on almost 9 million...Security Affairs
May 19, 2023 – Vulnerabilities
Dr. Active Directory vs. Mr. Exposed Attack Surface: Who’ll Win This Fight? Full Text
Abstract
Active Directory (AD) is among the oldest pieces of software still used in the production environment and can be found in most organizations today. This is despite the fact that its historical security gaps have never been amended. For example, because of its inability to apply any security measures beyond checking for a password and username match, AD (as well as the resources it manages) is dangerously exposed to the use of compromised credentials. Furthermore, this exposure is not confined to the on-prem environment. The common practice of syncing passwords between AD and the cloud identity provider means any AD breach is a potential risk to the SaaS environment as well. In this article, we'll explore AD's inherent security weaknesses and examine their scope and potential impact. We'll then learn how Silverfort's Unified Identity Protection platform can address these weaknesses at their root and provide organizations using AD with the resiliency they need to thwart identity threaThe Hacker News
May 19, 2023 – Malware
Developer Alert: NPM Packages for Node.js Hiding Dangerous TurkoRat Malware Full Text
Abstract
Two malicious packages discovered in the npm package repository have been found to conceal an open source information stealer malware called TurkoRat. The packages – named nodejs-encrypt-agent and nodejs-cookie-proxy-agent – were collectively downloaded approximately 1,200 times and were available for more than two months before they were identified and taken down. ReversingLabs, which broke down the details of the campaign, described TurkoRat as an information stealer capable of harvesting sensitive information such as login credentials, website cookies, and data from cryptocurrency wallets. While nodejs-encrypt-agent came fitted with the malware inside, nodejs-cookie-proxy-agent was found to disguise the trojan as a dependency under the name axios-proxy. nodejs-encrypt-agent was also engineered to masquerade as another legitimate npm module known as agent-base, which has been downloaded over 25 million times to date. The list of the rogue packages and their associated versThe Hacker News
May 19, 2023 – Attack
Dole incurs $10.5M in direct costs from February ransomware attack Full Text
Abstract
About $4.8 million of those costs were related to continuing operations. The attack had a limited overall impact on its operations, with the main disruption occurring in its fresh vegetables and Chilean business.Cyware
May 19, 2023 – General
Searching for AI Tools? Watch Out for Rogue Sites Distributing RedLine Malware Full Text
Abstract
Malicious Google Search ads for generative AI services like OpenAI ChatGPT and Midjourney are being used to direct users to sketchy websites as part of a BATLOADER campaign designed to deliver RedLine Stealer malware. "Both AI services are extremely popular but lack first-party standalone apps (i.e., users interface with ChatGPT via their web interface while Midjourney uses Discord)," eSentire said in an analysis. "This vacuum has been exploited by threat actors looking to drive AI app-seekers to imposter web pages promoting fake apps." BATLOADER is a loader malware that's propagated via drive-by downloads where users searching for certain keywords on search engines are displayed bogus ads that, when clicked, redirect them to rogue landing pages hosting malware. The installer file, per eSentire, is rigged with an executable file (ChatGPT.exe or midjourney.exe) and a PowerShell script (Chat.ps1 or Chat-Ready.ps1) that downloads and loads RedLine StealerThe Hacker News
May 19, 2023 – Breach
Update: Food distributor Sysco says cyberattack potentially leaked 125,000 Social Security numbers Full Text
Abstract
A cyberattack on Sysco, one of the world’s largest food distributors, gave hackers access to the sensitive personal information of more than 125,000 current and former employees.Cyware
May 19, 2023 – Vulnerabilities
WebKit Under Attack: Apple Issues Emergency Patches for 3 New Zero-Day Vulnerabilities Full Text
Abstract
Apple on Thursday rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and the Safari web browser to address dozens of flaws, including three new zero-days that it said are being actively exploited in the wild. The three security shortcomings are listed below - CVE-2023-32409 - A WebKit flaw that could be exploited by a malicious actor to break out of the Web Content sandbox. It was addressed with improved bounds checks. CVE-2023-28204 - An out-of-bounds read issue in WebKit that could be abused to disclose sensitive information when processing web content. It was addressed with improved input validation. CVE-2023-32373 - A use-after-free bug in WebKit that could lead to arbitrary code execution when processing maliciously crafted web content. It was addressed with improved memory management. The iPhone maker credited Clément Lecigne of Google's Threat Analysis Group (TAG) and Donncha Ó Cearbhaill of Amnesty International's Security Lab for reporting CThe Hacker News
May 19, 2023 – Malware
Researchers Identify Second Developer of ‘Golden Chickens’ Malware Full Text
Abstract
Offered under a malware-as-a-service (MaaS) model since 2018, Golden Chickens has been used by the Russia-based Cobalt Group and FIN6 cybercrime rings to target organizations in various industries, causing financial losses of more than $1.4 billion.Cyware
May 18, 2023 – Malware
Qualys Discovers New Sotdas Malware Variant Full Text
Abstract
The latest iteration of the Sotdas malware has emerged, showcasing a variety of innovative features and advanced techniques for evading detection. This malware family is written in C++. After achieving persistence and collecting system information, Sotdas leverages this data for optimizing resource ... Read MoreCyware
May 18, 2023 – Criminals
This Cybercrime Syndicate Pre-Infected Over 8.9 Million Android Phones Worldwide Full Text
Abstract
A cybercrime enterprise known as Lemon Group is leveraging millions of pre-infected Android smartphones worldwide to carry out their malicious operations, posing significant supply chain risks. "The infection turns these devices into mobile proxies, tools for stealing and selling SMS messages, social media and online messaging accounts and monetization via advertisements and click fraud," cybersecurity firm Trend Micro said. The activity encompasses no fewer than 8.9 million compromised Android devices, particularly budget phones, with a majority of the infections discovered in the U.S., Mexico, Indonesia, Thailand, Russia, South Africa, India, Angola, the Philippines, and Argentina. The findings were presented by researchers Fyodor Yarochkin, Zhengyu Dong, Vladimir Kropotov, and Paul Pajares at the Black Hat Asia conference held in Singapore last week. Describing it as a continuously evolving problem, the cybersecurity firm said the threat actors are branching oThe Hacker News
May 18, 2023 – Vulnerabilities
Apple fixed three new actively exploited zero-day vulnerabilities Full Text
Abstract
Apple released security updates to address three zero-day vulnerabilities in iPhones, Macs, and iPads that are actively exploited in attacks. Apple has addressed three new zero-day vulnerabilities that are actively exploited in attacks in the wild...Security Affairs
May 18, 2023 – Outage
Patients angered after Oklahoma allergy clinic blames cyberattack for shutdown Full Text
Abstract
The Oklahoma Institute of Allergy Asthma and Immunology posted a notice on its doors this month saying it will be closing "effective immediately due to a cybersecurity event.” Clinics in the towns of Norman and Yukon were both closed.Cyware
May 18, 2023 – Education
Zero Trust + Deception: Join This Webinar to Learn How to Outsmart Attackers! Full Text
Abstract
Cybersecurity is constantly evolving, but complexity can give hostile actors an advantage. To stay ahead of current and future attacks, it's essential to simplify and reframe your defenses. Zscaler Deception is a state-of-the-art next-generation deception technology seamlessly integrated with the Zscaler Zero Trust Exchange. It creates a hostile environment for attackers and enables you to track the entire attack sequence. We're hosting a session where we'll demonstrate how you can set up Zscaler Deception to detect advanced attacks, investigate threats, and contain them. Join us to learn about the latest advances and best practices directly from our technical product experts. Don't let lateral threats compromise your environment. Why attend? Learn how Zscaler Deception can help you generate private threat intelligence, detect compromised users, stop lateral movement, and secure Active Directory. Discover automated deception campaigns that can be launched withinThe Hacker News
May 18, 2023 – Vulnerabilities
KeePass 2.X Master Password Dumper allows retrieving the KeePass master password Full Text
Abstract
A researcher published a PoC tool to retrieve the master password from KeePass by exploiting the CVE-2023-32784 vulnerability. Security researcher Vdohney released a PoC tool called KeePass 2.X Master Password Dumper that allows retrieving the master...Security Affairs
May 18, 2023 – Phishing
Leveraging Dropbox to Soar Into Inbox Full Text
Abstract
The new way that hackers originate BEC 3.0 attacks is through legitimate services. In this attack, hackers create free Dropbox accounts and leverage their domain legitimacy to create pages with phishing embedded within them.Cyware
May 18, 2023 – Education
How to Reduce Exposure on the Manufacturing Attack Surface Full Text
Abstract
Digitalization initiatives are connecting once-isolated Operational Technology (OT) environments with their Information Technology (IT) counterparts. This digital transformation of the factory floor has accelerated the connection of machinery to digital systems and data. Computer systems for managing and monitoring digital systems and data have been added to the hardware and software used for managing and monitoring industrial devices and machines, connecting OT to IT. Such connectivity enhances productivity, reduces operational costs and speeds up processes. However, this convergence has also increased organizations' security risk, making manufacturers more susceptible to attacks. In fact, in 2022 alone, there were 2,337 security breaches of manufacturing systems, 338 with confirmed data disclosure (Verizon, 2022 DBIR Report). Ransomware: A Growing Threat for Manufacturers The nature of attacks has also changed. In the past, attackers may have been espionage-driven, targetingThe Hacker News
May 18, 2023 – Policy and Law
Admin of the darknet carding platform Skynet Market pleads guilty Full Text
Abstract
A US national has pleaded guilty to operating the carding site Skynet Market and selling financial information belonging to tens of thousands of US victims. The U.S. national Michael D. Mihalo, aka Dale Michael Mihalo Jr. and ggmccloud1, pleaded guilty...Security Affairs
May 18, 2023 – Hacker
Russian Hackers Target Ukrainians’ Personal Data, Says Kyiv Full Text
Abstract
Ukraine's top cybersecurity agency says Russian hackers took a sudden interest in obtaining personal data and mounted successful attacks against more than one-third of the country's largest insurers.Cyware
May 18, 2023 – Attack
Escalating China-Taiwan Tensions Fuel Alarming Surge in Cyber Attacks Full Text
Abstract
The rising geopolitical tensions between China and Taiwan in recent months have sparked a noticeable uptick in cyber attacks on the East Asian island country. "From malicious emails and URLs to malware, the strain between China's claim of Taiwan as part of its territory and Taiwan's maintained independence has evolved into a worrying surge in attacks," the Trellix Advanced Research Center said in a new report. The attacks, which have targeted a variety of sectors in the region, are mainly designed to deliver malware and steal sensitive information, the cybersecurity firm said, adding it detected a four-fold jump in the volume of malicious emails between April 7 and April 10, 2023. Some of the most impacted industry verticals during the four-day time period were networking, manufacturing, and logistics. What's more, the spike in malicious emails targeting Taiwan has been followed by a 15x increase in PlugX detections between April 10 and April 12, 2023,The Hacker News
May 18, 2023 – Vulnerabilities
Cisco fixed critical flaws in Cisco Small Business Switches Full Text
Abstract
Cisco fixed nine flaws in its Small Business Series Switches that could be exploited to execute arbitrary code or cause a DoS condition. Cisco has released security updates to address nine security vulnerabilities in the web-based user interface of certain...Security Affairs
May 18, 2023 – Malware
Millions of Smartphones Distributed Worldwide With Preinstalled ‘Guerrilla’ Malware Full Text
Abstract
Since 2021, Trend Micro has been tracking a different operation that appears to be linked to Triada. The group behind the campaign is tracked by the cybersecurity firm as Lemon Group and the malware preloaded on devices is called Guerrilla.Cyware
May 18, 2023 – Criminals
8220 Gang Exploiting Oracle WebLogic Flaw to Hijack Servers and Mine Cryptocurrency Full Text
Abstract
The notorious cryptojacking group tracked as 8220 Gang has been spotted weaponizing a six-year-old security flaw in Oracle WebLogic servers to ensnare vulnerable instances into a botnet and distribute cryptocurrency mining malware. The flaw in question is CVE-2017-3506 (CVSS score: 7.4), which, when successfully exploited, could allow an unauthenticated attacker to execute arbitrary commands remotely. "This allows attackers to gain unauthorized access to sensitive data or compromise the entire system," Trend Micro researcher Sunil Bharti said in a report published this week. 8220 Gang, first documented by Cisco Talos in late 2018, is so named for its original use of port 8220 for command-and-control (C2) network communications. "8220 Gang identifies targets via scanning for misconfigured or vulnerable hosts on the public internet," SentinelOne noted last year. "8220 Gang is known to make use of SSH brute force attacks post-infection for the purpThe Hacker News
May 18, 2023 – Government
Ukraine, Ireland, Japan and Iceland join NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) Full Text
Abstract
The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) announced that Ukraine, Ireland, Japan and Iceland joined the organization. The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) is a multinational organization established...Security Affairs
May 18, 2023 – Criminals
Royal Ransomware Group Builds Its Own Malware Loader Full Text
Abstract
The Royal ransomware group, which spun off from Conti in early 2022, is refining its downloader using tactics and techniques that appear to draw directly from other post-Conti groups, says Yelisey Bohuslavskiy, chief research officer at Red Sense.Cyware
May 18, 2023 – Policy and Law
Darknet Carding Kingpin Pleads Guilty: Sold Financial Info of Tens of Thousands Full Text
Abstract
A U.S. national has pleaded guilty in a Missouri court to operating a darknet carding site and selling financial information belonging to tens of thousands of victims in the country. Michael D. Mihalo, aka Dale Michael Mihalo Jr. and ggmccloud1, has been accused of setting up a carding site called Skynet Market that specialized in the trafficking of credit and debit card data. Mihalo and his associates also peddled their warez on other dark web marketplaces such as AlphaBay Market, Wall Street Market, and Hansa Market between February 22, 2016, and October 1, 2019. "Mihalo assembled and directed the team that helped him sell this stolen financial information on the darknet," the U.S. Department of Justice (DoJ) said in a press statement released on May 16, 2023. "Mihalo personally possessed, sent, and received the information associated with 49,084 stolen payment cards with the intent that the payment card information would be trafficked on darknet sites, all iThe Hacker News
May 18, 2023 – Policy and Law
Lawmakers advance cyber bills aimed at open-source, satellite vulnerabilities Full Text
Abstract
The House Homeland Security Committee on Wednesday easily advanced legislation to ensure the federal government and critical infrastructure can tap open-source software securely.Cyware
May 18, 2023 – General
Apple Thwarts $2 Billion in App Store Fraud, Rejects 1.7 Million App Submissions Full Text
Abstract
Apple has announced that it prevented over $2 billion in potentially fraudulent transactions and rejected roughly 1.7 million app submissions for privacy and security violations in 2022. The computing giant said it terminated 428,000 developer accounts for potential fraudulent activity, blocked 105,000 fake developer account creations, and deactivated 282 million bogus customer accounts. It further noted that it thwarted 198 million attempted fraudulent new accounts prior to their creation. In contrast, Apple is estimated to have booted out 802,000 developer accounts in 2021. The company attributed the decline to new App Store "methods and protocols" that prevent the creation of such accounts in the first place. "In 2022, Apple protected users from nearly 57,000 untrustworthy apps from illegitimate storefronts," the company emphasized. "These unauthorized marketplaces distribute harmful software that can imitate popular apps or alter them without the consThe Hacker News
May 18, 2023 – Attack
China-Taiwan Tensions Spark Surge in Cyberattacks on Taiwan Full Text
Abstract
Trellix has observed a surge in malicious emails targeted toward Taiwan, starting April 7 and continuing until April 10. The number of malicious emails during this time increased to over four times the usual amount.Cyware
May 18, 2023 – Vulnerabilities
Critical Flaws in Cisco Small Business Switches Could Allow Remote Attacks Full Text
Abstract
Cisco has released updates to address a set of nine security flaws in its Small Business Series Switches that could be exploited by an unauthenticated, remote attacker to run arbitrary code or cause a denial-of-service (DoS) condition. "These vulnerabilities are due to improper validation of requests that are sent to the web interface," Cisco said, crediting an unnamed external researcher for reporting the issues. Four of the nine vulnerabilities are rated 9.8 out of 10 on the CVSS scoring system, making them critical in nature. The nine flaws affect the following product lines - 250 Series Smart Switches (Fixed in firmware version 2.5.9.16) 350 Series Managed Switches (Fixed in firmware version 2.5.9.16) 350X Series Stackable Managed Switches (Fixed in firmware version 2.5.9.16) 550X Series Stackable Managed Switches (Fixed in firmware version 2.5.9.16) Business 250 Series Smart Switches (Fixed in firmware version 3.3.0.16) Business 350 Series Managed Switches (FThe Hacker News
May 17, 2023 – Ransomware
MalasLocker ransomware targets Zimbra servers, demands charity donation Full Text
Abstract
A new ransomware operation is hacking Zimbra servers to steal emails and encrypt files. However, instead of demanding a ransom payment, the threat actors claim to require a donation to charity to provide a decryptor and prevent data leaking.BleepingComputer
May 17, 2023 – Hacker
ESXi Servers Face New Threats From MichaelKors RaaS Affiliates Full Text
Abstract
Group-IB infiltrated the infrastructure of MichaelKors RaaS to divulge never-before-heard secrets of its affiliate nexus, which would often target critical sector entities. For instance, affiliates take back 80-85% of the ransomware payments. The common attack tactics used by MichaelKors include ph ... Read MoreCyware
May 17, 2023 – Criminals
Monitoring the dark web to identify threats to energy sector organizations Full Text
Abstract
Searchlight Cyber researchers warn of threat actors that are offering on the dark web access to energy sector organizations. Dark web intelligence firm Searchlight Cyber published a report that analyzes how threat actors in the dark web prepare their...Security Affairs
May 17, 2023 – Vulnerabilities
Cisco warns of critical switch bugs with public exploit code Full Text
Abstract
Cisco warned customers today of four critical remote code execution vulnerabilities with public exploit code affecting multiple Small Business Series Switches.BleepingComputer
May 17, 2023 – APT
Lancefly APT Group Uses ‘Merdoor’ In Espionage Campaign Full Text
Abstract
The Lancefly APT group is targeting government, aviation, education, and telecom sectors in South and Southeast Asia using a powerful backdoor called Merdoor for intelligence gathering. The exact initial intrusion vector is not clear at present, though attackers are believed to have used SSH brute- ... Read MoreCyware
May 17, 2023 – Hacker
OilAlpha: Emerging Houthi-linked Cyber Threat Targets Arabian Android Users Full Text
Abstract
A hacking group dubbed OilAlpha with suspected ties to Yemen's Houthi movement has been linked to a cyber espionage campaign targeting development, humanitarian, media, and non-governmental organizations in the Arabian peninsula. "OilAlpha used encrypted chat messengers like WhatsApp to launch social engineering attacks against its targets," cybersecurity company Recorded Future said in a technical report published Tuesday. "It has also used URL link shorteners. Per victimology assessment, it appears a majority of the targeted entities were Arabic-language speakers and operated Android devices." OilAlpha is the new cryptonym given by Recorded Future to two overlapping clusters previously tracked by the company under the names TAG-41 and TAG-62 since April 2022. TAG-XX (short for Threat Activity Group) is the temporary moniker assigned to emerging threat groups. The assessment that the adversary is acting in the interest of the Houthi movement is baseThe Hacker News
May 17, 2023 – Government
US Gov offers a $10M reward for a Russian ransomware actor Full Text
Abstract
The US government is offering a $10M reward for Russian national Mikhail Pavlovich Matveev (30), charged for his role in ransomware attacks. The US Justice Department charged Russian national Mikhail Pavlovich Matveev (30), aka Wazawaka, m1x, Boriselcin,...Security Affairs
May 17, 2023 – Vulnerabilities
Microsoft pulls Defender update fixing Windows LSA Protection bug Full Text
Abstract
Microsoft has pulled a recent Microsoft Defender update that was supposed to fix a known issue triggering persistent restart alerts and Windows Security warnings that Local Security Authority (LSA) Protection is off.BleepingComputer
May 17, 2023 – Government
Justice and Commerce Department ‘strike force’ target theft of quantum, autonomous technologies Full Text
Abstract
The newly formed Justice and Commerce Department’s joint Disruptive Technology Strike Force announced five coordinated enforcement actions taking aim at individuals seeking to help China, Russia and Iran gain access to sensitive U.S. technologies.Cyware
May 17, 2023 – Solution
Identifying a Patch Management Solution: Overview of Key Criteria Full Text
Abstract
Software is rarely a one-and-done proposition. In fact, any application available today will likely need to be updated – or patched – to fix bugs, address vulnerabilities, and update key features at multiple points in the future. With the typical enterprise relying on a multitude of applications, servers, and end-point devices in their day-to-day operations, the acquisition of a robust patch management platform to identify, test, deploy, install, and document all appropriate patches is critical for ensuring systems remain stable and secure. As with most tech tools, not all patch management solutions are created equal, and what's seen as robust by one organization may prove inadequate for another. However, an evaluation that begins with a focus on specific key criteria – essential attributes and functionality likely to be offered by many vendors but not all – will allow IT teams to narrow down their options as they work to identify the best solution for their organizationThe Hacker News
May 17, 2023 – Vulnerabilities
Multiple flaws in Teltonika industrial cellular router expose OT networks to hack Full Text
Abstract
Experts found multiple vulnerabilities in Teltonika industrial cellular routers that could expose OT networks to cyber attacks. A joint analysis conducted by industrial cybersecurity firms Claroty and Otorio discovered multiple flaws in Teltonika...Security Affairs
May 17, 2023 – Malware
Malicious Microsoft VSCode extensions steal passwords, open remote shells Full Text
Abstract
Cybercriminals are starting to target Microsoft's VSCode Marketplace, uploading three malicious Visual Studio extensions that Windows developers downloaded 46,600 times.BleepingComputer
May 17, 2023 – Vulnerabilities
Chrome 113 Security Update Patches Critical Vulnerability Full Text
Abstract
Google this week announced the release of a Chrome 113 security update that resolves a total of 12 vulnerabilities, including one rated ‘critical’. Six of the flaws were reported by external researchers.Cyware
May 17, 2023 – Hacker
Threat Group UNC3944 Abusing Azure Serial Console for Total VM Takeover Full Text
Abstract
A financially motivated cyber actor has been observed abusing Microsoft Azure Serial Console on virtual machines (VMs) to install third-party remote management tools within compromised environments. Google-owned Mandiant attributed the activity to a threat group it tracks under the name UNC3944, which is also known as Roasted 0ktapus and Scattered Spider. "This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM," the threat intelligence firm said. The emerging adversary, which first came to light late last year, is known to leverage SIM swapping attacks to breach telecommunications and business process outsourcing (BPO) companies since at least May 2022. Subsequently, Mandiant also found UNC3944 utilizing a loader named STONESTOP to install a malicious signed driver dubbed POORTRY that's designed to terminate processes associatedThe Hacker News
May 17, 2023 – Breach
University admission platform Leverage EDU exposed student passports Full Text
Abstract
The popular university admission platform Leverage EDU leaked almost 240,000 sensitive files, including students’ passports, financial documents, certificates, and exam results. The Cybernews research team discovered that Leverage EDU leaked extremely...Security Affairs
May 17, 2023 – Outage
ScanSource says ransomware attack behind multi-day outages Full Text
Abstract
Technology provider ScanSource has announced it has fallen victim to a ransomware attack impacting some of its systems, business operations, and customer portals.BleepingComputer
May 17, 2023 – Policy and Law
Skynet Carder Market Founder Pleads Guilty Full Text
Abstract
An Illinois man pleaded guilty Monday to eight criminal counts stemming from the three years he spent leading a conspiracy to sell stolen financial information on darknet markets.Cyware
May 17, 2023 – Vulnerabilities
Serious Unpatched Vulnerability Uncovered in Popular Belkin Wemo Smart Plugs Full Text
Abstract
The second generation version of Belkin's Wemo Mini Smart Plug has been found to contain a buffer overflow vulnerability that could be weaponized by a threat actor to inject arbitrary commands remotely. The issue, assigned the identifier CVE-2023-27217, was discovered and reported to Belkin on January 9, 2023, by Israeli IoT security company Sternum, which reverse-engineered the device and gained firmware access. Wemo Mini Smart Plug V2 (F7C063) offers convenient remote control, allowing users to turn electronic devices on or off using a companion app installed on a smartphone or tablet. The heart of the problem lies in a feature that makes it possible to rename the smart plug to a more "FriendlyName." The default name assigned is "Wemo mini 6E9." "The name length is limited to 30 characters or less, but this rule is only enforced by the app itself," security researchers Amit Serper and Reuven Yakar said in a report shared with The Hac...The Hacker News
May 17, 2023 – Government
FBI confirms BianLian ransomware switch to extortion only attacks Full Text
Abstract
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) have published a joint advisory to inform organizations of the latest tactics, techniques, and procedures (TTPs) and known indicators of compromise (IOCs) of the BianLian ransomware group.BleepingComputer
May 17, 2023 – Government
Transportation Needs to Improve Cyber Policy Implementation, Watchdog Finds Full Text
Abstract
The Department of Transportation should better implement its policies for established cyber roles, including improving training and role expectations, according to a recent GAO report.Cyware
May 17, 2023 – Hacker
State-Sponsored Sidewinder Hacker Group’s Covert Attack Infrastructure Uncovered Full Text
Abstract
Cybersecurity researchers have unearthed previously undocumented attack infrastructure used by the prolific state-sponsored group SideWinder to strike entities located in Pakistan and China. This comprises a network of 55 domains and IP addresses used by the threat actor, cybersecurity companies Group-IB and Bridewell said in a joint report shared with The Hacker News. "The identified phishing domains mimic various organizations in the news, government, telecommunications, and financial sectors," researchers Nikita Rostovtsev, Joshua Penny, and Yashraj Solanki said. SideWinder has been known to be active since at least 2012, with attack chains primarily leveraging spear-phishing as an intrusion mechanism to obtain a foothold into targeted environments. The target range of the group is widely believed to be associated with Indian espionage interests. The most frequently attacked nations include Pakistan, China, Sri Lanka, Afghanistan, Bangladesh, Myanmar, the Philippi...The Hacker News
May 17, 2023 – Attack
Franklin County Public Schools Hit by Ransomware Attack Full Text
Abstract
According to a statement from schools Superintendent Bernice Cobbs, the decision was made to cancel classes Monday in the interest of on-campus security as the impact of the cyberattack was being reviewed.Cyware
May 17, 2023 – Government
U.S. Offers $10 Million Bounty for Capture of Notorious Russian Ransomware Operator Full Text
Abstract
A Russian national has been charged and indicted by the U.S. Department of Justice (DoJ) for launching ransomware attacks against "thousands of victims" in the country and across the world. Mikhail Pavlovich Matveev (aka Wazawaka, m1x, Boriselcin, and Uhodiransomwar), the 30-year-old individual in question, is alleged to be a "central figure" in the development and deployment of LockBit, Babuk, and Hive ransomware variants since at least June 2020. "These victims include law enforcement and other government agencies, hospitals, and schools," DoJ said. "Total ransom demands allegedly made by the members of these three global ransomware campaigns to their victims amount to as much as $400 million, while total victim ransom payments amount to as much as $200 million." LockBit, Babuk, and Hive operate alike, leveraging unlawfully obtained access to exfiltrate valuable data and deploy ransomware on compromised networks. The threat actor...The Hacker News
May 17, 2023 – Business
IBM snags Polar Security to boost cloud data practice Full Text
Abstract
In an effort to grow its hybrid cloud and artificial intelligence capabilities, IBM announced on Tuesday that it was acquiring Polar Security, an Israel-based company specializing in data security posture management.Cyware
May 16, 2023 – Hacker
Hackers use Azure Serial Console for stealthy access to VMs Full Text
Abstract
A financially motivated cybergang tracked by Mandiant as 'UNC3944' is using phishing and SIM swapping attacks to hijack Microsoft Azure admin accounts and gain access to virtual machines.BleepingComputer
May 16, 2023 – Vulnerabilities
New ZIP domains spark debate among cybersecurity experts Full Text
Abstract
Cybersecurity researchers and IT admins have raised concerns over Google's new ZIP and MOV Internet domains, warning that threat actors could use them for phishing attacks and malware delivery.BleepingComputer
May 16, 2023 – Hacker
Hackers infect TP-Link router firmware to attack EU entities Full Text
Abstract
A Chinese state-sponsored hacking group named "Camaro Dragon" infects residential TP-Link routers with a custom "Horse Shell" malware used to attack European foreign affairs organizations.BleepingComputer
May 16, 2023 – Policy and Law
Russian ransomware affiliate charged with attacks on critical infrastructure Full Text
Abstract
The U.S. Justice Department has filed charges against a Russian citizen named Mikhail Pavlovich Matveev (also known as Wazawaka or Boriselcin) for involvement in three ransomware operations that targeted victims across the United States.BleepingComputer
May 16, 2023 – General
Ransomware Prevention – Are Meeting Password Security Requirements Enough Full Text
Abstract
As ransomware attacks continue to wreak havoc on organizations worldwide, many official standards and regulations have been established to address this pressing issue. Explore whether these regulated standards are sufficient or if organizations should strive for more robust security measures.BleepingComputer
May 16, 2023 – Vulnerabilities
Parental control app with 5 million downloads vulnerable to attacks Full Text
Abstract
Kiddowares 'Parental Control - Kids Place' app for Android is impacted by multiple vulnerabilities that could enable attackers to upload arbitrary files on protected devices, steal user credentials, and allow children to bypass restrictions without the parents noticing.BleepingComputer
May 16, 2023 – Malware
Open-source Cobalt Strike port ‘Geacon’ used in macOS attacks Full Text
Abstract
Geacon, a Go-based implementation of the beacon from the widely abused penetration testing suite Cobalt Strike, is being used more and more to target macOS devices.BleepingComputer
May 16, 2023 – Hacker
Pro-Houthi hacking group linked to spyware operation on Arabian Peninsula Full Text
Abstract
From April to May 2022, as Saudi Arabia hosted negotiations between Yemeni leaders involved in the nearly decade-long civil war, OilAlpha sent malicious Android files through WhatsApp to political representatives and journalists, researchers noted.Cyware
May 16, 2023 – Hacker
China’s Mustang Panda Hackers Exploit TP-Link Routers for Persistent Attacks Full Text
Abstract
The Chinese nation-state actor known as Mustang Panda has been linked to a new set of sophisticated and targeted attacks aimed at European foreign affairs entities since January 2023. An analysis of these intrusions, per Check Point researchers Itay Cohen and Radoslaw Madej, has revealed a custom firmware implant designed explicitly for TP-Link routers. "The implant features several malicious components, including a custom backdoor named 'Horse Shell' that enables the attackers to maintain persistent access, build anonymous infrastructure, and enable lateral movement into compromised networks," the company said. "Due to its firmware-agnostic design, the implant's components can be integrated into various firmware by different vendors." The Israeli cybersecurity firm is tracking the threat group under the name Camaro Dragon, which is also known as BASIN, Bronze President, Earth Preta, HoneyMyte, RedDelta, and Red Lich. The exact method used...The Hacker News
May 16, 2023 – Outage
Lacroix Group shut down three facilities after a ‘targeted cyberattack’ Full Text
Abstract
French electronics manufacturer Lacroix Group shut down three plants after a cyber attack, experts believe it was the victim of a ransomware attack. The French electronics manufacturer Lacroix Group shut down three facilities in France, Germany, and Tunisia...Security Affairs
May 16, 2023
8220 Gang Evolves With New Strategies Full Text
Abstract
Trend Micro researchers observed a recent attack from the 8220 Gang exploiting the Oracle WebLogic vulnerability CVE-2017-3506 (CVSS score of 7.4) captured by one of their honeypots.Cyware
May 16, 2023 – Ransomware
Inside Qilin Ransomware: Affiliates Take Home 85% of Ransom Payouts Full Text
Abstract
Ransomware affiliates associated with the Qilin ransomware-as-a-service (RaaS) scheme earn anywhere between 80% to 85% of each ransom payment, according to new findings from Group-IB. The cybersecurity firm said it was able to infiltrate the group in March 2023, uncovering details about the affiliates' payment structure and the inner workings of the RaaS program following a private conversation with a Qilin recruiter who goes by the online alias Haise. "Many Qilin ransomware attacks are customized for each victim to maximize their impact," the Singapore-headquartered company said in an exhaustive report. "To do this, the threat actors can leverage such tactics as changing the filename extensions of encrypted files and terminating specific processes and services." Qilin, also known as Agenda, was first documented by Trend Micro in August 2022, starting off as a Go-based ransomware before switching to Rust in December 2022. The adoption of Rust is also...The Hacker News
May 16, 2023 – APT
China-linked APT Mustang Panda targets TP-Link routers with a custom firmware implant Full Text
Abstract
China-linked APT group Mustang Panda employed a custom firmware implant targeting TP-Link routers in targeted attacks since January 2023. Since January 2023, Check Point Research monitored a series of targeted attacks aimed at European foreign...Security Affairs
May 16, 2023 – Business
Huntress Closes $60M Series C for MDR Expansion Full Text
Abstract
The $60 million Series C was led by Sapphire Ventures and brings the total raised by Huntress to a whopping $118 million. Existing investors JMI Equity and Forgepoint Capital expanded their equity stake.Cyware
May 16, 2023 – Solution
Cyolo Product Overview: Secure Remote Access to All Environments Full Text
Abstract
Operational technology (OT) cybersecurity is a challenging but critical aspect of protecting organizations' essential systems and resources. Cybercriminals no longer break into systems, but instead log in – making access security more complex and also more important to manage and control than ever before. In an effort to solve the access-related challenges facing OT and critical infrastructure operators, the team at Cyolo built a zero-trust access platform designed to meet the unique safety, security, and uptime requirements of OT and industrial control systems (ICS) environments. Let's look under the hood: The Cyolo solution is a high-powered combination of Zero Trust Network Access (ZTNA), Identity Provider (IdP), and Privileged Access Management (PAM). What makes this approach stand out from the pack is that other ZTNA solutions do not offer IdP or PAM capabilities, while Identity and Access Management tools (IdPs and PAMs) do not extend connectivity. And unlike other pl...The Hacker News
May 16, 2023 – Government
President Zelensky imposes sanctions against the Russian IT sector Full Text
Abstract
Ukraine’s President Zelensky and the country’s Council of National Security introduced new sanctions against individuals and businesses. Ukraine’s President Volodymyr Zelensky and the country’s Council of National Security introduced new sanctions...Security Affairs
May 16, 2023 – Outage
Update: Dallas says it ‘will likely take weeks to get back to full functionality’ after ransomware attack Full Text
Abstract
For the last two weeks, the city has been engulfed in a massive recovery effort after the Royal ransomware gang caused significant damage to systems that manage the city’s police, fire department, courts, critical infrastructure, and more.Cyware
May 16, 2023 – Malware
CopperStealer Malware Crew Resurfaces with New Rootkit and Phishing Kit Modules Full Text
Abstract
The threat actors behind the CopperStealer malware resurfaced with two new campaigns in March and April 2023 that are designed to deliver two novel payloads dubbed CopperStealth and CopperPhish. Trend Micro is tracking the financially motivated group under the name Water Orthrus. The adversary is also assessed to be behind another campaign known as Scranos, which was detailed by Bitdefender in 2019. Active since at least 2021, Water Orthrus has a track record of leveraging pay-per-install (PPI) networks to redirect victims landing on cracked software download sites to drop an information stealer codenamed CopperStealer. Another campaign spotted in August 2022 entailed the use of CopperStealer to distribute Chromium-based web browser extensions that are capable of performing unauthorized transactions and transferring cryptocurrency from victims' wallets to ones under attackers' control. The latest attack sequences documented by Trend Micro don't mark mu...The Hacker News
May 16, 2023 – Government
CISA adds Ruckus bug and another six flaws to its Known Exploited Vulnerabilities catalog Full Text
Abstract
US Cybersecurity and Infrastructure Security Agency (CISA) added seven new flaws to its Known Exploited Vulnerabilities catalog. U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the following three new issues to its Known...Security Affairs
May 16, 2023 – APT
Water Orthrus APT Re-Emerges with Two New Malware Families Full Text
Abstract
The threat actor known as Water Orthrus was spotted with two new campaigns in March and April 2023 that intended to deliver CopperStealth and CopperPhish payloads. The new malware have been upgraded for different purposes, such as injecting network advertisements, acquiring personal informatio...Cyware
May 16, 2023 – Hacker
Hackers Using Golang Variant of Cobalt Strike to Target Apple macOS Systems Full Text
Abstract
A Golang implementation of Cobalt Strike called Geacon is likely to garner the attention of threat actors looking to target Apple macOS systems. That's according to findings from SentinelOne, which observed an increase in the number of Geacon payloads appearing on VirusTotal in recent months. "While some of these are likely red-team operations, others bear the characteristics of genuine malicious attacks," security researchers Phil Stokes and Dinesh Devadoss said in a report. Cobalt Strike is a well-known red teaming and adversary simulation tool developed by Fortra. Owing to its myriad capabilities, illegally cracked versions of the software have been abused by threat actors over the years. While post-exploitation activity associated with Cobalt Strike has primarily singled out Windows, such attacks against macOS are something of a rarity. In May 2022, software supply chain firm Sonatype disclosed details of a rogue Python package called "pymafka"...The Hacker News
May 16, 2023 – APT
Lancefly APT uses powerful Merdoor backdoor in attacks on Asian orgs Full Text
Abstract
The Lancefly APT group is using a custom powerful backdoor called Merdoor in attacks against organizations in South and Southeast Asia. Symantec researchers reported that the Lancefly APT group is using a custom-written backdoor in attacks targeting...Security Affairs
May 16, 2023 – General
Is human threat hunting a fool’s errand? Full Text
Abstract
As the rate of cyberattacks steadily increases, automated threat hunting processes are being integrated to help stem the tide by providing quicker security insights, more efficient operations, and human error reductions.Cyware
May 15, 2023 – Malware
BPFDoor Backdoor Gets Stealthier with New Variant Full Text
Abstract
Cybersecurity experts took the wraps off of a newer variant of BPFDoor (BPF stands for Berkeley Packet Filter), which is capable of maintaining persistent access to breached systems for extended periods. The new variant has remained entirely undetected by all the virus-detection engines on VirusTot...Cyware
May 15, 2023 – Vulnerabilities
Industrial Cellular Routers at Risk: 11 New Vulnerabilities Expose OT Networks Full Text
Abstract
Several security vulnerabilities have been disclosed in cloud management platforms associated with three industrial cellular router vendors that could expose operational technology (OT) networks to external attacks. The findings were presented by Israeli industrial cybersecurity firm OTORIO at the Black Hat Asia 2023 conference last week. The 11 vulnerabilities allow "remote code execution and full control over hundreds of thousands of devices and OT networks - in some cases, even those not actively configured to use the cloud." Specifically, the shortcomings reside in the cloud-based management solutions offered by Sierra Wireless, Teltonika Networks, and InHand Networks to remotely manage and operate devices. Successful exploitation of the vulnerabilities could pose severe risks to industrial environments, allowing adversaries to sidestep security layers as well as exfiltrate sensitive information and achieve code execution remotely on the internal networks. Even w...The Hacker News
May 15, 2023 – Breach
PharMerica data breach impacts more than 5.8 million individuals Full Text
Abstract
National pharmacy network PharMerica discloses a data breach that impacted more than 5.8 million individuals. National pharmacy network PharMerica disclosed a data breach that exposed the personal information of 5,815,591 individuals. The incident...Security Affairs
May 15, 2023 – Ransomware
Rise in Attacks Against ESXi: Babuk Source Code Inspires Nine Different Ransomware Strains Full Text
Abstract
SentinelLabs detected 10 ransomware families employing VMware ESXi lockers, derived from the leaked 2021 Babuk source code. These variants emerged between H2 2022 and H1 2023. The report also highlights similarities between Babuk's source code and the ESXi encrypters used by Conti and REvil, indica...Cyware
May 15, 2023 – Criminals
New Ransomware Gang RA Group Hits U.S. and South Korean Organizations Full Text
Abstract
A new ransomware group known as RA Group has become the latest threat actor to leverage the leaked Babuk ransomware source code to spawn its own locker variant. The cybercriminal gang, which is said to have been operating since at least April 22, 2023, is rapidly expanding its operations, according to cybersecurity firm Cisco Talos. "To date, the group has compromised three organizations in the U.S. and one in South Korea across several business verticals, including manufacturing, wealth management, insurance providers and pharmaceuticals," security researcher Chetan Raghuprasad said in a report shared with The Hacker News. RA Group is no different from other ransomware gangs in that it launches double extortion attacks and runs a data leak site to apply additional pressure on victims into paying ransoms. The Windows-based binary employs intermittent encryption to speed up the process and evade detection, not to mention delete volume shadow copies and contents of t...The Hacker News
May 15, 2023 – Criminals
New RA Group ransomware gang is the latest group using leaked Babuk source code Full Text
Abstract
A previously unknown ransomware group known as RA Group is targeting companies in U.S. and South Korea with leaked Babuk source code. Cisco Talos researchers recently discovered a new ransomware operation called RA Group that has been active since...Security Affairs
May 15, 2023 – Breach
Newly identified RA Group compromises companies in U.S. and South Korea with leaked Babuk source code Full Text
Abstract
The group is swiftly expanding its operations. To date, it has compromised three organizations in the U.S. and one in South Korea across several business verticals, including manufacturing, wealth management, insurance providers, and pharmaceuticals.Cyware
May 15, 2023 – General
Why High Tech Companies Struggle with SaaS Security Full Text
Abstract
It's easy to think high-tech companies have a security advantage over other older, more mature industries. Most are unburdened by 40 years of legacy systems and software. They draw some of the world's youngest, brightest digital natives to their ranks, all of whom have lived with cybersecurity issues their entire lives. Perhaps it is this very familiarity with technology that causes them to overlook SaaS security configurations. During the last Christmas holiday season, Slack had some private code stolen from its GitHub repository. According to Slack, the stolen code didn't impact production, and no customer data was taken. Still, the breach should serve as a warning sign to other tech companies. Stolen tokens allowed threat actors to access the GitHub instance and download the code. If this type of attack can happen to Slack on GitHub, it can happen to any high-tech company. Tech companies must take SaaS security seriously to prevent resources from leaking or being stolen. App Bre...The Hacker News
May 15, 2023 – Ransomware
Introducing the DRM-Report Q1 2023: Unveiling the Current State of Ransomware Full Text
Abstract
DRM Dashboard Ransomware Monitor released the first quarterly report for the year 2023 about the activities of ransomware groups globally. DRM Dashboard Ransomware Monitor, an independent platform of cybersecurity monitoring, is pleased to release...Security Affairs
May 15, 2023 – Breach
Illinois Data Breach Exposes Private Information of Medicaid, SNAP, and TANF Recipients Full Text
Abstract
The Illinois Department of Healthcare and Family Services (HFS) and Department of Human Services (IDHS) have disclosed a data breach within the State of Illinois Application for Benefits Eligibility (ABE) system’s Manage My Case (MMC) portal.Cyware
May 15, 2023 – Attack
Researchers Uncover Powerful Backdoor and Custom Implant in Year-Long Cyber Campaign Full Text
Abstract
Government, aviation, education, and telecom sectors located in South and Southeast Asia have come under the radar of a new hacking group as part of a highly-targeted campaign that commenced in mid-2022 and continued into the first quarter of 2023. Symantec, by Broadcom Software, is tracking the activity under its insect-themed moniker Lancefly, with the attacks making use of a "powerful" backdoor called Merdoor. Evidence gathered so far points to the custom implant being utilized as far back as 2018. The ultimate goal of the campaign, based on the tools and the victimology pattern, is assessed to be intelligence gathering. "The backdoor is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted," Symantec said in an analysis shared with The Hacker News. "The attackers in this campaign also have access to an updated version of the ZXShell rootkit." The Hacker News
May 15, 2023 – Policy and Law
Former Ubiquiti employee gets 6 years in jail for stealing confidential data and extorting company Full Text
Abstract
A former Ubiquiti employee has been sentenced to six years in jail for the theft of confidential data and extorting the company for ransom. Nickolas Sharp, a former Ubiquiti employee, was sentenced today to six years in prison. In December...Security Affairs
May 15, 2023 – General
Insured companies more likely to be ransomware victims, sometimes more than once Full Text
Abstract
Although threat actors may not be directly correlating the insurance factor to find targets, a reason for this may be that as insurers require more from companies those able to pay for insurance are also likely to be able to afford bigger ransoms.Cyware
May 15, 2023 – Ransomware
New ‘MichaelKors’ Ransomware-as-a-Service Targeting Linux and VMware ESXi Systems Full Text
Abstract
A new ransomware-as-a-service (RaaS) operation called MichaelKors has become the latest file-encrypting malware to target Linux and VMware ESXi systems as of April 2023. The development points to cybercriminal actors increasingly setting their eyes on the ESXi, cybersecurity firm CrowdStrike said in a report shared with The Hacker News. "This trend is especially noteworthy given the fact that ESXi, by design, does not support third-party agents or AV software," the company said. "In fact, VMware goes as far as to claim it's not required. This, combined with the popularity of ESXi as a widespread and popular virtualization and management system, makes the hypervisor a highly attractive target for modern adversaries." The targeting of VMware ESXi hypervisors with ransomware to scale such campaigns is a technique known as hypervisor jackpotting. Over the years, the approach has been adopted by several ransomware groups, including Royal. What's more,...The Hacker News
May 15, 2023 – Business
Former ByteDance executive alleges TikTok of wrongful conduct Full Text
Abstract
A former ByteDance executive revealed that the Chinese government has access to TikTok data, including data stored in the United. Yintao Yu, the head of engineering for ByteDance’s U.S. operations from August 2017 to November 2018, revealed that the Chinese...Security Affairs
May 15, 2023 – Breach
PharMerica Discloses Data Breach Impacting 5.8 Million Individuals Full Text
Abstract
PharMerica’s letter does not provide details on the type of cyberattack that it suffered, but it appears that the Money Message ransomware group is responsible for the incident, as the group has started leaking PII and PHI allegedly stolen from PharMerica.Cyware
May 15, 2023 – Ransomware
Russia-Affiliated CheckMate Ransomware Quietly Targets Popular File-Sharing Protocol Full Text
Abstract
After gaining access to SMB shares, threat actors behind CheckMate ransomware encrypt all files and leave a ransom note demanding payment in exchange for the decryption key.Cyware
May 15, 2023 – Malware
CLR SqlShell Malware Targets MS SQL Servers for Crypto Mining and Ransomware Full Text
Abstract
Poorly managed Microsoft SQL (MS SQL) servers are the target of a new campaign that's designed to propagate a category of malware called CLR SqlShell that ultimately facilitates the deployment of cryptocurrency miners and ransomware. "Similar to a web shell, which can be installed on web servers, SqlShell is a malware strain that supports various features after being installed on an MS SQL server, such as executing commands from threat actors and carrying out all sorts of malicious behavior," AhnLab Security Emergency response Center (ASEC) said in a report published last week. A stored procedure is a subroutine that contains a set of Structured Query Language (SQL) statements for use across multiple programs in a relational database management system (RDBMS). CLR (short for common language runtime) stored procedures – available in SQL Server 2005 and later – refer to stored procedures that are written in a .NET language such as C# or Visual Basic. The attack me...The Hacker News
May 15, 2023 – Insider Threat
Former Ubiquiti Employee Gets 6 Years in Jail for $2 Million Crypto Extortion Case Full Text
Abstract
A former employee of Ubiquiti has been sentenced to six years in jail after he pleaded guilty to posing as an anonymous hacker and a whistleblower in an attempt to extort almost $2 million worth of cryptocurrency while working at the company. Nickolas Sharp, 37, was arrested in December 2021 for using his insider access as a senior developer to steal confidential data and sending an anonymous email asking the network technology provider to pay 50 bitcoin (about $2 million at the time) in exchange for the siphoned information. Ubiquiti, however, didn't yield to the ransom attempt and instead looped in law enforcement, which eventually identified Sharp as the hacker after tracing a VPN connection to a Surfshark account purchased with his PayPal account. "Sharp repeatedly misused his administrative access to download gigabytes of confidential data from his employer," the U.S. Justice Department said, adding he "modified session file names to attempt to make it ap...The Hacker News
May 14, 2023 – Botnet
The latest variant of the RapperBot botnet adds cryptojacking capabilities Full Text
Abstract
FortiGuard Labs Researchers spotted new samples of the RapperBot botnet that support cryptojacking capabilities. FortiGuard Labs researchers have discovered new samples of the RapperBot bot that added cryptojacking capabilities. Researchers from...Security Affairs
May 14, 2023 – Breach
Capita warns customers to assume that their data was stolen Full Text
Abstract
UK outsourcing giant Capita is informing customers that their data may have been stolen in the cyberattack that hit the company in early April. In early April, the UK outsourcing giant Capita confirmed that its staff was locked out of their accounts...Security Affairs
May 14, 2023 – General
Security Affairs newsletter Round 419 by Pierluigi Paganini – International edition Full Text
Abstract
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. We are in the final! Please vote for Security Affairs (https://securityaffairs.com/) as the best...Security Affairs
May 13, 2023 – Vulnerabilities
WordPress Plugin Vulnerability Exposed Ferrari Website to Hackers Full Text
Abstract
Security researchers noticed that the ‘media.ferrari.com’ domain is powered by WordPress and it was running a very old version of W3 Total Cache, a plugin installed on more than a million websites.Cyware
May 13, 2023 – Phishing
New Phishing-as-a-Service Platform Lets Cybercriminals Generate Convincing Phishing Pages Full Text
Abstract
A new phishing-as-a-service (PhaaS or PaaS) platform named Greatness has been leveraged by cybercriminals to target business users of the Microsoft 365 cloud service since at least mid-2022, effectively lowering the bar to entry for phishing attacks. "Greatness, for now, is only focused on Microsoft 365 phishing pages, providing its affiliates with an attachment and link builder that creates highly convincing decoy and login pages," Cisco Talos researcher Tiago Pereira said. "It contains features such as having the victim's email address pre-filled and displaying their appropriate company logo and background image, extracted from the target organization's real Microsoft 365 login page." Campaigns involving Greatness have mainly targeted manufacturing, health care, and technology entities located in the U.S., the U.K., Australia, South Africa, and Canada, with a spike in activity detected in December 2022 and March 2023. Phishing kits like Greatness offer th...The Hacker News
May 13, 2023 – Breach
Data of 237,000 US government employees breached Full Text
Abstract
The personal information of 237,000 current and former federal government employees has been exposed in a data breach at the U.S. Transportation Department (USDOT), sources briefed on the matter said on Friday.Cyware
May 13, 2023 – Breach
Personal info of 90k hikers leaked by French tourism company La Malle Postale Full Text
Abstract
La Malle Postale, a transportation company serving hikers on popular hiking trails in France, leaked personal data and private messages of their clients. The Cybernews research team has discovered a data leak on La Malle Postale’s system that exposed...Security Affairs
May 13, 2023 – Breach
Data of more than 2M Toyota customers exposed in ten years-long data breach Full Text
Abstract
A data breach disclosed by Toyota Motor Corporation exposed info of more than 2 million customers for ten years. Toyota Motor Corporation disclosed a data breach that exposed the car-location information of 2,150,000 customers between November 6, 2013,...Security Affairs
May 13, 2023 – Breach
Discord suffered a data breach after third-party support agent was hacked Full Text
Abstract
Discord disclosed a data breach; the security breach was caused by the compromise of a third-party support agent's account. Discord, the popular VoIP and instant messaging social platform, disclosed a data breach and is notifying the impacted users....Security Affairs
May 13, 2023 – Ransomware
Russia-affiliated CheckMate ransomware quietly targets popular file-sharing protocol Full Text
Abstract
The CheckMate ransomware operators have been targeting the Server Message Block (SMB) communication protocol used for file sharing to compromise their victims’ networks. Unlike most ransom campaigns, CheckMate, discovered in 2022, has been quiet...Security Affairs
May 12, 2023 – Breach
Amtel, LLC dba Connectivity Source Notifies 17,835 Current and Former Employees of Recent Data Breach Full Text
Abstract
On May 10, the firm filed a notice of data breach with the Maine Attorney General after learning that an unauthorized party had gained access to the company’s IT network and accessed sensitive information belonging to current and former employees.Cyware
May 12, 2023 – Malware
XWorm Malware Exploits Follina Vulnerability in New Wave of Attacks Full Text
Abstract
Cybersecurity researchers have discovered an ongoing phishing campaign that makes use of a unique attack chain to deliver the XWorm malware on targeted systems. Securonix, which is tracking the activity cluster under the name MEME#4CHAN, said some of the attacks have primarily targeted manufacturing firms and healthcare clinics located in Germany. "The attack campaign has been leveraging rather unusual meme-filled PowerShell code, followed by a heavily obfuscated XWorm payload to infect its victims," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a new analysis shared with The Hacker News. The report builds on recent findings from Elastic Security Labs, which revealed the threat actor's reservation-themed lures to deceive victims into opening malicious documents capable of delivering XWorm and Agent Tesla payloads. The attacks begin with phishing attacks to distribute decoy Microsoft Word documents that, instead of using macros, weaponi...The Hacker News
May 12, 2023 – Criminals
Bl00dy Ransomware Gang actively targets the education sector exploiting PaperCut RCE Full Text
Abstract
U.S. CISA and FBI warned of attacks conducted by the Bl00dy Ransomware Gang against the education sector in the country. The FBI and CISA issued a joint advisory warning that the Bl00dy Ransomware group is actively targeting the education sector...Security Affairs
May 12, 2023 – Vulnerabilities
Organizations Informed of Over a Dozen Vulnerabilities in Rockwell Automation Products Full Text
Abstract
Rockwell Automation published six new security advisories this week and four of them have also been distributed by the US Cybersecurity and Infrastructure Security Agency (CISA). The advisories describe a total of more than a dozen vulnerabilities.Cyware
May 12, 2023 – Vulnerabilities
Netgear Routers’ Flaws Expose Users to Malware, Remote Attacks, and Surveillance Full Text
Abstract
As many as five security flaws have been disclosed in Netgear RAX30 routers that could be chained to bypass authentication and achieve remote code execution. "Successful exploits could allow attackers to monitor users' internet activity, hijack internet connections, and redirect traffic to malicious websites or inject malware into network traffic," Claroty security researcher Uri Katz said in a report. Additionally, a network-adjacent threat actor could also weaponize the flaws to access and control networked smart devices like security cameras, thermostats, smart locks; tamper with router settings, and even use a compromised network to launch attacks against other devices or networks. The list of flaws, which were demonstrated at the Pwn2Own hacking competition held in Toronto in December 2022, is as follows - CVE-2023-27357 (CVSS score: 6.5) - Missing Authentication Information Disclosure Vulnerability; CVE-2023-27368 (CVSS score: 8.8) - Stack-based Buffer...The Hacker News
May 12, 2023 – Ransomware
Leaked source code of Babuk ransomware used by 10 different ransomware families targeting VMware ESXi Full Text
Abstract
The leak of the source code of the Babuk ransomware allowed 9 ransomware gangs to create their own ransomware targeting VMware ESXi systems. SentinelLabs researchers have identified 10 ransomware families using VMware ESXi lockers based on the source...Security Affairs
May 12, 2023 – Attack
Tennessee, Georgia colleges respond to cyberattacks as school year wraps up Full Text
Abstract
Tennessee’s Chattanooga State Community College has been responding to a cyberattack since Saturday, forcing the school to cancel classes on Monday and modify schedules for staff members. The school serves more than 11,000 students.Cyware
May 12, 2023 – Malware
New Stealthy Variant of Linux Backdoor BPFDoor Emerges from the Shadows Full Text
Abstract
A previously undocumented and mostly undetected variant of a Linux backdoor called BPFDoor has been spotted in the wild, cybersecurity firm Deep Instinct said in a technical report published this week. "BPFDoor retains its reputation as an extremely stealthy and difficult-to-detect malware with this latest iteration," security researchers Shaul Vilkomir-Preisman and Eliran Nissan said. BPFDoor (aka JustForFun), first documented by PwC and Elastic Security Labs in May 2022, is a passive Linux backdoor associated with a Chinese threat actor called Red Menshen (aka DecisiveArchitect or Red Dev 18), which is known to single out telecom providers across the Middle East and Asia since at least 2021. The malware is specifically geared towards establishing persistent remote access to compromised target environments for extended periods of time, with evidence pointing to the hacking crew operating the backdoor undetected for years. BPFDoor gets its name from the u...The Hacker News
May 12, 2023 – General
What the Email Security Landscape Looks Like in 2023 Full Text
Abstract
Email-based threats have become increasingly sophisticated; how is this changing the email security landscape? For over a decade, email has been a common source of cybersecurity threats. During that time, email-based threats have become increasingly sophisticated....Security Affairs
May 12, 2023 – Criminals
Israeli Threat Group Uses Fake Company Acquisitions in CEO Fraud Schemes Full Text
Abstract
A group of cybercriminals based in Israel has launched more than 350 business email compromise (BEC) campaigns over the past two years, targeting large multinational companies from around the world.Cyware
May 12, 2023 – General
Solving Your Teams Secure Collaboration Challenges Full Text
Abstract
In today's interconnected world, where organisations regularly exchange sensitive information with customers, partners and employees, secure collaboration has become increasingly vital. However, collaboration can pose a security risk if not managed properly. To ensure that collaboration remains secure, organisations need to take steps to protect their data. Since collaborating is essential for almost any team to succeed, shouldn't you be able to do it securely? Whether you're sharing a Wi-Fi password, a social media account, or the passwords to a financial account, you deserve peace of mind. The risks of not protecting your sensitive data can be disastrous, from data breaches and reputational damage to legal ramifications and financial loss. But let's face it: Secure collaboration can be a real nightmare. Challenges of Secure Collaboration and Password Sharing: It's another day in the office, and your team needs to share a ridiculous amount of sensitive informati...The Hacker News
May 12, 2023 – Criminals
The Black Basta ransomware gang hit multinational company ABB Full Text
Abstract
Swiss electrification and automation technology giant ABB suffered a Black Basta ransomware attack that impacted its business operations. Swiss multinational company ABB, a leading electrification and automation technology provider, is the latest victim...Security Affairs
May 12, 2023 – General
Millions of mobile phones come pre-infected with malware Full Text
Abstract
The malware turns the devices into proxies which are used to steal and sell SMS messages, take over social media and online messaging accounts, and are monetized via adverts and click fraud.Cyware
May 12, 2023 – Attack
Bl00dy Ransomware Gang Strikes Education Sector with Critical PaperCut Vulnerability Full Text
Abstract
U.S. cybersecurity and intelligence agencies have warned of attacks carried out by a threat actor known as the Bl00dy Ransomware Gang that attempt to exploit vulnerable PaperCut servers against the education facilities sector in the country. The attacks took place in early May 2023, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) said in a joint cybersecurity advisory issued Thursday. "The Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet," the agencies said. "Ultimately, some of these operations led to data exfiltration and encryption of victim systems. The Bl00dy Ransomware Gang left ransom notes on victim systems demanding payment in exchange for decryption of encrypted files." CVE-2023-27350 is a now-patched critical security flaw affecting some versions of PaperCut MF a...The Hacker News
May 12, 2023 – Vulnerabilities
A flaw in the Essential ‘Addons for Elementor’ WordPress plugin puts 1M sites at risk of hacking Full Text
Abstract
Experts warn of an unauthenticated privilege escalation flaw in the popular Essential 'Addons for Elementor' WordPress plugin. The Essential 'Addons for Elementor' WordPress plugin is a collection of 90+ creative elements and extensions that allow...Security Affairs
May 12, 2023 – Vulnerabilities
One Million WordPress Sites Impacted by Exploited Plugin Vulnerability Full Text
Abstract
The exploitation of a critical vulnerability in the Essential Addons for Elementor WordPress plugin began immediately after a patch was released, WordPress security firm Defiant warns.Cyware
May 12, 2023 – Vulnerabilities
New Flaw in WordPress Plugin Used by Over a Million Sites Under Active Exploitation Full Text
Abstract
A security vulnerability has been disclosed in the popular WordPress plugin Essential Addons for Elementor that could be potentially exploited to achieve elevated privileges on affected sites. The issue, tracked as CVE-2023-32243, has been addressed by the plugin maintainers in version 5.7.2 that was shipped on May 11, 2023. Essential Addons for Elementor has over one million active installations. "This plugin suffers from an unauthenticated privilege escalation vulnerability and allows any unauthenticated user to escalate their privilege to that of any user on the WordPress site," Patchstack researcher Rafie Muhammad said. Successful exploitation of the flaw could permit a threat actor to reset the password of any arbitrary user as long as the malicious party is aware of their username. The shortcoming is believed to have existed since version 5.4.0. This can have serious ramifications as the flaw could be weaponized to reset the password associated with an administ...The Hacker News
May 11, 2023 – Vulnerabilities
Experts share details of five flaws that can be chained to hack Netgear RAX30 Routers Full Text
Abstract
Researchers disclosed the details of five vulnerabilities that can be chained to take over some Netgear router models. Industrial and IoT cybersecurity firm Claroty disclosed technical details of five vulnerabilities that can be exploited to hack some...Security Affairs
May 11, 2023 – APT
New APT Group Red Stinger Targets Military and Critical Infrastructure in Eastern Europe Full Text
Abstract
A previously undetected advanced persistent threat (APT) actor dubbed Red Stinger has been linked to attacks targeting Eastern Europe since 2020. "Military, transportation, and critical infrastructure were some of the entities being targeted, as well as some involved in the September East Ukraine referendums," Malwarebytes disclosed in a report published today. "Depending on the campaign, attackers managed to exfiltrate snapshots, USB drives, keyboard strokes, and microphone recordings." Red Stinger overlaps with a threat cluster Kaspersky revealed under the name Bad Magic last month as having targeted government, agriculture, and transportation organizations located in Donetsk, Lugansk, and Crimea last year. While there were indications that the APT group may have been active since at least September 2021, the latest findings from Malwarebytes push the group's origins back by nearly a year, with the first operation taking place in December 2020.The Hacker News
May 11, 2023 – General
We are in the final! Please vote for Security Affairs and Pierluigi Paganini Full Text
Abstract
Dear readers and friends, once again we are in the final of the European Cybersecurity Blogger Awards 2022 and I need your support. Please help me in reaching this new target. I work hard every day to provide updated news to students, passionate readers,...Security Affairs
May 11, 2023 – Solution
How Attack Surface Management Supports Continuous Threat Exposure Management Full Text
Abstract
According to Forrester, External Attack Surface Management (EASM) emerged as a market category in 2021 and gained popularity in 2022. In a different report, Gartner concluded that vulnerability management vendors are expanding their offerings to include Attack Surface Management (ASM) for a suite of comprehensive offensive security solutions. Recognition from global analysts has officially put ASM on the map, evolving the way security leaders approach their cybersecurity. Why Now is the Right Time for Attack Surface Management: Businesses today rely more on digital assets than ever before. Shifts over time include more use of the cloud, an increase in remote workforces, and greater expansion of digital assets in part because of mergers and acquisitions. This resulted in an expansion of both known and unknown attack surfaces that businesses manage, presenting a greater number of pathways for malicious actors to gain entry to an environment. Consider this analogy for example: I...The Hacker News
May 11, 2023 – Solution
Google will provide dark web monitoring to all US Gmail users and more Full Text
Abstract
Google announced the opening of the dark web monitoring report security feature to all Gmail users in the United States. Google is going to offer dark web monitoring to all U.S. Gmail users; the feature allows them to search for their email addresses...Security Affairs
May 11, 2023 – Criminals
Spanish Police Takes Down Massive Cybercrime Ring, 40 Arrested Full Text
Abstract
The National Police of Spain said it arrested 40 individuals for their alleged involvement in an organized crime gang called Trinitarians. Among those apprehended include two hackers who carried out bank scams through phishing and smishing techniques and 15 other members of the crime syndicate, who have all been charged with a number of offenses such as bank fraud, forging documents, identity theft, and money laundering. In all, the nefarious scheme is believed to have defrauded more than 300,000 victims, resulting in losses of over €700,000. "The criminal organization used hacking tools and business logistics to carry out computer scams," officials said. To pull off the attacks, the cybercriminals sent bogus links via SMS that, when clicked, redirected users to a phishing panel masquerading as legitimate financial institutions to steal their credentials and abuse the access to request loans and link the cards to cryptocurrency wallets under their control. These...The Hacker News
May 11, 2023 – APT
North Korea-linked APT breached the Seoul National University Hospital Full Text
Abstract
The Korean National Police Agency (KNPA) warns that a North Korea-linked APT group had breached the Seoul National University Hospital (SNUH). The Korean National Police Agency (KNPA) revealed that a North Korea-linked APT group has breached one of the largest...Security Affairs
May 11, 2023 – Solution
Twitter now supports Encrypted Direct Messages, with some limitations Full Text
Abstract
Twitter is rolling out support for encrypted direct messages (DMs); the security feature will initially be available only to verified users. Twitter is rolling out support for encrypted direct messages (DMs), the feature is initially limited to verified users...Security Affairs
May 10, 2023 – Vulnerabilities
Researchers Find Bypass for a Fixed Bug; MSFT Patches Again Full Text
Abstract
Microsoft patched the modified attack - tracked as CVE-2023-29324 - during this month's dump of fixes, rating the bug as "important" but not "critical." Researchers from Akamai, which found and disclosed the bug, say it merits a critical rating.Cyware
May 10, 2023 – Solution
Google Announces New Privacy, Safety, and Security Features Across Its Services Full Text
Abstract
Google unveiled a slew of new privacy, safety, and security features today at its annual developer conference, Google I/O. The tech giant's latest initiatives are aimed at protecting its users from cyber threats, including phishing attacks and malicious websites, while providing more control and transparency over their personal data. Here is a short list of the newly introduced features: Improved data control and transparency; Gmail Dark Web Scan Report; Effortlessly Delete Maps Search History; AI-Powered Safe Browsing; Content Safety API Expansion; About this Image; Spam View in Google Drive. Among the newly introduced features, the first on the list is improved data control and transparency. Google has unveiled an update for its Android operating system that allows users to better control location sharing through apps installed on their devices. "Starting with location data, you will be informed in permission requests when an app shares your information with third-par...The Hacker News
May 10, 2023 – Policy and Law
Cybercrime Disruption through Civil Litigation and Equitable Remedies Full Text
Abstract
No single tool, legal or technical, is able to fight cybercrime. But civil action litigation, however imperfect, is an effective tool to disrupt cybercrime that is available now.Lawfare
May 10, 2023 – Attack
Cybersecurity firm Dragos shared details about a failed extortion attempt it suffered Full Text
Abstract
Industrial cybersecurity firm Dragos revealed that a ransomware group attempted to breach its infrastructure and extort it. Industrial cybersecurity firm Dragos revealed that on May 8, 2023, a known ransomware group attempted and failed to breach...Security Affairs
May 10, 2023 – Vulnerabilities
Siemens, Schneider Electric Address Few Dozen ICS Vulnerabilities Full Text
Abstract
Siemens has published six new advisories describing 26 vulnerabilities in Siveillance Video products, Cloud Connect 7, and more. Schneider Electric has published four new advisories that describe half a dozen vulnerabilities.Cyware
May 10, 2023 – Vulnerabilities
Experts Detail New Zero-Click Windows Vulnerability for NTLM Credential Theft Full Text
Abstract
Cybersecurity researchers have shared details about a now-patched security flaw in the Windows MSHTML platform that could be abused to bypass integrity protections on targeted machines. The vulnerability, tracked as CVE-2023-29324 (CVSS score: 6.5), has been described as a security feature bypass. It was addressed by Microsoft as part of its Patch Tuesday updates for May 2023. Akamai security researcher Ben Barnea, who discovered and reported the bug, noted that all Windows versions are affected, but pointed out that Microsoft Exchange servers with the March update omit the vulnerable feature. "An unauthenticated attacker on the internet could use the vulnerability to coerce an Outlook client to connect to an attacker-controlled server," Barnea said in a report shared with The Hacker News. "This results in NTLM credentials theft. It is a zero-click vulnerability, meaning it can be triggered with no user interaction." It's also worth noting that CVE-2023-...The Hacker News
May 10, 2023 – Hacker
DownEx cyberespionage operation targets Central Asia Full Text
Abstract
A new sophisticated malware strain, dubbed DownEx, was involved in attacks aimed at Government organizations in Central Asia. In late 2022, Bitdefender Labs researchers first observed a highly targeted cyberattack targeting foreign government...Security Affairs
May 10, 2023 – Breach
Smashing Pumpkins frontman paid ransom to a hacker who threatened to leak the band’s songs Full Text
Abstract
The frontman of the alternative rock band Smashing Pumpkins, Billy Corgan, revealed that he paid a ransom after a hacker stole the band’s songs and threatened to leak them.Cyware
May 10, 2023 – Malware
Sophisticated DownEx Malware Campaign Targeting Central Asian Governments Full Text
Abstract
Government organizations in Central Asia are the target of a sophisticated espionage campaign that leverages a previously undocumented strain of malware dubbed DownEx. Bitdefender, in a report shared with The Hacker News, said the activity remains active, with evidence likely pointing to the involvement of Russia-based threat actors. The Romanian cybersecurity firm said it first detected the malware in a highly targeted attack aimed at foreign government institutions in Kazakhstan in late 2022. Subsequently, another attack was observed in Afghanistan. The use of a diplomat-themed lure document and the campaign's focus on data exfiltration suggests the involvement of a state-sponsored group, although the exact identity of the hacking outfit remains indeterminate at this stage. The initial intrusion vector for the campaign is suspected to be a spear-phishing email bearing a booby-trapped payload, which is a loader executable that masquerades as a Microsoft Word file. Openi...The Hacker News
May 10, 2023 – Attack
Smashing Pumpkins frontman paid ransom to a hacker who threatened to leak the band’s songs Full Text
Abstract
The frontman of the American alternative rock band Smashing Pumpkins, Billy Corgan, has revealed he paid hackers who stole the band's songs. The frontman of the alternative rock band Smashing Pumpkins, Billy Corgan, revealed he paid a ransom after...Security Affairs
May 10, 2023 – Vulnerabilities
Adobe Patches 14 Vulnerabilities in Substance 3D Painter Full Text
Abstract
Adobe has announced security updates for its Substance 3D Painter product to address more than a dozen vulnerabilities. This is the only product for which the software giant released updates this Patch Tuesday.Cyware
May 10, 2023 – Education
Why Honeytokens Are the Future of Intrusion Detection Full Text
Abstract
A few weeks ago, the 32nd edition of RSA, one of the world's largest cybersecurity conferences, wrapped up in San Francisco. Among the highlights, Kevin Mandia, CEO of Mandiant at Google Cloud, presented a retrospective on the state of cybersecurity. During his keynote, Mandia stated: "There are clear steps organizations can take beyond common safeguards and security tools to strengthen their defenses and increase their chances of detecting, thwarting or minimizing attack [...] Honeypots, or fake accounts deliberately left untouched by authorized users, are effective at helping organizations detect intrusions or malicious activities that security products can't stop". "Build honeypots" was one of his seven pieces of advice to help organizations avoid some of the attacks that might require engagement with Mandiant or other incident response firms. As a reminder, honeypots are decoy systems that are set up to lure attackers and divert their attentio...The Hacker News
May 10, 2023 – Outage
US disrupts Russia-linked Snake implant’s network Full Text
Abstract
The US government announced that it has disrupted the peer-to-peer (P2P) network of computers compromised by the Snake malware. The Snake implant is one of the most sophisticated implants used by Russia-linked threat actors for cyberespionage purposes....Security Affairs
May 10, 2023 – Outage
Australia’s TechnologyOne halts trading after being hit by cyberattack Full Text
Abstract
Australia's TechnologyOne Ltd said on Wednesday it had detected an unauthorised third-party access to its back-office systems, becoming the latest target in a series of cyberattacks that has bogged companies in the country since last year.Cyware
May 10, 2023 – Policy and Law
Mastermind Behind Twitter 2020 Hack Pleads Guilty and Faces up to 70 Years in Prison Full Text
Abstract
A U.K. national has pleaded guilty in connection with the July 2020 Twitter attack affecting numerous high-profile accounts and defrauding other users of the platform. Joseph James O'Connor, who also went by the online alias PlugwalkJoe, admitted to "his role in cyberstalking and multiple schemes that involve computer hacking, including the July 2020 hack of Twitter," the U.S. Department of Justice (DoJ) said. The 23-year-old individual was extradited from Spain on April 26 after the Spanish National Court, in February, approved the DoJ request to hand over O'Connor to face 14 criminal charges in the U.S. The massive hack, which took place on July 15, 2020, involved O'Connor and his co-conspirators seizing control of 130 Twitter accounts, including those belonging to Barack Obama, Bill Gates, and Elon Musk, to perpetrate a cryptocurrency scam that netted them $120,000 in a few hours. The attack was made possible by using social engineering techniques to obtain...The Hacker News
May 10, 2023 – Vulnerabilities
Microsoft Patch Tuesday for May 2023 fixed 2 actively exploited zero-day flaws Full Text
Abstract
Microsoft Patch Tuesday security updates for May 2023 address a total of 40 vulnerabilities, including two zero-days actively exploited in attacks. Microsoft’s May 2023 security updates address 40 vulnerabilities, including two zero-day flaws actively...Security Affairs
May 10, 2023 – Vulnerabilities
Intel, AMD Address Over 100 Vulnerabilities on Patch Tuesday Full Text
Abstract
Intel has released 38 advisories covering over 80 vulnerabilities. The company has addressed nearly two dozen issues rated ‘high severity’ — the remaining bugs have been rated ‘medium severity’ and one is ‘low severity’.Cyware
May 10, 2023 – Government
U.S. Government Neutralizes Russia’s Most Sophisticated Snake Cyber Espionage Tool Full Text
Abstract
The U.S. government on Tuesday announced the court-authorized disruption of a global network compromised by an advanced malware strain known as Snake wielded by Russia's Federal Security Service (FSB). Snake, dubbed the "most sophisticated cyber espionage tool," is the handiwork of a Russian state-sponsored group called Turla (aka Iron Hunter, Secret Blizzard, SUMMIT, Uroburos, Venomous Bear, and Waterbug), which the U.S. government attributes to a unit within Center 16 of the FSB. The threat actor has a track record of heavily focusing on entities in Europe, the Commonwealth of Independent States (CIS), and countries affiliated with NATO, with recent activity expanding its footprint to incorporate Middle Eastern nations deemed a threat to countries supported by Russia in the region. "For nearly 20 years, this unit [...] has used versions of the Snake malware to steal sensitive documents from hundreds of computer systems in at least 50 countries, which have...The Hacker News
May 10, 2023 – Malware
Fake Windows System Update Drops Aurora Stealer via Invalid Printer Loader Full Text
Abstract
Attackers are using malicious ads to redirect users to what looks like a Windows security update. The scheme is very well designed as it relies on the web browser to display a full-screen animation resembling what you'd expect from Microsoft.Cyware
May 10, 2023 – Vulnerabilities
Microsoft’s May Patch Tuesday Fixes 38 Flaws, Including Active Zero-Day Bug Full Text
Abstract
Microsoft has rolled out Patch Tuesday updates for May 2023 to address 38 security flaws, including one zero-day bug that it said is being actively exploited in the wild. Trend Micro's Zero Day Initiative (ZDI) said the volume is the lowest since August 2021, although it pointed out that "this number is expected to rise in the coming months." Of the 38 vulnerabilities, six are rated Critical and 32 are rated Important in severity. Eight of the flaws have been tagged with an "Exploitation More Likely" assessment by Microsoft. This is aside from 18 flaws – including 11 bugs since the start of May – the Windows maker resolved in its Chromium-based Edge browser following the release of April Patch Tuesday updates. Topping the list is CVE-2023-29336 (CVSS score: 7.8), a privilege escalation flaw in Win32k that has come under active exploitation. It's not immediately clear how widespread the attacks are. "An attacker who successfully exploited thi...The Hacker News
May 10, 2023 – Attack
More Than 45,000 Affected by December Cyberattack on Metropolitan Opera Full Text
Abstract
The organization disclosed that the names, financial account information, tax identification numbers, Social Security numbers, payment card information, and driver’s license numbers of 45,094 people were leaked during the cyberattack.Cyware
May 9, 2023 – Outage
Update: Dallas restores core emergency dispatch systems Full Text
Abstract
The city continues to recover and restore access to its computer-assisted dispatch system. The city’s municipal court system remains offline, and court hearings and trials have been suspended since Wednesday.Cyware
May 09, 2023 – Criminals
U.S. Authorities Seize 13 Domains Offering Criminal DDoS-for-Hire Services Full Text
Abstract
U.S. authorities have announced the seizure of 13 internet domains that offered DDoS-for-hire services to other criminal actors. The takedown is part of an ongoing international initiative dubbed Operation PowerOFF that's aimed at dismantling criminal DDoS-for-hire infrastructures worldwide. The development comes almost five months after a "sweep" in December 2022 dismantled 48 similar services for abetting paying users to launch distributed denial-of-service (DDoS) attacks against targets of interest. This includes school districts, universities, financial institutions, and government websites, according to the U.S. Department of Justice (DoJ). Ten of the 13 illicit domains seized are "reincarnations" of booter or stresser services that were previously shuttered towards the end of last year. "In recent years, booter services have continued to proliferate, as they offer a low barrier to entry for users looking to engage in cybercriminal activity, ...The Hacker News
May 9, 2023 – Breach
The global food distribution giant Sysco discloses a data breach Full Text
Abstract
Sysco, the global food distribution giant, disclosed a data breach; the compromised data includes customer and employee data. Sysco Corporation is an American multinational corporation involved in marketing and distributing food products, smallwares,...Security Affairs
May 9, 2023 – Privacy
Nationwide push to require social media age verification raises questions about privacy, industry standards Full Text
Abstract
Lawmakers in Washington and in statehouses around the country are seeking to compel tech companies to prove the age of their users, part of a growing national effort to better protect young children from the harms of the internet.Cyware
May 09, 2023 – Hacker
Operation ChattyGoblin: Hackers Targeting Gambling Firms via Chat Apps Full Text
Abstract
A gambling company in the Philippines was the target of a China-aligned threat actor as part of a campaign that has been ongoing since October 2021. Slovak cybersecurity firm ESET is tracking the series of attacks against Southeast Asian gambling companies under the name Operation ChattyGoblin . "These attacks use a specific tactic: targeting the victim companies' support agents via chat applications – in particular, the Comm100 and LiveHelp100 apps," ESET said in a report shared with The Hacker News. The use of a trojanized Comm100 installer to deliver malware was first documented by CrowdStrike in October 2022. The company attributed the supply chain compromise to a threat actor likely with associations to China. The attack chains leverage the aforementioned chat apps to distribute a C# dropper that, in turn, deploys another C# executable, which ultimately serves as a conduit to drop a Cobalt Strike beacon on hacked workstations. Also highlighted in ESET'The Hacker News
May 9, 2023 – Vulnerabilities
A Linux NetFilter kernel flaw allows escalating privileges to ‘root’ Full Text
Abstract
A Linux NetFilter kernel flaw, tracked as CVE-2023-32233, can be exploited by unprivileged local users to escalate their privileges to root. Netfilter is a framework provided by the Linux kernel that allows various networking-related operations...Security Affairs
May 9, 2023 – General
State-Sponsored Actors Leading Cause of Cyber Concern in Public Sector Full Text
Abstract
A new SolarWinds report details how foreign hackers have become the largest concern among government entities, and how zero-trust strategies have become the most popular defense.Cyware
May 09, 2023 – Education
Product Security: Harnessing the Collective Experience and Collaborative Tools in DevSecOps Full Text
Abstract
In the fast-paced cybersecurity landscape, product security takes center stage. DevSecOps swoops in, seamlessly merging security practices into DevOps, empowering teams to tackle challenges. Let's dive into DevSecOps and explore how collaboration can give your team the edge to fight cyber villains. Application security and product security Regrettably, application security teams often intervene late in the development process. They maintain the security level of exposed software, ensuring the integrity and confidentiality of consumed or produced data. They focus on securing data flows, isolating environments with firewalls, and implementing strong user authentication and access control. Product security teams aim to guarantee the intrinsic reliability of applications. They recommend tools and resources, making them available to developers and operations. In the DevSecOps approach, each team is responsible for the security of the applications they create. These teams apply securThe Hacker News
May 9, 2023 – Botnet
Fortinet warns of a spike of the activity linked to AndoryuBot DDoS botnet Full Text
Abstract
A DDoS botnet dubbed AndoryuBot has been observed exploiting an RCE, tracked as CVE-2023-25717, in Ruckus access points. FortiGuard Labs researchers have recently observed a spike in attacks attempting to exploit the Ruckus Wireless Admin remote code...Security Affairs
May 9, 2023 – Malware
Building Automation System Exploit Brings KNX Security Back in Spotlight Full Text
Abstract
A public exploit targeting building automation systems has brought KNX security back into the spotlight, with industrial giant Schneider Electric releasing a security bulletin to warn customers about the potential risks.Cyware
May 09, 2023 – APT
Researchers Uncover SideWinder’s Latest Server-Based Polymorphism Technique Full Text
Abstract
The advanced persistent threat (APT) actor known as SideWinder has been accused of deploying a backdoor in attacks directed against Pakistan government organizations as part of a campaign that commenced in late November 2022. "In this campaign, the SideWinder advanced persistent threat (APT) group used a server-based polymorphism technique to deliver the next stage payload," the BlackBerry Research and Intelligence Team said in a technical report published Monday. Another campaign discovered by the Canadian cybersecurity company in early March 2023 shows that Turkey has also landed in the crosshairs of the threat actor's collection priorities. SideWinder has been on the radar since at least 2012 and it's primarily known to target various Southeast Asian entities located across Pakistan, Afghanistan, Bhutan, China, Myanmar, Nepal, and Sri Lanka. Suspected to be an Indian state-sponsored group, SideWinder is also tracked under the monikers APT-C-17, APT-Q-39, HaThe Hacker News
May 9, 2023 – Denial Of Service
FBI seized 13 domains linked to DDoS-for-hire platforms Full Text
Abstract
The U.S. DoJ announced the seizure of 13 new domains associated with DDoS-for-hire platforms as part of Operation PowerOFF. The U.S. Justice Department announced the seizure of 13 domains linked to DDoS-for-hire services as part of a coordinated international...Security Affairs
May 9, 2023 – Breach
LockBit 3.0 Leaks 600 GB of Data Stolen From Indian Lender Full Text
Abstract
The LockBit 3.0 ransomware group on Monday leaked 600 gigabytes of critical data stolen from Indian lender Fullerton India, two weeks after the group demanded a $3 million ransom from the company.Cyware
May 09, 2023 – Attack
Microsoft Warns of State-Sponsored Attacks Exploiting Critical PaperCut Vulnerability Full Text
Abstract
Iranian nation-state groups have now joined financially motivated actors in actively exploiting a critical flaw in PaperCut print management software, Microsoft disclosed over the weekend. The tech giant's threat intelligence team said it observed both Mango Sandstorm (Mercury) and Mint Sandstorm (Phosphorus) weaponizing CVE-2023-27350 in their operations to achieve initial access. "This activity shows Mint Sandstorm's continued ability to rapidly incorporate [proof-of-concept] exploits into their operations," Microsoft said in a series of tweets. On the other hand, CVE-2023-27350 exploitation activity associated with Mango Sandstorm is said to be on the lower end of the spectrum, with the state-sponsored group "using tools from prior intrusions to connect to their C2 infrastructure." It's worth noting that Mango Sandstorm is linked to Iran's Ministry of Intelligence and Security (MOIS) and Mint Sandstorm is associated with the IslamicThe Hacker News
May 9, 2023 – Ransomware
New CACTUS ransomware appeared in the threat landscape Full Text
Abstract
Researchers warn of a new ransomware family called CACTUS that exploits known vulnerabilities in VPN appliances to gain initial access to victims' networks. Researchers from cybersecurity firm Kroll have analyzed a new ransomware family called...Security Affairs
May 9, 2023 – Malware
DrIBAN Toolkit Targets Italian Corporate Banking Full Text
Abstract
Experts at Cleafy disclosed a nearly four-year-long online fraud campaign that infected Windows systems in organizations using drIBAN, a web-inject kit. Criminals attempted to alter legitimate bank transfers by changing the beneficiary details and redirecting the funds to their own accounts. Organiz ...Cyware
May 09, 2023 – Ransomware
New Ransomware Strain ‘CACTUS’ Exploits VPN Flaws to Infiltrate Networks Full Text
Abstract
Cybersecurity researchers have shed light on a new ransomware strain called CACTUS that has been found to leverage known flaws in VPN appliances to obtain initial access to targeted networks. "Once inside the network, CACTUS actors attempt to enumerate local and network user accounts in addition to reachable endpoints before creating new user accounts and leveraging custom scripts to automate the deployment and detonation of the ransomware encryptor via scheduled tasks," Kroll said in a report shared with The Hacker News. The ransomware has been observed targeting large commercial entities since March 2023, with attacks employing double extortion tactics to steal sensitive data prior to encryption. No data leak site has been identified to date. Following a successful exploitation of vulnerable VPN devices, an SSH backdoor is set up to maintain persistent access and a series of PowerShell commands are executed to conduct network scanning and identify a list of machines foThe Hacker News
May 9, 2023 – APT
Iran-linked APT groups started exploiting Papercut flaw Full Text
Abstract
Microsoft warns of Iran-linked APT groups that are targeting vulnerable PaperCut MF/NG print management servers. Microsoft warns that Iran-linked APT groups have been observed exploiting the CVE-2023-27350 flaw in attacks against PaperCut MF/NG print...Security Affairs
May 8, 2023 – Business
HUB Security Raises Up to $16 Million in Growth Investment from The Lind Partners Full Text
Abstract
This investment is expected to provide HUB Security with additional resources to fuel its rapid growth and development, enhance its financial stability, and enable the company to pursue its future plans.Cyware
May 08, 2023 – Education
Join Our Webinar: Learn How to Defeat Ransomware with Identity-Focused Protection Full Text
Abstract
Are you concerned about ransomware attacks? You're not alone. In recent years, these attacks have become increasingly common and can cause significant damage to organizations of all sizes. But there's good news - with the right security measures in place, such as real-time MFA and service account protection, you can effectively protect yourself against these types of attacks. That's why we're excited to invite you to our upcoming webinar with Yiftach Keshet, cybersecurity expert and Chief Marketing Officer at Silverfort. During this webinar, Yiftach will share his insights on how real-time MFA and service account protection can defeat ransomware attacks, and why identity-focused protection is the only way to stop lateral movement and ransomware spread. Some of the key topics that will be covered in this webinar include: The increasing risk of lateral movement and how it's become one of the most critical risks facing organizations today. The blind spots in MFAThe Hacker News
May 8, 2023 – Criminals
Money Message gang leaked private code signing keys from MSI data breach Full Text
Abstract
The ransomware gang behind the attack on Taiwanese PC maker MSI leaked the company's private code signing keys on its dark web leak site. In early April, the ransomware gang Money Message announced that it had hacked the Taiwanese multinational IT corporation...Security Affairs
May 8, 2023 – Business
Immuta Receives Investment from Databricks Ventures Full Text
Abstract
Immuta, a Boston, MA-based leader in data security, received a strategic investment from Databricks Ventures, the investment arm of Databricks, a data and AI company and pioneer of the lakehouse. The amount of the deal was not disclosed.Cyware
May 08, 2023 – Breach
MSI Data Breach: Private Code Signing Keys Leaked on the Dark Web Full Text
Abstract
The threat actors behind the ransomware attack on Taiwanese PC maker MSI last month have leaked the company's private code signing keys on their dark website. "Confirmed, Intel OEM private key leaked, causing an impact on the entire ecosystem," Alex Matrosov, founder and CEO of firmware security firm Binarly, said in a tweet over the weekend. "It appears that Intel Boot Guard may not be effective on certain devices based on the 11th Tiger Lake, 12th Alder Lake, and 13th Raptor Lake." Present in the leaked data are firmware image signing keys associated with 57 PCs and private signing keys for Intel Boot Guard used on 116 MSI products. The Boot Guard keys from MSI are believed to impact several device vendors, including Intel, Lenovo and Supermicro. Intel Boot Guard is a hardware-based security technology that's designed to protect computers against executing tampered UEFI firmware. The development comes a month after MSI fell victim to a doubleThe Hacker News
May 8, 2023 – Breach
NextGen Healthcare suffered a data breach that impacted +1 Million individuals Full Text
Abstract
NextGen Healthcare suffered a data breach; the security incident exposed the personal information of approximately 1 million individuals. Healthcare solutions provider NextGen Healthcare suffered a data breach that exposed the personal information...Security Affairs
May 8, 2023 – Breach
Kenya: Kabarak University ICT Manager suspended as hackers table their demand Full Text
Abstract
Kabarak University's Facebook account was seized by hackers who have been using it to spread malicious and misleading images and content that contravenes the institution’s Christian values and have since tabled their demands.Cyware
May 08, 2023 – Breach
Western Digital Confirms Customer Data Stolen by Hackers in March Breach Full Text
Abstract
Digital storage giant Western Digital confirmed that an "unauthorized third party" gained access to its systems and stole personal information belonging to the company's online store customers. "This information included customer names, billing and shipping addresses, email addresses and telephone numbers," the San Jose-based company said in a disclosure last week. "In addition, the database contained, in encrypted format, hashed and salted passwords and partial credit card numbers. We will communicate directly with impacted customers." The development comes a little over a month after Western Digital divulged a "network security incident" on March 26, 2023, prompting the company to take its cloud services offline. A subsequent report from TechCrunch last month revealed that the threat actors behind the attack were allegedly in possession of "around 10 terabytes of data," and were negotiating with Western Digital for a rThe Hacker News
May 8, 2023 – Breach
Western Digital notifies customers of data breach after March cyberattack Full Text
Abstract
Western Digital is notifying its customers of a data breach that exposed their sensitive personal information; the incident took place in March. In March 2023, Western Digital was hit by a ransomware attack and, in response to the incident, it shut...Security Affairs
May 8, 2023 – Attack
Cyberattack at Hong Kong healthcare group may have exposed 100,000 patients’ data Full Text
Abstract
OT&P Healthcare CEO Robin Green on Monday said the cyberattack took place within the clinic’s management and operating system. “That system holds both patient identity and medical records. We have no idea … how much data was taken,” he said.Cyware
May 08, 2023 – Hacker
SideCopy Using Action RAT and AllaKore RAT to infiltrate Indian Organizations Full Text
Abstract
The suspected Pakistan-aligned threat actor known as SideCopy has been observed leveraging themes related to the Indian military research organization as part of an ongoing phishing campaign. This involves using a ZIP archive lure pertaining to India's Defence Research and Development Organization ( DRDO ) to deliver a malicious payload capable of harvesting sensitive information, Fortinet FortiGuard Labs said in a new report. The cyber espionage group, with activity dating back to at least 2019, targets entities that align with Pakistan government interests. It's believed to share overlaps with another Pakistani hacking crew called Transparent Tribe . SideCopy's use of DRDO-related decoys for malware distribution was previously flagged by Cyble and Chinese cybersecurity firm QiAnXin in March 2023, and again by Team Cymru last month. Interestingly, the same attack chains have been observed to load and execute Action RAT as well as an open source remote acThe Hacker News
May 8, 2023 – Government
CERT-UA warns of an ongoing SmokeLoader campaign Full Text
Abstract
Ukraine's CERT-UA warns of an ongoing phishing campaign aimed at distributing the SmokeLoader malware in the form of a polyglot file. CERT-UA warns of an ongoing phishing campaign that is distributing the SmokeLoader malware in the form of a polyglot...Security Affairs
May 8, 2023 – Government
White House official says Counter Ransomware Initiative focused on ‘expanding the tent,’ with Jordan, Costa Rica, Colombia joining Full Text
Abstract
According to White House Deputy National Security Adviser Anne Neuberger, there were more than 6,500 ransomware attacks across the globe between 2020 and 2022, prompting difficult discussions about ways to disrupt the ecosystem.Cyware
May 08, 2023 – Education
How to Set Up a Threat Hunting and Threat Intelligence Program Full Text
Abstract
Threat hunting is an essential component of your cybersecurity strategy. Whether you're getting started or in an advanced state, this article will help you ramp up your threat intelligence program. What is Threat Hunting? The cybersecurity industry is shifting from a reactive to a proactive approach. Instead of waiting for cybersecurity alerts and then addressing them, security organizations are now deploying red teams to actively seek out breaches, threats and risks, so they can be isolated. This is also known as "threat hunting." Why is Threat Hunting Required? Threat hunting complements existing prevention and detection security controls. These controls are essential for mitigating threats. However, they are optimized for low false positive alerting. Hunt solutions, on the other hand, are optimized for low false negatives. This means that the anomalies and outliers that are considered false positives for detection solutions, are hunting solutions' leads, to bThe Hacker News
May 8, 2023 – General
SEC issued a record award of $279 million to a whistleblower Full Text
Abstract
The Securities and Exchange Commission (SEC) announced the largest-ever award, approximately $279 million, to a whistleblower. The Securities and Exchange Commission (SEC) paid a record sum of approximately $279 million to a whistleblower. The...Security Affairs
May 8, 2023 – Breach
One Million Impacted by Data Breach at NextGen Healthcare Full Text
Abstract
Headquartered in Atlanta, Georgia, the company makes and sells electronic health records software and provides doctors and medical professionals with practice management services.Cyware
May 08, 2023 – Attack
CERT-UA Warns of SmokeLoader and RoarBAT Malware Attacks Against Ukraine Full Text
Abstract
An ongoing phishing campaign with invoice-themed lures is being used to distribute the SmokeLoader malware in the form of a polyglot file, according to the Computer Emergency Response Team of Ukraine (CERT-UA). The emails, per the agency , are sent using compromised accounts and come with a ZIP archive that, in reality, is a polyglot file containing a decoy document and a JavaScript file. The JavaScript code is then used to launch an executable that paves for the execution of the SmokeLoader malware . SmokeLoader, first detected in 2011, is a loader whose main objective is to download or load a stealthier or more effective malware onto infected systems. CERT-UA attributed the activity to a threat actor it calls UAC-0006 and characterized it as a financially motivated operation carried out with the goal of stealing credentials and making unauthorized fund transfers. In a related advisory, Ukraine's cybersecurity authority also revealed details of destructive attacks orchThe Hacker News
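The polyglot trick described above works because ZIP readers locate the archive from its end-of-central-directory record, so a file can open as one format from the front and still unpack as a ZIP. The following triage check, added here as an illustration and not code from CERT-UA or the report, builds a constructed PDF-plus-ZIP sample (hypothetical member names, inert script body) and reports when a file whose leading bytes say "PDF" also parses as an archive carrying script members:

```python
import io
import zipfile

# Leading magic bytes for the container a file *claims* to be (small table, not exhaustive).
MAGICS = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"\x7fELF": "elf",
    b"MZ": "pe",
    b"\xd0\xcf\x11\xe0": "ole2",
    b"\x89PNG": "png",
}
# Member names that would run as script on a Windows host (constructed list).
SCRIPT_SUFFIXES = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".bat", ".cmd")


def leading_type(data: bytes) -> str:
    """Identify a file by its first bytes only, the way a naive filter would."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def embedded_zip(data: bytes):
    """Return (offset of first local file header, member names) if a parseable ZIP
    archive lives anywhere inside data, else None. ZIP readers find the end-of-
    central-directory record from the tail, so leading bytes do not stop parsing."""
    start = data.find(b"PK\x03\x04")
    if start < 0 or data.rfind(b"PK\x05\x06") < 0:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return start, zf.namelist()
    except zipfile.BadZipFile:
        return None


def classify(data: bytes) -> dict:
    head = leading_type(data)
    found = embedded_zip(data)
    if found is None:
        return {"leading": head, "polyglot": False, "zip_offset": None,
                "members": [], "script_members": []}
    offset, members = found
    return {
        "leading": head,
        # A ZIP starting at byte 0 is just a ZIP; a ZIP that parses but sits
        # behind another format's header is a polyglot.
        "polyglot": not (head == "zip" and offset == 0),
        "zip_offset": offset,
        "members": members,
        "script_members": [m for m in members if m.lower().endswith(SCRIPT_SUFFIXES)],
    }


def build_sample_polyglot() -> bytes:
    """Constructed sample: a PDF-looking decoy followed by a complete ZIP holding a
    decoy document and a script (hypothetical names; the script body is inert)."""
    decoy = b"%PDF-1.4\n% constructed decoy document for this example\n" + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.pdf", decoy)
        zf.writestr("invoice.js", "// inert stand-in for the dropper script\nWScript.Echo('x');\n")
    return decoy + buf.getvalue()


def build_plain_zip() -> bytes:
    """Constructed control sample: an ordinary archive with nothing prepended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("polyglot", build_sample_polyglot()), ("plain", build_plain_zip())):
        print(label, classify(blob))
```

The check deliberately trusts the ZIP parser rather than the magic table: a filter that only inspects the first bytes is exactly what the polyglot is built to pass.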
May 7, 2023 – Breach
San Bernardino County Sheriff’s Department paid a $1.1M ransom Full Text
Abstract
The San Bernardino County Sheriff’s Department confirmed that it has paid a $1.1-million ransom after the April ransomware attack. The San Bernardino County Sheriff’s Department opted to pay a $1.1-million ransom after a ransomware attack infected...Security Affairs
May 7, 2023 – APT
Dragon Breath APT uses double-dip DLL sideloading strategy Full Text
Abstract
An APT group tracked as Dragon Breath has been observed employing a new DLL sideloading technique. Sophos researchers observed an APT group, tracked as Dragon Breath (aka APT-Q-27 and Golden Eye), that is using a new DLL sideloading technique that...Security Affairs
May 6, 2023 – Hacker
Kimsuky Enhances its BabyShark Recon Tool in a Global Campaign Full Text
Abstract
North Korean hacking group Kimsuky is distributing a new version of its reconnaissance malware called ReconShark. The cyberespionage campaign involves sending emails containing a link to a password-protected document hosted on Microsoft OneDrive. The malware can steal sensitive data from the infected sy ... Read MoreCyware
May 6, 2023 – Attack
Drone Goggles Maker Orqa Hit with ‘Time-bomb’ Ransomware Attack Full Text
Abstract
Orqa, a maker of FPV drone racing goggles, claimed that a contractor introduced code into the firmware of the devices, designed to brick them as a time bomb. Findings say that the contractor had been in business relations with Orqa for several years and had waited for the code bomb to detonate ... Read MoreCyware
May 6, 2023 – Hacker
Russian actor Uses WinRAR and DD Command to Destroy Ukrainian Data Full Text
Abstract
CERT-UA confirmed the discovery of a malicious script dubbed RoarBat that is most probably being used by the Russian threat group Sandworm to wipe data from Ukrainian state networks. The script uses the WinRAR application for archiving and compressing files and then deleting specific fil ... Read MoreCyware
May 6, 2023 – General
Security Affairs newsletter Round 418 by Pierluigi Paganini – International edition Full Text
Abstract
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. We are in the final! Please vote for Security Affairs (https://securityaffairs.com/) as the best...Security Affairs
May 6, 2023 – Breach
Twitter confirmed that a security incident publicly exposed Circle tweets Full Text
Abstract
A security problem caused the public sharing of private tweets sent to Twitter Circles to users outside of the Circle, the company admitted. Since August 2022, the Twitter Circle feature allows users to send tweets to a restricted circle of users,...Security Affairs
May 6, 2023 – Criminals
FBI seized other domains used by the shadow eBook library Z-Library Full Text
Abstract
The FBI has once again disrupted the illegal eBook library Z-Library; the authorities seized several domains used by the service. The Federal Bureau of Investigation (FBI) seized multiple domains used by the illegal shadow eBook library Z-Library. Z-Library...Security Affairs
May 6, 2023 – Hacker
Meta Cracks Down on South Asian Cyberespionage Groups Full Text
Abstract
Social media giant Meta took down hundreds of fake Facebook and Instagram accounts used by South Asia advanced persistent threat groups to glean sensitive information and coax users into installing malware.Cyware
May 06, 2023 – APT
Dragon Breath APT Group Using Double-Clean-App Technique to Target Gambling Industry Full Text
Abstract
An advanced persistent threat (APT) actor known as Dragon Breath has been observed adding new layers of complexity to its attacks by adopting a novel DLL side-loading mechanism. "The attack is based on a classic side-loading attack, consisting of a clean application, a malicious loader, and an encrypted payload, with various modifications made to these components over time," Sophos researcher Gabor Szappanos said . "The latest campaigns add a twist in which a first-stage clean application 'side'-loads a second clean application and auto-executes it. The second clean application side-loads the malicious loader DLL. After that, the malicious loader DLL executes the final payload." Operation Dragon Breath, also tracked under the names APT-Q-27 and Golden Eye, was first documented by QiAnXin in 2020, detailing a watering hole campaign designed to trick users into downloading a trojanized Windows installer for Telegram. A subsequent campaign deThe Hacker News
May 6, 2023 – Vulnerabilities
WordPress Advanced Custom Fields plugin XSS exposes +2M sites to attacks Full Text
Abstract
A reflected cross-site scripting vulnerability in the Advanced Custom Fields plugin for WordPress exposed over 2 million sites to hacking. Patchstack researchers discovered a reflected cross-site scripting vulnerability, tracked as CVE-2023-30777 (CVSS...Security Affairs
May 06, 2023 – Vulnerabilities
New Vulnerability in Popular WordPress Plugin Exposes Over 2 Million Sites to Cyberattacks Full Text
Abstract
Users of the Advanced Custom Fields plugin for WordPress are being urged to update to version 6.1.6 following the discovery of a security flaw. The issue, assigned the identifier CVE-2023-30777, relates to a case of reflected cross-site scripting (XSS) that could be abused to inject arbitrary executable scripts into otherwise benign websites. The plugin, which is available both as a free and pro version, has over two million active installations . The issue was discovered and reported to the maintainers on May 2, 2023. "This vulnerability allows any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking a privileged user to visit the crafted URL path," Patchstack researcher Rafie Muhammad said . Reflected XSS attacks usually occur when victims are tricked into clicking on a bogus link sent via email or another route, causing the malicious code to be sent to the vulnerable website, which reflects theThe Hacker News
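The reflected XSS mechanism the paragraph describes reduces to one defect: a request parameter written back into the response without output encoding for the context it lands in. The pair below is an added illustration in Python, not the plugin's PHP nor Patchstack's proof of concept; the parameter name, page path and payload are hypothetical. The vulnerable renderer echoes the value verbatim, the fixed one HTML-encodes it, and the oracle checks whether the attacker's raw markup survives into the page:

```python
from html import escape
from urllib.parse import parse_qs, urlsplit


def _param(url: str, name: str) -> str:
    """First value of a query parameter from a full URL, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the request parameter into the page verbatim: the bug class."""
    value = _param(url, "post_status")
    return f'<div class="notice"><p>No items found with status "{value}".</p></div>'


def render_fixed(url: str) -> str:
    """Same page, with the value encoded for the HTML context it lands in.
    quote=True also neutralises the double quote, so the same helper is safe
    for quoted attribute values; URL and JavaScript contexts need their own encoders."""
    value = escape(_param(url, "post_status"), quote=True)
    return f'<div class="notice"><p>No items found with status "{value}".</p></div>'


def has_injected_markup(page: str, payload: str) -> bool:
    """Oracle: does the attacker's raw markup survive into the response?"""
    return payload in page


# Hypothetical crafted link of the kind a privileged user would be lured into opening.
PAYLOAD = '"><img src=x onerror=alert(document.cookie)>'
CRAFTED_URL = "https://shop.example/wp-admin/edit.php?post_status=" + PAYLOAD


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(CRAFTED_URL))
    print("fixed:     ", render_fixed(CRAFTED_URL))
```

The encoded output still displays the attacker's text, which is the intended behaviour: the fix changes how the value is written, not whether it is shown. Note that `parse_qs` splits each pair on the first `=` only, which is why the `onerror=` inside the payload stays part of the value exactly as a browser would send it.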
May 05, 2023 – Ransomware
The Week in Ransomware - May 5th 2023 - Targeting the public sector Full Text
Abstract
This week's ransomware news has been dominated by a Royal ransomware attack on the City of Dallas that took down part of the IT infrastructure.BleepingComputer
May 05, 2023 – Malware
New Android FluHorse malware steals your passwords, 2FA codes Full Text
Abstract
A new Android malware called 'FluHorse' has been discovered, targeting users in Eastern Asia with malicious apps that imitate legitimate versions.BleepingComputer
May 5, 2023 – Attack
Pro-Russian Hackers Claim Downing of French Senate Website Full Text
Abstract
“Access to the site has been disrupted since this morning,” the upper house of Parliament said on Twitter shortly before midday, saying a team was busy fixing the problem.Cyware
May 5, 2023 – Vulnerabilities
Fortinet fixed two severe issues in FortiADC and FortiOS Full Text
Abstract
Fortinet has addressed a couple of high-severity vulnerabilities impacting FortiADC, FortiOS, and FortiProxy. Fortinet addressed nine security vulnerabilities affecting multiple products, including two high-severity issues, tracked as CVE-2023-27999...Security Affairs
May 05, 2023 – Vulnerabilities
New Android updates fix kernel bug exploited in spyware attacks Full Text
Abstract
Android security updates released this month patch a high-severity vulnerability exploited as a zero-day to install commercial spyware on compromised devices.BleepingComputer
May 5, 2023 – Vulnerabilities
Azure API Management Vulnerabilities Allowed Unauthorized Access Full Text
Abstract
Three security vulnerabilities in the Azure API Management service could be exploited to perform various types of malicious actions, cloud security company Ermetic reveals.Cyware
May 05, 2023 – Malware
New Android Malware ‘FluHorse’ Targeting East Asian Markets with Deceptive Tactics Full Text
Abstract
Various sectors in East Asian markets have been subjected to a new email phishing campaign that distributes a previously undocumented strain of Android malware called FluHorse that abuses the Flutter software development framework. "The malware features several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs," Check Point said in a technical report. "These malicious apps steal the victims' credentials and two-factor authentication (2FA) codes." The malicious apps have been found to imitate popular apps like ETC and VPBank Neo, which are widely used in Taiwan and Vietnam. Evidence gathered so far shows that the activity has been active since at least May 2022. The phishing scheme in itself is fairly straightforward, wherein victims are lured with emails that contain links to a bogus website that hosts malicious APK files. Also added to the website are checks that aim to screen victims anThe Hacker News
May 5, 2023 – Outage
Pro-Russia group NoName took down multiple France sites, including the French Senate one Full Text
Abstract
The French Senate’s website was taken offline by a DDoS attack launched by the pro-Russian hacker group NoName. The pro-Russia hacker group NoName is claiming responsibility for a DDoS attack that took the website of the French Senate offline. "Access...Security Affairs
May 05, 2023 – Attack
ALPHV gang claims ransomware attack on Constellation Software Full Text
Abstract
Canadian diversified software company Constellation Software confirmed on Thursday that some of its systems were breached by threat actors who also stole personal information and business data.BleepingComputer
May 5, 2023 – Vulnerabilities
Fortinet Patches High-Severity Vulnerabilities in FortiADC, FortiOS Full Text
Abstract
Fortinet this week announced its monthly set of security updates that address nine vulnerabilities in multiple products, including two high-severity bugs in FortiADC, FortiOS, and FortiProxy.Cyware
May 05, 2023 – Hacker
Hackers Targeting Italian Corporate Banking Clients with New Web-Inject Toolkit DrIBAN Full Text
Abstract
Italian corporate banking clients are the target of an ongoing financial fraud campaign that has been leveraging a new web-inject toolkit called drIBAN since at least 2019. "The main goal of drIBAN fraud operations is to infect Windows workstations inside corporate environments trying to alter legitimate banking transfers performed by the victims by changing the beneficiary and transferring money to an illegitimate bank account," Cleafy researchers Federico Valentini and Alessandro Strino said . The bank accounts, per the Italian cybersecurity firm, are either controlled by the threat actors themselves or their affiliates, who are then tasked with laundering the stolen funds. The use of web injects is a time-tested tactic that makes it possible for malware to inject custom scripts on the client side by means of a man-in-the-browser ( MitB ) attack and intercept traffic to and from the server. The fraudulent transactions are often realized by means of a technique callThe Hacker News
May 5, 2023 – APT
North Korea-linked Kimsuky APT uses new recon tool ReconShark Full Text
Abstract
North Korea-linked APT group Kimsuky has been observed using a new reconnaissance tool dubbed ReconShark in a recent campaign. SentinelOne researchers observed an ongoing campaign from North Korea-linked Kimsuky Group that is using...Security Affairs
May 05, 2023 – Vulnerabilities
WordPress custom field plugin bug exposes over 1M sites to XSS attacks Full Text
Abstract
Security researchers warn that the 'Advanced Custom Fields' and 'Advanced Custom Fields Pro' WordPress plugins, with millions of installs, are vulnerable to cross-site scripting attacks (XSS).BleepingComputer
May 5, 2023 – Vulnerabilities
Vulnerability Could Have Been Exploited for ‘Unlimited’ Free Credit on OpenAI Accounts Full Text
Abstract
A vulnerability in OpenAI’s account validation process allowed anyone to obtain virtually unlimited free credit for the company’s services by registering new accounts using the same phone number, application security firm Checkmarx says.Cyware
May 05, 2023 – Hacker
N. Korean Kimsuky Hackers Using New Recon Tool ReconShark in Latest Cyberattacks Full Text
Abstract
The North Korean state-sponsored threat actor known as Kimsuky has been discovered using a new reconnaissance tool called ReconShark as part of an ongoing global campaign. "[ReconShark] is actively delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros," SentinelOne researchers Tom Hegel and Aleksandar Milenkoski said . Kimsuky is also known by the names APT43, ARCHIPELAGO, Black Banshee, Nickel Kimball, Emerald Sleet (previously Thallium), and Velvet Chollima. Active since at least 2012, the prolific threat actor has been linked to targeted attacks on non-governmental organizations (NGOs), think tanks, diplomatic agencies, military organizations, economic groups, and research entities across North America, Asia, and Europe. The latest intrusion set documented by SentinelOne leverages geopolitical themes related to North Korea's nuclear proliferatThe Hacker News
May 5, 2023 – Malware
Fleckpe Android malware totaled +620K downloads via Google Play Store Full Text
Abstract
Fleckpe is a new Android subscription Trojan that was discovered in the Google Play Store, totaling more than 620,000 downloads since 2022. Fleckpe is a new Android subscription Trojan that spreads via Google Play, the malware discovered by Kaspersky...Security Affairs
May 05, 2023 – General
Lack of Visibility: The Challenge of Protecting Websites from Third-Party Scripts Full Text
Abstract
Third-party apps such as Google Analytics, Meta Pixel, HotJar, and JQuery have become critical tools for businesses to optimize their website performance and services for a global audience. However, as their importance has grown, so has the threat of cyber incidents involving unmanaged third-party apps and open-source tools. Online businesses increasingly struggle to maintain complete visibility and control over the ever-changing third-party threat landscape, with sophisticated threats like evasive skimmers, Magecart attacks, and unlawful tracking practices potentially causing severe damage. This article explores the challenges of protecting modern websites from third-party scripts and the security risks associated with a lack of visibility over these scripts. Invisible to Standard Security Controls Third-party scripts are often invisible to standard security controls like Web Application Firewalls (WAFs) because they are loaded from external sources that are not under the controlThe Hacker News
May 05, 2023 – Breach
Packagist Repository Hacked: Over a Dozen PHP Packages with 500 Million Installs Compromised Full Text
Abstract
PHP software package repository Packagist revealed that an "attacker" gained access to four inactive accounts on the platform to hijack over a dozen packages with over 500 million installs to date. "The attacker forked each of the packages and replaced the package description in composer.json with their own message but did not otherwise make any malicious changes," Packagist's Nils Adermann said . "The package URLs were then changed to point to the forked repositories." The four user accounts are said to have had access to a total of 14 packages, including multiple Doctrine packages. The incident took place on May 1, 2023. The complete list of impacted packages is as follows - acmephp/acmephp acmephp/core acmephp/ssl doctrine/doctrine-cache-bundle doctrine/doctrine-module doctrine/doctrine-mongo-odm-module doctrine/doctrine-orm-module doctrine/instantiator growthbook/growthbook jdorn/file-system-cache jdorn/sql-formatter khanamiryan/The Hacker News
May 05, 2023 – Malware
Fleckpe Android Malware Sneaks onto Google Play Store with Over 620,000 Downloads Full Text
Abstract
A new Android subscription malware named Fleckpe has been unearthed on the Google Play Store, amassing more than 620,000 downloads in total since 2022. Kaspersky, which identified 11 apps on the official app storefront, said the malware masqueraded as legitimate photo editing apps, camera, and smartphone wallpaper packs. The apps have since been taken down. The operation primarily targets users from Thailand, although telemetry data gathered by the Russian cybersecurity firm has revealed victims in Poland, Malaysia, Indonesia, and Singapore. The apps further offer the promised functionality to avoid raising red flags, but conceal their real purpose under the hood. The list of the offending apps is as follows - Beauty Camera Plus (com.beauty.camera.plus.photoeditor) Beauty Photo Camera (com.apps.camera.photos) Beauty Slimming Photo Editor (com.beauty.slimming.pro) Fingertip Graffiti (com.draw.graffiti) GIF Camera Editor (com.gif.camera.editor) HD 4K Wallpaper (com.hd.h4ks.The Hacker News
May 05, 2023 – Vulnerabilities
Cisco Warns of Vulnerability in Popular Phone Adapter, Urges Migration to Newer Model Full Text
Abstract
Cisco has warned of a critical security flaw in SPA112 2-Port Phone Adapters that it said could be exploited by a remote attacker to execute arbitrary code on affected devices. The issue, tracked as CVE-2023-20126 , is rated 9.8 out of a maximum of 10 on the CVSS scoring system. The company credited Catalpa of DBappSecurity for reporting the shortcoming. The product in question makes it possible to connect analog phones and fax machines to a VoIP service provider without requiring an upgrade. "This vulnerability is due to a missing authentication process within the firmware upgrade function," the company said in a bulletin. "An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges." Despite the severity of the flaw, the networking equipment maker said it does not intend to release fixesThe Hacker News
May 04, 2023 – Hacker
Kimsuky hackers use new recon tool to find security gaps Full Text
Abstract
The North Korean Kimsuky hacking group has been observed employing a new version of its reconnaissance malware, now called 'ReconShark,' in a cyberespionage campaign with a global reach.BleepingComputer
May 04, 2023 – General
Get 50% off Malwarebytes Premium + Privacy in this limited-time deal Full Text
Abstract
If you are concerned about the security and privacy of your online activities, this new 50% off Malwarebytes deal can bring you peace of mind.BleepingComputer
May 04, 2023 – Malware
New Fleckpe Android malware installed 600K times on Google Play Full Text
Abstract
A new Android subscription malware named 'Fleckpe' has been spotted on Google Play, the official Android app store, disguised as legitimate apps downloaded over 620,000 times.BleepingComputer
May 04, 2023 – Vulnerabilities
Cisco phone adapters vulnerable to RCE attacks, no fix available Full Text
Abstract
Cisco has disclosed a vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters, allowing an unauthenticated, remote attacker to execute arbitrary code on the devices.BleepingComputer
May 04, 2023 – Criminals
Ransomware gang hijacks university alert system to issue threats Full Text
Abstract
The Avos ransomware gang hijacked Bluefield University's emergency broadcast system, "RamAlert," to send students and staff SMS texts and email alerts that their data was stolen and would soon be released.BleepingComputer
May 04, 2023 – Education
How To Create Seamless Digital Experiences For Web And Mobile Full Text
Abstract
There are simple steps to follow when an organization is developing a web application or needs to lift its digital experience and match a customer's expectations. Learn more here from LambdaTest.BleepingComputer
May 4, 2023 – Botnet
An Overview of Malicious Activities in Q1; Telegram Bots in Spotlight Full Text
Abstract
A new report by Cofense revealed that the volume of malicious campaigns utilizing Telegram bots in Q1 2023 exceeded that of Q4 2022 by 397% and surpassed the entire volume of 2022 by 310%. Additionally, YouTube was listed in the top 10 domains being used by threat actors to launch redirect phishing ... Read MoreCyware
May 04, 2023 – Vulnerabilities
Researchers Discover 3 Vulnerabilities in Microsoft Azure API Management Service Full Text
Abstract
Three new security flaws have been disclosed in Microsoft Azure API Management service that could be abused by malicious actors to gain access to sensitive information or backend services. This includes two server-side request forgery (SSRF) flaws and one instance of unrestricted file upload functionality in the API Management developer portal, according to Israeli cloud security firm Ermetic. "By abusing the SSRF vulnerabilities, attackers could send requests from the service's CORS Proxy and the hosting proxy itself, access internal Azure assets, deny service and bypass web application firewalls," security researcher Liv Matan said in a report shared with The Hacker News. "With the file upload path traversal, attackers could upload malicious files to Azure's hosted internal workload." Azure API Management is a multicloud management platform that allows organizations to securely expose their APIs to external and internal customers and enable a wideThe Hacker News
May 4, 2023 – Vulnerabilities
Cisco EoL SPA112 2-Port Phone Adapters are affected by critical RCE Full Text
Abstract
Cisco is warning customers of a critical remote code execution vulnerability affecting its EoL SPA112 2-Port Phone Adapters. Cisco is warning of a critical remote code execution (RCE) vulnerability, tracked as CVE-2023-20126 (CVSS score of 9.8), impacting...Security Affairs
May 4, 2023 – APT
Dragon Breath APT Uses Double DLL Sideloading Tactic Full Text
Abstract
A group of advanced persistent hackers, who go by the alias Dragon Breath, has adopted a new strategy of utilizing multiple sophisticated versions of the conventional DLL sideloading method to avoid detection. Its attack strategy involves using an initial vector that exploits a legitimate applicati ... Read MoreCyware
May 04, 2023 – Vulnerabilities
Researchers Uncover New Exploit for PaperCut Vulnerability That Can Bypass Detection Full Text
Abstract
Cybersecurity researchers have found a way to exploit a recently disclosed critical flaw in PaperCut servers in a manner that bypasses all current detections. Tracked as CVE-2023-27350 (CVSS score: 9.8), the issue affects PaperCut MF and NG installations that could be exploited by an unauthenticated attacker to execute arbitrary code with SYSTEM privileges. While the flaw was patched by the Australian company on March 8, 2023, the first signs of active exploitation emerged on April 13, 2023. Since then, the vulnerability has been weaponized by multiple threat groups, including ransomware actors , with post-exploitation activity resulting in the execution of PowerShell commands designed to drop additional payloads. Now, VulnCheck has published a proof-of-concept (PoC) exploit that sidesteps existing detection signatures by leveraging the fact that "PaperCut NG and MF offer multiple paths to code execution." It's worth noting that public exploits for the flaThe Hacker News
May 4, 2023 – Malware
Experts devised a new exploit for the PaperCut flaw that can bypass all current detection Full Text
Abstract
VulnCheck researchers devised a new exploit for a recently disclosed critical flaw in PaperCut servers that bypasses all current detections. Cybersecurity researchers from VulnCheck have developed a new exploit for the recently disclosed critical...Security Affairs
May 4, 2023 – Attack
Researchers Observe a Spike in Attacks Against TBK DVR Camera Devices Full Text
Abstract
FortiGuard Labs warned of attackers exploiting a five-year-old authentication bypass vulnerability in TBK DVR devices, which have over 600,000 cameras and 50,000 recorders installed globally, posing a significant threat to camera video feeds. A remote attacker can also exploit the flaw to bypass a ... Read MoreCyware
May 04, 2023 – General
Why the Things You Don’t Know about the Dark Web May Be Your Biggest Cybersecurity Threat Full Text
Abstract
IT and cybersecurity teams are so inundated with security notifications and alerts within their own systems, it's difficult to monitor external malicious environments – which only makes them that much more threatening. In March, a high-profile data breach hit national headlines when personally identifiable information connected to hundreds of lawmakers and staff was leaked on the dark web. The cybersecurity incident involved the DC Health Link, an online marketplace that administers health plans for members of Congress and Capitol Hill staff. According to news reports, the FBI had successfully purchased a portion of the data – which included social security numbers and other sensitive information – on the dark web. Because of the prominence of the victims, the story was picked up by a slew of media outlets that rarely cover dark web-related cybersecurity crimes. The story not only shed light on one of the most dangerous aspects of the internet, it reminded us that the dark web conThe Hacker News
May 4, 2023 – Malware
Facebook warns of a new information-stealing malware dubbed NodeStealer Full Text
Abstract
Facebook discovered a new information-stealing malware, dubbed 'NodeStealer,' that is being distributed on Meta. NodeStealer is a new information-stealing malware distributed on Meta that steals browser cookies to hijack accounts on multiple...Security Affairs
May 4, 2023 – General
Fake Websites and ChatGPT - Recipe for High Risk Full Text
Abstract
Security experts are cautioning against malware impersonating a ChatGPT Windows desktop client that is capable of copying login credentials from the Google Chrome login data directory. Users are advised not to click on unsolicited emails or links.Cyware
May 04, 2023 – General
Meta Uncovers Massive Social Media Cyber Espionage Operations Across South Asia Full Text
Abstract
Three different threat actors leveraged hundreds of elaborate fictitious personas on Facebook and Instagram to target individuals located in South Asia as part of disparate attacks. "Each of these APTs relied heavily on social engineering to trick people into clicking on malicious links, downloading malware or sharing personal information across the internet," Guy Rosen, chief information security officer at Meta, said . "This investment in social engineering meant that these threat actors did not have to invest as much on the malware side." The fake accounts, in addition to using traditional lures like women looking for a romantic connection, masqueraded as recruiters, journalists, or military personnel. At least two of the cyber espionage efforts entailed the use of low-sophistication malware with reduced capabilities, likely in an attempt to get past app verification checks established by Apple and Google. One of the groups that came under Meta's rThe Hacker News
May 4, 2023 – APT
Russia-linked Sandworm APT uses WinRAR in destructive attacks on Ukraine’s public sector Full Text
Abstract
CERT-UA is warning of destructive cyberattacks conducted by the Russia-linked Sandworm APT group against the Ukraine public sector. Russia-linked APT group Sandworm is behind destructive cyberattacks against Ukrainian state networks, the Ukrainian...Security Affairs
May 4, 2023 – APT
APT28 Uses ‘Windows Update’ Phishing Emails to Target Ukrainian Agencies Full Text
Abstract
Russian state-sponsored hacking group APT28 is targeting Ukrainian government entities with malicious emails disguised as Windows update instructions - warned CERT-UA. The attack begins with phishing emails sent to employees in government bodies, masquerading as system administrators of their depar ... Read MoreCyware
May 04, 2023 – Attack
Meta Takes Down Malware Campaign That Used ChatGPT as a Lure to Steal Accounts Full Text
Abstract
Meta said it took steps to take down more than 1,000 malicious URLs from being shared across its services that were found to leverage OpenAI's ChatGPT as a lure to propagate about 10 malware families since March 2023. The development comes against the backdrop of fake ChatGPT web browser extensions being increasingly used to steal users' Facebook account credentials with an aim to run unauthorized ads from hijacked business accounts. "Threat actors create malicious browser extensions available in official web stores that claim to offer ChatGPT-based tools," Meta said . "They would then promote these malicious extensions on social media and through sponsored search results to trick people into downloading malware." The social media giant said it has blocked several iterations of a multi-pronged malware campaign dubbed Ducktail over the years, adding it issued a cease and desist letter to individuals behind the operation who are located in VietnaThe Hacker News
May 4, 2023 – Outage
City of Dallas shut down IT services after ransomware attack Full Text
Abstract
The City of Dallas, Texas, was hit by a ransomware attack that forced it to shut down some of its IT systems. The IT systems at the City of Dallas, Texas, have been targeted by a ransomware attack. To prevent the threat from spreading within the network,...Security Affairs
May 4, 2023 – Hacker
Iranian Surveillance Operations Use BouldSpy to Track Minority Groups Full Text
Abstract
The law enforcement command of the Islamic Republic of Iran (FARAJA) is allegedly physically deploying a malware strain known as BouldSpy on the devices of a section of people. As per reports, it has been in use since at least 2020 and has claimed more than 300 victims to date. The malware serves the pur ... Read MoreCyware
May 4, 2023 – Malware
AresLoader Masquerades as Citrix Project to Drop Multiple Payloads Full Text
Abstract
Experts at Cyble laid bare AresLoader, a new type of loader that distributes multiple malware strains, including IcedID, Aurora Stealer, and Laplas Clipper. A GitHub repository masquerading as a Citrix project was being used to distribute the malware. Experts recommend creating multiple lines ... Read MoreCyware
May 4, 2023 – General
Google opens up passkeys to personal account holders Full Text
Abstract
Google wants to take us further into a passwordless future by allowing personal account holders to log in using passkeys rather than passphrases and multifactor authentication (MFA).Cyware
May 4, 2023 – Vulnerabilities
Now-Patched Vulnerability in TikTok Could Have Revealed User Activity and Information Full Text
Abstract
The vulnerability, which has now been fixed, was caused by a window message event handler that does not properly validate the message origin, providing attackers access to sensitive user information.Cyware
May 3, 2023 – Vulnerabilities
KEV Catalog Adds Vulnerabilities Affecting TP-Link, Apache, and Oracle WebLogic Server Full Text
Abstract
Watch out for bugs in TP-Link, Apache Log4j2, and Oracle WebLogic Server that are under active exploitation by different cybercriminal groups, warns CISA. FCEB agencies are required to apply vendor-provided fixes by May 22, 2023.Cyware
May 03, 2023 – Solution
Google Introduces Passwordless Secure Sign-In with Passkeys for Google Accounts Full Text
Abstract
Almost five months after Google added support for passkeys to its Chrome browser, the tech giant has begun rolling out the passwordless solution across Google Accounts on all platforms. Passkeys , backed by the FIDO Alliance, are a more secure way to sign in to apps and websites without having to use a traditional password. This, in turn, can be achieved by simply unlocking their computer or mobile device with their biometrics (e.g., fingerprint or facial recognition) or a local PIN. "And, unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than things like SMS one-time codes," Google noted . Passkeys, once created, are locally stored on the device, and are not shared with any other party. This also obviates the need for setting up two-factor authentication, as it proves that "you have access to your device and are able to unlock it." Users also have the choice of creating passkeys for every device they use toThe Hacker News
May 3, 2023 – Criminals
Authorities dismantled the card-checking platform Try2Check Full Text
Abstract
Authorities dismantled the Try2Check platform, a card-checking platform that generated tens of millions of dollars in revenue. The U.S. DoJ charged the Russian citizen Denis Gennadievich Kulkov with running the card-checking services. The platform...Security Affairs
May 3, 2023 – Phishing
Phishing Campaign Targets Romanian Telecom Users Full Text
Abstract
Heimdal Security's SOC team has discovered an ongoing phishing campaign that seems to be aimed at customers of Romanian telecom providers. The fraudulent page requests the victims to submit their credit card information to cover a tax related to changing a delivery address. Experts recommend avoidi ... Read MoreCyware
May 03, 2023 – Hacker
Chinese Hacker Group Earth Longzhi Resurfaces with Advanced Malware Tactics Full Text
Abstract
A Chinese state-sponsored hacking outfit has resurfaced with a new campaign targeting government, healthcare, technology, and manufacturing entities based in Taiwan, Thailand, the Philippines, and Fiji after more than six months of no activity. Trend Micro attributed the intrusion set to a cyber espionage group it tracks under the name Earth Longzhi , which is a subgroup within APT41 (aka HOODOO or Winnti) and shares overlaps with various other clusters known as Earth Baku, SparklingGoblin, and GroupCC. Earth Longzhi was first documented by the cybersecurity firm in November 2022, detailing its attacks against various organizations located in East and Southeast Asia as well as Ukraine. Attack chains mounted by the threat actor leverage vulnerable public-facing applications as entry points to deploy the BEHINDER web shell , and then leverage that access to drop additional payloads, including a new variant of a Cobalt Strike loader called CroxLoader. "This recent campaThe Hacker News
May 3, 2023 – General
Passwordless sign-in with passkeys is now available for Google accounts Full Text
Abstract
Google announced the introduction of the passwordless secure sign-in with Passkeys for Google Accounts on all platforms. Google is rolling out the passwordless secure sign-in with Passkeys for Google Accounts on all platforms. Passwords are essential...Security Affairs
May 3, 2023 – Malware
AresLoader Malware Attacking Citrix Users Through Malicious GitLab Repo Full Text
Abstract
Cyble has recently detected AresLoader, a novel loader that is found to be disseminating numerous malware families. Malware loaders are designed to deploy and execute diverse malware strains on the targeted computer system of the victim.Cyware
May 03, 2023 – Criminals
Operation SpecTor: $53.4 Million Seized, 288 Vendors Arrested in Dark Web Drug Bust Full Text
Abstract
An international law enforcement operation has resulted in the arrest of 288 vendors who are believed to be involved in drug trafficking on the dark web, adding to a long list of criminal enterprises that have been shuttered in recent years. The effort, codenamed Operation SpecTor , also saw the authorities confiscating more than $53.4 million in cash and virtual currencies, 850 kg of drugs, and 117 firearms. The largest number of arrests was made in the U.S. (153), followed by the U.K. (55), Germany (52), the Netherlands (10), Austria (9), France (5), Switzerland (2), Poland (1), and Brazil (1). "This represents the most funds seized and the highest number of arrests in any coordinated international action," U.S. Attorney General Merrick B. Garland said . "The drug traffickers are confident that, by operating anonymously on the dark web, they can operate outside the bounds of the law. They are wrong." The arrests stem from evidence gathered after the takThe Hacker News
May 3, 2023 – Hacker
Hackers are taking advantage of the interest in generative AI to install Malware Full Text
Abstract
Threat actors are using the promise of generative AI like ChatGPT to deliver malware, Facebook parent Meta warned. Threat actors are taking advantage of the huge interest in generative AI like ChatGPT to trick victims into installing malware, Meta...Security Affairs
May 3, 2023 – Breach
Promising Jobs at the U.S. Postal Service, ‘US Job Services’ Website Leaks Customer Data Full Text
Abstract
A sprawling online company based in Georgia that has made tens of millions of dollars purporting to sell access to jobs at the United States Postal Service (USPS) has exposed its internal IT operations and database of nearly 900,000 customers.Cyware
May 03, 2023 – Education
Download the eBook: What Does it Take to be a Full-Fledged Virtual CISO? Full Text
Abstract
Almost half of MSP clients fell victim to a cyberattack within the last 12 months. In the SMB world, the danger is especially acute as only 50% of SMBs have a dedicated internal IT person to take care of cybersecurity. No wonder cybercriminals are targeting SMBs so heavily. No wonder SMBs are increasingly willing to pay a subscription or retainer to gain access to expert C-level cyber-assistance in devising and implementing strategies to prevent breaches, reduce risk, and mitigate the consequences of attacks. Hence the popularity of Virtual Chief Information Security Officer (vCISO) services. They are especially attractive to MSPs and MSSPs as: They enable service providers to address a growing need from their SMB clients for proactive cyber resilience They offer the potential to grow recurring revenues - expand into a new customer base or sell a new service to existing customers They help service providers differentiate themselves They are an excellent vehicle from which to uThe Hacker News
May 3, 2023 – Vulnerabilities
Researchers found DoS flaws in popular BGP implementation Full Text
Abstract
Vulnerabilities in a software implementation of the Border Gateway Protocol (BGP) could be weaponized to trigger a DoS condition on BGP peers. Forescout Vedere Labs researchers discovered multiple vulnerabilities in the software implementation...Security Affairs
May 3, 2023 – Vulnerabilities
Chrome 113 Released With 15 Security Patches Full Text
Abstract
Released roughly two weeks after Google resolved two zero-day vulnerabilities in the popular browser, the latest Chrome update only resolves medium- and low-severity flaws, despite the major version change.Cyware
May 03, 2023 – Privacy
Apple and Google Join Forces to Stop Unauthorized Location-Tracking Devices Full Text
Abstract
Apple and Google have teamed up to work on a draft industry-wide specification that's designed to tackle safety risks and alert users when they are being tracked without their knowledge or permission using devices like AirTags. "The first-of-its-kind specification will allow Bluetooth location-tracking devices to be compatible with unauthorized tracking detection and alerts across Android and iOS platforms," the companies said in a joint statement. While these trackers are primarily designed to keep tabs on personal belongings like keys, wallets, luggage, and other items, such devices have also been abused by bad actors for criminal or nefarious purposes , including instances of stalking, harassment, and theft . The goal is to standardize the alerting mechanisms and minimize opportunities for misuse across Bluetooth location-tracking devices from different vendors. To that end, Samsung, Tile, Chipolo, eufy Security, and Pebblebee have all come on board. In doiThe Hacker News
May 3, 2023 – General
Most open source maintainers still consider themselves hobbyists, despite compensation pledges Full Text
Abstract
Despite a major push to strengthen the security of the software supply chain, a report released Tuesday from Tidelift shows more than 60% of open source maintainers describe themselves as unpaid hobbyists.Cyware
May 03, 2023 – Vulnerabilities
Hackers Exploiting 5-year-old Unpatched Vulnerability in TBK DVR Devices Full Text
Abstract
Threat actors are actively exploiting an unpatched five-year-old flaw impacting TBK digital video recording (DVR) devices, according to an advisory issued by Fortinet FortiGuard Labs. The vulnerability in question is CVE-2018-9995 (CVSS score: 9.8), a critical authentication bypass issue that could be exploited by remote actors to gain elevated permissions. "The 5-year-old vulnerability (CVE-2018-9995) is due to an error when handling a maliciously crafted HTTP cookie," Fortinet said in an outbreak alert on May 1, 2023. "A remote attacker may be able to exploit this flaw to bypass authentication and obtain administrative privileges eventually leading access to camera video feeds." The network security company said it observed over 50,000 attempts to exploit TBK DVR devices using the flaw in the month of April 2023. Despite the availability of a proof-of-concept ( PoC ) exploit, there are no fixes that address the vulnerability. The flaw impacts TBK DVR4104The Hacker News
May 3, 2023 – Outage
Murfreesboro Medical Clinic Closed for Multiple Days After Cyberattack Full Text
Abstract
The criminal cyberattack on April 22 led Murfreesboro Medical Clinic & SurgiCenter to initiate an emergency shutdown of their network to limit the spread of stolen information within their systems.Cyware
May 03, 2023 – Government
CISA Issues Advisory on Critical RCE Affecting ME RTU Remote Terminal Units Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released an Industrial Control Systems (ICS) advisory about a critical flaw affecting ME RTU remote terminal units. The security vulnerability, tracked as CVE-2023-2131 , has received the highest severity rating of 10.0 on the CVSS scoring system for its low attack complexity. "Successful exploitation of this vulnerability could allow remote code execution," CISA said , describing it as a case of command injection affecting versions of INEA ME RTU firmware prior to version 3.36 . Security researcher Floris Hendriks of Radboud University has been credited with reporting the issue to CISA. Also published by CISA is an alert related to multiple known security holes in Intel(R) processors impacting Factory Automation (FA) products from Mitsubishi Electric that could result in privilege escalation and a denial-of-service (DoS) condition. The development comes as the agency recommended critiThe Hacker News
May 3, 2023 – Skimming
Card Skimmers and ATMs Used to Drain EBT Accounts in SoCal Full Text
Abstract
The suspects are accused of using card skimmers and ATMs to drain electronic benefit transfer (EBT) accounts, which are used to pay for food through the Supplemental Nutrition Assistance Program (SNAP).Cyware
May 3, 2023 – General
Attacks increasingly use malicious HTML email attachments Full Text
Abstract
Researchers warn that attackers are relying more on malicious HTML files in their attacks, with malicious files now accounting for half of all HTML attachments sent via email.Cyware
May 2, 2023 – Attack
Earth Longzhi Returns With New Tricks to Target Organizations in Taiwan, Thailand, the Philippines, and Fiji Full Text
Abstract
The campaign, which came after months of inactivity, was found to abuse a Windows Defender executable for DLL sideloading and exploit a vulnerable driver, zamguard.sys, to disable security products through a bring-your-own-vulnerable-driver attack.Cyware
May 02, 2023 – Vulnerabilities
Researchers Uncover New BGP Flaws in Popular Internet Routing Protocol Software Full Text
Abstract
Cybersecurity researchers have uncovered weaknesses in a software implementation of the Border Gateway Protocol (BGP) that could be weaponized to achieve a denial-of-service (DoS) condition on vulnerable BGP peers. The three vulnerabilities reside in version 8.4 of FRRouting , a popular open source internet routing protocol suite for Linux and Unix platforms. It's currently used by several vendors like NVIDIA Cumulus , DENT , and SONiC , posing supply chain risks. The discovery is the result of an analysis of seven different implementations of BGP carried out by Forescout Vedere Labs: FRRouting, BIRD, OpenBGPd, Mikrotik RouterOS, Juniper JunOS, Cisco IOS, and Arista EOS. BGP is a gateway protocol that's designed to exchange routing and reachability information between autonomous systems. It's used to find the most efficient routes for delivering internet traffic. The list of three flaws is as follows - CVE-2022-40302 (CVSS score: 6.5) - Out-of-bounds read wheThe Hacker News
May 2, 2023 – Phishing
Can Better Training Reduce the Success Rate of Phishing Attacks? Full Text
Abstract
A review of Arun Vishwanath, “The Weakest Link: How to Diagnose, Detect, and Defend Users From Phishing Attacks” (MIT Press, 2022)Lawfare
May 2, 2023 – Criminals
FBI and Ukrainian police seized 9 crypto exchanges used by cybercriminals Full Text
Abstract
A joint operation conducted by the FBI and Ukrainian police seized 9 crypto exchanges used by cybercriminal groups for money laundering. The Cyber Police Department together with the Main Investigative Department of the National Police, the Office...Security Affairs
May 2, 2023 – Criminals
Ransomware Gang Claims Data Theft From Edison Learning Full Text
Abstract
The Royal ransomware is claiming to have infiltrated public school management and virtual learning provider Edison Learning, posting on its dark web data leak site on Wednesday, April 26, that it had stolen 20GB of the company’s data.Cyware
May 02, 2023 – Malware
BouldSpy Android Spyware: Iranian Government’s Alleged Tool for Spying on Minority Groups Full Text
Abstract
A new Android surveillanceware possibly used by the Iranian government has been used to spy on over 300 individuals belonging to minority groups. The malware, dubbed BouldSpy , has been attributed with moderate confidence to the Law Enforcement Command of the Islamic Republic of Iran ( FARAJA ). Targeted victims include Iranian Kurds, Baluchis, Azeris, and Armenian Christian groups. "The spyware may also have been used in efforts to counter and monitor illegal trafficking activity related to arms, drugs, and alcohol," Lookout said , based on exfiltrated data that contained photos of drugs, firearms, and official documents issued by FARAJA. BouldSpy, like other Android malware families, abuses its access to Android's accessibility services and other intrusive permissions to harvest sensitive data such as web browser history, photos, contact lists, SMS logs, keystrokes, screenshots, clipboard content, microphone audio, and video call recordings. It's worth poinThe Hacker News
May 2, 2023 – Criminals
SpecTor operation: 288 individuals arrested in the seizure of marketplace Monopoly Market Full Text
Abstract
International law enforcement operation SpecTor resulted in the seizure of an online marketplace and the arrest of nearly 300 people. In an international law enforcement operation coordinated by Europol, codenamed 'SpecTor', the police seized the illegal...Security Affairs
May 2, 2023 – General
Data loss costs go up, and not just from ransom shakedowns Full Text
Abstract
According to BakerHostetler, the average ransom paid hit $600,688, up from $511,957 the year before, though still below the peak of $794,620 in pandemic-ravaged 2020. About 40 percent of victims paid a ransom.Cyware
May 02, 2023 – General
Why Telecoms Struggle with SaaS Security Full Text
Abstract
The telecom industry has always been a tantalizing target for cybercriminals. The combination of interconnected networks, customer data, and sensitive information allows cybercriminals to inflict maximum damage through minimal effort. It's the breaches in telecom companies that tend to have a seismic impact and far-reaching implications — in addition to reputational damage, which can be difficult to measure, telecoms are often at the receiving end of government fines for their cybersecurity and privacy failures. There are few industries in the world that collect as much sensitive data as telecom companies. In recent years, telecom companies have accelerated their digital transformation, shedding legacy systems and reducing costs. These changes, coupled with the need for stronger collaboration with third-party vendors, have led them to SaaS applications to handle their CRM. Today, telecoms are using SaaS apps for billing, HR, call management, field operations management, tracking caThe Hacker News
May 2, 2023 – Vulnerabilities
The first iPhone Rapid Security Response update released by Apple fails to install Full Text
Abstract
Apple has released its first Rapid Security Response update, but many iPhone users reported problems during the installation of the iOS Security Response. In June 2022, Apple announced that the Rapid Security Response feature would be available starting...Security Affairs
May 2, 2023 – Attack
Bluefield University, BridgeValley Community and Technical College, and Penncrest School District Suffer Cyberattacks Full Text
Abstract
This week, thousands of students at several U.S. schools, such as Bluefield University, BridgeValley Community and Technical College, Penncrest School District, and Truman State University, are feeling the impact of ransomware and other cyberattacks.Cyware
May 02, 2023 – Malware
LOBSHOT: A Stealthy, Financial Trojan and Info Stealer Delivered through Google Ads Full Text
Abstract
In yet another instance of how threat actors are abusing Google Ads to serve malware, a threat actor has been observed leveraging the technique to deliver a new Windows-based financial trojan and information stealer called LOBSHOT . "LOBSHOT continues to collect victims while staying under the radar," Elastic Security Labs researcher Daniel Stepanic said in an analysis published last week. "One of LOBSHOT's core capabilities is around its hVNC (Hidden Virtual Network Computing) component. These kinds of modules allow for direct and unobserved access to the machine." The American-Dutch company attributed the malware strain to a threat actor known as TA505 based on infrastructure historically connected to the group. TA505 is a financially motivated e-crime syndicate that overlaps with activity clusters tracked under the names Evil Corp, FIN11, and Indrik Spider. The latest development is significant because it's a sign that TA505, which is associateThe Hacker News
May 2, 2023 – Vulnerabilities
Fortinet warns of a spike in attacks against TBK DVR devices Full Text
Abstract
FortiGuard Labs researchers observed a worrisome level of attacks attempting to exploit an authentication bypass vulnerability in TBK DVR devices. FortiGuard Labs researchers are warning of a spike in malicious attacks targeting TBK DVR devices. Threat...Security Affairs
May 2, 2023 – General
The warning signs for security analyst burnout and ways to prevent Full Text
Abstract
Security analysts face the demanding task of investigating and resolving increasing volumes of alerts daily, while adapting to an ever-changing threat landscape and keeping up with new technology.Cyware
May 02, 2023 – Hacker
North Korea’s ScarCruft Deploys RokRAT Malware via LNK File Infection Chains Full Text
Abstract
The North Korean threat actor known as ScarCruft started experimenting with oversized LNK files as a delivery route for RokRAT malware as early as July 2022, the same month Microsoft began blocking macros across Office documents by default. "RokRAT has not changed significantly over the years, but its deployment methods have evolved, now utilizing archives containing LNK files that initiate multi-stage infection chains," Check Point said in a new technical report. "This is another representation of a major trend in the threat landscape, where APTs and cybercriminals alike attempt to overcome the blocking of macros from untrusted sources." ScarCruft , also known by the names APT37, InkySquid, Nickel Foxcroft, Reaper, RedEyes, and Ricochet Chollima, is a threat group that almost exclusively targets South Korean individuals and entities as part of spear-phishing attacks designed to deliver an array of custom tools. The adversarial collective, unlike the LaThe Hacker News
May 2, 2023 – APT
North Korea-linked ScarCruft APT uses large LNK files in infection chains Full Text
Abstract
North Korea-linked ScarCruft APT group started using oversized LNK files to deliver the RokRAT malware starting in early July 2022. Check Point researchers reported that the infection chains observed in the attacks attributed to North Korea-linked...Security Affairs
May 2, 2023 – Attack
Fortinet warns of a spike in attacks against TBK DVR devices Full Text
Abstract
FortiGuard Labs researchers are warning of a spike in malicious attacks targeting TBK DVR devices. Threat actors are attempting to exploit a five-year-old authentication bypass issue, tracked as CVE-2018-9995 (CVSS score of 9.8), in TBK DVR devices.Cyware
May 02, 2023 – Government
Alert: Active Exploitation of TP-Link, Apache, and Oracle Vulnerabilities Detected Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three flaws to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The security vulnerabilities are as follows - CVE-2023-1389 (CVSS score: 8.8) - TP-Link Archer AX-21 Command Injection Vulnerability CVE-2021-45046 (CVSS score: 9.0) - Apache Log4j2 Deserialization of Untrusted Data Vulnerability CVE-2023-21839 (CVSS score: 7.5) - Oracle WebLogic Server Unspecified Vulnerability CVE-2023-1389 concerns a case of command injection affecting TP-Link Archer AX-21 routers that could be exploited to achieve remote code execution. According to Trend Micro's Zero Day Initiative, the flaw has been put to use by threat actors associated with the Mirai botnet since April 11, 2023. The second flaw to be added to the KEV catalog is CVE-2021-45046, a remote code execution affecting the Apache Log4j2 logging library that came to light in December 2021. It's cuThe Hacker News
May 2, 2023 – Government
CISA adds TP-Link, Apache, and Oracle bugs to its Known Exploited Vulnerabilities catalog Full Text
Abstract
US Cybersecurity and Infrastructure Security Agency (CISA) added TP-Link, Apache, and Oracle vulnerabilities to its Known Exploited Vulnerabilities catalog. U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the following three...Security Affairs
May 2, 2023 – Solution
Data-driven insights help prevent decisions based on fear Full Text
Abstract
Organizations have strengthened security measures and become more resilient, but threat actors are still finding ways through, according to BakerHostetler. A reduction in ransomware matters in 2022 reversed course by the end of the year.Cyware
May 2, 2023 – Malware
New Lobshot hVNC malware spreads via Google ads Full Text
Abstract
The previously undetected LOBSHOT malware is distributed using Google ads and gives operators VNC access to Windows devices. Researchers from Elastic Security Labs spotted a new remote access trojan, dubbed LOBSHOT, being distributed through Google...Security Affairs
May 2, 2023 – Attack
Australian Law Firm HWL Ebsworth Hit by Russian-linked Ransomware Attack Full Text
Abstract
Late last week, the ALPHV/Blackcat ransomware group posted on its website that 4TB of company data had been hacked, including employee CVs, IDs, financial reports, accounting data, client documentation, credit card data, and a complete network map.Cyware
May 2, 2023 – Privacy
UK locks horns with WhatsApp over threat to break encryption Full Text
Abstract
The Online Safety Bill, the United Kingdom’s landmark effort to regulate social media giants, gives regulator Ofcom the power to require tech companies to identify child sex abuse material in private messages.Cyware
May 1, 2023 – Breach
Update: UK pension funds warned to check on clients’ data after Capita breach Full Text
Abstract
Capita, the country’s largest outsourcing company, holds contracts to administer the payment systems for pension funds used by more than 4 million individuals in Britain.Cyware
May 01, 2023 – Malware
New Decoy Dog Malware Toolkit Uncovered: Targeting Enterprise Networks Full Text
Abstract
An analysis of over 70 billion DNS records has led to the discovery of a new sophisticated malware toolkit dubbed Decoy Dog targeting enterprise networks. Decoy Dog , as the name implies, is evasive and employs techniques like strategic domain aging and DNS query dribbling, wherein a series of queries are transmitted to the command-and-control (C2) domains so as to not arouse any suspicion. "Decoy Dog is a cohesive toolkit with a number of highly unusual characteristics that make it uniquely identifiable, particularly when examining its domains on a DNS level," Infoblox said in an advisory published late last month. The cybersecurity firm, which identified the malware in early April 2023 following anomalous DNS beaconing activity, said its atypical characteristics allowed it to map additional domains that are part of the attack infrastructure. That said, the usage of Decoy Dog in the wild is "very rare," with the DNS signature matching less than 0.0000027%The Hacker News
May 1, 2023 – Breach
T-Mobile suffered the second data breach in 2023 Full Text
Abstract
T-Mobile disclosed the second data breach of 2023: threat actors had access to the personal information of hundreds of customers since February. T-Mobile suffered the second data breach of 2023; threat actors had access to the personal information...Security Affairs
May 1, 2023 – Attack
Nashua School District hit by ‘sophisticated’ cyberattack Full Text
Abstract
"We are working diligently to investigate the incident, confirm its impact on our systems, and securely restore functionality to our environment as soon as possible," the district said in a statement.Cyware
May 01, 2023 – Education
Wanted Dead or Alive: Real-Time Protection Against Lateral Movement Full Text
Abstract
Just a few short years ago, lateral movement was a tactic confined to top APT cybercrime organizations and nation-state operators. Today, however, it has become a commoditized tool, well within the skillset of any ransomware threat actor. This makes real-time detection and prevention of lateral movement a necessity to organizations of all sizes and across all industries. But the disturbing truth is that there is actually no tool in the current security stack that can provide this real-time protection, creating what is arguably the most critical security weakness in an organization's security architecture. In this article, we'll walk through the most essentials questions around the challenge of lateral movement protection, understand why multifactor authentication (MFA) and service account protection are the gaps that make it possible, and learn how Silverfort's platform turns the tables on attackers and makes lateral movement protection finally within reach. Upcoming WeThe Hacker News
May 1, 2023 – Malware
Experts spotted a new sophisticated malware toolkit called Decoy Dog Full Text
Abstract
Infoblox researchers discovered a new sophisticated malware toolkit, dubbed Decoy Dog, targeting enterprise networks. While analyzing billions of DNS records, Infoblox researchers discovered a sophisticated malware toolkit, dubbed Decoy...Security Affairs
May 1, 2023 – Breach
DeFi Protocol 0VIX Loses Nearly $2M in Flash-Loan Exploit Full Text
Abstract
A total of 1.45 million USDC, along with other tokens, was stolen before being bridged to the Ethereum mainnet on Stargate Finance, where it was eventually swapped for ether (ETH).Cyware
May 01, 2023 – Hacker
Vietnamese Threat Actor Infects 500,000 Devices Using ‘Malverposting’ Tactics Full Text
Abstract
A Vietnamese threat actor has been attributed as behind a "malverposting" campaign on social media platforms to infect over 500,000 devices worldwide over the past three months to deliver variants of information stealers such as S1deload Stealer and SYS01stealer . Malverposting refers to the use of promoted social media posts on services like Facebook and Twitter to mass propagate malicious software and other security threats. The idea is to reach a broader audience by paying for ads to "amplify" their posts. According to Guardio Labs , such attacks commence with the adversary creating new business profiles and hijacking already popular accounts to serve ads that claim to offer free adult-rated photo album downloads. Within these ZIP archive files are purported images that are actually executable files, which, when clicked, activate the infection chain and ultimately deploy the stealer malware to siphon session cookies, account data, and other information.The Hacker News
May 1, 2023 – Attack
German IT provider Bitmarck hit by cyberattack Full Text
Abstract
Bitmarck, one of the largest IT service providers for social insurance carriers in Germany, announced yesterday that it has suffered a cyber attack. The German IT service provider Bitmarck announced on April 30 it had taken all its systems offline...Security Affairs
May 1, 2023 – Breach
Court Records Expose Private Information for Thousands of Missouri Residents Full Text
Abstract
Documents containing Social Security numbers and other private information for thousands of Missourians are accessible to anyone using the Casenet website, the state’s judicial records system, the Post-Dispatch recently discovered.Cyware
May 01, 2023 – APT
APT28 Targets Ukrainian Government Entities with Fake “Windows Update” Emails Full Text
Abstract
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks perpetrated by Russian nation-state hackers targeting various government bodies in the country. The agency attributed the phishing campaign to APT28, which is also known by the names Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, Sednit, and Sofacy. The email messages come with the subject line "Windows Update" and purportedly contain instructions in the Ukrainian language to run a PowerShell command under the pretext of security updates. Running the script loads and executes a next-stage PowerShell script that's designed to collect basic system information through commands like tasklist and systeminfo , and exfiltrate the details via an HTTP request to a Mocky API . To trick the targets into running the command, the emails impersonated system administrators of the targeted government entities using fake Microsoft Outlook email accounts created with the employees'The Hacker News
May 1, 2023 – Malware
Iranian govt uses BouldSpy Android malware for internal surveillance operations Full Text
Abstract
Iranian authorities have been spotted using the BouldSpy Android malware to spy on minorities and traffickers. Researchers at the Lookout Threat Lab have discovered a new Android surveillance spyware, dubbed BouldSpy, that was used by the Law Enforcement...Security Affairs
May 1, 2023 – Breach
Sensitive Data Leaked From Servers Running Salesforce Community Software Full Text
Abstract
Servers running software sold by Salesforce are leaking sensitive data managed by government agencies, banks, and other organizations, according to a post published Friday by KrebsOnSecurity.Cyware
May 1, 2023 – APT
Russian APT Nomadic Octopus hacked Tajikistani carrier Full Text
Abstract
Russian APT group Nomadic Octopus hacked a Tajikistani carrier to spy on government officials and public service infrastructures. Russian cyber espionage group Nomadic Octopus (aka DustSquad) has hacked a Tajikistani telecoms provider to spy on 18 entities,...Security Affairs
May 1, 2023 – General
Using multiple solutions adds complexity to your zero trust strategy Full Text
Abstract
Companies are also now increasingly reliant on their supply chain, which means partners, suppliers, and shippers are now typically directly connected to a company’s systems.Cyware
May 1, 2023 – General
Google banned 173k developer accounts in 2022 Full Text
Abstract
In 2022, Google prevented 1.43 million policy-violating apps from being published in the official Google Play store. Google announced that it prevented 1.43 million policy-violating applications from being published on Google Play in 2022. The IT giant...Security Affairs
May 1, 2023 – Criminals
Cybercriminals use proxies to legitimize fraudulent requests Full Text
Abstract
Bot attacks were previously seen as a relatively inconsequential type of online fraud, and that mentality has persisted even as threat actors have gained the ability to cause significant damage to revenue and brand reputation, according to HUMAN.Cyware
May 1, 2023 – Malware
‘BouldSpy’ Android Malware Used in Iranian Government Surveillance Operations Full Text
Abstract
On the infected devices, BouldSpy harvests account usernames and associated application/service, a list of installed apps, browser data, call logs, clipboard content, contact lists, device information, a list of files and folders, and SMS messages.Cyware
May 01, 2023 – Malware
Google Blocks 1.43 Million Malicious Apps, Bans 73,000 Bad Accounts in 2022 Full Text
Abstract
Google disclosed that its improved security features and app review processes helped it block 1.43 million bad apps from being published to the Play Store in 2022. In addition, the company said it banned 173,000 bad accounts and fended off over $2 billion in fraudulent and abusive transactions through developer-facing features like Voided Purchases API, Obfuscated Account ID, and Play Integrity API. The addition of identity verification methods such as phone number and email address to join Google Play contributed to a reduction in accounts used to publish apps that go against its policies, Google pointed out. The search behemoth further said it "prevented about 500K submitted apps from unnecessarily accessing sensitive permissions over the past 3 years." "In 2022, the App Security Improvements program helped developers fix ~500K security weaknesses affecting ~300K apps with a combined install base of approximately 250B installs," it noted . In contrast,The Hacker News