October 2023
October 31, 2023 – Breach
Largest Indian Data Leak Involving 815 Million People’s COVID Test Data on Sale; Samples Verified
Abstract
The personal data of nearly 815 million citizens of India, including names, phone numbers, addresses, passport information, and Aadhaar card details, has been found for sale on the dark web.
Source: Cyware
October 31, 2023 – Attack
Arid Viper Targeting Arabic Android Users with Spyware Disguised as Dating App
Abstract
The threat actor known as Arid Viper (aka APT-C-23, Desert Falcon, or TAG-63) has been attributed as behind an Android spyware campaign targeting Arabic-speaking users with a counterfeit dating app designed to harvest data from infected handsets. "Arid Viper's Android malware has a number of features that enable the operators to surreptitiously collect sensitive information from victims' devices and deploy additional executables," Cisco Talos said in a Tuesday report. Active since at least 2017, Arid Viper is a cyber espionage group that's aligned with Hamas, an Islamist militant movement that governs the Gaza Strip. The cybersecurity firm said there is no evidence connecting the campaign to the ongoing Israel-Hamas war. The activity is believed to have commenced no earlier than April 2022. Interestingly, the mobile malware shares source code similarities with a non-malicious online dating application called Skipped, suggesting that the operators are eit
Source: The Hacker News
October 31, 2023 – Malware
Malicious NuGet Packages Exploit Loophole in MSBuild Integrations
Abstract
Cybersecurity firm ReversingLabs has discovered a coordinated and ongoing malicious campaign on the NuGet package manager. The campaign involves the publishing of hundreds of malicious packages since August.
Source: Cyware
October 31, 2023 – Malware
Malicious NuGet Packages Caught Distributing SeroXen RAT Malware
Abstract
Cybersecurity researchers have uncovered a new set of malicious packages published to the NuGet package manager using a lesser-known method for malware deployment. Software supply chain security firm ReversingLabs described the campaign as coordinated and ongoing since August 1, 2023, while linking it to a host of rogue NuGet packages that were observed delivering a remote access trojan called SeroXen RAT. "The threat actors behind it are tenacious in their desire to plant malware into the NuGet repository, and to continuously publish new malicious packages," Karlo Zanki, reverse engineer at ReversingLabs, said in a report shared with The Hacker News. The names of some of the packages are below:
- Pathoschild.Stardew.Mod.Build.Config
- KucoinExchange.Net
- Kraken.Exchange
- DiscordsRpc
- SolanaWallet
- Monero
- Modern.Winform.UI
- MinecraftPocket.Server
- IAmRoot
- ZendeskApi.Client.V2
- Betalgo.Open.AI
- Forge.Open.AI
- Pathoschild.Stardew.Mod.BuildConfig
- CData.NetSuite.Net
Source: The Hacker News
October 31, 2023 – Policy and Law
Florida SIM Swapper Sentenced to Prison for Cryptocurrency Theft
Abstract
The perpetrator and his co-conspirators targeted dozens of victims, gaining access to their cryptocurrency accounts by hijacking their phone numbers and initiating password resets.
Source: Cyware
October 31, 2023 – Solution
PentestPad: Platform for Pentest Teams
Abstract
In the ever-evolving cybersecurity landscape, the game-changers are those who adapt and innovate swiftly. Pen test solutions not only supercharge productivity but also provide a crucial layer of objectivity, ensuring efficiency and exceptional accuracy. The synergy between a skilled penetration tester and the precision of pen testing solutions is crucial for keeping up with today's high demand for security audits and the daily rise in vulnerabilities and exploits.
How PentestPad Helps Pentest Teams
PentestPad is revolutionizing the way pentest teams operate, offering a comprehensive platform that enhances collaboration and speeds up the process. From automated report generation to real-time collaboration and integrations with leading tools, PentestPad empowers teams to work efficiently, deliver high-quality results, and exceed client expectations. With customizable templates and a user-friendly interface, it's the ultimate solution for pentest teams looking to elevate their p
Source: The Hacker News
October 31, 2023 – Malware
Arid Viper Disguising Mobile Spyware as Updates for Non-Malicious Android Applications
Abstract
The malware used by Arid Viper shares similarities with a non-malicious dating app called Skipped, indicating a possible connection between the APT group and the app's developers.
Source: Cyware
October 31, 2023 – Vulnerabilities
Atlassian Warns of New Critical Confluence Vulnerability Threatening Data Loss
Abstract
Atlassian has warned of a critical security flaw in Confluence Data Center and Server that could result in "significant data loss if exploited by an unauthenticated attacker." Tracked as CVE-2023-22518, the vulnerability is rated 9.1 out of a maximum of 10 on the CVSS scoring system. It has been described as an instance of "improper authorization vulnerability." All versions of Confluence Data Center and Server are susceptible to the bug, and it has been addressed in the following versions:
- 7.19.16 or later
- 8.3.4 or later
- 8.4.4 or later
- 8.5.3 or later
- 8.6.1 or later
That said, the Australian company emphasized that "there is no impact to confidentiality as an attacker cannot exfiltrate any instance data." No other details about the flaw and the exact method by which an adversary can take advantage of it have been made available, likely owing to the fact that doing so could enable threat actors to devise an exploit. Atlassian is also u
Source: The Hacker News
October 31, 2023 – Government
Russia to Launch its Own Version of Virustotal Due to US Snooping Fears
Abstract
The Russian government is developing its own malware scanning platform, Multiscanner, due to concerns that the U.S. government could access data from the popular VirusTotal service.
Source: Cyware
October 31, 2023 – Phishing
Trojanized PyCharm Software Version Delivered via Google Search Ads
Abstract
A new malvertising campaign has been observed capitalizing on a compromised website to promote spurious versions of PyCharm on Google search results by leveraging Dynamic Search Ads. "Unbeknownst to the site owner, one of their ads was automatically created to promote a popular program for Python developers, and visible to people doing a Google search for it," Jérôme Segura, director of threat intelligence at Malwarebytes, said in a report. "Victims who clicked on the ad were taken to a hacked web page with a link to download the application, which turned out to install over a dozen different pieces of malware instead." The infected website in question is an unnamed online portal that specializes in wedding planning, which had been injected with malware to serve bogus links to the PyCharm software. Per Malwarebytes, targets are directed to the website using Dynamic Search Ads, an ad offering from Google that programmatically uses the site's content to
Source: The Hacker News
October 31, 2023 – Attack
Dallas County Confirms Cybersecurity Incident After Ransomware Gang Claims Attack
Abstract
The incident affected a portion of the county's network. The county is currently investigating the incident after the Play ransomware gang claimed responsibility and threatened to leak stolen data by November 3.
Source: Cyware
October 31, 2023 – Government
Canada Bans WeChat and Kaspersky Apps On Government Devices
Abstract
Canada on Monday announced a ban on the use of apps from Tencent and Kaspersky on government mobile devices, citing an "unacceptable level of risk to privacy and security." "The Government of Canada is committed to keeping government information and networks secure," the Canadian government said. "We regularly monitor potential threats and take immediate action to address risks." To that end, Tencent's WeChat and Kaspersky's suite of applications have been removed from government-issued mobile devices effective October 30, 2023. Going forward, users of these devices will be blocked from downloading the apps. "We are taking a risk-based approach to cyber security by removing access to these applications on government mobile devices," Anita Anand, President of the Treasury Board, said in a statement, adding the apps "provide considerable access to the device's contents." WeChat is a Chinese instant messaging, social med
Source: The Hacker News
October 31, 2023 – Criminals
Five Guys Discloses Hack of Two Employee Email Accounts
Abstract
The breach, discovered on June 7, was the result of business email compromise. While the total number of individuals impacted was not disclosed, only three residents of Maine were affected.
Source: Cyware
October 31, 2023 – Solution
Meta Launches Paid Ad-Free Subscription in Europe to Satisfy Privacy Laws
Abstract
Meta on Monday announced plans to offer an ad-free option to access Facebook and Instagram for users in the European Union (EU), European Economic Area (EEA), and Switzerland to comply with "evolving" data protection regulations in the region. The ad-free subscription, which costs €9.99/month on the web or €12.99/month on iOS and Android, is expected to be officially available starting next month. The company's proposal for a subscription version of its service was first reported by The Wall Street Journal earlier this month. "In November, we will be offering people who use Facebook or Instagram and reside in these regions the choice to continue using these personalized services for free with ads, or subscribe to stop seeing ads," the company said. "While people are subscribed, their information will not be used for ads." While the fee covers all linked accounts for a user, beginning March 1, 2024, the company plans to levy an additional fee
Source: The Hacker News
October 30, 2023 – Phishing
Remcos RAT Disguises as Payslip to Infect Users
Abstract
Researchers uncovered a phishing campaign distributing the Remcos remote access trojan. Cybercriminals disguised the malware as a payslip in a deceptive email. Remcos RAT can perform a range of malicious activities, including keylogging, capturing screenshots, controlling webcams and microphones, a ...
Source: Cyware
October 30, 2023 – Attack
Pro-Hamas Hacktivists Targeting Israeli Entities with Wiper Malware
Abstract
A pro-Hamas hacktivist group has been observed using a new Linux-based wiper malware dubbed BiBi-Linux Wiper, targeting Israeli entities amidst the ongoing Israel-Hamas war. "This malware is an x64 ELF executable, lacking obfuscation or protective measures," Security Joes said in a new report published today. "It allows attackers to specify target folders and can potentially destroy an entire operating system if run with root permissions." Some of its other capabilities include multithreading to corrupt files concurrently to enhance its speed and reach, overwriting files, renaming them with an extension containing the hard-coded string "BiBi" (in the format "[RANDOM_NAME].BiBi[NUMBER]"), and excluding certain file types from being corrupted. "While the string 'bibi' (in the filename) may appear random, it holds significant meaning when mixed with topics such as politics in the Middle East, as it is a common nickname us
Source: The Hacker News
October 30, 2023 – General
QR Code-based Phishing Attains 587% Hike, Reports Check Point
Abstract
QR code phishing attacks, including quishing and QRLJacking, have seen a dramatic 587% increase from August to September 2023, with threat actors extracting login information from users. This social engineering tactic takes advantage of the trust in QR codes and the routine nature of security updat ...
Source: Cyware
October 30, 2023 – Education
New Webinar: 5 Must-Know Trends Impacting AppSec
Abstract
Modern web app development relies on cloud infrastructure and containerization. These technologies scale on demand, handling millions of daily file transfers; it's almost impossible to imagine a world without them. However, they also introduce multiple attack vectors that exploit file uploads when working with public clouds, vulnerabilities in containers hosting web applications, and many other persistent threats. We surveyed organizations responsible for securing critical web applications used by healthcare, financial services, technology, and other critical infrastructure verticals to learn how they tackle the most destructive threats and summarized our findings in the OPSWAT 2023 State of Web Application Security Report. The survey report revealed that:
- 97% of organizations use or will deploy containers in their web hosting environments.
- 75% use cloud storage access solutions and want to prevent malware, secure sensitive data, and mitigate security compliance risks.
- 94% c
Source: The Hacker News
October 30, 2023 – Attack
Attackers Can Use Modified Wikipedia Pages to Mount Redirection Attacks on Slack
Abstract
The Wiki-Slack attack relies on crafting a legitimate footnote in a Wikipedia article and exploiting Slack's rendering of the shared page's preview to generate a hidden malicious link.
Source: Cyware
October 30, 2023 – Insider Threat
ServiceNow Data Exposure: A Wake-Up Call for Companies
Abstract
Earlier this week, ServiceNow announced on its support site that misconfigurations within the platform could result in "unintended access" to sensitive data. For organizations that use ServiceNow, this security exposure is a critical concern that could have resulted in major leakage of sensitive corporate data. ServiceNow has since taken steps to fix this issue. This article fully analyzes the issue, explains why this critical application misconfiguration could have had serious consequences for businesses, and describes the remediation steps companies would have had to take had ServiceNow not issued a fix. (It is still recommended to double check that the fix has closed the organization's exposure.)
In a Nutshell
ServiceNow is a cloud-based platform used for automating IT service management, IT operations management, and IT business management for customer service, as well as HR, security operations, and a wide variety of additional domains. This SaaS application is considered to be one of the top bu
Source: The Hacker News
October 30, 2023 – Outage
Toronto Public Library Facing Disruptions Due to Cyberattack
Abstract
The organization has confirmed that it is a cybersecurity incident, and while there is no evidence of compromised personal information, it may take several days to fully restore normal operations.
Source: Cyware
October 30, 2023 – Cryptocurrency
EleKtra-Leak Cryptojacking Attacks Exploit AWS IAM Credentials Exposed on GitHub
Abstract
A new ongoing campaign dubbed EleKtra-Leak has set its eyes on exposed Amazon Web Services (AWS) identity and access management (IAM) credentials within public GitHub repositories to facilitate cryptojacking activities. "As a result of this, the threat actor associated with the campaign was able to create multiple AWS Elastic Compute (EC2) instances that they used for wide-ranging and long-lasting cryptojacking operations," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said in a technical report shared with The Hacker News. The operation, active since at least December 2020, is designed to mine Monero from as many as 474 unique Amazon EC2 instances between August 30 and October 6, 2023. A standout aspect of the attacks is the automated targeting of AWS IAM credentials within four minutes of their initial exposure on GitHub, indicating that threat actors are programmatically cloning and scanning the repositories to capture the exposed keys.
Source: The Hacker News
October 30, 2023 – IOT
IoT Security Threats Highlight the Need for Zero Trust Principles
Abstract
The manufacturing sector is particularly vulnerable to IoT malware attacks, experiencing an average of 6,000 attacks per week according to Zscaler, which can disrupt critical OT processes and pose long-term challenges for security teams.
Source: Cyware
October 30, 2023 – Vulnerabilities
Urgent: New Security Flaws Discovered in NGINX Ingress Controller for Kubernetes
Abstract
Three unpatched high-severity security flaws have been disclosed in the NGINX Ingress controller for Kubernetes that could be weaponized by a threat actor to steal secret credentials from the cluster. The vulnerabilities are as follows:
- CVE-2022-4886 (CVSS score: 8.8): Ingress-nginx path sanitization can be bypassed to obtain the credentials of the ingress-nginx controller
- CVE-2023-5043 (CVSS score: 7.6): Ingress-nginx annotation injection causes arbitrary command execution
- CVE-2023-5044 (CVSS score: 7.6): Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation
"These vulnerabilities enable an attacker who can control the configuration of the Ingress object to steal secret credentials from the cluster," Ben Hirschberg, CTO and co-founder of Kubernetes security platform ARMO, said of CVE-2023-5043 and CVE-2023-5044. Successful exploitation of the flaws could allow an adversary to inject arbitrary code into the ingress controller proce
Source: The Hacker News
October 30, 2023 – Government
White House Issues Sweeping Executive Order to Secure AI
Abstract
The order directs the National Institute of Standards and Technology to establish new standards for red-team testing and the Department of Health and Human Services to create a safety program for AI in healthcare.
Source: Cyware
October 30, 2023 – Attack
Hackers Using MSIX App Packages to Infect Windows PCs with GHOSTPULSE Malware
Abstract
A new cyber attack campaign has been observed using spurious MSIX Windows app package files for popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex to distribute a novel malware loader dubbed GHOSTPULSE. "MSIX is a Windows app package format that developers can leverage to package, distribute, and install their applications to Windows users," Elastic Security Labs researcher Joe Desimone said in a technical report published last week. "However, MSIX requires access to purchased or stolen code signing certificates making them viable to groups of above-average resources." Based on the installers used as lures, it's suspected that potential targets are enticed into downloading the MSIX packages through known techniques such as compromised websites, search engine optimization (SEO) poisoning, or malvertising. Launching the MSIX file opens a Windows prompt asking the user to click the Install button; doing so res
Source: The Hacker News
October 30, 2023 – Phishing
Malvertising via Dynamic Search Ads Delivers Malware Bonanza
Abstract
The compromised website injected malicious content, including overlays promoting software serial keys, which resulted in misleading ads being automatically generated by Google Ads.
Source: Cyware
October 30, 2023 – Government
CISA Launches Logging Tool for Resource-Poor Organizations
Abstract
The tool provides step-by-step installation instructions, prebuilt Elastic Security detection rules, and code to reduce cost barriers, making it accessible for organizations aiming to implement basic logging and monitoring capabilities.
Source: Cyware
October 28, 2023 – Breach
CCleaner Says Hackers Stole Users’ Personal Data During MOVEit Mass-Hack
Abstract
The hackers exploited a vulnerability in the MOVEit file transfer tool, used by CCleaner, to access sensitive data. The stolen information includes names, contact details, and product purchase information. Less than 2% of users were affected.
Source: Cyware
October 28, 2023 – Privacy
Researchers Uncover Wiretapping of XMPP-Based Instant Messaging Service
Abstract
New findings have shed light on what's said to be a lawful attempt to covertly intercept traffic originating from jabber[.]ru (aka xmpp[.]ru), an XMPP-based instant messaging service, via servers hosted on Hetzner and Linode (a subsidiary of Akamai) in Germany. "The attacker has issued several new TLS certificates using Let's Encrypt service which were used to hijack encrypted STARTTLS connections on port 5222 using transparent [man-in-the-middle] proxy," a security researcher who goes by the alias ValdikSS said earlier this week. "The attack was discovered due to the expiration of one of the MiTM certificates, which haven't been reissued." Evidence gathered so far points to the traffic redirection being configured on the hosting provider network, ruling out other possibilities, such as a server breach or a spoofing attack. The wiretapping is estimated to have lasted for as long as six months, from April 18 through to October 19, although it
Source: The Hacker News
October 28, 2023 – Outage
Update: Kansas Court System Down Nearly Two Weeks in ‘Security Incident’ That Has Hallmarks of Ransomware
Abstract
The outage has hindered electronic filings, payment processing, case management, public access to records, and applications for various legal services, leading to delays and a reliance on paper-based processes.
Source: Cyware
October 28, 2023 – Criminals
LockBit Ransomware Gang Claims to Have Stolen Data From Boeing
Abstract
The LockBit group has a history of listing companies as victims, even if it was actually a vendor to the compromised company, so further investigation is needed to confirm the extent of the breach.
Source: Cyware
October 28, 2023 – Attack
Stanford University Investigating Cyberattack After Akira Ransomware Claims
Abstract
Stanford University is currently investigating a cybersecurity incident within its Department of Public Safety after a ransomware gang claimed to have attacked the school. The Akira ransomware gang has claimed to have stolen 430 GB of data.
Source: Cyware
October 27, 2023 – Attack
N. Korean Lazarus Group Targets Software Vendor Using Known Flaws
Abstract
The North Korea-aligned Lazarus Group has been attributed as behind a new campaign in which an unnamed software vendor was compromised through the exploitation of known security flaws in another high-profile software. The attack sequences, according to Kaspersky, culminated in the deployment of malware families such as SIGNBT and LPEClient, a known hacking tool used by the threat actor for victim profiling and payload delivery. "The adversary demonstrated a high level of sophistication, employing advanced evasion techniques and introducing SIGNBT malware for victim control," security researcher Seongsu Park said. "The SIGNBT malware used in this attack employed a diverse infection chain and sophisticated techniques." The Russian cybersecurity vendor said the company that developed the exploited software had been a victim of a Lazarus attack several times, indicating an attempt to steal source code or poison the software supply chain, as in the case of the
Source: The Hacker News
October 27, 2023 – Education
How to Keep Your Business Running in a Contested Environment
Abstract
When organizations start incorporating cybersecurity regulations and cyber incident reporting requirements into their security protocols, it's essential for them to establish comprehensive plans for preparation, mitigation, and response to potential threats. At the heart of your business lies your operational technology and critical systems. This places them at the forefront of cybercriminal interest, as they seek to exploit vulnerabilities, compromise your data, and demand ransoms. In today's landscape, characterized by the ever-present risk of ransomware attacks and the challenges posed by fragmented security solutions, safeguarding your organization is paramount. This is where the National Institute of Standards and Technology (NIST) advocates for the development of resilient, reliable security systems capable of foreseeing, enduring, and rebounding from cyberattacks. In this guide, we'll explore strategies to fortify your defenses against cyber threats and ensure
Source: The Hacker News
October 27, 2023 – General
Google Expands Its Bug Bounty Program to Tackle Artificial Intelligence Threats
Abstract
Google has announced that it's expanding its Vulnerability Rewards Program (VRP) to compensate researchers for finding attack scenarios tailored to generative artificial intelligence (AI) systems in an effort to bolster AI safety and security. "Generative AI raises new and different concerns than traditional digital security, such as the potential for unfair bias, model manipulation or misinterpretations of data (hallucinations)," Google's Laurie Richardson and Royal Hansen said. Some of the categories that are in scope include prompt injections, leakage of sensitive data from training datasets, model manipulation, adversarial perturbation attacks that trigger misclassification, and model theft. It's worth noting that Google earlier this July instituted an AI Red Team to help address threats to AI systems as part of its Secure AI Framework (SAIF). Also announced as part of its commitment to secure AI are efforts to strengthen the AI supply chain
Source: The Hacker News
October 27, 2023 – Government
CISA: Agencies Seeing Steep Decrease in Known Exploited Vulnerabilities on Federal Networks
Abstract
Federal civilian agencies have remediated over 7 million Known Exploited Vulnerabilities findings this year, resulting in a 72% decrease in the percentage of vulnerabilities exposed for 45 or more days.
Source: Cyware
October 27, 2023 – Vulnerabilities
F5 Issues Warning: BIG-IP Vulnerability Allows Remote Code Execution
Abstract
F5 has alerted customers of a critical security vulnerability impacting BIG-IP that could result in unauthenticated remote code execution. The issue, rooted in the configuration utility component, has been assigned the CVE identifier CVE-2023-46747, and carries a CVSS score of 9.8 out of a maximum of 10. "This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands," F5 said in an advisory released Thursday. "There is no data plane exposure; this is a control plane issue only." The following versions of BIG-IP have been found to be vulnerable:
- 17.1.0 (Fixed in 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG)
- 16.1.0 - 16.1.4 (Fixed in 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG)
- 15.1.0 - 15.1.10 (Fixed in 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG)
- 14.1.0 - 14.1.5 (Fixed in 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG)
- 13.1.0 -
Source: The Hacker News
October 27, 2023 – Policy and Law
US Senator Quizzes 23andMe Over Credential-Stuffing Hack
Abstract
Genetics testing firm 23andMe is facing multiple class action lawsuits and congressional scrutiny following a credential-stuffing hacking incident that exposed sensitive customer data.
Source: Cyware
October 27, 2023 – Breach
California City Warns of Data Breach After Attack Claim by NoEscape Ransomware
Abstract
The breach, which occurred from August 12 to September 26, involved the theft of personal information such as names, Social Security numbers, driver's license numbers, medical information, and health insurance policy numbers.
Source: Cyware
October 26, 2023 – Education
What Is Operational Risk and Why Should You Care? Assessing SEC Rule Readiness for OT and IoT
Abstract
The newly released SEC cyber incident disclosure rules have raised concerns about whether public companies are prepared to fully define operational risk and disclose material business risk from cyber incidents.
Source: Cyware
October 26, 2023 – Malware
iLeakage: New Safari Exploit Impacts Apple iPhones and Macs with A and M-Series CPUs
Abstract
A group of academics has devised a novel side-channel attack dubbed iLeakage that exploits a weakness in the A- and M-series CPUs running on Apple iOS, iPadOS, and macOS devices, enabling the extraction of sensitive information from the Safari web browser. "An attacker can induce Safari to render an arbitrary webpage, subsequently recovering sensitive information present within it using speculative execution," researchers Jason Kim, Stephan van Schaik, Daniel Genkin, and Yuval Yarom said in a new study. In a practical attack scenario, the weakness could be exploited using a malicious web page to recover Gmail inbox content and even recover passwords that are autofilled by credential managers. iLeakage, besides being the first case of a Spectre-style speculative execution attack against Apple Silicon CPUs, also works against all third-party web browsers available for iOS and iPadOS owing to Apple's App Store policy that mandates browser vendors to use Safari
Source: The Hacker News
October 26, 2023 – Vulnerabilities
Firefox, Chrome Updates Patch High-Severity Vulnerabilities
Abstract
The updates patch multiple flaws, including an insufficient activation-delay bug in Firefox and a use-after-free issue in Chrome, but there is no evidence of these vulnerabilities being exploited in the wild.
Source: Cyware
October 26, 2023 – Criminals
Microsoft Warns as Scattered Spider Expands from SIM Swaps to Ransomware
Abstract
The prolific threat actor known as Scattered Spider has been observed impersonating newly hired employees in targeted firms as a ploy to blend into normal on-hire processes, take over accounts, and breach organizations across the world. Microsoft, which disclosed the activities of the financially motivated hacking crew, described the adversary as "one of the most dangerous financial criminal groups," calling out its operational fluidity and its ability to incorporate SMS phishing, SIM swapping, and help desk fraud into its attack model. "Octo Tempest is a financially motivated collective of native English-speaking threat actors known for launching wide-ranging campaigns that prominently feature adversary-in-the-middle (AiTM) techniques, social engineering, and SIM swapping capabilities," the company said. It's worth noting that the activity represented by Octo Tempest is tracked by other cybersecurity companies under various monikers, including 0kta
Source: The Hacker News
October 26, 2023 – Government
Australia Focuses on Threat of Chinese Attack on Solar Power
Abstract
The Australian government is introducing standards to address the cybersecurity vulnerabilities of internet-connected solar inverters amid concerns of potential Chinese state-sponsored hacking.
Source: Cyware
October 26, 2023 – Denial Of Service
Record-Breaking 100 Million RPS DDoS Attack Exploits HTTP/2 Rapid Reset Flaw
Abstract
Cloudflare on Thursday said it mitigated thousands of hyper-volumetric HTTP distributed denial-of-service (DDoS) attacks that exploited a recently disclosed flaw called HTTP/2 Rapid Reset, 89 of which exceeded 100 million requests per second (RPS). "The campaign contributed to an overall increase of 65% in HTTP DDoS attack traffic in Q3 compared to the previous quarter," the web infrastructure and security company said in a report shared with The Hacker News. "Similarly, L3/4 DDoS attacks also increased by 14%." The total number of HTTP DDoS attack requests in the quarter surged to 8.9 trillion, up from 5.4 trillion in Q2 2023 and 4.7 trillion in Q1 2023. The number of attack requests in Q4 2022 stood at 6.5 trillion. HTTP/2 Rapid Reset (CVE-2023-44487) came to light earlier this month following an industry-wide coordinated disclosure that delved into DDoS attacks orchestrated by an unknown actor by leveraging the flaw to target various providers such as
Source: The Hacker News
October 26, 2023 – Hacker
The Rise and Tactics of Octo Tempest: A Cyber Threat Analysis
Abstract
Octo Tempest, a financially motivated threat group known for extensive social engineering campaigns and SIM-swapping techniques, has become a major concern for businesses worldwide. It has been affiliated with ALPHV/BlackCat and began deploying ransomware payloads as well. Given Octo Tempest's rele ...
Source: Cyware
October 26, 2023 – Education
The Danger of Forgotten Pixels on Websites: A New Case Study Full Text
Abstract
While cyberattacks on websites receive much attention, there are often unaddressed risks that can lead to businesses facing lawsuits and privacy violations even in the absence of hacking incidents. A new case study highlights one of these more common cases. Download the full case study here. It's a scenario that could have affected any type of company, from healthcare to finance, e-commerce to insurance, or any other industry. Recently, Reflectiz, an advanced website security solution provider, released a case study focusing on a forgotten and misconfigured pixel that had been associated with a leading global healthcare provider. This overlooked piece of code surreptitiously gathered private data without user consent, potentially exposing the company to substantial fines and damage to its reputation. Nowadays, it has become common practice for companies to embed such pixels into their websites. For instance, the TikTok Pixel is a typical example, added to websites to trackThe Hacker News
October 26, 2023 – Vulnerabilities
Nine Vulnerabilities Found in VPN Software, Including One Critical RCE Issue Full Text
Abstract
Cisco Talos has disclosed multiple vulnerabilities in popular VPN software, including a critical heap-based buffer overflow vulnerability, posing a significant risk to users' connections and allowing for arbitrary code execution.Cyware
October 26, 2023 – Attack
Iranian Group Tortoiseshell Launches New Wave of IMAPLoader Malware Attacks Full Text
Abstract
The Iranian threat actor known as Tortoiseshell has been attributed to a new wave of watering hole attacks that are designed to deploy a malware dubbed IMAPLoader. "IMAPLoader is a .NET malware that has the ability to fingerprint victim systems using native Windows utilities and acts as a downloader for further payloads," PwC Threat Intelligence said in a Wednesday analysis. "It uses email as a [command-and-control] channel and is able to execute payloads extracted from email attachments and is executed via new service deployments." Active since at least 2018, Tortoiseshell has a history of using strategic website compromises as a ploy to facilitate the distribution of malware. Earlier this May, ClearSky linked the group to the breach of eight websites associated with shipping, logistics, and financial services companies in Israel. The threat actor is aligned with the Islamic Revolutionary Guard Corps (IRGC) and is also tracked by the broader cybThe Hacker News
October 26, 2023 – Vulnerabilities
Critical Flaw in NextGen’s Mirth Connect Could Expose Healthcare Data Full Text
Abstract
Users of Mirth Connect, an open-source data integration platform from NextGen HealthCare, are being urged to update to the latest version following the discovery of an unauthenticated remote code execution vulnerability. Tracked as CVE-2023-43208, the vulnerability has been addressed in version 4.4.1 released on October 6, 2023. "This is an easily exploitable, unauthenticated remote code execution vulnerability," Horizon3.ai's Naveen Sunkavally said in a Wednesday report. "Attackers would most likely exploit this vulnerability for initial access or to compromise sensitive healthcare data." Called the "Swiss Army knife of healthcare integration," Mirth Connect is a cross-platform interface engine used in the healthcare industry to communicate and exchange data between disparate systems in a standardized manner. Additional technical details about the flaw have been withheld in light of the fact that Mirth Connect versions going as far bacThe Hacker News
October 26, 2023 – Hacker
YoroTrooper: Researchers Warn of Kazakhstan’s Stealthy Cyber Espionage Group Full Text
Abstract
A relatively new threat actor known as YoroTrooper is likely made up of operators originating from Kazakhstan. The assessment, which comes from Cisco Talos, is based on their fluency in Kazakh and Russian, use of the tenge to pay for operating infrastructure, and very limited targeting of Kazakhstani entities, barring the government's Anti-Corruption Agency. "YoroTrooper attempts to obfuscate the origin of their operations, employing various tactics to make its malicious activity appear to emanate from Azerbaijan, such as using VPN exit nodes local to that region," security researchers Asheer Malhotra and Vitor Ventura said. First documented by the cybersecurity company in March 2023, the adversary is known to be active since at least June 2022, singling out various state-owned entities in the Commonwealth of Independent States (CIS) countries. Slovak cybersecurity firm ESET is tracking the activity under the name SturgeonPhisher. YoroTrooper's attack cyclesThe Hacker News
October 25, 2023 – Attack
Nation State Hackers Exploiting Zero-Day in Roundcube Webmail Software Full Text
Abstract
The threat actor known as Winter Vivern has been observed exploiting a zero-day flaw in Roundcube webmail software on October 11, 2023, to harvest email messages from victims' accounts. "Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube," ESET security researcher Matthieu Faou said in a new report published today. "Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs-of-concept are available online." Winter Vivern, also known as TA473 and UAC-0114, is an adversarial collective whose objectives align with those of Belarus and Russia. Over the past few months, it has been attributed to attacks against Ukraine and Poland, as well as government entities across Europe and India. The group is also assessed to have exploited another flaw in Roundcube (CVE-2020-35730) as recently as August and September, making it the second nation-state group after APT28 to target the open-source webmail soThe Hacker News
October 25, 2023 – Vulnerabilities
Critical OAuth Flaws Uncovered in Grammarly, Vidio, and Bukalapak Platforms Full Text
Abstract
Critical security flaws have been disclosed in the Open Authorization (OAuth) implementation of popular online services such as Grammarly, Vidio, and Bukalapak, building upon previous shortcomings uncovered in Booking[.]com and Expo. The weaknesses, now addressed by the respective companies following responsible disclosure between February and April 2023, could have allowed malicious actors to obtain access tokens and potentially hijack user accounts. OAuth is a standard that's commonly used as a mechanism for cross-application access, granting websites or applications access to a user's information on other websites, such as Facebook, but without giving them the passwords. "When OAuth is used to provide service authentication, any security breach in it can lead to identity theft, financial fraud, and access to various personal information including credit card numbers, private messages, health records, and more, depending on the specific service being attacked," SaThe Hacker News
October 25, 2023 – Ransomware
The Rise of S3 Ransomware: How to Identify and Combat It Full Text
Abstract
In today's digital landscape, around 60% of corporate data now resides in the cloud, with Amazon S3 standing as the backbone of data storage for many major corporations. Despite S3 being a secure service from a reputable provider, its pivotal role in handling vast amounts of sensitive data (customer personal information, financial data, intellectual property, etc.), provides a juicy target for threat actors. It remains susceptible to ransomware attacks which are often initiated using leaked access keys that have accidentally been exposed by human error and have access to the organization's buckets. To effectively combat these evolving threats, it is vital to ensure that your organization has visibility into your S3 environment, that you are aware of how threat actors can compromise data for ransom and most importantly, best practices for minimizing the risk of cyber criminals successfully executing such an attack. Ensuring Visibility: CloudTrail and Server Access Logs VThe Hacker News
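The visibility the passage calls for has to turn into concrete detection logic. The block below is an added example, not code from the article or its author: a small rule set run over constructed, flattened CloudTrail S3 data events that catches the moves an S3 ransomware actor makes with a leaked long-term key (use from an untrusted network, bulk deletes, re-encryption of objects under a key the victim does not hold, and a lifecycle expiration rule that quietly deletes data later). The trusted network range, account ID, thresholds and field names are assumptions; real records nest these fields under userIdentity, requestParameters and additionalEventData and would be pulled via Athena or CloudTrail Lake first.

```python
"""Detection rules for S3 ransomware patterns over CloudTrail S3 data events.

Added example, not from the original article. Events here are constructed and
flattened (real CloudTrail records nest these fields under userIdentity,
requestParameters and additionalEventData). Trusted network, account ID and
thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]  # assumed corporate egress range
OWN_ACCOUNT_ID = "111122223333"                # assumed account that owns the buckets
DELETE_BURST_COUNT = 50                        # assumed: deletes per key within the window
DELETE_BURST_SECONDS = 60
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _when(event):
    return datetime.strptime(event["eventTime"], TIME_FMT)


def analyze(events, trusted=TRUSTED_NETWORKS, own_account=OWN_ACCOUNT_ID):
    """Return a list of (rule, access_key, detail) findings."""
    findings, seen = [], set()
    delete_windows = defaultdict(list)
    for ev in sorted(events, key=_when):
        name, key, ip = ev["eventName"], ev["accessKeyId"], ev["sourceIPAddress"]
        params = ev.get("requestParameters", {})
        bucket = ev.get("bucket", "")

        # Rule 1: long-term IAM user key (AKIA...) used from outside trusted networks.
        # A leaked key is the entry point the article describes.
        if key.startswith("AKIA") and not any(ip_address(ip) in n for n in trusted):
            finding = ("leaked-key-suspect", key, ip)
            if finding not in seen:
                seen.add(finding)
                findings.append(finding)

        # Rule 2: lifecycle expiration rule: a quiet way to mass-delete after exfiltration.
        if name in ("PutBucketLifecycle", "PutBucketLifecycleConfiguration"):
            findings.append(("lifecycle-expiration", key, bucket))

        # Rule 3: objects rewritten under a key the victim does not hold:
        # SSE-C (customer-supplied key) or a KMS key from another account.
        if name in ("PutObject", "CopyObject"):
            kms_key = params.get("x-amz-server-side-encryption-aws-kms-key-id", "")
            if params.get("x-amz-server-side-encryption-customer-algorithm"):
                findings.append(("sse-c-reencryption", key, bucket))
            elif kms_key and f":{own_account}:" not in kms_key:
                findings.append(("foreign-kms-key", key, kms_key))

        # Rule 4: burst of deletes from one key inside a sliding window.
        if name in ("DeleteObject", "DeleteObjects"):
            window = delete_windows[key]
            window.append(_when(ev))
            while (window[-1] - window[0]).total_seconds() > DELETE_BURST_SECONDS:
                window.pop(0)
            if len(window) == DELETE_BURST_COUNT:  # fire once, when the threshold is crossed
                findings.append(("delete-burst", key, bucket))
    return findings


def _event(t, name, key, ip, bucket, **params):
    return {"eventTime": t.strftime(TIME_FMT), "eventName": name, "accessKeyId": key,
            "sourceIPAddress": ip, "bucket": bucket, "requestParameters": params}


def constructed_events():
    """Constructed sample: in-house reads, then a leaked key doing ransomware-style actions."""
    base = datetime(2023, 10, 25, 9, 0, 0)
    leaked, attacker_ip, bucket = "AKIALEAKEDEXAMPLE", "203.0.113.7", "corp-finance"
    events = [_event(base + timedelta(seconds=i * 7), "GetObject", "ASIATEMPCRED",
                     "10.0.0.5", bucket) for i in range(5)]
    events.append(_event(base + timedelta(minutes=5), "CopyObject", leaked, attacker_ip, bucket,
                         **{"x-amz-server-side-encryption-customer-algorithm": "AES256"}))
    events.append(_event(base + timedelta(minutes=6), "CopyObject", leaked, attacker_ip, bucket,
                         **{"x-amz-server-side-encryption": "aws:kms",
                            "x-amz-server-side-encryption-aws-kms-key-id":
                            "arn:aws:kms:us-east-1:999988887777:key/attacker-key"}))
    events += [_event(base + timedelta(minutes=7, seconds=i), "DeleteObject", leaked,
                      attacker_ip, bucket) for i in range(60)]
    events.append(_event(base + timedelta(minutes=9), "PutBucketLifecycleConfiguration",
                         leaked, attacker_ip, bucket))
    return events


if __name__ == "__main__":
    for finding in analyze(constructed_events()):
        print(finding)
```

Rules 3 and 4 only fire if S3 data events are actually enabled in CloudTrail for the buckets in question (management events alone do not record GetObject/PutObject/DeleteObject), which is the visibility gap the passage is warning about; bucket versioning with MFA delete and Object Lock are the controls that make the delete and re-encryption steps recoverable.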
October 24, 2023 – Disinformation
Canadian Lawmakers Targeted by China-Linked ‘Spamouflage’ Disinformation Campaign Full Text
Abstract
Canada has warned of a disinformation campaign linked to China, dubbed "Spamouflage," involving deepfake videos and online posts aimed at discrediting Canadian lawmakers and silencing criticism of the Chinese Communist Party.Cyware
October 24, 2023 – Policy and Law
Ex-NSA Employee Pleads Guilty to Leaking Classified Data to Russia Full Text
Abstract
A former employee of the U.S. National Security Agency (NSA) has pleaded guilty to charges accusing him of attempting to transmit classified defense information to Russia. Jareh Sebastian Dalke, 31, served as an Information Systems Security Designer for the NSA from June 6, 2022, to July 1, 2022, where he had Top Secret clearance to access sensitive documents. The latest development comes more than a year after his arrest. "Dalke admitted that between August and September 2022, in order to demonstrate both his 'legitimate access and willingness to share,' he used an encrypted email account to transmit excerpts of three classified documents to an individual he believed to be a Russian agent," the U.S. Department of Justice (DoJ) said in a Monday press release. In reality, the purported agent was an online covert employee working for the U.S. Federal Bureau of Investigation (FBI). Dalke is also alleged to have requested $85,000 in exchange for sharing the inforThe Hacker News
October 24, 2023 – Business
Blockaid Emerges From Stealth With $33 Million Investment Full Text
Abstract
The investment round was led by Ribbit Capital and Variant, with participation from Cyberstarts, Greylock Partners, and Sequoia Capital. The new funds will be used to scale the company's products and team and expand its customer base.Cyware
October 24, 2023 – Criminals
34 Cybercriminals Arrested in Spain for Multi-Million Dollar Online Scams Full Text
Abstract
Spanish law enforcement officials have announced the arrest of 34 members of a criminal group that carried out various online scams, netting the gang about €3 million ($3.2 million) in illegal profits. Authorities conducted searches across 16 locations in Madrid, Malaga, Huelva, Alicante, and Murcia, seizing two simulated firearms, a katana sword, a baseball bat, €80,000 in cash, four high-end vehicles, and computer and electronic material worth thousands of euros. The operation also uncovered a database with cross-referenced information on four million people that was collated after infiltrating databases belonging to financial and credit institutions. The scams, which were conducted via email, SMS, and phone calls, entailed the threat actors masquerading as banks and electricity supply companies to defraud victims, in some cases even perpetrating "son in distress" calls and manipulating delivery notes from technology firms. In one instance, the miscreants reportedlyThe Hacker News
October 24, 2023 – Breach
Norway Issues Warning After ‘Important Businesses’ Affected by Cisco Zero-Days Full Text
Abstract
The attacks were described as more potent than a previous incident that affected Norway's government support agency, resulting in hackers accessing the data of several government ministries.Cyware
October 24, 2023 – Education
Make API Management Less Scary for Your Organization Full Text
Abstract
While application development has evolved rapidly, the API management suites used to access these services remain a spooky reminder of a different era. Introducing new API management infrastructure with these legacy models still poses challenges for organizations as they modernize. Transitioning from monolithic architectures to agile microservices empowers developers to make quick changes. Using serverless technologies and containers enables rapid scalability. Adopting cloud-native API management further enhances developer productivity and leaves the ghosts of outdated operations behind. This blog uncovers the risks of neglecting API modernization and highlights how Gloo Gateway enhances upstream projects like Envoy with essential enterprise features like security, observability, and API controls. What's more, as a Kubernetes-native solution, Gloo Gateway seamlessly integrates with the Kubernetes API for easy deployment. Gloo Gateway adds enterprise capabilities to upstream open souThe Hacker News
October 24, 2023 – General
The Double-Edged Sword of Heightened Regulation for Financial Services Full Text
Abstract
The financial services industry faces unique cybersecurity challenges, including the need to protect sensitive data, navigate complex regulations, and manage partnerships and interconnectedness.Cyware
October 24, 2023 – Attack
iOS Zero-Day Attacks: Experts Uncover Deeper Insights into Operation Triangulation Full Text
Abstract
The TriangleDB implant used to target Apple iOS devices packs in at least four different modules to record the microphone, extract the iCloud Keychain, steal data from SQLite databases used by various apps, and estimate the victim's location. The findings come from Kaspersky, which detailed the great lengths the adversary behind the campaign, dubbed Operation Triangulation, went to conceal and cover up its tracks while clandestinely hoovering up sensitive information from the compromised devices. The sophisticated attack first came to light in June 2023, when it emerged that iOS devices had been targeted by a zero-click exploit weaponizing then-zero-day security flaws (CVE-2023-32434 and CVE-2023-32435) that leverages the iMessage platform to deliver a malicious attachment that can gain complete control over the device and user data. The scale and the identity of the threat actor are presently unknown, although Kaspersky itself became one of the targets at the start of the year, prompting iThe Hacker News
October 24, 2023 – Vulnerabilities
OAuth Implementation Issues Allows Full Online Account Takeover for Millions of Users Full Text
Abstract
Flaws in the implementation of OAuth across various online services, including Grammarly, Vidio, and Bukalapak, could have exposed hundreds of millions of user accounts to credential theft and other cybercriminal activities.Cyware
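The two OAuth entries above describe the outcome (stolen access tokens leading to account takeover) without the mechanics. One long-standing class of OAuth client flaw that produces exactly that outcome is accepting an access token from the redirect without checking that the provider issued it to your application: an attacker who gets a victim to log into the attacker's own app with the same provider receives a token for the victim, then hands that token to the target site's callback, which looks the user up and signs the attacker in as the victim. The block below is an added example, not Salt Labs' code and not a description of what any of the named services did: a constructed provider token table, a vulnerable callback beside a hardened one that binds the flow to the browser session with a state value and rejects tokens issued to another client_id. All identifiers are made up.

```python
"""Why an OAuth client must bind the callback to its own session and check a token's audience.

Added example, not code from Salt Labs or any of the named services. The
provider is modelled as an in-memory table of issued tokens (what a real
client learns from the provider's token introspection or debug endpoint).
All identifiers are constructed.
"""
import hmac
import secrets

OUR_APP_ID = "app-ours"  # assumed: the client_id our site registered with the provider

# Constructed provider state: token -> who it belongs to and which app it was issued to.
ISSUED_TOKENS = {
    "tok-victim-for-attacker-app": {"user_id": "victim@example.com", "app_id": "app-attacker"},
    "tok-victim-for-our-app":      {"user_id": "victim@example.com", "app_id": OUR_APP_ID},
}


def introspect(token):
    """Stand-in for the provider's token introspection call (RFC 7662 style)."""
    return ISSUED_TOKENS.get(token)


def start_login(session):
    """Generate a state value, bind it to the browser session, return it for the redirect."""
    session["oauth_state"] = secrets.token_urlsafe(16)
    return session["oauth_state"]


def callback_insecure(session, params):
    """Vulnerable pattern: any token that introspects to a user logs that user in."""
    info = introspect(params.get("access_token", ""))
    return info["user_id"] if info else None


def callback_hardened(session, params):
    """Hardened pattern: state must match the session and the token must be issued to us."""
    expected = session.pop("oauth_state", None)
    supplied = params.get("state", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return None  # login CSRF: this browser did not start the flow being completed
    info = introspect(params.get("access_token", ""))
    if not info or info["app_id"] != OUR_APP_ID:
        return None  # token injection: the token was issued to another application
    return info["user_id"]


def demo():
    """Attacker replays a victim token obtained through the attacker's own app."""
    attacker_session = {}
    state = start_login(attacker_session)
    injected = {"state": state, "access_token": "tok-victim-for-attacker-app"}
    insecure = callback_insecure(dict(attacker_session), injected)
    hardened = callback_hardened(dict(attacker_session), injected)
    # A genuine login for comparison: state matches and the token was issued to our app.
    good_session = {}
    good_state = start_login(good_session)
    genuine = callback_hardened(good_session, {"state": good_state,
                                               "access_token": "tok-victim-for-our-app"})
    return insecure, hardened, genuine


if __name__ == "__main__":
    print(demo())  # ('victim@example.com', None, 'victim@example.com')
```

The audience check is the part most often missing: a token being valid for the victim's identity is not the same as it having been issued for your application. Prefer the authorization-code flow with PKCE over receiving tokens in the redirect at all, since the code is then exchanged server-side using your client credentials and the provider enforces the binding.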
October 24, 2023 – Malware
Backdoor Implant on Hacked Cisco Devices Modified to Evade Detection Full Text
Abstract
The backdoor implanted on Cisco devices by exploiting a pair of zero-day flaws in IOS XE software has been modified by the threat actor so as to escape visibility via previous fingerprinting methods. "Investigated network traffic to a compromised device has shown that the threat actor has upgraded the implant to do an extra header check," NCC Group's Fox-IT team said. "Thus, for a lot of devices, the implant is still active, but now only responds if the correct Authorization HTTP header is set." The attacks entail fashioning CVE-2023-20198 (CVSS score: 10.0) and CVE-2023-20273 (CVSS score: 7.2) into an exploit chain that grants the threat actor the ability to gain access to the devices, create a privileged account, and ultimately deploy a Lua-based implant on the devices. The development comes as Cisco began rolling out security updates to address the issues, with more updates to come at an as-yet-undisclosed date. The exact identity of the threatThe Hacker News
October 24, 2023 – Attack
Hackers Hit Secure File Transfer Software Again and Again Full Text
Abstract
File transfer software has been a recurring target for hackers, with the Clop ransomware operation being one of the most prominent attackers. They have exploited vulnerabilities in secure file transfer software, resulting in data leaks and ransom demands.Cyware
October 24, 2023 – Breach
1Password Detects Suspicious Activity Following Okta Support Breach Full Text
Abstract
Popular password management solution 1Password said it detected suspicious activity on its Okta instance on September 29 following the support system breach, but reiterated that no user data was accessed. "We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing," Pedro Canahuati, 1Password CTO, said in a Monday notice. The breach is said to have occurred using a session cookie after a member of the IT team shared a HAR file with Okta Support, with the threat actor performing the following set of actions: attempted to access the IT team member's user dashboard, but was blocked by Okta; updated an existing IDP tied to 1Password's production Google environment; activated the IDP; and requested a report of administrative users. The company said it was alerted to the malicious activity after the IT team member received an email about the "requested" administrative user reporThe Hacker News
October 24, 2023 – Attack
Ukraine Security Services Involved in Hack of Russia’s Largest Private Bank Full Text
Abstract
The hackers responsible for breaching Alfa-Bank plan to share the obtained data with investigative journalists and have publicized an alleged conversation with the bank's owner, who claimed he couldn't do anything about the hack.Cyware
October 24, 2023 – General
Legacy Authentication Leads to Growing Consumer Frustration Full Text
Abstract
Despite the popularity of biometrics as an authentication method, passwords are still widely used, with consumers manually entering them about four times a day, according to the FIDO Alliance.Cyware
October 23, 2023 – Criminals
Threat Actor Found Selling Access to Facebook and Instagram’s Police Portal Full Text
Abstract
Researchers suspect that Meta was either tricked into providing access to the threat actor or the threat actor obtained credentials for a legitimate law enforcement account.Cyware
October 23, 2023 – General
Who’s Experimenting with AI Tools in Your Organization? Full Text
Abstract
With the record-setting growth of consumer-focused AI productivity tools like ChatGPT, artificial intelligence—formerly the realm of data science and engineering teams—has become a resource available to every employee. From a productivity perspective, that's fantastic. Unfortunately for IT and security teams, it also means you may have hundreds of people in your organization using a new tool in a matter of days, with no visibility of what type of data they're sending to that tool or how secure it might be. And because many of these tools are free or offer free trials, there's no barrier to entry and no way of discovering them through procurement or expense reports. Organizations need to understand and (quickly) evaluate the benefits and risks of AI productivity tools in order to create a scalable, enforceable, and reasonable policy to guide their employees' behavior. How Nudge Security can help Nudge Security discovers all generative AI accounts ever created by any employThe Hacker News
October 23, 2023 – Malware
From Copacabana to Barcelona: The Cross-Continental Threat of Brazilian Banking Malware Full Text
Abstract
Proofpoint researchers have discovered a new version of the Grandoreiro malware that is targeting victims in both Mexico and Spain. This is unusual as the malware has historically only targeted Portuguese and Spanish speakers in Brazil and Mexico.Cyware
October 23, 2023 – Attack
DoNot Team’s New Firebird Backdoor Hits Pakistan and Afghanistan Full Text
Abstract
The threat actor known as DoNot Team has been linked to the use of a novel .NET-based backdoor called Firebird targeting a handful of victims in Pakistan and Afghanistan. Cybersecurity company Kaspersky, which disclosed the findings in its APT trends report Q3 2023, said the attack chains are also configured to deliver a downloader named CSVtyrei, so named for its resemblance to Vtyrei. "Some code within the examples appeared non-functional, hinting at ongoing development efforts," the Russian firm said. Vtyrei (aka BREEZESUGAR) refers to a first-stage payload and downloader strain previously harnessed by the adversary to deliver a malware framework known as RTY. DoNot Team, also known by the names APT-C-35, Origami Elephant, and SECTOR02, is suspected to be of Indian origin, with its attacks employing spear-phishing emails and rogue Android apps to propagate malware. The latest assessment from Kaspersky builds on an analysis of the threat actor's twin attThe Hacker News
October 23, 2023 – Malware
Quasar RAT Employs DLL Sideloading to Stay Under the Radar Full Text
Abstract
Quasar RAT, an open-source remote access trojan also known as CinaRAT or Yggdrasil, has been spotted leveraging a new Microsoft file as part of its DLL sideloading process to stealthily drop malicious payloads on compromised Windows systems. Once the Quasar RAT payload is executed in the computer' ... Cyware
October 23, 2023 – Malware
Quasar RAT Leverages DLL Side-Loading to Fly Under the Radar Full Text
Abstract
The open-source remote access trojan known as Quasar RAT has been observed leveraging DLL side-loading to fly under the radar and stealthily siphon data from compromised Windows hosts. "This technique capitalizes on the inherent trust these files command within the Windows environment," Uptycs researchers Tejaswini Sandapolla and Karthickkumar Kathiresan said in a report published last week, detailing the malware's reliance on ctfmon.exe and calc.exe as part of the attack chain. Also known by the names CinaRAT or Yggdrasil, Quasar RAT is a C#-based remote administration tool capable of gathering system information, a list of running applications, files, keystrokes, screenshots, and executing arbitrary shell commands. DLL side-loading is a popular technique adopted by many threat actors to execute their own payloads by planting a spoofed DLL file with a name that a benign executable is known to be looking for. "Adversaries likely use side-loading as aThe Hacker News
October 23, 2023 – Breach
DC Voter Data Breach May Have Exposed Personal Information Full Text
Abstract
The personal information of D.C. voters, including partial Social Security numbers and driver's license numbers, may have been exposed in a data breach affecting the Board of Elections' voter roll.Cyware
October 23, 2023 – Attack
The DarkGate Menace: Tracing the Vietnamese Connection Full Text
Abstract
A recent report from WithSecure has highlighted a surge in DarkGate malware infection attempts. Multiple Vietnamese threat groups have been found to deploy info-stealer campaigns using Malware-as-a-Service (MaaS), honing in on specific sectors or groups. Their modus operandi displays notable s ... Cyware
October 21, 2023 – Criminals
Europol Dismantles Ragnar Locker Ransomware Infrastructure, Nabs Key Developer Full Text
Abstract
Europol on Friday announced the takedown of the infrastructure associated with Ragnar Locker ransomware, alongside the arrest of a "key target" in France. "In an action carried out between 16 and 20 October, searches were conducted in Czechia, Spain, and Latvia," the agency said. "The main perpetrator, suspected of being a developer of the Ragnar group, has been brought in front of the examining magistrates of the Paris Judicial Court." Five other accomplices associated with the ransomware gang are said to have been interviewed in Spain and Latvia, with the servers and the data leak portal seized in the Netherlands, Germany, and Sweden. The effort is the latest coordinated exercise involving authorities from Czechia, France, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine, and the U.S. Two suspects associated with the ransomware crew were previously arrested in Ukraine in 2021. A year later, another member was apprehended inThe Hacker News
October 21, 2023 – Breach
Okta’s Support System Breach Exposes Customer Data to Unidentified Threat Actors Full Text
Abstract
Identity services provider Okta on Friday disclosed a new security incident that allowed unidentified threat actors to leverage stolen credentials to access its support case management system. "The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases," David Bradbury, Okta's chief security officer, said. "It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted." The company also emphasized that its Auth0/CIC case management system was not impacted by the breach, noting it has directly notified customers who have been affected. However, it said that the customer support system is also used to upload HTTP Archive (HAR) files to replicate end user or administrator errors for troubleshooting purposes. "HAR files can also contain sensitive data, including cookies and session tokens, that maliciThe Hacker News
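Both the Okta disclosure above and the 1Password entry earlier on the page turn on the same detail: a HAR file captured for troubleshooting carries the live session cookies and tokens of whoever recorded it, and anyone who can read the file can replay them. The block below is an added example, not Okta's or 1Password's tooling: a scrubber that walks the HAR structure (log.entries[].request/response with their headers, cookies, query strings and body text), redacts session-bearing headers and cookie values, strips token-like query and form parameters, and masks anything shaped like a JWT in body text, while leaving timings and non-sensitive fields intact so the file is still useful to support. The header and parameter name lists are assumptions to extend for your identity providers; the sample HAR is constructed.

```python
"""Scrub session material from a HAR file before uploading it to a support case.

Added example, not Okta's or 1Password's tooling. The header/parameter name
lists are assumptions to extend per environment. The sample HAR is constructed.
"""
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization",
                     "x-amz-security-token", "x-xsrf-token", "x-csrf-token"}  # assumed list
SENSITIVE_PARAMS = {"access_token", "id_token", "refresh_token", "code", "token",
                    "session", "sid", "samlresponse"}                          # assumed list
# Anything shaped like a JWT (three base64url segments, header starting with eyJ).
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*")


def _scrub_pairs(pairs, names):
    for pair in pairs:
        if pair.get("name", "").lower() in names:
            pair["value"] = REDACTED


def _scrub_text(text):
    return JWT_RE.sub(REDACTED, text) if isinstance(text, str) else text


def _scrub_form(text):
    pairs = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(text or "", keep_blank_values=True)]
    return urlencode(pairs)


def _scrub_url(url):
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=_scrub_form(parts.query)))


def scrub_har(har):
    """Redact in place and return the HAR dict; structure and timings are preserved."""
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            _scrub_pairs(msg.get("headers", []), SENSITIVE_HEADERS)
            for cookie in msg.get("cookies", []):
                cookie["value"] = REDACTED  # every cookie value, not only known session names
        _scrub_pairs(req.get("queryString", []), SENSITIVE_PARAMS)
        if "url" in req:
            req["url"] = _scrub_url(req["url"])
        post = req.get("postData")
        if post:
            if "x-www-form-urlencoded" in post.get("mimeType", ""):
                post["text"] = _scrub_form(post.get("text"))
            else:
                post["text"] = _scrub_text(post.get("text"))
            _scrub_pairs(post.get("params", []), SENSITIVE_PARAMS)
        content = resp.get("content", {})
        if "text" in content:
            content["text"] = _scrub_text(content["text"])
    return har


def scrub_har_text(raw):
    """HAR JSON string in, scrubbed HAR JSON string out."""
    return json.dumps(scrub_har(json.loads(raw)), indent=2)


# Constructed sample: one OAuth callback request with a session cookie, bearer JWT,
# one-time code in the URL, a refresh token in the form body and a JWT in the response.
CONSTRUCTED_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ2aWN0aW0ifQ.c2lnbmF0dXJlLWJ5dGVz"
CONSTRUCTED_HAR = json.dumps({"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST",
        "url": "https://sso.example.com/oauth2/callback?code=onetimecode123&page=1",
        "headers": [{"name": "Cookie", "value": "sid=abc123"},
                    {"name": "Authorization", "value": "Bearer " + CONSTRUCTED_JWT},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "abc123"}],
        "queryString": [{"name": "code", "value": "onetimecode123"},
                        {"name": "page", "value": "1"}],
        "postData": {"mimeType": "application/x-www-form-urlencoded",
                     "text": "grant_type=refresh_token&refresh_token=rt-secret",
                     "params": [{"name": "refresh_token", "value": "rt-secret"}]}},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "def456"}],
        "content": {"mimeType": "application/json",
                    "text": json.dumps({"access_token": CONSTRUCTED_JWT})}}}]}})


if __name__ == "__main__":
    print(scrub_har_text(CONSTRUCTED_HAR))
```

Scrubbing is the second line of defence; the first is that the sessions captured in the file should be short-lived and revoked once the upload is done, which is also why Okta's own guidance for this incident was to sanitize HAR files before sharing them.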
October 21, 2023 – Attack
Business-Oriented Threat Involving ‘Several Types of Malware All at Once’ Remains Active Full Text
Abstract
The campaign involves various types of malware, including cryptominers and keyloggers, and primarily targets enterprises that provide business-to-business (B2B) products and services.Cyware
October 21, 2023 – Vulnerabilities
Cisco Zero-Day Exploited to Implant Malicious Lua Backdoor on Thousands of Devices Full Text
Abstract
Cisco has warned of a new zero-day flaw in IOS XE that has been actively exploited by an unknown threat actor to deploy a malicious Lua-based implant on susceptible devices. Tracked as CVE-2023-20273 (CVSS score: 7.2), the issue relates to a privilege escalation flaw in the web UI feature and is said to have been used alongside CVE-2023-20198 as part of an exploit chain. "The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination," Cisco said in an updated advisory published Friday. "This allowed the user to log in with normal user access." "The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system," a shortcoming that has been assigned the identifier CVE-2023-20273. A Cisco spokesperson told The Hacker News that a fix that covers both vulnerabiliThe Hacker News
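The implant described in this entry and in the Fox-IT update earlier on the page (the variant that answers only when a specific Authorization header is present) changes how a defender has to probe for it: the original check, a POST to the implant's web UI path that returns a bare hexadecimal string when the implant is live, now silently looks clean unless the header is supplied. The block below is an added example, not Cisco's or Fox-IT's tooling. It issues the public Talos check twice, plain and with the header, and classifies the responses. The path and the hex-string fingerprint are taken from the public write-ups and should be re-checked against the current Cisco advisory before use; the Authorization header value is a placeholder to fill from vendor or Fox-IT guidance. classify() is pure so it can be tested on captured responses offline.

```python
"""Two-step probe for the IOS XE web UI implant, covering the Authorization-header variant.

Added example, not Cisco's or Fox-IT's tooling. IMPLANT_PATH and the
hex-body fingerprint follow the public Talos check and should be confirmed
against current vendor guidance; AUTH_HEADER_VALUE is a placeholder.
"""
import re
import ssl
import urllib.error
import urllib.request

IMPLANT_PATH = "/webui/logoutconfirm.html?logon_hash=1"
AUTH_HEADER_VALUE = "REPLACE_WITH_VALUE_FROM_VENDOR_GUIDANCE"  # placeholder, see lead-in
HEX_BODY = re.compile(r"^[0-9a-fA-F]{16,64}$")


def classify(status, body):
    """'implant' when the response is nothing but a hex string; otherwise 'clean'."""
    return "implant" if status == 200 and HEX_BODY.match(body.strip()) else "clean"


def verdict(results):
    """Combine the plain and header-bearing probes into one assessment."""
    plain, with_auth = results.get("plain"), results.get("with-auth")
    if plain == "implant":
        return "implant (original variant)"
    if with_auth == "implant":
        return "implant (updated variant: answers only with Authorization header)"
    if any(str(r).startswith("error") for r in results.values()):
        return "inconclusive (probe error)"
    return "no implant response"


def probe(host, auth_value=AUTH_HEADER_VALUE, timeout=5):
    """Issue both probes against https://host and return {label: classification}."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # devices typically present self-signed certificates
    ctx.verify_mode = ssl.CERT_NONE
    results = {}
    for label, headers in (("plain", {}), ("with-auth", {"Authorization": auth_value})):
        req = urllib.request.Request(f"https://{host}{IMPLANT_PATH}", data=b"",
                                     method="POST", headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
                results[label] = classify(resp.status, resp.read().decode("utf-8", "replace"))
        except urllib.error.HTTPError as err:
            # A 404 or 401 body is still a response we can classify.
            results[label] = classify(err.code, err.read().decode("utf-8", "replace"))
        except (urllib.error.URLError, OSError) as err:
            results[label] = f"error: {err}"
    return results


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, verdict(probe(target)))
```

A clean probe result is not proof of a clean device: the implant is non-persistent and a reboot removes it, but the CVE-2023-20198 account the attacker created survives, so the check belongs alongside a review of local users and of the web UI being exposed at all (Cisco's mitigation is to disable the HTTP server feature on internet-facing devices).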
October 21, 2023 – Government
FBI: Thousands of Remote IT Workers Sent Wages to North Korea to Help Fund Weapons Program Full Text
Abstract
The workers used false identities to secure remote IT jobs and funneled their earnings to North Korea, while also infiltrating and stealing information from the companies they worked for.Cyware
October 20, 2023 – Phishing
Malvertisers Using Google Ads to Target Users Searching for Popular Software Full Text
Abstract
Details have emerged about a malvertising campaign that leverages Google Ads to direct users searching for popular software to fictitious landing pages and distribute next-stage payloads. Malwarebytes, which discovered the activity, said it's "unique in its way to fingerprint users and distribute time sensitive payloads." The attack singles out users searching for Notepad++ and PDF converters to serve bogus ads on the Google search results page that, when clicked, filters out bots and other unintended IP addresses by showing a decoy site. Should the visitor be deemed of interest to the threat actor, the victim is redirected to a replica website advertising the software, while silently fingerprinting the system to determine if the request is originating from a virtual machine. Users who fail the check are taken to the legitimate Notepad++ website, while a potential target is assigned a unique ID for "tracking purposes but also to make each download unique and tThe Hacker News
October 20, 2023 – Breach
Exploited SSH Servers Offered in the Dark web as Proxy Pools Full Text
Abstract
Researchers at Aqua Nautilus have uncovered a threat to SSH in cloud environments. Attackers are compromising SSH servers and abusing SSH tunneling through them to proxy their traffic and gain access to organizations' networks.Cyware
October 20, 2023 – Attack
Vietnamese Hackers Target U.K., U.S., and India with DarkGate Malware Full Text
Abstract
Attacks leveraging the DarkGate commodity malware targeting entities in the U.K., the U.S., and India have been linked to Vietnamese actors associated with the use of the infamous Ducktail stealer. "The overlap of tools and campaigns is very likely due to the effects of a cybercrime marketplace," WithSecure said in a report published today. "Threat actors are able to acquire and use multiple different tools for the same purpose, and all they have to do is come up with targets, campaigns, and lures." The development comes amid an uptick in malware campaigns using DarkGate in recent months, primarily driven by its author's decision to rent it out on a malware-as-a-service (MaaS) basis to other threat actors after using it privately since 2018. It's not just DarkGate and Ducktail, for the Vietnamese threat actor cluster responsible for these campaigns is leveraging the same or very similar lures, themes, targeting, and delivery methods to also deliver LThe Hacker News
October 20, 2023 – Government
CISA, NSA, FBI, MS-ISAC Publish Guide on Preventing Phishing Intrusions Full Text
Abstract
The guide categorizes phishing into two common tactics: obtaining login credentials and deploying malware, and provides details on techniques used by malicious actors, such as impersonation and spoofing, to carry out these attacks.Cyware
October 20, 2023 – General
Unleashing the Power of the Internet of Things and Cyber Security Full Text
Abstract
Due to the rapid evolution of technology, the Internet of Things (IoT) is changing the way business is conducted around the world. This advancement and the power of the IoT have been nothing short of transformational in making data-driven decisions, accelerating efficiencies, and streamlining operations to meet the demands of a competitive global marketplace. IoT At a Crossroads IoT, in its most basic terms, is the intersection of the physical and digital world with distinct applications and purposes. It is devices, sensors, and systems of all kinds harnessing the power of interconnectivity through the internet to provide seamless experiences for business. Up until today, we, as security professionals, have been very good at writing about the numerous and varying IoT applications and uses and have agreed upon the fact that the security of the IoT is important. However, have we really understood the big picture? And that is for IoT to really reach its full potential as a fully interThe Hacker News
October 20, 2023 – Breach
Almost 42,000 Cisco IOS XE Devices Exploited, No Patch Available Full Text
Abstract
Security researchers have discovered tens of thousands of exploited devices with a backdoor installed due to a critical zero-day vulnerability in Cisco IOS XE software's web user interface.Cyware
October 20, 2023 – Malware
ExelaStealer: A New Low-Cost Cybercrime Weapon Emerges Full Text
Abstract
A new information stealer named ExelaStealer has become the latest entrant to an already crowded landscape filled with various off-the-shelf malware designed to capture sensitive data from compromised Windows systems. "ExelaStealer is a largely open-source infostealer with paid customizations available from the threat actor," Fortinet FortiGuard Labs researcher James Slaughter said in a technical report. Written in Python and incorporating support for JavaScript, it comes fitted with capabilities to siphon passwords, Discord tokens, credit cards, cookies and session data, keystrokes, screenshots, and clipboard content. ExelaStealer is offered for sale via cybercrime forums as well as a dedicated Telegram channel set up by its operators who go by the online alias quicaxd. The paid-for version costs $20 a month, $45 for three months, or $120 for a lifetime license. The low cost of the commodity malware makes it a perfect hacking tool for newbies, effectively lowerinThe Hacker News
October 20, 2023 – Government
CISA Launches New Phase of Secure by Design to Push Global Industry on Software Security Full Text
Abstract
CISA plans to issue a request for information to address Secure by Design engineering and is urging software manufacturers to demonstrate evidence of security incorporation through artifacts.Cyware
October 20, 2023 – Policy and Law
U.S. DoJ Cracks Down on North Korean IT Scammers Defrauding Global Businesses Full Text
Abstract
The U.S. government has announced the seizure of 17 website domains used by North Korean information technology (IT) workers as part of an illicit scheme to defraud businesses across the world, evade sanctions, and fund the country's ballistic missile program. The Department of Justice (DoJ) said the U.S. confiscated approximately $1.5 million of the revenue that these IT workers collected from unwitting victims using the deceptive scheme in October 2022 and January 2023. It also called out North Korea for flooding the "global marketplace with ill-intentioned information technology workers." Court documents allege that the dispatched workers primarily live in China and Russia with an aim to deceive companies in the U.S. and elsewhere into hiring them under fake identities, and ultimately generating "millions of dollars a year" in illicit revenues. The development comes amid continued warnings from the U.S. about North Korea's reliance on its armyThe Hacker News
October 20, 2023 – Attack
Vietnamese Hackers Hit Digital Marketers With Info-stealer Malware Full Text
Abstract
Vietnamese cybercrime groups are targeting the digital marketing sectors in the United Kingdom, United States, and India with various malware strains, including the DarkGate information stealer.Cyware
October 19, 2023 – Criminals
BlackCat Group Adopts a New Tactic to Circumvent Security Solutions Full Text
Abstract
The BlackCat ransomware group has introduced a new evasion tool called Munchkin, distributed as an ISO file, allowing them to run ransomware on remote machines. The controller malware is written in Rust and resembles the BlackCat malware family. Organizations are recommended to leverage ...Cyware
October 19, 2023 – Attack
Sophisticated MATA Framework Strikes Eastern European Oil and Gas Companies Full Text
Abstract
An updated version of a sophisticated backdoor framework called MATA has been used in attacks aimed at over a dozen Eastern European companies in the oil and gas sector and defense industry as part of a cyber espionage operation that took place between August 2022 and May 2023. "The actors behind the attack used spear-phishing mails to target several victims, some were infected with Windows executable malware by downloading files through an internet browser," Kaspersky said in a new exhaustive report published this week. "Each phishing document contains an external link to fetch a remote page containing a CVE-2021-26411 exploit." CVE-2021-26411 (CVSS score: 8.8) refers to a memory corruption vulnerability in Internet Explorer that could be triggered to execute arbitrary code by tricking a victim into visiting a specially crafted site. It was previously exploited by the Lazarus Group in early 2021 to target security researchers. The cross-platform MATA fThe Hacker News
October 19, 2023 – Policy and Law
Former Navy IT Manager Sentenced to Prison for Hacking, Selling PII Full Text
Abstract
The IT manager and his wife stole the personally identifiable information of over 9,000 individuals and sold it for $160,000 in Bitcoin, which was later used for criminal activities.Cyware
October 19, 2023 – General
Vulnerability Scanning: How Often Should I Scan? Full Text
Abstract
The time between a vulnerability being discovered and hackers exploiting it is narrower than ever – just 12 days . So it makes sense that organizations are starting to recognize the importance of not leaving long gaps between their scans, and the term "continuous vulnerability scanning" is becoming more popular. Hackers won't wait for your next scan One-off scans can be a simple 'one-and-done' scan to prove your security posture to customers, auditors or investors, but more commonly they refer to periodic scans kicked off at semi-regular intervals – the industry standard has traditionally been quarterly. These periodic scans give you a point-in-time snapshot of your vulnerability status – from SQL injections and XSS to misconfigurations and weak passwords. Great for compliance if they only ask for a quarterly vulnerability scan, but not so good for ongoing oversight of your security posture, or a robust attack surface management program. With a fresh CVE created everThe Hacker News
October 19, 2023 – Breach
Californian IT Company DNA Micro Leaks Private Mobile Phone Data of Over 820,000 Customers Full Text
Abstract
The leaked data poses serious risks, as threat actors could potentially disrupt services, launch phishing campaigns, and engage in "doxxing" and "swatting" activities, putting customers at risk.Cyware
October 19, 2023 – Solution
Google Play Protect Introduces Real-Time Code-Level Scanning for Android Malware Full Text
Abstract
Google has announced an update to its Play Protect with support for real-time scanning at the code level to tackle novel malicious apps prior to downloading and installing them on Android devices. "Google Play Protect will now recommend a real-time app scan when installing apps that have never been scanned before to help detect emerging threats," the tech giant said . Google Play Protect is a built-in, free threat detection service that scans Android devices for any potentially harmful apps downloaded from the Play Store as well as other external sources. In extreme cases, an app may be blocked from being installed. The check expands on previously existing protections that alerted users when it identified an app known to be malicious from existing scanning intelligence or was identified as suspicious from heuristics gathered via on-device machine learning. With the latest safeguards, important signals from the app are extracted and sent to the Play Protect backend infrThe Hacker News
October 19, 2023 – Government
UK Warns Nuclear Power Plant Operator of Cybersecurity Failings Full Text
Abstract
EDF, the company operating nuclear power plants in the UK, is facing increased regulatory attention after an inspection of its cybersecurity practices. The company failed to provide a comprehensive cybersecurity improvement plan.Cyware
October 19, 2023 – Attack
Iran-Linked OilRig Targets Middle East Governments in 8-Month Cyber Campaign Full Text
Abstract
The Iran-linked OilRig threat actor targeted an unnamed Middle East government between February and September 2023 as part of an eight-month-long campaign. The attack led to the theft of files and passwords and, in one instance, resulted in the deployment of a PowerShell backdoor called PowerExchange, the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News. The cybersecurity firm is tracking the activity under the name Crambus , noting that the adversary used the implant to "monitor incoming mails sent from an Exchange Server in order to execute commands sent by the attackers in the form of emails, and surreptitiously forwarded results to the attackers." Malicious activity is said to have been detected on no less than 12 computers, with backdoors and keyloggers installed on a dozen other machines, indicating a broad compromise of the target. The use of PowerExchange was first highlighted by Fortinet FortiGuard Labs in MayThe Hacker News
October 19, 2023 – APT
New Campaign by Iranian APT Group Targets Middle Eastern Government Full Text
Abstract
The attackers made use of legitimate tools like Plink to configure port-forwarding rules, enabling remote access via the Remote Desktop Protocol (RDP), and modified Windows firewall rules to facilitate their activities.Cyware
October 19, 2023 – Attack
Microsoft Warns of North Korean Attacks Exploiting JetBrains TeamCity Flaw Full Text
Abstract
North Korean threat actors are actively exploiting a critical security flaw in JetBrains TeamCity to opportunistically breach vulnerable servers, according to Microsoft. The attacks, which entail the exploitation of CVE-2023-42793 (CVSS score: 9.8), have been attributed to Diamond Sleet (aka Labyrinth Chollima) and Onyx Sleet (aka Andariel or Silent Chollima). It's worth noting that both the threat activity clusters are part of the infamous North Korean nation-state actor known as Lazarus Group . In one of the two attack paths employed by Diamond Sleet, a successful compromise of TeamCity servers is followed by the deployment of a known implant called ForestTiger from legitimate infrastructure previously compromised by the threat actor. A second variant of the attacks leverages the initial foothold to retrieve a malicious DLL (DSROLE.dll aka RollSling or Version.dll or FeedLoad) that's loaded by means of a technique referred to as DLL search-order hijacking to eitheThe Hacker News
October 19, 2023 – General
Lost and Stolen Devices: A Gateway to Data Breaches and Leaks Full Text
Abstract
To mitigate the risk, organizations should implement strategies such as employee training, geolocation and geofencing, endpoint data encryption, and secure storage solutions.Cyware
October 19, 2023 – Vulnerabilities
Google TAG Detects State-Backed Threat Actors Exploiting WinRAR Flaw Full Text
Abstract
A number of state-backed threat actors from Russia and China have been observed exploiting a recent security flaw in the WinRAR archiver tool for Windows as part of their operations. The vulnerability in question is CVE-2023-38831 (CVSS score: 7.8), which allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The shortcoming has been actively exploited since at least April 2023. Google Threat Analysis Group (TAG), which detected the activities in recent weeks, attributed them to three different clusters it tracks under the geological monikers FROZENBARENTS (aka Sandworm), FROZENLAKE (aka APT28), and ISLANDDREAMS (aka APT40). The phishing attack linked to Sandworm impersonated a Ukrainian drone warfare training school in early September and distributed a malicious ZIP file exploiting CVE-2023-38831 to deliver Rhadamanthys, a commodity stealer malware which is offered for sale for $250 for a monthly subscription. APT28,The Hacker News
October 19, 2023 – Attack
Eastern European Energy and Defense Firms Targeted With MATA Backdoor Full Text
Abstract
The attackers employed sophisticated techniques, including exploiting a vulnerability in Internet Explorer and using specialized malware modules for data exfiltration, highlighting the increasing complexity of targeted attacks.Cyware
October 19, 2023 – Criminals
Moldovan Accused of Running Cybercrime Marketplace to Face Charges in US Full Text
Abstract
The marketplace, which used an online payment system called Perfect Money, offered illicit cryptocurrency exchange services and listed credentials belonging to 350,000 devices for sale globally.Cyware
October 18, 2023 – Attack
Lazarus Group Targeting Defense Experts with Fake Interviews via Trojanized VNC Apps Full Text
Abstract
The North Korea-linked Lazarus Group (aka Hidden Cobra or TEMP.Hermit) has been observed using trojanized versions of Virtual Network Computing (VNC) apps as lures to target the defense industry and nuclear engineers as part of a long-running campaign known as Operation Dream Job . "The threat actor tricks job seekers on social media into opening malicious apps for fake job interviews," Kaspersky said in its APT trends report for Q3 2023. "To avoid detection by behavior-based security solutions, this backdoored application operates discreetly, only activating when the user selects a server from the drop-down menu of the trojanized VNC client." Once launched by the victim, the counterfeit app is designed to retrieve additional payloads, including a known Lazarus Group malware dubbed LPEClient , which comes fitted with capabilities to profile compromised hosts. Also deployed by the adversary is an updated version of COPPERHEDGE , a backdoor known for runnThe Hacker News
October 18, 2023 – Vulnerabilities
Critical Citrix NetScaler Flaw Exploited to Target Government, Tech Firms Full Text
Abstract
Citrix is warning of exploitation of a recently disclosed critical security flaw in NetScaler ADC and Gateway appliances that could result in exposure of sensitive information. Tracked as CVE-2023-4966 (CVSS score: 9.4), the vulnerability impacts the following supported versions: NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50; NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15; NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19; NetScaler ADC and NetScaler Gateway 12.1 (currently end-of-life); NetScaler ADC 13.1-FIPS before 13.1-37.164; NetScaler ADC 12.1-FIPS before 12.1-55.300; and NetScaler ADC 12.1-NDcPP before 12.1-55.300. However, for exploitation to occur, it requires the device to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authorization and accounting (AAA) virtual server. While patches for the flaw were released on October 10, 2023, Citrix has now revised the advisory to note that "exploits of CVE-20The Hacker News
October 18, 2023 – General
Unraveling Real-Life Attack Paths – Key Lessons Learned Full Text
Abstract
In the ever-evolving landscape of cybersecurity, attackers are always searching for vulnerabilities and exploits within organizational environments. They don't just target single weaknesses; they're on the hunt for combinations of exposures and attack methods that can lead them to their desired objective. Despite the presence of numerous security tools, organizations often have to deal with two major challenges. First, these tools frequently lack the ability to effectively prioritize threats, leaving security professionals in the dark about which issues need immediate attention. Second, these tools often fail to provide context about how individual issues come together and how they can be leveraged by attackers to access critical assets. This lack of insight can lead organizations to either attempt to fix everything or, more dangerously, address nothing at all. In this article, we delve into 7 real-life attack path scenarios that our in-house experts encountered while utilizThe Hacker News
October 18, 2023 – Attack
Qubitstrike Targets Jupyter Notebooks with Crypto Mining and Rootkit Campaign Full Text
Abstract
A threat actor, presumably from Tunisia, has been linked to a new campaign targeting exposed Jupyter Notebooks in a two-fold attempt to illicitly mine cryptocurrency and breach cloud environments. Dubbed Qubitstrike by Cado, the intrusion set utilizes Telegram API to exfiltrate cloud service provider credentials following a successful compromise. "The payloads for the Qubitstrike campaign are all hosted on codeberg.org – an alternative Git hosting platform, providing much of the same functionality as GitHub," security researchers Matt Muir and Nate Bill said in a Wednesday write-up. In the attack chain documented by the cloud security firm, publicly accessible Jupyter instances are breached to execute commands to retrieve a shell script (mi.sh) hosted on Codeberg. The shell script, which acts as the primary payload, is responsible for executing a cryptocurrency miner, establishing persistence by means of a cron job, inserting an attacker-controlled key to the .ssh/aThe Hacker News
October 17, 2023 – Malware
Researchers Warn of Increased Malware Delivery via Fake Browser Updates Full Text
Abstract
The threat group behind the SocGholish campaigns is likely responsible for the ClearFake malware delivery campaign, which uses compromised WordPress sites to push malicious fake browser updates.Cyware
October 17, 2023 – General
Discord: A Playground for Nation-State Hackers Targeting Critical Infrastructure Full Text
Abstract
In what's the latest evolution of threat actors abusing legitimate infrastructure for nefarious ends, new findings show that nation-state hacking groups have entered the fray in leveraging the social platform for targeting critical infrastructure. Discord, in recent years, has become a lucrative target, acting as a fertile ground for hosting malware using its content delivery network (CDN) as well as allowing information stealers to siphon sensitive data off the app and facilitating data exfiltration by means of webhooks. "The usage of Discord is largely limited to information stealers and grabbers that anyone can buy or download from the Internet," Trellix researchers Ernesto Fernández Provecho and David Pastor Sanz said in a Monday report. But that may be changing, for the cybersecurity firm said it found evidence of an artifact targeting Ukrainian critical infrastructures. There is currently no evidence linking it to a known threat group. "TheThe Hacker News
October 17, 2023 – Vulnerabilities
Critical Vulnerabilities Expose Weintek HMIs to Attacks Full Text
Abstract
The US cybersecurity agency, CISA, has warned organizations about critical vulnerabilities found in a human-machine interface (HMI) product made by the Taiwan-based Weintek. The impacted product is used globally, including in critical manufacturing.Cyware
October 17, 2023 – Vulnerabilities
Critical Vulnerabilities Uncovered in Open Source CasaOS Cloud Software Full Text
Abstract
Two critical security flaws discovered in the open-source CasaOS personal cloud software could be successfully exploited by attackers to achieve arbitrary code execution and take over susceptible systems. The vulnerabilities, tracked as CVE-2023-37265 and CVE-2023-37266 , both carry a CVSS score of 9.8 out of a maximum of 10. Sonar security researcher Thomas Chauchefoin, who discovered the bugs, said they "allow attackers to get around authentication requirements and gain full access to the CasaOS dashboard." Even more troublingly, CasaOS' support for third-party applications could be weaponized to run arbitrary commands on the system to gain persistent access to the device or pivot into internal networks. Following responsible disclosure on July 3, 2023, the flaws were addressed in version 0.4.4 released by its maintainers IceWhale on July 14, 2023. A brief description of the two flaws is as follows - CVE-2023-37265 - Incorrect identification of the sThe Hacker News
October 17, 2023 – Attack
TV Advertising Sales Giant Affected by Ransomware Attack Full Text
Abstract
The Black Basta ransomware gang claimed responsibility for the attack, but the extent of the data stolen is unknown. The company confirmed the incident and stated that they are working with law enforcement to address the issue.Cyware
October 17, 2023 – Education
Webinar: Locking Down Financial and Accounting Data — Best Data Security Strategies Full Text
Abstract
Financial data is much more than just a collection of numbers; it is a crucial component of any business and a prime target for cybercriminals. It's important to understand that financial records can be a veritable treasure trove for digital pirates. A security breach not only puts customers' personal information in jeopardy but also enables fraudsters to drain company funds and exploit clients. Data threats can arise from a variety of sources, ranging from malicious actors with harmful intentions to simple mistakes, such as sending a confidential email to the wrong recipient. The methods used to compromise data are diverse and constantly evolving, including ransomware attacks and inadvertent leaks in cloud storage. Navigating this complex landscape can be daunting, but knowledge is empowering. We're excited to announce that we are hosting an exclusive webinar in collaboration with experts from WinZip. Titled " Locking Down Financial and Accounting Data — Best DatThe Hacker News
October 17, 2023 – Criminals
Operators Behind Worldwide Linux XorDDoS Campaign Evolve Their Attack Infrastructure Full Text
Abstract
The attackers behind the XorDDoS campaign have migrated their offensive infrastructure to legitimate public hosting services, making it harder to block their command and control (C2) traffic.Cyware
October 17, 2023 – General
Exploring the Realm of Malicious Generative AI: A New Digital Security Challenge Full Text
Abstract
Recently, the cybersecurity landscape has been confronted with a daunting new reality – the rise of malicious Generative AI, like FraudGPT and WormGPT. These rogue creations, lurking in the dark corners of the internet, pose a distinctive threat to the world of digital security. In this article, we will look at the nature of Generative AI fraud, analyze the messaging surrounding these creations, and evaluate their potential impact on cybersecurity. While it's crucial to maintain a watchful eye, it's equally important to avoid widespread panic, as the situation, though disconcerting, is not yet a cause for alarm. Interested in how your organization can protect against generative AI attacks with an advanced email security solution? Get an IRONSCALES demo . Meet FraudGPT and WormGPT FraudGPT represents a subscription-based malicious Generative AI that harnesses sophisticated machine learning algorithms to generate deceptive content. In stark contrast to ethical AI models, FrThe Hacker News
October 17, 2023 – Attack
Knight Ransomware Group Claims Cyberattack on BMW Munique Motors Full Text
Abstract
The Knight group threatened to release stolen files and provided countdown links. However, the parent company, BMW, has not confirmed the attack. The website for BMW Munique Motors is still operational.Cyware
October 17, 2023 – Vulnerabilities
Experts Warn of Severe Flaws Affecting Milesight Routers and Titan SFTP Servers Full Text
Abstract
A security flaw impacting industrial cellular routers from Milesight may have been actively exploited in real-world attacks, new findings from VulnCheck reveal. Tracked as CVE-2023-43261 (CVSS score: 7.5), the vulnerability has been described as a case of information disclosure that affects UR5X, UR32L, UR32, UR35, and UR41 routers before version 35.3.0.7 that could enable attackers to access logs such as httpd.log as well as other sensitive credentials. As a result, this could permit remote and unauthenticated attackers to gain unauthorized access to the web interface, thereby making it possible to configure VPN servers and even drop firewall protections. "This vulnerability becomes even more severe as some routers allow the sending and receiving of SMS messages," security researcher Bipin Jitiya, who discovered the issue, said earlier this month. "An attacker could exploit this functionality for fraudulent activities, potentially causing financial harm to theThe Hacker News
October 17, 2023 – Vulnerabilities
Multiple Vulnerabilities in South River Technologies’ Titan MFT and Titan SFTP Servers Fixed Full Text
Abstract
These include authenticated remote code execution via "zip slip" and WebDAV path traversal, session fixation on the remote administration server, information disclosure via path traversal on FTP, and information disclosure in the admin interface.Cyware
October 17, 2023 – Attack
CERT-UA Reports: 11 Ukrainian Telecom Providers Hit by Cyberattacks Full Text
Abstract
The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed that threat actors "interfered" with at least 11 telecommunication service providers in the country between May and September 2023. The agency is tracking the activity under the name UAC-0165, stating the intrusions led to service interruptions for customers. The starting point of the attacks is a reconnaissance phase in which a telecom company's network is scanned to identify exposed RDP or SSH interfaces and potential entry points. "It should be noted that reconnaissance and exploitation activities are carried out from previously compromised servers located, in particular, in the Ukrainian segment of the internet," CERT-UA said . "To route traffic through such nodes, Dante, SOCKS5, and other proxy servers are used." The attacks are notable for the use of two specialized programs called POEMGATE and POSEIDON that enable credential theft and remote control of the infected hoThe Hacker News
October 17, 2023 – Education
Quantum Risk is Real Now: How to Navigate the Evolving Data Harvesting Threat Full Text
Abstract
Data transmission faces a looming threat from Harvest Now, Decrypt Later (HNDL) attacks, where encrypted data is collected and stored with the intention of decrypting it in the future using advancements in computing or quantum technologies.Cyware
October 17, 2023 – Vulnerabilities
Warning: Unpatched Cisco Zero-Day Vulnerability Actively Targeted in the Wild Full Text
Abstract
Cisco has warned of a critical, unpatched security flaw impacting IOS XE software that's under active exploitation in the wild. Rooted in the web UI feature, the zero-day vulnerability is tracked as CVE-2023-20198 and has been assigned the maximum severity rating of 10.0 on the CVSS scoring system. It's worth pointing out that the shortcoming only affects enterprise networking gear that has the Web UI feature enabled and when it's exposed to the internet or to untrusted networks. "This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access ," Cisco said in a Monday advisory. "The attacker can then use that account to gain control of the affected system." The problem impacts both physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS server feature enabled. As a mitigation, it's recommended to disable the HTTP server feature on internet-facing systems. The networkThe Hacker News
October 17, 2023 – General
Stronger Ransomware Protection Finally Pays Off Full Text
Abstract
A recent survey by Hornetsecurity reveals that 60% of companies are highly concerned about ransomware attacks, highlighting the urgency for robust protection measures and the active involvement of leadership in preventing such incidents.Cyware
October 16, 2023 – Vulnerabilities
Dozens of Squid Proxy Vulnerabilities Remain Unpatched Two Years After Disclosure Full Text
Abstract
Dozens of vulnerabilities in the Squid caching and forwarding web proxy, a widely used open-source proxy, remain unpatched two years after being discovered by researcher Joshua Rogers.Cyware
October 16, 2023 – Attack
Pro-Russian Hackers Exploiting Recent WinRAR Vulnerability in New Campaign Full Text
Abstract
Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems. "The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 and traced as CVE-2023-38831," Cluster25 said in a report published last week. The archive contains a booby-trapped PDF file that, when clicked, causes a Windows Batch script to be executed, which launches PowerShell commands to open a reverse shell that gives the attacker remote access to the targeted host. Also deployed is a PowerShell script that steals data, including login credentials, from the Google Chrome and Microsoft Edge browsers. The captured information is exfiltrated via a legitimate web service webhook[.]site. CVE-2023-38831 refers to a high-severity flaw in WinRAR that allows atThe Hacker News
October 16, 2023 – Policy and Law
EPA Withdraws Water Sector Cybersecurity Rules Due to Lawsuits Full Text
Abstract
The US EPA has withdrawn cybersecurity rules for public water systems due to lawsuits filed by states and non-profit water associations, citing concerns about financial burden and cybersecurity vulnerabilities.Cyware
October 16, 2023 – Malware
SpyNote: Beware of This Android Trojan that Records Audio and Phone Calls Full Text
Abstract
The Android banking trojan known as SpyNote has been dissected to reveal its diverse information-gathering features. Typically spread via SMS phishing campaigns, attack chains involving the spyware trick potential victims into installing the app by clicking on the embedded link, according to F-Secure. Besides requesting invasive permissions to access call logs, camera, SMS messages, and external storage, SpyNote is known for hiding its presence from the Android home screen and the Recents screen in a bid to evade detection. "The SpyNote malware app can be launched via an external trigger," F-Secure researcher Amit Tambe said in an analysis published last week. "Upon receiving the intent, the malware app launches the main activity." But most importantly, it seeks accessibility permissions, subsequently leveraging them to grant itself additional permissions to record audio and phone calls, log keystrokes, as well as capture screenshots oThe Hacker News
October 16, 2023 – Vulnerabilities
Milesight Industrial Router Vulnerability Possibly Exploited in Attacks Full Text
Abstract
The vulnerability exposes system log files containing passwords, which can be used by attackers to gain unauthorized access. Security firm VulnCheck discovered evidence of small-scale exploitation of the vulnerability.Cyware
October 16, 2023 – General
The Fast Evolution of SaaS Security from 2020 to 2024 (Told Through Video) Full Text
Abstract
SaaS Security's roots are in configuration management. An astounding 35% of all security breaches begin with security settings that were misconfigured. In the past 3 years, the initial access vectors to SaaS data have widened beyond misconfiguration management. " SaaS Security on Tap " is a new video series that takes place in Eliana V's bar making sure that the only thing that leaks is beer (maximum), and not SaaS data. This series takes a look at the key concepts within SaaS security and educates organizations on what new threat vectors need to be addressed. The Annual SaaS Security Survey Report: 2024 Plans and Priorities With the increase in SaaS application use, it's no surprise that incidents are up. The SaaS Security on Tap series covers this year's SaaS Security report which found that 55% of organizations have experienced a SaaS security incident within the last two years, including data leaks, data breaches, ransomware attacks, and malicious applications. The reportThe Hacker News
October 16, 2023 – Criminals
Update: LockBit Ransomware Gang Demanded an $80 Million Ransom From CDW Full Text
Abstract
The ransomware group demanded an $80 million ransom, but CDW only offered $1 million. CDW states that the affected servers are isolated and not customer-facing, and its systems remain fully operational.Cyware
October 16, 2023 – Vulnerabilities
Signal Debunks Zero-Day Vulnerability Reports, Finds No Evidence Full Text
Abstract
Encrypted messaging app Signal has pushed back against "viral reports" of an alleged zero-day flaw in its software, stating it found no evidence to support the claim. "After responsible investigation *we have no evidence that suggests this vulnerability is real* nor has any additional info been shared via our official reporting channels," it said in a series of messages posted on X (formerly Twitter). Signal said it also checked with the U.S. government and that it found no information to suggest "this is a valid claim." It's also urging those with legitimate information to send reports to security@signal[.]org. The development comes as reports circulated over the weekend about a zero-day vulnerability in Signal that could be exploited to gain complete access to a targeted mobile device. As a security precaution, it's been advised to turn off link previews in the app. The feature can be disabled by going to Signal Settings > ChatsThe Hacker News
October 16, 2023 – Breach
Decathlon Data Leak Exposes Personal Information of 8,000 Employees on Dark Web Full Text
Abstract
The leaked data also included information from Bluenove, a technology and consulting firm, suggesting a broader cyberattack targeting multiple organizations. Neither Decathlon nor Bluenove has issued an official statement regarding the data leak.Cyware
October 16, 2023 – Attack
Binance’s Smart Chain Exploited in New ‘EtherHiding’ Malware Campaign Full Text
Abstract
Threat actors have been observed serving malicious code by utilizing Binance's Smart Chain (BSC) contracts in what has been described as the "next level of bulletproof hosting." The campaign, detected two months ago, has been codenamed EtherHiding by Guardio Labs. The novel twist marks the latest iteration in an ongoing malware campaign that leverages compromised WordPress sites to serve unsuspecting visitors a fake warning to update their browsers before the sites can be accessed, ultimately leading to the deployment of information stealer malware such as Amadey, Lumma, or RedLine. "While their initial method of hosting code on abused Cloudflare Worker hosts was taken down, they've quickly pivoted to take advantage of the decentralized, anonymous, and public nature of blockchain," security researchers Nati Tal and Oleg Zaytsev said. "This campaign is up and harder than ever to detect and take down." It's no surprise that threat actThe Hacker News
October 16, 2023 – Criminals
ALPHV Gang Stole 5TB of Data From Illinois’ Morrison Community Hospital Full Text
Abstract
The group claims to have stolen 5TB of patients' and employees' information, backups, PII documents, and more. The gang also published a sample as proof of the stolen data.Cyware
October 16, 2023 – Breach
BlackCat Allegedly Stole 5TB Data From Major ATM Solutions Provider Full Text
Abstract
The ALPHV ransomware group has claimed to have attacked QSI Inc., a major ITM and ATM solutions provider that works with NCR Corporation. The cyberattack could potentially expose sensitive data from various sectors.Cyware
October 14, 2023 – Phishing
Voice Phishing Campaigns Using Access Keys Full Text
Abstract
The phishing attack starts with an HTML file disguised as a voice message, which leads to the download of a file hosted on a disguised AWS URL. The attackers initially impersonate Zoom but later switch to spoofing Outlook and Teams login pages.Cyware
October 14, 2023 – Solution
Microsoft to Phase Out NTLM in Favor of Kerberos for Stronger Authentication Full Text
Abstract
Microsoft has announced that it plans to eliminate NT LAN Manager (NTLM) in Windows 11 in the future, as it pivots to alternative methods for authentication and bolsters security. "The focus is on strengthening the Kerberos authentication protocol, which has been the default since 2000, and reducing reliance on NT LAN Manager (NTLM)," the tech giant said. "New features for Windows 11 include Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC) for Kerberos." IAKerb enables clients to authenticate with Kerberos across a diverse range of network topologies. The second feature, a local Key Distribution Center (KDC) for Kerberos, extends Kerberos support to local accounts. First introduced in the 1990s, NTLM is a suite of security protocols intended to provide authentication, integrity, and confidentiality to users. It is a single sign-on (SSO) tool that relies on a challenge-response protocol that provesThe Hacker News
October 14, 2023 – Malware
“EtherHiding” — Hiding Web2 Malicious Code in Web3 Smart Contracts Full Text
Abstract
A new malware campaign called "EtherHiding" has emerged, using BSC contracts to host parts of a malicious code chain. The campaign starts by hijacking WordPress sites and tricking users into downloading fake browser updates that are actually malware.Cyware
October 13, 2023 – Attack
New PEAPOD Cyberattack Campaign Targeting Women Political Leaders Full Text
Abstract
European Union military personnel and political leaders working on gender equality initiatives have emerged as the target of a new campaign that delivers an updated version of RomCom RAT called PEAPOD. Cybersecurity firm Trend Micro attributed the attacks to a threat actor it tracks under the name Void Rabisu, which is also known as Storm-0978, Tropical Scorpius, and UNC2596, and is also believed to be associated with Cuba ransomware. The adversarial collective is something of an unusual group in that it conducts both financially motivated and espionage attacks, blurring the line between the two modes of operation. It's also exclusively linked to the use of RomCom RAT. Attacks involving the use of the backdoor have singled out Ukraine and countries that support Ukraine in its war against Russia over the past year. Earlier this July, Microsoft implicated Void Rabisu in the exploitation of CVE-2023-36884, a remote code execution flaw in Office and Windows HTML, by using speThe Hacker News
October 13, 2023 – Vulnerabilities
Juniper Networks Patches Over 30 Vulnerabilities in Junos OS Full Text
Abstract
Six high-severity vulnerabilities, including five that can be exploited remotely, have been addressed by the patches, which could potentially lead to denial of service (DoS) attacks.Cyware
October 13, 2023 – APT
Researchers Unveil ToddyCat’s New Set of Tools for Data Exfiltration Full Text
Abstract
The advanced persistent threat (APT) actor known as ToddyCat has been linked to a new set of malicious tools that are designed for data exfiltration, offering a deeper insight into the hacking crew's tactics and capabilities. The findings come from Kaspersky, which first shed light on the adversary last year, linking it to attacks against high-profile entities in Europe and Asia for nearly three years. While the group's arsenal prominently features Ninja Trojan and a backdoor called Samurai, further investigation has uncovered a whole new set of malicious software developed and maintained by the actor to achieve persistence, conduct file operations, and load additional payloads at runtime. This comprises a collection of loaders that come with capabilities to launch the Ninja Trojan as a second stage, a tool called LoFiSe to find and collect files of interest, a DropBox uploader to save stolen data to Dropbox, and Pcexter to exfiltrate archive files to Microsoft OneDrThe Hacker News
October 13, 2023 – Government
CISA Now Flagging Vulnerabilities, Misconfigurations Exploited by Ransomware Full Text
Abstract
Through its Ransomware Vulnerability Warning Pilot (RVWP) program, CISA has released two new resources to help identify and fix vulnerabilities exploited by ransomware groups.Cyware
October 13, 2023 – General
Ransomware Attacks Double: Are Companies Prepared for 2024’s Cyber Threats? Full Text
Abstract
Ransomware attacks have only increased in sophistication and capabilities over the past year. From new evasion and anti-analysis techniques to stealthier variants coded in new languages, ransomware groups have adapted their tactics to effectively bypass common defense strategies. Cyble, a renowned cyber threat intelligence company recognized for its research and findings, recently released its Q3 Ransomware Report. This article delves into the significant developments from the third quarter of 2023, as detailed in the Q3 Ransomware Report, and offers predictions for upcoming quarters. The primary objective is to provide a comprehensive recap of the major targets, both sector-wise and by nation and region. Additionally, the article will highlight new techniques used, emphasizing major incidents and developments that potential targets should be aware of. We will also discuss anticipated trends in the future evolution of ransomware. The increased weaponization of vulnerabilities toThe Hacker News
October 13, 2023 – Business
Conveyor Raises $12.5m to Automate Security Reviews Using LLMs Full Text
Abstract
Conveyor, a startup using large language models (LLMs) like OpenAI's ChatGPT, has raised $12.5 million in funding led by Cervin Ventures to automate the security review response process for companies.Cyware
October 13, 2023 – Malware
DarkGate Malware Spreading via Messaging Services Posing as PDF Files Full Text
Abstract
A piece of malware known as DarkGate has been observed being spread via instant messaging platforms such as Skype and Microsoft Teams. In these attacks, the messaging apps are used to deliver a Visual Basic for Applications (VBA) loader script that masquerades as a PDF document, which, when opened, triggers the download and execution of an AutoIt script designed to launch the malware. "It's unclear how the originating accounts of the instant messaging applications were compromised, however it is hypothesized to be either through leaked credentials available through underground forums or the previous compromise of the parent organization," Trend Micro said in a new analysis published Thursday. DarkGate, first documented by Fortinet in November 2018, is a commodity malware that incorporates a wide range of features to harvest sensitive data from web browsers, conduct cryptocurrency mining, and allow its operators to remotely control the infected hosts. It alsoThe Hacker News
October 13, 2023 – Vulnerabilities
Indian State Government Fixes Website Bug That Revealed Aadhaar Numbers and Fingerprints Full Text
Abstract
The website bug allowed unauthorized access to land deed records by guessing sequential application numbers, highlighting the lack of robust security measures on the website.Cyware
October 13, 2023 – Government
FBI, CISA Warn of Rising AvosLocker Ransomware Attacks Against Critical Infrastructure Full Text
Abstract
The AvosLocker ransomware gang has been linked to attacks against critical infrastructure sectors in the U.S., with some of them detected as recently as May 2023. That's according to a new joint cybersecurity advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) detailing the ransomware-as-a-service (RaaS) operation's tactics, techniques, and procedures (TTPs). "AvosLocker affiliates compromise organizations' networks by using legitimate software and open-source remote system administration tools," the agencies said. "AvosLocker affiliates then use exfiltration-based data extortion tactics with threats of leaking and/or publishing stolen data." The ransomware strain first emerged on the scene in mid-2021, and has since leveraged sophisticated techniques to disable antivirus protection as a detection evasion measure. It affects Windows, Linux, and VMware ESXi environmentThe Hacker News
October 13, 2023 – Attack
Void Rabisu Targets Female Political Leaders with New Slimmed-Down ROMCOM Variant Full Text
Abstract
Void Rabisu employs various tactics, such as signing malware with bought certificates, using malicious advertisements, and exploiting vulnerabilities, including zero-day vulnerabilities.Cyware
October 13, 2023 – Government
State’s Cyber Overhaul Bets Big on Zero Trust to Tackle Emerging Threats Full Text
Abstract
The State Department has undergone a significant cybersecurity overhaul, prioritizing a zero-trust security architecture and implementing key performance indicators and guidance from various federal agencies.Cyware
October 12, 2023 – Phishing
Phishing Campaigns Affecting Italy Witness a Surge Full Text
Abstract
The Italian Postal Police and CERT-AgID have recently reported numerous phishing campaigns impersonating popular brands such as Poste Italiane, Intesa Sanpaolo, and Zimbra.Cyware
October 12, 2023 – Malware
Malicious NuGet Package Targeting .NET Developers with SeroXen RAT Full Text
Abstract
A malicious package hosted on the NuGet package manager for the .NET Framework has been found to deliver a remote access trojan called SeroXen RAT. The package, named Pathoschild.Stardew.Mod.Build.Config and published by a user named Disti, is a typosquat of a legitimate package called Pathoschild.Stardew.ModBuildConfig, software supply chain security firm Phylum said in a report today. While the real package has received nearly 79,000 downloads to date, the malicious variant is said to have artificially inflated its download count after being published on October 6, 2023, to surpass 100,000 downloads. The profile behind the package has published six other packages that have attracted no less than 2.1 million downloads cumulatively, four of which masquerade as libraries for various crypto services like Kraken, KuCoin, Solana, and Monero, but are also designed to deploy SeroXen RAT. The attack chain is initiated during installation of the package by means of a tools/init.ps1The Hacker News
October 12, 2023 – Business
SYN Ventures Announces $75 Million Seed Fund for US Cybersecurity Firms Full Text
Abstract
The venture capital firm, led by former Fortune 500 CISOs and security executives, plans to focus on the seed stage to help early-stage companies develop next-generation cyber solutions and find product-market fit faster.Cyware
October 12, 2023 – Botnet
ShellBot Uses Hex IPs to Evade Detection in Attacks on Linux SSH Servers Full Text
Abstract
The threat actors behind ShellBot are leveraging IP addresses transformed into their hexadecimal notation to infiltrate poorly managed Linux SSH servers and deploy the DDoS malware. "The overall flow remains the same, but the download URL used by the threat actor to install ShellBot has changed from a regular IP address to a hexadecimal value," the AhnLab Security Emergency response Center (ASEC) said in a new report published today. ShellBot, also known by the name PerlBot, is known to breach servers that have weak SSH credentials by means of a dictionary attack, with the malware used as a conduit to stage DDoS attacks and deliver cryptocurrency miners. Developed in Perl, the malware uses the IRC protocol to communicate with a command-and-control (C2) server. The latest set of observed attacks involving ShellBot has been found to install the malware using hexadecimal IP addresses – hxxp://0x2763da4e/, which corresponds to 39.99.218[.]78 – in what's seen as an attThe Hacker News
October 12, 2023 – Malware
Researchers Discover SeroXen RAT in Typosquatted NuGet Package Full Text
Abstract
The package contains a malicious install script that executes covertly during installation, downloading an obfuscated batch script that ultimately constructs and executes a PowerShell script.Cyware
October 12, 2023 – Education
How to Guard Your Data from Exposure in ChatGPT Full Text
Abstract
ChatGPT has transformed the way businesses generate textual content, which can potentially result in a quantum leap in productivity. However, Generative AI innovation also introduces a new dimension of data exposure risk, when employees inadvertently type or paste sensitive business data into ChatGPT or similar applications. DLP solutions, the go-to solution for similar challenges, are ill-equipped to handle these challenges, since they focus on file-based data protection. A new report by LayerX, "Browser Security Platform: Guard your Data from Exposure in ChatGPT", sheds light on the challenges and risks of ungoverned ChatGPT usage. It paints a comprehensive picture of the potential hazards for businesses and then offers a potential solution: browser security platforms. Such platforms provide real-time monitoring and governance over web sessions, effectively safeguarding sensitive data. ChatGPT Data Exposure: By the Numbers Employee usage of GenAI apps has surgeThe Hacker News
October 12, 2023 – General
R2R Stomping – Are You Ready to Run? Full Text
Abstract
ReadyToRun (R2R) stomping is a new method that allows for hidden implanted code in .NET binaries, altering the original intermediate language (IL) code and prioritizing pre-compiled native code for execution.Cyware
October 12, 2023 – Attack
Microsoft Defender Thwarts Large-Scale Akira Ransomware Attack Full Text
Abstract
Microsoft on Wednesday said that a user containment feature in Microsoft Defender for Endpoint helped thwart a "large-scale remote encryption attempt" made by Akira ransomware actors targeting an unknown industrial organization in early June 2023. The tech giant's threat intelligence team is tracking the operator as Storm-1567. The attack leveraged devices that were not onboarded to Microsoft Defender for Endpoint as a defense evasion tactic, while also conducting a series of reconnaissance and lateral movement activities prior to encrypting the devices using a compromised user account. But the new automatic attack disruption capability meant that the breached accounts are prevented from "accessing endpoints and other resources in the network, limiting attackers' ability to move laterally regardless of the account's Active Directory state or privilege level." In other words, the idea is to cut off all inbound and outbound communication and prohThe Hacker News
October 12, 2023 – General
Most CISOs Confront Ransomware — and Pay Ransoms Full Text
Abstract
According to a survey by Splunk, 9 out of 10 CISOs reported experiencing a major cyberattack in the past year, with almost half stating that their organizations were hit by multiple disruptive cyberattacks.Cyware
October 12, 2023 – Malware
Researchers Uncover Malware Posing as WordPress Caching Plugin Full Text
Abstract
Cybersecurity researchers have shed light on a new sophisticated strain of malware that masquerades as a WordPress plugin to stealthily create administrator accounts and remotely control a compromised site. "Complete with a professional looking opening comment implying it is a caching plugin, this rogue code contains numerous functions, adds filters to prevent itself from being included in the list of activated plugins, and has pinging functionality that allows a malicious actor to check if the script is still operational, as well as file modification capabilities," Wordfence said. The plugin also offers the ability to activate and deactivate arbitrary plugins on the site remotely as well as create rogue admin accounts with the username superadmin and a hard-coded password. In what's seen as an attempt to erase traces of compromise, it features a function named "_pln_cmd_hide" that's designed to remove the superadmin account when it's no longer requirThe Hacker News
October 12, 2023 – Vulnerabilities
Critical SOCKS5 Vulnerability in cURL Puts Enterprise Systems at Risk Full Text
Abstract
Organizations using cURL and libcurl are urged to apply the patches in cURL 8.4.0 to mitigate the vulnerability that potentially impacts all software projects relying on libcurl.Cyware
October 12, 2023
Researchers Uncover Ongoing Attacks Targeting Asian Governments and Telecom Giants Full Text
Abstract
High-profile government and telecom entities in Asia have been targeted as part of an ongoing campaign since 2021 that's designed to deploy basic backdoors and loaders for delivering next-stage malware. Cybersecurity company Check Point is tracking the activity under the name Stayin' Alive. Targets include organizations located in Vietnam, Uzbekistan, Pakistan, and Kazakhstan. "The simplistic nature of the tools [...] and their wide variation suggests they are disposable, mostly utilized to download and run additional payloads," it said in a report published Wednesday. "These tools share no clear code overlaps with products created by any known actors and do not have much in common with each other." What's notable about the campaign is that the infrastructure shares overlaps with that used by ToddyCat, a China-linked threat actor known for orchestrating cyber assaults against government and military agencies in Europe and Asia since at leastThe Hacker News
October 12, 2023 – Vulnerabilities
Two High-Risk Security Flaws Discovered in Curl Library - New Patches Released Full Text
Abstract
Patches have been released for two security flaws impacting the Curl data transfer library, the most severe of which could potentially result in code execution. The list of vulnerabilities is as follows: CVE-2023-38545 (CVSS score: 7.5), a SOCKS5 heap-based buffer overflow vulnerability; and CVE-2023-38546 (CVSS score: 5.0), cookie injection with none file. CVE-2023-38545 is the more severe of the two, and has been described by the project's lead developer, Daniel Stenberg, as "probably the worst Curl security flaw in a long time." It affects libcurl versions 7.69.0 to and including 8.3.0. "This flaw makes Curl overflow a heap-based buffer in the SOCKS5 proxy handshake," the maintainers said in an advisory. "When Curl is asked to pass along the hostname to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by Curl itself, the maximum length that hostname can be is 255 bytes." "If the hostname is detectedThe Hacker News
October 11, 2023 – Botnet
IZ1H9 Mirai-Based Botnet Enhances its Arsenal with 13 New Exploits Full Text
Abstract
FortiGuard Labs found that the IZ1H9 Mirai-based DDoS botnet campaign has strengthened its arsenal with 13 exploits for D-Link devices, Netis wireless routers, TOTOLINK routers, Zyxel devices, and others. As the botnet expands its arsenal with new exploit triggers, it underscores the importance of ... Read MoreCyware
October 11, 2023 – Breach
Over 17,000 WordPress Sites Compromised by Balada Injector in September 2023 Full Text
Abstract
More than 17,000 WordPress websites have been compromised in the month of September 2023 with malware known as Balada Injector, nearly twice the number of detections in August. Of these, 9,000 of the websites are said to have been infiltrated using a recently disclosed security flaw in the tagDiv Composer plugin (CVE-2023-3169, CVSS score: 6.1) that could be exploited by unauthenticated users to perform stored cross-site scripting (XSS) attacks. "This is not the first time that the Balada Injector gang has targeted vulnerabilities in tagDiv's premium themes," Sucuri security researcher Denis Sinegubko said. "One of the earliest massive malware injections that we could attribute to this campaign took place during the summer of 2017, where disclosed security bugs in Newspaper and Newsmag WordPress themes were actively abused." Balada Injector is a large-scale operation first discovered by Doctor Web in December 2022, wherein the threat actors expThe Hacker News
October 11, 2023 – Outage
Both Pro-Israeli and Pro-Palestinian Hacktivists Have Joined the Fight and are Targeting ICS and SCADA Systems Full Text
Abstract
The "Five Families" of hacktivist gangs, including ThreatSec, GhostSec, Stormous, Blackforums, and SiegedSec, are collaborating to launch large-scale cyberattacks, causing disruptions and chaos.Cyware
October 11, 2023 – Government
U.S. Cybersecurity Agency Warns of Actively Exploited Adobe Acrobat Reader Vulnerability Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a high-severity flaw in Adobe Acrobat Reader to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2023-21608 (CVSS score: 7.8), the vulnerability has been described as a use-after-free bug that can be exploited to achieve remote code execution (RCE) with the privileges of the current user. A patch for the flaw was released by Adobe in January 2023. HackSys security researchers Ashfaq Ansari and Krishnakant Patil were credited with discovering and reporting the flaw. The following versions of the software are impacted: Acrobat DC 22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions (fixed in 22.003.20310); Acrobat Reader DC 22.003.20282 (Win), 22.003.20281 (Mac) and earlier versions (fixed in 22.003.20310); Acrobat 2020 20.005.30418 and earlier versions (fixed in 20.005.30436); Acrobat Reader 2020 20.005.30418 and earlThe Hacker News
October 11, 2023 – Privacy
TikTok Chief Summoned by EU Lawmakers for Privacy Probe Full Text
Abstract
The letter from the lawmakers follows a recent fine of 345 million euros (~$366 million) imposed on TikTok by the Irish Data Protection Commissioner for failing to adequately protect children's privacy.Cyware
October 11, 2023 – Education
Take an Offensive Approach to Password Security by Continuously Monitoring for Breached Passwords Full Text
Abstract
Passwords are at the core of securing access to an organization's data. However, they also come with security vulnerabilities that stem from their inconvenience. With a growing list of credentials to keep track of, the average end-user can default to shortcuts. Instead of creating a strong and unique password for each account, they resort to easy-to-remember passwords, or use the same password for every account and application. Password reuse is both common and risky. 65% of users admit to reusing their credentials across multiple sites. Another analysis of identity exposures among employees of Fortune 1000 companies found a 64% password reuse rate for exposed credentials. Pair these findings with the fact that a vast majority (80%) of all data breaches are sourced from lost or stolen passwords, and we have a serious problem. In short, a breached password from one system can be used to compromise another. So, what does this all mean for your organization? The real risk oThe Hacker News
October 11, 2023 – General
Cybersecurity Pros Predict Rise of Malicious AI Full Text
Abstract
A recent survey conducted by Enea reveals that 76% of cybersecurity professionals believe that malicious AI, capable of bypassing most cybersecurity measures, is a looming threat.Cyware
October 11, 2023 – Vulnerabilities
Microsoft Releases October 2023 Patches for 103 Flaws, Including 2 Active Exploits Full Text
Abstract
Microsoft has released its Patch Tuesday updates for October 2023, addressing a total of 103 flaws in its software, two of which have come under active exploitation in the wild. Of the 103 flaws, 13 are rated Critical and 90 are rated Important in severity. This is apart from 18 security vulnerabilities addressed in its Chromium-based Edge browser since the second Tuesday of September. The two vulnerabilities that have been weaponized as zero-days are as follows: CVE-2023-36563 (CVSS score: 6.5), an information disclosure vulnerability in Microsoft WordPad that could result in the leak of NTLM hashes; and CVE-2023-41763 (CVSS score: 5.3), a privilege escalation vulnerability in Skype for Business that could lead to exposure of sensitive information such as IP addresses or port numbers (or both), enabling threat actors to gain access to internal networks. "To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specialThe Hacker News
October 11, 2023 – Vulnerabilities
Chrome 118 Patches 20 Vulnerabilities Full Text
Abstract
Google has released Chrome 118 with fixes for 20 vulnerabilities, including a critical bug in Site Isolation that could allow for sandbox escape and arbitrary code execution.Cyware
October 11, 2023 – Vulnerabilities
Microsoft Warns of Nation-State Hackers Exploiting Critical Atlassian Confluence Vulnerability Full Text
Abstract
Microsoft has linked the exploitation of a recently disclosed critical flaw in Atlassian Confluence Data Center and Server to a nation-state actor it tracks as Storm-0062 (aka DarkShadow or Oro0lxy). The tech giant's threat intelligence team said it observed in-the-wild abuse of the vulnerability since September 14, 2023. "CVE-2023-22515 is a critical privilege escalation vulnerability in Atlassian Confluence Data Center and Server," the company noted in a series of posts on X (formerly Twitter). "Any device with a network connection to a vulnerable application can exploit CVE-2023-22515 to create a Confluence administrator account within the application." CVE-2023-22515, rated 10.0 on the CVSS severity rating system, allows remote attackers to create unauthorized Confluence administrator accounts and access Confluence servers. The flaw has been addressed in the following versions: 8.3.3 or later, 8.4.3 or later, and 8.5.2 (Long Term Support relThe Hacker News
October 11, 2023 – APT
A New Threat on the Horizon: The Grayling APT Group Full Text
Abstract
Symantec found a previously unidentified threat actor named Grayling conducting advanced persistent attacks targeting organizations in Taiwan, the Pacific Islands, Vietnam, and the U.S., with a focus on intelligence gathering. Grayling's modus operandi seems to revolve around exploiting public infr ... Read MoreCyware
October 11, 2023 – Policy and Law
Crunchyroll Resolves Class Action Lawsuit, Offers Compensation for Subscribers Full Text
Abstract
The lawsuit alleged that Crunchyroll had disclosed subscribers' personal information to third parties without proper consent. Initially denying the allegations, Crunchyroll ultimately chose to settle to avoid expenses and uncertainties.Cyware
October 11, 2023 – General
Old-School Attacks are Still a Danger, Despite Newer Techniques Full Text
Abstract
Automation and AI are being used by cybercriminals to enhance the speed and effectiveness of attacks, particularly in areas like money laundering and credential stuffing.Cyware
October 11, 2023 – Breach
Seven New Organizations Listed as Victims by PLAY Ransomware Full Text
Abstract
The victims include Hughes Gill Cochrane Tinetti, Saltire Energy, Centek Industries, NachtExpress Austria, WCM Europe, Starr Finley, and an unknown firm. These attacks are part of a wider scheme by the threat actor, targeting major firms globally.Cyware
October 10, 2023 – Attack
IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits Full Text
Abstract
The campaign leverages multiple vulnerabilities, including command injection, remote code execution, and arbitrary command execution, to gain control of targeted devices and incorporate them into the botnet.Cyware
October 10, 2023 – Denial Of Service
HTTP/2 Rapid Reset Zero-Day Vulnerability Exploited to Launch Record DDoS Attacks Full Text
Abstract
Amazon Web Services (AWS), Cloudflare, and Google on Tuesday said they took steps to mitigate record-breaking distributed denial-of-service (DDoS) attacks that relied on a novel technique called HTTP/2 Rapid Reset. The layer 7 attacks were detected in late August 2023, the companies said in a coordinated disclosure. The cumulative susceptibility to this attack is being tracked as CVE-2023-44487, and carries a CVSS score of 7.5 out of a maximum of 10. While the attacks aimed at Google's cloud infrastructure peaked at 398 million requests per second (RPS), the ones aimed at AWS and Cloudflare exceeded a volume of 155 million and 201 million requests per second (RPS), respectively. HTTP/2 Rapid Reset refers to a zero-day flaw in the HTTP/2 protocol that can be exploited to carry out DDoS attacks. A significant feature of HTTP/2 is multiplexing requests over a single TCP connection, which manifests in the form of concurrent streams. What's more, a client that wants to aThe Hacker News
October 10, 2023 – APT
Previously Unseen Grayling APT Targets Multiple Organizations in Taiwan Full Text
Abstract
Grayling employs a combination of custom malware and publicly available tools like Havoc, Cobalt Strike, and NetSpy to carry out its attacks, using DLL sideloading techniques and exploiting vulnerabilities like CVE-2019-0803.Cyware
October 10, 2023
Google Adopts Passkeys as Default Sign-in Method for All Users Full Text
Abstract
Google on Tuesday announced the ability for all users to set up passkeys by default, five months after it rolled out support for the FIDO Alliance-backed passwordless standard for Google Accounts on all platforms. "This means the next time you sign in to your account, you'll start seeing prompts to create and use passkeys, simplifying your future sign-ins," Google's Sriram Karra and Christiaan Brand said. "It also means you'll see the 'skip password when possible' option toggled on in your Google Account settings." Passkeys are a new form of authentication that entirely eliminates the need for usernames and passwords, or even for any additional authentication factor. In other words, it's a passwordless login mechanism that leverages public-key cryptography to authenticate users' access to websites and apps, with the private key saved securely on the device and the public key stored on the server. Each passkey is unique andThe Hacker News
October 10, 2023 – Breach
Air Europa Customers Urged to Cancel Cards Following Hack on Payment System Full Text
Abstract
Air Europa suffered a cyberattack on its online payment system. While there is no evidence of fraudulent use, customers are warned to replace their bank cards as a precautionary measure.Cyware
October 10, 2023 – General
New Report: Child Sexual Abuse Content and Online Risks to Children on the Rise Full Text
Abstract
Certain online risks to children are on the rise, according to a recent report from Thorn, a technology nonprofit whose mission is to build technology to defend children from sexual abuse. Research shared in the Emerging Online Trends in Child Sexual Abuse 2023 report indicates that minors are increasingly taking and sharing sexual images of themselves. This activity may occur consensually or coercively, as youth also report an increase in risky online interactions with adults. "In our digitally connected world, child sexual abuse material is easily and increasingly shared on the platforms we use in our daily lives," said John Starr, VP of Strategic Impact at Thorn. "Harmful interactions between youth and adults are not isolated to the dark corners of the web. As fast as the digital community builds innovative platforms, predators are co-opting these spaces to exploit children and share this egregious content." These trends and others shared in the Emerging OThe Hacker News
October 10, 2023 – Business
Gutsy Launches With Huge $51M Seed to Bring Process Mining to Security Full Text
Abstract
Gutsy, a cybersecurity startup founded by the team behind Twistlock, has emerged from stealth with a $51 million seed round led by YL Ventures and Mayfield. The company applies process mining, a data science technique, to cybersecurity.Cyware
October 10, 2023 – APT
Researchers Uncover Grayling APT’s Ongoing Attack Campaign Across Industries Full Text
Abstract
A previously undocumented threat actor of unknown provenance has been linked to a number of attacks targeting organizations in the manufacturing, IT, and biomedical sectors in Taiwan. The Symantec Threat Hunter Team, part of Broadcom, attributed the attacks to an advanced persistent threat (APT) it tracks under the name Grayling. Evidence shows that the campaign began in February 2023 and continued until at least May 2023. Also likely targeted as part of the activity is a government agency located in the Pacific Islands, as well as entities in Vietnam and the U.S. "This activity stood out due to the use by Grayling of a distinctive DLL side-loading technique that uses a custom decryptor to deploy payloads," the company said in a report shared with The Hacker News. "The motivation driving this activity appears to be intelligence gathering." The initial foothold to victim environments is said to have been achieved by exploiting public-facing infrastructure,The Hacker News
October 10, 2023 – Breach
Payment Gateway Provider Safexpay Technology Allegedly Hacked in a Nearly $2 Billion Scam Full Text
Abstract
As per the investigations, the ongoing fraud came to light after a complaint that some individuals had allegedly hacked into the six-year-old firm's payment gateway, and the funds were then transferred to at least 260 different bank accounts.Cyware
October 10, 2023 – Attack
New Magecart Campaign Alters 404 Error Pages to Steal Shoppers’ Credit Cards Full Text
Abstract
A sophisticated Magecart campaign has been observed manipulating websites' default 404 error page to conceal malicious code in what's been described as the latest evolution of the attacks. The activity, per Akamai, targets Magento and WooCommerce websites, with some of the victims belonging to large organizations in the food and retail industries. "In this campaign, all the victim websites we detected were directly exploited, as the malicious code snippet was injected into one of their first-party resources," Akamai security researcher Roman Lvovsky said in a Monday analysis. This involves inserting the code directly into the HTML pages or within one of the first-party scripts that were loaded as part of the website. The attacks are realized through a multi-stage chain, in which the loader code retrieves the main payload during runtime in order to capture the sensitive information entered by visitors on checkout pages and exfiltrate it to a remote server.The Hacker News
October 10, 2023 – Criminals
Source Code of the 2020 Variant of HelloKitty Ransomware Leaked on Cybercrime Forum Full Text
Abstract
The source code for the first version of the HelloKitty ransomware has been leaked on a Russian-speaking cybercrime forum. The threat actor, known as 'kapuchin0', claims to be developing a more powerful encryptor.Cyware
October 10, 2023 – Vulnerabilities
libcue Library Flaw Opens GNOME Linux Systems Vulnerable to RCE Attacks Full Text
Abstract
A new security flaw has been disclosed in the libcue library impacting GNOME Linux systems that could be exploited to achieve remote code execution (RCE) on affected hosts. Tracked as CVE-2023-43641 (CVSS score: 8.8), the issue is described as a case of memory corruption in libcue, a library designed for parsing cue sheet files. It impacts versions 2.2.1 and prior. libcue is incorporated into Tracker Miners, a search engine tool that's included by default in GNOME and indexes files in the system for easy access. The problem is rooted in an out-of-bounds array access in the track_set_index function that allows for achieving code execution on the machine simply by tricking a victim into clicking a malicious link and downloading a .cue file. "A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage," according to a description of the vulnerability in the National Vulnerability Database (NVD). "Because tThe Hacker News
October 10, 2023 – Breach
Update: Caesars Entertainment Says Social-Engineering Attack Behind August Breach Full Text
Abstract
Caesars Entertainment has confirmed that a social engineering attack on an outsourced IT support vendor led to a data breach, impacting tens of thousands of its customer rewards program members.Cyware
October 10, 2023 – Vulnerabilities
Citrix Devices Under Attack: NetScaler Flaw Exploited to Capture User Credentials Full Text
Abstract
A recently disclosed critical flaw in Citrix NetScaler ADC and Gateway devices is being exploited by threat actors to conduct a credential harvesting campaign. IBM X-Force, which uncovered the activity last month, said adversaries exploited "CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials." CVE-2023-3519 (CVSS score: 9.8), addressed by Citrix in July 2023, is a critical code injection vulnerability that could lead to unauthenticated remote code execution. Over the past few months, it has been heavily exploited to infiltrate vulnerable devices and gain persistent access for follow-on attacks. In the latest attack chain discovered by IBM X-Force, the operators sent a specially crafted web request to trigger the exploitation of CVE-2023-3519 and deploy a PHP-based web shell. The access afforded by the web shell is subsequently leveraged to append custThe Hacker News
October 10, 2023 – General
Poor Cybersecurity Habits are Common Among Younger Employees Full Text
Abstract
Millennial and Gen Z workers exhibit more unsafe cybersecurity habits compared to older age groups, such as using the same passwords on multiple devices and sharing work devices with family and friends.Cyware
October 09, 2023 – Botnet
PEACHPIT: Massive Ad Fraud Botnet Powered by Millions of Hacked Android and iOS Full Text
Abstract
An ad fraud botnet dubbed PEACHPIT leveraged an army of hundreds of thousands of Android and iOS devices to generate illicit profits for the threat actors behind the scheme. The botnet is part of a larger China-based operation codenamed BADBOX, which also entails selling off-brand mobile and connected TV (CTV) devices on popular online retailers and resale sites that are backdoored with an Android malware strain called Triada. "The PEACHPIT botnet's conglomerate of associated apps were found in 227 countries and territories, with an estimated peak of 121,000 devices a day on Android and 159,000 devices a day on iOS," HUMAN said. The infections are said to have been realized through a collection of 39 apps that were installed more than 15 million times. Devices fitted with the BADBOX malware allowed the operators to steal sensitive data, create residential proxy exit peers, and commit ad fraud through the bogus apps. It's currently not clear how the AndThe Hacker News
October 09, 2023 – Phishing
Cybercriminals Using EvilProxy Phishing Kit to Target Senior Executives in U.S. Firms Full Text
Abstract
Senior executives working in U.S.-based organizations are being targeted by a new phishing campaign that leverages a popular adversary-in-the-middle (AiTM) phishing toolkit named EvilProxy to conduct credential harvesting and account takeover attacks. Menlo Security said the activity started in July 2023, primarily singling out banking and financial services, insurance, property management and real estate, and manufacturing sectors. "The threat actors leveraged an open redirection vulnerability on the job search platform 'indeed.com,' redirecting victims to malicious phishing pages impersonating Microsoft," security researcher Ravisankar Ramprasad said in a report published last week. EvilProxy, first documented by Resecurity in September 2022, functions as a reverse proxy that's set up between the target and a legitimate login page to intercept credentials, two-factor authentication (2FA) codes, and session cookies to hijack accounts of interest. The thThe Hacker News
October 09, 2023 – Education
Webinar: How vCISOs Can Navigate the Complex World of AI and LLM Security Full Text
Abstract
In today's rapidly evolving technological landscape, the integration of Artificial Intelligence (AI) and Large Language Models (LLMs) has become ubiquitous across various industries. This wave of innovation promises improved efficiency and performance, but lurking beneath the surface are complex vulnerabilities and unforeseen risks that demand immediate attention from cybersecurity professionals. As the average small and medium-sized business leader or end-user is often unaware of these growing threats, it falls upon cybersecurity service providers (MSPs, MSSPs, consultants and especially vCISOs) to take a proactive stance in protecting their clients. At Cynomi, we experience the risks associated with generative AI daily, as we use these technologies internally and work with MSP and MSSP partners to enhance the services they provide to small and medium businesses. Being committed to staying ahead of the curve and empowering vCISOs to swiftly implement cutting-edge securThe Hacker News
October 7, 2023 – Outage
Rhysida Ransomware Gang Claims Attacks on Governments in Portugal, Dominican Republic Full Text
Abstract
The city of Gondomar in Portugal and the Dominican Republic's Migration Agency have been targeted by the Rhysida ransomware gang, causing disruptions in services and potential data theft.Cyware
October 7, 2023 – Vulnerabilities
Balada Injector Targets Unpatched tagDiv Plugin, Themes on WordPress Sites Full Text
Abstract
The Balada Injector gang is actively exploiting vulnerabilities in tagDiv premium themes, such as the recently disclosed Unauthenticated Stored XSS vulnerability, to inject malware into websites.Cyware
October 7, 2023 – Government
CISA Reverses Course on Malicious Exploitation of Video Conferencing Device Flaws Full Text
Abstract
The Meeting Owl vulnerabilities, discovered by researchers at Modzero, include encryption flaws, hardcoded credentials, and authentication issues, which could potentially allow attackers to take control of the device.Cyware
October 7, 2023 – Criminals
Cybercrime Gangs Now Deploying Ransomware Within 24 Hours of Hacking Victims Full Text
Abstract
The median dwell time, or the time between initial access and deployment of ransomware, has significantly decreased from 4.5 days to as little as five hours, indicating cybercriminals' desire for lower detection risk, as per a Secureworks report.Cyware
October 06, 2023 – Cryptocurrency
North Korea’s Lazarus Group Launders $900 Million in Cryptocurrency Full Text
Abstract
As much as $7 billion in cryptocurrency has been illicitly laundered through cross-chain crime, with the North Korea-linked Lazarus Group linked to the theft of roughly $900 million of those proceeds between July 2022 and July of this year. "As traditional entities such as mixers continue to be subject to seizures and sanctions scrutiny, the crypto crime displacement to chain- or asset-hopping typologies is also on the rise," blockchain analytics firm Elliptic said in a new report published this week. Cross-chain crime refers to the conversion of crypto assets from one token or blockchain to another, often in rapid succession, in an attempt to obfuscate their origin, making it a lucrative method for money laundering for crypto thefts and an alternative to Acc approaches like mixers. According to data gathered by Elliptic, the Lazarus Group's use of cross-chain bridges contributed to a majority of the 111% increase in the proportion of funds sent via such services.The Hacker News
October 06, 2023 – Attack
Chinese Hackers Target Semiconductor Firms in East Asia with Cobalt Strike Full Text
Abstract
Threat actors have been observed targeting semiconductor companies in East Asia with lures masquerading as Taiwan Semiconductor Manufacturing Company (TSMC) that are designed to deliver Cobalt Strike beacons. The intrusion set, per EclecticIQ, leverages a backdoor called HyperBro, which is then used as a conduit to deploy the commercial attack simulation software and post-exploitation toolkit. An alternate attack sequence is said to have utilized a previously undocumented malware downloader to deploy Cobalt Strike, indicating that the threat actors devised multiple approaches to infiltrate targets of interest. The Dutch cybersecurity firm attributed the campaign to a China-linked threat actor owing to the use of HyperBro, which has been almost exclusively put to use by a threat actor known as Lucky Mouse (aka APT27, Budworm, and Emissary Panda). Tactical overlaps have also been unearthed between the adversary behind the attacks and another cluster tracked by Recorded Future unThe Hacker News
October 06, 2023 – Solution
New OS Tool Tells You Who Has Access to What Data Full Text
Abstract
Ensuring sensitive data remains confidential, protected from unauthorized access, and compliant with data privacy regulations is paramount. Data breaches result in financial and reputational damage but also lead to legal consequences. Therefore, robust data access security measures are essential to safeguard an organization's assets, maintain customer trust, and meet regulatory requirements. A comprehensive Data Security Platform is essential for full visibility and control of sensitive data. One example is Satori's Universal Data Permissions Scanner (UDPS), an open-source authorization analysis tool. UDPS, available on GitHub, enables universal visibility into data access permissions across various data stores. With this tool, it's easier to identify who has the potential to access sensitive data, which can help organizations take a proactive approach to enhancing their security posture, streamline compliance, and ensure well-governed data access. Understanding the Need for UThe Hacker News
October 06, 2023 – Solution
GitHub’s Secret Scanning Feature Now Covers AWS, Microsoft, Google, and Slack Full Text
Abstract
GitHub has announced an improvement to its secret scanning feature that extends validity checks to popular services such as Amazon Web Services (AWS), Microsoft, Google, and Slack. Validity checks, introduced by the Microsoft subsidiary earlier this year, alert users whether exposed tokens found by secret scanning are active, thereby allowing for effective remediation measures. It was first enabled for GitHub tokens. The cloud-based code hosting and version control service said it intends to support more tokens in the future. To toggle the setting, enterprise or organization owners and repository administrators can head to Settings > Code security and analysis > Secret scanning and check the option "Automatically verify if a secret is valid by sending it to the relevant partner." Earlier this year, GitHub also expanded secret scanning alerts for all public repositories and announced the availability of push protection to help developers and maintainers prThe Hacker News
October 6, 2023 – Breach
Data of 900 Hongkongers Exposed in Hacking Attack Against WhatsApp Accounts Full Text
Abstract
The data breach involved impersonation tactics and phishing traps on instant messaging platforms, highlighting the importance of verifying URLs and avoiding unknown sources.Cyware
October 06, 2023 – Vulnerabilities
Supermicro’s BMC Firmware Found Vulnerable to Multiple Critical Vulnerabilities Full Text
Abstract
Multiple security vulnerabilities have been disclosed in the Intelligent Platform Management Interface (IPMI) firmware for Supermicro baseboard management controllers (BMCs) that could result in privilege escalation and execution of malicious code on affected systems. The seven flaws, tracked from CVE-2023-40284 through CVE-2023-40290, vary in severity from High to Critical, according to Binarly, enabling unauthenticated actors to gain root access to the BMC system. Supermicro has shipped a BMC firmware update to patch the bugs. BMCs are special processors on server motherboards that support remote management, enabling administrators to monitor hardware indicators such as temperature, set fan speed, and update the UEFI system firmware. What's more, BMC chips remain operational even if the host operating system is offline, making them lucrative attack vectors to deploy persistent malware. A brief explainer of each of the vulnerabilities is below - CVE-2023-40284, CVE-20The Hacker News
October 6, 2023 – Outage
Florida Court Pauses Many Proceedings Following Cyberattack Full Text
Abstract
The attack highlights the ongoing vulnerability of courts in the US to various types of cyber threats, including ransomware campaigns, data leaks, and distributed denial-of-service attacks.Cyware
October 6, 2023 – Breach
DNA Testing Service 23andMe Investigating Theft of User Data Full Text
Abstract
The data obtained by the attacker may include personal information, genetic ancestry results, and potential relatives' details of 23andMe customers who opted-in to the "DNA Relatives" service.Cyware
October 5, 2023 – Attack
PLAY Ransomware Group Added Six New Organizations to its Victim List Full Text
Abstract
The organizations targeted by PLAY include Roof Management, Security Instrument Corp, Filtration Control Ltd, Cinépolis Cinemas, CHARMANT Group, and Stavanger Municipality.Cyware
October 05, 2023 – Criminals
QakBot Threat Actors Still in Action, Using Ransom Knight and Remcos RAT in Latest Attacks Full Text
Abstract
Despite the disruption to its infrastructure, the threat actors behind the QakBot malware have been linked to an ongoing phishing campaign since early August 2023 that led to the delivery of Ransom Knight (aka Cyclops) ransomware and Remcos RAT. This indicates that "the law enforcement operation may not have impacted Qakbot operators' spam delivery infrastructure but rather only their command-and-control (C2) servers," Cisco Talos researcher Guilherme Venere said in a new report published today. The activity has been attributed with moderate confidence by the cybersecurity firm to QakBot affiliates. There is no evidence to date that the threat actors have resumed distributing the malware loader itself post-infrastructure takedown. QakBot, also called QBot and Pinkslipbot, originated as a Windows-based banking trojan in 2007 and subsequently developed capabilities to deliver additional payloads, including ransomware. In late August 2023, the notorious malware operation was dealtThe Hacker News
October 5, 2023 – Phishing
Stream-Jacking Attacks on YouTube Steal From Victims via Cryptocurrency Scams Full Text
Abstract
Attackers redirect victims to scams that involve QR codes and phishing websites promising to double their cryptocurrency investments, often using deep fake videos of Elon Musk to add credibility.Cyware
October 05, 2023 – Vulnerabilities
Cisco Releases Urgent Patch to Fix Critical Flaw in Emergency Responder Systems Full Text
Abstract
Cisco has released updates to address a critical security flaw impacting Emergency Responder that allows unauthenticated, remote attackers to sign into susceptible systems using hard-coded credentials. The vulnerability, tracked as CVE-2023-20101 (CVSS score: 9.8), is due to the presence of static user credentials for the root account that the company said is usually reserved for use during development. "An attacker could exploit this vulnerability by using the account to log in to an affected system," Cisco said in an advisory. "A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user." The issue impacts Cisco Emergency Responder Release 12.5(1)SU4 and has been addressed in version 12.5(1)SU5. Other releases of the product are not impacted. The networking equipment major said it discovered the problem during internal security testing and that it's not aware of any malicious use of the vulnerability in theThe Hacker News
October 5, 2023 – Attack
Operation Jacana Targets Governmental Entity in Guyana with DinodasRAT Full Text
Abstract
While the specific APT group behind the campaign could not be identified, there is medium confidence that it is a China-aligned threat group based on the use of a variant of Korplug, which is commonly associated with such groups.Cyware
October 05, 2023 – Malware
Analysis and Config Extraction of Lu0Bot, a Node.js Malware with Considerable Capabilities Full Text
Abstract
Nowadays, more malware developers are using unconventional programming languages to bypass advanced detection systems. The Node.js malware Lu0Bot is a testament to this trend. By targeting a platform-agnostic runtime environment common in modern web apps and employing multi-layer obfuscation, Lu0Bot is a serious threat to organizations and individuals. Although currently, the malware has low activity, the attackers are likely waiting for the right moment to strike. To be prepared for any future scenario, a team of analysts conducted an in-depth technical analysis of one of the recent samples of Lu0Bot and published an article documenting their process. Here's an overview of their research. Static analysis of the Lu0Bot sample: The sample under investigation used an SFX packer, a self-extracting archive that can be opened with any archive utility. Its contents were explored individually. Archive contents: 1. BAT-file. The content of the BAT file: The first line in theThe Hacker News
October 5, 2023 – General
Threats in Cloud Top List of Executive Cyber Concerns, PwC Finds Full Text
Abstract
Despite the focus on cloud security, many organizations still have risk management lapses, such as not addressing disaster recovery and backup with their cloud service provider.Cyware
October 05, 2023 – Attack
Guyana Governmental Entity Hit by DinodasRAT in Cyber Espionage Attack Full Text
Abstract
A governmental entity in Guyana has been targeted as part of a cyber espionage campaign dubbed Operation Jacana. The activity, which was detected by ESET in February 2023, entailed a spear-phishing attack that led to the deployment of a hitherto undocumented implant written in C++ called DinodasRAT. The Slovak cybersecurity firm said it could not link the intrusion to a known threat actor or group, but attributed it with medium confidence to a China-nexus adversary owing to the use of PlugX (aka Korplug), a remote access trojan common to Chinese hacking crews. "This campaign was targeted, as the threat actors crafted their emails specifically to entice their chosen victim organization," ESET said in a report shared with The Hacker News. "After successfully compromising an initial but limited set of machines with DinodasRAT, the operators proceeded to move inside and breach the target's internal network, where they again deployed this backdoor." The infecThe Hacker News
October 5, 2023 – Breach
Global CRM Provider Exposed Millions of Clients’ Files Online Full Text
Abstract
Really Simple Systems exposed a non-password-protected database with over 3 million records, including highly sensitive customer information such as medical records and tax documents.Cyware
October 05, 2023 – Malware
GoldDigger Android Trojan Targets Banking Apps in Asia Pacific Countries Full Text
Abstract
A new Android banking trojan named GoldDigger has been found targeting several financial applications with an aim to siphon victims' funds and backdoor infected devices. "The malware targets more than 50 Vietnamese banking, e-wallet and crypto wallet applications," Group-IB said. "There are indications that this threat might be poised to extend its reach across the wider APAC region and to Spanish-speaking countries." The malware was first detected by the Singapore-headquartered company in August 2023, although there is evidence to suggest that it has been active since June 2023. While the exact scale of the infections is currently not known, the malicious apps have been found to impersonate a Vietnamese government portal and an energy company to request intrusive permissions to meet its data-gathering goals. This primarily includes abusing Android's accessibility services, which is intended to assist users with disabilities to use the apps, inThe Hacker News
October 5, 2023 – Education
Why Stream-Jacking is Taking Over YouTube: A Comprehensive Analysis Full Text
Abstract
Stream-jacking attacks on YouTube are increasing, targeting popular channels to spread deceptive content. Cybercriminals hijack these channels, often impersonating famous figures or brands like Elon Musk and Tesla, promoting scams like crypto doubling. Viewers should be cautious of videos with ...Cyware
October 05, 2023 – Government
CISA Warns of Active Exploitation of JetBrains and Windows Vulnerabilities Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation, while removing five bugs from the list due to lack of adequate evidence. The vulnerabilities newly added are below - CVE-2023-42793 (CVSS score: 9.8), JetBrains TeamCity Authentication Bypass Vulnerability; and CVE-2023-28229 (CVSS score: 7.0), Microsoft Windows CNG Key Isolation Service Privilege Escalation Vulnerability. CVE-2023-42793 relates to a critical authentication bypass vulnerability that allows for remote code execution on TeamCity Server. Data gathered by GreyNoise has revealed exploitation attempts targeting the flaw from 74 unique IP addresses to date. On the other hand, CVE-2023-28229 is a high-severity flaw in the Microsoft Windows Cryptographic Next Generation (CNG) Key Isolation Service that allows an attacker to gain specific limited SYSTEM privileges. There are currenThe Hacker News
October 5, 2023 – General
Coalition to give NGOs free access to cybersecurity services to protect against attacks Full Text
Abstract
The CyberPeace Institute, in collaboration with other organizations, will establish a portal to provide free training and support to help NGOs in the Netherlands enhance their cybersecurity resilience.Cyware
October 05, 2023 – Vulnerabilities
Apple Rolls Out Security Patches for Actively Exploited iOS Zero-Day Flaw Full Text
Abstract
Apple on Wednesday rolled out security patches to address a new zero-day flaw in iOS and iPadOS that it said has come under active exploitation in the wild. Tracked as CVE-2023-42824, the kernel vulnerability could be abused by a local attacker to elevate their privileges. The iPhone maker said it addressed the problem with improved checks. "Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6," the company noted in a terse advisory. While additional details about the nature of the attacks and the identity of the threat actors perpetrating them are currently unknown, successful exploitation likely hinges on an attacker already obtaining an initial foothold by some other means. Apple's latest update also resolves CVE-2023-5217 impacting the WebRTC component, which Google last week described as a heap-based buffer overflow in the VP8 compression format in libvpx. The patches, iOS 17.0.3 and iPadOS 1The Hacker News
October 5, 2023 – Malware
Attacker Deployed Hundreds of Rogue Python Packages with 75,000 Downloads to Steal Sensitive Data Full Text
Abstract
The malicious packages aim to steal sensitive data from systems, applications, browsers, and users. They also target cryptocurrency users by redirecting transactions to the attacker's account.Cyware
October 05, 2023 – Vulnerabilities
Atlassian Confluence Hit by New Actively Exploited Zero-Day – Patch Now Full Text
Abstract
Atlassian has released fixes to contain an actively exploited critical zero-day flaw impacting publicly accessible Confluence Data Center and Server instances. The vulnerability, tracked as CVE-2023-22515, is remotely exploitable and allows external attackers to create unauthorized Confluence administrator accounts and access Confluence servers. It does not impact Confluence versions prior to 8.0.0. Confluence sites accessed via an atlassian.net domain are also not vulnerable to this issue. The enterprise software services provider said it was made aware of the issue by "a handful of customers." It has been addressed in the following versions of Confluence Data Center and Server - 8.3.3 or later, 8.4.3 or later, and 8.5.2 (Long Term Support release) or later. The company, however, did not disclose any further specifics about the nature and scale of the exploitation, or the root cause of the vulnerability. Customers who are unable to apply the updates are advisedThe Hacker News
October 4, 2023 – Malware
Mozilla Warns of Fake Thunderbird Downloads Delivering Ransomware Full Text
Abstract
The Snatch cybercrime group has been using paid Google ads to distribute their malware, posing as trusted software like Adobe Reader, Discord, Microsoft Teams, and Mozilla Thunderbird.Cyware
October 04, 2023 – Malware
Researchers Link DragonEgg Android Spyware to LightSpy iOS Surveillanceware Full Text
Abstract
New findings have identified connections between an Android spyware called DragonEgg and another sophisticated modular iOS surveillanceware tool named LightSpy. DragonEgg, alongside WyrmSpy (aka AndroidControl), was first disclosed by Lookout in July 2023 as a strain of malware capable of gathering sensitive data from Android devices. It was attributed to the Chinese nation-state group APT41. On the other hand, details about LightSpy came to light in March 2020 as part of a campaign dubbed Operation Poisoned News in which Apple iPhone users in Hong Kong were targeted with watering hole attacks to install the spyware. Now, according to Dutch mobile security firm ThreatFabric, the attack chains involve the use of a trojanized Telegram app that's designed to download a second-stage payload (smallmload.jar), which, in turn, is configured to download a third component codenamed Core. Further analysis of the artifacts has revealed that the implant has been actively maintaineThe Hacker News
October 4, 2023 – Breach
Arietis Health Announces MOVEit Data Breach Impacting Patients of NorthStar Anesthesia Facilities Full Text
Abstract
The breach was discovered on May 31, 2023, and unauthorized actors were able to access Arietis Health's MOVEit server, potentially acquiring confidential files belonging to patients at NorthStar Anesthesia. (Cyware)
October 04, 2023 – Solution
Wing Disrupts the Market by Introducing Affordable SaaS Security Full Text
Abstract
Today, mid-sized companies and their CISOs are struggling to handle the growing threat of SaaS security with limited manpower and tight budgets. Now, this may be changing. By focusing on the critical SaaS security needs of these companies, a new approach has emerged that can be launched for $1,500 a year. If the name Wing Security (Wing) rings a bell, it is probably because earlier this year, they made waves by offering SaaS shadow IT discovery completely for free. Today, Wing is once again aiming to disrupt the SaaS security market by offering a new tier that the company claims to be 'The essential SaaS security level that every company should achieve.' The new product tier focuses on SaaS shadow IT discovery, automated vendor risk assessments, and the ability to easily perform user access reviews on dozens of critical business applications. Wing also provides the ability to generate compliance-ready access reports that customers can then send to their auditor. The c [...] (The Hacker News)
October 4, 2023 – Outage
Lyca Mobile Suffers Disruptive Cyberattack; Investigates Ransomware Possibility Full Text
Abstract
The cyberattack caused disruptions to national and international calling, as well as customers' and retailers' access to top-ups, indicating a potential ransomware attack. (Cyware)
October 04, 2023 – Malware
Rogue npm Package Deploys Open-Source Rootkit in New Supply Chain Attack Full Text
Abstract
A new deceptive package hidden within the npm package registry has been uncovered deploying an open-source rootkit called r77, marking the first time a rogue package has delivered rootkit functionality. The package in question is node-hide-console-windows, which mimics the legitimate npm package node-hide-console-window in what's an instance of a typosquatting campaign. It was downloaded 704 times over the past two months before it was taken down. ReversingLabs, which first detected the activity in August 2023, said the package "downloaded a Discord bot that facilitated the planting of an open-source rootkit, r77," adding it "suggests that open-source projects may increasingly be seen as an avenue by which to distribute malware." The malicious code, per the software supply chain security firm, is contained within the package's index.js file that, upon execution, fetches an executable that's automatically run. The executable in question is [...] (The Hacker News)
October 4, 2023 – Attack
Typosquatting Campaign Delivers R77 Rootkit Through Malicious JavaScript Package Full Text
Abstract
The typosquatting attack involved a malicious package called node-hide-console-windows that downloaded a Discord bot, which then planted an open-source rootkit called r77. (Cyware)
October 04, 2023 – Attack
Microsoft Warns of Cyber Attacks Attempting to Breach Cloud via SQL Server Instance Full Text
Abstract
Microsoft has detailed a new campaign in which attackers unsuccessfully attempted to move laterally to a cloud environment through an SQL Server instance. "The attackers initially exploited a SQL injection vulnerability in an application within the target's environment," security researchers Sunders Bruskin, Hagai Ran Kestenberg, and Fady Nasereldeen said in a Tuesday report. "This allowed the attacker to gain access and elevated permissions on a Microsoft SQL Server instance deployed in Azure Virtual Machine (VM)." In the next stage, the threat actors leveraged the new permissions to attempt to move laterally to additional cloud resources by abusing the server's cloud identity, which may possess elevated permissions to likely carry out various malicious actions in the cloud that the identity has access to. Microsoft said it did not find any evidence to suggest that the attackers successfully moved laterally to the cloud resources using the technique [...] (The Hacker News)
October 4, 2023 – Vulnerabilities
Dead Grandma Locket Request Tricks Bing Chat’s AI Into Solving Security Puzzle Full Text
Abstract
This incident highlights a new type of vulnerability, similar to prompt injection, where users can bypass the constraints of the AI model. Microsoft is likely to address this issue in future versions of Bing Chat. (Cyware)
October 04, 2023 – Vulnerabilities
Looney Tunables: New Linux Flaw Enables Privilege Escalation on Major Distributions Full Text
Abstract
A new Linux security vulnerability dubbed Looney Tunables has been discovered in the GNU C library's ld.so dynamic loader that, if successfully exploited, could lead to a local privilege escalation and allow a threat actor to gain root privileges. Tracked as CVE-2023-4911 (CVSS score: 7.8), the issue is a buffer overflow that resides in the dynamic loader's processing of the GLIBC_TUNABLES environment variable. Cybersecurity firm Qualys, which disclosed details of the bug, said it was introduced as part of a code commit made in April 2021. The GNU C library, also called glibc, is a core library in Linux-based systems that offers foundational features such as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt, login, and exit. glibc's dynamic loader is a crucial component that's responsible for preparing and running programs, including finding the necessary shared object dependencies as well as loading them into memory [...] (The Hacker News)
October 4, 2023 – Breach
Dark Web Sale of FBI LEEP Classified Data Sparks Concerns Over National Security Full Text
Abstract
The sale of these credentials puts sensitive information at risk of being misused by cybercriminals. It is unclear how many credentials are being sold or if they are genuine. (Cyware)
October 4, 2023 – Breach
NATO Investigates Alleged Cyberattack Affecting Some Unclassified Websites Full Text
Abstract
NATO is currently investigating claims that data was stolen from its unclassified websites by the hacking group SiegedSec. The group allegedly stole 9 GB of data, including documents from various NATO portals. (Cyware)
October 4, 2023 – Breach
San Francisco Metropolitan Transportation Commission Leaves 26,000 Files Publicly Accessible Full Text
Abstract
A misconfiguration in the Metropolitan Transportation Commission (MTC) systems resulted in the exposure of over 26,000 files, including clients' home addresses and vehicle plate numbers. (Cyware)
October 3, 2023 – Phishing
US Executives Targeted in Phishing Attacks Exploiting Flaw in Indeed Job Platform Full Text
Abstract
A recent phishing campaign has exploited an open redirection vulnerability in the popular job search platform Indeed, targeting executives in senior roles to steal their Microsoft credentials. (Cyware)
October 03, 2023 – Vulnerabilities
Qualcomm Releases Patch for 3 new Zero-Days Under Active Exploitation Full Text
Abstract
Chipmaker Qualcomm has released security updates to address 17 vulnerabilities in various components, while warning that three other zero-days have come under active exploitation. Of the 17 flaws, three are rated Critical, 13 are rated High, and one is rated Medium in severity. "There are indications from Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063 may be under limited, targeted exploitation," the semiconductor company said in an advisory. "Patches for the issues affecting Adreno GPU and Compute DSP drivers have been made available, and OEMs have been notified with a strong recommendation to deploy security updates as soon as possible." CVE-2022-22071 (CVSS score: 8.4), described as a use-after-free in Automotive OS Platform, was originally patched by the company as part of its May 2022 updates. While additional specifics about the remaining flaws are expected to be made [...] (The Hacker News)
October 3, 2023 – Breach
Lorenz Ransomware Group Attacks Allcare Pharmacy in Major Cyber Assault Full Text
Abstract
The Allcare Pharmacy data breach, claimed by the Lorenz ransomware group, has exposed sensitive customer information, including Social Security Numbers, raising concerns about data security and patient privacy in the healthcare sector. (Cyware)
October 03, 2023 – Vulnerabilities
Warning: PyTorch Models Vulnerable to Remote Code Execution via ShellTorch Full Text
Abstract
Cybersecurity researchers have disclosed multiple critical security flaws in the TorchServe tool for serving and scaling PyTorch models that could be chained to achieve remote code execution on affected systems. Israel-based runtime application security company Oligo, which made the discovery, has coined the vulnerabilities ShellTorch. "These vulnerabilities [...] can lead to a full chain Remote Code Execution (RCE), leaving countless thousands of services and end-users — including some of the world's largest companies — open to unauthorized access and insertion of malicious AI models, and potentially a full server takeover," security researchers Idan Levcovich, Guy Kaplan, and Gal Elbaz said. The list of flaws, which have been addressed in version 0.8.2, is as follows: No CVE: Unauthenticated Management Interface API Misconfiguration (0.0.0.0); CVE-2023-43654 (CVSS score: 7.2): a remote server-side request forgery (SSRF) that leads to remote code exe [...] (The Hacker News)
October 3, 2023 – Vulnerabilities
Hackers Seen Exploiting Bugs in Browsers and Popular File Transfer Tool Full Text
Abstract
The Cybersecurity and Infrastructure Security Agency (CISA) warned on Monday that hackers are exploiting CVE-2023-5217 — a vulnerability affecting Google Chrome, Mozilla Firefox, and more. (Cyware)
October 03, 2023 – Malware
Over 3 Dozen Data-Stealing Malicious npm Packages Found Targeting Developers Full Text
Abstract
Nearly three dozen counterfeit packages have been discovered in the npm package repository that are designed to exfiltrate sensitive data from developer systems, according to findings from Fortinet FortiGuard Labs. One set of packages – named @expue/webpack, @expue/core, @expue/vue3-renderer, @fixedwidthtable/fixedwidthtable, and @virtualsearchtable/virtualsearchtable – harbored an obfuscated JavaScript file that's capable of gathering valuable secrets. This includes Kubernetes configurations, SSH keys, and system metadata such as username, IP address, and hostname. The cybersecurity firm said it also discovered another collection of four modules, i.e., binarium-crm, career-service-client-0.1.6, hh-dep-monitoring, and orbitplate, which results in the unauthorized extraction of source code and configuration files. "The targeted files and directories may contain highly valuable intellectual property and sensitive information, such as various application and service credent [...] (The Hacker News)
October 3, 2023 – Botnet
New Wave of Mirai Botnet Variants Like hailBot, kiraiBot, and catDDoS Mount a Fierce Onslaught Full Text
Abstract
These variants utilize different tactics such as modifying go-live processes, introducing new encryption algorithms, and incorporating OpenNIC domains to evade detection and enhance their malicious activities. (Cyware)
October 03, 2023 – Education
API Security Trends 2023 – Have Organizations Improved their Security Posture? Full Text
Abstract
APIs, also known as application programming interfaces, serve as the backbone of modern software applications, enabling seamless communication and data exchange between different systems and platforms. They provide developers with an interface to interact with external services, allowing them to integrate various functionalities into their own applications. However, this increased reliance on APIs has also made them attractive targets for cybercriminals. In recent years, the rise of API breaches has become a growing concern in the world of cybersecurity. One of the main reasons behind the rise of API breaches is inadequate security measures implemented by developers and organizations. Many APIs are not properly secured, leaving them vulnerable to attacks. Moreover, hackers have developed sophisticated techniques that specifically target weaknesses within APIs. For example, they may leverage malicious code injections into requests or manipulate responses from an API endpoint to gain [...] (The Hacker News)
October 3, 2023 – Vulnerabilities
Android’s October 2023 Security Updates Patch Two Exploited Vulnerabilities Full Text
Abstract
Google on Monday announced the release of patches for 51 vulnerabilities as part of the October 2023 security updates for Android, including fixes for two zero-day flaws exploited in malicious attacks. (Cyware)
October 03, 2023 – Solution
Protecting your IT infrastructure with Security Configuration Assessment (SCA) Full Text
Abstract
Security Configuration Assessment (SCA) is critical to an organization's cybersecurity strategy. SCA aims to discover vulnerabilities and misconfigurations that malicious actors exploit to gain unauthorized access to systems and data. Regular security configuration assessments are essential in maintaining a secure and compliant environment, as this minimizes the risk of cyber attacks. The assessment provides insight into your current security posture by performing configuration baseline checks on services and applications running on critical systems. How SCA works: SCA is performed by checking the configurations of your IT assets against known benchmarks such as the Center for Internet Security (CIS) benchmark and compliance standards such as NIST, GDPR, and HIPAA. Regulatory standards provide a global benchmark for best practices to help organizations enhance their IT hygiene and improve customer trust. The CIS benchmark provides a guideline for best practices for security c [...] (The Hacker News)
October 3, 2023 – Attack
Medusa Ransomware Group Claims Intrusions at Two New Victims, Sets Ransom Deadline Full Text
Abstract
The Medusa ransomware group has recently targeted two companies, Karam Chand Thapar & Bros. (Coal Sales) Ltd in India and the Sweden-based Windak Group, demanding significant ransoms for the release of encrypted data. (Cyware)
October 03, 2023 – Vulnerabilities
Researcher Reveals New Techniques to Bypass Cloudflare’s Firewall and DDoS Protection Full Text
Abstract
Firewall and distributed denial-of-service (DDoS) attack prevention mechanisms in Cloudflare can be circumvented by exploiting gaps in cross-tenant security controls, defeating the very purpose of these safeguards, it has emerged. "Attackers can utilize their own Cloudflare accounts to abuse the per-design trust-relationship between Cloudflare and the customers' websites, rendering the protection mechanism ineffective," Certitude researcher Stefan Proksch said in a report published last week. The problem, per the Austrian consulting firm, is the result of shared infrastructure available to all tenants within Cloudflare, regardless of whether they are legitimate or otherwise, thereby making it easy for malicious actors to abuse the implicit trust associated with the service and defeat the guardrails. The first issue stems from opting for a shared Cloudflare certificate to authenticate HTTP(S) requests between the service's reverse proxies and the customer's origi [...] (The Hacker News)
October 3, 2023 – Attack
Update: Some Prospect Medical Hospitals in Dire State, Post-Attack Full Text
Abstract
The hospitals are facing financial difficulties and are struggling to pay vendors. This incident highlights the vulnerability of financially unstable hospitals to cyberattacks and the potential risks to patient care. (Cyware)
October 03, 2023 – Vulnerabilities
Arm Issues Patch for Mali GPU Kernel Driver Vulnerability Amidst Ongoing Exploitation Full Text
Abstract
Arm has released security patches to contain a security flaw in the Mali GPU Kernel Driver that has come under active exploitation in the wild. Tracked as CVE-2023-4211, the shortcoming impacts the following driver versions: Midgard GPU Kernel Driver, all versions from r12p0 to r32p0; Bifrost GPU Kernel Driver, all versions from r0p0 to r42p0; Valhall GPU Kernel Driver, all versions from r19p0 to r42p0; Arm 5th Gen GPU Architecture Kernel Driver, all versions from r41p0 to r42p0. "A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory," Arm said in a Monday advisory. "There is evidence that this vulnerability may be under limited, targeted exploitation." The issue, credited to Maddie Stone of Google's Threat Analysis Group (TAG) and Jann Horn of Google Project Zero, has been addressed in Bifrost, Valhall and Arm 5th Gen GPU Architecture Kernel Driver r43p0. Google, in its own monthly Androi [...] (The Hacker News)
October 3, 2023 – Criminals
BlackCat Ransomware Gang Allegedly Stole Over 24 Million Files From Motel One Full Text
Abstract
Motel One has been given a five-day deadline to pay the ransom or risk the public release of the stolen data, which would result in significant reputational and legal consequences for the company. (Cyware)
October 3, 2023 – Denial Of Service
Global Events Fuel DDoS Attack Campaigns Full Text
Abstract
Cybercriminals launched around 7.9 million DDoS attacks in the first half of 2023, a 31% increase compared to the previous year, according to NETSCOUT. These attacks have been driven by global events such as the Russia-Ukraine war and NATO bids. (Cyware)
October 2, 2023 – Vulnerabilities
Logic Flaws Let Attackers Bypass Cloudflare’s Firewall and DDoS Protection Full Text
Abstract
Cloudflare has been found to have vulnerabilities in its Firewall and DDoS prevention system. Hackers can exploit these flaws by creating a free Cloudflare account and knowing the IP address of a targeted web server. (Cyware)
October 02, 2023 – Education
APIs: Unveiling the Silent Killer of Cyber Security Risk Across Industries Full Text
Abstract
Introduction: In today's interconnected digital ecosystem, Application Programming Interfaces (APIs) play a pivotal role in enabling seamless communication and data exchange between various software applications and systems. APIs act as bridges, facilitating the sharing of information and functionalities. However, as the use of APIs continues to rise, they have become an increasingly attractive target for cybercriminals and a significant cybersecurity risk across various industries. This article dives into the world of APIs, exploring why they pose substantial cybersecurity challenges and providing real-world examples of API breaches across different sectors. The API Revolution: The proliferation of cloud computing, mobile apps, and the Internet of Things (IoT) has accelerated the adoption of APIs. They serve as the building blocks of modern software applications, enabling developers to integrate third-party services, enhance functionalities, and c [...] (The Hacker News)
October 2, 2023 – Breach
Hackers Steal User Database From European Telecommunications Standards Body Full Text
Abstract
ETSI has taken immediate action, involving France's cybersecurity agency, ANSSI, to investigate and fix the vulnerability that led to the attack and has strengthened its IT security procedures. (Cyware)
October 02, 2023 – Hacker
LUCR-3: Scattered Spider Getting SaaS-y in the Cloud Full Text
Abstract
LUCR-3 overlaps with groups such as Scattered Spider, Oktapus, UNC3944, and STORM-0875 and is a financially motivated attacker that leverages the Identity Provider (IDP) as initial access into an environment with the goal of stealing Intellectual Property (IP) for extortion. LUCR-3 targets Fortune 2000 companies across various sectors, including but not limited to Software, Retail, Hospitality, Manufacturing, and Telecoms. LUCR-3 does not rely heavily on malware or even scripts; instead, LUCR-3 expertly uses victims' own tools, applications, and resources to achieve their goals. At a high level, Initial Access is gained through compromising existing identities in the IDP (Okta: Identity Cloud, Azure AD / Entra, Ping Identity: PingOne). LUCR-3 uses SaaS applications such as document portals, ticketing systems, and chat applications to learn how the victim organization operates and how to access sensitive information. Using the data they gained from reconnaissance within the SaaS [...] (The Hacker News)
October 2, 2023 – Phishing
“Phantom Hacker” Scams Target Senior Citizens and Result in Victims Losing their Life Savings Full Text
Abstract
The FBI warned about a new scam called the "Phantom Hacker" scam, which is specifically targeting senior citizens. It involves imposters posing as tech support, financial institutions, and government representatives to gain the trust of victims. (Cyware)
October 02, 2023 – Skimming
Silent Skimmer: A Year-Long Web Skimming Campaign Targeting Online Payment Businesses Full Text
Abstract
A financially motivated campaign has been targeting online payment businesses in the Asia Pacific, North America, and Latin America with web skimmers for more than a year. The BlackBerry Research and Intelligence Team is tracking the activity under the name Silent Skimmer, attributing it to an actor who is knowledgeable in the Chinese language. Prominent victims include online businesses and point-of-sale (PoS) service providers. "The campaign operators exploit vulnerabilities in web applications, particularly those hosted on Internet Information Services (IIS)," the Canadian cybersecurity firm said. "Their primary objective is to compromise the payment checkout page, and swipe visitors' sensitive payment data." A successful initial foothold is followed by the threat actors leveraging multiple open-source tools and living-off-the-land (LotL) techniques for privilege escalation, post-exploitation, and code execution. The attack chain leads to the deploy [...] (The Hacker News)
October 2, 2023 – Breach
National Logistics Portal Leaks Sensitive Data Related to Operations at Indian Ports Full Text
Abstract
The publicly accessible AWS S3 buckets contained personal data, invoices, and internal documents, potentially disrupting trade and operations of India's ports and leading to significant ransom demands. (Cyware)
October 02, 2023 – Vulnerabilities
OpenRefine’s Zip Slip Vulnerability Could Let Attackers Execute Malicious Code Full Text
Abstract
A high-severity security flaw has been disclosed in the open-source OpenRefine data cleanup and transformation tool that could result in arbitrary code execution on affected systems. Tracked as CVE-2023-37476 (CVSS score: 7.8), the vulnerability is a Zip Slip vulnerability that could have adverse impacts when importing a specially crafted project in versions 3.7.3 and below. "Although OpenRefine is designed to only run locally on a user's machine, an attacker can trick a user into importing a malicious project file," Sonar security researcher Stefan Schiller said in a report published last week. "Once this file is imported, the attacker can execute arbitrary code on the user's machine." Software prone to Zip Slip vulnerabilities can pave the way for code execution by taking advantage of a directory traversal bug that an attacker can exploit to gain access to parts of the file system that should be out of reach otherwise. The attack is built on tw [...] (The Hacker News)
October 2, 2023 – Vulnerabilities
Update: Mass Exploitation Attempts Against WS_FTP Have Begun Full Text
Abstract
Progress Software released fixes for eight vulnerabilities in WS_FTP, including one with a maximum severity score, but evidence of exploitation was discovered shortly after. (Cyware)
October 02, 2023 – Malware
BunnyLoader: New Malware-as-a-Service Threat Emerges in the Cybercrime Underground Full Text
Abstract
Cybersecurity experts have discovered yet another malware-as-a-service (MaaS) threat called BunnyLoader that's being advertised for sale on the cybercrime underground. "BunnyLoader provides various functionalities such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more," Zscaler ThreatLabz researchers Niraj Shivtarkar and Satyam Singh said in an analysis published last week. Its other capabilities include running remote commands on the infected machine, a keylogger to capture keystrokes, and a clipper functionality to monitor the victim's clipboard and replace content matching cryptocurrency wallet addresses with actor-controlled addresses. A C/C++-based loader offered for $250 for a lifetime license, the malware is said to have been under continuous development since its debut on September 4, 2023, with new features and enhancements that incorporate anti-sandbox and antivirus evasion [...] (The Hacker News)
October 2, 2023 – Education
How Should Organizations Navigate the Risks and Opportunities of AI? Full Text
Abstract
As AI technology evolves rapidly, organizations need to stay vigilant, monitor the AI landscape, and adapt their cybersecurity programs to effectively defend against new threats posed by cybercriminals. (Cyware)
October 02, 2023 – Malware
Zanubis Android Banking Trojan Poses as Peruvian Government App to Target Users Full Text
Abstract
An emerging Android banking trojan called Zanubis is now masquerading as a Peruvian government app to trick unsuspecting users into installing the malware. "Zanubis's main infection path is through impersonating legitimate Peruvian Android applications and then tricking the user into enabling the Accessibility permissions in order to take full control of the device," Kaspersky said in an analysis published last week. Zanubis, originally documented in August 2022, is the latest addition to a long list of Android banker malware targeting the Latin American (LATAM) region. Targets include more than 40 banks and financial entities in Peru. It's mainly known for abusing accessibility permissions on the infected device to display fake overlay screens atop the targeted apps in an attempt to steal credentials. It's also capable of harvesting contact data, the list of installed apps, and system metadata. Kaspersky said it observed recent samples of Zanubis in the w [...] (The Hacker News)