September, 2023
September 30, 2023 – Vulnerabilities
Researchers Extract Sounds From Still Images on Smartphone Cameras
Abstract
A group of academic researchers has devised a technique to extract sounds from still images captured using smartphone cameras with rolling shutters and movable lens structures. (Source: Cyware)
September 30, 2023 – Government
FBI Warns of Rising Trend of Dual Ransomware Attacks Targeting U.S. Companies
Abstract
The U.S. Federal Bureau of Investigation (FBI) is warning of a new trend of dual ransomware attacks targeting the same victims, at least since July 2023. "During these attacks, cyber threat actors deployed two different ransomware variants against victim companies from the following variants: AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal," the FBI said in an alert. "Variants were deployed in various combinations." Not much is known about the scale of such attacks, although it's believed that they happen in close proximity to one another, anywhere from 48 hours to 10 days apart. Another notable change observed in ransomware attacks is the increased use of custom data theft, wiper tools, and malware to exert pressure on victims to pay up. "This use of dual ransomware variants resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments," the agency said. "Second ran… (Source: The Hacker News)
September 30, 2023 – Attack
Large Michigan Healthcare Provider Confirms Ransomware Attack
Abstract
McLaren HealthCare, one of the largest healthcare systems in Michigan, has confirmed a ransomware attack, potentially impacting patient data and causing disruptions in their computer network. (Source: Cyware)
September 30, 2023 – APT
Iranian APT Group OilRig Using New Menorah Malware for Covert Operations
Abstract
Sophisticated cyber actors backed by Iran known as OilRig have been linked to a spear-phishing campaign that infects victims with a new strain of malware called Menorah. "The malware was designed for cyberespionage, capable of identifying the machine, reading and uploading files from the machine, and downloading another file or malware," Trend Micro researchers Mohamed Fahmy and Mahmoud Zohdy said in a Friday report. The victimology of the attacks is not immediately known, although the use of decoys indicates at least one of the targets is an organization located in Saudi Arabia. Also tracked under the names APT34, Cobalt Gypsy, Hazel Sandstorm, and Helix Kitten, OilRig is an Iranian advanced persistent threat (APT) group that specializes in covert intelligence gathering operations to infiltrate and maintain access within targeted networks. The revelation builds on recent findings from NSFOCUS, which uncovered an OilRig phishing attack resulting in the deploymen… (Source: The Hacker News)
September 30, 2023 – Government
FBI Warns Energy Sector of Likely Increase in Targeting by Chinese, Russian Hackers
Abstract
The FBI warns that changes in the global energy supply, including US exports of liquefied natural gas and shifts in the crude oil supply chain, are likely to boost the targeting of critical energy infrastructure by Chinese and Russian hackers. (Source: Cyware)
September 30, 2023 – Vulnerabilities
New Critical Security Flaws Expose Exim Mail Servers to Remote Attacks
Abstract
Multiple security vulnerabilities have been disclosed in the Exim mail transfer agent that, if successfully exploited, could result in information disclosure and remote code execution. The list of flaws, which were reported anonymously back in June 2022, is as follows:
CVE-2023-42114 (CVSS score: 3.7) - Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability
CVE-2023-42115 (CVSS score: 9.8) - Exim AUTH Out-Of-Bounds Write Remote Code Execution Vulnerability
CVE-2023-42116 (CVSS score: 8.1) - Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability
CVE-2023-42117 (CVSS score: 8.1) - Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability
CVE-2023-42118 (CVSS score: 7.5) - Exim libspf2 Integer Underflow Remote Code Execution Vulnerability
CVE-2023-42119 (CVSS score: 3.1) - Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerability
The most severe of the vulnerabilities is CVE-2023-… (Source: The Hacker News)
September 30, 2023 – Phishing
APT34 Deploys Phishing Attack With New Menorah Malware
Abstract
The Menorah malware is designed for cyberespionage and possesses capabilities such as machine identification, file reading and uploading, shell command execution, and file downloading. (Source: Cyware)
September 30, 2023 – Government
CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
Abstract
The flaw, tracked as CVE-2018-14667, was added by CISA on Thursday to its Known Exploited Vulnerabilities (KEV) Catalog, with federal agencies being instructed to apply mitigations or discontinue the use of the product by October 19. (Source: Cyware)
September 29, 2023 – Criminals
Cybercriminals Using New ASMCrypt Malware Loader to Fly Under the Radar
Abstract
Threat actors are selling a new crypter and loader called ASMCrypt, which has been described as an "evolved version" of another loader malware known as DoubleFinger. "The idea behind this type of malware is to load the final payload without the loading process or the payload itself being detected by AV/EDR, etc.," Kaspersky said in an analysis published this week. DoubleFinger was first documented by the Russian cybersecurity company, detailing infection chains leveraging the malware to propagate a cryptocurrency stealer dubbed GreetingGhoul to victims in Europe, the U.S., and Latin America. ASMCrypt, once purchased and launched by the customers, is designed to establish contact with a backend service over the TOR network using hard-coded credentials, thereby enabling the buyers to build payloads of their choice for use in their campaigns. "The application creates an encrypted blob hidden inside a .PNG file," Kaspersky said. "This image mus… (Source: The Hacker News)
September 29, 2023 – Attack
Lazarus Group Impersonates Recruiter from Meta to Target Spanish Aerospace Firm
Abstract
The North Korea-linked Lazarus Group has been linked to a cyber espionage attack targeting an unnamed aerospace company in Spain in which employees of the firm were approached by the threat actor posing as a recruiter for Meta. "Employees of the targeted company were contacted by a fake recruiter via LinkedIn and tricked into opening a malicious executable file presenting itself as a coding challenge or quiz," ESET security researcher Peter Kálnai said in a technical report shared with The Hacker News. The attack is part of a long-standing spear-phishing campaign called Operation Dream Job that's orchestrated by the hacking crew in an attempt to lure employees working at prospective targets that are of strategic interest, enticing them with lucrative job opportunities to activate the infection chain. Earlier this March, the Slovak cybersecurity company detailed an attack wave aimed at Linux users that involved the use of bogus HSBC job offers to launch a backdoo… (Source: The Hacker News)
September 29, 2023 – Phishing
City of Fort Lauderdale, Florida, Taken for $1.2m in Email Scam
Abstract
The payment, intended for a new police headquarters building, was made to a scammer who posed as the legitimate contractor, Moss Construction. The incident underscores the need for increased cybersecurity measures against business email compromise. (Source: Cyware)
September 29, 2023 – Encryption
Post-Quantum Cryptography: Finally Real in Consumer Apps?
Abstract
Most people are barely thinking about basic cybersecurity, let alone post-quantum cryptography. But the impact of a post-quantum world is coming for them regardless of whether or not it's keeping them up tonight. Today, many rely on encryption in their daily lives to protect their fundamental digital privacy and security, whether for messaging friends and family, storing files and photos, or simply browsing the web. The question experts have been asking for a long time, with their eye on the advances in quantum computing, is, "How long before these defenses fail?"
The ticking clock of quantum computing
One set of researchers is already sounding the alarms, claiming that they've found a way to break 2048-bit RSA encryption with a quantum computer. While the claims may be premature, they hint toward a scary future that is perhaps closer than we once thought. Breaking RSA encryption would represent a massive privacy and security vulnerability for virtually every… (Source: The Hacker News)
September 29, 2023 – General
What Happens to Government Devices During a Shutdown?
Abstract
Government-issued devices face heightened security risks during a federal shutdown, as furloughed employees are typically restricted from using them, leaving networks and devices vulnerable. (Source: Cyware)
September 29, 2023 – Malware
Microsoft’s AI-Powered Bing Chat Ads May Lead Users to Malware-Distributing Sites
Abstract
Malicious ads served inside Microsoft Bing's artificial intelligence (AI) chatbot are being used to distribute malware when searching for popular tools. The findings come from Malwarebytes, which revealed that unsuspecting users can be tricked into visiting booby-trapped sites and installing malware directly from Bing Chat conversations. Introduced by Microsoft in February 2023, Bing Chat is an interactive search experience that's powered by OpenAI's large language model called GPT-4. A month later, the tech giant began exploring placing ads in the conversations. But the move has also opened the doors for threat actors who resort to malvertising tactics and propagate malware. "Ads can be inserted into a Bing Chat conversation in various ways," Jérôme Segura, director of threat intelligence at Malwarebytes, said. "One of those is when a user hovers over a link and an ad is displayed first before the organic result." In an example highligh… (Source: The Hacker News)
September 29, 2023 – Phishing
Lazarus APT Lures Employees of Spanish Aerospace Company with Trojanized Coding Challenges
Abstract
The attack involved the deployment of a sophisticated backdoor called LightlessCan, which mimics native Windows commands and implements techniques to avoid detection by security monitoring software. (Source: Cyware)
September 29, 2023 – Vulnerabilities
Progress Software Releases Urgent Hotfixes for Multiple Security Flaws in WS_FTP Server
Abstract
Progress Software has released hotfixes for a critical security vulnerability, alongside seven other flaws, in the WS_FTP Server Ad hoc Transfer Module and in the WS_FTP Server manager interface. Tracked as CVE-2023-40044, the flaw has a CVSS score of 10.0, indicating maximum severity. All versions of the software are impacted by the flaw. "In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system," the company said in an advisory. Assetnote security researchers Shubham Shah and Sean Yeoh have been credited with discovering and reporting the vulnerability. The list of remaining flaws, impacting WS_FTP Server versions prior to 8.8.2, is as follows:
CVE-2023-42657 (CVSS score: 9.9) - A directory traversal vulnerability that could be exploited to perform file operations.
CVE-2023-40045… (Source: The Hacker News)
September 29, 2023 – Government
FBI Warns Organizations of Dual Ransomware, Wiper Attacks
Abstract
As part of this trend, which was observed in July 2023, the FBI notes in a new private industry notification, threat actors deploy two ransomware variants in close date proximity to one another. (Source: Cyware)
September 29, 2023 – Vulnerabilities
Cisco Warns of Vulnerability in IOS and IOS XE Software After Exploitation Attempts
Abstract
Cisco is warning of attempted exploitation of a security flaw in its IOS Software and IOS XE Software that could permit an authenticated remote attacker to achieve remote code execution on affected systems. The medium-severity vulnerability is tracked as CVE-2023-20109, and has a CVSS score of 6.6. It impacts all versions of the software that have the GDOI or G-IKEv2 protocol enabled. The company said the shortcoming "could allow an authenticated, remote attacker who has administrative control of either a group member or a key server to execute arbitrary code on an affected device or cause the device to crash." It further noted that the issue is the result of insufficient validation of attributes in the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols of the GET VPN feature and it could be weaponized by either compromising an installed key server or modifying the configuration of a group member to point to a key server that is controlled by the attacker. (Source: The Hacker News)
September 28, 2023 – Ransomware
Unraveling the CACTUS Ransomware Group’s Recent Exploits
Abstract
The CACTUS ransomware group employs unique encryption techniques, including hiding the decryption key within a file named ntuser.dat, to evade detection by anti-virus software. (Source: Cyware)
September 28, 2023 – Vulnerabilities
Misconfigured TeslaMate Instances Put Tesla Car Owners at Risk
Abstract
Improper configuration of third-party software like TeslaMate can result in privacy breaches, compromising the owner's daily routine and posing risks such as planned robberies. (Source: Cyware)
September 28, 2023 – Attack
GitHub Repositories Hit by Password-Stealing Commits Disguised as Dependabot Contributions
Abstract
A new deceptive campaign has been observed hijacking GitHub accounts and committing malicious code disguised as Dependabot contributions with an aim to steal passwords from developers. "The malicious code exfiltrates the GitHub project's defined secrets to a malicious C2 server and modifies any existing JavaScript files in the attacked project with web-form password-stealer malware code, affecting any end-user submitting their password in a web form," Checkmarx said in a technical report. The malware is also designed to capture GitHub secrets and variables to a remote server by means of a GitHub Action. The software supply chain security firm said it observed the atypical commits to hundreds of public and private GitHub repositories between July 8 and 11, 2023. It has emerged that the victims had their GitHub personal access tokens stolen and used by the threat actors to make falsified code commits to users' repositories by posing as Dependabot. Dependabot is d… (Source: The Hacker News)
September 28, 2023 – Education
Are Developers Giving Enough Thought to Prompt Injection Threats When Building Code?
Abstract
Prompt injection attacks manipulate LLMs by introducing malicious commands into free text inputs, posing a significant threat to cybersecurity and potentially leading to unauthorized activities or data leaks. (Source: Cyware)
September 28, 2023 – Attack
China’s BlackTech Hacking Group Exploited Routers to Target U.S. and Japanese Companies
Abstract
Cybersecurity agencies from Japan and the U.S. have warned of attacks mounted by a state-backed hacking group from China to stealthily tamper with branch routers and use them as jumping-off points to access the networks of various companies in the two countries. The attacks have been tied to a malicious cyber actor dubbed BlackTech by the U.S. National Security Agency (NSA), Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC). "BlackTech has demonstrated capabilities in modifying router firmware without detection and exploiting routers' domain-trust relationships to pivot from international subsidiaries to headquarters in Japan and the United States, which are the primary targets," the agencies said in a joint alert. Targeted sectors encompass government, industrial, technology, media, electronics… (Source: The Hacker News)
September 28, 2023 – Breach
Millions of Files With Potentially Sensitive Information Exposed Online, Researchers Say
Abstract
A recent analysis by Censys has uncovered about 314,000 internet-connected devices and web servers that are exposing millions of files, potentially containing sensitive data. (Source: Cyware)
September 28, 2023 – General
The Dark Side of Browser Isolation – and the Next Generation Browser Security Technologies
Abstract
The landscape of browser security has undergone significant changes over the past decade. While Browser Isolation was once considered the gold standard for protecting against browser exploits and malware downloads, it has become increasingly inadequate and insecure in today's SaaS-centric world. The limitations of Browser Isolation, such as degraded browser performance and inability to tackle modern web-borne threats like phishing and malicious extensions, necessitate a shift towards more advanced solutions. These are the findings of a new report, titled "The Dark Side of Browser Isolation and the Next Generation of Browser Security".
The Roots of Browser Isolation
In the past, traditional signature-based antiviruses were commonly used to protect against on-device malware infections. However, they failed to block two main types of threats. The first: browser exploits, especially in Microsoft's Internet Explorer. The second: drive-by malware down… (Source: The Hacker News)
September 28, 2023 – Government
CISA Rolls Dice on Public Service Campaign to Raise Cyber Awareness
Abstract
The Cybersecurity and Infrastructure Security Agency (CISA) has launched a national public service campaign called "Secure our World" to raise awareness of cybersecurity in local communities. (Source: Cyware)
September 28, 2023 – Attack
China-Linked Budworm Targeting Middle Eastern Telco and Asian Government Agencies
Abstract
Government and telecom entities have been subjected to a new wave of attacks by a China-linked threat actor tracked as Budworm using an updated malware toolset. The intrusions, targeting a Middle Eastern telecommunications organization and an Asian government, took place in August 2023, with the adversary deploying an improved version of its SysUpdate toolkit, the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News. Budworm, also referred to by the names APT27, Bronze Union, Emissary Panda, Iron Tiger, Lucky Mouse, and Red Phoenix, is known to be active since at least 2013, targeting a wide range of industry verticals in pursuit of its intelligence gathering goals. The nation-state group leverages various tools such as China Chopper web shell, Gh0st RAT, HyperBro, PlugX, SysUpdate, and ZXShell to exfiltrate high-value information and maintain access to sensitive systems over a long period of time. A previous report from SecureWorks in… (Source: The Hacker News)
September 28, 2023 – Policy and Law
Caesars Entertainment Faces Class Action Lawsuits Following Rewards Database Hack
Abstract
At least four separate plaintiffs allege the company was negligent for allowing their sensitive personal data to be stolen in a social engineering attack by criminal threat groups. (Source: Cyware)
September 28, 2023 – Vulnerabilities
Update Chrome Now: Google Releases Patch for Actively Exploited Zero-Day Vulnerability
Abstract
Google on Wednesday rolled out fixes to address a new actively exploited zero-day in the Chrome browser. Tracked as CVE-2023-5217, the high-severity vulnerability has been described as a heap-based buffer overflow in the VP8 compression format in libvpx, a free software video codec library from Google and the Alliance for Open Media (AOMedia). Exploitation of such buffer overflow flaws can result in program crashes or execution of arbitrary code, impacting its availability and integrity. Clément Lecigne of Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on September 25, 2023, with fellow researcher Maddie Stone noting on X (formerly Twitter) that it has been abused by a commercial spyware vendor to target high-risk individuals. No additional details have been disclosed by the tech giant other than to acknowledge that it's "aware that an exploit for CVE-2023-5217 exists in the wild." The latest discovery b… (Source: The Hacker News)
September 28, 2023 – Attack
Russian Hackers Target Ukrainian Government Systems Involved in War Crimes Investigations
Abstract
Ukrainian cybersecurity officials have reported that the recent espionage campaigns targeted entities involved in investigating war crimes, such as the prosecutor general's office and courts. (Source: Cyware)
September 28, 2023 – Attack
Swan Retail Cyberattack Woes Continue for Independent UK Retailers
Abstract
The attacks have caused significant problems for retailers, with issues such as inventory management and order fulfillment still not resolved. Retailers have reported glitches and loss of sales due to the cyberattack. (Source: Cyware)
September 28, 2023 – Attack
Campbell Soup Says Summer Cyberattack Caused Limited Business Impact
Abstract
The incident did not affect systems that connect with customers or suppliers, and the company is working with its insurer to make claims under its cyber insurance coverage. (Source: Cyware)
September 27, 2023 – Ransomware
ShadowSyndicate: New RaaS Connected to Multiple Ransomware Families
Abstract
Researchers have discovered the infrastructure linked to a threat group called ShadowSyndicate, believed to have launched attacks using seven distinct ransomware families in the last year. ShadowSyndicate has been identified as using a consistent SSH fingerprint across 85 servers. (Source: Cyware)
September 27, 2023 – Phishing
Red Cross-Themed Phishing Attacks Distributing DangerAds and AtlasAgent Backdoors
Abstract
A new threat actor known as AtlasCross has been observed leveraging Red Cross-themed phishing lures to deliver two previously undocumented backdoors named DangerAds and AtlasAgent. NSFOCUS Security Labs described the adversary as having a "high technical level and cautious attack attitude," adding that "the phishing attack activity captured this time is part of the attacker's targeted strike on specific targets and is its main means to achieve in-domain penetration." The attack chains start with a macro-laced Microsoft document that purports to be about a blood donation drive from the American Red Cross and that, when launched, runs the malicious macro to set up persistence and exfiltrate system metadata to a remote server (data.vectorse[.]com) that's a sub-domain of a legitimate website belonging to a structural and engineering firm based in the U.S. It also extracts a file named KB4495667.pkg (codenamed DangerAds), which subsequently acts as a loader to… (Source: The Hacker News)
September 27, 2023 – Malware
Newly Discovered ZenRAT Malware Targets Windows Users
Abstract
A new malware strain called ZenRAT has emerged in the wild to steal information from Windows systems. It was initially discovered on a website pretending to be associated with the open-source password manager Bitwarden. People should be wary of ads in search engine results as they remain a major dr… (Source: Cyware)
September 27, 2023 – Vulnerabilities
Researchers Uncover New GPU Side-Channel Vulnerability Leaking Sensitive Data
Abstract
A novel side-channel attack called GPU.zip renders virtually all modern graphics processing units (GPU) vulnerable to information leakage. "This channel exploits an optimization that is data dependent, software transparent, and present in nearly all modern GPUs: graphical data compression," a group of academics from the University of Texas at Austin, Carnegie Mellon University, University of Washington, and the University of Illinois Urbana-Champaign said. Graphical data compression is a feature in integrated GPUs (iGPUs) that allows for saving memory bandwidth and improving performance when rendering frames, compressing visual data losslessly even when it's not requested by software. The study found that the compression, which happens in various vendor-specific and undocumented ways, induces data-dependent DRAM traffic and cache occupancy that can be measured using a side-channel. "An attacker can exploit the iGPU-based compression channel to perform cro… (Source: The Hacker News)
September 27, 2023 – General
The CISO Carousel and its Effect on Enterprise Cybersecurity
Abstract
CISOs often face being used as scapegoats for security incidents, leading to high turnover rates in the role. Lack of board support and prioritization of cybersecurity contributes to CISO churn. (Source: Cyware)
September 27, 2023 – General
New Survey Uncovers How Companies Are Confronting Data Security Challenges Head-On
Abstract
Data security is in the headlines often, and it's almost never for a positive reason. Major breaches, new ways to hack into an organization's supposedly secure data, and other threats make the news because well, it's scary — and expensive. Data breaches, ransomware and malware attacks, and other cybercrime might be pricey to prevent, but they are even more costly when they occur, with the average cost of a data breach reaching $4.35 million and counting. Accordingly, companies are investing in solutions that combat these problems and focusing on their data security and protection more than ever, based on the results of the WinZip Enterprise survey of leading industry professionals responsible for implementing and maintaining security at their organizations.
Confidence is Up Among Data Security Pros
While the media is reporting on a wide range of security threats, many of those surveyed reported a certain level of confidence in their organization's data security. For instan… (Source: The Hacker News)
September 27, 2023 – Breach
Canadian Flair Airlines Leaked MySQL Database Credentials, SMTP Configs, and Other Sensitive Data
Abstract
The leak consisted of publicly accessible environment files hosted on the airline's website. It included MySQL database credentials, SMTP configuration, and other sensitive information, potentially allowing unauthorized access and phishing attacks. (Source: Cyware)
September 27, 2023 – Malware
New ZenRAT Malware Targeting Windows Users via Fake Password Manager Software
Abstract
A new malware strain called ZenRAT has emerged in the wild that's distributed via bogus installation packages of the Bitwarden password manager. "The malware is specifically targeting Windows users and will redirect people using other hosts to a benign web page," enterprise security firm Proofpoint said in a technical report. "The malware is a modular remote access trojan (RAT) with information stealing capabilities." ZenRAT is hosted on fake websites pretending to be associated with Bitwarden, although it's uncertain as to how traffic is being directed to the domains. Such malware has been propagated via phishing, malvertising, or SEO poisoning attacks in the past. The payload (Bitwarden-Installer-version-2023-7-1.exe), downloaded from crazygameis[.]com, is a trojanized version of the standard Bitwarden installation package that contains a malicious .NET executable (ApplicationRuntimeMonitor.exe). A noteworthy aspect of the campaign is that users wh… (Source: The Hacker News)
September 27, 2023 – Attack
New GPU Side-Channel Attack Allows Malicious Websites to Steal Data
Abstract
The new attack method, named GPU.zip, was discovered and detailed by representatives of the University of Texas at Austin, Carnegie Mellon University, University of Washington, and University of Illinois Urbana-Champaign. (Source: Cyware)
September 27, 2023 – Vulnerabilities
Critical libwebp Vulnerability Under Active Exploitation - Gets Maximum CVSS Score
Abstract
Google has assigned a new CVE identifier for a critical security flaw in the libwebp image library for rendering images in the WebP format that has come under active exploitation in the wild. Tracked as CVE-2023-5129, the issue has been given the maximum severity score of 10.0 on the CVSS rating system. It has been described as an issue rooted in the Huffman coding algorithm: With a specially crafted WebP lossless file, libwebp may write data out of bounds to the heap. The ReadHuffmanCodes() function allocates the HuffmanCode buffer with a size that comes from an array of precomputed sizes: kTableSize. The color_cache_bits value defines which size to use. The kTableSize array only takes into account sizes for 8-bit first-level table lookups but not second-level table lookups. libwebp allows codes that are up to 15-bit (MAX_ALLOWED_CODE_LENGTH). When BuildHuffmanTable() attempts to fill the second-level tables it may write data out-of-bounds. The OOB write to the undersized ar… (Source: The Hacker News)
September 27, 2023 – Breach
DarkBeam Leaks Billions of Credentials via Unsecured Elasticsearch and Kibana Interface
Abstract
The leaked data, including email and password pairs, provides cybercriminals with almost limitless attack capabilities, making affected users vulnerable to targeted phishing campaigns. (Source: Cyware)
September 26, 2023 – Attack
ALPHV Ransomware Group Targets Clarion, Phil-Data Business Systems, and MNGI Digestive Health
Abstract
The ALPHV ransomware group, also known as the BlackCat hacker collective, has recently targeted three new victims in their cyberattacks. The group has demonstrated adaptability and employed advanced technical methods in their attacks. (Source: Cyware)
September 26, 2023 – Solution
Microsoft is Rolling out Support for Passkeys in Windows 11
Abstract
Microsoft is officially rolling out support for passkeys in Windows 11 today as part of a major update to the desktop operating system. The feature allows users to log in to websites and applications without having to provide a username and password, instead relying on their device PIN or biometric information to complete the step. Based on FIDO standards, passkeys were first announced in May 2022 as a replacement for passwords in a manner that's both strong and phishing-resistant. They have since been adopted by Apple, Google, and a number of other services in recent months. While the tech giant added passkey management in the Windows Insider program back in June 2023, the development marks the feature's general availability. "Passkeys are the cross-platform future of secure sign-in management," David Weston, vice president of enterprise and OS Security, said. "A passkey creates a unique, unguessable cryptographic credential that is securely stored… (Source: The Hacker News)
September 26, 2023 – Criminals
Smishing Triad Stretches its Tentacles into the United Arab Emirates
Abstract
"Smishing Triad" is leveraging compromised Apple iCloud accounts and illegally obtained databases containing personally identifiable information (PII) to carry out their attacks. (Source: Cyware)
September 26, 2023 – Criminals
ShadowSyndicate: A New Cybercrime Group Linked to 7 Ransomware Families
Abstract
Cybersecurity experts have shed light on a new cybercrime group known as ShadowSyndicate (formerly Infra Storm) that may have leveraged as many as seven different ransomware families over the past year. "ShadowSyndicate is a threat actor that works with various ransomware groups and affiliates of ransomware programs," Group-IB and Bridewell said in a new joint report. The actor, active since July 16, 2022, has been linked to ransomware activity related to Quantum, Nokoyawa, BlackCat, Royal, Cl0p, Cactus, and Play strains, while also deploying off-the-shelf post-exploitation tools like Cobalt Strike and Sliver as well as loaders such as IcedID and Matanbuchus. The findings are based on a distinct SSH fingerprint (1ca4cbac895fc3bd12417b77fc6ed31d) discovered on 85 servers, 52 of which have been used as command-and-control (C2) for Cobalt Strike. Among those servers are eight different Cobalt Strike license keys (or watermarks). A majority of the servers (23) are loc… (Source: The Hacker News)
September 26, 2023 – Breach
Decade Worth of Newborn Child Registry Data Stolen in MOVEit Hack at BORN Ontario Full Text
Abstract
The stolen data includes names, addresses, health card numbers, and clinical information related to fertility, pregnancy, newborn, and child healthcare, with potential impacts on individuals from January 2010 to May 2023.Cyware
September 26, 2023 – Education
Essential Guide to Cybersecurity Compliance Full Text
Abstract
SOC 2, ISO, HIPAA, Cyber Essentials – all the security frameworks and certifications today are an acronym soup that can make even a compliance expert's head spin. If you're embarking on your compliance journey, read on to discover the differences between standards, which is best for your business, and how vulnerability management can aid compliance. What is cybersecurity compliance? Cybersecurity compliance means you have met a set of agreed rules regarding the way you protect sensitive information and customer data. These rules can be set by law, regulatory authorities, trade associations or industry groups. For example, the GDPR is set by the EU with a wide range of cybersecurity requirements that every organization within its scope must comply with, while ISO 27001 is a voluntary (but internationally recognized) set of best practices for information security management. Customers increasingly expect the assurance that compliance brings, because breaches and data disclosure willThe Hacker News
September 26, 2023 – Attack
Kuwait Isolates Some Government Systems Following Attack on its Finance Ministry Full Text
Abstract
The attack started on September 18, and officials immediately took steps to isolate and shut down affected systems. The Ministry of Finance assured that payment and payroll systems were on a separate network and that workers would be paid.Cyware
September 26, 2023 – Malware
Xenomorph Banking Trojan: A New Variant Targeting 35+ U.S. Financial Institutions Full Text
Abstract
An updated version of an Android banking trojan called Xenomorph has set its sights on more than 35 financial institutions in the U.S. The campaign, according to Dutch security firm ThreatFabric, leverages phishing web pages that are designed to entice victims into installing malicious Android apps that target a broader list of apps than its predecessors. Other prominent countries targeted include Spain, Canada, Italy, and Belgium. "This new list adds dozens of new overlays for institutions from the United States, Portugal, and multiple crypto wallets, following a trend that has been consistent amongst all banking malware families in the last year," the company said in an analysis published Monday. Xenomorph, a variant of another banking malware called Alien, first emerged in 2022. Later that year, the financial malware was propagated via a new dropper dubbed BugDrop, which bypassed security features in Android 13. A subsequent iterThe Hacker News
September 26, 2023 – Business
Stratascale Acquires VECTOR0 To Strengthen Its Cybersecurity Services Full Text
Abstract
Through the acquisition, Stratascale professionals and their customers gain visibility of attack vectors and points of vulnerability, enhancing Stratascale’s ability to deliver proactive cybersecurity services.Cyware
September 26, 2023 – General
Threat Report: The High Tech Industry Targeted the Most with 46% of NLX-Tagged Attack Traffic Full Text
Abstract
How To Use This Report: enhance situational awareness of techniques used by threat actors; identify potential attacks targeting your industry; gain insights to help improve and accelerate your organization's threat response. Summary of Findings: The Network Effect Threat Report offers insights based on unique data from Fastly's Next-Gen WAF from Q2 2023 (April 1, 2023 to June 30, 2023). This report looks at traffic originating from IP addresses tagged by Fastly's Network Learning Exchange (NLX), our collective threat intelligence feed that anonymously shares attack source IP addresses across all Next-Gen WAF customer networks. Before diving deeper into the attack observations, here are five key takeaways that we found most significant in our research, covering global traffic across multiple industries, including High Tech, Financial Services, Commerce, Education, and Media and Entertainment. Multi-customer attacks: 69% of IPs tagged by NLX targeted multiple customers, and 6The Hacker News
September 26, 2023 – Outage
Update: Royal Lurked in Dallas’ Systems Weeks Before Ransomware Attack Full Text
Abstract
The Royal ransomware group infiltrated Dallas' systems, surveilled and exfiltrated data for a month before launching a ransomware attack, causing widespread disruption to critical city services.Cyware
September 26, 2023 – Attack
Chinese Hackers TAG-74 Targets South Korean Organizations in a Multi-Year Campaign Full Text
Abstract
A "multi-year" Chinese state-sponsored cyber espionage campaign has been observed targeting South Korean academic, political, and government organizations. Recorded Future's Insikt Group, which is tracking the activity under the moniker TAG-74, said the adversary has been linked to "Chinese military intelligence and poses a significant threat to academic, aerospace and defense, government, military, and political entities in South Korea, Japan, and Russia." The cybersecurity firm characterized the targeting of South Korean academic institutions as in alignment with China's broader efforts to conduct intellectual property theft and expand its influence, not to mention motivated by the country's strategic relations with the U.S. Social engineering attacks mounted by the adversary make use of Microsoft Compiled HTML Help (CHM) file lures to drop a custom variant of an open-source Visual Basic Script backdoor called ReVBShell , which subsequently serThe Hacker News
September 26, 2023 – APT
Sandman APT Brings LuaDream, Targets Telcos in Middle East Full Text
Abstract
SentinelOne found the Sandman APT group targeting telecommunications companies in the Middle East, Western Europe, and South Asia using a novel backdoor called LuaDream. The researchers noted that the campaign began in August and demonstrates advanced tactics. With this, the Middle East is onc...Cyware
September 26, 2023 – Vulnerabilities
Critical JetBrains TeamCity Flaw Could Expose Source Code and Build Pipelines to Attackers Full Text
Abstract
A critical security vulnerability in the JetBrains TeamCity continuous integration and continuous deployment (CI/CD) software could be exploited by unauthenticated attackers to achieve remote code execution on affected systems. The flaw, tracked as CVE-2023-42793 , carries a CVSS score of 9.8 and has been addressed in TeamCity version 2023.05.4 following responsible disclosure on September 6, 2023. "Attackers could leverage this access to steal source code, service secrets, and private keys, take control over attached build agents, and poison build artifacts," Sonar security researcher Stefan Schiller said in a report last week. Successful exploitation of the bug could also permit threat actors to access the build pipelines and inject arbitrary code, leading to an integrity breach and supply chain compromise. Additional details of the bug have been withheld due to the fact that it's trivial to exploit, with Sonar noting that it's likely to be weaponized inThe Hacker News
September 26, 2023 – Insider Threat
Despite Rising Insider Risk Costs, Budgets are Being Wasted in the Wrong Places Full Text
Abstract
The cost of insider risks for organizations is at an all-time high, with the average annual cost reaching $16.2 million, a 40% increase in four years, according to DTEX Systems.Cyware
September 25, 2023 – Business
WatchGuard Announces its Acquisition of CyGlass Full Text
Abstract
The acquisition will offer WatchGuard's partners and customers access to cutting-edge security solutions, improved XDR insights, and simplified compliance with regulatory and cyber-insurance requirements.Cyware
September 25, 2023 – Phishing
Ukrainian Military Targeted in Phishing Campaign Leveraging Drone Manuals Full Text
Abstract
Ukrainian military entities are the target of a phishing campaign that leverages drone manuals as lures to deliver a Go-based open-source post-exploitation toolkit called Merlin. "Since drones or Unmanned Aerial Vehicles (UAVs) have been an integral tool used by the Ukrainian military, malware-laced lure files themed as UAVs service manuals have begun to surface," Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News. The cybersecurity company is tracking the campaign under the name STARK#VORTEX . The starting point of the attack is a Microsoft Compiled HTML Help (CHM) file that, when opened, runs malicious JavaScript embedded inside one of the HTML pages to execute PowerShell code designed to contact a remote server to fetch an obfuscated binary. The Windows-based payload is decoded to extract the Merlin Agent , which, in turn, is configured to communicate with a command-and-control (C2) server for post-exploitaThe Hacker News
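Both the TAG-74 campaign against South Korean targets (above) and STARK#VORTEX start from a Microsoft Compiled HTML Help (CHM) file whose embedded page launches a script interpreter. On Windows, .chm files are opened by the HTML Help viewer hh.exe, so the durable telemetry signal is hh.exe as the parent of a script host, optionally combined with a PowerShell command line that carries a download cradle or an encoded command. The following is an added detection example, not code from Securonix, Recorded Future or The Hacker News; the field names (ParentImage, Image, CommandLine, ProcessId) are assumed to follow Sysmon Event ID 1 style telemetry, and the sample events are constructed, not taken from either campaign.

```python
import re

# Field names assumed to follow Sysmon Event ID 1 / typical EDR process-creation telemetry.
CHM_VIEWER = "hh.exe"  # Windows HTML Help executable that opens .chm files
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe"}
DOWNLOAD_CRADLE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|"
    r"-enc(odedcommand)?\b|FromBase64String)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> list:
    """Return the reasons (possibly none) this process-creation event looks like a CHM-launched
    script chain: hh.exe spawning a script host, and PowerShell carrying a download cradle
    or an encoded command."""
    reasons = []
    parent = basename(ev.get("ParentImage", ""))
    child = basename(ev.get("Image", ""))
    cmdline = ev.get("CommandLine", "")
    if parent == CHM_VIEWER and child in SCRIPT_HOSTS:
        reasons.append(f"{CHM_VIEWER} spawned {child}")
    if child in {"powershell.exe", "pwsh.exe"} and DOWNLOAD_CRADLE.search(cmdline):
        reasons.append("PowerShell download cradle or encoded command")
    return reasons


def detect(events):
    """Run score_event over a batch; returns [(ProcessId, [reasons]), ...] for hits only."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((ev.get("ProcessId"), reasons))
    return hits


# Constructed sample telemetry (not from the reported campaigns). "SQBFAFgA" is UTF-16LE "IEX" in base64.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Users"},
    {"ProcessId": 4201, "ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c start \"\" manual.pdf"},
]

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

The parent/child pairing is the stronger of the two signals: encoded PowerShell is common in legitimate administration, but hh.exe has almost no business launching cmd.exe or PowerShell, so an alert on that pairing alone has a low false-positive rate.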
September 25, 2023 – Breach
Personal Data of 25,000 Hongkongers at Risk After Cyberattack Against Consumer Council Full Text
Abstract
The council has restored its computer systems but anticipates delays in addressing complaints, and is taking extra precautions by notifying individuals who may have been affected by the data leak.Cyware
September 25, 2023 – Education
Webinar — AI vs. AI: Harnessing AI Defenses Against AI-Powered Risks Full Text
Abstract
Generative AI is a double-edged sword, if there ever was one. There is broad agreement that tools like ChatGPT are unleashing waves of productivity across the business, from IT, to customer experience, to engineering. That's on the one hand. On the other end of this fencing match: risk. From IP leakage and data privacy risks to the empowering of cybercriminals with AI tools, generative AI presents enterprises with concrete concerns. For example, the mass availability of AI tools was the second most-reported Q2 risk among senior enterprise risk executives — appearing in the top 10 for the first time — according to a Gartner survey . In this escalating AI arms race, how can enterprises separate fact from hype and comprehensively manage generative AI risk while accelerating productivity? Register here and join Zscaler's Will Seaton, Product Marketing Manager, ThreatLabz, to: Uncover the tangible risks of generative AI — both for employee AI usage and by threat actors bThe Hacker News
September 25, 2023 – Education
For Security to Benefit From AI, Companies Need to Shore up Their Data Full Text
Abstract
CISOs and cybersecurity practitioners should focus on addressing the challenges of data structure, management, and curation to fully leverage the benefits of AI for cyber defense.Cyware
September 25, 2023 – General
Are You Willing to Pay the High Cost of Compromised Credentials? Full Text
Abstract
Weak password policies leave organizations vulnerable to attacks. But are the standard password complexity requirements enough to secure them? 83% of compromised passwords would satisfy the password complexity and length requirements of compliance standards. That's because bad actors already have access to billions of stolen credentials that can be used to compromise additional accounts by reusing those same credentials. To strengthen password security, organizations need to look beyond complexity requirements and block the use of compromised credentials. Need stolen credentials? There's a market for that Every time an organization gets breached or a subset of customers' credentials is stolen, there's a high possibility all those passwords end up for sale on the dark web. Remember the Dropbox and LinkedIn hack that resulted in 71 million and 117 million stolen passwords? There is an underground market that sells those credentials to hackers which they can then use in creThe Hacker News
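The article's point is that complexity rules and breached-credential screening answer different questions: a password can satisfy length and character-class rules and still sit in a leaked corpus. The following is an added example, not code from the article or any vendor, of how a screening check is typically built without sending the password (or its full hash) anywhere: the client hashes the password with SHA-1, sends only the first five hex characters, receives every known suffix under that prefix, and compares locally. The breach corpus here is a tiny constructed list standing in for a real feed of billions of entries; the range lookup is simulated in-process so the block runs offline.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus; a real service holds billions of entries.
CONSTRUCTED_BREACH_CORPUS = ["password123", "P@ssw0rd2023!", "Summer2023!", "letmein", "Welcome1!"]


def sha1_upper(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Index hash suffixes by their 5-hex-char prefix, as a k-anonymity range endpoint would."""
    index = defaultdict(dict)
    for pw in corpus:
        h = sha1_upper(pw)
        prefix, suffix = h[:5], h[5:]
        index[prefix][suffix] = index[prefix].get(suffix, 0) + 1
    return index


def query_range(index, prefix: str) -> dict:
    """Simulated server side: given only five hex characters, return every (suffix, count)
    under that prefix. The server never learns which suffix the client is interested in."""
    return dict(index.get(prefix.upper(), {}))


def is_compromised(pw: str, index) -> bool:
    h = sha1_upper(pw)
    prefix, suffix = h[:5], h[5:]
    return query_range(index, prefix).get(suffix, 0) > 0


def meets_complexity(pw: str, min_len: int = 8) -> bool:
    """A typical compliance-style rule: minimum length and at least three of four character classes."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return len(pw) >= min_len and sum(classes) >= 3


def evaluate(pw: str, index) -> dict:
    """Combine both checks; a password is accepted only if it is complex AND not in the corpus."""
    complex_ok = meets_complexity(pw)
    compromised = is_compromised(pw, index)
    return {"complex": complex_ok, "compromised": compromised, "accept": complex_ok and not compromised}


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_BREACH_CORPUS)
    for candidate in ["P@ssw0rd2023!", "password123", "correct-horse-battery-Staple-9"]:
        print(candidate, evaluate(candidate, idx))
```

In the sample, "P@ssw0rd2023!" passes the complexity rule and is still rejected because it is in the corpus, which is exactly the 83% case the article describes. In production the screening should run at password set and reset time and, ideally, periodically against directory hashes, since a credential can enter a breach corpus long after it was chosen.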
September 25, 2023 – Insider Threat
Average Insider Cyberthreat Cost Spikes 40% in Four Years: Report Full Text
Abstract
Containment and remediation after an insider incident are the most expensive areas, with an average cost of $179,209 and $125,221 per incident respectively, and the average time to contain an incident has increased to 86 days.Cyware
September 25, 2023 – Attack
From Watering Hole to Spyware: EvilBamboo Targets Tibetans, Uyghurs, and Taiwanese Full Text
Abstract
Tibetan, Uyghur, and Taiwanese individuals and organizations are the targets of a persistent campaign orchestrated by a threat actor codenamed EvilBamboo to gather sensitive information. "The attacker has created fake Tibetan websites, along with social media profiles, likely used to deploy browser-based exploits against targeted users," Volexity security researchers Callum Roxan, Paul Rascagneres, and Thomas Lancaster said in a report published last week. "Partly through impersonating existing popular communities, the attacker has built communities on online platforms, such as Telegram, to aid in distribution of their malware." EvilBamboo, formerly tracked by the cybersecurity firm under the name Evil Eye, has been linked to multiple attack waves since at least 2019 , with the threat actor leveraging watering hole attacks to deliver spyware targeting Android and iOS devices. It's also known as Earth Empusa and POISON CARP. The intrusions directed agaiThe Hacker News
September 25, 2023 – Vulnerabilities
Incomplete Disclosures by Apple and Google Create “Huge Blindspot” for Zero-Day Hunters Full Text
Abstract
Google's limited disclosure and the separate CVE designations for the vulnerability by Apple, Google, and Citizen Lab have hindered the detection and patching of the critical vulnerability in other software relying on libwebp.Cyware
September 25, 2023 – Cryptocurrency
Hong Kong-Based Cryptocurrency Firm Mixin Says Hackers Stole $200 Million in Assets Full Text
Abstract
The incident follows a recent trend of cryptocurrency hacks, with North Korean hackers being suspected in multiple attacks, highlighting the growing threat posed by cybercriminals targeting the industry.Cyware
September 25, 2023 – Malware
Xenomorph Malware Returns to Strike Customers of Over 30 American Banks Full Text
Abstract
The Xenomorph malware family, known for its advanced capabilities and distribution campaigns, has resurfaced with new overlays targeting institutions and crypto wallets in the United States and Portugal.Cyware
September 25, 2023 – General
SANS Survey Shows Drop in 2023 ICS/OT Security Budgets Full Text
Abstract
The budgets allocated for the security of industrial control systems (ICS) and operational technology (OT) have decreased in 2023 compared to the previous year, with over 21% of organizations reporting not having a cybersecurity budget at all.Cyware
September 25, 2023 – Attack
New Zealand University Operating Despite Cyberattack Full Text
Abstract
Despite a cyberattack on Auckland University of Technology, the university has been able to continue normal operations with minimal disruption. The Monti ransomware gang claimed responsibility for the attack and demanded an undisclosed ransom.Cyware
September 25, 2023 – Attack
New Report Uncovers Three Distinct Clusters of China-Nexus Attacks on Southeast Asian Government Full Text
Abstract
An unnamed Southeast Asian government has been targeted by multiple China-nexus threat actors as part of espionage campaigns targeting the region over extended periods of time. "While this activity occurred around the same time and in some instances even simultaneously on the same victims' machines, each cluster is characterized by distinct tools, modus operandi and infrastructure," Palo Alto Networks Unit 42 researchers Lior Rochberger, Tom Fakterman, and Robert Falcone said in an exhaustive three-part report. The attacks, which targeted different governmental entities such as critical infrastructure, public healthcare institutions, public financial administrators and ministries, have been attributed with moderate confidence to three disparate clusters tracked as Stately Taurus (aka Mustang Panda), Alloy Taurus (aka Granite Typhoon), and Gelsemium. Mustang Panda uses TONESHELL variant and ShadowPad: "The attackers conducted a cyberespionage operation thaThe Hacker News
September 25, 2023 – General
Hidden Dangers Loom for Subsea Cables, the Invisible Infrastructure of the Internet Full Text
Abstract
Subsea cables are a critical component of the global internet infrastructure, and protecting them from accidental damage, natural phenomena, physical attacks, and cyberattacks is crucial.Cyware
September 25, 2023 – General
LockBit, BlackCat, and Clop Prevail as Top RAAS Groups: Ransomware in First Half of 2023 Full Text
Abstract
In the first half of 2023, small businesses were the most targeted victims of LockBit and BlackCat, while large enterprises were the primary targets of Clop ransomware attacks.Cyware
September 25, 2023 – Breach
Update: T-Mobile Denies Rumors of a Breach Affecting Employee Data Full Text
Abstract
The stolen data, believed to be from an authorized retailer called Connectivity Source, includes employee IDs, login information, Social Security numbers, and service account details.Cyware
September 25, 2023 – Attack
Outer Space and Juicy Mix: OilRig Campaigns Targeting Israeli Organizations Full Text
Abstract
ESET revealed details on two cyberespionage campaigns conducted by the OilRig APT group against Israeli organizations, using spear-phishing emails. The Outer Space campaign utilized the Solar backdoor and the SC5k downloader, while the Juicy Mix campaign featured the Mango backdoor and additional b...Cyware
September 23, 2023 – Government
Chinese, North Korean Nation-State Groups Target Health Data Full Text
Abstract
Financially motivated groups originating in North Korea and China "have all the sophistication of many other cybercriminal gangs but also have the resources - technological, financial and diplomatic - of a state behind them," HHS HC3 warned.Cyware
September 23, 2023 – Malware
Deadglyph: New Advanced Backdoor with Distinctive Malware Tactics Full Text
Abstract
Cybersecurity researchers have discovered a previously undocumented advanced backdoor dubbed Deadglyph employed by a threat actor known as Stealth Falcon as part of a cyber espionage campaign. "Deadglyph's architecture is unusual as it consists of cooperating components – one a native x64 binary, the other a .NET assembly," ESET said in a new report shared with The Hacker News. "This combination is unusual because malware typically uses only one programming language for its components. This difference might indicate separate development of those two components while also taking advantage of unique features of the distinct programming languages they utilize." It's also suspected that the use of different programming languages is a deliberate tactic to hinder analysis, making it a lot more challenging to navigate and debug. Unlike other traditional backdoors of its kind, the commands are received from an actor-controlled server in the form of additiThe Hacker News
September 23, 2023 – Attack
New Apple Zero-Days Exploited to Target Egyptian ex-MP with Predator Spyware Full Text
Abstract
The three zero-day flaws addressed by Apple on September 21, 2023, were leveraged as part of an iPhone exploit chain in an attempt to deliver a spyware strain called Predator targeting former Egyptian member of parliament Ahmed Eltantawy between May and September 2023. "The targeting took place after Eltantawy publicly stated his plans to run for President in the 2024 Egyptian elections," the Citizen Lab said , attributing the attack with high confidence to the Egyptian government owing to it being a known customer of the commercial spying tool. According to a joint investigation conducted by the Canadian interdisciplinary laboratory and Google's Threat Analysis Group (TAG), the mercenary surveillance tool is said to have been delivered via links sent on SMS and WhatsApp. "In August and September 2023, Eltantawy's Vodafone Egypt mobile connection was persistently selected for targeting via network injection; when Eltantawy visited certain websites notThe Hacker News
September 22, 2023 – Breach
The FTC, 1Health.io, and Genetic Data Privacy and Security Full Text
Abstract
The Federal Trade Commission (FTC) has finalized an order with 1Health.io (formerly Vitagene), a genetic testing company that was the subject of a June 2023 FTC complaint. 1Health.io, to quote the FTC’s recent press release, “left sensitive genetic and health data unsecured, deceived consumers about their ability to get their data deleted, and changed its privacy policy retroactively without adequately notifying consumers and obtaining their consent.”Cyware
September 22, 2023 – Phishing
BBTok Banking Trojan Impersonates Over 40 Banks to Hijack Victim Accounts Full Text
Abstract
The campaign uses advanced obfuscation techniques, phishing links, and geofencing to ensure victims are located only in Brazil and Mexico, demonstrating an evolution in the attackers' tactics.Cyware
September 22, 2023 – Malware
New Variant of Banking Trojan BBTok Targets Over 40 Latin American Banks Full Text
Abstract
An active malware campaign targeting Latin America is dispensing a new variant of a banking trojan called BBTok , particularly users in Brazil and Mexico. "The BBTok banker has a dedicated functionality that replicates the interfaces of more than 40 Mexican and Brazilian banks, and tricks the victims into entering its 2FA code to their bank accounts or into entering their payment card number," Check Point said in research published this week. The payloads are generated by a custom server-side PowerShell script and are unique for each victim based on the operating system and country, while being delivered via phishing emails that leverage a variety of file types. BBTok is a Windows-based banking malware that first surfaced in 2020. It's equipped with features that run the typical trojan gamut, allowing it to enumerate and kill processes, issue remote commands, manipulate keyboard, and serve fake login pages for banks operating in the two countries. The attack chaThe Hacker News
September 22, 2023 – Breach
Ohio Community College Data Theft Breach Affects Nearly 300K Full Text
Abstract
In a breach notification on Wednesday, Lakeland Community College didn't provide any details on the attack, which occurred between March 7 and March 31, but the Vice Society ransomware group had earlier listed the college on its data leak site.Cyware
September 22, 2023 – Education
How to Interpret the 2023 MITRE ATT&CK Evaluation Results Full Text
Abstract
Thorough, independent tests are a vital resource for analyzing providers' capabilities to guard against increasingly sophisticated threats to their organization. And perhaps no assessment is more widely trusted than the annual MITRE Engenuity ATT&CK Evaluation. This testing is critical for evaluating vendors because it's virtually impossible to evaluate cybersecurity vendors based on their own performance claims. Along with vendor reference checks and proof of value evaluations (POV), a live trial, the MITRE results add additional objective input to holistically assess cybersecurity vendors. Let's dive into the 2023 MITRE ATT&CK Evaluation results. In this blog, we'll unpack MITRE's methodology to test security vendors against real-world threats, offer our interpretation of the results and identify top takeaways emerging from Cynet's evaluation. How does MITRE Engenuity test vendors during the evaluation? The MITRE ATT&CK Evaluation is performed by MITRE EngenuityThe Hacker News
September 22, 2023 – Cryptocurrency
Attacker Unleashes Stealthy Crypto Mining via Malicious Python Package Full Text
Abstract
The Python package "Culturestreak" is a malicious software that hijacks system resources for unauthorized cryptocurrency mining. The package utilizes obfuscated code and random filenames to evade detection, making it a persistent threat.Cyware
September 22, 2023 – Attack
Iranian Nation-State Actor OilRig Targets Israeli Organizations Full Text
Abstract
Israeli organizations were targeted as part of two different campaigns orchestrated by the Iranian nation-state actor known as OilRig in 2021 and 2022. The campaigns, dubbed Outer Space and Juicy Mix, entailed the use of two previously documented first-stage backdoors called Solar and Mango, which were deployed to collect sensitive information from major browsers and the Windows Credential Manager. "Both backdoors were deployed by VBS droppers, presumably spread via spear-phishing emails," ESET security researcher Zuzana Hromcová said in a Thursday analysis. OilRig (aka APT34, Cobalt Gypsy, Hazel Sandstorm, and Helix Kitten) is the name assigned to an intrusion set affiliated with Iran's Ministry of Intelligence and Security (MOIS). Active since 2014, the threat actor has used a wide range of tools at its disposal to carry out information theft. Earlier this February, Trend Micro discovered OilRig's use of a simple backdoor to steal users' credentialThe Hacker News
September 22, 2023 – APT
Sandman APT Infiltrates Telecommunications Companies Using LuaDream Backdoor Full Text
Abstract
The activities of Sandman suggest espionage motivations, with a focus on telecommunications providers and a potential connection to a private contractor or mercenary group.Cyware
September 22, 2023 – Vulnerabilities
High-Severity Flaws Uncovered in Atlassian Products and ISC BIND Server Full Text
Abstract
Atlassian and the Internet Systems Consortium (ISC) have disclosed several security flaws impacting their products that could be exploited to achieve denial-of-service (DoS) and remote code execution. The Australian software services provider said that the four high-severity flaws were fixed in new versions shipped last month. This includes:
- CVE-2022-25647 (CVSS score: 7.5) - A deserialization flaw in the Google Gson package impacting Patch Management in Jira Service Management Data Center and Server
- CVE-2023-22512 (CVSS score: 7.5) - A DoS flaw in Confluence Data Center and Server
- CVE-2023-22513 (CVSS score: 8.5) - A RCE flaw in Bitbucket Data Center and Server
- CVE-2023-28709 (CVSS score: 7.5) - A DoS flaw in Apache Tomcat server impacting Bamboo Data Center and Server
The flaws have been addressed in the following versions:
- Jira Service Management Server and Data Center (versions 4.20.25, 5.4.9, 5.9.2, 5.10.1, 5.11.0, or later)
- Confluence Server and Data Center (vThe Hacker News
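Vendor advisories of this kind list one fix version per supported branch plus "or later", which is easy to misread: 5.10.0 is not fixed even though it is numerically above 5.4.9, and a branch with no listed fix (5.6.x here) is simply unpatched. The following is an added example, not Atlassian's or The Hacker News' code, of a branch-aware version check that encodes that reading; it uses only the Jira Service Management fix list quoted above and would work the same way for the other products once their fix versions are filled in. The installed version strings are constructed inputs.

```python
import re


def parse_version(v: str) -> tuple:
    """'5.4.9' -> (5, 4, 9); tolerates suffixes such as '5.4.9-hotfix1' by keeping only the numbers."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


# Fix versions quoted in the advisory for Jira Service Management Server and Data Center.
JSM_FIXED = ["4.20.25", "5.4.9", "5.9.2", "5.10.1", "5.11.0"]


def is_fixed(installed: str, fixed_versions) -> bool:
    """Vendor lists per-branch fix versions 'A, B, C, or later'. The installed version counts as
    fixed if it is at or above the fix for its own major.minor branch, or at or above the newest
    listed fix (which covers every later branch). A branch with no listed fix that is older than
    the newest fix has no patched release and is reported as unpatched."""
    inst = parse_version(installed)
    fixes = sorted(parse_version(f) for f in fixed_versions)
    newest = fixes[-1]
    if inst >= newest:
        return True
    for fix in fixes:
        if fix[:2] == inst[:2]:
            return inst >= fix
    return False


def triage(inventory: dict, fixed_versions) -> list:
    """inventory: {hostname: installed_version}. Returns the hosts still needing an upgrade."""
    return sorted(h for h, v in inventory.items() if not is_fixed(v, fixed_versions))


# Constructed inventory of hypothetical hosts.
SAMPLE_INVENTORY = {
    "jsm-prod-1": "5.4.9",    # exactly the 5.4 branch fix: patched
    "jsm-prod-2": "5.10.0",   # above 5.4.9 but below its own branch fix 5.10.1: unpatched
    "jsm-legacy": "4.20.24",  # one below the 4.20 LTS fix: unpatched
    "jsm-dev":    "5.12.2",   # newer than the newest listed fix: patched
    "jsm-stale":  "5.6.0",    # branch with no listed fix: unpatched
}

if __name__ == "__main__":
    print("needs upgrade:", triage(SAMPLE_INVENTORY, JSM_FIXED))
```

The same comparison applies to any vendor that maintains several long-term support branches in parallel; a plain "installed >= highest fixed" check would wrongly clear 5.10.0 and 5.6.0 here.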
September 22, 2023 – General
Rising OT/ICS Cybersecurity Incidents Reveal Alarming Trend Full Text
Abstract
Approximately 60% of cyberattacks on the industrial sector are carried out by state-affiliated actors, often with the unintentional assistance of internal personnel (about 33% of the time), according to Rockwell Automation.Cyware
September 22, 2023 – Vulnerabilities
Apple Rushes to Patch 3 New Zero-Day Flaws: iOS, macOS, Safari, and More Vulnerable Full Text
Abstract
Apple has released yet another round of security patches to address three actively exploited zero-day flaws impacting iOS, iPadOS, macOS, watchOS, and Safari, taking the total tally of zero-day bugs discovered in its software this year to 16. The list of security vulnerabilities is as follows:
- CVE-2023-41991 - A certificate validation issue in the Security framework that could allow a malicious app to bypass signature validation.
- CVE-2023-41992 - A security flaw in Kernel that could allow a local attacker to elevate their privileges.
- CVE-2023-41993 - A WebKit flaw that could result in arbitrary code execution when processing specially crafted web content.
Apple did not provide additional specifics barring an acknowledgement that the "issue may have been actively exploited against versions of iOS before iOS 16.7." The updates are available for the following devices and operating systems:
- iOS 16.7 and iPadOS 16.7 - iPhone 8 and later, iPad Pro (all models), iPThe Hacker News
September 22, 2023 – Breach
Air Canada Says Hackers Accessed Limited Employee Records During Cyberattack Full Text
Abstract
Canada’s largest airline, Air Canada, announced a data breach this week that involved the information of employees, but said its operations and customer data were not impacted.Cyware
September 22, 2023 – Criminals
Chinese-speaking Users Targeted with ValleyRAT and Sainbox RAT Full Text
Abstract
Proofpoint has identified a notable rise in cybercrime activity aimed at Chinese-speaking individuals. It noted that ValleyRAT and a Gh0stRAT variant named Sainbox RAT targeted global organizations with Chinese operations. These are being distributed via Excel and PDF attachments containing infecte...Cyware
September 21, 2023 – Phishing
Singapore Police Warn of New Scam Campaign Spreading Android Malware Full Text
Abstract
The Singapore police, on Wednesday, issued an advisory about a new variant of Android malware scams, where scammers would initiate a factory reset on infected devices after the malware executes unauthorized transactions on the phone’s i-banking app.Cyware
September 21, 2023 – Attack
Mysterious ‘Sandman’ Threat Actor Targets Telecom Providers Across Three Continents Full Text
Abstract
A previously undocumented threat actor dubbed Sandman has been attributed to a set of cyber attacks targeting telecommunication providers in the Middle East, Western Europe, and the South Asian subcontinent. Notably, the intrusions leverage a just-in-time (JIT) compiler for the Lua programming language known as LuaJIT as a vehicle to deploy a novel implant called LuaDream. "The activities we observed are characterized by strategic lateral movement to specific targeted workstations and minimal engagement, suggesting a deliberate approach aimed at achieving the set objectives while minimizing the risk of detection," SentinelOne security researcher Aleksandar Milenkoski said in an analysis published in collaboration with QGroup. "The implementation of LuaDream indicates a well-executed, maintained, and actively developed project of a considerable scale." Neither the campaign nor its tactics have been correlated with any known threat actor or group, althougThe Hacker News
September 21, 2023 – Business
Cisco Acquiring Cybersecurity Company Splunk in Cash Deal Worth $28 Billion Full Text
Abstract
The acquisition is one of Cisco’s largest, and continues an acquisition streak that has built out the company’s cybersecurity offerings. The company will finance the deal with a combination of cash and debt, Cisco CEO Chuck Robbins said.Cyware
September 21, 2023 – Malware
Researchers Raise Red Flag on P2PInfect Malware with 600x Activity Surge Full Text
Abstract
The peer-to-peer (P2P) worm known as P2PInfect has witnessed a surge in activity since late August 2023, with a 600x jump between September 12 and 19, 2023. "This increase in P2PInfect traffic has coincided with a growing number of variants seen in the wild, suggesting that the malware's developers are operating at an extremely high development cadence," Cado Security researcher Matt Muir said in a report published Wednesday. A majority of the compromises have been reported in China, the U.S., Germany, the U.K., Singapore, Hong Kong, and Japan. P2PInfect first came to light in July 2023 for its ability to breach poorly secured Redis instances. The threat actors behind the campaign have since resorted to different approaches for initial access, including the abuse of the database's replication feature to deliver the malware. Cado Security said it has observed an increase in initial access events attributable to P2PInfect in which the Redis SLAVEOF commandThe Hacker News
September 21, 2023 – Outage
Canada Blames Border Airport Check-in and Electronic Gate Outages on DDoS Attack Full Text
Abstract
The Canada Border Services Agency (CBSA) confirmed to Recorded Future News that the connectivity issues that affected check-in kiosks and electronic gates at airports last week are the result of a distributed denial of service (DDoS) attack.Cyware
September 21, 2023 – Solution
The Rise of the Malicious App Full Text
Abstract
Security teams are familiar with threats emanating from third-party applications that employees add to improve their productivity. These apps are inherently designed to deliver functionality to users by connecting to a "hub" app, such as Salesforce, Google Workspace, or Microsoft 365. Security concerns center on the permission scopes that are granted to the third party apps, and the potential for a threat actor to take over the core apps and abuse those permissions. There's no real concern that the app, on its own, will start deleting files or sharing data. As such, SaaS Security Posture Management (SSPM) solutions are able to identify integrated third party applications and present their permission scopes. The security team then makes a risk assessment, balancing the benefits the app offers with its permission scopes before deciding whether to keep or decouple the applications. However, threat actors have changed the playing field with the introduction of malicious apps. These applThe Hacker News
September 21, 2023 – Education
Balancing Budget and System Security: Approaches to Risk Tolerance Full Text
Abstract
Organizations should prioritize revisiting their security readiness and up-leveling their cyber vulnerability and risk management programs by learning from data breaches and understanding the potential impact of compromised data.Cyware
September 21, 2023 – Government
China Accuses U.S. of Decade-Long Cyber Espionage Campaign Against Huawei Servers Full Text
Abstract
China's Ministry of State Security (MSS) has accused the U.S. of breaking into Huawei's servers, stealing critical data, and implanting backdoors since 2009, amid mounting geopolitical tensions between the two countries. In a message posted on WeChat, the government authority said U.S. intelligence agencies have "done everything possible" to conduct surveillance, secret theft, and intrusions on many countries around the world, including China, using a "powerful cyber attack arsenal." Specifics about the alleged hacks were not shared. It explicitly singled out the U.S. National Security Agency's (NSA) Computer Network Operations (formerly the Office of Tailored Access Operations or TAO) as having "repeatedly carried out systematic and platform-based attacks" against the country to plunder its "important data resources." The post went on to claim that the cyber-warfare intelligence-gathering unit hacked Huawei's servers in 200The Hacker News
September 21, 2023 – Education
Never Use Your Master Password as a Password on Other Accounts Full Text
Abstract
One in three Americans now use password managers, up from one in five in 2022, according to an online poll by Security.org that quizzed 1,051 American adults on how they use passwords and password managers.Cyware
September 21, 2023 – Criminals
Cyber Group ‘Gold Melody’ Selling Compromised Access to Ransomware Attackers Full Text
Abstract
A financially motivated threat actor has been outed as an initial access broker (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware. SecureWorks Counter Threat Unit (CTU) has dubbed the e-crime group Gold Melody, which is also known by the names Prophet Spider (CrowdStrike) and UNC961 (Mandiant). "This financially motivated group has been active since at least 2017, compromising organizations by exploiting vulnerabilities in unpatched internet-facing servers," the cybersecurity company said. "The victimology suggests opportunistic attacks for financial gain rather than a targeted campaign conducted by a state-sponsored threat group for espionage, destruction, or disruption." Gold Melody has been previously linked to attacks exploiting security flaws in JBoss Messaging (CVE-2017-7504), Citrix ADC (CVE-2019-19781), Oracle WebLogic (CVE-2020-14750 and CVE-2020-14882), GitLab (CVE-20The Hacker News
September 21, 2023 – Government
Cyber Experts Urge House Committee to Avoid Federal Shutdown Full Text
Abstract
Cybersecurity experts urged Congress to avoid a government shutdown on October 1 - the start of the new federal fiscal year - telling a House panel that a lapse would damage efforts to keep the nation secure.Cyware
September 21, 2023 – Attack
Ukrainian Hacker Suspected to be Behind “Free Download Manager” Malware Attack Full Text
Abstract
The maintainers of Free Download Manager (FDM) have acknowledged a security incident dating back to 2020 that led to its website being used to distribute malicious Linux software. "It appears that a specific web page on our site was compromised by a Ukrainian hacker group, exploiting it to distribute malicious software," it said in an alert last week. "Only a small subset of users, specifically those who attempted to download FDM for Linux between 2020 and 2022, were potentially exposed." The project estimates that less than 0.1% of its visitors encountered the issue, adding that this may be why the problem went undetected until now. The disclosure comes as Kaspersky revealed that the project's website was infiltrated at some point in 2020 to redirect select Linux users who attempted to download the software to a malicious site hosting a Debian package. The package was further configured to deploy a DNS-based backdoor and ultimately serve a Bash stealer malThe Hacker News
September 21, 2023 – Vulnerabilities
Omron Patches PLC, Engineering Software Flaws Discovered During ICS Malware Analysis Full Text
Abstract
Japanese electronics giant Omron recently patched programmable logic controller (PLC) and engineering software vulnerabilities that were discovered by industrial cybersecurity firm Dragos during the analysis of a sophisticated piece of malware.Cyware
September 21, 2023 – Vulnerabilities
Beware: Fake Exploit for WinRAR Vulnerability on GitHub Infects Users with Venom RAT Full Text
Abstract
A malicious actor released a fake proof-of-concept (PoC) exploit for a recently disclosed WinRAR vulnerability on GitHub with an aim to infect users who downloaded the code with Venom RAT malware. "The fake PoC meant to exploit this WinRAR vulnerability was based on a publicly available PoC script that exploited a SQL injection vulnerability in an application called GeoServer, which is tracked as CVE-2023-25157," Palo Alto Networks Unit 42 researcher Robert Falcone said. While bogus PoCs have become a well-documented gambit for targeting the research community, the cybersecurity firm suspected that the threat actors are opportunistically targeting other crooks who may be adopting the latest vulnerabilities into their arsenal. whalersplonk, the GitHub account that hosted the repository, is no longer accessible. The PoC is said to have been committed on August 21, 2023, four days after the vulnerability was publicly announced. CVE-2023-40477 relates to an impThe Hacker News
September 21, 2023 – General
Companies Still Don’t Know How to Handle Generative AI Risks Full Text
Abstract
Energized by the hype around generative AI, enterprises are aggressively pursuing practical applications of this new technology while remaining cautious about the risks, according to ISG.Cyware
September 20, 2023 – Vulnerabilities
Atos Unify Vulnerabilities Could Allow Hackers to Backdoor Systems Full Text
Abstract
The flaws were found in the unified communications and collaboration solution by researchers at SEC Consult, an Austria-based cybersecurity consulting firm that is part of the Atos Group’s Eviden business.Cyware
September 20, 2023 – Criminals
Finnish Authorities Dismantle Notorious PIILOPUOTI Dark Web Drug Marketplace Full Text
Abstract
Finnish law enforcement authorities have announced the takedown of PIILOPUOTI, a dark web marketplace that specialized in illegal narcotics trade since May 2022. "The site operated as a hidden service in the encrypted TOR network," the Finnish Customs (aka Tulli) said in a brief announcement on Tuesday. "The site has been used in anonymous criminal activities such as narcotics trade." The agency said that the drugs sold on the site were smuggled to Finland from abroad, adding a criminal investigation is underway in coordination with international partners from Germany and Lithuania, along with Europol and Eurojust. It's not immediately clear if any arrests were made. Romanian cybersecurity firm Bitdefender said it provided additional support that helped with the seizure of PIILOPUOTI. "We are extremely pleased that PIILOPUOTI has been seized and would like to congratulate law enforcement, Finnish Customs, and everyone involved," Alexandru CatalThe Hacker News
September 20, 2023 – Breach
Data Breach at Pizza Hut Australia Exposes Customer Information and Order Details Full Text
Abstract
In an email to customers on Wednesday, Pizza Hut Australia’s chief executive, Phil Reed, said the company became aware in early September that there had been “unauthorised third party” access to some of the company’s data.Cyware
September 20, 2023 – Vulnerabilities
Critical Security Flaws Exposed in Nagios XI Network Monitoring Software Full Text
Abstract
Multiple security flaws have been disclosed in the Nagios XI network monitoring software that could result in privilege escalation and information disclosure. The four security vulnerabilities, tracked from CVE-2023-40931 through CVE-2023-40934, impact Nagios XI versions 5.11.1 and lower. Following responsible disclosure on August 4, 2023, they have been patched as of September 11, 2023, with the release of version 5.11.2. "Three of these vulnerabilities (CVE-2023-40931, CVE-2023-40933 and CVE-2023-40934) allow users, with various levels of privileges, to access database fields via SQL Injections," Outpost24 researcher Astrid Tedenbrant said. "The data obtained from these vulnerabilities may be used to further escalate privileges in the product and obtain sensitive user data such as password hashes and API tokens." CVE-2023-40932, on the other hand, relates to a cross-site scripting (XSS) flaw in the Custom Logo component that could be used to read sensitiThe Hacker News
September 20, 2023 – Government
DHS: Ransomware attackers headed for second most profitable year Full Text
Abstract
Ransomware attackers remain a major threat to the United States and are on pace to have their second most profitable year ever, the Department of Homeland Security said in an annual report.Cyware
September 20, 2023 – General
Do You Really Trust Your Web Application Supply Chain? Full Text
Abstract
Well, you shouldn't. It may already be hiding vulnerabilities. It's the modular nature of modern web applications that has made them so effective. They can call on dozens of third-party web components, JS frameworks, and open-source tools to deliver all the different functionalities that keep their customers happy, but this chain of dependencies is also what makes them so vulnerable. Many of those components in the web application supply chain are controlled by a third party—the company that created them. This means that no matter how rigorous you were with your own static code analysis, code reviews, penetration testing, and other SSDLC processes, most of your supply chain's security is in the hands of whoever built its third-party components. With their huge potential for weak spots, and their widespread use in the lucrative ecommerce, financial and medical industries, web application supply chains present a juicy target for cyber attackers. They can target any one of the dozThe Hacker News
September 20, 2023 – Business
CrowdStrike to Buy AppSec Startup Bionic for Reported $350M Full Text
Abstract
CrowdStrike plans to purchase a Silicon Valley application security startup founded by two Israel Defense Forces veterans in a bid to expand risk visibility and protection across entire cloud computing environments.Cyware
September 20, 2023 – Malware
Fresh Wave of Malicious npm Packages Threaten Kubernetes Configs and SSH Keys Full Text
Abstract
Cybersecurity researchers have discovered a fresh batch of malicious packages in the npm package registry that are designed to exfiltrate Kubernetes configurations and SSH keys from compromised machines to a remote server. Sonatype said it has discovered 14 different npm packages so far: @am-fe/hooks, @am-fe/provider, @am-fe/request, @am-fe/utils, @am-fe/watermark, @am-fe/watermark-core, @dynamic-form-components/mui, @dynamic-form-components/shineout, @expue/app, @fixedwidthtable/fixedwidthtable, @soc-fe/use, @spgy/eslint-plugin-spgy-fe, @virtualsearchtable/virtualsearchtable, and shineouts. "These packages [...] attempt to impersonate JavaScript libraries and components, such as ESLint plugins and TypeScript SDK tools," the software supply chain security firm said. "But, upon installation, multiple versions of the packages were seen running obfuscated code to collect and siphon sensitive files from the target machine." Along with Kubernetes config and SSH keThe Hacker News
September 20, 2023 – Attack
Chinese-Language Speakers Targeted with Sainbox RAT, ValleyRAT, and Gh0stRAT Full Text
Abstract
The increase in activity suggests increased availability or ease of access to payloads and target lists, as well as potentially increased activity by Chinese-speaking cybercrime operators.Cyware
September 20, 2023 – Phishing
Sophisticated Phishing Campaign Targeting Chinese Users with ValleyRAT and Gh0st RAT Full Text
Abstract
Chinese-language speakers have been increasingly targeted as part of multiple email phishing campaigns that aim to distribute various malware families such as Sainbox RAT, Purple Fox, and a new trojan called ValleyRAT. "Campaigns include Chinese-language lures and malware typically associated with Chinese cybercrime activity," enterprise security firm Proofpoint said in a report shared with The Hacker News. The activity, observed since early 2023, entails sending email messages containing URLs pointing to compressed executables that are responsible for installing the malware. Other infection chains have been found to leverage Microsoft Excel and PDF attachments that embed these URLs to trigger malicious activity. These campaigns demonstrate variation in the use of infrastructure, sender domains, email content, targeting, and payloads, indicating that different threat clusters are mounting the attacks. Over 30 such campaigns have been detected in 2023 that employ malwaThe Hacker News
September 20, 2023 – Malware
Malicious NPM Packages Caught Exfiltrating Kubernetes Config, SSH Keys Full Text
Abstract
The malicious software packages impersonate legitimate JavaScript libraries and components, but upon installation, they run obfuscated code to collect and siphon sensitive files.Cyware
September 20, 2023 – Encryption
Signal Messenger Introduces PQXDH Quantum-Resistant Encryption Full Text
Abstract
Encrypted messaging app Signal has announced an update to the Signal Protocol to add support for quantum resistance by upgrading the Extended Triple Diffie-Hellman (X3DH) specification to Post-Quantum Extended Diffie-Hellman (PQXDH). "With this upgrade, we are adding a layer of protection against the threat of a quantum computer being built in the future that is powerful enough to break current encryption standards," Signal's Ehren Kret said. The development comes weeks after Google added support for quantum-resistant encryption algorithms in its Chrome web browser and announced a quantum-resilient FIDO2 security key implementation as part of its OpenSK security keys initiative last month. The Signal Protocol is a set of cryptographic specifications that provides end-to-end encryption (E2EE) for private text and voice communications. It's used in various messaging apps like WhatsApp and Google's encrypted RCS messages for Android. While quantum cThe Hacker News
September 20, 2023 – Breach
Cyberattack on Kansas Town Affects Email, Phone, Payment Systems Full Text
Abstract
The city’s incident response team “took proactive measures to protect city data and network systems” while also hiring forensic experts to “fully understand the extent and implications” of the attack.Cyware
September 20, 2023 – Vulnerabilities
GitLab Releases Urgent Security Patches for Critical Vulnerability Full Text
Abstract
GitLab has shipped security patches to resolve a critical flaw that allows an attacker to run pipelines as another user. The issue, tracked as CVE-2023-5009 (CVSS score: 9.6), impacts all versions of GitLab Enterprise Edition (EE) starting from 13.12 and prior to 16.2.7 as well as from 16.3 and before 16.3.4. "It was possible for an attacker to run pipelines as an arbitrary user via scheduled security scan policies," GitLab said in an advisory. "This was a bypass of CVE-2023-3932 showing additional impact." Successful exploitation of CVE-2023-5009 could allow a threat actor to access sensitive information or leverage the elevated permissions of the impersonated user to modify source code or run arbitrary code on the system, leading to severe consequences. Security researcher Johan Carlsson (aka joaxcar) has been credited with discovering and reporting the flaw. CVE-2023-3932 was addressed by GitLab in early August 2023. The vulnerability has been addreThe Hacker News
September 20, 2023 – Business
HiddenLayer Raises Hefty $50M Round for AI Security Tech Full Text
Abstract
HiddenLayer, which emerged from stealth in July 2022 with $6 million in funding, said the latest financing was led by M12, Microsoft’s Venture Fund, and Moore Strategic Ventures.Cyware
September 20, 2023 – Vulnerabilities
Trend Micro Releases Urgent Fix for Actively Exploited Critical Security Vulnerability Full Text
Abstract
Cybersecurity company Trend Micro has released patches and hotfixes to address a critical security flaw in Apex One and Worry-Free Business Security solutions for Windows that has been actively exploited in real-world attacks. Tracked as CVE-2023-41179 (CVSS score: 9.1), it relates to a third-party antivirus uninstaller module that's bundled along with the software. The complete list of impacted products is as follows: Apex One - version 2019 (on-premise), fixed in SP1 Patch 1 (B12380); Apex One as a Service - fixed in SP1 Patch 1 (B12380) and Agent version 14.0.12637; Worry-Free Business Security - version 10.0 SP1, fixed in 10.0 SP1 Patch 2495; Worry-Free Business Security Services - fixed in July 31, 2023, Monthly Maintenance Release. Trend Micro said that a successful exploitation of the flaw could allow an attacker to manipulate the component to execute arbitrary commands on an affected installation. However, it requires that the adversary already has administrativeThe Hacker News
September 19, 2023 – Attack
‘ShroudedSnooper’ Backdoors Use Ultra-Stealth in Mideast Telecom Attacks Full Text
Abstract
ShroudedSnooper has targeted Middle East-based telecom firms using two stealthy backdoors, HTTPSnoop and PipeSnoop, which employ advanced anti-detection techniques and can give cyberattackers persistent access to networks.Cyware
September 19, 2023 – Attack
ShroudedSnooper’s HTTPSnoop Backdoor Targets Middle East Telecom Companies Full Text
Abstract
Telecommunication service providers in the Middle East are the target of a new intrusion set dubbed ShroudedSnooper that employs a stealthy backdoor called HTTPSnoop. "HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint," Cisco Talos said in a report shared with The Hacker News. Also part of the threat actor's arsenal is a sister implant codenamed PipeSnoop that can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint. It's suspected that ShroudedSnooper exploits internet-facing servers and deploys HTTPSnoop to gain initial access to target environments, with both the malware strains impersonating components of Palo Alto Networks' Cortex XDR application ("CyveraConsole.exe") to fly under the radar. Three different HTTPThe Hacker News
September 19, 2023 – Skimming
Payment Card-Skimming Campaign Now Targeting Websites in North America Full Text
Abstract
A Chinese-speaking threat actor known for skimming credit card numbers off e-commerce sites and point-of-sale service providers in the Asia/Pacific region for more than a year has begun aiming at similar targets in North and Latin America as well.Cyware
September 19, 2023 – Attack
Operation Rusty Flag: Azerbaijan Targeted in New Rust-Based Malware Campaign Full Text
Abstract
Targets located in Azerbaijan have been singled out as part of a new campaign that's designed to deploy Rust-based malware on compromised systems. Cybersecurity firm Deep Instinct is tracking the operation under the name Operation Rusty Flag. It has not been associated with any known threat actor or group. "The operation has at least two different initial access vectors," security researchers Simon Kenin, Ron Ben Yizhak, and Mark Vaitzman said in an analysis published last week. "One of the lures used in the operation is a modified document that was used by the Storm-0978 group. This could be a deliberate 'false flag.'" The attack chain leverages an LNK file named 1.KARABAKH.jpg.lnk as a launchpad to retrieve a second-stage payload, an MSI installer, hosted on Dropbox. The installer file, for its part, drops an implant written in Rust, an XML file for a scheduled task to execute the implant, and a decoy image file that features watermarks of theThe Hacker News
September 19, 2023 – Attack
German Spy Chief Warns of Cyberattacks Targeting Liquefied Natural Gas Terminals Full Text
Abstract
Bruno Kahl, the head of Germany’s foreign intelligence service, warned that liquefied natural gas (LNG) terminals in the country could be targeted by state-sponsored hackers.Cyware
September 19, 2023 – Malware
Inside the Code of a New XWorm Variant Full Text
Abstract
XWorm is a relatively new representative of the remote access trojan cohort that has already earned its spot among the most persistent threats across the globe. Since 2022, when it was first observed by researchers, it has undergone a number of major updates that have significantly enhanced its functionality and solidified its staying power. The analyst team at ANY.RUN came across the newest version of the malware and could not refuse the opportunity of taking it apart to examine XWorm's mechanics and configurations. Here is how they did it and what they found. The XWorm sample's source: The sample in question was discovered in ANY.RUN's database of malware, a repository containing detailed analysis reports on all files and links that have been uploaded by users of the sandbox in public mode. A quick look at the results of the analysis revealed that the sample was initially distributed via MediaFire, a file-hosting service. The malware was packaged in a RAR archive and pThe Hacker News
September 19, 2023 – Breach
Update: Australian Law Firm Hack Affected 65 Government Agencies Full Text
Abstract
An April ransomware attack against one of Australia's largest law firms swept up the data of 65 Australian government agencies, the country's newly appointed national cybersecurity coordinator said Monday.Cyware
September 19, 2023 – Attack
Earth Lusca’s New SprySOCKS Linux Backdoor Targets Government Entities Full Text
Abstract
The China-linked threat actor known as Earth Lusca has been observed targeting government entities using a never-before-seen Linux backdoor called SprySOCKS. Earth Lusca was first documented by Trend Micro in January 2022, detailing the adversary's attacks against public and private sector entities across Asia, Australia, Europe, and North America. Active since 2021, the group has relied on spear-phishing and watering hole attacks to pull off its cyber espionage schemes. Some activities of the group overlap with another threat cluster tracked by Recorded Future under the name RedHotel. The latest findings from the cybersecurity firm show that Earth Lusca continues to be an active group, even expanding its operations to target organizations across the world during the first half of 2023. Primary targets include government departments that are involved in foreign affairs, technology, and telecommunications. The attacks are concentrated in Southeast Asia, Central Asia, and theThe Hacker News
September 19, 2023 – Education
Live Webinar: Overcoming Generative AI Data Leakage Risks Full Text
Abstract
As the adoption of generative AI tools, like ChatGPT, continues to surge, so does the risk of data exposure. According to Gartner's "Emerging Tech: Top 4 Security Risks of GenAI" report, privacy and data security is one of the four major emerging risks within generative AI. A new webinar featuring a multi-time Fortune 100 CISO and the CEO of LayerX, a browser extension solution, delves into this critical risk. Throughout the webinar, the speakers will explain why data security is a risk and explore the ability of DLP solutions to protect against them, or lack thereof. Then, they will delineate the capabilities required by DLP solutions to ensure businesses benefit from the productivity GenAI applications have to offer without compromising security. The Business and Security Risks of Generative AI Applications GenAI security risks occur when employees insert sensitive texts into these applications. These actions warrant careful consideration, because the inserted data bThe Hacker News
September 19, 2023 – Insider Threat
Microsoft AI Researchers Accidentally Expose 38 Terabytes of Confidential Data Full Text
Abstract
Microsoft on Monday said it took steps to correct a glaring security gaffe that led to the exposure of 38 terabytes of private data. The leak was discovered on the company's AI GitHub repository and is said to have been inadvertently made public when publishing a bucket of open-source training data, Wiz said. It also included a disk backup of two former employees' workstations containing secrets, keys, passwords, and over 30,000 internal Teams messages. The repository, named "robust-models-transfer," is no longer accessible. Prior to its takedown, it featured source code and machine learning models pertaining to a 2020 research paper titled "Do Adversarially Robust ImageNet Models Transfer Better?" "The exposure came as the result of an overly permissive SAS token – an Azure feature that allows users to share data in a manner that is both hard to track and hard to revoke," Wiz said in a report. The issue was reported to Microsoft on JThe Hacker News
September 19, 2023 – Vulnerabilities
Nearly 12,000 Juniper Firewalls Found Vulnerable to Recently Disclosed RCE Vulnerability Full Text
Abstract
New research has found that close to 12,000 internet-exposed Juniper firewall devices are vulnerable to a recently disclosed remote code execution flaw. VulnCheck, which discovered a new exploit for CVE-2023-36845, said it could be exploited by an "unauthenticated and remote attacker to execute arbitrary code on Juniper firewalls without creating a file on the system." CVE-2023-36845 refers to a medium-severity flaw in the J-Web component of Junos OS that could be weaponized by a threat actor to control certain, important environment variables. It was patched by Juniper Networks last month alongside CVE-2023-36844, CVE-2023-36846, and CVE-2023-36847 in an out-of-cycle update. A subsequent proof-of-concept (PoC) exploit devised by watchTowr combined CVE-2023-36846 and CVE-2023-36845 to upload a PHP file containing malicious shellcode and achieve code execution. The latest exploit, on the other hand, impacts older systems and can be written using a single cURL commaThe Hacker News
September 19, 2023 – APT
Transparent Tribe Uses Fake YouTube Android Apps to Spread CapraRAT Malware Full Text
Abstract
The suspected Pakistan-linked threat actor known as Transparent Tribe is using malicious Android apps mimicking YouTube to distribute the CapraRAT mobile remote access trojan (RAT), demonstrating the continued evolution of the activity. "CapraRAT is a highly invasive tool that gives the attacker control over much of the data on the Android devices that it infects," SentinelOne security researcher Alex Delamotte said in a Monday analysis. Transparent Tribe, also known as APT36, is known to target Indian entities for intelligence-gathering purposes, relying on an arsenal of tools capable of infiltrating Windows, Linux, and Android systems. A crucial component of its toolset is CapraRAT, which has been propagated in the form of trojanized secure messaging and calling apps branded as MeetsApp and MeetUp. These weaponized apps are distributed using social engineering lures. The latest set of Android package (APK) files discovered by SentinelOne are engineered to masThe Hacker News
September 18, 2023 – Cryptocurrency
Lazarus APT Stole Almost $240 Million in Crypto Assets Since June Full Text
Abstract
According to a report by Elliptic, the North Korea-linked APT group Lazarus has stolen almost $240 million in crypto assets from multiple businesses, including Atomic Wallet ($100M), CoinsPaid ($37.3M), Alphapo ($60M), and Stake.com ($41M).Cyware
September 18, 2023 – Cryptocurrency
New AMBERSQUID Cryptojacking Operation Targets Uncommon AWS Services Full Text
Abstract
A novel cloud-native cryptojacking operation has set its eyes on uncommon Amazon Web Services (AWS) offerings such as AWS Amplify, AWS Fargate, and Amazon SageMaker to illicitly mine cryptocurrency. The malicious cyber activity has been codenamed AMBERSQUID by cloud and container security firm Sysdig. "The AMBERSQUID operation was able to exploit cloud services without triggering the AWS requirement for approval of more resources, as would be the case if they only spammed EC2 instances," Sysdig security researcher Alessandro Brucato said in a report shared with The Hacker News. "Targeting multiple services also poses additional challenges, like incident response, since it requires finding and killing all miners in each exploited service." Sysdig said it discovered the campaign following an analysis of 1.7 million images on Docker Hub, attributing it with moderate confidence to Indonesian attackers based on the use of Indonesian language in scripts and useThe Hacker News
September 18, 2023 – Breach
ETH Founder Vitalik Buterin’s X (Twitter) Hacked, $700k Stolen Full Text
Abstract
Regarding how the hacking was successful, it is reported that the hacker compromised Buterin’s account and shared a post on his behalf, celebrating the arrival of Proto-Danksharding to the Ethereum platform.Cyware
September 18, 2023 – Education
Think Your MFA and PAM Solutions Protect You? Think Again Full Text
Abstract
When you roll out a security product, you assume it will fulfill its purpose. Unfortunately, however, this often turns out not to be the case. A new report, produced by Osterman Research and commissioned by Silverfort, reveals that MFA (Multi-Factor Authentication) and PAM (Privileged Access Management) solutions are almost never deployed comprehensively enough to provide resilience to identity threats. As well, service accounts – which are typically beyond the scope of protection of these controls – are alarmingly exposed to malicious compromise. These findings and many more can be found in "The State of the Identity Attack Surface: Insights Into Critical Protection Gaps," the first report that analyzes organizational resilience to identity threats. What is the "Identity Attack Surface"? The identity attack surface is any organizational resource that can be accessed via username and password. The main way that attackers target this attack surface is through the use of compromiThe Hacker News
September 18, 2023 – Malware
Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement Full Text
Abstract
Earth Lusca, a China-linked threat actor, has developed a Linux variant of the backdoor malware SprySOCKS, which originated from the open-source Windows backdoor Trochilus, indicating their continued active operations and expansion.Cyware
September 18, 2023 – Malware
Hook: New Android Banking Trojan That Expands on ERMAC’s Legacy
Abstract
A new analysis of the Android banking trojan known as Hook has revealed that it's based on its predecessor called ERMAC. "The ERMAC source code was used as a base for Hook," NCC Group security researchers Joshua Kamp and Alberto Segura said in a technical analysis published last week. "All commands (30 in total) that the malware operator can send to a device infected with ERMAC malware, also exist in Hook. The code implementation for these commands is nearly identical." Hook was first documented by ThreatFabric in January 2023, describing it as an "ERMAC fork" that's offered for sale for $7,000 per month. Both strains are the work of a malware author called DukeEugene. That said, Hook expands on ERMAC's functionalities with more capabilities, supporting as many as 38 additional commands when compared to the latter. ERMAC's core features are designed to send SMS messages, display a phishing window on top of a legitimate app, e… (The Hacker News)
September 18, 2023 – Breach
CardX Issues Data Leak Notification Impacting Their Customers in Thailand
Abstract
Thailand-based digital financial platform, CardX, experienced a data leak exposing personal information of customers, including names, addresses, phone numbers, and emails. (Cyware)
September 18, 2023 – Breach
Retool Falls Victim to SMS-Based Phishing Attack Affecting 27 Cloud Clients
Abstract
Software development company Retool has disclosed that the accounts of 27 of its cloud customers were compromised following a targeted and SMS-based social engineering attack. The San Francisco-based firm blamed a Google Account cloud synchronization feature recently introduced in April 2023 for making the breach worse, calling it a "dark pattern." "The fact that Google Authenticator syncs to the cloud is a novel attack vector," Snir Kodesh, Retool's head of engineering, said. "What we had originally implemented was multi-factor authentication. But through this Google update, what was previously multi-factor-authentication had silently (to administrators) become single-factor-authentication." Retool said that the incident, which took place on August 27, 2023, did not allow unauthorized access to on-prem or managed accounts. It also coincided with the company migrating their logins to Okta. It all started with an SMS phishing attack aimed at i… (The Hacker News)
September 18, 2023 – Vulnerabilities
Fortinet Patches High-Severity Vulnerabilities in FortiOS, FortiProxy, FortiWeb Products
Abstract
Fortinet has released patches for a high-severity cross-site scripting (XSS) vulnerability impacting multiple FortiOS and FortiProxy versions. It is tracked as CVE-2023-29183 and has a CVSS score of 7.3. (Cyware)
September 18, 2023 – Hacker
Financially Motivated UNC3944 Threat Actor Shifts Focus to Ransomware Attacks
Abstract
The financially motivated threat actor known as UNC3944 is pivoting to ransomware deployment as part of an expansion to its monetization strategies, Mandiant has revealed. "UNC3944 has demonstrated a stronger focus on stealing large amounts of sensitive data for extortion purposes and they appear to understand Western business practices, possibly due to the geographical composition of the group," the threat intelligence firm said. "UNC3944 has also consistently relied on publicly available tools and legitimate software in combination with malware available for purchase on underground forums." The group, also known by the names 0ktapus, Scatter Swine, and Scattered Spider, has been active since early 2022, adopting phone-based social engineering and SMS-based phishing to obtain employees' valid credentials using bogus sign-in pages and infiltrate victim organizations, mirroring tactics adopted by another group called LAPSUS$. While the group originall… (The Hacker News)
September 18, 2023 – Breach
FBI Hacker USDoD Leaks Highly Sensitive TransUnion Data
Abstract
A threat actor known as “USDoD” leaked highly sensitive data allegedly stolen from the credit reporting agency. The leaked database, over 3GB in size, contains sensitive PII of 58,505 people, all across the globe, including the Americas and Europe. (Cyware)
September 18, 2023 – Breach
Clop Gang Stole Data From Major North Carolina Hospitals
Abstract
The Microsoft-owned healthcare technology firm Nuance revealed that the Clop extortion gang has stolen personal data on major North Carolina hospitals as part of the Progress MOVEit Transfer campaign. (Cyware)
September 17, 2023 – Cryptocurrency
North Korea’s Lazarus Group Suspected in $31 Million CoinEx Heist
Abstract
The North Korea-affiliated Lazarus Group has stolen nearly $240 million in cryptocurrency since June 2023, marking a significant escalation of its hacks. According to multiple reports from Certik, Elliptic, and ZachXBT, the infamous hacking group is said to be suspected behind the theft of $31 million in digital assets from the CoinEx exchange on September 12, 2023. The crypto heist aimed at CoinEx adds to a string of recent attacks targeting Atomic Wallet ($100 million), CoinsPaid ($37.3 million), Alphapo ($60 million), and Stake.com ($41 million). "Some of the funds stolen from CoinEx were sent to an address which was used by the Lazarus group to launder funds stolen from Stake.com, albeit on a different blockchain," Elliptic said. "Following this, the funds were bridged to Ethereum, using a bridge previously used by Lazarus, and then sent back to an address known to be controlled by the CoinEx hacker." The blockchain analytics firm said the late… (The Hacker News)
September 16, 2023 – Policy and Law
TikTok Faces Massive €345 Million Fine Over Child Data Violations in E.U.
Abstract
The Irish Data Protection Commission (DPC) slapped TikTok with a €345 million (about $368 million) fine for violating the European Union's General Data Protection Regulation (GDPR) in relation to its handling of children's data. The investigation, initiated in September 2021, examined how the popular short-form video platform processed personal data relating to child users (those between the ages of 13 and 17) between July 31 and December 31, 2020. Some of the major findings include:
- The content posted by child users was set to public by default, thereby allowing any individual (with or without TikTok) to view the material and exposing them to additional risks
- A failure to provide transparency information to child users
- The implementation of dark patterns to steer users towards opting for privacy-intrusive options during the registration process, and when posting videos
- A weakness in the Family Sharing setting that allowed any non-child user (someone who could not be… (The Hacker News)
September 15, 2023 – Criminals
Cuba Ransomware Gang Continues to Evolve With Dangerous Backdoor
Abstract
Researchers have uncovered fresh malware samples attributed to ransomware group Cuba, representing new versions of BurntCigar malware, which offers next-level stealth to the group. (Cyware)
September 15, 2023 – Solution
The Interdependence between Automated Threat Intelligence Collection and Humans
Abstract
The volume of cybersecurity vulnerabilities is rising, with close to 30% more vulnerabilities found in 2022 vs. 2018. Costs are also rising, with a data breach in 2023 costing $4.45M on average vs. $3.62M in 2017. In Q2 2023, a total of 1386 victims were claimed by ransomware attacks compared with just 831 in Q1 2023. The MOVEit attack has claimed over 600 victims so far and that number is still rising. To people working in cybersecurity today, the value of automated threat intelligence is probably pretty obvious. The rising numbers specified above, combined with the lack of cybersecurity professionals available, mean automation is a clear solution. When threat intelligence operations can be automated, threats can be identified and responded to with less effort on the part of engineers. However, a mistake that organizations sometimes make is assuming that once they've automated threat intelligence workflows, humans are out of the picture. They conflate automation… (The Hacker News)
September 15, 2023 – Business
Deduce Raises $9 Million to Tackle AI-Generated Identity Fraud
Abstract
The funding will launch its GenAI Identity fraud solution out of stealth and help the company scale to prevent large-scale SuperSynthetic identity fraud across multiple verticals, including the financial service industry, fintech, and e-commerce. (Cyware)
September 15, 2023 – Policy and Law
Google Agrees to $93 Million Settlement in California’s Location-Privacy Lawsuit
Abstract
Google has agreed to pay $93 million to settle a lawsuit filed by the U.S. state of California over allegations that the company's location-privacy practices misled consumers and violated consumer protection laws. "Our investigation revealed that Google was telling its users one thing – that it would no longer track their location once they opted out – but doing the opposite and continuing to track its users' movements for its own commercial gain," California Attorney General Rob Bonta said. The lawsuit is in response to disclosures that the company continued to track users' locations despite stating to the contrary that such information would not be stored if the "Location History" setting was disabled. The complaint filed by California alleged that Google collected location data through other sources and that it deceived users about their ability to opt out of personalized advertisements targeted to their location. With Google making over $220… (The Hacker News)
September 15, 2023 – Malware
New Python NodeStealer Goes Beyond Facebook Credentials, Now Stealing All Browser Cookies and Login Credentials
Abstract
The campaign uses batch files distributed via Facebook messages, utilizing images of defective products as bait, and stealing credentials and cookies from multiple browsers, not just Facebook, increasing the risk of targeted attacks. (Cyware)
September 15, 2023 – IOT
DDoS 2.0: IoT Sparks New DDoS Alert
Abstract
The Internet of Things (IoT) is transforming efficiency in various sectors like healthcare and logistics but has also introduced new security risks, particularly IoT-driven DDoS attacks. This article explores how these attacks work, why they're uniquely problematic, and how to mitigate them.
What Is IoT? IoT (Internet of Things) refers to online, interconnected devices that collect and exchange data. This broad category of devices includes sensors, cameras, network routers, and advanced machinery, and their integration into everyday life and work processes results in an ecosystem that can automate operations, improve decision-making, and enhance user experience.
IoT: A Breeding Ground for Botnets. IoT's rapid adoption amplifies its vulnerability, as poorly secured devices become easy prey for attackers and may become part of a botnet. Controlled by attackers, botnets can scale and rapidly execute various attacks, including DDoS, data theft, ad fraud, cryptocurrency mining, spam a… (The Hacker News)
September 15, 2023 – Government
NIST Publishes New Guidance for Access Control in Cloud-Native Applications in Multi-Location Environments
Abstract
This scenario calls for establishing trust in all enterprise access entities, data sources, and computing services through secure communication and the validation of access policies. (Cyware)
September 15, 2023 – Malware
NodeStealer Malware Now Targets Facebook Business Accounts on Multiple Browsers
Abstract
An ongoing campaign is targeting Facebook Business accounts with bogus messages to harvest victims' credentials using a variant of the Python-based NodeStealer and potentially take over their accounts for follow-on malicious activities. "The attacks are reaching victims mainly in Southern Europe and North America across different segments, led by the manufacturing services and technology sectors," Netskope Threat Labs researcher Jan Michael said in an analysis published Thursday. First documented by Meta in May 2023, NodeStealer originated as a JavaScript malware capable of pilfering cookies and passwords from web browsers to compromise Facebook, Gmail, and Outlook accounts. Palo Alto Networks Unit 42, last month, revealed a separate attack wave that took place in December 2022 using a Python version of the malware, with select iterations also designed to conduct cryptocurrency theft. The latest findings from Netskope suggest the Vietnamese threat actors be… (The Hacker News)
September 15, 2023 – Attack
Regional Transportation Authority in New Zealand Hit by Suspected Ransomware Attack
Abstract
The company has announced today that it's experiencing issues with its HOP services (integrated ticketing and fares system) as a cyber incident has impacted parts of its network. (Cyware)
September 15, 2023 – Phishing
Cybercriminals Combine Phishing and EV Certificates to Deliver Ransomware Payloads
Abstract
The threat actors behind RedLine and Vidar information stealers have been observed pivoting to ransomware through phishing campaigns that spread initial payloads signed with Extended Validation (EV) code signing certificates. "This suggests that the threat actors are streamlining operations by making their techniques multipurpose," Trend Micro researchers said in a new analysis published this week. In the incident investigated by the cybersecurity company, an unnamed victim is said to have first received a piece of info stealer malware with EV code signing certificates, followed by ransomware using the same delivery technique. In the past, QakBot infections have leveraged samples signed with valid code signing certificates to bypass security protections. The attacks start with phishing emails that employ well-worn lures to trick victims into running malicious attachments that masquerade as PDF or JPG images but are actually executables that jump-start the comprom… (The Hacker News)
September 15, 2023 – Attack
Lockbit Ransomware Gang Hit the Carthage Area Hospital and the Claxton-Hepburn Medical Center in New York
Abstract
The Lockbit ransomware group claims to have hacked two major hospitals, the Carthage Area Hospital and Claxton-Hepburn Medical Center. The two hospitals serve hundreds of thousands of people in upstate New York. (Cyware)
September 15, 2023 – Malware
LokiBot Information Stealer Packs Fresh Infection Strategies
Abstract
The malware targets Microsoft users and steals various types of data, including email credentials, payment card information, and cryptocurrency passwords. It is particularly appealing to less technically skilled individuals due to its ease of use. (Cyware)
September 15, 2023 – Breach
Developer Platform Retool Breached in Vishing Attack
Abstract
A threat actor impersonating an IT staff member conducted SMS-based phishing and a successful vishing attack to obtain authentication logins that led to the total account takeover of one Retool employee. (Cyware)
September 15, 2023 – Attack
Iranian Nation-State Actors Employ Password Spray Attacks Targeting Multiple Sectors
Abstract
Iranian nation-state actors have been conducting password spray attacks against thousands of organizations globally between February and July 2023, new findings from Microsoft reveal. The tech giant, which is tracking the activity under the name Peach Sandstorm (formerly Holmium), said the adversary pursued organizations in the satellite, defense, and pharmaceutical sectors to likely facilitate intelligence collection in support of Iranian state interests. Should the authentication to an account be successful, the threat actor has been observed using a combination of publicly available and custom tools for discovery, persistence, and lateral movement, followed by data exfiltration in limited cases. Peach Sandstorm, also known by the names APT33, Elfin, and Refined Kitten, has been linked to spear-phishing attacks against aerospace and energy sectors in the past, some of which have entailed the use of the SHAPESHIFT wiper malware. It's said to be active since at least 2013. (The Hacker News)
September 14, 2023 – Attack
US-Canada International Joint Commission for Managing Lake and River Systems Suffers Cyberattack
Abstract
On Wednesday, an IJC spokesperson confirmed that it was dealing with a cybersecurity issue but declined to elaborate on whether law enforcement has been contacted or if the organization was facing operational issues. (Cyware)
September 14, 2023 – Vulnerabilities
Microsoft Uncovers Flaws in ncurses Library Affecting Linux and macOS Systems
Abstract
A set of memory corruption flaws have been discovered in the ncurses (short for new curses) programming library that could be exploited by threat actors to run malicious code on vulnerable Linux and macOS systems. "Using environment variable poisoning, attackers could chain these vulnerabilities to elevate privileges and run code in the targeted program's context or perform other malicious actions," Microsoft Threat Intelligence researchers Jonathan Bar Or, Emanuele Cozzi, and Michael Pearse said in a technical report published today. The vulnerabilities, collectively tracked as CVE-2023-29491 (CVSS score of 7.8), have been addressed as of April 2023. Microsoft said it also worked with Apple on addressing the macOS-specific issues related to these flaws. Environment variables are user-defined values that can be used by multiple programs on a system and can affect the manner in which they behave on the system. Manipulating the variables can cause application… (The Hacker News)
September 14, 2023 – General
Latest Fraud Schemes Targeting the Payments Ecosystem
Abstract
Threat actors are utilizing advanced techniques such as malvertising and SEO to conduct sophisticated fraud schemes, targeting authentication processes and exploiting technical misconfigurations, according to a report by Visa. (Cyware)
September 14, 2023 – Breach
Free Download Manager Site Compromised to Distribute Linux Malware to Users for 3+ Years
Abstract
A download manager site served Linux users malware that stealthily stole passwords and other sensitive information for more than three years as part of a supply chain attack. The modus operandi entailed establishing a reverse shell to an actor-controlled server and installing a Bash stealer on the compromised system. The campaign, which took place between 2020 and 2022, is no longer active. "This stealer collects data such as system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure)," Kaspersky researchers Georgy Kucherin and Leonid Bezvershenko said. The website in question is freedownloadmanager[.]org, which, according to the Russian cybersecurity firm, offers a legitimate Linux software called "Free Download Manager," but starting in January 2020, began redirecting some users who attempted to download it to another domain deb.fdmpkg[.]… (The Hacker News)
September 14, 2023 – Privacy
Privacy Concerns Cast a Shadow on AI’s Potential for Software Development
Abstract
Organizations prioritize privacy and protection of intellectual property when adopting AI tools, with concerns about AI-generated code introducing security vulnerabilities and lacking copyright protection, according to GitLab. (Cyware)
September 14, 2023 – Education
Avoid These 5 IT Offboarding Pitfalls
Abstract
Employee offboarding is no one's favorite task, yet it is a critical IT process that needs to be executed diligently and efficiently. That's easier said than done, especially considering that IT organizations have less visibility and control over employees' IT use than ever. Today, employees can easily adopt new cloud and SaaS applications whenever and wherever they want, and the old IT offboarding playbook of "disable AD account, forward email, recover and wipe device, and call it a day" is no longer enough. Here, we'll cover five of the most common pitfalls of IT offboarding in a SaaS-first world, along with advice on how to navigate around them.
Pitfall #1: Suspending or deleting the email account before completing other critical steps. It may seem logical to suspend or delete the employees' Google Workspace or Microsoft 365 account as the first step in the offboarding process. However, this will make the account inaccessible to everyone, even admins, which could interfere w… (The Hacker News)
September 14, 2023 – Breach
Pennsylvania County Experiences Security Breach With Jail Employee Email
Abstract
A cyber event last month may have affected the security of some information maintained by Butler County. County officials say they found out on August 8th that an email account related to the County jail was sending unauthorized spam emails. (Cyware)
September 14, 2023 – Vulnerabilities
N-Able’s Take Control Agent Vulnerability Exposes Windows Systems to Privilege Escalation
Abstract
A high-severity security flaw has been disclosed in N-Able's Take Control Agent that could be exploited by a local unprivileged attacker to gain SYSTEM privileges. Tracked as CVE-2023-27470 (CVSS score: 8.8), the issue relates to a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability, which, when successfully exploited, could be leveraged to delete arbitrary files on a Windows system. The security shortcoming, which impacts versions 7.0.41.1141 and prior, has been addressed in version 7.0.43 released on March 15, 2023, following responsible disclosure by Mandiant on February 27, 2023. Time-of-Check to Time-of-Use falls under a category of software flaws wherein a program checks the state of a resource for a specific value, but that value changes before it's actually used, effectively invalidating the results of the check. An exploitation of such a flaw can result in a loss of integrity and trick the program into performing actions that it shouldn't… (The Hacker News)
September 14, 2023 – Government
White House Urging Dozens of Countries to Publicly Commit to Not Pay Ransoms
Abstract
The U.S. National Security Council (NSC) is urging the governments of all countries participating in the International Counter Ransomware Initiative (CRI) to issue a joint statement announcing they will not pay ransoms to cybercriminals. (Cyware)
September 14, 2023 – Government
Federal Agency Warns Healthcare Sector of Akira Ransomware Threats
Abstract
Federal authorities are warning the health sector about threats posed by Akira, a RaaS group that surfaced about six months ago and has been linked to several dozen attacks on predominately small and midsized entities across many industries. (Cyware)
September 14, 2023 – Malware
Exiled Russian Journalist’s Phone Hacked With Pegasus Spyware
Abstract
The notorious spyware was reportedly installed on the iPhone of Galina Timchenko, owner of the Russian independent media outlet Meduza, while she was in Berlin for a private conference with other Russian independent journalists living in exile. (Cyware)
September 14, 2023 – Malware
RedLine and Vidar Stealers Abuse EV Certificates, Shift to Ransomware Payloads
Abstract
Threat actors are using EV code signing certificates to distribute both information-stealing malware and ransomware, indicating a streamlining of operations and the need for stronger security measures. (Cyware)
September 14, 2023 – Phishing
BatLoader Unleashed in Ongoing Webex Malvertising Campaign
Abstract
A new malvertising campaign has surfaced, targeting corporate users downloading popular web conferencing software Cisco Webex with BatLoader. Webex itself has not been compromised; rather, threat actors are exploiting brand impersonation to distribute the malware. The malicious ad impersonating it… (Cyware)
September 14, 2023 – General
Record Number of Cyberattacks Targeting Critical IT Infrastructure Reported to UK Government This Year
Abstract
While the total count of attacks might seem low — just 13 that affected organizations operating critical technology services — the number marks a significant increase from the four disruptions the sector recorded in 2022 and 2021. (Cyware)
September 14, 2023 – Breach
Russian Journalist’s iPhone Compromised by NSO Group’s Zero-Click Spyware
Abstract
The iPhone belonging to Galina Timchenko, a prominent Russian journalist and critic of the government, was compromised with NSO Group's Pegasus spyware, a new collaborative investigation from Access Now and the Citizen Lab has revealed. The infiltration is said to have happened on or around February 10, 2023. Timchenko is the executive editor and owner of Meduza, an independent news publication based in Latvia. It's currently not clear who deployed the malware on the device. The Washington Post reported that the Russian government is not a client of NSO Group, citing an unnamed person familiar with the company's operations. "During the infection her device was localized to the GMT+1 timezone, and she reports being in Berlin, Germany," the Citizen Lab said. "The day following the infection she was scheduled to attend a private meeting with other heads of Russian independent media exiled in Europe to discuss how to manage threats and censorship by P… (The Hacker News)
September 13, 2023 – Breach
Caesars Reportedly Paid Cyber Ransom, MGM Credit Rating Vulnerable Following Hack
Abstract
News of cyber breaches afflicting Las Vegas Strip casino operators is getting worse. Just two days after MGM Resorts International (NYSE: MGM) confirmed it was the victim of a wide-ranging cyber attack, rival Caesars Entertainment (NASDAQ: CZR) will reportedly soon tell investors it was the target of a ransomware crime. (Cyware)
September 13, 2023 – Government
US Cyber Command Wrapped Second ‘Hunt Forward’ Mission to Lithuania
Abstract
Members of the command’s Cyber National Mission Force (CNMF) worked for months alongside experts from Lithuania’s Information Technology and Communications Department, which is part of the country’s Ministry of the Interior. (Cyware)
September 13, 2023 – Vulnerabilities
Alert: New Kubernetes Vulnerabilities Enable Remote Attacks on Windows Endpoints
Abstract
Three interrelated high-severity security flaws discovered in Kubernetes could be exploited to achieve remote code execution with elevated privileges on Windows endpoints within a cluster. The issues, tracked as CVE-2023-3676, CVE-2023-3893, and CVE-2023-3955, carry CVSS scores of 8.8 and impact all Kubernetes environments with Windows nodes. Fixes for the vulnerabilities were released on August 23, 2023, following responsible disclosure by Akamai on July 13, 2023. "The vulnerability allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster," Akamai security researcher Tomer Peled said in a technical write-up shared with The Hacker News. "To exploit this vulnerability, the attacker needs to apply a malicious YAML file on the cluster." Amazon Web Services (AWS), Google Cloud, and Microsoft Azure have all released advisories for the bugs, which affect the following versions of Kubelet - kubelet < v1.28… (The Hacker News)
September 13, 2023 – Vulnerabilities
High-Profile CVEs Turn up in Vulnerability Exploit Sales
Abstract
Three reported purchases of vulnerability exploits on the dark web during the first half of the year included high-profile, actively exploited CVEs, according to research by Flashpoint. (Cyware)
September 13, 2023 – Vulnerabilities
Researchers Detail 8 Vulnerabilities in Azure HDInsight Analytics Service
Abstract
More details have emerged about a set of now-patched cross-site scripting (XSS) flaws in the Microsoft Azure HDInsight open-source analytics service that could be weaponized by a threat actor to carry out malicious activities. "The identified vulnerabilities consisted of six stored XSS and two reflected XSS vulnerabilities, each of which could be exploited to perform unauthorized actions, varying from data access to session hijacking and delivering malicious payloads," Orca security researcher Lidor Ben Shitrit said in a report shared with The Hacker News. The issues were addressed by Microsoft as part of its Patch Tuesday updates for August 2023. The disclosure comes three months after similar shortcomings were reported in the Azure Bastion and Azure Container Registry that could have been exploited for unauthorized data access and modifications. The list of flaws is as follows:
- CVE-2023-35393 (CVSS score: 4.5) - Azure Apache Hive Spoofing Vulnerability
- CV… (The Hacker News)
September 13, 2023 – Malware
Newly Discovered MetaStealer Malware Targets macOS Users
Abstract
A new MetaStealer malware has surfaced in the wild, targeting macOS business users. Written in Golang, the malware is distributed via social engineering tactics, where attackers pose as fake design clients and lure victims into executing malicious payloads. Apple’s XProtect update v2170 contains a… (Cyware)
September 13, 2023 – Solution
Webinar: Identity Threat Detection & Response (ITDR) – Rips in Your Identity Fabric
Abstract
In today's digital age, SaaS applications have become the backbone of modern businesses. They streamline operations, enhance productivity, and foster innovation. But with great power comes great responsibility. As organizations integrate more SaaS applications into their workflows, they inadvertently open the door to a new era of security threats. The stakes? Your invaluable data and the trust of your stakeholders. Historically, SaaS security was about managing misconfigurations. But the landscape has evolved. Now, it's not just about securing the software; it's about safeguarding the very essence of digital identity. Identity is the new endpoint. If you're not focusing on securing user identity, you're leaving a gaping hole in your security strategy. Traditional threat detection and identity management methods? They're just the tip of the iceberg. To truly fortify your SaaS ecosystem, you need to delve deeper. Enter Maor Bin, the visionary CEO of Adaptive… (The Hacker News)
September 13, 2023 – Government
Ransomware: It Takes A Village, Says the UK NCSC
Abstract
Stopping the ransomware epidemic is less about tackling individual crypto-locking malware variants and more about combating the entire ecosystem of bad actors underpinning digital extortion, the British government said Monday. (Cyware)
September 13, 2023 – Ransomware
Rust-Written 3AM Ransomware: A Sneak Peek into a New Malware Family
Abstract
A new ransomware family called 3AM has emerged in the wild after it was detected in a single incident in which an unidentified affiliate deployed the strain following an unsuccessful attempt to deliver LockBit (attributed to Bitwise Spider or Syrphid) in the target network. "3AM is written in Rust and appears to be a completely new malware family," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News. "The ransomware attempts to stop multiple services on the infected computer before it begins encrypting files. Once encryption is complete, it attempts to delete Volume Shadow (VSS) copies." 3AM gets its name from the fact that it's referenced in the ransom note. It also appends encrypted files with the extension .threeamtime. That said, it's currently not known if the malware authors have any connections with known e-crime groups. In the attack spotted by Symantec, the adversary is said to have managed to… (The Hacker News)
September 13, 2023 – Breach
Nearly 15,000 Accounts Raided at Automaker Sites to Harvest Vehicle IDs
Abstract
Attackers appear to have deployed bots to break into customer accounts at several large automakers, then harvested important information about thousands of individual vehicles and offered it for sale in private Telegram channels, researchers said. (Cyware)
September 13, 2023 – Education
How Cyberattacks Are Transforming Warfare Full Text
Abstract
There is a new battlefield. It is global and challenging to defend. What began with a high-profile incident back in 2007, when Estonia was hit by hackers targeting its government and commercial sector, has evolved into cyber warfare that is being waged constantly worldwide. Today, cyberattacks have become the norm, transforming how we think about war and international conflict as a whole. From the 2009 South Korea DDoS attacks to the 2010 attacks on Burma and the 2016 US election interference attacks on the Democratic National Committee, the list of historical cyberwarfare incidents continues to expand. The main players? Nation-state-supported cybercriminal groups and organizations linked to Russia, North Korea, China, and several countries in the Middle East. This report dives into three top cyberwarfare trends in an effort to understand their impact. Russia: The Cyber Invasion of Ukraine On August 31, 2023, Five Eyes Agency — an intelligence alliance network composed of agencieThe Hacker News
September 13, 2023 – Business
CertifID, Which Develops Products To Prevent Wire Fraud, Raises $20M Full Text
Abstract
The real estate fraud prevention startup CertifID has raised $20 million in a funding round led by Arthur Ventures, bringing its valuation to over double its previous value.Cyware
September 13, 2023 – Phishing
Microsoft Warns of New Phishing Campaign Targeting Corporations via Teams Messages Full Text
Abstract
Microsoft is warning of a new phishing campaign undertaken by an initial access broker that involves using Teams messages as lures to infiltrate corporate networks. The tech giant's Threat Intelligence team is tracking the cluster under the name Storm-0324, which is also known by the monikers TA543 and Sagrid. "Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats," the company said, adding the development marks a shift from using email-based initial infection vectors for initial access. Storm-0324 operates in the cybercriminal economy as a payload distributor, offering a service that allows for the propagation of various payloads using evasive infection chains. This includes a mix of downloaders, banking trojans, ransomware, and modular toolkits such as Nymaim, Gozi, TrickBot, IcedID, Gootkit, Dridex, Sage, GandCrab, and JSSLoader. Attack sequences mounted by the aThe Hacker News
September 13, 2023 – Attack
Stealthy Remcos Malware Attack Campaign Takes Aim at Colombian Firms Full Text
Abstract
The attackers employed highly obfuscated BAT files and multi-layered obfuscation techniques to evade detection and load the Remcos malware into memory, bypassing traditional antivirus and endpoint security solutions.Cyware
September 13, 2023 – Cryptocurrency
CoinEx Exchange Loses $27 Million Worth of Crypto in Suspected Hack Full Text
Abstract
A CoinEx hot wallet transferred $27 million of various tokens to a wallet with no previous history in what the exchange’s team has referred to as “anomalous withdrawals.”Cyware
September 13, 2023 – Vulnerabilities
Microsoft Patches a Pair of Actively Exploited Zero-Days Full Text
Abstract
In total, Microsoft released 59 new patches addressing bugs across its product gamut. They affect Microsoft Windows, Exchange Server, Office, .NET and Visual Studio, Azure, Microsoft Dynamics, and Windows Defender.Cyware
September 13, 2023 – Breach
Redfly Group Compromised National Power Grid in Six-Months-Long Campaign Full Text
Abstract
The Redfly threat actor group used the ShadowPad Trojan to compromise a national grid in an Asian country, stealing credentials and maintaining a presence for up to six months.Cyware
September 13, 2023 – Vulnerabilities
Microsoft Releases Patch for Two New Actively Exploited Zero-Day Flaws Full Text
Abstract
Microsoft has released software fixes to remediate 59 bugs spanning its product portfolio, including two zero-day flaws that have been actively exploited by malicious cyber actors. Of the 59 vulnerabilities, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity. The update is in addition to 35 flaws patched in the Chromium-based Edge browser since last month's Patch Tuesday edition, which also encompasses a fix for CVE-2023-4863, a critical heap buffer overflow flaw in the WebP image format. The two Microsoft vulnerabilities that have come under active exploitation in real-world attacks are listed below - CVE-2023-36761 (CVSS score: 6.2) - Microsoft Word Information Disclosure Vulnerability CVE-2023-36802 (CVSS score: 7.8) - Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability "Exploiting this vulnerability could allow the disclosure of NTLM hashes," the Windows maker said in an advisory about CVE-2023-3The Hacker News
September 13, 2023 – Vulnerabilities
Update Adobe Acrobat and Reader to Patch Actively Exploited Vulnerability Full Text
Abstract
Adobe's Patch Tuesday update for September 2023 comes with a patch for a critical actively exploited security flaw in Acrobat and Reader that could permit an attacker to execute malicious code on susceptible systems. The vulnerability, tracked as CVE-2023-26369, is rated 7.8 for severity on the CVSS scoring system and impacts both Windows and macOS versions of Acrobat DC, Acrobat Reader DC, Acrobat 2020, and Acrobat Reader 2020. Described as an out-of-bounds write, successful exploitation of the bug could lead to code execution by opening a specially crafted PDF document. Adobe did not disclose any additional details about the issue or the targeting involved. "Adobe is aware that CVE-2023-26369 has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader," the company acknowledged in an advisory. CVE-2023-26369 affects the below versions - Acrobat DC (23.003.20284 and earlier versions) - Fixed in 23.006.20320 Acrobat Reader DC (23.003.The Hacker News
September 13, 2023 – Vulnerabilities
Mozilla Rushes to Patch WebP Critical Zero-Day Exploit in Firefox and Thunderbird Full Text
Abstract
Mozilla on Tuesday released security updates to resolve a critical zero-day vulnerability in Firefox and Thunderbird that has been actively exploited in the wild, a day after Google released a fix for the issue in its Chrome browser. The shortcoming, assigned the identifier CVE-2023-4863, is a heap buffer overflow flaw in the WebP image format that could result in arbitrary code execution when processing a specially crafted image. "Opening a malicious WebP image could lead to a heap buffer overflow in the content process," Mozilla said in an advisory. "We are aware of this issue being exploited in other products in the wild." According to the description on the National Vulnerability Database (NVD), the flaw could allow a remote attacker to perform an out-of-bounds memory write via a crafted HTML page. Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at the University of Toronto's Munk School have been credited with reporting the sThe Hacker News
September 12, 2023 – General
Ransomware Attacks Hit Record Level in UK, According To Neglected Official Data Full Text
Abstract
Reported ransomware attacks on organizations in the UK reached record levels last year, when criminals compromised data on potentially over 5.3 million people from over 700 organizations, according to a dataset published by the ICO.Cyware
September 12, 2023 – Vulnerabilities
Critical GitHub Vulnerability Exposes 4,000+ Repositories to Repojacking Attack Full Text
Abstract
A new vulnerability disclosed in GitHub could have exposed thousands of repositories to repojacking attacks, new findings show. The flaw "could allow an attacker to exploit a race condition within GitHub's repository creation and username renaming operations," Checkmarx security researcher Elad Rapoport said in a technical report shared with The Hacker News. "Successful exploitation of this vulnerability impacts the open-source community by enabling the hijacking of over 4,000 code packages in languages such as Go, PHP, and Swift, as well as GitHub actions." Following responsible disclosure on March 1, 2023, the Microsoft-owned code hosting platform has addressed the issue as of September 1, 2023. Repojacking, short for repository hijacking, is a technique where a threat actor is able to bypass a security mechanism called popular repository namespace retirement and ultimately take control of a repository. What the protection measure does is prevenThe Hacker News
September 12, 2023 – Business
DFIR Company Binalyze Raises $19 Million in Series A Funding Full Text
Abstract
The new funding round, which brings the total raised by Binalyze to $30.5 million, was led by Molten Ventures, with participation from Earlybird Digital East, OpenOcean, Cisco Investments, Citi Ventures, and Deutsche Bank Corporate Venture Capital.Cyware
September 12, 2023 – Education
7 Steps to Kickstart Your SaaS Security Program Full Text
Abstract
SaaS applications are the backbone of modern businesses, constituting a staggering 70% of total software usage. Applications like Box, Google Workspace, and Microsoft 365 are integral to daily operations. This widespread adoption has transformed them into potential breeding grounds for cyber threats. Each SaaS application presents unique security challenges, and the landscape constantly evolves as vendors enhance their security features. Moreover, the dynamic nature of user governance, including onboarding, deprovisioning, and role adjustments, further complicates the security equation. With great convenience comes great responsibility, as securing these SaaS applications has become a top priority for Chief Information Security Officers (CISOs) and IT teams worldwide. Effectively securing SaaS applications requires a delicate balance between robust security measures and enabling users to perform their tasks efficiently. To navigate this complex terrain, this article excerpts a stepThe Hacker News
September 12, 2023 – Criminals
BianLian Ransomware Gang Claims to Have Hit Save The Children Full Text
Abstract
Cybercrime crew BianLian claims to have broken into the IT systems of a top non-profit and stolen a ton of files, including what the miscreants claim is financial, health, and medical data.Cyware
September 12, 2023 – Breach
Chinese Redfly Group Compromised a Nation’s Critical Grid in 6-Month ShadowPad Campaign Full Text
Abstract
A threat actor called Redfly has been linked to a compromise of a national grid located in an unnamed Asian country for as long as six months earlier this year using a known malware referred to as ShadowPad. "The attackers managed to steal credentials and compromise multiple computers on the organization's network," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News. "The attack is the latest in a series of espionage intrusions against [critical national infrastructure] targets." ShadowPad, also known as PoisonPlug, is a follow-up to the PlugX remote access trojan and is a modular implant capable of loading additional plugins dynamically from a remote server as required to harvest sensitive data from breached networks. It has been widely used by a growing list of China-nexus nation-state groups since at least 2019 in attacks aimed at organizations in various industry verticals. "ShadowPad is decThe Hacker News
September 12, 2023 – Business
Cleafy Raises $10.7 Million for Online Banking Fraud Prevention Platform Full Text
Abstract
Online banking fraud detection and prevention firm Cleafy today announced that it has raised €10 million ($10.7 million) in its first funding round, which was led by United Ventures.Cyware
September 12, 2023 – Phishing
Sophisticated Phishing Campaign Deploying Agent Tesla, OriginBotnet, and RedLine Clipper Full Text
Abstract
A sophisticated phishing campaign is using a Microsoft Word document lure to distribute a trifecta of threats, namely Agent Tesla, OriginBotnet, and RedLine Clipper, to gather a wide range of information from compromised Windows machines. "A phishing email delivers the Word document as an attachment, presenting a deliberately blurred image and a counterfeit reCAPTCHA to lure the recipient into clicking on it," Fortinet FortiGuard Labs researcher Cara Lin said. Clicking on the image leads to the delivery of a loader from a remote server that, in turn, is designed to distribute OriginBotnet for keylogging and password recovery, RedLine Clipper for cryptocurrency theft, and Agent Tesla for harvesting sensitive information. The loader, written in .NET, employs a technique called binary padding by adding null bytes to increase the file's size to 400 MB in an attempt to evade detection by security software. The activation of the loader triggers a multi-stage process to estThe Hacker News
September 12, 2023 – Malware
OriginBotnet, RedLine Clipper, and AgentTesla Distributed Via Phishing Emails Full Text
Abstract
A dark cloud of threats hovers over Windows users as security researchers uncovered a phishing campaign delivering Agent Tesla, OriginBotnet, and RedLine Clipper via maldocs. Attackers can extract a wide range of data from compromised systems, such as credentials, crypto wallet data, and other sens ... Cyware
September 12, 2023 – Malware
Beware: MetaStealer Malware Targets Apple macOS in Recent Attacks Full Text
Abstract
A new information stealer malware called MetaStealer has set its sights on Apple macOS, making it the latest in a growing list of stealer families focused on the operating system after Stealer, Pureland, Atomic Stealer, and Realst. "Threat actors are proactively targeting macOS businesses by posing as fake clients in order to socially engineer victims into launching malicious payloads," SentinelOne security researcher Phil Stokes said in a Monday analysis. In these attacks, MetaStealer is distributed in the form of rogue application bundles in the disk image format (DMG), with targets approached through threat actors posing as prospective design clients in order to share a password-protected ZIP archive containing the DMG file. Other instances have involved the malware masquerading as Adobe files or installers for Adobe Photoshop. Evidence gathered so far shows that MetaStealer artifacts began appearing in the wild in March 2023. The most recent sample was uploadeThe Hacker News
September 12, 2023 – Malware
New Family of Obfuscated Go Info-stealers ‘MetaStealer’ Spread in Targeted Attacks Full Text
Abstract
Unlike other recent macOS malware, MetaStealer relies on social engineering tactics to persuade victims to launch malicious payloads, often disguised as legitimate files or software.Cyware
September 12, 2023 – Vulnerabilities
Google Rushes to Patch Critical Chrome Vulnerability Exploited in the Wild - Update Now Full Text
Abstract
Google on Monday rolled out out-of-band security patches to address a critical security flaw in its Chrome web browser that it said has been exploited in the wild. Tracked as CVE-2023-4863, the issue has been described as a case of heap buffer overflow that resides in the WebP image format that could result in arbitrary code execution or a crash. Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at The University of Toronto's Munk School have been credited with discovering and reporting the flaw on September 6, 2023. The tech giant has yet to disclose additional details about the nature of the attacks, but noted that it's "aware that an exploit for CVE-2023-4863 exists in the wild." With the latest fix, Google has addressed a total of four zero-day vulnerabilities in Chrome since the start of the year - CVE-2023-2033 (CVSS score: 8.8) - Type Confusion in V8 CVE-2023-2136 (CVSS score: 9.6) - Integer overflow in Skia CVE-2023-3079The Hacker News
September 12, 2023 – Government
CISA Adds Recently Discovered Apple Zero-Days to Known Exploited Vulnerabilities Catalog Full Text
Abstract
The Cybersecurity and Infrastructure Security Agency (CISA) added the security vulnerabilities chained in the zero-click iMessage exploit BLASTPASS to its Known Exploited Vulnerabilities Catalog.Cyware
September 12, 2023 – Denial Of Service
After Microsoft and X, Hackers Launch DDoS Attack on Telegram Full Text
Abstract
The hacker group Anonymous Sudan has launched a distributed denial-of-service (DDoS) attack against Telegram in retaliation to the messaging platform’s decision to suspend their primary account, threat intelligence firm SOCRadar reports.Cyware
September 11, 2023 – Outage
MGM Resorts shuts down IT systems after cyberattack Full Text
Abstract
MGM Resorts International disclosed today that it is dealing with a cybersecurity issue that impacted some of its systems, including its main website, online reservations, and in-casino services, like ATMs, slot machines, and credit card machines.Bleeping Computer
September 11, 2023 – General
Some of the Top Universities Wouldn’t Pass Cybersecurity Exam: Left Websites Vulnerable Full Text
Abstract
Many universities worldwide, including some of the most prestigious, leave their webpages unpatched, leaking sensitive information, and even open to full takeovers, a Cybernews Research team investigation reveals.Cyware
September 11, 2023 – Phishing
Vietnamese Hackers Deploy Python-Based Stealer via Facebook Messenger Full Text
Abstract
A new phishing attack is leveraging Facebook Messenger to propagate messages with malicious attachments from a "swarm of fake and hijacked personal accounts" with the ultimate goal of taking over the targets' accounts. "Originating yet again from a Vietnamese-based group, this campaign uses a tiny compressed file attachment that packs a powerful Python-based stealer dropped in a multi-stage process full of simple yet effective obfuscation methods," Guardio Labs researcher Oleg Zaytsev said in an analysis published over the weekend. In these attacks, dubbed MrTonyScam, potential victims are sent messages that entice them into clicking on the RAR and ZIP archive attachments, leading to the deployment of a dropper that fetches the next-stage from a GitHub or GitLab repository. This payload is another archive file that contains a CMD file, which, in turn, harbors an obfuscated Python-based stealer to exfiltrate all cookies and login credentials from differentThe Hacker News
September 11, 2023 – Vulnerabilities
Vulnerabilities Allow Hackers to Hijack, Disrupt Socomec UPS Devices Full Text
Abstract
Aaron Flecha Menendez, an ICS security consultant at Spain-based cybersecurity firm S21sec, discovered that some Socomec UPS devices, specifically MODULYS GP (MOD3GP-SY-120K), are affected by seven vulnerabilities.Cyware
September 11, 2023 – Attack
Charming Kitten’s New Backdoor ‘Sponsor’ Targets Brazil, Israel, and U.A.E. Full Text
Abstract
The Iranian threat actor known as Charming Kitten has been linked to a new wave of attacks targeting different entities in Brazil, Israel, and the U.A.E. using a previously undocumented backdoor named Sponsor. Slovak cybersecurity firm ESET is tracking the cluster under the name Ballistic Bobcat. Victimology patterns suggest that the group primarily singles out education, government, and healthcare organizations, as well as human rights activists and journalists. At least 34 victims of Sponsor have been detected to date, with the earliest instances of deployment dating back to September 2021. "The Sponsor backdoor uses configuration files stored on disk," ESET researcher Adam Burgher said in a new report published today. "These files are discreetly deployed by batch files and deliberately designed to appear innocuous, thereby attempting to evade detection by scanning engines." The campaign, dubbed Sponsoring Access, involves obtaining initial access by opportThe Hacker News
September 11, 2023 – General
Report: 75% of Education Sector Attacks Linked to Compromised Accounts Full Text
Abstract
According to a report by Netwrix, 69% of organizations in the education sector have experienced a cyberattack in the past year. Phishing and user account compromise were the most common attack methods in this sector.Cyware
September 11, 2023 – Education
How to Prevent API Breaches: A Guide to Robust Security Full Text
Abstract
With the growing reliance on web applications and digital platforms, the use of application programming interfaces (APIs) has become increasingly popular. If you aren't familiar with the term, APIs allow applications to communicate with each other and they play a vital role in modern software development. However, the rise of API use has also led to an increase in the number of API breaches. These breaches occur when unauthorized individuals or systems gain access to an API and the data it contains. And as victims can attest, breaches can have devastating consequences for both businesses and individuals. One of the primary concerns with API breaches is the exposure of sensitive data. APIs often contain or provide access to personal or financial information, and if this data falls into the wrong hands, it can be used for fraudulent activities or identity theft. API breaches can also lead to severe reputational damage for businesses. Customers and stakeholders expect their informatioThe Hacker News
September 11, 2023 – Malware
New HijackLoader Malware Used to Distribute Various Malware Families Full Text
Abstract
A new malware loader known as HijackLoader has gained popularity among cybercriminals for distributing various payloads, including DanaBot, SystemBC, and RedLine Stealer. HijackLoader uses a modular architecture that lets threat actors perform code injection and execution. Organizations m ... Cyware
September 11, 2023 – Solution
Google Chrome Rolls Out Support for ‘Privacy Sandbox’ to Bid Farewell to Tracking Cookies Full Text
Abstract
Google has officially begun its rollout of Privacy Sandbox in the Chrome web browser to a majority of its users, nearly four months after it announced the plans. "We believe it is vital to both improve privacy and preserve access to information, whether it's news, a how-to-guide, or a fun video," Anthony Chavez, vice president of Privacy Sandbox initiatives at Google, said. "Without viable privacy-preserving alternatives to third-party cookies, such as the Privacy Sandbox, we risk reducing access to information for all users, and incentivizing invasive tactics such as fingerprinting." To that end, the search giant is initially leaving nearly three percent of users unaffected by the change in order to conduct sufficient tests. General availability is expected to encompass all users in the coming months. Privacy Sandbox is Google's umbrella term for a set of technologies that aim to eliminate third-party tracking cookies on the web and replace themThe Hacker News
September 11, 2023 – Outage
Rhysida Ransomware Gang Claims to Have Hacked Three More US Hospitals Full Text
Abstract
The Singing River Health System, which operates three hospitals and 10 clinics, experienced a cyberattack that disrupted various services, including laboratory and radiology testing.Cyware
September 11, 2023 – Attack
Cybercriminals Using PowerShell to Steal NTLMv2 Hashes from Compromised Windows Full Text
Abstract
A new cyber attack campaign is leveraging the PowerShell script associated with a legitimate red teaming tool to plunder NTLMv2 hashes from compromised Windows systems primarily located in Australia, Poland, and Belgium. The activity has been codenamed Steal-It by Zscaler ThreatLabz. "In this campaign, the threat actors steal and exfiltrate NTLMv2 hashes using customized versions of Nishang's Start-CaptureServer PowerShell script, executing various system commands, and exfiltrating the retrieved data via Mockbin APIs," security researchers Niraj Shivtarkar and Avinash Kumar said. Nishang is a framework and collection of PowerShell scripts and payloads for offensive security, penetration testing, and red teaming. The attacks leverage as many as five different infection chains, although they all leverage phishing emails containing ZIP archives as the starting point to infiltrate specific targets using geofencing techniques - NTLMv2 hash stealing infection chaiThe Hacker News
September 11, 2023 – General
Generative AI, Contactless Tech Make Hotels Vulnerable to Cyberattacks Full Text
Abstract
The transition to mobile and contactless services in the hospitality industry is making hotels more vulnerable to cyber threats, according to a report from Trustwave SpiderLabs.Cyware
September 11, 2023 – Malware
New HijackLoader Modular Malware Loader Making Waves in the Cybercrime World Full Text
Abstract
A new malware loader called HijackLoader is gaining traction among the cybercriminal community to deliver various payloads such as DanaBot, SystemBC, and RedLine Stealer. "Even though HijackLoader does not contain advanced features, it is capable of using a variety of modules for code injection and execution since it uses a modular architecture, a feature that most loaders do not have," Zscaler ThreatLabz researcher Nikolaos Pantazopoulos said. First observed by the company in July 2023, the malware employs a number of techniques to fly under the radar. This involves using syscalls to evade monitoring from security solutions, monitoring processes associated with security software based on an embedded blocklist, and putting off code execution by as much as 40 seconds at different stages. The exact initial access vector used to infiltrate targets is currently not known. The anti-analysis aspects notwithstanding, the loader packs in a main instrumentation module thatThe Hacker News
September 11, 2023 – Government
CISA Director Says Critical Infrastructure Cyber Incident Reporting Rules Almost Ready Full Text
Abstract
Final work is underway for the Cyber Incident Reporting for Critical Infrastructure Act, which CISA Director Jen Easterly expects to be done by the end of the year or early 2024 at the latest, she said at the Billington Cybersecurity Summit.Cyware
September 9, 2023 – Phishing
New Phishing Campaign Launched via Google Looker Studio Full Text
Abstract
As part of the observed attacks, threat actors are using Google Looker Studio to create fake crypto pages that are then delivered to the intended victims in emails sent from the legitimate tool itself.Cyware
September 09, 2023 – Malware
Millions Infected by Spyware Hidden in Fake Telegram Apps on Google Play Full Text
Abstract
Spyware masquerading as modified versions of Telegram has been spotted in the Google Play Store that's designed to harvest sensitive information from compromised Android devices. According to Kaspersky security researcher Igor Golovin, the apps come with nefarious features to capture and exfiltrate names, user IDs, contacts, phone numbers, and chat messages to an actor-controlled server. The activity has been codenamed Evil Telegram by the Russian cybersecurity company. The apps have been collectively downloaded millions of times before they were taken down by Google. Their details are as follows - 電報,紙飛機-TG繁體中文版 or 電報,小飛機-TG繁體中文版 (org.telegram.messenger.wab) - 10 million+ downloads TG繁體中文版-電報,紙飛機 (org.telegram.messenger.wab) - 50,000+ downloads 电报,纸飞机-TG简体中文版 (org.telegram.messenger.wob) - 50,000+ downloads 电报,纸飞机-TG简体中文版 (org.tgcn.messenger.wob) - 10,000+ downloads ئۇيغۇر تىلى TG - تېلېگرامما (org.telegram.messenger.wcb) - 100+ downloads The last app on the list tranThe Hacker News
September 9, 2023 – Policy and Law
UK and US Sanction 11 Russians Connected to Notorious Trickbot Group Full Text
Abstract
The individuals targeted by the sanctions “include key actors involved in management and procurement for the Trickbot group, which has ties to Russian intelligence services,” according to the U.S. Treasury.Cyware
September 09, 2023 – Cryptocurrency
Cybercriminals Weaponizing Legitimate Advanced Installer Tool in Crypto-Mining Attacks Full Text
Abstract
A legitimate Windows tool used for creating software packages called Advanced Installer is being abused by threat actors to drop cryptocurrency-mining malware on infected machines since at least November 2021. "The attacker uses Advanced Installer to package other legitimate software installers, such as Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro, with malicious scripts and uses Advanced Installer's Custom Actions feature to make the software installers execute the malicious scripts," Cisco Talos researcher Chetan Raghuprasad said in a technical report. The nature of the applications trojanized indicates that the victims likely span architecture, engineering, construction, manufacturing, and entertainment sectors. The software installers predominantly use the French language, a sign that French-speaking users are being singled out. This campaign is strategic in that these industries rely on computers with high Graphics Processing Unit (GPU) power for tThe Hacker News
September 9, 2023 – Attack
Active North Korean Campaign Targeting Security Researchers Full Text
Abstract
A new campaign has been discovered with similarities to a previous campaign, including the use of social media sites to build rapport with targets. The threat actors then engage in encrypted messaging and send a malicious file with a 0-day exploit.Cyware
September 9, 2023 – Government
CISA, FBI, and CNMF Release Advisory on Multiple Nation-State Threat Actors Exploiting CVE-2022-47966 and CVE-2022-42475 Full Text
Abstract
CISA, FBI, and CNMF confirmed that nation-state APT actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network.Cyware
September 9, 2023 – Malware
Weaponized Windows Installers Target Graphic Designers in Crypto Heist Full Text
Abstract
Attackers execute malicious scripts through a feature of the installer called Custom Action, dropping several payloads — including the M3_Mini_Rat client stub backdoor, Ethereum mining malware PhoenixMiner, and multi-coin mining threat lolMiner.Cyware
September 8, 2023 – Business
Check Point Buys Startup Atmosec to Secure SaaS Applications Full Text
Abstract
Check Point Software plans to purchase Atmosec, an early-stage SaaS security startup founded by former Armis leaders to anticipate and block threats from malicious applications.Cyware
September 08, 2023 – Criminals
U.K. and U.S. Sanction 11 Russia-based Trickbot Cybercrime Gang Members Full Text
Abstract
The U.K. and U.S. governments on Thursday sanctioned 11 individuals who are alleged to be part of the notorious Russia-based TrickBot cybercrime gang. "Russia has long been a safe haven for cybercriminals, including the TrickBot group," the U.S. Treasury Department said , adding it has "ties to Russian intelligence services and has targeted the U.S. Government and U.S. companies, including hospitals." The targets of the sanctions are administrators, managers, developers, and coders who are believed to have provided material assistance in its operations. Their names and roles are as follows - Andrey Zhuykov (aka Adam, Defender, and Dif), senior administrator Maksim Sergeevich Galochkin (aka Bentley, Crypt, Manuel, Max17, and Volhvb), software development and testing Maksim Rudenskiy (aka Binman, Buza, and Silver), team lead for coders Mikhail Tsarev (aka Alexander Grachev, Fr*ances, Ivanov Mixail, Mango, Misha Krutysha, Nikita Andreevich Tsarev, and Super Misha), human resourceThe Hacker News
September 8, 2023 – Outage
Hackers Claim to Publish Prominent Israeli Hospital’s Patient Data Full Text
Abstract
The ransomware attack on Mayanei Hayeshua Medical Center resulted in the shutdown of its administrative computer systems, leading the hospital to redirect new patients and those requiring emergency care to other medical centers.Cyware
September 08, 2023 – Vulnerabilities
Cisco Issues Urgent Fix for Authentication Bypass Bug Affecting BroadWorks Platform Full Text
Abstract
Cisco has released security fixes to address multiple security flaws, including a critical bug, that could be exploited by a threat actor to take control of an affected system or cause a denial-of-service (DoS) condition. The most severe of the issues is CVE-2023-20238, which has the maximum CVSS severity rating of 10.0. It's described as an authentication bypass flaw in the Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform. Successful exploitation of the vulnerability -- a weakness in the single sign-on (SSO) implementation and discovered during internal testing -- could allow an unauthenticated, remote attacker to forge the credentials required to access an affected system. "This vulnerability is due to the method used to validate SSO tokens," Cisco said. "An attacker could exploit this vulnerability by authenticating to the application with forged credentials. A successful exploit could allow the attacker to commit toll fraud or to eThe Hacker News
September 8, 2023 – Vulnerabilities
Hackers Exploit Multiple Bugs in Hotel Booking Platform Full Text
Abstract
Financially motivated hackers developed custom malware to exploit a likely zero-day flaw in popular property management software used by resorts and hotels, said security researchers.Cyware
September 08, 2023 – Attack
Protecting Your Microsoft IIS Servers Against Malware Attacks Full Text
Abstract
Microsoft Internet Information Services (IIS) is a web server software package designed for Windows Server. Organizations commonly use Microsoft IIS servers to host websites, files, and other content on the web. Threat actors increasingly target these Internet-facing resources as low-hanging fruit for finding and exploiting vulnerabilities that facilitate access to IT environments. Recently, a slew of activity by the advanced persistent threat (APT) group Lazarus has focused on finding vulnerable Microsoft IIS servers and infecting them with malware or using them to distribute malicious code. This article describes the details of the malware attacks and offers actionable suggestions for protecting Microsoft IIS servers against them. An Overview on Microsoft IIS Servers IIS was first introduced with Windows NT 3.51 as an optional package back in 1995. Since then, it has seen several iterations, improvements, and features added to align with the evolving Internet, including supportThe Hacker News
September 8, 2023 – Outage
Alleged LockBit Ransomware Attack Shuts Down City Networks in Seville Full Text
Abstract
The council said it will not pay a ransom of $1.5 million demanded by the hackers, according to local media reports. The incident has affected a broad range of city services, including police, firefighters, and tax collection.Cyware
September 08, 2023 – Attack
North Korean Hackers Exploit Zero-Day Bug to Target Cybersecurity Researchers Full Text
Abstract
Threat actors associated with North Korea are continuing to target the cybersecurity community using a zero-day bug in unspecified software over the past several weeks to infiltrate their machines. The findings come from Google's Threat Analysis Group (TAG), which found the adversary setting up fake accounts on social media platforms like X (formerly Twitter) and Mastodon to forge relationships with potential targets and build trust. "In one case, they carried on a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest," security researchers Clement Lecigne and Maddie Stone said. "After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp, or Wire." The social engineering exercise ultimately paved the way for a malicious file containing at least one zero-day in a popular software package. The vulnerability is currently in the process of being fixed. The payload, for its part, perfThe Hacker News
September 8, 2023 – Breach
See Tickets Alerts 300,000 Customers After Another Web Skimmer Attack Full Text
Abstract
In a data breach notification letter sent to the affected individuals, a copy of which was submitted to the Maine Attorney General’s Office, See Tickets says the new attack was identified in May 2023 and completely shut down in July.Cyware
September 8, 2023 – Vulnerabilities
Cisco Patches Critical Vulnerability in BroadWorks Platform Full Text
Abstract
Tracked as CVE-2023-20238, the vulnerability affecting the BroadWorks platform was identified in the SSO implementation and could be exploited by remote, unauthenticated attackers to forge credentials and access affected systems.Cyware
September 8, 2023 – Vulnerabilities
Google Addressed an Actively Exploited Zero-Day in Android Full Text
Abstract
In total, Google has fixed 6 flaws in the Framework module, 14 in the Kernel component, 3 issues in the Qualcomm components, and 9 issues in the Qualcomm closed-source components.Cyware
September 08, 2023 – Government
CISA Warning: Nation-State Hackers Exploit Fortinet and Zoho Vulnerabilities Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned that multiple nation-state actors are exploiting security flaws in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus to gain unauthorized access and establish persistence on compromised systems. "Nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network," according to a joint alert published by the agency, alongside the Federal Bureau of Investigation (FBI) and the Cyber National Mission Force (CNMF). The identities of the threat groups behind the attacks have not been disclosed, although the U.S. Cyber Command (USCYBERCOM) hinted at the involvement of Iranian nation-state crews. The findings are based on an incident response engagement conducted by CISA at an unnamed aeronautical sector organization from FebruarThe Hacker News
September 8, 2023 – Vulnerabilities
Dozens of Unpatched Flaws Expose Security Cameras Made by Defunct Company Zavio Full Text
Abstract
Zavio is a defunct Chinese company, but its security cameras are reportedly still deployed in the United States and Europe, which is why it’s important to raise awareness about the vulnerabilities.Cyware
September 08, 2023 – Vulnerabilities
Apple Rushes to Patch Zero-Day Flaws Exploited for Pegasus Spyware on iPhones Full Text
Abstract
Apple on Thursday released emergency security updates for iOS, iPadOS, macOS, and watchOS to address two zero-day flaws that have been exploited in the wild to deliver NSO Group's Pegasus mercenary spyware. The issues are described as below - CVE-2023-41061 - A validation issue in Wallet that could result in arbitrary code execution when handling a maliciously crafted attachment. CVE-2023-41064 - A buffer overflow issue in the Image I/O component that could result in arbitrary code execution when processing a maliciously crafted image. While CVE-2023-41064 was found by the Citizen Lab at the University of Toronto's Munk School, CVE-2023-41061 was discovered internally by Apple, with "assistance" from the Citizen Lab. The updates are available for the following devices and operating systems - iOS 16.6.1 and iPadOS 16.6.1 - iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generatiThe Hacker News
September 8, 2023 – Malware
New BlueShell Malware Attacks Windows, Linux, and Mac Full Text
Abstract
The BlueShell malware was found being used by various threat actors to target systems running Windows, Linux, and other operating systems in Korea and Thailand. The Dalbit Group, a China-based threat group, has been identified as using a customized version of BlueShell. To mitigate such threats, or ... Read MoreCyware
September 8, 2023 – Malware
New Atomic Stealer Variant Used in a Malvertising Campaign Full Text
Abstract
Researchers at Malwarebytes have identified a new version of the Atomic Stealer macOS malware that employs a technique to bypass the operating system's Gatekeeper security feature. The malware masquerades as the popular TradingView platform. It is important to deploy an antivirus with real-time pro ... Read MoreCyware
September 7, 2023 – Vulnerabilities
NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild Full Text
Abstract
Last week, while checking the device of an individual employed by a Washington DC-based civil society organization with international offices, Citizen Lab found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware.Citizen Lab
September 7, 2023 – Breach
Dunghill Leak Ransomware Gang Claims Credit for Sabre Data Breach Full Text
Abstract
Travel booking giant Sabre said it was investigating claims of a cyberattack after a tranche of files purportedly stolen from the company appeared on an extortion group’s leak site.Cyware
September 07, 2023 – Phishing
Mac Users Beware: Malvertising Campaign Spreads Atomic Stealer macOS Malware Full Text
Abstract
A new malvertising campaign has been observed distributing an updated version of a macOS stealer malware called Atomic Stealer (or AMOS), indicating that it's being actively maintained by its author. An off-the-shelf Golang malware available for $1,000 per month, Atomic Stealer first came to light in April 2023. Shortly after that, new variants with an expanded set of information-gathering features were detected in the wild, targeting gamers and cryptocurrency users. Malvertising via Google Ads has been observed as the primary distribution vector in which users searching for popular software, legitimate or cracked, on search engines are shown bogus ads that direct to websites hosting rogue installers. The latest campaign involves the use of a fraudulent website for TradingView, prominently featuring three buttons to download the software for Windows, macOS, and Linux operating systems. "Both the Windows and Linux buttons point to an MSIX installer hosted on Discord that dropsThe Hacker News
September 7, 2023 – Malware
Mac Users Targeted in New Malvertising Campaign Delivering Atomic Stealer Full Text
Abstract
Attackers are using phishing sites and search engine ads to trick victims into downloading the malware, highlighting the importance of verifying the authenticity of downloaded programs.Cyware
September 07, 2023 – General
The State of the Virtual CISO Report: MSP/MSSP Security Strategies for 2024 Full Text
Abstract
By the end of 2024, the number of MSPs and MSSPs offering vCISO services is expected to grow by almost 5-fold, as can be seen in figure 1. This incredible surge reflects the growing business demand for specialized cybersecurity expertise and the lucrative opportunities for MSPs and MSSPs in vCISO services. Figure 1: Timeline for offering vCISO services The State of the Virtual CISO Survey Report by Global Surveyz, an independent survey company, which was commissioned by Cynomi, provides a deep understanding of the challenges facing MSPs and MSSPs today. The report shares insights from 200 security and IT leaders in MSPs and MSSPs of all sizes, all of which are security-focused. It shines a light on the growing trend of the vCISO offering, including the reasons behind this trend, potential blockers for MSPs/MSSPs and how to overcome them. 480% Expected Increase in vCISO Service Offerings Currently, only 19% of MSPs and MSSPs are offering vCISO services. This relatively low percentThe Hacker News
September 7, 2023 – Breach
Just Kids Dental Says Nearly 130,000 People Affected by Cyberattack Full Text
Abstract
Acadia Health LLC, which does business as Just Kids Dental, in a breach report submitted on September 1 to Maine's attorney general office said the practice's computer systems and network were attacked by a malicious actor on August 2.Cyware
September 07, 2023 – Vulnerabilities
Alert: Apache Superset Vulnerabilities Expose Servers to Remote Code Execution Attacks Full Text
Abstract
Patches have been released to address two new security vulnerabilities in Apache Superset that could be exploited by an attacker to gain remote code execution on affected systems. The update (version 2.1.1) plugs CVE-2023-39265 and CVE-2023-37941, which make it possible to conduct nefarious actions once a bad actor is able to gain control of Superset's metadata database. Outside of these weaknesses, the latest version of Superset also remediates a separate improper REST API permission issue (CVE-2023-36388) that allows for low-privilege users to carry out server-side request forgery (SSRF) attacks. "Superset by design allows privileged users to connect to arbitrary databases and execute arbitrary SQL queries against those databases using the powerful SQLLab interface," Horizon3.ai's Naveen Sunkavally said in a technical write-up. "If Superset can be tricked into connecting to its own metadata database, an attacker can directly read or write application configuration thrThe Hacker News
September 7, 2023 – Breach
Thousands of Popular Websites Found Leaking Secrets, Source Code Full Text
Abstract
An analysis of the exposed credentials by Truffle Security has revealed that AWS and GitHub keys were the most prevalent type of leaked secrets, accounting for 45% of all credentials.Cyware
September 07, 2023 – Botnet
Mirai Botnet Variant ‘Pandora’ Hijacks Android TVs for Cyberattacks Full Text
Abstract
A Mirai botnet variant called Pandora has been observed infiltrating inexpensive Android-based TV sets and TV boxes and using them as part of a botnet to perform distributed denial-of-service (DDoS) attacks. Doctor Web said the compromises are likely to occur either during malicious firmware updates or when applications for viewing pirated video content are installed. "It is likely that this update has been made available for download from a number of websites, as it is signed with publicly available Android Open Source Project test keys," the Russian company said in an analysis published Wednesday. "The service that runs the backdoor is included in boot.img," enabling it to persist between system restarts. In the alternative distribution methods, it's suspected that users are tricked into installing applications for streaming pirated movies and TV shows through websites that mainly single out Spanish-speaking users. The list of apps is as follows -The Hacker News
September 7, 2023 – Business
Tenable to Acquire Cloud Security Firm Ermetic for $240 Million Full Text
Abstract
Exposure management solutions provider Tenable announced on Thursday that it has entered into a definitive agreement to acquire Israeli cloud security startup Ermetic for roughly $240 million in cash and $25 million in restricted stock and RSUs.Cyware
September 07, 2023 – Breach
Outlook Hack: Microsoft Reveals How a Crash Dump Led to a Major Security Breach Full Text
Abstract
Microsoft on Wednesday revealed that a China-based threat actor known as Storm-0558 acquired the inactive consumer signing key to forge tokens and access Outlook by compromising an engineer's corporate account. This enabled the adversary to access a debugging environment that contained information pertaining to a crash of the consumer signing system and steal the key. The system crash took place in April 2021. "A consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process ('crash dump')," the Microsoft Security Response Center (MSRC) said in a post-mortem report. "The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump. The key material's presence in the crash dump was not detected by our systems." The Windows maker said the crash dump was moved to a debugging environment on the internet-connected corporate network, from where Storm-The Hacker News
September 7, 2023 – Policy and Law
Australian Official Slams Firms for Data Breach Reporting Delays Full Text
Abstract
In the first half of 2023, OAIC received reports of breaches within 30 days after they occurred from 74% of organizations, and just 5% of organizations took longer than four months to report breaches.Cyware
September 7, 2023 – Business
Battery Ventures Buys GrammaTech’s Application Security Unit Full Text
Abstract
GrammaTech has separated its security software products and cyber research services divisions, and venture capital firm Battery Ventures has acquired the former and renamed it CodeSecure.Cyware
September 7, 2023 – General
Avoidable Digital Certificate Issues Fuel Data Breaches Full Text
Abstract
Among organizations that have suffered data breaches, 58% of the breaches were caused by issues related to digital certificates, according to a report by AppViewX and Forrester Consulting.Cyware
September 6, 2023 – Malware
Threat Actors Target NPM, PyPI, and RubyGems Developers Full Text
Abstract
A new cyber campaign has emerged, with threat actors uploading malicious packages to PyPI, NPM, and RubyGems repositories, posing a significant threat to macOS user data. The malicious packages would collect system information and exfiltrate it to attacker-controlled servers. Security firm Phylum i ... Read MoreCyware
September 06, 2023 – Vulnerabilities
Zero-Day Alert: Latest Android Patch Update Includes Fix for Newly Actively Exploited Flaw Full Text
Abstract
Google has rolled out monthly security patches for Android to address a number of flaws, including a zero-day bug that it said may have been exploited in the wild. Tracked as CVE-2023-35674, the high-severity vulnerability is described as a case of privilege escalation impacting the Android Framework. "There are indications that CVE-2023-35674 may be under limited, targeted exploitation," the company said in its Android Security Bulletin for September 2023 without delving into additional specifics. The update also addresses three other privilege escalation flaws in Framework, with the search giant noting that the most severe of these issues "could lead to local escalation of privilege with no additional execution privileges needed" sans any user interaction. Google said it has further plugged a critical security vulnerability in the System component that could lead to remote code execution without requiring interaction on the part of the victim. "The severity assessment isThe Hacker News
September 6, 2023 – Malware
Bogus URL Shorteners Go Mobile-Only in AdSense Fraud Campaign Full Text
Abstract
The attackers have implemented multiple layers of defense to protect their Google AdSense accounts, including JavaScript execution, mobile user agent checks, user interaction requirements, and server-side user agent checks.Cyware
September 06, 2023 – Phishing
Alert: Phishing Campaigns Deliver New SideTwist Backdoor and Agent Tesla Variant Full Text
Abstract
The Iranian threat actor tracked as APT34 has been linked to a new phishing attack that leads to the deployment of a variant of a backdoor called SideTwist. "APT34 has a high level of attack technology, can design different intrusion methods for different types of targets, and has supply chain attack capability," NSFOCUS Security Labs said in a report published last week. APT34, also known by the names Cobalt Gypsy, Hazel Sandstorm (formerly Europium), Helix Kitten, and OilRig, has a track record of targeting telecommunications, government, defense, oil and financial services verticals in the Middle East since at least 2014 via spear-phishing lures that culminate in the deployment of various backdoors. One of the key traits of the hacking outfit is its ability to create new and updated tools to minimize the odds of detection and gain a foothold on compromised hosts for extended periods of time. SideTwist was first documented as used by APT34 in April 2021, with Check PoinThe Hacker News
September 6, 2023 – Vulnerabilities
Researchers Discover Critical Vulnerability in PHPFusion CMS Full Text
Abstract
The authenticated local file inclusion flaw, identified as CVE-2023-2453, allows for remote code execution if an attacker can upload a maliciously crafted ".php" file to a known path on a target system.Cyware
September 06, 2023 – Education
Three CISOs Share How to Run an Effective SOC Full Text
Abstract
The role of the CISO keeps taking center stage as a business enabler: CISOs need to navigate the complex landscape of digital threats while fostering innovation and ensuring business continuity. Three CISOs – Troy Wilkinson, CISO at IPG; Rob Geurtsen, former Deputy CISO at Nike; and Tammy Moskites, Founder of CyAlliance and former CISO at companies like Time Warner and Home Depot – shared their perspectives on how to run an effective SOC in 2023. 1) Prioritize Cost Efficiency While Remaining 'Secure' As a world-renowned speaker, a co-author of an Amazon Best Seller, and a trusted commentator on prominent news networks such as NBC, CBS, and Fox, Troy Wilkinson knows a thing or two about cybersecurity. When adopting new technologies, Troy reinforces that CISOs don't have the luxury of waiting months or years to see the value of new investments; "Time to Value is critical. New solutions need to deliver value quickly." Rob Geurtsen, former Deputy CISO at Nike, joThe Hacker News
September 6, 2023 – Malware
New Agent Tesla Variant Being Spread by Specially Crafted Excel Document Full Text
Abstract
A new variant of the Agent Tesla malware is spreading through a phishing campaign, exploiting the CVE-2017-11882/CVE-2018-0802 vulnerability to gain access to victims' devices and steal sensitive information.Cyware
September 06, 2023 – Vulnerabilities
9 Alarming Vulnerabilities Uncovered in SEL’s Power Management Products Full Text
Abstract
Nine security flaws have been disclosed in electric power management products made by Schweitzer Engineering Laboratories (SEL). "The most severe of those nine vulnerabilities would allow a threat actor to facilitate remote code execution (RCE) on an engineering workstation," Nozomi Networks said in a report published last week. The issues, tracked as CVE-2023-34392 and from CVE-2023-31168 through CVE-2023-31175, have CVSS severity scores ranging from 4.8 to 8.8 and impact SEL-5030 acSELeratorQuickSet and SEL-5037 GridConfigurator, which are used to commission, configure, and monitor the devices. Exploitation of CVE-2023-31171 could be achieved by sending a phishing email that tricks a victim engineer into importing a specially crafted configuration file to achieve arbitrary code execution on the engineering workstation running the SEL software. What's more, the shortcoming can be chained with CVE-2023-31175 to obtain administrative privileges on the target workstation. CVE-202The Hacker News
September 6, 2023 – Vulnerabilities
ASUS Routers are Affected by Three Critical Remote Code Execution Flaws Full Text
Abstract
ASUS routers RT-AX55, RT-AX56U_V2, and RT-AC86U are affected by three critical remote code execution vulnerabilities (CVE-2023-39238, CVE-2023-39239, and CVE-2023-39240) that can potentially allow threat actors to take over the devices.Cyware
September 06, 2023 – Phishing
W3LL Store: How a Secret Phishing Syndicate Targets 8,000+ Microsoft 365 Accounts Full Text
Abstract
A previously undocumented "phishing empire" has been linked to cyber attacks aimed at compromising Microsoft 365 business email accounts over the past six years. "The threat actor created a hidden underground market, named W3LL Store, that served a closed community of at least 500 threat actors who could purchase a custom phishing kit called W3LL Panel, designed to bypass MFA, as well as 16 other fully customized tools for business email compromise (BEC) attacks," Group-IB said in a report shared with The Hacker News. The phishing infrastructure is estimated to have targeted more than 56,000 corporate Microsoft 365 accounts and compromised at least 8,000 of them, primarily in the U.S., the U.K., Australia, Germany, Canada, France, the Netherlands, Switzerland, and Italy between October 2022 and July 2023, netting its operators $500,000 in illicit profits. Some of the prominent sectors infiltrated using the phishing solution include manufacturing, IT, consultinThe Hacker News
September 6, 2023 – Privacy
GhostSec Leaks Source Code of Alleged Iranian Surveillance Tool Full Text
Abstract
The first messages were posted on August 27, with GhostSec saying it had discovered facial recognition "and various other privacy invading features and tools" within the FANAP group's software.Cyware
September 06, 2023 – APT
Ukraine’s CERT Thwarts APT28’s Cyberattack on Critical Energy Infrastructure Full Text
Abstract
The Computer Emergency Response Team of Ukraine (CERT-UA) on Tuesday said it thwarted a cyber attack against an unnamed critical energy infrastructure facility in the country. The intrusion, per the agency, started with a phishing email containing a link to a malicious ZIP archive that activates the infection chain. "Visiting the link will download a ZIP archive containing three JPG images (decoys) and a BAT file 'weblinks.cmd' to the victim's computer," CERT-UA said, attributing it to the Russian threat actor known as APT28 (aka BlueDelta, Fancy Bear, Forest Blizzard, or FROZENLAKE). "When a CMD file is run, several decoy web pages will be opened, .bat and .vbs files will be created, and a VBS file will be launched, which in turn will execute the BAT file." The next phase of the attack involves running the "whoami" command on the compromised host and exfiltrating the information, alongside downloading the TOR hidden service to route malicious traffic. Persistence is achieveThe Hacker News
September 6, 2023 – Malware
New Chae$ 4 Strain Targets Financial and Logistics Customers Full Text
Abstract
A reworked variant of the Chaes malware, Chae$ 4, is causing havoc in the banking and logistics sectors with significant overhauls. It has been completely rewritten in Python to bypass traditional security defenses and improve communication protocols. It's essential to regularly update and pa ... Read MoreCyware
September 6, 2023 – General
Ransomware Attacks Soar by 87% in U.K., Reveals JUMPSEC Full Text
Abstract
A report from JUMPSEC noted an 87% increase in attacker-reported ransomware in the U.K. and a 37% increase globally in H1 2023. The mass exploitation of vulnerabilities is the primary contributor to this growth. One key reason for the surge in attack figures is the growing number of ransomware v ... Read MoreCyware
September 5, 2023 – Breach
Suspected ALPHV Ransomware Attack on Melbourne Pathology Clinic Possibly Exposed Patient Data Full Text
Abstract
The Australian government is aware of the data breach as well as potential incidents affecting real estate firm Barry Plant and owners corporation management company Strata Plan, national cybersecurity coordinator Darren Goldie said in a statement.Cyware
September 05, 2023 – Malware
New BLISTER Malware Update Fuelling Stealthy Network Infiltration Full Text
Abstract
An updated version of a malware loader known as BLISTER is being used as part of SocGholish infection chains to distribute an open-source command-and-control (C2) framework called Mythic. "New BLISTER update includes keying feature that allows for precise targeting of victim networks and lowers exposure within VM/sandbox environments," Elastic Security Labs researchers Salim Bitam and Daniel Stepanic said in a technical report published late last month. BLISTER was first uncovered by the company in December 2021 acting as a conduit to distribute Cobalt Strike and BitRAT payloads on compromised systems. The use of the malware alongside SocGholish (aka FakeUpdates), a JavaScript-based downloader malware, to deliver Mythic was previously disclosed by Palo Alto Networks Unit 42 in July 2023. In these attacks, BLISTER is embedded within a legitimate VLC Media Player library in an attempt to get around security software and infiltrate victim environments. Both SocGholish andThe Hacker News
September 5, 2023 – Malware
New Chaes Malware Variant Targeting Financial and Logistics Customers Full Text
Abstract
This new variant, primarily targeting logistics and financial sectors, has undergone significant changes, including being rewritten in Python, enhanced communication protocols, and new modules.Cyware
September 05, 2023 – Malware
New Python Variant of Chaes Malware Targets Banking and Logistics Industries Full Text
Abstract
Banking and logistics industries are under the onslaught of a reworked variant of a malware called Chaes. "It has undergone major overhauls: from being rewritten entirely in Python, which resulted in lower detection rates by traditional defense systems, to a comprehensive redesign and an enhanced communication protocol," Morphisec said in a new detailed technical write-up shared with The Hacker News. Chaes, which first emerged in 2020, is known to target e-commerce customers in Latin America, particularly Brazil, to steal sensitive financial information. A subsequent analysis from Avast in early 2022 found that the threat actors behind the operation, who call themselves Lucifer, had breached more than 800 WordPress websites to deliver Chaes to users of Banco do Brasil, Loja Integrada, Mercado Bitcoin, Mercado Livre, and Mercado Pago. Further updates were detected in December 2022, when Brazilian cybersecurity company Tempest Security Intelligence uncovered the malThe Hacker News
September 5, 2023 – Criminals
Cybercriminals Use Research Contests to Create New Attack Methods Full Text
Abstract
The contests mirror legitimate security conference ‘Call For Papers’ and provide the winners considerable financial rewards, recognition from peers, and also, potential jobs.Cyware
September 05, 2023 – Education
Way Too Vulnerable: Join this Webinar to Understand and Strengthen Identity Attack Surface Full Text
Abstract
In today's digital age, it's not just about being online but how securely your organization operates online. Regardless of size or industry, every organization heavily depends on digital assets. The digital realm is where business takes place, from financial transactions to confidential data storage. While organizations have quickly adopted tools like Multi-Factor Authentication (MFA), Privileged Access Management (PAM), and service account protection, a pressing question remains: Are these measures truly sufficient? With the rise of identity threats, the real battleground has shifted. It's no longer just about firewalls or encryption but the very identities that access these digital assets. Every day, attackers devise new strategies to compromise user identities to find that weak link to gain malicious access. The tools we've come to rely on might not be as foolproof as we once believed. Many organizations remain unaware of vast security gaps, exposing them to potThe Hacker News
September 5, 2023 – General
Exploring the Traits of Effective Chief Audit Executives Full Text
Abstract
Chief audit executives (CAEs) have identified risk orientation, stakeholder management, and team leadership as the top three characteristics of the most effective individuals, according to Gartner.Cyware
September 05, 2023 – General
Key Cybersecurity Tools That Can Mitigate the Cost of a Breach Full Text
Abstract
IBM's 2023 installment of their annual "Cost of a Breach" report has thrown up some interesting trends. Of course, breaches being costly is no longer news at this stage! What's interesting is the difference in how organizations respond to threats and which technologies are helping reduce the costs associated with every IT team's nightmare scenario. The average cost of a breach rose once again to $4.45 million, increasing 15% over the last three years. Costs associated with escalation and detection have rocketed up 42% during the same period. With that in mind, I was surprised to learn that only 51% of the breached entities surveyed by IBM decided to bolster their security investments, despite the rising financial consequences of dealing with a breach. Headline stats around breach costs are interesting – but can digging into these trends actually help you save money? Organizations want to know where to invest their security budget and which technologies offer the besThe Hacker News
September 5, 2023 – Malware
Unraveling EternalBlue: Inside the WannaCry’s Enabler
Abstract
EternalBlue exploits a vulnerability in the Microsoft implementation of the Server Message Block (SMB) Protocol. This dupes an unpatched Windows machine into allowing illegitimate data packets into the legitimate network. (Source: Cyware)
September 5, 2023 – Attack
Researchers Warn of Cyber Weapons Used by Lazarus Group’s Andariel Cluster
Abstract
The North Korean threat actor known as Andariel has been observed employing an arsenal of malicious tools in its cyber assaults against corporations and organizations in the southern counterpart. "One characteristic of the attacks identified in 2023 is that there are numerous malware strains developed in the Go language," the AhnLab Security Emergency Response Center (ASEC) said in a deep dive released last week. Andariel, also known by the names Nickel Hyatt or Silent Chollima, is a sub-cluster of the Lazarus Group that's known to be active since at least 2008. Financial institutions, defense contractors, government agencies, universities, cybersecurity vendors, and energy companies are among the top targets for the state-sponsored group to fund espionage activities and illegally generate revenue for the country. Attack chains mounted by the adversary have leveraged a variety of initial infection vectors, such as spear-phishing, watering holes, and supply chain attacks, as... (Source: The Hacker News)
September 5, 2023 – Breach
Hackers Push Anti-Iranian Government Messages to Millions via Breached App
Abstract
An Iranian-focused hacking group known as Black Reward, with a history of going after the Iranian government, announced a new attack late Thursday, this time targeting a financial services app used by millions of Iranians for digital transactions. (Source: Cyware)
September 5, 2023 – Disinformation
Meta Takes Down Thousands of Accounts Involved in Disinformation Ops from China and Russia
Abstract
Meta has disclosed that it disrupted two of the largest known covert influence operations in the world from China and Russia, blocking thousands of accounts and pages across its platform. "It targeted more than 50 apps, including Facebook, Instagram, X (formerly Twitter), YouTube, TikTok, Reddit, Pinterest, Medium, Blogspot, LiveJournal, VKontakte, Vimeo, and dozens of smaller platforms and forums," Guy Rosen, chief information security officer at Meta, said last week, describing the Chinese disinformation group. The network, which included 7,704 Facebook accounts, 954 Pages, 15 Groups and 15 Instagram accounts, is said to have been run by "geographically dispersed operators" across China, posting content about China and its province Xinjiang, criticism of the U.S., Western foreign policies, and critics of the Chinese government. Central to the activity is the sharing of spammy links, the origins of which trace back to a cluster named Spamouflage (aka DRAGONBRIDGE) that has been... (Source: The Hacker News)
September 4, 2023 – Breach
India: Ayush Jharkhand Portal Breached, 320,000 Patients’ Records Exposed
Abstract
The compromised data also contains sensitive information about doctors, including their PII, login credentials, usernames, passwords, and phone numbers. The data breach was initiated by a threat actor named "Tanaka". (Source: Cyware)
September 4, 2023 – Attack
Hackers Exploit MinIO Storage System Vulnerabilities to Compromise Servers
Abstract
An unknown threat actor has been observed weaponizing high-severity security flaws in the MinIO high-performance object storage system to achieve unauthorized code execution on affected servers. Cybersecurity and incident response firm Security Joes said the intrusion leveraged a publicly available exploit chain to backdoor the MinIO instance. The chain comprises CVE-2023-28432 (CVSS score: 7.5) and CVE-2023-28434 (CVSS score: 8.8), the former of which was added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog on April 21, 2023. The two vulnerabilities "possess the potential to expose sensitive information present within the compromised installation and facilitate remote code execution (RCE) on the host where the MinIO application is operational," Security Joes said in a report shared with The Hacker News. In the attack chain investigated by the company, the flaws are said to have been weaponized b... (Source: The Hacker News)
September 4, 2023 – Attack
New SuperBear Trojan Targets South Korean Activists
Abstract
Civil society organizations in South Korea came under the brunt of a phishing attack that used a new RAT called SuperBear. The intrusion targeted an undisclosed activist, who received a malicious LNK file in late August, posing as a member of their organization. The researchers have provided the IO... (Source: Cyware)
September 4, 2023 – Privacy
X (Twitter) to Collect Biometric Data from Premium Users to Combat Impersonation
Abstract
X, the social media site formerly known as Twitter, has updated its privacy policy to collect users' biometric data to tackle fraud and impersonation on the platform. "Based on your consent, we may collect and use your biometric information for safety, security, and identification purposes," the company said. The revised policy is expected to go into effect on September 29, 2023. The social media behemoth told Bloomberg, which first reported the development, that the change is limited to premium users and that a biometric matching process "will also help X fight impersonation attempts and make the platform more secure." To that end, users will be given the option to provide government ID and a picture for identity matching or verification using biometric data, the company told the publication. However, there is currently no clarity on how it plans to collect it and for how long such information will be retained in its systems. The policy update is also expected to include a c... (Source: The Hacker News)
September 4, 2023 – Breach
More Than 200,000 Indiana Medicaid Members Possibly Exposed in CareSource Data Breach
Abstract
CareSource, the entity that manages software for the Indiana Family and Social Services Administration (FSSA), suffered a data breach in May that may have exposed the personal information of 212,193 Indiana Medicaid members. (Source: Cyware)
September 4, 2023 – General
Everything You Wanted to Know About AI Security but Were Afraid to Ask
Abstract
There's been a great deal of AI hype recently, but that doesn't mean the robots are here to replace us. This article sets the record straight and explains how businesses should approach AI. From musing about self-driving cars to fearing AI bots that could destroy the world, there has been a great deal of AI hype in the past few years. AI has captured our imaginations, dreams, and occasionally, our nightmares. However, the reality is that AI is currently much less advanced than we anticipated it would be by now. Autonomous cars, for example, often considered the poster child of AI's limitless future, represent a narrow use case and are not yet a common application across all transportation sectors. In this article, we de-hype AI, provide tools for businesses approaching AI and share information to help stakeholders educate themselves. AI Terminology De-Hyped. AI vs. ML: AI (Artificial Intelligence) and ML (Machine Learning) are terms that are often used interchangeably, but the... (Source: The Hacker News)
September 4, 2023 – Attack
Threat Actors Exploit MS SQL Servers to Deploy FreeWorld Ransomware
Abstract
A campaign named DB#JAMMER is utilizing poorly secured MS SQL servers to distribute Cobalt Strike and a ransomware strain called FreeWorld. Cybersecurity firm Securonix revealed that the attackers gain initial access by brute-forcing the MS SQL server, followed by reconnaissance, system firewall im... (Source: Cyware)
September 4, 2023 – Criminals
Vietnamese Cybercriminals Targeting Facebook Business Accounts with Malvertising
Abstract
Malicious actors associated with the Vietnamese cybercrime ecosystem are leveraging advertising-as-a-vector on social media platforms such as Meta-owned Facebook to distribute malware. "Threat actors have long used fraudulent ads as a vector to target victims with scams, malvertising, and more," WithSecure researcher Mohammad Kazem Hassan Nejad said. "And with businesses now leveraging the reach of social media for advertising, attackers have a new, highly-lucrative type of attack to add to their arsenal – hijacking business accounts." Cyber attacks targeting Meta Business and Facebook accounts have gained popularity over the past year, courtesy of activity clusters such as Ducktail and NodeStealer that are known to raid businesses and individuals operating on Facebook. Among the methods employed by cybercriminals to gain unauthorized access to user accounts, social engineering plays a significant role. Victims are approached through various platforms ranging from Facebook a... (Source: The Hacker News)
September 4, 2023 – Breach
Maker of Chastity Device Left Users’ Emails, Passwords, and Locations Exposed
Abstract
A company that makes a chastity device that can be controlled over the internet exposed users’ email addresses, plaintext passwords, home addresses and IP addresses, and — in some cases — GPS coordinates, due to several flaws in its servers. (Source: Cyware)
September 4, 2023 – Malware
Beware of MalDoc in PDF: A New Polyglot Attack Allowing Attackers to Evade Antivirus
Abstract
Cybersecurity researchers have called attention to a new antivirus evasion technique that involves embedding a malicious Microsoft Word file into a PDF file. The sneaky method, dubbed MalDoc in PDF by JPCERT/CC, is said to have been employed in an in-the-wild attack in July 2023. "A file created with MalDoc in PDF can be opened in Word even though it has magic numbers and file structure of PDF," researchers Yuma Masubuchi and Kota Kino said. "If the file has a configured macro, by opening it in Word, VBS runs and performs malicious behaviors." Such specially crafted files are called polyglots as they are a legitimate form of multiple different file types, in this case, both PDF and Word (DOC). This entails adding an MHT file created in Word and with a macro attached after the PDF file object. The end result is a valid PDF file that can also be opened in the Word application. Put differently, the PDF document embeds within itself a Word document with a VB... (Source: The Hacker News)
September 4, 2023 – Breach
Freecycle Users Told to Change Passwords After Data Breach
Abstract
Freecycle, an online community that encourages sharing unwanted items with each other rather than chucking them in the bin or taking them to landfill, has told users to change their passwords after it suffered a data breach. (Source: Cyware)
September 4, 2023 – Criminals
Chinese-Speaking Cybercriminals Launch Large-Scale iMessage Smishing Campaign in U.S.
Abstract
A new large-scale smishing campaign is targeting the U.S. by sending iMessages from compromised Apple iCloud accounts with an aim to conduct identity theft and financial fraud. "The Chinese-speaking threat actors behind this campaign are operating a package-tracking text scam sent via iMessage to collect personally identifying information (PII) and payment credentials from victims, in the furtherance of identity theft and credit card fraud," Resecurity said in an analysis published last week. The cybercrime group, dubbed Smishing Triad, is also said to be in the business of "fraud-as-a-service," offering other actors ready-to-use smishing kits via Telegram that cost $200 a month. These kits impersonate popular postal and delivery services in the U.S., the U.K., Poland, Sweden, Italy, Indonesia, Malaysia, Japan, and other countries. A stand-out aspect of the activity is the use of breached Apple iCloud accounts as a delivery vector to send package delivery failure messages, urgi... (Source: The Hacker News)
September 4, 2023 – Government
UK Cyber Agency Warns of Prompt Injection Attacks in AI
Abstract
Threat actors are manipulating the technology behind large language model chatbots to access confidential information, generate offensive content, and "trigger unintended consequences," warned the U.K. cybersecurity agency. (Source: Cyware)
September 3, 2023 – Vulnerabilities
PoC Exploit Released for Critical VMware Aria’s SSH Auth Bypass Vulnerability
Abstract
Proof-of-concept (PoC) exploit code has been made available for a recently disclosed and patched critical flaw impacting VMware Aria Operations for Networks (formerly vRealize Network Insight). The flaw, tracked as CVE-2023-34039, is rated 9.8 out of a maximum of 10 for severity and has been described as a case of authentication bypass due to a lack of unique cryptographic key generation. "A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI," VMware said earlier this week. Summoning Team's Sina Kheirkhah, who published the PoC following an analysis of the patch by VMware, said the root cause can be traced back to a bash script containing a method named refresh_ssh_keys(), which is responsible for overwriting the current SSH keys for the support and ubuntu users in the authorized_keys file. "There is SSH authentication in place; however, VMware forgot to regenerate the keys," Kh... (Source: The Hacker News)
September 2, 2023 – Attack
VMConnect Supply Chain Attack Persists
Abstract
ReversingLabs identified three new malicious Python packages on PyPI, which are linked to a previously discovered VMConnect campaign. Analysis of the packages reveals similarities to previous supply chain attacks attributed to the Lazarus Group. To protect against such threats, organizations must i... (Source: Cyware)
September 2, 2023 – Attack
Okta Warns of Social Engineering Attacks Targeting Super Administrator Privileges
Abstract
Identity services provider Okta on Friday warned of social engineering attacks orchestrated by threat actors to obtain elevated administrator permissions. "In recent weeks, multiple US-based Okta customers have reported a consistent pattern of social engineering attacks against IT service desk personnel, in which the caller's strategy was to convince service desk personnel to reset all multi-factor authentication (MFA) factors enrolled by highly privileged users," the company said. The adversary then moved to abuse the highly privileged Okta Super Administrator accounts to impersonate users within the compromised organization. The campaign, per the company, took place between July 29 and August 19, 2023. Okta did not disclose the identity of the threat actor, but the tactics exhibit all the hallmarks of an activity cluster known as Muddled Libra, which is said to share some degree of overlap with Scattered Spider and Scatter Swine. Central to the attacks is a commercial phish... (Source: The Hacker News)
September 2, 2023 – Attack
Pennsylvania School District to Stay Open Despite Ransomware Attack
Abstract
On Thursday, the Chambersburg Area School District published a message on its website and social media channels announcing that it had become yet another K-12 school district attacked by a ransomware gang. (Source: Cyware)
September 1, 2023 – Attack
Threat Actors Targeting Microsoft SQL Servers to Deploy FreeWorld Ransomware
Abstract
Threat actors are exploiting poorly secured Microsoft SQL (MS SQL) servers to deliver Cobalt Strike and a ransomware strain called FreeWorld. Cybersecurity firm Securonix, which has dubbed the campaign DB#JAMMER, said it stands out for the way the toolset and infrastructure is employed. "Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical breakdown of the activity. "The ransomware payload of choice appears to be a newer variant of Mimic ransomware called FreeWorld." Initial access to the victim host is achieved by brute-forcing the MS SQL server, using it to enumerate the database and leveraging the xp_cmdshell configuration option to run shell commands and conduct reconnaissance. The next stage entails taking steps to impair the system firewall and establish persistence by connecting to a remote SMB share... (Source: The Hacker News)
September 1, 2023 – Breach
Data Breach Could Affect More Than 100,000 in Pima County
Abstract
More than 100,000 Pima County residents could be affected by a nationwide data breach that affected the company that handled COVID-19 case investigations and contact tracing here, officials say. (Source: Cyware)
September 1, 2023 – Malware
Russian State-Backed ‘Infamous Chisel’ Android Malware Targets Ukrainian Military
Abstract
Cybersecurity and intelligence agencies from Australia, Canada, New Zealand, the U.K., and the U.S. on Thursday disclosed details of a mobile malware strain targeting Android devices used by the Ukrainian military. The malicious software, dubbed Infamous Chisel and attributed to a Russian state-sponsored actor called Sandworm, has capabilities to "enable unauthorized access to compromised devices, scan files, monitor traffic, and periodically steal sensitive information." Some aspects of the malware were uncovered by the Security Service of Ukraine (SBU) earlier in August, highlighting unsuccessful attempts on the part of the adversary to penetrate Ukrainian military networks and gather valuable intelligence. It's said that Russian forces captured tablets used by Ukraine on the battlefield, using them as a foothold to remotely disseminate the malware to other devices by using the Android Debug Bridge (ADB) command-line tool. Sandworm, also known by the names FROZENBARENTS, Ir... (Source: The Hacker News)
September 1, 2023 – Breach
LogicMonitor Customers Hit by Hackers Due to Weak Default Passwords
Abstract
Some customers of the network security company LogicMonitor have been hacked due to the use of default passwords, TechCrunch has learned. A LogicMonitor spokesperson confirmed “a security incident” affecting some of the company’s customers. (Source: Cyware)
September 1, 2023 – Phishing
New SuperBear Trojan Emerges in Targeted Phishing Attack on South Korean Activists
Abstract
A new phishing attack likely targeting civil society groups in South Korea has led to the discovery of a novel remote access trojan called SuperBear. The intrusion singled out an unnamed activist, who was contacted in late August 2023 and received a malicious LNK file from an address impersonating a member of the organization, non-profit entity Interlabs said in a new report. The LNK file, upon execution, launches a PowerShell command to execute a Visual Basic script that, in turn, fetches the next-stage payloads from a legitimate but compromised WordPress website. This includes the Autoit3.exe binary ("solmir.pdb") and an AutoIt script ("solmir_1.pdb") that's launched using the former. The AutoIt script, for its part, performs process injection using a process hollowing technique, in which malicious code is inserted into a process that's in a suspended state. In this case, an instance of Explorer.exe is spawned to inject a never-before-seen RAT referred to as SuperBear th... (Source: The Hacker News)
September 1, 2023 – Ransomware
Free Decryptor Available for ‘Key Group’ Ransomware
Abstract
Also known as keygroup777, Key Group is a Russian-speaking cybercrime actor known for selling personally identifiable information (PII) and access to compromised devices, as well as extorting victims for money. (Source: Cyware)
September 1, 2023 – General
It’s a Zero-day? It’s Malware? No! It’s Username and Password
Abstract
As cyber threats continue to evolve, adversaries are deploying a range of tools to breach security defenses and compromise sensitive data. Surprisingly, one of the most potent weapons in their arsenal is not malicious code but simply stolen or weak usernames and passwords. This article explores the seriousness of compromised credentials, the challenges they present to security solutions, and the importance of implementing robust measures to protect Active Directory (AD) environments. Additionally, we introduce Silverfort Unified Identity Protection, a comprehensive solution that offers enhanced security for AD environments against the misuse of compromised credentials. The Power of Stolen Credentials: Full Access to Any Resource. In the world of cyberattacks, stolen usernames and passwords are a highly effective means of gaining unauthorized access to networks and systems. They grant adversaries an entry point, allowing them subsequent access to sensitive on-prem and cloud resource... (Source: The Hacker News)
September 1, 2023 – Breach
Sourcegraph Discloses Data Breach Following Access Token Leak
Abstract
According to the platform, the admin access token used in the attack was leaked in a July 14 commit that passed internal code analysis tools. The token “had broad privileges to view and modify account information on Sourcegraph.com”. (Source: Cyware)
September 1, 2023 – Phishing
Classiscam Scam-as-a-Service Raked $64.5 Million During the COVID-19 Pandemic
Abstract
The Classiscam scam-as-a-service program has reaped the criminal actors $64.5 million in illicit earnings since its emergence in 2019. "Classiscam campaigns initially started out on classified sites, on which scammers placed fake advertisements and used social engineering techniques to convince users to pay for goods by transferring money to bank cards," Group-IB said in a new report. "Since then, Classiscam campaigns have become highly automated, and can be run on a host of other services, such as online marketplaces and carpooling sites." A majority of victims are based in Europe (62.2%), followed by the Middle East and Africa (18.2%), and the Asia-Pacific (13%). Germany, Poland, Spain, Italy, and Romania accounted for the highest number of fraudulent transactions registered in Classiscam chats. First discovered in 2019, Classiscam is an umbrella term for an operation that encompasses 1,366 distinct groups on Telegram. The activities first targeted Russi... (Source: The Hacker News)