November, 2023
November 30, 2023 – General
Associated Press, ESPN, CBS among top sites serving fake virus alerts
Abstract
Threat actors dabble in obfuscation and evasion techniques. However, as previously detailed by Confiant, they are using much more advanced tricks. Their JavaScript uses obfuscation with changing variable names, making identification harder. (Cyware)
November 30, 2023 – Solution
Google Unveils RETVec - Gmail’s New Defense Against Spam and Malicious Emails
Abstract
Google has revealed a new multilingual text vectorizer called RETVec (short for Resilient and Efficient Text Vectorizer) to help detect potentially harmful content such as spam and malicious emails in Gmail. "RETVec is trained to be resilient against character-level manipulations including insertion, deletion, typos, homoglyphs, LEET substitution, and more," according to the project's description on GitHub. "The RETVec model is trained on top of a novel character encoder which can encode all UTF-8 characters and words efficiently." While huge platforms like Gmail and YouTube rely on text classification models to spot phishing attacks, inappropriate comments, and scams, threat actors are known to devise counter-strategies to bypass these defense measures. They have been observed resorting to adversarial text manipulations, which range from the use of homoglyphs to keyword stuffing to invisible characters. RETVec, which works on over 100 languages o (The Hacker News)
November 30, 2023 – General
68% of US Websites Exposed to Bot Attacks
Abstract
As per DataDome’s report shared with Hackread.com ahead of publication on Tuesday, 72.3% of e-commerce websites and 65.2% of classified ad websites failed the bot tests, whereas 85% of DataDome’s fake Chrome bots remained undetected. (Cyware)
November 30, 2023 – Solution
This Free Solution Provides Essential Third-Party Risk Management for SaaS
Abstract
Wing Security recently announced that basic third-party risk assessment is now available as a free product. But it raises the questions of how SaaS is connected to third-party risk management (TPRM) and what companies should do to ensure a proper SaaS-TPRM process is in place. In this article we will share 5 tips to manage the third-party risks associated with SaaS, but first... What exactly is Third-Party Risk Management in SaaS? SaaS is rapidly growing, offering businesses convenience, swift implementations, and valuable opportunities. However, this growth introduces a security challenge where risks arise from the interconnected nature of SaaS supply chains. It is clear that before onboarding a new contractor or vendor, we need due diligence, security checks, and referrals. However, we now understand that in the SaaS domain, applications are, in fact, the go-to vendor of choice. Let's explain: Any employee can very easily connect SaaS vendors to company data, granting them pe (The Hacker News)
November 30, 2023 – Phishing
Hackers Using Weaponized Invoice To Deliver LUMMA Malware
Abstract
Cybersecurity analysts identified that the attacker, posing as a financial services company in this campaign, tricks the target with a fake invoice email. The attacker dodges detection using a fake page and a real link. (Cyware)
November 30, 2023 – Criminals
North Korea’s Lazarus Group Rakes in $3 Billion from Cryptocurrency Hacks
Abstract
Threat actors from the Democratic People's Republic of Korea (DPRK) are increasingly targeting the cryptocurrency sector as a major revenue generation mechanism since at least 2017 to get around sanctions imposed against the country. "Even though movement in and out of and within the country is heavily restricted, and its general population is isolated from the rest of the world, the regime's ruling elite and its highly trained cadre of computer science professionals have privileged access to new technologies and information," cybersecurity firm Recorded Future said in a report shared with The Hacker News. "The privileged access to resources, technologies, information, and sometimes international travel for a small set of selected individuals with promise in mathematics and computer science equips them with the necessary skills for conducting cyber attacks against the cryptocurrency industry." The disclosure comes as the U.S. Treasury Department imp (The Hacker News)
November 30, 2023 – Breach
Thanksgiving Hack on North Carolina City Caused Leak of Employee Data
Abstract
The attack on Hendersonville is the latest incident affecting a North Carolina government institution since the state became the first in the nation to ban payments to ransomware gangs. (Cyware)
November 30, 2023 – General
7 Uses for Generative AI to Enhance Security Operations
Abstract
Welcome to a world where Generative AI revolutionizes the field of cybersecurity. Generative AI refers to the use of artificial intelligence (AI) techniques to generate or create new data, such as images, text, or sounds. It has gained significant attention in recent years due to its ability to generate realistic and diverse outputs. When it comes to security operations, Generative AI can play a significant role. It can be used to detect and prevent various threats, including malware, phishing attempts, and data breaches. Analyzing patterns and behaviors in large amounts of data allows it to identify suspicious activities and alert security teams in real-time. Here are seven practical use cases that demonstrate the power of Generative AI. There are more possibilities out there of how you can achieve objectives and fortify security operations, but this list should get your creative juices flowing. 1) Information Management Information security deals with a breadth of data that (The Hacker News)
November 30, 2023 – Attack
New Jersey, Pennsylvania Hospitals Affected by Cyberattacks
Abstract
The company’s IT team said it is working to restore hospital systems and data but noted that its emergency rooms are still open to those in need of care. Some elective surgeries have been moved to later dates. (Cyware)
November 30, 2023 – Ransomware
CACTUS Ransomware Exploits Qlik Sense Vulnerabilities in Targeted Attacks
Abstract
A CACTUS ransomware campaign has been observed exploiting recently disclosed security flaws in a cloud analytics and business intelligence platform called Qlik Sense to obtain a foothold into targeted environments. "This campaign marks the first documented instance [...] where threat actors deploying CACTUS ransomware have exploited vulnerabilities in Qlik Sense for initial access," Arctic Wolf researchers Stefan Hostetler, Markus Neis, and Kyle Pagelow said. The cybersecurity company, which said it's responding to "several instances" of exploitation of the software, noted that the attacks are likely taking advantage of three flaws that have been disclosed over the past three months - CVE-2023-41265 (CVSS score: 9.9) - An HTTP Request Tunneling vulnerability that allows a remote attacker to elevate their privilege and send requests that get executed by the backend server hosting the repository application. CVE-2023-41266 (CVSS score: 6.5) - A path tr (The Hacker News)
November 30, 2023 – Government
CISA Warns of Unitronics PLC Exploitation Following Water Utility Hack
Abstract
In the case of the Municipal Water Authority of Aliquippa, CISA noted that the attackers likely accessed the ICS device “by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet”. (Cyware)
November 30, 2023 – Policy and Law
U.S. Treasury Sanctions Sinbad Cryptocurrency Mixer Used by North Korean Hackers
Abstract
The U.S. Treasury Department on Wednesday imposed sanctions against Sinbad, a virtual currency mixer that has been put to use by the North Korea-linked Lazarus Group to launder ill-gotten proceeds. "Sinbad has processed millions of dollars' worth of virtual currency from Lazarus Group heists, including the Horizon Bridge and Axie Infinity heists," the department said. "Sinbad is also used by cybercriminals to obfuscate transactions linked to malign activities such as sanctions evasion, drug trafficking, the purchase of child sexual abuse materials, and additional illicit sales on darknet marketplaces." The development builds on prior actions undertaken by governments in Europe and the U.S. to blockade mixers such as Blender, Tornado Cash, and ChipMixer, all of which have been accused of providing "material support" to the hacking crew by laundering the stolen assets through their services. Sinbad, created by an individual who goes by t (The Hacker News)
November 30, 2023 – Vulnerabilities
Claiming Zoom Rooms Service Accounts to Gain Access to Tenants
Abstract
The finding highlights the potential misuse of service accounts to gain unauthorized access to SaaS systems. Abusing the bug enabled attackers to predict service account email addresses, hijack the accounts, and collect sensitive information. (Cyware)
November 30, 2023 – Vulnerabilities
Zyxel Security Advisory for Authentication Bypass and Command Injection Vulnerabilities in NAS products
Abstract
Three command injection vulnerabilities have been discovered in Zyxel NAS (Network Attached Storage) products, which could allow a threat actor to execute system commands on successful exploitation of these vulnerabilities. (Cyware)
November 29, 2023 – Policy and Law
British Afrobeat singer pleads guilty to stealing $6 million in hacks on financial accounts
Abstract
According to the Department of Justice, from 2011 until 2018 Mustapha and his unnamed co-conspirators siphoned funds from financial accounts whose login information they illegally accessed through phishing attacks. (Cyware)
November 29, 2023 – Attack
Iranian Hackers Exploit PLCs in Attack on Water Authority in U.S.
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that it's responding to a cyber attack that involved the active exploitation of Unitronics programmable logic controllers (PLCs) to target the Municipal Water Authority of Aliquippa in western Pennsylvania. The attack has been attributed to an Iranian-backed hacktivist collective known as Cyber Av3ngers. "Cyber threat actors are targeting PLCs associated with [Water and Wastewater Systems] facilities, including an identified Unitronics PLC, at a U.S. water facility," the agency said. "In response, the affected municipality's water authority immediately took the system offline and switched to manual operations—there is no known risk to the municipality's drinking water or water supply." According to news reports quoted by the Water Information Sharing & Analysis Center (WaterISAC), CyberAv3ngers is alleged to have seized control of the booster station that monitors and regulates (The Hacker News)
November 29, 2023 – Business
BlueVoyant Acquires Conquest Cyber to Help Clients Mitigate Risks
Abstract
BlueVoyant will integrate Conquest Cyber’s technology into its existing products and services to create the first solution to deliver comprehensive internal and external cyber defense mapped to risk maturity. (Cyware)
November 29, 2023 – Malware
200+ Malicious Android Apps Targeting Iranian Banks: Experts Warn
Abstract
An Android malware campaign targeting Iranian banks has expanded its capabilities and incorporated additional evasion tactics to fly under the radar. That's according to a new report from Zimperium, which discovered more than 200 malicious apps associated with the malicious operation, with the threat actor also observed carrying out phishing attacks against the targeted financial institutions. The campaign first came to light in late July 2023 when Sophos detailed a cluster of 40 credential-harvesting apps targeting customers of Bank Mellat, Bank Saderat, Resalat Bank, and Central Bank of Iran. The primary goal of the bogus apps is to trick victims into granting them extensive permissions as well as harvest banking login credentials and credit card details by abusing Android's accessibility services. "The corresponding legitimate versions of the malicious apps are available at Cafe Bazaar, an Iranian Android marketplace, and have millions of downloads," Sophos (The Hacker News)
November 29, 2023 – Vulnerabilities
PoCs for Critical Arcserve UDP Vulnerabilities Released
Abstract
Arcserve UDP is a popular enterprise data protection, backup and disaster recovery solution. The flaws were unearthed by Tenable researchers and privately disclosed to Arcserve in late August 2023. (Cyware)
November 29, 2023 – Solution
Discover Why Proactive Web Security Outsmarts Traditional Antivirus Solutions
Abstract
In a rapidly evolving digital landscape, it's crucial to reevaluate how we secure web environments. Traditional antivirus-approach solutions have their merits, but they're reactive. A new report delves into the reasons for embracing proactive web security solutions, ensuring you stay ahead of emerging threats. To learn more, download the full report here. The New Paradigm If you've been relying on the old-style antivirus-based approach to website security up to now, then we could summarize why you need to update to the more proactive approach simply by saying — prevention is always preferable to cure. That's the overarching rationale for adopting a proactive web security solution, but let's break it down into a few more detailed reasons for updating to the newer and more effective proactive approach. To be clear, we're not denying that an antivirus-approach solution is ideal for detecting and responding to threats, but there's no escaping the fact that it's limited (The Hacker News)
November 29, 2023 – Breach
Egyptian E-Payment Vendor Recovering From LockBit Ransomware Attack
Abstract
Fawry remains confident that this data will not impact financial transactions on its platform, but the company believes it may have included the personal details of some customers whose information had been on the testing platform. (Cyware)
November 29, 2023 – Breach
Okta Discloses Broader Impact Linked to October 2023 Support System Breach
Abstract
Identity services provider Okta has disclosed that it detected "additional threat actor activity" in connection with the October 2023 breach of its support case management system. "The threat actor downloaded the names and email addresses of all Okta customer support system users," the company said in a statement shared with The Hacker News. "All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was not impacted by this incident." On top of that, the adversary is believed to have accessed reports containing contact information of all Okta certified users, some Okta Customer Identity Cloud (CIC) customers, and unspecified Okta employee information. However, it emphasized that the data does not include user credenti (The Hacker News)
November 29, 2023 – Attack
Japan’s Space Agency Suffers Cyber Attack
Abstract
JAXA got to know about the attack after an external organization conducted an internal audit. A detailed investigation is going on into the hacking attempt and it was not revealed who could be orchestrating this. (Cyware)
November 29, 2023 – Ransomware
DJVU Ransomware’s Latest Variant ‘Xaro’ Disguised as Cracked Software
Abstract
A variant of a ransomware strain known as DJVU has been observed to be distributed in the form of cracked software. "While this attack pattern is not new, incidents involving a DJVU variant that appends the .xaro extension to affected files and demanding ransom for a decryptor have been observed infecting systems alongside a host of various commodity loaders and infostealers," Cybereason security researcher Ralph Villanueva said. The new variant has been codenamed Xaro by the American cybersecurity firm. DJVU, in itself a variant of the STOP ransomware, typically arrives on the scene masquerading as legitimate services or applications. It's also delivered as a payload of SmokeLoader. A significant aspect of DJVU attacks is the deployment of additional malware, such as information stealers (e.g., RedLine Stealer and Vidar), making them more damaging in nature. In the latest attack chain documented by Cybereason, Xaro is propagated as an archive file from a dub (The Hacker News)
November 29, 2023 – Malware
Unveiling the Persisting Threat: Iranian Mobile Banking Malware Campaign Extends Its Reach
Abstract
The primary goal of the bogus apps is to trick victims into granting them extensive permissions as well as harvest banking login credentials and credit card details by abusing Android's accessibility services. (Cyware)
November 29, 2023 – Botnet
GoTitan Botnet Spotted Exploiting Recent Apache ActiveMQ Vulnerability
Abstract
The recently disclosed critical security flaw impacting Apache ActiveMQ is being actively exploited by threat actors to distribute a new Go-based botnet called GoTitan as well as a .NET program known as PrCtrl Rat that's capable of remotely commandeering the infected hosts. The attacks involve the exploitation of a remote code execution bug (CVE-2023-46604, CVSS score: 10.0) that has been weaponized by various hacking crews, including the Lazarus Group, in recent weeks. Following a successful breach, the threat actors have been observed to drop next-stage payloads from a remote server, one of which is GoTitan, a botnet designed for orchestrating distributed denial-of-service (DDoS) attacks via protocols such as HTTP, UDP, TCP, and TLS. "The attacker only provides binaries for x64 architectures, and the malware performs some checks before running," Fortinet Fortiguard Labs researcher Cara Lin said in a Tuesday analysis. "It also creates a file named (The Hacker News)
November 29, 2023 – Breach
Play Ransomware Group Lists 17 Victims, 14 US-Based Companies Named
Abstract
Experts in security believe the Play ransomware group has ties to Russia. PlayCrypt is another name for the group. It was created by a team known as Balloonfly, which Symantec monitors. (Cyware)
November 28, 2023 – Vulnerabilities
Critical Vulnerability Found in Ray AI Framework
Abstract
CVE-2023-48023 is rooted in the fact that, in its default configuration, Ray does not enforce authentication, and does not appear to support any type of authorization model. (Cyware)
November 28, 2023 – Solution
Transform Your Data Security Posture – Learn from SoFi’s DSPM Success
Abstract
As cloud technology evolves, so does the challenge of securing sensitive data. In a world where data duplication and sprawl are common, organizations face increased risks of non-compliance and unauthorized data breaches. Sentra's DSPM (Data Security Posture Management) emerges as a comprehensive solution, offering continuous discovery and accurate classification of sensitive data in the cloud. This informative webinar, "Securing Sensitive Data Starts with Discovery and Classification: SoFi's DSPM Story" unveils the success story of SoFi, a pioneering cloud-native financial services provider, and its journey with Sentra's DSPM. It explores the challenges and triumphs in securing cloud data and a roadmap to implementing effective DSPM strategies in your organization. Expert Panel: Aviv Zisso: As Director of Customer Success at Sentra, Aviv brings deep insights into data security needs and solutions. Pritam H Mungse: SoFi's Director of Product Security, Pr (The Hacker News)
November 28, 2023 – Hacker
IMPERIAL KITTEN Deploys Novel Malware Families
Abstract
Between early 2022 and 2023, CrowdStrike Intelligence observed IMPERIAL KITTEN conduct SWC operations with a focus on targeting organizations in the transportation, logistics, and technology sectors. (Cyware)
November 28, 2023 – Vulnerabilities
Design Flaw in Google Workspace Could Let Attackers Gain Unauthorized Access
Abstract
Cybersecurity researchers have detailed a "severe design flaw" in Google Workspace's domain-wide delegation (DWD) feature that could be exploited by threat actors to facilitate privilege escalation and obtain unauthorized access to Workspace APIs without super admin privileges. "Such exploitation could result in theft of emails from Gmail, data exfiltration from Google Drive, or other unauthorized actions within Google Workspace APIs on all of the identities in the target domain," cybersecurity firm Hunters said in a technical report shared with The Hacker News. The design weakness – which remains active to this date – has been codenamed DeleFriend for its ability to manipulate existing delegations in the Google Cloud Platform (GCP) and Google Workspace without possessing super admin privileges. Domain-wide delegation, per Google, is a "powerful feature" that allows third-party and internal apps to access users' data across an organizatio (The Hacker News)
November 28, 2023 – Botnet
GoTitan Botnet - Ongoing Exploitation on Apache ActiveMQ
Abstract
The attacker initiates a connection to ActiveMQ through the OpenWire protocol, typically on port 61616. By transmitting a crafted packet, the attacker triggers the system to unmarshal a class under their control. (Cyware)
November 28, 2023 – Phishing
How Hackers Phish for Your Users’ Credentials and Sell Them
Abstract
Account credentials, a popular initial access vector, have become a valuable commodity in cybercrime. As a result, a single set of stolen credentials can put your organization's entire network at risk. According to the 2023 Verizon Data Breach Investigation Report, external parties were responsible for 83 percent of breaches that occurred between November 2021 and October 2022. Forty-nine percent of those breaches involved stolen credentials. How are threat actors compromising credentials? Social engineering is one of the top five cybersecurity threats in 2023. Phishing, which accounts for % of social engineering attempts, is the go-to method for stealing credentials. It's a relatively cheap tactic that yields results. As phishing and social engineering techniques become more sophisticated and the tools become more readily available, credential theft should become a top security concern for all organizations if it already isn't one. Phishing has evolved With phishing and s (The Hacker News)
November 28, 2023 – Attack
Critics of Serbia’s government targeted with ‘military-grade spyware’
Abstract
The Serbians had been targeted about a minute apart from each other on or about 16 August 2023. Researchers discovered traces of the attempted attack, which sought to take advantage of a possible vulnerability in iPhone’s HomeKit application. (Cyware)
November 28, 2023 – Criminals
Key Cybercriminals Behind Notorious Ransomware Families Arrested in Ukraine
Abstract
A coordinated law enforcement operation has led to the arrest of key individuals in Ukraine who are alleged to be a part of several ransomware schemes. "On 21 November, 30 properties were searched in the regions of Kyiv, Cherkasy, Rivne, and Vinnytsia, resulting in the arrest of the 32-year-old ringleader," Europol said in a statement today. "Four of the ringleader's most active accomplices were also detained." The development comes more than two years after 12 people were apprehended in connection with the same operation. The individuals are primarily linked to LockerGoga, MegaCortex, and Dharma ransomware families. The suspects are estimated to have targeted over 1,800 victims across 71 countries since 2019. They have also been accused of deploying the now-defunct Hive ransomware against high-profile organizations. Some of the co-conspirators are believed to be involved in penetrating IT networks by orchestrating brute-force attacks, SQL injectio (The Hacker News)
November 28, 2023 – Breach
Hackers Spent Over Two Years Stealing Secrets of Chipmaker NXP
Abstract
The breach wasn’t uncovered until Chimera intruders were detected in a separate company network that connected to compromised NXP systems on several occasions. Details of the breach remained a closely guarded secret until now. (Cyware)
November 28, 2023 – Education
Stop Identity Attacks: Discover the Key to Early Threat Detection
Abstract
Identity and Access Management (IAM) systems are a staple to ensure only authorized individuals or entities have access to specific resources in order to protect sensitive information and secure business assets. But did you know that today over 80% of attacks now involve identity, compromised credentials or bypassing the authentication mechanism? Recent breaches at MGM and Caesars have underscored that, despite best efforts, it is not "if" but "when" a successful attack will have bypassed authentication and authorization controls. Account takeover, when an unauthorized individual gains access to a legitimate user account, is now the number one attack vector of choice for malicious actors. With so much focus on controls for prevention, the necessary detection and rapid response to identity-based attacks is often overlooked. And since these attacks use stolen or compromised credentials, it can be difficult to distinguish from legitimate users without a layer of detection. Dive deep i (The Hacker News)
November 28, 2023 – Vulnerabilities
DeleFriend: Severe Design Flaw in Domain-Wide Delegation Could Leave Google Workspace Vulnerable to Takeover
Abstract
The vulnerability is rooted in the fact that a domain delegation configuration is determined by the service account resource identifier (OAuth ID), and not the specific private keys associated with the service account identity object. (Cyware)
November 28, 2023 – Vulnerabilities
Hackers Can Exploit ‘Forced Authentication’ to Steal Windows NTLM Tokens
Abstract
Cybersecurity researchers have discovered a case of "forced authentication" that could be exploited to leak a Windows user's NT LAN Manager (NTLM) tokens by tricking a victim into opening a specially crafted Microsoft Access file. The attack takes advantage of a legitimate feature in the database management system solution that allows users to link to external data sources, such as a remote SQL Server table. "This feature can be abused by attackers to automatically leak the Windows user's NTLM tokens to any attacker-controlled server, via any TCP port, such as port 80," Check Point security researcher Haifei Li said. "The attack can be launched as long as the victim opens an .accdb or .mdb file. In fact, any more-common Office file type (such as a .rtf) can work as well." NTLM, an authentication protocol introduced by Microsoft in 1993, is a challenge-response protocol that's used to authenticate users during sign-in. Over the years, (The Hacker News)
November 28, 2023 – Outage
Hospital Chain Hit With Ransomware Attack
Abstract
Ardent proactively took its network offline, suspending all user access. Some facilities are rescheduling non-emergent, elective procedures and diverting some emergency room patients to other area hospitals until systems are back online. (Cyware)
November 28, 2023 – Criminals
Update: Daixin Team Claimed the Hack of North Texas Municipal Water District
Abstract
The Daixin Team group added NTMWD to the list of victims on its Tor leak site. The gang claims to have stolen a huge amount of sensitive data from the company and threatens to publish it. (Cyware)
November 28, 2023 – Breach
Ethyrial: Echoes of Yore hacked! 17,000 game accounts “lost”
Abstract
All 17,000 user accounts and characters have been lost in this hack. BUT We will personally, manually restore every item, level, title, pet, etc. that was lost during this event when the servers are back up. (Cyware)
November 27, 2023 – Criminals
Rhysida Ransomware Group Claimed China Energy Hack
Abstract
The ransomware group claims to have stolen a substantial trove of ‘impressive data’ and is auctioning it for 50 BTC. The gang announced to publicly release the data over the seven days following the announcement. (Cyware)
November 27, 2023 – Education
How to Handle Retail SaaS Security on Cyber Monday
Abstract
If forecasters are right, over the course of today, consumers will spend $13.7 billion. Just about every click, sale, and engagement will be captured by a CRM platform. Inventory applications will trigger automated re-orders; communication tools will send automated email and text messages confirming sales and sharing shipping information. SaaS applications supporting retail efforts will host nearly all of this behind-the-scenes activity. While retailers are rightfully focused on sales during this time of year, they need to ensure that the SaaS apps supporting their business operations are secure. No one wants a repeat of one of the biggest retail cyber-snafus in history, like when one U.S.-based national retailer had 40 million credit card records stolen. The attack surface is vast and retailers must remain vigilant in protecting their entire SaaS app stack. For example, many often use multiple instances of the same application. They may use a different Salesforce tenant for eve (The Hacker News)
November 27, 2023 – Breach
Rivers Casino Joins the Club of Hacked Casinos
Abstract
Rivers Casino Des Plaines is the most profitable casino in the state of Illinois. Currently, there is no information on who is behind the attack. The number of people potentially affected by the breach is also unknown. (Cyware)
November 27, 2023 – Vulnerabilities
Experts Uncover Passive Method to Extract Private RSA Keys from SSH Connections
Abstract
A new study has demonstrated that it's possible for passive network attackers to obtain private RSA host keys from a vulnerable SSH server by observing naturally occurring computational faults that occur while the connection is being established. The Secure Shell (SSH) protocol is a method for securely transmitting commands and logging in to a computer over an unsecured network. Based on a client-server architecture, SSH uses cryptography to authenticate and encrypt connections between devices. A host key is a cryptographic key used for authenticating computers in the SSH protocol. Host keys are key pairs that are typically generated using public-key cryptosystems like RSA. "If a signing implementation using CRT-RSA has a fault during signature computation, an attacker who observes this signature may be able to compute the signer's private key," a group of academics from the University of California, San Diego, and Massachusetts Institute of Technology said (The Hacker News)
November 27, 2023 – Outage
Portneuf Medical Center Latest In a String of Cyberattacks
Abstract
The hospital’s IT team is working to determine the impact of the outage and restore access to the network. Meanwhile, the healthcare provider is following established downtime protocols, revealed a spokesperson for Portneuf Medical Center. (Cyware)
November 27, 2023 – Government
U.S., U.K., and Global Partners Release Secure AI System Development Guidelines
Abstract
The U.K. and U.S., along with international partners from 16 other countries, have released new guidelines for the development of secure artificial intelligence (AI) systems. "The approach prioritizes ownership of security outcomes for customers, embraces radical transparency and accountability, and establishes organizational structures where secure design is a top priority," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said. The goal is to increase cyber security levels of AI and help ensure that the technology is designed, developed, and deployed in a secure manner, the National Cyber Security Centre (NCSC) added. The guidelines also build upon the U.S. government's ongoing efforts to manage the risks posed by AI by ensuring that new tools are tested adequately before public release, there are guardrails in place to address societal harms, such as bias and discrimination, and privacy concerns, and setting up robust methods for consumer (The Hacker News)
November 27, 2023 – Attack
Municipal Water Authority of Aliquippa Hacked by Iranian-backed Cyber Group
Abstract
The machine that was hacked uses a system called Unitronics, which contains software or has components that are Israeli-owned. The system has since been disabled. Authorities stressed that there is no known risk to the drinking water or water supply. (Source: Cyware)
November 27, 2023 – Attack
Lazarus Group Exploits MagicLine4NX Flaw to Launch Supply Chain Attacks
Abstract
The NCSC and South Korea’s NIS issued a joint warning against the Lazarus hacking group leveraging a zero-day flaw in the MagicLine4NX software. The zero-day exploit allowed Lazarus to conduct a series of supply-chain attacks, starting with a watering hole attack on a media outlet's website. Organi ... (Source: Cyware)
November 27, 2023 – Cryptocurrency
KyberSwap Says $54.7 Million in Cryptocurrency Stolen During Attack
Abstract
The company is now trying to recover the funds but argued that the incident “stands out as one of the most sophisticated in the history of DeFi.” The company advised users to “promptly withdraw their funds.” (Source: Cyware)
November 27, 2023 – Attack
East Texas Hospital Network Affected by Potential Cybersecurity Incident
Abstract
The East Texas healthcare system is just the latest hospital group that has been forced to turn ambulances away because of an apparent cybersecurity incident. The cyber incident at UT Health East Texas began on Thursday. (Source: Cyware)
November 27, 2023 – Breach
Gulf Air Exposed to Data Breach, ‘Vital Operations Not Affected’
Abstract
The agency quoted the company as saying that "as a result of this illegal breach some information from the company's email system and customers' database could be compromised." (Source: Cyware)
November 25, 2023 – Breach
App Used by Hundreds of Schools Leaking Children’s Data
Abstract
The leaked data poses a significant threat to children, as it can be exploited by malicious actors for extortion, impersonation, identity theft, fraud, and even potential child abuse. (Source: Cyware)
November 25, 2023 – Attack
New ‘HrServ.dll’ Web Shell Detected in APT Attack Targeting Afghan Government
Abstract
An unspecified government entity in Afghanistan was targeted by a previously undocumented web shell called HrServ in what's suspected to be an advanced persistent threat (APT) attack. The web shell, a dynamic-link library (DLL) named "hrserv.dll," exhibits "sophisticated features such as custom encoding methods for client communication and in-memory execution," Kaspersky security researcher Mert Degirmenci said in an analysis published this week. The Russian cybersecurity firm said it identified variants of the malware dating all the way back to early 2021 based on the compilation timestamps of these artifacts. Web shells are typically malicious tools that provide remote control over a compromised server. Once uploaded, they allow threat actors to carry out a range of post-exploitation activities, including data theft, server monitoring, and lateral advancement within the network. The attack chain involves the PAExec remote administration tool, an alternative to PsExec t ... (Source: The Hacker News)
November 25, 2023 – Attack
Vanderbilt University Medical Center Investigating Cybersecurity Incident
Abstract
The hospital system was added to the leak site of the Meow ransomware gang. VUMC has confirmed the incident but has not provided details on when it occurred or the effects of the attack. (Source: Cyware)
November 25, 2023 – Vulnerabilities
Warning: 3 Critical Vulnerabilities Expose ownCloud Users to Data Breaches
Abstract
The maintainers of the open-source file-sharing software ownCloud have warned of three critical security flaws that could be exploited to disclose sensitive information and modify files. A brief description of the vulnerabilities is as follows: Disclosure of sensitive credentials and configuration in containerized deployments impacting graphapi versions from 0.2.0 to 0.3.0 (CVSS score: 10.0); WebDAV API Authentication Bypass using Pre-Signed URLs impacting core versions from 10.6.0 to 10.13.0 (CVSS score: 9.8); Subdomain Validation Bypass impacting oauth2 prior to version 0.6.1 (CVSS score: 9.0). "The 'graphapi' app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo)," the company said of the first flaw. "This information includes all the environment variables of the web server. In containerized deployments, these environment variables may include sensitiv ... (Source: The Hacker News)
November 24, 2023 – Government
North Korean Supply Chain Attacks Prompt Joint Warning From South Korea and the UK
Abstract
The United Kingdom and South Korea have issued a joint advisory warning about software supply chain attacks carried out by North Korean state-linked hackers, highlighting the increasing volume and sophistication of such attacks. (Source: Cyware)
November 24, 2023 – Phishing
Cybercriminals Using Telekopye Telegram Bot to Craft Phishing Scams on a Grand Scale
Abstract
More details have emerged about a malicious Telegram bot called Telekopye that's used by threat actors to pull off large-scale phishing scams. "Telekopye can craft phishing websites, emails, SMS messages, and more," ESET security researcher Radek Jizba said in a new analysis. The threat actors behind the operation – codenamed Neanderthals – are known to run the criminal enterprise as a legitimate company, spawning a hierarchical structure that encompasses different members who take on various roles. Once aspiring Neanderthals are recruited via advertisements on underground forums, they are invited to join designated Telegram channels that are used for communicating with other Neanderthals and keeping track of transaction logs. The ultimate goal of the operation is to pull off one of the three types of scams: seller, buyer, or refund. In the case of the former, Neanderthals pose as sellers and try to lure unwary Mammoths into purchasing a non-existent item. Bu ... (Source: The Hacker News)
November 24, 2023 – Outage
Bahrain Government Websites Briefly Inaccessible After Cyberattack Over Israel-Hamas War
Abstract
The Al-Toufan hacker group targeted the Foreign Ministry and the Information Affairs Ministry's websites and also released scans of passports allegedly obtained from the hack. (Source: Cyware)
November 24, 2023 – General
Tell Me Your Secrets Without Telling Me Your Secrets
Abstract
The title of this article probably sounds like the caption to a meme. Instead, this is an actual problem GitGuardian's engineers had to solve in implementing the mechanisms for their new HasMySecretLeaked service. They wanted to help developers find out if their secrets (passwords, API keys, private keys, cryptographic certificates, etc.) had found their way into public GitHub repositories. How could they comb a vast library of secrets found in publicly available GitHub repositories and their histories and compare them to your secrets without you having to expose sensitive information? This article will tell you how. First, if we were to set a bit's mass as equal to that of one electron, a ton of data would be around 121.9 quadrillion petabytes of data at standard Earth gravity or $39.2 billion billion billion US dollars in MacBook Pro storage upgrades (more than all the money in the world). So when this article claims GitGuardian scanned a "ton" of GitHub public commit data, t ... (Source: The Hacker News)
November 24, 2023 – Criminals
Hackers Demand $60M From TransUnion and Experian in South Africa, Claiming Data Theft
Abstract
The hacker group, known as N4ughtySecTU, demanded a ransom of $30 million from both the credit reporting agencies and claims to have direct access to their data and infrastructure. (Source: Cyware)
November 24, 2023 – Attack
Hamas-Linked Cyberattacks Using Rust-Powered SysJoker Backdoor Against Israel
Abstract
Cybersecurity researchers have shed light on a Rust version of a cross-platform backdoor called SysJoker, which is assessed to have been used by a Hamas-affiliated threat actor to target Israel amid the ongoing war in the region. "Among the most prominent changes is the shift to Rust language, which indicates the malware code was entirely rewritten, while still maintaining similar functionalities," Check Point said in a Wednesday analysis. "In addition, the threat actor moved to using OneDrive instead of Google Drive to store dynamic C2 (command-and-control server) URLs." SysJoker was publicly documented by Intezer in January 2022, describing it as a backdoor capable of gathering system information and establishing contact with an attacker-controlled server by accessing a text file hosted on Google Drive that contains a hard-coded URL. "Being cross-platform allows the malware authors to gain advantage of wide infection on all major platforms," VMware said last year. "SysJo ... (Source: The Hacker News)
November 24, 2023 – Breach
Taj Hotel Data Breach Potentially Impacts 1.5 Million Customers
Abstract
The breach occurred in November and a threat actor named "Dnacookies" is demanding $5,000 for the full dataset, which includes customers' addresses, mobile numbers, and membership IDs. (Source: Cyware)
November 24, 2023 – Breach
Kubernetes Secrets of Fortune 500 Companies Exposed in Public Repositories
Abstract
Cybersecurity researchers are warning of publicly exposed Kubernetes configuration secrets that could put organizations at risk of supply chain attacks. "These encoded Kubernetes configuration secrets were uploaded to public repositories," Aqua security researchers Yakir Kadkoda and Assaf Morag said in new research published earlier this week. Some of those impacted include two top blockchain companies and various other Fortune 500 companies, according to the cloud security firm, which leveraged the GitHub API to fetch all entries containing .dockerconfigjson and .dockercfg types that store credentials for accessing a container image registry. Of the 438 records that potentially held valid credentials for registries, 203 records – about 46% – contained valid credentials that provided access to the respective registries. Ninety-three of the passwords were manually set by individuals, as opposed to the 345 that were computer-generated. "In the majority of cases, these creden ... (Source: The Hacker News)
November 24, 2023 – Government
Australia’s Cybersecurity Strategy Focuses on Protecting Small Businesses and Critical Infrastructure
Abstract
The strategy includes financial investments to support small and medium businesses, strengthen critical infrastructure, and enhance cyber capabilities, but critics argue that the allocated funds are insufficient. (Source: Cyware)
November 23, 2023 – Business
Kiteworks’ Maytech Acquisition Reaffirms Commitment to UK Market
Abstract
Kiteworks has announced its merger with Maytech, combining their data privacy and compliance solutions with data file transfer capabilities. The acquisition strengthens Kiteworks' position in the UK market. (Source: Cyware)
November 23, 2023 – Phishing
Konni Group Using Russian-Language Malicious Word Docs in Latest Attacks
Abstract
A new phishing attack has been observed leveraging a Russian-language Microsoft Word document to deliver malware capable of harvesting sensitive information from compromised Windows hosts. The activity has been attributed to a threat actor called Konni, which is assessed to share overlaps with a North Korean cluster tracked as Kimsuky (aka APT43). "This campaign relies on a remote access trojan (RAT) capable of extracting information and executing commands on compromised devices," Fortinet FortiGuard Labs researcher Cara Lin said in an analysis published this week. The cyber espionage group is notable for its targeting of Russia, with the modus operandi involving the use of spear-phishing emails and malicious documents as entry points for their attacks. Recent attacks documented by Knowsec and ThreatMon have leveraged the WinRAR vulnerability (CVE-2023-38831) as well as obfuscated Visual Basic scripts to drop Konni RAT and a Windows Batch script capable of ... (Source: The Hacker News)
November 23, 2023 – Breach
Cyberattackers Leaked Data of 27,000 NYC Bar Association Members
Abstract
The Clop ransomware gang claimed responsibility for the attack, highlighting the increasing threat posed by ransomware groups to bar associations and other organizations. (Source: Cyware)
November 23, 2023 – Malware
Alert: New WailingCrab Malware Loader Spreading via Shipping-Themed Emails
Abstract
Delivery- and shipping-themed email messages are being used to deliver a sophisticated malware loader known as WailingCrab. "The malware itself is split into multiple components, including a loader, injector, downloader and backdoor, and successful requests to C2-controlled servers are often necessary to retrieve the next stage," IBM X-Force researchers Charlotte Hammond, Ole Villadsen, and Kat Metrick said. WailingCrab, also called WikiLoader, was first documented by Proofpoint in August 2023, detailing campaigns targeting Italian organizations that used the malware to ultimately deploy the Ursnif (aka Gozi) trojan. It was spotted in the wild in late December 2022. The malware is the handiwork of a threat actor known as TA544, which is also tracked as Bamboo Spider and Zeus Panda. IBM X-Force has named the cluster Hive0133. Actively maintained by its operators, the malware has been observed incorporating features that prioritize stealth and allow it to resist an ... (Source: The Hacker News)
November 23, 2023 – Attack
Microsoft Warns of North Korean Attack on CyberLink Impacting Devices Around the World
Abstract
Microsoft has discovered a supply chain attack carried out by North Korean hackers. The attack involved attaching a malicious file to a legitimate software installer. The attack was attributed to the hacking group known as Diamond Sleet. (Source: Cyware)
November 23, 2023 – Education
6 Steps to Accelerate Cybersecurity Incident Response
Abstract
Modern security tools continue to improve in their ability to defend organizations' networks and endpoints against cybercriminals. But the bad actors still occasionally find a way in. Security teams must be able to stop threats and restore normal operations as quickly as possible. That's why it's essential that these teams not only have the right tools but also understand how to effectively respond to an incident. Resources like an incident response template can be customized to define a plan with roles and responsibilities, processes and an action item checklist. But preparations can't stop there. Teams must continuously train to adapt as threats rapidly evolve. Every security incident must be harnessed as an educational opportunity to help the organization better prepare for — or even prevent — future incidents. SANS Institute defines a framework with six steps to a successful IR: Preparation, Identification, Containment, Eradication, Recovery, and Lessons learned. While these p ... (Source: The Hacker News)
November 23, 2023 – Botnet
New InfectedSlurs Mirai-based Botnet Exploits Two Zero-Days
Abstract
A new Mirai-based botnet called InfectedSlurs has been discovered by Akamai, using two zero-day vulnerabilities to infect routers and video recorder devices. First observed in October 2023, the botnet is believed to be active since at least 2022. (Source: Cyware)
November 23, 2023 – Denial Of Service
Mirai-based Botnet Exploiting Zero-Day Bugs in Routers and NVRs for Massive DDoS Attacks
Abstract
An active malware campaign is leveraging two zero-day vulnerabilities with remote code execution (RCE) functionality to rope routers and video recorders into a Mirai-based distributed denial-of-service (DDoS) botnet. "The payload targets routers and network video recorder (NVR) devices with default admin credentials and installs Mirai variants when successful," Akamai said in an advisory published this week. Details of the flaws are currently under wraps to allow the two vendors to publish patches and prevent other threat actors from abusing them. The fixes for one of the vulnerabilities are expected to be shipped next month. The attacks were first discovered by the web infrastructure and security company against its honeypots in late October 2023. The perpetrators of the attacks have not been identified as yet. The botnet, which has been codenamed InfectedSlurs due to the use of racial and offensive language in the command-and-control (C2) servers and hard-coded strings, is a ... (Source: The Hacker News)
November 23, 2023 – Attack
New Relic Notifies Customers of a Cyber Incident
Abstract
The company has not provided any specific details about the nature of the incident, but customers are advised to monitor their accounts for suspicious activity. It is unclear whether all or a few selected New Relic customers are at risk. (Source: Cyware)
November 23, 2023 – Attack
N. Korean Hackers Distribute Trojanized CyberLink Software in Supply Chain Attack
Abstract
A North Korean state-sponsored threat actor tracked as Diamond Sleet is distributing a trojanized version of a legitimate application developed by a Taiwanese multimedia software developer called CyberLink to target downstream customers via a supply chain attack. "This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload," the Microsoft Threat Intelligence team said in an analysis on Wednesday. The poisoned file, the tech giant said, is hosted on the update infrastructure owned by the company while also including checks to limit the time window for execution and bypass detection by security products. The campaign is estimated to have impacted over 100 devices across Japan, Taiwan, Canada, and the U.S. Suspicious activity associated with the modified CyberLink installer file was observed as early as October 20, 2023. The links to North Korea stem from ... (Source: The Hacker News)
November 22, 2023
Windows Hello Fingerprint Authentication Bypassed on Popular Laptops
Abstract
Researchers from Blackwing Intelligence and Microsoft's MORSE have discovered a way to bypass fingerprint authentication on three popular laptops with Windows Hello, namely the Dell Inspiron 15, Lenovo ThinkPad T14s, and Microsoft Surface Pro X. (Source: Cyware)
November 22, 2023
New Flaws in Fingerprint Sensors Let Attackers Bypass Windows Hello Login
Abstract
New research has uncovered multiple vulnerabilities that could be exploited to bypass Windows Hello authentication on Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X laptops. The flaws were discovered by researchers at hardware and software product security and offensive research firm Blackwing Intelligence, who found the weaknesses in the fingerprint sensors from Goodix, Synaptics, and ELAN that are embedded into the devices. A prerequisite for the fingerprint reader exploits is that the users of the targeted laptops have fingerprint authentication already set up. All three fingerprint sensors are a type of sensor called "match on chip" (MoC), which integrates the matching and other biometric management functions directly into the sensor's integrated circuit. "While MoC prevents replaying stored fingerprint data to the host for matching, it does not, in itself, prevent a malicious sensor from spoofing a legitimate sensor's commu ... (Source: The Hacker News)
November 22, 2023
US Authorities Trace and Return Nearly $9M Stolen by Scammers
Abstract
The US Secret Service and various reporting portals tied the criminals' laundering efforts to multiple wallet addresses. The seized proceeds were returned in the stablecoin Tether. (Source: Cyware)
November 21, 2023 – Government
CISA Releases Cybersecurity Guidance for Healthcare, Public Health Organizations
Abstract
The guide incorporates vulnerability data, known exploited vulnerabilities, and the MITRE ATT&CK framework. It covers topics such as asset management, identity management, device security, vulnerabilities, patching, and secure design principles. (Source: Cyware)
November 21, 2023 – Ransomware
Play Ransomware Goes Commercial - Now Offered as a Service to Cybercriminals
Abstract
The ransomware strain known as Play is now being offered to other threat actors "as a service," new evidence unearthed by Adlumin has revealed. "The unusual lack of even small variations between attacks suggests that they are being carried out by affiliates who have purchased the ransomware-as-a-service (RaaS) and are following step-by-step instructions from playbooks delivered with it," the cybersecurity company said in a report shared with The Hacker News. The findings are based on various Play ransomware attacks tracked by Adlumin spanning different sectors that incorporated almost identical tactics and in the same sequence. This includes the use of the public music folder (C:\...\public\music) to hide the malicious file, the same password to create high-privilege accounts in both attacks, and the same commands. Play, also called Balloonfly and PlayCrypt, first came to light in June 2022, leveraging security flaws in Microsoft Exchange Server – i.e., ... (Source: The Hacker News)
November 21, 2023 – Ransomware
8Base Group Found Deploying a New Phobos Ransomware Variant
Abstract
The 8Base ransomware attackers have incorporated a new variant of the Phobos ransomware and publicly available tools for financially motivated attacks. The variant used by the 8Base group includes features that can enable attackers to establish persistence on victims’ systems, perform speedy encryp ... (Source: Cyware)
November 21, 2023 – Malware
New Agent Tesla Malware Variant Using ZPAQ Compression in Email Attacks
Abstract
A new variant of the Agent Tesla malware has been observed delivered via a lure file with the ZPAQ compression format to harvest data from several email clients and nearly 40 web browsers. "ZPAQ is a file compression format that offers a better compression ratio and journaling function compared to widely used formats like ZIP and RAR," G Data malware analyst Anna Lvova said in a Monday analysis. "That means that ZPAQ archives can be smaller, saving storage space and bandwidth when transferring files. However, ZPAQ has the biggest disadvantage: limited software support." First appearing in 2014, Agent Tesla is a keylogger and remote access trojan (RAT) written in .NET that's offered to other threat actors as part of a malware-as-a-service (MaaS) model. It's often used as a first-stage payload, providing remote access to a compromised system and utilized to download more sophisticated second-stage tools such as ransomware. Agent Tesla is typ ... (Source: The Hacker News)
November 21, 2023 – Attack
Greater Paris Wastewater Agency Dealing with Cyberattack
Abstract
The attack prompted SIAAP to file a complaint with authorities and take immediate measures to secure their systems to prevent further spread. It has prioritized maintaining the public sanitation service and is working to ensure a return to normalcy. (Source: Cyware)
November 21, 2023 – Phishing
How Multi-Stage Phishing Attacks Exploit QRs, CAPTCHAs, and Steganography
Abstract
Phishing attacks are steadily becoming more sophisticated, with cybercriminals investing in new ways of deceiving victims into revealing sensitive information or installing malicious software. One of the latest trends in phishing is the use of QR codes, CAPTCHAs, and steganography. See how they are carried out and learn to detect them. Quishing: Quishing, a phishing technique resulting from the combination of "QR" and "phishing," has become a popular weapon for cybercriminals in 2023. By concealing malicious links within QR codes, attackers can evade traditional spam filters, which are primarily geared towards identifying text-based phishing attempts. The inability of many security tools to decipher the content of QR codes further makes this method a go-to choice for cybercriminals. [Figure: An email containing a QR code with a malicious link] Analyzing a QR code with an embedded malicious link in a safe environment is easy with ANY.RUN: Simply open this task in th ... (Source: The Hacker News)
November 21, 2023 – Breach
MOVEit Mass-Hack Victim Count Grows to Over 2,600 Firms, 77 Million People
Abstract
Welltok, a patient communication services provider, has notified over 1.6 million patients that their private healthcare data may have been stolen in the MOVEit breach, affecting healthcare providers such as Stanford Health Care and Sutter Health. (Source: Cyware)
November 21, 2023 – Attack
Kinsing Hackers Exploit Apache ActiveMQ Vulnerability to Deploy Linux Rootkits
Abstract
The Kinsing threat actors are actively exploiting a critical security flaw in vulnerable Apache ActiveMQ servers to infect Linux systems with cryptocurrency miners and rootkits. "Once Kinsing infects a system, it deploys a cryptocurrency mining script that exploits the host's resources to mine cryptocurrencies like Bitcoin, resulting in significant damage to the infrastructure and a negative impact on system performance," Trend Micro security researcher Peter Girnus said. Kinsing refers to a Linux malware with a history of targeting misconfigured containerized environments for cryptocurrency mining, often utilizing compromised server resources to generate illicit profits for the threat actors. The group is also known to quickly adapt its tactics to include newly disclosed flaws in web applications to breach target networks and deliver crypto miners. Earlier this month, Aqua disclosed the threat actor's attempts to exploit a Linux privilege escalation fla ... (Source: The Hacker News)
November 21, 2023 – Breach
Hacker Leaks Vaccination Records of Over Two Million Turkish Citizens
Abstract
The leaked data, which includes birth dates, vaccination dates and types, hospitals, and partial Turkish Identification Numbers, was likely obtained through an information disclosure vulnerability. (Source: Cyware)
November 21, 2023 – Phishing
Malicious Apps Disguised as Banks and Government Agencies Targeting Indian Android Users
Abstract
Android smartphone users in India are the target of a new malware campaign that employs social engineering lures to install fraudulent apps that are capable of harvesting sensitive data. "Using social media platforms like WhatsApp and Telegram, attackers are sending messages designed to lure users into installing a malicious app on their mobile device by impersonating legitimate organizations, such as banks, government services, and utilities," Microsoft threat intelligence researchers Abhishek Pustakala, Harshita Tripathi, and Shivang Desai said in a Monday analysis. The ultimate goal of the operation is to capture banking details, payment card information, account credentials, and other personal data. The attack chains involve sharing malicious APK files via social media messages sent on WhatsApp and Telegram by falsely presenting them as banking apps and inducing a sense of urgency by claiming that the targets' bank accounts will be blocked unless they update their permanent a ... (Source: The Hacker News)
November 21, 2023 – Attack
Mustang Panda Hackers Target Philippines Government Amid South China Sea Tensions
Abstract
The China-linked Mustang Panda actor has been linked to a cyber attack targeting a Philippines government entity amid rising tensions between the two countries over the disputed South China Sea. Palo Alto Networks Unit 42 attributed the adversarial collective to three campaigns in August 2023, primarily singling out organizations in the South Pacific. "The campaigns leveraged legitimate software including Solid PDF Creator and SmadavProtect (an Indonesian-based antivirus solution) to sideload malicious files," the company said. "Threat authors also creatively configured the malware to impersonate legitimate Microsoft traffic for command-and-control (C2) connections." Mustang Panda, also tracked under the names Bronze President, Camaro Dragon, Earth Preta, RedDelta, and Stately Taurus, is assessed to be a Chinese advanced persistent threat (APT) active since at least 2012, orchestrating cyber espionage campaigns targeting non-governmental organization ... (Source: The Hacker News)
November 20, 2023 – Policy and Law
Israeli Private Investigator Gets 80-Month Sentence for Global Hack-for-Hire Scheme
Abstract
The investigator's victims included high-profile climate change activists, and their hacked communications were leaked to media outlets to undermine investigations into Exxon's knowledge about climate change risks. (Source: Cyware)
November 20, 2023 – Attack
NetSupport RAT Infections on the Rise - Targeting Government and Business Sectors
Abstract
Threat actors are targeting the education, government and business services sectors with a remote access trojan called NetSupport RAT. "The delivery mechanisms for the NetSupport RAT encompass fraudulent updates, drive-by downloads, utilization of malware loaders (such as GHOSTPULSE), and various forms of phishing campaigns," VMware Carbon Black researchers said in a report shared with The Hacker News. The cybersecurity firm said it detected no less than 15 new infections related to NetSupport RAT in the last few weeks. While NetSupport Manager started off as a legitimate remote administration tool for technical assistance and support, malicious actors have misappropriated the tool to their own advantage, using it as a beachhead for subsequent attacks. NetSupport RAT is typically downloaded onto a victim's computer via deceptive websites and fake browser updates. In August 2022, Sucuri detailed a campaign in which compromised WordPress sites were being us ... (Source: The Hacker News)
November 20, 2023 – Criminals
Actions to Take to Defeat Initial Access Brokers
Abstract
Access-as-a-service (AaaS) is a new underground business model in cybercrime where threat actors steal enterprise user credentials and sell them to other attack groups, leading to the exfiltration of confidential data. (Source: Cyware)
November 20, 2023 – Phishing
DarkGate and PikaBot Malware Resurrect QakBot’s Tactics in New Phishing Attacks
Abstract
Phishing campaigns delivering malware families such as DarkGate and PikaBot are following the same tactics previously used in attacks leveraging the now-defunct QakBot trojan. "These include hijacked email threads as the initial infection, URLs with unique patterns that limit user access, and an infection chain nearly identical to what we have seen with QakBot delivery," Cofense said in a report shared with The Hacker News. "The malware families used also follow suit to what we would expect QakBot affiliates to use." QakBot, also called QBot and Pinkslipbot, was shut down as part of a coordinated law enforcement effort codenamed Operation Duck Hunt earlier this August. The use of DarkGate and PikaBot in these campaigns is not surprising as they can both act as conduits to deliver additional payloads to compromised hosts, making them both an attractive option for cybercriminals. PikaBot's parallels to QakBot were previously highlighted by Zscaler in its analysis of the malw ... (Source: The Hacker News)
November 20, 2023 – Vulnerabilities
Johnson Controls Patches Critical Vulnerability in Industrial Refrigeration Products
Abstract
Johnson Controls has released patches for a critical vulnerability found in some of its industrial refrigeration products. The flaw, known as CVE-2023-4804, could allow unauthorized access to debug features. (Source: Cyware)
November 20, 2023 – Solution
Product Walkthrough: Silverfort’s Unified Identity Protection Platform
Abstract
In this article, we will provide a brief overview of Silverfort's platform, the first (and currently only) unified identity protection platform on the market. Silverfort's patented technology aims to protect organizations from identity-based attacks by integrating with existing identity and access management solutions, such as AD (Active Directory) and cloud-based services, and extending secure access controls like Risk-Based Authentication and MFA (Multi-Factor Authentication) to all their resources. This includes on-prem and cloud resources, legacy systems, command-line tools and service accounts. A recent report by Silverfort and Osterman Research revealed that 83% of organizations worldwide have experienced data breaches due to compromised credentials. Many organizations admit that they are underprotected against identity-based attacks, such as lateral movement and ransomware. Resources like command-line access tools and legacy systems, which are widely used, are particular ... (Source: The Hacker News)
November 20, 2023 – Government
US Announces $70 Million Cybersecurity Boost for Rural, Municipal Utilities Full Text
Abstract
The funding opportunity includes investments in technologies, tools, training, and processes to strengthen cybersecurity, as well as increasing access to technical assistance and training for organizations with limited resources.Cyware
November 20, 2023 – Education
Why Defenders Should Embrace a Hacker Mindset Full Text
Abstract
Today's security leaders must manage a constantly evolving attack surface and a dynamic threat environment due to interconnected devices, cloud services, IoT technologies, and hybrid work environments. Adversaries are constantly introducing new attack techniques, and not all companies have internal Red Teams or unlimited security resources to stay on top of the latest threats. On top of that, today's attackers are indiscriminate and every business - big or small - needs to be prepared. It is no longer enough for security teams to detect and respond ; we must now also predict and prevent . To handle today's security environment, defenders need to be agile and innovative. In short, we need to start thinking like a hacker. Taking the mindset of an opportunistic threat actor allows you to not only gain a better understanding of potentially exploitable pathways, but also to more effectively prioritize your remediation efforts. It also helps you move past potentially harmful biases, suThe Hacker News
November 20, 2023 – Phishing
Konni Campaign Distributed via Malicious Document Full Text
Abstract
FortiGuard Labs has identified a Russian-language Word document with a malicious macro in the ongoing Konni campaign. The campaign uses a remote access trojan (RAT) to gain control of infected systems.Cyware
November 20, 2023 – Malware
LummaC2 Malware Deploys New Trigonometry-Based Anti-Sandbox Technique Full Text
Abstract
The stealer malware known as LummaC2 (aka Lumma Stealer) now features a new anti-sandbox technique that leverages the mathematical principle of trigonometry to evade detection and exfiltrate valuable information from infected hosts. The method is designed to "delay detonation of the sample until human mouse activity is detected," Outpost24 security researcher Alberto Marín said in a technical report shared with The Hacker News. Written in the C programming language, LummaC2 has been sold in underground forums since December 2022. The malware has since received iterative updates that make it harder to analyze via control flow flattening and even allow it to deliver additional payloads. The current version of LummaC2 (v4.0) also requires its customers to use a crypter as an added concealing mechanism, not to mention prevent it from being leaked in its raw form. Another noteworthy update is the reliance on trigonometry to detect human behavior on the infiltratedThe Hacker News
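The anti-sandbox check described above keys on the shape of cursor movement, not on whether the cursor moved at all. The block below is an added example written for this page, not LummaC2's code and not Outpost24's analysis tooling: it reproduces the idea in Python by taking a handful of cursor positions, forming the displacement vector between each consecutive pair, computing the angle between consecutive vectors with the dot product, and treating the session as human only when every turn is gentle (real pointer motion is smooth, while an idle sandbox never moves and an emulated cursor jumps around at sharp angles). The five-sample count, the 45-degree threshold, the requirement that the cursor move between samples and the replacement of a cursor-position API with constructed coordinate lists are all assumptions made for illustration.

```python
import math
from typing import List, Sequence, Tuple

Point = Tuple[float, float]

# Illustrative parameters: assumptions for this example, not values taken from the malware.
SAMPLE_COUNT = 5          # cursor positions to sample before deciding
MAX_TURN_DEGREES = 45.0   # a sharper change of direction than this looks scripted


def displacement_vectors(samples: Sequence[Point]) -> List[Point]:
    """Vectors from each sampled cursor position to the next one."""
    return [(x2 - x1, y2 - y1) for (x1, y1), (x2, y2) in zip(samples, samples[1:])]


def angle_between(v1: Point, v2: Point) -> float:
    """Angle in degrees between two vectors, from the dot product (0 if either is zero)."""
    n1, n2 = math.hypot(*v1), math.hypot(*v2)
    if n1 == 0.0 or n2 == 0.0:
        return 0.0
    cos_theta = (v1[0] * v2[0] + v1[1] * v2[1]) / (n1 * n2)
    cos_theta = max(-1.0, min(1.0, cos_theta))   # clamp floating-point drift before acos
    return math.degrees(math.acos(cos_theta))


def turn_angles(samples: Sequence[Point]) -> List[float]:
    """How far the cursor turned between each pair of consecutive movements."""
    vectors = displacement_vectors(samples)
    return [angle_between(a, b) for a, b in zip(vectors, vectors[1:])]


def looks_human(samples: Sequence[Point], max_turn: float = MAX_TURN_DEGREES) -> bool:
    """The gate a loader of this kind waits on before detonating.

    Requires a full set of samples, movement between every sample (an idle
    sandbox never moves the pointer), and only gentle turns throughout.
    """
    if len(samples) < SAMPLE_COUNT:
        return False
    if len(set(samples)) != len(samples):
        return False
    return all(angle <= max_turn for angle in turn_angles(samples))


def smooth_path(start: Point, count: int = SAMPLE_COUNT,
                step_px: float = 20.0, turn_deg: float = 10.0) -> List[Point]:
    """Constructed cursor path that turns by a fixed angle each step.

    Stands in for what a sandbox would have to emulate to pass the check;
    a large turn_deg reproduces the jerky motion the check is meant to reject.
    """
    x, y = start
    heading = 0.0
    points = [(x, y)]
    for _ in range(count - 1):
        x += step_px * math.cos(math.radians(heading))
        y += step_px * math.sin(math.radians(heading))
        points.append((x, y))
        heading += turn_deg
    return points


# Constructed cursor traces (the 300 ms sampling interval is not modelled here).
SMOOTH_DRAG: List[Point] = [(100, 100), (130, 112), (162, 126), (196, 142), (232, 160)]
JITTER: List[Point] = [(100, 100), (400, 120), (110, 420), (390, 410), (105, 95)]
STATIONARY: List[Point] = [(500, 500)] * 5

if __name__ == "__main__":
    for label, trace in (("smooth drag", SMOOTH_DRAG), ("jitter", JITTER), ("stationary", STATIONARY)):
        turns = [round(a, 1) for a in turn_angles(trace)]
        print(f"{label:12s} turns={turns} human={looks_human(trace)}")
```

For a sandbox operator the useful half is `smooth_path`: a cursor driven along a gently curving path with a small per-step turn passes this kind of gate, while large random jumps or a pointer parked in one place do not, which is exactly the behaviour the evasion is betting on.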
November 20, 2023 – Policy and Law
US Teen Pleads Guilty to Credential Stuffing Attack on Fantasy Sports Website Full Text
Abstract
Along with others, Joseph Garrison stole approximately $600,000 from 1,600 victim accounts by adding a new payment method, depositing $5 into each account, and then withdrawing the funds.Cyware
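Credential stuffing of the kind described here leaves a recognisable footprint in authentication logs: one source address tries many different usernames, most attempts fail, and the few that succeed are the accounts an analyst needs to pull before the deposit-and-withdraw step. The detection logic below is an added example for this page, not from the court filing or from the affected platform: it parses a few constructed log lines in a made-up format, buckets attempts per source IP and ten-minute window, and flags sources whose distinct-username count is high and whose success ratio is low, returning the successfully authenticated usernames from each flagged source. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class AuthEvent:
    ts: int          # epoch seconds
    src_ip: str
    username: str
    success: bool


# Constructed log lines in a made-up "timestamp ip user= result=" format (not a real product's log).
SAMPLE_LOG = """\
2023-11-14T22:20:01Z 198.51.100.20 user=alice result=FAIL
2023-11-14T22:20:09Z 198.51.100.20 user=alice result=OK
2023-11-14T22:21:00Z 203.0.113.7 user=amy result=FAIL
2023-11-14T22:21:01Z 203.0.113.7 user=ben result=FAIL
2023-11-14T22:21:02Z 203.0.113.7 user=cleo result=FAIL
2023-11-14T22:21:03Z 203.0.113.7 user=dave result=OK
2023-11-14T22:21:04Z 203.0.113.7 user=eli result=FAIL
2023-11-14T22:21:05Z 203.0.113.7 user=fran result=FAIL
2023-11-14T22:21:06Z 203.0.113.7 user=gina result=OK
2023-11-14T22:21:07Z 203.0.113.7 user=hugo result=FAIL
2023-11-14T22:22:30Z 198.51.100.33 user=bob result=OK
2023-11-14T22:22:41Z 198.51.100.33 user=carl result=OK
2023-11-14T22:23:02Z 198.51.100.33 user=erin result=OK
2023-11-14T22:23:15Z 198.51.100.33 user=fay result=OK
2023-11-14T22:24:50Z 198.51.100.33 user=hank result=OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) result=(OK|FAIL)$")

# Illustrative thresholds (assumptions); baseline them against your own traffic.
MIN_DISTINCT_USERS = 5      # one source trying many different accounts
MAX_SUCCESS_RATIO = 0.30    # stuffed credential lists mostly miss
WINDOW_SECONDS = 600        # evaluate each source per 10-minute bucket


def parse_log(text: str) -> List[AuthEvent]:
    """Turn the constructed log format into events; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = int(datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
                 .replace(tzinfo=timezone.utc).timestamp())
        events.append(AuthEvent(ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return events


def detect_stuffing(events: Iterable[AuthEvent],
                    min_distinct_users: int = MIN_DISTINCT_USERS,
                    max_success_ratio: float = MAX_SUCCESS_RATIO,
                    window: int = WINDOW_SECONDS) -> Dict[str, dict]:
    """Flag source IPs that spray many usernames with a low success rate.

    Events are bucketed per (source IP, time window). A source is reported if
    any of its windows meets both thresholds; the worst window is kept. The
    'compromised' list holds the usernames that did log in from that source:
    the set to force-reset and to join against account-change events (new
    payment method, small deposit, withdrawal) in a follow-up hunt.
    """
    buckets: Dict[tuple, List[AuthEvent]] = defaultdict(list)
    for e in events:
        buckets[(e.src_ip, e.ts // window)].append(e)

    findings: Dict[str, dict] = {}
    for (ip, _bucket), evs in buckets.items():
        users = {e.username for e in evs}
        successes = [e for e in evs if e.success]
        ratio = len(successes) / len(evs)
        if len(users) < min_distinct_users or ratio > max_success_ratio:
            continue
        prior = findings.get(ip)
        if prior is None or len(users) > prior["distinct_users"]:
            findings[ip] = {
                "attempts": len(evs),
                "distinct_users": len(users),
                "success_ratio": round(ratio, 2),
                "compromised": sorted(e.username for e in successes),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The success-ratio condition is what keeps a shared office NAT (several users, all succeeding) out of the findings; drop it and the second address in the sample is flagged alongside the attacker. Rotating proxies defeat the per-IP grouping, so in production the same logic is usually run again keyed on a device fingerprint or ASN.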
November 20, 2023 – Vulnerabilities
Randstorm Exploit: Bitcoin Wallets Created b/w 2011-2015 Vulnerable to Hacking Full Text
Abstract
Bitcoin wallets created between 2011 and 2015 are susceptible to a newly described weakness called Randstorm that makes it possible to recover the private keys of, and thereby gain unauthorized access to, a multitude of wallets spanning several blockchain platforms. "Randstorm() is a term we coined to describe a collection of bugs, design decisions, and API changes that, when brought in contact with each other, combine to dramatically reduce the quality of random numbers produced by web browsers of a certain era (2011-2015)," Unciphered disclosed in a report published last week. It's estimated that approximately 1.4 million bitcoins are parked in wallets that were generated with potentially weak cryptographic keys. Customers can check whether their wallets are vulnerable at www.keybleed[.]com. The cryptocurrency recovery company said it re-discovered the problem in January 2022 while it was working for an unnamed customer who had been locked out of its Blockchain.com wallet. The issue The Hacker News
November 20, 2023 – Phishing
Are DarkGate and PikaBot the New QakBot? Full Text
Abstract
Phishing campaigns are using tactics previously seen in attacks involving the QakBot trojan to deliver malware families such as DarkGate and PikaBot. These campaigns utilize hijacked email threads, unique URL patterns, and a similar infection chain.Cyware
November 20, 2023 – Business
AT&T Forms Joint Venture for Managed Cybersecurity Business Full Text
Abstract
AT&T is forming a joint venture with investor WillJam Ventures to separate its managed cybersecurity services from its core connectivity business. WillJam Ventures will make a capital investment into the stand-alone cybersecurity services unit.Cyware
November 20, 2023 – Breach
Public Service, RCMP, CAF Members Affected in Canadian Federal Government Data Breach Full Text
Abstract
The personal and financial information of current and former public service employees and members of the RCMP and Canadian Armed Forces may have been accessed in a data breach.Cyware
November 18, 2023 – Outage
Multiple Colleges, K-12 Schools Facing Outages After Cyberattacks Full Text
Abstract
Schools like North Carolina Central University and Glendale Community College experienced significant disruptions to their IT systems, leading to the temporary suspension of online courses and the interruption of critical processes.Cyware
November 18, 2023 – Ransomware
8Base Group Deploying New Phobos Ransomware Variant via SmokeLoader Full Text
Abstract
The threat actors behind the 8Base ransomware are leveraging a variant of the Phobos ransomware to conduct their financially motivated attacks. The findings come from Cisco Talos, which has recorded an increase in activity carried out by cybercriminals. "Most of the group's Phobos variants are distributed by SmokeLoader, a backdoor trojan," security researcher Guilherme Venere said in an exhaustive two-part analysis published Friday. "This commodity loader typically drops or downloads additional payloads when deployed. In 8Base campaigns, however, it has the ransomware component embedded in its encrypted payloads, which is then decrypted and loaded into the SmokeLoader process' memory." 8Base came into sharp focus in mid-2023, when a similar spike in activity was observed by the cybersecurity community. It's said to be active at least since March 2022. A previous analysis from VMware Carbon Black in June 2023 identified parallels between 8Base and RansomHouThe Hacker News
November 18, 2023 – Breach
Stanley Steemer Hack Breached Data of Almost 67K Customers Full Text
Abstract
The breach went undetected for almost a month, highlighting the importance of proactive monitoring and timely detection of suspicious activities to prevent data breaches.Cyware
November 18, 2023 – Vulnerabilities
Over a Dozen Exploitable Vulnerabilities Found in AI/ML Tools Full Text
Abstract
The Huntr bug bounty platform has discovered multiple vulnerabilities in popular AI/ML tools, including H2O-3, MLflow, and Ray, which could lead to system takeover and data theft.Cyware
November 18, 2023 – Attack
Yamaha and WellLife Network Confirm Cyber Incidents After Ransomware Gang Claims Attacks Full Text
Abstract
Japanese manufacturer Yamaha Motor and healthcare organization WellLife Network have both confirmed being victims of cyberattacks. The ransomware group responsible for the attacks, possibly the INC gang, has been targeting various industries.Cyware
November 18, 2023 – Breach
More Than 330,000 Medicare Recipients Affected by MOVEit Breach Full Text
Abstract
The breach highlights the importance of implementing the "Secure By Design" initiative and ensuring that software used by organizations is secure to prevent supply chain attacks.Cyware
November 18, 2023 – Attack
Russian Cyber Espionage Group Deploys LitterDrifter USB Worm in Targeted Attacks Full Text
Abstract
Russian cyber espionage actors affiliated with the Federal Security Service (FSB) have been observed using a USB propagating worm called LitterDrifter in attacks targeting Ukrainian entities. Check Point, which detailed Gamaredon's (aka Aqua Blizzard, Iron Tilden, Primitive Bear, Shuckworm, and Winterflounder) latest tactics, branded the group as engaging in large-scale campaigns that are followed by "data collection efforts aimed at specific targets, whose selection is likely motivated by espionage goals." The LitterDrifter worm packs in two main features: automatically spreading the malware via connected USB drives as well as communicating with the threat actor's command-and-control (C&C) servers. It's also suspected to be an evolution of a PowerShell-based USB worm that was previously disclosed by Symantec in June 2023. Written in VBS, the spreader module is responsible for distributing the worm as a hidden file in a USB drive together with a decoThe Hacker News
November 17, 2023 – Breach
‘Sex Life Data’ Stolen From UK Government Among Record Number of Ransomware Attacks Full Text
Abstract
Up to 10,000 people's data on their sex lives was stolen in a ransomware attack on a British government department. It is unclear why the government was holding this data.Cyware
November 17, 2023 – Phishing
Beware: Malicious Google Ads Trick WinSCP Users into Installing Malware Full Text
Abstract
Threat actors are leveraging manipulated search results and bogus Google ads that trick users who are looking to download legitimate software such as WinSCP into installing malware instead. Cybersecurity company Securonix is tracking the ongoing activity under the name SEO#LURKER . "The malicious advertisement directs the user to a compromised WordPress website gameeweb[.]com, which redirects the user to an attacker-controlled phishing site," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News. The threat actors are believed to leverage Google's Dynamic Search Ads ( DSAs ), which automatically generates ads based on a site's content to serve the malicious ads that take the victims to the infected site. The ultimate goal of the complex multi-stage attack chain is to entice users into clicking on the fake, lookalike WinSCP website, winccp[.]net, and download the malware. "Traffic from the gaweeweb[.]com website to the fakeThe Hacker News
November 17, 2023 – Breach
Bangladesh’s NTMC Exposed Database Containing Personal Information to Open Web Full Text
Abstract
The National Telecommunication Monitoring Centre in Bangladesh exposed a database containing extensive personal information, including names, phone numbers, and passport details.Cyware
November 17, 2023 – Government
FCC Enforces Stronger Rules to Protect Customers Against SIM Swapping Attacks Full Text
Abstract
The U.S. Federal Communications Commission (FCC) is adopting new rules that aim to protect consumers from cell phone account scams that make it possible for malicious actors to orchestrate SIM-swapping attacks and port-out fraud. "The rules will help protect consumers from scammers who target data and personal information by covertly swapping SIM cards to a new device or porting phone numbers to a new carrier without ever gaining physical control of a consumer's phone," FCC said this week. While SIM swapping refers to transferring a user's account to a SIM card controlled by the scammer by convincing the victim's wireless carrier, port-out fraud occurs when the bad actor, posing as the victim, transfers their phone number from one service provider to another without their knowledge. The new rules, first proposed in July 2023 , mandate wireless providers to adopt secure methods of authenticating a customer before redirecting a customer's phone number to a new device or provideThe Hacker News
November 17, 2023 – Breach
FTC Targets Telecom Provider for Inmates After Massive Data Breach Full Text
Abstract
The proposed order by the FTC requires Global Tel*Link to implement a comprehensive data security program, notify customers of future breaches, and minimize the data it collects and retains, among other measures, to prevent further incidents.Cyware
November 17, 2023 – Education
Discover 2023’s Cloud Security Strategies in Our Upcoming Webinar - Secure Your Spot Full Text
Abstract
In 2023, the cloud isn't just a technology—it's a battleground. Zenbleed, Kubernetes attacks, and sophisticated APTs are just the tip of the iceberg in the cloud security warzone. In collaboration with the esteemed experts from Lacework Labs, The Hacker News proudly presents an exclusive webinar: ' Navigating the Cloud Attack Landscape: 2023 Trends, Techniques, and Tactics .' Join us for an insightful session led by Jose Hernandez of Lacework Labs, where we dissect and analyze the year's most pressing cloud security issues. This webinar is not just about theory; it's a practical guide filled with actionable strategies to shield your organization from advanced threats in the cloud. Highlights include: Kubernetes Security Breaches: Explore the surge in Kubernetes-related vulnerabilities and the concerning increase in administrative plane abuses. Zenbleed in Focus: Understand the far-reaching impact of the Zenbleed vulnerability and how Lacework Labs isThe Hacker News
November 17, 2023 – Policy and Law
SEC Aims to Avoid Cyber Disclosure Rule ‘Compliance Burdens’ Full Text
Abstract
The rule includes exceptions for cases where public disclosure of a cyber incident could pose significant risks to public safety or national security, allowing companies to work with law enforcement agencies to address secret cybersecurity events.Cyware
November 17, 2023 – Malware
27 Malicious PyPI Packages with Thousands of Downloads Found Targeting IT Experts Full Text
Abstract
An unknown threat actor has been observed publishing typosquat packages to the Python Package Index (PyPI) repository for nearly six months with an aim to deliver malware capable of gaining persistence, stealing sensitive data, and accessing cryptocurrency wallets for financial gain. The 27 packages, which masqueraded as popular legitimate Python libraries, attracted thousands of downloads, Checkmarx said in a new report. A majority of the downloads originated from the U.S., China, France, Hong Kong, Germany, Russia, Ireland, Singapore, the U.K., and Japan. "A defining characteristic of this attack was the utilization of steganography to hide a malicious payload within an innocent-looking image file, which increased the stealthiness of the attack," the software supply chain security firm said . Some of the packages are pyefflorer, pyminor, pyowler, pystallerer, pystob, and pywool, the last of which was planted on May 13, 2023. A common denominator to these packages is tThe Hacker News
November 17, 2023 – General
Threat Intel: To Share or Not to Share is Not the Question Full Text
Abstract
Regulatory compliance and upcoming regulations, such as the Digital Operational Resilience Act, are driving the need for organizations to engage in threat intelligence sharing.Cyware
November 17, 2023 – Government
U.S. Cybersecurity Agencies Warn of Scattered Spider’s Gen Z Cybercrime Ecosystem Full Text
Abstract
U.S. cybersecurity and intelligence agencies have released a joint advisory about a cybercriminal group known as Scattered Spider that's known to employ sophisticated phishing tactics to infiltrate targets. "Scattered Spider threat actors typically engage in data theft for extortion using multiple social engineering techniques and have recently leveraged BlackCat/ALPHV ransomware alongside their usual TTPs," the agencies said . The threat actor, also tracked under the monikers Muddled Libra, Octo Tempest, 0ktapus, Scatter Swine, Star Fraud, and UNC3944, was the subject of an extensive profile from Microsoft last month, with the tech giant calling it "one of the most dangerous financial criminal groups." Considered as experts in social engineering, Scattered Spider is known to rely on phishing, prompt bombing, and SIM swapping attacks to obtain credentials, install remote access tools, and bypass multi-factor authentication (MFA). Scattered Spider, liThe Hacker News
November 16, 2023 – Phishing
Hundreds of Websites Cloned to Run Ads for Chinese Gambling Full Text
Abstract
The motive behind these cloned sites is likely to generate traffic for gambling operators, as they can serve third-party ads that publishers may be reluctant to carry on their own sites.Cyware
November 16, 2023 – Vulnerabilities
Zero-Day Flaw in Zimbra Email Software Exploited by Four Hacker Groups Full Text
Abstract
A zero-day flaw in the Zimbra Collaboration email software was exploited by four different groups in real-world attacks to pilfer email data, user credentials, and authentication tokens. "Most of this activity occurred after the initial fix became public on GitHub," Google Threat Analysis Group (TAG) said in a report shared with The Hacker News. The flaw, tracked as CVE-2023-37580 (CVSS score: 6.1), is a reflected cross-site scripting (XSS) vulnerability impacting versions before 8.8.15 Patch 41. It was addressed by Zimbra as part of patches released on July 25, 2023. Successful exploitation of the shortcoming could allow execution of malicious scripts on the victims' web browser simply by tricking them into clicking on a specially crafted URL, effectively initiating the XSS request to Zimbra and reflecting the attack back to the user. Google TAG, whose researcher Clément Lecigne was credited with discovering and reporting the bug, said it discovered multiplThe Hacker News
November 16, 2023 – Vulnerabilities
21 Vulnerabilities Discovered in Crucial IT-OT Connective Routers Full Text
Abstract
These vulnerabilities, including critical and high-severity bugs, can enable attackers to compromise networks, deploy malware, and disrupt services, highlighting the need for improved security measures in OT and IoT devices.Cyware
November 16, 2023 – APT
Experts Uncover DarkCasino: New Emerging APT Threat Exploiting WinRAR Flaw Full Text
Abstract
A hacking group that leveraged a recently disclosed security flaw in the WinRAR software as a zero-day has now been categorized as an entirely new advanced persistent threat (APT). Cybersecurity company NSFOCUS has described DarkCasino as an "economically motivated" actor that first came to light in 2021. "DarkCasino is an APT threat actor with strong technical and learning ability, who is good at integrating various popular APT attack technologies into its attack process," the company said in an analysis. "Attacks launched by the APT group DarkCasino are very frequent, demonstrating a strong desire to steal online property." DarkCasino was most recently linked to the zero-day exploitation of CVE-2023-38831 (CVSS score: 7.8), a security flaw that can be weaponized to launch malicious payloads. In August 2023, Group-IB disclosed real-world attacks weaponizing the vulnerability and aimed at online trading forums at least since April 2023 to deliThe Hacker News
November 16, 2023 – Phishing
BlackCat Ransomware Gang is Attacking Organizations Using Google Ads Laced with Malware Full Text
Abstract
Russian-speaking affiliates of the ALPHV/BlackCat ransomware gang are using malvertising for popular software to distribute the Nitrogen malware and infect organizations with ransomware.Cyware
November 16, 2023 – Government
CISA and FBI Issue Warning About Rhysida Ransomware Double Extortion Attacks Full Text
Abstract
The threat actors behind the Rhysida ransomware engage in opportunistic attacks targeting organizations spanning various industry sectors. The advisory comes courtesy of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC). "Observed as a ransomware-as-a-service (RaaS) model, Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors and any ransom paid is split between the group and affiliates," the agencies said . "Rhysida actors leverage external-facing remote services, such as virtual private networks (VPNs), Zerologon vulnerability (CVE-2020-1472), and phishing campaigns to gain initial access and persistence within a network." First detected in May 2023, Rhysida makes use of the time-tested tactic of double extortion, demanding a ransom payment to decrypt victim daThe Hacker News
November 16, 2023 – Breach
Hackers Claim Major Data Breach at Smart WiFi Provider Plume Full Text
Abstract
Hackers claiming responsibility for the breach have announced it on the Breach Forums. They allege to have stolen over 20GB of Plume's Wi-Fi database, containing 15 million lines of information.Cyware
November 16, 2023 – Education
How to Automate the Hardest Parts of Employee Offboarding Full Text
Abstract
According to recent research on employee offboarding , 70% of IT professionals say they've experienced the negative effects of incomplete IT offboarding, whether in the form of a security incident tied to an account that wasn't deprovisioned, a surprise bill for resources that aren't in use anymore, or a missed handoff of a critical resource or account. This is despite an average of five hours spent per departing employee on activities like finding and deprovisioning SaaS accounts. As the SaaS footprint within most organizations continues to expand, it is becoming exponentially more difficult (and time-consuming) to ensure all access is deprovisioned or transferred when an employee leaves the organization. How Nudge Security can help Nudge Security is a SaaS management platform for modern IT governance and security. It discovers every cloud and SaaS account ever created by anyone in your organization, including generative AI apps, giving you a single source of truth for depaThe Hacker News
November 16, 2023 – Government
State-Backed Hackers a Threat to Australia, Agency Warns Full Text
Abstract
Critical infrastructure, including water supplies and electricity grids, are likely targets for cyberattacks, along with the theft of military secrets and intellectual property.Cyware
November 16, 2023 – Vulnerabilities
Hackers Could Exploit Google Workspace and Cloud Platform for Ransomware Attacks Full Text
Abstract
A set of novel attack methods has been demonstrated against Google Workspace and the Google Cloud Platform that could be potentially leveraged by threat actors to conduct ransomware, data exfiltration, and password recovery attacks. "Starting from a single compromised machine, threat actors could progress in several ways: they could move to other cloned machines with GCPW installed, gain access to the cloud platform with custom permissions, or decrypt locally stored passwords to continue their attack beyond the Google ecosystem," Martin Zugec, technical solutions director at Bitdefender, said in a new report. A prerequisite for these attacks is that the bad actor has already gained access to a local machine through other means, prompting Google to mark the bug as not eligible for fixing "since it's outside of our threat model and the behavior is in line with Chrome's practices of storing local data." However, the Romanian cybersecurity firm has waThe Hacker News
November 16, 2023 – Government
CISA Outlines AI-Related Cybersecurity Efforts Full Text
Abstract
CISA's roadmap outlines five key areas of focus, including responsible use of AI, secure adoption of AI-based software, protection against malicious use of AI, collaboration with partners, and workforce education on AI systems and techniques.Cyware
November 16, 2023 – Attack
Russian Hackers Linked to ‘Largest Ever Cyber Attack’ on Danish Critical Infrastructure Full Text
Abstract
Russian threat actors have been possibly linked to what's been described as the "largest cyber attack against Danish critical infrastructure," in which 22 companies associated with the operation of the country's energy sector were targeted in May 2023. "22 simultaneous, successful cyberattacks against Danish critical infrastructure are not commonplace," Denmark's SektorCERT said [PDF]. "The attackers knew in advance who they were going to target and got it right every time. Not once did a shot miss the target." The agency said it found evidence connecting one or more attacks to Russia's GRU military intelligence agency, which is also tracked under the name Sandworm and has a track record of orchestrating disruptive cyber assaults on industrial control systems. This assessment is based on artifacts communicating with IP addresses that have been traced to the hacking crew. The unprecedented and coordinated cyber attacks took place onThe Hacker News
November 15, 2023 – Policy and Law
Google Suing Cybercriminals Who Delivered Malware via Fake Bard Downloads Full Text
Abstract
Google is taking legal action against cybercriminals who used fake websites to deliver malware and gain control of social media accounts through a scam involving its chat-based AI tool, Bard.Cyware
November 15, 2023 – Botnet
U.S. Takes Down IPStorm Botnet, Russian-Moldovan Mastermind Pleads Guilty Full Text
Abstract
The U.S. government on Tuesday announced the takedown of the IPStorm botnet proxy network and its infrastructure, as the Russian and Moldovan national behind the operation pleaded guilty. "The botnet infrastructure had infected Windows systems then further expanded to infect Linux, Mac, and Android devices, victimizing computers and other electronic devices around the world, including in Asia, Europe, North America and South America," the Department of Justice (DoJ) said in a press statement. Sergei Makinin, who developed and deployed the malicious software to infiltrate thousands of internet-connected devices from June 2019 through December 2022, faces a maximum of 30 years in prison. The Golang-based botnet malware, prior to its dismantling, turned the infected devices into proxies as part of a for-profit scheme, which was then offered to other customers via proxx[.]io and proxx[.]net. "IPStorm is a botnet that abuses a legitimate peer-to-peer (p2p) network cThe Hacker News
November 15, 2023 – Government
NY Governor Wants New Cybersecurity Rules for Hospitals After Multiple Attacks Full Text
Abstract
New York Governor Kathy Hochul has proposed new cybersecurity rules for hospitals in the state to establish robust cybersecurity programs, assess risks, and implement protective measures to combat the rising threat of cyberattacks.Cyware
November 15, 2023 – Malware
New PoC Exploit for Apache ActiveMQ Flaw Could Let Attackers Fly Under the Radar Full Text
Abstract
Cybersecurity researchers have demonstrated a new technique that exploits a critical security flaw in Apache ActiveMQ to achieve arbitrary code execution in memory. Tracked as CVE-2023-46604 (CVSS score: 10.0), the vulnerability is a remote code execution bug that could permit a threat actor to run arbitrary shell commands. It was patched by Apache in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, or 5.18.3 released late last month. The vulnerability has since come under active exploitation by ransomware outfits to deploy ransomware such as HelloKitty and a strain that shares similarities with TellYouThePass as well as a remote access trojan called SparkRAT. According to new findings from VulnCheck, threat actors weaponizing the flaw are relying on a public proof-of-concept ( PoC ) exploit originally disclosed on October 25, 2023. The attacks have been found to use ClassPathXmlApplicationContext , a class that's part of the Spring framework and available within ActiveThe Hacker News
November 15, 2023 – Skimming
Credit Card Skimming on the Rise for the Holiday Shopping Season Full Text
Abstract
A credit card skimming campaign called Kritec has recently picked up in activity, compromising numerous online stores and stealing credit card information from unsuspecting shoppers.Cyware
November 15, 2023 – Insider Threat
Three Ways Varonis Helps You Fight Insider Threats Full Text
Abstract
What do basketball teams, government agencies, and car manufacturers have in common? Each one has been breached, having confidential, proprietary, or private information stolen and exposed by insiders. In each case, the motivations and methods varied, but the risk remained the same: insiders have access to too much data with too few controls. Insider threats continue to prove difficult for organizations to combat because — unlike an outsider — insiders can navigate sensitive data undetected and typically without suspicion. Cybersecurity is not the first industry to tackle insider threats, however. Espionage has a long history of facing and defending against insiders by using the "CIA Triad" principles of confidentiality, integrity, and availability. Varonis' modern cybersecurity answer to insider risk is the data security triad of "sensitivity, access, and activity." Using these three dimensions of data security, you can help reduce the risk and impact of an insider attack. SenThe Hacker News
November 15, 2023 – Breach
Cyberattack on North Carolina County Allowed Hackers to Access Data Full Text
Abstract
Although the nature of the attack was not specified, the county's IT staff discovered irregularities in their system and called in external cybersecurity experts to investigate and secure their servers.Cyware
November 15, 2023 – Vulnerabilities
Reptar: New Intel CPU Vulnerability Impacts Multi-Tenant Virtualized Environments Full Text
Abstract
Intel has released fixes to close out a high-severity flaw codenamed Reptar that impacts its desktop, mobile, and server CPUs. Tracked as CVE-2023-23583 (CVSS score: 8.8), the issue has the potential to "allow escalation of privilege and/or information disclosure and/or denial of service via local access." Successful exploitation of the vulnerability could also permit a bypass of the CPU's security boundaries, according to Google Cloud, which described it as an issue stemming from how redundant prefixes are interpreted by the processor. "The impact of this vulnerability is demonstrated when exploited by an attacker in a multi-tenant virtualized environment, as the exploit on a guest machine causes the host machine to crash resulting in a Denial of Service to other guest machines running on the same host," Google Cloud's Phil Venables said . "Additionally, the vulnerability could potentially lead to information disclosure or privilege escalaThe Hacker News
November 15, 2023 – Attack
File-Transfer Services, Rich With Sensitive Data, are Under Attack Full Text
Abstract
Compliance requirements drive the use of these services, making them attractive targets for ransomware groups looking to exploit the systems used for sending sensitive data.Cyware
November 15, 2023 – Vulnerabilities
Alert: Microsoft Releases Patch Updates for 5 New Zero-Day Vulnerabilities Full Text
Abstract
Microsoft has released fixes to address 63 security bugs in its software for the month of November 2023, including three vulnerabilities that have come under active exploitation in the wild. Of the 63 flaws, three are rated Critical, 56 are rated Important, and four are rated Moderate in severity. Two of them have been listed as publicly known at the time of the release. The updates are in addition to more than 35 security shortcomings addressed in its Chromium-based Edge browser since the release of Patch Tuesday updates for October 2023. The five zero-days that are of note are as follows -
CVE-2023-36025 (CVSS score: 8.8) - Windows SmartScreen Security Feature Bypass Vulnerability
CVE-2023-36033 (CVSS score: 7.8) - Windows DWM Core Library Elevation of Privilege Vulnerability
CVE-2023-36036 (CVSS score: 7.8) - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2023-36038 (CVSS score: 8.2) - ASP.NET Core Denial of Service Vulnerability
CV The Hacker News
November 15, 2023 – Business
Cyble Raises $6.2M; Expands Series B to $30.2M
Abstract
The round, which brought the total amount to $30.2M, was led by Summit Peak Ventures (US) and King River Capital (US), with participation from Care Super (Australia) and BlackBird Ventures (Australasia), along with other investors. (Cyware)
November 15, 2023 – Vulnerabilities
Urgent: VMware Warns of Unpatched Critical Cloud Director Vulnerability
Abstract
VMware is warning of a critical and unpatched security flaw in Cloud Director that could be exploited by a malicious actor to get around authentication protections. Tracked as CVE-2023-34060 (CVSS score: 9.8), the vulnerability impacts instances that have been upgraded to version 10.5 from an older version. "On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 (ssh) or port 5480 (appliance management console)," the company said in an alert. "This bypass is not present on port 443 (VCD provider and tenant login). On a new installation of VMware Cloud Director Appliance 10.5, the bypass is not present." The virtualization services company further noted that the impact is due to the fact that it utilizes a version of sssd from the underlying Photon OS that is affected by CVE-2023-34060. Dustin Hartle from IT solutions provider Idea ... (The Hacker News)
November 15, 2023 – Attack
Cyber Espionage Operation on Embassies Linked to Russia's Cozy Bear Hackers
Abstract
The Cozy Bear APT utilized a legitimate tool called Ngrok to obfuscate their activities and communicate with compromised systems, making detection and attribution more challenging. (Cyware)
November 15, 2023 – Breach
Rackspace Records $5M in Expenses Related to 2022 Ransomware Attack
Abstract
The attack disrupted email access for customers, leading to the discontinuation of the Hosted Exchange product. Rackspace expects to receive $5.4 million in insurance reimbursement, but the timing may differ from expense recognition. (Cyware)
November 14, 2023 – Attack
Researchers Uncover Info-Stealing Campaign Targeting Gaming Community
Abstract
A targeted campaign against the gaming community exploits Discord channels and fake download sites to distribute several types of information-stealing malware. Multiple information stealer families, including BBy Stealer, Nova Sentinel, Doenerium, and Epsilon Stealer, were identified. To counter similar th ... (Cyware)
November 14, 2023 – Vulnerabilities
CacheWarp Attack: New Vulnerability in AMD SEV Exposes Encrypted VMs
Abstract
A group of academics has disclosed a new "software fault attack" on AMD's Secure Encrypted Virtualization (SEV) technology that could be potentially exploited by threat actors to infiltrate encrypted virtual machines (VMs) and even perform privilege escalation. The attack has been codenamed CacheWarp (CVE-2023-20592) by researchers from the CISPA Helmholtz Center for Information Security. It impacts AMD CPUs supporting all variants of SEV. "For this research, we specifically looked at AMD's newest TEE, AMD SEV-SNP, relying on the experience from previous attacks on Intel's TEE," security researcher Ruiyi Zhang told The Hacker News. "We found the 'INVD' instruction [flush a processor's cache contents] could be abused under the threat model of AMD SEV." SEV, an extension to the AMD-V architecture and introduced in 2016, is designed to isolate VMs from the hypervisor by encrypting the memory contents of the VM with a unique ... (The Hacker News)
November 14, 2023 – Government
Royal Ransomware Rebrands as BlackSuit - Warn FBI and CISA
Abstract
The Royal ransomware gang, now known as BlackSuit, has undergone a strategic rebranding, unveiled in a joint advisory by CISA and the FBI. This shift, observed since November 2022, involves advanced encryption methods and sophisticated attack vectors, emphasizing the exploitation of vulnerabilities ... (Cyware)
November 14, 2023 – Education
The Importance of Continuous Security Monitoring for a Robust Cybersecurity Strategy
Abstract
In 2023, the global average cost of a data breach reached $4.45 million. Beyond the immediate financial loss, there are long-term consequences like diminished customer trust, weakened brand value, and derailed business operations. In a world where the frequency and cost of data breaches are skyrocketing, organizations are coming face-to-face with a harsh reality: traditional cybersecurity measures might not be cutting it anymore. Against this backdrop, businesses must find ways to strengthen their measures to safeguard precious data and critical assets. At the heart of this shift lies a key strategy: continuous monitoring.
Understanding Continuous Security Monitoring in Cybersecurity
Continuous monitoring is a dynamic approach that encompasses several techniques to fulfil a multi-layered defense strategy. These techniques can include:
Risk-Based Vulnerability Management (RBVM): Continuous vulnerability assessments across your network with remediation prioritization based on ... (The Hacker News)
November 14, 2023 – Attack
TA402 Uses Complex IronWind Infection Chains to Target Middle East-Based Government Entities
Abstract
TA402 has recently employed a new initial access downloader called IronWind, using various infection chains and delivery methods such as Dropbox links, XLL and RAR file attachments, in order to evade detection. (Cyware)
November 14, 2023 – Denial Of Service
Alert: OracleIV DDoS Botnet Targets Public Docker Engine APIs to Hijack Containers
Abstract
Publicly-accessible Docker Engine API instances are being targeted by threat actors as part of a campaign designed to co-opt the machines into a distributed denial-of-service (DDoS) botnet dubbed OracleIV. "Attackers are exploiting this misconfiguration to deliver a malicious Docker container, built from an image named 'oracleiv_latest' and containing Python malware compiled as an ELF executable," Cado researchers Nate Bill and Matt Muir said. The malicious activity starts with attackers using an HTTP POST request to Docker's API to retrieve a malicious image from Docker Hub, which, in turn, runs a command to retrieve a shell script (oracle.sh) from a command-and-control (C&C) server. Oracleiv_latest purports to be a MySQL image for Docker and has been pulled 3,500 times to date. In a perhaps not-so-surprising twist, the image also includes additional instructions to fetch an XMRig miner and its configuration from the same server. That said, the clo ... (The Hacker News)
November 14, 2023 – Attack
Canadian Banking Tech Giant Moneris Says It Prevented Ransomware Attack
Abstract
The Medusa ransomware gang demanded a $6 million ransom, but Moneris stated that its security team stopped access to critical data and no ransom request was made. The company didn't disclose when the breach was attempted or whether it paid a ransom. (Cyware)
November 14, 2023 – Solution
CI/CD Risks: Protecting Your Software Development Pipelines
Abstract
Have you heard about Dependabot? If not, just ask any developer around you, and they'll likely rave about how it has revolutionized the tedious task of checking and updating outdated dependencies in software projects. Dependabot not only takes care of the checks for you, but also provides suggestions for modifications that can be approved with just a single click. Although Dependabot is limited to GitHub-hosted projects, it has set a new standard for continuous providers to offer similar capabilities. This automation of "administrative" tasks has become a norm, enabling developers to integrate and deploy their work faster than ever before. Continuous integration and deployment workflows have become the cornerstone of software engineering, propelling the DevOps movement to the forefront of the industry. But a recent advisory by security firm Checkmarx sheds light on a concerning incident. Malicious actors have recently attempted to exploit the trust associated with D ... (The Hacker News)
November 14, 2023 – Attack
Denmark Hit With Largest Cyberattack on Record by Exploiting Firewall Vulnerabilities
Abstract
Hackers linked to the Russian GRU targeted Danish critical infrastructure, exploiting vulnerabilities in Zyxel firewalls and demonstrating meticulous planning and coordination. (Cyware)
November 14, 2023 – Phishing
New Campaign Targets Middle East Governments with IronWind Malware
Abstract
Government entities in the Middle East are the target of new phishing campaigns that are designed to deliver a new initial access downloader dubbed IronWind. The activity, detected between July and October 2023, has been attributed by Proofpoint to a threat actor it tracks under the name TA402, which is also known as Molerats, Gaza Cyber Gang, and shares tactical overlaps with a pro-Hamas hacking crew known as APT-C-23 (aka Arid Viper). "When it comes to state-aligned threat actors, North Korea, Russia, China, and Iran generally reap the lion's share of attention," Joshua Miller, senior threat researcher at Proofpoint, said in a statement shared with The Hacker News. "But TA402, a Middle Eastern advanced persistent threat (APT) group that historically has operated in the interests of the Palestinian Territories, has consistently proven to be an intriguing threat actor capable of highly sophisticated cyber espionage with a focus on intelligence collection ... (The Hacker News)
November 14, 2023 – Outage
Ransomware Attack on Ohio City Impacts Multiple Services
Abstract
The ransomware attack on the city of Huber Heights, Ohio, affected various city divisions but not public safety services. City services are expected to be down for at least a week, and residents are advised to check the city website for updates. (Cyware)
November 14, 2023 – Attack
Vietnamese Hackers Using New Delphi-Powered Malware to Target Indian Marketers
Abstract
The Vietnamese threat actors behind the Ducktail stealer malware have been linked to a new campaign that ran between March and early October 2023, targeting marketing professionals in India with an aim to hijack Facebook business accounts. "An important feature that sets it apart is that, unlike previous campaigns, which relied on .NET applications, this one used Delphi as the programming language," Kaspersky said in a report published last week. Ducktail, alongside Duckport and NodeStealer, is part of a cybercrime ecosystem operating out of Vietnam, with the attackers primarily using sponsored ads on Facebook to propagate malicious ads and deploy malware capable of plundering victims' login cookies and ultimately taking control of their accounts. Such attacks primarily single out users who may have access to a Facebook Business account. The fraudsters then use the unauthorized access to place advertisements for financial gain, perpetuating the infections fur ... (The Hacker News)
November 14, 2023 – Government
US Agencies Warn Royal Ransomware Gang May Rebrand as 'BlackSuit'
Abstract
There are indications that Royal may be preparing for a re-branding effort and/or a spinoff variant. BlackSuit ransomware shares a number of identified coding characteristics similar to Royal. (Cyware)
November 13, 2023 – Attack
Lorenz Ransomware Gang Hit Texas-Based Cogdell Memorial Hospital
Abstract
The Lorenz extortion group has targeted and leaked data from the Texas-based Cogdell Memorial Hospital, adding to the rising number of ransomware attacks on healthcare organizations in the US. (Cyware)
November 13, 2023 – Ransomware
New Ransomware Group Emerges with Hive's Source Code and Infrastructure
Abstract
The threat actors behind a new ransomware group called Hunters International have acquired the source code and infrastructure from the now-dismantled Hive operation to kick-start its own efforts in the threat landscape. "It appears that the leadership of the Hive group made the strategic decision to cease their operations and transfer their remaining assets to another group, Hunters International," Martin Zugec, technical solutions director at Bitdefender, said in a report published last week. Hive, once a prolific ransomware-as-a-service (RaaS) operation, was taken down as part of a coordinated law enforcement operation in January 2023. While it's common for ransomware actors to regroup, rebrand, or disband their activities following such seizures, what can also happen is that the core developers can pass on the source code and other infrastructure in their possession to another threat actor. Reports about Hunters International as a possible Hive rebrand sur ... (The Hacker News)
November 13, 2023 – Breach
Chess.com Faces Second Data Leak; 476,000 Scraped User Records Leaked
Abstract
The leaked data includes personal details such as full names, email addresses, usernames, and profile links, posing a significant threat to Chess.com users for potential identity theft and phishing attacks. (Cyware)
November 13, 2023 – General
Top 5 Marketing Tech SaaS Security Challenges
Abstract
Effective marketing operations today are driven by the use of Software-as-a-Service (SaaS) applications. Marketing apps such as Salesforce, Hubspot, Outreach, Asana, Monday, and Box empower marketing teams, agencies, freelancers, and subject matter experts to collaborate seamlessly on campaigns and marketing initiatives. These apps serve as the digital command centers for marketing professionals. They house essential go-to-market strategies, and are often connected to live payment systems authorized to spend substantial budgets. Ensuring their security is a complex task, given the multitude of applications, application owners, configurations within each app, users, interconnected apps and more. In this article, we explore the top Marketing SaaS application use cases, from external users and publicly shared links to connected apps and credit cards — and how to ensure the security and integrity of the data stored within them.
1. External Users
Marketing departments frequently grant ... (The Hacker News)
November 13, 2023 – Cryptocurrency
More Than $100 Million Stolen From Poloniex Crypto Platform
Abstract
The platform confirmed the theft and plans to reimburse affected users. Poloniex offered a 5% bounty to the hacker for the return of the funds and urged a response within 7 days. (Cyware)
November 13, 2023 – Attack
Chinese Hackers Launch Covert Espionage Attacks on 24 Cambodian Organizations
Abstract
Cybersecurity researchers have discovered what they say is malicious cyber activity orchestrated by two prominent Chinese nation-state hacking groups targeting 24 Cambodian government organizations. "This activity is believed to be part of a long-term espionage campaign," Palo Alto Networks Unit 42 researchers said in a report last week. "The observed activity aligns with geopolitical goals of the Chinese government as it seeks to leverage their strong relations with Cambodia to project their power and expand their naval operations in the region." Targeted organizations include defense, election oversight, human rights, national treasury and finance, commerce, politics, natural resources, and telecommunications. The assessment stems from the persistent nature of inbound network connections originating from these entities to a China-linked adversarial infrastructure that masquerades as cloud backup and storage services over a "period of several months." ... (The Hacker News)
November 13, 2023 – APT
North Korea-Linked APT Sapphire Sleet Targets IT Job Seekers
Abstract
They have created fake skills assessment portals to trick recruiters into registering for an account. Previously, they used platforms like LinkedIn and employed lures related to skills assessment. (Cyware)
November 13, 2023 – Phishing
Major Phishing-as-a-Service Syndicate 'BulletProofLink' Dismantled by Malaysian Authorities
Abstract
Malaysian law enforcement authorities have announced the takedown of a phishing-as-a-service (PhaaS) operation called BulletProofLink. The Royal Malaysia Police said the effort, which was carried out with assistance from the Australian Federal Police (AFP) and the U.S. Federal Bureau of Investigation (FBI) on November 6, 2023, was based on information that the threat actors behind the platform were based out of the country. To that end, eight individuals aged between 29 and 56, including the syndicate's mastermind, have been arrested across different locations in Sabah, Selangor, Perak, and Kuala Lumpur, New Straits Times reported. Along with the arrests, authorities confiscated servers, computers, jewelry, vehicles, and cryptocurrency wallets containing approximately $213,000. BulletProofLink, also called BulletProftLink, is known for offering ready-to-use phishing templates on a subscription basis to other actors for conducting credential harvesting campaigns. These ... (The Hacker News)
November 13, 2023 – Malware
CherryBlos Malware Steals Cryptocurrency via Your Photos
Abstract
CherryBlos is a family of Android malware that can steal cryptocurrency by extracting sensitive information from photos on a user's phone. This includes details related to cryptocurrency wallets, such as recovery phrases. (Cyware)
November 13, 2023 – Malware
New BiBi-Windows Wiper Targets Windows Systems in Pro-Hamas Attacks
Abstract
Cybersecurity researchers have warned about a Windows version of a wiper malware that was previously observed targeting Linux systems in cyber attacks aimed at Israel. Dubbed BiBi-Windows Wiper by BlackBerry, the wiper is the Windows counterpart of BiBi-Linux Wiper, which has been put to use by a pro-Hamas hacktivist group in the wake of the Israel-Hamas war last month. "The Windows variant [...] confirms that the threat actors who created the wiper are continuing to build out the malware, and indicates an expansion of the attack to target end user machines and application servers," the Canadian company said Friday. A Slovak cybersecurity firm is tracking the actor behind the wiper under the name BiBiGun, noting that the Windows variant (bibi.exe) is designed to overwrite data in the C:\Users directory recursively with junk data and appends .BiBi to the filename. The BiBi-Windows Wiper artifact is said to have been compiled on October 21, 2023, two weeks after the ... (The Hacker News)
November 13, 2023 – Breach
Personal Information Impacted in Breach of Computer Network, Butler County Says
Abstract
The county is conducting a review to determine the extent of the breach, identify those affected, and will provide written notice and credit monitoring services to impacted individuals. (Cyware)
November 11, 2023 – Phishing
Microsoft Warns of Fake Skills Assessment Portals Targeting IT Job Seekers
Abstract
A sub-cluster within the infamous Lazarus Group has established new infrastructure that impersonates skills assessment portals as part of its social engineering campaigns. Microsoft attributed the activity to a threat actor it calls Sapphire Sleet, describing it as a "shift in the persistent actor's tactics." Sapphire Sleet, also called APT38, BlueNoroff, CageyChameleon, and CryptoCore, has a track record of orchestrating cryptocurrency theft via social engineering. Earlier this week, Jamf Threat Labs linked the threat actor to a new macOS malware family called ObjCShellz that's assessed to be a late-stage payload delivered in connection with another macOS malware known as RustBucket. "Sapphire Sleet typically finds targets on platforms like LinkedIn and uses lures related to skills assessment," the Microsoft Threat Intelligence team said in a series of posts on X (formerly Twitter). "The threat actor then moves successful communication ... (The Hacker News)
November 11, 2023 – Phishing
Spammers Abuse Google Forms Quizzes to Perform Scams
Abstract
Cisco's Talos Intelligence blog reveals a sophisticated spam exploit using Google Forms' quiz results feature, collecting email addresses subtly via a quiz template. The spammer leverages Google's infrastructure to send phishing emails, bypassing spam blockers until Google addresses this method, ul ... (Cyware)
November 11, 2023 – Outage
Cyberattack Continues to Affect Operations at Tri-City Medical Center in San Diego
Abstract
The hospital has taken its information systems offline and is working with cybersecurity specialists and law enforcement to restore functionality, but it is unclear if a ransom has been demanded or if patient data has been compromised. (Cyware)
November 11, 2023 – Outage
After ChatGPT, Anonymous Sudan Took Down Cloudflare Website
Abstract
The attack caused intermittent connectivity issues for a few minutes but did not impact any services or products provided by Cloudflare. The group claims to have used the Skynet and Godzilla botnets for the recent attacks. (Cyware)
November 11, 2023 – Breach
Update: McLaren Health Care Revealed That a Data Breach Impacted 2.2 Million People
Abstract
The ALPHV/BlackCat ransomware group claimed responsibility for the breach and accused McLaren of attempting to cover it up, stating that they still have access to the organization's network. (Cyware)
November 11, 2023 – Outage
Washington State Department of Transportation Working To Recover From Cyberattack
Abstract
The cause of the cyberattack is under investigation, and while some parts of the website are back up, certain features such as the travel map and online freight permits remain out of service. (Cyware)
November 11, 2023 – APT
New APT Group DarkCasino and the Global Surge in WinRAR 0-Day Exploits
Abstract
DarkCasino exploited a WinRAR 0-day vulnerability (CVE-2023-38831) to launch phishing attacks against forum users, posing a significant threat due to the large installed base and difficulty in identifying and defending against these attacks. (Cyware)
November 10, 2023 – APT
Russian Hackers Sandworm Cause Power Outage in Ukraine Amidst Missile Strikes
Abstract
The notorious Russian hackers known as Sandworm targeted an electrical substation in Ukraine last year, causing a brief power outage in October 2022. The findings come from Google's Mandiant, which described the hack as a "multi-event cyber attack" leveraging a novel technique for impacting industrial control systems (ICS). "The actor first used OT-level living-off-the-land (LotL) techniques to likely trip the victim's substation circuit breakers, causing an unplanned power outage that coincided with mass missile strikes on critical infrastructure across Ukraine," the company said. "Sandworm later conducted a second disruptive event by deploying a new variant of CaddyWiper in the victim's IT environment." The threat intelligence firm did not reveal the location of the targeted energy facility, the duration of the blackout, and the number of people who were impacted by the incident. The development marks Sandworm's continuous ... (The Hacker News)
November 10, 2023 – General
The New 80/20 Rule for SecOps: Customize Where it Matters, Automate the Rest
Abstract
There is a seemingly never-ending quest to find the right security tools that offer the right capabilities for your organization. SOC teams tend to spend about a third of their day on events that don't pose any threat to their organization, and this has accelerated the adoption of automated solutions to take the place of (or augment) inefficient and cumbersome SIEMs. With an estimated 80% of these threats being common across most organizations, today's SOCs are able to confidently rely on automation to cover this large percentage of threat signals. But, while it is true that automation can greatly improve the efficiency and effectiveness of security teams, it will never be able to cover all detection and response use cases infallibly. In the recently released GigaOm Radar for Autonomous Security Operations Center (SOC), they accurately state that "the SOC will not—and should not—be fully autonomous." As more vendors attempt to challenge the dominant players in the SIEM c ... (The Hacker News)
November 10, 2023 – Vulnerabilities
Alert: 'Effluence' Backdoor Persists Despite Patching Atlassian Confluence Servers
Abstract
Cybersecurity researchers have discovered a stealthy backdoor named Effluence that's deployed following the successful exploitation of a recently disclosed security flaw in Atlassian Confluence Data Center and Server. "The malware acts as a persistent backdoor and is not remediated by applying patches to Confluence," Aon's Stroz Friedberg Incident Response Services said in an analysis published earlier this week. "The backdoor provides capability for lateral movement to other network resources in addition to exfiltration of data from Confluence. Importantly, attackers can access the backdoor remotely without authenticating to Confluence." The attack chain documented by the cybersecurity entity entailed the exploitation of CVE-2023-22515 (CVSS score: 10.0), a critical bug in Atlassian that could be abused to create unauthorized Confluence administrator accounts and access Confluence servers. Atlassian has since disclosed a second flaw known as CV ... (The Hacker News)
November 10, 2023 – Hacker
Iran-Linked Imperial Kitten Cyber Group Targeting Middle East's Tech Sectors
Abstract
A group with links to Iran targeted transportation, logistics, and technology sectors in the Middle East, including Israel, in October 2023 amid a surge in Iranian cyber activity since the onset of the Israel-Hamas war. The attacks have been attributed by CrowdStrike to a threat actor it tracks under the name Imperial Kitten, and which is also known as Crimson Sandstorm (previously Curium), TA456, Tortoiseshell, and Yellow Liderc. The latest findings from the company build on prior reports from Mandiant, ClearSky, and PwC, the latter of which also detailed instances of strategic web compromises (aka watering hole attacks) leading to the deployment of IMAPLoader on infected systems. "The adversary, active since at least 2017, likely fulfills Iranian strategic intelligence requirements associated with IRGC operations," CrowdStrike said in a technical report. "Its activity is characterized by its use of social engineering, particularly job recruitment-themed content, to deli ... (The Hacker News)
November 10, 2023 – Malware
Stealthy Kamran Spyware Targeting Urdu-speaking Users in Gilgit-Baltistan
Abstract
Urdu-speaking readers of a regional news website that caters to the Gilgit-Baltistan region have likely emerged as a target of a watering hole attack designed to deliver a previously undocumented Android spyware dubbed Kamran. The campaign, ESET has discovered, leverages Hunza News (urdu.hunzanews[.]net), which, when opened on a mobile device, prompts visitors of the Urdu version to install its Android app directly hosted on the website. The app, however, incorporates malicious espionage capabilities, with the attack compromising at least 20 mobile devices to date. It has been available on the website since sometime between January 7 and March 21, 2023, around when massive protests were held in the region over land rights, taxation, and extensive power cuts. The malware, activated upon package installation, requests intrusive permissions, allowing it to harvest sensitive information from the devices. This includes contacts, call logs, calendar events, location informa ... (The Hacker News)
November 10, 2023 – Attack
Industrial and Commercial Bank of China Dealing With LockBit Ransomware Attack
Abstract
ICBC informed clients that a cybersecurity issue would require them to reroute trades and temporarily stop accepting orders. The attack highlights the vulnerability of critical infrastructure providers, such as the financial sector. (Cyware)
November 9, 2023 – Breach
Medical Transcription Hack Affects 1.2 Million Chicagoans
Abstract
The breach exposed sensitive patient data, including names, birthdates, addresses, medical information, and potentially Social Security numbers, emphasizing the risk of identity theft and healthcare fraud. (Cyware)
November 9, 2023 – Attack
Zero-Day Alert: Lace Tempest Exploits SysAid IT Support Software Vulnerability
Abstract
The threat actor known as Lace Tempest has been linked to the exploitation of a zero-day flaw in SysAid IT support software in limited attacks, according to new findings from Microsoft. Lace Tempest, which is known for distributing the Cl0p ransomware, has in the past leveraged zero-day flaws in MOVEit Transfer and PaperCut servers. The issue, tracked as CVE-2023-47246, concerns a path traversal flaw that could result in code execution within on-premises installations. It has been patched by SysAid in version 23.3.36 of the software. "After exploiting the vulnerability, Lace Tempest issued commands via the SysAid software to deliver a malware loader for the Gracewire malware," Microsoft said. "This is typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment." According to SysAid, the threat actor has been observed uploading a WAR archive containing a web shell and other payloads into the webroot ... (The Hacker News)
November 9, 2023 – Phishing
Threat Actors Impersonate Windows News Portal to Distribute RedLine Stealer
Abstract
A new malvertising campaign has been observed wherein threat actors are copying a legitimate Windows news portal to promote a malicious installer for the popular processor tool CPU-Z. Based on the infrastructure, domain names, and cloaking templates used, researchers believe the incident is part o ... (Cyware)
November 9, 2023 – Malware
New Malvertising Campaign Uses Fake Windows News Portal to Distribute Malicious Installers
Abstract
A new malvertising campaign has been found to employ fake sites that masquerade as a legitimate Windows news portal to propagate a malicious installer for a popular system profiling tool called CPU-Z. "This incident is a part of a larger malvertising campaign that targets other utilities like Notepad++, Citrix, and VNC Viewer as seen in its infrastructure (domain names) and cloaking templates used to avoid detection," Malwarebytes' Jérôme Segura said. While malvertising campaigns are known to set up replica sites advertising widely-used software, the latest activity marks a deviation in that the website mimics WindowsReport[.]com. The goal is to trick unsuspecting users searching for CPU-Z on search engines like Google by serving malicious ads that, when clicked, redirect them to the fake portal (workspace-app[.]online). At the same time, users who are not the intended victims of the campaign are served an innocuous blog with different articles, a technique known a ... (The Hacker News)
November 9, 2023 – Malware
New BlazeStealer Malware in PyPI Targets Developers
Abstract
A new set of malicious Python packages has been discovered on the Python Package Index (PyPI) repository. These packages masquerade as harmless obfuscation tools but contain a malware called BlazeStealer. The campaign started in January 2023 and includes eight packages. Developers must stay ale ... (Cyware)
November 9, 2023 – Solution
When Email Security Meets SaaS Security: Uncovering Risky Auto-Forwarding Rules
Abstract
While intended for convenience and efficient communication, email auto-forwarding rules can inadvertently lead to the unauthorized dissemination of sensitive information to external entities, putting confidential data at risk of exposure to unauthorized parties. Wing Security (Wing), a SaaS security company, announced yesterday that their SaaS shadow IT discovery methods now include a solution that solves for auto-email forwarding as well. While Wing's shadow IT solution is offered as a free tool that can be onboarded and used as a self-service, users willing to upgrade will be able to enjoy the company's new Gmail and Outlook integrations, which broaden the company's discovery capabilities and extend their data security features.
The risks of email auto-forwarding rules
Auto-forwarding emails is a great way to save time on repetitive tasks and is therefore very popular among employees who regularly collaborate and share information with external business partners. (The Hacker News)
November 9, 2023 – APT
Russian Sandworm APT Group Caused Power Outage in October 2022
Abstract
The attack was not driven by military necessity but rather aimed to increase the psychological toll of the war, showcasing Russia's focus on disrupting and degrading military readiness through cyber means. (Cyware)
November 09, 2023 – Malware
MuddyC2Go: New C2 Framework Iranian Hackers Using Against Israel
Abstract
Iranian nation-state actors have been observed using a previously undocumented command-and-control (C2) framework called MuddyC2Go as part of attacks targeting Israel. "The framework's web component is written in the Go programming language," Deep Instinct security researcher Simon Kenin said in a technical report published Wednesday. The tool has been attributed to MuddyWater, an Iranian state-sponsored hacking crew that's affiliated to the country's Ministry of Intelligence and Security (MOIS). The cybersecurity firm said the C2 framework may have been put to use by the threat actor since early 2020, with recent attacks leveraging it in place of PhonyC2, another custom C2 platform from MuddyWater that came to light in June 2023 and has had its source code leaked. Typical attack sequences observed over the years have involved sending spear-phishing emails bearing malware-laced archives or bogus links that lead to the deployment of legitimate (The Hacker News)
November 9, 2023 – Vulnerabilities
SysAid Zero-Day Vulnerability Exploited by Ransomware Group
Abstract
The vulnerability, tracked as CVE-2023-47246, allows for arbitrary code execution and has been exploited by a threat actor known as Lace Tempest, who is associated with the deployment of Cl0p ransomware. (Cyware)
November 09, 2023 – Government
CISA Alerts: High-Severity SLP Vulnerability Now Under Active Exploitation
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a high-severity flaw in the Service Location Protocol (SLP) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2023-29552 (CVSS score: 7.5), the issue relates to a denial-of-service (DoS) vulnerability that could be weaponized to launch massive DoS amplification attacks. It was disclosed by Bitsight and Curesec earlier this April. "The Service Location Protocol (SLP) contains a denial-of-service (DoS) vulnerability that could allow an unauthenticated, remote attacker to register services and use spoofed UDP traffic to conduct a denial-of-service (DoS) attack with a significant amplification factor," CISA said. SLP is a protocol that allows systems on a local area network (LAN) to discover each other and establish communications. The exact details surrounding the nature of exploitation of the flaw are currently unknown, bu (The Hacker News)
November 9, 2023 – Outage
Council for Scottish Islands Faces IT Outage After ‘Incident’
Abstract
Organizations must urgently apply the patch for the Citrix vulnerability, CitrixBleed, and actively hunt for any malicious activity to prevent session hijacking and data breaches. (Cyware)
November 8, 2023 – Breach
Sumo Logic Urges Users to Change Credentials Due to Security Breach
Abstract
The company revealed on Tuesday that a “potential security incident” discovered on November 3 involved unauthorized access to a Sumo Logic AWS account through the use of compromised credentials. (Cyware)
November 08, 2023 – Cryptocurrency
Researchers Uncover Undetectable Crypto Mining Technique on Azure Automation
Abstract
Cybersecurity researchers have developed what's the first fully undetectable cloud-based cryptocurrency miner leveraging the Microsoft Azure Automation service without racking up any charges. Cybersecurity company SafeBreach said it discovered three different methods to run the miner, including one that can be executed on a victim's environment without attracting any attention. "While this research is significant because of its potential impact on cryptocurrency mining, we also believe it has serious implications for other areas, as the techniques could be used to achieve any task that requires code execution on Azure," security researcher Ariel Gamrian said in a report shared with The Hacker News. The study mainly set out to identify an "ultimate crypto miner" that offers unlimited access to computational resources, while simultaneously requiring little-to-no maintenance, is cost-free, and undetectable. That's where Azure Automation comes in. (The Hacker News)
November 8, 2023 – Vulnerabilities
Royal Mail Jeopardizes Users With Open Redirect Flaw
Abstract
“The vulnerability can be exploited by attackers to trick users into visiting malicious websites or phishing pages by disguising the malicious URL as a legitimate one,” Cybernews researchers explained. (Cyware)
November 08, 2023 – Privacy
WhatsApp Introduces New Privacy Feature to Protect IP Address in Calls
Abstract
Meta-owned WhatsApp is officially rolling out a new privacy feature in its messaging service called "Protect IP Address in Calls" that masks users' IP addresses to other parties by relaying the calls through its servers. "Calls are end-to-end encrypted, so even if a call is relayed through WhatsApp servers, WhatsApp cannot listen to your calls," the company said in a statement shared with The Hacker News. The core idea is to make it harder for bad actors in the call to infer a user's location by securely relaying the connection through WhatsApp servers. However, a tradeoff to enabling the privacy option is a slight dip in call quality. Viewed in that light, it's akin to Apple's iCloud Private Relay, which adds an anonymity layer by routing users' Safari browsing sessions through two secure internet relays. It's worth noting that the "Protect IP Address in Calls" feature has been under development since at least late Augu (The Hacker News)
November 8, 2023 – APT
Chinese APTs Targeting Cambodian Government
Abstract
By monitoring telemetry associated with two prominent Chinese APT groups, researchers observed network connections predominately originating from Cambodia, including inbound connections originating from at least 24 Cambodian government organizations. (Cyware)
November 08, 2023 – Malware
Beware, Developers: BlazeStealer Malware Discovered in Python Packages on PyPI
Abstract
A new set of malicious Python packages has slithered their way to the Python Package Index (PyPI) repository with the ultimate aim of stealing sensitive information from compromised developer systems. The packages masquerade as seemingly innocuous obfuscation tools, but harbor a piece of malware called BlazeStealer, Checkmarx said in a report shared with The Hacker News. "[BlazeStealer] retrieves an additional malicious script from an external source, enabling a Discord bot that gives attackers complete control over the victim's computer," security researcher Yehuda Gelb said. The campaign, which commenced in January 2023, entails a total of eight packages named Pyobftoexe, Pyobfusfile, Pyobfexecute, Pyobfpremium, Pyobflite, Pyobfadvance, Pyobfuse, and pyobfgood, the last of which was published in October. These modules come with setup.py and init.py files that are designed to retrieve a Python script hosted on transfer[.]sh, which gets executed immediately upon (The Hacker News)
November 8, 2023 – Breach
Japan Aviation Electronics Says Servers Accessed During Cyberattack
Abstract
On Monday evening, the maker of electronics and aerospace products replaced its website with a static message indicating some of its servers were accessed by hackers last Thursday. (Cyware)
November 08, 2023 – Education
Guide: How vCISOs, MSPs and MSSPs Can Keep their Customers Safe from Gen AI Risks
Abstract
Download the free guide, "It's a Generative AI World: How vCISOs, MSPs and MSSPs Can Keep their Customers Safe from Gen AI Risks." ChatGPT now boasts anywhere from 1.5 to 2 billion visits per month. Countless sales, marketing, HR, IT executive, technical support, operations, finance and other functions are feeding data prompts and queries into generative AI engines. They use these tools to write articles, create content, compose emails, answer customer questions and generate plans and strategies. However, gen AI usage is happening far in advance of efforts to implement safeguards and cybersecurity constraints. Three primary areas of security concern associated with generative AI are: sensitive data included in gen AI scripts, outcomes produced by these tools that may put an organization at risk, and potential hazards related to utilizing third-party generative AI tools. Unchecked AI usage in organizations can lead to: Major data breaches. Compromised identities (The Hacker News)
November 8, 2023 – Breach
Hacker Leaks 35 Million Scraped LinkedIn User Records
Abstract
The contents of the leaked database on BreachForums, as observed by Hackread.com, include publicly available information from LinkedIn profiles, containing full names and profile bios. (Cyware)
November 08, 2023 – Education
Webinar: Kickstarting Your SaaS Security Strategy & Program
Abstract
SaaS applications make up 70% of total company software usage, and as businesses increase their reliance on SaaS apps, they also increase their reliance on those applications being secure. These SaaS apps store an incredibly large volume of data so safeguarding the organization's SaaS app stack and data within is paramount. Yet, the path to implementing an effective SaaS security program is not straightforward. There are numerous potential attack vectors. Security teams need to handle the challenge of gaining control over a diverse range of applications, each having its own unique characteristics. Additionally, the SaaS app environments are dynamic and the proactive configurations needing adjustments from updates, onboarding, deprovisioning, changing roles and permissions and much more, is endless. If that's not enough complexity, these applications are managed by various business departments, making it impractical for the security team to exercise complete control. Jo (The Hacker News)
November 8, 2023 – Encryption
Outdated Cryptographic Protocols Put Vast Amounts of Network Traffic at Risk
Abstract
A recent study by Quantum Xchange reveals that a large percentage of network traffic has encryption flaws due to the use of older protocols like TLS 1.0 and SSL v3 and is unencrypted, posing a significant risk to businesses. (Cyware)
November 08, 2023 – Ransomware
Experts Expose Farnetwork’s Ransomware-as-a-Service Business Model
Abstract
Cybersecurity researchers have unmasked a prolific threat actor known as farnetwork, who has been linked to five different ransomware-as-a-service (RaaS) programs over the past four years in various capacities. Singapore-headquartered Group-IB, which attempted to infiltrate a private RaaS program that uses the Nokoyawa ransomware strain, said it underwent a "job interview" process with the threat actor, learning several valuable insights into their background and role within those RaaS programs. "Throughout the threat actor's cybercriminal career, which began in 2019, farnetwork has been involved in several connected ransomware projects, including JSWORM, Nefilim, Karma, and Nemty, as part of which they helped develop ransomware and manage the RaaS programs before launching their own RaaS program based on Nokoyawa ransomware," Nikolay Kichatov, threat intelligence analyst at Group-IB, said. The latest disclosure comes nearly six months after the cyber (The Hacker News)
November 7, 2023 – Outage
Pro-Palestinian Hackers Group ‘Soldiers of Solomon’ Disrupted the Production Cycle of the Largest Israeli Flour Production Plant
Abstract
This attack on the flour plant is part of a series of cyber attacks by the group on Israeli organizations, including a successful attack on the Ashalim Power Station and taking control of military servers and systems. (Cyware)
November 07, 2023 – APT
N. Korea’s BlueNoroff Blamed for Hacking macOS Machines with ObjCShellz Malware
Abstract
The North Korea-linked nation-state group called BlueNoroff has been attributed to a previously undocumented macOS malware strain dubbed ObjCShellz. Jamf Threat Labs, which disclosed details of the malware, said it's used as part of the RustBucket malware campaign, which came to light earlier this year. "Based on previous attacks performed by BlueNoroff, we suspect that this malware was a late stage within a multi-stage malware delivered via social engineering," security researcher Ferdous Saljooki said in a report shared with The Hacker News. BlueNoroff, also tracked under the names APT38, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and TA444, is a subordinate element of the infamous Lazarus Group that specializes in financial crime, targeting banks and the crypto sector as a way to evade sanctions and generate illicit profits for the regime. The development arrives days after Elastic Security Labs disclosed the Lazarus Group's use of a new ma (The Hacker News)
November 7, 2023 – Breach
Update: Ransomware Gang Leaks Data Allegedly Stolen From Canadian Hospitals
Abstract
Five Canadian hospitals have confirmed that patient and employee data stolen in a ransomware attack has been leaked online, impacting millions of patient visits and employee information. (Cyware)
November 07, 2023 – Malware
New GootLoader Malware Variant Evades Detection and Spreads Rapidly
Abstract
A new variant of the GootLoader malware called GootBot has been found to facilitate lateral movement on compromised systems and evade detection. "The GootLoader group's introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2 such as CobaltStrike or RDP," IBM X-Force researchers Golo Mühr and Ole Villadsen said. "This new variant is a lightweight but effective malware allowing attackers to rapidly spread throughout the network and deploy further payloads." GootLoader, as the name implies, is a malware capable of downloading next-stage malware after luring potential victims using search engine optimization (SEO) poisoning tactics. It's linked to a threat actor tracked as Hive0127 (aka UNC2565). The use of GootBot points to a tactical shift, with the implant downloaded as a payload after a Gootloader infection in lieu of post-exploitation frameworks such (The Hacker News)
November 7, 2023 – Vulnerabilities
37 Vulnerabilities Patched in Android With November 2023 Security Updates
Abstract
The November 2023 Android security update addresses high-severity vulnerabilities in the System component, with additional fixes for Arm, MediaTek, and Qualcomm components. (Cyware)
November 07, 2023 – General
Confidence in File Upload Security is Alarmingly Low. Why?
Abstract
Numerous industries—including technology, financial services, energy, healthcare, and government—are rushing to incorporate cloud-based and containerized web applications. The benefits are undeniable; however, this shift presents new security challenges. OPSWAT's 2023 Web Application Security report reveals: 75% of organizations have modernized their infrastructure this year. 78% have increased their security budgets. Yet just 2% are confident in their security posture. Let's explore why confidence in security lags infrastructure upgrades and how OPSWAT closes that gap. Evolving Infrastructure Outpaces Security Upgrades. The pace of security upgrades struggles to keep up with technological advancements. This gap is especially visible in file upload security. Companies are updating their infrastructure by embracing distributed, scalable applications that leverage microservices and cloud solutions—creating new avenues of attack for criminals. Cloud Hosting Businesse (The Hacker News)
November 7, 2023 – Breach
Online Store Zhefengle Exposed Millions of Chinese Citizen IDs
Abstract
The database contained over 3.3 million orders from 2015 to 2020, many of which included uploaded copies of customers' government-issued identity cards. The vulnerability was addressed after a security researcher notified the store owners. (Cyware)
November 07, 2023 – General
Offensive and Defensive AI: Let’s Chat(GPT) About It
Abstract
ChatGPT: Productivity tool, great for writing poems, and… a security risk?! In this article, we show how threat actors can exploit ChatGPT, but also how defenders can use it for leveling up their game. ChatGPT is the most swiftly growing consumer application to date. The extremely popular generative AI chatbot has the ability to generate human-like, coherent and contextually relevant responses. This makes it very valuable for applications like content creation, coding, education, customer support, and even personal assistance. However, ChatGPT also comes with security risks. ChatGPT can be used for data exfiltration, spreading misinformation, developing cyber attacks and writing phishing emails. On the flip side, it can help defenders who can use it for identifying vulnerabilities and learning about various defenses. In this article, we show numerous ways attackers can exploit ChatGPT and the OpenAI Playground. Just as importantly, we show ways that defenders can leverage ChatGPT t (The Hacker News)
November 7, 2023 – General
How Global Password Practices are Changing
Abstract
Password health and hygiene have improved globally over the past year, reducing the risk of account takeover. However, password reuse remains prevalent, making user accounts vulnerable to password-spraying attacks. (Cyware)
November 07, 2023 – Attack
SideCopy Exploiting WinRAR Flaw in Attacks Targeting Indian Government Entities
Abstract
The Pakistan-linked threat actor known as SideCopy has been observed leveraging the recent WinRAR security vulnerability in its attacks targeting Indian government entities to deliver various remote access trojans such as AllaKore RAT, Ares RAT, and DRat. Enterprise security firm SEQRITE described the campaign as multi-platform, with the attacks also designed to infiltrate Linux systems with a compatible version of Ares RAT. SideCopy, active since at least 2019, is known for its attacks on Indian and Afghanistan entities. It's suspected to be a sub-group of the Transparent Tribe (aka APT36) actor. "Both SideCopy and APT36 share infrastructure and code to aggressively target India," SEQRITE researcher Sathwik Ram Prakki said in a Monday report. Earlier this May, the group was linked to a phishing campaign that took advantage of lures related to India's Defence Research and Development Organization (DRDO) to deliver information-stealing malware. Since (The Hacker News)
November 07, 2023 – Attack
Experts Warn of Ransomware Hackers Exploiting Atlassian and Apache Flaws
Abstract
Multiple ransomware groups have begun to actively exploit recently disclosed flaws in Atlassian Confluence and Apache ActiveMQ. Cybersecurity firm Rapid7 said it observed the exploitation of CVE-2023-22518 and CVE-2023-22515 in multiple customer environments, some of which have been leveraged for the deployment of Cerber (aka C3RB3R) ransomware. Both vulnerabilities are critical, allowing threat actors to create unauthorized Confluence administrator accounts and lead to data loss. Atlassian, on November 6, updated its advisory to note that it observed "several active exploits and reports of threat actors using ransomware" and that it is revising the CVSS score of the flaw from 9.8 to 10.0, indicating maximum severity. The escalation, the Australian company said, is due to the change in the scope of the attack. Attack chains involve mass exploitation of vulnerable internet-facing Atlassian Confluence servers to fetch a malicious payload hosted on a remote s (The Hacker News)
November 7, 2023 – Botnet
Socks5Systemz Proxy Botnet Infects Around 10,000 Systems Worldwide
Abstract
Security experts took the wraps off of Socks5Systemz, a proxy botnet distributed through PrivateLoader and Amadey, affecting approximately 10,000 systems globally. BitSight mapped at least 53 servers of Socks5Systemz, all located in Europe and distributed across France, Bulgaria, Netherlands, and ... (Cyware)
November 07, 2023 – Vulnerabilities
Critical Flaws Discovered in Veeam ONE IT Monitoring Software – Patch Now
Abstract
Veeam has released security updates to address four flaws in its ONE IT monitoring and analytics platform, two of which are rated critical in severity. The list of vulnerabilities is as follows: CVE-2023-38547 (CVSS score: 9.9), an unspecified flaw that can be leveraged by an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database, resulting in remote code execution on the SQL server. CVE-2023-38548 (CVSS score: 9.8), a flaw in Veeam ONE that allows an unprivileged user with access to the Veeam ONE Web Client to obtain the NTLM hash of the account used by the Veeam ONE Reporting Service. CVE-2023-38549 (CVSS score: 4.5), a cross-site scripting (XSS) vulnerability that allows a user with the Veeam ONE Power User role to obtain the access token of a user with the Veeam ONE Administrator role. CVE-2023-41723 (CVSS score: 4.3), a vulnerability in Veeam ONE that permits a user with the Veeam ONE Rea (The Hacker News)
November 6, 2023 – APT
SideCopy APT’s Multi-Platform Onslaught Targets Indian Government and Defense Entities
Abstract
SideCopy is employing phishing tactics and using compromised domains with reused IP addresses to distribute malicious files and deploy malware, including a Linux variant of the Ares RAT, indicating a multi-platform approach in their attacks. (Cyware)
November 06, 2023 – Malware
New Jupyter Infostealer Version Emerges with Sophisticated Stealth Tactics
Abstract
An updated version of an information stealer malware known as Jupyter has resurfaced with "simple yet impactful changes" that aim to stealthily establish a persistent foothold on compromised systems. "The team has discovered new waves of Jupyter Infostealer attacks which leverage PowerShell command modifications and signatures of private keys in attempts to pass off the malware as a legitimately signed file," VMware Carbon Black researchers said in a report shared with The Hacker News. Jupyter Infostealer, also known as Polazert, SolarMarker, and Yellow Cockatoo, has a track record of leveraging manipulated search engine optimization (SEO) tactics and malvertising as an initial access vector to trick users searching for popular software into downloading it from dubious websites. It comes with capabilities to harvest credentials as well as establish encrypted command-and-control (C2) communication to exfiltrate data and execute arbitrary commands. The late (The Hacker News)
November 6, 2023 – Breach
Cyber Intrusion Delays Poll Worker Training in Mississippi’s Largest County Before the Statewide Vote
Abstract
Election officials in Hinds County, Mississippi, had to rush to complete poll worker training after a breach in early September compromised county computers. This caused a delay in processing voter registration forms. (Cyware)
November 06, 2023 – Vulnerabilities
QNAP Releases Patch for 2 Critical Flaws Threatening Your NAS Devices
Abstract
QNAP has released security updates to address two critical security flaws impacting its operating system that could result in arbitrary code execution. Tracked as CVE-2023-23368 (CVSS score: 9.8), the vulnerability is described as a command injection bug affecting QTS, QuTS hero, and QuTScloud. "If exploited, the vulnerability could allow remote attackers to execute commands via a network," the company said in an advisory published over the weekend. The shortcoming spans the below versions: QTS 5.0.x (fixed in QTS 5.0.1.2376 build 20230421 and later); QTS 4.5.x (fixed in QTS 4.5.4.2374 build 20230416 and later); QuTS hero h5.0.x (fixed in QuTS hero h5.0.1.2376 build 20230421 and later); QuTS hero h4.5.x (fixed in QuTS hero h4.5.4.2374 build 20230417 and later); QuTScloud c5.0.x (fixed in QuTScloud c5.0.1.2374 and later). Also fixed by QNAP is another command injection flaw in QTS, Multimedia Console, and Media Streaming add-on (CVE-2023-23369, CVSS score: 9.0) th (The Hacker News)
November 6, 2023 – Encryption
UK’s NCSC Publishes Guidance to Help Firms Prepare for Post-Quantum Cryptography
Abstract
Post-quantum cryptography (PQC) algorithms should be implemented to replace vulnerable traditional public key cryptography (PKC) algorithms to mitigate the threat of quantum computers. (Cyware)
November 06, 2023 – Malware
SecuriDropper: New Android Dropper-as-a-Service Bypasses Google’s Defenses
Abstract
Cybersecurity researchers have shed light on a new dropper-as-a-service (DaaS) for Android called SecuriDropper that bypasses new security restrictions imposed by Google and delivers the malware. Dropper malware on Android is designed to function as a conduit to install a payload on a compromised device, making it a lucrative business model for threat actors, who can advertise the capabilities to other criminal groups. What's more, doing so also allows adversaries to separate the development and execution of an attack from the installation of the malware. "Droppers and the actors behind them are in a constant state of evolution as they strive to outwit evolving security measures," Dutch cybersecurity firm ThreatFabric said in a report shared with The Hacker News. One such security measure introduced by Google with Android 13 is what's called the Restricted Settings, which prevents sideloaded applications from obtaining Accessibility and Notification Listener (The Hacker News)
November 6, 2023 – Government
US, South Korea and Japan Launch Group to Tackle North Korean Hacking
Abstract
The FBI has attributed recent cryptocurrency hacks to North Korean-sponsored threat actors, highlighting the need for increased cybersecurity cooperation among liberal democracies in the Pacific. (Cyware)
November 06, 2023 – Attack
Iranian Hackers Launch Destructive Cyberattacks on Israeli Tech and Education Sectors
Abstract
Israeli higher education and tech sectors have been targeted as part of a series of destructive cyber attacks that commenced in January 2023 with an aim to deploy previously undocumented wiper malware. The intrusions, which took place as recently as October, have been attributed to an Iranian nation-state hacking crew it tracks under the name Agonizing Serpens, which is also known as Agrius, BlackShadow and Pink Sandstorm (previously Americium). "The attacks are characterized by attempts to steal sensitive data, such as personally identifiable information (PII) and intellectual property," Palo Alto Networks Unit 42 said in a new report shared with The Hacker News. "Once the attackers stole the information, they deployed various wipers intended to cover the attackers' tracks and to render the infected endpoints unusable." This includes three different novel wipers such as MultiLayer, PartialWasher, and BFG Agonizer, as well as a bespoke tool to extract inf (The Hacker News)
November 6, 2023 – APT
Iranian APT Targets Israeli Education, Tech Sectors With New Data Wipers
Abstract
An Iranian APT group known as Agrius has been targeting higher education and technology organizations in Israel with destructive attacks and wipers, including MultiLayer, PartialWasher, and BFG Agonizer, since January 2023. (Cyware)
November 06, 2023 – Vulnerabilities
Google Warns How Hackers Could Abuse Calendar Service as a Covert C2 Channel
Abstract
Google is warning of multiple threat actors sharing a public proof-of-concept (PoC) exploit that leverages its Calendar service to host command-and-control (C2) infrastructure. The tool, called Google Calendar RAT (GCR), employs Google Calendar Events for C2 using a Gmail account. It was first published to GitHub in June 2023. "The script creates a 'Covert Channel' by exploiting the event descriptions in Google Calendar," according to its developer and researcher, who goes by the online alias MrSaighnal. "The target will connect directly to Google." The tech giant, in its eighth Threat Horizons report, said it has not observed the use of the tool in the wild, but noted its Mandiant threat intelligence unit has detected several threat actors sharing the PoC on underground forums. "GCR, running on a compromised machine, periodically polls the Calendar event description for new commands, executes those commands on the target device, and then upda (The Hacker News)
November 6, 2023 – General
Healthcare’s Road to Redefining Cybersecurity With Modern Solutions
Abstract
According to a report by Sophos, the rate of data encryption following a ransomware attack in the healthcare sector has reached its highest level in the last three years. (Cyware)
November 06, 2023 – Criminals
U.S. Treasury Sanctions Russian Money Launderer in Cybercrime Crackdown
Abstract
The U.S. Department of the Treasury imposed sanctions against a Russian woman for taking part in the laundering of virtual currency for the country's elites and cybercriminal crews, including the Ryuk ransomware group. Ekaterina Zhdanova, per the department, is said to have facilitated large cross border transactions to assist Russian individuals to gain access to Western financial markets and circumvent international sanctions. "Zhdanova utilizes entities that lack Anti-Money Laundering/Combatting the Financing of Terrorism (AML/CFT) controls, such as OFAC-designated Russian cryptocurrency exchange Garantex Europe OU (Garantex)," the treasury department said last week. "Zhdanova relies on multiple methods of value transfer to move funds internationally. This includes the use of cash and leveraging connections to other international money laundering associates and organizations." It's worth noting that Garantex was previously sanctioned by the U.S. (The Hacker News)
November 4, 2023 – Denial Of Service
Singapore Public Health Services Hit by DDoS Attacks
Abstract
Public healthcare institutions in Singapore experienced disruptions in internet connectivity due to DDoS attacks. Synapxe, the agency overseeing these institutions, stated that there is no evidence of a compromise of healthcare or patient data. (Cyware)
November 04, 2023 – Malware
StripedFly Malware Operated Unnoticed for 5 Years, Infecting 1 Million Devices
Abstract
An advanced strain of malware masquerading as a cryptocurrency miner has managed to fly under the radar for over five years, infecting no less than one million devices around the world in the process. That's according to findings from Kaspersky, which has codenamed the threat StripedFly, describing it as an "intricate modular framework that supports both Linux and Windows." The Russian cybersecurity vendor, which first detected the samples in 2017, said the miner is part of a much larger entity that employs a custom EternalBlue SMBv1 exploit attributed to the Equation Group in order to infiltrate publicly-accessible systems. The malicious shellcode, delivered via the exploit, has the ability to download binary files from a remote Bitbucket repository as well as execute PowerShell scripts. It also supports a collection of plugin-like expandable features to harvest sensitive data and even uninstall itself. The platform's shellcode is injected in the wininit.exe proc (The Hacker News)
November 4, 2023 – Policy and Law
US Sanctions Russian Accused of Laundering Virtual Currency for Ransomware Affiliate
Abstract
The US Treasury Department has sanctioned a Russian woman named Ekaterina Zhdanova for allegedly laundering virtual currency on behalf of Russian elites and cybercriminals, including a Ryuk ransomware affiliate. (Cyware)
November 04, 2023 – Breach
Okta’s Recent Customer Support Data Breach Impacted 134 Customers Full Text
Abstract
Identity and authentication management provider Okta on Friday disclosed that the recent support case management system breach affected 134 of its 18,400 customers. It further noted that the unauthorized intruder gained access to its systems from September 28 to October 17, 2023, and ultimately accessed HAR files containing session tokens that could be used for session hijacking attacks. "The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers," Okta's Chief Security Officer, David Bradbury, said. Three of those affected include 1Password, BeyondTrust, and Cloudflare. 1Password was the first company to report suspicious activity on September 29. Two other unnamed customers were identified on October 12 and October 18. Okta formally revealed the security event on October 20, stating that the threat actor leveraged access to a stolen credential to access Okta's support case management system. Now, theThe Hacker News
November 4, 2023 – Breach
Update: Okta Customer Support System Breach Impacted 134 Customers Full Text
Abstract
The attackers used stolen session tokens from HAR files to hijack the legitimate Okta sessions of five customers. The breach occurred from September 28 to October 17 and affected less than 1% of Okta's customers.Cyware
November 04, 2023 – Solution
Google Play Store Introduces ‘Independent Security Review’ Badge for Apps Full Text
Abstract
Google is rolling out an "Independent security review" badge in the Play Store's Data safety section for Android apps that have undergone a Mobile Application Security Assessment (MASA) audit. "We've launched this banner beginning with VPN apps due to the sensitive and significant amount of user data these apps handle," Nataliya Stanetsky of the Android Security and Privacy Team said. MASA allows developers to have their apps independently validated against a global security standard such as the Mobile Application Security Verification Standard (MASVS), thereby providing more transparency and enabling users to make informed choices prior to downloading them. The efforts are part of Google's broader push to make the Data safety section a one-stop shop that presents a "unified view of app safety," offering details about the kind of data that's being collected, for what purpose, and if it's being shared with third-parties.The Hacker News
November 4, 2023 – Breach
Hilb Group Fears Cybercriminals Stole 81,000 People’s Financial Data Full Text
Abstract
The company discovered suspicious activity in employee email accounts in January 2023 and determined that the breach occurred between December 2022 and January 2023. The stolen data includes names, SSNs, and financial account information.Cyware
November 4, 2023 – Attack
American Airlines Pilot Union Hit With Ransomware Full Text
Abstract
The American Airlines pilot union is actively working to restore their systems and prioritize the security of their operations while keeping their pilots informed about the progress.Cyware
November 4, 2023 – Vulnerabilities
Four Zero-Day Flaws Disclosed in Microsoft Exchange Full Text
Abstract
Researchers have disclosed four zero-day vulnerabilities in Microsoft Exchange that can be exploited remotely, potentially allowing attackers to execute arbitrary code or access sensitive information.Cyware
November 03, 2023 – Attack
Kinsing Actors Exploiting Recent Linux Flaw to Breach Cloud Environments Full Text
Abstract
The threat actors linked to Kinsing have been observed attempting to exploit the recently disclosed Linux privilege escalation flaw called Looney Tunables as part of a "new experimental campaign" designed to breach cloud environments. "Intriguingly, the attacker is also broadening the horizons of their cloud-native attacks by extracting credentials from the Cloud Service Provider (CSP)," cloud security firm Aqua said in a report shared with The Hacker News. The development marks the first publicly documented instance of active exploitation of Looney Tunables (CVE-2023-4911), which could allow a threat actor to gain root privileges. Kinsing actors have a track record of opportunistically and swiftly adapting their attack chains to exploit newly disclosed security flaws to their advantage, having most recently weaponized a high-severity bug in Openfire (CVE-2023-32315) to achieve remote code execution. The latest set of attacks entails exploiting aThe Hacker News
November 03, 2023 – Malware
NodeStealer Malware Hijacking Facebook Business Accounts for Malicious Ads Full Text
Abstract
Compromised Facebook business accounts are being used to run bogus ads that employ "revealing photos of young women" as lures to trick victims into downloading an updated version of a malware called NodeStealer. "Clicking on ads immediately downloads an archive containing a malicious .exe 'Photo Album' file which also drops a second executable written in .NET – this payload is in charge of stealing browser cookies and passwords," Bitdefender said in a report published this week. NodeStealer was first disclosed by Meta in May 2023 as a JavaScript malware designed to facilitate the takeover of Facebook accounts. Since then, the threat actors behind the operation have leveraged a Python-based variant in their attacks. The malware is part of a burgeoning cybercrime ecosystem in Vietnam, where multiple threat actors are leveraging overlapping methods that primarily involve advertising-as-a-vector on Facebook for propagation. The latest campaign discThe Hacker News
November 03, 2023 – General
Predictive AI in Cybersecurity: Outcomes Demonstrate All AI is Not Created Equally Full Text
Abstract
Here is what matters most when it comes to artificial intelligence (AI) in cybersecurity: Outcomes. As the threat landscape evolves and generative AI is added to the toolsets available to defenders and attackers alike, evaluating the relative effectiveness of various AI-based security offerings is increasingly important — and difficult. Asking the right questions can help you spot solutions that deliver value and ROI, instead of just marketing hype. Questions like, "Can your predictive AI tools sufficiently block what's new?" and, "What actually signals success in a cybersecurity platform powered by artificial intelligence?" As BlackBerry's AI and ML (machine learning) patent portfolio attests, BlackBerry is a leader in this space and has developed an exceptionally well-informed point of view on what works and why. Let's explore this timely topic. Evolution of AI in Cybersecurity Some of the earliest uses of ML and AI in cybersecurity date back to the deThe Hacker News
November 3, 2023 – Malware
Unmasking New AsyncRAT Infection Chain Full Text
Abstract
AsyncRAT is being distributed through a malicious HTML file and uses various file types like PowerShell, WSF, and VBScript to bypass detection. The infection chain begins with a spam email containing a malicious URL to download the HTML file.Cyware
November 03, 2023 – Privacy
CanesSpy Spyware Discovered in Modified WhatsApp Versions Full Text
Abstract
Cybersecurity researchers have unearthed a number of WhatsApp mods for Android that come fitted with a spyware module dubbed CanesSpy. These modified versions of the instant messaging app have been observed propagated via sketchy websites advertising such modded software as well as Telegram channels used primarily by Arabic and Azerbaijani speakers, one of which boasts of two million users. "The trojanized client manifest contains suspicious components (a service and a broadcast receiver) that cannot be found in the original WhatsApp client," Kaspersky security researcher Dmitry Kalinin said. Specifically, the new additions are designed to activate the spyware module when the phone is switched on or starts charging. It subsequently proceeds to establish contact with a command-and-control (C2) server, followed by sending information about the compromised device, such as the IMEI, phone number, mobile country code, and mobile network code. CanesSpy also transmits detThe Hacker News
November 3, 2023 – Malware
New DarkGate Variant Uses a New Loading Approach Full Text
Abstract
DarkGate is a versatile malware that includes features such as keylogging, information stealing, and downloading and executing other payloads. The DarkGate malware has been involved in multiple campaigns and continues to evolve.Cyware
November 03, 2023 – Malware
48 Malicious npm Packages Found Deploying Reverse Shells on Developer Systems Full Text
Abstract
A new set of 48 malicious npm packages has been discovered in the npm repository with capabilities to deploy a reverse shell on compromised systems. "These packages, deceptively named to appear legitimate, contained obfuscated JavaScript designed to initiate a reverse shell on package install," software supply chain security firm Phylum said. All the counterfeit packages have been published by an npm user named hktalent (GitHub, X). As of writing, 39 of the packages uploaded by the author are still available for download. The attack chain is triggered after the installation of the package via an install hook in the package.json that calls JavaScript code to establish a reverse shell to rsh.51pwn[.]com. "In this particular case, the attacker published dozens of benign-sounding packages with several layers of obfuscation and deceptive tactics in an attempt to ultimately deploy a reverse shell on any machine that simply installs one of these packages,"The Hacker News
November 3, 2023 – Criminals
Russian Reshipping Service ‘SWAT USA Drop’ Exposed Full Text
Abstract
The Russia-based criminal reshipping service SWAT USA Drop was hacked, exposing its operations and revealing the involvement of over 1,200 people in reshipping stolen goods purchased with stolen credit cards.Cyware
November 2, 2023 – Vulnerabilities
Researchers Discover 117 Vulnerabilities in Microsoft 365 Apps via the SketchUp 3D Library Full Text
Abstract
By developing a SketchUp fuzzing harness and using a dumb file format fuzzer, 20 unique vulnerabilities, including use-after-free and stack buffer overflow, were discovered in just one month.Cyware
November 02, 2023 – Botnet
Mysterious Kill Switch Disrupts Mozi IoT Botnet Operations Full Text
Abstract
The unexpected drop in malicious activity connected with the Mozi botnet in August 2023 was due to a kill switch that was distributed to the bots. "First, the drop manifested in India on August 8," ESET said in an analysis published this week. "A week later, on August 16, the same thing happened in China. While the mysterious control payload – aka kill switch – stripped Mozi bots of most functionality, they maintained persistence." Mozi is an Internet of Things (IoT) botnet that emerged from the source code of several known malware families, such as Gafgyt, Mirai, and IoT Reaper. First spotted in 2019, it's known to exploit weak and default remote access passwords as well as unpatched security vulnerabilities for initial access. In September 2021, cybersecurity firm Netlab researchers disclosed the arrest of the botnet operators by Chinese authorities. But the precipitous decline in Mozi activity – from around 13,300 hosts on August 7 to 3,500 on AThe Hacker News
November 2, 2023 – Breach
Medical Firm Reaches $100,000 Settlement With HHS Over 2017 Ransomware Attack Full Text
Abstract
The company failed to adequately protect electronic protected health information, violated HIPAA laws, and lacked sufficient monitoring and policies to prevent and address cyberattacks.Cyware
November 02, 2023 – Solution
SaaS Security is Now Accessible and Affordable to All Full Text
Abstract
This new product offers SaaS discovery and risk assessment coupled with a free user access review in a unique "freemium" model. Securing employees' SaaS usage is becoming increasingly crucial for most cloud-based organizations. While numerous tools are available to address this need, they often employ different approaches and technologies, leading to unnecessary confusion and complexity. Enter Wing Security's new "Essential SSPM" (SaaS Security Posture Management) tool, which aims to simplify the process of securing SaaS usage across the organization. Its business approach is simple: self-onboard, try the product, and if impressed, upgrade to unlock more vital security capabilities. What's essential SaaS security? According to Wing, three basic yet fundamental capabilities are necessary for organizations aiming to secure their SaaS: discovery, assessment, and control. These align with regulatory security standards such as ISO 27001 and SOC, which emphasize vendoThe Hacker News
November 2, 2023 – Attack
Major Mexican Airport Confirms Experts are Working to Address Cyberattack Full Text
Abstract
Querétaro Intercontinental Airport in Mexico has experienced a cyberattack, with an employee downloading a file containing malware, but the airport's operational security was not compromised and the attack has been contained and isolated.Cyware
November 02, 2023 – Phishing
Iran’s MuddyWater Targets Israel in New Spear-Phishing Cyber Campaign Full Text
Abstract
The Iranian nation-state actor known as MuddyWater has been linked to a new spear-phishing campaign targeting two Israeli entities to ultimately deploy a legitimate remote administration tool from N-able called Advanced Monitoring Agent. Cybersecurity firm Deep Instinct, which disclosed details of the attacks, said the campaign "exhibits updated TTPs to previously reported MuddyWater activity," which has, in the past, used similar attack chains to distribute other remote access tools like ScreenConnect, RemoteUtilities, Syncro, and SimpleHelp. While the latest development marks the first time MuddyWater has been observed using N-able's remote monitoring software, it also underscores the fact that the largely unchanged modus operandi continues to yield some level of success for the threat actor. The findings have also been separately confirmed by cybersecurity company Group-IB in a post shared on X (formerly Twitter). The state-sponsored group is a cyberThe Hacker News
November 2, 2023 – Attack
California Community College Río Hondo Dealing With Cybersecurity Incident Full Text
Abstract
Río Hondo College in Southern California experienced a cybersecurity incident that disrupted campus functions and financial aid disbursements, potentially indicating a ransomware attack.Cyware
November 02, 2023 – Vulnerabilities
Researchers Find 34 Windows Drivers Vulnerable to Full Device Takeover Full Text
Abstract
As many as 34 unique vulnerable Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers could be exploited by non-privileged threat actors to gain full control of the devices and execute arbitrary code on the underlying systems. "By exploiting the drivers, an attacker without privilege may erase/alter firmware, and/or elevate [operating system] privileges," Takahiro Haruyama, a senior threat researcher at VMware Carbon Black, said. The research expands on previous studies, such as ScrewedDrivers and POPKORN, that utilized symbolic execution for automating the discovery of vulnerable drivers. It specifically focuses on drivers that contain firmware access through port I/O and memory-mapped I/O. The names of some of the vulnerable drivers include AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys (CVE-2023-20598), RadHwMgr.sys, rtif.sys, rtport.sys, sThe Hacker News
November 2, 2023 – Attack
Medical Research Executive Hit in SIM-Swapping Attack by ALPHV Gang Full Text
Abstract
Ransomware gang Alphv, also known as BlackCat, claims to have stolen data from Advarra, a firm that assists with medical trials. The criminals gained access to an executive's accounts by SIM swapping their cellphone number.Cyware
November 02, 2023 – Vulnerabilities
FIRST Announces CVSS 4.0 - New Vulnerability Scoring System Full Text
Abstract
The Forum of Incident Response and Security Teams (FIRST) has officially announced CVSS v4.0, the next generation of the Common Vulnerability Scoring System standard, more than eight years after the release of CVSS v3.0 in June 2015. "This latest version of CVSS 4.0 seeks to provide the highest fidelity of vulnerability assessment for both industry and the public," FIRST said in a statement. CVSS essentially provides a way to capture the principal technical characteristics of a security vulnerability and produce a numerical score denoting its severity. The score can be translated into various levels, such as low, medium, high, and critical, to help organizations prioritize their vulnerability management processes. One of the core updates to CVSS v3.1, released in July 2019, was to emphasize and clarify that "CVSS is designed to measure the severity of a vulnerability and should not be used alone to assess risk." CVSS v3.1 has also attracted criticisThe Hacker News
November 2, 2023 – Phishing
Threat Actors Deploy Malvertising Campaigns to Hijack Facebook Users’ Accounts Full Text
Abstract
The attackers use hijacked Facebook accounts and create multiple profiles featuring photos of young women to entice users to click on infected links. Clicking on the ads downloads a malicious file that steals browser cookies and passwords.Cyware
November 02, 2023 – Vulnerabilities
HelloKitty Ransomware Group Exploiting Apache ActiveMQ Vulnerability Full Text
Abstract
Cybersecurity researchers are warning of suspected exploitation of a recently disclosed critical security flaw in the Apache ActiveMQ open-source message broker service that could result in remote code execution. "In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations," cybersecurity firm Rapid7 disclosed in a report published Wednesday. "Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October." The intrusions are said to involve the exploitation of CVE-2023-46604, a remote code execution vulnerability in Apache ActiveMQ that allows a threat actor to run arbitrary shell commands. It's worth noting that the vulnerability carries a CVSS score of 10.0, indicating maximum severity. It has been addressed in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, or 5.18.3The Hacker News
November 2, 2023 – Attack
Ransomware Attack on Texas Mental Healthcare Provider Affects 172,000 Patients Full Text
Abstract
The attack was quickly detected and contained within one segment of the network. The compromised information may include names, addresses, birthdates, Social Security numbers, diagnosis codes, insurance information, and treatment service types.Cyware
November 2, 2023 – General
Ransomware Attacks Set to Break Records in 2023 Full Text
Abstract
Ransomware attacks are increasing at a record-breaking pace, with the frequency of attacks in Q3 2023 up 11% from the previous quarter and 95% from the previous year, according to Corvus Insurance.Cyware
November 1, 2023 – Business
Chainguard Raises $61M in Series B Funding Full Text
Abstract
The Kirkland, Washington-based security company raised $61 million in Series B funding. The round was led by Spark Capital, with participation from existing investors Sequoia Capital, Amplify Partners, The Chainsmoker's Mantis VC, and Banana Capital.Cyware
November 01, 2023 – Hacker
Researchers Expose Prolific Puma’s Underground Link Shortening Service Full Text
Abstract
A threat actor known as Prolific Puma has been maintaining a low profile and operating an underground link shortening service that's offered to other threat actors for at least the past four years. Prolific Puma creates "domain names with an RDGA [registered domain generation algorithm] and use these domains to provide a link shortening service to other malicious actors, helping them evade detection while they distribute phishing, scams, and malware," Infoblox said in a new analysis pieced together from Domain Name System (DNS) analytics. With malicious actors known to use link shorteners for phishing attacks, the adversary plays an important role in the cybercrime supply chain, registering between 35,000 and 75,000 unique domain names since April 2022. Prolific Puma is also considered a DNS threat actor for leveraging DNS infrastructure for nefarious purposes. A notable aspect of the threat actor's operations is the use of an American domain registrar and webThe Hacker News
November 1, 2023 – Vulnerabilities
Chrome 119 Patches 15 Vulnerabilities Full Text
Abstract
Out of the 15 vulnerabilities patched, 13 were reported by external researchers. Three of the bugs are rated as high severity, while the remaining ones are medium and low severity.Cyware
November 01, 2023 – Solution
Hands on Review: LayerX’s Enterprise Browser Security Extension Full Text
Abstract
The browser has become the main work interface in modern enterprises. It's where employees create and interact with data, and how they access organizational and external SaaS and web apps. As a result, the browser is extensively targeted by adversaries. They seek to steal the data it stores and use it for malicious access to organizational SaaS apps or the hosting machine. Additionally, unintentional data leakage via the browser has become a critical concern for organizations as well. However, traditional endpoint, network, and data protection solutions fail to protect this critical resource against advanced web-borne attacks that continuously rise in sophistication and volume. This gap leaves organizations exposed to phishing attacks, malicious browser extensions, data exposure, and data loss. This is the challenge LayerX is attempting to solve. LayerX has developed a secure enterprise browser extension that can be mounted on any browser. The LayerX extension delivers comprehenThe Hacker News
November 1, 2023 – Business
Log Analysis and Security Firm Graylog Raises $9M in Equity, $30M in Debt Full Text
Abstract
Graylog has raised $39 million in its Series C funding round co-led by Silver Lake Waterman, Piper Sandler Merchant Banking, and Harbert Growth Partners. It includes $9 million in equity and $30 million in a "flex debt" facility.Cyware
November 01, 2023 – Attack
Iranian Cyber Espionage Group Targets Financial and Government Sectors in Middle East Full Text
Abstract
A threat actor affiliated with Iran's Ministry of Intelligence and Security (MOIS) has been observed waging a sophisticated cyber espionage campaign targeting financial, government, military, and telecommunications sectors in the Middle East for at least a year. Israeli cybersecurity firm Check Point, which discovered the campaign alongside Sygnia, is tracking the actor under the name Scarred Manticore, which is said to closely overlap with an emerging cluster dubbed Storm-0861, one of the four Iranian groups linked to destructive attacks on the Albanian government last year. Victims of the operation span various countries such as Saudi Arabia, the United Arab Emirates, Jordan, Kuwait, Oman, Iraq, and Israel. Scarred Manticore also exhibits some degree of overlap with OilRig, another Iranian nation-state crew that was recently attributed to an attack on an unnamed Middle East government between February and September 2023 as part of an eight-month-long campaign. AnotherThe Hacker News
November 1, 2023 – Vulnerabilities
Latest RAT Attack Surge Bypasses Microsoft’s XLL Block Full Text
Abstract
Microsoft's block on Visual Basic for Applications (VBA) macros has led attackers to experiment with different file types, with XLL files now being used as a means to distribute malware.Cyware
November 01, 2023 – Attack
North Korean Hackers Targeting Crypto Experts with KANDYKORN macOS Malware Full Text
Abstract
State-sponsored threat actors from the Democratic People's Republic of Korea (DPRK) have been found targeting blockchain engineers of an unnamed crypto exchange platform via Discord with a novel macOS malware dubbed KANDYKORN. Elastic Security Labs said the activity, traced back to April 2023, exhibits overlaps with the infamous adversarial collective Lazarus Group, citing an analysis of the network infrastructure and techniques used. "Threat actors lured blockchain engineers with a Python application to gain initial access to the environment," security researchers Ricardo Ungureanu, Seth Goodwin, and Andrew Pease said in a report published today. "This intrusion involved multiple complex stages that each employed deliberate defense evasion techniques." This is not the first time the Lazarus Group has leveraged macOS malware in its attacks. Earlier this year, the threat actor was observed distributing a backdoored PDF application that culminated in tThe Hacker News
November 1, 2023 – Malware
Dozens of Kernel Drivers Allow Attackers to Alter Firmware, Escalate Privileges Full Text
Abstract
VMware Carbon Black's Threat Analysis Unit (TAU) has discovered numerous previously unknown vulnerable kernel drivers that could be exploited by hackers to modify firmware or gain elevated privileges.Cyware
November 01, 2023 – Malware
Turla Updates Kazuar Backdoor with Advanced Anti-Analysis to Evade Detection Full Text
Abstract
The Russia-linked hacking crew known as Turla has been observed using an updated version of a known second-stage backdoor referred to as Kazuar. The new findings come from Palo Alto Networks Unit 42, which is tracking the adversary under its constellation-themed moniker Pensive Ursa. "As the code of the upgraded revision of Kazuar reveals, the authors put special emphasis on Kazuar's ability to operate in stealth, evade detection and thwart analysis efforts," security researchers Daniel Frank and Tom Fakterman said in a technical report. "They do so using a variety of advanced anti-analysis techniques and by protecting the malware code with effective encryption and obfuscation practices." Pensive Ursa, active since at least 2004, is attributed to the Russian Federal Security Service (FSB). Earlier this July, the Computer Emergency Response Team of Ukraine (CERT-UA) implicated the threat group in attacks targeting the defense sector in Ukraine and EastThe Hacker News
November 1, 2023 – General
Public Exposure of Data Breaches is Becoming Inevitable Full Text
Abstract
The number of cyber breaches becoming public is increasing, with companies facing financial and reputational consequences and being more likely to pay ransoms for stolen data.Cyware
November 01, 2023 – Vulnerabilities
Alert: F5 Warns of Active Attacks Exploiting BIG-IP Vulnerability Full Text
Abstract
F5 is warning of active abuse of a critical security flaw in BIG-IP less than a week after its public disclosure, resulting in the execution of arbitrary system commands as part of an exploit chain. Tracked as CVE-2023-46747 (CVSS score: 9.8), the vulnerability allows an unauthenticated attacker with network access to the BIG-IP system through the management port to achieve code execution. A proof-of-concept (PoC) exploit has since been made available by ProjectDiscovery. It impacts the following versions of the software: 17.1.0 (Fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG); 16.1.0 - 16.1.4 (Fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG); 15.1.0 - 15.1.10 (Fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG); 14.1.0 - 14.1.5 (Fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG); 13.1.0 - 13.1.5 (Fixed in 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG). Now the company is alerting that it has "observed threat actors using this vulnerability to explThe Hacker News
November 1, 2023 – Denial Of Service
UserSec Takes Credit for Gatwick Cyberattack Post DDoS Assault on Manchester Airport Full Text
Abstract
The attacks were likely DDoS attacks, disrupting websites but not impacting airport operations or flights. The UK's NCSC is investigating the attacks, while Gatwick Airport officials are also dealing with spoofed Twitter accounts in their name.Cyware
November 1, 2023 – Malware
Malware ‘Meal Kits’ Serve Up No-Fuss RAT Attacks Full Text
Abstract
The Parallax RAT has seen a significant increase in usage, particularly through infected DLLs in seemingly legitimate invoices, making it harder for users to detect the attack.Cyware